Login
- Table of Contents
-
- 04-Layer 2—LAN Switching Configuration Guide
- 00-Preface
- 01-MAC address table configuration
- 02-Ethernet link aggregation configuration
- 03-Port isolation configuration
- 04-VLAN configuration
- 05-Loop detection configuration
- 06-Spanning tree configuration
- 07-LLDP configuration
- 08-PFC configuration
- 09-Service loopback group configuration
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 04-VLAN configuration | 189.78 KB |
Contents
Layer 3 communication between VLANs
Restrictions and guidelines for port-based VLANs
Assigning an access port to a VLAN
Assigning a trunk port to a VLAN
Assigning a hybrid port to a VLAN
Restrictions and guidelines for MAC-based VLANs
Configuring static MAC-based VLAN assignment
Configuring dynamic MAC-based VLAN assignment
VLAN interfaces configuration tasks at a glance
Restoring the default settings for the VLAN interface
Verifying and maintaining VLANs
Verifying MAC-based VLAN configuration and running status
Verifying VLAN group configuration and running status
Verifying VLAN interface configuration and running status
Clearing VLAN interface statistics
Example: Configuring port-based VLANs
Example: Configuring MAC-based VLANs
Configuring VLANs
About VLANs
The Virtual Local Area Network (VLAN) technology divides a physical LAN into multiple logical LANs. It has the following benefits:
· Security—Hosts in the same VLAN can communicate with one another at Layer 2, but they are isolated from hosts in other VLANs at Layer 2.
· Broadcast traffic isolation—Each VLAN is a broadcast domain that limits the transmission of broadcast packets.
· Flexibility—A VLAN can be logically divided on a workgroup basis. Hosts in the same workgroup can be assigned to the same VLAN, regardless of their physical locations.
VLAN frame encapsulation
To identify Ethernet frames from different VLANs, IEEE 802.1Q inserts a four-byte VLAN tag between the destination and source MAC address (DA&SA) field and the Type field.
Figure 1 VLAN tag placement and format
A VLAN tag includes the following fields:
· TPID—16-bit tag protocol identifier that indicates whether a frame is VLAN-tagged. By default, the hexadecimal TPID value 8100 identifies a VLAN-tagged frame. A device vendor can set the TPID to a different value. For compatibility with a neighbor device, set the TPID value on the device to be the same as the neighbor device.
· Priority—3-bit long, identifies the 802.1p priority of the frame. For more information, see ACL and QoS Configuration Guide.
· CFI—1-bit long canonical format indicator that indicates whether the MAC addresses are encapsulated in the standard format when packets are transmitted across different media. Available values include:
¡ 0 (default)—The MAC addresses are encapsulated in the standard format.
¡ 1—The MAC addresses are encapsulated in a non-standard format.
This field is always set to 0 for Ethernet.
· VLAN ID—12-bit long, identifies the VLAN to which the frame belongs. The VLAN ID range is 0 to 4095. VLAN IDs 0 and 4095 are reserved, and VLAN IDs 1 to 4094 are user configurable.
The way a network device handles an incoming frame depends on whether the frame has a VLAN tag and the value of the VLAN tag (if any).
Ethernet supports encapsulation formats Ethernet II, 802.3/802.2 LLC, 802.3/802.2 SNAP, and 802.3 raw. The Ethernet II encapsulation format is used here. For information about the VLAN tag fields in other frame encapsulation formats, see related protocols and standards.
For a frame that has multiple VLAN tags, the device handles it according to its outermost VLAN tag and transmits its inner VLAN tags as the payload.
VLAN types
The following VLAN types are available:
· Port-based VLAN.
· MAC-based VLAN.
If all these types of VLANs are configured on a port, the port processes packets in the following descending order of priority by default:
· MAC-based VLAN.
· Port-based VLAN.
Port-based VLANs
Port-based VLANs group VLAN members by port. A port forwards packets from a VLAN only after it is assigned to the VLAN.
Port link type
You can set the link type of a port to access, trunk, or hybrid. The port link type determines whether the port can be assigned to multiple VLANs. The link types use the following VLAN tag handling methods:
· Access—An access port can forward packets only from one VLAN and send these packets untagged. An access port is typically used in the following conditions:
¡ Connecting to a terminal device that does not support VLAN packets.
¡ In scenarios that do not distinguish VLANs.
· Trunk—A trunk port can forward packets from multiple VLANs. Except packets from the port VLAN ID (PVID), packets sent out of a trunk port are VLAN-tagged. Ports connecting network devices are typically configured as trunk ports.
· Hybrid—A hybrid port can forward packets from multiple VLANs. The tagging status of the packets forwarded by a hybrid port depends on the port configuration.
PVID
The PVID identifies the default VLAN of a port. Untagged packets received on a port are considered as the packets from the port PVID.
An access port can join only one VLAN. The VLAN to which the access port belongs is the PVID of the port. A trunk or hybrid port supports multiple VLANs and the PVID configuration.
How ports of different link types handle frames
|
Actions |
Access |
Trunk |
Hybrid |
|
|
In the inbound direction for an untagged frame |
Tags the frame with the PVID tag. |
· If the PVID is permitted on the port, tags the frame with the PVID tag. · If not, drops the frame. |
||
|
In the inbound direction for a tagged frame |
· Receives the frame if its VLAN ID is the same as the PVID. · Drops the frame if its VLAN ID is different from the PVID. |
· Receives the frame if its VLAN is permitted on the port. · Drops the frame if its VLAN is not permitted on the port. |
||
|
In the outbound direction |
Removes the VLAN tag and sends the frame. |
· Removes the tag and sends the frame if the frame carries the PVID tag and the port belongs to the PVID. · Sends the frame without removing the tag if its VLAN is carried on the port but is different from the PVID. |
Sends the frame if its VLAN is permitted on the port. The tagging status of the frame depends on the port hybrid vlan command configuration. |
|
MAC-based VLANs
The MAC-based VLAN feature assigns hosts to a VLAN based on their MAC addresses. This feature is also called user-based VLAN because VLAN configuration remains the same regardless of a user's physical location.
Static MAC-based VLAN assignment
Use static MAC-based VLAN assignment in networks that have a small number of VLAN users. To configure static MAC-based VLAN assignment on a port, perform the following tasks:
1. Create MAC-to-VLAN entries.
2. Enable the MAC-based VLAN feature on the port.
3. Assign the port to the MAC-based VLAN.
A port configured with static MAC-based VLAN assignment processes a received frame as follows before sending the frame out:
· For an untagged frame, the port determines its VLAN ID in the following workflow:
a. The port first performs a fuzzy match as follows:
- Searches for the MAC-to-VLAN entries whose masks are not all Fs.
- Performs a logical AND operation on the source MAC address and each of these masks.
If an AND operation result matches the MAC address in a MAC-to-VLAN entry, the port tags the frame with the VLAN ID specific to this entry.
b. If the fuzzy match fails, the port performs an exact match. It searches for MAC-to-VLAN entries whose masks are all Fs. If the source MAC address of the frame exactly matches the MAC address of a MAC-to-VLAN entry, the port tags the frame with the VLAN ID specific to this entry.
c. If no matching VLAN ID is found, the port determines the VLAN for the packet by using the following matching order:
- IP subnet-based VLAN.
- Protocol-based VLAN.
- Port-based VLAN.
When a match is found, the port tags the packet with the matching VLAN ID.
· For a tagged frame, the port determines whether the VLAN ID of the frame is permitted on the port.
¡ If the VLAN ID of the frame is permitted on the port, the port forwards the frame.
¡ If the VLAN ID of the frame is not permitted on the port, the port drops the frame.
Dynamic MAC-based VLAN assignment
When you cannot determine the target MAC-based VLANs of a port, use dynamic MAC-based VLAN assignment on the port. To use dynamic MAC-based VLAN assignment, perform the following tasks:
1. Create MAC-to-VLAN entries.
2. Enable the MAC-based VLAN feature on the port.
3. Enable dynamic MAC-based VLAN assignment on the port.
Dynamic MAC-based VLAN assignment uses the following workflow, as shown in Figure 2:
4. When a port receives a frame, it first determines whether the frame is tagged.
¡ If the frame is tagged, the port gets the source MAC address of the frame.
¡ If the frame is untagged, the port selects a VLAN for the frame by using the following matching order:
- MAC-based VLAN (fuzzy and exact MAC address match).
- IP subnet-based VLAN.
- Protocol-based VLAN.
- Port-based VLAN.
After tagging the frame with the selected VLAN, the port gets the source MAC address of the frame.
5. The port uses the source MAC address and VLAN of the frame to match the MAC-to VLAN entries.
¡ If the source MAC address of the frame exactly matches the MAC address in a MAC-to-VLAN entry, the port checks whether the VLAN ID of the frame matches the VLAN in the entry.
- If the two VLAN IDs match, the port joins the VLAN and forwards the frame.
- If the two VLAN IDs do not match, the port drops the frame.
¡ If the source MAC address of the frame does not exactly match any MAC addresses in MAC-to-VLAN entries, the port checks whether the VLAN ID of the frame is its PVID.
- If the VLAN ID of the frame is the PVID of the port, the port determines whether it allows the PVID.
If the PVID is allowed, the port forwards the frame within the PVID. If the PVID is not allowed, the port drops the frame.
- If the VLAN ID of the frame is not the PVID of the port, the port drops the frame.
Figure 2 Flowchart for processing a frame in dynamic MAC-based VLAN assignment
Layer 3 communication between VLANs
Hosts of different VLANs use VLAN interfaces to communicate at Layer 3. VLAN interfaces are virtual interfaces that do not exist as physical entities on devices. For each VLAN, you can create one VLAN interface and assign an IP address to it. The VLAN interface acts as the gateway of the VLAN to forward packets destined for another IP subnet at Layer 3.
Protocols and standards
IEEE 802.1Q, IEEE Standard for Local and Metropolitan Area Networks: Virtual Bridged Local Area Networks
Configuring a VLAN
Restrictions and guidelines
· As the system default VLAN, VLAN 1 cannot be created or deleted.
· Before you delete a dynamic VLAN or a VLAN locked by an application, you must first remove the configuration from the VLAN.
Creating VLANs
1. Enter system view.
system-view
2. Create one or multiple VLANs.
¡ Create a VLAN and enter its view.
vlan vlan-id
¡ Create multiple VLANs and enter VLAN view.
Create VLANs.
vlan { vlan-id-list | all }
Enter VLAN view.
vlan vlan-id
By default, only the system default VLAN (VLAN 1) exists.
3. (Optional.) Set a name for the VLAN.
name text
By default, the name of a VLAN is VLAN vlan-id. The vlan-id argument specifies the VLAN ID in a four-digit format. If the VLAN ID has fewer than four digits, leading zeros are added. For example, the name of VLAN 100 is VLAN 0100.
4. (Optional.) Configure the description for the VLAN.
description text
By default, the description of a VLAN is VLAN vlan-id. The vlan-id argument specifies the VLAN ID in a four-digit format. If the VLAN ID has fewer than four digits, leading zeros are added. For example, the default description of VLAN 100 is VLAN 0100.
Configuring port-based VLANs
Restrictions and guidelines for port-based VLANs
· When you use the undo vlan command to delete the PVID of a port, either of the following events occurs depending on the port link type:
¡ For an access port, the PVID of the port changes to VLAN 1.
¡ For a hybrid or trunk port, the PVID setting of the port does not change.
You can use a nonexistent VLAN as the PVID for a hybrid or trunk port, but not for an access port.
· As a best practice, set the same PVID for a local port and its peer.
· To prevent a port from dropping untagged packets or PVID-tagged packets, assign the port to its PVID.
Assigning an access port to a VLAN
About this task
You can assign an access port to a VLAN in VLAN view or interface view.
Assigning one or multiple access ports to a VLAN in VLAN view
1. Enter system view.
system-view
2. Enter VLAN view.
vlan vlan-id
3. Assign one or multiple access ports to the VLAN.
port interface-list
By default, all ports belong to VLAN 1.
Assigning an access port to a VLAN in interface view
1. Enter system view.
system-view
2. Enter interface view.
¡ Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
¡ Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
3. Set the port link type to access.
port link-type access
By default, all ports are access ports.
4. Assign the access port to a VLAN.
port access vlan vlan-id
By default, all access ports belong to VLAN 1.
Assigning a trunk port to a VLAN
About this task
A trunk port supports multiple VLANs. You can assign it to a VLAN in interface view.
Restrictions and guidelines
To change the link type of a port from trunk to hybrid, set the link type to access first.
To enable a trunk port to transmit packets from its PVID, you must assign the trunk port to the PVID by using the port trunk permit vlan command.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
¡ Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
¡ Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
3. Set the port link type to trunk.
port link-type trunk
By default, all ports are access ports.
4. Assign the trunk port to the specified VLANs.
port trunk permit vlan { vlan-id-list | all }
By default, a trunk port permits only VLAN 1.
5. (Optional.) Set the PVID for the trunk port.
port trunk pvid vlan vlan-id
The default setting is VLAN 1.
Assigning a hybrid port to a VLAN
About this task
A hybrid port supports multiple VLANs. You can assign it to the specified VLANs in interface view. Make sure the VLANs have been created.
Restrictions and guidelines
To change the link type of a port from trunk to hybrid, set the link type to access first.
To enable a hybrid port to transmit packets from its PVID, you must assign the hybrid port to the PVID by using the port hybrid vlan command.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
¡ Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
¡ Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
3. Set the port link type to hybrid.
port link-type hybrid
By default, all ports are access ports.
4. Assign the hybrid port to the specified VLANs.
port hybrid vlan vlan-id-list { tagged | untagged }
By default, the hybrid port is an untagged member of the VLAN to which the port belongs when its link type is access.
5. (Optional.) Set the PVID for the hybrid port.
port hybrid pvid vlan vlan-id
By default, the PVID of a hybrid port is the ID of the VLAN to which the port belongs when its link type is access.
Configuring MAC-based VLANs
Restrictions and guidelines for MAC-based VLANs
· MAC-based VLANs are available only on hybrid ports.
· The MAC-based VLAN feature is mainly configured on downlink ports of user access devices.
Configuring static MAC-based VLAN assignment
1. Enter system view.
system-view
2. Create a MAC-to-VLAN entry.
mac-vlan mac-address mac-address [ mask mac-mask ] vlan vlan-id [ dot1p priority ]
By default, no MAC-to-VLAN entries exist.
3. Enter interface view.
¡ Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
¡ Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
4. Set the port link type to hybrid.
port link-type hybrid
By default, all ports are access ports.
5. Assign the hybrid port to the MAC-based VLANs.
port hybrid vlan vlan-id-list { tagged | untagged }
By default, a hybrid port is an untagged member of the VLAN to which the port belongs when its link type is access.
6. Enable the MAC-based VLAN feature.
mac-vlan enable
By default, this feature is disabled.
7. (Optional.) Preferentially match the MAC-based VLAN on the interface.
vlan precedence mac-vlan
By default, the system assigns VLANs based on the MAC address preferentially when both the MAC-based VLAN and IP subnet-based VLAN are configured on a port.
Configuring dynamic MAC-based VLAN assignment
About this task
For successful dynamic MAC-based VLAN assignment, use static VLANs when you create MAC-to-VLAN entries.
When a port joins a VLAN specified in the MAC-to-VLAN entry, one of the following events occurs depending on the port configuration:
· If the port has not been configured to allow packets from the VLAN to pass through, the port joins the VLAN as an untagged member.
· If the port has been configured to allow packets from the VLAN to pass through, the port configuration remains the same.
The 802.1p priority of the VLAN in a MAC-to-VLAN entry determines the transmission priority of the matching packets.
Restrictions and guidelines
· If you configure both static and dynamic MAC-based VLAN assignments on a port, dynamic MAC-based VLAN assignment takes effect.
· As a best practice, do not both configure dynamic MAC-based VLAN assignment and disable MAC address learning on a port. If the two features are configured together on a port, the port forwards only packets exactly matching the MAC-to-VLAN entries and drops inexactly matching packets.
· As a best practice, do not configure both dynamic MAC-based VLAN assignment and the MAC learning limit on a port.
If the two features are configured together on a port and the port learns the configured maximum number of MAC address entries, the port processes packets as follows:
¡ Forwards only packets matching the MAC address entries learnt by the port.
¡ Drops unmatching packets.
· As a best practice, do not use dynamic MAC-based VLAN assignment with MSTP. In MSTP mode, if a port is blocked in the MSTI of its target VLAN, the port drops the received packets instead of delivering them to the CPU. As a result, the port will not be dynamically assigned to the target VLAN.
· As a best practice, do not use dynamic MAC-based VLAN assignment with PVST. In PVST mode, if the target VLAN of a port is not permitted on the port, the port is placed in blocked state. The port drops the received packets instead of delivering them to the CPU. As a result, the port will not be dynamically assigned to the target VLAN.
Procedure
1. Enter system view.
system-view
2. Create a MAC-to-VLAN entry.
mac-vlan mac-address mac-address vlan vlan-id [ dot1p priority ]
By default, no MAC-to-VLAN entries exist.
3. Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
4. Set the port link type to hybrid.
port link-type hybrid
By default, all ports are access ports.
5. Enable the MAC-based VLAN feature.
mac-vlan enable
By default, MAC-based VLAN is disabled.
6. Enable dynamic MAC-based VLAN assignment.
mac-vlan trigger enable
By default, dynamic MAC-based VLAN assignment is disabled.
The VLAN assignment for a port is triggered only when the source MAC address of its receiving packet exactly matches the MAC address in a MAC-to-VLAN entry.
7. (Optional.) Configure the system to assign VLANs based on the MAC address preferentially.
vlan precedence mac-vlan
By default, the system assigns VLANs based on the MAC address preferentially when both the MAC-based VLAN and IP subnet-based VLAN are configured on a port.
8. (Optional.) Disable the port from forwarding packets that fail the exact MAC address match in its PVID.
port pvid forbidden
By default, when a port receives packets whose source MAC addresses fail the exact match, the port forwards them in its PVID.
Configuring a VLAN group
About this task
A VLAN group includes a set of VLANs.
Procedure
1. Enter system view.
system-view
2. Create a VLAN group and enter its view.
vlan-group group-name
3. Add VLANs to the VLAN group.
vlan-list vlan-id-list
By default, no VLANs exist in a VLAN group.
You can add multiple VLAN lists to a VLAN group.
Configuring VLAN interfaces
Restrictions and guidelines
For information about the bandwidth, description, and shutdown commands, see Interface Command Reference.
When a VLAN interface is not manually shut down, the following guidelines apply to the interface state:
· The VLAN interface is down if all ports in the VLAN are down.
· The VLAN interface is up if one or more ports in the VLAN are up.
When you use this command to shut down a VLAN interface, the VLAN interface remains in DOWN (Administratively) state. In this case, the VLAN interface state is not affected by the state of the ports in the VLAN.
Before you configure parameters for a VLAN interface, use this command to shut it down to prevent the configuration from affecting the network. After you complete the VLAN interface configuration, use the undo shutdown command to make the settings take effect.
To troubleshoot a failed VLAN interface, you can use the shutdown command and then the undo shutdown command on the interface to see whether it recovers.
In a VLAN, the state of each Ethernet interface is independent of the state of the VLAN interface.
VLAN interfaces configuration tasks at a glance
To configure VLAN interfaces, perform the following tasks:
2. (Optional.) Restoring the default settings for the VLAN interface
Prerequisites
Before you create a VLAN interface for a VLAN, create the VLAN first.
Creating a VLAN interface
1. Enter system view.
system-view
2. Create a VLAN interface and enter its view.
interface vlan-interface interface-number
3. Assign an IP address to the VLAN interface.
ip address ip-address { mask | mask-length } [ sub ]
By default, no IP address is assigned to a VLAN interface.
4. (Optional.) Configure the description for the VLAN interface.
description text
The default setting is the VLAN interface name. For example, Vlan-interface1 Interface.
5. (Optional.) Set the MTU for the VLAN interface.
mtu size
By default, the MTU for a VLAN interface is 1500 bytes.
6. (Optional.) Set a MAC address for the VLAN interface.
mac-address mac-address
By default, no MAC address is configured for a VLAN interface.
7. (Optional.) Set the expected bandwidth for the interface.
bandwidth bandwidth-value
By default, the expected bandwidth (in kbps) is the interface baud rate divided by 1000.
8. Bring up the VLAN interface.
undo shutdown
By default, a VLAN interface is up.
Restoring the default settings for the VLAN interface
Restrictions and guidelines
This feature might fail to restore the default settings for some commands for reasons such as command dependencies or system restrictions. Use the display this command in interface view to identify these commands, and then use their undo forms or follow the command reference to restore their default settings. If your restoration attempt still fails, follow the error message instructions to resolve the problem.
For information about the default command, see Interface Command Reference.
Procedure
1. Enter system view.
system-view
2. Enter a VLAN interface view.
interface vlan-interface interface-number
3. Restore the default settings for the VLAN interface.
Default
|
|
CAUTION: This feature might interrupt ongoing network services. Make sure you are fully aware of the impact of this feature when you use it on a live network. |
Verifying and maintaining VLANs
Verifying VLAN configuration
Perform all display tasks in any view.
· Display brief VLAN information.
display vlan brief
· Display VLAN information.
display vlan [ vlan-id1 [ to vlan-id2 ] | all | dynamic | reserved | static ]
· Display hybrid ports or trunk ports on the device.
display port { hybrid | trunk }
Verifying MAC-based VLAN configuration and running status
Perform all display tasks in any view.
· Display MAC-to-VLAN entries.
display mac-vlan { all | dynamic | mac-address mac-address [ mask mac-mask ] | static | vlan vlan-id }
· Display all ports that are enabled with the MAC-based VLAN feature.
display mac-vlan interface
Verifying VLAN group configuration and running status
Display VLAN group information in any view.
display vlan-group [ group-name ]
Verifying VLAN interface configuration and running status
Perform all display tasks in any view.
· Display VLAN interface information.
display interface [ vlan-interface [ interface-number ] ] [ brief [ description | down ] ]
Clearing VLAN interface statistics
Clear statistics on a VLAN interface in user view.
reset counters interface [ vlan-interface [ interface-number ] ]
|
|
NOTE: For information about the reset counters interface command, see Interface Command Reference. |
VLAN configuration examples
Example: Configuring port-based VLANs
Network configuration
As shown in Figure 3:
· Host A and Host C belong to Department A. VLAN 100 is assigned to Department A.
· Host B and Host D belong to Department B. VLAN 200 is assigned to Department B.
Configure port-based VLANs so that only hosts in the same department can communicate with each other.
Procedure
1. Configure Device A:
# Create VLAN 100, and assign Twenty-FiveGigE 1/0/1 to VLAN 100.
<DeviceA> system-view
[DeviceA] vlan 100
[DeviceA-vlan100] port twenty-fivegige 1/0/1
[DeviceA-vlan100] quit
# Create VLAN 200, and assign Twenty-FiveGigE 1/0/2 to VLAN 200.
[DeviceA] vlan 200
[DeviceA-vlan200] port twenty-fivegige 1/0/2
[DeviceA-vlan200] quit
# Configure Twenty-FiveGigE 1/0/3 as a trunk port, and assign the port to VLANs 100 and 200.
[DeviceA] interface twenty-fivegige 1/0/3
[DeviceA-Twenty-FiveGigE1/0/3] port link-type trunk
[DeviceA-Twenty-FiveGigE1/0/3] port trunk permit vlan 100 200
Please wait... Done.
2. Configure Device B in the same way Device A is configured. (Details not shown.)
3. Configure hosts:
a. Configure Host A and Host C to be on the same IP subnet. For example, 192.168.100.0/24.
b. Configure Host B and Host D to be on the same IP subnet. For example, 192.168.200.0/24.
Verifying the configuration
# Verify that Host A and Host C can ping each other, but they both fail to ping Host B and Host D. (Details not shown.)
# Verify that Host B and Host D can ping each other, but they both fail to ping Host A and Host C. (Details not shown.)
# Verify that VLANs 100 and 200 are correctly configured on Device A.
[DeviceA-Twenty-FiveGigE1/0/3] display vlan 100
VLAN ID: 100
VLAN type: Static
Route interface: Not configured
Description: VLAN 0100
Name: VLAN 0100
Tagged ports:
Twenty-FiveGigE1/0/3
Untagged ports:
Twenty-FiveGigE1/0/1
[DeviceA-Twenty-FiveGigE1/0/3] display vlan 200
VLAN ID: 200
VLAN type: Static
Route interface: Not configured
Description: VLAN 0200
Name: VLAN 0200
Tagged ports:
Twenty-FiveGigE1/0/3
Untagged ports:
Twenty-FiveGigE1/0/2
Example: Configuring MAC-based VLANs
Network configuration
As shown in Figure 4:
· Twenty-FiveGigE 1/0/1 of Device A and Device C are each connected to a meeting room. Laptop 1 and Laptop 2 are used for meetings and might be used in either of the two meeting rooms.
· One department uses VLAN 100 and owns Laptop 1. The other department uses VLAN 200 and owns Laptop 2.
Configure MAC-based VLANs, so that Laptop 1 and Laptop 2 can access Server 1 and Server 2, respectively, no matter which meeting room they are used in.
Procedure
1. Configure Device A:
# Create VLANs 100 and 200.
<DeviceA> system-view
[DeviceA] vlan 100
[DeviceA-vlan100] quit
[DeviceA] vlan 200
[DeviceA-vlan200] quit
# Associate the MAC addresses of Laptop 1 and Laptop 2 with VLANs 100 and 200, respectively.
[DeviceA] mac-vlan mac-address 000d-88f8-4e71 vlan 100
[DeviceA] mac-vlan mac-address 0014-222c-aa69 vlan 200
# Configure Twenty-FiveGigE 1/0/1 as a hybrid port, and assign it to VLANs 100 and 200 as an untagged VLAN member.
[DeviceA] interface twenty-fivegige 1/0/1
[DeviceA-Twenty-FiveGigE1/0/1] port link-type hybrid
[DeviceA-Twenty-FiveGigE1/0/1] port hybrid vlan 100 200 untagged
# Enable the MAC-based VLAN feature on Twenty-FiveGigE 1/0/1.
[DeviceA-Twenty-FiveGigE1/0/1] mac-vlan enable
[DeviceA-Twenty-FiveGigE1/0/1] quit
# Configure the uplink port (Twenty-FiveGigE 1/0/2) as a trunk port, and assign it to VLANs 100 and 200.
[DeviceA] interface twenty-fivegige 1/0/2
[DeviceA-Twenty-FiveGigE1/0/2] port link-type trunk
[DeviceA-Twenty-FiveGigE1/0/2] port trunk permit vlan 100 200
[DeviceA-Twenty-FiveGigE1/0/2] quit
2. Configure Device B:
# Create VLAN 100, and assign Twenty-FiveGigE 1/0/3 to VLAN 100.
<DeviceB> system-view
[DeviceB] vlan 100
[DeviceB-vlan100] port twenty-fivegige 1/0/3
[DeviceB-vlan100] quit
# Create VLAN 200 and assign Twenty-FiveGigE 1/0/4 to VLAN 200.
[DeviceB] vlan 200
[DeviceB-vlan200] port twenty-fivegige 1/0/4
[DeviceB-vlan200] quit
# Configure Twenty-FiveGigE 1/0/1 as a trunk port, and assign the port to VLANs 100 and 200.
[DeviceB] interface twenty-fivegige 1/0/1
[DeviceB-Twenty-FiveGigE1/0/1] port link-type trunk
[DeviceB-Twenty-FiveGigE1/0/1] port trunk permit vlan 100 200
[DeviceB-Twenty-FiveGigE1/0/1] quit
# Configure Twenty-FiveGigE 1/0/2 as a trunk port, and assign the port to VLANs 100 and 200.
[DeviceB] interface twenty-fivegige 1/0/2
[DeviceB-Twenty-FiveGigE1/0/2] port link-type trunk
[DeviceB-Twenty-FiveGigE1/0/2] port trunk permit vlan 100 200
[DeviceB-Twenty-FiveGigE1/0/2] quit
3. Configure Device C in the same way as the Device A is configured. (Details not shown.)
Verifying the configuration
# Verify that Laptop 1 can access only Server 1, and Laptop 2 can access only Server 2. (Details not shown.)
# Verify the MAC-to-VLAN entries on Device A and Device C, for example, on Device A.
[DeviceA] display mac-vlan all
The following MAC VLAN addresses exist:
S:Static D:Dynamic
MAC address Mask VLAN ID Dot1p State
000d-88f8-4e71 ffff-ffff-ffff 100 0 S
0014-222c-aa69 ffff-ffff-ffff 200 0 S
Total MAC VLAN address count: 2
