Introduction to port-based VLAN
Port-based VLANs group VLAN members by port. A port forwards traffic for a VLAN only after it is assigned to the VLAN.

Port link type
You can configure the link type of a port as access, trunk, or hybrid. The link types use the following VLAN tag handling methods:
An access port belongs to only one VLAN and sends traffic untagged. It is usually used to connect a terminal device that cannot recognize VLAN-tagged packets, or when there is no need to separate different VLAN members.
A trunk port can carry multiple VLANs and receives and sends traffic for all of them. Except for traffic of the default VLAN, traffic sent through a trunk port is VLAN tagged. Ports connecting network devices are usually configured as trunk ports.
Like a trunk port, a hybrid port can carry multiple VLANs and receives and sends traffic for all of them. Unlike a trunk port, a hybrid port allows traffic of any of its VLANs to pass through untagged. You can use hybrid ports to interconnect network devices or to connect terminals.
Default VLAN
By default, VLAN 1 is the default VLAN for all ports. You can configure the default VLAN for a port as required.
Use the following guidelines when configuring the default VLAN on a port:
Because an access port can join only one VLAN, its default VLAN is the VLAN to which it belongs and cannot be configured.
Because a trunk or hybrid port can join multiple VLANs, you can configure a default VLAN for the port.
You can use a nonexistent VLAN as the default VLAN for a hybrid or trunk port but not for an access port. After you remove the VLAN that an access port resides in with the undo vlan command, the default VLAN of the port changes to VLAN 1. The removal of the VLAN specified as the default VLAN of a trunk or hybrid port, however, does not affect the default VLAN setting on the port.
The following table shows how ports of different link types handle frames:
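As an added example (not part of the HPE document), the following Python model encodes the tag-handling rules described above for access, trunk and hybrid ports, including the guideline that a trunk or hybrid port may have a default VLAN it does not carry. The rules for untagged ingress and for tagged frames arriving on an access port are assumptions about switch behaviour, not statements from this page.

```python
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Frame:
    vlan: Optional[int]  # None: the frame is untagged; otherwise the 802.1Q VLAN ID


@dataclass
class Port:
    link_type: str                                    # "access", "trunk" or "hybrid"
    pvid: int = 1                                     # default VLAN of the port (VLAN 1 by default)
    permitted: Set[int] = field(default_factory=set)  # VLANs a trunk/hybrid port carries
    untagged: Set[int] = field(default_factory=set)   # hybrid only: VLANs sent without a tag

    def __post_init__(self) -> None:
        if self.link_type == "access":
            # An access port belongs only to its default VLAN and sends it untagged.
            self.permitted, self.untagged = {self.pvid}, {self.pvid}
        elif self.link_type == "trunk":
            # A trunk sends every VLAN tagged except its default VLAN.
            self.untagged = {self.pvid}
        elif self.link_type != "hybrid":
            raise ValueError(f"unknown link type {self.link_type!r}")

    def ingress(self, frame: Frame) -> Optional[int]:
        """VLAN the received frame is classified into, or None if it is dropped."""
        if frame.vlan is None:
            # Assumption: an untagged frame joins the default VLAN, but only if that
            # VLAN is permitted on the port (a trunk whose PVID is a VLAN it does not
            # carry, as the guidelines above allow, drops untagged traffic).
            return self.pvid if self.pvid in self.permitted else None
        # Assumption: a tagged frame is accepted only for a VLAN the port carries,
        # which on an access port means only its default VLAN.
        return frame.vlan if frame.vlan in self.permitted else None

    def egress(self, vlan: int) -> Optional[Frame]:
        """Frame as transmitted for the given VLAN, or None if the port does not carry it."""
        if vlan not in self.permitted:
            return None
        return Frame(None) if vlan in self.untagged else Frame(vlan)


def forward(ingress_port: Port, frame: Frame, egress_port: Port) -> Optional[Frame]:
    """Classify a frame on one port and emit it on another within the same VLAN."""
    vlan = ingress_port.ingress(frame)
    return None if vlan is None else egress_port.egress(vlan)


if __name__ == "__main__":
    access = Port("access", pvid=10)
    trunk = Port("trunk", pvid=1, permitted={1, 10, 20})
    hybrid = Port("hybrid", pvid=20, permitted={10, 20}, untagged={20})
    print(forward(access, Frame(None), trunk))   # Frame(vlan=10): leaves the trunk tagged
    print(forward(trunk, Frame(None), access))   # None: untagged on the trunk is VLAN 1
    print(forward(trunk, Frame(10), hybrid))     # Frame(vlan=10): hybrid tags VLAN 10
    print(forward(trunk, Frame(20), hybrid))     # Frame(vlan=None): hybrid sends 20 untagged
```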
© Copyright 2015 Hewlett Packard Enterprise Development LP
VLANs and Trunking
- By David Hucaby, Stephen McQuerry.
- Sample chapter is provided courtesy of Cisco Press.
- Date: Oct 25, 2002.
Chapter Information
- VLAN Configuration
- VLAN Port Assignments
- VLAN Trunking Protocol
- Private VLANs
- Further Reading
Chapter Description
From the book Cisco Field Manual: Catalyst Switch Configuration.
6-1: VLAN Configuration
VLANs are broadcast domains defined within switches to allow control of broadcast, multicast, unicast, and unknown unicast within a Layer 2 device.
VLANs are defined on a switch in an internal database known as the VLAN Trunking Protocol (VTP) database. After a VLAN has been created, ports are assigned to the VLAN.
VLANs are assigned numbers for identification within and between switches. Cisco switches have two ranges of VLANs, the normal range and the extended range.
VLANs have a variety of configurable parameters, including name, type, and state.
Several VLANs are reserved, and some can be used for internal purposes within the switch.
Creation of an Ethernet VLAN
VLANs are created on Layer 2 switches to control broadcasts and enforce the use of a Layer 3 device for communications. Each VLAN is created in the local switch's database for use. If a VLAN is not known to a switch, that switch cannot transfer traffic across any of its ports for that VLAN. VLANs are created by number, and there are two ranges of usable VLAN numbers (normal range 1 to 1000 and extended range 1025 to 4096). When a VLAN is created, you can also give it certain attributes such as a VLAN name, VLAN type, and its operational state. To create a VLAN, use the following steps.
Configure VTP.
VTP is a protocol used by Cisco switches to maintain a consistent database between switches for trunking purposes. VTP is not required to create VLANs; however, Cisco has set it up to act as a conduit for VLAN configuration between switches as a default to make administration of VLANs easier. Because of this, you must first either configure VTP with a domain name or disable VTP on the switch. VTP is explained in detail in section "6-4: VLAN Trunking Protocol."
For Catalyst 4000 and 6000 switches running IOS Supervisor 12.1(8a) or above (native IOS), you can configure the VTP parameters in global configuration mode as well.
Specify a VTP name:
By default, the VTP is in server mode and must be configured with a domain name before any VLANs can be created. These commands specify the VTP domain name. For IOS switches, you enter vlan database mode, shown by the (vlan) prompt, by entering the command vlan database at the privileged-level prompt.
The global configuration command vtp domain is not available on all switches that run IOS.
Disable VTP synchronization:
Another option is to disable VTP synchronization of the databases. Disabling it enables you to manage your local VTP database without configuring and relying on VTP. For Catalyst 4000 and 6000 switches running IOS Supervisor 12.1(8a) or above (native IOS), you can configure the VTP parameters in global configuration mode as well.
The global configuration command vtp mode transparent is not available on all switches that run IOS.
Disable VTP:
With the introduction of COS version 7.1.1, an option now exists to disable VTP completely. Use the command set vtp mode off to turn off VTP. After doing so, you can administer the local VTP database.
Create the VLAN.
VLANs are created by number. The two ranges of VLANs are as follows:
The standard range consists of VLANs 1 to 1000.
The extended range consists of VLANs 1025 to 4096.
Extended VLANs are currently supported only on switches running COS software version 6.1 or greater. When you create a VLAN, you have many options to consider. Many options are valid only for FDDI and Token Ring VLANs. Some of the items configured deal with options, such as private VLANs, which are discussed in other sections in this book. VLANs are created using the set vlan command for COS devices or with the vlan command in vlan database mode for IOS switches. For Ethernet VLANs, you can also configure the standard parameters in Table 6-1.
Table 6-1 Configurable VLAN Parameters
Many other options are available during the VLAN configuration command; however, most of these deal with the configuration of FDDI and Token Ring VLANs. Because these are not widely used topologies, the options and descriptions of Token Ring and FDDI VLAN configuration and parameters have not been included in this book. For information on Token Ring or FDDI VLANs, refer to http://www.cisco.com/univercd/cc/td/doc/product/lan/cat5000/rel_6_3/config/vlans.htm.
Create a VLAN in the standard range:
The vlan-id specifies the VLAN by number. For COS you can specify a range of VLANs in the vlan-id section; you cannot configure the name for a range of VLANs, however, because each VLAN is to have a unique name. For IOS switches, VLANs are created in vlan database mode. For Catalyst 6000 and 4000 switches running Supervisor IOS 12.1(8a) and above, you can create VLANs in global configuration mode if the switch is in VTP transparent mode. To do this, enter the vlan vlan-id command to move to vlan-config mode. From vlan-config mode, you can manage the parameters of the VLANs.
You cannot modify any of the parameters for VLAN 1.
Create a VLAN in the extended range.
Extended VLANs support VLANs up to 4096 in accordance with the 802.1Q standard. Currently only switches running COS 6.1 or greater can support creation and assignment of VLANs in the extended range. You cannot currently use VTP to manage VLANs in the extended range, and these VLANs cannot be passed over an Inter-Switch Link (ISL) trunk link.
Enable spanning-tree MAC reduction:
To allow these switches to use the extended range, you must first enable spanning-tree MAC reduction, which lets the switch support a large number of spanning-tree instances with a very limited number of MAC addresses while still meeting the IEEE 802.1D bridge ID requirement for each STP instance.
After you have created a VLAN in the extended range, you cannot disable this feature unless you first delete the VLAN.
Create a VLAN in the extended range:
Here the vlan-id would be a number from 1025 to 4096. Numbers 1001 to 1024 are reserved by Cisco and cannot be configured.
For Catalyst 6000 series switches with FlexWAN cards, the system identifies these ports internally with VLAN numbers starting with 1025. If you have any FlexWAN modules, be sure to reserve enough VLAN numbers (starting with VLAN 1025) for all the FlexWAN ports you want to install. You cannot use these extended VLANs if you install FlexWAN ports.
Feature Example
In this example, the switches Access_1 and Distribution_1 are going to be configured with VLANs 5, 8, and 10 with the names Cameron, Logan, and Katie, respectively. Also the distribution switch will be configured with VLAN 2112 with the name Rush.
An example of the Catalyst OS configuration for Distribution 1 follows:
An example of the Supervisor IOS configuration for Distribution 1 follows:
For the Supervisor IOS, extended VLANs such as 2112 are not supported.
An example of the Layer 2 IOS configuration for Access 1 follows:
Configure Port to VLAN Interface Settings on a Switch through the CLI
A Virtual Local Area Network (VLAN) allows you to logically segment a Local Area Network (LAN) into different broadcast domains. In scenarios where sensitive data may be broadcast on a network, VLANs can be created to enhance security by designating a broadcast to a specific VLAN. Only users that belong to a VLAN are able to access and manipulate the data on that VLAN.
You can configure the ports and specify whether the port should be in access or trunk mode, and assign specific ports to VLANs. This article provides instructions on how to configure an interface VLAN as an access or trunk port on your switch through the Command Line Interface (CLI).
Introduction
A VLAN is a network that is usually segmented by function or application. VLANs behave much like physical LANs, but you can group hosts even if they are not physically co-located. A switch port can belong to a VLAN. Unicast, broadcast, and multicast packets are forwarded and flooded only out ports in the same VLAN.
VLANs can also be used to enhance performance by reducing the need to send broadcasts and multicasts to unnecessary destinations. They also ease network configuration by logically connecting devices without physically relocating those devices.
Note: To learn how to configure the VLAN settings on your switch through the web-based utility, click here. For CLI-based instructions, click here.
The image below displays an SG350X switch that is configured with the following VLANs:

- VLAN1 - This is the default VLAN. The switch is connected to the router through this VLAN. This can be used but cannot be modified or deleted.
- VLAN10 - Virtual network for the Admin department. The network address is 192.168.10.1 with subnet mask 255.255.255.0 or /24.
- VLAN20 - Virtual network for the Finance department. The network address is 192.168.20.1 with subnet mask 255.255.255.0 or /24.
- VLAN30 - Virtual network for the Operations department. The network address is 192.168.30.1 with subnet mask 255.255.255.0 or /24.
In a bigger network, the configured VLANs with interfaces assigned as access and trunk ports on switches could look like this:

The port modes are defined as follows:
- Access Port - The frames received on the interface are assumed to not have a VLAN tag and are assigned to the specified VLAN. Access ports are used primarily for hosts and can only carry traffic for a single VLAN.
- Trunk Port - The frames received on the interface are assumed to have VLAN tags. Trunk ports are for links between switches or other network devices and are capable of carrying traffic for multiple VLANs.
Note: By default, all interfaces are in trunk mode, which means they can carry traffic for all VLANs. To know how to assign an interface VLAN as an Access or Trunk port through the web-based utility of the switch, click here.
To configure VLANs, follow these guidelines:
1. Create the VLANs. To learn how to configure the VLAN settings on your switch through the web-based utility, click here. For CLI-based instructions, click here.
2. (Optional) Set the desired VLAN-related configuration for ports. For instructions on how to configure the VLAN interface settings on your switch through the web-based utility, click here. For CLI-based instructions, click here.
3. Assign interfaces to VLANs. For instructions on how to assign interfaces to VLANs through the web-based utility of your switch, click here.
4. (Optional) Configure VLAN groups on your switch. You can configure any of the following:
- MAC-based VLAN Group Overview - For instructions on how to configure MAC-based VLAN Groups through the web-based utility of your switch, click here. For CLI-based instructions, click here.
- Subnet-based VLAN Groups Overview - For instructions on how to configure subnet-based VLAN Groups through the web-based utility of your switch, click here. For CLI-based instructions, click here.
- Protocol-based VLAN Groups Overview - For instructions on how to configure Protocol-based VLAN Groups through the web-based utility of your switch, click here. For CLI-based instructions, click here.
5. (Optional) Configure TV VLAN settings on your switch. You can configure any of the following:
- Access Port Multicast TV VLAN - For instructions on how to configure Access Port Multicast TV VLAN through the web-based utility of your switch, click here.
- Customer Port Multicast TV VLAN - For instructions on how to configure Customer Port Multicast TV VLAN through the web-based utility of your switch, click here.
Applicable Devices | Software Version
- Sx300 Series | 1.4.7.06
- Sx350 Series | 2.2.8.04
- SG350X Series | 2.2.8.04
- Sx500 Series | 1.4.7.06
- Sx550X Series | 2.2.8.04
Configure VLAN Interface Settings on the Switch through the CLI
Configure Interface as Access Port and Assign to VLAN
Step 1. Log in to the switch console. The default username and password are cisco/cisco. If you have configured a new username or password, enter those credentials instead.

Note: The commands may vary depending on the exact model of your switch. In this example, the SG350X switch is accessed through Telnet.
Step 2. To display the current VLAN on the switch, enter the following:

Note: In this example, VLANs 1, 10, 20, and 30 are available with no manually assigned ports.
Step 3. From the Privileged EXEC mode of the switch, enter the Global Configuration mode by entering the following:
Step 4. In the Global Configuration mode, enter the Interface Configuration context by entering the following:
The options are:
- interface-id - Specifies an interface ID to be configured.
- range vlan vlan-range - Specifies a list of VLANs. Separate nonconsecutive VLANs with a comma and no spaces. Use a hyphen to designate a range of VLANs.

Note: In this example, an interface range that covers ports 14 to 24 is entered.
Step 5. In the Interface Configuration context, use the switchport mode command to configure the VLAN membership mode.

Step 6. Use the switchport access vlan command to assign the port or range of ports to a VLAN as access ports. A port in access mode can have only one VLAN configured on the interface, so it carries traffic for only that VLAN.
- vlan-id - Specifies the VLAN to which the port is configured.
- none - Specifies that the access port cannot belong to any VLAN.

Note: In this example, the range of ports is assigned to VLAN 30.
Step 7. (Optional) To return the port or range of ports to the default VLAN, enter the following:
Step 8. To exit the Interface Configuration context, enter the following:

Step 9. (Optional) Repeat steps 4 to 6 to configure more access ports and assign them to the corresponding VLANs.

Note: In this example, interface range 26 to 36 is assigned to VLAN 10, while interface range 38 to 48 is assigned to VLAN 20.
Step 10. Enter the end command to go back to the Privileged EXEC mode:

Step 11. (Optional) To display the configured ports on the VLANs, enter the following:

Note: The configured ports should be displayed under their assigned VLANs. In this example, interface range 26 to 36 is assigned to VLAN 10, 38 to 48 belongs to VLAN 20, and 14 to 24 is configured for VLAN 30.
Step 12. (Optional) In the Privileged EXEC mode of the switch, save the configured settings to the startup configuration file by entering the following:

Step 13. (Optional) Press Y for Yes or N for No on your keyboard once the Overwrite file [startup-config]… prompt appears.

You should now have configured the interfaces on your switch as access ports and assigned them to their corresponding VLANs.
Configure Interface as Trunk Port and Assign to VLAN
Step 1. In the Privileged EXEC mode of the switch, enter the Global Configuration mode by entering the following:
Step 2. In the Global Configuration mode, enter the Interface Configuration context by entering the following:

Note: In this example, interface ge1/0/13 is used.
Step 3. In the Interface Configuration context, use the switchport mode command to configure the VLAN membership mode.

Step 4. (Optional) To return the port to the default VLAN, enter the following:
Step 5. Use the switchport trunk allowed vlan command to specify which VLANs the port belongs to when its mode is configured as trunk.
- all - Specifies all VLANs from 1 to 4094. At any time, the port belongs to all VLANs that exist at that time.
- none - Specifies an empty VLAN list. The port does not belong to any VLAN.
- add vlan-list - List of VLAN IDs to add to the port. Separate nonconsecutive VLAN IDs with a comma and no spaces. Use a hyphen to designate a range of IDs.
- remove vlan-list - List of VLAN IDs to remove from a port. Separate nonconsecutive VLAN IDs with a comma and no spaces. Use a hyphen to designate a range of IDs.
- except vlan-list - List of VLAN IDs including all VLANs from range 1-4094 except VLANs belonging to vlan-list.
Note: In this example, port ge1/0/13 belongs to all VLANs except VLAN 10.

Step 6. To exit the Interface Configuration context, enter the following:

Step 8. (Optional) Repeat steps 2 to 6 to configure more trunk ports and assign them to the corresponding VLANs.

Note: In this example, interface ge1/0/25 belongs to VLAN 10 but not to VLAN 20, while interface ge1/0/27 belongs to all VLANs except VLAN 10.
Step 9. Enter the end command to go back to the Privileged EXEC mode:

Step 10. (Optional) To display the configured ports on the VLANs, enter the following:

Note: The configured ports should be displayed under their assigned VLANs. In this example, the trunk port gi1/0/25 belongs to VLAN 10 and VLAN 30, while gi1/0/13 and gi1/0/37 both belong to VLAN 20 and VLAN 30.
Step 11. (Optional) In the Privileged EXEC mode of the switch, save the configured settings to the startup configuration file by entering the following:

Step 12. (Optional) Press Y for Yes or N for No on your keyboard once the Overwrite file [startup-config]… prompt appears.

You should now have configured the interfaces on your switch as trunk ports and assigned them to their corresponding VLANs.
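Both procedures above (access ports in steps 4 to 6, trunk ports in steps 2 to 5) change which VLANs a port ends up carrying, and on this switch family the starting point is a trunk that carries every VLAN. As an added example (not Cisco's code), the following Python script replays a constructed transcript of those switchport commands, computes each port's effective VLAN membership from the all/none/add/remove/except semantics listed above, and reports trunk ports left at the default of carrying all VLANs; treating VLAN 1 as the default access VLAN is an assumption.

```python
import re
from typing import Dict, List, Set

ALL_VLANS: Set[int] = set(range(1, 4095))  # the "all" option: VLAN IDs 1 to 4094
IFACE_RE = re.compile(r"^([A-Za-z]+\d+/\d+/)(\d+)(?:-(\d+))?$")  # e.g. ge1/0/14-24

# Constructed transcript of the commands from the two procedures above (not a capture).
TRANSCRIPT = """
interface range ge1/0/14-24
switchport mode access
switchport access vlan 30
exit
interface ge1/0/13
switchport mode trunk
switchport trunk allowed vlan except 10
exit
interface ge1/0/25
switchport mode trunk
switchport trunk allowed vlan none
switchport trunk allowed vlan add 10,30
exit
interface ge1/0/27
switchport mode trunk
end
"""

def parse_vlan_list(text: str) -> Set[int]:
    """'10,20-22' -> {10, 20, 21, 22}: commas separate IDs, a hyphen spans a range."""
    vlans: Set[int] = set()
    for item in text.split(","):
        lo, _, hi = item.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def expand_interfaces(text: str) -> List[str]:
    """'ge1/0/14-24' -> ['ge1/0/14', ..., 'ge1/0/24']; a single ID expands to itself."""
    m = IFACE_RE.match(text)
    if not m:
        raise ValueError(f"unsupported interface id {text!r}")
    prefix, lo, hi = m.group(1), int(m.group(2)), m.group(3)
    return [f"{prefix}{n}" for n in range(lo, int(hi or lo) + 1)]

def replay(transcript: str) -> Dict[str, dict]:
    """Apply each command to the ports currently selected; return per-port state."""
    ports: Dict[str, dict] = {}
    current: List[str] = []

    def state(port: str) -> dict:
        # Article default: every interface starts as a trunk carrying all VLANs.
        return ports.setdefault(port, {"mode": "trunk", "access": {1}, "trunk": set(ALL_VLANS)})

    for raw in transcript.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "interface":
            current = expand_interfaces(words[2] if words[1] == "range" else words[1])
            for p in current:
                state(p)
        elif words[:2] == ["switchport", "mode"]:
            for p in current:
                state(p)["mode"] = words[2]
        elif words[:3] == ["switchport", "access", "vlan"]:
            vlans = set() if words[3] == "none" else {int(words[3])}  # none: no VLAN at all
            for p in current:
                state(p)["access"] = set(vlans)
        elif words[:4] == ["switchport", "trunk", "allowed", "vlan"]:
            op = words[4]
            listed = parse_vlan_list(words[5]) if len(words) > 5 else set()
            for p in current:
                cur = state(p)["trunk"]
                state(p)["trunk"] = {  # semantics of all/none/add/remove/except
                    "all": set(ALL_VLANS), "none": set(), "add": cur | listed,
                    "remove": cur - listed, "except": ALL_VLANS - listed}[op]
        elif words[0] in ("exit", "end"):
            current = []
    return ports

def effective(ports: Dict[str, dict]) -> Dict[str, Set[int]]:
    """Effective membership: the access VLAN in access mode, the allowed list in trunk mode."""
    return {p: s["access"] if s["mode"] == "access" else s["trunk"] for p, s in ports.items()}

def unrestricted_trunks(ports: Dict[str, dict]) -> List[str]:
    """Trunk ports still carrying every VLAN, i.e. left at the default allowed list."""
    return sorted(p for p, s in ports.items() if s["mode"] == "trunk" and s["trunk"] == ALL_VLANS)

def compress(vlans: Set[int]) -> str:
    """Render a VLAN set in CLI list syntax, e.g. {1, 2, 3, 5} -> '1-3,5'."""
    ids, out, i = sorted(vlans), [], 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
            j += 1
        out.append(str(ids[i]) if i == j else f"{ids[i]}-{ids[j]}")
        i = j + 1
    return ",".join(out) or "none"

if __name__ == "__main__":
    audited = replay(TRANSCRIPT)
    for port, vlans in sorted(effective(audited).items()):
        print(f"{port:<10} {audited[port]['mode']:<6} {compress(vlans)}")
    print("trunks carrying all VLANs:", unrestricted_trunks(audited))
```

Run it against a transcript of the commands you actually entered, or extend the parser with the lines of your own running configuration, to confirm no trunk carries more VLANs than intended.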
Important: To proceed with configuring the VLAN group settings on your switch, follow the guidelines above.
How do I create and manage port-based VLANs on my NETGEAR GS908E switch?
You must activate the port-based VLAN mode (also referred to as the basic VLAN mode) before you can add and manage port-based VLANs.
Click a topic from the following list to skip to that topic:
- Activate the port-based VLAN mode
- Create a port-based VLAN
- Change a port-based VLAN
- Delete a port-based VLAN
By default, all types of VLANs are disabled on the switch. Before you can add and manage port-based VLANs, you must activate the port-based VLAN mode. This mode is also referred to as the basic VLAN mode.
When you activate the port-based VLAN mode, VLAN 1 is added to the switch and all ports (1 through 8) are members of VLAN 1. This is the default VLAN in the port-based VLAN mode.
To activate the port-based VLAN mode:
- Open a web browser from a computer that is connected to the same network as the switch or to the switch directly through an Ethernet cable.
- Enter the IP address that is assigned to the switch. The login page opens.
- Enter the switch password. The default password is password. The password is case-sensitive. The Home page displays.
- From the menu at the top of the page, select SWITCHING. The Quality of Service (QoS) page displays.
- From the menu on the left, select VLAN. The VLAN page displays.
- In the Port-based VLAN (Basic Mode) section, click the ACTIVATE button. A pop-up window opens, informing you that the current VLAN settings will be lost.
- Click the OK button. Your settings are saved and the pop-up window closes. By default, VLAN 1 is added.
A port-based VLAN configuration lets you assign ports on the switch to a VLAN. The number of VLANs is limited to the number of ports on the switch. In a basic port-based VLAN configuration, ports with the same VLAN ID are placed into the same VLAN. One port can be a member of multiple VLANs.
By default, all ports are members of VLAN 1.
To create a port-based VLAN:
- In the Port-based VLAN section, click the ADD VLAN button.
- VLAN Name. Enter a name from 1 to 20 characters.
- VLAN ID. Enter a number from 1 to 8.
- Click the Select All link to add all ports to the VLAN.
- Click the Remove All link to remove all selected ports from the VLAN.
- Click the icon for an unselected port to add the port to the VLAN.
- Click the icon for a selected port to remove the port from the VLAN. The icon for a selected port displays blue.
If ports are members of the same LAG, you must assign them to the same VLAN.
- Click the APPLY button. Your settings are saved. The new VLAN shows in the Port-based VLAN section.
You can change the settings for an existing port-based VLAN.
To change a port-based VLAN:
- In the Port-based VLAN section, click the down arrow for the VLAN that you want to change.
- Click the EDIT button.
- Click the APPLY button. Your settings are saved. The modified VLAN shows in the Port-based VLAN section.
You can delete a port-based VLAN that you no longer need. You cannot delete the default VLAN.
If you deactivate the port-based VLAN mode, all port-based VLANs are deleted.
To delete a port-based VLAN:
- In the Port-based VLAN section, click the down arrow for the VLAN that you want to delete.
- Click the DELETE button. Your settings are saved. The VLAN is deleted.
For more information about using VLANs with your GS908E switch, see the following knowledge base articles:
- What types of VLANs can I create on my NETGEAR GS908E switch?
- How do I create and manage 802.1Q VLANs on my NETGEAR GS908E switch?
Last Updated: 11/11/2017 | Article ID: 000051460
This document describes the configuration of Ethernet services, including configuring link aggregation, VLANs, Voice VLAN, VLAN mapping, QinQ, GVRP, MAC table, STP/RSTP/MSTP, SEP, and so on.
Networking Requirements
A company uses multiple services, including IPTV, VoIP, and Internet access. Each service uses a different protocol. To facilitate network management, each service is added to a different VLAN.
In Figure 4-26, Switch1 receives packets of multiple services that use different protocols. Users in VLAN 10 use IPv4 to communicate with remote users, and users in VLAN 20 use IPv6 to communicate with the servers. Switch1 needs to assign VLANs to packets of different services and transmit packets with different VLAN IDs to different servers.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and determine which VLAN each service belongs to.
2. Associate protocols with VLANs so that the VLANs can be assigned based on protocols.
3. Add interfaces to VLANs so that packets of the protocol-based VLANs can pass through the interfaces.
4. Associate interfaces with VLANs.
After the Switch receives a frame of a specified protocol, it assigns the VLAN ID associated with the protocol to the frame.
<Quidway> system-view
[Quidway] sysname Switch1
[Switch1] vlan batch 10 20
# Associate IPv4 with VLAN 10 on Switch1.
# Associate IPv6 with VLAN 20 on Switch1.
# Associate GE 1/0/2 with VLAN 10 and set the 802.1p priority of VLAN 10 to 5 on Switch1.
# Associate GE 1/0/3 with VLAN 20 and set the 802.1p priority of VLAN 20 to 6 on Switch1.
# Add GE 1/0/1 to VLAN 10 and VLAN 20 in trunk mode on Switch1.
# Add GE 1/0/2 to VLAN 10 in untagged mode on Switch1.
# Add GE 1/0/3 to VLAN 20 in untagged mode on Switch1.
# Add GE 1/0/1 to VLAN 10 and VLAN 20 in trunk mode on the switch.
# Add GE 1/0/2 to VLAN 10 in trunk mode on the switch.
# Add GE 1/0/3 to VLAN 20 in trunk mode on the switch.
After the configuration is complete, run the display protocol-vlan interface all command on Switch1 to view the protocol-based VLAN assignment.
Configuration Files
Switch1 configuration file
Switch configuration file
Document ID: EDOC1000142074
Configuring VLANs
Overview
VLAN frame encapsulation
Protocols and standards
Configuration restrictions and guidelines
Configuring basic VLAN settings
Configuring VLAN interfaces
Configuring port-based VLANs
Introduction
Assigning an access port to a VLAN
Assigning a trunk port to a VLAN
Assigning a hybrid port to a VLAN
Configuring MAC-based VLANs
Introduction
General configuration restrictions and guidelines
Configuring static MAC-based VLAN assignment
Configuring dynamic MAC-based VLAN assignment
Configuring server-assigned MAC-based VLAN
Configuring IP subnet-based VLANs
Configuring protocol-based VLANs
Configuring a VLAN group
Enabling packet statistics for a VLAN
Displaying and maintaining VLANs
VLAN configuration examples
Port-based VLAN configuration example
MAC-based VLAN configuration example
IP subnet-based VLAN configuration example
Protocol-based VLAN configuration example
Configuring super VLANs
Overview
Super VLAN configuration restrictions and guidelines
Super VLAN configuration task list
Creating a sub-VLAN
Configuring a super VLAN
Configuring a super VLAN interface
Displaying and maintaining super VLANs
Super VLAN configuration example
Network requirements
Configuration procedure
Verifying the configuration
Configuring the private VLAN
Configuration task list
Configuration restrictions and guidelines
Configuration procedure
Displaying and maintaining the private VLAN
Private VLAN configuration examples
Promiscuous port configuration example
Trunk promiscuous port configuration example
Trunk promiscuous and trunk secondary port configuration example
Secondary VLAN Layer 3 communication configuration example
Configuring voice VLANs
Overview
Methods of identifying IP phones
Identifying IP phones through OUI addresses
Automatically identifying IP phones through LLDP
Advertising the voice VLAN information to IP phones
IP phone access methods
Connecting the host and the IP phone in series
Connecting the IP phone to the device
Voice VLAN assignment modes
Automatic mode
Manual mode
Cooperation of voice VLAN assignment modes and IP phones
Security mode and normal mode of voice VLANs
Voice VLAN configuration restrictions and guidelines
Voice VLAN configuration task list
Configuring the QoS priority settings for voice traffic
Configuring a port to operate in automatic voice VLAN assignment mode
Configuration restrictions and guidelines
Configuration procedure
Configuring a port to operate in manual voice VLAN assignment mode
Configuration restrictions and guidelines
Configuration procedure
Enabling LLDP for automatic IP phone discovery
Configuration restrictions and guidelines
Configuration procedure
Configuring LLDP to advertise a voice VLAN
Configuring CDP to advertise a voice VLAN
Displaying and maintaining voice VLANs
Voice VLAN configuration examples
Automatic voice VLAN assignment mode configuration example
Manual voice VLAN assignment mode configuration example
Configuring VLANs
Ethernet is a family of shared-media LAN technologies based on the CSMA/CD mechanism. An Ethernet LAN is both a collision domain and a broadcast domain. Because the medium is shared, collisions and broadcasts are common in an Ethernet LAN. Typically, bridges and Layer 2 switches can reduce collisions in an Ethernet LAN. To confine broadcasts, a Layer 2 switch must use the Virtual Local Area Network (VLAN) technology.
VLANs enable a Layer 2 switch to break a LAN down into smaller broadcast domains, as shown in Figure 1.
Figure 1 A VLAN diagram
A VLAN is logically divided on an organizational basis rather than on a physical basis. For example, you can assign all workstations and servers used by a particular workgroup to the same VLAN, regardless of their physical locations. Hosts in the same VLAN can directly communicate with one another. You need a router or a Layer 3 switch for hosts in different VLANs to communicate with one another.
All these VLAN features reduce bandwidth waste, improve LAN security, and enable flexible virtual group creation.
VLAN frame encapsulation
To identify Ethernet frames from different VLANs, IEEE 802.1Q inserts a four-byte VLAN tag between the destination and source MAC address (DA&SA) field and the Type field.
Figure 2 VLAN tag placement and format
A VLAN tag includes the following fields:
· TPID —16-bit tag protocol identifier that indicates whether a frame is VLAN-tagged. By default, the hexadecimal TPID value 8100 identifies a VLAN-tagged frame. A device vendor can set the TPID to a different value. For compatibility with a neighbor device, set the TPID value on the device to be the same as the neighbor device.
· Priority —3-bit long, identifies the 802.1p priority of the frame. For more information, see ACL and QoS Configuration Guide.
· CFI —1-bit long canonical format indicator that indicates whether the MAC addresses are encapsulated in the standard format when packets are transmitted across different media. Available values include:
¡ 0 (default) —The MAC addresses are encapsulated in the standard format.
¡ 1 —The MAC addresses are encapsulated in a non-standard format.
This field is always set to 0 for Ethernet.
· VLAN ID —12-bit long, identifies the VLAN to which the frame belongs. The VLAN ID range is 0 to 4095. VLAN IDs 0 and 4095 are reserved, and VLAN IDs 1 to 4094 are user configurable.
The way a network device handles an incoming frame depends on whether the frame has a VLAN tag and the value of the VLAN tag (if any). For more information, see "Introduction."
Ethernet supports encapsulation formats Ethernet II, 802.3/802.2 LLC, 802.3/802.2 SNAP, and 802.3 raw. The Ethernet II encapsulation format is used here. For information about the VLAN tag fields in other frame encapsulation formats, see related protocols and standards.
For a frame that has multiple VLAN tags, the device handles it according to its outermost VLAN tag and transmits its inner VLAN tags as the payload.
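The following is an added example, not code from the configuration guide, that parses the tag layout described above (TPID, 3-bit priority, 1-bit CFI, 12-bit VLAN ID), acts only on the outermost tag of a multi-tagged frame, and shows what happens when a neighbor uses a TPID the device is not configured to recognise. The sample frames, the EtherType constants and the placeholder IPv4 bytes are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

DEFAULT_TPID = 0x8100   # default TPID that identifies a VLAN-tagged frame
# A vendor may use another TPID; a device recognises only the values it is configured for.


@dataclass
class VlanTag:
    tpid: int
    priority: int   # 3-bit 802.1p priority, 0 to 7
    cfi: int        # 1-bit canonical format indicator, always 0 on Ethernet
    vid: int        # 12-bit VLAN ID, 0 to 4095


@dataclass
class ParsedFrame:
    dst: bytes
    src: bytes
    tag: Optional[VlanTag]   # outermost tag only: the one the device acts on
    ethertype: int           # EtherType that follows the outer tag (or DA/SA if untagged)
    payload: bytes           # everything after that EtherType, inner tags included


def parse_frame(frame: bytes, tpids: Tuple[int, ...] = (DEFAULT_TPID,)) -> ParsedFrame:
    """Parse an Ethernet II frame, treating it as tagged only if its TPID is in `tpids`."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet II header")
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack_from("!H", frame, 12)
    if etype not in tpids:
        # No recognised tag: the EtherType sits directly after DA and SA.
        return ParsedFrame(dst, src, None, etype, frame[14:])
    if len(frame) < 18:
        raise ValueError("frame carries a TPID but is too short for TCI and EtherType")
    tci, inner_etype = struct.unpack_from("!HH", frame, 14)
    tag = VlanTag(tpid=etype, priority=tci >> 13, cfi=(tci >> 12) & 1, vid=tci & 0x0FFF)
    return ParsedFrame(dst, src, tag, inner_etype, frame[18:])


def count_tags(frame: bytes, tpids: Tuple[int, ...] = (DEFAULT_TPID,)) -> int:
    """Number of stacked tags (QinQ); only the outermost one influences forwarding."""
    offset, count = 12, 0
    while len(frame) >= offset + 4 and struct.unpack_from("!H", frame, offset)[0] in tpids:
        count += 1
        offset += 4
    return count


def vid_is_configurable(vid: int) -> bool:
    """VLAN IDs 0 and 4095 are reserved; 1 to 4094 are user configurable."""
    return 1 <= vid <= 4094


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                tags: Tuple[Tuple[int, int], ...] = (), tpid: int = DEFAULT_TPID) -> bytes:
    """Build a frame for testing; `tags` lists (priority, vid) pairs from outermost inward."""
    header = dst + src
    for priority, vid in tags:
        if not (0 <= priority <= 7 and 0 <= vid <= 4095):
            raise ValueError("priority must be 0-7 and VID 0-4095")
        header += struct.pack("!HH", tpid, (priority << 13) | vid)
    return header + struct.pack("!H", ethertype) + payload


# Constructed sample frames (MAC addresses borrowed from the MAC-based VLAN example later in this guide).
LAPTOP1_MAC = bytes.fromhex("000d88f84e71")
LAPTOP2_MAC = bytes.fromhex("0014222caa69")
ETHERTYPE_IPV4 = 0x0800
DUMMY_IPV4 = bytes([0x45]) + bytes(19)   # constructed placeholder for an IPv4 header
SINGLE_TAGGED = build_frame(LAPTOP2_MAC, LAPTOP1_MAC, ETHERTYPE_IPV4, DUMMY_IPV4, tags=((5, 100),))
DOUBLE_TAGGED = build_frame(LAPTOP2_MAC, LAPTOP1_MAC, ETHERTYPE_IPV4, DUMMY_IPV4, tags=((0, 200), (5, 100)))
VENDOR_TAGGED = build_frame(LAPTOP2_MAC, LAPTOP1_MAC, ETHERTYPE_IPV4, DUMMY_IPV4, tags=((5, 100),), tpid=0x9100)

if __name__ == "__main__":
    for name, frame in (("single", SINGLE_TAGGED), ("double", DOUBLE_TAGGED), ("vendor", VENDOR_TAGGED)):
        parsed = parse_frame(frame)
        print(name, parsed.tag, hex(parsed.ethertype), "stacked tags:", count_tags(frame))
```

A frame tagged with TPID 0x9100 parses as untagged with EtherType 0x9100 unless 0x9100 is in the recognised TPIDs, which is why the TPID must match the neighbor device.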
Protocols and standards
IEEE 802.1Q, IEEE Standard for Local and Metropolitan Area Networks: Virtual Bridged Local Area Networks
Configuration restrictions and guidelines
The VLAN ID value range supported by an IRF 3.1 system depends on PEXs. For more information, see PEX manuals.
Configuring basic VLAN settings
Configuring VLAN interfaces
Hosts of different VLANs use VLAN interfaces to communicate at Layer 3. VLAN interfaces are virtual interfaces that do not exist as physical entities on devices. For each VLAN, you can create one VLAN interface and assign an IP address to it. The VLAN interface acts as the gateway of the VLAN to forward packets destined for another IP subnet at Layer 3.
When you configure a VLAN interface, follow these restrictions and guidelines:
· Before you create a VLAN interface for a VLAN, create the VLAN first.
· You cannot create VLAN interfaces for sub-VLANs. For more information about sub-VLANs, see "Configuring super VLANs."
· You cannot create VLAN interfaces for secondary VLANs that have the following characteristics:
¡ Associated with the same primary VLAN.
¡ Enabled with Layer 3 communication in VLAN interface view of the primary VLAN interface.
For more information about secondary VLANs, see "Configuring the private VLAN."
To configure basic settings of a VLAN interface:
Configuring port-based VLANs
Introduction
Port-based VLANs group VLAN members by port. A port forwards packets from a VLAN only after it is assigned to the VLAN.
Port link type
You can set the link type of a port to access, trunk, or hybrid. The port link type determines whether the port can be assigned to multiple VLANs. The link types use the following VLAN tag handling methods:
· Access —An access port can forward packets only from one VLAN and send these packets untagged. An access port is typically used in the following conditions:
¡ Connecting to a terminal device that does not support VLAN packets.
¡ In scenarios that do not distinguish VLANs.
· Trunk —A trunk port can forward packets from multiple VLANs. Except packets from the port VLAN ID (PVID), packets sent out of a trunk port are VLAN-tagged. Ports connecting network devices are typically configured as trunk ports.
· Hybrid —A hybrid port can forward packets from multiple VLANs. The tagging status of the packets forwarded by a hybrid port depends on the port configuration. In one-to-two VLAN mapping, hybrid ports are used to remove SVLAN tags for downlink traffic. For more information about one-to-two VLAN mapping, see "Configuring VLAN mapping."
The PVID identifies the default VLAN of a port. Untagged packets received on a port are considered as the packets from the port PVID.
When you set the PVID for a port, follow these restrictions and guidelines:
· An access port can join only one VLAN. The VLAN to which the access port belongs is the PVID of the port.
· A trunk or hybrid port supports multiple VLANs and the PVID configuration.
· When you use the undo vlan command to delete the PVID of a port, either of the following events occurs depending on the port link type:
¡ For an access port, the PVID of the port changes to VLAN 1.
¡ For a hybrid or trunk port, the PVID setting of the port does not change.
You can use a nonexistent VLAN as the PVID for a hybrid or trunk port, but not for an access port.
· As a best practice, set the same PVID for a local port and its peer.
· To prevent a port from dropping untagged packets or PVID-tagged packets, assign the port to its PVID.
How ports of different link types handle frames
In a VLAN-aware network, the default processing order for untagged packets is as follows, in descending order of priority:
· MAC-based VLANs.
· IP subnet-based VLANs.
· Protocol-based VLANs.
· Port-based VLANs.
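The following is an added example, not code from the configuration guide, that models the link-type and PVID behaviour described above: untagged frames take the PVID, a port drops untagged and PVID-tagged frames unless it is assigned to its PVID, a trunk sends everything tagged except its PVID, and a hybrid port tags or untags per its configuration. The topology and port names are constructed to mirror Device A of the port-based VLAN example later in this guide; the handling of a tagged frame arriving on an access port (accepted only if the VID is the port's own VLAN) is an assumption.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Port:
    name: str
    link_type: str                                      # "access", "trunk" or "hybrid"
    pvid: int = 1                                       # default VLAN is VLAN 1 until configured
    permit: Set[int] = field(default_factory=set)       # VLANs the port is assigned to
    untagged: Set[int] = field(default_factory=set)     # hybrid only: VLANs sent out untagged

    def __post_init__(self) -> None:
        if self.link_type == "access":
            # An access port belongs to exactly one VLAN, its PVID, and sends it untagged.
            self.permit = {self.pvid}
            self.untagged = {self.pvid}
        elif self.link_type == "trunk":
            # A trunk port sends every permitted VLAN tagged except its PVID.
            self.untagged = {self.pvid}
        elif self.link_type == "hybrid":
            if not self.untagged <= self.permit:
                raise ValueError("untagged VLANs of a hybrid port must also be permitted")
        else:
            raise ValueError(f"unknown link type {self.link_type!r}")


def ingress(port: Port, vid: Optional[int]) -> Optional[int]:
    """VLAN an inbound frame is placed in, or None if the port drops it.

    vid=None means the frame arrived untagged and is treated as PVID traffic.
    A port that is not assigned to its PVID drops untagged and PVID-tagged frames.
    Assumption: an access port accepts a tagged frame only if the VID is its own VLAN.
    """
    vlan = port.pvid if vid is None else vid
    return vlan if vlan in port.permit else None


def egress(port: Port, vid: int) -> Optional[str]:
    """'tagged' or 'untagged' for a frame of VLAN `vid` leaving the port, None if it cannot leave."""
    if vid not in port.permit:
        return None
    return "untagged" if vid in port.untagged else "tagged"


def forward(in_port: Port, vid_in: Optional[int], out_port: Port) -> Optional[Tuple[str, int]]:
    """Carry one frame from in_port to out_port; returns (tagging, vid) or None if dropped."""
    vlan = ingress(in_port, vid_in)
    if vlan is None:
        return None
    action = egress(out_port, vlan)
    return None if action is None else (action, vlan)


def vlan_members(ports: List[Port], vid: int) -> Tuple[List[str], List[str]]:
    """Tagged and untagged member ports of a VLAN, in the way 'display vlan' lists them."""
    tagged = [p.name for p in ports if egress(p, vid) == "tagged"]
    untagged = [p.name for p in ports if egress(p, vid) == "untagged"]
    return tagged, untagged


# Constructed topology: GE1/0/1 is an access port in VLAN 100, GE1/0/2 an access port in
# VLAN 200, GE1/0/3 a trunk carrying both with its PVID left at the default VLAN 1.
GE1 = Port("GigabitEthernet1/0/1", "access", pvid=100)
GE2 = Port("GigabitEthernet1/0/2", "access", pvid=200)
GE3 = Port("GigabitEthernet1/0/3", "trunk", permit={100, 200})
DEVICE_A = [GE1, GE2, GE3]

if __name__ == "__main__":
    print("Host on GE1/0/1 -> trunk:", forward(GE1, None, GE3))   # ('tagged', 100)
    print("untagged frame on trunk:", ingress(GE3, None))          # None: PVID 1 is not permitted
    print("VLAN 100 members:", vlan_members(DEVICE_A, 100))
```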
Assigning an access port to a VLAN
You can assign an access port to a VLAN in VLAN view or interface view.
Make sure the VLAN has been created.
Assign one or multiple access ports to a VLAN in VLAN view
Assign an access port to a VLAN in interface view
Assigning a trunk port to a VLAN
A trunk port supports multiple VLANs. You can assign it to a VLAN in interface view.
When you assign a trunk port to a VLAN, follow these restrictions and guidelines:
· To change the link type of a port from trunk to hybrid, set the link type to access first.
· To enable a trunk port to transmit packets from its PVID, you must assign the trunk port to the PVID by using the port trunk permit vlan command.
To assign a trunk port to one or multiple VLANs:
Assigning a hybrid port to a VLAN
A hybrid port supports multiple VLANs. You can assign it to the specified VLANs in interface view. Make sure the VLANs have been created.
When you assign a hybrid port to a VLAN, follow these restrictions and guidelines:
· To enable a hybrid port to transmit packets from its PVID, you must assign the hybrid port to the PVID by using the port hybrid vlan command.
To assign a hybrid port to one or multiple VLANs:

Configuring MAC-based VLANs
The MAC-based VLAN feature assigns hosts to a VLAN based on their MAC addresses. This feature is also called user-based VLAN because VLAN configuration remains the same regardless of a user's physical location.
Static MAC-based VLAN assignment
Use static MAC-based VLAN assignment in networks that have a small number of VLAN users. To configure static MAC-based VLAN assignment on a port, perform the following tasks:
1. Create MAC-to-VLAN entries.
2. Enable the MAC-based VLAN feature on the port.
3. Assign the port to the MAC-based VLAN.
A port configured with static MAC-based VLAN assignment processes a received frame as follows before sending the frame out:
· For an untagged frame, the port determines its VLAN ID in the following workflow:
a. The port first performs a fuzzy match as follows:
- Searches for the MAC-to-VLAN entries whose masks are not all Fs.
- Performs a logical AND operation on the source MAC address and each of these masks.
If an AND operation result matches the MAC address in a MAC-to-VLAN entry, the port tags the frame with the VLAN ID specific to this entry.
b. If the fuzzy match fails, the port performs an exact match. It searches for MAC-to-VLAN entries whose masks are all Fs. If the source MAC address of the frame exactly matches the MAC address of a MAC-to-VLAN entry, the port tags the frame with the VLAN ID specific to this entry.
c. If no matching VLAN ID is found, the port determines the VLAN for the packet by using the following VLAN match order:
- IP subnet-based VLAN.
- Protocol-based VLAN.
- Port-based VLAN.
When a match is found, the port tags the packet with the matching VLAN ID.
· For a tagged frame, the port determines whether the VLAN ID of the frame is permitted on the port.
¡ If the VLAN ID of the frame is permitted on the port, the port forwards the frame.
¡ If the VLAN ID of the frame is not permitted on the port, the port drops the frame.
Dynamic MAC-based VLAN assignment
When you cannot determine the target MAC-based VLANs of a port, use dynamic MAC-based VLAN assignment on the port. To use dynamic MAC-based VLAN assignment, perform the following tasks:
1. Create MAC-to-VLAN entries.
2. Enable the MAC-based VLAN feature on the port.
3. Enable dynamic MAC-based VLAN assignment on the port.
Dynamic MAC-based VLAN assignment uses the following workflow, as shown in Figure 3:
1. When a port receives a frame, it first determines whether the frame is tagged.
¡ If the frame is tagged, the port gets the source MAC address of the frame.
¡ If the frame is untagged, the port selects a VLAN for the frame by using the following matching order:
- MAC-based VLAN (fuzzy and exact MAC address match).
- IP subnet-based VLAN.
- Protocol-based VLAN.
- Port-based VLAN.
After tagging the frame with the selected VLAN, the port gets the source MAC address of the frame.
2. The port uses the source address and VLAN of the frame to match the MAC-to-VLAN entries.
¡ If the source MAC address of the frame exactly matches the MAC address in a MAC-to-VLAN entry, the port checks whether the VLAN ID of the frame matches the VLAN in the entry.
- If the two VLAN IDs match, the port joins the VLAN and forwards the frame.
- If the two VLAN IDs do not match, the port drops the frame.
¡ If the source MAC address of the frame does not exactly match any MAC addresses in MAC-to-VLAN entries, the port checks whether the VLAN ID of the frame is its PVID.
- If the VLAN ID of the frame is the PVID of the port, the port determines whether it allows the PVID.
If the PVID is allowed, the port forwards the frame within the PVID. If the PVID is not allowed, the port drops the frame.
- If the VLAN ID of the frame is not the PVID of the port, the port determines whether the VLAN ID is the primary VLAN ID and the port PVID is a secondary VLAN ID.
If yes, the port forwards the frame. Otherwise, the port drops the frame.
Figure 3 Flowchart for processing a frame in dynamic MAC-based VLAN assignment
When you configure dynamic MAC-based VLAN assignment, follow these guidelines:
· When a port joins a VLAN specified in the MAC-to-VLAN entry, one of the following events occurs depending on the port configuration:
¡ If the port has not been configured to allow packets from the VLAN to pass through, the port joins the VLAN as an untagged member.
¡ If the port has been configured to allow packets from the VLAN to pass through, the port configuration remains the same.
· If you configure both static and dynamic MAC-based VLAN assignments on a port, dynamic MAC-based VLAN assignment takes effect.
· The 802.1p priority of the VLAN in a MAC-to-VLAN entry determines the transmission priority of the matching packets.
Server-assigned MAC-based VLAN
Use this feature with access authentication, such as MAC-based 802.1X authentication, to implement secure and flexible terminal access.
To implement server-assigned MAC-based VLAN, perform the following tasks:
1. Configure the server-assigned MAC-based VLAN feature on the access device.
2. Configure username-to-VLAN entries on the access authentication server.
When a user passes authentication of the access authentication server, the server assigns the authorization VLAN information for the user to the device. The device then performs the following operations:
1. Generates a MAC-to-VLAN entry by using the source MAC address of the user packet and the authorization VLAN information. The authorization VLAN is a MAC-based VLAN.
The generated MAC-to-VLAN entry cannot conflict with the existing static MAC-to-VLAN entries. If a conflict exists, the dynamic MAC-to-VLAN entry cannot be generated.
2. Assigns the port that connects the user to the MAC-based VLAN.
When the user goes offline, the device automatically deletes the MAC-to-VLAN entry and removes the port from the MAC-based VLAN. For more information about 802.1X and MAC authentication, see Security Configuration Guide.
General configuration restrictions and guidelines
When you configure MAC-based VLANs, follow these restrictions and guidelines:
· This feature is available only on hybrid ports.
· A port enabled with the MAC-based VLAN feature does not support EVB. For more information about EVB, see EVB Configuration Guide.
· Do not configure a VLAN as both a super VLAN and a MAC-based VLAN.
· When MAC-to-VLAN entries whose masks are not all Fs exist, the vlan precedence ip-subnet-vlan command cannot be used to match VLANs based on IP subnets preferentially.
· The MAC-based VLAN feature is mainly configured on downlink ports of user access devices. Member ports of an aggregation group do not support this feature.
· Layer 2 aggregate interfaces do not support dynamic MAC-based VLAN assignment.
Configuring static MAC-based VLAN assignment
Configuring dynamic MAC-based VLAN assignment
When you configure dynamic MAC-based VLAN assignment, follow these restrictions and guidelines:
· As a best practice, do not configure MAC-to-VLAN entries whose masks are not all Fs. Otherwise, traffic might be dropped.
· As a best practice, do not modify the PVID of an interface after you enable dynamic MAC-based VLAN assignment on the interface. Otherwise, packet forwarding errors occur. To resolve this problem, execute the following command sequence on the interface:
a. undo mac-vlan trigger enable
b. undo mac-vlan enable
c. mac-vlan enable
d. mac-vlan trigger enable
· As a best practice to ensure correct operation of 802.1X and MAC authentication, do not use dynamic MAC-based VLAN assignment with 802.1X or MAC authentication.
· As a best practice, do not both configure dynamic MAC-based VLAN assignment and disable MAC address learning on a port. If the two features are configured together on a port, the port forwards only packets exactly matching the MAC-to-VLAN entries and drops inexactly matching packets.
· As a best practice, do not configure both dynamic MAC-based VLAN assignment and the MAC learning limit on a port.
If the two features are configured together on a port and the port learns the configured maximum number of MAC address entries, the port processes packets as follows:
¡ Forwards only packets matching the MAC address entries learnt by the port.
¡ Drops packets that do not match those entries.
· For successful dynamic MAC-based VLAN assignment, use static VLANs when you create MAC-to-VLAN entries.
· As a best practice, do not use dynamic MAC-based VLAN assignment with MSTP. In MSTP mode, if a port is blocked in the MSTI of its target VLAN, the port drops the received packets instead of delivering them to the CPU. As a result, the port will not be dynamically assigned to the target VLAN.
· As a best practice, do not use dynamic MAC-based VLAN assignment with PVST. In PVST mode, if the target VLAN of a port is not permitted on the port, the port is placed in blocked state. The port drops the received packets instead of delivering them to the CPU. As a result, the port will not be dynamically assigned to the target VLAN.
· As a best practice, do not configure both dynamic MAC-based VLAN assignment and automatic voice VLAN assignment mode on a port. They can have a negative impact on each other.
Configuration procedure
To configure dynamic MAC-based VLAN assignment:
Configuring server-assigned MAC-based VLAN
Configuring IP subnet-based VLANs
In this method, untagged packets are assigned to VLANs based on their source IP addresses and subnet masks. A port configured with IP subnet-based VLANs assigns a received untagged packet to a VLAN based on the source address of the packet.
Use this feature when untagged packets from an IP subnet or IP address must be transmitted in a VLAN.
This feature is available only on hybrid ports, and it processes only untagged packets.
An IP subnet-based VLAN has one or multiple subnets to match inbound packets. Each subnet has a unique index in the IP subnet-based VLAN. All subnets in an IP subnet-based VLAN have the same VLAN ID.
To configure an IP subnet-based VLAN:
Configuring protocol-based VLANs
The protocol-based VLAN feature assigns inbound packets to different VLANs based on their protocol types and encapsulation formats. The protocols available for VLAN assignment include IP, IPX, and AT. The encapsulation formats include Ethernet II, 802.3 raw, 802.2 LLC, and 802.2 SNAP.
This feature is available only on hybrid ports, and it processes only untagged packets. It associates the available network service types with VLANs and facilitates network management and maintenance.
A protocol-based VLAN has one or multiple protocol templates. A protocol template defines a protocol type and an encapsulation format as the match criteria to match inbound packets. Each protocol template has a unique index in the protocol-based VLAN. All protocol templates in a protocol-based VLAN have the same VLAN ID.
For a port to assign inbound packets to protocol-based VLANs, perform the following tasks:
· Assign the port to the protocol-based VLANs.
· Associate the port with the protocol templates of the protocol-based VLANs.
When an untagged packet arrives at the port, the port processes the packet as follows:
· If the protocol type and encapsulation format in the packet match a protocol template, the port tags the packet with the VLAN tag specific to the protocol template.
· If no protocol templates are matched, the port tags the packet with its PVID.
The voice VLAN in automatic mode processes only tagged voice traffic. Do not configure a VLAN as both a protocol-based VLAN and a voice VLAN.
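The following is an added example, not code from the configuration guide, that models how a hybrid port picks a VLAN for an untagged frame across the three sections above: the MAC-based fuzzy-then-exact match, the IP subnet-based match, the protocol-template match, and the port PVID as the final fallback. It also models the restriction that the vlan precedence ip-subnet-vlan command cannot prefer subnet matching while MAC-to-VLAN entries with non-all-Fs masks exist. The MAC addresses and subnets are reused from the configuration examples later in this guide; the VLAN 300 fuzzy entry, the protocol and encapsulation names used as dictionary keys, and the class and method names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ALL_F = 0xFFFFFFFFFFFF   # an all-Fs mask marks an exact-match MAC-to-VLAN entry


def mac_int(text: str) -> int:
    """Accept 'xxxx-xxxx-xxxx' (as in the guide) or 'xx:xx:xx:xx:xx:xx' notation."""
    digits = text.replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {text!r}")
    return int(digits, 16)


@dataclass
class MacVlanEntry:
    mac: int
    vid: int
    mask: int = ALL_F      # any other mask makes this a fuzzy (masked) entry


@dataclass
class PortClassifier:
    """Untagged-frame VLAN selection for one hybrid port (constructed model of the guide's order)."""
    pvid: int
    mac_entries: List[MacVlanEntry] = field(default_factory=list)
    subnets: List[Tuple[ipaddress.IPv4Network, int]] = field(default_factory=list)   # (subnet, VID)
    protocols: Dict[Tuple[str, str], int] = field(default_factory=dict)   # (protocol, encapsulation) -> VID
    ip_subnet_first: bool = False   # models 'vlan precedence ip-subnet-vlan'

    def has_fuzzy_entries(self) -> bool:
        return any(e.mask != ALL_F for e in self.mac_entries)

    def match_mac(self, src_mac: str) -> Optional[Tuple[int, str]]:
        mac = mac_int(src_mac)
        # a. Fuzzy match first: AND the source MAC with each mask that is not all Fs.
        for e in self.mac_entries:
            if e.mask != ALL_F and (mac & e.mask) == (e.mac & e.mask):
                return e.vid, "mac-fuzzy"
        # b. Exact match against the all-Fs entries.
        for e in self.mac_entries:
            if e.mask == ALL_F and mac == e.mac:
                return e.vid, "mac-exact"
        return None

    def match_subnet(self, src_ip: Optional[str]) -> Optional[Tuple[int, str]]:
        if src_ip is None:
            return None
        ip = ipaddress.ip_address(src_ip)
        for net, vid in self.subnets:
            if ip in net:   # False when the address and subnet are of different IP versions
                return vid, "ip-subnet"
        return None

    def classify(self, src_mac: str, protocol: str, encapsulation: str,
                 src_ip: Optional[str] = None) -> Tuple[int, str]:
        """Return (VLAN ID, reason) for an untagged frame; the PVID is the final fallback."""
        # The subnet-first preference is ignored while fuzzy MAC-to-VLAN entries exist.
        subnet_first = self.ip_subnet_first and not self.has_fuzzy_entries()
        mac_result = self.match_mac(src_mac)
        subnet_result = self.match_subnet(src_ip)
        for result in (subnet_result, mac_result) if subnet_first else (mac_result, subnet_result):
            if result is not None:
                return result
        vid = self.protocols.get((protocol, encapsulation))
        if vid is not None:
            return vid, "protocol"
        return self.pvid, "port"


# Constructed port configuration reusing values from the examples later in this guide.
PORT = PortClassifier(
    pvid=1,
    mac_entries=[
        MacVlanEntry(mac_int("000d-88f8-4e71"), 100),   # Laptop 1 -> VLAN 100
        MacVlanEntry(mac_int("0014-222c-aa69"), 200),   # Laptop 2 -> VLAN 200
    ],
    subnets=[
        (ipaddress.ip_network("192.168.5.0/24"), 100),
        (ipaddress.ip_network("192.168.50.0/24"), 200),
    ],
    protocols={("ipv4", "ethernetii"): 100, ("arp", "ethernetii"): 100, ("ipv6", "ethernetii"): 200},
)
# Same port plus a constructed fuzzy entry: source MACs starting 0014-222c go to VLAN 300.
FUZZY_PORT = PortClassifier(
    pvid=1,
    mac_entries=PORT.mac_entries + [MacVlanEntry(mac_int("0014-222c-0000"), 300, mask=mac_int("ffff-ffff-0000"))],
    subnets=PORT.subnets,
    ip_subnet_first=True,   # has no effect here because a fuzzy entry exists
)

if __name__ == "__main__":
    print(PORT.classify("000d-88f8-4e71", "ipv4", "ethernetii", "192.168.50.9"))   # (100, 'mac-exact')
    print(PORT.classify("0000-0000-0001", "ipv6", "ethernetii", "2001:db8::1"))    # (200, 'protocol')
    print(FUZZY_PORT.classify("0014-222c-aa69", "ipv4", "ethernetii", "192.168.5.4"))   # (300, 'mac-fuzzy')
```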
To configure a protocol-based VLAN:
Configuring a VLAN group
A VLAN group includes a set of VLANs.
On an authentication server, a VLAN group name represents a group of authorization VLANs. When an 802.1X user passes authentication, the authentication server assigns a VLAN group name to the device. The device then uses the received VLAN group name to match the locally configured VLAN group names. If a match is found, the device selects a VLAN from the group and assigns the VLAN to the user. For more information about 802.1X authentication, see Security Configuration Guide.
To configure a VLAN group:
Enabling packet statistics for a VLAN
When you need to examine or troubleshoot the network, you can enable packet statistics for a VLAN to monitor the total number of packets in the VLAN. The VLAN packet statistics include statistics on unicast, multicast, and broadcast packets.
Disable packet statistics for a VLAN to save system resources when you do not need this feature.
To enable packet statistics for a VLAN:
Displaying and maintaining VLANs
Execute display commands in any view and reset commands in user view.
VLAN configuration examples
Port-based VLAN configuration example
Network requirements
As shown in Figure 4:
· Host A and Host C belong to Department A. VLAN 100 is assigned to Department A.
· Host B and Host D belong to Department B. VLAN 200 is assigned to Department B.
Configure port-based VLANs so that only hosts in the same department can communicate with each other.
Figure 4 Network diagram
1. Configure Device A:
# Create VLAN 100, and assign GigabitEthernet 1/0/1 to VLAN 100.
<DeviceA> system-view
[DeviceA] vlan 100
[DeviceA-vlan100] port gigabitethernet 1/0/1
[DeviceA-vlan100] quit
# Create VLAN 200, and assign GigabitEthernet 1/0/2 to VLAN 200.
[DeviceA] vlan 200
[DeviceA-vlan200] port gigabitethernet 1/0/2
[DeviceA-vlan200] quit
# Configure GigabitEthernet 1/0/3 as a trunk port, and assign the port to VLANs 100 and 200.
[DeviceA] interface gigabitethernet 1/0/3
[DeviceA-GigabitEthernet1/0/3] port link-type trunk
[DeviceA-GigabitEthernet1/0/3] port trunk permit vlan 100 200
Please wait... Done.
2. Configure Device B in the same way Device A is configured. (Details not shown.)
3. Configure hosts:
a. Configure Host A and Host C to be on the same IP subnet. For example, 192.168.100.0/24.
b. Configure Host B and Host D to be on the same IP subnet. For example, 192.168.200.0/24.
Verifying the configuration
# Verify that Host A and Host C can ping each other, but they both fail to ping Host B and Host D. (Details not shown.)
# Verify that Host B and Host D can ping each other, but they both fail to ping Host A and Host C. (Details not shown.)
# Verify that VLANs 100 and 200 are correctly configured on Device A.
[DeviceA-GigabitEthernet1/0/3] display vlan 100
VLAN ID: 100
VLAN type: Static
Route interface: Not configured
Description: VLAN 0100
Name: VLAN 0100
Tagged ports:
GigabitEthernet1/0/3
Untagged ports:
GigabitEthernet1/0/1
[DeviceA-GigabitEthernet1/0/3] display vlan 200
VLAN ID: 200
VLAN type: Static
Route interface: Not configured
Description: VLAN 0200
Name: VLAN 0200
Tagged ports:
GigabitEthernet1/0/3
Untagged ports:
GigabitEthernet1/0/2
MAC-based VLAN configuration example
As shown in Figure 5:
· GigabitEthernet 1/0/1 of Device A and Device C are each connected to a meeting room. Laptop 1 and Laptop 2 are used for meetings and might be used in either of the two meeting rooms.
· One department uses VLAN 100 and owns Laptop 1. The other department uses VLAN 200 and owns Laptop 2.
Configure MAC-based VLANs, so that Laptop 1 and Laptop 2 can access Server 1 and Server 2, respectively, no matter which meeting room they are used in.
Figure 5 Network diagram
1. Configure Device A:
# Create VLANs 100 and 200.
# Associate the MAC addresses of Laptop 1 and Laptop 2 with VLANs 100 and 200, respectively.
[DeviceA] mac-vlan mac-address 000d-88f8-4e71 vlan 100
[DeviceA] mac-vlan mac-address 0014-222c-aa69 vlan 200
# Configure GigabitEthernet 1/0/1 as a hybrid port, and assign it to VLANs 100 and 200 as an untagged VLAN member.
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] port link-type hybrid
[DeviceA-GigabitEthernet1/0/1] port hybrid vlan 100 200 untagged
# Enable the MAC-based VLAN feature on GigabitEthernet 1/0/1.
[DeviceA-GigabitEthernet1/0/1] mac-vlan enable
[DeviceA-GigabitEthernet1/0/1] quit
# Configure the uplink port (GigabitEthernet 1/0/2) as a trunk port, and assign it to VLANs 100 and 200.
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] port link-type trunk
[DeviceA-GigabitEthernet1/0/2] port trunk permit vlan 100 200
[DeviceA-GigabitEthernet1/0/2] quit
2. Configure Device B:
# Create VLAN 100, and assign GigabitEthernet 1/0/3 to VLAN 100.
<DeviceB> system-view
[DeviceB] vlan 100
[DeviceB-vlan100] port gigabitethernet 1/0/3
[DeviceB-vlan100] quit
# Create VLAN 200 and assign GigabitEthernet 1/0/4 to VLAN 200.
[DeviceB] vlan 200
[DeviceB-vlan200] port gigabitethernet 1/0/4
[DeviceB-vlan200] quit
# Configure GigabitEthernet 1/0/1 as a trunk port, and assign the port to VLANs 100 and 200.
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] port link-type trunk
[DeviceB-GigabitEthernet1/0/1] port trunk permit vlan 100 200
[DeviceB-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet 1/0/2 as a trunk port, and assign the port to VLANs 100 and 200.
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] port link-type trunk
[DeviceB-GigabitEthernet1/0/2] port trunk permit vlan 100 200
[DeviceB-GigabitEthernet1/0/2] quit
3. Configure Device C in the same way Device A is configured. (Details not shown.)
# Verify that Laptop 1 can access only Server 1, and Laptop 2 can access only Server 2. (Details not shown.)
# Verify the MAC-to-VLAN entries on Device A and Device C, for example, on Device A.
[DeviceA] display mac-vlan all
The following MAC VLAN addresses exist:
S:Static D:Dynamic
MAC address Mask VLAN ID Priority State
000d-88f8-4e71 ffff-ffff-ffff 100 0 S
0014-222c-aa69 ffff-ffff-ffff 200 0 S
Total MAC VLAN address count: 2
IP subnet-based VLAN configuration example
As shown in Figure 6, the hosts in the office belong to different IP subnets.
Configure Device C to transmit packets from 192.168.5.0/24 and 192.168.50.0/24 in VLANs 100 and 200, respectively.
Figure 6 Network diagram
1. Configure Device C:
# Associate IP subnet 192.168.5.0/24 with VLAN 100.
<DeviceC> system-view
[DeviceC] vlan 100
[DeviceC-vlan100] ip-subnet-vlan ip 192.168.5.0 255.255.255.0
[DeviceC-vlan100] quit
# Associate IP subnet 192.168.50.0/24 with VLAN 200.
[DeviceC] vlan 200
[DeviceC-vlan200] ip-subnet-vlan ip 192.168.50.0 255.255.255.0
[DeviceC-vlan200] quit
# Configure GigabitEthernet 1/0/2 as a hybrid port, and assign it to VLAN 100 as a tagged VLAN member.
[DeviceC] interface gigabitethernet 1/0/2
[DeviceC-GigabitEthernet1/0/2] port link-type hybrid
[DeviceC-GigabitEthernet1/0/2] port hybrid vlan 100 tagged
[DeviceC-GigabitEthernet1/0/2] quit
# Configure GigabitEthernet 1/0/3 as a hybrid port, and assign it to VLAN 200 as a tagged VLAN member.
[DeviceC] interface gigabitethernet 1/0/3
[DeviceC-GigabitEthernet1/0/3] port link-type hybrid
[DeviceC-GigabitEthernet1/0/3] port hybrid vlan 200 tagged
[DeviceC-GigabitEthernet1/0/3] quit
# Configure GigabitEthernet 1/0/1 as a hybrid port, and assign it to VLANs 100 and 200 as an untagged VLAN member.
[DeviceC] interface gigabitethernet 1/0/1
[DeviceC-GigabitEthernet1/0/1] port link-type hybrid
[DeviceC-GigabitEthernet1/0/1] port hybrid vlan 100 200 untagged
# Associate GigabitEthernet 1/0/1 with the IP subnet-based VLANs 100 and 200.
[DeviceC-GigabitEthernet1/0/1] port hybrid ip-subnet-vlan vlan 100
[DeviceC-GigabitEthernet1/0/1] port hybrid ip-subnet-vlan vlan 200
[DeviceC-GigabitEthernet1/0/1] quit
2. Configure Device A and Device B to forward packets from VLANs 100 and 200, respectively. (Details not shown.)
# Verify the IP subnet-based VLAN configuration on Device C.
[DeviceC] display ip-subnet-vlan vlan all
Subnet index IP address Subnet mask
0 192.168.5.0 255.255.255.0
0 192.168.50.0 255.255.255.0
# Verify the IP subnet-based VLAN configuration on GigabitEthernet 1/0/1 of Device C.
[DeviceC] display ip-subnet-vlan interface gigabitethernet 1/0/1
Interface: GigabitEthernet1/0/1
VLAN ID Subnet index IP address Subnet mask Status
100 0 192.168.5.0 255.255.255.0 Active
200 0 192.168.50.0 255.255.255.0 Active
Protocol-based VLAN configuration example
As shown in Figure 7 :
· The majority of hosts in a lab environment run the IPv4 protocol.
· The other hosts run the IPv6 protocol for teaching purposes.
To isolate IPv4 and IPv6 traffic at Layer 2, configure protocol-based VLANs to associate the IPv4 and ARP protocols with VLAN 100, and associate the IPv6 protocol with VLAN 200.
Figure 7 Network diagram
In this example, L2 Switch A and L2 Switch B use the factory configuration.
1. Configure Device:
# Create VLAN 100, and configure the description for VLAN 100 as protocol VLAN for IPv4 .
<Device> system-view
[Device] vlan 100
[Device-vlan100] description protocol VLAN for IPv4
# Assign GigabitEthernet 1/0/3 to VLAN 100.
[Device-vlan100] port gigabitethernet 1/0/3
[Device-vlan100] quit
# Create VLAN 200, and configure the description for VLAN 200 as protocol VLAN for IPv6 .
[Device] vlan 200
[Device-vlan200] description protocol VLAN for IPv6
# Assign GigabitEthernet 1/0/4 to VLAN 200.
[Device-vlan200] port gigabitethernet 1/0/4
# Configure VLAN 200 as a protocol-based VLAN, and create an IPv6 protocol template with the index 1 for VLAN 200.
[Device-vlan200] protocol-vlan 1 ipv6
[Device-vlan200] quit
# Configure VLAN 100 as a protocol-based VLAN. Create an IPv4 protocol template with the index 1, and create an ARP protocol template with the index 2. (In Ethernet II encapsulation, the protocol type ID for ARP is 0806 in hexadecimal notation.)
[Device] vlan 100
[Device-vlan100] protocol-vlan 1 ipv4
[Device-vlan100] protocol-vlan 2 mode ethernetii etype 0806
[Device-vlan100] quit
# Configure GigabitEthernet 1/0/1 as a hybrid port, and assign it to VLANs 100 and 200 as an untagged VLAN member.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] port link-type hybrid
[Device-GigabitEthernet1/0/1] port hybrid vlan 100 200 untagged
# Associate GigabitEthernet 1/0/1 with the IPv4 and ARP protocol templates of VLAN 100 and the IPv6 protocol template of VLAN 200.
[Device-GigabitEthernet1/0/1] port hybrid protocol-vlan vlan 100 1 to 2
[Device-GigabitEthernet1/0/1] port hybrid protocol-vlan vlan 200 1
[Device-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet 1/0/2 as a hybrid port, and assign it to VLANs 100 and 200 as an untagged VLAN member.
[Device] interface gigabitethernet 1/0/2
[Device-GigabitEthernet1/0/2] port link-type hybrid
[Device-GigabitEthernet1/0/2] port hybrid vlan 100 200 untagged
# Associate GigabitEthernet 1/0/2 with the IPv4 and ARP protocol templates of VLAN 100 and the IPv6 protocol template of VLAN 200.
[Device-GigabitEthernet1/0/2] port hybrid protocol-vlan vlan 100 1 to 2
[Device-GigabitEthernet1/0/2] port hybrid protocol-vlan vlan 200 1
[Device-GigabitEthernet1/0/2] quit
2. Configure hosts and servers:
a. Configure IPv4 Host A, IPv4 Host B, and IPv4 server to be on the same network segment (192.168.100.0/24, for example). (Details not shown.)
b. Configure IPv6 Host A, IPv6 Host B, and IPv6 server to be on the same network segment (2001::1/64, for example). (Details not shown.)
3. Verify the following:
¡ The hosts and the server in VLAN 100 can successfully ping one another. (Details not shown.)
¡ The hosts and the server in VLAN 200 can successfully ping one another. (Details not shown.)
¡ The hosts or the server in VLAN 100 cannot ping the hosts or server in VLAN 200. (Details not shown.)
4. Verify the protocol-based VLAN configuration:
# Display protocol-based VLANs on Device.
[Device] display protocol-vlan vlan all
VLAN ID: 100
Protocol index   Protocol type
1                IPv4
2                Ethernet II Etype 0x0806
VLAN ID: 200
Protocol index   Protocol type
1                IPv6
# Display protocol-based VLANs on the ports of Device.
[Device] display protocol-vlan interface all
Interface: GigabitEthernet 1/0/1
VLAN ID   Protocol index   Protocol type              Status
100       1                IPv4                       Active
100       2                Ethernet II Etype 0x0806   Active
200       1                IPv6                       Active
Interface: GigabitEthernet 1/0/2
VLAN ID   Protocol index   Protocol type              Status
100       1                IPv4                       Active
100       2                Ethernet II Etype 0x0806   Active
200       1                IPv6                       Active
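The three examples above (MAC-based, IP subnet-based and protocol-based VLANs) all classify untagged frames arriving on a hybrid port. The following Python script is an added example, not HPE code and not part of this guide: it models that classification for one hybrid port that carries all three kinds of binding at once, then falls back to the PVID. The lookup order it uses (MAC-based first, then IP subnet-based, then protocol-based, then PVID) is an assumption, as are the host MAC addresses, IP addresses and frames, which are constructed for the demonstration; the MAC-to-VLAN entries, subnets and protocol templates are the ones from the examples above.

```python
"""Added example (not HPE code): classify untagged ingress frames on a hybrid
port the way the MAC-, IP subnet- and protocol-based VLAN examples do.

Assumption (not stated on this page): when several dynamic VLAN types are
bound to one port, the order is MAC-based, then IP subnet-based, then
protocol-based, then the port PVID. Frames and host addresses are constructed.
"""
from __future__ import annotations

import ipaddress
import struct
from dataclasses import dataclass, field

ETYPE_IPV4 = 0x0800
ETYPE_ARP = 0x0806
ETYPE_IPV6 = 0x86DD
ETYPE_8021Q = 0x8100


def mac_bytes(text: str) -> bytes:
    """Parse the Comware 'xxxx-xxxx-xxxx' (or colon) notation into 6 bytes."""
    return bytes.fromhex(text.replace("-", "").replace(":", ""))


def masked(addr: bytes, mask: bytes) -> bytes:
    return bytes(a & m for a, m in zip(addr, mask))


@dataclass
class HybridPort:
    pvid: int
    # MAC-to-VLAN entries as in 'display mac-vlan all': (mac, mask) -> VLAN
    mac_vlan: dict[tuple[bytes, bytes], int] = field(default_factory=dict)
    # 'ip-subnet-vlan ip <net> <mask>' bindings: network -> VLAN
    subnet_vlan: dict[ipaddress.IPv4Network, int] = field(default_factory=dict)
    # 'protocol-vlan' templates bound to the port: Ethernet II ethertype -> VLAN
    protocol_vlan: dict[int, int] = field(default_factory=dict)

    def classify(self, frame: bytes) -> tuple[int, str]:
        """Return (vlan_id, reason) for an untagged Ethernet II frame."""
        if len(frame) < 14:
            raise ValueError("runt frame")
        src_mac = frame[6:12]
        etype = struct.unpack("!H", frame[12:14])[0]
        if etype == ETYPE_8021Q:
            raise ValueError("tagged frame: not subject to dynamic classification")
        # 1. MAC-based VLAN: masked compare, as the Mask column on the page shows.
        for (mac, mask), vlan in self.mac_vlan.items():
            if masked(src_mac, mask) == masked(mac, mask):
                return vlan, "mac-vlan"
        # 2. IP subnet-based VLAN: only IPv4 payloads carry a source IP to match.
        if etype == ETYPE_IPV4 and len(frame) >= 14 + 20:
            src_ip = ipaddress.IPv4Address(frame[14 + 12:14 + 16])
            for net, vlan in self.subnet_vlan.items():
                if src_ip in net:
                    return vlan, "ip-subnet-vlan"
        # 3. Protocol-based VLAN: Ethernet II ethertype templates.
        if etype in self.protocol_vlan:
            return self.protocol_vlan[etype], "protocol-vlan"
        # 4. Port-based fallback: the PVID.
        return self.pvid, "pvid"


def build_frame(src_mac: str, etype: int, payload: bytes = b"") -> bytes:
    """Constructed broadcast Ethernet II frame with the given source and ethertype."""
    return b"\xff" * 6 + mac_bytes(src_mac) + struct.pack("!H", etype) + payload


def ipv4_payload(src_ip: str, dst_ip: str) -> bytes:
    """Minimal constructed 20-byte IPv4 header (checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,
                       ipaddress.IPv4Address(src_ip).packed,
                       ipaddress.IPv4Address(dst_ip).packed)


def demo_port() -> HybridPort:
    """GigabitEthernet 1/0/1 with the bindings of the three examples merged onto it."""
    return HybridPort(
        pvid=1,
        mac_vlan={(mac_bytes("000d-88f8-4e71"), mac_bytes("ffff-ffff-ffff")): 100,
                  (mac_bytes("0014-222c-aa69"), mac_bytes("ffff-ffff-ffff")): 200},
        subnet_vlan={ipaddress.ip_network("192.168.5.0/24"): 100,
                     ipaddress.ip_network("192.168.50.0/24"): 200},
        protocol_vlan={ETYPE_IPV4: 100, ETYPE_ARP: 100, ETYPE_IPV6: 200},
    )


if __name__ == "__main__":
    port = demo_port()
    for label, frame in [
        ("Laptop 1 sending IPv6", build_frame("000d-88f8-4e71", ETYPE_IPV6)),
        ("unknown MAC, 192.168.50.7", build_frame("0000-5e00-0001", ETYPE_IPV4, ipv4_payload("192.168.50.7", "192.168.50.1"))),
        ("unknown MAC, ARP", build_frame("0000-5e00-0001", ETYPE_ARP)),
        ("unknown MAC, LLDP", build_frame("0000-5e00-0001", 0x88CC)),
    ]:
        print(label, "->", port.classify(frame))
```

Everything the classifier keys on (source MAC, source IP, ethertype) is under the sending host's control, so MAC-based and IP subnet-based VLANs separate cooperating hosts but do not stop a host that forges its source address from landing in another VLAN; where the VLAN boundary is a security boundary, pair them with port-based assignment or 802.1X rather than relying on the header fields alone.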
Configuring super VLANs
Hosts in a VLAN typically use IP addresses in the same subnet. For Layer 3 interoperability with other VLANs, you can create a VLAN interface for the VLAN and assign an IP address to it. This requires a large number of IP addresses.
The super VLAN feature was introduced to save IP addresses. A super VLAN is associated with multiple sub-VLANs. These sub-VLANs use the VLAN interface of the super VLAN (also known as a super VLAN interface) as the gateway for Layer 3 communication.
You can create a VLAN interface for a super VLAN and assign an IP address to it. However, you cannot create a VLAN interface for a sub-VLAN. You can assign a physical port to a sub-VLAN, but you cannot assign a physical port to a super VLAN. Sub-VLANs are isolated at Layer 2.
To enable Layer 3 communication between sub-VLANs, perform the following tasks:
1. Create a super VLAN and the VLAN interface for the super VLAN.
2. Enable local proxy ARP or ND on the super VLAN interface as follows:
¡ In an IPv4 network, enable local proxy ARP on the super VLAN interface. The super VLAN can then process ARP requests and replies sent from the sub-VLANs.
¡ In an IPv6 network, enable local proxy ND on the super VLAN interface. The super VLAN can then process the NS and NA messages sent from the sub-VLANs.
Super VLAN configuration restrictions and guidelines
The super VLAN feature cannot be used together with the VXLAN IP gateway feature. For more information about VXLAN IP gateways, see VXLAN Configuration Guide .
Super VLAN configuration task list
1. Creating a sub-VLAN.
2. Configuring a super VLAN.
3. Configuring a super VLAN interface.
When you configure a super VLAN, follow these restrictions and guidelines:
· The VLAN of a MAC address-to-VLAN entry cannot be configured as a super VLAN.
· A VLAN cannot be configured as both a super VLAN and a guest VLAN, Auth-Fail VLAN, or critical VLAN. For more information about guest VLANs, Auth-Fail VLANs, and critical VLANs, see Security Configuration Guide .
· A VLAN cannot be configured as both a super VLAN and a sub-VLAN.
· Layer 2 multicast configuration for super VLANs does not take effect because they do not have physical ports.
To configure a super VLAN:
1. Enter system view: system-view
2. Enter VLAN view: vlan vlan-id
3. Configure the VLAN as a super VLAN: supervlan
4. Associate the super VLAN with sub-VLANs: subvlan vlan-id-list
Configuring a super VLAN interface
As a best practice, do not configure VRRP for a super VLAN interface because the configuration affects network performance. For more information about VRRP, see High Availability Configuration Guide .
To configure a VLAN interface for a super VLAN:
1. Enter system view: system-view
2. Create the VLAN interface for the super VLAN and enter its view: interface vlan-interface vlan-interface-id
3. Assign an IP address to the VLAN interface: ip address ip-address mask
4. Enable local proxy ARP on the VLAN interface (IPv4): local-proxy-arp enable. In an IPv6 network, enable local proxy ND instead.
Displaying and maintaining super VLANs
Execute display commands in any view. To display super VLANs and their associated sub-VLANs, use display supervlan.
Super VLAN configuration example
As shown in Figure 8 :
· GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 are in VLAN 2.
· GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4 are in VLAN 3.
· GigabitEthernet 1/0/5 and GigabitEthernet 1/0/6 are in VLAN 5.
To save IP addresses and enable sub-VLANs to be isolated at Layer 2 but interoperable at Layer 3, perform the following tasks:
· Create a super VLAN and assign an IP address to its VLAN interface.
· Associate the super VLAN with VLANs 2, 3, and 5.
Figure 8 Network diagram
# Create VLAN 10.
<DeviceA> system-view
[DeviceA] vlan 10
[DeviceA-vlan10] quit
# Create VLAN-interface 10, and assign IP address 10.1.1.1/24 to it.
[DeviceA] interface vlan-interface 10
[DeviceA-Vlan-interface10] ip address 10.1.1.1 255.255.255.0
# Enable local proxy ARP.
[DeviceA-Vlan-interface10] local-proxy-arp enable
[DeviceA-Vlan-interface10] quit
# Create VLAN 2, and assign GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to the VLAN.
[DeviceA] vlan 2
[DeviceA-vlan2] port gigabitethernet 1/0/1 gigabitethernet 1/0/2
[DeviceA-vlan2] quit
# Create VLAN 3, and assign GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4 to the VLAN.
[DeviceA] vlan 3
[DeviceA-vlan3] port gigabitethernet 1/0/3 gigabitethernet 1/0/4
[DeviceA-vlan3] quit
# Create VLAN 5, and assign GigabitEthernet 1/0/5 and GigabitEthernet 1/0/6 to the VLAN.
[DeviceA] vlan 5
[DeviceA-vlan5] port gigabitethernet 1/0/5 gigabitethernet 1/0/6
[DeviceA-vlan5] quit
# Configure VLAN 10 as a super VLAN, and associate sub-VLANs 2, 3, and 5 with the super VLAN.
[DeviceA] vlan 10
[DeviceA-vlan10] supervlan
[DeviceA-vlan10] subvlan 2 3 5
[DeviceA-vlan10] quit
[DeviceA] quit
# Display information about super VLAN 10 and its associated sub-VLANs.
<DeviceA> display supervlan
Super VLAN ID: 10
Sub-VLAN ID: 2-3 5
VLAN ID: 10
It is a super VLAN.
Route interface: Configured
IPv4 address: 10.1.1.1
IPv4 subnet mask: 255.255.255.0
Description: VLAN 0010
Name: VLAN 0010
Tagged ports: None
Untagged ports: None
VLAN ID: 2
It is a sub VLAN.
Description: VLAN 0002
Name: VLAN 0002
Tagged ports: None
Untagged ports:
GigabitEthernet1/0/1
GigabitEthernet1/0/2
VLAN ID: 3
It is a sub VLAN.
Description: VLAN 0003
Name: VLAN 0003
Tagged ports: None
Untagged ports:
GigabitEthernet1/0/3
GigabitEthernet1/0/4
VLAN ID: 5
It is a sub VLAN.
Description: VLAN 0005
Name: VLAN 0005
Tagged ports: None
Untagged ports:
GigabitEthernet1/0/5
GigabitEthernet1/0/6
Configuring the private VLAN
VLAN technology provides a method for isolating traffic from customers. At the access layer of a network, customer traffic must be isolated for security or accounting purposes. If VLANs are assigned on a per-user basis, a large number of VLANs will be required.
The private VLAN feature saves VLAN resources. It uses a two-tier VLAN structure as follows:
· Primary VLAN —Used for connecting the upstream device. A primary VLAN can be associated with multiple secondary VLANs. The upstream device identifies only the primary VLAN.
· Secondary VLANs —Used for connecting users. Secondary VLANs are isolated at Layer 2. To implement Layer 3 communication between secondary VLANs associated with the primary VLAN, enable local proxy ARP or ND on the upstream device (for example, L3 Device A in Figure 9 ).
As shown in Figure 9 , the private VLAN feature is enabled on L2 Device B. VLAN 10 is the primary VLAN. VLANs 2, 5, and 8 are secondary VLANs that are associated with VLAN 10. L3 Device A is only aware of VLAN 10.
Figure 9 Private VLAN example
If the private VLAN feature is configured on a Layer 3 device, use one of the following methods on the Layer 3 device to enable Layer 3 communication. Layer 3 communication might be required between secondary VLANs that are associated with the same primary VLAN, or between secondary VLANs and other networks.
· Method 1:
a. Create VLAN interfaces for the secondary VLANs.
b. Assign IP addresses to the secondary VLAN interfaces.
· Method 2:
a. Enable Layer 3 communication between the secondary VLANs that are associated with the primary VLAN.
b. Create the VLAN interface for the primary VLAN and assign an IP address to it. (Do not create secondary VLAN interfaces if you use this method.)
c. Enable local proxy ARP or ND on the primary VLAN interface.
Configuration task list
To configure the private VLAN feature, perform the following tasks:
1. Configure the primary VLAN.
2. Configure the secondary VLANs.
3. Associate the secondary VLANs with the primary VLAN.
4. Configure the uplink and downlink ports:
¡ Configure the uplink port (for example, the port connecting L2 Device B to L3 Device A in Figure 9 ):
- When the port allows only one primary VLAN, configure the port as a promiscuous port of the primary VLAN. The promiscuous port can be automatically assigned to the primary VLAN and its associated secondary VLANs.
- When the port allows multiple primary VLANs, configure the port as a trunk promiscuous port of the primary VLANs. The trunk promiscuous port can be automatically assigned to the primary VLANs and their associated secondary VLANs.
¡ Configure a downlink port (for example, the port connecting L2 Device B to a host in Figure 9 ) as a host port. The host port can be automatically assigned to the secondary VLAN and its associated primary VLAN.
¡ If a downlink port allows multiple secondary VLANs, configure the port as a trunk secondary port. The trunk secondary port can be automatically assigned to the secondary VLANs and their associated primary VLANs.
For more information about promiscuous, trunk promiscuous, host, and trunk secondary ports, see Layer 2—LAN Switching Command Reference .
5. Configure Layer 3 communication between the specified secondary VLANs that are associated with the primary VLAN.
When you configure the private VLAN feature, follow these restrictions and guidelines:
· Make sure the following requirements are met:
¡ For a promiscuous port:
- The primary VLAN is the PVID of the port.
- The port is an untagged member of the primary VLAN and secondary VLANs.
¡ For a host port:
- The PVID of the port is a secondary VLAN.
- The port is an untagged member of the primary VLAN and the secondary VLAN.
¡ A trunk promiscuous or trunk secondary port must be a tagged member of the primary VLANs and the secondary VLANs.
· After you configure a primary VLAN, the system automatically synchronizes the dynamic MAC address entries of the primary VLAN with the dynamic MAC address entries of the secondary VLANs.
· After you configure a primary VLAN, the static MAC address entries of the secondary VLANs do not take effect. After you disassociate a primary VLAN from a secondary VLAN, the static MAC address entries of the primary VLAN do not affect the traffic of the secondary VLAN.
· VLAN 1 (system default VLAN) does not support the private VLAN configuration.
· The private VLAN feature cannot be used with IP multicast.
· The private VLAN feature cannot be used together with the VXLAN IP gateway feature. For more information about VXLAN IP gateways, see VXLAN Configuration Guide .
To configure the private VLAN feature:
1. Enter system view: system-view
2. Enter VLAN view and configure the VLAN as a primary VLAN: vlan vlan-id, then private-vlan primary
3. Create the secondary VLANs: vlan vlan-id-list
4. In the view of the primary VLAN, associate the secondary VLANs with it: private-vlan secondary vlan-id-list
5. Enter interface view and configure the port role: port private-vlan vlan-id promiscuous, port private-vlan vlan-id-list trunk promiscuous, port private-vlan host (after port access vlan vlan-id), or port private-vlan vlan-id-list trunk secondary
6. (Optional.) Enter the VLAN interface view of the primary VLAN and enable Layer 3 communication between secondary VLANs: interface vlan-interface vlan-interface-id, then private-vlan secondary vlan-id-list
Displaying and maintaining the private VLAN
Execute display commands in any view. To display private VLAN information, use display private-vlan [ primary-vlan-id ].
Private VLAN configuration examples
Promiscuous port configuration example
As shown in Figure 10 , configure the private VLAN feature to meet the following requirements:
· On Device B, VLAN 5 is a primary VLAN that is associated with secondary VLANs 2 and 3. GigabitEthernet 1/0/5 is in VLAN 5. GigabitEthernet 1/0/2 is in VLAN 2. GigabitEthernet 1/0/3 is in VLAN 3.
· On Device C, VLAN 6 is a primary VLAN that is associated with secondary VLANs 3 and 4. GigabitEthernet 1/0/5 is in VLAN 6. GigabitEthernet 1/0/3 is in VLAN 3. GigabitEthernet 1/0/4 is in VLAN 4.
· Device A is aware of only VLAN 5 on Device B and VLAN 6 on Device C.
Figure 10 Network diagram
This example describes the configurations on Device B and Device C.
1. Configure Device B:
# Configure VLAN 5 as a primary VLAN.
<DeviceB> system-view
[DeviceB] vlan 5
[DeviceB-vlan5] private-vlan primary
[DeviceB-vlan5] quit
# Create VLANs 2 and 3.
[DeviceB] vlan 2 to 3
# Associate secondary VLANs 2 and 3 with primary VLAN 5.
[DeviceB] vlan 5
[DeviceB-vlan5] private-vlan secondary 2 to 3
[DeviceB-vlan5] quit
# Configure the uplink port (GigabitEthernet 1/0/5) as a promiscuous port of VLAN 5.
[DeviceB] interface gigabitethernet 1/0/5
[DeviceB-GigabitEthernet1/0/5] port private-vlan 5 promiscuous
[DeviceB-GigabitEthernet1/0/5] quit
# Assign downlink port GigabitEthernet 1/0/2 to VLAN 2, and configure the port as a host port.
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] port access vlan 2
[DeviceB-GigabitEthernet1/0/2] port private-vlan host
[DeviceB-GigabitEthernet1/0/2] quit
# Assign downlink port GigabitEthernet 1/0/3 to VLAN 3, and configure the port as a host port.
[DeviceB] interface gigabitethernet 1/0/3
[DeviceB-GigabitEthernet1/0/3] port access vlan 3
[DeviceB-GigabitEthernet1/0/3] port private-vlan host
[DeviceB-GigabitEthernet1/0/3] quit
2. Configure Device C:
# Configure VLAN 6 as a primary VLAN.
<DeviceC> system-view
[DeviceC] vlan 6
[DeviceC-vlan6] private-vlan primary
[DeviceC-vlan6] quit
# Create VLANs 3 and 4.
[DeviceC] vlan 3 to 4
# Associate secondary VLANs 3 and 4 with primary VLAN 6.
[DeviceC] vlan 6
[DeviceC-vlan6] private-vlan secondary 3 to 4
[DeviceC-vlan6] quit
# Configure the uplink port (GigabitEthernet 1/0/5) as a promiscuous port of VLAN 6.
[DeviceC] interface gigabitethernet 1/0/5
[DeviceC-GigabitEthernet1/0/5] port private-vlan 6 promiscuous
[DeviceC-GigabitEthernet1/0/5] quit
# Assign downlink port GigabitEthernet 1/0/3 to VLAN 3, and configure the port as a host port.
[DeviceC] interface gigabitethernet 1/0/3
[DeviceC-GigabitEthernet1/0/3] port access vlan 3
[DeviceC-GigabitEthernet1/0/3] port private-vlan host
[DeviceC-GigabitEthernet1/0/3] quit
# Assign downlink port GigabitEthernet 1/0/4 to VLAN 4, and configure the port as a host port.
[DeviceC] interface gigabitethernet 1/0/4
[DeviceC-GigabitEthernet1/0/4] port access vlan 4
[DeviceC-GigabitEthernet1/0/4] port private-vlan host
[DeviceC-GigabitEthernet1/0/4] quit
# Verify the private VLAN configurations on the devices, for example, on Device B.
[DeviceB] display private-vlan
Primary VLAN ID: 5
Secondary VLAN ID: 2-3
VLAN ID: 5
Private VLAN type: Primary
Description: VLAN 0005
Name: VLAN 0005
Tagged ports: None
Untagged ports:
GigabitEthernet1/0/2
GigabitEthernet1/0/3
GigabitEthernet1/0/5
VLAN ID: 2
Private VLAN type: Secondary
Description: VLAN 0002
Name: VLAN 0002
Tagged ports: None
Untagged ports:
GigabitEthernet1/0/2
GigabitEthernet1/0/5
VLAN ID: 3
Private VLAN type: Secondary
Description: VLAN 0003
Name: VLAN 0003
Tagged ports: None
Untagged ports:
GigabitEthernet1/0/3
GigabitEthernet1/0/5
The output shows that:
· The promiscuous port (GigabitEthernet 1/0/5) is an untagged member of primary VLAN 5 and secondary VLANs 2 and 3.
· Host port GigabitEthernet 1/0/2 is an untagged member of primary VLAN 5 and secondary VLAN 2.
· Host port GigabitEthernet 1/0/3 is an untagged member of primary VLAN 5 and secondary VLAN 3.
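The verification above reads the port memberships off the display output by hand. The following Python script is an added example, not HPE code and not part of this guide: it models Device B from this example, checks every port against the promiscuous and host port requirements listed under the private VLAN restrictions and guidelines (PVID and untagged membership), and then shows which ports a frame entering each port can reach. The forwarding check is a simplified flood model (an untagged frame is classified into the ingress port's PVID and delivered to every other member of that VLAN), which is an assumption that is enough to show the Layer 2 isolation; the misconfigured variant at the end is constructed for the demonstration.

```python
"""Added example (not HPE code): model Device B from the promiscuous port
example, audit it against the private VLAN port requirements, and show the
Layer 2 reachability that results.

Assumptions: port memberships are modelled as the display output describes
them; forwarding is a simplified flood model (ingress PVID -> all other
members of that VLAN). The misconfigured variant is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    role: str                       # "promiscuous" or "host"
    pvid: int
    untagged: set[int] = field(default_factory=set)


@dataclass
class PrivateVlan:
    primary: int
    secondaries: set[int]
    ports: dict[str, Port] = field(default_factory=dict)

    def add_promiscuous(self, name: str) -> None:
        # 'port private-vlan <primary> promiscuous': the port is automatically an
        # untagged member of the primary VLAN and all of its secondary VLANs.
        self.ports[name] = Port(name, "promiscuous", self.primary,
                                {self.primary, *self.secondaries})

    def add_host(self, name: str, secondary: int) -> None:
        # 'port access vlan <secondary>' followed by 'port private-vlan host':
        # the port joins its secondary VLAN and the associated primary VLAN untagged.
        if secondary not in self.secondaries:
            raise ValueError(f"VLAN {secondary} is not a secondary VLAN of {self.primary}")
        self.ports[name] = Port(name, "host", secondary, {self.primary, secondary})

    def audit(self) -> list[str]:
        """Return violations of the promiscuous/host port requirements (empty = consistent)."""
        problems: list[str] = []
        for p in self.ports.values():
            if p.role == "promiscuous":
                if p.pvid != self.primary:
                    problems.append(f"{p.name}: PVID {p.pvid} is not primary VLAN {self.primary}")
                missing = ({self.primary} | self.secondaries) - p.untagged
                if missing:
                    problems.append(f"{p.name}: not an untagged member of VLANs {sorted(missing)}")
            elif p.role == "host":
                if p.pvid not in self.secondaries:
                    problems.append(f"{p.name}: PVID {p.pvid} is not a secondary VLAN")
                missing = {self.primary, p.pvid} - p.untagged
                if missing:
                    problems.append(f"{p.name}: not an untagged member of VLANs {sorted(missing)}")
        return problems

    def reachable(self, ingress: str) -> set[str]:
        """Ports that receive an untagged frame entering 'ingress' (flood model)."""
        vlan = self.ports[ingress].pvid
        return {n for n, p in self.ports.items() if n != ingress and vlan in p.untagged}


def device_b() -> PrivateVlan:
    """Device B exactly as configured in the promiscuous port example."""
    pv = PrivateVlan(primary=5, secondaries={2, 3})
    pv.add_promiscuous("GigabitEthernet1/0/5")
    pv.add_host("GigabitEthernet1/0/2", 2)
    pv.add_host("GigabitEthernet1/0/3", 3)
    return pv


def device_b_misconfigured() -> PrivateVlan:
    """Constructed mistake: GigabitEthernet1/0/2 was assigned to the primary VLAN
    (port access vlan 5) instead of secondary VLAN 2 before being made a host port."""
    pv = device_b()
    pv.ports["GigabitEthernet1/0/2"] = Port("GigabitEthernet1/0/2", "host", 5, {5})
    return pv


if __name__ == "__main__":
    for dev in (device_b(), device_b_misconfigured()):
        print("audit:", dev.audit() or "ok")
        for name in sorted(dev.ports):
            print(f"  {name} -> {sorted(dev.reachable(name))}")
```

In the correct configuration a frame from either host port reaches only the promiscuous uplink, while the uplink reaches both hosts, which is the isolation the example is after. In the constructed mistake the audit flags the host port whose PVID is the primary VLAN, and the reachability check shows why that matters: a host port sitting in the primary VLAN sees the traffic of every other secondary VLAN.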
Trunk promiscuous port configuration example
As shown in Figure 11 , configure the private VLAN feature to meet the following requirements:
· VLANs 5 and 10 are primary VLANs on Device B. The uplink port (GigabitEthernet 1/0/1) on Device B permits the packets from VLANs 5 and 10 to pass through tagged.
· On Device B, downlink port GigabitEthernet 1/0/2 permits secondary VLAN 2. Downlink port GigabitEthernet 1/0/3 permits secondary VLAN 3. Secondary VLANs 2 and 3 are associated with primary VLAN 5.
· On Device B, downlink port GigabitEthernet 1/0/4 permits secondary VLAN 6. Downlink port GigabitEthernet 1/0/5 permits secondary VLAN 8. Secondary VLANs 6 and 8 are associated with primary VLAN 10.
· Device A is aware of only VLANs 5 and 10 on Device B.
Figure 11 Network diagram
1. Configure Device B:
# Configure VLANs 5 and 10 as primary VLANs.
<DeviceB> system-view
[DeviceB] vlan 5
[DeviceB-vlan5] private-vlan primary
[DeviceB-vlan5] quit
[DeviceB] vlan 10
[DeviceB-vlan10] private-vlan primary
[DeviceB-vlan10] quit
# Create VLANs 2, 3, 6, and 8.
[DeviceB] vlan 2 to 3
[DeviceB] vlan 6
[DeviceB-vlan6] quit
[DeviceB] vlan 8
[DeviceB-vlan8] quit
# Associate secondary VLANs 2 and 3 with primary VLAN 5.
[DeviceB] vlan 5
[DeviceB-vlan5] private-vlan secondary 2 3
[DeviceB-vlan5] quit
# Associate secondary VLANs 6 and 8 with primary VLAN 10.
[DeviceB] vlan 10
[DeviceB-vlan10] private-vlan secondary 6 8
[DeviceB-vlan10] quit
# Configure the uplink port (GigabitEthernet 1/0/1) as a trunk promiscuous port of VLANs 5 and 10.
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] port private-vlan 5 10 trunk promiscuous
[DeviceB-GigabitEthernet1/0/1] quit
# Assign downlink port GigabitEthernet 1/0/2 to VLAN 2, and configure the port as a host port.
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] port access vlan 2
[DeviceB-GigabitEthernet1/0/2] port private-vlan host
[DeviceB-GigabitEthernet1/0/2] quit
# Assign downlink port GigabitEthernet 1/0/3 to VLAN 3, and configure the port as a host port.
[DeviceB] interface gigabitethernet 1/0/3
[DeviceB-GigabitEthernet1/0/3] port access vlan 3
[DeviceB-GigabitEthernet1/0/3] port private-vlan host
[DeviceB-GigabitEthernet1/0/3] quit
# Assign downlink port GigabitEthernet 1/0/4 to VLAN 6, and configure the port as a host port.
[DeviceB] interface gigabitethernet 1/0/4
[DeviceB-GigabitEthernet1/0/4] port access vlan 6
[DeviceB-GigabitEthernet1/0/4] port private-vlan host
[DeviceB-GigabitEthernet1/0/4] quit
# Assign downlink port GigabitEthernet 1/0/5 to VLAN 8, and configure the port as a host port.
[DeviceB] interface gigabitethernet 1/0/5
[DeviceB-GigabitEthernet1/0/5] port access vlan 8
[DeviceB-GigabitEthernet1/0/5] port private-vlan host
[DeviceB-GigabitEthernet1/0/5] quit
2. Configure Device A:
# Create VLANs 5 and 10.
<DeviceA> system-view
[DeviceA] vlan 5
[DeviceA-vlan5] quit
[DeviceA] vlan 10
[DeviceA-vlan10] quit
# Configure GigabitEthernet 1/0/1 as a hybrid port, and assign it to VLANs 5 and 10 as a tagged VLAN member.
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] port link-type hybrid
[DeviceA-GigabitEthernet1/0/1] port hybrid vlan 5 10 tagged
[DeviceA-GigabitEthernet1/0/1] quit
# Verify the primary VLAN configurations on Device B. The following output uses primary VLAN 5 as an example.
[DeviceB] display private-vlan 5
Primary VLAN ID: 5
Secondary VLAN ID: 2-3
VLAN ID: 5
Private VLAN type: Primary
Description: VLAN 0005
Name: VLAN 0005
Tagged ports:
GigabitEthernet1/0/1
Untagged ports:
GigabitEthernet1/0/2
GigabitEthernet1/0/3
VLAN ID: 2
Private VLAN type: Secondary
Description: VLAN 0002
Name: VLAN 0002
Tagged ports:
GigabitEthernet1/0/1
Untagged ports:
GigabitEthernet1/0/2
VLAN ID: 3
Private VLAN type: Secondary
Description: VLAN 0003
Name: VLAN 0003
Tagged ports:
GigabitEthernet1/0/1
Untagged ports:
GigabitEthernet1/0/3
The output shows that:
· The trunk promiscuous port (GigabitEthernet 1/0/1) is a tagged member of primary VLAN 5 and secondary VLANs 2 and 3.
· Host port GigabitEthernet 1/0/2 is an untagged member of primary VLAN 5 and secondary VLAN 2.
· Host port GigabitEthernet 1/0/3 is an untagged member of primary VLAN 5 and secondary VLAN 3.
Trunk promiscuous and trunk secondary port configuration example
As shown in Figure 12 , configure the private VLAN feature to meet the following requirements:
· VLANs 10 and 20 are primary VLANs on Device A. The uplink port (GigabitEthernet 1/0/5) on Device A permits the packets from VLANs 10 and 20 to pass through tagged.
· VLANs 11, 12, 21, and 22 are secondary VLANs on Device A.
¡ Downlink port GigabitEthernet 1/0/2 permits the packets from secondary VLANs 11 and 21 to pass through tagged.
¡ Downlink port GigabitEthernet 1/0/1 permits secondary VLAN 22.
¡ Downlink port GigabitEthernet 1/0/3 permits secondary VLAN 12.
· Secondary VLANs 11 and 12 are associated with primary VLAN 10.
· Secondary VLANs 21 and 22 are associated with primary VLAN 20.
Figure 12 Network diagram
1. Configure Device A:
# Configure VLANs 10 and 20 as primary VLANs.
<DeviceA> system-view
[DeviceA] vlan 10
[DeviceA-vlan10] private-vlan primary
[DeviceA-vlan10] quit
[DeviceA] vlan 20
[DeviceA-vlan20] private-vlan primary
[DeviceA-vlan20] quit
# Create VLANs 11, 12, 21, and 22.
[DeviceA] vlan 11 to 12
[DeviceA] vlan 21 to 22
# Associate secondary VLANs 11 and 12 with primary VLAN 10.
[DeviceA] vlan 10
[DeviceA-vlan10] private-vlan secondary 11 12
[DeviceA-vlan10] quit
# Associate secondary VLANs 21 and 22 with primary VLAN 20.
[DeviceA] vlan 20
[DeviceA-vlan20] private-vlan secondary 21 22
[DeviceA-vlan20] quit
# Configure the uplink port (GigabitEthernet 1/0/5) as a trunk promiscuous port of VLANs 10 and 20.
[DeviceA] interface gigabitethernet 1/0/5
[DeviceA-GigabitEthernet1/0/5] port private-vlan 10 20 trunk promiscuous
[DeviceA-GigabitEthernet1/0/5] quit
# Assign downlink port GigabitEthernet 1/0/1 to VLAN 22 and configure the port as a host port.
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] port access vlan 22
[DeviceA-GigabitEthernet1/0/1] port private-vlan host
[DeviceA-GigabitEthernet1/0/1] quit
# Assign downlink port GigabitEthernet 1/0/3 to VLAN 12 and configure the port as a host port.
[DeviceA] interface gigabitethernet 1/0/3
[DeviceA-GigabitEthernet1/0/3] port access vlan 12
[DeviceA-GigabitEthernet1/0/3] port private-vlan host
[DeviceA-GigabitEthernet1/0/3] quit
# Configure downlink port GigabitEthernet 1/0/2 as a trunk secondary port of VLANs 11 and 21.
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] port private-vlan 11 21 trunk secondary
[DeviceA-GigabitEthernet1/0/2] quit
2. Configure Device B:
# Create VLANs 11 and 21.
<DeviceB> system-view
[DeviceB] vlan 11
[DeviceB-vlan11] quit
[DeviceB] vlan 21
[DeviceB-vlan21] quit
# Configure GigabitEthernet 1/0/2 as a hybrid port, and assign it to VLANs 11 and 21 as a tagged VLAN member.
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] port link-type hybrid
[DeviceB-GigabitEthernet1/0/2] port hybrid vlan 11 21 tagged
[DeviceB-GigabitEthernet1/0/2] quit
# Assign GigabitEthernet 1/0/3 to VLAN 11.
[DeviceB] interface gigabitethernet 1/0/3
[DeviceB-GigabitEthernet1/0/3] port access vlan 11
[DeviceB-GigabitEthernet1/0/3] quit
# Assign GigabitEthernet 1/0/4 to VLAN 21.
[DeviceB] interface gigabitethernet 1/0/4
[DeviceB-GigabitEthernet1/0/4] port access vlan 21
[DeviceB-GigabitEthernet1/0/4] quit
3. Configure Device C:
# Create VLANs 10 and 20.
<DeviceC> system-view
[DeviceC] vlan 10
[DeviceC-vlan10] quit
[DeviceC] vlan 20
[DeviceC-vlan20] quit
# Configure GigabitEthernet 1/0/5 as a hybrid port, and assign it to VLANs 10 and 20 as a tagged VLAN member.
[DeviceC] interface gigabitethernet 1/0/5
[DeviceC-GigabitEthernet1/0/5] port link-type hybrid
[DeviceC-GigabitEthernet1/0/5] port hybrid vlan 10 20 tagged
[DeviceC-GigabitEthernet1/0/5] quit
# Verify the primary VLAN configurations on Device A. The following output uses primary VLAN 10 as an example.
[DeviceA] display private-vlan 10
Primary VLAN ID: 10
Secondary VLAN ID: 11-12
VLAN ID: 10
Private-vlan type: Primary
Description: VLAN 0010
Name: VLAN 0010
Tagged ports:
GigabitEthernet1/0/2
GigabitEthernet1/0/5
Untagged ports:
GigabitEthernet1/0/3
VLAN ID: 11
Private-vlan type: Secondary
Description: VLAN 0011
Name: VLAN 0011
Tagged ports:
GigabitEthernet1/0/2
GigabitEthernet1/0/5
Untagged ports: None
VLAN ID: 12
Private-vlan type: Secondary
Description: VLAN 0012
Name: VLAN 0012
Tagged ports:
GigabitEthernet1/0/5
Untagged ports:
GigabitEthernet1/0/3
The output shows that:
· The trunk promiscuous port (GigabitEthernet 1/0/5) is a tagged member of primary VLAN 10 and secondary VLANs 11 and 12.
· The trunk secondary port (GigabitEthernet 1/0/2) is a tagged member of primary VLAN 10 and secondary VLAN 11.
· The host port (GigabitEthernet 1/0/3) is an untagged member of primary VLAN 10 and secondary VLAN 12.
Secondary VLAN Layer 3 communication configuration example
As shown in Figure 13 , configure the private VLAN feature to meet the following requirements:
· Primary VLAN 10 on Device A is associated with secondary VLANs 2 and 3. The IP address of VLAN-interface 10 is 192.168.1.1/24.
· GigabitEthernet 1/0/1 belongs to VLAN 10. GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3 belong to VLAN 2 and VLAN 3, respectively.
· Secondary VLANs are isolated at Layer 2 but interoperable at Layer 3.
Figure 13 Network diagram
# Create VLAN 10 and configure it as a primary VLAN.
<DeviceA> system-view
[DeviceA] vlan 10
[DeviceA-vlan10] private-vlan primary
[DeviceA-vlan10] quit
# Create VLANs 2 and 3.
[DeviceA] vlan 2 to 3
# Associate primary VLAN 10 with secondary VLANs 2 and 3.
[DeviceA] vlan 10
[DeviceA-vlan10] private-vlan secondary 2 3
[DeviceA-vlan10] quit
# Configure the uplink port (GigabitEthernet 1/0/1) as a promiscuous port of VLAN 10.
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] port private-vlan 10 promiscuous
[DeviceA-GigabitEthernet1/0/1] quit
# Assign downlink port GigabitEthernet 1/0/2 to VLAN 2, and configure the port as a host port.
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] port access vlan 2
[DeviceA-GigabitEthernet1/0/2] port private-vlan host
[DeviceA-GigabitEthernet1/0/2] quit
# Assign downlink port GigabitEthernet 1/0/3 to VLAN 3, and configure the port as a host port.
[DeviceA] interface gigabitethernet 1/0/3
[DeviceA-GigabitEthernet1/0/3] port access vlan 3
[DeviceA-GigabitEthernet1/0/3] port private-vlan host
[DeviceA-GigabitEthernet1/0/3] quit
# Enable Layer 3 communication between secondary VLANs 2 and 3 that are associated with primary VLAN 10.
[DeviceA] interface vlan-interface 10
[DeviceA-Vlan-interface10] private-vlan secondary 2 3
# Assign IP address 192.168.1.1/24 to VLAN-interface 10.
[DeviceA-Vlan-interface10] ip address 192.168.1.1 255.255.255.0
# Enable local proxy ARP on VLAN-interface 10.
[DeviceA-Vlan-interface10] local-proxy-arp enable
[DeviceA-Vlan-interface10] quit
# Display the configuration of primary VLAN 10.
[DeviceA] display private-vlan 10
Primary VLAN ID: 10
Secondary VLAN ID: 2-3
VLAN ID: 10
Private VLAN type: Primary
Route interface: Configured
IPv4 address: 192.168.1.1
IPv4 subnet mask: 255.255.255.0
Description: VLAN 0010
Name: VLAN 0010
Tagged ports: None
Untagged ports:
GigabitEthernet1/0/1
GigabitEthernet1/0/2
GigabitEthernet1/0/3
The Route interface field in the output is Configured , indicating that secondary VLANs 2 and 3 are interoperable at Layer 3.
Configuring voice VLANs
A voice VLAN is used for transmitting voice traffic. The device can configure QoS parameters for voice packets to ensure higher transmission priority of the voice packets.
Common voice devices include IP phones and integrated access devices (IADs). This chapter uses IP phones as an example.
For an IP phone to access a device, the device must perform the following operations:
1. Identify the IP phone in the network and obtain the MAC address of the IP phone.
2. Advertise the voice VLAN information to the IP phone.
After receiving the voice VLAN information, the IP phone performs automatic configuration. Voice packets sent from the IP phone can then be transmitted within the voice VLAN.
Methods of identifying IP phones
Devices can use the OUI addresses or LLDP to identify IP phones.
Identifying IP phones through OUI addresses
A device identifies voice packets based on their source MAC addresses. A packet whose source MAC address complies with an Organizationally Unique Identifier (OUI) address of the device is regarded as a voice packet.
You can use system default OUI addresses (see Table 1 ) or configure OUI addresses for the device. You can manually remove or add the system default OUI addresses.
Table 1 Default OUI addresses
Typically, an OUI address refers to the first 24 bits of a MAC address (in binary notation) and is a globally unique identifier that IEEE assigns to a vendor. However, OUI addresses in this chapter are addresses that the system uses to identify voice packets. They are the logical AND results of the mac-address and oui-mask arguments in the voice-vlan mac-address command.
Automatically identifying IP phones through LLDP
If IP phones support LLDP, configure LLDP for automatic IP phone discovery on the device. The device can then automatically discover the peer through LLDP, and exchange LLDP TLVs with the peer.
If the LLDP System Capabilities TLV received on a port indicates that the peer can act as a telephone, the device performs the following operations:
1. Sends an LLDP TLV with the voice VLAN configuration to the peer.
2. Assigns the receiving port to the voice VLAN.
3. Increases the transmission priority of the voice packets sent from the IP phone.
4. Adds the MAC address of the IP phone to the MAC address table to ensure that the IP phone can pass authentication.
Use LLDP instead of the OUI list to identify IP phones if the network has more IP phone categories than the maximum number of OUI addresses supported on the device. LLDP has higher priority than the OUI list.
For more information about LLDP, see "Configuring LLDP."
Advertising the voice VLAN information to IP phones
Figure 14 shows the workflow of advertising the voice VLAN information to IP phones.
Figure 14 Workflow of advertising the voice VLAN information to IP phones
IP phone access methods
Connecting the host and the IP phone in series
As shown in Figure 15 , the host is connected to the IP phone, and the IP phone is connected to the device. In this scenario, the following requirements must be met:
· The host and the IP phone use different VLANs.
· The IP phone is able to send out VLAN-tagged packets, so that the device can differentiate traffic from the host and the IP phone.
· The port connecting to the IP phone forwards packets from the voice VLAN and the PVID.
Figure 15 Connecting the host and IP phone in series
Connecting the IP phone to the device
As shown in Figure 16 , IP phones are connected to the device without the presence of the host. Use this connection method when IP phones send out untagged voice packets. In this scenario, you must configure the voice VLAN as the PVID of the access port of the IP phone, and configure the port to forward the packets from the PVID.
Figure 16 Connecting the IP phone to the device
Voice VLAN assignment modes
A port can be assigned to a voice VLAN automatically or manually.
Automatic mode
Use automatic mode when PCs and IP phones are connected in series to access the network through the device, as shown in Figure 15 . Ports on the device transmit both voice traffic and data traffic.
When an IP phone is powered on, it sends out protocol packets. After receiving these protocol packets, the device uses the source MAC address of the protocol packets to match its OUI addresses. If the match succeeds, the device performs the following operations:
· Assigns the receiving port of the protocol packets to the voice VLAN.
· Issues ACL rules to set the packet precedence.
· Starts the voice VLAN aging timer.
If no voice packet is received from the port before the aging timer expires, the device will remove the port from the voice VLAN. The aging timer is also configurable.
When the IP phone reboots, the port is reassigned to the voice VLAN to ensure the correct operation of the existing voice connections. The reassignment occurs automatically without being triggered by voice traffic as long as the voice VLAN operates correctly.
Manual mode
Use manual mode when only IP phones access the network through the device, as shown in Figure 16 . In this mode, ports are assigned to a voice VLAN that transmits voice traffic exclusively. No data traffic affects the voice traffic transmission.
You must manually assign the port that connects to the IP phone to a voice VLAN. The device uses the source MAC address of the received voice packets to match its OUI addresses. If the match succeeds, the device issues ACL rules to set the packet precedence.
To remove the port from the voice VLAN, you must manually remove it.
Cooperation of voice VLAN assignment modes and IP phones
Some IP phones send out VLAN-tagged packets, and others send out only untagged packets. For correct packet processing, ports of different link types must meet specific configuration requirements in different voice VLAN assignment modes.
Access ports do not transmit tagged packets.
Table 2 Configuration requirements for trunk and hybrid ports to support tagged voice traffic
When IP phones send out untagged packets, you must set the voice VLAN assignment mode to manual.
Table 3 Configuration requirements for ports in manual mode to support untagged voice traffic
If an IP phone sends out tagged voice traffic, and its access port is configured with 802.1X authentication, guest VLAN, Auth-Fail VLAN, or critical VLAN, VLAN IDs must be different for the following VLANs:
· Voice VLAN.
· PVID of the access port.
· 802.1X guest, Auth-Fail, or critical VLAN.
If an IP phone sends out untagged voice traffic, the PVID of the access port must be the voice VLAN. In this scenario, 802.1X authentication is not supported.
Security mode and normal mode of voice VLANs
Depending on how it filters incoming packets, a voice VLAN-enabled port can operate in one of the following modes:
· Normal mode—The port receives voice-VLAN-tagged packets and forwards them in the voice VLAN without examining their MAC addresses. If the PVID of the port is the voice VLAN and the port operates in manual VLAN assignment mode, the port forwards all received untagged packets in the voice VLAN.
In this mode, voice VLANs are vulnerable to traffic attacks. Malicious users might send a large number of forged voice-VLAN-tagged or untagged packets to disrupt voice communication.
· Security mode—The port matches the source MAC addresses of voice packets against the OUI addresses of the device. Packets that fail the match are dropped.
In a safe network, you can configure the voice VLANs to operate in normal mode. This mode reduces the system resources consumed by source MAC address checking.
In either mode, the device modifies the transmission priority only for voice VLAN packets whose source MAC addresses match OUI addresses of the device.
As a best practice, do not transmit both voice traffic and non-voice traffic in a voice VLAN. If you must transmit different traffic in a voice VLAN, make sure the voice VLAN security mode is disabled.
Table 4 Packet processing on a voice VLAN-enabled port in normal or security mode
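As a constructed illustration of the normal-mode and security-mode rules described above (this is added example code, not from the configuration guide or the device software), the following Python models a voice-VLAN-enabled port: OUI entries are matched with a mask the way the voice-vlan mac-address entries on this page are, security mode drops frames whose source MAC matches no OUI, and in either mode only OUI-matching frames receive the CoS/DSCP values (6 and 46, the values shown in the display output later on this page). The OuiEntry and VoicePort classes, the demo() function, and all MAC addresses other than the IP phone A OUI are hypothetical.

```python
"""Model of voice-VLAN frame handling on a voice-VLAN-enabled port.

Constructed example: applies the normal-mode / security-mode rules to a few
hand-built frames. Class and function names are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def mac_to_int(mac: str) -> int:
    """Parse 'xxxx-xxxx-xxxx' or 'xx:xx:xx:xx:xx:xx' into an integer."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


@dataclass(frozen=True)
class OuiEntry:
    """One OUI entry: address, mask and description, as in the OUI list."""
    address: str
    mask: str
    description: str = ""

    def matches(self, src_mac: str) -> bool:
        m = mac_to_int(self.mask)
        return (mac_to_int(src_mac) & m) == (mac_to_int(self.address) & m)


@dataclass
class VoicePort:
    voice_vlan: int
    pvid: int
    assignment_mode: str            # "auto" or "manual"
    security_mode: bool             # True = security mode, False = normal mode
    oui_list: List[OuiEntry] = field(default_factory=list)
    cos: int = 6                    # priority values shown in the display output
    dscp: int = 46

    def is_voice_source(self, src_mac: str) -> bool:
        return any(entry.matches(src_mac) for entry in self.oui_list)

    def process(self, src_mac: str, vlan_tag: Optional[int]) -> Dict[str, object]:
        """Decide what happens to a frame; returns action, VLAN, CoS/DSCP and reason."""
        # Step 1: which VLAN does the frame land in?
        if vlan_tag is None:
            if self.pvid == self.voice_vlan and self.assignment_mode == "manual":
                vlan = self.voice_vlan          # untagged frames go to the voice VLAN
            else:
                return {"action": "forward", "vlan": self.pvid, "cos": None,
                        "dscp": None, "reason": "untagged frame handled as ordinary PVID traffic"}
        elif vlan_tag == self.voice_vlan:
            vlan = vlan_tag
        else:
            return {"action": "forward", "vlan": vlan_tag, "cos": None,
                    "dscp": None, "reason": "not voice VLAN traffic"}

        # Step 2: OUI check. Security mode drops non-matching frames; normal mode
        # forwards them, but priority is remarked only for OUI-matching frames.
        matched = self.is_voice_source(src_mac)
        if self.security_mode and not matched:
            return {"action": "drop", "vlan": vlan, "cos": None, "dscp": None,
                    "reason": "security mode: source MAC matches no OUI address"}
        if matched:
            return {"action": "forward", "vlan": vlan, "cos": self.cos,
                    "dscp": self.dscp, "reason": "OUI match: priority remarked"}
        return {"action": "forward", "vlan": vlan, "cos": None, "dscp": None,
                "reason": "normal mode: forwarded without OUI check"}


# OUI list built from the IP phone A entry used in the configuration example.
OUI_LIST = [OuiEntry("0011-1100-0000", "ffff-ff00-0000", "IP phone A")]


def demo() -> Dict[str, Dict[str, object]]:
    """Run constructed frames through a normal-mode and a security-mode port."""
    normal = VoicePort(voice_vlan=2, pvid=2, assignment_mode="manual",
                       security_mode=False, oui_list=OUI_LIST)
    secure = VoicePort(voice_vlan=2, pvid=2, assignment_mode="manual",
                       security_mode=True, oui_list=OUI_LIST)
    auto = VoicePort(voice_vlan=2, pvid=1, assignment_mode="auto",
                     security_mode=True, oui_list=OUI_LIST)
    phone = "0011-1100-00ab"   # constructed: inside the IP phone A OUI
    rogue = "00aa-bbcc-ddee"   # constructed: not in the OUI list
    return {
        "normal_rogue_tagged": normal.process(rogue, 2),
        "secure_rogue_tagged": secure.process(rogue, 2),
        "secure_phone_untagged": secure.process(phone, None),
        "auto_phone_untagged": auto.process(phone, None),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result['action']} vlan={result['vlan']} cos={result['cos']} ({result['reason']})")
```

Running the block shows the difference the mode makes: the forged frame from the rogue source is forwarded (unprioritised) in normal mode and dropped in security mode, while the phone's untagged frame is prioritised only because the port is in manual mode with PVID equal to the voice VLAN.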
Voice VLAN configuration restrictions and guidelines
A port enabled with the voice VLAN feature does not support EVB. For more information about EVB, see EVB Configuration Guide.
Aggregate interfaces and member ports in an aggregation group do not support the voice VLAN feature. For information about aggregate interface and member ports, see "Configuring Ethernet link aggregation."
The aging timer of a voice VLAN starts only when the dynamic MAC address entry of the voice VLAN ages out. The aging period for the voice VLAN equals the sum of the voice VLAN aging timer and the aging timer for its dynamic MAC address entry. For more information about the aging timer for dynamic MAC address entries, see "Configuring the MAC address table."
As a best practice, do not configure voice VLAN and disable MAC address learning on the same port. If the two are configured together on a port, the port forwards only packets that exactly match the OUI addresses and drops all other packets.
As a best practice, do not configure both voice VLAN and the MAC learning limit on a port. If the two features are configured together on a port and the port learns the configured maximum number of MAC address entries, the port processes packets as follows:
· Forwards only packets matching the MAC address entries learned by the port and the OUI addresses.
· Drops all other packets.
Voice VLAN configuration task list
Configuring the QoS priority settings for voice traffic
The QoS priority settings carried in voice traffic include the CoS and DSCP values. You can configure the device to modify the QoS priority settings for voice traffic.
You cannot configure the QoS priority settings on a voice VLAN-enabled port. Before you configure the QoS priority settings for voice traffic on a port, you must disable the voice VLAN feature on it.
To configure the QoS priority settings for voice traffic:
Configuring a port to operate in automatic voice VLAN assignment mode
When you configure a port to operate in automatic voice VLAN assignment mode, follow these restrictions and guidelines:
· Do not configure a VLAN as both a voice VLAN and a protocol-based VLAN.
¡ A voice VLAN in automatic mode on a hybrid port processes only tagged incoming voice traffic.
¡ A protocol-based VLAN on a hybrid port processes only untagged incoming packets. For more information about protocol-based VLANs, see "Configuring protocol-based VLANs."
· As a best practice, do not use this mode with MSTP. In MSTP mode, if a port is blocked in the MSTI of the target voice VLAN, the port drops the received packets instead of delivering them to the CPU. As a result, the port will not be dynamically assigned to the voice VLAN.
· As a best practice, do not use this mode with PVST. In PVST mode, if the target voice VLAN is not permitted on a port, the port is placed in blocked state. The port drops the received packets instead of delivering them to the CPU. As a result, the port will not be dynamically assigned to the voice VLAN.
To configure a port to operate in automatic voice VLAN assignment mode:
Configuring a port to operate in manual voice VLAN assignment mode
When you configure a port to operate in manual voice VLAN assignment mode, follow these restrictions and guidelines:
· You can configure different voice VLANs for different ports on the same device. Make sure the following requirements are met:
¡ One port can be configured with only one voice VLAN.
¡ Voice VLANs must be existing static VLANs.
· To make a voice VLAN take effect on a port operating in manual mode, you must manually assign the port to the voice VLAN.
To configure a port to operate in manual voice VLAN assignment mode:
Enabling LLDP for automatic IP phone discovery
When you enable LLDP for automatic IP phone discovery, follow these restrictions and guidelines:
· Before you enable this feature, enable LLDP both globally and on access ports.
· Use this feature only with the automatic voice VLAN assignment mode.
· Do not use this feature together with CDP compatibility.
To enable LLDP for automatic IP phone discovery:
Configuring LLDP to advertise a voice VLAN
For IP phones that support LLDP, the device advertises the voice VLAN information to the IP phones through the LLDP-MED TLVs.
Before you configure this feature, enable LLDP both globally and on access ports.
To configure LLDP to advertise a voice VLAN:
Configuring CDP to advertise a voice VLAN
If an IP phone supports CDP but does not support LLDP, it will send out CDP packets to the device to request the voice VLAN ID. If the IP phone does not receive the voice VLAN ID within a time period, it will send out untagged packets. The device cannot differentiate untagged voice packets from other types of packets.
You can configure CDP compatibility on the device to enable it to perform the following operations:
· Receive and identify CDP packets from the IP phone.
· Send CDP packets to the IP phone. The voice VLAN information is carried in the CDP packets.
After receiving the advertised VLAN information, the IP phone performs automatic voice VLAN configuration. Packets from the IP phone will be transmitted in the dedicated voice VLAN.
LLDP packets sent from the device carry the priority information. CDP packets sent from the device do not carry the priority information.
Before you configure this feature, enable LLDP globally and on access ports.
To configure CDP to advertise a voice VLAN:
Displaying and maintaining voice VLANs
Voice VLAN configuration examples
Automatic voice VLAN assignment mode configuration example
As shown in Figure 17, Device A transmits traffic from IP phones and hosts.
For correct voice traffic transmission, perform the following tasks on Device A:
· Configure voice VLANs 2 and 3 to transmit voice packets from IP phone A and IP phone B, respectively.
· Configure GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to operate in automatic voice VLAN assignment mode.
· Add MAC addresses of IP phones A and B to the device for voice packet identification. The mask of the two MAC addresses is FFFF-FF00-0000.
· Set an aging timer for voice VLANs.
Figure 17 Network diagram
1. Configure voice VLANs:
# Set the voice VLAN aging timer to 30 minutes.
[DeviceA] voice-vlan aging 30
# Enable security mode for voice VLANs.
[DeviceA] voice-vlan security enable
# Add MAC addresses of IP phones A and B to the device with mask FFFF-FF00-0000.
[DeviceA] voice-vlan mac-address 0011-1100-0001 mask ffff-ff00-0000 description IP phone A
[DeviceA] voice-vlan mac-address 0011-2200-0001 mask ffff-ff00-0000 description IP phone B
2. Configure GigabitEthernet 1/0/1:
# Configure GigabitEthernet 1/0/1 as a hybrid port.
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] port link-type hybrid
# Configure GigabitEthernet 1/0/1 to operate in automatic voice VLAN assignment mode.
[DeviceA-GigabitEthernet1/0/1] voice-vlan mode auto
# Enable voice VLAN on GigabitEthernet 1/0/1 and configure VLAN 2 as the voice VLAN for it.
[DeviceA-GigabitEthernet1/0/1] voice-vlan 2 enable
[DeviceA-GigabitEthernet1/0/1] quit
3. Configure GigabitEthernet 1/0/2:
# Configure GigabitEthernet 1/0/2 as a hybrid port.
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] port link-type hybrid
# Configure GigabitEthernet 1/0/2 to operate in automatic voice VLAN assignment mode.
[DeviceA-GigabitEthernet1/0/2] voice-vlan mode auto
# Enable voice VLAN on GigabitEthernet 1/0/2 and configure VLAN 3 as the voice VLAN for it.
[DeviceA-GigabitEthernet1/0/2] voice-vlan 3 enable
[DeviceA-GigabitEthernet1/0/2] quit
# Display the OUI addresses supported on Device A.
[DeviceA] display voice-vlan mac-address
OUI Address Mask Description
0001-e300-0000 ffff-ff00-0000 Siemens phone
0003-6b00-0000 ffff-ff00-0000 Cisco phone
0004-0d00-0000 ffff-ff00-0000 Avaya phone
000f-e200-0000 ffff-ff00-0000 H3C Aolynk phone
0011-1100-0000 ffff-ff00-0000 IP phone A
0011-2200-0000 ffff-ff00-0000 IP phone B
0060-b900-0000 ffff-ff00-0000 Philips/NEC phone
00d0-1e00-0000 ffff-ff00-0000 Pingtel phone
00e0-7500-0000 ffff-ff00-0000 Polycom phone
00e0-bb00-0000 ffff-ff00-0000 3Com phone
# Display the voice VLAN state.
[DeviceA] display voice-vlan state
Current voice VLANs: 2
Voice VLAN security mode: Security
Voice VLAN aging time: 30 minutes
Voice VLAN enabled ports and their modes:
Port VLAN Mode CoS DSCP
GE1/0/1 2 Auto 6 46
GE1/0/2 3 Auto 6 46
Manual voice VLAN assignment mode configuration example
As shown in Figure 18, IP phone A sends untagged voice traffic.
To enable GigabitEthernet 1/0/1 to transmit only voice packets, perform the following tasks on Device A:
· Create VLAN 2. This VLAN will be used as a voice VLAN.
· Configure GigabitEthernet 1/0/1 to operate in manual voice VLAN assignment mode and add it to VLAN 2.
· Add the OUI address of IP phone A to the OUI list of Device A.
Figure 18 Network diagram
# Add MAC address 0011-2200-0001 with mask FFFF-FF00-0000.
[DeviceA] voice-vlan mac-address 0011-2200-0001 mask ffff-ff00-0000 description test
# Create VLAN 2.
[DeviceA] vlan 2
[DeviceA-vlan2] quit
# Configure GigabitEthernet 1/0/1 as a hybrid port.
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] port link-type hybrid
# Configure GigabitEthernet 1/0/1 to operate in manual voice VLAN assignment mode.
[DeviceA-GigabitEthernet1/0/1] undo voice-vlan mode auto
# Set the PVID of GigabitEthernet 1/0/1 to VLAN 2.
[DeviceA-GigabitEthernet1/0/1] port hybrid pvid vlan 2
# Assign GigabitEthernet 1/0/1 to VLAN 2 as an untagged VLAN member.
[DeviceA-GigabitEthernet1/0/1] port hybrid vlan 2 untagged
# Enable voice VLAN and configure VLAN 2 as the voice VLAN on GigabitEthernet 1/0/1.
[DeviceA-GigabitEthernet1/0/1] voice-vlan 2 enable
[DeviceA-GigabitEthernet1/0/1] quit
# Display the OUI addresses supported on Device A.
[DeviceA] display voice-vlan mac-address
OUI Address Mask Description
0011-2200-0000 ffff-ff00-0000 test
# Display the voice VLAN state.
[DeviceA] display voice-vlan state
Current voice VLANs: 1
Voice VLAN aging time: 1440 minutes
Voice VLAN enabled ports and their modes:
Port VLAN Mode CoS DSCP
GE1/0/1 2 Manual 6 46
Understanding VLAN Assignments
A client is assigned to a VLAN by one of several methods, which are applied in order of precedence. The VLAN assignment methods are (from lowest to highest precedence):
Tunnel-Type="VLAN"(13)
Tunnel-Medium-Type="IEEE-802" (6)
Tunnel-Private-Group-Id="101"
Aruba-User-VLAN
Aruba-Named-User-VLAN
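The attributes listed above are what a RADIUS server returns to place a client in a VLAN. The following Python is an added example, not Aruba code: it shows the check a controller has to make before trusting such an assignment, namely that Tunnel-Type is VLAN (13) and Tunnel-Medium-Type is IEEE-802 (6) before Tunnel-Private-Group-Id is used, that the resulting ID is in the valid 1 to 4094 range, and that an Aruba-Named-User-VLAN name resolves in a local named-VLAN table. The function names, the named-VLAN table and the attribute sets are constructed; the order in which the two Aruba VSAs are consulted is a choice made for this example, not the controller's documented precedence.

```python
"""Validate a RADIUS VLAN assignment before applying it to a client.

Constructed example (not Aruba code). Attribute values are assumed to be
already decoded: integers for the enumerated attributes, strings otherwise.
"""
from typing import Dict, Optional, Union

TUNNEL_TYPE_VLAN = 13          # Tunnel-Type="VLAN"(13)
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type="IEEE-802"(6)
VLAN_MIN, VLAN_MAX = 1, 4094   # valid 802.1Q VLAN ID range

Attrs = Dict[str, Union[int, str]]


def _valid_vid(value: Union[int, str]) -> Optional[int]:
    """Return the VLAN ID as an int if it is numeric and in range, else None."""
    text = str(value).strip()
    if not text.isdigit():
        return None
    vid = int(text)
    return vid if VLAN_MIN <= vid <= VLAN_MAX else None


def vlan_from_tunnel_attributes(attrs: Attrs) -> Optional[int]:
    """Accept Tunnel-Private-Group-Id only when Tunnel-Type and
    Tunnel-Medium-Type both describe a VLAN over IEEE 802; otherwise the
    assignment is ignored rather than guessed."""
    if attrs.get("Tunnel-Type") != TUNNEL_TYPE_VLAN:
        return None
    if attrs.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_IEEE_802:
        return None
    return _valid_vid(attrs.get("Tunnel-Private-Group-Id", ""))


def vlan_from_aruba_vsa(attrs: Attrs, named_vlans: Dict[str, int]) -> Optional[int]:
    """Aruba-User-VLAN carries a numeric ID; Aruba-Named-User-VLAN carries a
    name that must exist in the local named-VLAN table (a constructed dict
    here). Which VSA is consulted first is a choice made for this example."""
    if "Aruba-User-VLAN" in attrs:
        return _valid_vid(attrs["Aruba-User-VLAN"])
    name = attrs.get("Aruba-Named-User-VLAN")
    if name is not None:
        return named_vlans.get(str(name))
    return None


def demo() -> Dict[str, Optional[int]]:
    """Constructed attribute sets: one complete, and several that must be rejected."""
    named = {"guest": 101, "employee": 200}   # constructed named-VLAN table
    return {
        "complete": vlan_from_tunnel_attributes(
            {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-Id": "101"}),
        "wrong_medium": vlan_from_tunnel_attributes(
            {"Tunnel-Type": 13, "Tunnel-Medium-Type": 1, "Tunnel-Private-Group-Id": "101"}),
        "missing_type": vlan_from_tunnel_attributes(
            {"Tunnel-Medium-Type": 6, "Tunnel-Private-Group-Id": "101"}),
        "out_of_range": vlan_from_tunnel_attributes(
            {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-Id": "4095"}),
        "numeric_vsa": vlan_from_aruba_vsa({"Aruba-User-VLAN": 200}, named),
        "named": vlan_from_aruba_vsa({"Aruba-Named-User-VLAN": "guest"}, named),
        "unknown_name": vlan_from_aruba_vsa({"Aruba-Named-User-VLAN": "lab"}, named),
    }


if __name__ == "__main__":
    for case, vid in demo().items():
        print(f"{case}: {'rejected' if vid is None else 'VLAN ' + str(vid)}")
```

A None result means the client falls through to the next assignment method in the precedence list rather than landing in a VLAN chosen from a partial or malformed attribute set; the show aaa debug vlan user command below is where such a fall-through becomes visible on the controller.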
VLAN Derivation Priorities for VLAN types
The VLAN derivation priorities for the VLAN types are defined below in increasing order:
Use the following command to display user VLAN derivation related debug information:
(host) #show aaa debug vlan user [ip | ipv6 | mac]
How a VLAN Obtains an IP Address
A VLAN on the controller obtains its IP address in one of the following ways:
Assigning a Static Address to a VLAN
You can manually assign a static IP address to a VLAN on the controller. At least one VLAN on the controller must have a static IP address.
In the WebUI
(host)(config) # interface vlan <id>
ip address <address> <netmask>
Configuring a VLAN to Receive a Dynamic Address
In a branch office, you can connect a controller to an uplink switch or server that dynamically assigns IP addresses to connected devices. For example, you can connect the controller to a DSL or cable modem, or a broadband remote access server (BRAS). The following figure shows a branch office where a controller connects to a cable modem. VLAN 1 has a static IP address, while VLAN 2 has a dynamic IP address assigned via DHCP or PPPoE from the uplink device.
Figure 1 IP Address Assignment to VLAN via DHCP or PPPoE

Configuring Multiple Wired Uplink Interfaces (Active-Standby)
You can assign up to four VLAN interfaces to operate in active-standby topology. An active-standby topology provides redundancy so that when an active interface fails, the user traffic can failover to the standby interface.
To allow the controller to obtain a dynamic IP address for a VLAN, enable the DHCP or PPPoE client on the controller for the VLAN.
The following restrictions apply when enabling the DHCP or PPPoE client on the controller:
Enabling the DHCP Client
The DHCP server assigns an IP address for a specified amount of time called a lease. The controller automatically renews the lease before it expires. When you shut down the VLAN, the DHCP lease is released.
Figure 2 Assigning VLAN Uplink Priority—Active-Standby Configuration

In this example, the DHCP client has the client ID name myclient, and the interface VLAN 62 has an uplink priority of 2:
(host)(config) #interface vlan 62
(host)(config) #uplink wired vlan 62 priority 2
(host)(config) #interface vlan 62 ip address dhcp-client client-id myclient
Enabling the PPPoE Client
To authenticate the BRAS and request a dynamic IP address, the controller must have the following configured:
When you shut down the VLAN, the PPPoE session terminates.
In this example, a PPPoE service name, username, and password are assigned, and the interface VLAN 14 has an uplink priority of 3:
(host)(config) # interface vlan 14
ip address pppoe
(host)(config) # interface vlan 14 ip pppoe-service-name <service_name>
(host)(config) # interface vlan 14 ip pppoe-username <username>
(host)(config) # interface vlan 14 ip pppoe-password *****
(host)(config) # uplink wired vlan 14 priority 3
Default Gateway from DHCP/PPPoE
You can specify that the router IP address obtained from the DHCP or PPPoE server be used as the default gateway for the controller.
(host) (config) # ip default-gateway import
Configuring DNS/WINS Server from DHCP/PPPoE
The DHCP or PPPoE server can also provide the IP address of a DNS server or NetBIOS name server, which can be passed to wireless clients through the controller's internal DHCP server.
For example, the following configures the DHCP server on the controller to assign addresses to authenticated employees; the IP address of the DNS server obtained by the controller via DHCP/PPPoE is provided to clients along with their IP address.
Use the following commands:
(host)(config) # ip dhcp pool employee-pool
default-router 10.1.1.254
dns-server import
netbios-name-server import
network 10.1.1.0 255.255.255.0
Configuring Source NAT to Dynamic VLAN Address
When a VLAN interface obtains an IP address through DHCP or PPPoE, a NAT pool (dynamic-srcnat) and a session ACL (dynamic-session-acl) are automatically created which reference the dynamically-assigned IP addresses. This allows you to configure policies that map private local addresses to the public address(es) provided to the DHCP or PPPoE client. Whenever the IP address on the VLAN changes, the dynamic NAT pool address also changes to match the new address.
For example, the following rules for a guest policy deny traffic to internal network addresses. Traffic to other (external) destinations is source NATed to the IP address of the DHCP/PPPoE client on the controller.
(host)(config) # ip access-list session guest
any network 10.1.0.0 255.255.0.0 any deny
any any any src-nat pool dynamic-srcnat
Configuring Source NAT for VLAN Interfaces
The example configuration in the previous section illustrates how to configure source NAT using a policy that is applied to a user role. You can also enable source NAT for a VLAN interface to perform NAT on the source address for all traffic that exits the VLAN.
Starting with ArubaOS 6.4.4, all outbound traffic can be NATed with the IP address of the VLAN interface as the source address, while locally routed traffic is sent without any address translation.
Traditionally, ArubaOS supported only the IP NAT Inside feature, in which traffic is NATed with the IP address of the VLAN interface as the source address. This was useful only for traffic leaving through the uplink VLAN interface; traffic that only needed local routing also went through unnecessary address translation. This feature resolves the issue by applying NAT only to outbound traffic.
Sample Configuration
In the following example, the controller operates within an enterprise network. VLAN 1 is the outside VLAN, and traffic from VLAN 6 is source NATed using the IP address of the controller. The IP address assigned to VLAN 1 is used as the controller's IP address; thus traffic from VLAN 6 would be source NATed to 66.1.131.5:
Figure 3 Example: Source NAT using Controller IP Address

(host)(config) # interface vlan 1
ip address 66.1.131.5 255.255.255.0
(host)(config) # interface vlan 6
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip default-gateway 66.1.131.1
ip nat outside
Inter-VLAN Routing
On the controller, you can map a VLAN to a layer-3 subnetwork by assigning a static IP address and a netmask, or by configuring a DHCP or PPPoE server to provide a dynamic IP address and netmask to the VLAN interface. The controller, acting as a layer-3 switch, routes traffic between VLANs that are mapped to IP subnetworks; this forwarding is enabled by default.
In Figure 4, VLAN 200 and VLAN 300 are assigned the IP addresses 2.1.1.1/24 and 3.1.1.1/24, respectively. Client A in VLAN 200 is able to access server B in VLAN 300 and vice versa, provided that there is no firewall rule configured on the controller to prevent the flow of traffic between the VLANs.
Figure 4 Default Inter-VLAN Routing

You can optionally disable layer-3 traffic forwarding to or from a specified VLAN. When you disable layer-3 forwarding on a VLAN, the following restrictions apply:
To disable layer-3 forwarding for a VLAN configured on the controller:
(host)(config) #interface vlan <id>
ip address {<ipaddr> <netmask>|dhcp-client|pppoe}
no ip routing
