vlan

Virtual LAN (VLAN)

2.© 1996-2004 NETGEAR® . All rights reserved

What is VLAN?» VLANs logically (software) divide the LAN into separate subgroups -

broadcast domains.

» VLAN groups relate users regardless of the physical LAN segment to which the hosts are attached .

» The logical networks may (but not must) correspond to subnets.

» Allows traffic to flow more efficiently within populations of mutual interest.

» VLANs allow broadcast domains to be defined without using routers.

» Routers are needed for communication between the different VLANs.


VLAN C

VLAN B

VLAN A

Switch with VLANs


VLAN; Multiple Switches

Switch Switch

#1 #2

VLAN-1 VLAN-2 VLAN-2VLAN-1

VLAN Trunk


A,B,C, D

VLAN A

VLAN CVLAN B

VLAN D

A,B,C

C,D

RouterSwitch

Multiple VLANs On One Device - One Armed Router

VLANs;


Benefits of VLANs

» Improves network performance

» Reduces the number of routers needed

» Flexible network segmentation (virtual workgroups)

» Simplified administration

» Enhanced network security

» Reduces network solution cost

» Better use of server resources


VLAN Solution

Marketing

Engineering

Administration


Types of VLANs» Membership by 802.1Q tag

» Membership by port

» Membership by MAC address

» Membership by protocol (IP, IPX…)

» Membership by subnet

» Membership by application or service (telnet, FTP..)


VLAN - Propriety

» VLAN multi switch solutions were propriety and vendor based:

• Cisco: ISL• Bay : Lattisspan• 3Com: VLT• Cabletron: SecureFast

» Propriety VLAN are a disadvantage for networks that don’t wish to be vendor dependant.

» The IEEE 802.1Q standardized VLANs.


Types Of Devices on VLAN

VLAN “aware” devices» Understands VLAN membership (which user belongs to which

VLAN) and format.

• Making forwarding decisions based on VLAN association and not only on destination address

• Adding (and removing) explicit VLAN identification (tagging) to frames (tag aware)

VLAN “unaware” devices» Usually unmanaged devices» Does not Understand VLAN membership & format.


Frames Sent by Aware\Unaware Devices

Types of Devices

»VLAN unaware device

»VLAN aware device

Types of Frames

»Untagged frames (implicit)

»Tagged frames (explicit)

All connected devices

Other VLAN aware devices

VLA

N u

naw

are

devi

ces

VLANs;


Type of Links – Access Link

» Connects VLAN tagged unaware devices to the port of a VLAN tagged aware switch

» The VLAN switch adds tags to received frames, and removes tags when transmitting frames

» All frames on access links are untagged

VLAN AAccess Link

VLAN tagged aware switch

VLAN tagged unaware


Types of Links;

» Attaches 2 VLAN aware switches (or other VLAN tagged aware devices)

» All frames on VLAN Trunk links must have a special header attached (tagged frames)

» Allows for multiple VLAN frames to use one link

VLAN tagged aware switch VLAN

tagged aware switch

VLAN tagged aware Workstation

VLAN Trunk Link

VLAN Trunk

Link

“VLAN Trunk Link”

IEEE 802.1Q VLAN


The VLAN Tag – Ethernet Frame

2 Bytes 2 BytesTag Protocol IdentifierTPID

Tag Control InformationTCI

Destination Address

Source Address

Length/Type DATA FSCTPID TCI


The VLAN Tag

2 Bytes 2 Bytes

Tag Protocol IdentifierTPID

Tag Control InformationTCI

VLAN protocol Id = 0x8100VLAN protocol Id = 0x8100

Tag Priority3 Bits

CFI1Bit

VID12 Bits

• Tag priority according to IEEE802.1p• CFI – Canonical Format Indicator• VID – VLAN ID


Tag Control Information» Tag Priority –

• “Piggyback” on VLAN TAG• 7 is the highest priority (0 the default)

» CFI –

• Value 1

VLAN tag extended to include embedded Source Routing information which will also contain the canonical format of any embedded MAC address

• Value 0

VLAN tag not extended + any embedded MAC addresses are in canonical (Little Endian) format

» VLAN ID• Between 1 to 4094 (0x000 and 0xFFF reserved)


Port VLAN ID (PVID)

» Each port in a VLAN has a default VLAN ID called Port VLAN ID (PVID).

» When an untagged packet comes to the switch, it will be tagged with the PVID value as the VLAN ID for further processing.


Switch Filtering Operation Process

» Ingress- Takes received frames from a physical port and performs 3

operations: - Acceptable frame filter- ingress rule- ingress filter

» Progress - Forwarding decision according to database

» Egress- How to transmit frames through the output ports


Switch Filtering Operation


VLAN; “Tagged / Untagged Ports”

» A port added to a VLAN on a (VLAN aware) device can be in one of 2 states – tagged or untagged (for each specific VLAN)

» A certain VLAN can have both tagged and untagged ports


Tagging;

Advantages

» The standard way of VLAN implementation in the networking devices

» VLAN association rules need to be applied only once

» Only edge switches need to know the VLAN association rules

» Core switches can get higher performance by operating on an explicit VLAN identifier

» VLAN aware end stations can reduce load from switches

Disadvantages

» Tags can be interpreted only by VLAN aware devices

» Edge switches must strip tags before forwarding them to VLAN unaware devices

» Insertion or removal of a tag requires recalculation of CRC

» May increase length of frame beyond maximum (“old” frame size – 1518 bytes, “new” frame size – 1522 bytes)

“Advantage/Disadvantage”


Ingress Port Behavior

»At the ingress – tagged and untagged VLAN configuration have the same affect:

• Tagged frames which have a VID matching that of one of the VLANs defined on the port – are forwarded

• Tagged frames which have a VID that does not match any of the VLANs defined on the port – are discarded

• Untagged frames are forwarded on the VLAN which is the PVID – and PVID tag is added to the frames


Process Behavior

» Filtering Database- Either static or dynamic entries - Either unicast or multicast entries

» Forwarding decisions- Known MAC addresses

Lookup in MAC address table. Lookup key is based on both: VLAN tag and destination MAC address leading to the required egress port

- Unknown Unicast – initial lookup in MAC forwarding table, when entry is not found – flooding is performed based on the VLAN Port Table

- Broadcast frame – lookup is done directly at the VLAN Port Table (flooding to all ports of the VLAN)


Egress Port Behavior

» At the egress – tagged and untagged VLAN port configuration have different affects:

• Tagged VLANs forward the egress traffic (“out of the device”) as tagged frames

• If ingress frame is untagged, tagged with PVID of the port

• Un-tagged VLANs forward the egress traffic (“out of the device”) as un-tagged frames

• If ingress frame is tagged, strip tag before forwarding

VLAN Commands


VLAN Database

» This command gives you access to the VLAN Config mode, which allows you to configure VLAN characteristics.

» Format vlan database» Mode Privileged EXEC


Create a VLAN

» This command creates a new VLAN and assigns it an ID. The ID is a valid VLAN identification number (ID 1 is reserved for the default VLAN). VLAN range is 2-4094. The no option remove the VLAN.

• Format [no] vlan <2-4094>• Mode VLAN Config


Name/Rename a VLAN

» This command changes the name of a VLAN. The name is an alphanumeric string of up to 32 characters, and the ID is a valid VLAN identification number. ID range is 1-4094.

• Format [no] vlan name <2-4094> <name>• Mode VLAN Config• Default VLAN ID 1 - default; other VLANS - blank string


VLAN Accept Frame» This command sets the frame acceptance mode per interface.

» For specific interface(s)• Format [no] vlan acceptframe {vlanonly | all}• Mode Interface Config• Default all

» For all interfaces• Format vlan port acceptframe all {vlanonly | all}• Mode Global Config• Default all

» VLAN Only: untagged frames or priority frames received on this interface are discarded.

» All: untagged frames or priority frames received on this interface are accepted and assigned the value of the interface VLAN ID for this port.

» With either option, VLAN tagged frames are forwarded in accordance with the IEEE 802.1Q VLAN Specification.


VLAN Ingress Filter» This command enables ingress filtering. If ingress filtering is

disabled, frames received with VLAN IDs that do not match the VLAN membership of the receiving interface are admitted and forwarded to ports that are members of that VLAN.

» For specific interface(s):• Format [no] vlan ingressfilter• Mode Interface Config• Default disabled

» For all interfaces:• Format [no] vlan port ingressfilter all• Mode Global Config• Default disabled


Convert a Dynamic VLAN to Static

» This command changes a dynamically created VLAN (one that is created by GVRP registration) to a static VLAN (one that is permanently configured and defined). The ID is a valid VLAN identification number. VLAN range is 2-4094.

• Format vlan makestatic <2-4094>• Mode VLAN Config


Assign VLAN Membership

» For specific interface(s)• Format vlan participation {exclude | include | auto} <1-4094>• Mode Interface Config

» For all interfaces• Format vlan participation all {exclude | include | auto} <1-4094>• Mode Global Config

• include The interface is always a member of this VLAN. This is equivalent to registration fixed.

• exclude The interface is never a member of this VLAN. This is equivalent to registration forbidden.

• auto The interface is dynamically registered in this VLAN by GVRP. The interface will not participate in this VLAN unless a join request is received on this interface. This is equivalent to registration normal.


Assign PVID» For all port:

• Format [no] vlan port pvid all <1-4094>• Mode Global Config• Default 1

» For specific port(s):• Format [no] vlan pvid <1-4094>• Mode Interface Config• Default 1


Tagging a port for VLAN

» This command configures the tagging behavior for interface(s) in a VLAN to enabled. If tagging is enabled, traffic is transmitted as tagged frames. If tagging is disabled, traffic is transmitted as untagged frames. The ID is a valid VLAN identification number.

» For specific interface(s):• Format [no] vlan tagging <1-4094>• Mode Interface Config• Default 1

» For all interfaces(s):• Format [no] vlan port pvid all <1-4094>• Mode Global Config• Default 1

Web Interface (Firmware version 6.x or Prior)


VLAN configuration


VLAN Status


VLAN Port Configuration

Web Interface(Firmware version 7.x)


VLAN Configuration


VLAN Membership


Port VLAN ID Configuration

VLAN Examples


VLAN example #1

VLAN1 VLAN2 VLAN3 VLAN4

Vlan databaseVlan 1Vlan name 1 vlan1Vlan 2Vlan name 2 vlan2Vlan 3Vlan name 3 vlan3Vlan 4Vlan name 4 vlan4

ConfigInterface 0/1Vlan participation include 1Vlan pvid 1exitInterface 0/2Vlan participation include 2Vlan pvid 2Exit

Create the VLAN Assign membership

“Four standalone VLANs”


VLAN Example #2

» Port 1 belongs to all four VLANs. All the port can access port 1 but not each other.

» Create VLAN1, 2, 3, 4 as usual.

» Create common VLAN including all the ports of all four VLANs and the uplink port.

» PVID of the uplink port will be the VLAN ID of the common VLAN.

“One arm router”


VLAN Trunking

» Propagate VLAN information between switches.

» VTP (VLAN trunk protocol) – proprietary to Cisco.

» Trunk port – connect two switches that share VLAN information.• Includes in all the VLANs that need to be trunked.• Trunk port must be tagged in all VLAN.


VLAN Example #3

» Include trunk port in all the VLANs.

» Trunk port is tagged in all the VLANs.

» PVID of of trunk port doesn’t matter.

“VLAN trunking”


Combining example 1,2,3



Trunk port

Trunk port

» Create common VLAN in both switch#1 and switch#2.» Includes all the ports as member of common VLAN.» PVID of uplink port on switch#1 is VLAN ID of common VLAN.» PVIDs of the other ports are their own individual VLAN ID.» Include trunk ports in every VLAN.» Trunk ports need to be tagged in every VLAN.» PVID of the trunk port should be VLAN ID of common VLAN.

Uplink to internet


Lab1;

» Create VLAN2 – port 2,3,4,5.


» Make sure computers on VLAN2 can ping each other.

» Make sure computers on VLAN2 cannot ping computer on VLAN3.

“Standalone VLAN”


Lab2;

» Create VLAN 2 – port 2.3,4,5.


» Configure port 10 such that computer connected to port 10 can ping computer in VLAN2 and VLAN3.

» Make sure computers in VLAN2 still cannot ping computers in VLAN2

“One Arm Router”


Lab3; “VLAN trunking”» Create VLAN2 on switch 1 – port 2,3,4,5.

» Create VLAN3 on switch 1 – port 6,7,8,9.

» Configure port 11 on switch 1 to be a VLAN trunk port.




» Connect port 11 on switch 1 to port 11 on switch 2.

» Make sure computer connected to VLAN2 on switch 1 can ping computer connected to VLAN2 on switch 2.


» Make sure computer connected to VLAN2 on switch 1 cannot ping computer connected to VLAN3 on switch 2.


Lab4; “Putting them together”» Create VLAN2 on switch 1 – port 2,3,4,5.


» Configure port 10 on switch 1 to be a common port that can access both VLAN 2 and 3.





» Connect port 11 on switch 1 to port 11 on switch 2.



» Make sure computer connected to port 10 on switch 1 can ping computer connected to both VLAN2 and VLAN3 on switch 2.

» Make sure computer connected to VLAN2 on switch 1 cannot ping computer connected to VLAN3 on switch 2.

MAC address based VLAN(Supported only on GSM7300S)


MAC Address Based VLAN

» MAC address based VLAN allow VLAN membership to be defined using MAC address.

» Allow VLAN members not to be restricted by port.

» Member of MAC address based VLAN can also defined using port.

» Supported only on GSM7300S.


Procedure;

» Create VLAN• Vlan database• Vlan <vlan ID>

» Add member to the VLAN by MAC address• Vlan association mac <mac address> <vlan ID>

» Add member to the VLAN by port (optional)• Vlan participation include <vlan ID>

“How To Create MAC Address Based VLAN”


MAC Address Based VLAN GUI


Lab 5; “MAC address based VLAN”

» Connect 2 computers to the switch.

» Create a MAC based VLAN with one of the computer’s MAC addresses.

» Test and confirm the two computers cannot ping each other.

» Added MAC address of the other computer to the MAC based VLAN.

» Test and confirm the two computers can now ping each other.

» Add a port to the MAC based VLAN.

» Remove MAC address of computer#2 from the MAC based VLAN.

» Test and confirm the two computers cannot ping each other.

» Connect computer#2 to the port belong to the MAC based VLAN.

» Test and confirm the two computer can now ping each other.

Protocol Based VLAN


Protocol Based VLAN» Protocol VLAN allow member of a VLAN to be defined using protocol (IP,

IPX, ARP) in addition to port.

» After create a protocol group, a group ID will be assigned starting with 1.

» A protocol (IP/IPX/ARP) can be assigned to the created protocol group.

» A VLAN ID must be associated to the group ID.

» Interface will be added as member of port.

» Only packets matching the defined protocol will be forwarded within the protocol group.


Create Protocol VLAN Group

» This command adds protocol-based VLAN group to the system. The <groupName> is a character string of 1 to 16 characters. When it is created, the protocol group will be assigned a unique number that will be used to identify the group in subsequent commands.

• Format vlan protocol group <groupname>

• Mode Global Config

» To remove a protocol group:• Format vlan protocol group remove <groupid>

• Mode Global Config


Add a Protocol To The Protocol Group

» This command adds the <protocol> to the protocol-based VLAN identified by <groupid>.

» A group may have more than one protocol associated with it. Each interface and protocol combination can only be associated with one group.

» If adding a protocol to a group causes any conflicts with interfaces currently associated with the group, this command will fail and the protocol will not be added to the group.

» The possible values for protocol are ip, arp, and ipx.

• Format [no] vlan protocol group add protocol <groupid> <protocol>

• Mode Global Config• Default none


Attach a VLAN;

» This command attaches a <vlanid> to the protocol-based VLAN identified by <groupid>.

» A group may only be associated with one VLAN at a time, however the VLAN association can be changed.

» The referenced VLAN should be created prior to the creation of the protocol-based VLAN except when GVRP is expected to create the VLAN.

• Format [no] protocol group <groupid> <vlanid>

• Mode VLAN Config• Default none

“To The Protocol VLAN Group”


Add Interface(s);

» This command adds the physical interface(s) to the protocol-based VLAN identified by <groupid>.

» You can associate multiple interfaces with a group, but you can only associate each interface and protocol combination with one group.

» If adding an interface to a group causes any conflicts with protocols currently associated with the group, this command fails and the interface(s) are not added to the group.

» Create the referenced VLAN before you create the protocol-based VLAN except when you configure GVRP to create the VLAN.

» For specific interface(s):• Format [no] protocol vlan group <groupid>• Mode Interface Config

» For all interfaces:• Format [no] protocol vlan group all <groupid>• Mode Global Config

“To The Protocl VLAN Group”


Procedure;

» Create VLAN• vlan database• vlan <vlan ID>

» Create protocol VLAN group• vlan protocol group <group name>

» Assign protocol to the protocol VLAN group• vlan protocol group add protocol <group ID> [IP | IPX | ARP]

» Add an interface as a member of the protocol VLAN group• Interface mode: protocol vlan group <group ID>

» Map the protocol VLAN group to a VLAN• VLAN database mode: protocol group <group ID> <VLAN ID>

“Create a Protcol Based VLAN”


Protocol Based VLAN Configuration

(Firmware version 6.x or Prior)


Protocol Based VLAN Group Configuration

(Firmware version 7.x)


Protocol Based VLAN Group Membership

“(Firmware version 7.x)”

GVRP


GARP and GVRP

» GARP is a protocol that allows client stations to register with the switch for membership in VLANS (by using GVMP) or multicast groups (by using GMRP).

» GVRP dynamically create VLAN with neighbor switches enabled for GVRP.

» GVRP automatically tag interface connected to neighbor switches enabled for GVRP.


Enable GVRP

» This command enables GVRP.

» If GVRP is disabled, the system does not forward GVRP messages.

• Format [no] set gvrp adminmode

• Mode Privileged EXEC• Default disabled


Enable GVRP;

» This command enables GVRP on interface(s)

• Format [no] set gvrp interfacemode

• Modes Interface Config/Global Config• Default disabled

“On interface(s)”


Procedure;

» Enable GVRP on the switch• set gvrp adminmode

» Enable GVRP on the interface(s)• Interface mode: set gvrp interface mode

» When VLAN is created on one switch, dynamically, same VLAN will be created on the other switches running GVRP and the port connecting the switches together will be added to the VLAN and tagged dynamically.

» A VLAN created by GVRP (dynamic VLAN) can be converted to static VLAN.

• vlan makestatic <VLAN ID>

“Configuring GVRP”


GARP Switch Configuration

“(Firmware version 6.x and Prior)”


GARP Port Configuration;

“(Firmware version 6.x and Prior)”


GARP Switch Configuration“(Firmware version 7.x)”


GARP Switch Configuration

(Firmware version 7.x)


LAB 6;» Create VLAN 2 on switch#1.

» Assign interface 1-5 as member.

» Connect port 5 of switch#1 to port 5 of switch#2.

» Enable GVRP on switch#1.

» Enable GVRP on port 5 of switch#1.

» Enable GVRP on switch#2.

» Enable GVRP on port 5 of switch#2.

» Run “show vlan” on switch#2.

» Observe VLAN2 get automatically created on switch#2.

» Observe port 5 of switch#2 get automatically added to VLAN2 and tagged.

“GVRP”

Double VLAN


Double VLAN

» Only supported on GSM7300S.

» Double VLAN tagging is a way to pass VLAN traffic from one customer domain to another through a Metro Core in a simple and cost effective manner.

» The additional tag on the traffic helps differentiate between customers in the MAN while preserving the VLAN identification of the individual customers when they enter their own 802.1Q domain.


Example;


“For Packet Types Ingressing An Uplink (SP) Port”

Ingress Packet Uplink (Service

Provider). Action taken on ingress.

Packet seen on egress at another Uplink port on

the switch.

Packet seen on egress at another Access port on

the switch.

Untagged Add a SP Tag Single Tagged Untagged

802.1Q Tagged Add a SP TagSP+802.1Q

Tagged802.1Q Tagged

SP Tagged Do Nothing SP Tagged Untagged

SP+802.1Q Tagged

Do NothingSP+802.1Q

Tagged802.1Q Tagged

Ingress Logic


Ingress Logic;

Ingress Packet

Access (Customer). Action taken on ingress.

Packet seen on egress at

another Uplink port on the

switch.

Packet seen on egress at

another Access port on the

switch.

Untagged Add a SP Tag SP Tagged Untagged

802.1Q Tagged Add a SP TagSP+802.1Q

Tagged802.1Q Tagged

“For Packet Types Ingressing An Access (Customer) Port”


Enable DVLAN On Interface(s)

» This command is used to enable Double VLAN Tunneling on the specified interface.

» When you use the mode dvlan-tunnel command on an interface, it becomes a service provider port. Ports that do not have double VLAN tunneling enabled are customer ports.

• Format [no] mode dvlan-tunnel

• Mode Interface Config• Default disabled

• Format [no] mode dot1q-tunnel

• Mode Interface Config• Default disabled


Configure Customer ID;

» This command configures the customer identification for the Double VLAN tunnel on the specified interface. The customer ID may have the value 0 to 4095, and the default is 0.

• Format [no] dvlan-tunnel customer-id <0-4095>

• Mode Interface Config• Default 0

“For The DVLAN Tunnel”


Configure EtherType of the DVLAN tunnel

» This command configures the ether-type for the specified interface.

» The ether-type may have the values of 802.1Q, vMAN, or custom. » If the ether-type has a value of custom, the optional value of the

custom ether type must be set to a value from 0 to 65535.

» Format [no] dvlan-tunnel etherType <802.1Q | vman | custom> [0-65535]

» Mode Interface Config» Default vman

Self Evaluation Questions


Self Evaluation Questions» 1. If a port is untagged for VLAN3, port PVID is 3, when an untagged

packet ingress the port, what should be the VLAN ID on the egress packet?

» 2. If a port is tagged for VLAN2, port PVID is 3, when a tagged packet with VLAN ID 2 ingress the port, what should be the VLAN ID on the egress packet?

» 3. If a port is tagged for VLAN2 and PVID is 2, when an untagged packet ingress the port, what should be the VLAN ID on the egress packet?

» 4. How to make a port a VLAN trunk port on the 7000 series switches?

» 5. How to make a port to be accessible by both VLAN2 and VLAN3 while ports belong to VLAN 2 still cannot access VLAN3, or vice versa?



» 6. What is the purpose of MAC based VLAN?

» 7. What is the purpose of protocol VLAN?

» 8. Which protocols are supported on protocol based VLAN?

» 9. When GVRP is enabled on two switches, if a VLAN is created on switch#1, what settings will be dynamically created on switch#2?



» 1. No, VLAN ID. VLAN ID will be stripped on untagged port.

» 2. VLAN ID is 2. If port is tagged and ingress packet is tagged, packet egress with tagging intact.

» 3. VLAN ID is 2. If port is tagged and ingress packet is untagged, packet egress tagged with port PVID.

» 4. Make that port a tagged member of all the VLANs.

» 5. Create a common VLAN which VLAN members include the common port and all ports of VLAN2 and VLAN3. Make PVID of the common port the VLAN ID of the common VLAN.

Answers;



» 6. Allow member of a VLAN not to be restricted by ports. A computer can be moved from port to port but still maintain membership in the VLAN regardless if the port belong to the VLAN or not.

» 7. Allow packets going through a VLAN to be restricted to the protocol in addition to port.

» 8. IP, IPX and ARP.

» 9. The VLAN will be dynamically created. The port connected to the neighbor switch will be added as a member of the dynamic VLAN and tagged.

Answers;

Question?

Thank you

vlan

Documents

based vlan

mac based

vlan unaware

vlan port

priority frames

command enables

ping computer

vlan trunk