CX11x, CX31x, CX710 (Earlier Than V6.03), and CX91x Series Switch Modules V100R001C10 Configuration Guide

This document describes the configuration of the services supported by the CX11x, CX31x, and CX91x series switch modules. It covers both function configuration and configuration examples.

Principles

This section describes principles of VLAN.

Basic Concepts of VLAN

VLAN frame format

A conventional Ethernet frame is encapsulated with the Length/Type field for an upper-layer protocol following the Destination address and Source address fields, as shown in Figure 5-38.

Figure 5-38 Conventional Ethernet frame format

IEEE 802.1Q is an Ethernet networking standard for a specified Ethernet frame format. It adds a 4-byte field between the Source address and the Length/Type fields of the original frame, as shown in Figure 5-39.

Figure 5-39 802.1Q frame format

Table 5-13 describes the fields contained in an 802.1Q tag.

Table 5-13 Fields contained in an 802.1Q tag

TPID (2 bytes): Tag Protocol Identifier, indicating the frame type. The value 0x8100 identifies an 802.1Q-tagged frame. An 802.1Q-incapable device that receives such a frame discards it.

PRI (3 bits): Priority of the frame. The value ranges from 0 to 7; the greater the value, the higher the priority. These values let the switch distinguish classes of traffic so that high-priority frames are transmitted first when the link is congested.

CFI (1 bit): Canonical Format Indicator, indicating whether the MAC address is in canonical format. The value 0 means canonical. The bit exists for compatibility between Ethernet and Token Ring networks and is always 0 on Ethernet switches.

VID (12 bits): VLAN ID, identifying the VLAN the frame belongs to. The field can hold values from 0 to 4095, but 0 and 4095 are reserved, so usable VLAN IDs are 1 to 4094. On this device, VLANs 4064 to 4094 are reserved VLANs by default; run the vlan reserved command to change the reserved VLAN range.

Inside an 802.1Q-capable switch, every frame is associated with a VLAN ID. On the wire, Ethernet frames are of two types:
  • Tagged frames: frames with 4-byte 802.1Q tags.
  • Untagged frames: frames without 4-byte 802.1Q tags.
Link Types

As shown in Figure 5-40, there are the following types of VLAN links:

  • Access link: connects a host to a switch. Generally, a host does not know which VLAN it belongs to, and host hardware cannot distinguish frames with VLAN tags. Therefore, hosts send and receive only untagged frames.

  • Trunk link: connects a switch to another switch or to a router. Data of different VLANs are transmitted along a trunk link. The two ends of a trunk link must be able to distinguish frames with VLAN tags. Therefore, only tagged frames are transmitted along trunk links.

Figure 5-40 Link types

NOTE:
  • A host does not need to know the VLAN to which it belongs. It sends only untagged frames.
  • After receiving an untagged frame from a host, a switching device determines the VLAN to which the frame belongs. The determination is based on the configured VLAN assignment method such as port information, and then the switching device processes the frame accordingly.
  • If the frame needs to be forwarded to another switching device, the frame must be transparently transmitted along a trunk link. Frames transmitted along trunk links must carry VLAN tags to allow other switching devices to properly forward the frame based on the VLAN information.
  • Before sending the frame to the destination host, the switching device connected to the destination host removes the VLAN tag from the frame to ensure that the host receives an untagged frame.

Generally, only tagged frames are transmitted on trunk links; only untagged frames are transmitted on access links. In this manner, switching devices on the network can properly process VLAN information and hosts are not concerned about VLAN information.

Port Types

Based on how they handle 802.1Q frames, ports are classified into four types:

  • Access port

    As shown in Figure 5-40, the access port on a switch connects to the port on a host. The access port can only connect to an access link. Only the VLAN whose ID is the same as the default VLAN ID is allowed on the access port. Ethernet frames sent from the access port are untagged frames.

  • Trunk port

    As shown in Figure 5-40, a trunk port on a switch connects to another switch. It can only connect to a trunk link. Multiple tagged VLAN frames are allowed on the trunk port.

  • Hybrid port

    As shown in Figure 5-41, a hybrid port on a switch can connect either to a host or to another switch. A hybrid port can connect either to an access link or to a trunk link. The hybrid port allows multiple VLAN frames and removes tags from some VLAN frames on the outbound port.

    Figure 5-41 Port types

  • QinQ port

    QinQ ports run the IEEE 802.1ad (QinQ) protocol. A QinQ port adds a second, outer tag to a single-tagged frame. With two 12-bit VIDs, up to 4094 x 4094 VLANs can be distinguished, which meets the requirement for a large number of VLANs.

    Figure 5-42 shows the format of a QinQ frame. The outer tag, usually called the public tag, carries the public VLAN ID. The inner tag, usually called the private tag, carries the private VLAN ID.

Figure 5-42 Format of a QinQ frame

For details on the QinQ protocol, see QinQ.
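The following Python script, added here as a worked example and not part of the Huawei guide, parses the tag stack described in Table 5-13 and Figure 5-42: it walks past the two MAC addresses, reads each TPID/TCI pair until it reaches a real Length/Type value, rejects reserved VIDs and truncated frames, and shows how a QinQ port pushes an outer tag and how an access or trunk egress pops one. The frames and helper names are constructed for illustration; 0x88A8 is the IEEE 802.1ad service-tag TPID, which the page's figures do not name.

```python
"""Parse and build 802.1Q tags, including the stacked (QinQ) case.

Added example, not code from the Huawei guide. TPID constants follow the
IEEE standards; the frames below are constructed for illustration.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

TPID_8021Q = 0x8100    # customer tag (C-TAG): the value Table 5-13 gives
TPID_8021AD = 0x88A8   # service tag (S-TAG), the outer tag of IEEE 802.1ad QinQ
TAG_TPIDS = {TPID_8021Q, TPID_8021AD}
RESERVED_VIDS = {0, 4095}   # reserved per the page; usable VIDs are 1..4094


@dataclass
class VlanTag:
    tpid: int
    pri: int   # 3-bit priority, 0..7
    cfi: int   # 1-bit canonical format indicator
    vid: int   # 12-bit VLAN ID


def build_tag(vid: int, pri: int = 0, tpid: int = TPID_8021Q, cfi: int = 0) -> bytes:
    """Serialize one 4-byte tag: TPID, then TCI = PRI(3) | CFI(1) | VID(12)."""
    if not 1 <= vid <= 4094:
        raise ValueError(f"VID {vid} is reserved or out of range")
    if not 0 <= pri <= 7 or cfi not in (0, 1):
        raise ValueError("PRI must be 0..7 and CFI 0 or 1")
    return struct.pack("!HH", tpid, (pri << 13) | (cfi << 12) | vid)


def parse_tag_stack(frame: bytes) -> Tuple[List[VlanTag], int, bytes]:
    """Walk the tag stack that follows the two MAC addresses.

    Returns (tags outer-to-inner, Length/Type of the payload, payload).
    An untagged frame yields an empty list. Truncated frames and reserved
    VIDs raise ValueError rather than being silently accepted.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    offset = 12  # destination (6) + source (6)
    tags: List[VlanTag] = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame ends inside a Length/Type field")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in TAG_TPIDS:
            return tags, ethertype, frame[offset + 2:]
        if len(frame) < offset + 4:
            raise ValueError("frame ends inside an 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vid = tci & 0x0FFF
        if vid in RESERVED_VIDS:
            raise ValueError(f"reserved VID {vid} in tag at offset {offset}")
        tags.append(VlanTag(ethertype, tci >> 13, (tci >> 12) & 1, vid))
        offset += 4


def tag_stack_error(frame: bytes) -> Optional[str]:
    """None if the frame parses cleanly, otherwise the reason it is rejected."""
    try:
        parse_tag_stack(frame)
        return None
    except ValueError as exc:
        return str(exc)


def push_outer_tag(frame: bytes, s_vid: int, pri: int = 0) -> bytes:
    """What a QinQ port does on ingress: insert a service tag in front of the
    existing customer tag, leaving the customer tag untouched."""
    return frame[:12] + build_tag(s_vid, pri, TPID_8021AD) + frame[12:]


def pop_tag(frame: bytes) -> bytes:
    """What an access or trunk egress does for its PVID: strip the outermost tag."""
    tags, _, _ = parse_tag_stack(frame)
    return frame if not tags else frame[:12] + frame[16:]


# Constructed sample frames (not captured traffic).
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("001122334455")
IPV4 = 0x0800
PAYLOAD = bytes.fromhex("45000014")   # a few bytes standing in for an IP header
UNTAGGED_FRAME = DST + SRC + struct.pack("!H", IPV4) + PAYLOAD
TAGGED_FRAME = DST + SRC + build_tag(vid=100, pri=5) + struct.pack("!H", IPV4) + PAYLOAD
QINQ_FRAME = push_outer_tag(TAGGED_FRAME, s_vid=2000)

if __name__ == "__main__":
    for name, f in (("untagged", UNTAGGED_FRAME), ("802.1Q", TAGGED_FRAME), ("QinQ", QINQ_FRAME)):
        tags, et, _ = parse_tag_stack(f)
        print(name, [(hex(t.tpid), t.pri, t.vid) for t in tags], hex(et))
```

The parser stops at the first EtherType that is not a tag TPID, so a frame with more than two tags is handled the same way; this matters when a device that does not understand 0x88A8 (the page's "802.1Q-incapable device" case) sees the outer tag as an unknown EtherType and drops the frame.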

Default VLAN

Each port can be configured with a default VLAN identified by the port VLAN ID (PVID). The meaning of the default VLAN varies according to the port type.

For details on different PVIDs and methods of processing Ethernet frames, see Frame processing based on the port type.

VLAN Assignment

VLAN assignment is a basic VLAN configuration. Users in the same VLAN can communicate with each other. Table 5-14 shows the VLAN assignment modes and their usage scenarios.

Table 5-14 Differences between VLAN assignment modes

Interface-based VLAN assignment

  Principle: VLANs are assigned based on the interface numbers of the switch. The network administrator configures a port VLAN ID (PVID), that is, a default VLAN ID, for each port, so that each port belongs to one VLAN by default.
    • When an untagged frame arrives on a port configured with a PVID, the frame is tagged with the PVID.
    • When a tagged frame arrives, the switch does not add a VLAN tag even if the port has a PVID.
  Different port types process VLAN frames in different ways (see Table 5-15).
  Advantage: It is simple to define VLAN members.
  Disadvantage: VLANs must be reconfigured when VLAN members move to another port.

MAC address-based VLAN assignment

  Principle: VLANs are assigned based on the MAC addresses of network interface cards (NICs). The administrator configures mappings between MAC addresses and VLAN IDs. When the switch receives an untagged frame, it looks up the frame's source MAC address in the MAC-VLAN table and adds the corresponding tag.
  Advantage: When users move physically, VLANs do not need to be reconfigured, which makes access more flexible and ties VLAN membership to a known station rather than to a port. (A MAC address is easy to forge, so this is a convenience, not a strong access control.)
  Disadvantage: Applicable only to simple networks where NICs seldom change, and all members on the network must be pre-defined.

IP subnet-based VLAN assignment

  Principle: When the switch receives an untagged frame, it adds a VLAN tag based on the frame's source IP address.
  Advantage: Packets from specified network segments or IP addresses are carried in specific VLANs, which simplifies management.
  Disadvantage: Applicable only where users are distributed in an orderly manner and multiple users share the same network segment.

The switch supports all three assignment modes at the same time. By default they are applied in descending priority: MAC address-based, then IP subnet-based, then interface-based.
  • If a frame matches both a MAC address-based rule and an IP subnet-based rule, MAC address-based assignment is used by default. You can run commands to swap the priority of these two modes.
  • Interface-based VLAN assignment has the lowest priority and is the most common mode.
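Added example (not Huawei code): the precedence rule just described, written in Python. The MAC address-based and IP subnet-based rules are tried in the configurable order, interface-based assignment (the PVID) is the fallback, and a tagged frame keeps its VID untouched. The MAC/subnet mappings, the longest-prefix tie-break for overlapping subnets, and the port name are assumptions made for the example.

```python
"""Choose the VLAN for an incoming frame using the three assignment modes
and the priority order the page describes (MAC > IP subnet > interface by
default, with the MAC/subnet order configurable).

Added example, not Huawei code. The mappings below and the longest-prefix
rule for overlapping subnets are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Optional, Tuple


@dataclass
class Port:
    name: str
    pvid: int   # default VLAN, used when no higher-priority rule matches


@dataclass
class VlanClassifier:
    mac_vlan: Dict[str, int] = field(default_factory=dict)      # MAC -> VLAN
    subnet_vlan: Dict[str, int] = field(default_factory=dict)   # CIDR -> VLAN
    mac_before_subnet: bool = True   # page: MAC-based wins by default; changeable by command

    def __post_init__(self) -> None:
        self._macs = {m.lower(): v for m, v in self.mac_vlan.items()}
        # Longest prefix first so the most specific subnet rule wins (assumption).
        self._subnets = sorted(
            ((IPv4Network(n), v) for n, v in self.subnet_vlan.items()),
            key=lambda nv: nv[0].prefixlen, reverse=True)

    def _by_mac(self, src_mac: str, _src_ip: Optional[str]) -> Optional[int]:
        return self._macs.get(src_mac.lower())

    def _by_subnet(self, _src_mac: str, src_ip: Optional[str]) -> Optional[int]:
        if src_ip is None:
            return None
        addr = IPv4Address(src_ip)
        for net, vid in self._subnets:
            if addr in net:
                return vid
        return None

    def classify(self, port: Port, src_mac: str, src_ip: Optional[str] = None,
                 tag_vid: Optional[int] = None) -> Tuple[int, str]:
        """Return (vid, mode). A tagged frame keeps its VID: no assignment
        rule is applied even though the port has a PVID."""
        if tag_vid is not None:
            return tag_vid, "tag"
        order = [("mac", self._by_mac), ("subnet", self._by_subnet)]
        if not self.mac_before_subnet:
            order.reverse()
        for mode, rule in order:
            vid = rule(src_mac, src_ip)
            if vid is not None:
                return vid, mode
        return port.pvid, "interface"


# Constructed configuration, not taken from any real device.
CLASSIFIER = VlanClassifier(
    mac_vlan={"00:11:22:33:44:55": 10},
    subnet_vlan={"192.0.2.0/24": 20, "192.0.2.128/25": 25},
)
PORT = Port("GE1/0/1", pvid=30)

if __name__ == "__main__":
    print(CLASSIFIER.classify(PORT, "00:11:22:33:44:55", "192.0.2.10"))   # MAC rule wins
    print(CLASSIFIER.classify(PORT, "aa:bb:cc:dd:ee:ff", "192.0.2.200"))  # most specific subnet
    print(CLASSIFIER.classify(PORT, "aa:bb:cc:dd:ee:ff", "198.51.100.1")) # falls back to PVID
```

Setting mac_before_subnet=False models the command the page mentions for swapping the priority of the two address-based modes; the interface-based fallback never moves.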

Principle of VLAN Communication

Basic Principle of VLAN Communication

To improve the efficiency in processing frames, frames within a switch all carry VLAN tags for uniform processing. When a data frame reaches a port of the switch, if the frame carries no VLAN tag and the port is configured with a PVID, the frame is marked with the port's PVID. If the frame has a VLAN tag, the switch will not mark a VLAN tag for the frame regardless of whether the port is configured with a PVID.

The switch processes frames differently according to the type of port receiving the frames. The following describes the frame processing according to the port type.

Table 5-15 Frame processing based on the port type

Access port
  Untagged frame received: accepts the frame and adds a tag with the default VLAN ID (PVID).
  Tagged frame received: accepts the frame if its VLAN ID matches the PVID; discards it otherwise.
  Frame transmission: strips the PVID tag and transmits the frame untagged.

Trunk port
  Untagged frame received: adds a tag with the PVID. The frame is accepted if the PVID is permitted on the port and discarded otherwise.
  Tagged frame received: accepts the frame if its VLAN ID is permitted on the port; discards it otherwise.
  Frame transmission: if the frame's VLAN ID equals the PVID and that VLAN is permitted, the switch removes the tag and transmits the frame untagged. If the VLAN ID differs from the PVID but is permitted, the switch transmits the frame with its tag. Frames of VLANs that are not permitted are not transmitted.

Hybrid port
  Untagged frame received: adds a tag with the PVID. The frame is accepted if the PVID is permitted on the port and discarded otherwise.
  Tagged frame received: accepts the frame if its VLAN ID is permitted on the port; discards it otherwise.
  Frame transmission: transmits the frame if its VLAN ID is permitted on the port. For each permitted VLAN, the port can be configured to send frames tagged or untagged.

QinQ port
  QinQ ports run the IEEE 802.1ad (QinQ) protocol. A QinQ port adds an outer tag to a single-tagged frame, so up to 4094 x 4094 VLANs can be distinguished, which meets the requirement for a large number of VLANs.
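The following Python model, an added example rather than code from the guide, implements the rules of Table 5-15 for access, trunk and hybrid ports so that each row can be exercised. A frame is reduced to its VLAN tag (None means untagged); the three ports at the bottom are a constructed configuration.

```python
"""Frame handling by port type, after Table 5-15.

Added example, not code from the Huawei guide. A frame is represented only
by its VLAN tag: None means untagged. The ports at the bottom are a
constructed configuration.
"""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass
class Port:
    kind: str                                        # "access", "trunk" or "hybrid"
    pvid: int                                        # default VLAN of the port
    allowed: Set[int] = field(default_factory=set)   # VLANs permitted on a trunk/hybrid port
    untagged: Set[int] = field(default_factory=set)  # hybrid only: VLANs sent without a tag

    def __post_init__(self) -> None:
        if self.kind not in ("access", "trunk", "hybrid"):
            raise ValueError(f"unknown port type {self.kind!r}")
        if self.kind == "access":
            # An access port carries exactly its default VLAN, always untagged.
            self.allowed = {self.pvid}
            self.untagged = {self.pvid}


def ingress(port: Port, tag_vid: Optional[int]) -> Optional[int]:
    """VLAN the received frame is placed in, or None if the port discards it."""
    if port.kind == "access":
        # Untagged -> PVID. A tagged frame is accepted only if it carries the PVID.
        return port.pvid if tag_vid in (None, port.pvid) else None
    # Trunk and hybrid: an untagged frame is tagged with the PVID, then the
    # permit list decides for every frame.
    vid = port.pvid if tag_vid is None else tag_vid
    return vid if vid in port.allowed else None


def egress(port: Port, vid: int) -> Tuple[bool, Optional[int]]:
    """(transmitted?, tag on the wire). The tag is None when sent untagged."""
    if vid not in port.allowed:
        return False, None
    if port.kind == "access":
        return True, None                                 # PVID tag stripped
    if port.kind == "trunk":
        return True, (None if vid == port.pvid else vid)  # only the PVID leaves untagged
    return True, (None if vid in port.untagged else vid)  # hybrid: configured per VLAN


def forward(in_port: Port, tag_vid: Optional[int], out_port: Port) -> Tuple[bool, Optional[int]]:
    """Receive on in_port, then transmit on out_port of the same switch."""
    vid = ingress(in_port, tag_vid)
    if vid is None:
        return False, None
    return egress(out_port, vid)


# Constructed ports: a host-facing access port in VLAN 10, an uplink trunk
# whose PVID is VLAN 1, and a hybrid port that sends VLAN 10 untagged.
ACCESS10 = Port("access", pvid=10)
TRUNK = Port("trunk", pvid=1, allowed={1, 10, 20})
HYBRID = Port("hybrid", pvid=10, allowed={10, 20}, untagged={10})

if __name__ == "__main__":
    print("host -> trunk:", forward(ACCESS10, None, TRUNK))          # tagged with 10 across the trunk
    print("trunk untagged -> host:", forward(TRUNK, None, ACCESS10)) # lands in VLAN 1, dropped by the access port
    print("trunk VLAN 10 -> hybrid:", forward(TRUNK, 10, HYBRID))    # hybrid strips the tag
```

The trunk rule that matters operationally is the last one in the table: frames of the trunk's PVID cross the link without a tag and are reclassified by the far end's own PVID. If the two ends disagree on the PVID, or the PVID is a VLAN that also carries user traffic, frames silently change VLAN. Keep trunk PVIDs on a VLAN with no users and keep the permit list to the VLANs the link actually needs.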

NOTE:

All interfaces join VLAN 1 by default, so unknown unicast, multicast, or broadcast traffic in VLAN 1 reaches every interface and can cause a broadcast storm. To contain such storms, remove from VLAN 1 the interfaces that do not need to be in it.

Intra-VLAN Communication

VLAN users are often connected to different switches, in which case the VLAN spans multiple switches. The ports between these switches must recognize and forward frames belonging to the VLAN, and a trunk link is the simplest way to achieve this.

The trunk link plays the following two roles:

  • Trunk line

    The trunk link transparently transmits VLAN packets between switches.

  • Backbone line

    The trunk link transmits packets belonging to multiple VLANs.

Figure 5-43 Trunk link communication

As shown in Figure 5-43, the trunk link between DeviceA and DeviceB must both support the intra-communication of VLAN 2 and the intra-communication of VLAN 3. Therefore, the ports at both ends of the trunk link must be configured to belong to both VLANs. That is, Port2 on DeviceA and Port1 on DeviceB must belong to both VLAN 2 and VLAN 3.

User A sends a frame to User B in the following process:

  1. The frame is first sent to Port4 on DeviceA.
  2. A tag is added to the frame on Port4. The VID field of the tag is set to 2, that is, the ID of the VLAN to which Port4 belongs.
  3. DeviceA queries its MAC address table for the MAC forwarding entry with the destination MAC address of User B.
    • If this entry exists, DeviceA sends the frame to the outbound interface Port2.
    • If this entry does not exist, DeviceA sends the frame to all interfaces bound to VLAN 2 except for Port4.
  4. Port2 sends the frame to DeviceB.
  5. After receiving the frame, DeviceB queries its MAC address table for the MAC forwarding entry with the destination MAC address of User B.
    • If this entry exists, DeviceB sends the frame to the outbound interface Port3.
    • If this entry does not exist, DeviceB sends the frame to all interfaces bound to VLAN 2 except for Port1.
  6. Port3 sends the frame to User B.
Inter-VLAN Communication

After VLANs are configured, users in different VLANs cannot communicate directly. Inter-VLAN communication is implemented through VLANIF interfaces.

Layer 3 switching combines routing and switching techniques to implement routing on a switch, improving the overall performance of the network. After sending the first data flow, a Layer 3 switch generates a mapping table on which it records the mapping between the MAC address and the IP address for the data flow. If the switch needs to send the same data flow again, it directly sends the data flow at Layer 2 based on the mapping table. In this manner, network delays caused by route selection are eliminated, and data forwarding efficiency is improved.

In order for new data flows to be correctly forwarded, the routing table must have the correct routing entries. Therefore, VLANIF interfaces are used to configure routing protocols on Layer 3 switches to reach Layer 3 routes.

A VLANIF interface is a Layer 3 logical interface, which can be configured on either a Layer 3 switch or a router.

As shown in Figure 5-44, users connected to the switch are assigned to VLAN 2 and VLAN 3. To implement inter-VLAN communication, configure the following:

  • Create two VLANIF interfaces on the device and configure an IP address on each so that the device can route between the two subnets.

  • On each user, set the default gateway address to the IP address of the VLANIF interface of the VLAN the user belongs to.

Figure 5-44 Inter-VLAN communication through VLANIF interfaces

User A communicates with User C as follows:

  1. User A checks the IP address of User C and determines that User C is in another subnet.
  2. User A sends an ARP request to Device for Device's MAC address.
  3. After receiving the ARP request, Device returns an ARP reply whose source MAC address is the MAC address of VLANIF2.
  4. User A obtains Device's MAC address.
  5. User A sends Device a packet whose destination MAC address is the MAC address of the VLANIF interface and whose destination IP address is User C's IP address.
  6. After receiving the packet, Device looks up the route to User C, finds that it is a direct route, and forwards the packet through VLANIF3.
  7. Acting as the gateway of VLAN 3, Device broadcasts an ARP request for User C's MAC address.
  8. After receiving the request, User C returns an ARP reply.
  9. After receiving the reply, Device sends User A's packet to User C. All packets from User A to User C are sent to Device first, which performs Layer 3 forwarding.

VLAN Aggregation

Background of VLAN Aggregation

VLAN is widely applied to switching networks because of its flexible control of broadcast domains and convenient deployment. On a Layer-3 switch, the interconnection between the broadcast domains is implemented using one VLAN to correspond to one Layer-3 logic interface. However, this can waste IP addresses. Figure 5-45 shows the VLAN division in the device.

Figure 5-45 Diagram of a common VLAN

Table 5-16 Example of assigning server addresses on common VLANs

VLAN | Subnet      | Gateway address | Host addresses | Addresses usable by servers | Servers required
2    | 1.1.1.0/28  | 1.1.1.1         | 14             | 13                          | 10
3    | 1.1.1.16/29 | 1.1.1.17        | 6              | 5                           | 5
4    | 1.1.1.24/30 | 1.1.1.25        | 2              | 1                           | 1

As shown in Table 5-16, VLAN 2 requires 10 server addresses and is assigned the subnet 1.1.1.0/28. In that subnet, 1.1.1.0 is the subnet address and 1.1.1.15 is the directed broadcast address, so neither can be a host address, and 1.1.1.1, the default gateway address of the subnet, cannot be a host address either. The remaining 13 addresses, 1.1.1.2 to 1.1.1.14, can be used by servers. Although VLAN 2 needs only 10 addresses, subnetting forces it to take 13 usable addresses (16 in total).

VLAN 3 requires 5 server addresses and is assigned the subnet 1.1.1.16/29. VLAN 4 requires only 1 address and is assigned the subnet 1.1.1.24/30.

In total, 16 (10 + 5 + 1) server addresses are needed, but 28 (16 + 8 + 4) addresses are consumed even with the tightest possible subnetting. Nearly half of the addresses are wasted. Moreover, if VLAN 2 later hosts only 3 servers instead of 10, its unused addresses cannot be given to other VLANs.

This scheme also complicates later expansion. Suppose two more servers must be added to VLAN 4, VLAN 4 is to keep its current addresses, and the addresses after 1.1.1.24 have already been assigned elsewhere. A new /29 subnet and a new VLAN must then be created for the added servers. The customer of VLAN 4 has only three servers, yet they sit in two subnets and two VLANs, which is inconvenient to manage.

In summary, many addresses are consumed as subnet addresses, directed broadcast addresses, and default gateway addresses, none of which can be used by servers. This constraint reduces addressing flexibility and leaves idle addresses wasted. VLAN aggregation solves this problem.

Principle

VLAN aggregation, also known as super-VLAN, partitions a physical network into multiple VLANs (separate broadcast domains) while letting those VLANs share one IP subnet. Two concepts are involved: the super-VLAN and the sub-VLAN.

  • Super-VLAN: Unlike a common VLAN, a super-VLAN contains no physical ports; only a Layer 3 (VLANIF) interface is created for it. It is a purely logical Layer 3 construct that aggregates a number of sub-VLANs.
  • Sub-VLAN: A sub-VLAN isolates a broadcast domain. It contains only physical ports, and no VLANIF interface can be created for it. Layer 3 communication with the outside is performed through the VLANIF interface of the super-VLAN.

A super-VLAN can contain one or more sub-VLANs, each remaining a separate broadcast domain. A sub-VLAN does not occupy a subnet of its own: within a super-VLAN, server IP addresses all belong to the super-VLAN's subnet, regardless of which sub-VLAN a server is in.

Because the sub-VLANs share one Layer 3 interface, the overhead of subnet addresses, default gateway addresses, and directed broadcast addresses is paid once instead of once per VLAN, and different broadcast domains can draw addresses from the same subnet. Subnet boundaries between VLANs disappear, addressing becomes flexible, and fewer addresses are left idle.

Take the Table 5-16 to explain the implementation theory. Suppose that user demands are unchanged. In VLAN 2, 10 server addresses are demanded; in VLAN 3, 5 server addresses are demanded; in VLAN 4, 1 server address is demanded.

According to the implementation of VLAN aggregation, create VLAN 10 and configure VLAN 10 as a super-VLAN. Then assign a subnet address 1.1.1.0/24 with the mask length being 24 to VLAN 10; 1.1.1.0 is the subnet ID and 1.1.1.1 is the gateway address of the subnet, as shown in Figure 5-46. Address assignments of sub-VLANs (VLAN 2, VLAN 3, and VLAN 4) are shown in Table 5-17.

Figure 5-46 Schematic diagram of VLAN aggregation

Table 5-17 Example of assigning server addresses in VLAN aggregation mode

VLAN | Subnet              | Gateway address  | Addresses assigned | Server address range | Servers required
2    | 1.1.1.0/24 (shared) | 1.1.1.1 (shared) | 10                 | 1.1.1.2-1.1.1.11     | 10
3    | 1.1.1.0/24 (shared) | 1.1.1.1 (shared) | 5                  | 1.1.1.12-1.1.1.16    | 5
4    | 1.1.1.0/24 (shared) | 1.1.1.1 (shared) | 1                  | 1.1.1.17             | 1

In VLAN aggregation, sub-VLANs are no longer bounded by subnet borders. Their addresses are assigned flexibly from the super-VLAN's subnet according to the number of servers each sub-VLAN actually needs.

As Table 5-17 shows, VLAN 2, VLAN 3, and VLAN 4 share one subnet (1.1.1.0/24), one default gateway address (1.1.1.1), and one directed broadcast address (1.1.1.255). Addresses that were unusable in Table 5-16, namely the subnet addresses 1.1.1.16 and 1.1.1.24, the gateway addresses 1.1.1.17 and 1.1.1.25, and the directed broadcast addresses 1.1.1.15, 1.1.1.23, and 1.1.1.27, can now be assigned to servers.

In total, 16 server addresses (10 + 5 + 1) are required by the three VLANs and exactly 16 are assigned (1.1.1.2 to 1.1.1.17). Including the subnet address (1.1.1.0), the default gateway (1.1.1.1), and the directed broadcast address (1.1.1.255), 19 addresses are in use. The remaining 237 addresses of the /24 (256 - 19 = 237) are free and can be given to any server in any sub-VLAN.
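Added example (not from the guide): the accounting of Tables 5-16 and 5-17 done in Python, so it can be rerun for other requirements. The conventional plan sizes the smallest subnet that fits each VLAN's servers plus subnet address, gateway and directed broadcast; the aggregation plan draws consecutive addresses from one super-VLAN subnet. The sizing rule is the one the page applies by hand, not a device algorithm, and the requirements dictionary is the page's own example.

```python
"""Compare per-VLAN subnetting (Table 5-16) with VLAN aggregation
(Table 5-17) for the page's example: 10, 5 and 1 server addresses in
VLANs 2, 3 and 4.

Added example, not Huawei code. The sizing rule reproduces what the page
does by hand; it is not taken from any device.
"""
from ipaddress import IPv4Network
from typing import Dict, Tuple

REQUIREMENTS = {2: 10, 3: 5, 4: 1}   # VLAN -> servers required (Table 5-16)


def smallest_prefix_for(servers: int) -> int:
    """Prefix length of the smallest subnet holding `servers` hosts plus the
    three unusable addresses (subnet address, gateway, directed broadcast)."""
    needed = servers + 3
    host_bits = 2                      # a /30 is the smallest subnet considered
    while 2 ** host_bits < needed:
        host_bits += 1
    return 32 - host_bits


def conventional_plan(requirements: Dict[int, int]) -> Dict[int, Dict[str, int]]:
    """One subnet per VLAN; reports how many addresses each VLAN consumes."""
    plan = {}
    for vlan, servers in requirements.items():
        prefix = smallest_prefix_for(servers)
        size = 2 ** (32 - prefix)
        plan[vlan] = {"prefix": prefix, "addresses": size,
                      "usable_for_servers": size - 3, "required": servers}
    return plan


def conventional_totals(requirements: Dict[int, int]) -> Tuple[int, int]:
    """(addresses consumed, addresses actually needed) in conventional mode."""
    plan = conventional_plan(requirements)
    return (sum(r["addresses"] for r in plan.values()),
            sum(r["required"] for r in plan.values()))


def super_vlan_plan(supernet: str, requirements: Dict[int, int]) -> Dict[str, object]:
    """All sub-VLANs draw consecutive addresses from the super-VLAN's subnet;
    the subnet address, gateway and broadcast are paid for once."""
    net = IPv4Network(supernet)
    hosts = list(net.hosts())          # excludes subnet address and broadcast
    gateway, pool = hosts[0], hosts[1:]
    ranges, cursor = {}, 0
    for vlan, servers in requirements.items():
        if cursor + servers > len(pool):
            raise ValueError("super-VLAN subnet too small for the requirements")
        ranges[vlan] = (str(pool[cursor]), str(pool[cursor + servers - 1]))
        cursor += servers
    used = cursor + 3                  # servers + subnet address + gateway + broadcast
    return {"gateway": str(gateway), "broadcast": str(net.broadcast_address),
            "ranges": ranges, "used": used, "free": net.num_addresses - used}


if __name__ == "__main__":
    print(conventional_plan(REQUIREMENTS))
    print(conventional_totals(REQUIREMENTS))
    print(super_vlan_plan("1.1.1.0/24", REQUIREMENTS))
```

Running it reproduces the page's figures: 28 addresses consumed for 16 needed in conventional mode, and 19 used with 237 free under aggregation. Changing REQUIREMENTS shows how quickly the conventional scheme's rounding to powers of two compounds.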

Communications Between VLANs
  • Introduction

    VLAN aggregation lets different VLANs use IP addresses in the same subnet. This, however, raises the question of how Layer 3 forwarding between sub-VLANs works.

    In common VLAN mode, servers in different VLANs reach each other through Layer 3 forwarding via their respective gateways. In VLAN aggregation mode, all servers in a super-VLAN use addresses in the same network segment and share one gateway address. Because servers in different sub-VLANs are in the same subnet, they try to reach each other directly at Layer 2 rather than through the gateway; but sub-VLANs are isolated from each other at Layer 2, so without further help the servers cannot communicate.

    To solve this problem, use Proxy ARP.

    NOTE:

    For details of Proxy ARP , refer to the chapter ARP in the IP Services.

  • Layer 3 Communications Between Different Sub-VLANs

    As shown in Figure 5-47, the super-VLAN, namely, VLAN 10, contains the sub-VLANs, namely, VLAN 2 and VLAN 3.

    Figure 5-47 Networking diagram of Layer 3 communications between different sub-VLANs based on Proxy ARP

    Suppose that the ARP table of Server A has no entry for Server B and that Proxy ARP between sub-VLANs is enabled on the gateway. Server A in VLAN 2 then communicates with Server B in VLAN 3 as follows:

    1. Server A compares the IP address of Server B (1.1.1.3) with its own, finds that both are in the network segment 1.1.1.0/24, and finds no entry for Server B in its ARP table.
    2. Server A broadcasts an ARP request for the MAC address of Server B.
    3. Server B is not in the broadcast domain of VLAN 2 and does not receive the ARP request.
    4. Proxy ARP between sub-VLANs is enabled on the gateway. On receiving the ARP request from Server A, the gateway finds that 1.1.1.3 is on a directly connected network segment, so it broadcasts its own ARP request for the MAC address of Server B into all the other sub-VLANs.
    5. Server B receives the ARP request and sends an ARP reply.
    6. After receiving the ARP reply from Server B, the gateway answers Server A's request with the gateway's own MAC address.
    7. The gateway's ARP table now has an entry for Server B.
    8. To send packets to Server B, Server A sends them to the gateway, which performs Layer 3 forwarding.

    The process by which Server B sends packets to Server A is the same and is not repeated here.

  • Layer 2 Communications Between a Sub-VLAN and an External Network

    As shown in Figure 5-48, in port-based Layer 2 VLAN communication the frames received or sent are never tagged with the super-VLAN ID.

    Figure 5-48 Networking diagram of Layer 2 communications between a sub-VLAN and an external network

    A frame from Server A that enters Switch1 through Port1 is tagged with VLAN 2. Switch1 does not rewrite the VLAN ID to 10 even though VLAN 2 is a sub-VLAN of VLAN 10. After passing through Port3, a trunk port, the frame still carries VLAN 2.

    That is to say, Switch1 never sends frames tagged with VLAN 10. It also discards frames tagged with VLAN 10 that other devices send to it, because no physical port of Switch1 belongs to VLAN 10.

    A super-VLAN has no physical port. This restriction is enforced regardless of configuration order:
    • If you configure the super-VLAN first and the trunk interface afterwards, frames of the super-VLAN are filtered automatically even if the trunk's VLAN range would otherwise include it.

      As shown in Figure 5-48, no frame of super-VLAN 10 passes through Port3 on Switch1, even though the interface is configured to allow frames of all VLANs.

    • If you configure the trunk interface first and allow all VLANs on it, you cannot then configure any VLAN on Switch1 as a super-VLAN. A VLAN that has a physical port cannot become a super-VLAN, and a trunk interface that permits all VLANs is a physical port of every VLAN.

    As far as Switch1 is concerned, the only VLANs in use are VLAN 2 and VLAN 3, and all frames are forwarded within these VLANs.

  • Layer 3 Communications Between a Sub-VLAN and an External Network

    Figure 5-49 Networking diagram of Layer 3 communications between a sub-VLAN and an external network

    As shown in Figure 5-49, Switch1 is configured with super-VLAN 4, sub-VLAN 2, sub-VLAN 3, and a common VLAN 10. Switch2 is configured with two common VLANs, namely, VLAN 10 and VLAN 20. Suppose that Switch1 is configured with the route to the network segment 1.1.3.0/24, and Switch2 is configured with the route to the network segment 1.1.1.0/24. Then Server A in sub-VLAN 2 that belongs to the super-VLAN 4 needs to access Server C in Switch2.
    1. Server A compares the IP address of Server C (1.1.3.2) with its own and finds that the two are not in the same network segment (1.1.1.0/24).
    2. Server A initiates an ARP broadcast to its gateway to request for the MAC address of the gateway.
    3. After receiving the ARP request, Switch1 identifies the correlation between the sub-VLAN and the super-VLAN, and offers an ARP response to Server A through sub-VLAN 2. The source MAC address in the ARP response packet is the MAC address of VLANIF4 for super-VLAN 4.
    4. Server A learns the MAC address of the gateway.
    5. Server A sends the packet to the gateway, with the destination MAC address as the MAC address of VLANIF4 for super-VLAN 4, and the destination IP address as 1.1.3.2.
    6. After receiving the packet, Switch1 performs the Layer 3 forwarding and sends the packet to Switch2, with the next hop address as 1.1.2.2, the outgoing interface as VLANIF10.
    7. After receiving the packet, Switch2 performs the Layer 3 forwarding and sends the packet to Server C through the directly-connected interface VLANIF20.
    8. The response packet from Server C reaches Switch1 after the Layer 3 forwarding on Switch2.
    9. After receiving the packet, Switch1 performs the Layer 3 forwarding and sends the packet to Server A through the super-VLAN.

VLAN Damping

In a VLAN on which a VLANIF interface has been configured, when all interfaces in the VLAN go Down, the VLAN goes Down. The Down event is reported to the VLANIF interface and changes its status. To avoid network flapping caused by VLANIF status changes, you can enable VLAN damping on the VLANIF interface and set a delay after which the VLANIF interface goes Down.

With VLAN damping enabled, when the last Up interface in the VLAN goes Down, the Down event is reported to the VLANIF interface only after the configured delay. If any interface in the VLAN comes Up during the delay, the VLANIF interface status is unchanged. In other words, VLAN damping postpones the moment at which the VLAN reports a Down event to the VLANIF interface, avoiding unnecessary route flapping.

MUX VLAN

Background

Multiplex VLAN (MUX VLAN) controls access to network resources at VLAN granularity.

For example, in a data center network all servers can reach external networks, but only some servers may be allowed to communicate with one another while others must be kept isolated.

Allowing all servers to reach external networks requires inter-VLAN communication. If the data center has many servers and each set of servers that must not communicate is given its own VLAN, VLAN IDs are consumed quickly and configuration and maintenance become laborious.

MUX VLAN solves this by letting selected servers communicate while isolating the rest within a single VLAN structure.

Basic Concepts

As shown in Table 5-18, a MUX VLAN consists of a principal VLAN and subordinate VLANs; a subordinate VLAN is either a separate VLAN or a group VLAN.

Table 5-18 Classification of a MUX VLAN

Principal VLAN
  Associated port: principal port
  Access authority: a principal port can communicate with all ports in the MUX VLAN.

Subordinate VLAN, separate VLAN
  Associated port: separate port
  Access authority: a separate port can communicate only with a principal port and is isolated from all other ports, including other separate ports.
  A separate VLAN must be bound to a principal VLAN.

Subordinate VLAN, group VLAN
  Associated port: group port
  Access authority: a group port can communicate with a principal port and with the other ports in the same group, but not with ports in other groups or with separate ports.
  A group VLAN must be bound to a principal VLAN.
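The access rules of Table 5-18 expressed as a Python check, added here as an example and not Huawei code. can_communicate() answers whether two ports may exchange traffic, validate() catches subordinate VLANs that are not bound to an existing principal VLAN, and reachability() produces the pairwise matrix that is useful when auditing an isolation design before it is deployed. The port names and VLAN numbers are constructed.

```python
"""Which ports of a MUX VLAN may exchange traffic, per Table 5-18.

Added example, not Huawei code. The port list is constructed and the
names are hypothetical.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, Iterable, List, Tuple

PRINCIPAL, SEPARATE, GROUP = "principal", "separate", "group"


@dataclass(frozen=True)
class MuxPort:
    name: str
    role: str        # PRINCIPAL, SEPARATE or GROUP
    vlan: int        # the principal, separate or group VLAN the port is in
    principal: int   # principal VLAN this port's VLAN is bound to (== vlan for principal ports)


def can_communicate(a: MuxPort, b: MuxPort) -> bool:
    """Table 5-18: the principal port talks to everything in its MUX VLAN; a
    separate port talks only to the principal port; group ports talk to the
    principal port and to their own group."""
    if a.principal != b.principal:
        return False                 # different MUX VLANs never mix
    roles = {a.role, b.role}
    if PRINCIPAL in roles:
        return True
    if SEPARATE in roles:
        return False                 # isolated from every other non-principal port
    return a.vlan == b.vlan          # two group ports: same group only


def validate(ports: Iterable[MuxPort]) -> List[str]:
    """Configuration errors: every subordinate VLAN must be bound to a
    principal VLAN that actually exists, and a principal port must sit in
    its own principal VLAN."""
    ports = list(ports)
    principals = {p.vlan for p in ports if p.role == PRINCIPAL}
    errors = []
    for p in ports:
        if p.role == PRINCIPAL and p.vlan != p.principal:
            errors.append(f"{p.name}: principal port must have vlan == principal")
        if p.role != PRINCIPAL and p.principal not in principals:
            errors.append(f"{p.name}: {p.role} VLAN {p.vlan} is not bound to an existing principal VLAN")
    return errors


def reachability(ports: Iterable[MuxPort]) -> Dict[Tuple[str, str], bool]:
    """Pairwise matrix for auditing that the isolation is what you expect."""
    return {(a.name, b.name): can_communicate(a, b) for a, b in combinations(ports, 2)}


# Constructed topology after Figure 5-50: the uplink on the principal port,
# two groups of cooperating servers, and two servers that must stay isolated.
PORTS = [
    MuxPort("uplink", PRINCIPAL, vlan=100, principal=100),
    MuxPort("web1", GROUP, vlan=101, principal=100),
    MuxPort("web2", GROUP, vlan=101, principal=100),
    MuxPort("db1", GROUP, vlan=102, principal=100),
    MuxPort("kiosk1", SEPARATE, vlan=103, principal=100),
    MuxPort("kiosk2", SEPARATE, vlan=103, principal=100),
]

if __name__ == "__main__":
    print("config errors:", validate(PORTS))
    for pair, ok in reachability(PORTS).items():
        print(pair, "allowed" if ok else "isolated")
```

Note that two separate ports in the same separate VLAN are still isolated from each other: the separate VLAN is a way to reach the principal port, not a communication group.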

Principle of Communication in MUX VLAN

As shown in Figure 5-50, the principal port connects to the external network, separate ports connect to users who must not communicate with one another, and group ports connect to users who need to communicate with one another. In this way, some internal users of the data center can communicate while others are isolated.

Figure 5-50 Application scenario of MUX VLAN at the access layer

On an aggregation device, you can create a VLANIF interface for the principal VLAN. The IP address of the VLANIF interface can be used as the gateway address of a server. As shown in Figure 5-51, MUX VLAN is configured on aggregation switch Switch1 to implement isolation or interworking.
Figure 5-51 Application scenario of MUX VLAN at the aggregation layer

VLAN Management

To use a network management system to manage multiple devices, create a VLANIF interface on each device and configure a management IP address on it. You can then log in to a device through its management IP address. If a user-side interface is also added to that VLAN, users connected to the interface can reach the management address and attempt to log in to the device, which is a security risk.

After a VLAN is configured as the management VLAN, no access interface or dot1q-tunnel interface can be added to it. Access and dot1q-tunnel interfaces are the interfaces that connect to users, so the management VLAN keeps users on those interfaces from reaching the device's management address, improving device security.

Transparent Transmission of Protocol Packets in a VLAN

When the device acts as a gateway, or is a Layer 2 switch with snooping functions such as DHCP, IGMP, or MLD snooping enabled, it needs to parse and process protocol packets such as ARP, DHCP, and IGMP packets. That is, protocol packets received on an interface are sent to the CPU for processing. An interface does this without distinguishing VLANs, so once these functions are deployed, protocol packets from all VLANs are sent to the CPU.

If the device is the gateway for only some VLANs, or snooping is deployed in only some VLANs, the device does not need to process protocol packets from the other VLANs. Yet those packets are still sent to the CPU, which then has to forward them on to other devices. This is called software forwarding. Software forwarding lowers the forwarding speed and efficiency for protocol packets because every such packet is handled by the CPU.

To address this, deploy transparent transmission of protocol packets in the VLANs whose protocol packets need no processing. The device then forwards protocol packets in those VLANs transparently to other devices, which improves forwarding speed and efficiency.

Updated: 2019-08-09

Document ID: EDOC1000041694