CX11x, CX31x, CX710 (Earlier Than V6.03), and CX91x Series Switch Modules V100R001C10 Configuration Guide 12

The documents describe the configuration of various services supported by the CX11x&CX31x&CX91x series switch modules. The description covers configuration examples and function configurations.
Configuring VLAN

This section describes the VLAN configuration.

Assigning a LAN to VLANs

VLANs can isolate the hosts that require no communication with each other, which improves network security, reduces broadcast traffic, and suppresses broadcast storms.

Dividing a LAN into VLANs Based on Ports

Context

Ports on a Layer 2 switching device can be bound to a specific VLAN. After a port is added to a VLAN, packets of the user that is connected to the port can only be forwarded within the VLAN, but not forwarded to another VLAN. This implementation ensures that broadcast packets are forwarded only within a single VLAN.

You must create VLANs, configure the port type, and associate ports with VLANs.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    vlan vlan-id

    A VLAN is created, and the VLAN view is displayed. If the specified VLAN has been created, the VLAN view is directly displayed.

    The VLAN ID ranges from 1 to 4094 (VLANs 4064 to 4094 are default reserved VLANs. You can run the vlan reserved command to configure the reserved VLAN range). If VLANs need to be created in batches, run the vlan batch { vlan-id1 [ to vlan-id2 ] } &<1-10> command to create VLANs in batches, and then run the vlan vlan-id command to enter the view of a specified VLAN.

    NOTE:

    If a device is configured with multiple VLANs, configuring names for these VLANs is recommended:

    Run the name vlan-name command in the VLAN view. After a VLAN name is configured, you can run the vlan vlan-name vlan-name command in the system view to enter the corresponding VLAN view.

  3. Run:

    quit

    The system view is displayed.

  4. Configure the port type and features.

    1. Run the interface interface-type interface-number command to enter the view of an Ethernet port to be added to the VLAN.

    2. Run the port link-type { access | hybrid | trunk | dot1q-tunnel } command to configure the port type.

      By default, the port type is Access.

      • If an Ethernet port is directly connected to a terminal, set the port type to access or hybrid.

      • If an Ethernet port is connected to another switch module, set the port type to trunk or hybrid.

    3. (Optional) Run the port priority priority-value command to configure the port priority.

      By default, the port priority value is 0. The value ranges from 0 to 7. A larger value indicates a higher priority.

  5. Add ports to the VLAN.

    Run either of the following commands as needed:

    • For access or QinQ ports:

      Run the port default vlan vlan-id command to add a port to a specified VLAN.

      To add ports to a VLAN in batches, run the port interface-type { interface-number1 [ to interface-number2 ] } &<1-10> command in the VLAN view.

    • For trunk ports:

      • Run the port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all } command to add the port to specified VLANs.

      • (Optional) Run the port trunk pvid vlan vlan-id command to specify the default VLAN for a trunk interface.

    • For hybrid ports:

      • Run either of the following commands to add a port to VLANs in untagged or tagged mode:

        • Run the port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all } command to add a port to VLANs in untagged mode.

          In untagged mode, a port removes tags from frames and then forwards the frames. This is applicable to scenarios in which Ethernet ports are connected to terminals.

        • Run the port hybrid tagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all } command to add a port to VLANs in tagged mode.

          In tagged mode, a port forwards frames without removing their tags. This is applicable to scenarios in which Ethernet ports are connected to switch modules.

      • (Optional) Run the port hybrid pvid vlan vlan-id command to specify the default VLAN of a hybrid interface.

      By default, all ports are added to VLAN 1.

  6. Run:

    commit

    The configuration is committed.

Dividing a LAN into VLANs Based on MAC Addresses

Context

MAC address-based VLAN division is used when users' physical locations do not need to be considered. This improves security and flexibility for terminal users.

VLANs configured based on MAC addresses process only untagged frames, and treat tagged frames in the same manner as VLANs configured based on ports.

After receiving an untagged frame, a port searches for a MAC-VLAN mapping based on the source MAC address in the frame.
  • If a mapping is found, the port forwards the frame based on the VLAN ID and priority value in the mapping.

  • If no matching mapping is found, the port matches the frame with other matching rules.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    vlan vlan-id

    A VLAN is created, and the VLAN view is displayed. If the specified VLAN has been created, the VLAN view is directly displayed.

    The VLAN ID ranges from 1 to 4094 (VLANs 4064 to 4094 are default reserved VLANs. You can run the vlan reserved command to configure the reserved VLAN range). If VLANs need to be created in batches, run the vlan batch { vlan-id1 [ to vlan-id2 ] } &<1-10> command to create VLANs in batches, and then run the vlan vlan-id command to enter the view of a specified VLAN.

    NOTE:

    If a device is configured with multiple VLANs, configuring names for these VLANs is recommended:

    Run the name vlan-name command in the VLAN view. After a VLAN name is configured, you can run the vlan vlan-name vlan-name command in the system view to enter the corresponding VLAN view.

  3. Run:

    mac-vlan mac-address mac-address [ priority priority ]

    A MAC address is mapped to the VLAN.

    • The mac-address value is in H-H-H format. H is a hexadecimal number that contains one to four digits, such as 00e0 and fc01. If an H contains fewer than four digits, leading 0s are padded. For example, if you specify an H as e0, it is displayed as 00e0. A MAC address cannot be set to all 0s, all Fs, or a multicast address.

    • priority specifies the 802.1p priority relevant to the MAC addresses. The value ranges from 0 to 7. A larger value indicates a higher priority. The default value is 0. After the 802.1p priority is specified, frames with high priorities are first forwarded when traffic is congested.

  4. Run:

    quit

    The system view is displayed.

  5. Configure attributes for Ethernet interfaces.

    1. Run the interface interface-type interface-number command to enter the view of the interface.
    2. Run the port link-type hybrid command to set the link type of the interface to hybrid.

      The interface where MAC address-based VLAN assignment is to be enabled is a hybrid interface.

      By default, the link type is access.

    3. Run the port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all } command to configure the hybrid interface to allow frames with a specified VLAN ID to pass through.

  6. Run:

    mac-vlan enable

    MAC address-based VLAN division is enabled.

    By default, MAC address-based VLAN division is disabled.

    NOTE:

    MAC address-based VLAN assignment cannot be used with port security or MAC address limiting on the same interface.

    When MAC address-based VLAN assignment is used, the priority of packets with the VLAN ID of 0 cannot be modified.

  7. Run:

    commit

    The configuration is committed.

Dividing a LAN into VLANs Based on IP Subnets

Context

IP subnet-based VLAN division allows users to easily join a VLAN, transfer from one VLAN to another, and exit from a VLAN. IP subnet-based VLAN division is applicable to networks that have traveling users and require simple management.

VLANs configured based on IP subnets process only untagged frames. After receiving untagged frames, a device determines the VLANs to which the frames belong based on their source IP addresses and network segment addresses before sending them to corresponding VLANs.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    vlan vlan-id

    A VLAN is created, and the VLAN view is displayed. If the specified VLAN has been created, the VLAN view is directly displayed.

    The VLAN ID ranges from 1 to 4094 (VLANs 4064 to 4094 are default reserved VLANs. You can run the vlan reserved command to configure the reserved VLAN range). If VLANs need to be created in batches, run the vlan batch { vlan-id1 [ to vlan-id2 ] } &<1-10> command to create VLANs in batches, and then run the vlan vlan-id command to enter the view of a specified VLAN.

    NOTE:

    If a device is configured with multiple VLANs, configuring names for these VLANs is recommended:

    Run the name vlan-name command in the VLAN view. After a VLAN name is configured, you can run the vlan vlan-name vlan-name command in the system view to enter the corresponding VLAN view.

  3. Run:

    ip-subnet-vlan [ ip-subnet-index ] ip ip-address { mask | mask-length } [ priority priority ]

    An IP subnet is associated with the VLAN.

    • The optional parameter ip-subnet-index specifies the IP subnet index. The subnet index can be specified by a user or automatically generated by the system.

    • The parameter ip-address specifies the source IP address or network address based on which a VLAN is configured. The value is in dotted decimal notation.

    • The optional parameter priority specifies the 802.1p priority value related to the VLAN configured based on the IP address or network address. The value ranges from 0 to 7. The greater the value, the higher the priority. The default value is 0. After the 802.1p priority value is specified, frames with high priorities are first forwarded when traffic is congested.

    NOTE:

    The IP subnet or the IP address associated with a VLAN cannot be a multicast network segment or multicast address.

    The device supports 256 subnets.

  4. Run:

    quit

    The system view is displayed.

  5. Configure attributes for Ethernet interfaces.

    1. Run the interface interface-type interface-number command to enter the view of the Ethernet interface configured with IP subnet-based VLAN assignment.
    2. Run the port link-type hybrid command to set the link type of the interface to hybrid.

      IP subnet-based VLAN assignment must be configured on the hybrid interface.

      By default, the link type is access.

    3. Run the port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all } command to add the hybrid interface to the IP subnet-based VLAN.

  6. (Optional) Run:

    vlan precedence ip-subnet-vlan

    IP subnet-based VLAN division is configured with a higher priority.

    By default, MAC address-based VLAN assignment takes precedence.

  7. Run:

    ip-subnet-vlan enable

    IP subnet-based VLAN division is enabled.

    By default, IP subnet-based VLAN division is disabled.

  8. Run:

    commit

    The configuration is committed.
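
The untagged-frame classification described in the MAC address-based and IP subnet-based procedures above, modelled in Python as an added example (not code from this guide or from the device). The class and function names are hypothetical; falling back to the port's default VLAN when no mapping matches, and taking the first configured subnet that matches, are assumptions standing in for the "other matching rules".

```python
import ipaddress

HEX_DIGITS = set("0123456789abcdef")


def normalize_mac(text):
    """Validate a MAC written as H-H-H and return it zero-padded (e0 -> 00e0)."""
    groups = text.strip().lower().split("-")
    if len(groups) != 3 or not all(
        1 <= len(g) <= 4 and set(g) <= HEX_DIGITS for g in groups
    ):
        raise ValueError("expected H-H-H with one to four hex digits per H")
    value = int("".join(g.zfill(4) for g in groups), 16)
    if value in (0, 0xFFFFFFFFFFFF):
        raise ValueError("all-0s and all-Fs addresses are not allowed")
    if (value >> 40) & 1:  # I/G bit of the first octet marks a multicast address
        raise ValueError("multicast addresses are not allowed")
    return "-".join(f"{(value >> shift) & 0xFFFF:04x}" for shift in (32, 16, 0))


class VlanClassifier:
    """Model of how an untagged frame is mapped to a VLAN on a hybrid port."""

    def __init__(self, precedence="mac-vlan"):
        # "ip-subnet-vlan" models the effect of: vlan precedence ip-subnet-vlan
        if precedence not in ("mac-vlan", "ip-subnet-vlan"):
            raise ValueError("precedence must be mac-vlan or ip-subnet-vlan")
        self.precedence = precedence
        self.mac_map = {}   # padded MAC -> (vlan_id, 802.1p priority)
        self.subnets = []   # (network, vlan_id, 802.1p priority)

    @staticmethod
    def _check(vlan_id, priority):
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be 1-4094")
        if not 0 <= priority <= 7:
            raise ValueError("priority must be 0-7")

    def add_mac_vlan(self, vlan_id, mac, priority=0):
        self._check(vlan_id, priority)
        self.mac_map[normalize_mac(mac)] = (vlan_id, priority)

    def add_ip_subnet_vlan(self, vlan_id, ip, mask, priority=0):
        self._check(vlan_id, priority)
        network = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        if network.is_multicast:
            raise ValueError("multicast segments cannot be associated with a VLAN")
        if len(self.subnets) >= 256:  # the guide states 256 subnets are supported
            raise ValueError("subnet table is full")
        self.subnets.append((network, vlan_id, priority))

    def classify(self, src_mac, src_ip, pvid, tag=None):
        """Return (vlan_id, priority, rule) for one received frame."""
        if tag is not None:
            # Tagged frames are handled as with port-based VLANs.
            return (tag, None, "tag")
        try:
            mac_hit = self.mac_map.get(normalize_mac(src_mac))
        except ValueError:
            mac_hit = None
        ip_hit = None
        if src_ip is not None:
            address = ipaddress.ip_address(src_ip)
            for network, vlan_id, priority in self.subnets:
                if address in network:  # first configured match (assumption)
                    ip_hit = (vlan_id, priority)
                    break
        order = [("mac-vlan", mac_hit), ("ip-subnet-vlan", ip_hit)]
        if self.precedence == "ip-subnet-vlan":
            order.reverse()
        for rule, hit in order:
            if hit is not None:
                return (hit[0], hit[1], rule)
        return (pvid, 0, "port")  # assumed fallback: the port's default VLAN


def build_sample(precedence="mac-vlan"):
    """Constructed sample: one MAC mapping and one subnet mapping."""
    classifier = VlanClassifier(precedence)
    classifier.add_mac_vlan(10, "e0-fc01-203", priority=5)
    classifier.add_ip_subnet_vlan(20, "192.168.20.0", 24, priority=3)
    return classifier


if __name__ == "__main__":
    for precedence in ("mac-vlan", "ip-subnet-vlan"):
        sample = build_sample(precedence)
        print(precedence, sample.classify("00e0-fc01-0203", "192.168.20.7", pvid=1))
```

A host that matches both a MAC mapping and a subnet mapping lands in a different VLAN depending on the precedence setting, which is worth checking before relying on either method for isolation.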

Checking the Configuration

Procedure

  • Run the display vlan reserved command to view information about reserved VLANs.
  • Run the display vlan command to check information about all VLANs or a specified VLAN.
  • Run the display mac-vlan { mac-address { all | mac-address } | vlan vlan-id } command to check information about VLANs configured based on MAC addresses.
  • Run the display ip-subnet-vlan vlan { all | vlan-id1 [ to vlan-id2 ] } command to check information about IP subnet associated with VLANs.

Configuring VLANIF Interfaces for Inter-VLAN Communication

A VLANIF interface is a Layer 3 logical interface. After VLANIF interfaces are created on the device, communication between VLANs is allowed.

Context

After VLANs are configured, users in the same VLAN can communicate with each other while users in different VLANs cannot. To implement inter-VLAN communication, configure VLANIF interfaces, which are Layer 3 logical interfaces.

If a VLAN goes Down because all ports in the VLAN go Down, the system immediately reports the VLAN Down event to the corresponding VLANIF interface, instructing the VLANIF interface to go Down. To prevent network flapping caused by changes of VLANIF interface status, enable VLAN damping on the VLANIF interface. After the last Up port in a VLAN goes Down, the system starts a delay timer and informs the corresponding VLANIF interface of the VLAN Down event after the timer expires. If a port in the VLAN goes Up during the delay period, the VLANIF interface remains Up.

MTU is short for maximum transmission unit. An MTU value determines the maximum number of bytes a sender can send at a time. If the size of packets exceeds the MTU supported by a transit node or a receiver, the transit node or receiver fragments the packets or even discards them, aggravating the network transmission load. To avoid this problem, set the MTU value of the VLANIF interface.

After configuring bandwidth for VLANIF interfaces, you can use the NMS to query the bandwidth. This facilitates traffic monitoring.

NOTE:

To implement communication between VLANs, hosts in each VLAN must use the IP address of the corresponding VLANIF interface as the gateway address.

Pre-configuration Tasks

Before creating a VLANIF interface, complete the following tasks:

  • Create a VLAN.

  • Associate the VLAN with the physical interface.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    interface vlanif vlan-id

    A VLANIF interface is created and the VLANIF interface view is displayed.

    The VLAN ID specified in this command must be the ID of an existing VLAN.

    A VLANIF interface is Up only when at least one physical port added to the corresponding VLAN is Up.

  3. Run:

    ip address ip-address { mask | mask-length } [ sub ]

    An IP address is assigned to the VLANIF interface for communication at the network layer.

    If IP addresses assigned to VLANIF interfaces belong to different network segments, a routing protocol must be configured on the switch to provide reachable routes. Otherwise, VLANIF interfaces cannot communicate with each other at the network layer.

  4. (Optional) Run:

    damping time delay-time

    The delay period of VLAN damping is configured.

    The delay-time value ranges from 0 to 20, in seconds. By default, the delay is 0 seconds, indicating that VLAN damping is disabled.

  5. (Optional) Run:

    mtu mtu

    The MTU value of the VLANIF interface is configured.

    The mtu value ranges from 128 to 9216. By default, the value is 1500.

    NOTE:
    • After changing the maximum transmission unit (MTU) using the mtu command on a VLANIF interface, you need to restart the VLANIF interface to make the new MTU take effect. To restart the VLANIF interface, run the shutdown command and then the undo shutdown command, or run the restart command in the VLANIF interface view.

    • The mtu value plus the Layer 2 frame header of a VLANIF interface must be smaller than the jumboframe value of the peer interface; otherwise, some packets may be discarded.

  6. (Optional) Run:

    bandwidth bandwidth

    The bandwidth of the VLANIF interface is configured.

  7. Run:

    commit

    The configuration is committed.

Checking the Configuration
  • Run the display interface vlanif [ vlan-id ] command to verify that the VLANIF interface and protocol are enabled and view the interface description and IP address.

Configuring VLAN Aggregation to Save IP Addresses

VLAN aggregation prevents the waste of IP addresses and implements inter-VLAN communication.

Creating a Sub-VLAN

Context

In VLAN aggregation, physical interfaces can be added to a sub-VLAN but no VLANIF interface can be created for the sub-VLAN. All the interfaces in the sub-VLAN use the same IP address with the VLANIF interface of the super-VLAN. Some subnet IDs, default gateway addresses of the subnets, and directed broadcast addresses of the subnets are saved and different broadcast domains can use the addresses in the same subnet segment. As a result, subnet differences are eliminated, addressing becomes flexible and idle addresses are reduced. VLAN aggregation allows each sub-VLAN to function as a broadcast domain to implement broadcast isolation and saves IP address resources.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. (Optional) Configure the link type of the interface as access.

    1. Run:

      interface interface-type interface-number

      The interface view is displayed.

    2. Run:

      port link-type access

      The link type of the interface is set to access.

    3. Run:

      quit

      Return to the system view.

  3. Run:

    vlan vlan-id

    A sub-VLAN is created and the sub-VLAN view is displayed.

    NOTE:

    If a device is configured with multiple VLANs, configuring names for these VLANs is recommended:

    Run the name vlan-name command in the VLAN view. After a VLAN name is configured, you can run the vlan vlan-name vlan-name command in the system view to enter the corresponding VLAN view.

  4. Run:

    port interface-type { interface-number1 [ to interface-number2 ] } &<1-10>

    A port is added to the sub-VLAN.

  5. Run:

    commit

    The configuration is committed.

Creating a Super-VLAN

Context

A super-VLAN consists of several sub-VLANs. No physical port can be added to a super-VLAN, but a VLANIF interface can be configured for the super-VLAN and an IP address can be assigned to the VLANIF interface.

NOTE:

Before configuring a super-VLAN, ensure that sub-VLANs have been configured.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    vlan vlan-id

    A VLAN is created, and the VLAN view is displayed.

    The VLAN ID of a super-VLAN must be different from every sub-VLAN ID.

  3. Run:

    aggregate-vlan

    A super-VLAN is created.

    A super-VLAN cannot contain any physical interfaces.

    VLAN 1 cannot be configured as a super-VLAN.

  4. Run:

    access-vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>

    A sub-VLAN is added to a super-VLAN.

    Before adding sub-VLANs to a super-VLAN, ensure that these sub-VLANs are not configured with VLANIF interfaces.

    The device supports 32 sub-VLANs in a super-VLAN.

  5. Run:

    commit

    The configuration is committed.

Assigning an IP Address to the VLANIF Interface of a Super-VLAN

Context

The IP address of the VLANIF interface of a super-VLAN must contain the subnet segments where users in sub-VLANs reside. All the sub-VLANs use the IP address of the VLANIF interface of the super-VLAN, saving IP addresses.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    interface vlanif vlan-id

    A VLANIF interface is created for a super-VLAN, and the view of the VLANIF interface is displayed.

  3. Run:

    ip address ip-address { mask | mask-length } [ sub ]

    An IP address is assigned to the VLANIF interface.

  4. Run:

    commit

    The configuration is committed.

(Optional) Enabling Proxy ARP on the VLANIF Interface of a Super-VLAN

Context

VLAN aggregation allows sub-VLANs to use the same subnet address, but prevents PCs in different sub-VLANs from communicating with each other at the network layer.

PCs in ordinary VLANs can communicate with each other at the network layer by using different gateway addresses. In VLAN aggregation, PCs in a super-VLAN use the same subnet address and gateway address. As PCs in different sub-VLANs belong to one subnet, they communicate with each other only at Layer 2, not Layer 3. These PCs are isolated from each other at Layer 2. Consequently, PCs in different sub-VLANs cannot communicate with each other.

Proxy ARP is required to enable PCs in a sub-VLAN to communicate with PCs in another sub-VLAN or PCs on other networks. After a super-VLAN and its VLANIF interface are created, proxy ARP must be enabled to allow the super-VLAN to forward or process ARP request and reply packets. Proxy ARP helps PCs in sub-VLANs communicate with each other at the network layer.

NOTE:

An IP address must have been assigned to the VLANIF interface corresponding to the super-VLAN. Otherwise, proxy ARP cannot take effect.

VLAN aggregation simplifies configurations for the network where many VLANs are configured and PCs in different VLANs need to communicate with each other.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    interface vlanif vlan-id

    The view of the VLANIF interface of the super-VLAN is displayed.

  3. Run:

    arp proxy inter-vlan enable

    Inter-sub-VLAN proxy ARP is enabled.

  4. Run:

    commit

    The configuration is committed.

(Optional) Configuring an IP Address Pool for a Sub-VLAN

Specifying an IP address range for users in a sub-VLAN filters out unauthorized users whose IP addresses are outside the range.

Context

Specifying an IP address range for users in a sub-VLAN filters out unauthorized users whose IP addresses are outside the range.

After configuring an IP address pool for a sub-VLAN, note the following points:
  • Only packets with IP addresses in the IP address pool are processed in the sub-VLAN. The packets include ARP Request packets, ARP Reply packets, and ARP proxy packets. Packets with IP addresses beyond the IP address pool are discarded.
  • Only entries mapping IP addresses in the IP address pool are learned in the sub-VLAN.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    vlan vlan-id

    The view of a created sub-VLAN is displayed.

  3. Run:

    ip pool start-address [ to end-address ]

    An IP address pool is configured for the sub-VLAN.

  4. Run:

    commit

    The configuration is committed.
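
A pre-deployment check of a VLAN aggregation plan against the constraints stated in the sections above, given as an added Python example (not code from this guide). The function names and the sample addresses are hypothetical, and the guide does not say which address field of a packet is compared with the pool, so the caller passes it in as packet_ip.

```python
import ipaddress

MAX_SUB_VLANS = 32  # limit stated in the guide


def validate_super_vlan(super_id, vlanif_address, sub_pools):
    """Check a plan before typing it in.

    vlanif_address: address of the super-VLAN's VLANIF, e.g. "10.1.1.1/24".
    sub_pools: {sub_vlan_id: (start_address, end_address)} as given to "ip pool".
    Returns a list of problems; an empty list means the plan is consistent.
    """
    problems = []
    if super_id == 1:
        problems.append("VLAN 1 cannot be configured as a super-VLAN")
    if super_id in sub_pools:
        problems.append("the super-VLAN ID must differ from every sub-VLAN ID")
    if len(sub_pools) > MAX_SUB_VLANS:
        problems.append(f"more than {MAX_SUB_VLANS} sub-VLANs in one super-VLAN")

    # The VLANIF subnet must contain the segments used in the sub-VLANs.
    subnet = ipaddress.ip_interface(vlanif_address).network
    for vlan_id, (start, end) in sorted(sub_pools.items()):
        low, high = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if high < low:
            problems.append(f"sub-VLAN {vlan_id}: pool end precedes pool start")
        elif low not in subnet or high not in subnet:
            problems.append(f"sub-VLAN {vlan_id}: pool is not inside {subnet}")
    return problems


def pool_verdict(sub_pools, sub_vlan_id, packet_ip):
    """Return "process" or "discard" for a packet seen in a sub-VLAN."""
    start, end = sub_pools[sub_vlan_id]
    address = ipaddress.ip_address(packet_ip)
    inside = ipaddress.ip_address(start) <= address <= ipaddress.ip_address(end)
    return "process" if inside else "discard"


# Constructed plan: super-VLAN 10 with two sub-VLANs sharing 10.1.1.0/24.
SAMPLE_POOLS = {
    2: ("10.1.1.2", "10.1.1.100"),
    3: ("10.1.1.101", "10.1.1.200"),
}

if __name__ == "__main__":
    print(validate_super_vlan(10, "10.1.1.1/24", SAMPLE_POOLS))
    # A host in sub-VLAN 2 that uses an address from sub-VLAN 3's range:
    print(pool_verdict(SAMPLE_POOLS, 2, "10.1.1.150"))
```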

Checking the Configuration

Procedure

  • Run the display vlan [ vlan-id [ verbose ] ] or display vlan [ vlan-id1 [ to vlan-id2 ] | vlan-name vlan-name | summary ] command to check VLAN information.
  • Run the display interface vlanif [ vlan-id ] command to check information about a specific VLANIF interface.

Configuring MUX VLAN

Configuring a MUX VLAN allows users in different VLANs to communicate with each other, and separates users in a certain VLAN.

Pre-configuration Tasks

Before configuring a MUX VLAN, complete the following task:

  • Creating VLANs

Configuring a Principal VLAN for a MUX VLAN

Context

Ports added to a principal VLAN can communicate with every port in the MUX VLAN.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    vlan vlan-id

    A VLAN is created, and the VLAN view is displayed. If the specified VLAN has been created, the VLAN view is directly displayed.

    The VLAN ID ranges from 1 to 4094 (VLANs 4064 to 4094 are default reserved VLANs. You can run the vlan reserved command to configure the reserved VLAN range). If VLANs need to be created in batches, run the vlan batch { vlan-id1 [ to vlan-id2 ] } &<1-10> command to create VLANs in batches, and then run the vlan vlan-id command to enter the view of a specified VLAN.

    NOTE:

    If a device is configured with multiple VLANs, configuring names for these VLANs is recommended:

    Run the name vlan-name command in the VLAN view. After a VLAN name is configured, you can run the vlan vlan-name vlan-name command in the system view to enter the corresponding VLAN view.

  3. Run:

    mux-vlan

    The VLAN is configured as a principal VLAN.

    The VLAN ID assigned to a principal VLAN can no longer be used to configure any VLAN Mapping, super-VLAN, or sub-VLAN.

  4. Run:

    commit

    The configuration is committed.

Configuring a Group VLAN for a Subordinate VLAN

Context

A VLAN associated with a group port is called a group VLAN. Group ports in a group VLAN can communicate with each other.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    vlan vlan-id

    The view of a created principal VLAN is displayed.

  3. Run:

    subordinate group { vlan-id1 [ to vlan-id2 ] } &<1-10>

    A group VLAN is configured for the subordinate VLAN.

    A maximum of 128 group VLANs can be configured for a principal VLAN.

    The VLAN ID assigned to a group VLAN can no longer be used to configure any VLANIF interface, VLAN Mapping, Super-VLAN, or Sub-VLAN.

  4. Run:

    commit

    The configuration is committed.

Configuring a Separate VLAN for a Subordinate VLAN

Context

A VLAN associated with separate ports is called a separate VLAN. Ports in a separate VLAN cannot communicate with each other.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    vlan vlan-id

    The view of a created principal VLAN is displayed.

  3. Run:

    subordinate separate vlan-id

    A separate VLAN is configured for a subordinate VLAN.

    Only one separate VLAN can be configured for a principal VLAN.

    Group VLANs and separate VLANs in one MUX VLAN cannot use the same VLAN ID.

    The VLAN ID assigned to a separate VLAN can no longer be used to configure any VLANIF interface, VLAN Mapping, Super-VLAN, or Sub-VLAN.

  4. Run:

    commit

    The configuration is committed.

Enabling the MUX VLAN Function on a Port

Context

After the MUX VLAN function is enabled on a port, the principal VLAN and subordinate VLAN can communicate with each other; ports in a group VLAN can communicate with each other; ports in a separate VLAN cannot communicate with each other.

Pre-configuration Tasks

Before enabling the MUX VLAN function on a port, complete the following task:

  • Adding the port to a principal or subordinate VLAN as an access, hybrid, or trunk interface

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    interface interface-type interface-number

    The interface view is displayed.

  3. Run:

    port link-type { hybrid | access | trunk }

    The port link-type is set.

  4. Run:

    port mux-vlan enable vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>

    The MUX VLAN function is enabled.

    After the MUX VLAN function is enabled on an interface, VLAN mapping cannot be configured on the interface.

    NOTE:
    • Access interfaces can be added to only one MUX VLAN group. Trunk and hybrid interfaces can be added to multiple MUX VLAN groups. An interface can be added to a maximum of 32 MUX VLAN groups.

    • Disabling MAC address learning or limiting the number of learned MAC addresses on an interface affects the MUX VLAN function on the interface.

    • The MUX VLAN and port security functions cannot be enabled on the same interface.

  5. Run:

    commit

    The configuration is committed.
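
The reachability rules of the principal, group, and separate VLANs described above, written as a small Python model so that an isolation plan can be checked before it is configured. This is an added example, not code from this guide; the class name, VLAN IDs, and port names are hypothetical.

```python
from itertools import combinations

MAX_GROUP_VLANS = 128  # limit stated in the guide


class MuxVlan:
    """One MUX VLAN: a principal VLAN plus its subordinate VLANs."""

    def __init__(self, principal, groups=(), separate=None):
        groups = tuple(groups)
        if len(groups) > MAX_GROUP_VLANS:
            raise ValueError("at most 128 group VLANs per principal VLAN")
        if separate is not None and separate in groups:
            raise ValueError("group and separate VLANs cannot share a VLAN ID")
        if principal in groups or principal == separate:
            # A principal VLAN cannot be its own subordinate (assumed).
            raise ValueError("the principal VLAN cannot also be subordinate")
        self.principal = principal
        self.groups = set(groups)
        self.separate = separate  # only one separate VLAN is allowed

    def role(self, vlan_id):
        if vlan_id == self.principal:
            return "principal"
        if vlan_id in self.groups:
            return "group"
        if self.separate is not None and vlan_id == self.separate:
            return "separate"
        raise ValueError(f"VLAN {vlan_id} is not part of this MUX VLAN")

    def can_communicate(self, vlan_a, vlan_b):
        """True if a port in vlan_a can exchange frames with a port in vlan_b."""
        role_a, role_b = self.role(vlan_a), self.role(vlan_b)
        if "principal" in (role_a, role_b):
            return True  # principal ports reach every port in the MUX VLAN
        if role_a == role_b == "group":
            return vlan_a == vlan_b  # only inside the same group VLAN
        return False  # separate ports reach nothing but principal ports

    def reachable_pairs(self, ports):
        """ports: {port_name: vlan_id}. Return the set of pairs that can talk."""
        return {
            frozenset((a, b))
            for a, b in combinations(sorted(ports), 2)
            if self.can_communicate(ports[a], ports[b])
        }


# Constructed layout: a shared server, one department, and isolated guests.
SAMPLE_MUX = MuxVlan(principal=2, groups=[3], separate=4)
SAMPLE_PORTS = {"server": 2, "hostB": 3, "hostC": 3, "hostD": 4, "hostE": 4}

if __name__ == "__main__":
    for pair in sorted(tuple(sorted(p)) for p in SAMPLE_MUX.reachable_pairs(SAMPLE_PORTS)):
        print(pair)
```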

Checking the Configuration

Procedure

  • Run the display mux-vlan command to check information about the MUX VLAN.

Configuring an mVLAN to Implement Integrated Management

Management VLAN (mVLAN) configuration allows users to use the VLANIF interface of the mVLAN to log in to the management switch module to manage devices in a centralized manner.

Context

To use a network management system to manage multiple devices, create a VLANIF interface on each device and configure a management IP address for the VLANIF interface. You can then log in to a device and manage it using its management IP address. If a user-side interface is added to the VLAN, users connected to the interface can also log in to the device. This brings security risks to the device.

After a VLAN is configured as a management VLAN, no access interface or dot1q-tunnel interface can be added to the VLAN. An access interface or a dot1q-tunnel interface is connected to users. The management VLAN forbids users connected to access and dot1q-tunnel interfaces to log in to the device, improving device performance.

Pre-configuration Tasks

Before creating a VLANIF interface, complete the following tasks:

  • Create a VLAN.

  • Associate the VLAN with the physical interface.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    vlan vlan-id

    The VLAN view is displayed.

    NOTE:

    If a device is configured with multiple VLANs, configuring names for these VLANs is recommended:

    Run the name vlan-name command in the VLAN view. After a VLAN name is configured, you can run the vlan vlan-name vlan-name command in the system view to enter the corresponding VLAN view.

  3. Run:

    management-vlan

    An mVLAN is configured.

    After an mVLAN is configured, an interface added to the mVLAN must be a trunk or hybrid interface.

    VLAN 1 cannot be configured as an mVLAN.

  4. Run:

    quit

    The VLAN view is exited.

  5. Run:

    interface vlanif vlan-id

    A VLANIF interface is created and the VLANIF interface view is displayed.

  6. Run:

    ip address ip-address { mask | mask-length } [ sub ]

    The IP address of the VLANIF interface is configured.

    After assigning an IP address to the VLANIF interface, you can run the stelnet command to log in to a management switch module to manage attached devices.

  7. Run:

    commit

    The configuration is committed.

Checking the Configuration
  • Run the display vlan command to check information about the mVLAN. The command output shows information about the mVLAN in the line started with an asterisk sign (*).

Configuring Transparent Transmission of Protocol Packets in a VLAN to Improve Forwarding Efficiency

VLAN transparent transport improves forwarding efficiency. A switch directly forwards protocol packets of a specific VLAN without sending the packets to its CPU.

Context

If the device is a gateway of some VLANs or snooping functions are deployed in some VLANs, the device does not need to process protocol packets in other VLANs. After the protocol packets in other VLANs are sent to the CPU, the CPU needs to forward them to other devices. This mechanism is called software forwarding. Software forwarding affects the forwarding speed and efficiency of protocol packets because protocol packets need to be processed.

To address this issue, deploy transparent transmission of protocol packets in VLANs where protocol packets do not need to be processed. This function enables the device to transparently transmit the protocol packets in the VLANs to other devices, which improves the forwarding speed and efficiency.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    vlan vlan-id

    The VLAN view is displayed.

    NOTE:

    If a device is configured with multiple VLANs, configuring names for these VLANs is recommended:

    Run the name vlan-name command in the VLAN view. After a VLAN name is configured, you can run the vlan vlan-name vlan-name command in the system view to enter the corresponding VLAN view.

  3. Run:

    protocol-transparent

    Transparent transmission of protocol packets in a VLAN is enabled.

    By default, transparent transmission of protocol packets in a VLAN is disabled.

    Transparent transmission of protocol packets cannot be configured in VLAN 1.

    NOTE:

    A VLAN enabled with transparent transmission of protocol packets cannot be configured as a multicast VLAN or MUX VLAN.

  4. Run:

    commit

    The configuration is committed.

Checking the Configuration

Run the display this command in the VLAN view to check the configuration for transparent transmission of protocol packets in a VLAN.

Configuring an Interface to Discard Incoming Tagged Packets

If a user connects a switch to a user-side interface without permission, the user-side interface may receive tagged packets. To prevent unauthorized access, you can configure the user-side interface to discard incoming tagged packets.

Context

All packets sent from user devices are untagged, so user-side interfaces on a switch do not receive tagged packets, and the interface must be configured as an access interface. If a user connects a switch to a user-side interface without permission, the user-side interface may receive tagged packets. To prevent unauthorized access, you can configure the user-side interface to discard incoming tagged packets.

Only interfaces that are connected to user devices and do not receive tagged packets can be configured to discard incoming tagged packets.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    interface interface-type interface-number

    The member interface view is displayed.

  3. Run:

    port discard tagged-packet

    The interface is configured to discard incoming tagged packets.

    By default, an interface does not discard incoming tagged packets.

  4. Run:

    commit

    The configuration is committed.
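
An audit of a saved configuration for the two user-side exposures this guide describes: access interfaces that still accept tagged packets, and user-facing interfaces placed in the VLAN used for management. This is an added Python example, not code from this guide; the interface names, addresses, and configuration text are constructed, and the section layout (unindented header, indented body, "#" separators) is an assumption about how the configuration is stored.

```python
WEAK_CONFIG = """\
#
vlan 100
#
interface Vlanif100
 ip address 192.0.2.1 255.255.255.0
#
interface 10GE1/17/1
 port default vlan 10
 port discard tagged-packet
#
interface 10GE1/17/2
 port default vlan 10
#
interface 10GE1/17/3
 port default vlan 100
 port discard tagged-packet
#
interface 10GE1/17/4
 port link-type trunk
 port trunk allow-pass vlan 10 100
#
"""

# Same device after applying management-vlan and port discard tagged-packet.
HARDENED_CONFIG = """\
#
vlan 100
 management-vlan
#
interface Vlanif100
 ip address 192.0.2.1 255.255.255.0
#
interface 10GE1/17/1
 port default vlan 10
 port discard tagged-packet
#
interface 10GE1/17/2
 port default vlan 10
 port discard tagged-packet
#
interface 10GE1/17/3
 port default vlan 10
 port discard tagged-packet
#
interface 10GE1/17/4
 port link-type trunk
 port trunk allow-pass vlan 10 100
#
"""


def parse_sections(config_text):
    """Split the text into {header line: [body lines]}."""
    sections, current = {}, None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.strip() == "#":
            current = None
        elif raw[0] not in " \t":
            current = sections.setdefault(raw.strip(), [])
        elif current is not None:
            current.append(raw.strip())
    return sections


def audit(config_text, mgmt_vlan):
    """Return a list of (object, finding) tuples for the given management VLAN."""
    findings = []
    sections = parse_sections(config_text)
    for header, body in sections.items():
        if not header.startswith("interface "):
            continue
        name = header.split(None, 1)[1]
        if name.lower().startswith("vlanif"):
            continue  # logical Layer 3 interface, not a user-side port
        link_type, default_vlan = "access", 1  # defaults stated in the guide
        for line in body:
            if line.startswith("port link-type "):
                link_type = line.split()[2]
            elif line.startswith("port default vlan "):
                default_vlan = int(line.split()[3])
        if link_type == "access" and "port discard tagged-packet" not in body:
            findings.append((name, "accepts-tagged-packets"))
        if link_type in ("access", "dot1q-tunnel") and default_vlan == mgmt_vlan:
            findings.append((name, "user-port-in-management-vlan"))
    if "management-vlan" not in sections.get(f"vlan {mgmt_vlan}", []):
        findings.append((f"vlan {mgmt_vlan}", "not-declared-management-vlan"))
    return findings


if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG, mgmt_vlan=100):
        print(finding)
```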

Updated: 2019-08-09

Document ID: EDOC1000041694