What Is a VLAN?
Introduction
This chapter defines Virtual Local Area Networks (VLANs), introduces related concepts, and provides configuration examples.
VLAN is a basic feature of Huawei data communications products, including switches, routers, WLAN products, and firewalls. Descriptions and examples in this chapter are based on Huawei's S12700 switch.
Understanding VLANs
VLANs are used to divide a physical LAN into multiple broadcast domains to isolate services with the aim of improving the security and management of the network. Hosts within a VLAN can directly communicate only with other hosts in the same VLAN and must use a router to communicate with hosts in other VLANs.
In the network shown in Figure 1, two switches are deployed at different locations, for example, on different floors of an office building. Both switches connect to two computers that belong to different enterprises. In this case, the computers can be assigned to different VLANs, achieving isolation of users between enterprises.
A switch identifies packets from different VLANs according to the information contained in their VLAN tags. IEEE 802.1Q adds a 4-byte VLAN tag between the Source/Destination MAC address fields and the Length/Type field of an Ethernet frame, as shown in Figure 2.
The VLAN ID (VID) field in a data frame identifies the VLAN to which the data frame belongs (the VLAN in which the data frame can be transmitted). All frames processed on a switch carry VLAN tags, but some devices connected to a switch cannot process tagged frames. To enable communication between the switch and these devices, the switch interfaces must be able to identify whether an Ethernet frame is tagged, and then decide whether to add VLAN tags to or remove VLAN tags from the frames. Hosts in the same VLAN may be connected to different switches, in which case the VLAN spans multiple switches. To enable communication between these hosts, interfaces between switches must be able to identify and send frames of multiple VLANs.
Huawei network devices can be configured with four types of interfaces: access interface, trunk interface, hybrid interface, and QinQ interface. The four interface types process frames differently, so the type to configure depends on what the interface connects to (for example, whether it connects to a host or to another switch).
- Access interface: An access interface often connects to a user terminal such as a user host or server that cannot identify VLAN tags, or is used when VLANs do not need to be differentiated. In most cases, access interfaces can only receive and send untagged frames, and can add only a unique VLAN tag to untagged frames.
- Trunk interface: A trunk interface often connects to a switch, a router, an AP, or a voice terminal that can receive and send both tagged and untagged frames. It allows tagged frames from multiple VLANs and untagged frames from only one VLAN to pass through.
- Hybrid interface: A hybrid interface can connect to a user terminal (such as a user host or server) or network device (such as a hub or an unmanaged switch) that cannot identify VLAN tags, and also can connect to a switch, a router, an AP, or a voice terminal that can receive and send both tagged and untagged frames. It allows tagged frames from multiple VLANs to pass through. Whether frames sent out from a hybrid interface are tagged or untagged depends on the VLAN configuration.
- QinQ interface: An 802.1Q-in-802.1Q (QinQ) interface often connects a private network to a public network. It can add an additional 802.1Q tag to a tagged frame. QinQ supports up to 4094 x 4094 VLANs, offering sufficient VLANs required by networks. A QinQ interface is also called a Dot1q-tunnel interface. For details about QinQ, refer to "QinQ Configuration" in the S12700 V200R013C00 Configuration Guide - Ethernet Switching Configuration Guide.
VLANs can be assigned based on interfaces, MAC addresses, policies, IP subnets, and protocols. Table 1 compares different VLAN assignment modes.
VLAN Assignment Mode | Introduction | Usage Scenario |
---|---|---|
Interface-based VLAN assignment | VLANs are assigned based on interfaces. | Networks of any scale and with devices at fixed locations |
MAC address-based assignment | VLANs are assigned based on source MAC addresses of frames. | Small-scale networks where user terminals often change physical locations but their NICs seldom change |
IP subnet-based VLAN assignment | VLANs are assigned based on source IP addresses and subnet masks. | Scenarios where there are high requirements for mobility and simplified management and low requirements for security. |
Protocol-based VLAN assignment | VLANs are assigned based on protocol (suite) types and encapsulation formats of frames. | Networks using multiple protocols |
Policy-based VLAN assignment | VLANs are assigned based on policies such as combinations of interfaces, MAC addresses, and IP addresses. | Complex networks |
Interface-based VLAN assignment is the simplest and most widely used of the VLAN assignment modes listed above. The configuration methods vary according to interface type. For details, see Assigning VLANs.
Configuring VLANs
Creating a VLAN
- Run the system-view command to enter the system view.
- Run the vlan vlan-id command to create a VLAN and enter its view.
NOTE:
A switch supports a maximum of 4096 VLANs, among which VLANs 0 and 4095 are reserved for system use, and VLAN 1 is the default VLAN. Therefore, you can only create VLANs 2 to 4094.
You can repeat the vlan command multiple times. If a VLAN has been created, this command cannot be used to create the same VLAN or modify the configurations of the VLAN.
The vlan batch command can be used to create multiple VLANs in batches. If a VLAN has been created, this command cannot be used to create the same VLAN or modify the configurations of the VLAN. If you run the vlan batch command multiple times, all the specified VLANs are created.
The following describes how to create VLAN 100 and verify the creation of the VLAN on a switch:
```
<HUAWEI> system-view
[HUAWEI] vlan 100
[HUAWEI-vlan100] quit
[HUAWEI] display vlan summary
Static VLAN:
Total 2 static VLAN.
  1 100

Dynamic VLAN:
Total 0 dynamic VLAN.

Reserved VLAN:
Total 0 reserved VLAN.
```
Assigning VLANs
VLANs can be assigned based on interfaces, MAC addresses, policies, IP subnets, and protocols. Here, interface-based VLAN assignment is used as an example.
The following examples describe the methods for configuring an interface as an access, hybrid, or trunk interface, and adding it to a VLAN:
Access Interface
- Run the interface interface-type interface-number command to enter the view of the Ethernet interface to be added to the VLAN.
- Run the port link-type access command to configure the Ethernet interface as an access interface.
- Run the port default vlan vlan-id command to configure the default VLAN for the interface and add the interface to the specified VLAN.
The following shows how to configure GE1/0/1 as an access interface, add it to VLAN 100, and verify the configuration:
```
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] port link-type access
[HUAWEI-GigabitEthernet1/0/1] port default vlan 100
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] display port vlan gigabitethernet 1/0/1
Port                    Link Type    PVID  Trunk VLAN List
-------------------------------------------------------------------------------
GigabitEthernet1/0/1    access       100   -
```
Trunk Interface
- Run the interface interface-type interface-number command to enter the view of the Ethernet interface to be added to the VLAN.
- Run the port link-type trunk command to configure the Ethernet interface as a trunk interface.
- Run the port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all } command to add the interface to the specified VLAN.
- (Optional) Run the port trunk pvid vlan vlan-id command to configure the default VLAN for the trunk interface.
NOTE:
If the VLAN allowed by an interface is the default VLAN of the interface, packets from the VLAN are forwarded as untagged.
The following shows how to configure GE1/0/2 as a trunk interface, add it to VLAN 100, and verify the configuration:
```
[HUAWEI] interface gigabitethernet 1/0/2
[HUAWEI-GigabitEthernet1/0/2] port link-type trunk
[HUAWEI-GigabitEthernet1/0/2] port trunk allow-pass vlan 100
[HUAWEI-GigabitEthernet1/0/2] quit
[HUAWEI] display port vlan gigabitethernet 1/0/2
Port                    Link Type    PVID  Trunk VLAN List
-------------------------------------------------------------------------------
GigabitEthernet1/0/2    trunk        1     1 100
```
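The NOTE above means that a trunk sends one VLAN untagged whenever its PVID is also in its allowed list. The following Python is an added example, not a Huawei tool: it reads display port vlan output in the column layout shown on this page and reports, per trunk, which VLAN leaves untagged. The sample text is constructed (GigabitEthernet1/0/4 is made up), and the hyphenated range notation in the VLAN list is an assumption about the output format.

```python
import re

# Constructed input: rows in the layout shown on this page, plus one made-up
# trunk (GigabitEthernet1/0/4) whose PVID is not in its allowed list.
SAMPLE = """\
Port                    Link Type    PVID  Trunk VLAN List
-------------------------------------------------------------------------------
GigabitEthernet1/0/1    access       100   -
GigabitEthernet1/0/2    trunk        1     1 100
GigabitEthernet1/0/4    trunk        10    100 200-202
"""

# port name, link type, PVID, then the rest of the line as the VLAN list
ROW = re.compile(r"^(\S+)\s+(access|trunk|hybrid)\s+(\d+)\s+(.*)$")


def expand(vlan_list: str) -> set:
    """Turn '1 100 200-202' into {1, 100, 200, 201, 202}; '-' means empty."""
    vlans = set()
    for token in vlan_list.split():
        if token == "-":
            continue
        lo, _, hi = token.partition("-")  # assumed range notation: 'lo-hi'
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def untagged_on_trunks(output: str) -> dict:
    """Map each trunk port to the VLAN it forwards untagged, or None."""
    result = {}
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if not m or m.group(2) != "trunk":
            continue  # header, separator, or a non-trunk interface
        port, _, pvid, vlan_list = m.groups()
        allowed = expand(vlan_list)
        # Per the NOTE: an allowed VLAN equal to the PVID is sent untagged.
        result[port] = int(pvid) if int(pvid) in allowed else None
    return result
```

For the GE1/0/2 session on this page, the result is VLAN 1: the interface reports PVID 1 with VLAN 1 in its list, so VLAN 1 frames leave untagged while VLAN 100 frames stay tagged.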
Hybrid Interface
- Run the interface interface-type interface-number command to enter the view of the Ethernet interface to be added to the VLAN.
- Run the port link-type hybrid command to configure the Ethernet interface as a hybrid interface.
- Run the following commands as required:
  - port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }: The hybrid interface is added to the VLAN in untagged mode and the interface will remove VLAN tags of frames before sending frames.
  - port hybrid tagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }: The hybrid interface is added to the VLAN in tagged mode and the interface will forward frames without removing VLAN tags of frames.
- (Optional) Run the port hybrid pvid vlan vlan-id command to configure the default VLAN for the hybrid interface.
The following shows how to configure GE1/0/3 as a hybrid interface, add it to VLAN 100, and verify the configuration:
```
[HUAWEI] interface gigabitethernet 1/0/3
[HUAWEI-GigabitEthernet1/0/3] port link-type hybrid
[HUAWEI-GigabitEthernet1/0/3] port hybrid tagged vlan 100
[HUAWEI-GigabitEthernet1/0/3] quit
[HUAWEI] display port vlan gigabitethernet 1/0/3
Port                    Link Type    PVID  Trunk VLAN List
-------------------------------------------------------------------------------
GigabitEthernet1/0/3    hybrid       1     100
```
Other VLAN Configurations
For more details about VLANs, for example, configuring the management VLAN, inter-VLAN communication on layer 3 switches, port isolation, and transparent transmission of protocol packets in a VLAN, refer to "VLAN Configuration" in the S12700 V200R013C00 Configuration Guide - Ethernet Switching Configuration Guide.