S220S and S310S V600R024C00 MD-CLI Configuration Reference

Understanding VLANs


VLAN Tags

Definition

Each VLAN on a LAN is identified by a unique VLAN tag, which is also called an 802.1Q tag.

Format

IEEE 802.1Q adds a 4-byte 802.1Q tag between the Source Address field and the Length/Type field of an Ethernet frame. Figure 5-21 shows the VLAN-tagged frame format defined in IEEE 802.1Q.

Figure 5-21 VLAN-tagged frame format defined in IEEE 802.1Q

An 802.1Q tag contains four fields:

  • Tag protocol identifier (TPID): determines whether a VLAN frame carries an 802.1Q tag. This field is 16 bits long and defaults to 0x8100, which indicates an 802.1Q-tagged frame. A device that does not support 802.1Q discards 802.1Q-tagged frames.

    Device vendors can define their own TPID values. When the TPID value of a neighbor device is set to a value other than 0x8100, the TPID value of the local device must be changed to that of the neighbor device. This enables the local device to identify the frames sent by, and communicate with, the neighbor device.

  • Priority (PRI): indicates the frame priority. This field is 3 bits long and its value ranges from 0 to 7, with a larger value indicating a higher priority. If network congestion occurs, a device preferentially sends frames with a higher priority.
  • Canonical Format Indicator (CFI): indicates whether a MAC address is encapsulated in canonical format. This field is 1 bit long and can be set to 0 or 1 (0 by default). The value 0 indicates that the MAC address is encapsulated in canonical format while the value 1 indicates non-canonical format.
  • VID: indicates the VLAN to which a frame belongs. This field is 12 bits long and ranges from 0 to 4095. The values 0 and 4095 are reserved, and therefore available VLAN IDs are in the range from 1 to 4094.
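The field layout above can be checked with a small parser. This is an added example, not code from the product documentation; the function names, the sample frames and the non-default TPID 0x9100 are constructed for illustration, and the example assumes that a frame whose TPID does not match the locally configured value is simply not identified as tagged.

```python
import struct
from dataclasses import dataclass
from typing import Optional

DEFAULT_TPID = 0x8100  # default TPID stated in the text


@dataclass
class Dot1QTag:
    tpid: int  # 16 bits
    pri: int   # 3 bits, 0-7, larger value = higher priority
    cfi: int   # 1 bit, 0 = canonical MAC format
    vid: int   # 12 bits, 0-4095

    @property
    def vid_usable(self) -> bool:
        # 0 and 4095 are reserved, so usable VLAN IDs are 1-4094.
        return 1 <= self.vid <= 4094


def parse_dot1q(frame: bytes, tpid: int = DEFAULT_TPID) -> Optional[Dot1QTag]:
    """Return the 802.1Q tag of an Ethernet frame, or None if no tag is identified.

    The 4-byte tag follows the 6-byte destination and 6-byte source addresses.
    `tpid` is the value the local device is configured to recognise.
    """
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    (field,) = struct.unpack_from("!H", frame, 12)
    if field != tpid:
        return None  # no tag with the expected TPID at this position
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return Dot1QTag(field, tci >> 13, (tci >> 12) & 0x1, tci & 0x0FFF)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pri: int = 0, cfi: int = 0,
                tpid: int = DEFAULT_TPID) -> bytes:
    """Build a constructed sample frame; vid=None yields an untagged frame."""
    tag = b""
    if vid is not None:
        if not (0 <= vid <= 4095 and 0 <= pri <= 7 and cfi in (0, 1)):
            raise ValueError("field out of range")
        tag = struct.pack("!HH", tpid, (pri << 13) | (cfi << 12) | vid)
    return dst + src + tag + struct.pack("!H", ethertype) + payload


# Constructed samples: broadcast ARP (EtherType 0x0806) from 00e0-fc00-1111.
BCAST = bytes.fromhex("ffffffffffff")
HOST1 = bytes.fromhex("00e0fc001111")
SAMPLE_UNTAGGED = build_frame(BCAST, HOST1, 0x0806, b"\x00" * 28)
SAMPLE_TAGGED = build_frame(BCAST, HOST1, 0x0806, b"\x00" * 28, vid=2, pri=5)
```
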

Frame Types

Each 802.1Q-capable device identifies the VLAN to which a frame belongs based on the VLAN ID, and processes the frame based on whether it carries a VLAN tag and the specific VLAN tag value. Frames are classified into the following types based on whether they carry VLAN tags:

  • Tagged frame: a frame with a 4-byte 802.1Q tag
  • Untagged frame: an original frame without a 4-byte 802.1Q tag

In most cases, devices process tagged and untagged frames differently:

  • User hosts, servers, hubs, and unmanaged switches can only receive and send untagged frames.
  • Switches, routers, firewalls, and access controllers (ACs) can send and receive both tagged and untagged frames.
  • Voice terminals can send and receive the tagged or untagged frames of only one VLAN.

Default VLAN

The default VLAN ID of an interface is called the PVID. Each interface has a PVID.

Adding and Removing VLAN Tags

Interfaces process data frames as tagged or untagged based on their interface types and default VLANs. Table 5-9 describes how interfaces process data frames.

To improve the efficiency of data frame processing, all data frames inside a device carry VLAN tags so that the device can process them in a unified manner.

Table 5-9 Data frame processing modes of different interfaces

Interface type: Access

Processing a received frame: Checks whether the received frame carries a VLAN tag:

  • Tags the frame with its PVID if the frame does not carry a VLAN tag.
  • Accepts the frame only when the frame carries a VLAN tag with the same VLAN ID as the PVID. Otherwise, the frame is discarded.

Processing a frame to be sent: Removes the PVID tag from the frame before sending it.

Interface type: Trunk

Processing a received frame: Checks whether the received frame carries a VLAN tag:

  • Tags the frame with its PVID if the frame does not carry a VLAN tag. Accepts the frame if the PVID is in the allowed VLAN ID list. Otherwise, the frame is discarded.
  • Accepts the frame if it carries a tag with a VLAN ID specified in the allowed VLAN ID list. Otherwise, the frame is discarded.

Processing a frame to be sent: Checks the VLAN tag of the frame to be sent:

  • If the VLAN ID in the tagged frame is the same as the PVID of the interface and the VLAN is allowed, the interface removes the VLAN tag from the frame before sending it.
  • If the VLAN ID in the tagged frame is different from the PVID of the interface and the VLAN is allowed, the interface sends the frame without removing the carried tag. Otherwise, the frame is discarded.

Interface type: Hybrid

Processing a received frame: Checks whether the received frame carries a VLAN tag:

  • Tags the frame with its PVID if the frame does not carry a VLAN tag. Accepts the frame if the PVID is in the allowed VLAN ID list. Otherwise, the frame is discarded.
  • Accepts the frame if it carries a tag with a VLAN ID specified in the allowed VLAN ID list. Otherwise, the frame is discarded.

Processing a frame to be sent: Checks the VLAN tag of the frame to be sent:

  • If the VLAN ID is allowed by the interface, you can use trunk-vlans or untag-vlans to configure whether the interface removes the VLAN tag from the frame before sending it.
  • If the VLAN ID is not allowed by the interface, the frame is discarded.

Intra-VLAN Communication

Intra-VLAN Communication Through a Single Device

In Figure 5-22, Host1 and Host2 connect to the same device, belong to VLAN 2, and are located on the same network segment.

Figure 5-22 Intra-VLAN communication through a single device

When Host1 sends a packet to Host2, the packet is transmitted as follows (assuming that no forwarding entry is created on DeviceA):

  1. Host1 determines that the destination IP address is on the same network segment as its IP address, and broadcasts an ARP Request packet to obtain the MAC address of Host2. The ARP Request packet carries the all-F destination MAC address and the destination IP address 10.1.1.3 (Host2's IP address).
  2. When the packet reaches interface 1 on DeviceA, DeviceA determines that the ARP Request packet is untagged and adds a tag with VLAN ID 2 (which is the PVID of interface 1) to the packet. DeviceA then adds the mapping between the source MAC address, VLAN ID, and interface (00e0-fc00-1111, 2, interface 1) to its MAC address table.
  3. As DeviceA does not find a MAC address entry matching the destination MAC address and VLAN ID of the ARP Request packet, it broadcasts the ARP Request packet through all interfaces that allow VLAN 2 (interface 2 in this example).
  4. Before sending the ARP Request packet, interface 2 on DeviceA removes the tag with VLAN ID 2 from the packet.
  5. Host2 receives the ARP Request packet from interface 2 and records the mapping between the MAC address and the IP address of Host1 in its ARP table. Host2 then compares the destination IP address with its own IP address. If they are the same, Host2 sends an ARP Reply packet carrying Host2's MAC address (00e0-fc00-2222) and Host1's IP address (10.1.1.2) as the destination IP address.
  6. After receiving the ARP Reply packet, interface 2 on DeviceA tags the packet with VLAN ID 2.
  7. DeviceA adds the mapping between the source MAC address, VLAN ID, and interface (00e0-fc00-2222, 2, interface 2) to its MAC address table, and then searches for an entry in its MAC address table based on the destination MAC address and VLAN ID (00e0-fc00-1111, 2). DeviceA finds the matching entry and sends the ARP Reply packet through interface 1.
  8. Before sending the ARP Reply packet through interface 1, DeviceA removes the tag with VLAN ID 2 from the packet based on the interface configuration.
  9. Host1 receives the ARP Reply packet from interface 1 and records the mapping between the MAC address and the IP address of Host2 in its ARP table.

Intra-VLAN Communication Through Multiple Devices

In Figure 5-23, Host1 and Host2 connect to different devices, belong to VLAN 2, and are located on the same network segment. DeviceA and DeviceB are connected using a trunk link over which frames tagged with VLAN ID 2 can be identified and transmitted between them.

Users in the same VLAN but on different network segments cannot communicate with each other at Layer 2 through DeviceA and DeviceB. The VLANIF technology can be used to implement Layer 3 communication between them.

Figure 5-23 Intra-VLAN communication through multiple devices

When Host1 sends a packet to Host2, the packet is transmitted as follows (assuming that no forwarding entry is created on DeviceA and DeviceB):

  1. Host1 determines that the destination IP address is on the same network segment as its IP address, and broadcasts an ARP Request packet to obtain the MAC address of Host2. The ARP Request packet carries the all-F destination MAC address and destination IP address 10.1.1.3 (Host2's IP address).
  2. When the packet reaches interface 1 on DeviceA, DeviceA determines that the ARP Request packet is untagged and adds a tag with VLAN ID 2 (which is the PVID of interface 1) to the packet. DeviceA then adds the mapping between the source MAC address, VLAN ID, and interface (00e0-fc00-1111, 2, interface 1) to its MAC address table.
  3. As DeviceA does not find a MAC address entry matching the destination MAC address and VLAN ID of the ARP Request packet, it broadcasts the ARP Request packet through all interfaces that allow VLAN 2 (interface 2 in this example).
  4. Interface 2 on DeviceA transparently transmits the ARP Request packet to interface 2 on DeviceB without removing the packet's VLAN tag, as the VLAN ID of the packet is different from the PVID (which is 1 in this example) of interface 2 on DeviceA.
  5. After receiving the ARP Request packet, interface 2 on DeviceB determines that VLAN 2 is allowed and accepts the packet.
  6. As DeviceB does not find a MAC address entry matching the destination MAC address and VLAN ID of the ARP Request packet, it broadcasts the ARP Request packet through all interfaces that allow VLAN 2 (interface 1 in this example).
  7. Before sending the ARP Request packet, interface 1 on DeviceB removes the tag with VLAN ID 2 from the packet.
  8. Host2 receives the ARP Request packet from interface 1 on DeviceB and records the mapping between the MAC address and IP address of Host1 in its ARP table. Host2 then compares the destination IP address with its own IP address. If they are the same, Host2 sends an ARP Reply packet carrying Host2's MAC address (00e0-fc00-2222) and Host1's IP address (10.1.1.2) as the destination IP address.
  9. After interface 1 on DeviceB receives the ARP Reply packet, DeviceB adds a tag with VLAN ID 2 to the packet, and then adds the mapping between the source MAC address, VLAN ID, and interface (00e0-fc00-2222, 2, interface 1) to its MAC address table.
  10. DeviceB transparently transmits the ARP Reply packet of Host2 through interface 2 to interface 2 on DeviceA. This is because interface 2 on DeviceB is a trunk interface and its PVID (which is 1 in this example) is different from the VLAN ID of the packet. As a result, interface 2 on DeviceB does not remove the VLAN tag of the packet.
  11. After receiving the ARP Reply packet, interface 2 on DeviceA determines that VLAN 2 is an allowed VLAN and accepts the packet.
  12. DeviceA adds the mapping between the source MAC address, VLAN ID, and interface (00e0-fc00-2222, 2, interface 2) to its MAC address table, and then searches for an entry in its MAC address table based on the destination MAC address and VLAN ID (00e0-fc00-1111, 2). DeviceA finds the matching entry and sends the ARP Reply packet through interface 1.
  13. Before sending the ARP Reply packet through interface 1, DeviceA removes the tag with VLAN ID 2 from the packet based on the interface configuration.
  14. Host1 receives the ARP Reply packet from interface 1 and records the mapping between the MAC address and the IP address of Host2 in its ARP table.

In addition to transmitting frames from multiple VLANs, a trunk link can transparently transmit frames without adding or removing VLAN tags of packets.
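The receive and send rules of Table 5-9, and the tag handling in the multi-device walk-through above, can be modelled in a few lines. This is an added example, not code from the product documentation; the `Port` class, its field names (`untag_vlans` stands in for the untag-vlans setting named in the table) and the trunk allowed list `{2}` are assumptions, as is the choice to drop a frame of another VLAN at an access port on egress.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple, Union

DROP = "drop"          # frame discarded
UNTAGGED = "untagged"  # frame sent without an 802.1Q tag


@dataclass
class Port:
    kind: str                                           # "access", "trunk" or "hybrid"
    pvid: int
    allowed: Set[int] = field(default_factory=set)      # allowed VLAN ID list
    untag_vlans: Set[int] = field(default_factory=set)  # hybrid only


def ingress(port: Port, tag: Optional[int]) -> Union[int, str]:
    """Return the VLAN the frame carries inside the device, or DROP."""
    if port.kind == "access":
        return port.pvid if tag in (None, port.pvid) else DROP
    vlan = port.pvid if tag is None else tag            # trunk and hybrid
    return vlan if vlan in port.allowed else DROP


def egress(port: Port, vlan: int) -> Union[int, str]:
    """Return the tag put on the wire, UNTAGGED, or DROP."""
    if port.kind == "access":
        # Assumption: a frame of another VLAN is never sent on an access port.
        return UNTAGGED if vlan == port.pvid else DROP
    if vlan not in port.allowed:
        return DROP
    if port.kind == "trunk":
        return UNTAGGED if vlan == port.pvid else vlan
    return UNTAGGED if vlan in port.untag_vlans else vlan  # hybrid


def forward(hops: List[Tuple[Port, Port]], tag: Optional[int] = None) -> list:
    """Carry one frame through (receiving port, sending port) pairs, one pair
    per device, and return what each device puts on the wire."""
    trace = []
    for rx, tx in hops:
        vlan = ingress(rx, tag)
        out = DROP if vlan == DROP else egress(tx, vlan)
        trace.append(out)
        if out == DROP:
            break
        tag = None if out == UNTAGGED else out
    return trace


# Constructed topology after Figure 5-23: access ports in VLAN 2, trunk PVID 1.
A_IF1 = Port("access", pvid=2)
A_IF2 = Port("trunk", pvid=1, allowed={2})
B_IF2 = Port("trunk", pvid=1, allowed={2})
B_IF1 = Port("access", pvid=2)
FIG_5_23 = [(A_IF1, A_IF2), (B_IF2, B_IF1)]
```

`forward(FIG_5_23)` reproduces steps 2 to 7 of the walk-through: the frame crosses the trunk link tagged with VLAN ID 2 and reaches Host2 untagged.
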

Inter-VLAN Communication

Inter-VLAN Communication Through a Single Device (Using VLANIF Interfaces)

In Figure 5-24, Host1 and Host2 connect to the same device, are located on different network segments, and belong to VLAN 2 and VLAN 3, respectively. After VLANIF 2 and VLANIF 3 are created on DeviceA and configured with IP addresses, the default gateway addresses of Host1 and Host2 are set to the IP addresses of VLANIF 2 and VLANIF 3, respectively.

Figure 5-24 Using VLANIF interfaces to implement inter-VLAN communication through a single device

When Host1 sends a packet to Host2, the packet is transmitted as follows (assuming that no forwarding entry is created on DeviceA):

  1. Host1 determines that the destination IP address is on a different network segment from its own IP address, and therefore sends an ARP Request packet to request the gateway MAC address. The ARP Request packet carries the destination IP address 10.1.1.1 (gateway's IP address) and all-F destination MAC address.
  2. When the ARP Request packet reaches interface 1 on DeviceA, DeviceA tags the packet with VLAN ID 2 (PVID of interface 1). DeviceA then records the mapping between the source MAC address, VLAN ID, and inbound interface (00e0-fc00-1111, 2, interface 1) in its MAC address table.
  3. DeviceA determines that the packet is an ARP Request packet and the destination IP address is that of its own VLANIF 2. DeviceA then encapsulates VLANIF 2's MAC address 00e0-fc00-3333 into the ARP Reply packet and removes the tag with VLAN ID 2 before sending it through interface 1. In addition, DeviceA records the mapping between the IP address and MAC address of Host1 in its ARP table.
  4. After receiving the ARP Reply packet from DeviceA, Host1 records the mapping between the IP address and MAC address of VLANIF 2 on DeviceA in its ARP table and sends a packet to DeviceA. The packet carries the destination MAC address 00e0-fc00-3333 and destination IP address 10.2.2.2 (Host2's IP address).
  5. After receiving the packet, interface 1 on DeviceA tags the packet with VLAN ID 2.
  6. DeviceA updates its MAC address table based on the source MAC address, VLAN ID, and inbound interface of the packet, and compares the destination MAC address of the packet with the MAC address of VLANIF 2. If they are the same, DeviceA determines that the packet should be forwarded at Layer 3 and searches for a Layer 3 forwarding entry based on the destination IP address. If no entry is found, DeviceA sends the packet to the CPU, which then searches for a routing entry to forward the packet.
  7. The CPU searches the routing table based on the destination IP address of the packet and determines that the destination IP address matches a directly connected network segment (the network segment where VLANIF 3 is located). The CPU continues to search the ARP table but finds no matching ARP entry. As a result, DeviceA broadcasts an ARP Request packet with the destination address of 10.2.2.2 to all interfaces in VLAN 3. Before sending the ARP Request packet from interface 2, DeviceA removes the tag with VLAN ID 2.
  8. After receiving the ARP Request packet, Host2 determines that the destination IP address in the packet is its own IP address and sends an ARP Reply packet carrying its own MAC address. At the same time, Host2 records the mapping between the MAC address and IP address of VLANIF 3 in its ARP table.
  9. After interface 2 on DeviceA receives the ARP Reply packet, DeviceA tags the packet with VLAN ID 3 and records the mapping between the MAC address and IP address of Host2 in its ARP table. Before forwarding the packet from Host1 to Host2, DeviceA removes the tag with VLAN ID 3 from the packet. At the same time, DeviceA records the mapping between Host2's IP address, MAC address, VLAN ID, and outbound interface in its Layer 3 forwarding table.

At this point, Host1 accesses Host2 successfully. The same process is used for Host2 to access Host1.

Inter-VLAN Communication Through Multiple Devices Using VLANIF Interfaces

When hosts in different VLANs connect to multiple devices, you need to configure static routes or a dynamic routing protocol in addition to configuring VLANIF interfaces and their IP addresses, as the IP addresses of VLANIF interfaces can only be used to generate direct routes.

In Figure 5-25, Host1 and Host2 connect to different devices, are located on different network segments, and belong to VLAN 2 and VLAN 3, respectively. DeviceA and DeviceB connect to hosts using access interfaces and connect to each other using trunk interfaces. On DeviceA, VLANIF 2 and VLANIF 4 are created and configured with IP addresses 10.1.1.1 and 10.1.4.1, respectively. On DeviceB, VLANIF 3 and VLANIF 4 are created and configured with IP addresses 10.1.2.1 and 10.1.4.2, respectively. Static routes are configured on DeviceA and DeviceB. On DeviceA, the destination network segment in the static route is 10.1.2.0/24 and the next-hop address is 10.1.4.2. On DeviceB, the destination network segment in the static route is 10.1.1.0/24 and the next-hop address is 10.1.4.1.

Figure 5-25 Using VLANIF interfaces to implement inter-VLAN communication through multiple devices

When Host1 sends a packet to Host2, the packet is transmitted as follows (assuming that no forwarding entry is created on DeviceA and DeviceB):

  1. The first six steps are the same as steps 1 to 6 in Inter-VLAN Communication Through a Single Device (Using VLANIF Interfaces). After those steps are complete, DeviceA sends the packet to its CPU which then searches the routing table to forward the packet.
  2. The CPU of DeviceA searches the routing table based on the destination IP address 10.1.2.2, and finds a static route with the destination network segment of 10.1.2.0/24 and the next-hop address of 10.1.4.2. The CPU continues to search the ARP table but finds no matching ARP entry. Therefore, DeviceA broadcasts an ARP Request packet with the destination address 10.1.4.2 to all interfaces in VLAN 4. Interface 2 on DeviceA transparently transmits the ARP Request packet to interface 2 on DeviceB without removing the tag from the packet.
  3. After the ARP Request packet reaches DeviceB, DeviceB determines that the destination IP address of the ARP Request packet is the IP address of its own VLANIF 4. DeviceB then sends an ARP Reply packet with the MAC address of VLANIF 4 to DeviceA.
  4. Interface 2 on DeviceB transparently transmits the ARP Reply packet to DeviceA. After DeviceA receives the ARP Reply packet, it records the mapping between the MAC address and IP address of VLANIF 4 in its ARP table.
  5. Before forwarding the packet of Host1 to DeviceB, DeviceA changes the destination MAC address of the packet to the MAC address of VLANIF 4 on DeviceB, and the source MAC address to the MAC address of its own VLANIF 4. In addition, DeviceA records the forwarding entry (10.1.2.0/24, destination MAC address, VLAN, and outbound interface) in its Layer 3 forwarding table. Similarly, the packet is transparently transmitted to interface 2 on DeviceB.
  6. After DeviceB receives the packet of Host1 forwarded by DeviceA, steps 6 to 9 in Inter-VLAN Communication Through a Single Device (Using VLANIF Interfaces) are performed. In addition, DeviceB records the forwarding entry (Host2's IP address, MAC address, VLAN, and outbound interface) in its Layer 3 forwarding table.

At this point, Host1 accesses Host2 successfully. The same process is used for Host2 to access Host1.
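The route lookup in steps 1 and 2 can be reproduced with the addresses from Figure 5-25. This is an added example, not code from the product documentation; the `L3Switch` class and its methods are hypothetical, and the /24 masks on the VLANIF addresses are assumed because the text gives only the host addresses.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple


class L3Switch:
    """Routing view of one device: direct routes from VLANIFs plus static routes."""

    def __init__(self) -> None:
        self.vlanifs: Dict[int, ipaddress.IPv4Interface] = {}
        self.static: List[Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]] = []

    def add_vlanif(self, vlan: int, cidr: str) -> None:
        self.vlanifs[vlan] = ipaddress.ip_interface(cidr)

    def add_static(self, prefix: str, next_hop: str) -> None:
        self.static.append((ipaddress.ip_network(prefix), ipaddress.ip_address(next_hop)))

    def _direct(self, ip) -> Optional[int]:
        """VLAN whose VLANIF subnet contains ip (longest prefix wins)."""
        hits = [(i.network.prefixlen, v) for v, i in self.vlanifs.items() if ip in i.network]
        return max(hits)[1] if hits else None

    def lookup(self, dst: str) -> Optional[Tuple[int, str]]:
        """Return (egress VLAN, IP address to resolve with ARP), or None if unroutable."""
        ip = ipaddress.ip_address(dst)
        vlan = self._direct(ip)
        direct_len = self.vlanifs[vlan].network.prefixlen if vlan is not None else -1
        statics = [(n.prefixlen, nh) for n, nh in self.static if ip in n]
        if vlan is not None and (not statics or direct_len >= max(statics)[0]):
            return vlan, str(ip)              # direct route: ARP for the host itself
        if statics:
            next_hop = max(statics)[1]
            nh_vlan = self._direct(next_hop)  # the next hop must be directly connected
            if nh_vlan is not None:
                return nh_vlan, str(next_hop)
        return None


def build_figure_5_25(with_static: bool = True) -> Tuple[L3Switch, L3Switch]:
    """DeviceA and DeviceB as described for Figure 5-25 (/24 masks assumed)."""
    a, b = L3Switch(), L3Switch()
    a.add_vlanif(2, "10.1.1.1/24")
    a.add_vlanif(4, "10.1.4.1/24")
    b.add_vlanif(3, "10.1.2.1/24")
    b.add_vlanif(4, "10.1.4.2/24")
    if with_static:
        a.add_static("10.1.2.0/24", "10.1.4.2")
        b.add_static("10.1.1.0/24", "10.1.4.1")
    return a, b
```

With `with_static=False`, DeviceA has no route to 10.1.2.2, which is why VLANIF addresses alone are not enough in the multi-device case.
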

Update Date:2024-10-28
Document ID:EDOC1100411928