1 of 29

VLAN Principles

Page 0

2 of 29

A Virtual Local Area Network (VLAN) represents a form of administrative network that defines a logical grouping of hosts or end system devices that are not limited to a physical location, and may be defined based on a wide range of parameters that allow for a greater flexibility in the way that logical groups are defined. The application of VLAN technology has expanded to support many aspects of enterprise networking as a means of logical data flow management and isolation.

Foreword

Page 1

3 of 29

Upon completion of this section, you will be able to:

Explain the application of VLAN tagging.
Describe the different port link types and characteristics.
Successfully establish port based VLANs.

Objectives

Page 2

4 of 29

No broadcast domain to manage expanding local networks.

LAN Limitations

Page 3

5 of 29

A VLAN enables logical isolation of traffic at the data link layer.

VLAN Technology

Group 1

Group 2

Page 4

6 of 29

A VLAN tag is inserted to distinguish frames for each VLAN.

VLAN Frame Format

Untagged frame

Tagged frame

0x8100	PCP	DEI	VLAN ID（12b）

2 bytes

DMAC

Data

SMAC

Type

FCS

6 bytes

2 bytes

46-1500 bytes

4 bytes

DMAC

Data

SMAC

Type

FCS

6 bytes

2 bytes

46-1500 bytes

4 bytes

Tag

TPID

TCI

Page 5

VLAN frames are identified using a tag header which is inserted into the Ethernet frame as a means of distinguishing a frame associated with one VLAN from frames of another. The VLAN tag format contains a Tag Protocol Identifier (TPID) and associated Tag Control Information (TCI). The TPID is used to identify the frame as a tagged frame, which currently only refers to the IEEE 802.1Q tag format, for which a value of 0x8100 is used to identify this format. The TCI contains fields that are associated with the tag format type.
The Priority Code Point (PCP) is a form of traffic classification field that is used to differentiate one form of traffic from another so as to prioritize traffic generally based on a classification such as voice, video, data etc. This is represented by a three bit value allowing a range from 0-7, and can be understood based on general 802.1p class of service (CoS) principles. The Drop Eligibility Indicator (DEI) represents a single bit value that exists in either a True of False state to determine the eligibility of a frame for discarding in the event of congestion.
The VLAN ID indicates the VLAN with which the frame is associated, represented as a 12 bit value. VLAN ID values range from 0x000 through to 0xFFF and for which the two upper and lower values are reserved, allowing 4094 possible VLAN Combinations. Huawei VRP implementation of VLANs uses VLAN 1 as the default VLAN (PVID) as based on IEEE802.1Q standards.

7 of 29

A trunk represents a backbone for the transmission of VLAN traffic between switches.

Link Types

Trunk

Access

VLAN3

VLAN2

Page 6

8 of 29

PVID represents the default VLAN for each interface.
The PVID is set to VLAN 1 for all ports by default.

Port VLAN ID

PVID1

PVID2

PVID3

PVID1

Page 7

9 of 29

Access ports remove VLAN tags before forwarding frames.

Port Types – Access

Host A

Host C

Host B

Untagged

PVID10

PVID2

Frame

10

Page 8

Access ports associate with access links, and frames that are received will be assigned a VLAN tag that is equal to the Port VLAN ID (PVID) of the interface. Frames being transmitted from an interface will typically remove the VLAN tag before forwarding to an end system that is not VLAN aware. If the tag and the PVID vary however, the frame will not be forwarded and therefore discarded. In the example a frame (untagged) is forwarded to the interface of the switch, which can be understood to forward to all other destinations.
Upon receiving the frame, the switch will associate the frame with VLAN 10 based on the PVID of the interface. The switch is able to identify at the port interface the PVID and make a decision as to whether the frame can be forwarded. In the case of Host C the PVID matches the VLAN ID in the VLAN tag, for which the tag is removed and the frame forwarded. For Host B however the frame and the PVID differ, and therefore the frame is restricted from being forwarded to this destination.

10 of 29

Frames carried over a trunk link may be tagged or untagged.
All VLANs must be permitted before being carried over a trunk.

Port Types – Trunk

Host A

Host C

Host B

Host D

Untagged

Frame

20

Untagged

SWA

SWB

Untagged

PVID10

PVID20

PVID10

PVID20

PVID10

Page 9

11 of 29

Hybrid ports are defined as either tagged or untagged.
VLAN communication can be managed on a port by port basis.

Port Types – Hybrid

PVID10

Host A

Host C

Host B

Host D

Untagged

PVID10

Frame

20

Untagged

SWA

SWB

Untagged

PVID10

PVID20

PVID10

PVID20

Hybrid Untagged

Hybrid Tagged

Untagged

Frame

10

Page 10

Hybrid represents the default port type for Huawei devices supporting VLAN operation and provides a means of managing the tag switching process associated for all interfaces. Each port can be considered as either a tagged port or an untagged port. Ports which operate as access ports (untagged) and ports which operate as trunk ports (tagged).
Ports which are considered untagged will generally receive untagged frames from end systems, and be responsible for adding a tag to the frame based on the Port VLAN ID (PVID) of the port. One of the key differences is in the hybrid port’s ability to selectively perform the removal of VLAN tags from frames that differ from the PVID of the port interface. In the example, Host D is connected to a port which specifies a Port VLAN ID of 20, whilst at the same time is configured to allow for the removal of the tag from frames received from VLAN 10, thereby allowing Host D to receive traffic from both VLANs 10 & 20.
Hybrid Ports that are tagged will operate in a similar manner as a regular trunk interface, however one major difference exists. VLAN frames that both match the PVID and are permitted by the port will continue be tagged when forwarded.

12 of 29

Five methods of VLAN assignment are possible.
Port based VLAN assignment is the default assignment method.

VLAN Assignment Methods

Assignment Method	VLAN 5	VLAN 10
Port based	G0/0/1, G0/0/7	G0/0/2 G0/0/9
MAC based	00-01-02-03-04-AA 00-01-02-03-04-CC	00-01-02-03-04-BB 00-01-02-03-04-DD
IP Subnet based	10.0.1.*	10.0.2.*
Protocol based	IP	IPX
Policy based	10.0.1.* + G0/0/1+ 00-01-02-03-04-AA	10.0.2.* + G0/0/2 + 00-01-02-03-04-BB

G0/0/1

Host A

10.0.1.1

Host D

10.0.2.2

Host B

10.0.2.1

Host C

10.0.1.2

G0/0/2

G0/0/7

G0/0/9

SWA

Page 11

VLAN assignment can be implemented based on one of five different methods, including Port based, MAC based, IP Subnet based, Protocol based and Policy based implementations. The port based method represents the default and most common method for VLAN assignment. Using this method, VLANs are classified based on the port numbers on a switching device. The network administrator configures a Port VLAN ID (PVID), representing the default VLAN ID for each port on the switching device. When a data frame reaches a port, it is marked with the PVID if the data frame carries no VLAN tag and the port is configured with a PVID. If the data frame carries a VLAN tag, the switching device will not add a VLAN tag to the data frame even if the port is configured with a PVID.
Using the MAC address assignment method, VLANs are classified based on the MAC addresses of network interface cards (NICs). The network administrator configures the mappings between MAC addresses and VLAN IDs. In this case, when a switching device receives an untagged frame, it searches the MAC-VLAN table for a VLAN tag to be added to the frame according to the MAC address of the frame. For IP subnet based assignment, upon receiving an untagged frame, the switching Device adds a VLAN tag to the frame based on the IP address of the packet header.
Where VLAN classification is based on protocol, VLAN IDs are allocated to packets received on an interface according to the protocol (suite) type and encapsulation format of the packets. The network administrator configures the mappings between types of protocols and VLAN IDs. The Policy based assignment implements a combination of criteria for assignment of the VLAN tag, including the IP subnet, port and MAC address, in which all criteria must match before the VLAN is assigned.

13 of 29

Creating VLANs

Page 12

[SWA]vlan 10

[SWA-vlan10]quit

[SWA]vlan batch 2 to 3

Info: This operation may take a few seconds. Please wait for a moment...done.

Host A

Host D

Host B

Host C

SWA

SWB

Page 12

14 of 29

Creating VLANs

[SWA]display vlan

The total number of vlans is : 4

------------------------------------------------------------

U:Up; D:Down; TG:Tagged; UT:Untagged; MP:Vlan-mapping; ST:Vlan-stacking; #: ProtocolTransparent-vlan; *:Management-vlan;

--------------------------------------------------------------

VID Type Ports

--------------------------------------------------------------

1 common UT:GE0/0/1(U) ……

2 common

3 common

common

……

Page 13

15 of 29

Setting the Port Link Type

[SWA]interface GigabitEthernet 0/0/1

[SWA-GigabitEthernet0/0/1]port link-type trunk

[SWA-GigabitEthernet0/0/1]quit

[SWA]interface GigabitEthernet 0/0/5

[SWA-GigabitEthernet0/0/5]port link-type access

SWA

SWB

G0/0/1

G0/0/7

G0/0/5

Host A

Host D

Host B

Host C

Page 14

16 of 29

Assigning Ports to VLANs

[SWA]vlan 2

[SWA-vlan2]port GigabitEthernet 0/0/7

[SWA-vlan2]quit

[SWA]interface GigabitEthernet 0/0/5

[SWA-GigabitEthernet0/0/5]port link-type access

[SWA-GigabitEthernet0/0/5]port default vlan 3

SWA

SWB

G0/0/1

G0/0/7

G0/0/5

Host A

Host D

Host B

Host C

Page 15

17 of 29

Verifying VLAN Assignment

[SWA]display vlan

The total number of vlans is : 4

------------------------------------------------------------

U:Up; D:Down; TG:Tagged; UT:Untagged; MP:Vlan-mapping; ST:Vlan-stacking; #: ProtocolTransparent-vlan; *:Management-vlan;

--------------------------------------------------------------

VID Type Ports

--------------------------------------------------------------

1 common UT:GE0/0/1(U) ……

2 common UT:GE0/0/7(D)

common UT:GE0/0/5(U)

10 common

……

Page 16

18 of 29

Forwarding Over the Trunk

[SWA-GigabitEthernet0/0/1]port link-type trunk

[SWA-GigabitEthernet0/0/1]port trunk pvid vlan 10

[SWA-GigabitEthernet0/0/1]port trunk allow-pass vlan 2 3

SWA

SWB

G0/0/1

Host A

Host D

Host B

Host C

Page 17

The assigning of the port link type of trunk interfaces enables the trunk to support the forwarding of VLAN frames for multiple VLANs between switches, however in order for frames to be carried over the trunk interface, permissions must be applied. The port trunk allow-pass vlan <vlan-id> command is used to set the permission for each VLAN, where vlan-id refers to the VLANs to be permitted. It is also necessary that the PVID for the trunk interface be included in the command to enable untagged traffic to be carried over the trunk link. The example demonstrates the changing of the default Port VLAN ID (PVID) for the interface to 10 and the applying of permission for VLANs 2 and 3 over the trunk link. In this case, any frames associated with VLAN 10 will not be carried over the trunk even though VLAN 10 is now the default VLAN for the trunk port. The command port trunk allow-pass vlan all can be used to allow all VLANs to traverse the trunk link.

19 of 29

Forwarding Over the Trunk

[SWA]display vlan

The total number of vlans is : 4

------------------------------------------------------------

U:Up; D:Down; TG:Tagged; UT:Untagged; MP:Vlan-mapping; ST:Vlan-stacking; #: ProtocolTransparent-vlan; *:Management-vlan;

--------------------------------------------------------------

VID Type Ports

--------------------------------------------------------------

1 common UT:GE0/0/1(U) ……

2 common UT:GE0/0/7(D) TG:GE0/0/1(U)

common UT:GE0/0/5(U) TG:GE0/0/1(U)

10 common

……

Page 18

20 of 29

Configuring Hybrid Ports

[SWA-GigabitEthernet0/0/5]port link-type hybrid

[SWA-GigabitEthernet0/0/5]port hybrid pvid vlan 3

[SWA-GigabitEthernet0/0/5]port hybrid untagged vlan 3

[SWA-GigabitEthernet0/0/7]port link-type hybrid

[SWA-GigabitEthernet0/0/7]port hybrid pvid vlan 2

[SWA-GigabitEthernet0/0/7]port hybrid untagged vlan 2

SWA

SWB

G0/0/1

Host A

Host D

Host B

Host C

G0/0/7

G0/0/5

Page 19

Hybrid port configuration represents the default port type on switch port interfaces and therefore the command port link-type hybrid is generally only necessary when converting the port link type from an access or a trunk port link type. Each port however may require to be associated with a default Port VLAN ID (PVID) over which frames are required to be either tagged or untagged. The port hybrid pvid vlan <vlan-id> command enables the default PVID to be assigned on a port by port basis following which it is also necessary to associate the forwarding behavior for a given port.
For ports that are to operate as access ports, this is achieved using the port hybrid untagged vlan<vlan-id> command. It should be clearly noted that the use of this command multiple times under the same interface view shall result in the interface being associated with all VLANs specified, with the associated VLAN frames being untagged before forwarding. The undo port hybrid vlan command can be used restore the default VLAN setting of VLAN1 and return to the default untagged mode.

21 of 29

Trunk links using the hybrid port link-type must enable tagging of VLAN frames before forwarding.

Configuring Hybrid Ports

SWA

SWB

G0/0/1

Host A

Host D

Host B

Host C

G0/0/7

G0/0/5

[SWA-GigabitEthernet0/0/1]port link-type hybrid

[SWA-GigabitEthernet0/0/1]port hybrid tagged vlan 2 to 3

Page 20

22 of 29

Configuration Validation

[SWA]display vlan

The total number of vlans is : 4

------------------------------------------------------------

U:Up; D:Down; TG:Tagged; UT:Untagged; MP:Vlan-mapping; ST:Vlan-stacking; #: ProtocolTransparent-vlan; *:Management-vlan;

--------------------------------------------------------------

VID Type Ports

--------------------------------------------------------------

1 common UT:GE0/0/1(U) ……

2 common UT:GE0/0/7(D)

TG:GE0/0/1(U)

3 common UT:GE0/0/5(U)

TG:GE0/0/1(U)

10 common

……

Page 21

23 of 29

Hybrid ports can be configured to receive VLAN traffic from multiple VLANs by simply removing the tag at the port interface.

Configuring Hybrid Ports

[SWB-GigabitEthernet0/0/4]port link-type hybrid

[SWB-GigabitEthernet0/0/4]port hybrid pvid vlan 3

[SWB-GigabitEthernet0/0/4]port hybrid untagged vlan 2 to 3

SWA

SWB

G0/0/1

Host A

Host D

Host B

Host C

G0/0/7

G0/0/5

G0/0/4

Page 22

24 of 29

Configuration Validation

[SWB]display vlan

The total number of vlans is : 3

------------------------------------------------------------

U:Up; D:Down; TG:Tagged; UT:Untagged; MP:Vlan-mapping; ST:Vlan-stacking; #: ProtocolTransparent-vlan; *:Management-vlan;

--------------------------------------------------------------

VID Type Ports

--------------------------------------------------------------

1 common UT:GE0/0/1(U) ……

2 common UT:GE0/0/4(U)

common UT:GE0/0/4(U)
……

Page 23

25 of 29

Voice VLANs are used to distinguish, isolate and prioritize voice traffic over service traffic as a means of quality assurance.

Voice VLAN Application

SWB

Host A

SWA

VoIP

IPTV

G0/0/1

MAC: 0011-2200-0001

MAC: 0011-2200-0002

Page 24

The growth of IP convergence has seen the integration of multiple technologies that allows High Speed Internet (HSI) services, Voice over IP (VoIP) services, and Internet Protocol Television (IPTV) services to be transmitted over a common Ethernet & TCP/IP network. These technologies originate from networks consisting of different forms of behavior. VoIP originates from circuit switched network technologies that involve the establishment of a fixed circuit between the source and destination, over which a dedicated path is created, ensuring that voice signals arrive with little delay and in a first-in-first-out signal order.
High Speed Internet operates in a packet switched network involving contention, and packet forwarding with no guarantee of orderly delivery for which packet re-sequencing is often necessary. Guaranteeing that technologies originating from a circuit switched network concept are capable of functioning over packet switched networks has brought about new challenges. This challenge focuses on ensuring that the services are capable of differentiating voice data from other data. The solution involves VoIP traffic being isolated through different VLANs and being assigned a higher priority to ensure voice quality throughput. Special voice VLANs can be configured on the switch, which allows the switch to assign a pre-configured VLAN ID and a higher priority to VoIP traffic.

26 of 29

Voice VLAN Configuration

[SWB]vlan 2

[SWB-vlan2]interface GigabitEthernet 0/0/1

[SWB-GigabitEthernet0/0/1]voice-vlan 2 enable

[SWB-GigabitEthernet0/0/1]voice-vlan mode auto

[SWB-GigabitEthernet0/0/1]quit

[SWB]voice-vlan mac-address 0011-2200-0000 mask ffff-ff00-0000

SWB

Host A

SWA

VoIP

IPTV

G0/0/1

MAC: 0011-2200-0001

MAC: 0012-2400-0002

Page 25

27 of 29

Configuration Validation

[SWB]display voice-vlan status

Voice VLAN Configurations:

-----------------------------------------------------------

Voice VLAN ID : 2

Voice VLAN status : Enable

Voice VLAN aging time : 1440(minutes)

Voice VLAN 8021p remark : 6

Voice VLAN dscp remark : 46

-----------------------------------------------------------

Port Information:

-----------------------------------------------------------

Port Add-Mode Security-Mode Legacy

-----------------------------------------------------------

GigabitEthernet0/0/1 Auto Security Disable

Page 26

The display voice-vlan status command allows voice VLAN information to be viewed, including the status, security mode, aging time, and the interface on which the voice VLAN function is enabled. The status determines whether the voice VLAN is currently enabled or disabled. The security-mode can exist in one of two modes, either normal or security. The normal mode allows the interface enabled with voice VLAN to transmit both voice data and service data, but remains vulnerable to attacks by invalid packets. It is generally used when multiple services (HSI, VoIP, and IPTV) are transmitted to a Layer 2 network through one interface, and the interface transmits both voice data and service data. The security mode applied on an interface enabled with voice VLAN checks whether the source MAC address of each packet that enters the voice VLAN matches the OUI. It is applied where the voice VLAN interface transmits ONLY voice data. The security mode can protect the voice VLAN against the attacks by invalid packets, however checking packets occupies certain system resources.
The Legacy option determines whether the interface can communicate with voice devices of other vendors, where an enabled interface permits this communication. The Add-Mode determines the working mode of the voice VLAN. In auto voice VLAN mode, an interface can be automatically added to the voice VLAN after the voice VLAN function is enabled on the interface, and adds the interface connected to a voice device to the voice VLAN if the source MAC address of packets sent from the voice device matches the OUI. The interface is automatically deleted if the interface does not receive any voice data packets from the voice device within the aging time. In manual voice VLAN mode, an interface must be added to the voice VLAN manually after the voice VLAN function is enabled on the interface.

28 of 29

If a trunk link has a PVID of 5 and the command port trunk allow-pass vlan 2 3 is used, which VLAN traffic will be carried over the trunk?
What action will be taken by an access port with a PVID of 2 when receiving an untagged frame?

Summary

Page 27

29 of 29

www.huawei.com

Thank You

Page 28