As local networks expand, traffic increases and broadcasts become more common. There are no real boundaries within such an expanding network, so every host is interrupted by every broadcast and link utilization keeps growing. Traditionally, the alternative was to implement a layer three device within the local network to create separate broadcast domains; however, this incurred additional expense, and the forwarding behavior of such devices did not provide the throughput found with switches, leading to bottlenecks at transit points between broadcast domains.
VLAN technology was introduced to enable traffic isolation at the data link layer. It has the added advantage of isolating traffic without the limitation of physical boundaries: users can be physically dispersed yet still belong to a single broadcast domain, logically isolated from other user groups at the data link layer. Today VLAN technology is applied as a solution to a variety of challenges.
VLAN frames are identified by a tag header inserted into the Ethernet frame, distinguishing frames associated with one VLAN from those of another. The VLAN tag consists of a Tag Protocol Identifier (TPID) and the associated Tag Control Information (TCI). The TPID identifies the frame as a tagged frame; it currently refers only to the IEEE 802.1Q tag format, which is identified by the value 0x8100. The TCI contains the fields defined by that tag format.
The Priority Code Point (PCP) is a traffic classification field used to differentiate one kind of traffic from another so that traffic can be prioritized, generally by classes such as voice, video and data. It is a three-bit value with a range of 0-7 and is interpreted according to general IEEE 802.1p class of service (CoS) principles. The Drop Eligibility Indicator (DEI) is a single-bit value, either true or false, that marks whether a frame is eligible for discard in the event of congestion.
The VLAN ID indicates the VLAN with which the frame is associated and is represented as a 12-bit value. VLAN ID values range from 0x000 through 0xFFF; the lowest and highest values are reserved, leaving 4094 usable VLAN IDs. The Huawei VRP implementation of VLANs uses VLAN 1 as the default VLAN (PVID), in line with the IEEE 802.1Q standard.
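The tag layout described above (TPID 0x8100, then a 16-bit TCI holding the 3-bit PCP, 1-bit DEI and 12-bit VLAN ID) as an added worked example, not code from the original course material: a small parser and tag inserter for raw Ethernet frames that treats the two reserved VLAN IDs as errors. The sample frame and its MAC addresses are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100             # Tag Protocol Identifier of an IEEE 802.1Q tagged frame
RESERVED_VIDS = (0x000, 0xFFF)  # never identify a VLAN; 1..4094 are usable


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into MACs, optional 802.1Q tag and EtherType.

    'tag' is None for an untagged frame, otherwise a dict of the TCI fields.
    Raises ValueError on a truncated frame or a reserved VLAN ID.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    tag, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("TPID 0x8100 present but TCI/EtherType truncated")
        (tci,) = struct.unpack("!H", frame[14:16])
        vid = tci & 0x0FFF
        if vid in RESERVED_VIDS:
            raise ValueError(f"reserved VLAN ID 0x{vid:03X} in tag")
        tag = {
            "pcp": tci >> 13,           # 3-bit Priority Code Point, 0..7
            "dei": bool(tci & 0x1000),  # 1-bit Drop Eligibility Indicator
            "vid": vid,                 # 12-bit VLAN ID
        }
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    return {"dst": dst, "src": src, "tag": tag,
            "ethertype": ethertype, "payload": frame[offset:]}


def add_tag(frame: bytes, vid: int, pcp: int = 0, dei: bool = False) -> bytes:
    """Insert a tag after the source MAC (what an access port does on ingress,
    using its PVID as the VID). Refuses already-tagged or out-of-range input."""
    if not 1 <= vid <= 4094 or not 0 <= pcp <= 7:
        raise ValueError("vid must be 1..4094 and pcp 0..7")
    if parse_frame(frame)["tag"] is not None:
        raise ValueError("frame already carries an 802.1Q tag")
    tci = (pcp << 13) | (int(dei) << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the tag (egress towards a VLAN-unaware end system); untagged
    frames are returned unchanged."""
    if parse_frame(frame)["tag"] is None:
        return frame
    return frame[:12] + frame[16:]


# Constructed sample: broadcast IPv4 frame from a made-up source MAC.
UNTAGGED = bytes.fromhex("ffffffffffff 001122334455 0800") + b"\x45" * 20

if __name__ == "__main__":
    tagged = add_tag(UNTAGGED, vid=10, pcp=5)
    print(parse_frame(tagged)["tag"])   # {'pcp': 5, 'dei': False, 'vid': 10}
```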
VLAN links are classified into two types, access links and trunk links. An access link is the link between an end system and a switch participating in VLAN tagging; the links between host terminals and switches are all access links. A trunk link is a link over which VLAN-tagged frames are expected to be carried; the links between switches are generally understood to be trunk links.
Each interface of a device participating in VLAN tagging is associated with a VLAN. The default VLAN of the interface is known as the Port VLAN ID (PVID). This value determines the behavior applied to frames received or transmitted over the interface.
Access ports connect to access links, and frames received on them are assigned a VLAN tag equal to the Port VLAN ID (PVID) of the interface. Frames transmitted from an access interface typically have the VLAN tag removed before being forwarded to an end system that is not VLAN aware. If the tag and the PVID differ, however, the frame is not forwarded and is therefore discarded. In the example an untagged frame is forwarded to the interface of the switch, which can be understood to forward it towards all other destinations.
Upon receiving the frame, the switch associates it with VLAN 10 based on the PVID of the ingress interface. At each egress port interface the switch compares the PVID with the VLAN of the frame and decides whether the frame can be forwarded. In the case of Host C the PVID matches the VLAN ID in the VLAN tag, so the tag is removed and the frame forwarded. For Host B, however, the frame's VLAN and the PVID differ, and the frame is therefore not forwarded to this destination.
For trunk ports, associated with trunk links, the Port VLAN ID (PVID) identifies which VLAN's frames are forwarded without a VLAN tag and which must carry one. The example shows a trunk interface assigned a PVID of 10, where it should be assumed that all VLANs are permitted to traverse the trunk link. Only frames associated with VLAN 10 are forwarded without the VLAN tag, based on the PVID. Frames of all other VLANs must carry a VLAN tag and be permitted by the port before they can be transmitted over the trunk link; frames associated with VLAN 20 are therefore carried as tagged frames over the trunk link.
Hybrid is the default port type for Huawei devices supporting VLAN operation and provides a means of managing the tagging behavior of every interface. Each port can be considered either a tagged port or an untagged port: ports that operate as access ports are untagged, and ports that operate as trunk ports are tagged.
Ports that are untagged will generally receive untagged frames from end systems and are responsible for adding a tag to each frame based on the Port VLAN ID (PVID) of the port. One of the key differences is the hybrid port's ability to selectively remove the VLAN tag from frames belonging to VLANs other than the PVID of the port interface. In the example, Host D is connected to a port with a Port VLAN ID of 20 that is at the same time configured to remove the tag from frames received from VLAN 10, allowing Host D to receive traffic from both VLAN 10 and VLAN 20.
Hybrid ports that are tagged operate in a similar manner to a regular trunk interface, with one major difference: VLAN frames that match the PVID and are permitted by the port continue to be tagged when forwarded.
VLAN assignment can be implemented using one of five methods: port based, MAC based, IP subnet based, protocol based and policy based. The port based method is the default and most common method. Using this method, VLANs are classified based on the port numbers of a switching device. The network administrator configures a Port VLAN ID (PVID), the default VLAN ID for each port on the switching device. When a data frame reaches a port, it is marked with the PVID if it carries no VLAN tag and the port is configured with a PVID. If the data frame already carries a VLAN tag, the switching device does not add a VLAN tag to it even if the port is configured with a PVID.
Using the MAC address assignment method, VLANs are classified based on the MAC addresses of network interface cards (NICs). The network administrator configures the mappings between MAC addresses and VLAN IDs. When a switching device receives an untagged frame, it searches the MAC-VLAN table for the VLAN tag to add to the frame, according to the MAC address of the frame. For IP subnet based assignment, upon receiving an untagged frame, the switching device adds a VLAN tag to the frame based on the IP address in the packet header.
Where VLAN classification is based on protocol, VLAN IDs are allocated to packets received on an interface according to the protocol (suite) type and encapsulation format of the packets. The network administrator configures the mappings between protocol types and VLAN IDs. Policy based assignment uses a combination of criteria for assigning the VLAN tag, including IP subnet, port and MAC address, all of which must match before the VLAN is assigned.
The implementation of VLANs begins with the creation of the VLAN on the switch. The vlan <vlan-id> command creates the VLAN, which can be understood to exist once the user enters the VLAN view for the given VLAN, as demonstrated in the configuration example. The VLAN ID ranges from 1 to 4094. Where multiple VLANs must be created, the vlan batch <vlan-id1 to vlan-id2> command creates a contiguous range of VLANs, and the vlan batch &<1-4094> command creates non-contiguous VLANs, where "&" represents a space between the VLAN IDs or ranges. All ports are associated with VLAN 1, the default VLAN, by default, and therefore forwarding is initially unrestricted.
Once the VLANs have been created, the creation can be verified with the display vlan command. If no parameter is specified, brief information about all VLANs is displayed. The display vlan <vlan-id> verbose command displays detailed information about a specified VLAN, including its ID, type, description and status, the status of the traffic statistics function, the interfaces in the VLAN, and the mode in which the interfaces were added to the VLAN. The display vlan <vlan-id> statistics command shows traffic statistics on the interfaces of a specified VLAN, and the display vlan summary command provides a summary of all VLANs in the system.
The port link type is configured in the interface view of each interface on a VLAN-capable switch. The default port link type on Huawei switches is hybrid. The port link-type <type> command configures the port link type of the interface, where the type can be access, trunk or hybrid. A fourth option, QinQ, exists but is outside the scope of this course. Note that if no port link type appears in the displayed configuration, the default hybrid port link type is in effect. Before changing the link type of an interface, its default VLAN configuration must be restored so that the interface belongs only to the default VLAN 1.
A port can be associated with a created VLAN using two configuration methods. The first is to enter the VLAN view and add the interface to the VLAN with the port <interface> command. The second is to enter the interface view of the interface to be added and use the port default vlan <vlan-id> command, where vlan-id refers to the VLAN to which the port is to be added.
The display vlan command can be used to verify the changes made to the configuration and confirm the association of port interfaces with the VLANs to which they have been assigned. In the display example, port interfaces Gigabit Ethernet 0/0/5 and Gigabit Ethernet 0/0/7 can be identified as being associated with VLANs 2 and 3 respectively. The UT value identifies that the port is untagged, either because its port link type is access or because it is an untagged hybrid port. The current state of the link can also be determined as either up (U) or down (D).
Assigning the trunk port link type to an interface enables the trunk to carry frames of multiple VLANs between switches; however, before frames can be carried over the trunk interface, permissions must be applied. The port trunk allow-pass vlan <vlan-id> command sets the permission for each VLAN, where vlan-id refers to the VLANs to be permitted. The PVID of the trunk interface must also be included in this command for untagged traffic to be carried over the trunk link. The example shows the default Port VLAN ID (PVID) of the interface being changed to 10 and permission being applied for VLANs 2 and 3 over the trunk link. In this case, any frames associated with VLAN 10 will not be carried over the trunk even though VLAN 10 is now the default VLAN for the trunk port. The command port trunk allow-pass vlan all can be used to allow all VLANs to traverse the trunk link.
The changes to the VLAN permissions can again be checked with the display vlan command, which reflects the VLANs permitted over the trunk link. The TG value identifies that the VLANs have been associated with a tagged interface, either a trunk or a tagged hybrid port interface. In the display example, VLANs 2 and 3 have been given permission to traverse the tagged interface Gigabit Ethernet 0/0/1, an interface that is currently active.
Hybrid is the default port type on switch port interfaces, so the command port link-type hybrid is generally only necessary when converting the port link type from access or trunk. Each port may, however, need to be associated with a default Port VLAN ID (PVID) for which frames are to be either tagged or untagged. The port hybrid pvid vlan <vlan-id> command assigns the default PVID on a port by port basis, after which the forwarding behavior for the port must also be associated.
For ports that are to operate as access ports, this is achieved using the port hybrid untagged vlan <vlan-id> command. It should be clearly noted that using this command multiple times under the same interface view results in the interface being associated with all VLANs specified, with the frames of those VLANs being untagged before forwarding. The undo port hybrid vlan command can be used to restore the default VLAN setting of VLAN 1 and return to the default untagged mode.
For ports that are to operate as trunk ports, the port hybrid tagged vlan <vlan-id> command is used. It should be clearly noted that the use of this command multiple times under the same interface view shall result in the interface being associated with all VLANs specified, with the associated VLAN frames being tagged before forwarding. In the example the hybrid port interface Gigabit Ethernet 0/0/1 is expected to tag all frames that are associated with VLANs 2 and 3 before such frames are forwarded over the interface.
Through the display vlan command, the results of the tagged and untagged hybrid port configuration can be verified. Interface Gigabit Ethernet 0/0/7 has been established as a VLAN 2 untagged interface, while interface Gigabit Ethernet 0/0/5 has been established as an untagged interface associated with VLAN 3. In terms of both VLAN 2 and VLAN 3, frames associated with either VLAN will be carried as a tagged frame over interface Gigabit Ethernet 0/0/1.
Switch port interfaces can use the port hybrid untagged vlan <vlan-id> [to <vlan-id>] command to apply the untagged behavior for multiple VLANs in a single batch command. This enables hybrid interfaces to forward the traffic of multiple VLANs untagged to a given end system. All traffic forwarded from the end system is associated with the PVID assigned to the port and tagged accordingly.
The command port hybrid untagged vlan 2 to 3 on interface Gigabit Ethernet 0/0/4 results in the interface applying untagged behavior to both VLAN 2 and VLAN 3. This means that any traffic forwarded from a host associated with either VLAN, to an end system associated with interface Gigabit Ethernet 0/0/4, can be successfully received.
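The access, trunk and hybrid forwarding rules described earlier, together with the configuration points made in this section (a trunk whose PVID is left out of allow-pass, and a hybrid port untagged for VLANs 2 to 3 or 10 and 20), as an added model written for this page rather than VRP's own code. Port and host names are hypothetical; the topology reproduces the text's Host A/B/C/D examples.

```python
from dataclasses import dataclass, field

UNTAGGED, TAGGED, DROP = "untagged", "tagged", None


@dataclass
class Port:
    """One switch interface with the VRP-style settings described in the text."""
    link_type: str                                        # "access", "trunk" or "hybrid"
    pvid: int = 1                                         # Port VLAN ID; VRP default is VLAN 1
    allow_pass: set = field(default_factory=lambda: {1})  # trunk: port trunk allow-pass vlan ...
    untagged: set = field(default_factory=lambda: {1})    # hybrid: port hybrid untagged vlan ...
    tagged: set = field(default_factory=set)              # hybrid: port hybrid tagged vlan ...

    def members(self) -> set:
        """VLANs the port participates in; frames of other VLANs are never sent on it."""
        if self.link_type == "access":
            return {self.pvid}
        if self.link_type == "trunk":
            return set(self.allow_pass)
        return self.untagged | self.tagged

    def ingress(self, vid=None):
        """Classify a received frame (vid=None means untagged). Untagged frames take
        the PVID; an existing tag is kept. Returns the VLAN, or DROP if not a member."""
        vlan = self.pvid if vid is None else vid
        return vlan if vlan in self.members() else DROP

    def egress(self, vlan):
        """How a frame of `vlan` leaves this port: UNTAGGED, TAGGED or DROP."""
        if vlan not in self.members():
            return DROP               # e.g. trunk PVID 10 with allow-pass 2 3: VLAN 10 not carried
        if self.link_type == "access":
            return UNTAGGED           # tag removed towards the VLAN-unaware end system
        if self.link_type == "trunk":
            return UNTAGGED if vlan == self.pvid else TAGGED
        return UNTAGGED if vlan in self.untagged else TAGGED  # hybrid: membership, not PVID, decides


def forward(ports: dict, in_port: str, vid=None) -> dict:
    """Flood one frame received on `in_port`; report what each other port transmits."""
    vlan = ports[in_port].ingress(vid)
    if vlan is DROP:
        return {}
    return {name: p.egress(vlan) for name, p in ports.items() if name != in_port}


# Constructed topology reproducing the text's examples (names are hypothetical).
SWITCH = {
    "HostA": Port("access", pvid=10),
    "HostB": Port("access", pvid=20),
    "HostC": Port("access", pvid=10),
    "HostD": Port("hybrid", pvid=20, untagged={10, 20}),  # receives VLANs 10 and 20 untagged
    "Trunk": Port("trunk", pvid=10, allow_pass=set(range(1, 4095))),  # allow-pass vlan all
}
MISCONFIGURED_TRUNK = Port("trunk", pvid=10, allow_pass={2, 3})  # PVID left out of allow-pass

if __name__ == "__main__":
    print(forward(SWITCH, "HostA"))
    # {'HostB': None, 'HostC': 'untagged', 'HostD': 'untagged', 'Trunk': 'untagged'}
```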
The growth of IP convergence has seen the integration of multiple technologies that allow High Speed Internet (HSI), Voice over IP (VoIP) and Internet Protocol Television (IPTV) services to be transmitted over a common Ethernet and TCP/IP network. These technologies originate from networks with very different behavior. VoIP originates from circuit switched network technologies, in which a fixed circuit is established between source and destination to create a dedicated path, ensuring that voice signals arrive with little delay and in first-in-first-out order.
High Speed Internet operates in a packet switched network involving contention and packet forwarding with no guarantee of in-order delivery, so that packet resequencing is often necessary. Guaranteeing that technologies originating from a circuit switched network concept can function over packet switched networks has brought new challenges, chiefly ensuring that the network can differentiate voice data from other data. The solution isolates VoIP traffic in a separate VLAN and assigns it a higher priority to ensure voice quality. Special voice VLANs can be configured on the switch, allowing the switch to assign a preconfigured VLAN ID and a higher priority to VoIP traffic.
Configuration of the voice VLAN begins with the voice-vlan <vlan-id> enable command, which designates a specified VLAN as the voice VLAN; any VLAN between 2 and 4094 can be used. The voice-vlan mode <mode> command specifies the working mode by which a port interface is added to the voice VLAN: by default this happens automatically, but it can also be done manually. The voice-vlan mac-address <mac-address> mask <mask> command allows voice packets originating from an IP phone to be identified by the Organizationally Unique Identifier (OUI) of their source MAC address and associated with the voice VLAN, so that voice traffic can ultimately be given a higher priority.
The display voice-vlan status command displays voice VLAN information, including the status, security mode, aging time, and the interfaces on which the voice VLAN function is enabled. The status shows whether the voice VLAN is currently enabled or disabled. The security mode is either normal or security. In normal mode, an interface enabled with the voice VLAN transmits both voice data and service data but remains vulnerable to attack by invalid packets; it is generally used when multiple services (HSI, VoIP, and IPTV) are transmitted to a Layer 2 network through one interface that carries both voice data and service data. In security mode, an interface enabled with the voice VLAN checks whether the source MAC address of each packet entering the voice VLAN matches a configured OUI; it is applied where the voice VLAN interface transmits only voice data. Security mode protects the voice VLAN against attacks by invalid packets, but checking every packet consumes system resources.
The Legacy option determines whether the interface can communicate with voice devices of other vendors; an enabled interface permits this communication. The Add-Mode shows the working mode of the voice VLAN. In auto voice VLAN mode, an interface is added to the voice VLAN automatically once the voice VLAN function is enabled on it: the switch adds the interface connected to a voice device to the voice VLAN if the source MAC address of the packets sent by that device matches the OUI, and removes the interface automatically if no voice data packets are received from the device within the aging time. In manual voice VLAN mode, an interface must be added to the voice VLAN manually after the voice VLAN function is enabled on the interface.
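The OUI check and the normal/security and auto/manual distinctions described above, as an added model written for this page (not VRP's implementation): a frame from a source MAC matching a configured mac-address/mask pair is placed in the voice VLAN, a non-matching frame is dropped in security mode or forwarded as ordinary service data in the port's PVID in normal mode, and auto mode joins and ages interfaces. The OUI, mask, interface names and aging time are constructed or assumed values.

```python
from dataclasses import dataclass, field


def mac_to_int(mac: str) -> int:
    """Accept VRP 'hhhh-hhhh-hhhh' or 'hh:hh:hh:hh:hh:hh' notation."""
    return int(mac.replace("-", "").replace(":", ""), 16)


@dataclass
class VoiceVlan:
    """One voice VLAN with the settings shown by display voice-vlan status."""
    vlan_id: int                                 # voice-vlan <vlan-id> enable, 2..4094
    add_mode: str = "auto"                       # voice-vlan mode auto | manual
    security_mode: str = "normal"                # normal | security
    aging_minutes: int = 1440                    # assumed aging time for this model
    ouis: list = field(default_factory=list)     # (oui, mask) from voice-vlan mac-address ... mask ...
    members: dict = field(default_factory=dict)  # interface -> minute voice traffic was last seen

    def __post_init__(self):
        if not 2 <= self.vlan_id <= 4094:
            raise ValueError("voice VLAN must be in the range 2..4094")

    def add_oui(self, mac: str, mask: str) -> None:
        m = mac_to_int(mask)
        self.ouis.append((mac_to_int(mac) & m, m))

    def is_voice_source(self, src_mac: str) -> bool:
        """OUI check: does the source MAC match any configured mac-address/mask pair?"""
        m = mac_to_int(src_mac)
        return any((m & mask) == oui for oui, mask in self.ouis)

    def add_member(self, interface: str, now_min: int) -> None:
        """Manual mode: the administrator adds the interface; auto mode calls this itself."""
        self.members[interface] = now_min

    def classify(self, interface: str, src_mac: str, pvid: int, now_min: int) -> dict:
        """Decide what happens to a frame entering a voice-VLAN-enabled interface."""
        if self.is_voice_source(src_mac):
            if self.add_mode == "auto":
                self.add_member(interface, now_min)   # join or refresh on a matching OUI
            if interface in self.members:
                return {"action": "forward", "vlan": self.vlan_id, "voice": True}
            return {"action": "forward", "vlan": pvid, "voice": False}  # manual, not yet added
        if self.security_mode == "security":
            return {"action": "drop", "vlan": None, "voice": False}     # only OUI sources allowed
        return {"action": "forward", "vlan": pvid, "voice": False}      # normal: service data

    def age(self, now_min: int) -> list:
        """Auto mode: remove interfaces with no voice traffic within the aging time."""
        expired = [i for i, t in self.members.items() if now_min - t > self.aging_minutes]
        for i in expired:
            del self.members[i]
        return expired


# Constructed example: a hypothetical phone OUI, not a real vendor assignment.
VV = VoiceVlan(vlan_id=100, security_mode="security")
VV.add_oui("0011-2200-0000", "ffff-ff00-0000")
```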
The PVID on a trunk link defines only the tagging behavior that will be applied at the trunk interface. If the port trunk allow-pass vlan 2 3 command is used, only frames associated with VLAN 2 and VLAN 3 will be forwarded over the trunk link.
An access port configured with a PVID of 2 will tag all received untagged frames with a VLAN 2 tag. This will be used by the switch to determine whether a frame can be forwarded via other access interfaces or carried over a trunk link.