Table of Contents

Chapter 1 VLAN Configuration
1.1 Introduction to VLAN
1.1.1 VLAN Overview
1.1.2 VLAN Classification
1.2 Configuring Basic VLAN Attributes
1.3 Configuring VLAN Interface Basic Attributes
1.4 Configuring the Port-Based VLAN
1.4.1 Introduction to the Port-Based VLAN
1.4.2 Configuring the Access-Port-Based VLAN
1.4.3 Configuring the Trunk-Port-Based VLAN
1.4.4 Configuring the Hybrid-Port-Based VLAN
1.5 Configuring the IP-Subnet-Based VLAN
1.5.1 Introduction
1.5.2 Configuring the IP-Subnet-Based VLANs
1.6 Displaying and Maintaining VLAN
1.7 A Typical VLAN Configuration Example

Chapter 2 Voice VLAN Configuration
2.1 Introduction to Voice VLAN
2.1.1 Voice VLAN Mode on a Port
2.1.2 Security Mode and Normal Mode of Voice VLAN
2.2 Configuring the Voice VLAN
2.2.1 Configuration Prerequisites
2.2.2 Setting Voice VLAN Mode on a Port to Automatic Mode
2.2.3 Setting Voice VLAN Mode on a Port to Manual Mode
2.3 Displaying and Maintaining Voice VLAN
2.4 Typical Voice VLAN Configuration Examples
2.4.1 Configuring Automatic Voice VLAN Mode
2.4.2 Configuring Manual Voice VLAN Mode

Chapter 3 GVRP Configuration
3.1 GVRP Overview
3.1.1 Introduction to GARP
3.1.2 Introduction to GVRP
3.1.3 Protocols and Standards
3.2 Configuring GVRP
3.2.1 Configuring GVRP Functions
3.2.2 Configuring GARP Timers
3.3 Displaying and Maintaining GVRP
3.4 GVRP Configuration Example
3.4.1 Example 1
3.4.2 Example 2
3.4.3 Example 3
Figure 1-1 A VLAN diagram (two LAN switches and a router; hosts in VLAN A and VLAN B)

A VLAN is not restricted by physical factors: hosts that reside in different network segments may belong to the same VLAN, and a VLAN can be within a single switch or span multiple switches or routers. VLAN technology has the following advantages:
1) Broadcast traffic is confined to each VLAN, reducing bandwidth utilization and improving network performance.
2) LAN security is improved. Packets in different VLANs cannot communicate with each other directly. That is, users in a VLAN cannot interact directly with users in other VLANs, unless routers or Layer 3 switches are used.
3) A more flexible way to establish virtual working groups. With VLAN technology, clients can be allocated to different working groups, and users from the same group do not have to be within the same physical area, making network construction and maintenance much easier and more flexible.
This chapter will focus on the port-based VLANs and IP-subnet-based VLANs.
Follow these steps to configure VLAN interface basic attributes:
- To do: Enter system view
  Use the command: system-view
- To do: Create VLAN interface and enter its view
  Use the command: interface Vlan-interface vlan-interface-id
  Remarks: Required. The VLAN interface must be created first before entering its view.
- Use the command: ip address ip-address { mask | mask-length } [ sub ]
  Remarks: Optional. Not configured by default.
- To do: Specify the descriptive character string for the VLAN interface
  Use the command: description text
  Remarks: Optional. VLAN interface name used by default, for example, Vlan-interface1.
- To do: Bring up the VLAN interface
  Use the command: undo shutdown
  Remarks: Optional. By default, the VLAN interface is down if all ports in the VLAN are down; as long as one port in the VLAN is up, the VLAN interface is up.
Note: Before creating a VLAN interface, ensure that the corresponding VLAN already exists. Otherwise, the specified VLAN interface will not be created.
Access port: An access port belongs to only one VLAN and strips off the VLAN tags when sending packets of this VLAN, normally used to connect computers;
Trunk port: A trunk port can belong to multiple VLANs and receive and send packets for multiple VLANs, normally used to connect devices;
Huawei Technologies Proprietary 1-3
Hybrid port: A hybrid port can belong to multiple VLANs and receive and send packets for multiple VLANs, used to connect either computers or devices.
A Hybrid port allows packets of multiple VLANs to be sent without the Tag label; A Trunk port only allows packets from the default VLAN to be sent without the Tag label.
An Access port only belongs to one VLAN. Therefore, its default VLAN is the VLAN it resides in and cannot be configured. You can configure the default VLAN for the Trunk port or the Hybrid port as they can both belong to multiple VLANs. After deletion of the default VLAN using the undo vlan command, the default VLAN for an Access port will revert to VLAN 1, whereas that for the Trunk or Hybrid port remains.
Note: For the voice VLAN in automatic mode, the default VLAN of the corresponding port cannot be configured as the voice VLAN. Otherwise, the system prompts error information. For information about voice VLAN, refer to Chapter 2 Voice VLAN Configuration.
Configured with the default VLAN, a port handles packets in the following ways:
Receiving a packet (Tag available):
- Access port: Receive the packet if its VLAN ID is the same as the default VLAN ID. Discard the packet if its VLAN ID is different from the default VLAN ID.
- Trunk port and Hybrid port: Receive the packet if the VLAN ID is the same as the default VLAN ID. Receive the packet if the VLAN ID is not the same as the default VLAN ID but is allowed to pass through the port. Discard the packet if the VLAN ID is neither the same as the default VLAN ID nor allowed to pass through the port.

Sending a packet:
- Access port: Strip the Tag and send the packet, as the VLAN ID is the same as the default VLAN ID.
- Trunk port: Strip the Tag and send the packet if the VLAN ID is the same as the default VLAN ID. Keep the tag and send the packet if the VLAN ID is not the same as the default VLAN ID but is allowed to pass through the port.
- Hybrid port: Send the packet if the VLAN ID is allowed to pass through the port. Use the port hybrid vlan command to configure whether the port tags packets when sending packets in this VLAN (including the default VLAN).
- To do: Enter VLAN view
  Use the command: vlan vlan-id
  Remarks: Required. For a nonexistent VLAN, this command will create a VLAN and enter its view.
- Use the command: port interface-list
  Remarks: Required. By default, system will add all ports to VLAN 1.
Follow these steps to configure the Access-port-based VLAN in Ethernet port view/port group view:
- To do: Enter system view
  Use the command: system-view
- To do: Enter Ethernet port view or port group view (Enter Ethernet port view)
  Use the command: interface interface-type interface-number
  Remarks: Use either command. Under Ethernet port view, the subsequent configurations only apply to the current port; under port group view, the subsequent configurations apply to all ports in the port group.
- Use the command: port link-type access
  Remarks: Optional. The link type of a port is Access by default.
- Remarks: Optional. By default, all Access ports belong to VLAN 1.
vlan
Note: Ensure that you create a VLAN first before trying to add an Access port to the VLAN.
Follow these steps to configure the Trunk-port-based VLAN:
- To do: Enter system view
  Use the command: system-view
- To do: Enter Ethernet port view
  Use the command: interface interface-type interface-number
  Remarks: Use either command. Under Ethernet port view, the subsequent configurations only apply to the current port; under port group view, the subsequent configurations apply to all ports in the port group.
- To do: Configure the port link type as Trunk
  Use the command: port link-type trunk
  Remarks: Required. The link type of a port is Access by default.
- To do: Allow a specified VLAN to pass through the current Trunk port
  Remarks: Required. By default, all Trunk ports belong to VLAN 1 only.
- To do: Configure the default VLAN for the Trunk port
  Remarks: Optional. VLAN 1 is the default VLAN by default.
Note:
- To convert a Trunk port into a Hybrid port (or vice versa), you need to use the Access port as a medium. For example, the Trunk port has to be configured as an Access port first and then a Hybrid port.
- Ensure that a VLAN already exists before configuring it to pass through a certain Trunk port.
- The default VLAN ID on the Trunk ports of the local and peer devices must be the same. Otherwise, packets of the default VLAN cannot be transmitted properly from the local end to the peer end.
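The receive and send rules for Access, Trunk and Hybrid ports, and the note that both ends of a trunk link must use the same default VLAN ID, can be checked with a small model. This is an added example, not code from the vendor or the original manual; `Port`, `Frame`, `cross_link` and `misdelivered` are hypothetical names, and the handling of untagged incoming frames (placed in the default VLAN) is assumed from standard 802.1Q behaviour because the page does not state it.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


def parse_vlan_list(text: str) -> Set[int]:
    """Expand a list written as in `port trunk permit vlan 2 6 to 50 100`."""
    tokens, vlans, i = text.split(), set(), 0
    while i < len(tokens):
        start = end = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            end = int(tokens[i + 2])
            i += 2
        i += 1
        if not 1 <= start <= end <= 4094:
            raise ValueError(f"bad VLAN range: {start} to {end}")
        vlans.update(range(start, end + 1))
    return vlans


@dataclass(frozen=True)
class Frame:
    tag: Optional[int]  # None means the frame is untagged on the wire


@dataclass
class Port:
    link_type: str                                    # "access", "trunk" or "hybrid"
    pvid: int = 1                                     # default VLAN of the port
    tagged: Set[int] = field(default_factory=set)     # VLANs allowed with tag kept
    untagged: Set[int] = field(default_factory=set)   # hybrid only: sent untagged

    def allowed(self, vlan: int) -> bool:
        return vlan in self.tagged or vlan in self.untagged

    def receive(self, tag: Optional[int]) -> Optional[int]:
        """VLAN an incoming frame is placed in, or None if it is discarded."""
        if tag is None:
            return self.pvid  # assumption: standard 802.1Q default-VLAN rule
        if self.link_type == "access":
            return tag if tag == self.pvid else None
        return tag if tag == self.pvid or self.allowed(tag) else None

    def send(self, vlan: int) -> Optional[Frame]:
        """Frame put on the wire for a packet in `vlan`, or None if not sent."""
        if self.link_type == "access":
            return Frame(None) if vlan == self.pvid else None
        if self.link_type == "trunk":
            if vlan == self.pvid:
                return Frame(None)                    # default VLAN: tag stripped
            return Frame(vlan) if vlan in self.tagged else None
        if not self.allowed(vlan):                    # hybrid port
            return None
        return Frame(None if vlan in self.untagged else vlan)


def cross_link(vlan: int, local: Port, peer: Port) -> Optional[int]:
    """VLAN a packet of `vlan` ends up in on the peer, or None if it is lost."""
    frame = local.send(vlan)
    return None if frame is None else peer.receive(frame.tag)


def misdelivered(local: Port, peer: Port) -> Dict[int, Optional[int]]:
    """Map each local VLAN that does not arrive in the same VLAN on the peer."""
    result = {}
    for vlan in sorted(local.tagged | local.untagged | {local.pvid}):
        landed = cross_link(vlan, local, peer)
        if landed != vlan:
            result[vlan] = landed
    return result


if __name__ == "__main__":
    permit = parse_vlan_list("2 6 to 50 100")         # list from the example below
    device_a = Port("trunk", pvid=100, tagged=permit)
    device_b = Port("trunk", pvid=1, tagged=permit)   # constructed mismatch
    print(misdelivered(device_a, device_b))
    print(misdelivered(device_b, device_a))
```

With matching default VLANs the audit returns an empty result; with the constructed mismatch, packets of VLAN 100 sent by Device A arrive in VLAN 1 on the peer and packets of VLAN 1 sent by the peer arrive in VLAN 100.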
Follow these steps to configure the Hybrid-port-based VLAN:
- To do: Enter system view
  Use the command: system-view
- To do: Enter Ethernet port view
  Use the command: interface interface-type interface-number
  Remarks: Use either command. Under Ethernet port view, the subsequent configurations only apply to the current port; under port group view, the subsequent configurations apply to all ports in the port group.
- To do: Configure the port link type as Hybrid
  Use the command: port link-type hybrid
  Remarks: Required. The link type of a port is Access by default.
- To do: Allow a specified VLAN to pass through the current Hybrid port
  Use the command: port hybrid vlan vlan-id-list { tagged | untagged }
  Remarks: Required. By default, all Hybrid ports belong to VLAN 1.
- To do: Configure the default VLAN of the Hybrid port
  Use the command: port hybrid pvid vlan vlan-id
  Remarks: Optional. VLAN 1 is the default VLAN by default.
Note:
- To configure a Trunk port into a Hybrid port (or vice versa), you need to use the Access port as a medium. For example, the Trunk port has to be configured as an Access port first and then a Hybrid port.
- Ensure that a VLAN already exists before configuring it to pass through a certain Hybrid port.
Follow these steps to configure the IP-subnet-based VLAN:
- To do: Enter system view
  Use the command: system-view
- To do: Enter VLAN view
  Use the command: vlan vlan-id
  Remarks: Required. For a nonexistent VLAN, this command will create a VLAN and enter its view.
- To do: Configure the association between an IP subnet and the current VLAN
  Use the command: ip-subnet-vlan [ ip-subnet-index ] ip ip-address [ mask ]
  Remarks: Required. The configured IP network segment or IP address cannot be a multicast network segment or a multicast address.
- Remarks: Required. Use either command. Under Ethernet port view, the subsequent configurations only apply to the current port; under port group view, the subsequent configurations apply to all ports in the port group.
- To do: Configure port link type as Hybrid
  Use the command: port link-type hybrid
  Remarks: Required. The link type of all ports is Access by default.
- To do: Allow an IP-subnet-based VLAN to pass through the current Hybrid port
  Use the command: port hybrid vlan vlan-id-list { tagged | untagged }
  Remarks: Required. By default, all ports belong to VLAN 1.
- To do: Configure the association between the Hybrid port and the IP-subnet-based VLAN
  Use the command: port hybrid ip-subnet-vlan vlan vlan-id
  Remarks: Required. By default, no Hybrid port is associated with the IP-subnet-based VLAN.
- Display VLAN interface information
- Display the IP-subnet-based VLAN information and IP subnet indexes of specified VLANs
- Display the IP-subnet-based VLAN information and IP subnet index of specified ports
- Device A connects to Device B through the Trunk port Ethernet 1/0/1;
- The default VLAN ID of the port is 100;
- This port allows packets from VLAN 2, VLAN 6 to VLAN 50, and VLAN 100 to pass through.
# Configure Ethernet 1/0/1 as a Trunk port and configure its default VLAN ID as 100.
[Sysname-Ethernet1/0/1] port link-type trunk
[Sysname-Ethernet1/0/1] port trunk pvid vlan 100
# Configure packets from VLAN 2, VLAN 6 to VLAN 50, and VLAN 100 to pass through Ethernet 1/0.
[Sysname-Ethernet1/0/1] port trunk permit vlan 2 6 to 50 100
Please wait... Done.
Note: As the first 24 bits of a MAC address (in binary format), an OUI address is a globally unique identifier assigned to a vendor by IEEE. You can delete or add the default OUI address.
- In automatic voice VLAN mode, the system identifies the source MAC address contained in the untagged packet sent when the IP phone is powered on and matches it against the OUI addresses. If a match is found, the system will automatically add the port into the voice VLAN and apply ACL rules to ensure the packet precedence. An aging time can be configured for the voice VLAN. The system will remove a port from the voice VLAN if no voice packet is received from it after the aging time. The adding and deleting of ports are automatically realized by the system.
- In manual voice VLAN mode, administrators add the IP phone access port to the voice VLAN. It then identifies the source MAC address contained in the packet, matches it against the OUI addresses, and decides whether to forward the packet in the voice VLAN. The administrators apply ACL rules while adding or deleting a port from the voice VLAN. In this mode, the adding or deleting of ports is realized by the administrators.
Both modes forward tagged packets based on the VLAN IDs contained in the packets.
The above two modes are configured in Ethernet port view. Different voice VLAN modes can be configured on different ports, independent of one another. The following table lists the correlation between the voice VLAN mode, the voice traffic type of an IP phone, and the type of an Ethernet port.

Automatic mode
- Tagged voice traffic:
  Access: not supported
  Trunk: supported provided that the default VLAN of the access port exists and is not a voice VLAN and that the access port belongs to the voice VLAN
  Hybrid: supported provided that the default VLAN of the access port exists and is in the list of tagged VLANs whose packets can pass through the access port
- Untagged voice traffic:
  Access, Trunk, Hybrid: not supported

Manual mode
- Tagged voice traffic:
  Access: not supported
  Trunk: supported provided that the default VLAN of the access port exists and is not a voice VLAN and that the access port belongs to the default VLAN
  Hybrid: supported provided that the default VLAN of the access port exists and is from the list of tagged VLANs whose packets can pass through the access port
- Untagged voice traffic:
  Access: supported provided that the default VLAN of the access port is a voice VLAN
  Trunk: supported provided that the default VLAN of the access port is a voice VLAN and that the access port allows packets from the voice VLAN to pass through
  Hybrid: supported provided that the default VLAN of the access port is a voice VLAN and that the voice VLAN is in the list of untagged VLANs whose packets are allowed to pass through the access port
Caution:
- If the voice traffic sent by an IP phone is tagged and the access port has 802.1x authentication and guest VLAN enabled, assign different VLAN IDs for the voice VLAN, the default VLAN of the access port, and the 802.1x guest VLAN.
- If the voice traffic sent by an IP phone is untagged, to realize the voice VLAN feature, the default VLAN of the access port can only be configured as the voice VLAN. Note that at this time the 802.1x authentication function cannot be realized.
Note:
- The default VLANs for all ports are VLAN 1. Using commands, users can either configure the default VLAN of a port, or configure to allow a certain VLAN to pass through the port. For more information, refer to 1.4 Configuring the Port-Based VLAN.
- Use the display interface command in the Port Correlation Configuration module to display the default VLAN and the VLANs that are allowed to go through a certain port.
Security mode: only voice packets with source OUI MAC addresses can pass through the port (with the voice VLAN feature enabled); other non-voice packets will be discarded, including authentication packets such as 802.1x authentication packets.
Normal mode: both voice packets and non-voice packets are allowed to pass through a port (with the voice VLAN feature enabled); the former abide by the voice VLAN filtering mechanism, whereas the latter abide by the normal VLAN filtering mechanism.
It is recommended that you do not mix voice packets with other types of data in a voice VLAN. If necessary, please ensure that the security mode is disabled.
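The OUI match used by automatic mode, the aging of a port out of the voice VLAN, and the difference between security mode and normal mode can be modelled in a few lines. This is an added example, not code from the vendor or the original manual: `AutoVoicePort` and its methods are hypothetical names, the OUI entries are the ones listed later on this page, and the source MAC addresses fed to it are constructed samples.

```python
from typing import List, Optional, Tuple


def mac_to_int(mac: str) -> int:
    """Parse a MAC written as 0011-2200-0000 (':' and '.' separators also accepted)."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


# (OUI address, mask, description) as listed by `display voice vlan oui` on this page.
OUI_TABLE: List[Tuple[str, str, str]] = [
    ("0001-e300-0000", "ffff-ff00-0000", "Siemens phone"),
    ("0003-6b00-0000", "ffff-ff00-0000", "Cisco phone"),
    ("0011-2200-0000", "ffff-ff00-0000", "test"),
    ("00d0-1e00-0000", "ffff-ff00-0000", "Pingtel phone"),
    ("00e0-7500-0000", "ffff-ff00-0000", "Polycom phone"),
    ("00e0-bb00-0000", "ffff-ff00-0000", "3com phone"),
]


def match_oui(src_mac: str, table=OUI_TABLE) -> Optional[str]:
    """Return the description of the first OUI entry the source MAC falls under."""
    src = mac_to_int(src_mac)
    for oui, mask, description in table:
        m = mac_to_int(mask)
        if src & m == mac_to_int(oui) & m:
            return description
    return None


class AutoVoicePort:
    """A port in automatic voice VLAN mode (simplified model)."""

    def __init__(self, aging_minutes: int, security_mode: bool, table=OUI_TABLE):
        self.aging = aging_minutes
        self.security_mode = security_mode
        self.table = table
        self.in_voice_vlan = False
        self.last_voice = 0

    def expire(self, now: int) -> None:
        """Remove the port from the voice VLAN once the aging time has passed."""
        if self.in_voice_vlan and now - self.last_voice >= self.aging:
            self.in_voice_vlan = False

    def handle(self, src_mac: str, now: int) -> str:
        """Classify one packet by source MAC: 'voice', 'normal' or 'discard'."""
        self.expire(now)
        if match_oui(src_mac, self.table) is not None:
            self.in_voice_vlan = True       # port joins (or stays in) the voice VLAN
            self.last_voice = now
            return "voice"
        # Non-OUI source: dropped in security mode, normal VLAN filtering otherwise.
        return "discard" if self.security_mode else "normal"


if __name__ == "__main__":
    port = AutoVoicePort(aging_minutes=100, security_mode=True)
    # Constructed traffic: (minute, source MAC); the second sender is not a phone.
    for minute, mac in [(0, "0011-22ab-cdef"), (5, "00e0-fc12-3456")]:
        print(minute, mac, port.handle(mac, minute))
    port.expire(200)
    print("still in voice VLAN:", port.in_voice_vlan)
```

The second sender is dropped only because its source MAC matches no OUI entry, which is why a port in security mode also loses the 802.1x authentication packets of an attached PC.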
- Create the corresponding VLAN before configuring the voice VLAN;
- As a default VLAN, VLAN 1 does not need to be created. However, it cannot be enabled with the voice VLAN feature.
security
- To do: Configure the OUI address for the voice VLAN
  Use the command: voice vlan mac-address oui mask oui-mask [ description text ]
- To do: Enable the global voice VLAN feature
  Use the command: voice vlan vlan-id enable
- Use the command: interface { interface-type interface-number | interface-name }
- To do: Set the voice VLAN mode on the port to automatic
  Use the command: voice vlan mode auto
- To do: Enable the voice VLAN feature on the port
Note: For a port whose voice VLAN mode is set to automatic, you cannot configure the default VLAN of the port as the voice VLAN. Otherwise, the system will prompt error information.
- To do: Configure the OUI address of voice VLAN
  Use the command: voice vlan mac-address oui mask oui-mask [ description text ]
- To do: Enable the global voice VLAN feature
  Use the command: voice vlan vlan-id enable
- To do: Enter Ethernet port view
  Use the command: interface { interface-type interface-number | interface-name }
- To do: Set the voice VLAN mode on the port to manual
  Use the command: undo voice vlan mode auto
- To do: Return to system view
  Use the command: quit
- To do: Add a manual mode port to the voice VLAN
  Access port: Refer to 1.4.2 Configuring the Access-Port-Based VLAN
  Trunk port: Refer to 1.4.3 Configuring the Trunk-Port-Based VLAN
  Hybrid port: Refer to 1.4.4 Configuring the Hybrid-Port-Based VLAN
  Remarks: One of the three options is required. If you add an Access port to the voice VLAN, the voice VLAN automatically becomes the default VLAN of the port.
- To do: Configure the voice VLAN as the default VLAN of a port
  Trunk port: Refer to 1.4.3 Configuring the Trunk-Port-Based VLAN
  Hybrid port
  Remarks: Optional. When the incoming voice stream is untagged, this configuration is required; when the incoming voice stream is tagged, this configuration is prohibited.
- Remarks: Required. Disabled by default.
Note: When configuring voice VLAN (under automatic mode and manual mode), note that:
- Only one static VLAN of a device can have the voice VLAN feature enabled at a time.
- A dynamic VLAN cannot be configured as a voice VLAN.
- A port that has the Link Aggregation Control Protocol (LACP for short) enabled cannot have the voice VLAN feature enabled at the same time.
- It is not recommended to configure both voice VLAN and Q-in-Q (including basic Q-in-Q and selective Q-in-Q) on a device. Otherwise, the voice VLAN cannot work properly.
- Create VLAN 2 and configure it as a voice VLAN with an aging time of 100 minutes.
- Configure Ethernet 1/0/1 as a Trunk port. Its default VLAN is VLAN 6.
- The device allows voice packets from Ethernet 1/0/1 with an OUI address of 0011-2200-0000, a mask of ffff-ff00-0000, and a descriptive string of test to be forwarded through the voice VLAN.

Figure 2-1 Network diagram for automatic voice VLAN mode configuration (Ethernet1/0/1, VLAN 2, WAN)
# Configure the OUI address 0011-2200-0000 as the legal address of the voice VLAN.
[Sysname] voice vlan mac-address 0011-2200-0000 mask ffff-ff00-0000 description test
# Set the voice VLAN mode on Ethernet 1/0/1 to automatic. (Optional, by default, the voice VLAN mode on a port is automatic.)
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] voice vlan mode auto
# Configure the default VLAN of the port to be VLAN 6 and allow packets from VLAN 6 to pass through the port.
[Sysname-Ethernet1/0/1] port trunk permit vlan 6
[Sysname-Ethernet1/0/1] port trunk pvid vlan 6
- Create VLAN 2 and configure it as a voice VLAN.
- IP phone type is untagged with the Hybrid port Ethernet 1/0/1 being the access port.
- Ethernet 1/0/1 works in manual mode. It only allows voice packets with an OUI address of 0011-2200-0000, a mask of ffff-ff00-0000, and a descriptive string of test to be forwarded.

Figure 2-2 Network diagram for manual voice VLAN mode configuration (Ethernet1/0/1, VLAN 2, WAN)
# Configure the OUI address 0011-2200-0000 as the legal voice VLAN address.
[Sysname] voice vlan mac-address 0011-2200-0000 mask ffff-ff00-0000 description test
# Configure VLAN 2 as the default VLAN of the port and allow packets from VLAN 2 to pass through the port.
[Sysname-Ethernet1/0/1] port hybrid pvid vlan 2
[Sysname-Ethernet1/0/1] port hybrid vlan 2 untagged
IV. Verification
# Display information about the OUI addresses, OUI address masks, and descriptive strings.
[Sysname-Ethernet1/0/1] return
<Sysname> display voice vlan oui
Oui Address     Mask            Description
0001-e300-0000  ffff-ff00-0000  Siemens phone
0003-6b00-0000  ffff-ff00-0000  Cisco phone
0011-2200-0000  ffff-ff00-0000  test
00d0-1e00-0000  ffff-ff00-0000  Pingtel phone
00e0-7500-0000  ffff-ff00-0000  Polycom phone
00e0-bb00-0000  ffff-ff00-0000  3com phone

-------------------------------
Ethernet1/0/1 MANUAL
GARP participants, which can be end stations or bridges, exchange attributes primarily by sending the following three types of messages:
- Join to announce the willingness to register attributes with other participants.
- Leave to announce the willingness to deregister with other participants. Together with Join messages, Leave messages guarantee attribute reregistration and deregistration.
- LeaveAll to deregister all attributes. A LeaveAll message is sent upon expiration of a LeaveAll timer which starts upon the startup of a GARP application entity.
Through message exchange, all attribute information that needs registration propagates to all GARP participants throughout a bridged LAN.

2) GARP timers

GARP sets the interval for sending GARP messages by using these four timers:
- Hold timer: When a GARP application entity receives the first registration request, it starts a hold timer and collects succeeding requests. When the timer expires, the entity sends all these requests in one Join message. This helps save bandwidth.
- Join timer: Each GARP application entity sends a Join message twice for reliability's sake and uses a join timer to set the sending interval.
- Leave timer: Starts upon receipt of a Leave message. When this timer expires, the GARP application entity removes attribute information as requested.
- Leaveall timer: Starts when a GARP application entity starts. When this timer expires, the entity sends a LeaveAll message so that other entities can re-register its attribute information. Then, a leaveall timer starts again.
Note:
- The settings of GARP timers apply to all GARP applications, such as GVRP, running on a LAN.
- Unlike the other three timers, which are set on a port basis, the leaveall timer is set in system view and takes effect globally.
- A GARP application entity may send LeaveAll messages at the interval set by its LeaveAll timer or the leaveall timer of another GARP application entity on the network, whichever is smaller.
The following table describes the GARP message fields.

Table 3-1 Description on the GARP message fields
- Protocol ID: Protocol identifier for GARP. Value: 1
- Message: One or multiple messages, each containing an attribute type and an attribute list
- Attribute Type: Defined by the concerned GARP application. Value: 0x01 for GVRP, indicating the VLAN ID attribute
- Attribute List: Consists of one or multiple attributes
- Attribute: Consists of an Attribute Length, an Attribute Event, and an Attribute Value. If the Attribute Event is LeaveAll, Attribute Value is omitted
- Attribute Length: Number of octets occupied by an attribute, inclusive of the attribute length field
- Attribute Event
- Attribute Value. Value: VLAN ID for GVRP
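A bounds-checked parser for the message layout in Table 3-1, as an added example that is not part of the original manual or vendor code. The field widths, the 0x00 end marks and the numeric Attribute Event codes are taken from the IEEE 802.1D GARP PDU format and are not listed on this page; `parse_gvrp` is a hypothetical name and `SAMPLE_PDU` is a constructed byte string.

```python
import struct
from typing import List, Optional, Tuple

GARP_PROTOCOL_ID = 0x0001   # "Protocol ID" field, value 1 (two octets assumed)
GVRP_ATTR_TYPE = 0x01       # Attribute Type for GVRP: the VLAN ID attribute
END_MARK = 0x00             # assumption from IEEE 802.1D: ends a list and the PDU
# Attribute Event codes, assumption from IEEE 802.1D (not shown on this page).
EVENTS = {0: "LeaveAll", 1: "JoinEmpty", 2: "JoinIn",
          3: "LeaveEmpty", 4: "LeaveIn", 5: "Empty"}

# Constructed sample: JoinIn VLAN 2, JoinEmpty VLAN 3, LeaveAll, end marks.
SAMPLE_PDU = bytes.fromhex("0001" "01" "04020002" "04010003" "0200" "00" "00")


def parse_gvrp(pdu: bytes) -> List[Tuple[str, Optional[int]]]:
    """Return (event, vlan) pairs; vlan is None for LeaveAll. Raises ValueError."""
    if len(pdu) < 2 or struct.unpack_from("!H", pdu)[0] != GARP_PROTOCOL_ID:
        raise ValueError("not a GARP PDU")
    pos, out = 2, []
    while True:                                   # one iteration per Message
        if pos >= len(pdu):
            raise ValueError("PDU end mark missing")
        attr_type = pdu[pos]
        pos += 1
        if attr_type == END_MARK:
            return out
        if attr_type != GVRP_ATTR_TYPE:
            raise ValueError(f"unexpected attribute type 0x{attr_type:02x}")
        while True:                               # one iteration per Attribute
            if pos >= len(pdu):
                raise ValueError("attribute list end mark missing")
            length = pdu[pos]
            if length == END_MARK:
                pos += 1
                break
            # Attribute Length counts itself, so the minimum is length + event.
            if length < 2 or pos + length > len(pdu):
                raise ValueError("attribute length out of bounds")
            event = EVENTS.get(pdu[pos + 1])
            value = pdu[pos + 2:pos + length]
            if event is None:
                raise ValueError(f"unknown attribute event {pdu[pos + 1]}")
            if event == "LeaveAll":
                if value:
                    raise ValueError("LeaveAll must not carry an attribute value")
                out.append((event, None))
            else:
                if len(value) != 2:
                    raise ValueError("VLAN ID attribute value must be two octets")
                vlan = struct.unpack("!H", value)[0]
                if not 1 <= vlan <= 4094:
                    raise ValueError(f"VLAN ID {vlan} out of range")
                out.append((event, vlan))
            pos += length


if __name__ == "__main__":
    print(parse_gvrp(SAMPLE_PDU))
```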
- Normal: Enables a port to dynamically register and deregister VLANs, and to propagate both dynamic and static VLAN information.
- Fixed: Prevents the port from dynamically registering VLANs or propagating dynamic VLAN information, but allows the port to propagate static VLAN information. A trunk port with fixed registration type thus allows only manually configured VLANs to pass through even though it is configured to carry all VLANs.
- Forbidden: Prevents the port from dynamically registering VLANs and from propagating VLAN information except for VLAN 1. A trunk port with forbidden registration type thus allows only VLAN 1 to pass through even though it is configured to carry all VLANs.
- Use the command: port-group { manual port-group-name | aggregation agg-id }
  Remarks: Depending on the view you accessed, the subsequent configuration takes effect on a port or all ports in a port-group.
- To do: Enable GVRP on the port
  Use the command: gvrp
  Remarks: Required. Disabled by default.
- To do: Configure the GVRP registration mode on the port
  Use the command: gvrp registration { fixed | forbidden | normal }
  Remarks: Optional. The default is normal.
Note: The BPDU tunneling function is incompatible with the GVRP function. Before enabling GVRP on a BPDU tunneling-enabled Ethernet port, disable BPDU tunneling.
- Remarks: Depending on the view you accessed, the subsequent configuration takes effect on a port or all ports in a port-group.
- Remarks: Optional. The default is 10 centiseconds for the hold timer, 20 centiseconds for the join timer, and 60 centiseconds for the leave timer.
When configuring GARP timers, note that their values are dependent on one another and must be a multiple of five centiseconds. If the value range for a timer is not desired, you may change it by tuning the value of another related timer as shown in the following table:

Table 3-2 Dependencies of GARP timers
- Hold: lower limit 10 centiseconds; upper limit not greater than half of the join timer setting
- Join: lower limit not less than two times the hold timer setting; upper limit less than half of the leave timer setting
- Leave: lower limit greater than two times the join timer setting; upper limit less than the leaveall timer setting
- LeaveAll
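The dependencies in Table 3-2 can be turned into a pre-change check that reports which limits a planned timer set violates and what range each timer currently has. This is an added example, not part of the original manual or vendor code; `validate` and `allowed_range` are hypothetical names, and the leaveall value of 1000 centiseconds used in the demonstration is a constructed sample because the page does not give its default.

```python
from typing import List, Tuple

STEP = 5  # every timer must be a multiple of five centiseconds


def validate(hold: int, join: int, leave: int, leaveall: int) -> List[str]:
    """Return the Table 3-2 rules a timer set breaks (empty list means valid)."""
    problems = []
    for name, value in (("hold", hold), ("join", join),
                        ("leave", leave), ("leaveall", leaveall)):
        if value <= 0 or value % STEP:
            problems.append(f"{name}: {value} is not a positive multiple of {STEP}")
    if hold < 10:
        problems.append("hold: below the lower limit of 10 centiseconds")
    if 2 * hold > join:
        problems.append("hold/join: hold must not be greater than half of join")
    if 2 * join >= leave:
        problems.append("join/leave: join must be less than half of leave")
    if leave >= leaveall:
        problems.append("leave/leaveall: leave must be less than leaveall")
    return problems


def allowed_range(timer: str, hold: int, join: int, leave: int,
                  leaveall: int) -> Tuple[int, int]:
    """Lowest and highest value one timer may take while the others stay fixed."""
    if timer == "hold":
        return 10, (join // 2) // STEP * STEP
    if timer == "join":
        return 2 * hold, ((leave - 1) // 2) // STEP * STEP
    if timer == "leave":
        return (2 * join) // STEP * STEP + STEP, (leaveall - 1) // STEP * STEP
    raise ValueError(f"no range rule on this page for timer {timer!r}")


if __name__ == "__main__":
    defaults = dict(hold=10, join=20, leave=60, leaveall=1000)  # leaveall: sample
    print(validate(**defaults))
    for name in ("hold", "join", "leave"):
        print(name, allowed_range(name, **defaults))
    # Raising hold to 15 forces join to 30, which in turn needs leave above 60.
    print(validate(hold=15, join=30, leave=60, leaveall=1000))
    print(validate(hold=15, join=30, leave=65, leaveall=1000))
```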
Network diagram: Switch A (Ethernet 1/0/1) connected to Switch B (Ethernet 1/0/2)
Configure Switch A
# Create VLAN 2.
[Sysname-Ethernet1/0/1] quit
[Sysname] vlan 2
[Sysname-vlan2]
Configure Switch B
# Create VLAN 3.
[Sysname-Ethernet1/0/2] quit
[Sysname] vlan 3
[Sysname-vlan3]
3.4.2 Example 2
I. Network requirements
Enable GVRP on devices and configure the port registration mode as fixed to realize dynamic registration and update of some VLAN information between devices.
Network diagram: Switch A (Ethernet 1/0/1) connected to Switch B (Ethernet 1/0/2)

2) Configure Switch B
3.4.3 Example 3
I. Network requirements
Enable GVRP on devices and configure the port registration mode as forbidden to forbid dynamic registration and update of VLAN information between devices.
Network diagram: Switch A (Ethernet 1/0/1) connected to Switch B (Ethernet 1/0/2)

2) Configure Switch B