08 VLAN Principles and Configuration

HCIA

Uploaded by

dembi86

VLAN Principles and Configuration

Page 2 Copyright © 2020 Huawei Technologies Co., Ltd. All rights reserved.
Foreword
• Ethernet technology implements data communication over shared media based on carrier sense multiple access with collision detection (CSMA/CD). If there are a large number of PCs on the Ethernet, security risks and broadcast storms may occur, deteriorating network performance and even causing network breakdowns.
• The virtual local area network (VLAN) technology is therefore introduced to solve the preceding problem.
• This course describes basic VLAN principles, working principles of different Layer 2 interfaces, VLAN applications, data forwarding principles, and basic VLAN configuration methods.

Objectives
• On completion of this course, you will be able to:
▫ Understand the background of the VLAN technology.
▫ Identify the VLAN to which data belongs.
▫ Master different VLAN assignment modes.
▫ Describe how data communication is implemented through VLANs.
▫ Master basic VLAN configuration methods.

Contents
1. What Is VLAN
2. VLAN Principles
3. VLAN Applications
4. VLAN Configuration Examples

Issues Facing a Traditional Ethernet
• On a typical switching network, broadcast frames or unknown unicast frames sent by a PC are flooded in the entire broadcast domain.
• The larger the broadcast domain is, the more serious network security and junk traffic problems are.
[Figure: a Layer 2 broadcast domain containing PC1, PC2, and switches SW1 to SW7. Labels: unicast frame, valid traffic, junk traffic.]
(Note: This example assumes that the MAC address entry of PC2 exists in the MAC address tables of SW1, SW3, and SW7 rather than SW2 and SW5.)

VLAN

• The VLAN technology isolates broadcast domains.
• Characteristics:
▫ Geographically independent.
▫ Only devices in the same VLAN can directly communicate at Layer 2.
[Figure: VLAN (multiple broadcast domains) with PC1, PC2, and switches SW1 to SW7. Label: broadcast frame.]

VLAN Identification | VLAN Assignment | VLAN Frame Processing

VLAN Implementation
[Figure: Switch1 and Switch2, each with interfaces 1 to 5, joined by a link that carries a frame. PC1 (VLAN 10), PC2 (VLAN 20), PC3 (VLAN 20) and PC4 (VLAN 10) are attached.]

• Switch1 and Switch2 belong to the network of the same enterprise. VLANs are planned for the network, with VLAN 10 for department A and VLAN 20 for department B. Employees in departments A and B are connected to both Switch1 and Switch2.
• Assume that a frame sent from PC1 reaches Switch2 through the link between Switch1 and Switch2. If no processing is implemented, Switch2 can neither identify the VLAN to which the frame belongs nor determine the local VLAN to which the frame should be sent.

VLAN Tag
• How does a switch identify the VLAN to which a received frame belongs?
IEEE 802.1Q defines a 4-byte VLAN tag for Ethernet frames, enabling switches to identify the VLANs to which received frames belong.
[Figure: a switch serving VLAN 20 and VLAN 10 receives a frame carrying VLAN tag 20 and asks "Which VLAN does the received frame belong to?"]

VLAN Frame
Original Ethernet frame (untagged frame):
Destination MAC address | Source MAC address | Length/Type | Data | FCS

802.1Q tag inserted between the two fields:
TPID (0x8100), 16 bits | PRI, 3 bits | CFI, 1 bit | VLAN ID, 12 bits

• Tag protocol identifier (TPID): identifies the type of a frame. The value 0x8100 indicates an IEEE 802.1Q frame.
• PRI: identifies the priority of a frame, which is mainly used for QoS.
• Canonical format indicator (CFI): indicates whether a MAC address is in the canonical format. For Ethernet frames, the value of this field is 0.
• VLAN ID: identifies the VLAN to which a frame belongs.

802.1Q frame (tagged frame):
Destination MAC address | Source MAC address | Tag | Length/Type | Data | FCS
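
The tag layout above, worked through in Python as an added example (not part of the original slides): it decodes TPID, PRI, CFI and VLAN ID from a frame and inserts or removes the 4-byte tag. The sample frame is constructed, omits the FCS, and reuses a PC MAC address that appears later in this deck; the function names are this example's own.

```python
import struct

TPID_8021Q = 0x8100   # TPID value that marks an IEEE 802.1Q frame
MAC_HEADER = 12       # destination MAC (6 bytes) + source MAC (6 bytes)


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header and, if present, the 802.1Q tag fields."""
    if len(frame) < MAC_HEADER + 2:
        raise ValueError("frame is shorter than an Ethernet header")
    info = {"dst": frame[0:6].hex("-"), "src": frame[6:12].hex("-")}
    (first,) = struct.unpack("!H", frame[12:14])
    if first != TPID_8021Q:
        # No tag: the two bytes after the source MAC are Length/Type.
        info.update(tagged=False, length_type=first, data=frame[14:])
        return info
    if len(frame) < MAC_HEADER + 6:
        raise ValueError("frame ends inside the 802.1Q tag")
    tci, length_type = struct.unpack("!HH", frame[14:18])
    info.update(
        tagged=True,
        pri=tci >> 13,            # 3 bits: priority
        cfi=(tci >> 12) & 0x1,    # 1 bit: 0 for Ethernet
        vid=tci & 0x0FFF,         # 12 bits: VLAN ID
        length_type=length_type,
        data=frame[18:],
    )
    return info


def add_tag(frame: bytes, vid: int, pri: int = 0) -> bytes:
    """Insert an 802.1Q tag between the source MAC and Length/Type."""
    if parse_frame(frame)["tagged"]:
        raise ValueError("frame already carries an 802.1Q tag")
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be in the range 1 to 4094")
    if not 0 <= pri <= 7:
        raise ValueError("PRI is a 3-bit field (0 to 7)")
    tci = (pri << 13) | vid       # CFI bit left at 0
    return frame[:MAC_HEADER] + struct.pack("!HH", TPID_8021Q, tci) + frame[MAC_HEADER:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the 4-byte tag; an untagged frame is returned unchanged."""
    if not parse_frame(frame)["tagged"]:
        return frame
    return frame[:MAC_HEADER] + frame[MAC_HEADER + 4:]


# Constructed sample: broadcast destination, source 001e-10dd-dd01,
# Length/Type 0x0806, 28 zero bytes of data, no FCS.
UNTAGGED = bytes.fromhex("ffffffffffff" "001e10dddd01" "0806") + bytes(28)
TAGGED_20 = add_tag(UNTAGGED, vid=20, pri=5)

if __name__ == "__main__":
    for name, frame in (("untagged", UNTAGGED), ("tagged", TAGGED_20)):
        fields = parse_frame(frame)
        fields.pop("data")
        print(name, fields)
```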

VLAN Implementation
[Figure: Switch1 and Switch2, each with interfaces 1 to 5, exchange tagged frames over the link between them. Original frame 1 and original frame 2 travel between PC1 (VLAN 10), PC2 (VLAN 20), PC3 (VLAN 20) and PC4 (VLAN 10).]

• The link between Switch1 and Switch2 carries data of multiple VLANs. In this situation, a VLAN-based data tagging method is required to distinguish the frames of different VLANs.
• IEEE 802.1Q, often referred to as Dot1q, defines a system of VLAN tagging for Ethernet frames by inserting an 802.1Q tag into the frame header to carry VLAN information.

VLAN Assignment Methods


• How are VLANs assigned on a network?

VLAN Assignment Method          VLAN 10                        VLAN 20
Interface-based assignment      GE 0/0/1 and GE 0/0/3          GE 0/0/2 and GE 0/0/4
MAC address-based assignment    MAC 1 and MAC 3                MAC 2 and MAC 4
IP subnet-based assignment      10.0.1.*                       10.0.2.*
Protocol-based assignment       IP                             IPv6
Policy-based assignment         10.0.1.* + GE 0/0/1 + MAC 1    10.0.2.* + GE 0/0/2 + MAC 2

[Figure: SW1 with interfaces GE 0/0/1 to GE 0/0/4 connecting PC1 (10.0.1.1, MAC 1), PC2 (10.0.2.1, MAC 2), PC3 (10.0.1.2, MAC 3) and PC4 (10.0.2.2, MAC 4).]

Interface-based VLAN Assignment


• Principles
▫ VLANs are assigned based on interfaces.
▫ A network administrator preconfigures a PVID for each switch interface and assigns each interface to a VLAN corresponding to the PVID.
▫ After an interface receives an untagged frame, the switch adds a tag carrying the PVID of the interface to the frame. The frame is then transmitted in the specified VLAN.
• Port Default VLAN ID: PVID
▫ Default VLAN ID for an interface
▫ Value range: 1–4094

The VLAN needs to be reconfigured if PCs move.

[Figure: SW1 and SW2 are joined by interfaces with PVID 1; a frame tagged 10 crosses the link. PC-facing interfaces have PVID 10, PVID 10, PVID 20 and PVID 20 and connect PC1 to PC4 in VLAN 10 and VLAN 20.]

MAC Address-based VLAN Assignment


• Principles
▫ VLANs are assigned based on the source MAC addresses of frames.
▫ A network administrator preconfigures the mapping between MAC addresses and VLAN IDs.
▫ After receiving an untagged frame, a switch adds the VLAN tag mapping the source MAC address of the frame to the frame. The frame is then transmitted in the specified VLAN.
• Mapping table
▫ Records the mapping between MAC addresses and VLAN IDs.

The VLAN does not need to be reconfigured even if PCs move.

Mapping Between MAC Addresses and VLAN IDs on SW1
MAC Address    VLAN ID
MAC 1          10
MAC 2          10
...            ...

[Figure: SW1 (GE 0/0/1, GE 0/0/2) and SW2, with a frame tagged 10 between them. PC1 (MAC 1) and PC2 (MAC 2) are in VLAN 10; PC3 (MAC 3) and PC4 (MAC 4) are in VLAN 20.]

Layer 2 Ethernet Interface Types


Interface Types
• Access interface
An access interface is used to connect a switch to a terminal, such as a PC
or server. In general, the NICs on such a terminal receive and send only
untagged frames. An access interface can be added to only one VLAN.

• Trunk interface
A trunk interface allows frames that belong to multiple VLANs to pass
through and differentiates the frames using the 802.1Q tag. This type of
interface is used to connect a switch to another switch or a sub-interface
on a device, such as a router or firewall.

• Hybrid interface
Similar to a trunk interface, a hybrid interface also allows frames that belong to multiple VLANs to pass through and differentiates the frames using the 802.1Q tag. You can determine whether to allow a hybrid interface to carry VLAN tags when sending the frames of one or more VLANs.

[Figure: switches with access interfaces facing terminals in VLAN10 and VLAN20 and trunk interfaces between switches. Legend: access interface, trunk interface.]

Access Interface
[Figure: four panels showing GE 0/0/1 configured as Access (VLAN 10), two for frame receiving and two for frame sending, with frames tagged 10 or 20 inside the switch. Legend: untagged frame, tagged frame.]

Frame receiving
• After receiving an untagged frame: The interface permits the frame and adds a VLAN tag carrying the PVID of the interface.
• After receiving a tagged frame: If the VLAN ID of the frame is the same as the PVID of the interface, the interface permits the frame. If the VLAN ID of the frame is different from the PVID of the interface, the interface discards the frame.

Frame sending
• If the VLAN ID of the frame is the same as the PVID of the interface: The interface removes the VLAN tag from the frame and then sends the frame.
• If the VLAN ID of the frame is different from the PVID of the interface: The interface discards the frame.

Trunk interface
[Figure: four panels showing GE 0/0/1 as a trunk interface. Receiving: permitted VLAN ID 10 with Trunk (PVID = 10), and permitted VLAN ID 10 with Trunk (PVID = 1). Sending: permitted VLAN ID 10 with Trunk (PVID = 10), and permitted VLAN ID 20 with Trunk (PVID = 10). Legend: untagged frame, tagged frame.]

Frame receiving
• After receiving an untagged frame: The interface adds a VLAN tag with the VID being the PVID of the interface to the frame and permits the frame only when the VID is in the list of VLAN IDs permitted by the interface. If the VID is not in the list, the interface discards the frame.
• After receiving a tagged frame: If the VLAN ID of the frame is in the list of VLAN IDs permitted by the interface, the interface permits the frame. Otherwise, the interface discards the frame.

Frame sending
• If the VLAN ID of the frame is the same as the PVID of the interface: If the VLAN ID of the frame is in the list of VLAN IDs permitted by the interface, the interface removes the tag from the frame and sends the frame out. Otherwise, the interface discards the frame.
• If the VLAN ID of the frame is different from the PVID of the interface: If the VLAN ID of the frame is in the list of VLAN IDs permitted by the interface, the interface sends the frame out without removing the tag of the frame. Otherwise, the interface discards the frame.

Example for Frame Processing on Access and Trunk Interfaces
• Describe how inter-PC access is implemented in this example.

[Figure: SW1 and SW2 are joined by trunk interfaces (PVID 1) carrying frames tagged 10 and 20. On each switch, access interfaces with PVID 10 and PVID 20 connect the PCs: PC1 (VLAN 10), PC2 (VLAN 20), PC3 (VLAN 10), PC4 (VLAN 20). Legend: trunk interface, access interface.]

Trunk Interfaces on SW1 and SW2
List of permitted VLAN IDs: 1, 10, 20

Hybrid Interface
[Figure: four panels showing GE 0/0/1 as a hybrid interface. Receiving: permitted VLAN ID 10 with Hybrid (PVID = 10), and permitted VLAN ID 10 with Hybrid (PVID = 1). Sending: permitted VLAN ID 10 with Hybrid (PVID = 10), and permitted VLAN ID 20 with Hybrid (PVID = 10). Legend: untagged frame, tagged frame.]

Frame receiving
• After receiving an untagged frame: The interface adds a VLAN tag with the VID being the PVID of the interface to the frame and permits the frame only when the VID is in the list of VLAN IDs permitted by the interface. If the VID is not in the list, the interface discards the frame.
• After receiving a tagged frame: If the VLAN ID of the frame is in the list of VLAN IDs permitted by the interface, the interface permits the frame. Otherwise, the interface discards the frame.

Frame sending
• If the VLAN ID of the frame is in the list of VLAN IDs permitted by the interface: If the interface has been configured not to carry VLAN tags when sending frames, it removes the tag from the frame and then sends the frame out.
• If the VLAN ID of the frame is in the list of VLAN IDs permitted by the interface: If the interface has been configured to carry VLAN tags when sending frames, it sends the frame out without removing the tag of the frame.

Example for Frame Processing on Hybrid Interfaces


• Describe how PCs access the server in this example.

[Figure: SW1 and SW2 are connected through Interface 3 on each switch (PVID 1); frames tagged 10 and 20 are shown on the link. On SW1, Interface 1 (PVID 10) connects PC1 (VLAN 10) and Interface 2 (PVID 20) connects PC2 (VLAN 20). On SW2, Interface 1 (PVID 100) connects the server (VLAN 100). All of these are hybrid interfaces.]

List of VLAN IDs Permitted by Interfaces on SW1
Interface      Mode        VLAN ID
Interface 1    Untagged    1, 10, 100
Interface 2    Untagged    1, 20, 100
Interface 3    Tagged      10, 20, 100

List of VLAN IDs Permitted by Interfaces on SW2
Interface      Mode        VLAN ID
Interface 1    Untagged    1, 10, 20, 100
Interface 3    Tagged      10, 20, 100

Summary
Access Interface
Frame receiving
▫ Untagged frame: adds a tag with the VID being the PVID of the interface and permits the frame.
▫ Tagged frame: checks whether the VID in the tag of the frame is the same as the PVID of the interface. If they are the same, permits the frame; otherwise, discards the frame.
Frame sending
▫ Checks whether the VID in the tag of the frame is the same as the PVID of the interface. If they are the same, removes the tag and sends the frame out; otherwise, discards the frame.

Trunk Interface
Frame receiving
▫ Untagged frame: adds a tag with the VID being the PVID of the interface and checks whether the VID is in the list of permitted VLAN IDs. If yes, permits the frame. If not, discards it.
▫ Tagged frame: checks whether the VID is in the list of permitted VLAN IDs. If yes, permits the frame. If not, discards it.
Frame sending
▫ If the VID is in the list of permitted VLAN IDs and the same as the PVID of the interface, removes the tag and sends the frame out.
▫ If the VID is in the list of permitted VLAN IDs but different from the PVID of the interface, sends the frame out without removing the tag.
▫ If the VID is not in the list of permitted VLAN IDs, discards the frame.

Hybrid Interface
Frame receiving
▫ Untagged frame: adds a tag with the VID being the PVID of the interface and checks whether the VID is in the list of permitted VLAN IDs. If yes, permits the frame. If not, discards it.
▫ Tagged frame: checks whether the VID is in the list of permitted VLAN IDs. If yes, permits the frame. If not, discards it.
Frame sending
▫ If the VID is not in the list of permitted VLAN IDs, discards the frame.
▫ If the VID is in the untagged VLAN ID list, removes the tag and sends the frame out.
▫ If the VID is in the tagged VLAN ID list, sends the frame out without removing the tag.
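
The receive and send rules summarized above, modelled in Python as an added example (not part of the original slides) and applied to the hybrid-interface scenario with PC1, PC2 and the server. The Port class and deliver function are this example's own names; the VLAN lists come from the SW1 and SW2 tables and configuration in this deck, and the model covers only tag handling, not MAC learning or flooding.

```python
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    link_type: str                                  # "access", "trunk" or "hybrid"
    pvid: int = 1
    permitted: set = field(default_factory=set)     # trunk: list of permitted VLAN IDs
    untagged: set = field(default_factory=set)      # hybrid: untagged VLAN ID list
    tagged: set = field(default_factory=set)        # hybrid: tagged VLAN ID list

    def allowed(self) -> set:
        if self.link_type == "access":
            return {self.pvid}
        if self.link_type == "trunk":
            return set(self.permitted)
        return self.untagged | self.tagged

    def receive(self, wire_vid):
        """wire_vid is None for an untagged frame. Returns the VID used
        inside the switch, or None if the frame is discarded."""
        vid = self.pvid if wire_vid is None else wire_vid
        return vid if vid in self.allowed() else None

    def send(self, vid):
        """Returns ("untagged", None), ("tagged", vid), or None if discarded."""
        if vid not in self.allowed():
            return None
        if self.link_type == "access":
            strip = True
        elif self.link_type == "trunk":
            strip = vid == self.pvid
        else:
            strip = vid in self.untagged
        return ("untagged", None) if strip else ("tagged", vid)


def deliver(hops, wire_vid=None):
    """Walk a frame through (ingress_port, egress_port) pairs, one pair per
    switch. Returns the frame's final tag state, or None if it was dropped."""
    result = None
    for ingress, egress in hops:
        internal = ingress.receive(wire_vid)
        if internal is None:
            return None
        result = egress.send(internal)
        if result is None:
            return None
        wire_vid = result[1]
    return result


# Hybrid interfaces from the PC1 / PC2 / server example in this deck.
sw1_if1 = Port("SW1 Interface 1", "hybrid", pvid=10, untagged={1, 10, 100})
sw1_if2 = Port("SW1 Interface 2", "hybrid", pvid=20, untagged={1, 20, 100})
sw1_if3 = Port("SW1 Interface 3", "hybrid", pvid=1, untagged={1}, tagged={10, 20, 100})
sw2_if1 = Port("SW2 Interface 1", "hybrid", pvid=100, untagged={1, 10, 20, 100})
sw2_if3 = Port("SW2 Interface 3", "hybrid", pvid=1, untagged={1}, tagged={10, 20, 100})

if __name__ == "__main__":
    print("PC1 -> server:", deliver([(sw1_if1, sw1_if3), (sw2_if3, sw2_if1)]))
    print("server -> PC1:", deliver([(sw2_if1, sw2_if3), (sw1_if3, sw1_if1)]))
    print("PC1 -> PC2:   ", deliver([(sw1_if1, sw1_if2)]))
```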

VLAN Planning
• VLAN assignment rules
▫ By service: voice, video, and data VLANs
▫ By department: e.g. VLANs for engineering, marketing, and financing departments
▫ By application: e.g. VLANs for servers, offices, and classrooms
• Tips for VLAN assignment
▫ VLAN IDs can be randomly assigned within the supported range. To improve VLAN ID continuity, you can associate VLAN IDs with subnets during VLAN assignment.
• Example for VLAN planning
▫ Assume that there are three buildings: administrative building with offices, classrooms, and financing sections, teaching building with offices and classrooms, and office building with offices and financing sections. Each building has one access switch, and the core switch is deployed in the administrative building.
▫ The following table describes the VLAN plan.

VLAN ID    IP Address Segment    Description
1          X.16.10.0/24          VLAN to which office users belong
2          X.16.20.0/24          VLAN to which the users of the financing department belong
3          X.16.30.0/24          VLAN to which classroom users belong
100        Y.16.100.0/24         VLAN to which the device management function belongs

Interface-based VLAN Assignment
• Applicable scenario:
▫ There are multiple enterprises in a building. These enterprises share network resources to reduce costs. Networks of the enterprises connect to different interfaces of the same Layer 2 switch and access the Internet through the same egress device.
• VLAN assignment:
▫ To isolate the services of different enterprises and ensure service security, assign interfaces connected to the enterprises' networks to different VLANs. In this way, each enterprise has an independent network, and each VLAN works as a virtual work group.

[Figure: Enterprise 1 (VLAN 2), Enterprise 2 (VLAN 3) and Enterprise 3 (VLAN 4) connect to one L2 switch, which connects through an L3 switch to the Internet.]

MAC Address-based VLAN Assignment
• Applicable scenario:
▫ The network administrator of an enterprise assigns PCs in the same department to the same VLAN. To improve information security, the enterprise requires that only employees in the specified department be allowed to access specific network resources.
• VLAN assignment:
▫ To meet the preceding requirement, configure MAC address-based VLAN assignment on SW1, preventing new PCs connected to the network from accessing the network resources.

[Figure: SW1 connects to the enterprise network through GE 0/0/1. PC1 (001e-10dd-dd01), PC2 (001e-10dd-dd02), PC3 (001e-10dd-dd03) and PC4 (001e-10dd-dd04) connect to SW1. VLAN 10 is labelled beneath the PCs.]

Interface-based VLAN Assignment | MAC Address-based VLAN Assignment

Basic VLAN Configuration Commands


1. Create one or more VLANs.

[Huawei] vlan vlan-id

This command creates a VLAN and displays the VLAN view. If the VLAN to be created already exists, this command directly
displays the VLAN view.
• The value of vlan-id is an integer ranging from 1 to 4094.

[Huawei] vlan batch { vlan-id1 [ to vlan-id2 ] }

This command creates VLANs in a batch. In this command:


• batch: creates VLANs in a batch.
• vlan-id1: specifies a start VLAN ID.
• vlan-id2: specifies an end VLAN ID.

Basic Access Interface Configuration Commands


1. Set the link type of an interface.

[Huawei-GigabitEthernet0/0/1] port link-type access

In the interface view, set the link type of the interface to access.

2. Configure a default VLAN for the access interface.

[Huawei-GigabitEthernet0/0/1] port default vlan vlan-id

In the interface view, configure a default VLAN for the interface and add the interface to the VLAN.
• vlan-id: specifies an ID for the default VLAN. The value is an integer ranging from 1 to 4094.

Basic Trunk Interface Configuration Commands


1. Set the link type of an interface.

[Huawei-GigabitEthernet0/0/1] port link-type trunk

In the interface view, set the link type of the interface to trunk.

2. Add the trunk interface to specified VLANs.

[Huawei-GigabitEthernet0/0/1] port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] } | all }

In the interface view, add the trunk interface to specified VLANs.

3. (Optional) Configure a default VLAN for the trunk interface.

[Huawei-GigabitEthernet0/0/1] port trunk pvid vlan vlan-id

In the interface view, configure a default VLAN for the trunk interface.

Basic Hybrid Interface Configuration Commands


1. Set the link type of an interface.

[Huawei-GigabitEthernet0/0/1] port link-type hybrid

In the interface view, set the link type of the interface to hybrid.

2. Add the hybrid interface to specified VLANs.

[Huawei-GigabitEthernet0/0/1] port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } | all }

In the interface view, add the hybrid interface to specified VLANs in untagged mode.

[Huawei-GigabitEthernet0/0/1] port hybrid tagged vlan { { vlan-id1 [ to vlan-id2 ] } | all }

In the interface view, add the hybrid interface to specified VLANs in tagged mode.

3. (Optional) Configure a default VLAN for the hybrid interface.

[Huawei-GigabitEthernet0/0/1] port hybrid pvid vlan vlan-id

In the interface view, configure a default VLAN for the hybrid interface.

Case 1: Configuring Interface-based VLAN Assignment
• Networking requirements:
▫ On the network shown in the left figure, the switches (SW1 and SW2) of an enterprise are connected to multiple PCs, and PCs with the same services access the network using different devices. To ensure communication security, the enterprise requires that only PCs with the same service can directly communicate.
▫ To meet this requirement, configure interface-based VLAN assignment on the switches and add interfaces connected to PCs with the same service to the same VLAN. In this way, PCs in different VLANs cannot directly communicate at Layer 2, but PCs in the same VLAN can directly communicate.

[Figure: SW1 and SW2 are connected through their GE 0/0/3 trunk interfaces (PVID 1). On each switch, access interfaces GE 0/0/1 (PVID 10) and GE 0/0/2 (PVID 20) connect the PCs: PC1 (VLAN 10), PC2 (VLAN 20), PC3 (VLAN 10), PC4 (VLAN 20). Legend: access interface, trunk interface.]

Creating VLANs

Create VLANs.

[SW1] vlan 10
[SW1-vlan10] quit
[SW1] vlan 20
[SW1-vlan20] quit

[SW2] vlan batch 10 20

Configuring Access and Trunk Interfaces


Configure access interfaces and add the interfaces to corresponding VLANs.

[SW1] interface GigabitEthernet 0/0/1
[SW1-GigabitEthernet0/0/1] port link-type access
[SW1-GigabitEthernet0/0/1] port default vlan 10
[SW1-GigabitEthernet0/0/1] quit
[SW1] interface GigabitEthernet 0/0/2
[SW1-GigabitEthernet0/0/2] port link-type access
[SW1-GigabitEthernet0/0/2] quit
[SW1] vlan 20
[SW1-vlan20] port GigabitEthernet0/0/2
[SW1-vlan20] quit

Configure a trunk interface and specify a list of VLAN IDs permitted by the interface.

[SW1] interface GigabitEthernet 0/0/3
[SW1-GigabitEthernet0/0/3] port link-type trunk
[SW1-GigabitEthernet0/0/3] port trunk pvid vlan 1
[SW1-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 20

Note: The configuration on SW2 is similar to that on SW1.

Verifying the Configuration

[SW1]display vlan
The total number of vlans is : 3
-------------------------------------------------------------------------------
U: Up; D: Down; TG: Tagged; UT: Untagged;
MP: Vlan-mapping; ST: Vlan-stacking;
#: ProtocolTransparent-vlan; *: Management-vlan;
-------------------------------------------------------------------------------
VID  Type    Ports
-------------------------------------------------------------------------------
1    common  UT:GE0/0/3(U) ……
10   common  UT:GE0/0/1(U)
             TG:GE0/0/3(U)
20   common  UT:GE0/0/2(U)
             TG:GE0/0/3(U)
……

Case 2: Configuring Interface-based VLAN Assignment
• Networking requirements:
▫ On the network shown in the left figure, the switches (SW1 and SW2) of an enterprise are connected to multiple PCs, and PCs in different departments need to access the server of the enterprise. To ensure communication security, the enterprise requires that PCs in different departments cannot directly communicate.
▫ To meet this requirement, configure interface-based VLAN assignment and hybrid interfaces on the switches to enable PCs in different departments to access the server but disable them from directly communicating at Layer 2.

[Figure: SW1 and SW2 are connected through their GE 0/0/3 interfaces (PVID 1). On SW1, GE 0/0/1 (PVID 10) connects PC1 (VLAN 10) and GE 0/0/2 (PVID 20) connects PC2 (VLAN 20). On SW2, GE 0/0/1 (PVID 100) connects the server (VLAN 100). Legend: hybrid interface.]

Configuring Hybrid Interfaces (1)

SW1 configuration:

[SW1] vlan batch 10 20 100
[SW1] interface GigabitEthernet 0/0/1
[SW1-GigabitEthernet0/0/1] port link-type hybrid
[SW1-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[SW1-GigabitEthernet0/0/1] port hybrid untagged vlan 10 100
[SW1-GigabitEthernet0/0/1] interface GigabitEthernet 0/0/2
[SW1-GigabitEthernet0/0/2] port link-type hybrid
[SW1-GigabitEthernet0/0/2] port hybrid pvid vlan 20
[SW1-GigabitEthernet0/0/2] port hybrid untagged vlan 20 100
[SW1-GigabitEthernet0/0/2] interface GigabitEthernet 0/0/3
[SW1-GigabitEthernet0/0/3] port link-type hybrid
[SW1-GigabitEthernet0/0/3] port hybrid tagged vlan 10 20 100

Configuring Hybrid Interfaces (2)

SW2 configuration:

[SW2] vlan batch 10 20 100
[SW2] interface GigabitEthernet 0/0/1
[SW2-GigabitEthernet0/0/1] port link-type hybrid
[SW2-GigabitEthernet0/0/1] port hybrid pvid vlan 100
[SW2-GigabitEthernet0/0/1] port hybrid untagged vlan 10 20 100
[SW2-GigabitEthernet0/0/1] interface GigabitEthernet 0/0/3
[SW2-GigabitEthernet0/0/3] port link-type hybrid
[SW2-GigabitEthernet0/0/3] port hybrid tagged vlan 10 20 100

Verifying the Configuration

[SW1]display vlan
The total number of vlans is : 4
-----------------------------------------------------------------------------------------
U: Up; D: Down; TG: Tagged; UT: Untagged;
MP: Vlan-mapping; ST: Vlan-stacking;
#: ProtocolTransparent-vlan; *: Management-vlan;
-----------------------------------------------------------------------------------------
VID  Type    Ports
-----------------------------------------------------------------------------------------
1    common  UT:GE0/0/1(U) GE0/0/2(U) GE0/0/3(U) ……
10   common  UT:GE0/0/1(U)
             TG:GE0/0/3(U)
20   common  UT:GE0/0/2(U)
             TG:GE0/0/3(U)
100  common  UT:GE0/0/1(U) GE0/0/2(U)
             TG:GE0/0/3(U)
……

Basic VLAN Configuration Commands


1. Associate a MAC address with a VLAN.

[Huawei-vlan10] mac-vlan mac-address mac-address [ mac-address-mask | mac-address-mask-length ]

This command associates a MAC address with a VLAN.


• mac-address: specifies the MAC address to be associated with a VLAN. The value is a hexadecimal number in the format of H-H-H. Each H contains one to four digits, such as 00e0 or fc01. If an H contains fewer than four digits, the left-most digits are padded with zeros. For example, e0 is displayed as 00e0. The MAC address cannot be 0000-0000-0000, FFFF-FFFF-FFFF, or any multicast address.
• mac-address-mask: specifies the mask of a MAC address. The value is a hexadecimal number in the format of H-H-H. Each H contains one to four digits.
• mac-address-mask-length: specifies the mask length of a MAC address. The value is an integer ranging from 1 to 48.

2. Enable MAC address-based VLAN assignment on an interface.

[Huawei-GigabitEthernet0/0/1] mac-vlan enable

This command enables MAC address-based VLAN assignment on an interface.
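
The parameter rules above, worked through in Python as an added example (not part of the original slides): it normalizes H-H-H addresses, rejects the excluded addresses, converts a mask length to a mask, and resolves a source MAC to a VLAN. The MacVlanTable class, its first-match lookup order and the VLAN 20 masked entry are assumptions of this example; the three VLAN 10 addresses are the PC addresses used in this deck.

```python
import re

ALL_ONES = 0xFFFFFFFFFFFF
_GROUP = re.compile(r"^[0-9a-fA-F]{1,4}$")


def parse_h_h_h(text: str) -> int:
    """Parse H-H-H notation; each H is 1 to 4 hex digits, left-padded with zeros."""
    groups = text.split("-")
    if len(groups) != 3 or not all(_GROUP.match(g) for g in groups):
        raise ValueError(f"not in H-H-H format: {text!r}")
    return int("".join(g.zfill(4) for g in groups), 16)


def format_h_h_h(value: int) -> str:
    digits = f"{value:012x}"
    return "-".join(digits[i:i + 4] for i in (0, 4, 8))


def check_assignable(mac: int) -> None:
    """Reject the addresses the command does not accept."""
    if mac == 0 or mac == ALL_ONES:
        raise ValueError("all-zeros and all-ones addresses are not allowed")
    if (mac >> 40) & 0x01:          # group bit of the first octet
        raise ValueError("multicast addresses are not allowed")


def mask_from_length(length: int) -> int:
    if not 1 <= length <= 48:
        raise ValueError("mask length must be in the range 1 to 48")
    return (ALL_ONES << (48 - length)) & ALL_ONES


class MacVlanTable:
    """MAC-to-VLAN mapping table; lookup returns the first matching entry
    (an assumption of this example, the slides do not state an order)."""

    def __init__(self):
        self.entries = []           # (mac, mask, vlan)

    def add(self, vlan: int, mac: str, mask: str = None, mask_length: int = None):
        if not 1 <= vlan <= 4094:
            raise ValueError("VLAN ID must be in the range 1 to 4094")
        value = parse_h_h_h(mac)
        check_assignable(value)
        if mask is not None:
            mask_value = parse_h_h_h(mask)
        elif mask_length is not None:
            mask_value = mask_from_length(mask_length)
        else:
            mask_value = ALL_ONES   # exact match, shown as ffff-ffff-ffff
        self.entries.append((value & mask_value, mask_value, vlan))

    def lookup(self, source_mac: str):
        src = parse_h_h_h(source_mac)
        for mac, mask, vlan in self.entries:
            if src & mask == mac:
                return vlan
        return None                 # no entry: MAC-based assignment does not apply


table = MacVlanTable()
for pc_mac in ("001e-10dd-dd01", "001e-10dd-dd02", "001e-10dd-dd03"):
    table.add(10, pc_mac)
# Constructed entry: a 40-bit mask admits all 256 addresses 001e-10dd-ee00 to -eeff.
table.add(20, "001e-10dd-ee00", mask_length=40)

if __name__ == "__main__":
    for mac in ("001e-10dd-dd01", "001e-10dd-dd04", "1e-10dd-ee7f"):
        print(format_h_h_h(parse_h_h_h(mac)), "->", table.lookup(mac))
```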


Example for Configuring MAC Address-based VLAN Assignment
• Networking requirements:
▫ The network administrator of an enterprise assigns PCs in the same department to the same VLAN. To improve information security, the enterprise requires that only employees in the department be allowed to access the network resources of the enterprise.
▫ PCs 1 through 3 belong to the same department. According to the enterprise's requirement, only the three PCs can access the enterprise network through SW1.
▫ To meet this requirement, configure MAC address-based VLAN assignment and associate the MAC addresses of the three PCs with the specified VLAN.

[Figure: SW1 connects to the enterprise network through GE 0/0/1; its other labelled interfaces are GE 0/0/2, GE 0/0/3 and GE 0/0/4. PC1 (001e-10dd-dd01), PC2 (001e-10dd-dd02), PC3 (001e-10dd-dd03) and PC4 (001e-10dd-dd04) connect to SW1. VLAN 10 is labelled beneath the PCs.]

Creating a VLAN and Associating MAC Addresses with the VLAN

Create a VLAN.

[SW1] vlan 10
[SW1-vlan10] quit

Associate MAC addresses with the VLAN.

[SW1] vlan 10
[SW1-vlan10] mac-vlan mac-address 001e-10dd-dd01
[SW1-vlan10] mac-vlan mac-address 001e-10dd-dd02
[SW1-vlan10] mac-vlan mac-address 001e-10dd-dd03
[SW1-vlan10] quit

[Figure: SW1 connects to the enterprise network through GE0/0/1; PC1 (001e-10dd-dd01), PC2 (001e-10dd-dd02) and PC3 (001e-10dd-dd03) are in VLAN 10.]

Adding Interfaces to the VLAN and Enabling MAC Address-based VLAN Assignment

Add interfaces to the VLAN.

[SW1] interface gigabitethernet 0/0/1
[SW1-GigabitEthernet0/0/1] port link-type hybrid
[SW1-GigabitEthernet0/0/1] port hybrid tagged vlan 10
[SW1-GigabitEthernet0/0/1] quit
[SW1] interface gigabitethernet 0/0/2
[SW1-GigabitEthernet0/0/2] port link-type hybrid
[SW1-GigabitEthernet0/0/2] port hybrid untagged vlan 10
[SW1-GigabitEthernet0/0/2] quit

Enable MAC address-based VLAN assignment on the specified interface.

[SW1] interface gigabitethernet 0/0/2
[SW1-GigabitEthernet0/0/2] mac-vlan enable
[SW1-GigabitEthernet0/0/2] quit

Note: The configuration of GE 0/0/3 and GE 0/0/4 is similar to that of GE 0/0/2.

Verifying the Configuration

[SW1]display vlan
The total number of vlans is : 2
-----------------------------------------------------------------------------------------------
U: Up; D: Down; TG: Tagged; UT: Untagged;
MP: Vlan-mapping; ST: Vlan-stacking;
#: ProtocolTransparent-vlan; *: Management-vlan;
-----------------------------------------------------------------------------------------------
VID  Type    Ports
-----------------------------------------------------------------------------------------------
1    common  UT:GE0/0/1(U) GE0/0/2(U) GE0/0/3(U) ……
10   common  UT:GE0/0/2(U) GE0/0/3(U) GE0/0/4(U)
             TG:GE0/0/1(U)
……

[SW1]display mac-vlan mac-address all
----------------------------------------------------------------------
MAC Address      MASK             VLAN  Priority
----------------------------------------------------------------------
001e-10dd-dd01   ffff-ffff-ffff   10    0
001e-10dd-dd02   ffff-ffff-ffff   10    0
001e-10dd-dd03   ffff-ffff-ffff   10    0

Total MAC VLAN address count: 3

Quiz
1. (Multiple) Which of the following statements about the VLAN technology are incorrect? ( )
A. The VLAN technology can isolate a large collision domain into several small collision domains.

B. The VLAN technology can isolate a large Layer 2 broadcast domain into several small Layer 2 broadcast
domains.

C. PCs in different VLANs cannot communicate.

D. PCs in the same VLAN can communicate at Layer 2.

2. If the PVID of a trunk interface is 5 and the port trunk allow-pass vlan 2 3 command is run on the
interface, which VLANs' frames can be transmitted through the trunk interface?

Summary
• This course describes the VLAN technology, including the functions, identification, assignment, data exchange, planning, application, and basic configuration of VLANs.
• The VLAN technology can divide a physical LAN into multiple broadcast domains so that network devices in the same VLAN can directly communicate at Layer 2, while devices in different VLANs cannot.
