
Configuring VLANs

This document provides the following information about configuring and monitoring 802.1Q VLANs on Enterasys N-Series, S-Series, K-Series, and X-Series modular switches, A-Series, B-Series, C-Series stackable fixed switches, and D-Series, G-Series, and I-Series standalone fixed switches.


For information about...                    Refer to page...
What Is a VLAN?                             1
Why Would I Use VLANs in My Network?        1
How Do I Implement VLANs?                   3
Understanding How VLANs Operate             3
VLAN Support on Enterasys Switches          6
Configuring VLANs                           9
Terms and Definitions                       18

Note: This document describes the configuration and operation of VLANs as defined by the IEEE 802.1Q standard and assumes that all devices being configured support that standard. No other types of VLANs will be covered.

What Is a VLAN?
A VLAN is a Virtual Local Area Network, a grouping of network devices that is logically segmented by functions, project teams, or applications without regard to the physical location of users. For example, several end stations might be grouped as a department, such as Engineering or Finance, having the same attributes as a LAN, even though they are not all on the same physical LAN segment.

To accomplish this logical grouping, the network administrator uses 802.1Q VLAN-capable switching devices and assigns each switch port in a particular group to a VLAN. Ports in a VLAN share broadcast traffic and belong to the same broadcast domain. Broadcast traffic in one VLAN is not transmitted outside that VLAN.

Why Would I Use VLANs in My Network?


Virtual LANs allow you to partition network traffic into logical groups and control the flow of that traffic through the network. Once the traffic and, in effect, the users creating the traffic, are assigned to a VLAN, then broadcast and multicast traffic is contained within the VLAN and users can be allowed or denied access to any of the network's resources. Also, you have the option of configuring some or all of the ports on a device to allow frames received with a particular VLAN ID and protocol to be transmitted on a limited number of ports. This keeps the traffic associated with a particular VLAN and protocol isolated from the other parts of the network.
March 15, 2011 Page 1 of 20


The primary benefit of 802.1Q VLAN technology is that it allows you to localize and segregate traffic, improving your administrative efficiency, and enhancing your network security and performance.

Figure 1 shows a simple example of using port-based VLANs to achieve these benefits. In this example, two buildings house the Sales and Finance departments of a single company, and each building has its own internal network. The end stations in each building connect to a switch on the bottom floor. The two switches are connected to one another with a high-speed link.

Figure 1 VLAN Business Scenario

[Figure 1 not reproduced: Building One and Building Two each contain a SmartSwitch, connected to each other by a trunk; the end stations are labelled Member of Sales Network (S) or Member of Finance Network (F).]

Without any VLANs configured, the entire network in the example in Figure 1 would be a broadcast domain, and the switches would follow the IEEE 802.1D bridging specification to send data between stations. A broadcast or multicast transmission from a Sales workstation in Building One would propagate to all the switch ports on Switch A, cross the high-speed link to Switch B, and then be propagated out all switch ports on Switch B. The switches treat each port as being equivalent to any other port, and have no understanding of the departmental memberships of each workstation.

Once Sales and Finance are placed on two separate VLANs, each switch understands that certain individual ports or frames are members of separate workgroups. In this environment, a broadcast or multicast data transmission from one of the Sales stations in Building One would reach Switch A, be sent to the ports connected to other local members of the Sales VLAN, cross the high-speed link to Switch B, and then be sent to any other ports and workstations on Switch B that are members of the Sales VLAN. Separate VLANs also provide unicast separation between Sales and Finance. Finance cannot ping Sales unless there is a routed VLAN configured for both Finance and Sales.

Another benefit to VLAN use in the preceding example would be your ability to leverage existing investments in time and equipment during company reorganization. If, for instance, the Finance users change location but remain in the same VLAN connected to the same switch port, their network addresses do not change, and switch and router configuration is left intact.


How Do I Implement VLANs?


By default, all Enterasys switches run in 802.1Q VLAN operational mode. All ports on all Enterasys switches are assigned to a default VLAN (VLAN ID 1), which is enabled to operate and assigns all ports an egress status of untagged. This means that all ports will be allowed to transmit frames from the switch without a VLAN tag in their header. Also, there are no forbidden ports (prevented from transmitting frames) configured.

You can use the CLI commands described in this document to create additional VLANs, to customize VLANs to support your organizational requirements, and to monitor VLAN configuration.

Preparing for VLAN Configuration


A little forethought and planning is essential to a successful VLAN implementation. Before attempting to configure a single device for VLAN operation, consider the following:
• What is the purpose of my VLAN design? (For example: security or traffic broadcast containment.)
• How many VLANs will be required?
• What stations (end users, servers, etc.) will belong to them?
• What ports on the switch are connected to those stations?
• What ports will be configured as GARP VLAN Registration Protocol (GVRP) aware ports?

Determining how you want information to flow and how your network resources can be best used to accomplish this will help you customize the tasks described in this document to suit your needs and infrastructure.

Once your planning is complete, you would proceed through the steps described in Configuring VLANs on page 9.

Understanding How VLANs Operate


802.1Q VLAN operation differs slightly from how a switched networking system operates. These differences are due to the importance of keeping track of each frame and its VLAN association as it passes from switch to switch, or from port to port within a switch.

VLAN-enabled switches act on how frames are classified into a particular VLAN. Sometimes, VLAN classification is based on tags in the headers of data frames. These VLAN tags are added to data frames by the switch as the frames are transmitted out certain ports, and are later used to make forwarding decisions by the switch and other VLAN-aware switches. In the absence of a VLAN tag header, the classification of a frame into a particular VLAN depends upon the configuration of the switch port that received the frame.

The following basic concepts of VLAN operation will be discussed in this section:
• Learning Modes and Filtering Databases (page 4)
• VLAN Assignment and Forwarding (page 4)
• Example of a VLAN Switch in Operation (page 5)


Learning Modes and Filtering Databases


Addressing information the switch learns about a VLAN is stored in the filtering database assigned to that VLAN. This database contains source addresses, their source ports, and VLAN IDs, and is referred to when a switch makes a decision as to where to forward a VLAN-tagged frame. Each filtering database is assigned a Filtering Database ID (FID).

A switch learns and uses VLAN addressing information by the following modes:
• Independent Virtual Local Area Network (VLAN) Learning (IVL): Each VLAN uses its own filtering database. Transparent source address learning performed as a result of incoming VLAN traffic is not made available to any other VLAN for forwarding purposes. This setting is useful for handling devices (such as servers) with NICs that share a common MAC address. One FID is assigned per VLAN. This is the default mode on Enterasys switches.
• Shared Virtual Local Area Network (VLAN) Learning (SVL): Two or more VLANs are grouped to share common source address information. This setting is useful for configuring more complex VLAN traffic patterns, without forcing the switch to flood the unicast traffic in each direction. This allows VLANs to share addressing information. It enables ports or switches in different VLANs to communicate with each other (when their individual ports are configured to allow this to occur). One FID is used by two or more VLANs.

VLAN Assignment and Forwarding


Receiving Frames from VLAN Ports
By default, Enterasys switches run in 802.1Q operational mode, which means that every frame received by the switch must belong to, or be assigned to, a VLAN. The type of frame under consideration and the filter setting of the switch determine how it forwards VLAN frames. This involves processing traffic as it enters (ingresses) and exits (egresses) the VLAN switch ports as described below.

Untagged Frames
When, for example, the switch receives a frame from Port 1 and determines the frame does not currently have a VLAN tag, but recognizes that Port 1 is a member of VLAN A, it will classify the frame to VLAN A. In this fashion, all untagged frames entering a VLAN switch assume membership in a VLAN.

Note: A VLAN ID is always assigned to a port. By default, it is the default VLAN (VLAN ID = 1).

The switch will now decide what to do with the frame, as described in Forwarding Decisions on page 5.

Tagged Frames
When, for example, the switch receives a tagged frame from Port 4 and determines the frame is tagged for VLAN C, it will classify it to that VLAN regardless of its port VLAN ID (PVID). This frame may have already been through a VLAN-aware switch, or originated from a station capable of specifying a VLAN membership. If a switch receives a frame containing a tag, the switch will classify the frame in regard to its tag rather than the PVID for its port, following the ingress precedence rules listed below.


Ingress Precedence
VLAN assignment for received (ingress) frames is determined by the following precedence:
1. 802.1Q VLAN tag (tagged frames only).
2. Policy or Traffic Classification (which may overwrite the 802.1Q VLAN tag). For more information, refer to Configuring Protocol-Based VLAN Classification on page 16.
3. Port VLAN ID (PVID).

Forwarding Decisions
VLAN forwarding decisions for transmitting frames are determined by whether or not the traffic being classified is in the VLAN's forwarding database, as follows:
• Unlearned traffic: When a frame's destination MAC address is not in the VLAN's forwarding database (FDB), it will be forwarded out of every port on the VLAN's egress list with the frame format that is specified. Refer to Broadcasts, Multicasts, and Unlearned Unicasts below for an example.
• Learned traffic: When a frame's destination MAC address is in the VLAN's forwarding database, it will be forwarded out of the learned port with the frame format that is specified. Refer to Learned Unicasts below for an example.

Broadcasts, Multicasts, and Unlearned Unicasts


If a frame with a broadcast, multicast, or other unknown address is received by an 802.1Q VLAN-aware switch, the switch checks the VLAN classification of the frame. The switch then forwards the frame out all ports that are identified in the Forwarding List for that VLAN. For example, if Port 3, shown in the example in Figure 2, received the frame, the frame would then be sent to all ports that had VLAN C in their Port VLAN List.

Learned Unicasts
When a VLAN switch receives a frame with a known MAC address as its destination address, the action taken by the switch to determine how the frame is transmitted depends on the VLAN, the VLAN-associated FID, and if the port identified to send the frame is enabled to do so.

When a frame is received, it is classified into a VLAN. The destination address is looked up in the FID associated with the VLAN. If a match is found, it is forwarded out the port identified in the lookup if, and only if, that port is allowed to transmit frames for that VLAN. If a match is not found, then the frame is flooded out all ports that are allowed to transmit frames belonging to that VLAN.

Example of a VLAN Switch in Operation


The operation of an 802.1Q VLAN switch is best understood from the point of view of the switch itself. To illustrate this concept, the examples that follow view the switch operations from inside the switch.

Figure 2 depicts the inside of a switch with six ports, numbered 1 through 6. The switch has been configured to associate VLAN A and B with FID 2, VLAN C and D with FID 3, and VLAN E with FID 4. It shows how a forwarding decision is made by comparing a frame's destination MAC to the FID to which it is classified.


Figure 2 Inside the Switch

[Figure 2 not reproduced: a switch with Port 1 through Port 6; VLAN A and VLAN B use FID 2, VLAN C and VLAN D use FID 3, VLAN E uses FID 4, and the Default VLAN uses FID 1.]

Assume a unicast untagged frame is received on Port 3 in the example in Figure 2. The frame is classified for VLAN C (the frame's PVID is VLAN C). The switch would make its forwarding decision by comparing the destination MAC address to information previously learned and entered into its filtering database. In this case, the MAC address is looked up in the FDB for FID 3, which is associated with VLANs C and D. Let's say the switch recognizes the destination MAC of the frame as being located out Port 4.

Having made the forwarding decision based on entries in the FID, the switch now examines the port VLAN egress list of Port 4 to determine if it is allowed to transmit frames belonging to VLAN C. If so, the frame is transmitted out Port 4. If Port 4 has not been configured to transmit frames belonging to VLAN C, the frame is discarded.

If, on the other hand, a unicast untagged frame is received on Port 5, it would be classified for VLAN E. Port 5 has its own filtering database and is not aware of what addressing information has been learned by other VLANs. Port 5 looks up the destination MAC address in its FID. If it finds a match, it forwards the frame out the appropriate port, if and only if, that port is allowed to transmit frames for VLAN E. If a match is not found, the frame is flooded out all ports that are allowed to transmit VLAN E frames.
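The ingress classification, FID lookup and egress-list check described in this section, worked through in code. This is an added example, not Enterasys code: it models one 802.1Q bridge with the Figure 2 VLAN-to-FID layout (VIDs 10/20/30/40/50 stand in for VLANs A through E), and the PVIDs and egress lists of the six ports are assumptions made for the example.

```python
import struct

TPID_8021Q = 0x8100
TAGGED, UNTAGGED, FORBIDDEN = "tagged", "untagged", "forbidden"


def make_frame(dst, src, vid, payload):
    """Build a minimal Ethernet/IPv4 frame; vid=None gives an untagged frame."""
    tag = struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) if vid is not None else b""
    return dst + src + tag + struct.pack("!H", 0x0800) + payload


def parse_frame(raw):
    """Return (dst, src, vid, rest). vid is None for an untagged frame and for
    VID 0, which carries priority only and is classified like an untagged frame."""
    dst, src = raw[:6], raw[6:12]
    if struct.unpack("!H", raw[12:14])[0] == TPID_8021Q:
        vid = struct.unpack("!H", raw[14:16])[0] & 0x0FFF
        return dst, src, (vid or None), raw[16:]
    return dst, src, None, raw[12:]


class VlanSwitch:
    """One 802.1Q bridge: VLAN->FID map, per-port PVID, per-VLAN egress list."""

    def __init__(self, vlan_fid, pvid, egress):
        self.vlan_fid = vlan_fid   # VLAN -> FID; several VLANs on one FID is SVL
        self.pvid = pvid           # port -> PVID used for untagged ingress
        self.egress = egress       # VLAN -> {port: tagged|untagged|forbidden}
        self.fdb = {}              # FID -> {source MAC: port}

    def classify(self, in_port, vid):
        # Ingress precedence without a policy engine: 802.1Q tag, then PVID.
        return vid if vid is not None else self.pvid[in_port]

    def allowed_egress(self, vlan):
        # A forbidden port never transmits the VLAN, statically or dynamically.
        return {p: m for p, m in self.egress.get(vlan, {}).items() if m != FORBIDDEN}

    def receive(self, in_port, raw):
        """Forward one received frame; returns {out_port: frame bytes}."""
        dst, src, vid, rest = parse_frame(raw)
        vlan = self.classify(in_port, vid)
        table = self.fdb.setdefault(self.vlan_fid[vlan], {})
        table[src] = in_port                        # learn into the VLAN's FID
        allowed = self.allowed_egress(vlan)
        unicast = not (dst[0] & 1)
        if unicast and dst in table:                # learned unicast
            targets = {table[dst]} if table[dst] in allowed else set()
        else:                                       # broadcast/multicast/unlearned
            targets = set(allowed)
        targets.discard(in_port)
        out = {}
        for port in targets:
            if allowed[port] == TAGGED:
                out[port] = dst + src + struct.pack("!HH", TPID_8021Q, vlan) + rest
            else:
                out[port] = dst + src + rest
        return out


def figure2_switch():
    """Figure 2 layout: VLANs 10/20 (A/B) share FID 2, 30/40 (C/D) share FID 3,
    50 (E) has FID 4. PVIDs and egress lists are assumed for the example."""
    vlan_fid = {10: 2, 20: 2, 30: 3, 40: 3, 50: 4}
    pvid = {1: 10, 2: 20, 3: 30, 4: 40, 5: 50, 6: 10}
    egress = {
        10: {1: UNTAGGED, 6: UNTAGGED},
        20: {2: UNTAGGED, 6: TAGGED},
        30: {3: UNTAGGED, 4: TAGGED},
        40: {4: UNTAGGED, 3: TAGGED, 5: FORBIDDEN},
        50: {5: UNTAGGED},
    }
    return VlanSwitch(vlan_fid, pvid, egress)


def demo():
    """Walk through the cases in the text; returns (case1, case2, case3)."""
    sw = figure2_switch()
    h3 = bytes.fromhex("020000000003")   # station on port 3 (constructed MAC)
    h4 = bytes.fromhex("020000000004")   # station on port 4 (constructed MAC)
    # The station on port 4 sends first, so FID 3 learns h4 -> port 4.
    sw.receive(4, make_frame(h3, h4, None, b"x"))
    # Untagged frame on port 3 -> VLAN 30 -> FID 3 already knows h4 is behind
    # port 4, and port 4 egresses VLAN 30 tagged, so it leaves tagged VID 30.
    case1 = sw.receive(3, make_frame(h4, h3, None, b"y"))
    # Untagged frame on port 5 -> VLAN 50 -> FID 4 has never seen h4: flood,
    # but port 5 is the only VLAN 50 egress port, so nothing is sent.
    case2 = sw.receive(5, make_frame(h4, h3, None, b"z"))
    # A frame tagged VID 40 on port 3 ignores the PVID; the learned unicast to
    # h4 goes out port 4 untagged, because port 4 is untagged on VLAN 40.
    case3 = sw.receive(3, make_frame(h4, h3, 40, b"w"))
    return case1, case2, case3
```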

VLAN Support on Enterasys Switches


Depending on the product family, Enterasys switches support a maximum of up to 4094 active VLANs. There is a distinction, however, between the maximum number of active VLANs some switches support and the range of VLAN ID (VID) values. For example, while the stackable and standalone switch products support 1024 active VLANs, they do support VIDs from anywhere in the full 802.1Q-specified range. These differences are listed below.

Maximum Active VLANs


The total number of active VLANs supported on Enterasys switch product families is:
• Up to 4094 on N-Series, S-Series, K-Series, and X-Series
• Up to 1024 on stackable (A-Series, B-Series, C-Series) and standalone (D-Series, G-Series, I-Series) switch devices

Configurable Range
The allowable user-configurable range for VLAN IDs (VIDs) is:
• From 2 through 4094 on N-Series, S-Series, K-Series, and X-Series switches


• From 2 through 4093 for stackable and standalone switches

This range is based on the following rules:
• VID 0 is the null VLAN ID, indicating that the tag header in the frame contains priority information rather than a VLAN identifier. It cannot be configured as a port VLAN ID (PVID).
• VID 1 is designated the default PVID value for classifying frames on ingress through a switched port. This default can be changed on a per-port basis.
• VID 4095 is reserved by IEEE for implementation use.
• VID 4094 is reserved on stackable and standalone switches.


Notes: Each VLAN ID in a network must be unique. If you enter a duplicate VLAN ID, the Enterasys switch assumes you intend to modify the existing VLAN.

VLAN Types
Enterasys switches support traffic classification for the following VLAN types:

Static and Dynamic VLANs


All VLANs on an Enterasys switch are categorized as being either static or dynamic. Static VLANs are those that are explicitly created on the switch itself, persistently remaining as part of the configuration, regardless of actual usage. Dynamic VLANs, on the other hand, are not necessarily persistent. Their presence relies on the implementation of GVRP and its effect on egress membership as described in GARP VLAN Registration Protocol (GVRP) Support on page 8.

Port-Based VLANs
Port-based VLANs are configured by associating switch ports to VLANs in two ways: first, by manipulating the port VLAN ID (PVID); and second, by adding the port itself to the egress list of the VLAN corresponding to the PVID. Any traffic received by a port is associated to the VLAN identified by the port's PVID. By virtue of this association, this traffic may egress the switch only on those ports listed on the VLAN's egress list. For example, given a VLAN named Marketing, with an ID value of 6, by changing the PVID values of ports 1 through 3 to 6, and adding those ports to the egress list of the VLAN, we effectively restrict the broadcast domain of Marketing to those three ports. If a broadcast frame is received on port 1, it will be transmitted out ports 2 and 3 only. In this sense, VLAN membership is determined by the location of traffic ingress, and from the perspective of the access layer, where users are most commonly located, egress is generally untagged.

Policy-Based VLANs
Rather than making VLAN membership decisions simply based on port configuration, each incoming frame can be examined by the classification engine, which uses a match-based logic to assign the frame to a desired VLAN. For example, you could set up a policy which designates all email traffic between the management officers of a company to a specific VLAN so that this traffic is restricted to certain portions of the network. With respect to network usage, the administrative advantages of policy classification would be application provisioning, acceptable use policy, and distribution layer policy. All of these provisions may involve simultaneous utilization of inter-switch links by multiple VLANs, requiring particular attention to tagged, forbidden, and untagged egress settings.


As described above, PVID determines the VLAN to which all untagged frames received on associated ports will be classified. Policy classification to a VLAN takes precedence over PVID assignment if:
• policy classification is configured to a VLAN, and
• PVID override has been enabled for a policy profile, and assigned to port(s) associated with the PVID.

For more information, refer to the Policy Classification chapter in your device's configuration guide or the Configuring Policy Feature Guide.

GARP VLAN Registration Protocol (GVRP) Support


The purpose of the GARP (Generic Attribute Registration Protocol) VLAN Registration Protocol (GVRP) is to dynamically create VLANs across a switched network. GVRP allows GVRP-aware devices to dynamically establish and update their knowledge of the set of VLANs that currently have active members.

By default, GVRP is globally enabled but disabled at the port level on all Enterasys devices except the N-Series. On the N-Series, GVRP is enabled globally and at the port level. To allow GVRP to dynamically create VLANs, it must be enabled globally and also on each individual port as described in Configuring Dynamic VLANs on page 15.

How It Works
When a VLAN is declared, the information is transmitted out GVRP-configured ports on the device in a GARP-formatted frame using the GVRP multicast MAC address. A switch that receives this frame examines the frame and extracts the VLAN IDs. GVRP then dynamically registers (creates) the VLANs and adds the receiving port to its tagged member list for the extracted VLAN IDs. The information is then transmitted out the other GVRP-configured ports of the device.

Figure 3 shows an example of how VLAN Blue from end station A would be propagated across a switch network. In this figure, port 1 of Switch 4 is registered as being a member of VLAN Blue and Switch 4 declares this fact out all its ports (2 and 3) to Switch 1 and Switch 2. These two switches register this in the port egress lists of the ports (Switch 1, port 1 and Switch 2, port 1) that received the frames with the information. Switch 2, which is connected to Switch 3 and Switch 5, declares the same information to those two switches and the port egress list of each port is updated with the new information, accordingly.


Figure 3 Example of VLAN Propagation Using GVRP

[Figure 3 not reproduced: End Station A attaches to port 1 of Switch 4; Switch 4 connects to Switch 1 and Switch 2, and Switch 2 connects to Switch 3 and Switch 5. Legend: R = port registered as a member of VLAN Blue, D = port declaring VLAN Blue.]

Note: If a port is set to forbidden for the egress list of a VLAN, then the VLAN's egress list will not be dynamically updated with that port.

Administratively configuring a VLAN on an 802.1Q switch creates a static VLAN entry that will always remain registered and will not time out. However, GVRP-created dynamic entries will time out, and their registrations will be removed from the member list if the end station is removed. This ensures that, if switches are disconnected or if end stations are removed, the registered information remains accurate.

The end result of GVRP dynamic VLAN configuration is that each port's egress list is updated with information about VLANs that reside on that port, even if the actual station on the VLAN is several hops away.
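The declare-and-register propagation of Figure 3, including the forbidden-port rule from the note and the time-out of dynamic entries when the end station leaves, as an added example that is not Enterasys code. It models GVRP at the level of "which ports end up registered", not the GARP frame format or timers; the port numbers on the Switch 2 uplinks and on the receiving side of each link are assumptions, since the figure only names Switch 4 ports 2 and 3 and port 1 of Switch 1 and Switch 2.

```python
class GvrpNetwork:
    """Declaration/registration model of GVRP across several switches."""

    def __init__(self):
        self.links = {}         # (switch, port) -> (peer switch, peer port)
        self.gvrp_ports = {}    # switch -> set of ports with GVRP enabled
        self.static = set()     # (switch, port, vlan): static egress membership
        self.forbidden = set()  # (switch, port, vlan): forbidden egress setting

    def link(self, a, b):
        """Connect two (switch, port) endpoints in both directions."""
        self.links[a] = b
        self.links[b] = a

    def enable_gvrp(self, switch, *ports):
        self.gvrp_ports.setdefault(switch, set()).update(ports)

    def member_ports(self, switch, vlan, registered):
        """Ports of one switch on which the VLAN is registered, statically or dynamically."""
        return ({p for (s, p, v) in self.static if s == switch and v == vlan}
                | {p for (s, p, v) in registered if s == switch and v == vlan})

    def propagate(self, vlan):
        """Return the set of (switch, port, vlan) dynamically registered for vlan.
        Recomputing from the static members models the GVRP time-out: a
        dynamic entry disappears once nothing declares it any more."""
        registered = set()
        changed = True
        while changed:
            changed = False
            for switch, ports in self.gvrp_ports.items():
                members = self.member_ports(switch, vlan, registered)
                for port in ports:
                    # A switch declares the VLAN on a port only when the VLAN is
                    # registered on some other port of that switch (Switch 4
                    # declares on ports 2 and 3, not back out port 1).
                    if not (members - {port}) or (switch, port) not in self.links:
                        continue
                    peer_switch, peer_port = self.links[(switch, port)]
                    entry = (peer_switch, peer_port, vlan)
                    if (peer_port not in self.gvrp_ports.get(peer_switch, set())
                            or entry in self.forbidden      # never added dynamically
                            or entry in self.static
                            or entry in registered):
                        continue
                    registered.add(entry)   # receiving port joins the tagged member list
                    changed = True
        return registered


def figure3_network():
    """Figure 3 topology. Switch 2 ports 2 and 3 and the peers' port 1 are assumed."""
    net = GvrpNetwork()
    net.enable_gvrp("Switch 1", 1, 2)
    net.enable_gvrp("Switch 2", 1, 2, 3)
    net.enable_gvrp("Switch 3", 1)
    net.enable_gvrp("Switch 4", 1, 2, 3)
    net.enable_gvrp("Switch 5", 1)
    net.link(("Switch 4", 2), ("Switch 1", 1))
    net.link(("Switch 4", 3), ("Switch 2", 1))
    net.link(("Switch 2", 2), ("Switch 3", 1))
    net.link(("Switch 2", 3), ("Switch 5", 1))
    net.static.add(("Switch 4", 1, "Blue"))   # End Station A is a member of VLAN Blue
    return net


def demo():
    """Three cases: normal propagation, a forbidden port, and the station leaving."""
    net = figure3_network()
    full = net.propagate("Blue")
    net.forbidden.add(("Switch 2", 1, "Blue"))  # Switch 2 port 1 forbidden for Blue
    pruned = net.propagate("Blue")              # nothing behind Switch 2 registers
    net.static.clear()                          # End Station A removed: entries time out
    gone = net.propagate("Blue")
    return full, pruned, gone
```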

Configuring VLANs
Once you have planned your implementation strategy as described in Preparing for VLAN Configuration on page 3, you can begin configuring VLANs as described in this section. The following information for configuring VLANs on an Enterasys switch will be covered:
• Platform-Specific Differences (page 10)
• Default Settings (page 11)
• Configuring Static VLANs (page 12)
• Creating a Secure Management VLAN (page 14)
• Configuring Dynamic VLANs (page 15)
• Configuring Protocol-Based VLAN Classification (page 16)


Platform Specific Differences


Enterasys X-Series Platform Configuration
The configuration of VLANs on the X-Series platform is very similar to the configuration of VLANs on the N-Series, S-Series, K-Series, stackable, and standalone switch platforms, with one major exception. By default, physical ports on the X-Series are configured to route traffic, not switch traffic, which is the case for the other switch platforms. Therefore, by default, no ports reside on the egress list for VLAN 1 unless the port is explicitly configured to switch traffic using the set port mode <port-string> switched command, and explicitly configured on VLAN 1's egress list using the set vlan egress <vid> <port-string> command as described in Configuring Static VLANs on page 12.

VLAN Naming Convention for IP Interfaces


A VLAN is identified by its ID, which is a number from 1 to 4094. On the X-Series devices, a VLAN entity configured on a routing interface can be specified in CLI commands in the format vlan.instance.vlan_id, where instance is the bridging instance, and vlan_id is the VLAN ID (1 to 4094). The X-Series currently supports only one bridging instance. Therefore, instance is always 1. So, for example, to display information about VLAN 100, in either switch or router mode, you would enter:
show interface vlan.1.100

This convention is different from other Enterasys switch platforms, where the format in this instance would be vlan vlan_id.

VLAN Constraints
VLAN constraints is an N-Series, S-Series, and K-Series platform feature that controls the filtering database to which VLANs are allowed to belong. This feature is not supported on X-Series, stackable, or standalone switch platforms.

Protected Ports
Protected Ports is a feature supported on the stackable and standalone switch platforms that is used to prevent ports from forwarding traffic to each other, even when they are on the same VLAN. Ports can be designated as either protected or unprotected. Ports are unprotected by default. Multiple groups of protected ports are supported.

Ports that are configured to be protected:
• Cannot forward traffic to other protected ports in the same group, regardless of having the same VLAN membership.
• Can forward traffic to ports which are unprotected (not listed in any group).
• Can forward traffic to protected ports in a different group, if they are in the same VLAN.

Unprotected ports can forward traffic to both protected and unprotected ports. A port may belong to only one group of protected ports.

This feature only applies to ports within a switch. It does not apply across multiple switches in a network. Also, it is not supported on N-Series, S-Series, K-Series, or X-Series platforms.
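The protected-port rules above, combined with VLAN membership, as an added example that is not Enterasys code. The port names, group ids and VLAN assignments are constructed for the example; the check is for ports of one switch only, as the feature is.

```python
def can_forward(src_port, dst_port, protected_group, port_vlans):
    """Decide whether traffic received on src_port may be sent out dst_port on
    one switch. protected_group maps port -> group id (ports not listed are
    unprotected); port_vlans maps port -> set of VLAN IDs the port belongs to."""
    if src_port == dst_port:
        return False
    # Protection never widens VLAN reach: the two ports must share a VLAN first.
    if not port_vlans.get(src_port, set()) & port_vlans.get(dst_port, set()):
        return False
    src_group = protected_group.get(src_port)
    dst_group = protected_group.get(dst_port)
    if src_group is None or dst_group is None:
        return True                  # an unprotected port on either side: allowed
    return src_group != dst_group    # same group: blocked; different group: allowed


def reachable_from(src_port, protected_group, port_vlans):
    """All ports that src_port may forward to, sorted for stable comparison."""
    return sorted(p for p in port_vlans
                  if can_forward(src_port, p, protected_group, port_vlans))


def demo():
    """Constructed layout: ge.1.1 and ge.1.2 in protected group 0, ge.1.3 in
    group 1, ge.1.4 unprotected, all in VLAN 10; ge.1.5 is in VLAN 20 only."""
    groups = {"ge.1.1": 0, "ge.1.2": 0, "ge.1.3": 1}
    vlans = {"ge.1.1": {10}, "ge.1.2": {10}, "ge.1.3": {10},
             "ge.1.4": {10, 20}, "ge.1.5": {20}}
    return {p: reachable_from(p, groups, vlans) for p in vlans}
```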


Default Settings
Table 1 lists VLAN parameters and their default values.

Table 1 Default VLAN Parameters

Parameter: garp timer
  Description: Configures the three GARP timers. The setting is critical and should only be done by someone familiar with the 802.1Q standard.
  Default Value: Join timer: 20 centiseconds; Leave timer: 60 centiseconds; Leaveall timer: 1000 centiseconds

Parameter: GVRP
  Description: Enables or disables the GARP VLAN Registration Protocol (GVRP) on a specific set of ports or all ports. GVRP must be enabled to allow creation of dynamic VLANs.
  Default Value: Disabled at the port level; Enabled at the global level. Note: The N-Series has GVRP enabled at the port level and enabled globally.

Parameter: port discard
  Description: Ports can be set to discard frames based on whether or not they contain a VLAN tag.
  Default Value: No frames are discarded

Parameter: port ingress filter
  Description: When enabled on a port, the VLAN IDs of incoming frames are compared to the port's egress list. If the received VLAN ID does not match a VLAN ID on the port's egress list, the frame is dropped.
  Default Value: Enabled

Parameter: port vlan ID (PVID)
  Description: 802.1Q VLAN/port association.
  Default Value: VLAN 1 / Default VLAN

Parameter: protected port (Applies to stackable and standalone switches only.)
  Description: Prevents ports from forwarding traffic to each other, even when they are on the same VLAN.
  Default Value: Unprotected

Parameter: vlan constraint (Applies to N-Series, S-Series, K-Series only.)
  Description: Configures VLANs to use an independent or shared filtering database.
  Default Value: VLANs use an independent filtering database

Parameter: vlan dynamicegress
  Description: Enables or disables dynamic egress processing for a given VLAN.
  Default Value: Disabled

Parameter: vlan egress
  Description: Configures the egress ports for a VLAN and the type of egress for the ports. Egress type can be tagged, untagged, or forbidden.
  Default Value: Tagged

Parameter: vlan name
  Description: Associates a text name to one or more VLANs.
  Default Value: None


Configuring Static VLANs


Procedure 1 describes how to create and configure a static VLAN. Unspecified parameters use their default values.

Procedure 1 Static VLAN Configuration

Step 1. Show existing VLANs.
  Command(s): show vlan

Step 2. (Applies to X-Series only.) Define the ports to be used for switched traffic.
  Command(s): set port mode port-string switched

Step 3. Create VLAN. Refer to Configurable Range on page 6 for valid id values. Each vlan-id must be unique. If an existing vlan-id is entered, the existing VLAN is modified.
  Command(s): set vlan create vlan-id

Step 4. Optionally, assign a name to the VLAN. Valid strings are from 1 to 32 characters.
  Command(s): set vlan name vlan-id string

Step 5. Assign switched ports to the VLAN. This sets the port VLAN ID (PVID). The PVID determines the VLAN to which all untagged frames received on the port will be classified.
  Command(s): set port vlan port-string vlan-id
  Note: If the VLAN specified has not already been created, the set port vlan command will create it. It will also add the VLAN to the port's egress list as untagged, and remove the default VLAN from the port's egress list. This automatically changes the existing untagged VLAN egress permission to match the new PVID value.

Step 6. Configure VLAN egress, which determines which ports a frame belonging to the VLAN may be forwarded out on.
  Static configuration: Add the port to the VLAN egress list for the device. The default setting, tagged, allows the port to transmit frames for a particular VLAN. The untagged setting allows the port to transmit frames without a VLAN tag. This setting is usually used to configure a port connected to an end user device. The forbidden setting prevents the port from participating in the specified VLAN and ensures that any dynamic requests for the port to join the VLAN will be ignored.
  Command(s): set vlan egress vlan-id port-string [forbidden | tagged | untagged]
  If necessary, remove ports from the VLAN egress list. If specified, the forbidden setting will be cleared from the designated ports and the ports will be reset as allowed to egress frames, if so configured by either static or dynamic means. If forbidden is not specified, tagged and untagged egress settings will be cleared from the designated ports.
  Command(s): clear vlan egress vlan-list port-string [forbidden]
  Dynamic configuration: By default, dynamic egress is disabled on all VLANs. If dynamic egress is enabled for a VLAN, the device will add the port receiving a frame to the VLAN's egress list as untagged according to the VLAN ID of the received frame.
  Command(s): set vlan dynamicegress vlan-id {enable | disable}

Step 7. (Applies to N-Series, S-Series, K-Series only.) Optionally, set VLAN constraints to control the filtering database a VLAN will use for forwarding traffic. Filtering databases can be shared or independent. By default, filtering databases are independent.
  Command(s): set vlan constraint vlan-id setnum [shared | independent]

Step 8. Optionally, enable ingress filtering on a port to drop those incoming frames that do not have a VLAN ID that matches a VLAN ID on the port's egress list.
  Command(s): set port ingress-filter port-string enable

Step 9. Optionally, choose to discard tagged or untagged (or both) frames on selected ports. Select none to allow all frames to pass through.
  Command(s): set port discard port-string {tagged | untagged | none | both}

Step 10. (Applies to stackable and standalone switches only.) Optionally, configure protected ports. This prevents ports from forwarding traffic to each other, even when they are on the same VLAN. The group-id value identifies the assigned ports and can range from 0 to 2. You can also set a protected port group name of up to 32 characters in length.
  Command(s): set port protected port-string group-id
              set port protected name group-id name

Step 11. If the device supports routing, enter router configuration mode and configure an IP address on the VLAN interface, as shown in the following sub-steps:
  11a. X-Series configuration:
       router
       configure
       interface vlan.1.vlan_id
       ip address ip-address/maxlen
       no shutdown
  11b. Stackable/Standalone configuration:
       router
       enable
       configure terminal
       interface vlan vlan_id
       ip address ip-address ip-mask
       no shutdown
  11c. N-Series/S-Series/K-Series configuration:
       configure terminal
       interface vlan vlan_id
       ip address ip-address ip-mask
       no shutdown

Note: Each VLAN interface must be configured for routing separately using the interface command shown above. To end configuration on one interface before configuring another, type exit at the command prompt. Enabling interface configuration mode is required for completing interface-specific configuration tasks.

Example Configuration
The following shows an example S-Series device configuration using the steps in Procedure 1. In this example, VLAN 100 is created and named VLANRED. Ports ge.1.2, 1.3 and 1.4 are assigned to VLAN 100 and added to its egress list. VLAN 100 is then configured as a routing interface with an IP address of 120.20.20.24.
Note: Refer to Procedure 1 to determine which platform-specific commands may apply to your device when following this example configuration.

Switch1(su)->set vlan create 100
Switch1(su)->set vlan name 100 VLANRED
Switch1(su)->set port vlan ge.1.2-4 100
The PVID is used to classify untagged frames as they ingress into a given port. Would you like to add the selected port(s) to this VLAN's untagged egress list and remove them from all other VLANs untagged egress list (y/n) [n]?
NOTE: Choosing 'y' will not remove the port(s) from previously configured tagged egress lists.
y
Switch1(su)->configure terminal
Switch1(su-config)->interface vlan 100
Switch1(su-config-intf-vlan.0.100)->ip address 120.20.20.1/24
Switch1(su-config-intf-vlan.0.100)->no shutdown

If you want to configure a port to drop incoming frames that do not have a VLAN ID that matches a VLAN ID on the port's egress list, use the set port ingress-filter command. For example:
Switch1(su)->set port ingress-filter ge.1.2-4 enable

If you want to configure a port to discard tagged or untagged incoming frames, use the set port discard command. For example, to configure the ports to drop tagged frames on ingress:
Switch1(su)->set port discard ge.1.2-4 tagged

Creating a Secure Management VLAN


If you are configuring an Enterasys device for multiple VLANs, it may be desirable to configure a management-only VLAN. This allows a station connected to the management VLAN to manage the device. It also makes management secure by preventing configuration through ports assigned to other VLANs.


Procedure 2 provides an example of how to create a secure management VLAN. This example, which sets the new VLAN as VLAN 2, assumes the management station is attached to ge.1.1, and wants untagged frames. The process described in this section would be repeated on every device that is connected in the network to ensure that each device has a secure management VLAN.



Procedure 2 Secure Management VLAN Configuration

Step 1. (Applies to X-Series only.) Configure the ports to be used as switch ports.
  Command(s): set port mode host.0.1;ge.1.1 switched

Step 2. Create a new VLAN.
  Command(s): set vlan create 2

Step 3. Set the PVID for the host port and the desired switch port to the VLAN created in Step 2.
  Command(s): set port vlan host.0.1;ge.1.1 2

Step 4. If not done automatically when executing the previous command, add the host port and desired switch port(s) to the new VLAN's egress list.
  Command(s): set vlan egress 2 host.0.1;ge.1.1 untagged

Step 5. Set a private community name to assign to this VLAN for which you can configure access rights and policies.
  Command(s): set snmp community private

Note: By default, community name, which determines remote access for SNMP management, is set to public with read-write access. For more information, refer to your device's SNMP documentation.

Configuring Dynamic VLANs


Procedure 3 describes how to enable the GARP (Generic Attribute Registration Protocol) VLAN Registration Protocol (GVRP), which is needed to create dynamic VLANs. By default, GVRP is enabled globally but disabled at the port level. GVRP must be globally enabled and also enabled on specific ports in order to generate and process GVRP advertisement frames.
Note: Refer to GARP VLAN Registration Protocol (GVRP) Support on page 8 for conceptual information about GVRP.

Procedure 3 Dynamic VLAN Configuration

Step 1. Show existing GVRP configuration for a port or list of ports. If no port-string is entered, the global GVRP configuration and all port GVRP configurations are displayed.
  Command(s): show gvrp [port-string]

Step 2. If necessary, enable GVRP on those ports assigned to a VLAN. You must specifically enable GVRP on ports, since it is disabled on ports by default.
  Command(s): set gvrp enable port-string

Step 3. Display the existing GARP timer values.
  Command(s): show garp timer [port-string]

Step 4. Optionally, set the GARP join, leave, and leaveall timer values. Each timer value is in centiseconds.
  Command(s): set garp timer {[join timer-value] [leave timer-value] [leaveall timer-value]} port-string

Caution: The setting of GARP timers is critical and should only be changed by personnel familiar with 802.1Q standards.

Configuring Protocol-Based VLAN Classification


Protocol-based VLANs can be configured using the policy classification CLI commands, as shown in this section, or by using NetSight Policy Manager. Procedure 4 describes how to define protocol-based frame filtering policies to assign frames to particular VLANs. Refer to your Enterasys policy configuration and CLI documentation for more information.
Note: Depending on your Enterasys switching device, your options for configuring policy classification may differ from the examples provided in this section. Refer to your device's documentation for a list of CLI commands and functions supported.

Procedure 4    Configuring Protocol-Based VLAN Classification

Step 1. (Applies to X-Series only.) Configure the ports to be used as switch ports.
        Command: set port mode port-string switched

Step 2. Create the VLANs to which frames will be assigned by the policy. Valid values are 1 to 4094.
        Command: set vlan create vlan-id

Step 3. Configure VLAN egress, which determines which ports a frame belonging to the VLAN may be forwarded out on. The default setting, tagged, allows the port to transmit frames for a particular VLAN.
        Command: set vlan egress vlan-id port-string [forbidden | tagged | untagged]

Step 4. Disable ingress filtering on the ingress ports on which the policy will be applied.
        Command: set port ingress-filter port-string disable

Step 5. Create the policy profile that enables PVID override. This function allows a policy rule classifying a frame to a VLAN to override the PVID assignment configured with the set port vlan command. When none of its associated classification rules match, the configuration of the policy profile itself will determine how frames are handled by default. In this case, the default VLAN is specified with the pvid pvid parameter.
        Command: set policy profile profile-index [name name] [pvid-status {enable | disable}] [pvid pvid]

Step 6. Configure the administrative rules that will assign the policy profile to all frames received on the desired ingress ports.
        Command: set policy rule admin-profile port port-string [port-string port-string] [admin-pid admin-pid]

Step 7. Configure the classification rules that will define the protocol to filter on and the VLAN ID to which matching frames will be assigned.
        Command: set policy rule profile-index {protocol data [mask mask]} [vlan vlan]

Example Configuration
The following shows an example N-Series device configuration using the steps in Procedure 4. This example configures a policy that ensures that IP traffic received on the specified ingress ports will be mapped to VLAN 2, while all other types of traffic will be mapped to VLAN 3.

1. Two VLANs are created: VLAN 2 and VLAN 3.
2. Ports 1 through 5 on the Gigabit Ethernet module in slot 4 are configured as egress ports for the VLANs, while ports 8 through 10 on the Gigabit Ethernet module in slot 5 are configured as ingress ports that will do the policy classification.
3. Policy profile number 1 is created that enables PVID override and defines the default behavior (classify to VLAN 3) if none of the classification rules created for the profile are matched.
4. Administrative rules are created that apply policy profile number 1 to all frames received on the ingress ports ge.5.8 through 10.
5. Classification rules are created for policy profile number 1 that assign IP frames to VLAN 2. The rules identify IP frames by using the ether protocol parameter, which classifies on the Type field in the headers of Layer 2 Ethernet II frames, and the protocol data of 0x0800 (IP type), 0x0806 (ARP type), and 0x8035 (RARP type).

Switch1(su)->set vlan create 2, 3
Switch1(su)->set vlan egress 2 ge.4.1-2
Switch1(su)->set vlan egress 3 ge.4.3-5
Switch1(su)->set port ingress-filter ge.5.8-10 disable
Switch1(su)->set policy profile 1 name protocol_based_vlan pvid-status enable pvid 3
Switch1(su)->set policy rule admin-profile port ge.5.8 port-string ge.5.8 admin-pid 1
Switch1(su)->set policy rule admin-profile port ge.5.9 port-string ge.5.9 admin-pid 1
Switch1(su)->set policy rule admin-profile port ge.5.10 port-string ge.5.10 admin-pid 1
Switch1(su)->set policy rule 1 ether 0x0800 mask 16 vlan 2
Switch1(su)->set policy rule 1 ether 0x0806 mask 16 vlan 2
Switch1(su)->set policy rule 1 ether 0x8035 mask 16 vlan 2
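As an added example, not part of the Enterasys guide, the classification that policy profile 1 above performs on ingress frames is modelled in Python so the PVID-override behaviour can be checked: rule hits go to VLAN 2, everything else falls to the profile's pvid of 3, and a port with no admin rule keeps its port PVID. It assumes that the mask value counts the leading bits of the Type field that must match, and uses constructed sample frames.

```python
import struct

# Model of policy profile 1 from the example configuration above (constructed
# here, not Enterasys code): PVID override enabled, default VLAN (pvid) 3, and
# classification rules compared against the full 16-bit Type field (mask 16).
POLICY_PROFILE_1 = {
    "pvid_status": True,            # pvid-status enable
    "pvid": 3,                      # frames matching no rule go to VLAN 3
    "rules": [(0x0800, 16, 2),      # (ether value, mask bits, vlan): IP
              (0x0806, 16, 2),      # ARP
              (0x8035, 16, 2)],     # RARP
}
PROFILES = {1: POLICY_PROFILE_1}
ADMIN_RULES = {"ge.5.8": 1, "ge.5.9": 1, "ge.5.10": 1}  # admin-pid 1 on the ingress ports
PORT_PVID = {"ge.5.8": 1, "ge.5.9": 1, "ge.5.10": 1}    # set port vlan left at default VLAN 1

def ethertype_of(frame: bytes) -> int:
    """Return the Type field of an untagged Ethernet II frame (bytes 12-13)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    return struct.unpack("!H", frame[12:14])[0]

def rule_matches(ethertype: int, value: int, mask_bits: int) -> bool:
    """Compare the leading `mask_bits` bits of the 16-bit Type field (assumed mask semantics)."""
    mask = (0xFFFF << (16 - mask_bits)) & 0xFFFF
    return (ethertype & mask) == (value & mask)

def classify(port: str, frame: bytes) -> int:
    """Return the VLAN ID assigned to `frame` on ingress at `port`."""
    pvid = PORT_PVID.get(port, 1)    # ports not listed keep the default VLAN 1
    profile = PROFILES.get(ADMIN_RULES.get(port))
    if profile is None:
        return pvid                  # no admin rule on this port: plain PVID
    etype = ethertype_of(frame)
    for value, mask_bits, vlan in profile["rules"]:
        if rule_matches(etype, value, mask_bits):
            return vlan              # rule hit overrides the port PVID
    # No rule matched: the profile's pvid applies only when PVID override is on
    return profile["pvid"] if profile["pvid_status"] else pvid

def make_frame(ethertype: int) -> bytes:
    """Constructed sample frame: broadcast dst, locally administered src, 46-byte payload."""
    return b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + struct.pack("!H", ethertype) + b"\x00" * 46

if __name__ == "__main__":
    for name, et in (("IP", 0x0800), ("ARP", 0x0806), ("RARP", 0x8035), ("IPv6", 0x86DD)):
        print(f"{name:5} 0x{et:04x} on ge.5.8 -> VLAN {classify('ge.5.8', make_frame(et))}")
```

Note that IPv6 (0x86DD) is not covered by the three rules and therefore lands in VLAN 3 with the rest of the non-IP traffic.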

Monitoring VLANs
Table 2 describes the show commands that display information about VLAN configurations. Refer to your device's CLI documentation for a description of the output of each show command.

Table 2    Displaying VLAN Information

Command: show vlan
    Task: Display all existing VLANs.

Command: show vlan constraint [vlan id]
    Task: (Applies to N-Series, S-Series, K-Series only.) Display the VLAN constraint setting.

Command: show vlan dynamicegress [vlan id]
    Task: Display the VLAN dynamic egress setting.

Command: show vlan static
    Task: Display all static VLANs.

Command: show port vlan [port-string]
    Task: Display ports assigned to VLANs.

Command: show gvrp [port-string]
    Task: Display existing GVRP settings.

Command: show igmp static [vlan id]
    Task: Display static ports on the given vid, group.

Command: show port protected [port-string] | [group-id]
    Task: (Applies to stackable and standalone switches only.) Display port(s) configured in protected mode.

Command: show port protected name group-id
    Task: (Applies to stackable and standalone switches only.) Display the name of a specific group of protected ports.

Terms and Definitions


Table 3 lists terms and definitions used in VLAN configuration.

Table 3    VLAN Terms and Definitions

Default VLAN: The VLAN to which all ports are assigned upon initialization. The default VLAN has a VLAN ID of 1 and cannot be deleted or renamed.

Filtering Database: A database structure within the switch that keeps track of the associations between MAC addresses, VLANs, and interface (port) numbers. The Filtering Database is referred to when a switch makes a forwarding decision on a frame.

Filtering Database Identifier (FID): Addressing information that the device learns about a VLAN is stored in the filtering database assigned to that VLAN. Several VLANs can be assigned to the same FID to allow those VLANs to share addressing information. This enables the devices in the different VLANs to communicate with each other when the individual ports have been configured to allow communication to occur. The configuration is accomplished using the Local Management VLAN Forwarding Configuration screen. By default a VLAN is assigned to the FID that matches its VLAN ID.

Forwarding List: A list of the ports on a particular device that are eligible to transmit frames for a selected VLAN.

GARP Multicast Registration Protocol (GMRP): A GARP application that functions in a similar fashion as GVRP, except that GMRP registers multicast addresses on ports to control the flooding of multicast frames.

GARP VLAN Registration Protocol (GVRP): A GARP application used to dynamically create VLANs across a switched network.

Generic Attribute Registration Protocol (GARP): GARP is a protocol used to propagate state information throughout a switched network.

Port VLAN List: A per port list of all eligible VLANs whose frames can be forwarded out one specific port and the frame format (tagged or untagged) of transmissions for that port. The Port VLAN List specifies what VLANs are associated with a single port for frame transmission purposes.

Tag Header (VLAN Tag): Four bytes of data inserted in a frame that identifies the VLAN/frame classification. The Tag Header is inserted into the frame directly after the Source MAC address field. Twelve bits of the Tag Header represent the VLAN ID. The remaining bits are other control information.

Tagged Frame: A data frame that contains a Tag Header. A VLAN aware device can add the Tag Header to any frame it transmits.

Untagged Frame: A data frame that does not have a Tag Header.

VLAN ID: A unique number (between 1 and 4094) that identifies a particular VLAN.

VLAN Name: A 32-character alphanumeric name associated with a VLAN ID. The VLAN Name is intended to make user-defined VLANs easier to identify and remember.
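The Tag Header layout and the tagged/untagged/forbidden egress behaviour described in Table 3, as an added Python example that is not part of the guide: the four-byte tag is inserted after the Source MAC, the VLAN ID occupies the low twelve bits and is range-checked to 1 through 4094, and a port's Port VLAN List is modelled (an assumption) as a dict from VLAN ID to egress mode. The sample frame is constructed.

```python
import struct
from typing import Dict, Optional, Tuple

TPID_8021Q = 0x8100  # Tag Protocol Identifier: first two bytes of the Tag Header

def insert_tag(frame: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte Tag Header directly after the Source MAC (offset 12)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")   # 0 and 4095 are reserved
    if not 0 <= pcp <= 7:
        raise ValueError("priority is a 3-bit field")
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    tci = (pcp << 13) | vlan_id      # 3-bit PCP, 1-bit DEI (0), 12-bit VLAN ID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def parse_tag(frame: bytes) -> Optional[Tuple[int, int, int]]:
    """Return (vlan_id, pcp, inner_ethertype) for a tagged frame, None if untagged."""
    if len(frame) < 18:
        return None
    tpid, tci, ethertype = struct.unpack("!HHH", frame[12:18])
    if tpid != TPID_8021Q:
        return None
    return (tci & 0x0FFF, tci >> 13, ethertype)

def strip_tag(frame: bytes) -> bytes:
    """Remove the Tag Header if present, giving an untagged frame."""
    return frame[:12] + frame[16:] if parse_tag(frame) else frame

def egress(frame: bytes, vlan_id: int, port_vlan_list: Dict[int, str]) -> Optional[bytes]:
    """Apply a port's Port VLAN List entry for `vlan_id`: tagged, untagged or forbidden.
    Returns the frame as it would leave the port, or None when the port is not an
    eligible egress port for that VLAN (the forbidden case, also the default)."""
    mode = port_vlan_list.get(vlan_id, "forbidden")
    if mode == "forbidden":
        return None
    untagged = strip_tag(frame)      # never leak an incoming tag through an untagged port
    return insert_tag(untagged, vlan_id) if mode == "tagged" else untagged

# Constructed sample: untagged Ethernet II IP frame (broadcast dst, dummy src)
SAMPLE_FRAME = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00" + b"\x00" * 46

if __name__ == "__main__":
    tagged = insert_tag(SAMPLE_FRAME, 2)
    print(parse_tag(tagged))                                            # (2, 0, 2048)
    print(egress(SAMPLE_FRAME, 2, {2: "untagged"}) == SAMPLE_FRAME)     # True
```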


Revision History
Date         Description
02-01-2008   New document.
02-20-2008   Corrected product naming conventions.
07-28-2008   Modifications due to product rebranding changes.
01-07-2009   Corrected error in configuration example.
03-15-2011   Added S-Series and K-Series. Removed IGMP snooping (covered in Multicast Feature Guide).

Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such changes have been made.
The hardware, firmware, or software described in this document is subject to change without notice.
IN NO EVENT SHALL ENTERASYS NETWORKS BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT NOT LIMITED TO LOST PROFITS) ARISING OUT OF OR RELATED TO THIS DOCUMENT, WEB SITE, OR THE INFORMATION CONTAINED IN THEM, EVEN IF ENTERASYS NETWORKS HAS BEEN ADVISED OF, KNEW OF, OR SHOULD HAVE KNOWN OF, THE POSSIBILITY OF SUCH DAMAGES.
Enterasys Networks, Inc.
50 Minuteman Road
Andover, MA 01810
© 2011 Enterasys Networks, Inc. All rights reserved.
ENTERASYS, ENTERASYS NETWORKS, ENTERASYS NETSIGHT, and any logos associated therewith, are trademarks or registered trademarks of Enterasys Networks, Inc., in the United States and other countries. For a complete list of Enterasys trademarks, see http://www.enterasys.com/company/trademarks.aspx.
All other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies.
