VLAN Support

Introduction

This document describes how to configure Virtual LANs (VLANs). The system supports port based VLANs and VLAN tagging according to IEEE 802.1Q. Each VLAN has its own MAC filtering database, a scheme referred to as Independent VLAN Learning (IVL). Up to 64 simultaneous VLANs are supported.

With VLAN you can segment your LAN infrastructure into multiple LANs (broadcast domains). In its simplest form you can segment a (physical) switch into multiple logical switches. We refer to this as a port based VLAN.

         Physical View                      Logical View
   .---------------------.           .---------.   .---------.
   |                     |           |         |   |         |
   |        Switch       |           | Switch1 |   | Switch2 |
   |                     |           |         |   |         |
   |  1 2 3       4 5 6  |           |  1 2 3  |   |  4 5 6  |
   '--+-+-+-------+-+-+--'           '--+-+-+--'   '--+-+-+--'
      | | |       | | |                 | | |         | | |
      | | |       | | |                 | | |         | | |
      VLAN 1      VLAN 2                VLAN 1        VLAN 2

Figure 1: Using VLANs to split a physical switch into two logical switches

It is possible to extend the VLAN to span multiple switches. In that case, VLANs typically share the cables connecting the switches. We refer to these cables as VLAN trunks, or trunk links.

                         Physical View
   .---------------------.            .---------------------.
   |                     |            |                     |
   |      Switch A       |            |        Switch B     |
   |  1 2 3    4 5 6   7 |            | 1   2 3 4    5 6 7  |
   '--+-+-+----+-+-+---+-'            '-+---+-+-+----+-+-+--'
      | | |    | | |   |   VLAN Trunk   |   | | |    | | |
      | | |    | | |   '----------------'   | | |    | | |
      VLAN 1   VLAN 2                       VLAN 1   VLAN 2


                         Logical View
   .-----------. .-----------.   .-----------. .-----------.
   |           | |           |   |           | |           |
   | Switch A1 | | Switch B1 |   | Switch A2 | | Switch B2 |
   |           | |           |   |           | |           |
   |  1 2 3 7  | |  1 2 3 4  |   |  4 5 6 7  | |  1 5 6 7  |
   '--+-+-+-+--' '--+-+-+-+--'   '--+-+-+-+--' '--+-+-+-+--'
      | | | '-------' | | |         | | | '-------' | | |
      | | |           | | |         | | |           | | |
     VLAN 1          VLAN 1        VLAN 2          VLAN 2

Figure 2: VLANs sharing both switches and cable(s)

In order to multiplex the traffic over the VLAN trunks, a VLAN tag is inserted into the packet. The tag holds the VLAN Identifier (here 1 or 2) along with priority and some additional signalling information. See Figure 3 below for a detailed description.

        VLAN Tag Control Information
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      | PCP |C|        VID            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      PCP:   Priority Code Point (0-7), 3 bits
      C/CFI: Canonical Format Indicator, 1 bit (renamed Drop Eligible Indicator, DEI, in IEEE 802.1Q-2011)
      VID:   VLAN Identifier (0-4095), 12 bits. VID 0 marks a priority tagged packet
             that belongs to no VLAN (see Access Ports & Trunk Ports below), and
             VID 4095 is reserved by IEEE 802.1Q.

Figure 3: VLAN Tag Control Information (IEEE 802.1Q)

Segmenting Your Switch

      .---------------.
      |               |
      |     Switch    |
      |               |
      |  1 2 3 4 5 6  |
      '--+-+-+-+-+-+--'
         | | | | | |
         | | | | | |
            VLAN 1

Figure 4a: Default VLAN setup

By default, all Ethernet ports on a switch are associated with VLAN 1 untagged, as shown in Figure 4a.

     .---------------------.
     |                     |
     |        Switch       |
     |                     |
     |  1 2 3       4 5 6  |
     '--+-+-+-------+-+-+--'
        | | |       | | |
        | | |       | | |
        VLAN 1      VLAN 2

Figure 4b: Intended VLAN Setup

If we wish to allocate some ports to another VLAN as in Figure 4b, we create VLAN 2 and assign it the ports untagged. Implicitly, these ports will be removed from VLAN 1, as a port can only be associated untagged with one VLAN at a time.

Switch:/#> configure 
Switch:/config/#> vlan 2
Creating new VLAN vid:2 with name: vlan2
Switch:/config/vlan-2/#> untagged eth4..eth6
Moving untagged port eth4 from vid 1 to vid 2.
Moving untagged port eth5 from vid 1 to vid 2.
Moving untagged port eth6 from vid 1 to vid 2.
Switch:/config/vlan-2/#> leave
Configuration activated.  Remember "copy run start" to save to flash (NVRAM).
Switch:/#>

Warning

Be careful when configuring VLANs on your switch remotely, as the configuration change may affect your connectivity. For example, if your management session enters via port 5 (Figure 4a), that port is moved to VLAN 2 when the new configuration takes effect, and the vlan1 interface you are managing the switch through is no longer reachable from it.

Now consider the case when we wish the VLAN to span multiple switches, see Figure 5 below.

                         Physical View
   .---------------------.            .---------------------.
   |                     |            |                     |
   |      Switch A       |            |        Switch B     |
   |  1 2 3    4 5 6   7 |            | 1   2 3 4    5 6 7  |
   '--+-+-+----+-+-+---+-'            '-+---+-+-+----+-+-+--'
      | | |    | | |   |   VLAN Trunk   |   | | |    | | |
      | | |    | | |   '----------------'   | | |    | | |
     VLAN 1   VLAN 2                       VLAN 1   VLAN 2

Figure 5: VLANs spanning multiple switches

Ports 1-6 on switch A are configured as in the example above (Figure 4b). Port 7 on switch A is a VLAN trunk port, and can be configured as follows.

SwitchA:/#> configure
SwitchA:/config/#> vlan 2
SwitchA:/config/vlan-2/#> tagged eth7
SwitchA:/config/vlan-2/#> end
SwitchA:/config/#> vlan 1
SwitchA:/config/vlan-1/#> tagged eth7
SwitchA:/config/vlan-1/#> leave
Configuration activated.  Remember "copy run start" to save to flash (NVRAM).
SwitchA:/#>

Port 1 on Switch B needs to be configured in the same way.

Concepts

Ports, VLANs, and Interfaces

Figure 6 gives a simplified view of how Ethernet ports, VLANs and network interfaces are related on your switch. It shows the factory default port assignments on the left, and a sample configuration with multiple VLANs on the right, where port 7 is used as a VLAN trunk port:

.---------------------.                    .--------------------------.
|   Layer 2/3 Switch  |                    |     Layer 2/3 Switch     |
| .-----------------. |                    | .----------------------. |
| |     Routing     | | Network Interfaces | |       Routing        | |
| |                 | | (routing/mgmt/...) | |                      | |
| |      vlan1      | |                    | |vlan1   vlan2    vlan3| |
| '--------+--------' |                    | '--+-------+--------+--' |
|          |          |                    |    |       |        |    |
| .--------+--------. |       VLANs        | .--+--..---+---. .--+--. |
| |      VLAN1      | |    (switching)     | |VLAN1|| VLAN2 | |VLAN3| |
| '+-+-+-+-+-+-+-+-+' |                    | '+-+-+''+-+-+-+' '+-+-+' |
|  | | | | | | | | |  |                    |  | | |  | | |  \ /  | |  |
|  1 2 3 4 5 6 7 8 9  |   Ethernet Ports   |  1 2 3  4 5 6   7   8 9  |
'--+-+-+-+-+-+-+-+-+--'                    '--+-+-+--+-+-+---+---+-+--'
   | | | | | | | | |                          | | |  | | |   |   | |
   | | | | | | | | |                          | | |  | | |   |   | |

Figure 6: Relationship between Ethernet ports, VLANs and Network Interfaces

At factory default, all ports are associated with VLAN 1. There is connectivity between all ports, using regular layer-2 switching. For every VLAN, there is also a network interface, here vlan1. It can be assigned one or more IP addresses, enabling management of the switch via SSH, HTTP/HTTPS, and the switch can act as a DHCP server to the LAN, etc.

By creating additional VLANs 2 and 3, we segment the ports into three broadcast domains. For each new VLAN, there is also a network interface, vlan2 and vlan3. Switching is possible within each LAN, but to communicate across VLANs, packets need to be routed at layer 3 (IP forwarding). IP forwarding is available for products of software level Extended.

LAN Port Types

Two main categories of LAN port types are available:

  • Physical LAN ports: This includes Ethernet ports. In the future, this will also include link aggregate ports (IEEE 802.1AX).
  • Virtual LAN ports: This includes Layer-2 SSL VPN ports, available for products of software level Extended.

Virtual LAN ports have not been covered in the examples above, so a brief introduction to virtual LAN ports, and how to use them with VLANs, follows.

     Alice             Internet             Bob
   .------.            .--.-.            .------.
   | L2/3 |           ( (    )__         | L2/3 |
   |Switch|          (_,  \ ) ,_)        |Switch|
   '-+--+-'          / '-'--`--'\        '-+--+-'
     |  '-----------'            '---------'  |
     |  <---------------------------------->  |
     |                L2 SSL VPN              |
--+--+--+--+--                     --+--+--+--+--
  |  |  |  |                         |  |  |  |
  LAN (A-side)                       LAN (B-side)

Figure 7: Extending (V)LANs using L2 VPN bridging

Alice and Bob in Figure 7 can be referred to as half-bridges. They extend the LAN over some kind of backbone, in this case the Internet. Conceptually, you can think of Alice and Bob as a single switch (bridge) split into two halves (half-bridges), connected by some Layer-2 tunnelling technique, in this case an L2 SSL VPN.

           Alice
.--------------------------.
|     Layer 2/3 Switch     |
|  .--------------------.  |
|  | Routing/Tunnelling |  |
|  |                    |  |  Network Interface
|  |  L2VPN----------.  |  |  (routing/tunneling/mgmt)
|  |  ssl0           |  |  |
|  |   |             |  |  |
|  |   |  vlan1    vlan2|  |
|  '---|----+--------+--'  |
|  .---'    |        |     |
|  |  .-----+----..--+--.  |  VLANs
|  |  |  VLAN1   ||VLAN2|  |  (switching)
|  |  '+-+-+-+-+-'.--+--'  |
|  |   | | | | |     |     |
|  '---' 1 2 3 4     5     |  Ethernet Ports
'-------+-+-+-+------+-----'
        | | | |      |
        | | | |      '-----> (towards Internet)
      LAN (A-side)

Figure 8: Switch internal view of ports, VLANs and network interfaces for a half-bridge (simplified)

Creating L2 SSL VPNs is not covered here. Instead we focus on the VLAN configuration needed, assuming that the virtual L2 port ssl0 already exists. Furthermore, we assume that all ports reside on VLAN 1 at the start, thus VLAN 2 needs to be created too.

alice:/#> configure
alice:/config/#> vlan 1
alice:/config/vlan-1/#> untagged ssl0
alice:/config/vlan-1/#> show untagged
U:eth1..eth5, ssl0
alice:/config/vlan-1/#> end
alice:/config/#> vlan 2
Creating new VLAN vid:2 with name: vlan2
alice:/config/vlan-2/#> untagged eth5
Moving untagged port eth5 from vid 1 to vid 2.
alice:/config/vlan-2/#> leave
Configuration activated.  Remember "copy run start" to save to flash (NVRAM).
alice:/#>

Access Ports & Trunk Ports

.---------------------.            .---------------------.
|                     |            |                     |
|      Switch A       |            |        Switch B     |
|  1 2 3    4 5 6   7 |            | 1   2 3 4    5 6 7  |
'--+-+-+----+-+-+---+-'            '-+---+-+-+----+-+-+--'
   | | |    | | |   |   VLAN Trunk   |   | | |    | | |
   | | |    | | |   '----------------'   | | |    | | |
  VLAN 1   VLAN 2                       VLAN 1   VLAN 2
    Access Ports                          Access Ports

Figure 9: Access ports and VLAN trunk ports

We refer to ports where end devices connect as access ports. On the switch, access ports are associated with a single VLAN untagged.

VLAN trunk ports are used to interconnect VLAN capable switches. Trunk ports are (typically) associated tagged with all VLANs they carry traffic for. In the example in Figure 9, port 7 on Switch A would be associated tagged with VLAN 1 and VLAN 2.

To distinguish between VLANs over a VLAN trunk, it is not strictly required to associate all VLANs tagged; it is possible to have one VLAN untagged and all the others tagged. Still, the general recommendation is to configure VLAN trunk ports tagged on all VLANs they carry. Using VLAN tagging enables packets to carry priority (see Figure 3 above), and avoids unintended VLAN leakage: an untagged packet arriving over the trunk is classified by the receiving switch according to whichever VLAN that switch has untagged on its trunk port, so if the switches at each side of the trunk happen to have different VLANs untagged, traffic from one VLAN silently ends up in the other.

As an example of VLAN tagging, consider a host (H1) connected to port 4 on Switch A:

  1. H1 sends a broadcast packet
  2. Switch A will forward the packet untagged to ports 5 and 6, and tagged (VID 2) on port 7
  3. Switch B receives the packet on its port 1 and determines it is associated with VLAN 2
  4. Switch B forwards the packet untagged on ports 5-7
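
The membership rules used in the configuration examples above (a port is untagged in at most one VLAN, tagged and untagged are exclusive within a VLAN) and the four-step broadcast walk-through, as an added Python model that is not part of this page or the switch software. It builds the Figure 9 topology, replays the broadcast from H1, and also shows the leakage that the trunk recommendation above guards against: with VLAN 1 untagged on Switch A's trunk port but VLAN 2 untagged on Switch B's, a VLAN 1 broadcast from A lands in VLAN 2 on B. The class and function names are made up here; the port names come from the figure.

```python
"""Port-based VLAN membership and tag-aware flooding, modelled after the rules in
this page. Constructed example; not the switch's own code."""


class Switch:
    def __init__(self, name, ports):
        self.name = name
        # vid -> {"untagged": set(), "tagged": set()}; factory default: all ports untagged in VLAN 1
        self.vlans = {1: {"untagged": set(ports), "tagged": set()}}

    def _vlan(self, vid):
        if not 1 <= vid <= 4095:
            raise ValueError("VID must be in the range 1-4095")
        return self.vlans.setdefault(vid, {"untagged": set(), "tagged": set()})

    def untagged(self, vid, *ports):
        """`untagged ethN` in the vlan-<vid> context."""
        v = self._vlan(vid)
        for p in ports:
            for other_vid, other in self.vlans.items():
                if other_vid != vid and p in other["untagged"]:
                    other["untagged"].discard(p)  # "Moving untagged port p from vid X to vid Y."
            v["tagged"].discard(p)                 # untagged and tagged are exclusive per VLAN
            v["untagged"].add(p)

    def tagged(self, vid, *ports):
        """`tagged ethN`: a port may be tagged in many VLANs."""
        v = self._vlan(vid)
        for p in ports:
            v["untagged"].discard(p)
            v["tagged"].add(p)

    def no_untagged(self, vid, *ports):
        """`no untagged ethN`; a port left in no VLAN at all becomes a port interface."""
        for p in ports:
            self._vlan(vid)["untagged"].discard(p)

    def pvid(self, port):
        """VLAN that untagged (and VID-0 priority tagged) ingress on this port is classified into."""
        for vid, v in self.vlans.items():
            if port in v["untagged"]:
                return vid
        return None  # isolated port: not a member of any VLAN

    def classify(self, port, vid_in):
        """Ingress VLAN for a frame that arrived untagged (vid_in None/0) or tagged with vid_in."""
        if vid_in in (None, 0):
            return self.pvid(port)
        v = self.vlans.get(vid_in)
        if v and (port in v["tagged"] or port in v["untagged"]):
            return vid_in
        return None  # port is not a member of that VLAN: frame is dropped

    def flood(self, ingress_port, vid_in=None):
        """Egress decision for a broadcast: {port: vid}, vid None meaning sent untagged."""
        vid = self.classify(ingress_port, vid_in)
        if vid is None:
            return {}
        v = self.vlans[vid]
        out = {p: None for p in v["untagged"] if p != ingress_port}
        out.update({p: vid for p in v["tagged"] if p != ingress_port})
        return out


def figure_9(trunk_tagged=True):
    """Switch A (trunk eth7) and Switch B (trunk eth1) from Figure 9. With
    trunk_tagged=False the trunk is left untagged in VLAN 1 on A but made untagged
    in VLAN 2 on B: the mismatch the text warns about."""
    ports = [f"eth{i}" for i in range(1, 8)]
    a, b = Switch("A", ports), Switch("B", ports)
    a.untagged(2, "eth4", "eth5", "eth6")
    b.untagged(2, "eth5", "eth6", "eth7")
    if trunk_tagged:
        a.tagged(2, "eth7")
        a.tagged(1, "eth7")
        b.tagged(2, "eth1")
        b.tagged(1, "eth1")
    else:
        a.tagged(2, "eth7")       # eth7 stays untagged in VLAN 1 on A
        b.untagged(2, "eth1")     # eth1 untagged in VLAN 2 on B
        b.tagged(1, "eth1")
    return a, b


def broadcast_from_h1():
    """Steps 1-4 of the walk-through: H1 on A/eth4 broadcasts."""
    a, b = figure_9()
    on_a = a.flood("eth4")                 # untagged to eth5, eth6; tagged VID 2 on eth7
    on_b = b.flood("eth1", on_a["eth7"])   # B classifies VID 2, floods untagged on eth5..eth7
    return on_a, on_b


def vlan1_broadcast_over_trunk(trunk_tagged):
    """A VLAN 1 host on A/eth1 broadcasts; returns the ports it reaches on B."""
    a, b = figure_9(trunk_tagged)
    on_a = a.flood("eth1")
    return b.flood("eth1", on_a["eth7"])
```

With the trunk tagged on both VLANs the VLAN 1 broadcast reaches only B's VLAN 1 access ports (eth2..eth4); with the mismatched untagged configuration the same broadcast arrives untagged, is classified into B's PVID on eth1 (VLAN 2) and is flooded to eth5..eth7 instead.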

The distinction between access ports and VLAN trunk ports should not be taken too strictly. For example, there may be VLAN aware hosts, capable of sending/receiving tagged packets. A special case is when a host sends priority tagged packets, i.e., tagged packets with VID 0 (zero). Hosts can do that to signal the desired priority of their traffic on a packet by packet basis. For example, if a host on port 4 of switch A sends a priority tagged packet (VID 0), switch A will still associate it with VID 2. Thus, switch A will tag it with VID 2 when forwarding the packet over the trunk. Depending on the L2 QoS configuration on switch A, it may determine the packet’s priority based on the information in the tag.
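
The tag layout of Figure 3 and the priority tagged (VID 0) case just described, as an added Python example that is not part of this page or the switch software. It builds and parses the 16-bit TCI, inserts and strips a tag in a raw Ethernet frame, and applies the ingress rule: untagged and VID-0 frames are associated with the port's untagged VLAN (passed in as `pvid`, a name chosen here), while the PCP a host asked for is carried over when the frame is re-tagged for the trunk. The rejection of VID 4095 follows IEEE 802.1Q, not anything the page states, and the sample frame is constructed.

```python
"""IEEE 802.1Q tag handling and priority tag classification. Constructed example,
not the switch's own code."""
import struct

ETH_P_8021Q = 0x8100   # TPID that announces a tag
VID_PRIORITY = 0       # priority tagged: carries a PCP but belongs to no VLAN
VID_RESERVED = 0xFFF   # 4095 is reserved by IEEE 802.1Q


def pack_tci(pcp, dei, vid):
    """PCP (3 bits) | DEI/CFI (1 bit) | VID (12 bits), as in Figure 3."""
    if not (0 <= pcp <= 7 and dei in (0, 1) and 0 <= vid <= 0xFFF):
        raise ValueError("TCI field out of range")
    return (pcp << 13) | (dei << 12) | vid


def unpack_tci(value):
    return (value >> 13) & 0x7, (value >> 12) & 0x1, value & 0xFFF


def insert_tag(frame, vid, pcp=0, dei=0):
    """Insert a tag between the source MAC and the original EtherType."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, pack_tci(pcp, dei, vid)) + frame[12:]


def parse_tag(frame):
    """(pcp, dei, vid, frame_without_tag) for a tagged frame, None if untagged."""
    if len(frame) < 16 or struct.unpack("!H", frame[12:14])[0] != ETH_P_8021Q:
        return None
    pcp, dei, vid = unpack_tci(struct.unpack("!H", frame[14:16])[0])
    return pcp, dei, vid, frame[:12] + frame[16:]


def classify_ingress(frame, pvid):
    """Untagged and VID-0 frames are associated with the port's untagged VLAN (pvid);
    the PCP carried by a priority tag is kept. Returns (vid, pcp, untagged_frame)."""
    tag = parse_tag(frame)
    if tag is None:
        if pvid is None:
            raise ValueError("port is in no VLAN: untagged frame dropped")
        return pvid, 0, frame
    pcp, _dei, vid, untagged = tag
    if vid == VID_RESERVED:
        raise ValueError("VID 4095 is reserved and must not appear on the wire")
    if vid == VID_PRIORITY:
        if pvid is None:
            raise ValueError("port is in no VLAN: priority tagged frame dropped")
        return pvid, pcp, untagged
    return vid, pcp, untagged


def forward_over_trunk(frame, pvid):
    """What goes out on a tagged trunk port: the frame re-tagged with the VLAN it
    was classified into, carrying the priority the host asked for."""
    vid, pcp, untagged = classify_ingress(frame, pvid)
    return insert_tag(untagged, vid, pcp)


# Constructed sample: broadcast frame (EtherType 0x0806, ARP) from a host with a made-up MAC.
SAMPLE_UNTAGGED = bytes.fromhex("ffffffffffff" "020000000004" "0806") + bytes(28)
SAMPLE_PRIORITY_TAGGED = insert_tag(SAMPLE_UNTAGGED, VID_PRIORITY, pcp=5)


def walk_through(pvid=2):
    """Host on an access port with PVID 2 sends a priority tagged frame; the switch
    re-tags it with VID 2 for the trunk. Returns (pcp, dei, vid) seen on the trunk."""
    on_trunk = forward_over_trunk(SAMPLE_PRIORITY_TAGGED, pvid)
    return parse_tag(on_trunk)[:3]
```

`walk_through()` returns `(5, 0, 2)`: the host's PCP 5 survives, VID 0 has been replaced by the access port's VLAN, and stripping the trunk tag again yields the original untagged frame.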

Isolated Port Interfaces

The system allows isolating ports by removing them from any VLAN membership. This has the added benefit of making them available for use as a layer-3 interface.

The figure below shows the factory default port assignments on the left, and an isolated port, or simply port interface, on the right:

.---------------------.                    .-----------------------.
|   Layer 2/3 Switch  |                    |    Layer 2/3 Switch   |
| .-----------------. |                    | .-------------------. |
| |     Routing     | | Network Interfaces | |      Routing      | |
| |                 | | (routing/mgmt/...) | |                   | |
| |      vlan1      | |                    | |     vlan1     eth9| |
| '--------+--------' |                    | '-------+---------+-' |
|          |          |                    |         |         |   |
| .--------+--------. |       VLANs        | .-------+-------. |   |
| |      Bridge     | |    (switching)     | |     Bridge    | |   |
| '+-+-+-+-+-+-+-+-+' |                    | '+-+-+-+-+-+-+-+' |   |
|  | | | | | | | | |  |                    |  | | | | | | | |  |   |
|  1 2 3 4 5 6 7 8 9  |   Ethernet ports   |  1 2 3 4 5 6 7 8  9   |
'--+-+-+-+-+-+-+-+-+--'                    '--+-+-+-+-+-+-+-+--+---'
   | | | | | | | | |                          | | | | | | | |  |
   | | | | | | | | |                          | | | | | | | |  |

Figure 10: Removing port 9 from VLAN 1 turns it into a port interface

Note

The bridge shown in the image exists both in the switching fabric and in the software stack. When a port is isolated it is removed from the software bridge, and in the switching fabric it is isolated from all other ports using device specific mechanisms similar to that used for implementing IEEE 802.1X port authentication.

An example of the port interface concept is shown in Figure 10. The steps to achieve this are as follows:

Switch:/#> configure 
Switch:/config/#> vlan 1
Switch:/config/vlan-1/#> no untagged eth9
Switch:/config/vlan-1/#> show untagged
U:eth1..eth8
Switch:/config/vlan-1/#> leave
Configuration activated.  Remember "copy run start" to save to flash (NVRAM).
Switch:/#>

Port eth9 can then be used as a regular network interface, e.g., one can assign an IP address to it.

Switch:/#> configure 
Switch:/config/#> iface eth9
Switch:/config/iface-eth9/#> inet static 192.168.2.1/24
Switch:/config/iface-eth9/inet-static-192.168.2.1/#> leave
Configuration activated.  Remember "copy run start" to save to flash (NVRAM).
Switch:/#>

With port interfaces, the half-bridge configuration for L2 SSL VPNs above could be simplified. Port 5 could be turned into a port interface, removing the need to create a second VLAN for the connection to the Internet.

             Alice
   .--------------------------.
   |    Layer 2/3 Switch      |
   |  .--------------------.  |
   |  | Routing/Tunnelling |  |
   |  |                    |  |  Network Interface
   |  | L2VPN----------.   |  |  (routing/tunneling/mgmt)
   |  | ssl0           |   |  |
   |  |  |             |   |  |
   |  |  |  vlan1    eth5  |  |
   |  '--|----+--------+---'  |
   | .---'    |        |      |
   | |  .-----+----.   |      |  VLANs
   | |  |   VLAN   |   |      |  (switching)
   | |  '+-+-+-+-+-'   |      |
   | |   | | | | |     |      |
   | '---' 1 2 3 4     5      |  Ethernet Ports
   '-------+-+-+-+-----+------'
           | | | |     |
           | | | |     '-----> (towards Internet)
         LAN (A-side)

Figure 11: Use of port interface removes the need for a second VLAN

Compare this with Figure 8, above.

Oper and Admin Status

A VLAN is by default configured as enabled, i.e., its administrative status is enabled or up. The VLAN’s operational status will be up if:

  • it is enabled (administratively enabled), and
  • at least one of the associated ports has operational status up.

An example of how to disable a VLAN is shown below.

Switch:/#> configure 
Switch:/config/#> vlan 2
Switch:/config/vlan-2/#> no enable
Switch:/config/vlan-2/#> leave
Configuration activated.  Remember "copy run start" to save to flash (NVRAM).
Switch:/#>

Note

A VLAN which is disabled (administratively down), will not forward packets between its associated ports, even if those ports are up.

Configuration

Individual VLANs

Individual VLAN configuration is accessed from the global configuration context. When creating a VLAN the VID must be in the range 1-4095. For example to configure VLAN 10:

example:/#> configure
example:/config/#> vlan 10
Creating new VLAN vid:10 with name: vlan10
example:/config/vlan-10/#>

To remove a configured VLAN the following command can be executed:

example:/#> configure
example:/config/#> no vlan 10

Syntax

[no] enable

Enable, or disable this VLAN.

  no        Disable the VLAN.

[no] name <STRING>

Set a name, or description, of the VLAN.

  no        Remove the configured name.
  STRING    Free-form string representation of the name.

[no] tagged [PORT | PORT..PORT | PORT,PORT | all]

Set tagged ports for the VLAN.

Note

A port can be configured tagged in multiple VLANs. However, a port cannot be associated both tagged and untagged in the same VLAN. Configuring a port as tagged automatically removes any untagged configuration for the port on that VLAN.

Warning

Be extra careful when configuring VLANs remotely!

Example:

example:/config/vlan-10/#> tagged eth1, eth10..eth12

  no        Remove all configured ports.
  PORT      Name of a port, example: eth1, ssl1, lag1.

[no] untagged [PORT | PORT..PORT | PORT,PORT | all]

Set untagged ports for the VLAN.

Note

A port can only be configured untagged for one specific VLAN at a time. When configuring a port as untagged on a VLAN the system automatically moves it from any other VLAN it was untagged in. Configuring a port as untagged automatically removes any tagged configuration for the port in that VLAN.

Warning

Be extra careful when configuring VLANs remotely!

Example:

example:/config/vlan-10/#> untagged eth1, eth10..eth12

  no        Remove all configured ports.
  PORT      Name of a port, example: eth1, ssl1, lag1.

[no] forbid [PORT | PORT..PORT | PORT,PORT | all]

Set forbidden ports; only applicable when dynamic VLANs are active.

  no        Remove all configured ports.
  PORT      Name of a port, example: eth1, ssl1, lag1.

[no] multicast-snooping

Enable, or disable, IGMP/MLD snooping for this VLAN interface.

  no        Disable IGMP/MLD snooping.

General VLAN settings

General VLAN configuration is accessed from the global configuration context and applies to all individual VLANs. It can be accessed in the following manner:

example:/#> configure
example:/config/#> vlans
example:/config/vlans/#>

Syntax

[no] vlan-iface-mac-mode [base-mac | port-inherit-lbit]

Set the default MAC assignment mode for all VLAN interfaces. This command changes how MAC addresses are assigned to VLAN interfaces; the setting applies to all VLANs on the device.

Default: base-mac

  no                 Revert to the default setting.
  base-mac           The MAC address of every VLAN interface is the same as the base MAC address of the unit.
  port-inherit-lbit  Generate a locally administered address based on the ports that constitute the VLAN. Candidate port addresses are considered in the following order:

    1. A globally administered address is preferred over a locally administered address.

    2. An address belonging to an untagged member of the VLAN is preferred over one belonging to a tagged member.

    3. A lower address is preferred over a higher one.

This assignment mode is useful when interoperating with networking equipment that does not support independent VLAN learning (IVL), as it typically generates a distinct address for each VLAN.
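
The three-step preference order for port-inherit-lbit, as an added Python example that is not part of this page or the switch software. It ranks the member ports of a VLAN exactly by the rules above (globally administered before locally administered, untagged member before tagged member, then lowest address) and returns the inherited address. The final step, setting the locally administered (L) bit on the chosen address, is an assumption read from the mode's name, and the port addresses are constructed.

```python
"""Address selection under vlan-iface-mac-mode port-inherit-lbit. Constructed
example, not the switch's implementation."""


def is_locally_administered(mac):
    """The U/L bit is bit 1 of the first octet: 1 = locally administered."""
    return bool(mac[0] & 0x02)


def choose_base_mac(port_macs, untagged, tagged):
    """Pick the member port whose address the VLAN interface inherits.
    port_macs: {port: 6-byte MAC}; untagged/tagged: sets of member port names."""
    members = [p for p in port_macs if p in untagged or p in tagged]
    if not members:
        raise ValueError("VLAN has no member ports")

    def rank(port):
        mac = port_macs[port]
        # Tuple order encodes the three rules; False sorts before True, then bytes compare.
        return (is_locally_administered(mac), port not in untagged, mac)

    return port_macs[min(members, key=rank)]


def vlan_iface_mac(port_macs, untagged, tagged):
    """Inherited address with the L bit set (assumed from the mode name), so the
    interface address differs from the port's own burned-in address."""
    base = choose_base_mac(port_macs, untagged, tagged)
    return bytes([base[0] | 0x02]) + base[1:]


def fmt(mac):
    return ":".join(f"{b:02x}" for b in mac)


# Constructed port addresses: eth1..eth4 and eth7 globally administered, eth5 already
# locally administered; eth7 has the numerically lowest address of all.
PORT_MACS = {
    "eth1": bytes.fromhex("00077c000011"),
    "eth2": bytes.fromhex("00077c000012"),
    "eth3": bytes.fromhex("00077c000013"),
    "eth4": bytes.fromhex("00077c000014"),
    "eth5": bytes.fromhex("02077c000001"),
    "eth7": bytes.fromhex("00077c000001"),
}


def example():
    """VLAN 1: eth1-eth3 untagged, eth7 tagged. VLAN 2: eth4, eth5 untagged, eth7 tagged.
    Returns the two interface addresses, which come out distinct."""
    v1 = vlan_iface_mac(PORT_MACS, {"eth1", "eth2", "eth3"}, {"eth7"})
    v2 = vlan_iface_mac(PORT_MACS, {"eth4", "eth5"}, {"eth7"})
    return fmt(v1), fmt(v2)
```

In `example()` VLAN 1 inherits from eth1 and VLAN 2 from eth4: eth7 has the lowest address but is only a tagged member, and eth5 is skipped in VLAN 2 because its address is already locally administered. A switch that learns MACs without IVL therefore sees two different source addresses for the two VLAN interfaces.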

Status Overview

In order to see all VLANs that have been configured on the system, the following command can be executed from the exec context in the CLI:

example:/#> show vlan
VID  NAME             OPER UNTAGGED/TAGGED                                    
   1 vlan1            UP   U:eth0..eth6
                           T:
   2 vlan10           UP   U:eth7
                           T: