# VLAN Configuration Guide
## Introduction

Ethernet is a data network communication technology based on CSMA/CD (Carrier Sense Multiple Access/Collision Detection) over a shared communication medium. When the number of hosts is high, this leads to serious collisions, broadcast flooding, significant performance degradation and even network unavailability. Although interconnecting LANs through switches solves the collision problem, it still cannot isolate broadcast packets or improve the quality of the network. VLAN (Virtual Local Area Network) is a communication technology that logically divides one physical LAN into multiple broadcast domains. Hosts within a VLAN communicate directly, hosts in different VLANs do not, so broadcast packets are confined to a single VLAN.

## Basic Concepts

Users in different VLANs cannot communicate with each other at Layer 2, but Layer 3 communication between VLANs can be achieved by configuring VLAN interfaces on the switch. A VLAN interface is a Layer 3 virtual interface that does not exist as a physical entity on the switch. Each VLAN corresponds to one VLAN interface. Once an IP address is configured on the VLAN interface, that address can be used as the gateway address by devices within the VLAN, and IP-based Layer 3 forwarding is performed for packets that need to cross network segments.

### VLAN Tag

The VLAN tag is the unique identifier of a VLAN, also known as the 802.1Q tag.

### Interface Type

Whether an interface can be assigned to more than one VLAN depends on the link type and the interface type. Depending on how VLAN frames are identified, interfaces are divided into three types: access, trunk and hybrid.

Table 1: Access, trunk and hybrid

| Interface type | Connecting device | Number of VLANs that can be specified |
|---|---|---|
| Access | Hosts | 1 |
| Trunk | Switches or routers | 1-4094 |
| Hybrid | Hosts, switches, routers | Access link: 1; trunk link: 1-4094 |

Notes: Hosts can only forward untagged packets. Tagged packets are transmitted both within and between switches.

The interface type of this series of switches is similar to a hybrid port: an interface can be added to one VLAN or to multiple VLANs. Currently there is no command to specify the interface type; the type of a port is distinguished only by the number of VLANs the interface belongs to. When an interface is added to only one VLAN, it is considered an access interface; when it is added to multiple VLANs, it is considered a trunk interface.

### Classification

We use the simplest and most intuitive way to divide VLANs: by interface. VLAN members are defined according to the interfaces of the switch. After an interface is added to a VLAN, it can forward packets of that VLAN, so hosts within the VLAN can communicate directly (Layer 2 interworking), while hosts in different VLANs cannot, which confines broadcast packets to one VLAN.

### VID and PVID

VID refers to the VLAN ID. For example, if you create VLAN 100, every member port of that VLAN has a VID of 100 and can receive packets carrying tag 100.

PVID refers to the port-based VLAN ID. An interface can join multiple VLANs but can have only one PVID. When an interface receives a packet without a tag, the packet is tagged with the PVID and processed as a packet of that VLAN. When a physical port has a PVID, it must also have a VID equal to the PVID, and it must be an untagged member of that VID. For example, if a port is added to VLAN 100 in untagged mode and to VLAN 200 in tagged mode, the PVID of the port is 100.

Notes: The PVID is used only to tag untagged frames that the switch receives from outside; it plays no role when the switch forwards data internally. When two devices are connected, it is recommended to configure the PVID of the local port to be the same as the PVID of the peer port.

### Rules for Sending and Receiving Packets

The switch handles packets differently for different interface types, as shown in the table below.

Table 2: Rules for sending and receiving packets

| Interface type | Ingress: untagged packet | Ingress: tagged packet | Egress |
|---|---|---|---|
| Access | Accepted and tagged with the PVID | Received and processed if the VLAN tag equals the PVID of the port | Tag removed, then forwarded |
| Trunk | Accepted and tagged with the PVID | Received and processed if the VLAN tag is one the port permits, otherwise discarded | Tag removed if the VLAN tag equals the PVID of the port, otherwise forwarded tagged |
| Hybrid | Accepted and tagged with the PVID | Received and processed if the VLAN tag is one the port permits, otherwise discarded | Forwarded tagged if the VLAN is configured as tagged on the port, otherwise tag removed |

## VLAN Configuration

### VLAN Default Settings

The default settings of a VLAN interface are shown in the table below.

Table 3: VLAN default settings

| Parameter | Default value |
|---|---|
| MAC learning for VLAN interfaces | Enabled |
| MTU of the VLAN interface | 9216 bytes |
| Broadcast packet handling policy for VLAN interfaces | Flood |

### Configure VLAN

Table 4: Configure VLAN

| Purpose | Command | Description |
|---|---|---|
| Enter global configuration view | configure terminal | |
| Create a VLAN | vlan vlan-id | |
| Batch create VLANs | vlan range vlan-id | To create a continuous range, connect the starting and ending VLAN IDs with "-"; to create discontinuous VLANs, separate the IDs with "," |

Notes: This device supports 4096 VLANs. VLAN 0 and VLAN 4095 are reserved VLANs, VLAN 1 is the default VLAN and VLAN 4094 is dedicated to the high-availability routing policy scenario, so the range of VLAN IDs that users can create is 2-4093. Under standard circumstances, users cannot manually create or delete VLAN 1.
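Before moving on to member ports, the ingress and egress rules of Table 2 and the PVID behaviour described under "VID and PVID" can be checked on constructed frames. The following is an added example in Python, not code from this guide or from the switch software: a small model of a VLAN-aware switch that classifies untagged frames by PVID, discards tagged frames for VLANs the port does not carry, strips the tag on the untagged (PVID) VLAN at egress and keeps it on tagged VLANs, and learns MAC addresses and floods only within the ingress VLAN (the guide's default flood policy). The tag layout and the 0x8100 TPID follow IEEE 802.1Q; the port names, MAC addresses and VLAN numbers are made up for the example.

```python
"""Ingress/egress handling of 802.1Q frames on a VLAN-aware switch port (added example)."""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


@dataclass
class Port:
    name: str
    pvid: Optional[int] = None                        # VLAN given to untagged ingress frames
    untagged: Set[int] = field(default_factory=set)   # VLAN sent without a tag (at most one)
    tagged: Set[int] = field(default_factory=set)     # VLANs sent with a tag

    def __post_init__(self) -> None:
        # Guide rules: one untagged VLAN per port, and that VLAN is the PVID.
        if len(self.untagged) > 1:
            raise ValueError(f"{self.name}: untagged in more than one VLAN")
        if self.untagged & self.tagged:
            raise ValueError(f"{self.name}: a VLAN cannot be both tagged and untagged")
        if self.pvid is not None and self.untagged != {self.pvid}:
            raise ValueError(f"{self.name}: PVID {self.pvid} must be the untagged VLAN")

    def member_of(self, vid: int) -> bool:
        return vid in self.untagged or vid in self.tagged


def parse_frame(frame: bytes) -> Tuple[bytes, bytes, Optional[int], int, bytes]:
    """Split an Ethernet frame into (dst, src, vid or None, ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        tci, inner = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, inner, frame[18:]   # low 12 bits of the TCI are the VID
    return dst, src, None, ethertype, frame[14:]


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build a frame, inserting an 802.1Q tag when vid is given (no padding or FCS)."""
    if vid is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    tci = (pcp << 13) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def ingress(port: Port, frame: bytes) -> Optional[int]:
    """Table 2 ingress: the VLAN the frame is classified into, or None if it is dropped."""
    vid = parse_frame(frame)[2]
    if vid is None:
        return port.pvid                               # untagged takes the PVID; no PVID -> drop
    return vid if port.member_of(vid) else None        # tagged: the port must carry that VLAN


def egress(port: Port, vid: int, frame: bytes) -> Optional[bytes]:
    """Table 2 egress: strip the tag on the untagged (PVID) VLAN, otherwise send it tagged."""
    if not port.member_of(vid):
        return None
    dst, src, _, ethertype, payload = parse_frame(frame)
    return build_frame(dst, src, ethertype, payload, vid=None if vid in port.untagged else vid)


class Switch:
    """MAC learning and flooding confined to the ingress VLAN."""

    def __init__(self, ports: List[Port]) -> None:
        self.ports: Dict[str, Port] = {p.name: p for p in ports}
        self.fdb: Dict[Tuple[int, bytes], str] = {}    # (vid, mac) -> port name

    def forward(self, in_port: str, frame: bytes) -> Dict[str, bytes]:
        """Return {port name: frame as transmitted} for every port the frame leaves on."""
        vid = ingress(self.ports[in_port], frame)
        if vid is None:
            return {}
        dst, src = parse_frame(frame)[:2]
        self.fdb[(vid, src)] = in_port                 # learn per VLAN, not globally
        known = self.fdb.get((vid, dst))
        if known == in_port:
            return {}                                  # destination sits behind the ingress port
        targets = [known] if known else [n for n in self.ports if n != in_port]
        out: Dict[str, bytes] = {}
        for name in targets:
            sent = egress(self.ports[name], vid, frame)
            if sent is not None:                       # ports outside the VLAN never see it
                out[name] = sent
        return out


if __name__ == "__main__":
    # Constructed topology: two host ports (untagged) and one trunk carrying both VLANs.
    sw = Switch([Port("Ethernet0", pvid=100, untagged={100}),
                 Port("Ethernet1", pvid=200, untagged={200}),
                 Port("Ethernet2", tagged={100, 200})])
    h1, bcast = bytes.fromhex("02000000aa01"), b"\xff" * 6
    arp = build_frame(bcast, h1, 0x0806, b"\x00" * 28)   # untagged broadcast from host 1
    for name, sent in sw.forward("Ethernet0", arp).items():
        print(name, "vid", parse_frame(sent)[2])         # only Ethernet2, tagged 100
```

Running the module shows the broadcast from Ethernet0 leaving only on the trunk, tagged 100; Ethernet1 (VLAN 200) never sees it, which is the isolation the guide describes. A trunk port with no PVID drops untagged frames, and a tagged frame for a VLAN the port does not carry is discarded at ingress, matching the Table 2 rules.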
Although this series currently does not enforce that restriction, it is recommended that VLAN 1 not be used as a management VLAN or a service VLAN.

### Configure VLAN Member Ports

Table 5: Configure VLAN member ports

| Purpose | Command | Description |
|---|---|---|
| Enter global configuration view | configure terminal | |
| Enter Ethernet interface view | interface ethernet interface-name | |
| Switch to Layer 2 interface mode | switchport | If the interface is in Layer 3 interface mode, switch it to Layer 2 interface mode first |
| Add a member port | switchport { trunk \| access } vlan vlan-id | |
| Batch add member ports | switchport trunk range vlan vlan-id | |

Note: A port can be joined to only one VLAN in untagged mode, but to multiple VLANs in tagged mode.

### Configure the IP Address of a VLAN Interface

Table 6: Configure the IP address of a VLAN interface

| Purpose | Command | Description |
|---|---|---|
| Enter global configuration view | configure terminal | |
| Enter VLAN interface view | interface vlan vlan-id | |
| Configure an IP address for the VLAN interface | ip address { A.B.C.D/M \| A::B/M } | IPv4: an address with a /32 mask is not allowed; /31 is allowed; with other masks, addresses whose host portion is all zeros or all ones are not allowed. IPv6: an address with a /127 or /128 mask is not allowed; with other masks, an all-zeros host portion is not allowed, but all ones is allowed |

### Configure the MTU of a VLAN Interface

Table 7: Configure the MTU of a VLAN interface

| Purpose | Command | Description |
|---|---|---|
| Enter global configuration view | configure terminal | |
| Enter VLAN interface view | interface vlan vlan-id | |
| Configure the MTU of the VLAN interface | mtu mtu | |

### Configure the MAC Address of a VLAN Interface

By default, the MAC address of an interface is assigned dynamically by the system or is the same as the MAC address of the switch. This series allows users to reconfigure the MAC address of physical interfaces, VLAN interfaces and link aggregation interfaces.

Table 8: Configure the MAC address of a VLAN interface

| Purpose | Command | Description |
|---|---|---|
| Enter global configuration view | configure terminal | |
| Enter VLAN interface view | interface vlan vlan-id | |
| Configure the MAC address of the VLAN interface | mac address HH:HH:HH:HH:HH:HH | MAC addresses are not case sensitive |

### Shut Down a VLAN Interface

Table 9: Shut down a VLAN interface

| Purpose | Command | Description |
|---|---|---|
| Enter global configuration view | configure terminal | |
| Enter VLAN interface view | interface vlan vlan-id | |
| Shut down the VLAN interface | shutdown | |

### Disable MAC Learning for a VLAN

Table 10: Disable MAC learning for a VLAN

| Purpose | Command | Description |
|---|---|---|
| Enter global configuration view | configure terminal | |
| Enter VLAN configuration view | vlan vlan-id | |
| Disable MAC learning for the VLAN | no mac address learning | |

### Display and Maintenance

Table 11: VLAN display and maintenance

| Purpose | Command |
|---|---|
| Display VLAN summary information | show vlan summary |
| Display information about a specific VLAN | show vlan vlan-id |
| Display information about all VLANs | show vlan all |
| Display VLAN interface counters | show counters vlan |

## Typical Configuration Examples

### Communication Between VLANs on the Same Device

Networking requirements: User 1 and User 2 belong to the same department of a company, but are in different VLANs and on different network segments. The requirement is that User 1 and User 2 can communicate with each other.

Topology

Procedure:

```
# Create the VLANs
sonic# configure terminal
sonic(config)# vlan 100
sonic(config-vlan-100)# ex
sonic(config)# vlan 200
sonic(config-vlan-200)# ex
# Add the interfaces to the VLANs (the hosts send untagged frames, so the ports join in access mode)
sonic(config)# interface ethernet 0/0
sonic(config-if-0/0)# switchport access vlan 100
sonic(config-if-0/0)# ex
sonic(config)# interface ethernet 0/1
sonic(config-if-0/1)# switchport access vlan 200
sonic(config-if-0/1)# ex
# Set the IP addresses of the VLAN interfaces
sonic(config)# interface vlan 100
sonic(config-vlanif-100)# ip address 100.0.0.1/24
sonic(config-vlanif-100)# ex
sonic(config)# interface vlan 200
sonic(config-vlanif-200)# ip address 200.0.0.1/24
sonic(config-vlanif-200)# ex
```

Verify the configuration:

```
sonic# show vlan summary
+-----------+--------------+-----------+----------------+-----------------------+
| VLAN ID   | IP Address   | Ports     | Port Tagging   | DHCP Helper Address   |
+===========+==============+===========+================+=======================+
| 100       | 100.0.0.1/24 | Ethernet0 | untagged       |                       |
+-----------+--------------+-----------+----------------+-----------------------+
| 200       | 200.0.0.1/24 | Ethernet1 | untagged       |                       |
+-----------+--------------+-----------+----------------+-----------------------+
```

With the VLAN interface address of their own VLAN configured as the default gateway, User 1 and User 2 can ping each other: the switch routes between the two VLANs at Layer 3.

### VLAN Communication Across Devices

Networking requirements: A company network has Device A connected to servers Server1 and Server2, belonging to Department 1 and Department 2 respectively, and Device B connected to users User 1 and User 2, belonging to Department 1 and Department 2 respectively. To ensure network communication security, the company requires that employees of each department can access only the servers of their own department. According to the VLAN communication principle (hosts in the same VLAN communicate directly, hosts in different VLANs are isolated at Layer 2 and can communicate only through Layer 3), User1 and Server1 are placed in one VLAN and User2 and Server2 in another, so that each department can reach only its own servers.

Note that this isolation holds only as long as there is no Layer 3 path between the two VLANs. Configuring IP addresses on the VLAN interfaces, as in the previous example, would let the switch route between the departments.

Topology

Procedure: configure Device A.

```
# Create the VLANs
sonic# configure terminal
sonic(config)# vlan 100
sonic(config-vlan-100)# ex
sonic(config)# vlan 200
sonic(config-vlan-200)# ex
# Add the server-facing interfaces to the VLANs as untagged members
sonic(config)# interface ethernet 0/1
sonic(config-if-0/1)# switchport access vlan 100
sonic(config-if-0/1)# ex
sonic(config)# interface ethernet 0/2
sonic(config-if-0/2)# switchport access vlan 200
sonic(config-if-0/2)# ex
# The link to Device B carries both VLANs as tagged members
sonic(config)# interface ethernet 0/0
sonic(config-if-0/0)# switchport trunk vlan 100
sonic(config-if-0/0)# switchport trunk vlan 200
sonic(config-if-0/0)# ex
```

Configure Device B in the same way, with its user-facing ports as untagged members of VLAN 100 and VLAN 200 and its link to Device A as a tagged member of both.

Configure the IP addresses: put User1 and Server1 on the same network segment, e.g. 192.168.100.0/24, and User2 and Server2 on the same network segment, e.g. 192.168.200.0/24.

Verify the configuration. Check the VLAN configuration:

```
sonic# show vlan summary
+-----------+--------------+---------+----------------+-------------+---------------+-----------------------+
| VLAN ID   | IP Address   | Ports   | Port Tagging   | Proxy ARP   | Description   | DHCP Helper Address   |
+===========+==============+=========+================+=============+===============+=======================+
| 100       |              | 0/0     | tagged         | disable     | N/A           |                       |
|           |              | 0/1     | untagged       |             |               |                       |
+-----------+--------------+---------+----------------+-------------+---------------+-----------------------+
| 200       |              | 0/0     | tagged         | disable     | N/A           |                       |
|           |              | 0/2     | untagged       |             |               |                       |
+-----------+--------------+---------+----------------+-------------+---------------+-----------------------+
```

On User1, pinging Server1 succeeds and pinging Server2 fails:

```
admin@user1:~$ ping 192.168.100.1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=2.49 ms
64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=0.464 ms
64 bytes from 192.168.100.1: icmp_seq=3 ttl=64 time=0.518 ms
64 bytes from 192.168.100.1: icmp_seq=4 ttl=64 time=0.531 ms
64 bytes from 192.168.100.1: icmp_seq=5 ttl=64 time=0.413 ms
64 bytes from 192.168.100.1: icmp_seq=6 ttl=64 time=3.82 ms
^C
--- 192.168.100.1 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5110ms
rtt min/avg/max/mdev = 0.413/1.371/3.819/1.317 ms
admin@user1:~$ ping 192.168.200.1
PING 192.168.200.1 (192.168.200.1) 56(84) bytes of data.
^C
--- 192.168.200.1 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3065ms
```

On User2, pinging Server1 fails and pinging Server2 succeeds:

```
admin@user2:~$ ping 192.168.200.1
PING 192.168.200.1 (192.168.200.1) 56(84) bytes of data.
64 bytes from 192.168.200.1: icmp_seq=1 ttl=64 time=2.61 ms
64 bytes from 192.168.200.1: icmp_seq=2 ttl=64 time=1.29 ms
64 bytes from 192.168.200.1: icmp_seq=3 ttl=64 time=4.33 ms
^C
--- 192.168.200.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 1.286/2.742/4.334/1.248 ms
admin@user2:~$ ping 192.168.100.1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
^C
--- 192.168.100.1 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3065ms
```
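The verification steps above read `show vlan summary` by eye. As an added example, not part of this guide or of the switch software, the following Python script parses output in that table format and checks it against the rules stated earlier: the user VLAN range 2-4093 and the reserved IDs 0, 1, 4094 and 4095, the `ip address` restrictions of Table 6, the rule that a port is untagged in at most one VLAN, and the advice not to use VLAN 1 as a management or service VLAN. It also expands the `vlan range` argument syntax ("-" for a span, "," between items) and rejects reserved IDs before they reach the device. The sample table is constructed to contain violations and is not real device output; the parser assumes the guide's column order (VLAN ID, IP Address, Ports, Port Tagging) and ignores any further columns.

```python
"""Audit VLAN state against the restrictions stated in this guide (added example)."""
import ipaddress
from typing import Dict, List, Optional

# VLAN IDs the guide says a user may not create; the configurable range is 2-4093.
RESERVED = {
    0: "reserved VLAN", 4095: "reserved VLAN",
    1: "default VLAN; not created or deleted by the user",
    4094: "reserved for the high-availability routing policy scenario",
}


def vlan_id_error(vid: int) -> Optional[str]:
    """Reason a user may not create this VLAN ID, or None if it is configurable."""
    if vid in RESERVED:
        return RESERVED[vid]
    return None if 2 <= vid <= 4093 else "outside the configurable range 2-4093"


def expand_vlan_range(spec: str) -> List[int]:
    """Expand a 'vlan range' argument ('-' spans a range, ',' separates items)."""
    vids: List[int] = []
    for item in spec.split(","):
        lo, _, hi = item.strip().partition("-")
        start, end = int(lo), int(hi or lo)
        if end < start:
            raise ValueError(f"bad range {item.strip()!r}")
        vids.extend(range(start, end + 1))
    for vid in vids:                      # reject reserved IDs before sending the command
        err = vlan_id_error(vid)
        if err:
            raise ValueError(f"VLAN {vid}: {err}")
    return sorted(set(vids))


def address_error(addr: str) -> Optional[str]:
    """Apply the Table 6 'ip address' restrictions; None means the address is acceptable."""
    iface = ipaddress.ip_interface(addr)
    plen = iface.network.prefixlen
    host_bits = int(iface.ip) - int(iface.network.network_address)
    all_ones = (1 << (iface.max_prefixlen - plen)) - 1
    if iface.version == 4:
        if plen == 32:
            return "/32 not allowed"
        if plen == 31:
            return None                   # both addresses of an IPv4 /31 are usable
        if host_bits == all_ones:
            return "host portion all ones"
    elif plen >= 127:
        return f"/{plen} not allowed"
    if host_bits == 0:                    # IPv6 all-ones host portion is allowed, all-zeros is not
        return "host portion all zeros"
    return None


def parse_vlan_summary(text: str) -> Dict[int, dict]:
    """Parse 'show vlan summary' into {vid: {"ip": [...], "ports": {port: tagging}}}.

    Continuation rows (further ports of the same VLAN) leave the VLAN ID cell empty.
    """
    vlans: Dict[int, dict] = {}
    current: Optional[int] = None
    for line in text.splitlines():
        if not line.lstrip().startswith("|"):
            continue                      # border rows start with '+'
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        vid, ip, port, tagging = cells[:4]
        if vid.lower() == "vlan id":
            continue                      # header row
        if vid:
            current = int(vid)
            vlans.setdefault(current, {"ip": [], "ports": {}})
        if current is None:
            raise ValueError("port row before any VLAN row")
        if ip:
            vlans[current]["ip"].append(ip)
        if port:
            vlans[current]["ports"][port] = tagging.lower()
    return vlans


def audit(vlans: Dict[int, dict]) -> List[str]:
    """Return findings: VLAN 1 in use, reserved IDs, bad addresses, ports untagged twice."""
    findings: List[str] = []
    untagged_in: Dict[str, List[int]] = {}
    for vid, info in sorted(vlans.items()):
        if vid == 1:
            if info["ports"]:
                findings.append("VLAN 1 has member ports; do not use the default VLAN "
                                "as a management or service VLAN")
        elif vlan_id_error(vid):
            findings.append(f"VLAN {vid}: {vlan_id_error(vid)}")
        for addr in info["ip"]:
            err = address_error(addr)
            if err:
                findings.append(f"VLAN {vid} address {addr}: {err}")
        for port, tagging in info["ports"].items():
            if tagging == "untagged":
                untagged_in.setdefault(port, []).append(vid)
    for port, vids in sorted(untagged_in.items()):
        if len(vids) > 1:
            findings.append(f"port {port} is untagged in VLANs {vids}; "
                            "a port can be untagged (PVID) in one VLAN only")
    return findings


# Constructed sample in the guide's output format, deliberately containing violations.
SAMPLE = """\
+-----------+--------------+---------+----------------+
| VLAN ID   | IP Address   | Ports   | Port Tagging   |
+===========+==============+=========+================+
| 1         |              | 0/3     | untagged       |
+-----------+--------------+---------+----------------+
| 100       | 100.0.0.1/24 | 0/0     | tagged         |
|           |              | 0/1     | untagged       |
+-----------+--------------+---------+----------------+
| 200       | 200.0.0.0/24 | 0/0     | tagged         |
|           |              | 0/1     | untagged       |
+-----------+--------------+---------+----------------+
"""

if __name__ == "__main__":
    for finding in audit(parse_vlan_summary(SAMPLE)):
        print("-", finding)
```

On the sample the audit reports three findings: VLAN 1 carrying a member port, the all-zeros host address 200.0.0.0/24 on VLAN 200, and port 0/1 untagged in both VLAN 100 and VLAN 200. Run against real output it is a quick pre-change check that a configuration to be pushed, or the state left by a previous operator, respects the rules the guide sets out.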
