Title | Size | Downloads |
---|---|---|
09-VLAN Configuration.pdf | 341.28 KB |
Table of Contents
Configuring Basic VLAN Settings
Configuring Basic Settings of a VLAN Interface
Introduction to Port-Based VLAN
Assigning an Access Port to a VLAN
Assigning a Trunk Port to a VLAN
Assigning a Hybrid Port to a VLAN
Protocol-Based VLAN Configuration
Introduction to Protocol-Based VLAN
Configuring a Protocol-Based VLAN
IP Subnet-Based VLAN Configuration
Configuring an IP Subnet-Based VLAN
Displaying and Maintaining VLAN
Security Mode and Normal Mode of Voice VLANs
Setting a Port to Operate in Automatic Voice VLAN Assignment Mode
Configuring the Priority Trust Setting for Voice VLAN Traffic on an Interface
Setting a Port to Operate in Manual Voice VLAN Assignment Mode
Displaying and Maintaining Voice VLAN
Voice VLAN Configuration Examples
When configuring VLAN, go to these sections for information you are interested in:
- Configuring Basic VLAN Settings
- Configuring Basic Settings of a VLAN Interface
- Port-Based VLAN Configuration
- Protocol-Based VLAN Configuration
- Displaying and Maintaining VLAN
Introduction to VLAN
VLAN Overview
Ethernet is a network technology based on the Carrier Sense Multiple Access/Collision Detect (CSMA/CD) mechanism. As the medium is shared, collisions and excessive broadcasts cannot be avoided on an Ethernet. To address the issue, virtual LAN (VLAN) was introduced.
The idea is to break a LAN down into separate VLANs, that is, Layer 2 broadcast domains whereby frames are switched between ports assigned to the same VLAN. VLANs are isolated from each other at Layer 2. A VLAN is a bridging domain, and all broadcast traffic is contained within it, as shown in Figure 1-1.
A VLAN is logically divided on an organizational basis rather than on a physical basis. For example, all workstations and servers used by a particular workgroup can be connected to the same LAN, regardless of their physical locations.
VLAN technology delivers the following benefits:
1) Confining broadcast traffic within individual VLANs. This reduces bandwidth waste and improves network performance.
2) Improving LAN security. By assigning user groups to different VLANs, you can isolate them at Layer 2. To enable communication between VLANs, routers or Layer 3 switches are required.
3) Flexible virtual workgroup creation. As users from the same workgroup can be assigned to the same VLAN regardless of their physical locations, network construction and maintenance is much easier and more flexible.
VLAN Fundamentals
To enable a network device to identify frames of different VLANs, a VLAN tag field is inserted into the data link layer encapsulation.
The format of VLAN-tagged frames is defined in IEEE 802.1Q issued by IEEE in 1999.
In the header of a traditional Ethernet data frame, the field after the destination MAC address and the source MAC address is the Type field indicating the upper layer protocol type, as shown in Figure 1-2.
Figure 1-2 The format of a traditional Ethernet frame
IEEE 802.1Q inserts a four-byte VLAN tag after the DA&SA field, as shown in Figure 1-3.
Figure 1-3 The position and format of VLAN tag
A VLAN tag comprises four fields: tag protocol identifier (TPID), priority, canonical format indicator (CFI), and VLAN ID.
- The 16-bit TPID field with a value of 0x8100 indicates that the frame is VLAN-tagged.
- The 3-bit priority field indicates the 802.1p priority of the frame. For information about frame priority, refer to QoS Configuration in the QoS Volume.
- The 1-bit CFI field specifies whether the MAC addresses are encapsulated in the standard format when packets are transmitted across different media. Value 0 indicates that MAC addresses are encapsulated in the standard format; value 1 indicates that MAC addresses are encapsulated in a non-standard format. The field is 0 by default.
- The 12-bit VLAN ID field identifies the VLAN the frame belongs to. The VLAN ID range is 0 to 4095. As 0 and 4095 are reserved by the protocol, a VLAN ID actually ranges from 1 to 4094.
When receiving a frame, a network device handles the frame depending on whether the frame is VLAN tagged and the value of the VLAN tag, if any. For more information, refer to section Introduction to Port-Based VLAN.
- The Ethernet II encapsulation format is used here. Besides the Ethernet II encapsulation format, other encapsulation formats, including 802.2 LLC, 802.2 SNAP, and 802.3 raw, are also supported by Ethernet. The VLAN tag fields are also added to frames encapsulated in these formats for VLAN identification.
- For a frame with multiple VLAN tags, the device handles it according to its outer-most VLAN tag and transmits its inner VLAN tags as payload.
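The tag layout described above, decoded in Python. This is an added example, not part of the original document; it handles Ethernet II encapsulation only, and the frames, function names and field names are constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

TPID_8021Q = 0x8100  # TPID value that marks a frame as VLAN-tagged


@dataclass
class VlanTag:
    priority: int  # 3-bit 802.1p priority
    cfi: int       # 1-bit canonical format indicator
    vlan_id: int   # 12-bit VLAN ID

    @property
    def assignable(self) -> bool:
        # 0 and 4095 are reserved, so usable VLAN IDs are 1 to 4094
        return 1 <= self.vlan_id <= 4094


@dataclass
class ParsedFrame:
    dst: str
    src: str
    tags: List[VlanTag]      # outermost tag first
    ethertype: int           # Type field that follows the last tag
    payload: bytes           # bytes after that Type field
    after_outer_tag: bytes   # bytes after the outer tag (after DA/SA when untagged)

    @property
    def outer_tag(self) -> Optional[VlanTag]:
        # The device acts on this tag only; inner tags travel as payload.
        return self.tags[0] if self.tags else None


def _mac(raw: bytes) -> str:
    # Same notation as the device output, for example 0000-5600-0000
    digits = raw.hex()
    return "-".join(digits[i:i + 4] for i in range(0, 12, 4))


def parse_frame(frame: bytes) -> ParsedFrame:
    if len(frame) < 14:
        raise ValueError("frame is shorter than DA + SA + Type")
    offset = 12
    tags: List[VlanTag] = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame ends inside the Type/TPID field")
        (value,) = struct.unpack_from("!H", frame, offset)
        if value != TPID_8021Q:
            break  # value is the real Type field
        if len(frame) < offset + 4:
            raise ValueError("frame ends inside a VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append(VlanTag(tci >> 13, (tci >> 12) & 0x1, tci & 0x0FFF))
        offset += 4
    return ParsedFrame(
        dst=_mac(frame[:6]),
        src=_mac(frame[6:12]),
        tags=tags,
        ethertype=value,
        payload=frame[offset + 2:],
        after_outer_tag=frame[16:] if tags else frame[12:],
    )


def build_frame(dst: bytes, src: bytes, tags, ethertype: int, payload: bytes) -> bytes:
    """Build a sample frame; tags is a list of (priority, cfi, vlan_id), outermost first."""
    out = dst + src
    for priority, cfi, vlan_id in tags:
        out += struct.pack("!HH", TPID_8021Q, (priority << 13) | (cfi << 12) | vlan_id)
    return out + struct.pack("!H", ethertype) + payload


# Constructed sample frames (not captured traffic)
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("000056000000")
UNTAGGED = build_frame(DST, SRC, [], 0x0800, b"data")
TAGGED = build_frame(DST, SRC, [(5, 0, 100)], 0x0800, b"data")
STACKED = build_frame(DST, SRC, [(0, 0, 100), (0, 0, 2)], 0x0800, b"data")

if __name__ == "__main__":
    for name, raw in (("untagged", UNTAGGED), ("tagged", TAGGED), ("stacked", STACKED)):
        print(name, parse_frame(raw))
```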
Types of VLAN
You can implement VLAN based on:
- Port
- Protocol
- IP subnet
This chapter covers port-based VLAN, protocol-based VLAN, and IP-based VLAN. You can configure the three types of VLANs on a port at the same time. When determining to which VLAN a packet passing through the port should be assigned, the device looks up the VLANs in the default order of IP-based VLANs, protocol-based VLANs, and port-based VLANs.
Configuring Basic VLAN Settings
Follow these steps to configure basic VLAN settings:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Create VLANs | vlan { vlan-id1 [ to vlan-id2 ] \| all } | Optional. Use this command to create VLANs in bulk. |
Enter VLAN view | vlan vlan-id | Required. If the specified VLAN does not exist, this command creates the VLAN first. By default, only the default VLAN (that is, VLAN 1) exists in the system. |
Configure a name for the current VLAN | name text | Optional. By default, the name of a VLAN is its VLAN ID, VLAN 0001 for example. |
Configure the description of the current VLAN | description text | Optional. VLAN ID is used by default, VLAN 0001 for example. |
- As the default VLAN, VLAN 1 cannot be created or removed.
- You cannot manually create or remove VLANs reserved for special purposes.
- Dynamic VLANs cannot be removed with the undo vlan command.
- A VLAN with a QoS policy applied cannot be removed.
- A VLAN operating as a probe VLAN for remote port mirroring or an RRPP protected VLAN cannot be removed with the undo vlan command. To do that, remove the remote mirroring VLAN or RRPP protected VLAN configuration from it first.
Configuring Basic Settings of a VLAN Interface
For hosts of different VLANs to communicate, you must use a router or Layer 3 switch to perform Layer 3 forwarding. To achieve this, VLAN interfaces are used.
VLAN interfaces are virtual interfaces used for Layer 3 communication between different VLANs. They do not exist as physical entities on devices. For each VLAN, you can create one VLAN interface. You can assign the VLAN interface an IP address and specify it as the gateway of the VLAN to forward traffic destined for an IP network segment different from that of the VLAN.
Follow these steps to configure basic settings of a VLAN interface:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Create a VLAN interface and enter VLAN interface view | interface vlan-interface vlan-interface-id | Required. If the VLAN interface already exists, you enter its view directly. |
Assign an IP address to the VLAN interface | ip address ip-address { mask \| mask-length } [ sub ] | Optional. No IP address is assigned to any VLAN interface by default. |
Configure the description of the VLAN interface | description text | Optional. VLAN interface name is used by default, for example, Vlan-interface1 Interface. |
Bring up the VLAN interface | undo shutdown | Optional. By default, a VLAN interface is in the up state. In this case, the VLAN interface is up so long as one port in the VLAN is up and goes down if all ports in the VLAN go down. An administratively shut down VLAN interface, however, will be in the down state until you bring it up, regardless of how the state of the ports in the VLAN changes. |
Before creating a VLAN interface for a VLAN, create the VLAN first.
Port-Based VLAN Configuration
Introduction to Port-Based VLAN
Port-based VLANs group VLAN members by port. A port forwards traffic for a VLAN only after it is assigned to the VLAN.
Port link type
You can configure the link type of a port as access, trunk, or hybrid. The three link types use different VLAN tag handling methods. When configuring the link type of a port, note that:
- An access port can belong to only one VLAN. Usually, ports directly connected to PCs are configured as access ports.
- A trunk port can carry multiple VLANs to receive and send traffic for them. Except for traffic of the default VLAN, traffic that passes through a trunk port is VLAN tagged. Usually, ports connecting network devices are configured as trunk ports to allow members of the same VLAN to communicate with each other across multiple network devices.
- Like a trunk port, a hybrid port can carry multiple VLANs to receive and send traffic for them. Unlike a trunk port, a hybrid port allows traffic of all VLANs to pass through untagged. You can configure a port connected to a network device or user terminal as a hybrid port for access link connectivity or trunk connectivity.
Default VLAN
By default, VLAN 1 is the default VLAN for all ports. You can configure the default VLAN for a port as required.
Use the following guidelines when configuring the default VLAN on a port:
- Because an access port can join only one VLAN, its default VLAN is the VLAN to which it belongs and cannot be configured.
- Because a trunk or hybrid port can join multiple VLANs, you can configure a default VLAN for the port.
- You can use a nonexistent VLAN as the default VLAN for a hybrid or trunk port but not for an access port. Therefore, after you remove the VLAN that an access port resides in with the undo vlan command, the default VLAN of the port changes to VLAN 1. The removal of the VLAN specified as the default VLAN of a trunk or hybrid port, however, does not affect the default VLAN setting on the port.
- Do not set the voice VLAN as the default VLAN of a port in automatic voice VLAN assignment mode. Otherwise, the system displays an error message. For information about voice VLAN, refer to Voice VLAN Configuration.
- It is recommended that you set the same default VLAN ID for the local and remote ports.
- Ensure that a port is assigned to its default VLAN. Otherwise, when the port receives frames tagged with the default VLAN ID or untagged frames (including protocol packets such as STP BPDUs), the port filters out these frames.
Ports of different link types handle frames as follows:
Port type | Actions (in the inbound direction): untagged frame | Actions (in the inbound direction): tagged frame | Actions (in the outbound direction) |
---|---|---|---|
Access | Tag the frame with the default VLAN tag. | Receive the frame if its VLAN ID is the same as the default VLAN ID. Drop the frame if its VLAN ID is different from the default VLAN ID. | Remove the default VLAN tag and send the frame. |
Trunk | Check whether the default VLAN is permitted on the port. If yes, tag the frame with the default VLAN tag. If not, drop the frame. | Receive the frame if its VLAN is carried on the port. Drop the frame if its VLAN is not carried on the port. | Remove the tag and send the frame if the frame carries the default VLAN tag and the port belongs to the default VLAN. Send the frame without removing the tag if its VLAN is carried on the port but is different from the default one. |
Hybrid | Same as for a trunk port. | Same as for a trunk port. | Send the frame if its VLAN is carried on the port. The frame is sent with the VLAN tag removed or intact depending on your configuration with the port hybrid vlan command. This is true of the default VLAN. |
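The handling rules in the table above, written as a small Python model (an added example, not part of the original document). It assumes hybrid ports follow the trunk rules in the inbound direction, and uses the trunk from the configuration example in this chapter (default VLAN 100, VLANs 2, 6 through 50 and 100 permitted) to show why the default VLAN must be permitted and why both ends of a link should share it. Class, function and port names are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Port:
    link_type: str                                    # "access", "trunk" or "hybrid"
    pvid: int = 1                                     # default VLAN of the port
    permitted: Set[int] = field(default_factory=lambda: {1})
    untagged: Set[int] = field(default_factory=set)   # hybrid only: VLANs sent untagged


def ingress(port: Port, vid: Optional[int]) -> Optional[int]:
    """VLAN a received frame is placed in, or None if the frame is dropped.

    vid is None for an untagged frame.
    """
    if port.link_type == "access":
        if vid is None:
            return port.pvid
        return vid if vid == port.pvid else None
    # Trunk and hybrid ports share the inbound rules.
    if vid is None:
        return port.pvid if port.pvid in port.permitted else None
    return vid if vid in port.permitted else None


def egress(port: Port, vid: int) -> Optional[str]:
    """Return "untagged" or "tagged" for a frame of VLAN vid leaving the port.

    None means the port does not send the frame.
    """
    if port.link_type == "access":
        return "untagged" if vid == port.pvid else None
    if vid not in port.permitted:
        return None
    if port.link_type == "trunk":
        return "untagged" if vid == port.pvid else "tagged"
    return "untagged" if vid in port.untagged else "tagged"


def cross_link(sender: Port, receiver: Port, vid: int) -> Optional[int]:
    """VLAN a frame of VLAN vid ends up in after crossing one link, or None if lost."""
    how = egress(sender, vid)
    if how is None:
        return None
    return ingress(receiver, None if how == "untagged" else vid)


EXAMPLE_VLANS = {2, 100} | set(range(6, 51))

# Trunk as configured in this chapter's example: PVID 100, VLAN 1 removed.
DEVICE_A = Port("trunk", pvid=100, permitted=set(EXAMPLE_VLANS))
# Constructed misconfiguration: PVID set to 100 but VLAN 100 never permitted.
PVID_NOT_PERMITTED = Port("trunk", pvid=100, permitted=EXAMPLE_VLANS - {100})
# Constructed peer that kept the default PVID of 1.
PEER_PVID_1 = Port("trunk", pvid=1, permitted=EXAMPLE_VLANS | {1})
# Constructed access and hybrid ports.
ACCESS_10 = Port("access", pvid=10, permitted={10})
HYBRID = Port("hybrid", pvid=100, permitted={2, 100}, untagged={2, 100})

if __name__ == "__main__":
    print("untagged frame on Device A ->", ingress(DEVICE_A, None))
    print("untagged frame, PVID not permitted ->", ingress(PVID_NOT_PERMITTED, None))
    print("VLAN 100 across matching PVIDs ->", cross_link(DEVICE_A, DEVICE_A, 100))
    print("VLAN 100 across mismatched PVIDs ->", cross_link(DEVICE_A, PEER_PVID_1, 100))
```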
Assigning an Access Port to a VLAN
You can assign an access port to a VLAN in VLAN view, Layer 2 interface view, or port group view.
1) In VLAN view
Follow these steps to assign one or multiple access ports to a VLAN in VLAN view:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Enter VLAN view | vlan vlan-id | Required. If the specified VLAN does not exist, this command creates the VLAN first. |
Assign one or a group of access ports to the current VLAN | port interface-list | Required. By default, all ports belong to VLAN 1. |
2) In interface or port group view
Follow these steps to assign an access port (in Layer-2 interface view) or multiple access ports (in port group view) to a VLAN:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Enter interface view or port group view: Layer-2 Ethernet interface view | interface interface-type interface-number | Required. Use either command. In Layer-2 Ethernet interface view, the subsequent configurations apply to the current port. |
Enter interface view or port group view: Layer-2 aggregate interface view | interface bridge-aggregation interface-number | In Layer-2 aggregate interface view, the subsequent configurations apply to the Layer-2 aggregate interface and all its member ports. |
Enter interface view or port group view: port group view | port-group manual port-group-name | In port group view, the subsequent configurations apply to all ports in the port group. |
Configure the link type of the port or ports as access | port link-type access | Optional. The link type of a port is access by default. |
Assign the current access port(s) to a VLAN | port access vlan vlan-id | Optional. By default, all access ports belong to VLAN 1. |
Before assigning an access port to a VLAN, create the VLAN first.
Assigning a Trunk Port to a VLAN
A trunk port can carry multiple VLANs. You can assign it to a VLAN in interface view or port group view.
Follow these steps to assign a trunk port to one or multiple VLANs:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Enter interface view or port group view: Layer-2 Ethernet interface view | interface interface-type interface-number | Required. Use either command. In Layer-2 Ethernet interface view, the subsequent configurations apply to the current port. |
Enter interface view or port group view: Layer-2 aggregate interface view | interface bridge-aggregation interface-number | In Layer-2 aggregate interface view, the subsequent configurations apply to the Layer-2 aggregate interface and all its member ports. |
Enter interface view or port group view: port group view | port-group manual port-group-name | In port group view, the subsequent configurations apply to all ports in the port group. |
Configure the link type of the port or ports as trunk | port link-type trunk | Required |
Assign the trunk port(s) to the specified VLAN(s) | port trunk permit vlan { vlan-id-list \| all } | Required. By default, a trunk port carries only VLAN 1. |
Configure the default VLAN of the trunk port(s) | port trunk pvid vlan vlan-id | Optional. VLAN 1 is the default VLAN by default. |
- To change the link type of a port from trunk to hybrid or vice versa, you must set the link type to access first.
- After configuring the default VLAN for a trunk port, you must use the port trunk permit vlan command to configure the trunk port to allow packets from the default VLAN to pass through, so that the egress port can forward packets from the default VLAN.
- After you configure a command on a Layer-2 aggregate interface, the system starts applying the configuration to the aggregate interface and its aggregation member ports. If the system fails to do that on the aggregate interface, it stops applying the configuration to the aggregation member ports. If it fails to do that on an aggregation member port, it simply skips the port and moves to the next port.
Assigning a Hybrid Port to a VLAN
A hybrid port can carry multiple VLANs. You can assign it to a VLAN in Layer-2 Ethernet interface view or port group view.
Follow these steps to assign a hybrid port to one or multiple VLANs:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Enter interface view or port group view: Ethernet interface view | interface interface-type interface-number | Required. Use either command. In Layer-2 Ethernet interface view, the subsequent configurations apply to the current port. |
Enter interface view or port group view: Layer-2 aggregate interface view | interface bridge-aggregation interface-number | In Layer-2 aggregate interface view, the subsequent configurations apply to the Layer-2 aggregate interface and all its member ports. |
Enter interface view or port group view: port group view | port-group manual port-group-name | In port group view, the subsequent configurations apply to all ports in the port group. |
Configure the link type of the port(s) as hybrid | port link-type hybrid | Required |
Assign the hybrid port(s) to the specified VLAN(s) | port hybrid vlan vlan-id-list { tagged \| untagged } | Required. By default, a hybrid port allows only packets of VLAN 1 to pass through untagged. |
Configure the default VLAN of the hybrid port | port hybrid pvid vlan vlan-id | Optional. VLAN 1 is the default by default. |
- To change the link type of a port from trunk to hybrid or vice versa, you must set the link type to access first.
- Before assigning a hybrid port to a VLAN, create the VLAN first.
- After configuring the default VLAN for a hybrid port, you must use the port hybrid vlan command to configure the hybrid port to allow packets from the default VLAN to pass through, so that the egress port can forward packets from the default VLAN.
- After you configure a command on a Layer-2 aggregate interface, the system starts applying the configuration to the aggregate interface and its aggregation member ports. If the system fails to do that on the aggregate interface, it stops applying the configuration to the aggregation member ports. If it fails to do that on an aggregation member port, it simply skips the port and moves to the next port.
Protocol-Based VLAN Configuration
Introduction to Protocol-Based VLAN
Protocol-based VLANs are only applicable on hybrid ports.
In this approach, inbound packets are assigned to different VLANs based on their protocol types and encapsulation formats. The protocols that can be used for VLAN assignment include IP, IPX, and AppleTalk (AT). The encapsulation formats include Ethernet II, 802.3 raw, 802.2 LLC, and 802.2 SNAP.
A protocol-based VLAN is defined by a protocol template comprised of encapsulation format and protocol type. A port can be associated with multiple protocol templates. An untagged packet reaching a port associated with protocol-based VLANs will be processed as follows.
- If the packet matches a protocol template, the packet will be tagged with the VLAN tag corresponding to the protocol template.
- If the packet matches no protocol template, the packet will be tagged with the default VLAN ID of the port.
The port processes a tagged packet as it processes tagged packets of a port-based VLAN.
- If the port permits the VLAN ID of the packet to pass through, the port forwards the packet.
- If the port does not permit the VLAN ID of the packet to pass through, the port drops the packet.
This feature is mainly used to assign packets of the specific service type to a specific VLAN.
Configuring a Protocol-Based VLAN
Follow these steps to configure a protocol-based VLAN:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Enter VLAN view | vlan vlan-id | Required. If the specified VLAN does not exist, this command creates the VLAN first. |
Create a protocol template for the VLAN | protocol-vlan [ protocol-index ] { at \| ipv4 \| ipv6 \| ipx { ethernetii \| llc \| raw \| snap } \| mode { ethernetii etype etype-id \| llc { dsap dsap-id [ ssap ssap-id ] \| ssap ssap-id } \| snap etype etype-id } } | Required |
Exit VLAN view | quit | Required |
Enter interface view or port group view: Layer-2 Ethernet interface view | interface interface-type interface-number | Required. Use either command. In Layer-2 Ethernet interface view, the subsequent configurations apply to the current port. |
Enter interface view or port group view: Layer-2 aggregate interface view | interface bridge-aggregation interface-number | In Layer-2 aggregate interface view, the subsequent configurations apply to the Layer-2 aggregate interface and all its member ports. |
Enter interface view or port group view: port group view | port-group manual port-group-name | In port group view, the subsequent configurations apply to all ports in the port group. |
Configure the port link type as hybrid | port link-type hybrid | Required |
Configure current hybrid port(s) to permit the packets of the specified protocol-based VLANs to pass through | port hybrid vlan vlan-id-list { tagged \| untagged } | Required. By default, all hybrid ports permit packets of VLAN 1 to pass through only. |
Associate the hybrid port(s) with the specified protocol-based VLAN | port hybrid protocol-vlan vlan vlan-id { protocol-index [ to protocol-end ] \| all } | Required |
- Do not configure both the dsap-id and ssap-id arguments in the protocol-vlan command as 0xe0 or 0xff when configuring the user-defined template for llc encapsulation. Otherwise, the encapsulation format of the matching packets will be the same as that of the ipx llc or ipx raw packets respectively.
- When you use the mode keyword to configure a user-defined protocol template, do not set etype-id in ethernetii etype etype-id to 0x0800, 0x8137, 0x809b, or 0x86dd. Otherwise, the encapsulation format of the matching packets will be the same as that of the IPv4, IPX, AppleTalk, and IPv6 packets respectively.
- A protocol-based VLAN on a hybrid port can process only untagged inbound packets, whereas the voice VLAN in automatic mode on a hybrid port can process only tagged voice traffic. Therefore, do not configure a VLAN as both a protocol-based VLAN and a voice VLAN. For more information, refer to Voice VLAN Configuration.
- After you configure a command on a Layer-2 aggregate interface, the system starts applying the configuration to the aggregate interface and its aggregation member ports. If the system fails to do that on the aggregate interface, it stops applying the configuration to the aggregation member ports. If it fails to do that on an aggregation member port, it simply skips the port and moves to the next port.
IP Subnet-Based VLAN Configuration
Introduction
In this approach, packets are assigned to VLANs based on their source IP addresses and subnet masks. A port configured with IP subnet-based VLANs assigns a received untagged packet to a VLAN based on the source address of the packet.
This feature is used to assign packets from the specified network segment or IP address to a specific VLAN.
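The lookup order stated under Types of VLAN (IP subnet-based, then protocol-based, then port-based), applied to an untagged frame on a hybrid port. This is an added Python example, not part of the original document; it covers Ethernet II encapsulation only, takes the first matching subnet entry (an assumption, since the text does not say how overlapping subnets are resolved), and all names and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Ethernet II type values that the text pairs with the built-in templates
TEMPLATE_ETYPE = {"ipv4": 0x0800, "ipx": 0x8137, "at": 0x809B, "ipv6": 0x86DD}


@dataclass
class HybridPort:
    pvid: int
    permitted: set
    ip_subnet_vlans: List[Tuple[ipaddress.IPv4Network, int]] = field(default_factory=list)
    protocol_vlans: List[Tuple[str, int]] = field(default_factory=list)  # (template, VLAN)


def bind_subnet(port: HybridPort, subnet: str, vlan: int) -> None:
    """Associate an IP subnet or single address with a VLAN on the port."""
    net = ipaddress.ip_network(subnet, strict=False)
    if net.is_multicast:
        # The subnet or address bound to a VLAN cannot be multicast.
        raise ValueError(f"{subnet} is a multicast segment or address")
    port.ip_subnet_vlans.append((net, vlan))


def classify_untagged(port: HybridPort, ethertype: int,
                      src_ip: Optional[str] = None) -> Tuple[int, str]:
    """Return (VLAN, rule that chose it) for an untagged Ethernet II frame."""
    # 1. IP subnet-based VLANs: match on the source address
    if ethertype == TEMPLATE_ETYPE["ipv4"] and src_ip is not None:
        addr = ipaddress.ip_address(src_ip)
        for net, vlan in port.ip_subnet_vlans:
            if addr in net:
                return vlan, "ip-subnet"
    # 2. Protocol-based VLANs: match on the protocol template
    for template, vlan in port.protocol_vlans:
        if TEMPLATE_ETYPE[template] == ethertype:
            return vlan, "protocol"
    # 3. Port-based VLAN: fall back to the default VLAN of the port
    return port.pvid, "port"


def unpermitted_bindings(port: HybridPort) -> List[int]:
    """VLANs the port can assign frames to but does not permit.

    The configuration procedures mark the permit step (port hybrid vlan) as
    Required, so any VLAN listed here is an incomplete configuration.
    """
    bound = {vlan for _, vlan in port.ip_subnet_vlans}
    bound |= {vlan for _, vlan in port.protocol_vlans}
    bound.add(port.pvid)
    return sorted(bound - port.permitted)


def sample_port() -> HybridPort:
    # Constructed configuration: VLAN 400 is bound to IPX but never permitted.
    port = HybridPort(pvid=100, permitted={100, 200, 300})
    bind_subnet(port, "192.168.5.0/24", 200)
    port.protocol_vlans += [("ipv4", 300), ("ipx", 400)]
    return port


if __name__ == "__main__":
    p = sample_port()
    print(classify_untagged(p, 0x0800, "192.168.5.20"))
    print(classify_untagged(p, 0x0800, "10.1.1.1"))
    print(classify_untagged(p, 0x86DD))
    print("not permitted:", unpermitted_bindings(p))
```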
Configuring an IP Subnet-Based VLAN
This feature is only applicable on hybrid ports.
Follow these steps to configure an IP subnet-based VLAN:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Enter VLAN view | vlan vlan-id | — |
Associate an IP subnet with the current VLAN | ip-subnet-vlan [ ip-subnet-index ] ip ip-address [ mask ] | Required. The IP network segment or IP address to be associated with a VLAN cannot be a multicast network segment or a multicast address. |
Return to system view | quit | — |
Enter interface view or port group view: Layer-2 Ethernet interface view | interface interface-type interface-number | Required. Use either command. In Layer-2 Ethernet interface view, the subsequent configurations apply to the current port. |
Enter interface view or port group view: Layer-2 aggregate interface view | interface bridge-aggregation interface-number | In Layer-2 aggregate interface view, the subsequent configurations apply to the Layer-2 aggregate interface and all its member ports. |
Enter interface view or port group view: port group view | port-group manual port-group-name | In port group view, the subsequent configurations apply to all ports in the port group. |
Configure port link type as hybrid | port link-type hybrid | Required |
Configure the hybrid port(s) to permit the specified IP subnet-based VLANs to pass through | port hybrid vlan vlan-id-list { tagged \| untagged } | Required |
Associate the hybrid port(s) with the specified IP subnet-based VLAN | port hybrid ip-subnet-vlan vlan vlan-id | Required |
After you configure a command on a Layer-2 aggregate interface, the system starts applying the configuration to the aggregate interface and its aggregation member ports. If the system fails to do that on the aggregate interface, it stops applying the configuration to the aggregation member ports. If it fails to do that on an aggregation member port, it simply skips the port and moves to the next port.
Displaying and Maintaining VLAN
To do… | Use the command… | Remarks |
---|---|---|
Display VLAN information | display vlan [ vlan-id1 [ to vlan-id2 ] \| all \| dynamic \| reserved \| static ] | Available in any view |
Display VLAN interface information | display interface vlan-interface [ vlan-interface-id ] | Available in any view |
Display hybrid ports or trunk ports on the device | display port { hybrid \| trunk } | Available in any view |
Display protocol information and protocol indexes of the specified VLANs | display protocol-vlan vlan { vlan-id [ to vlan-id ] \| all } | Available in any view |
Display protocol-based VLAN information on specified interfaces | display protocol-vlan interface { interface-type interface-number [ to interface-type interface-number ] \| all } | Available in any view |
Display IP subnet-based VLAN information and IP subnet indexes of specified VLANs | display ip-subnet-vlan vlan { vlan-id [ to vlan-id ] \| all } | Available in any view |
Display the IP subnet-based VLAN information and IP subnet indexes of specified ports | display ip-subnet-vlan interface { interface-list \| all } | Available in any view |
Clear statistics on a port | reset counters interface [ interface-type [ interface-number ] ] | Available in user view |
The reset counters interface command can be used to clear statistics on a VLAN interface. For more information, refer to Ethernet Interface Commands in the Access Volume.
VLAN Configuration Example
Network requirements
- Device A connects to Device B through a trunk port Ethernet 1/0/1.
- The default VLAN ID of Ethernet 1/0/1 is 100.
- Ethernet 1/0/1 allows packets from VLAN 2, VLAN 6 through VLAN 50, and VLAN 100 to pass through.
Figure 1-4 Network diagram for port-based VLAN configuration
Configuration procedure
1) Configure Device A
# Create VLAN 2, VLAN 6 through VLAN 50, and VLAN 100.
<DeviceA> system-view
[DeviceA] vlan 2
[DeviceA-vlan2] quit
[DeviceA] vlan 100
[DeviceA-vlan100] vlan 6 to 50
Please wait... Done.
# Enter Ethernet 1/0/1 interface view.
[DeviceA] interface Ethernet 1/0/1
# Configure Ethernet 1/0/1 as a trunk port and configure its default VLAN ID as 100.
[DeviceA-Ethernet1/0/1] port link-type trunk
[DeviceA-Ethernet1/0/1] port trunk pvid vlan 100
# Configure Ethernet 1/0/1 to deny the packets of VLAN 1 (by default, the packets of VLAN 1 are permitted to pass through on all the ports).
[DeviceA-Ethernet1/0/1] undo port trunk permit vlan 1
# Configure Ethernet 1/0/1 to permit packets from VLAN 2, VLAN 6 through VLAN 50, and VLAN 100 to pass through.
[DeviceA-Ethernet1/0/1] port trunk permit vlan 2 6 to 50 100
Please wait... Done.
[DeviceA-Ethernet1/0/1] quit
[DeviceA] quit
2) Configure Device B as you configure Device A.
Verification
The configuration on Device B is verified in the same way as on Device A, so only Device A is shown here.
# Display the information about Ethernet 1/0/1 of Device A to verify the above configurations.
<DeviceA> display interface ethernet 1/0/1
Ethernet1/0/1 current state: UP
IP Packet Frame Type: PKTFMT_ETHNT_2, Hardware Address: 0000-5600-0000
Description: Ethernet1/0/1 Interface
Loopback is not set
Media type is twisted pair, Port hardware type is 100_BASE_TX
Unknown-speed mode, unknown-duplex mode
Link speed type is autonegotiation, link duplex type is autonegotiation
Flow-control is not enabled
The Maximum Frame Length is 1552
Broadcast MAX-ratio: 100%
Unicast MAX-ratio: 100%
Multicast MAX-ratio: 100%
Allow jumbo frame to pass
PVID: 100
Mdi type: auto
Link delay is 0(sec)
Port link-type: trunk
VLAN passing : 2, 6-50, 100
VLAN permitted: 2, 6-50, 100
Trunk port encapsulation: IEEE 802.1q
Port priority: 0
Last 300 seconds input: 0 packets/sec 0 bytes/sec
Last 300 seconds output: 0 packets/sec 0 bytes/sec
Input (total): 0 packets, 0 bytes
0 broadcasts, 0 multicasts
Input (normal): 0 packets, 0 bytes
0 broadcasts, 0 multicasts
Input: 0 input errors, 0 runts, 0 giants, 0 throttles
0 CRC, 0 frame, 0 overruns, 0 aborts
0 ignored, 0 parity errors
Output (total): 0 packets, 0 bytes
0 broadcasts, 0 multicasts, 0 pauses
Output (normal): 0 packets, 0 bytes
0 broadcasts, 0 multicasts, 0 pauses
Output: 0 output errors, 0 underruns, 0 buffer failures
0 aborts, 0 deferred, 0 collisions, 0 late collisions
0 lost carrier, 0 no carrier
The output above shows that:
- The port (Ethernet 1/0/1) is a trunk port.
- The default VLAN of the port is VLAN 100.
- The port permits packets of VLAN 2, VLAN 6 through VLAN 50, and VLAN 100 to pass through.
Therefore, the configuration is successful.
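The three checks above can be run against saved display interface output instead of being read by eye. The following Python script is an added example, not part of the original document or a vendor tool; the first sample is an excerpt of the output shown above, the second is constructed, and the function names are illustrative.

```python
import re
from typing import Dict, List, Set

# Lines of `display interface` output that describe the trunk's VLAN handling
FIELDS = {
    "link_type": re.compile(r"^[ \t]*Port link-type:[ \t]*(\S+)", re.M),
    "pvid": re.compile(r"^[ \t]*PVID:[ \t]*(\d+)", re.M),
    "permitted": re.compile(r"^[ \t]*VLAN permitted:[ \t]*(.+)$", re.M),
}


def expand_vlan_list(text: str) -> Set[int]:
    """Expand a list such as '2, 6-50, 100' into a set of VLAN IDs."""
    vlans: Set[int] = set()
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            low, high = part.split("-", 1)
            vlans.update(range(int(low), int(high) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_trunk_fields(output: str) -> Dict[str, object]:
    found = {}
    for name, pattern in FIELDS.items():
        match = pattern.search(output)
        if match is None:
            raise ValueError(f"field not found in output: {name}")
        found[name] = match.group(1).strip()
    return {
        "link_type": found["link_type"],
        "pvid": int(found["pvid"]),
        "permitted": expand_vlan_list(found["permitted"]),
    }


def audit_trunk(output: str, want_pvid: int, want_vlans: Set[int]) -> List[str]:
    """Compare a port's reported state with the intended trunk configuration."""
    port = parse_trunk_fields(output)
    findings = []
    if port["link_type"] != "trunk":
        findings.append(f"link type is {port['link_type']}, expected trunk")
    if port["pvid"] != want_pvid:
        findings.append(f"PVID is {port['pvid']}, expected {want_pvid}")
    if port["pvid"] not in port["permitted"]:
        # A port that is not assigned to its default VLAN filters out untagged
        # frames and frames tagged with the default VLAN ID.
        findings.append(f"PVID {port['pvid']} is not in the permitted list")
    extra = sorted(port["permitted"] - want_vlans)
    missing = sorted(want_vlans - port["permitted"])
    if extra:
        findings.append("unexpected VLANs permitted: " + ", ".join(map(str, extra)))
    if missing:
        findings.append("expected VLANs not permitted: " + ", ".join(map(str, missing)))
    return findings


WANT = expand_vlan_list("2, 6-50, 100")

# Excerpt of the verification output shown above
PAGE_OUTPUT = """\
PVID: 100
Mdi type: auto
Link delay is 0(sec)
Port link-type: trunk
VLAN passing : 2, 6-50, 100
VLAN permitted: 2, 6-50, 100
Trunk port encapsulation: IEEE 802.1q
"""

# Constructed output: VLAN 1 was left permitted and VLAN 100 was never added
CONSTRUCTED_BAD = """\
PVID: 100
Port link-type: trunk
VLAN permitted: 1-2, 6-50
"""

if __name__ == "__main__":
    for label, text in (("page", PAGE_OUTPUT), ("constructed", CONSTRUCTED_BAD)):
        print(label, audit_trunk(text, 100, WANT) or "OK")
```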
When configuring a voice VLAN, go to these sections for information you are interested in:
- Overview
- Displaying and Maintaining Voice VLAN
Overview
A voice VLAN is configured specially for voice traffic. After assigning the ports connecting to voice devices to a voice VLAN, you can configure quality of service (QoS) parameters for the voice traffic, thus improving transmission priority and ensuring voice quality.
A device determines whether a received packet is a voice packet by checking its source MAC address. A packet whose source MAC address complies with the voice device Organizationally Unique Identifier (OUI) address is regarded as voice traffic and assigned to the voice VLAN.
You can configure the OUI addresses in advance or use the default OUI addresses. Table 2-1 lists the default OUI address for each vendor’s devices.
Table 2-1 The default OUI addresses of different vendors
Number | OUI address | Vendor |
---|---|---|
1 | 0001-e300-0000 | Siemens phone |
2 | 0003-6b00-0000 | Cisco phone |
3 | 0004-0d00-0000 | Avaya phone |
4 | 00d0-1e00-0000 | Pingtel phone |
5 | 0060-b900-0000 | Philips/NEC phone |
6 | 00e0-7500-0000 | Polycom phone |
7 | 00e0-bb00-0000 | 3Com phone |
- In general, an OUI address is the first 24 bits of a MAC address (in binary format) and is a globally unique identifier assigned to a vendor by IEEE. The OUI addresses mentioned in this document, however, differ from that common meaning. They are used by the system to determine whether a received packet is a voice packet, and they are the results of the AND operation of the two arguments mac-address and oui-mask in the voice vlan mac-address command.
- You can remove the default OUI address of a device manually and then add new ones manually.
Voice VLAN Assignment Modes
A port can be assigned to a voice VLAN in one of the following two modes:
- In automatic mode, the system matches the source MAC addresses in the untagged packets sent when the IP phone is powered on against the OUI addresses. If a match is found, the system automatically assigns the port to the voice VLAN, issues ACL rules and configures the packet precedence. You can configure voice VLAN aging time on the device. The system will remove a port from the voice VLAN if no packet is received from the port after the aging time expires. The system assigns ports to and removes ports from a voice VLAN automatically.
- In manual mode, you should assign an IP phone connecting port to a voice VLAN manually. Then, the system matches the source MAC addresses in the packets against the OUI addresses. If a match is found, the system issues ACL rules and configures the packet precedence. In this mode, you assign ports to and remove ports from a voice VLAN manually.
- Both modes forward tagged packets according to their tags.
The following table lists the relationship among the port voice VLAN mode, the voice traffic type of an IP phone, and the port link type.
Table 2-2 Co-relation
Voice VLAN assignment mode | Voice traffic type | Port link type |
---|---|---|
Automatic mode | Tagged voice traffic | Access: not supported |
Automatic mode | Tagged voice traffic | Trunk: supported if the default VLAN of the connecting port exists and is not the voice VLAN and the connecting port belongs to the default VLAN |
Automatic mode | Tagged voice traffic | Hybrid: supported if the default VLAN of the connecting port exists and is not the voice VLAN and the traffic of the default VLAN is permitted to pass through the connecting port tagged |
Automatic mode | Untagged voice traffic | Access, trunk, hybrid: not supported |
Manual mode | Tagged voice traffic | Access: not supported |
Manual mode | Tagged voice traffic | Trunk: supported if the default VLAN of the connecting port exists and is not the voice VLAN and the connecting port belongs to the default VLAN |
Manual mode | Tagged voice traffic | Hybrid: supported if the default VLAN of the connecting port exists and is not the voice VLAN, and the traffic of the default VLAN is permitted to pass through the connecting port tagged |
Manual mode | Untagged voice traffic | Access: supported if the default VLAN of the connecting port is the voice VLAN |
Manual mode | Untagged voice traffic | Trunk: supported if the default VLAN of the connecting port is the voice VLAN and the voice VLAN is permitted to pass through the connecting port |
Manual mode | Untagged voice traffic | Hybrid: supported if the default VLAN of the connecting port is the voice VLAN and is permitted to pass through the connecting port untagged |
- If an IP phone sends tagged voice traffic and its connecting port is configured with 802.1X authentication and a guest VLAN, assign different VLAN IDs to the voice VLAN, the default VLAN of the connecting port, and the 802.1X guest VLAN.
- If an IP phone sends untagged voice traffic, you must configure the default VLAN of the connecting port as the voice VLAN for the voice VLAN feature to work. In this case, 802.1X authentication cannot be used.
- The default VLAN of every port is VLAN 1. You can use commands to configure the default VLAN of a port and to configure a port to permit a certain VLAN to pass through. For more information, refer to Port-Based VLAN Configuration.
- Use the display interface command to display the default VLAN of a port and the VLANs permitted to pass through the port.
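The conditions in Table 2-2 and the notes above can be checked before a port is configured. The following Python sketch is an added example, not vendor code; the Port model, its field names and the check_voice_vlan function are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    """Constructed model of a port; field names are assumptions of this sketch."""
    link_type: str                               # "access", "trunk" or "hybrid"
    pvid: int = 1                                # default VLAN (VLAN 1 unless changed)
    tagged: set = field(default_factory=set)     # VLANs permitted to pass tagged
    untagged: set = field(default_factory=set)   # VLANs permitted to pass untagged

def check_voice_vlan(port, mode, traffic, voice_vlan, existing_vlans, guest_vlan=None):
    """Apply Table 2-2. mode: "auto" or "manual"; traffic: "tagged" or "untagged".
    guest_vlan is the 802.1X guest VLAN, if one is configured on the port.
    Returns (supported, reason)."""
    if voice_vlan == 1 or voice_vlan not in existing_vlans:
        return False, "voice VLAN must be an existing VLAN other than VLAN 1"
    permitted = port.tagged | port.untagged
    if traffic == "tagged":
        if port.link_type == "access":
            return False, "access ports do not support tagged voice traffic"
        if port.pvid not in existing_vlans or port.pvid == voice_vlan:
            return False, "default VLAN must exist and differ from the voice VLAN"
        if port.link_type == "trunk" and port.pvid not in permitted:
            return False, "trunk port must belong to its default VLAN"
        if port.link_type == "hybrid" and port.pvid not in port.tagged:
            return False, "hybrid port must permit its default VLAN tagged"
        if guest_vlan is not None and len({voice_vlan, port.pvid, guest_vlan}) < 3:
            return False, "voice, default and 802.1X guest VLAN IDs must differ"
        return True, "ok"
    # Untagged voice traffic
    if mode == "auto":
        return False, "automatic mode does not support untagged voice traffic"
    if port.pvid != voice_vlan:
        return False, "default VLAN must be the voice VLAN"
    if port.link_type == "trunk" and voice_vlan not in permitted:
        return False, "trunk port must permit the voice VLAN"
    if port.link_type == "hybrid" and voice_vlan not in port.untagged:
        return False, "hybrid port must permit the voice VLAN untagged"
    return True, "ok"

if __name__ == "__main__":
    # Hybrid port, default VLAN 2, VLAN 2 permitted untagged, untagged phone traffic
    port = Port("hybrid", pvid=2, untagged={2})
    print(check_voice_vlan(port, "manual", "untagged", 2, {1, 2}))
    print(check_voice_vlan(port, "auto", "untagged", 2, {1, 2}))
```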
Security Mode and Normal Mode of Voice VLANs
Voice VLAN-enabled ports can operate in security mode or normal mode based on their inbound packet filtering mechanisms.
- Security mode: only voice packets whose source MAC addresses match the recognizable OUI addresses can pass through the voice VLAN-enabled inbound port. All non-voice packets are dropped, including authentication packets such as 802.1X authentication packets.
- Normal mode: both voice packets and non-voice packets are allowed to pass through a voice VLAN-enabled inbound port. Voice packets are forwarded according to the voice VLAN forwarding mechanism, whereas non-voice packets are forwarded according to the normal VLAN forwarding mechanism.
It is recommended not to transmit both voice packets and non-voice packets in a voice VLAN. If you must do so, make sure that the voice VLAN security mode is disabled.
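The OUI matching described in the note on OUI addresses and the security-mode and normal-mode filtering described above can be modeled in a few lines. This Python sketch is an added example, not device code; the function names are assumptions, the filter is a simplified model that looks only at the source MAC address, and the MAC addresses are the ones used in this document's automatic-mode example.

```python
def parse_mac(text):
    """Convert H-H-H notation ("0011-2200-0001") to a 48-bit integer."""
    digits = text.replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return int(digits, 16)

def format_mac(value):
    """Convert a 48-bit integer back to H-H-H notation."""
    digits = f"{value:012x}"
    return "-".join(digits[i:i + 4] for i in range(0, 12, 4))

def oui_entry(mac_address, oui_mask):
    """Stored OUI address = mac-address AND oui-mask."""
    mask = parse_mac(oui_mask)
    return parse_mac(mac_address) & mask, mask

def is_voice(src_mac, oui_table):
    """A packet is a voice packet if its masked source MAC equals a stored OUI."""
    src = parse_mac(src_mac)
    return any(src & mask == oui for oui, mask in oui_table)

def inbound_action(src_mac, oui_table, security_mode=True):
    """Simplified model of the inbound filter on a voice VLAN-enabled port."""
    if is_voice(src_mac, oui_table):
        return "forward in voice VLAN"
    return "drop" if security_mode else "forward by normal VLAN rules"

# Entries as typed in the automatic-mode example (full phone MAC plus mask)
OUI_TABLE = [
    oui_entry("0011-1100-0001", "ffff-ff00-0000"),  # IP phone A
    oui_entry("0011-2200-0001", "ffff-ff00-0000"),  # IP phone B
]

if __name__ == "__main__":
    print("stored OUIs:", [format_mac(oui) for oui, _ in OUI_TABLE])
    for label, mac in [("IP phone A", "0011-1100-0001"), ("PC A", "0022-1100-0002")]:
        for security in (True, False):
            mode = "security" if security else "normal"
            print(label, mac, mode, "->", inbound_action(mac, OUI_TABLE, security))
```

Because the match is made on the masked source MAC address only, a shorter mask widens the set of addresses treated as voice; keep each mask as specific as the deployed phones allow.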
Configuring a Voice VLAN
Configuration Prerequisites
Before configuring a VLAN as a voice VLAN, create the VLAN first. Note that you cannot configure VLAN 1 (the system-default VLAN) as a voice VLAN.
Setting a Port to Operate in Automatic Voice VLAN Assignment Mode
Follow these steps to set a port to operate in automatic voice VLAN assignment mode:
To do... | Use the command... | Remarks |
---|---|---|
Enter system view | system-view | — |
Set the voice VLAN aging time | voice vlan aging minutes | Optional. 1440 minutes by default. The voice VLAN aging time configuration is only applicable on ports in automatic voice VLAN assignment mode. |
Enable the voice VLAN security mode | voice vlan security enable | Optional. Enabled by default. |
Add a recognizable OUI address | voice vlan mac-address oui mask oui-mask [ description text ] | Optional. By default, each voice VLAN has default OUI addresses configured. Refer to Table 2-1 for the default OUI addresses of different vendors. |
Enter Layer-2 Ethernet interface view | interface interface-type interface-number | — |
Configure the port to operate in automatic voice VLAN assignment mode | voice vlan mode auto | Optional. Automatic voice VLAN assignment mode is enabled by default. The voice VLAN assignment modes on different ports are independent of one another. |
Enable voice VLAN on the port | voice vlan vlan-id enable | Required. Not enabled by default. |
- A protocol-based VLAN on a hybrid port can process only untagged inbound packets, whereas the voice VLAN in automatic mode on a hybrid port can process only tagged voice traffic. Therefore, do not configure a VLAN as both a protocol-based VLAN and a voice VLAN. For more information, refer to Protocol-Based VLAN Configuration.
- Do not configure the default VLAN of a port in automatic voice VLAN assignment mode as the voice VLAN.
Configuring the Priority Trust Setting for Voice VLAN Traffic on an Interface
In order to improve transmission quality of voice traffic, the device by default does not trust the priority carried in voice VLAN traffic and re-marks the priority of the traffic in the voice VLAN as follows:
- Set the CoS (802.1p) priority to 6.
- Set the DSCP value to 46.
You can tune the priority values marked for incoming voice VLAN traffic on an interface. Alternatively, you can configure the interface to trust and use the priority carried in incoming voice VLAN traffic instead.
Follow these steps to configure the priority trust setting for voice VLAN traffic on an interface:
To do... | Use the command... | Remarks |
---|---|---|
Enter system view | system-view | — |
Enter interface view | interface interface-type interface-number | — |
Set the priority trust setting on the interface: set the interface not to trust the priority carried in incoming voice VLAN traffic | voice vlan qos cos-value dscp-value | Optional. Use either command. By default, an interface does not trust the priority carried in incoming voice VLAN traffic, and the CoS precedence value and the DSCP value marked for voice VLAN traffic are 6 and 46 respectively. |
Set the priority trust setting on the interface: set the interface to trust the priority carried in incoming voice VLAN traffic | voice vlan qos trust | Optional. Use either command. |
- Configure the QoS priority trust mode and priority settings for voice VLAN traffic on an interface before enabling voice VLAN on the interface. If the configuration order is reversed, your priority trust setting will fail.
- The voice vlan qos cos-value dscp-value command and the voice vlan qos trust command overwrite each other; whichever is configured last takes effect.
Setting a Port to Operate in Manual Voice VLAN Assignment Mode
Follow these steps to set a port to operate in manual voice VLAN assignment mode:
To do... | Use the command... | Remarks |
---|---|---|
Enter system view | system-view | — |
Enable the voice VLAN security mode | voice vlan security enable | Optional. Enabled by default. |
Add a recognizable OUI address | voice vlan mac-address oui mask oui-mask [ description text ] | Optional. By default, each voice VLAN has default OUI addresses configured. Refer to Table 2-1 for the default OUI addresses of different vendors. |
Enter Layer-2 interface view | interface interface-type interface-number | — |
Configure the port to operate in manual voice VLAN assignment mode | undo voice vlan mode auto | Required. Disabled by default. |
Assign the port in manual voice VLAN assignment mode to the voice VLAN (access port) | Refer to Assigning an Access Port to a VLAN. | Use one of the three approaches. After you assign an access port to the voice VLAN, the voice VLAN becomes the default VLAN of the port automatically. |
Assign the port in manual voice VLAN assignment mode to the voice VLAN (trunk port) | Refer to Assigning a Trunk Port to a VLAN. | Use one of the three approaches. |
Assign the port in manual voice VLAN assignment mode to the voice VLAN (hybrid port) | Refer to Assigning a Hybrid Port to a VLAN. | Use one of the three approaches. |
Configure the voice VLAN as the default VLAN of the port (trunk port) | Refer to section Assigning a Trunk Port to a VLAN. | Optional. This operation is required for untagged inbound voice traffic and prohibited for tagged inbound voice traffic. |
Configure the voice VLAN as the default VLAN of the port (hybrid port) | Refer to Assigning a Hybrid Port to a VLAN. | Optional. This operation is required for untagged inbound voice traffic and prohibited for tagged inbound voice traffic. |
Enable voice VLAN on the port | voice vlan vlan-id enable | Required |
- You can configure different voice VLANs on different ports at the same time. However, one port can be configured with only one voice VLAN, and this voice VLAN must be a static VLAN that already exists on the device.
- Voice VLAN cannot be enabled on a port with Link Aggregation Control Protocol (LACP) enabled.
- To make voice VLAN take effect on a port that is enabled with voice VLAN and operates in manual voice VLAN assignment mode, you need to assign the port to the voice VLAN manually.
Displaying and Maintaining Voice VLAN
To do... | Use the command... | Remarks |
---|---|---|
Display the voice VLAN state | display voice vlan state | Available in any view |
Display the OUI addresses currently supported by system | display voice vlan oui | Available in any view |
Voice VLAN Configuration Examples
Automatic Voice VLAN Mode Configuration Example
Network requirements
As shown in Figure 2-1:
- The MAC address of IP phone A is 0011-1100-0001. The phone connects to a downstream device named PC A whose MAC address is 0022-1100-0002 and to Ethernet 1/0/1 on an upstream device named Device A.
- The MAC address of IP phone B is 0011-2200-0001. The phone connects to a downstream device named PC B whose MAC address is 0022-2200-0002 and to Ethernet 1/0/2 on Device A.
- Device A uses voice VLAN 2 to transmit voice packets for IP phone A and voice VLAN 3 to transmit voice packets for IP phone B.
Configure Ethernet 1/0/1 and Ethernet 1/0/2 to work in automatic voice VLAN assignment mode. In addition, if one of them has not received any voice packet in 30 minutes, the port is removed from the corresponding voice VLAN automatically.
Figure 2-1 Network diagram for automatic voice VLAN assignment mode configuration
Configuration procedure
# Create VLAN 2 and VLAN 3.
<DeviceA> system-view
[DeviceA] vlan 2 to 3
# Set the voice VLAN aging time to 30 minutes.
[DeviceA] voice vlan aging 30
# Since Ethernet 1/0/1 may receive both voice traffic and data traffic at the same time, to ensure the quality of voice packets and effective bandwidth use, configure voice VLANs to work in security mode, that is, configure the voice VLANs to transmit only voice packets. (Optional. By default, voice VLANs work in security mode.)
[DeviceA] voice vlan security enable
# Configure the allowed OUI addresses as MAC addresses prefixed by 0011-1100-0000 or 0011-2200-0000. In this way, Device A identifies packets whose MAC addresses match any of the configured OUI addresses as voice packets.
[DeviceA] voice vlan mac-address 0011-1100-0001 mask ffff-ff00-0000 description IP phone A
[DeviceA] voice vlan mac-address 0011-2200-0001 mask ffff-ff00-0000 description IP phone B
# Configure Ethernet 1/0/1 to operate in automatic voice VLAN assignment mode. (Optional. By default, a port operates in automatic voice VLAN assignment mode.)
[DeviceA] interface ethernet 1/0/1
[DeviceA-Ethernet1/0/1] voice vlan mode auto
# Configure Ethernet 1/0/1 as a hybrid port.
[DeviceA-Ethernet1/0/1] port link-type access
Please wait... Done.
[DeviceA-Ethernet1/0/1] port link-type hybrid
# Configure VLAN 2 as the voice VLAN for Ethernet 1/0/1.
[DeviceA-Ethernet1/0/1] voice vlan 2 enable
[DeviceA-Ethernet1/0/1] quit
# Configure Ethernet 1/0/2.
[DeviceA] interface ethernet 1/0/2
[DeviceA-Ethernet1/0/2] voice vlan mode auto
[DeviceA-Ethernet1/0/2] port link-type access
Please wait... Done.
[DeviceA-Ethernet1/0/2] port link-type hybrid
[DeviceA-Ethernet1/0/2] voice vlan 3 enable
Verification
# Display the OUI addresses, OUI address masks, and description strings supported currently.
<DeviceA> display voice vlan oui
Oui Address Mask Description
0001-e300-0000 ffff-ff00-0000 Siemens phone
0003-6b00-0000 ffff-ff00-0000 Cisco phone
0004-0d00-0000 ffff-ff00-0000 Avaya phone
0011-1100-0000 ffff-ff00-0000 IP phone A
0011-2200-0000 ffff-ff00-0000 IP phone B
00d0-1e00-0000 ffff-ff00-0000 Pingtel phone
0060-b900-0000 ffff-ff00-0000 Philips/NEC phone
00e0-7500-0000 ffff-ff00-0000 Polycom phone
00e0-bb00-0000 ffff-ff00-0000 3com phone
# Display the current states of voice VLANs.
<DeviceA> display voice vlan state
Maximum of Voice VLANs: 16
Current Voice VLANs: 2
Voice VLAN security mode: Security
Voice VLAN aging time: 30 minutes
Voice VLAN enabled port and its mode:
PORT VLAN MODE
-----------------------------------------------
Ethernet1/0/1 2 AUTO
Ethernet1/0/2 3 AUTO
Manual Voice VLAN Assignment Mode Configuration Example
Network requirements
- Create VLAN 2 and configure it as a voice VLAN permitting only voice traffic to pass through.
- The IP phones send untagged voice traffic. Configure Ethernet 1/0/1 as a hybrid port.
- Configure Ethernet 1/0/1 to operate in manual voice VLAN assignment mode. Configure Ethernet 1/0/1 to allow voice traffic with an OUI address of 0011-2200-0000, a mask of ffff-ff00-0000, and a description string test to be forwarded through the voice VLAN.
Figure 2-2 Network diagram for manual voice VLAN assignment mode configuration
Configuration procedure
# Configure the voice VLAN to operate in security mode. (Optional. A voice VLAN operates in security mode by default.)
<DeviceA> system-view
[DeviceA] voice vlan security enable
# Add a recognizable OUI address 0011-2200-0000.
[DeviceA] voice vlan mac-address 0011-2200-0000 mask ffff-ff00-0000 description test
# Create VLAN 2 and configure it as the voice VLAN.
[DeviceA] vlan 2
[DeviceA-vlan2] quit
# Configure Ethernet 1/0/1 to operate in manual voice VLAN assignment mode.
[DeviceA] interface ethernet 1/0/1
[DeviceA-Ethernet1/0/1] undo voice vlan mode auto
# Configure Ethernet 1/0/1 as a hybrid port.
[DeviceA-Ethernet1/0/1] port link-type access
Please wait... Done.
[DeviceA-Ethernet1/0/1] port link-type hybrid
# Configure the voice VLAN (VLAN 2) as the default VLAN of Ethernet 1/0/1 and configure Ethernet 1/0/1 to permit the voice traffic of VLAN 2 to pass through untagged.
[DeviceA-Ethernet1/0/1] port hybrid pvid vlan 2
[DeviceA-Ethernet1/0/1] port hybrid vlan 2 untagged
# Enable voice VLAN on Ethernet 1/0/1.
[DeviceA-Ethernet1/0/1] voice vlan 2 enable
Verification
# Display the OUI addresses, OUI address masks, and description strings supported currently.
<DeviceA> display voice vlan oui
Oui Address Mask Description
0001-e300-0000 ffff-ff00-0000 Siemens phone
0003-6b00-0000 ffff-ff00-0000 Cisco phone
0004-0d00-0000 ffff-ff00-0000 Avaya phone
0011-2200-0000 ffff-ff00-0000 test
00d0-1e00-0000 ffff-ff00-0000 Pingtel phone
0060-b900-0000 ffff-ff00-0000 Philips/NEC phone
00e0-7500-0000 ffff-ff00-0000 Polycom phone
00e0-bb00-0000 ffff-ff00-0000 3com phone
# Display the current voice VLAN state.
<DeviceA> display voice vlan state
Maximum of Voice VLANs: 16
Current Voice VLANs: 1
Voice VLAN security mode: Security
Voice VLAN aging time: 1440 minutes
Voice VLAN enabled port and its mode:
PORT VLAN MODE
-----------------------------------------------
Ethernet1/0/1 2 MANUAL