03-Layer 2 Configuration Guide

H3C WA Series Access Points Configuration Guides (R1507P09)-6W101
06-VLAN Configuration

Overview

Ethernet is a shared-media network based on the CSMA/CD mechanism. A LAN built by using Ethernet is both a collision domain and a broadcast domain. In a LAN with plenty of hosts, the LAN might be full of collisions and broadcasts. As a result, the LAN performance is degraded or even the LAN becomes unavailable. You can deploy bridges or Layer 2 switches in the LAN to reduce the collisions, but this cannot confine broadcasts. To address the issue, virtual LAN (VLAN) was introduced to break a LAN down into separate VLANs. Hosts in the same VLAN can directly communicate, and hosts of different VLANs cannot directly communicate. For example, hosts in VLAN 2 can communicate with each other, but cannot communicate with the hosts in VLAN 5. A VLAN is a broadcast domain, and contains all broadcast traffic within it, as shown in Figure 1.

Figure 1 A VLAN diagram

 

A VLAN is logically divided on an organizational basis rather than on a physical basis. For example, using VLAN, all workstations and servers that a particular workgroup uses can be assigned to the same VLAN, regardless of their physical locations.

VLAN technology delivers the following benefits:

·          Confining broadcast traffic within individual VLANs. This reduces bandwidth waste and improves network performance.

·          Improving LAN security. By assigning user groups to different VLANs, you can isolate them at Layer 2. To enable communication between VLANs, routers or Layer 3 switches are required.

·          Creating flexible virtual workgroups. Because users from the same workgroup can be assigned to the same VLAN regardless of their physical locations, network construction and maintenance are much easier and more flexible.

VLAN frame encapsulation

In order that a network device can identify frames of different VLANs, a VLAN tag field is inserted into the data link layer encapsulation.

The format of VLAN-tagged frames is defined in IEEE 802.1Q issued in 1999.

As shown in Figure 2, in the header of a traditional Ethernet data frame, the field after the destination MAC address and the source MAC address (DA&SA) field is the Type field, which indicates the upper layer protocol type.

Figure 2 Traditional Ethernet frame format

 

IEEE 802.1Q inserts a four-byte VLAN tag between the DA&SA field and the Type field to identify the VLAN information, as shown in Figure 3.

Figure 3 Position and format of VLAN tag

 

The fields of a VLAN tag are as follows:

·          TPID—The 16-bit TPID field indicates whether a frame is VLAN-tagged. By default, the TPID value is 0x8100, which indicates that the frame is VLAN-tagged. Device vendors can set the TPID to different values. For compatibility with such devices, set the TPID value on the device to the value that the vendor uses, so that the two sides recognize each other's tagged frames. The device determines whether a received frame carries a VLAN tag by checking the TPID value. If the TPID value of a frame is the configured value or 0x8100, the frame is considered a VLAN-tagged frame.

·          Priority—The 3-bit priority field indicates the 802.1p priority of the frame.

·          CFI—The 1-bit CFI field indicates whether the MAC addresses are encapsulated in standard format when packets are transmitted across different media. A value of 0 indicates that MAC addresses are encapsulated in standard format. A value of 1 indicates that MAC addresses are encapsulated in a non-standard format. The value of this field is 0 by default.

·          VLAN ID—The 12-bit VLAN ID field identifies the VLAN that the frame belongs to. The VLAN ID range is 0 to 4095. Because 0 and 4095 are reserved, a VLAN ID actually ranges from 1 to 4094.

A network device handles an incoming frame depending on whether the frame is VLAN tagged and the value of the VLAN tag, if any. For more information, see "Introduction to port-based VLAN."

Ethernet supports encapsulation formats Ethernet II, 802.3/802.2 LLC, 802.3/802.2 SNAP, and 802.3 raw. The Ethernet II encapsulation format is used here. For how the VLAN tag fields are added to frames encapsulated in these formats for VLAN identification, see related protocols and standards.

When a frame carrying multiple VLAN tags passes through, the device processes the frame according to its outer VLAN tag, and transmits the inner tags as payload.
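As an added illustration, not part of the H3C guide, the following Python code builds and parses 802.1Q-tagged Ethernet frames with the field layout described above: it checks the TPID against the accepted values, splits the TCI into priority, CFI and VLAN ID, flags the reserved IDs 0 and 4095, and, for a frame carrying several tags, interprets only the outer tag and leaves the inner tag in the payload. The frame bytes, the dummy payload and the alternative TPID 0x9100 are constructed sample values; the source MAC is the one from the MAC-based VLAN example later in this guide.

```python
import struct

DEFAULT_TPID = 0x8100          # IEEE 802.1Q tag protocol identifier
RESERVED_VIDS = (0, 4095)      # VLAN IDs reserved by the standard


def push_tag(frame, vid, priority=0, cfi=0, tpid=DEFAULT_TPID):
    """Insert a 4-byte VLAN tag between the DA&SA field and the Type field.

    Applying this to an already tagged frame stacks a new outer tag.
    """
    if not 0 <= vid <= 4095 or not 0 <= priority <= 7 or cfi not in (0, 1):
        raise ValueError("tag field out of range")
    tci = (priority << 13) | (cfi << 12) | vid
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]


def parse_frame(frame, accepted_tpids=(DEFAULT_TPID,)):
    """Split an Ethernet frame into addresses, outer VLAN tag, Type and payload.

    A frame is treated as tagged only if the 16 bits after DA&SA equal one of
    accepted_tpids (0x8100 or a vendor-specific value configured on the device).
    Inner tags of a multi-tagged frame are left in the payload untouched.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid in accepted_tpids:
        if len(frame) < 18:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid = tci & 0x0FFF
        tag = {"tpid": tpid, "priority": tci >> 13, "cfi": (tci >> 12) & 1,
               "vid": vid, "reserved": vid in RESERVED_VIDS}
        payload = frame[18:]
    else:
        tag, ethertype, payload = None, tpid, frame[14:]
    return {"dst": dst, "src": src, "tag": tag, "ethertype": ethertype, "payload": payload}


def pop_tag(frame, accepted_tpids=(DEFAULT_TPID,)):
    """Strip the outer tag, as a port does when it sends a frame untagged."""
    if parse_frame(frame, accepted_tpids)["tag"] is None:
        return frame
    return frame[:12] + frame[16:]


# Constructed sample frame: broadcast destination, source MAC taken from the
# guide's MAC-based VLAN example, IPv4 Type and a dummy 20-byte payload.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("000d88f84e71")
UNTAGGED = DST + SRC + struct.pack("!H", 0x0800) + bytes(20)
SINGLE = push_tag(UNTAGGED, 100, priority=5)      # VLAN 100, 802.1p priority 5
DOUBLE = push_tag(SINGLE, 10)                      # outer VLAN 10, inner VLAN 100
VENDOR = push_tag(UNTAGGED, 100, tpid=0x9100)      # constructed non-default TPID

if __name__ == "__main__":
    for name, f in (("untagged", UNTAGGED), ("single", SINGLE), ("double", DOUBLE)):
        p = parse_frame(f)
        print(name, p["tag"], hex(p["ethertype"]))
    # With only 0x8100 accepted the 0x9100 frame looks untagged; once 0x9100
    # is also accepted the VLAN ID is recovered.
    print(parse_frame(VENDOR)["tag"], parse_frame(VENDOR, (0x8100, 0x9100))["tag"]["vid"])
```

Parsing the double-tagged frame shows the behaviour stated above: the outer tag yields VLAN 10, the Type field reads as 0x8100 because it is the inner tag's TPID, and the inner TCI is the first two bytes of the payload. The 0x9100 case is the interoperability caveat from the TPID description: until that value is configured as an accepted TPID, the frame is classified as untagged.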

VLAN types

VLANs can be designed and implemented based on the following criteria:

·          Port

·          MAC address

·          Protocol

·          IP subnet

·          Policy

·          Other criteria

The device supports only port-based VLANs and MAC-based VLANs.

Protocols and standards

·          IEEE 802.1Q, IEEE Standards for Local and Metropolitan Area Networks: Virtual Bridged Local Area Networks

Configuring basic VLAN settings

Configuration restrictions and guidelines

·          The system default VLAN (VLAN 1) cannot be created or removed.

·          You cannot manually create or remove VLANs reserved for special purposes.

·          To remove a protocol reserved VLAN, management VLAN, dynamic VLAN, or VLAN with a QoS policy applied, remove the configuration from the VLAN first, and then execute the undo vlan command.

Configuration procedure

To configure basic VLAN settings:

 

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Create a VLAN and enter its view, or create VLANs in batch.
    Command: vlan { vlan-id1 [ to vlan-id2 ] }
    Remarks: Optional. By default, only the default VLAN (VLAN 1) exists in the system.

Step 3. Enter VLAN view.
    Command: vlan vlan-id
    Remarks: Required only when you create VLANs in bulk.

Step 4. Configure a name for the VLAN.
    Command: name text
    Remarks: Optional. The default name is VLAN vlan-id, where vlan-id is the ID of the VLAN. For example, the name of VLAN 100 is VLAN 0100 by default.

Step 5. Configure a description for the VLAN.
    Command: description text
    Remarks: Optional. The default description is VLAN vlan-id, where vlan-id is the ID of the VLAN. For example, the description of VLAN 100 is VLAN 0100 by default.

 

Configuring basic settings of a VLAN interface

VLAN interfaces are virtual interfaces that provide Layer 3 communication between hosts of different VLANs. They do not exist as physical entities on devices. For each VLAN, you can create one VLAN interface. You can assign the VLAN interface an IP address and specify that address as the gateway address for the devices in the VLAN, so that traffic can be routed to other IP subnets.

Configuration procedure

Before you create a VLAN interface for a VLAN, make sure the VLAN already exists.

To configure basic settings of a VLAN interface:

 

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Create a VLAN interface and enter VLAN interface view.
    Command: interface vlan-interface vlan-interface-id
    Remarks: If the specified VLAN interface already exists, you enter its view directly.

Step 3. Assign an IP address to the VLAN interface.
    Command: ip address ip-address { mask | mask-length } [ sub ]
    Remarks: Optional. By default, the IP address of VLAN-interface 1 is 192.168.0.50. No IP addresses are assigned to other VLAN interfaces.

Step 4. Configure the description of the VLAN interface.
    Command: description text
    Remarks: Optional. By default, the description of a VLAN interface is the VLAN interface name, for example, Vlan-interface1 Interface.

Step 5. Set the MTU for the VLAN interface.
    Command: mtu size
    Remarks: Optional. By default, the MTU is 1500 bytes.

Step 6. Restore the default settings for the VLAN interface.
    Command: default
    Remarks: Optional.

Step 7. Cancel the action of manually shutting down the VLAN interface.
    Command: undo shutdown
    Remarks: Optional. By default, a VLAN interface is not manually shut down. The VLAN interface is up if one or more ports in the VLAN are up, and goes down if all ports in the VLAN go down.

 

VLAN interface configuration example

Network requirements

As shown in Figure 4:

·          Client 1 and Client 2 connect to the network through an AP.

·          Client 1 is assigned to VLAN 5. Client 2 is assigned to VLAN 10.

·          The clients belong to different IP subnets and cannot communicate with each other.

Configure the AP, the one-arm router, and the clients to enable Layer 3 inter-VLAN communication between the clients.

Figure 4 Network diagram

 

Configuration procedure

1.        Configure the AP

# Create WLAN-BSS interfaces.

<AP> system-view

[AP] interface wlan-bss 1

[AP-WLAN-BSS1] quit

[AP] interface wlan-bss 2

[AP-WLAN-BSS2] quit

# Create VLAN 5 and assign WLAN-BSS 1 to it.


[AP] vlan 5

[AP-vlan5] port wlan-bss 1

# Create VLAN 10 and assign WLAN-BSS 2 to it.

[AP-vlan5] vlan 10

[AP-vlan10] port wlan-bss 2

[AP-vlan10] quit

# Create service template 1 for Client 1. Set the template type to clear and the SSID to service1. Configure open system authentication for the service template and enable the service template.

[AP] wlan service-template 1 clear

[AP-wlan-st-1] ssid service1

[AP-wlan-st-1] authentication-method open-system

[AP-wlan-st-1] service-template enable

[AP-wlan-st-1] quit

# Create service template 2 for Client 2. Set the template type to clear and the SSID to service2. Configure open system authentication for the service template and enable the service template.

[AP] wlan service-template 2 clear

[AP-wlan-st-2] ssid service2

[AP-wlan-st-2] authentication-method open-system

[AP-wlan-st-2] service-template enable

[AP-wlan-st-2] quit

# On WLAN-Radio 1/0/2, bind service template 1 to WLAN-BSS 1, and bind service template 2 to WLAN-BSS 2.

[AP] interface wlan-radio 1/0/2

[AP-WLAN-Radio1/0/2] radio-type dot11g

[AP-WLAN-Radio1/0/2] channel 6

[AP-WLAN-Radio1/0/2] service-template 1 interface WLAN-BSS 1

[AP-WLAN-Radio1/0/2] service-template 2 interface WLAN-BSS 2

[AP-WLAN-Radio1/0/2] quit

# Configure GigabitEthernet 1/0/1 as a trunk port and assign it to VLANs 5 and 10.


[AP] interface gigabitethernet 1/0/1

[AP-GigabitEthernet1/0/1] port link-type trunk

[AP-GigabitEthernet1/0/1] port trunk permit vlan 5 10

2.        Configure the router

# Create subinterface GigabitEthernet 1/0/1.1, configure it to terminate Dot1q packets with VLAN 5, and assign IP address 192.168.0.10/24 to the subinterface.

<Router> system-view

[Router] interface gigabitethernet 1/0/1.1

[Router-GigabitEthernet1/0/1.1] vlan-type dot1q vid 5

[Router-GigabitEthernet1/0/1.1] ip address 192.168.0.10 24

[Router-GigabitEthernet1/0/1.1] quit

# Create subinterface GigabitEthernet 1/0/1.2, configure it to terminate Dot1q packets with VLAN 10, and assign IP address 192.168.1.20/24 to the subinterface.

[Router] interface gigabitethernet 1/0/1.2

[Router-GigabitEthernet1/0/1.2] vlan-type dot1q vid 10

[Router-GigabitEthernet1/0/1.2] ip address 192.168.1.20 24

3.        Configure Client 1

Configure the default gateway of the PC as 192.168.0.10.

4.        Configure Client 2

Configure the default gateway of the PC as 192.168.1.20.

Verifying the configuration

# Verify that Client 1 can ping Client 2 successfully.

C:\Documents and Settings\Administrator>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Reply from 192.168.1.1: bytes=32 time<1ms TTL=128
Reply from 192.168.1.1: bytes=32 time<1ms TTL=128
Reply from 192.168.1.1: bytes=32 time<1ms TTL=128
Reply from 192.168.1.1: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Configuring port-based VLANs

Introduction to port-based VLAN

Port-based VLANs group VLAN members by port. A port forwards traffic for a VLAN only after it is assigned to the VLAN.

Port link type 

You can configure the link type of a port as access, trunk, or hybrid. The link types use the following VLAN tag handling methods:

·          Access port—Belongs to only one VLAN and sends traffic untagged. Access ports are usually used to connect a terminal device unable to identify VLAN-tagged packets, or are used when separating different VLAN members is unnecessary. As shown in Figure 5, Device A is connected to common PCs that cannot recognize VLAN-tagged packets, and you must configure Device A's ports that connect to the PCs as access ports.

·          Trunk port—Carries multiple VLANs to receive and send traffic for them. Traffic sent through a trunk port is VLAN-tagged, except traffic of the port VLAN ID (PVID), which is sent untagged. Usually, ports that connect network devices are configured as trunk ports. As shown in Figure 5, Device A and Device B need to transmit packets of VLAN 2 and VLAN 3, so you must configure the ports interconnecting Device A and Device B as trunk ports and assign them to VLAN 2 and VLAN 3.

·          Hybrid port—Allows traffic of some VLANs to pass through untagged and traffic of other VLANs to pass through tagged. Usually, hybrid ports are configured to connect devices whose support for VLAN-tagged packets you are uncertain about. As shown in Figure 5, Device C connects to a small-sized LAN in which some PCs belong to VLAN 2 and other PCs belong to VLAN 3, and Device B is uncertain whether Device C supports VLAN-tagged packets. On Device B, configure the port connecting to Device C as a hybrid port to allow packets from VLAN 2 and VLAN 3 to pass through untagged.

Figure 5 Network diagram

 

PVID 

By default, VLAN 1 is the port VLAN ID (PVID) for all ports. You can configure the PVID for a port as required.

When you configure the PVID on a port, use the following guidelines:

·          An access port can join only one VLAN. The VLAN to which the access port belongs is the PVID of the port.

·          A trunk or hybrid port can join multiple VLANs, and you can configure a PVID for the port.

·          You can use a nonexistent VLAN as the PVID for a hybrid or trunk port, but not for an access port. After you use the undo vlan command to remove the VLAN where an access port resides, the PVID of the port changes to VLAN 1. The removal of the VLAN specified as the PVID of a trunk or hybrid port, however, does not affect the PVID setting on the port.

·          H3C recommends that you set the same PVID for local and remote ports.

·          Make sure a port permits the traffic from its PVID to pass through. Otherwise, when the port receives frames tagged with the PVID or untagged frames, the port drops these frames.

Frame handling on a port 

The following table shows how ports of different link types handle frames:

 

Incoming untagged frame
    Access: Tags the frame with the PVID tag.
    Trunk or hybrid: Determines whether the PVID is permitted on the port. If yes, tags the frame with the PVID tag. If not, drops the frame.

Incoming tagged frame
    Access: Receives the frame if its VLAN ID is the same as the PVID. Drops the frame if its VLAN ID is different from the PVID.
    Trunk or hybrid: Receives the frame if its VLAN is permitted on the port. Drops the frame if its VLAN is not permitted on the port.

Outgoing frames
    Access: Removes the VLAN tag and sends the frame.
    Trunk: Removes the tag and sends the frame if the frame carries the PVID tag and the port belongs to the PVID. Sends the frame without removing the tag if its VLAN is carried on the port but is different from the PVID.
    Hybrid: Sends the frame if its VLAN is permitted on the port. The frame is sent with the VLAN tag removed or intact depending on your configuration with the port hybrid vlan command. This also applies to the PVID.
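As an added example (Python written for this page, not the H3C guide's own material), the following simulator encodes the three rows of the table above together with the PVID guidelines: ingress() classifies an incoming frame into a VLAN or drops it, egress() decides whether a frame leaves the port tagged or untagged, and pvid_permitted() is the check behind the guideline that a port must permit its PVID. The port names and VLAN sets follow the guide's configuration examples; the misconfigured trunk at the end is constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Port:
    """VLAN membership state of one port.

    permitted: VLANs the port carries (for an access port, only its own VLAN).
    untagged:  VLANs a hybrid port sends untagged (port hybrid vlan ... untagged).
    """
    name: str
    link_type: str                       # "access", "trunk" or "hybrid"
    pvid: int = 1
    permitted: set = field(default_factory=lambda: {1})
    untagged: set = field(default_factory=lambda: {1})


def access_port(name, vlan):
    # port link-type access / port access vlan <vlan>
    return Port(name, "access", pvid=vlan, permitted={vlan}, untagged={vlan})


def trunk_port(name, permit, pvid=1):
    # port link-type trunk / port trunk permit vlan <list> / port trunk pvid vlan <pvid>
    return Port(name, "trunk", pvid=pvid, permitted=set(permit), untagged=set())


def hybrid_port(name, tagged=(), untagged=(1,), pvid=1):
    # port link-type hybrid / port hybrid vlan <list> { tagged | untagged }
    return Port(name, "hybrid", pvid=pvid,
                permitted=set(tagged) | set(untagged), untagged=set(untagged))


def ingress(port, vid=None):
    """Classify an incoming frame; vid is None for an untagged frame.

    Returns the VLAN the frame is assigned to, or None if the port drops it.
    """
    if vid is None:                                   # untagged frame
        if port.link_type == "access":
            return port.pvid
        return port.pvid if port.pvid in port.permitted else None
    if port.link_type == "access":                    # tagged frame on an access port
        return vid if vid == port.pvid else None
    return vid if vid in port.permitted else None     # trunk or hybrid


def egress(port, vid):
    """How a frame of VLAN vid leaves the port: "untagged", "tagged" or None (not sent)."""
    if vid not in port.permitted:
        return None
    if port.link_type == "access":
        return "untagged"
    if port.link_type == "trunk":
        return "untagged" if vid == port.pvid else "tagged"
    return "untagged" if vid in port.untagged else "tagged"   # hybrid


def pvid_permitted(port):
    """Guideline check: a port that does not permit its PVID drops untagged
    frames and frames tagged with the PVID."""
    return port.pvid in port.permitted


if __name__ == "__main__":
    bss = access_port("WLAN-BSS1", 5)                            # Client 1's BSS in VLAN 5
    ge = trunk_port("GigabitEthernet1/0/1", permit={1, 5, 10})   # uplink trunk, default PVID 1
    hyb = hybrid_port("WLAN-BSS1", untagged=(1, 100, 200))       # MAC-based VLAN example port
    for p, vid in ((bss, None), (bss, 10), (ge, None), (ge, 5), (ge, 20), (hyb, 200)):
        print(p.name, p.link_type, "in", vid, "->", ingress(p, vid))
    for p, vid in ((bss, 5), (ge, 1), (ge, 10), (hyb, 100)):
        print(p.name, p.link_type, "out", vid, "->", egress(p, vid))
    # Constructed misconfiguration: PVID changed to 5 without permitting VLAN 5.
    bad = trunk_port("GigabitEthernet1/0/2", permit={10}, pvid=5)
    print(bad.name, "pvid permitted:", pvid_permitted(bad), "untagged in ->", ingress(bad))
```

The last case is the failure mode the PVID guidelines warn about: after port trunk pvid vlan 5, untagged frames and frames tagged with VLAN 5 are dropped until port trunk permit vlan 5 is also configured.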

 

Assigning an access port to a VLAN

You can assign an access port to a VLAN in VLAN view or interface view. Before you assign an access port to a VLAN, create the VLAN.

In VLAN view, you can assign only Layer 2 Ethernet interfaces to the VLAN.

To assign one or multiple access ports to a VLAN in VLAN view:

 

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Enter VLAN view.
    Command: vlan vlan-id
    Remarks: N/A

Step 3. Assign one or a group of access ports to the VLAN.
    Command: port interface-list
    Remarks: By default, all ports belong to VLAN 1.

 

To assign an access port to a VLAN in interface view:

 

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Enter interface view. Use one of the following commands:
    ·  Enter Layer 2 Ethernet interface view: interface interface-type interface-number
    ·  Enter Layer 2 aggregation interface view: interface bridge-aggregation interface-number
    ·  Enter WLAN-BSS interface view: interface wlan-bss interface-number
    Remarks: The configuration made in Layer 2 Ethernet or WLAN-BSS interface view applies only to the port. The configuration made in Layer 2 aggregate interface view applies to the aggregate interface and its aggregation member ports. If the system fails to apply the configuration to the aggregate interface, it stops applying the configuration to aggregation member ports. If the system fails to apply the configuration to an aggregation member port, it skips the port and moves to the next member port.

Step 3. Configure the link type of the ports as access.
    Command: port link-type access
    Remarks: Optional. By default, all ports are access ports.

Step 4. Assign the access ports to a VLAN.
    Command: port access vlan vlan-id
    Remarks: Optional. By default, all access ports belong to VLAN 1.

 

Assigning a trunk port to a VLAN

A trunk port can carry multiple VLANs. You can assign it to a VLAN in interface view.

To assign a trunk port to one or multiple VLANs:

 

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Enter interface view. Use one of the following commands:
    ·  Enter Layer 2 Ethernet interface view: interface interface-type interface-number
    ·  Enter Layer 2 aggregation interface view: interface bridge-aggregation interface-number
    Remarks: The configuration made in Layer 2 Ethernet interface view applies only to the port. The configuration made in Layer 2 aggregate interface view applies to the aggregate interface and its aggregation member ports. If the system fails to apply the configuration to the aggregate interface, it stops applying the configuration to aggregation member ports. If the system fails to apply the configuration to an aggregation member port, it skips the port and moves to the next member port.

Step 3. Configure the link type of the ports as trunk.
    Command: port link-type trunk
    Remarks: By default, all ports are access ports.

Step 4. Assign the trunk ports to the specified VLANs.
    Command: port trunk permit vlan { vlan-list | all }
    Remarks: By default, a trunk port carries only VLAN 1.

Step 5. Configure the PVID of the trunk ports.
    Command: port trunk pvid vlan vlan-id
    Remarks: Optional. By default, the PVID is VLAN 1.

 

To change the link type of a port from trunk to hybrid or from hybrid to trunk, you must set the link type to access first.

After configuring the PVID for a trunk port, you must use the port trunk permit vlan command to configure the trunk port to allow packets from the PVID to pass through.

Assigning a hybrid port to a VLAN

A hybrid port can carry multiple VLANs. You can assign it to a VLAN in interface view. Before assigning a hybrid port to a VLAN, create the VLAN first.

To assign a hybrid port to one or multiple VLANs:

 

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Enter interface view. Use one of the following commands:
    ·  Enter Layer 2 Ethernet interface view: interface interface-type interface-number
    ·  Enter Layer 2 aggregation interface view: interface bridge-aggregation interface-number
    ·  Enter WLAN-BSS interface view: interface wlan-bss interface-number
    Remarks: The configuration made in Layer 2 Ethernet or WLAN-BSS interface view applies only to the port. The configuration made in Layer 2 aggregate interface view applies to the aggregate interface and its aggregation member ports. If the system fails to apply the configuration to the aggregate interface, it stops applying the configuration to aggregation member ports. If the system fails to apply the configuration to an aggregation member port, it skips the port and moves to the next member port.

Step 3. Configure the link type of the ports as hybrid.
    Command: port link-type hybrid
    Remarks: By default, all ports are access ports.

Step 4. Assign the hybrid ports to the specified VLANs.
    Command: port hybrid vlan vlan-list { tagged | untagged }
    Remarks: By default, a hybrid port allows only packets of VLAN 1 to pass through untagged.

Step 5. Configure the PVID of the hybrid ports.
    Command: port hybrid pvid vlan vlan-id
    Remarks: Optional. By default, the PVID is VLAN 1.

 

To change the link type of a port from trunk to hybrid or from hybrid to trunk, you must set the link type to access first.

After you configure the PVID for a hybrid port, you must use the port hybrid vlan command to configure the hybrid port to allow packets from the PVID to pass through.

Port-based VLAN configuration example

Network requirements

As shown in Figure 6:

·          Client 1 and Client 3 belong to Department A, and access the enterprise network through different fat APs. Client 2 and Client 4 belong to Department B. They also access the enterprise network through different fat APs.

·          To ensure communication security and avoid broadcast storms, VLANs are configured in the enterprise network to isolate Layer 2 traffic of different departments. VLAN 100 is assigned to Department A, and VLAN 200 is assigned to Department B.

Configure port-based VLANs so hosts within the same VLAN can communicate with each other. Client 1 can communicate with Client 3, and Client 2 can communicate with Client 4.

Figure 6 Network diagram

 

 

Configuration procedure

1.        Configure AP 1

# Create WLAN-BSS interfaces.

<AP1> system-view

[AP1] interface wlan-bss 1

[AP1-WLAN-BSS1] quit

[AP1] interface wlan-bss 2

[AP1-WLAN-BSS2] quit

# Create VLAN 100, and assign WLAN-BSS 1 to VLAN 100.


[AP1] vlan 100

[AP1-vlan100] port wlan-bss 1

[AP1-vlan100] quit

# Create VLAN 200, and assign WLAN-BSS 2 to VLAN 200.

[AP1] vlan 200

[AP1-vlan200] port wlan-bss 2

[AP1-vlan200] quit

# Create service template 1 for Client 1. Set the template type to clear and the SSID to service1. Configure open system authentication for the service template and enable the service template.

[AP1] wlan service-template 1 clear

[AP1-wlan-st-1] ssid service1

[AP1-wlan-st-1] authentication-method open-system

[AP1-wlan-st-1] service-template enable

[AP1-wlan-st-1] quit

# Create service template 2 for Client 2. Set the template type to clear and the SSID to service2. Configure open system authentication for the service template and enable the service template.

[AP1] wlan service-template 2 clear

[AP1-wlan-st-2] ssid service2

[AP1-wlan-st-2] authentication-method open-system

[AP1-wlan-st-2] service-template enable

[AP1-wlan-st-2] quit

# On WLAN-Radio 1/0/2, bind service template 1 to WLAN-BSS 1, and bind service template 2 to WLAN-BSS 2.

[AP1] interface wlan-radio 1/0/2

[AP1-WLAN-Radio1/0/2] radio-type dot11g

[AP1-WLAN-Radio1/0/2] channel 6

[AP1-WLAN-Radio1/0/2] service-template 1 interface WLAN-BSS 1

[AP1-WLAN-Radio1/0/2] service-template 2 interface WLAN-BSS 2

[AP1-WLAN-Radio1/0/2] quit

# Configure port GigabitEthernet 1/0/1 as a trunk port, and assign it to VLANs 100 and 200, enabling the port to forward traffic of VLANs 100 and 200 to AP 2.

[AP1] interface gigabitethernet 1/0/1

[AP1-GigabitEthernet1/0/1] port link-type trunk

[AP1-GigabitEthernet1/0/1] port trunk permit vlan 100 200

Please wait... Done.

2.        Configure AP 2 in the same way AP 1 is configured.

3.        Configure the ports on the device as trunk ports, and assign them to VLANs 100 and 200.

4.        Configure clients:

◦  Configure Client 1 and Client 3 to be on the same IP subnet. For example, 192.168.100.0/24.

◦  Configure Client 2 and Client 4 to be on the same IP subnet. For example, 192.168.200.0/24.

Verifying the configuration

1.        Verify that Client 1 and Client 3 can ping each other successfully, but they both fail to ping Client 2.

2.        Verify that Client 2 and Client 4 can ping each other successfully, but they both fail to ping Client 1.

3.        Verify VLAN information.

# Display information about VLANs 100 and 200 on AP 1.

[AP1-GigabitEthernet1/0/1] display vlan 100

 VLAN ID: 100

 VLAN Type: static

 Route Interface: not configured

 Description: VLAN 0100

 Name: VLAN 0100

 Tagged   Ports:

    GigabitEthernet1/0/1

 Untagged Ports:

    WLAN-BSS1

[AP1-GigabitEthernet1/0/1] display vlan 200

 VLAN ID: 200

 VLAN Type: static

 Route Interface: not configured

 Description: VLAN 0200

 Name: VLAN 0200

 Tagged   Ports:

    GigabitEthernet1/0/1

 Untagged Ports:

    WLAN-BSS2
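Checking display vlan output by eye does not scale past a handful of ports, so here is an added example (Python written for this page, not part of the H3C guide) that parses the output shown above into per-VLAN tagged and untagged port lists and compares a port's actual membership against what the design requires. SAMPLE_OUTPUT is a constructed copy of the two display vlan results above; the expected memberships in the checks are the ones the example configures (GigabitEthernet 1/0/1 tagged in VLANs 100 and 200, WLAN-BSS 1 untagged in VLAN 100, WLAN-BSS 2 untagged in VLAN 200).

```python
import re

# Constructed sample, modelled on the display vlan output shown in the guide.
SAMPLE_OUTPUT = """\
[AP1-GigabitEthernet1/0/1] display vlan 100
 VLAN ID: 100
 VLAN Type: static
 Route Interface: not configured
 Description: VLAN 0100
 Name: VLAN 0100
 Tagged   Ports:
    GigabitEthernet1/0/1
 Untagged Ports:
    WLAN-BSS1
[AP1-GigabitEthernet1/0/1] display vlan 200
 VLAN ID: 200
 VLAN Type: static
 Route Interface: not configured
 Description: VLAN 0200
 Name: VLAN 0200
 Tagged   Ports:
    GigabitEthernet1/0/1
 Untagged Ports:
    WLAN-BSS2
"""


def parse_display_vlan(text):
    """Return {vlan_id: {"vlan_type": ..., "name": ..., "tagged": [...], "untagged": [...]}}."""
    vlans, current, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):          # prompt / command echo
            section = None
            continue
        m = re.match(r"VLAN ID:\s*(\d+)$", line)
        if m:                                         # start of a new VLAN record
            current = vlans.setdefault(int(m.group(1)), {"tagged": [], "untagged": []})
            section = None
        elif current is None:
            continue
        elif re.match(r"Tagged\s+Ports:", line):
            section = "tagged"
        elif re.match(r"Untagged\s+Ports:", line):
            section = "untagged"
        elif ":" in line and section is None:         # "Key: value" attribute lines
            key, _, value = line.partition(":")
            current[key.strip().lower().replace(" ", "_")] = value.strip()
        elif section:                                 # port names under a Ports: header
            current[section].extend(line.split())
    return vlans


def check_port_membership(vlans, port, expected_tagged=(), expected_untagged=()):
    """Compare a port's actual membership with the intended design.

    Returns a list of problems; an empty list means the port matches.
    """
    problems = []
    for vid in expected_tagged:
        if port not in vlans.get(vid, {}).get("tagged", []):
            problems.append("%s not tagged in VLAN %d" % (port, vid))
    for vid in expected_untagged:
        if port not in vlans.get(vid, {}).get("untagged", []):
            problems.append("%s not untagged in VLAN %d" % (port, vid))
    wanted = set(expected_tagged) | set(expected_untagged)
    for vid, info in vlans.items():
        if port in info["tagged"] + info["untagged"] and vid not in wanted:
            problems.append("%s unexpectedly in VLAN %d" % (port, vid))
    return problems


if __name__ == "__main__":
    vlans = parse_display_vlan(SAMPLE_OUTPUT)
    for vid, info in sorted(vlans.items()):
        print(vid, info["vlan_type"], "tagged:", info["tagged"], "untagged:", info["untagged"])
    print(check_port_membership(vlans, "GigabitEthernet1/0/1", expected_tagged=(100, 200)))
    print(check_port_membership(vlans, "WLAN-BSS2", expected_untagged=(100,)))
```

The third check reports both kinds of drift a reviewer cares about: a port missing from a VLAN it should carry, and a port present in a VLAN it was never meant to join.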

Configuring MAC-based VLANs 

Introduction to MAC-based VLAN

The MAC-based VLAN feature assigns hosts to a VLAN based on their MAC addresses. This feature is usually used in conjunction with security technologies such as 802.1X to provide secure, flexible network access for terminal devices.

Static MAC-based VLAN assignment

Static MAC-based VLAN assignment applies to networks containing a small number of VLAN users. In such a network, you can create a MAC address-to-VLAN map containing multiple MAC address-to-VLAN entries on a port, enable the MAC-based VLAN feature on the port, and assign the port to MAC-based VLANs.

With static MAC-based VLAN assignment configured on a port, the device processes received frames by using the following guidelines:

·          When the port receives an untagged frame, the device looks up the MAC address-to-VLAN map based on the source MAC address of the frame for a match.

¡  The device first performs a fuzzy match. In the fuzzy match, the device searches the MAC address-to-VLAN entries whose masks are not all-Fs and performs a logical AND operation on the source MAC address and each mask. If the result of an AND operation matches the corresponding MAC address, the device tags the frame with the corresponding VLAN ID.

¡  If the fuzzy match fails, the device performs an exact match. In the exact match, the device searches the MAC address-to-VLAN entries whose masks are all-Fs. If the MAC address of a MAC address-to-VLAN entry matches the source MAC address of the untagged frame, the device tags the frame with the corresponding VLAN ID.

¡  If no match is found, the device tags the frame with the PVID of the receiving port and forwards the frame.

·          When the port receives a tagged frame, the port forwards the frame if the VLAN ID of the frame is permitted by the port, and otherwise it drops the frame.
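The lookup order above (fuzzy entries first, then exact entries, then the PVID) decides which VLAN a host lands in, so it is worth seeing it run. The following Python is an added example written for this page, not code from the H3C guide: MacVlanMap holds the MAC address-to-VLAN entries of one port and classify_untagged() applies the three-stage match to the source MAC of an untagged frame. The two exact entries are the MAC addresses from the MAC-based VLAN configuration example later in this guide; the masked entry for VLAN 300 is constructed.

```python
ALL_F = 0xFFFFFFFFFFFF   # a 48-bit all-Fs mask marks an exact-match entry


def parse_mac(text):
    """Accept H3C's xxxx-xxxx-xxxx form as well as colon- or dot-separated forms."""
    digits = text.replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError("MAC address must have 12 hex digits: %r" % text)
    return int(digits, 16)


class MacVlanMap:
    """MAC address-to-VLAN map of one port (mac-vlan mac-address ... [ mask ... ] vlan ...)."""

    def __init__(self):
        self.entries = []            # (mac, mask, vlan_id) in configuration order

    def add(self, mac, vlan_id, mask="ffff-ffff-ffff"):
        m, k = parse_mac(mac), parse_mac(mask)
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID out of range")
        # Store the address already masked so that a fuzzy entry compares cleanly
        # (an assumption of this example, not a statement about the device).
        self.entries.append((m & k, k, vlan_id))

    def classify_untagged(self, src_mac, pvid):
        """Return (vlan_id, how) for an untagged frame with source MAC src_mac.

        Order follows the guide: fuzzy entries (mask not all-Fs) first, then
        exact entries (mask all-Fs), then the receiving port's PVID.
        """
        s = parse_mac(src_mac)
        for mac, mask, vlan in self.entries:
            if mask != ALL_F and (s & mask) == mac:
                return vlan, "fuzzy"
        for mac, mask, vlan in self.entries:
            if mask == ALL_F and s == mac:
                return vlan, "exact"
        return pvid, "pvid"


def forward_tagged(vid, permitted_vlans):
    """Tagged frames bypass the map: forwarded only if the port permits their VLAN."""
    return vid in permitted_vlans


if __name__ == "__main__":
    table = MacVlanMap()
    table.add("000d-88f8-4e71", 100)                          # Client 1 (guide example)
    table.add("0014-222c-aa69", 200)                          # Client 2 (guide example)
    table.add("0014-2200-0000", 300, mask="ffff-ff00-0000")   # constructed masked entry
    for mac in ("000d-88f8-4e71", "0014-222c-aa69", "00:aa:bb:cc:dd:ee"):
        print(mac, "->", table.classify_untagged(mac, pvid=1))
    print("tagged VLAN 100 on a port permitting {100, 200}:", forward_tagged(100, {100, 200}))
```

Note what happens to Client 2: its exact entry says VLAN 200, but because the fuzzy match runs first and the masked entry covers every 0014-22xx-xxxx address, the host is placed in VLAN 300. A broad masked entry therefore silently overrides exact ones; after adding masked entries, confirm the resulting assignments with display mac-vlan.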

Dynamic MAC-based VLAN

You can use dynamic MAC-based VLAN with access authentication (such as 802.1X authentication based on MAC addresses) to implement secure, flexible terminal access. After configuring dynamic MAC-based VLAN on the device, you must configure the username-to-VLAN entries on the access authentication server.

When a user passes authentication of the access authentication server, the device obtains VLAN information from the server, generates a MAC address-to-VLAN entry by using the source MAC address of the user packet and the VLAN information, and assigns the port to the MAC-based VLAN. When the user goes offline, the device automatically deletes the MAC address-to-VLAN entry, and removes the port from the MAC-based VLAN. For more information about 802.1X, MAC, and portal authentication, see Security Configuration Guide.

Configuration restrictions and guidelines

The following guidelines apply to MAC-based VLAN configuration:

·          MAC-based VLANs are available only on hybrid ports.

·          The MAC-based VLAN feature is mainly configured on downlink ports of user access devices. Do not enable this function together with link aggregation.

Configuration procedure

To configure static MAC-based VLAN assignment:

 

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Associate a specific MAC address with a VLAN.
    Command: mac-vlan mac-address mac-address [ mask mac-mask ] vlan vlan-id [ priority priority ]
    Remarks: N/A

Step 3. Enter interface view.
    Command: interface interface-type interface-number
    Remarks: N/A

Step 4. Configure the link type of the ports as hybrid.
    Command: port link-type hybrid
    Remarks: By default, all ports are access ports.

Step 5. Configure the hybrid ports to permit packets from specific MAC-based VLANs to pass through.
    Command: port hybrid vlan vlan-list { tagged | untagged }
    Remarks: By default, a hybrid port only permits packets from VLAN 1 to pass through.

Step 6. Enable the MAC-based VLAN feature.
    Command: mac-vlan enable
    Remarks: By default, MAC-based VLAN is disabled.

 

To configure dynamic MAC-based VLAN:

 

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Enter interface view.
    Command: interface interface-type interface-number
    Remarks: N/A

Step 3. Configure the link type of the ports as hybrid.
    Command: port link-type hybrid
    Remarks: By default, all ports are access ports.

Step 4. Configure the hybrid ports to permit packets from specific MAC-based VLANs to pass through.
    Command: port hybrid vlan vlan-list { tagged | untagged }
    Remarks: By default, a hybrid port only permits the packets of VLAN 1 to pass through.

Step 5. Enable the MAC-based VLAN feature.
    Command: mac-vlan enable
    Remarks: By default, MAC-based VLAN is disabled.

Step 6. Configure 802.1X, MAC, portal authentication, or any combination.
    Command: For more information, see Security Command Reference.
    Remarks: N/A

 

MAC-based VLAN configuration example

Network requirements

As shown in Figure 7:

·          WLAN-BSS 1 of AP 1 and WLAN-BSS 1 of AP 2 each serve a meeting room. Client 1 and Client 2 are used for meetings in either of the two meeting rooms.

·          Client 1 and Client 2 are owned by different departments. One department uses VLAN 100 and the other department uses VLAN 200.

Configure MAC-based VLANs so each laptop can access only its own department server no matter which meeting room it is used in.

Figure 7 Network diagram

 

Configuration consideration

·          Create VLANs 100 and 200.

·          Configure the uplink ports of AP 1 and AP 2 as trunk ports, and assign them to VLANs 100 and 200.

·          Configure the downlink ports of the device as trunk ports, and assign them to VLANs 100 and 200. Assign the uplink ports of the device to VLANs 100 and 200.

·          Associate the MAC address of Client 1 with VLAN 100, and the MAC address of Client 2 with VLAN 200.

Configuration procedure

1.        Configure AP 1

# Create interface WLAN-BSS 1.

<AP1> system-view

[AP1] interface wlan-bss 1

# Create VLANs 100 and 200.

[AP1-WLAN-BSS1] quit

[AP1] vlan 100

[AP1-vlan100] quit

[AP1] vlan 200

[AP1-vlan200] quit

# Associate the MAC address of Client 1 with VLAN 100, and the MAC address of Client 2 with VLAN 200.

[AP1] mac-vlan mac-address 000d-88f8-4e71 vlan 100

[AP1] mac-vlan mac-address 0014-222c-aa69 vlan 200

# Configure WLAN-BSS 1 as a hybrid port that sends packets from VLANs 100 and 200 untagged, and enable the MAC-based VLAN feature on it, so that Client 1 and Client 2 can access the network through WLAN-BSS 1.

[AP1] interface wlan-bss 1

[AP1-WLAN-BSS1] port link-type hybrid

[AP1-WLAN-BSS1] port hybrid vlan 100 200 untagged

 Please wait... Done.

[AP1-WLAN-BSS1] mac-vlan enable

[AP1-WLAN-BSS1] quit

# Create service template 1 of clear type, set its SSID to service1, configure open system authentication for the service template, and enable the service template.

[AP1] wlan service-template 1 clear

[AP1-wlan-st-1] ssid service1

[AP1-wlan-st-1] authentication-method open-system

[AP1-wlan-st-1] service-template enable

[AP1-wlan-st-1] quit

# On WLAN-Radio 1/0/2, bind service template 1 to WLAN-BSS 1.

[AP1] interface wlan-radio 1/0/2

[AP1-WLAN-Radio1/0/2] radio-type dot11g

[AP1-WLAN-Radio1/0/2] channel 6

[AP1-WLAN-Radio1/0/2] service-template 1 interface WLAN-BSS 1

[AP1-WLAN-Radio1/0/2] quit

# Configure the uplink port GigabitEthernet 1/0/1 as a trunk port, and assign it to VLANs 100 and 200.

[AP1] interface gigabitethernet 1/0/1

[AP1-GigabitEthernet1/0/1] port link-type trunk

[AP1-GigabitEthernet1/0/1] port trunk permit vlan 100 200

[AP1-GigabitEthernet1/0/1] quit

2.        Configure the device

# Create VLANs 100 and 200. Assign GigabitEthernet 1/0/13 to VLAN 100, and GigabitEthernet 1/0/14 to VLAN 200.

<Device> system-view

[Device] vlan 100

[Device-vlan100] port gigabitethernet 1/0/13

[Device-vlan100] quit

[Device] vlan 200

[Device-vlan200] port gigabitethernet 1/0/14

[Device-vlan200] quit

# Configure GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4 as trunk ports, and assign them to VLANs 100 and 200.

[Device] interface gigabitethernet 1/0/3

[Device-GigabitEthernet1/0/3] port link-type trunk

[Device-GigabitEthernet1/0/3] port trunk permit vlan 100 200

[Device-GigabitEthernet1/0/3] quit

[Device] interface gigabitethernet 1/0/4

[Device-GigabitEthernet1/0/4] port link-type trunk

[Device-GigabitEthernet1/0/4] port trunk permit vlan 100 200

[Device-GigabitEthernet1/0/4] quit

3.        Configure AP 2 in the same way AP 1 is configured.

Verifying the configuration

1.        Verify that Client 1 can access Server 1 only, and Client 2 can access Server 2 only.

2.        On AP 1 and AP 2, verify that VLAN 100 is associated with the MAC address of Client 1, and VLAN 200 is associated with the MAC address of Client 2.

[AP1] display mac-vlan all

  The following MAC VLAN addresses exist:

  S:Static  D:Dynamic

  MAC ADDR         MASK             VLAN ID   PRIO   STATE

  --------------------------------------------------------

  000d-88f8-4e71   ffff-ffff-ffff   100       0      S

  0014-222c-aa69   ffff-ffff-ffff   200       0      S

 

  Total MAC VLAN address count:2
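A small checker for verification step 2, written here as an added example (it is not an H3C tool or part of this guide): it parses the display mac-vlan all output shown above, applies the masked MAC lookup that a mac-vlan-enabled hybrid port performs, and compares the table with the intended department mapping. The most-specific-mask rule for overlapping entries and the PVID fallback for an unmatched MAC are assumptions about platform behaviour.

```python
import re
from typing import Dict, List, Optional
# Constructed sample input: the "display mac-vlan all" output from the verification step.
SAMPLE_OUTPUT = """\
  The following MAC VLAN addresses exist:
  S:Static  D:Dynamic
  MAC ADDR         MASK             VLAN ID   PRIO   STATE
  --------------------------------------------------------
  000d-88f8-4e71   ffff-ffff-ffff   100       0      S
  0014-222c-aa69   ffff-ffff-ffff   200       0      S
  Total MAC VLAN address count:2
"""
HEX4 = r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}"  # Comware hhhh-hhhh-hhhh notation
# One entry row: MAC, mask, VLAN ID, priority, S/D state.
ENTRY_RE = re.compile(rf"^\s*({HEX4})\s+({HEX4})\s+(\d+)\s+(\d+)\s+([SD])\s*$", re.I)

def mac_to_int(mac: str) -> int:
    """Accept hhhh-hhhh-hhhh, hh:hh:hh:hh:hh:hh or hhhh.hhhh.hhhh notation."""
    return int(re.sub(r"[-:.]", "", mac), 16)

def parse_mac_vlan(output: str) -> List[Dict]:
    """Parse the entry rows; header, separator and total lines are skipped."""
    entries = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            mac, mask, vlan, prio, state = m.groups()
            entries.append({"mac": mac_to_int(mac), "mask": mac_to_int(mask),
                            "vlan": int(vlan), "prio": int(prio), "static": state.upper() == "S"})
    return entries

def lookup_vlan(entries: List[Dict], mac: str) -> Optional[int]:
    """VLAN assigned to a frame with this source MAC on a mac-vlan-enabled hybrid port.
    Assumed: the most specific matching mask wins; None means no entry matched (port PVID applies)."""
    m, best = mac_to_int(mac), None
    for e in entries:
        if (m & e["mask"]) == (e["mac"] & e["mask"]) and (best is None or e["mask"] > best["mask"]):
            best = e
    return best["vlan"] if best else None

def check_expected(entries: List[Dict], expected: Dict[str, int]) -> List[str]:
    """Compare the table against the intended department mapping; an empty list means it matches."""
    problems = []
    for mac, vlan in expected.items():
        got = lookup_vlan(entries, mac)
        if got is None:
            problems.append(f"{mac}: no MAC-to-VLAN entry, frames would fall back to the port PVID")
        elif got != vlan:
            problems.append(f"{mac}: mapped to VLAN {got}, expected VLAN {vlan}")
    return problems
```

Run check_expected against the output of each AP; a non-empty result means a client would land in the wrong department VLAN or in the port PVID.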

Configuration guidelines

1.        MAC-based VLAN can be configured only on hybrid ports.

2.        MAC-based VLAN is usually configured on the downlink ports of access layer devices, and cannot be configured together with the link aggregation function.

Displaying and maintaining VLAN

Task: Display VLAN information.

Command: display vlan [ vlan-id1 [ to vlan-id2 ] | all | dynamic | reserved | static ] [ | { begin | exclude | include } regular-expression ]

Remarks: Available in any view.

Task: Display VLAN interface information.

Command: display interface [ vlan-interface ] [ brief [ down ] ] [ | { begin | exclude | include } regular-expression ]

Command: display interface vlan-interface vlan-interface-id [ brief ] [ | { begin | exclude | include } regular-expression ]

Remarks: Available in any view.

Task: Display hybrid ports or trunk ports on the device.

Command: display port { hybrid | trunk } [ | { begin | exclude | include } regular-expression ]

Remarks: Available in any view.

Task: Display MAC address-to-VLAN entries.

Command: display mac-vlan { all | dynamic | mac-address mac-address [ mask mac-mask ] | static | vlan vlan-id } [ | { begin | exclude | include } regular-expression ]

Remarks: Available in any view.

Task: Display all interfaces with MAC-based VLAN enabled.

Command: display mac-vlan interface [ | { begin | exclude | include } regular-expression ]

Remarks: Available in any view.

Task: Clear statistics on a VLAN interface.

Command: reset counters interface vlan-interface [ vlan-interface-id ]

Remarks: Available in user view.
