Configuring VLANs
About VLANs
The Virtual Local Area Network (VLAN) technology divides a physical LAN into multiple logical LANs. It has the following benefits:
· Security—Hosts in the same VLAN can communicate with one another at Layer 2, but they are isolated from hosts in other VLANs at Layer 2.
· Broadcast traffic isolation—Each VLAN is a broadcast domain that limits the transmission of broadcast packets.
· Flexibility—A VLAN can be logically divided on a workgroup basis. Hosts in the same workgroup can be assigned to the same VLAN, regardless of their physical locations.
VLAN frame encapsulation
To identify Ethernet frames from different VLANs, IEEE 802.1Q inserts a four-byte VLAN tag between the destination and source MAC address (DA&SA) field and the Type field.
Figure 1 VLAN tag placement and format
A VLAN tag includes the following fields:
· TPID—16-bit tag protocol identifier that indicates whether a frame is VLAN-tagged. By default, the hexadecimal TPID value 8100 identifies a VLAN-tagged frame. A device vendor can set the TPID to a different value. For compatibility with a neighbor device, set the TPID value on the device to be the same as the neighbor device.
· Priority—3-bit long, identifies the 802.1p priority of the frame. For more information, see ACL and QoS Configuration Guide.
· CFI—1-bit long canonical format indicator that indicates whether the MAC addresses are encapsulated in the standard format when packets are transmitted across different media. Available values include:
  ○ 0 (default)—The MAC addresses are encapsulated in the standard format.
  ○ 1—The MAC addresses are encapsulated in a non-standard format.
This field is always set to 0 for Ethernet.
· VLAN ID—12-bit long, identifies the VLAN to which the frame belongs. The VLAN ID range is 0 to 4095. VLAN IDs 0 and 4095 are reserved, and VLAN IDs 1 to 4094 are user configurable.
The way a network device handles an incoming frame depends on whether the frame has a VLAN tag and the value of the VLAN tag (if any).
Ethernet supports encapsulation formats Ethernet II, 802.3/802.2 LLC, 802.3/802.2 SNAP, and 802.3 raw. The Ethernet II encapsulation format is used here. For information about the VLAN tag fields in other frame encapsulation formats, see related protocols and standards.
For a frame that has multiple VLAN tags, the device handles it according to its outermost VLAN tag and transmits its inner VLAN tags as the payload.
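The tag layout and the outermost-tag rule described above, as an added Python example (not part of the original guide or of any vendor tooling). The function names, MAC addresses and sample frames are constructed for illustration; `device_view` models only what this section states, and `parse_vlan_tags` walks the full tag stack so that stacked tags can be logged.

```python
import struct

TPID_DEFAULT = 0x8100      # default TPID named in the text; devices may be set to another value
RESERVED_VLAN_IDS = {0, 4095}


def build_frame(tags, ethertype, payload):
    """Build a constructed Ethernet II frame; tags is a list of (priority, vlan_id), outermost first."""
    frame = bytes.fromhex("0200000000aa") + bytes.fromhex("0200000000bb")  # made-up DA, SA
    for priority, vlan_id in tags:
        tci = (priority << 13) | (0 << 12) | vlan_id   # CFI is always 0 on Ethernet
        frame += struct.pack("!HH", TPID_DEFAULT, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_vlan_tags(frame, tpids=(TPID_DEFAULT,)):
    """Walk the whole tag stack. Returns (tags, ethertype, payload), outermost tag first."""
    offset, tags = 12, []                    # the first tag or Type field follows DA + SA
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame truncated before the Type field")
        (value,) = struct.unpack_from("!H", frame, offset)
        if value not in tpids:               # not a TPID, so this is the Type field
            return tags, value, frame[offset + 2:]
        if len(frame) < offset + 4:
            raise ValueError("frame truncated inside a VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({"tpid": value, "priority": tci >> 13,
                     "cfi": (tci >> 12) & 1, "vlan_id": tci & 0x0FFF})
        offset += 4


def device_view(frame, pvid, tpids=(TPID_DEFAULT,)):
    """What the forwarding decision sees: only the outermost tag, or the PVID if untagged."""
    tags, _, _ = parse_vlan_tags(frame, tpids)
    if not tags:
        return {"vlan_id": pvid, "tagged": False, "inner_tags": 0, "reserved": False}
    outer = tags[0]
    return {"vlan_id": outer["vlan_id"], "tagged": True,
            "inner_tags": len(tags) - 1,     # carried as payload, worth logging at an edge port
            "reserved": outer["vlan_id"] in RESERVED_VLAN_IDS}


if __name__ == "__main__":
    samples = {
        "untagged": build_frame([], 0x0800, b"ip"),
        "single tag": build_frame([(6, 100)], 0x0800, b"ip"),
        "stacked tags": build_frame([(0, 100), (0, 200)], 0x0800, b"ip"),
    }
    for name, frame in samples.items():
        print(name, device_view(frame, pvid=1))
```

If a neighbor uses a non-default TPID, pass it in `tpids`; otherwise the tag is read as the Type field and the frame is reported as untagged.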
Port-based VLANs
Port-based VLANs group VLAN members by port. A port forwards packets from a VLAN only after it is assigned to the VLAN.
Port link type
You can set the link type of a port to access, trunk, or hybrid. The port link type determines whether the port can be assigned to multiple VLANs. The link types use the following VLAN tag handling methods:
· Access—An access port can forward packets only from one VLAN and send these packets untagged. An access port is typically used in the following conditions:
  ○ Connecting to a terminal device that does not support VLAN packets.
  ○ In scenarios that do not distinguish VLANs.
· Trunk—A trunk port can forward packets from multiple VLANs. Except for packets from the port VLAN ID (PVID), packets sent out of a trunk port are VLAN-tagged. Ports connecting network devices are typically configured as trunk ports.
· Hybrid—A hybrid port can forward packets from multiple VLANs. The tagging status of the packets forwarded by a hybrid port depends on the port configuration.
PVID
The PVID identifies the default VLAN of a port. Untagged packets received on a port are considered as the packets from the port PVID.
An access port can join only one VLAN. The VLAN to which the access port belongs is the PVID of the port. A trunk or hybrid port supports multiple VLANs and the PVID configuration.
How ports of different link types handle frames
Actions | Access | Trunk | Hybrid |
---|---|---|---|
In the inbound direction for an untagged frame | Tags the frame with the PVID tag. | · If the PVID is permitted on the port, tags the frame with the PVID tag. · If not, drops the frame. | · If the PVID is permitted on the port, tags the frame with the PVID tag. · If not, drops the frame. |
In the inbound direction for a tagged frame | · Receives the frame if its VLAN ID is the same as the PVID. · Drops the frame if its VLAN ID is different from the PVID. | · Receives the frame if its VLAN is permitted on the port. · Drops the frame if its VLAN is not permitted on the port. | · Receives the frame if its VLAN is permitted on the port. · Drops the frame if its VLAN is not permitted on the port. |
In the outbound direction | Removes the VLAN tag and sends the frame. | · Removes the tag and sends the frame if the frame carries the PVID tag and the port belongs to the PVID. · Sends the frame without removing the tag if its VLAN is carried on the port but is different from the PVID. | Sends the frame if its VLAN is permitted on the port. The tagging status of the frame depends on the port hybrid vlan command configuration. |
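The frame-handling rules for the three link types, as an added Python model (not part of the original guide or of any device software). `Port`, `ingress`, `egress` and `forward` are hypothetical names, and the model assumes a port does not send frames from a VLAN it is not assigned to, as stated under Port-based VLANs.

```python
from dataclasses import dataclass, field


@dataclass
class Port:
    link_type: str                                 # "access", "trunk" or "hybrid"
    pvid: int = 1
    permitted: set = field(default_factory=set)    # trunk/hybrid: VLANs the port is assigned to
    untagged: set = field(default_factory=set)     # hybrid only: VLANs sent without a tag


def ingress(port, tag):
    """Return the VLAN a received frame is placed in, or None if it is dropped.

    tag is the outermost VLAN ID, or None for an untagged frame.
    """
    if port.link_type == "access":
        # Untagged frames get the PVID; tagged frames must already carry the PVID.
        return port.pvid if tag in (None, port.pvid) else None
    vlan = port.pvid if tag is None else tag
    # Trunk and hybrid: the VLAN (the PVID included) must be permitted on the port.
    return vlan if vlan in port.permitted else None


def egress(port, vlan):
    """Return "untagged", "tagged", or None if the port does not send the frame."""
    if port.link_type == "access":
        return "untagged" if vlan == port.pvid else None
    if vlan not in port.permitted:
        return None
    if port.link_type == "trunk":
        return "untagged" if vlan == port.pvid else "tagged"
    return "untagged" if vlan in port.untagged else "tagged"   # hybrid


def forward(in_port, tag, out_port):
    """Chain both directions: (vlan, how it leaves out_port), or None if dropped."""
    vlan = ingress(in_port, tag)
    if vlan is None:
        return None
    form = egress(out_port, vlan)
    return None if form is None else (vlan, form)


if __name__ == "__main__":
    host_port = Port("access", pvid=100)
    uplink = Port("trunk", pvid=1, permitted={1, 100, 200})
    print(forward(host_port, None, uplink))        # host frame leaves the trunk tagged
    # A trunk whose PVID is not in its permit list drops untagged frames.
    misconfigured = Port("trunk", pvid=10, permitted={100, 200})
    print(ingress(misconfigured, None))
```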
Layer 3 communication between VLANs
Hosts of different VLANs use VLAN interfaces to communicate at Layer 3. VLAN interfaces are virtual interfaces that do not exist as physical entities on devices. For each VLAN, you can create one VLAN interface and assign an IP address to it. The VLAN interface acts as the gateway of the VLAN to forward packets at Layer 3. When the IP addresses of multiple VLAN interfaces are on different subnets, you must configure IP routing protocols to enable Layer 3 communication between these IP addresses. Then, the devices can forward packets at Layer 3 across subnets between different VLANs. For more information about IP routing protocols, see Layer 3—IP Routing Configuration Guide.
Protocols and standards
IEEE 802.1Q, IEEE Standard for Local and Metropolitan Area Networks: Virtual Bridged Local Area Networks
Configuring a VLAN
Restrictions and guidelines
· As the system default VLAN, VLAN 1 cannot be created or deleted.
· Before you delete a dynamic VLAN or a VLAN locked by an application, you must first remove the configuration from the VLAN.
VLAN configuration tasks at a glance
To configure VLANs, perform the following tasks:
1. Creating VLANs
2. (Optional.) Enabling packet dropping in the VLAN
Creating VLANs
1. Enter system view.
system-view
2. Create one or multiple VLANs.
  ○ Create a VLAN and enter its view.
vlan vlan-id
  ○ Create multiple VLANs and enter VLAN view.
Create VLANs.
vlan { vlan-id-list | all }
Enter VLAN view.
vlan vlan-id
By default, only the system default VLAN (VLAN 1) exists.
3. (Optional.) Set a name for the VLAN.
name text
By default, the name of a VLAN is VLAN vlan-id. The vlan-id argument specifies the VLAN ID in a four-digit format. If the VLAN ID has fewer than four digits, leading zeros are added. For example, the name of VLAN 100 is VLAN 0100.
4. (Optional.) Configure the description for the VLAN.
description text
By default, the description of a VLAN is VLAN vlan-id. The vlan-id argument specifies the VLAN ID in a four-digit format. If the VLAN ID has fewer than four digits, leading zeros are added. For example, the default description of VLAN 100 is VLAN 0100.
Enabling packet dropping in the VLAN
About this task
This feature enables the device to drop packets (including protocol packets) forwarded by the software in a VLAN. To drop all packets that are received and transmitted in the VLAN, you must configure a QoS policy. For more information about configuring QoS policies, see QoS configuration in ACL and QoS Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enter VLAN view.
vlan vlan-id
3. Enable packet dropping in the VLAN.
block outbound
By default, packet dropping is disabled in a VLAN.
Configuring port-based VLANs
Restrictions and guidelines for port-based VLANs
· When you use the undo vlan command to delete the PVID of a port, either of the following events occurs depending on the port link type:
  ○ For an access port, the PVID of the port changes to VLAN 1.
  ○ For a hybrid or trunk port, the PVID setting of the port does not change.
You can use a nonexistent VLAN as the PVID for a hybrid or trunk port, but not for an access port.
· As a best practice, set the same PVID for a local port and its peer.
· To prevent a port from dropping untagged packets or PVID-tagged packets, assign the port to its PVID.
Assigning an access port to a VLAN
About this task
You can assign an access port to a VLAN in VLAN view or interface view.
Assigning one or multiple access ports to a VLAN in VLAN view
1. Enter system view.
system-view
2. Enter VLAN view.
vlan vlan-id
3. Assign one or multiple access ports to the VLAN.
port interface-list
By default, all ports belong to VLAN 1.
Assigning an access port to a VLAN in interface view
1. Enter system view.
system-view
2. Enter interface view.
  ○ Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
  ○ Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
3. Set the port link type to access.
port link-type access
By default, all ports are access ports.
4. Assign the access port to a VLAN.
port access vlan vlan-id
By default, all access ports belong to VLAN 1.
Assigning a trunk port to a VLAN
About this task
A trunk port supports multiple VLANs. You can assign it to a VLAN in interface view.
Restrictions and guidelines
To change the link type of a port from trunk to hybrid, set the link type to access first.
To enable a trunk port to transmit packets from its PVID, you must assign the trunk port to the PVID by using the port trunk permit vlan command.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
  ○ Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
  ○ Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
3. Set the port link type to trunk.
port link-type trunk
By default, all ports are access ports.
4. Assign the trunk port to the specified VLANs.
port trunk permit vlan { vlan-id-list | all }
By default, a trunk port permits only VLAN 1.
5. (Optional.) Set the PVID for the trunk port.
port trunk pvid vlan vlan-id
The default setting is VLAN 1.
Assigning a hybrid port to a VLAN
About this task
A hybrid port supports multiple VLANs. You can assign it to the specified VLANs in interface view. Make sure the VLANs have been created.
Restrictions and guidelines
To change the link type of a port from trunk to hybrid, set the link type to access first.
To enable a hybrid port to transmit packets from its PVID, you must assign the hybrid port to the PVID by using the port hybrid vlan command.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
  ○ Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
  ○ Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
3. Set the port link type to hybrid.
port link-type hybrid
By default, all ports are access ports.
4. Assign the hybrid port to the specified VLANs.
port hybrid vlan vlan-id-list { tagged | untagged }
By default, the hybrid port is an untagged member of the VLAN to which the port belongs when its link type is access.
5. (Optional.) Set the PVID for the hybrid port.
port hybrid pvid vlan vlan-id
By default, the PVID of a hybrid port is the ID of the VLAN to which the port belongs when its link type is access.
Configuring a VLAN group
About this task
A VLAN group includes a set of VLANs.
On an authentication server, a VLAN group name represents a group of authorization VLANs. When an 802.1X or MAC authentication user passes authentication, the authentication server assigns a VLAN group name to the device. The device then uses the received VLAN group name to match the locally configured VLAN group names. If a match is found, the device selects a VLAN from the group and assigns the VLAN to the user. For more information about 802.1X and MAC authentication, see Security Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Create a VLAN group and enter its view.
vlan-group group-name
3. Add VLANs to the VLAN group.
vlan-list vlan-id-list
By default, no VLANs exist in a VLAN group.
You can add multiple VLAN lists to a VLAN group.
Configuring VLAN interfaces
VLAN interfaces configuration tasks at a glance
To configure VLAN interfaces, perform the following tasks:
1. Creating a VLAN interface
2. (Optional.) Specifying a traffic processing slot for the VLAN interface
3. (Optional.) Restoring the default settings for the VLAN interface
Prerequisites
Before you create a VLAN interface for a VLAN, create the VLAN first.
Creating a VLAN interface
1. Enter system view.
system-view
2. Create a VLAN interface and enter its view.
interface vlan-interface interface-number
3. Assign an IP address to the VLAN interface.
ip address ip-address { mask | mask-length } [ sub ]
By default, no IP address is assigned to a VLAN interface.
4. (Optional.) Configure the description for the VLAN interface.
description text
The default setting is the VLAN interface name. For example, Vlan-interface1 Interface.
5. (Optional.) Set the MTU for the VLAN interface.
mtu size
By default, the MTU of a VLAN interface is 1500 bytes.
6. (Optional.) Set the expected bandwidth for the interface.
bandwidth bandwidth-value
By default, the expected bandwidth (in kbps) is the interface baud rate divided by 1000.
7. Bring up the VLAN interface.
undo shutdown
By default, a VLAN interface is not manually shut down.
Specifying a traffic processing slot for the VLAN interface
About this task
Specify a traffic processing slot for a VLAN interface if all traffic on the VLAN interface must be processed on the same slot.
Procedure
1. Enter system view.
system-view
2. Enter a VLAN interface view.
interface vlan-interface interface-number
3. Specify a traffic processing slot for the VLAN interface.
service slot slot-number
By default, no traffic processing slot is specified for the VLAN interface.
Restoring the default settings for the VLAN interface
Restrictions and guidelines
This feature might fail to restore the default settings for some commands for reasons such as command dependencies or system restrictions. Use the display this command in interface view to identify these commands, and then use their undo forms or follow the command reference to restore their default settings. If your restoration attempt still fails, follow the error message instructions to resolve the problem.
Procedure
1. Enter system view.
system-view
2. Enter a VLAN interface view.
interface vlan-interface interface-number
3. Restore the default settings for the VLAN interface.
default
CAUTION: This feature might interrupt ongoing network services. Make sure you are fully aware of the impact of this feature when you use it on a live network.
Enabling the function of setting VLAN tags for sent protocol packets on an interface
About this task
With this feature enabled on an interface, the interface records all layers of VLAN tags of received LACP or BFD protocol packets. When the interface sends the same protocol packets, the interface adds the recorded VLAN tags to the sent protocol packets, regardless of whether the link type of the interface allows these packets to carry these VLAN tags. For more information about LACP, see Ethernet link aggregation configuration in Layer 2—LAN Switching Configuration Guide. For more information about BFD, see BFD configuration in High Availability Configuration Guide.
Restrictions and guidelines
Executing the port outbound-vlan-tag enable command and then its undo form on an interface will cause BFD sessions on the interface to go down. Perform this operation with caution.
Executing this command on an aggregation group member port does not affect the other member ports in the same aggregation group or affect the Selected state of aggregation group member ports. To ensure configuration consistency within an aggregation group, manually execute this command on all aggregation group member ports.
Procedure
1. Enter system view.
system-view
2. Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
3. Enable the function of setting VLAN tags for sent protocol packets on the interface.
port outbound-vlan-tag enable
Configuring the 802.1p priority for control packets sent by a device
About this task
By default, the 802.1p priority is 6 for control packets sent by a device. However, some devices will drop or not process packets with 802.1p priority 6, which affects the operation of protocols in the network. To resolve this problem, configure the 802.1p priority for control packets sent by a device.
Restrictions and guidelines
This feature configures the 802.1p priority for packets of the following protocols: ARP, NTP, OSPF, BGP, PIM, SSH, Telnet, and LDP.
Procedure
1. Enter system view.
system-view
2. Configure the 802.1p priority for control packets sent by the device.
control-packet dot1p priority
By default, the 802.1p priority is 6 for control packets sent by a device.
Display and maintenance commands for VLANs
Execute display commands in any view and reset commands in user view.
Task | Command |
---|---|
Display VLAN interface information. | display interface [ vlan-interface [ interface-number ] ] [ brief [ description \| down ] ] |
Display hybrid ports or trunk ports on the device. | display port { hybrid \| trunk } |
Display VLAN information. | display vlan [ vlan-id1 [ to vlan-id2 ] \| all \| dynamic \| reserved \| static ] |
Display brief VLAN information. | display vlan brief |
Display VLAN group information. | display vlan-group [ group-name ] |
Clear statistics on a VLAN interface. | reset counters interface [ vlan-interface [ interface-number ] ] |
VLAN configuration examples
Example: Configuring port-based VLANs
Network configuration
As shown in Figure 2:
· Host A and Host C belong to Department A. VLAN 100 is assigned to Department A.
· Host B and Host D belong to Department B. VLAN 200 is assigned to Department B.
Configure port-based VLANs so that only hosts in the same department can communicate with each other.
Procedure
1. Configure Device A:
# Create VLAN 100, and assign Twenty-FiveGigE 1/0/1 to VLAN 100.
<DeviceA> system-view
[DeviceA] vlan 100
[DeviceA-vlan100] port twenty-fivegige 1/0/1
[DeviceA-vlan100] quit
# Create VLAN 200, and assign Twenty-FiveGigE 1/0/2 to VLAN 200.
[DeviceA] vlan 200
[DeviceA-vlan200] port twenty-fivegige 1/0/2
[DeviceA-vlan200] quit
# Configure Twenty-FiveGigE 1/0/3 as a trunk port, and assign the port to VLANs 100 and 200.
[DeviceA] interface twenty-fivegige 1/0/3
[DeviceA-Twenty-FiveGigE1/0/3] port link-type trunk
[DeviceA-Twenty-FiveGigE1/0/3] port trunk permit vlan 100 200
Please wait... Done.
2. Configure Device B in the same way Device A is configured. (Details not shown.)
3. Configure hosts:
a. Configure Host A and Host C to be on the same IP subnet, for example, 192.168.100.0/24.
b. Configure Host B and Host D to be on the same IP subnet, for example, 192.168.200.0/24.
Verifying the configuration
# Verify that Host A and Host C can ping each other, but they both fail to ping Host B and Host D. (Details not shown.)
# Verify that Host B and Host D can ping each other, but they both fail to ping Host A and Host C. (Details not shown.)
# Verify that VLANs 100 and 200 are correctly configured on Device A.
[DeviceA-Twenty-FiveGigE1/0/3] display vlan 100
VLAN ID: 100
VLAN type: Static
Route interface: Not configured
Description: VLAN 0100
Name: VLAN 0100
Tagged ports:
Twenty-FiveGigE1/0/3(U)
Untagged ports:
Twenty-FiveGigE1/0/1(U)
[DeviceA-Twenty-FiveGigE1/0/3] display vlan 200
VLAN ID: 200
VLAN type: Static
Route interface: Not configured
Description: VLAN 0200
Name: VLAN 0200
Tagged ports:
Twenty-FiveGigE1/0/3(U)
Untagged ports:
Twenty-FiveGigE1/0/2(U)