VLAN Network for Extreme Networks
© 2008 Extreme Networks, Inc. All rights reserved. ExtremeXOS Operation and Configuration, Version 12.1. Part number DOC-00919.
Introduction to VLAN Technology
ExtremeXOS™ Operation and Configuration, Version 12.1
Slide 2
Student Objectives
Upon completion of this module, you will be able to:
Define VLANs.
Describe port-based (untagged) VLANs.
Describe tagged VLANs.
Describe protocol-based VLANs.
Describe the benefits of VLANs.
Manage port-based (untagged) VLANs.
Manage tagged VLANs.
Manage protocol-based VLANs.
Slide 3
Virtual LANs
Virtual Local Area Networks (VLANs) provide a way of grouping different network devices to ensure that those devices can communicate directly with one another.
VLANs can span multiple layer 2 switches and do not restrict node placement.
Broadcast packets are flooded only within a VLAN / broadcast domain.
VLAN Operation
A VLAN emulates a LAN by managing how Ethernet frames are propagated throughout the network.
• Broadcast, multicast, and unknown unicast Ethernet frames must be forwarded to all the stations in the VLAN.
• A VLAN defines the parts of the network where broadcast packets are to be forwarded (broadcast domain).
A router (Layer 3 forwarding device) is required to forward traffic from one VLAN to another.
• An external Layer 3 router or a routing process inside the switch.
Slide 4
A router is required for traffic to go from one VLAN to another.
Types of VLANs
VLANs associate network devices with one another based upon some criteria:
• 802.1Q Tagged VLAN
• Port-based (Untagged) VLAN
• Protocol VLAN
Slide 5
[Figure: port-based VLANs, protocol-based VLAN, 802.1Q tagged VLAN.]
Port-Based VLANs
Port-based VLAN membership is based upon which ports are assigned to the VLAN.
If a tagged Ethernet frame is received on an untagged port, a switch may:
• Drop the frame. The switch assumes that the port is only meant for untagged frames.
• Forward the frame based upon the VLAN ID in the frame.
• Forward the frame as if the incoming frame didn't have a tag.
The network administrator associates ports with the VLAN.
A port can be a member of only one port-based VLAN.
Slide 6
Refer to the product documentation to determine how to configure port-based VLANs.
802.1Q Tagged VLANs
802.1Q VLAN membership is based upon the VLAN ID in the 802.1Q field in the incoming packet.
The 802.1Q tag contains four fields:
• Tag Protocol ID (TPID)
• User Priority
• Canonical Format Indicator (CFI)
• VLAN Identifier (VID)
Slide 7
802.1Q Ethernet Frame
Field                      Size
Destination MAC            6 Bytes
Source MAC                 6 Bytes
TPID (0x8100)              2 Bytes
802.1p                     3 bits
CFI                        1 bit
VLAN ID                    12 bits
Type / Length              2 Bytes
Data (Payload / Padding)   42 to 1500 Bytes
CRC                        4 Bytes
64 Bytes Minimum. 1522 Bytes Maximum.
802.1Q Tagged VLANs Uses
Tagging is most commonly used to create VLANs that span switches.
Tagging also can be used to differentiate one type of incoming traffic from another.
Another use for tagged VLANs is the ability to have a port configured as a member of multiple VLANs.
Slide 8
Remember, a single port can only be a member of one port-based VLAN. Tags may be used to associate that port with additional VLANs.
Protocol-Based VLANs
Protocol-based VLANs enable you to define a packet filter that the switch uses as the matching criteria to determine if a particular packet belongs to a particular VLAN.
• Type
• Logical Link Control (LLC)
• Subnetwork Access Protocol (SNAP)
Ethernet Frame
Field                                Size
Destination MAC                      6 Bytes
Source MAC                           6 Bytes
Type                                 2 Bytes
LLC (Logical Link Control)           3 Bytes
SNAP (Subnetwork Access Protocol)    5 Bytes
Data (Payload / Padding)             38 to 1492 Bytes
CRC                                  4 Bytes
64 Bytes Minimum. 1518 Bytes Maximum.
Slide 9
Slide 10
Benefits of VLANs
Help to control traffic.
Provide extra security.
• Only devices belonging to the same VLAN can communicate with each other.
Ease the change and movement of devices.
[Figure: Marketing (ports 1-4), Engineering (ports 9-12), Operations (ports 17-24).]
VLAN Implementation
ExtremeXOS™ Operation and Configuration, Version 12.1
Managing Port-Based VLANs
Displaying, creating, and enabling VLANs and managing VLAN ports.
Slide 13
Listing The Steps to Create a Port-Based VLAN
Creating a VLAN
• Determine current VLAN configuration
• Create the VLAN
• Add ports to the VLAN
• Verify VLAN functionality
Other management tools
• Enable a VLAN
• Disable a VLAN
• Rename a VLAN
Slide 14
Displaying VLAN Information
The first step in evaluating the switch's VLAN configuration is displaying the current VLAN configuration.
To display the switch's VLANs, including their tag values, use the following syntax:
• show vlan { detail | <vlan_name> }
Examples:
• To display a concise description of all VLANs configured on the device, enter the following command:
show vlan
• To display a detailed description of all VLANs configured on the switch, enter the following command:
show vlan detail
• To display a detailed description of the VLAN named accounting, enter the following command:
show vlan detail accounting
Slide 15
Displaying VLAN Information (Continued…)
The show vlan command shows high-level info for all VLANs.
* VLAB-R3-BD10808.2 # show vlan
--------------------------------------------------------------------------------------
Name VID Protocol Addr Flags Proto Ports Virtual
Active router
/Total
--------------------------------------------------------------------------------------
Default 1 -------------------------------T---------- ANY 1 /198 VR-Default
Mgmt 4095 10.209.10.37 /24 ---------------------- ANY 1 /1 VR-Mgmt
--------------------------------------------------------------------------------------
Slide 16
Creating and Deleting Port-Based VLANs
To create a port-based VLAN, use the following command syntax:
• create vlan <vlan_name>
To delete a port-based VLAN, enter the following command syntax:
• delete vlan <vlan_name>
VLAN names must be unique.
Example
• To create a VLAN named accounting, enter the following command:
create vlan accounting
• To remove the VLAN named accounting, enter the following command:
delete vlan accounting
When the VLAN is created, it has no ports as members.
Slide 17
Adding and Removing Ports to and from a Port-Based VLAN
To add ports to a port-based VLAN, use the following syntax:
• configure vlan <vlan_name> add ports <ports_list>
To remove ports from a port-based VLAN, use the following syntax:
• configure vlan <vlan_name> delete ports <port_list>
Implementation notes
• The VLAN must already exist before you can add (or delete) ports.
• Ports can only be in one VLAN as untagged.
• A port can be added to multiple VLANs only when it has multiple tags.
• By default, all ports are members of the default VLAN.
• In order to add untagged ports to a different VLAN, you must first remove them from the default VLAN. Failure to do so results in this error:
Error: Protocol conflict when adding untagged port 1:2. Either add this port as tagged or assign another protocol to this VLAN.
Slide 18
Adding and Removing Ports to and from a Port-Based VLAN: Examples
Examples:
• To add all ports to the VLAN named accounting, use the following command:
configure vlan accounting add ports all
• To remove ports 4, 6, and 10 from the port-based VLAN named accounting, use the following command:
configure vlan accounting delete ports 4, 6, 10
Slide 19
Enabling and Disabling Port-Based VLANs
During complex configurations it might be useful to disable VLANs prior to deployment (i.e. MPLS).
To disable a port-based VLAN, use the following syntax:
• disable vlan <vlan_name>
To enable a port-based VLAN, use the following syntax:
• enable vlan <vlan_name>
Implementation notes
• Disabling a VLAN stops all traffic on all ports for the VLAN.
• You cannot disable a VLAN that is running a Layer-2 protocol such as ESRP or EAPS.
• If necessary, you can disable the default VLAN; however, you cannot disable the management VLAN.
• You can remove ports from a disabled VLAN; however, you cannot add ports.
Slide 20
Enabling and Disabling Port-Based VLANs (Continued…)
Examples:
• To enable and disable a port-based VLAN named accounting, use the following commands:
enable vlan accounting
disable vlan accounting
Slide 21
Renaming VLANs
To rename a VLAN, use the following command syntax:
• configure vlan <vlan_name> name <name>
To rename the accounting VLAN to finance, use the following command:
• configure vlan accounting name finance
Slide 22
Verifying Port-Based VLAN Configuration
Verify VLAN configuration
show vlan blue
show vlan <vlan_name>
Slide 23
System VLAN – Default
Default VLAN
• Comes pre-configured on all switches
• All data ports are members
• Internal VLAN ID of 1
• Cannot be deleted or renamed
[Figure: the "Default" VLAN contains the data ports in VR-Default; the "Mgmt" VLAN contains the management Ethernet port in VR-Mgmt.]
show vlan default
There are two pre-configured port-based VLANs: The Default VLAN and the Mgmt VLAN.
Slide 24
System VLANs - Mgmt
Mgmt VLAN
• Only exists on switches that have an Ethernet management port.
• Only contains the management port.
• Is only used for network management access:
Telnet, HTTP, SNMP, and TFTP
• Not capable of supporting switching or routing functions.
Not all platforms have a management port. Refer to product documentation for your systems.
show vlan mgmt
Slide 25
Extending Port-Based VLANs Across Switches
Create VLANs on each switch.
• The same VLAN name must be configured on each switch.
Add ports to each VLAN on each switch.
• Each switch must have at least one configured port for each VLAN.
Physically connect switches together using one port on each switch per VLAN.
• Each link between the switch ports must connect to a port that is a member of the same VLAN on the next switch.
[Figure: two switches, each with Marketing (ports 1-4), Engineering (ports 9-12), and Operations (ports 17-24).]
Managing Tagged VLANs
Creating, and enabling VLANs and managing VLAN ports.
Slide 27
Listing The Steps to Create a Tagged VLAN
Creating a Tagged VLAN
1. Create the VLAN
2. Assign a tag value to the VLAN
3. Add ports to the VLAN
4. Verify tagged VLAN configuration
5. Verify tagged VLAN functionality
Slide 28
Creating a Tagged VLAN
Create the VLAN
• create vlan <vlan_name>
Assign a tag value (VLAN ID) to the VLAN (2 - 4094):
• configure vlan <vlan_name> tag <tag_value>
Examples
• To create a VLAN named ENGINEERING with a VLAN ID of 2004, enter the following commands:
create vlan ENGINEERING
configure vlan ENGINEERING tag 2004
Implementation
• The tag range is 2 - 4094.
Slide 29
Adding and Deleting Ports to and from a Tagged VLAN
Ingress Processing is based upon:
• Ethernet frame’s VLAN ID.
• Port membership type (tagged / untagged).
• Presence of a VLAN ID associated with the port.
Egress Processing is based upon
• VLAN associated with frame.
• Port membership type.
Port   VLAN ID   VLAN Name    Member As
1      2         FINANCE      tagged
1      3         FACILITIES   tagged
1      4         GUEST        untagged
Slide 30
Adding and Deleting Ports to and from a Tagged VLAN
Before adding a port, ensure it has been deleted from untagged VLANs such as the Default VLAN:
• configure vlan <vlan_name> delete port <port_list>
Add the port to the VLAN with tagged or untagged membership:
• configure vlan <vlan_name> add port <port_list> [ tagged | untagged ]
Verify that the ports are tagged or untagged ports:
• show vlan <vlan_name>
Examples
• configure vlan default delete port 7
• configure vlan ENGINEERING add port 7 untagged
• configure vlan ENGINEERING add ports 2,3 tagged
• show vlan ENGINEERING
Verifying Tagged VLAN Configuration
Verify VLAN configuration
show vlan blue
Verify
• name
• tag value
• ports
Note: For the purposes of VLAN classification, packets arriving on a port with an 802.1Q tag containing a VLAN ID of 0 are treated as untagged.
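The ingress and egress rules above, worked through in Python as an added example (not part of the Extreme Networks material). It uses the Port 1 membership table and the VLAN ID 0 note from the slides; the function names, the constructed frames, and the choice to drop a tagged frame whose VLAN the port is not a tagged member of are assumptions.

```python
import struct

TPID_8021Q = 0x8100

# Port 1 memberships from the slide's table: VLAN ID -> (name, member_as).
PORT1 = {2: ("FINANCE", "tagged"), 3: ("FACILITIES", "tagged"), 4: ("GUEST", "untagged")}


def parse_tag(frame: bytes):
    """Return (priority, cfi, vid) if the frame carries an 802.1Q tag, else None."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    # 3 bits of 802.1p priority, 1 bit CFI, 12 bits VLAN ID.
    return tci >> 13, (tci >> 12) & 1, tci & 0x0FFF


def ingress_vlan(frame: bytes, memberships: dict):
    """Pick the VLAN ID for a frame arriving on a port, or None to drop it."""
    tag = parse_tag(frame)
    if tag is None or tag[2] == 0:
        # Untagged, or VLAN ID 0, which is classified as untagged.
        for vid, (_name, member_as) in memberships.items():
            if member_as == "untagged":
                return vid
        return None
    vid = tag[2]
    # Assumption: a tagged frame is accepted only for a VLAN where the port
    # is a tagged member; anything else is dropped.
    if memberships.get(vid, (None, None))[1] == "tagged":
        return vid
    return None


def egress_frame(frame: bytes, vid: int, memberships: dict) -> bytes:
    """Add or strip the tag according to the egress port's membership type."""
    tag = parse_tag(frame)
    untagged = frame if tag is None else frame[:12] + frame[16:]
    if memberships[vid][1] == "untagged":
        return untagged
    priority = tag[0] if tag else 0
    tci = (priority << 13) | vid
    return untagged[:12] + struct.pack("!HH", TPID_8021Q, tci) + untagged[12:]


def build(vid=None, priority=0, ethertype=0x0800, payload=bytes(46)):
    """Constructed sample frame (no CRC): broadcast destination, made-up source."""
    macs = bytes.fromhex("ffffffffffff020000000001")
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, (priority << 13) | vid)
    return macs + tag + struct.pack("!H", ethertype) + payload
```

The frames here carry no CRC; a real switch recomputes it whenever a tag is added or removed.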
Slide 31
Slide 32
Verifying Tagged VLAN Functionality
Generate tagged and untagged Ethernet Frames
• IXIA, Network Packet Generator (npg.exe), switch, or PC.
Verify ingress and egress functionality
• Do tagged and untagged frames get forwarded to the correct ports?
• Capture Frames
Wireshark, Sniffer, tcpdump, windump
• Onboard statistics
clear counters
configure port [<port_list> | all] monitor vlan <vlan_name>
show ports {port_list} vlan statistics {no-refresh}
Slide 33
Example: Configuring Tagged VLANs on Multiple Switches
create vlan red
configure vlan red tag 10
configure vlan red add port 1-3 untagged
configure vlan red add port 4 tagged
create vlan green
configure vlan green tag 20
configure vlan green add port 5-8 untagged
configure vlan green add port 4 tagged
[Figure: switches with ports 1-8; frames tagged 10 and 20 (D, S, tag, T/L, Payload, Padding, CRC) on the link between the switches.]
Slide 34
VLAN Rules:
Use consistent tag values on all links between switches.
Use consistent VLAN names and VLAN IDs across switches.
Configure links between switches to use tags.
[Figure: Switch 1, Switch 2, and Switch 3 with ports marked tagged (T) or untagged (U) for VLANs 10 and 30.]
Managing Protocol-Based VLANs
Creating, and enabling protocol-based VLANs and managing VLAN ports.
Slide 36
Listing The Steps to Create a Protocol-Based VLAN
Creating a Protocol-Based VLAN
1. Create the VLAN
2. Add tag to VLAN (optional)
3. Create and configure protocol filter (optional)
4. Assign a protocol filter to the VLAN
5. Add ports to the VLAN
6. Verify VLAN configuration
7. Verify VLAN functionality
Slide 37
Creating a Protocol-Based VLAN
The process of creating a protocol-based VLAN is exactly the same as with tagged and untagged VLANs.
• create vlan <vlan_name>
You can associate a tag value with the VLAN (optional).
• configure vlan <vlan_name> tag <vlan_id>
The VLAN is defined, but has no ports.
[Figure: the "protoVLAN" VLAN in VR-default.]
Slide 38
Creating a Protocol Filter
Define a protocol filter to be used as the matching criteria to determine if a particular packet belongs to a particular VLAN.
Manually define filters or use the pre-defined protocol filters on the switch.
[Figure: multiple incoming protocols sorted into the Blue Protocol VLAN (IPX), Orange Protocol VLAN (IP), and Green Protocol VLAN (AppleTalk).]
Slide 39
Predefined Protocol Filters
Filter Name   Type    Value
IP            ETYPE   0x0800, 0x0806
IPX           ETYPE   0x8137
IPv6          ETYPE   0x86DD
MPLS          ETYPE   0x8847
DECNet        ETYPE   0x6003, 0x6004
NetBIOS       LLC     0xF0F0, 0xF0F1
IPX_8022      LLC     0xE0E0
IPX_SNAP      SNAP    OUI = 0x8137
AppleTalk     SNAP    OUI = 0x809B, 0x80F3
There are eight predefined protocol filters
Frame layout for each filter type:
ETYPE   DA | SA | ETYPE | Data | CRC
LLC     DA | SA | LENGTH | LLC | CNTRL | Data | CRC
SNAP    DA | SA | LENGTH | SNAP 0xAAAA03 | OUI | Data | CRC
Slide 40
Custom Protocol Filters
To create a custom VLAN protocol:
• create protocol <protocol_name>
To add a custom filter to a custom VLAN protocol:
• configure protocol <protocol_name> add [ etype | llc | snap] <hex_value>
You may add multiple filters to a single protocol:
• Adding two filters using two commands:
configure protocol myProtoFilter add etype 0xfeed
configure protocol myProtoFilter add etype 0xface
• Using one command to accomplish the same:
configure protocol myProtoFilter add etype 0xfeed etype 0xface
A maximum of 15 protocol filters, each containing a maximum of 6 protocols, can be defined.
No more than 7 protocols can be active and configured for use.
Slide 41
Verifying Protocol-Based VLANs
* sanjose 3 # show protocol
Protocol Name    Type     Value
------------------------------------------------
IP               etype    0x0800
                 etype    0x0806
ANY              ANY      0xffff
foo              llc      0xfbaf
ipx              etype    0x8137
IPv6             etype    0x86dd
fooz
decnet           etype    0x6003
                 etype    0x6004
netbios          llc      0xf0f0
                 llc      0xf0f1
ipx_8022         llc      0xe0e0
ipx_snap         snap     0x8137
appletalk        snap     0x809b
                 snap     0x80f3
* sanjose 3 # show protocol IPv6
Protocol Name    Type     Value
------------------------------------------------
IPv6             etype    0x86dd
Slide 42
Assigning a Protocol Filter to a Protocol-Based VLAN
Adding a Port to a Protocol-Based VLAN
To assign a protocol to a VLAN, use the following syntax:
• configure vlan <vlan_name> protocol <protocol_name>
To add a port to a protocol-based VLAN:
• configure vlan <vlan_name> add ports <port_list>
The protocol-based VLAN is now configured. Now, when a frame is received on a port, the system checks:
• Is the frame tagged? If yes, and the port is a member, then forward appropriately.
• Does the frame have a matching protocol filter? If yes, then forward appropriately.
Protocol filters may include ANY
Slide 43
Protocol-Based VLAN Example Configuration
[Figure: IPX, AppleTalk, and IP servers and IP / IPX, AppleTalk / IPX, IPX, AppleTalk, and IP clients, grouped by IPX protocol, AppleTalk protocol, and IP protocol.]
Slide 44
Protocol-Based VLAN Example Configuration (Continued…)
Configure 3 Protocol-Based VLANs, each with four ports.
• All three VLANs have three ports in common. The ports are serving the Summit switches at the perimeter.
[Figure: Apple server, Novell server, and IP server; ports 2:17, 2:18, 2:19, 2:20, 2:21, and 2:22.]
Slide 45
Configuring Protocol-Based VLANs
create vlan orange
configure orange protocol ip
configure orange add port 1-4
create vlan blue
configure blue protocol ipx
configure blue add port 4-8
[Figure: ports 1 through 8 with VLAN orange (Protocol Filter = IP) and VLAN blue (Protocol Filter = IPX); port labels IP and IP / IPX.]
Slide 46
Notes on Protocol-Based VLANs
When a new VLAN is created, it is assigned the ‘any’ protocol by default.
When a protocol filter is deleted, the VLANs which had the protocol filters assigned are now assigned a protocol filter of "none" or an error occurs.
• No traffic is forwarded until a protocol is assigned.
Tagged packets take precedence over protocol filters associated with a VLAN.
[Figure: a tagged Ethernet frame (Tag=10) carrying IPX.]
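How a frame is matched against the predefined ETYPE, LLC, and SNAP filters and the orange/blue configuration above, as an added Python example that is not ExtremeXOS code. The function names, the constructed frames, and the preference for a specific filter over ANY are assumptions.

```python
import struct

# Predefined filters from the slide's table: name -> {(type, value), ...}
FILTERS = {
    "IP": {("etype", 0x0800), ("etype", 0x0806)},
    "IPX": {("etype", 0x8137)},
    "IPv6": {("etype", 0x86DD)},
    "MPLS": {("etype", 0x8847)},
    "DECNet": {("etype", 0x6003), ("etype", 0x6004)},
    "NetBIOS": {("llc", 0xF0F0), ("llc", 0xF0F1)},
    "IPX_8022": {("llc", 0xE0E0)},
    "IPX_SNAP": {("snap", 0x8137)},
    "AppleTalk": {("snap", 0x809B), ("snap", 0x80F3)},
}
# The orange/blue configuration from the slide: (name, protocol filter, ports).
VLANS = [("orange", "IP", range(1, 5)), ("blue", "IPX", range(4, 9))]


def frame_key(frame: bytes):
    """Return the (type, value) pair that protocol filters are compared against."""
    if len(frame) < 22:
        raise ValueError("frame too short to classify")
    (field,) = struct.unpack_from("!H", frame, 12)
    if field == 0x8100:                       # 802.1Q TPID: classified by VLAN ID
        return ("tag", struct.unpack_from("!H", frame, 14)[0] & 0x0FFF)
    if field >= 0x0600:                       # Ethernet II: field is an EtherType
        return ("etype", field)
    dsap_ssap, ctrl = struct.unpack_from("!HB", frame, 14)  # 802.3 length, then LLC
    if dsap_ssap == 0xAAAA and ctrl == 0x03:                # SNAP 0xAAAA03
        return ("snap", struct.unpack_from("!H", frame, 20)[0])
    return ("llc", dsap_ssap)


def classify(frame: bytes, port: int, vlans=VLANS):
    """Return ("tag", vid), ("protocol", vlan_name) or ("none", None)."""
    key = frame_key(frame)
    if key[0] == "tag":
        return key                            # tags take precedence over filters
    fallback = ("none", None)
    for name, proto, ports in vlans:
        if port not in ports:
            continue
        if proto == "ANY":                    # assumption: used only if nothing else matches
            fallback = ("protocol", name)
        elif key in FILTERS[proto]:
            return ("protocol", name)
    return fallback


# Constructed sample frames (no CRC): broadcast destination, made-up source MAC.
MACS = bytes.fromhex("ffffffffffff020000000001")


def eth2(etype, vid=None):
    tag = b"" if vid is None else struct.pack("!HH", 0x8100, vid)
    return MACS + tag + struct.pack("!H", etype) + bytes(46)


def llc(dsap_ssap):
    return MACS + struct.pack("!HHB", 46, dsap_ssap, 0x03) + bytes(43)


def snap(protocol_id):
    head = struct.pack("!HHB", 46, 0xAAAA, 0x03) + bytes(3)
    return MACS + head + struct.pack("!H", protocol_id) + bytes(38)
```

IPX carried in 802.2 LLC does not match the ETYPE-only IPX filter, so on a blue-only port such a frame finds no VLAN unless IPX_8022 is also assigned somewhere.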
Slide 47
Summary
You should now be able to:
Define VLANs.
Describe port-based (untagged) VLANs.
Describe tagged VLANs.
Describe protocol-based VLANs.
Describe the benefits of VLANs.
Manage port-based (untagged) VLANs.
Manage tagged VLANs.
Manage protocol-based VLANs.
Slide 48
Lab
Turn to the Port-based VLAN Configuration and the Tagged VLAN Configuration Lab in the ExtremeXOS™ Operations and Configuration - Lab Guide Rev. 12.1 and complete the hands-on portion of this module.
Review Questions
This presentation contains forward-looking statements that involve risks and uncertainties, including statements regarding our expectations as to products, trends and our performance. There can be no assurances that any forward-looking statements will be achieved, and actual results could differ materially from forecasts and estimates. For factors that may affect our business and financial results please refer to our filings with the Securities and Exchange Commission, including, without limitation, under the captions: “Management’s Discussion and Analysis of Financial Condition and Results of Operations,” and “Risk Factors,” which is on file with the Securities and Exchange Commission (http://www.sec.gov). We undertake no obligation to update the forward-looking information in this release.
The End