2. CONSOLE PROGRAM
2.5 Configuring the System
2.5.4 Switch Management
2.5.4.4 VLAN Configuration
2.5.4.4.1 Port Based VLAN Configuration
Port-based VLAN can effectively segment one network into several broadcast domains, and broadcast, multicast and unknown packets will be limited to within the VLAN. Port-Based VLAN is uncomplicated and fairly rigid in implementation; it is best used by network administrators who wish to quickly and easily set up VLANs in order to isolate the effect of broadcast packets on their network.

The following screen page shows up if you choose Port-Based VLAN mode and then Configure VLAN.

When the Managed Switch is initially powered up or restored to the factory default setting, all switch ports are members of the Default VLAN and participate in the same broadcast domain. This allows devices connected to the switch ports to communicate with other devices on the switch ports.
Use New to add a new VLAN entity; the following screen page then shows up.
Use Edit to view and edit the current VLAN setting.
Use Delete to remove a VLAN entity.

VLAN Name: Specify a VLAN name.
VLAN Members: Associate ports to this VLAN entry. Move the cursor to VLAN member and mark the port with "V", which means that the port belongs to this VLAN.
2.5.4.4.2 802.1Q VLAN Concept
Port-Based VLAN is simple to implement and use, but it cannot deploy VLANs across switches. Therefore, the 802.1Q protocol was developed to provide the solution. By tagging VLAN membership information onto Ethernet frames, IEEE 802.1Q can help network administrators break large switched networks into smaller segments so that broadcast and multicast traffic will not occupy too much of the available bandwidth, as well as provide a higher level of security between segments of internal networks.
The 802.1Q frame format is shown below.

Field    Name                    Size            Description
PRE      Preamble                62 bits         Used to synchronize traffic
SFD      Start Frame Delimiter   2 bits          Marks the beginning of the header
DA       Destination Address     6 bytes         The MAC address of the destination
SA       Source Address          6 bytes         The MAC address of the source
TCI      Tag Control Info        2 bytes         Set to 8100 for 802.1p and Q tags
P        Priority                3 bits          Indicates 802.1p priority level 0-7
C        Canonical Indicator     1 bit           Indicates if the MAC addresses are in canonical format; Ethernet set to "0"
VID      VLAN Identifier         12 bits         Indicates the VLAN (0-4095)
T/L      Type/Length Field       2 bytes         Ethernet II "type" or 802.3 "length"
Payload  -                       <= 1500 bytes   User data
FCS      Frame Check Sequence    4 bytes         Cyclical Redundancy Check
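To make the tag layout in the table concrete, the following is an added Python example (not code from the manual or the switch firmware) that decodes and builds the 4-byte tag: the 2-byte 8100 value followed by the 16 bits holding P, C and VID. It assumes the frame reaches software without PRE, SFD and FCS, as a NIC delivers it; the MAC addresses and payload are constructed sample values.

```python
import struct
from dataclasses import dataclass
from typing import Optional

TAG_ID = 0x8100  # the 2-byte value the table says is "set to 8100" for an 802.1Q tag

@dataclass
class Frame:
    dst: str
    src: str
    pcp: Optional[int]  # P: 802.1p priority, 3 bits (None when the frame is untagged)
    cfi: Optional[int]  # C: canonical indicator, 1 bit
    vid: Optional[int]  # VID: VLAN identifier, 12 bits
    ethertype: int      # T/L: Ethernet II type or 802.3 length
    payload: bytes

def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_frame(raw: bytes) -> Frame:
    """Decode DA, SA, an optional 802.1Q tag, T/L and payload.
    Assumes PRE, SFD and FCS are already stripped, as a NIC hands frames to software."""
    if len(raw) < 14:
        raise ValueError("shorter than a minimal Ethernet header")
    dst, src = _mac(raw[0:6]), _mac(raw[6:12])
    (tl,) = struct.unpack("!H", raw[12:14])
    pcp = cfi = vid = None
    off = 14
    if tl == TAG_ID:                       # tag present: next 16 bits hold P | C | VID
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        (bits,) = struct.unpack("!H", raw[14:16])
        pcp = bits >> 13                   # top 3 bits: priority 0-7
        cfi = (bits >> 12) & 0x1           # next bit: canonical indicator
        vid = bits & 0x0FFF                # low 12 bits: VLAN 0-4095
        (tl,) = struct.unpack("!H", raw[16:18])
        off = 18
    return Frame(dst, src, pcp, cfi, vid, tl, raw[off:])

def build_tag(pcp: int, cfi: int, vid: int) -> bytes:
    """Encode the 4-byte tag (8100 followed by P | C | VID) that a tagging port inserts."""
    if not (0 <= pcp <= 7 and cfi in (0, 1) and 0 <= vid <= 4095):
        raise ValueError("tag field out of range")
    return struct.pack("!HH", TAG_ID, (pcp << 13) | (cfi << 12) | vid)

# Constructed sample frames (not captured from any real network), IPv4 type 0x0800
DST, SRC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
SAMPLE_TAGGED = DST + SRC + build_tag(5, 0, 100) + b"\x08\x00" + b"\x45\x00\x00\x14"
SAMPLE_UNTAGGED = DST + SRC + b"\x08\x00" + b"\x45\x00\x00\x14"
```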
[Figure: 802.1Q frame layout, left to right: PRE | SFD | DA | SA | TCI | P | C | VID | T/L | Payload | FCS]

Important VLAN Concepts for Configuration
There are two key concepts to understand.

- The Default Port VLAN ID (PVID) specifies the VID to the switch port that will assign the
- The VLAN ID (VID) specifies the set of VLANs that a given port is allowed to receive and send (the 802.1Q protocol assigns any single packet to just one VLAN). The PVID defines the default VLAN ID tag that will be added to untagged frames received on that port (ingress traffic).

On the other hand, a port can be defined as a member of multiple VLANs (multiple VIDs). These VIDs constitute an access list for the port. The access list can be used to filter tagged ingress traffic (the switch will drop a tagged packet if the port is not one of the members of that VLAN). The switch also consults the access list to filter packets it sends to that port (egress traffic). Packets will not be forwarded unless they belong to a VLAN of which the port is a member.

The differences between Ingress and Egress configurations can provide network segmentation. Moreover, they allow resources to be shared across more than one VLAN.
Important VLAN Definitions
made. The switch examines the VID (if present) in the received frame's header and decides whether or not, and where, to forward the frame. If the received frame is untagged, the switch will tag the frame with the PVID of the port on which it was received. It will then use traditional Ethernet bridging algorithms to determine the port to which the packet should be forwarded.

Next, it checks to see if each destination port is on the same VLAN as the PVID and thus can transmit the frame. If the destination port is a member of the VLAN used by the ingress port, the frame will be forwarded. If the received frame is tagged with VLAN information, the switch checks its address table to see whether the destination port is a member of the same VLAN. Assuming both ports are members of the tagged VLAN, the frame will be forwarded.
Ingress Filtering
The process of checking an incoming frame and comparing its VID with the ingress port VLAN membership is known as Ingress Filtering. On the Managed Switch, it can be either enabled or disabled.

1. When an untagged frame is received, the ingress port PVID will be applied to the frame.
2. When a tagged frame is received, the VID in the frame tag is used.

When Ingress Filtering is "Enabled", the Managed Switch will first determine:

1. If the ingress port itself is a member of the frame VLAN, it will receive the frame.
2. If the ingress port is not a member of the frame VLAN, the frame will be dropped.
3. If it is a member of that VLAN, the Managed Switch then checks its address table to see whether the destination port is a member of the same VLAN. Assuming both ports are members of that VLAN, the frame will be forwarded.

Administrators should make sure that each port's PVID is set up; otherwise, incoming frames may be dropped if Ingress Filtering is enabled. On the other hand, when Ingress Filtering is disabled, the Managed Switch will not compare the incoming frame VID with the ingress port VLAN membership. It will only check its address table to see whether the destination VLAN exists.

1. If the VLAN is unknown, it will be broadcast.
2. If the VLAN and the destination MAC address are known, the frame will be forwarded.
3. If the VLAN is known and the destination MAC address is unknown, the frame will be flooded to all ports in the VLAN.
Tagging
Every port on an 802.1Q compliant switch can be configured as tagging or un-tagging. Ports with tagging enabled will put the VID number, priority and other VLAN information into the header of all packets that flow into and out of them. If a packet has been tagged previously, the port will not alter the packet and keeps the VLAN information intact. The VLAN information in the tag can then be used by other 802.1Q compliant devices on the network to make packet forwarding decisions.

Un-tagging
Ports with un-tagging enabled will strip the 802.1Q tag from all packets that flow into and out of those ports. If the packet does not have an 802.1Q VLAN tag, the port will not alter the packet. Thus, all packets received by and forwarded by an un-tagging port will have no 802.1Q VLAN information. (Remember that the PVID is only used internally within the switch.) Un-tagging is used to send packets from an 802.1Q-compliant network device to a non-compliant network device. Simply put, un-tagging means that once you set up the port as "U" (untagged), all egress packets (in the same VLAN group) from the port will have no tags.
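The Ingress Filtering decision steps and the tagging/un-tagging egress behaviour described above, modelled together as an added Python example; this is not the Managed Switch's firmware or any code from the manual. The four-port layout, the MAC addresses and the reading of "broadcast" for an unknown VLAN (sent to every other port) are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

@dataclass
class Port:
    pvid: int          # PVID applied to untagged ingress frames
    members: Set[int]  # access list: VIDs the port may receive and send
    tagging: bool      # True = tagging ("T") port, False = un-tagging ("U") port

@dataclass
class Switch:
    ports: Dict[int, Port]
    ingress_filtering: bool
    addr_table: Dict[Tuple[int, str], int] = field(default_factory=dict)  # (VID, MAC) -> port

    def learn(self, vid: int, mac: str, port: int) -> None:
        self.addr_table[(vid, mac)] = port

    def forward(self, in_port: int, dst_mac: str, tag_vid: Optional[int] = None) -> Dict[int, bool]:
        """Egress decision for one frame: {port: leaves_tagged}; an empty dict means dropped.
        tag_vid is None for an untagged frame, otherwise the VID carried in its tag."""
        ingress = self.ports[in_port]
        vid = ingress.pvid if tag_vid is None else tag_vid      # steps 1-2: PVID or tag VID
        if self.ingress_filtering and vid not in ingress.members:
            return {}                                           # ingress port not a member: drop
        others = {n: p for n, p in self.ports.items() if n != in_port}
        if not any(vid in p.members for p in self.ports.values()):
            # filtering disabled and VLAN unknown: "broadcast" (assumed: every other port)
            return {n: p.tagging for n, p in others.items()}
        out = self.addr_table.get((vid, dst_mac))
        if out is not None:
            # VLAN and MAC known: forward, but the egress port's access list must allow the VLAN
            ok = out != in_port and vid in self.ports[out].members
            return {out: self.ports[out].tagging} if ok else {}
        # VLAN known, MAC unknown: flood to every other port that is a member of the VLAN
        return {n: p.tagging for n, p in others.items() if vid in p.members}

# Constructed sample configuration (an assumption, not taken from the manual):
# ports 1-3 are un-tagging access ports, port 4 is a tagging uplink carrying VLANs 10 and 20.
SAMPLE = Switch(
    ports={
        1: Port(pvid=10, members={10}, tagging=False),
        2: Port(pvid=10, members={10}, tagging=False),
        3: Port(pvid=20, members={20}, tagging=False),
        4: Port(pvid=1, members={10, 20}, tagging=True),
    },
    ingress_filtering=True,
)
SAMPLE.learn(10, "00:11:22:33:44:55", 2)  # constructed host address learned on port 2, VLAN 10
```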