Virtual LAN Configuration Guide (VLAN)
1. Introduction
This document describes VLAN-related configuration and retrieval of status information.
An Ethernet VLAN (Virtual Local Area Network) is a technology that allows segmentation of a physical network into multiple logical networks, improving network performance, enhancing security, and simplifying management.
1.1. Basic Concepts
-
Segmentation: VLANs divide a single physical network into multiple logical networks. Each VLAN acts as a separate forwarding and learning domain, separating frames from devices in the different VLANs.
-
Tagging: VLANs use frame tagging (IEEE 802.1Q) to identify which VLAN a particular Ethernet frame belongs to.
-
VLAN ID: Each VLAN is assigned a unique identifier called a VLAN ID, which ranges from 1 to 4094.
1.2. How VLANs Work
VLANs are configured on network switches with a number of member ports. Frames in a VLAN can only be forwarded between member ports.
-
Access Ports: These ports are assigned to a single VLAN and are typically used to connect end devices like computers and printers.
-
Trunk Ports: These ports can carry traffic from multiple VLANs and are used to connect switches to each other. Frame tagging is used to identify which VLAN the traffic belongs to.
Tagging behavior depends on the type of port.
-
Access Ports: When a frame ingresses the port, it is classified to the VLAN ID associated with that port. Any tag in the frame is preserved. When a frame egresses the port, a tag is NOT pushed with the classified VLAN ID.
-
Trunk Ports: When a frame ingresses the port, it is classified to the VLAN ID based on the VID in the tag. The tag in the frame is NOT preserved (popped). When a frame egresses the port, a tag is pushed with the classified VLAN ID.
When a switch receives a frame, it uses the classified VLAN ID and forwards the frame only to ports that are part of that VLAN.
2. Custom EtherType
The switch can be configured with a Custom EtherType that can be the recognized Tag EtherType on a Custom-Tag aware port.
The port type has to be configured as provider-custom-network-port to be Custom-Tag aware.
In the following, the interface (port) name '1' is used.
Let’s see that the port type is d-bridge-port (TAG un-aware) by default:
FETCH request message:
- "/ietf-interfaces:interfaces/interface[name='1']/\
ieee802-dot1q-bridge:bridge-port/port-type"FETCH response message:
- ? "/ietf-interfaces:interfaces/interface/ieee802-dot1q-bridge:bridge-port/\
port-type"
: ieee802-dot1q-bridge:d-bridge-portLet’s see that the switch Custom EtherType is 0x88A8 (S-TAG) by default:
FETCH request message:
- "/ieee802-dot1q-bridge:bridges/bridge[name='b0']/component[name='c0']/\
mchp-velocitysp-bridge:custom-ethertype"FETCH response message:
- ? "/ieee802-dot1q-bridge:bridges/bridge/component/\
mchp-velocitysp-bridge:custom-ethertype"
: 88-A8The following two requests will configure the switch Custom EtherType to be 0x5555 and the port type as Custom-Tag aware on port '1':
iPATCH request message:
- ? "/ieee802-dot1q-bridge:bridges/bridge[name='b0']/component[name='c0']/\
mchp-velocitysp-bridge:custom-ethertype"
: 55-AAiPATCH request message:
- ? "/ietf-interfaces:interfaces/interface[name='1']/\
ieee802-dot1q-bridge:bridge-port/port-type"
: mchp-velocitysp-bridge:provider-custom-network-portNow an ingress frame on port '1' with an outer Tag containing EtherType 0x5555 is considered a tagged frame and is classified to the VLAN according to the VID in the Tag. On port '1' egress, a pushed Tag will contain EtherType 0x5555.
3. Discard frames - inner tag
Ingress frames can be discarded based on the inner (second) tag. By default, there is no discard on the inner tag enabled - the inner tag is considered as data.
There are the following possibilities:
-
No Tag: Discard if there is no inner tag - tag is required.
-
Any Tag: Discard if there is any tag - tag is not accepted.
-
C-Tag: Discard if there is a C-Tag (EtherType 0x8100).
-
S-Tag: Discard if there is an S-Tag (EtherType 0x88A0).
-
Custom Tag: Discard if there is a Custom-Tag (EtherType XXXX).
Let’s see that inner tag discard is not enabled by default:
FETCH request message:
- "/ietf-interfaces:interfaces/interface[name='1']/\
ieee802-dot1q-bridge:bridge-port/\
mchp-velocitysp-bridge:inner-tag-discard"FETCH response message:
- ? "/ietf-interfaces:interfaces/interface/ieee802-dot1q-bridge:bridge-port/\
mchp-velocitysp-bridge:inner-tag-discard"
: ''Discard any inner tag - only allow single tagged frames:
iPATCH request message:
- ? "/ietf-interfaces:interfaces/interface[name='1']/\
ieee802-dot1q-bridge:bridge-port/\
mchp-velocitysp-bridge:inner-tag-discard"
: any-tagDiscard inner C-Tag:
iPATCH request message:
- ? "/ietf-interfaces:interfaces/interface[name='1']/\
ieee802-dot1q-bridge:bridge-port/\
mchp-velocitysp-bridge:inner-tag-discard"
: c-tagLet’s see that inner C-Tag discard is enabled:
FETCH request message:
- "/ietf-interfaces:interfaces/interface[name='1']/\
ieee802-dot1q-bridge:bridge-port/\
mchp-velocitysp-bridge:inner-tag-discard"FETCH response message:
- ? "/ietf-interfaces:interfaces/interface/ieee802-dot1q-bridge:bridge-port/\
mchp-velocitysp-bridge:inner-tag-discard"
: c-tag4. Use case - how to set up a VLAN
This use case will show an example of how to set up VLANs in a network.
Network view:
There are two switches (S1 and S2) each with two Access ports and a Trunk port
connecting the switch into a VLAN switched Network.
+--+ +--+
+---+--+---------+--+---+
| Port1 Port2 |
| (S1) |
| Port3 |
+----------+--+---------+
+-++
|
+--------+--------+
| Network |
+--------+--------+
|
+-++
+----------+--+---------+
| Port3 |
| (S2) |
| Port1 Port2 |
+---+--+---------+--+---+
+--+ +--+| In the following, we only show the configuration of one switch (S1). |
Two important concepts:
On a TAG un-aware port, the ingress frame (tagged or un-tagged) is classified
to VLAN based on port default VID.
On a TAG aware port, the ingress frame is classified to VLAN based on TAG VID.
The ports involved:
Access Port1: TAG un-aware, any frames accepted. Classified to VLAN10.
Access Port2: TAG un-aware, any frames accepted. Classified to VLAN20.
Trunk Port3: TAG aware and only C-Tagged frames accepted. Classified to outer TAG VID.
The VLANs:
A VLAN10 is created with Port1 and Port3 as members.
A VLAN20 is created with Port2 and Port3 as members.
In this example:
Frames on Port1 are un-tagged.
Frames on Port2 are tagged.
Frames on Port3 are tagged and double-tagged.
Forwarding:
Frames are forwarded between Port1 and Port3 on VLAN10.
Frames are forwarded between Port2 and Port3 on VLAN20.
Access direction:
Access Ports:
Un-Tagged Tagged VID30
| |
v v
+--+ +--+
+---+--+---------+--+---+
| Port1 Port2 |
| pvid 10 pvid 20 |
| (S1) |
| Port3 |
+----------+--+---------+
+--+
Tagged VID10 | | Double-Tagged VID20 + VID30
v v
Trunk Port:Trunk direction:
Access Ports:
Un-Tagged Tagged VID30
^ ^
| |
+--+ +--+
+---+--+---------+--+---+
| Port1 Port2 |
| pvid 10 pvid 20 |
| (S1) |
| Port3 |
+----------+--+---------+
+--+
^ ^
Tagged VID10 | | Double-Tagged VID20 + VID30
Trunk Port:
4.1. Delete VLAN 1
Delete the default VLAN 1 to avoid any conflicts.
iPATCH request message:
- ? "/ieee802-dot1q-bridge:bridges/bridge[name='b0']/component[name='c0']/\
filtering-database/\
vlan-registration-entry[database-id='0'][vids='1']"
:4.2. Set the VLAN TAG port type of the ports.
By default, the port-type is d-bridge-port (TAG un-aware) meaning that frames are not
classified based on the TAG content but based on PVID.
If the port-type is c-vlan-bridge-port, the port is C-TAG aware.
If the port-type is provider-network-port, the port is S-TAG aware.
If the port-type is provider-custom-network-port, the port is Custom-TAG aware.
The interface (port) name '1' and '2' by default have the correct port-type meaning TAG un-aware.
The interface (port) name '3' must have port-type as c-vlan-bridge-port meaning C-TAG aware.
iPATCH request message:
- ? "/ietf-interfaces:interfaces/interface[name='3']/\
ieee802-dot1q-bridge:bridge-port/port-type"
: ieee802-dot1q-bridge:c-vlan-bridge-portLet’s confirm that the port type indeed has been changed:
FETCH request message:
- "/ietf-interfaces:interfaces/interface[name='3']/\
ieee802-dot1q-bridge:bridge-port/port-type"FETCH response message:
- ? "/ietf-interfaces:interfaces/interface/ieee802-dot1q-bridge:bridge-port/\
port-type"
: ieee802-dot1q-bridge:c-vlan-bridge-port4.3. Set the acceptable frame type on the ports.
By default, the acceptable acceptable-frame type is set to admit-all-frames meaning un-tagged and tagged frames are admitted.
If acceptable-frame type is set to admit-only-VLAN-tagged-frames, only tagged frames are admitted.
If acceptable-frame type is set to admit-only-untagged-and-priority-tagged, only un-tagged and priority-tagged frames are admitted.
The interface (port) name '1' and '2' is TAG un-aware so this has no relevance.
The interface (port) name '3' must have acceptable-frame as admit-only-VLAN-tagged-frames.
iPATCH request message:
- ? "/ietf-interfaces:interfaces/interface[name='3']/\
ieee802-dot1q-bridge:bridge-port/acceptable-frame"
: admit-only-VLAN-tagged-framesLet’s confirm that the port acceptable-frame indeed has been changed:
FETCH request message:
- "/ietf-interfaces:interfaces/interface[name='3']/\
ieee802-dot1q-bridge:bridge-port/acceptable-frame"FETCH response message:
- ? "/ietf-interfaces:interfaces/interface/ieee802-dot1q-bridge:bridge-port/\
acceptable-frame"
: admit-only-VLAN-tagged-frames4.4. Enable Ingress filtering.
Ingress filtering means that an ingress frame classified to a VID is only forwarded if the port is a member of that VID.
By default, Ingress Filtering is disabled.
The interface (port) name '3' must have Ingress Filtering enabled.
iPATCH request message:
- ? "/ietf-interfaces:interfaces/interface[name='3']/\
ieee802-dot1q-bridge:bridge-port/enable-ingress-filtering"
: trueLet’s confirm that Ingress Filtering is indeed enabled:
FETCH request message:
- "/ietf-interfaces:interfaces/interface[name='3']/\
ieee802-dot1q-bridge:bridge-port/enable-ingress-filtering"FETCH response message:
- ? "/ietf-interfaces:interfaces/interface/ieee802-dot1q-bridge:bridge-port/\
enable-ingress-filtering"
: true4.5. Set the default VID on the ports.
By default, the pvid is 1.
The interface (port) name '1' must have PVID 10 in order to classify untagged frames to VLAN10.
iPATCH request message:
- ? "/ietf-interfaces:interfaces/interface[name='1']/\
ieee802-dot1q-bridge:bridge-port/pvid"
: 10The interface (port) name '2' must have PVID 20 in order to classify untagged frames to VLAN20.
iPATCH request message:
- ? "/ietf-interfaces:interfaces/interface[name='2']/\
ieee802-dot1q-bridge:bridge-port/pvid"
: 20Let’s confirm that the PVID has indeed been changed on port 1:
FETCH request message:
- "/ietf-interfaces:interfaces/interface[name='1']/\
ieee802-dot1q-bridge:bridge-port/pvid"FETCH response message:
- ? "/ietf-interfaces:interfaces/interface/ieee802-dot1q-bridge:bridge-port/\
pvid"
: 104.6. Add the VLANs.
VLAN10 must have interface (port) name '1' and name '3' as members.
Port1 must be an untagged port and Port3 must be a tagged port.
iPATCH request message:
- ? "/ieee802-dot1q-bridge:bridges/bridge[name='b0']/component[name='c0']/\
filtering-database/vlan-registration-entry"
: database-id: 0
vids: '10'
entry-type: static
port-map:
- port-ref: 1
static-vlan-registration-entries:
vlan-transmitted: untagged
- port-ref: 3
static-vlan-registration-entries:
vlan-transmitted: taggedVLAN20 must have interface (port) name '2' and name '3' as members.
Port2 must be an untagged port and Port3 must be a tagged port.
iPATCH request message:
- ? "/ieee802-dot1q-bridge:bridges/bridge[name='b0']/component[name='c0']/\
filtering-database/vlan-registration-entry"
: database-id: 0
vids: '20'
entry-type: static
port-map:
- port-ref: 2
static-vlan-registration-entries:
vlan-transmitted: untagged
- port-ref: 3
static-vlan-registration-entries:
vlan-transmitted: taggedLet’s confirm that VLAN10 and VLAN20 have indeed been added:
FETCH request message:
- "/ieee802-dot1q-bridge:bridges/bridge[name='b0']/component[name='c0']/\
filtering-database/vlan-registration-entry"FETCH response message:
- ? "/ieee802-dot1q-bridge:bridges/bridge/component/filtering-database/\
vlan-registration-entry"
: - database-id: 0
vids: '10'
entry-type: static
port-map:
- port-ref: 1
static-vlan-registration-entries:
vlan-transmitted: untagged
- port-ref: 3
static-vlan-registration-entries:
vlan-transmitted: tagged
- database-id: 0
vids: '20'
entry-type: static
port-map:
- port-ref: 2
static-vlan-registration-entries:
vlan-transmitted: untagged
- port-ref: 3
static-vlan-registration-entries:
vlan-transmitted: tagged4.7. Verify the VLAN configuration.
Verify the configuration by injecting frames into the DUT:
UN-TAGGED frame into port1 observing the frame egressing port3 (only!) C-TAGGED with VID 10.
UN-TAGGED frame into port2 observing the frame egressing port3 (only!) C-TAGGED with VID 20.
C-TAGGED with VID 10 frame into port3 observing the frame egressing port1 (only!) UN-TAGGED.
C-TAGGED with VID 20 frame into port3 observing the frame egressing port2 (only!) UN-TAGGED.
UN-TAGGED frame into port3 observing the frame is not forwarded.
C-TAGGED with VID 100 frame into port1 observing the frame egressing port3 (only!). Outer C-TAG with VID 10 and Inner C-TAG with VID 100.
C-TAGGED with VID 100 frame into port2 observing the frame egressing port3 (only!). Outer C-TAG with VID 20 and Inner C-TAG with VID 100.