Virtual LAN Support

This chapter describes support for VLAN and for VLAN-to-VLAN bridging.

The following topics are covered:

     VLAN Overview

     VLAN-to-VLAN Bridging

VLAN Overview

A VLAN is a Layer 2 broadcast domain. MAC-layer broadcast traffic can be flooded within the VLAN but does not cross to other VLANs. For traffic to go from one VLAN to another, it must be routed.

You can segment the ACOS device into multiple VLANs. Each Ethernet data port can be a member of one or more VLANs, depending on whether the port is tagged or untagged:

     Tagged – Tagged ports can be members of multiple VLANs. The port can recognize the VLAN to which a packet belongs based on the VLAN tag included in the packet.

     Untagged – Untagged ports can belong to only a single VLAN. By default, all Ethernet data ports are untagged members of VLAN 1.

NOTE: A tagged port is a physical port to which a tagged VLAN is bound, while an untagged port is a physical port to which an untagged VLAN is bound. See the Example of Tagged and Untagged Ports section for how these ports are configured.

Default VLAN (VLAN 1)

By default, all the ACOS device’s Ethernet data ports are members of a single virtual LAN (VLAN), VLAN 1.

On a new or unconfigured ACOS device, as soon as you configure an IP address on any individual Ethernet data port or trunk interface, Layer 2 forwarding on VLAN 1 is disabled.

When Layer 2 forwarding on VLAN 1 is disabled, broadcast, multicast, and unknown unicast packets are dropped instead of being forwarded. Learning is also disabled on the VLAN. However, packets for the ACOS device itself (for example, LACP or OSPF) are not dropped.

To re-enable Layer 2 forwarding on VLAN 1, use the following command at the global configuration level of the CLI:

ACOS(config)# vlan-global enable-def-vlan-l2-forwarding

NOTE: Configuring an IP address on an individual Ethernet interface indicates that you are deploying in routed mode (also called “gateway mode”). If you deploy in transparent mode instead, in which the ACOS device has a single IP address for all data interfaces, Layer 2 forwarding is left enabled by default on VLAN 1.

Virtual Ethernet Interfaces

On ACOS devices deployed in routed mode (Layer 3 mode), you can configure IP addresses on VLANs. To configure an IP address on a VLAN, add a Virtual Ethernet (VE) interface to the VLAN, then assign the IP address to the VE.

Each VLAN can have one VE. The VE ID must be the same as the VLAN ID. For example, VLAN 2 can have VE 2, VLAN 3 can have VE 3, and so on.

Maximum Number of Supported Virtual Ethernet Interfaces

     For all FTA models: 128 VEs on a single port*

     For non-FTA models: 128 VEs on a single port

     For L3V partitions (both FTA and non-FTA models): 32 VEs on a single port

Example of Tagged and Untagged Ports

In the following example, two physical Ethernet ports are enabled. The first Ethernet port (interface ethernet 1) will be configured as a tagged port with two network interfaces, while the second Ethernet port (interface ethernet 7) will be configured as an untagged port with one network interface.

1.     Enable the physical Ethernet ports:

 

ACOS(config)# interface ethernet 1

ACOS(config-if:ethernet:1)# enable

ACOS(config-if:ethernet:1)# exit

 

ACOS(config)# interface ethernet 7

ACOS(config-if:ethernet:7)# enable

ACOS(config-if:ethernet:7)# exit

 

2.     Configure VLAN 10. Bind Ethernet port 1 to a tagged VLAN 10. The 802.1Q tag is 10. Bind a network interface to the tagged port:

 

ACOS(config)# vlan 10

ACOS(config-vlan:10)# tagged ethernet 1

ACOS(config-vlan:10)# router-interface ve 10

ACOS(config-vlan:10)# exit

 

3.     Configure VLAN 11. Bind Ethernet port 1 to a tagged VLAN 11. The 802.1Q tag is 11. Bind a network interface to the tagged port:

 

ACOS(config)# vlan 11

ACOS(config-vlan:11)# tagged ethernet 1

ACOS(config-vlan:11)# router-interface ve 11

ACOS(config-vlan:11)# exit

 

4.     Configure VLAN 5. Bind Ethernet port 7 to an untagged VLAN 5. Bind a network interface to the untagged port:

 

ACOS(config)# vlan 5

ACOS(config-vlan:5)# untagged ethernet 7

ACOS(config-vlan:5)# router-interface ve 5

ACOS(config-vlan:5)# exit

 

5.     Show the VLAN configuration:

 

ACOS# show config vlan

...

vlan 5

 untagged ethernet 7

 router-interface ve 5

!

vlan 10

 tagged ethernet 1

 router-interface ve 10

!

vlan 11

 tagged ethernet 1

 router-interface ve 11

!

6.     Show the VLANs:

 

ACOS# show vlan

Total VLANs: 4

 

VLAN 1, Name [DEFAULT VLAN]:

Untagged Ethernet Ports:    2   3   4   5   6   8

 Tagged Ethernet Ports:   None

Untagged Logical Ports:   None

  Tagged Logical Ports:   None

 

VLAN 5, Name [None]:

Untagged Ethernet Ports:    7

 Tagged Ethernet Ports:   None

Untagged Logical Ports:   None

  Tagged Logical Ports:   None

 

      Router Interface:   ve 5

 

VLAN 10, Name [none]:

Untagged Ethernet Ports:   None

 Tagged Ethernet Ports:    1

Untagged Logical Ports:   None

  Tagged Logical Ports:   None

 

      Router Interface:   ve 10

 

VLAN 11, Name [none]:

Untagged Ethernet Ports:   None

 Tagged Ethernet Ports:    1

Untagged Logical Ports:   None

  Tagged Logical Ports:   None

 

      Router Interface:   ve 11

VLAN-to-VLAN Bridging

This section contains the following topics:

     Overview of VLAN-to-VLAN Bridging

     VLAN-to-VLAN Bridging Configuration Notes

     VLAN-to-VLAN Bridging Configuration Examples

 

Overview of VLAN-to-VLAN Bridging

VLAN-to-VLAN bridging allows an ACOS device to selectively bridge traffic among multiple VLANs. The ACOS device forwards packets from one VLAN to another based on its VLAN-to-VLAN bridging configuration. This feature allows the traffic flow between VLANs to be tightly controlled through the ACOS device without the need to reconfigure the hosts in the separate VLANs.

VLAN-to-VLAN bridging is useful in cases where reconfiguring the hosts on the network either into the same VLAN, or into different IP subnets, is not desired or is impractical.

You can configure a bridge VLAN group to forward one of the following types of traffic:

     IP traffic only (the default) – This option includes typical traffic between end hosts, such as ARP requests and responses. This option does not forward multicast packets.

     All traffic – This option forwards all types of traffic.

Figure 2 shows an example topology of VLAN-to-VLAN bridging:

FIGURE 2: VLAN-to-VLAN Bridging (with VRRP-A) [image: vlan-vlan_bridge_with_vrrp-a.png]

In this example, the ACOS devices are bridging traffic between VLAN 4 and VLAN 5.

VLAN-to-VLAN Bridging Configuration Notes

VLAN-to-VLAN bridging is supported on ACOS devices deployed in transparent mode (Layer 2) or in gateway mode (Layer 3).

Each VLAN to be bridged must be configured on the ACOS device. The normal rules for tagging apply:

     If an interface belongs to only one VLAN, the interface can be untagged.

     If the interface belongs to more than one VLAN, the interface must be tagged.

Each VLAN can belong to only a single bridge VLAN group.

Each bridge VLAN group can have a maximum of 8 member VLANs. Traffic from any VLAN in the group is bridged to all other VLANs in the group. The total number of bridge VLAN groups on the system (including those in L3V partitions) cannot exceed 255.

If the ACOS device is deployed in gateway mode, a Virtual Ethernet (VE) interface is required in the bridge VLAN group.
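The rules stated in this chapter (a port in more than one VLAN must be tagged, a VE ID must equal its VLAN ID, a VLAN can belong to only one bridge VLAN group, every bridged VLAN must be configured, and gateway mode requires a VE in the group) can be checked offline against a configuration listing before a change is applied. The following Python code is an added example, not A10 code; it recognizes only the command forms used in this chapter's examples, and the function names parse and audit and the listing layout for bridge-vlan-group stanzas are assumptions.

```python
import re

# Constructed sample; the bridge-vlan-group listing layout is an assumption.
SAMPLE = """\
vlan 4
 tagged ethernet 2
vlan 5
 untagged ethernet 2
 router-interface ve 50
bridge-vlan-group 1
 vlan 4 to 5
bridge-vlan-group 2
 vlan 5 to 6
 router-interface ve 5
"""

def parse(text):  # -> (vlans, groups, ports) built from the indented stanzas
    vlans, groups, ports, cur = {}, {}, {}, None
    for line in text.splitlines():
        if m := re.fullmatch(r"vlan (\d+)", line):
            cur = vlans[int(m[1])] = {"ve": None}
        elif m := re.fullmatch(r"bridge-vlan-group (\d+)", line):
            cur = groups[int(m[1])] = {"vlans": set(), "ve": None}
        elif m := re.fullmatch(r" (un)?tagged ethernet (\d+)", line):
            ports.setdefault(int(m[2]), []).append(m[1] is None)  # True = tagged
        elif m := re.fullmatch(r" vlan (\d+)(?: to (\d+))?", line):
            cur["vlans"].update(range(int(m[1]), int(m[2] or m[1]) + 1))
        elif m := re.fullmatch(r" router-interface ve (\d+)", line):
            cur["ve"] = int(m[1])
    return vlans, groups, ports

def audit(text, routed_mode=True):
    """Return violations of the VLAN and bridge VLAN group rules on this page."""
    (vlans, groups, ports), issues, owner = parse(text), [], {}
    for vid, v in vlans.items():
        if v["ve"] not in (None, vid):
            issues.append(f"vlan {vid}: VE ID {v['ve']} must equal the VLAN ID")
    for port, tags in ports.items():
        if len(tags) > 1 and not all(tags):
            issues.append(f"ethernet {port}: untagged but in {len(tags)} VLANs")
    for gid, g in groups.items():
        if routed_mode and g["ve"] is None:
            issues.append(f"group {gid}: routed mode requires a VE")
        for vid in sorted(g["vlans"]):
            if vid not in vlans:
                issues.append(f"group {gid}: vlan {vid} is not configured")
            if owner.setdefault(vid, gid) != gid:
                issues.append(f"vlan {vid}: in groups {owner[vid]} and {gid}")
    return issues
```

Calling audit(SAMPLE) reports five findings, including the "vlan 5 to 6" range that pulls an unconfigured VLAN into a group; pass routed_mode=False for a transparent-mode device.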

VLAN-to-VLAN Bridging Configuration Examples

To configure VLAN-to-VLAN bridging:

1.     Configure each of the VLANs to be bridged. In each VLAN, add the ACOS device’s interfaces to the VLAN.

2.     Configure a bridge VLAN group. Add the VLANs to the group.

If the ACOS device is deployed in routed mode, add a Virtual Ethernet (VE) interface to the group.

Optionally, you can assign a name to the group. You also can change the types of traffic to be bridged between VLANs in the group.

3.     If the ACOS device is deployed in routed mode, configure an IP address on the VE to place the ACOS device in the same subnet as the bridged VLANs.

CLI Example – Transparent Mode

The commands in this section configure an ACOS device deployed in transparent mode to forward IP traffic between VLANs 2 and 3.

The following commands configure the VLANs:

ACOS(config)# vlan 2

ACOS(config-vlan:2)# tagged ethernet 2

ACOS(config-vlan:2)# exit

ACOS(config)# vlan 3

ACOS(config-vlan:3)# tagged ethernet 3

ACOS(config-vlan:3)# exit

 

The following commands configure the bridge VLAN group:

ACOS(config)# bridge-vlan-group 1

ACOS(config-bridge-vlan-group:1)# vlan 2 to 3

ACOS(config-bridge-vlan-group:1)# exit

 

CLI Example – Routed Mode with VRRP-A

VLAN-to-VLAN bridging can also be configured with VRRP-A by specifying a VRID under the bridge VLAN configuration. Using the topology defined in Figure 2:

     Only the active device in the VRID will respond to ARP requests from devices in the bridged VLAN.

     The active VRRP-A device forwards any traffic passing through the bridge VLAN (destined for 10.1.1.1), and processes any traffic destined for the bridge VLAN VE IP address (10.1.1.2).

     The standby VRRP-A device drops any traffic passing through the bridge VLAN (destined for 10.1.1.1), but processes any traffic destined for the bridge VLAN VE IP address (10.1.1.2).

     On a failover, the new active device will forward any traffic passing through the bridge VLAN (destined for 10.1.1.3).

The commands in this section configure the topology shown in Figure 2: two ACOS devices deployed in routed mode to forward IP traffic between VLANs 4 and 5 on IP subnet 10.10.1.x.

Configure VRRP-A for Device 1:

ACOS1(config)# vrrp-a common

ACOS1(config-common)# device-id 1

ACOS1(config-common)# set-id 1

ACOS1(config-common)# enable

ACOS1(config-common)# exit

ACOS1(config)# vrrp-a l3-inline-mode

ACOS1(config)# vrrp-a restart-port-list

ACOS1(config-restart-port-list)# ethernet 7 to 8

ACOS1(config-restart-port-list)# exit

ACOS1(config)# vrrp-a vrid-lead lead

ACOS1(config-vrid-lead:lead)# partition shared vrid 0

ACOS1(config-vrid-lead:lead)# exit

ACOS1(config)#

 

Both l3-inline-mode and restart-port-list must be enabled in the configuration for VLAN-to-VLAN bridging with VRRP-A. All interfaces that are part of the bridge VLAN group must be included in the restart-port-list.

The vrid-lead configuration is used for L3V partitions to follow the vrid-lead of the shared partition. Since only one VRID can be configured in a given partition when l3-inline-mode is enabled, all L3V partitions will end up following the same VRID of the shared partition.

To configure the vrid-lead in an L3V partition (for example, partition p1):

ACOS[p1](config)# vrrp-a vrid 0

ACOS[p1](config-vrid:0)# follow vrid-lead lead

ACOS[p1](config-vrid:0)#

 

Configure VRRP-A for Device 2:

ACOS2(config)# vrrp-a common

ACOS2(config-common)# device-id 2

ACOS2(config-common)# set-id 1

ACOS2(config-common)# enable

ACOS2(config-common)# exit

ACOS2(config)# vrrp-a l3-inline-mode

ACOS2(config)# vrrp-a restart-port-list

ACOS2(config-restart-port-list)# ethernet 2 to 3

ACOS2(config-restart-port-list)# exit

ACOS2(config)# vrrp-a vrid-lead lead

ACOS2(config-vrid-lead:lead)# partition shared vrid 0

ACOS2(config-vrid-lead:lead)# exit

ACOS2(config)#

 

On each ACOS device, the following commands configure the VLANs (example shown for Device 1):

ACOS1(config)# vlan 4

ACOS1(config-vlan:4)# tagged ethernet 2

ACOS1(config-vlan:4)# exit

ACOS1(config)# vlan 5

ACOS1(config-vlan:5)# tagged ethernet 3

ACOS1(config-vlan:5)# exit

 

On each ACOS device, the following commands configure the bridge VLAN group, which includes a VE (example shown for Device 1):

ACOS1(config)# bridge-vlan-group 1

ACOS1(config-bridge-vlan-group:1)# vlan 4 to 5

ACOS1(config-bridge-vlan-group:1)# router-interface ve 4

ACOS1(config-bridge-vlan-group:1)# exit

 

On ACOS device 1, the following commands assign an IP address to the VE:

ACOS1(config)# interface ve 4

ACOS1(config-if:ve:4)# ip address 10.1.1.2 /24

ACOS1(config-if:ve:4)# exit

 

On ACOS device 2, the following commands assign an IP address to the VE:

ACOS2(config)# interface ve 4

ACOS2(config-if:ve:4)# ip address 10.1.1.3 /24

ACOS2(config-if:ve:4)# exit

 

 

* An exception is model AX 5200, which supports 384.
