Static VLAN operation

A group of networked ports assigned to a VLAN form a broadcast domain configured on the switch. On a given switch, packets are bridged between source and destination ports that belong to the same VLAN. Thus, all ports passing traffic for a particular subnet address should be configured to the same VLAN. Cross-domain broadcast traffic in the switch is eliminated and bandwidth is saved by not allowing packets to flood out all ports.

Comparative operation of port based and protocol based VLANs

Function Port-Based VLANs Protocol-Based VLANs

IP Addressing

Usually configured with at least one unique IP address.

A port-based VLAN can have no IP address. However, this limits the switch features available to ports on that VLAN, see "How IP Addressing Affects Switch Operation" in the chapter "Configuring IP Addressing" in the Basic Operation Guide for the switch.

Multiple IP addresses allow multiple subnets within the same VLAN, see the chapter on "Configuring IP Addressing" in the Basic Operation Guide for the switch.

You can configure IP addresses on all protocol VLANs. However, IP addressing is used only on IPv4 and IPv6 VLANs.

Restrictions:

Loopback interfaces share the same IP address space with VLAN configurations.

The maximum number of IP addresses supported on a switch is 2048, which includes all IP addresses configured for both VLANs and loopback interfaces (except for the default loopback IP address 127.0.0.1).

Each IP address configured on a VLAN interface must be unique in the switch it cannot be used by a VLAN interface or another loopback interface.

For more information, see the chapter on "Configuring IP Addressing" in the Basic Operation Guide.

Untagged VLAN Membership

A port can be a member of one untagged, port-based VLAN. All other port-based VLAN assignments for that port must be tagged.

A port can be an untagged member of one protocol VLAN of a specific protocol type, such as IPX or IPv6. If the same protocol type is configured in multiple protocol VLANs, then a port can be an untagged member of only one of those. For example, if you have two protocol VLANs, 100 and 200 and both include IPX, then a port can be an untagged member of either VLAN 100 or VLAN 200, but not both

A port's untagged VLAN memberships can include up to four different protocol types. It can be an untagged member of one of the following:

Four single-protocol VLANs
Two protocol VLANs where one VLAN includes a single protocol and the other includes up to three protocols
One protocol VLAN where the VLAN includes four protocols

Tagged VLAN Membership A port can be a tagged member of any port-based VLAN (see above). A port can be a taggedmember of any protocol-based VLAN (see above).

Routing

The switch can internally route IP (IPv4) traffic between port-based VLANs and between port-based and IPv4 protocol-based VLANs if the switch configuration enables IP routing.

If the switch is not configured to route traffic internally between port-based VLANs, then an external router must be used to move traffic between VLANs.

If the switch configuration enables IP routing, the switch can internally route IPv4 traffic as follows:

Between multiple IPv4 protocol-based VLANs
Between IPv4 protocol-based VLANs and port-based VLANs.

Other protocol-based VLANs require an external router for moving traffic between VLANs.


	NOTE: NETbeui and SNA are non-routable protocols. End stations intended to receive traffic in these protocols must be attached to the same physical network.

Commands for Configuring Static VLANs

vlan <vid> [tagged | untagged [e|<port-list> ]]

vlan <vid> protocol [ipx | ipv4 | ipv6 | arp | appletalk | sna | netbeui]

vlan <vid> [tagged | untagged [e|<port-list> ]]

VLAN environments

You can configure different VLAN types in any combination. The default VLAN will always be present. For more on the default VLAN, see Special VLAN types.

VLAN environment	Elements
The default VLAN (port-based; VID of 1) only	In the default VLAN configuration, all ports belong to VLAN 1 as untagged members. VLAN 1 is a port-based VLAN, for IPv4 traffic.
Multiple VLAN environment	In addition to the default VLAN, the configuration can include one or more other port-based VLANs and one or more protocol VLANs. The switches covered in this guide allow up to 2048 (vids up to 4094) VLANs of all types. UsingVLAN tagging, ports can belong to multiple VLANs of all types. Enabling routing on the switch enables it route IPv4 traffic between port-based VLANs and between port-based VLANs and IPv4protocol VLANs. Routing other types of traffic between VLANs requires an external router capable of processing the appropriate protocols.

VLAN environment

Elements

The default VLAN (port-based; VID of 1) only

In the default VLAN configuration, all ports belong to VLAN 1 as untagged members.

VLAN 1 is a port-based VLAN, for IPv4 traffic.

Multiple VLAN environment

In addition to the default VLAN, the configuration can include one or more other port-based VLANs and one or more protocol VLANs.

The switches covered in this guide allow up to 2048 (vids up to 4094) VLANs of all types.

UsingVLAN tagging, ports can belong to multiple VLANs of all types.

Enabling routing on the switch enables it route IPv4 traffic between port-based VLANs and between port-based VLANs and IPv4protocol VLANs. Routing other types of traffic between VLANs requires an external router capable of processing the appropriate protocols.

VLAN operation

General VLAN operation

A VLAN is composed of multiple ports operating as members of the same subnet or broadcast domain.
Ports on multiple devices can belong to the same VLAN.
Traffic moving between ports in the same VLAN is bridged (or switched).
Traffic moving between different VLANs must be routed.
A static VLAN is an 802.1Q-compliant VLAN, configured with one or more ports that remain members regardless of traffic usage.
A dynamic VLAN is an 802.1Q-compliant VLAN membership that the switch temporarily creates on a port to provide a link to another port either in the same VLAN on another device.

Types of static VLANs available in the switch

Port-based VLANs

This type of static VLAN creates a specific layer-2 broadcast domain comprised of member ports that bridge IPv4 traffic among themselves. Port-Based VLAN traffic is routable on the switches covered in this guide.

Protocol-based VLANs

This type of static VLAN creates a layer-3 broadcast domain for traffic of a particular protocol and is composed of member ports that bridge traffic of the specified protocol type among themselves. Some protocol types are routable on the switches covered in this guide; see Comparative operation of port based and protocol based VLANs.

Designated VLANs

The switch uses these static, port-based VLAN types to separate switch management traffic from other network traffic. While these VLANs are not limited to management traffic, they provide improved security and availability.

Default VLAN:

This port-based VLAN is always present in the switch and, in the default configuration, includes all ports as members. See VLAN support and the default VLAN.

Except for an IP address and subnet, no configuration steps are needed.

A switch in the default VLAN configuration

In this example, devices connected to these ports are in the same broadcast domain.

Primary VLAN:

The switch uses this port-based VLAN to run certain features and management functions, including DHCP/Bootp responses for switch management. In the default configuration, the Default VLAN is also the Primary VLAN. However, any port-based, non-default VLAN can be designated the Primary VLAN. See The primary VLAN.

Secure Management VLAN:

This optional, port-based VLAN establishes an isolated network for managing HP switches that support this feature. Access to this VLAN and to the switch's management functions are available only through ports configured as members. See The primary VLAN.

Voice VLANs:

This optional, port-based VLAN type enables separating, prioritizing and authenticating voice traffic moving through your network, avoiding the possibility of broadcast storms affecting VoIP Voice-over-IP) operation. See Using voice VLANs.


	NOTE: In a multiple-VLAN environment that includes older switch models there may be problems related to the same MAC address appearing on different ports and VLANs on the same switch. In such cases the solution is to impose cabling and VLAN restrictions. For more on this topic, see Multiple VLAN considerations.

Multiple port-based VLANs

In A switch with multiple VLANs configured and internal routing disabled, routing within the switch is disabled (the default). Thus communication between any routable VLANs on the switch must go through the external router. In this case, VLANs W and X can exchange traffic through the external router, but traffic in VLANs Y and Z is restricted to the respective VLANs.

Note that VLAN 1(the default) is present but not shown. The default VLAN cannot be deleted from the switch, but ports assigned to other VLANs can be removed from the default VLAN. If internal (IP) routing is enabled on the switch, then the external router is not needed for traffic to move between port-based VLANs.

A switch with multiple VLANs configured and internal routing disabled

Protocol VLAN environment

A switch with multiple VLANs configured and internal routing disabled illustrates a protocol VLAN environment also. In this case, VLANs W and X represent routable protocol VLANs. VLANs Y and Z can be any protocol VLAN.

As noted for the discussion of multiple port-based VLANs, VLAN 1 is not shown. Enabling internal (IP) routing on the switch allows IP traffic to move between VLANs on the switch, but routable, non-IP traffic always requires an external router.

Routing options for VLANs

Options for routing between VLAN types in the switch

		Port-Based	IPX	IPv4	IPv6	ARP	AppleTalk	SNA^[2]	NETbeui^[2]
Port-Based		Yes	—	Yes	—	—	—	—	—
Protocol	IPX	—	Yes^[1]	—	—	—	—	—	—
	IPX4	Yes	—	Yes	—	—	—	—	—
	IPV6	—	—	—	Yes^[1]	—	—	—	—
	ARP	—	—	—	—	Yes^[1]	—	—	—
	AppleTalk	—	—	—	—	—	Yes^[1]	—	—
	SNA	—	—	—	—	—	—	—	—
	NETbeui	—	—	—	—	—	—	—	—

^[2] Not a routable protocol type. End stations intended to receive traffic in these protocols must be attached to the same physical network. ^[1] Requires an external router to route between VLANs.

802.1Q VLAN tagging

A port can be a member of more than one VLAN of the same type if the device to which the port connects complies with the 802.1Q VLAN standard.

For example, a port connected to a central server using a network interface card (NIC) that complies with the 802.1Q standard can be a member of multiple VLANs, allowing members of multiple VLANs to use the server.

Although these VLANs cannot communicate with each other through the server, they can all access the server over the same connection from the switch.
Where VLANs overlap in this way, VLAN "tags" are used in the individual packets to distinguish between traffic from different VLANs.
A VLAN tag includes the particular VLAN I.D. (VID) of the VLAN on which the packet was generated.

For more on this topic, see Configuring or changing static VLAN per-port settings (CLI).

Overlapping VLANs using the same server

Similarly, using 802.1Q-compliant switches, you can connect multiple VLANs through a single switch-to-switch link.

Connecting multiple VLANs through the same link

Introducing tagged VLANs into legacy networks running only untagged VLANs

You can introduce 802.1Q-compliant devices into networks that have built untagged VLANs based on earlier VLAN technology. The fundamental rule is that legacy/untagged VLANs require a separate link for each VLAN, while 802.1Q, or tagged VLANs can combine several VLANs in one link. Thus on the 802.1Q-compliant device, separate ports (configured as untagged) must be used to connect separate VLANs to non-802.1Q devices.

Tagged and untagged VLAN technology in the same network

VLAN tagging rules

When tagging is needed

When a port belongs to two or more VLANs of the same type, they remain as separate broadcast domains and cannot receive traffic from each other without routing.


	NOTE: If multiple, non-routable VLANs exist in the switch—such as NETbeui protocol VLANs—they cannot receive traffic from each other.

Inbound tagged packets

The switch requires VLAN tagging on a given port if the port will be receiving inbound, tagged VLAN traffic that should be forwarded. Even if the port belongs to only one VLAN, it forwards inbound tagged traffic only if it is a tagged member of that VLAN.

If a tagged packet arrives on a port that is not a tagged member of the VLAN indicated by the packet's VID, the switch drops the packet.

Similarly, the switch drops an inbound, tagged packet if the receiving port is an untagged member of the VLAN indicated by the packet's VID.

Untagged packet forwarding

If the only authorized, inbound VLAN traffic on a port arrives untagged, then the port must be an untagged member of that VLAN. This is the case where the port is connected to a non-802.1Q compliant device or is assigned to only one VLAN.

To enable an inbound port to forward an untagged packet, the port must be an untagged member of either a protocol VLAN matching the packet's protocol, or an untagged member of a port-based VLAN.

That is, when a port receives an incoming, untagged packet, it processes the packet according to the following ordered criteria:

If the port has no untagged VLAN memberships, the switch drops the packet.
If the port has an untagged VLAN membership in a protocol VLAN that matches the protocol type of the incoming packet, then the switch forwards the packet on that VLAN.
If the port is a member of an untagged, port-based VLAN, the switch forwards the packet to that VLAN. Otherwise, the switch drops the packet.

Untagged VLAN operation

Tagged packet forwarding

If a port is a tagged member of the same VLAN as an inbound, tagged packet received on that port, then the switch forwards the packet to an outbound port on that VLAN.

To enable the forwarding of tagged packets, any VLAN to which the port belongs as a tagged member must have the same VID as that carried by the inbound, tagged packets generated on that VLAN.

Tagged VLAN operation

Applying VLAN tagging

Example of tagged and untagged VLAN port assignments

If port 7 on an 802.1Q-compliant switch is assigned to only the Red VLAN, the assignment can remain "untagged" because the port will forward traffic only for the Red VLAN. However, if both the Red and Green VLANs are assigned to port 7, then at least one of those VLAN assignments must be "tagged" so that Red VLAN traffic can be distinguished from Green VLAN traffic.

Tagged and untagged VLAN port assignments

In switch X:

VLANs assigned to ports X1 - X6 can be untagged because there is only one VLAN assignment per port. Red VLAN traffic will go out only the Red ports, Green VLAN traffic will go out only the Green ports and so on. Devices connected to these ports do not have to be 802.1Q-compliant.
However, because both the Red VLAN and the Green VLAN are assigned to port X7, at least one of the VLANs must be tagged for this port.

In switch Y:

VLANs assigned to ports Y1 - Y4 can be untagged because there is only one VLAN assignment per port. Devices connected to these ports do not have to be 802.1Q-compliant.
Because both the Red VLAN and the Green VLAN are assigned to port Y5, at least one of the VLANs must be tagged for this port.

In both switches:

The ports on the link between the two switches must be configured the same. As shown in Example of VLAN ID numbers assigned in the VLAN names screen, the Red VLAN must be untagged on port X7 and Y5 and the Green VLAN must be tagged on port X7 and Y5, or vice-versa.


	NOTE: Each 802.1Q-compliant VLAN must have its own unique VID number and that VLAN must be given the same VID in every device where configured. That is, if the Red VLAN has a VID of 10 in switch X, then 10 must also be the Red VID in switch Y.

Example of VLAN ID numbers assigned in the VLAN names screen

Additional VLAN tagging considerations

Since the purpose of VLAN tagging is to allow multiple VLANs on the same port, any port that has only one VLAN assigned to it can be configured as "Untagged" (the default) if the authorized inbound traffic for that port arrives untagged.

Any port with two or more VLANs of the same type can have one such VLAN assigned as "Untagged." All other VLANs of the same type must be configured as "Tagged," that is:

Port-Based VLANs

Protocol VLANs

A port can be a member of one untagged, port-based VLAN. All other port-based VLAN assignments for that port must be tagged.

A port can be an untagged member of one protocol-based VLAN of each protocol type. When assigning a port to multiple, protocol-based VLANs sharing the same type, the port can be an untagged member of only one such VLAN.

A port can be a tagged member of any port-based VLAN.

A port can be a tagged member of any protocol-based VLAN. See above.


	NOTE: A given VLAN must have the same VID on all 802.1Q-compliant devices in which the VLAN occurs. Also, the ports connecting two 802.1Q devices should have identical VLAN configurations.

If all end nodes on a port comply with the 802.1Q standard and are configured to use the correct VID, you can configure all VLAN assignments on a port as "Tagged" if doing so either makes it easier to manage your VLAN assignments, or if the authorized, inbound traffic for all VLANs on the port will be tagged.

For a summary and flowcharts of untagged and tagged VLAN operation on inbound traffic, see the following under VLAN tagging rules:

"Inbound Tagged Packets"
"Untagged Packet Forwarding" and Untagged VLAN operation
"Tagged Packet Forwarding" and Tagged VLAN operation

Example of Networked 802.1Q-compliant devices with multiple VLANs on some ports

In the following network, switches X and Y and servers S1, S2 and the AppleTalk server are 802.1Q-compliant. (Server S3 could also be 802.1Q-compliant, but it makes no difference for this example.) This network includes both protocol-based (AppleTalk) VLANs and port-based VLANs.

The VLANs assigned to ports X4 - X6 and Y2 - Y5 can all be untagged because there is only one VLAN assigned per port.
Port X1 has two AppleTalk VLANs assigned, which means that one VLAN assigned to this port can be untagged and the other must be tagged.
Ports X2 and Y1 have two port-based VLANs assigned, so one can be untagged and the other must be tagged on both ports.
Ports X3 and Y6 have two port-based VLANs and one protocol-based VLAN assigned. Thus, one port-based VLAN assigned to this port can be untagged and the other must be tagged. Also, since these two ports share the same link, their VLAN configurations must match.

Switch X					Switch Y
Port	AT-1 VLAN	AT-2 VLAN	Red VLAN	Green VLAN	Port	AT-1 VLAN	AT-2 VLAN	Red VLAN	Green VLAN
X1	Untagged	Tagged	No^[*]	No^[*]	Y1	No^[*]	No^[*]	Untagged	Tagged
X2	No^[*]	No^[*]	Untagged	Tagged	Y2	No^[*]	No^[*]	No^[*]	Untagged
X3	No^[*]	Untagged	Untagged	Tagged	Y3	No^[*]	Untagged	No^[*]	No^[*]
X4	No^[*]	No^[*]	No^[*]	Untagged	Y4	No^[*]	No^[*]	No^[*]	Untagged
X5	No^[*]	No^[*]	Untagged	No^[*]	Y5	No^[*]	No^[*]	Untagged	No^[*]
X6	Untagged	No^[*]	No^[*]	No^[*]	Y6	No	Untagged	Untagged	Tagged
^[*] No means the port is not a member of that VLAN. For example, port X3 is not a member of the Red VLAN and does not carry Red VLAN traffic. Also, if GVRP were enabled (port-based only), Auto would appear instead of No.


	NOTE: VLAN configurations onports connected by the same link must match. Because ports X2 and Y5 are opposite ends of the same point-to-point connection, both ports must have the same VLAN configuration, configuring the Red VLAN as "Untagged" and the Green VLAN as "Tagged.”

Multiple VLAN considerations

Switches use a forwarding database to maintain awareness of which external devices are located on which VLANs. Some switches, such as the switches covered in this guide, have a multiple forwarding database, which means the switch allows multiple database entries of the same MAC address, with each entry showing the (different) source VLAN and source port. Other switch models have a single forwarding database, which allows only one database entry of a unique MAC address, along with the source VLAN and source port on which it is found. All VLANs on a switch use the same MAC address. Thus, connecting a multiple forwarding database switch to a single forwarding database switch where multiple VLANs exist imposes some cabling and port VLAN assignment restrictions. The following table illustrates the functional difference between the two database types.

Forwarding database content

Multiple forwarding database			Single forwarding database
MAC address	Destination VLAN ID	Destination port	MAC address	Destination VLAN ID	Destination port
0004ea-84d9f4	1	A5	0004ea-84d9f4	100	A9
0004ea-84d9f4	22	A12	0060b0-880af9	105	A10
0004ea-84d9f4	44	A20	0060b0-880a81	107	A17
0060b0-880a81	33	A20
This database allows multiple destinations for the same MAC address. If the switch detects a new destination for an existing MAC entry, it just adds a new instance of that MAC to the table.			This database allows only one destination for a MAC address. If the switch detects a new destination for an existing MAC entry, it replaces the existing MAC instance with a new instance showing the new destination.

Forwarding database structure for managed HP switches

Multiple forwarding databases*	Single forwarding database*
Series 8200zl switches	Switch 1600M/E2400M/E2424M
Switch 6600	Switch 4000M/8000M
Series 6400cl switches	Series 2500 switches
Switch 6200yl	Switch 2000
Switch 6108	Switch 800T
Series 5400zl switches
Series 5300xl switches
Series 4200vl switches
Series 4100gl switches
Series 3500 switches
Series 3500yl switches
Series 3400cl switches
Switch 2810
Series E2800 switches
Series 2600/2600-PWR switches
Series 2510 switches
*To determine whether other vendors' devices use single-forwarding or multiple-forwarding database architectures, see the documentation provided for those devices.

Single forwarding database operation

When a packet arrives with a destination MAC address that matches a MAC address in the switch's forwarding table, the switch tries to send the packet to the port listed for that MAC address. But if the destination port is in a different VLAN than the VLAN on which the packet was received, the switch drops the packet. This is not a problem for a switch with a multiple forwarding database because the switch allows multiple instances of a given MAC address, one for each valid destination. However, a switch with a single forwarding database allows only one instance of a given MAC address.


	TIP: If you (1) connect both switch types through multiple ports or trunks belonging to different VLANs and (2) enable routing on the switch with the multiple-forwarding database, then the port and VLAN record maintained on the switch with the single-forwarding database for the multiple-forwarding database can change frequently. This may cause poor performance and the appearance of an intermittent or broken connection.

Correcting an unsupported configuration

The following example provides a method to identify and correct an unsupported configuration.

The problem

In Invalid forwarding , the MAC address table for Switch 8000M will sometimes record the switch as accessed on port A1 (VLAN 1) and other times as accessed on port B1 (VLAN 2):

PC A sends an IP packet to PC B.

The packet enters VLAN 1 in the Switch 8000 with the 8212zl switch's MAC address in the destination field. Because the 8000M has not yet learned this MAC address, it does not find the address in its address table and floods the packet out all ports, including the VLAN 1 link (port "A1") to the 8212zl switch. The 8212zl switch then routes the packet through the VLAN 2 link to the 8000M, which forwards the packet on to PC "B". Because the 8000M received the packet from the 8212zl switch on VLAN 2 (port "B1"), the 8000M's single forwarding database records the 8212zl switch as being on port "B1" (VLAN 2).
PC "A" now sends a second packet to PC "B". The packet again enters VLAN 1 in the Switch 8000 with the 8212zl switch's MAC address in the destination field. However, this time the Switch 8000M's single forwarding database indicates that the 8212zl is on port B1 (VLAN 2) and the 8000M drops the packet instead of forwarding it.
Later, the 8212zl switch transmits a packet to the 8000M through the VLAN 1 link and the 8000M updates its address table to indicate that the 8212zl switch is on port A1 (VLAN 1) instead of port B1 (VLAN 2). Thus, the 8000M's information on the location of the 8212zl switch changes over time. For this reason, the 8000M discards some packets directed through it for the 8212zl switch, causing poor performance and the appearance of an intermittent or broken link.

Invalid forwarding

The solution

Use only one cable or port trunk between the single-forwarding and multiple-forwarding database devices
Configure the link with multiple, tagged VLANs.
To increase the network bandwidth of the connection between devices, use a trunk of multiple physical links.

Now, the 8000M forwarding database always lists the 8212zl MAC address on port A1 and the 8000M will send traffic to either VLAN on the 8212zl.

A solution for single-forwarding to multiple-forwarding database devices in a multiple VLAN environment

Connecting an HP Switch to another switch with a multiple forwarding database (Example)

Use one or both of the following connection options:

A separate port or port trunk interface for each VLAN. This results in a forwarding database having multiple instances of the same MAC address with different VLAN IDs and port numbers. See Forwarding database content. The fact that the switches covered by this guide use the same MAC address on all VLAN interfaces causes no problems.
The same port or port trunk interface for multiple (tagged) VLANs. This results in a forwarding database having multiple instances of the same MAC address with different VLAN IDs, but the same port number.

Allowing multiple entries of the same MAC address on different VLANs enables topologies such as the following:

Topology for devices with multiple forwarding databases in a multiple VLAN environment

prev	up	next
VLANs	home	Configuring VLANs