Static VLAN operation
HP wired switches are 802.1Q VLAN-enabled and allow for up to 256 static VLANs and 2048 total static and dynamic VLANs. Static VLANs are configured with a name, VLAN ID number (VID), and port members. With 802.1Q compatibility, you can assign each switch port to multiple VLANs.
A group of networked ports assigned to a VLAN form a broadcast domain configured on the switch. On a given switch, packets are bridged between source and destination ports that belong to the same VLAN. Thus, all ports passing traffic for a particular subnet address should be configured to the same VLAN. Cross-domain broadcast traffic in the switch is eliminated and bandwidth saved by not allowing packets to flood out all ports.
VLANs enable grouping users by logical function instead of physical location. They manage bandwidth usage in networks by:
Grouping high-bandwidth users on low-traffic segments.
Organizing users from different LAN segments according to their need for common resources and individual protocols.
Improving traffic control at the edge of networks by separating traffic of different protocol types.
Enhancing network security by creating subnets to control in-band access to specific network resources.
Preventing packets from flooding out all ports to save bandwidth and eliminate cross-domain broadcast traffic.
Comparing port based and protocol based VLAN
Function | Port-Based VLANs | Protocol-Based VLANs
---|---|---
IP Addressing | Usually configured with at least one unique IP address. A port-based VLAN can have no IP address; however, this limits the switch features available to ports on that VLAN. See "How IP addressing affects switch operation" in the chapter "Configuring IP Addressing" in the basic operation guide for the switch. Multiple IP addresses allow multiple subnets within the same VLAN. See the chapter "Configuring IP Addressing" in the basic operation guide for the switch. | You can configure IP addresses on all protocol VLANs, but IP addressing is used only on IPv4 and IPv6 VLANs. Restrictions: loopback interfaces share the same IP address space with VLAN configurations. The maximum number of IP addresses supported on a switch is 2048; this includes all IP addresses configured for both VLANs and loopback interfaces (except for the default loopback IP address 127.0.0.1). Each IP address configured on a VLAN interface must be unique in the switch; it cannot be used by another VLAN interface or by a loopback interface. For more information, see the chapter "Configuring IP Addressing" in the basic operation guide.
Untagged VLAN Membership | A port can be a member of one untagged, port-based VLAN. All other port-based VLAN assignments for that port must be tagged. | A port can be an untagged member of one protocol VLAN of a specific protocol type, such as IPX or IPv6. If the same protocol type is configured in multiple protocol VLANs, then a port can be an untagged member of only one of those. For example, if you have two protocol VLANs, 100 and 200, and both include IPX, then a port can be an untagged member of either VLAN 100 or VLAN 200, but not both. A port's untagged VLAN memberships can include up to four different protocol types. It can be an untagged member of one of the following:
Tagged VLAN Membership | A port can be a tagged member of any port-based VLAN. | A port can be a tagged member of any protocol-based VLAN.
Routing | If the switch configuration enables IP routing, the switch can internally route IP (IPv4) traffic between port-based VLANs and between port-based and IPv4 protocol-based VLANs. If the switch is not configured to route traffic internally between port-based VLANs, then an external router must be used to move traffic between VLANs. | If the switch configuration enables IP routing, the switch can internally route IPv4 traffic as follows: between IPv4 protocol-based VLANs, and between IPv4 protocol-based VLANs and port-based VLANs. Other protocol-based VLANs require an external router for moving traffic between VLANs.
VLAN environments
You can configure different VLAN types in any combination. The default VLAN will always be present. For more on the default VLAN, see Special VLAN types.
VLAN environment | Elements |
---|---|
The default VLAN (port-based; VID of 1) only | In the default VLAN configuration, all ports belong to VLAN 1 as untagged members. VLAN 1 is a port-based VLAN, for IPv4 traffic. |
Multiple VLAN environment | In addition to the default VLAN, the configuration can include one or more other port-based VLANs and one or more protocol VLANs. The switches covered in this guide allow up to 2048 VLANs of all types (VIDs up to 4094). Using VLAN tagging, ports can belong to multiple VLANs of all types. Enabling routing on the switch enables it to route IPv4 traffic between port-based VLANs and between port-based VLANs and IPv4 protocol VLANs. Routing other types of traffic between VLANs requires an external router capable of processing the appropriate protocols. |
VLAN operation
General VLAN operation
A VLAN is composed of multiple ports operating as members of the same subnet or broadcast domain.
Ports on multiple devices can belong to the same VLAN.
Traffic moving between ports in the same VLAN is bridged (or switched).
Traffic moving between different VLANs must be routed.
A static VLAN is an 802.1Q-compliant VLAN, configured with one or more ports that remain members regardless of traffic usage.
A dynamic VLAN is an 802.1Q-compliant VLAN membership that the switch temporarily creates on a port (through GVRP) to provide a link to a port in the same VLAN on another device.
Types of static VLANs available in the switch
Port-based VLANs
This type of static VLAN creates a specific layer-2 broadcast domain composed of member ports that bridge traffic among themselves regardless of protocol. Port-based VLAN IPv4 traffic is routable on the switches covered in this guide.
Protocol-based VLANs
This type of static VLAN creates a layer-3 broadcast domain for traffic of a particular protocol and is composed of member ports that bridge traffic of the specified protocol type among themselves. Some protocol types are routable on the switches covered in this guide; see Comparing port based and protocol based VLAN.
Designated VLANs
The switch uses these static, port-based VLAN types to separate switch management traffic from other network traffic. While these VLANs are not limited to management traffic, they provide improved security and availability.
Default VLAN:
This port-based VLAN is always present in the switch and, in the default configuration, includes all ports as members. See VLAN support and the default VLAN.
Except for an IP address and subnet, no configuration steps are needed.
(Figure: A switch in the default VLAN configuration. In this example, devices connected to these ports are in the same broadcast domain.)
Primary VLAN:
The switch uses this port-based VLAN to run certain features and management functions, including DHCP/Bootp responses for switch management. In the default configuration, the Default VLAN is also the Primary VLAN. However, any port-based, non-default VLAN can be designated the Primary VLAN. See The primary VLAN.
Secure Management VLAN:
This optional, port-based VLAN establishes an isolated network for managing the HPE switches that support this feature. Access to this VLAN and to the switch's management functions is available only through ports configured as members. See The primary VLAN.
Voice VLANs:
This optional, port-based VLAN type enables separating, prioritizing, and authenticating voice traffic moving through your network, avoiding the possibility of broadcast storms affecting VoIP (Voice over IP) operation. See Using voice VLANs.
NOTE: In a multiple-VLAN environment that includes older switch models there may be problems related to the same MAC address appearing on different ports and VLANs on the same switch. In such cases, the solution is to impose cabling and VLAN restrictions. For more on this topic, see Multiple VLAN considerations.
Multiple port-based VLANs
In the figure A switch with multiple VLANs configured and internal routing disabled, routing within the switch is disabled (the default). Thus communication between any routable VLANs on the switch must go through the external router. In this case, VLANs W and X can exchange traffic through the external router, but traffic in VLANs Y and Z is confined to each of those VLANs.
VLAN 1(the default) is present but not shown. The default VLAN cannot be deleted from the switch, but ports assigned to other VLANs can be removed from the default VLAN. If internal (IP) routing is enabled on the switch, then the external router is not needed for traffic to move between port-based VLANs.
Protocol VLAN environment
The figure A switch with multiple VLANs configured and internal routing disabled also illustrates a protocol VLAN environment. In this case, VLANs W and X represent routable protocol VLANs; VLANs Y and Z can be any protocol VLAN.
As noted for the discussion of multiple port-based VLANs, VLAN 1 is not shown. Enabling internal (IP) routing on the switch allows IP traffic to move between VLANs on the switch, but routable, non-IP traffic always requires an external router.
Routing options for VLANs
Options for routing between VLAN types in the switch
Routing between | Port-Based | IPX | IPv4 | IPv6 | ARP | AppleTalk | SNA[2] | NETbeui[2]
---|---|---|---|---|---|---|---|---
Port-Based | Yes | — | Yes | — | — | — | — | —
Protocol: IPX | — | Yes[1] | — | — | — | — | — | —
Protocol: IPv4 | Yes | — | Yes | — | — | — | — | —
Protocol: IPv6 | — | — | — | Yes[1] | — | — | — | —
Protocol: ARP | — | — | — | — | Yes[1] | — | — | —
Protocol: AppleTalk | — | — | — | — | — | Yes[1] | — | —
Protocol: SNA | — | — | — | — | — | — | — | —
Protocol: NETbeui | — | — | — | — | — | — | — | —
[1] Requires an external router to route between VLANs.
[2] Not a routable protocol type. End stations intended to receive traffic in these protocols must be attached to the same physical network.
802.1Q VLAN tagging
A port can be a member of more than one VLAN of the same type if the device to which the port connects complies with the 802.1Q VLAN standard.
For example, a port connected to a central server using a network interface card (NIC) that complies with the 802.1Q standard can be a member of multiple VLANs, allowing members of multiple VLANs to use the server.
Although these VLANs cannot communicate with each other through the server, they can all access the server over the same connection from the switch.
Where VLANs overlap in this way, VLAN "tags" are used in the individual packets to distinguish between traffic from different VLANs.
A VLAN tag includes the VLAN ID (VID) of the VLAN on which the packet was generated.
For more on this topic, see Configuring or changing static VLAN per-port settings (CLI).
Similarly, using 802.1Q-compliant switches, you can connect multiple VLANs through a single switch-to-switch link.
Introducing tagged VLANs into legacy networks running only untagged VLANs
You can introduce 802.1Q-compliant devices into networks that have built untagged VLANs based on earlier VLAN technology. The fundamental rule is that legacy/untagged VLANs require a separate link for each VLAN, while 802.1Q, or tagged VLANs can combine several VLANs in one link. Thus on the 802.1Q-compliant device, separate ports (configured as untagged) must be used to connect separate VLANs to non-802.1Q devices.
VLAN tagging rules
When tagging is needed
When a port belongs to two or more VLANs of the same type, they remain as separate broadcast domains and cannot receive traffic from each other without routing.
NOTE: If multiple, non-routable VLANs exist in the switch, such as NETbeui protocol VLANs, they cannot receive traffic from each other.
Inbound tagged packets
The switch requires VLAN tagging on a given port if the port will be receiving inbound, tagged VLAN traffic that should be forwarded. Even if the port belongs to only one VLAN, it forwards inbound tagged traffic only if it is a tagged member of that VLAN.
If a tagged packet arrives on a port that is not a tagged member of the VLAN indicated by the packet's VID, the switch drops the packet.
Similarly, the switch drops an inbound, tagged packet if the receiving port is an untagged member of the VLAN indicated by the packet's VID.
Untagged packet forwarding
If the only authorized, inbound VLAN traffic on a port arrives untagged, then the port must be an untagged member of that VLAN. This is the case where the port is connected to a non-802.1Q compliant device or is assigned to only one VLAN.
To enable an inbound port to forward an untagged packet, the port must be an untagged member of either a protocol VLAN matching the packet's protocol, or an untagged member of a port-based VLAN.
That is, when a port receives an incoming, untagged packet, it processes the packet according to the following ordered criteria:
If the port has no untagged VLAN memberships, the switch drops the packet.
If the port has an untagged VLAN membership in a protocol VLAN that matches the protocol type of the incoming packet, then the switch forwards the packet on that VLAN.
If the port is a member of an untagged, port-based VLAN, the switch forwards the packet to that VLAN. Otherwise, the switch drops the packet.
Tagged packet forwarding
If a port is a tagged member of the same VLAN as an inbound, tagged packet received on that port, then the switch forwards the packet to an outbound port on that VLAN.
To enable the forwarding of tagged packets, any VLAN to which the port belongs as a tagged member must have the same VID as that carried by the inbound, tagged packets generated on that VLAN.
See also Multiple VLAN considerations.
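The ordered ingress rules above, worked through in code. This is an added example written for this page, not code from the HP/HPE guide or from switch firmware: it parses a raw Ethernet frame, detects an 802.1Q tag, and applies the tagged and untagged criteria to a constructed per-port membership. The port names, VIDs, MAC addresses, and the ethertype-to-protocol mapping used to match protocol VLANs are assumptions for illustration; treating a tag that carries VID 0 as an untagged frame follows the 802.1Q standard (a priority-only tag) rather than anything stated on this page.

```python
# Added example (not from the HP/HPE guide): a model of the ingress VLAN
# classification rules described above, applied to raw Ethernet frames.
# Port names, VIDs, MACs and the protocol mapping are constructed for illustration.

from dataclasses import dataclass, field
from typing import Optional

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV6 = 0x86DD


@dataclass
class PortVlanConfig:
    """Per-port VLAN membership as the switch would hold it."""
    untagged_port_based: Optional[int] = None               # at most one untagged port-based VID
    untagged_protocol: dict = field(default_factory=dict)   # ethertype -> VID, one per protocol type
    tagged: set = field(default_factory=set)                # VIDs on which this port is a tagged member


def build_frame(dst: bytes, src: bytes, ethertype: int, vid: Optional[int] = None,
                payload: bytes = b"") -> bytes:
    """Build an Ethernet II frame, inserting an 802.1Q tag (TCI with the given VID) when vid is set."""
    frame = dst + src
    if vid is not None:
        frame += ETHERTYPE_8021Q.to_bytes(2, "big") + (vid & 0x0FFF).to_bytes(2, "big")
    return frame + ethertype.to_bytes(2, "big") + payload


def parse_frame(frame: bytes):
    """Return (vid, ethertype). vid is None when the frame carries no VLAN ID.
    A tag with VID 0 is a priority tag only; 802.1Q classifies such a frame as untagged."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    ethertype = int.from_bytes(frame[12:14], "big")
    if ethertype != ETHERTYPE_8021Q:
        return None, ethertype
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    vid = int.from_bytes(frame[14:16], "big") & 0x0FFF
    inner = int.from_bytes(frame[16:18], "big")
    return (vid if vid != 0 else None), inner


def classify_ingress(cfg: PortVlanConfig, frame: bytes) -> Optional[int]:
    """Return the VID the frame is forwarded on, or None if the switch drops it."""
    vid, ethertype = parse_frame(frame)
    if vid is not None:
        # Tagged frame: forwarded only if the port is a *tagged* member of that VID.
        # Untagged membership of the same VID does not count; the frame is dropped.
        return vid if vid in cfg.tagged else None
    # Untagged frame: apply the ordered criteria.
    if cfg.untagged_port_based is None and not cfg.untagged_protocol:
        return None                                  # no untagged membership at all
    if ethertype in cfg.untagged_protocol:
        return cfg.untagged_protocol[ethertype]      # a matching protocol VLAN wins
    return cfg.untagged_port_based                   # port-based VLAN, else None (drop)


# Constructed MAC addresses and port configurations for the worked run.
SERVER = bytes.fromhex("0004ea84d9f4")
CLIENT = bytes.fromhex("0060b0880af9")

# Port 7: untagged in port-based VLAN 10, untagged in IPv6 protocol VLAN 200, tagged in VLAN 20.
PORT7 = PortVlanConfig(untagged_port_based=10, untagged_protocol={ETHERTYPE_IPV6: 200}, tagged={20})
# Port 8: a tagged-only link with no untagged membership.
PORT8 = PortVlanConfig(tagged={10, 20})


def demo() -> dict:
    """Apply the rules to a handful of frames; keys describe the frame, values the resulting VID."""
    cases = {
        "p7 untagged IPv4": (PORT7, build_frame(SERVER, CLIENT, ETHERTYPE_IPV4)),
        "p7 untagged IPv6": (PORT7, build_frame(SERVER, CLIENT, ETHERTYPE_IPV6)),
        "p7 tagged vid 20": (PORT7, build_frame(SERVER, CLIENT, ETHERTYPE_IPV4, vid=20)),
        "p7 tagged vid 10": (PORT7, build_frame(SERVER, CLIENT, ETHERTYPE_IPV4, vid=10)),
        "p7 tagged vid 30": (PORT7, build_frame(SERVER, CLIENT, ETHERTYPE_IPV4, vid=30)),
        "p7 priority-tagged ARP": (PORT7, build_frame(SERVER, CLIENT, ETHERTYPE_ARP, vid=0)),
        "p8 untagged IPv4": (PORT8, build_frame(SERVER, CLIENT, ETHERTYPE_IPV4)),
        "p8 tagged vid 10": (PORT8, build_frame(SERVER, CLIENT, ETHERTYPE_IPV4, vid=10)),
    }
    return {name: classify_ingress(cfg, frame) for name, (cfg, frame) in cases.items()}


if __name__ == "__main__":
    for name, vid in demo().items():
        print(f"{name:24s} -> {'drop' if vid is None else f'VLAN {vid}'}")
```

The two drops on port 7 are the ones the text calls out: a tag for VID 30, of which the port is not a member at all, and a tag for VID 10, of which the port is only an untagged member. The tagged-only port 8 drops every untagged frame because it has no untagged membership to classify them into.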
Applying VLAN tagging
Example of tagged and untagged VLAN port assignments
If port 7 on an 802.1Q-compliant switch is assigned to only the Red VLAN, the assignment can remain "untagged" because the port will forward traffic only for the Red VLAN. However, if both the Red and Green VLANs are assigned to port 7, then at least one of those VLAN assignments must be "tagged" so that Red VLAN traffic can be distinguished from Green VLAN traffic.
Tagged and untagged VLAN port assignments
In switch X:
VLANs assigned to ports X1 - X6 can be untagged because there is only one VLAN assignment per port. Red VLAN traffic will go out only the Red ports, Green VLAN traffic will go out only the Green ports, and so on. Devices connected to these ports do not have to be 802.1Q-compliant.
However, because both the Red VLAN and the Green VLAN are assigned to port X7, at least one of the VLANs must be tagged for this port.
In switch Y:
VLANs assigned to ports Y1 - Y4 can be untagged because there is only one VLAN assignment per port. Devices connected to these ports do not have to be 802.1Q-compliant.
Because both the Red VLAN and the Green VLAN are assigned to port Y5, at least one of the VLANs must be tagged for this port.
In both switches:
The ports on the link between the two switches must be configured the same. As shown in Example of VLAN ID numbers assigned in the VLAN names screen, the Red VLAN must be untagged on port X7 and Y5 and the Green VLAN must be tagged on port X7 and Y5, or the opposite way.
NOTE: Each 802.1Q-compliant VLAN must have its own unique VID number and that VLAN must be given the same VID in every device where configured. That is, if the Red VLAN has a VID of 10 in switch X, then 10 must also be the Red VID in switch Y.
Additional VLAN tagging considerations
Since the purpose of VLAN tagging is to allow multiple VLANs on the same port, any port that has only one VLAN assigned to it can be configured as "Untagged" (the default) if the authorized inbound traffic for that port arrives untagged.
Any port with two or more VLANs of the same type can have one such VLAN assigned as "Untagged." All other VLANs of the same type must be configured as "Tagged," that is:
Port-Based VLANs | Protocol VLANs
---|---
A port can be a member of one untagged, port-based VLAN. All other port-based VLAN assignments for that port must be tagged. | A port can be an untagged member of one protocol-based VLAN of each protocol type. When assigning a port to multiple protocol-based VLANs sharing the same type, the port can be an untagged member of only one such VLAN.
A port can be a tagged member of any port-based VLAN. | A port can be a tagged member of any protocol-based VLAN.
NOTE: A given VLAN must have the same VID on all 802.1Q-compliant devices in which the VLAN occurs. Also, the ports connecting two 802.1Q devices should have identical VLAN configurations.
If all end nodes on a port comply with the 802.1Q standard and are configured to use the correct VID, you can configure all VLAN assignments on a port as "Tagged" if doing so either makes it easier to manage your VLAN assignments, or if the authorized, inbound traffic for all VLANs on the port will be tagged.
For a summary and flowcharts of untagged and tagged VLAN operation on inbound traffic, see the following under VLAN tagging rules:
"Inbound Tagged Packets"
"Untagged Packet Forwarding" and Untagged VLAN operation
"Tagged Packet Forwarding" and Tagged VLAN operation
Example of Networked 802.1Q-compliant devices with multiple VLANs on some ports
In the following network, switches X and Y and servers S1, S2, and the AppleTalk server are 802.1Q-compliant. (Server S3 could also be 802.1Q-compliant, but it makes no difference for this example.) This network includes both protocol-based (AppleTalk) VLANs and port-based VLANs.
The VLANs assigned to ports X4 - X6 and Y2 - Y5 can all be untagged because there is only one VLAN assigned per port.
Port X1 has two AppleTalk VLANs assigned, which means that one VLAN assigned to this port can be untagged and the other must be tagged.
Ports X2 and Y1 have two port-based VLANs assigned, so one can be untagged and the other must be tagged on both ports.
Ports X3 and Y6 have two port-based VLANs and one protocol-based VLAN assigned. Thus, one port-based VLAN assigned to this port can be untagged and the other must be tagged. Also, since these two ports share the same link, their VLAN configurations must match.
Switch X
Port | AT-1 VLAN | AT-2 VLAN | Red VLAN | Green VLAN
---|---|---|---|---
X1 | Untagged | Tagged | No[*] | No[*]
X2 | No[*] | No[*] | Untagged | Tagged
X3 | No[*] | Untagged | Untagged | Tagged
X4 | No[*] | No[*] | No[*] | Untagged
X5 | No[*] | No[*] | Untagged | No[*]
X6 | Untagged | No[*] | No[*] | No[*]
Switch Y
Port | AT-1 VLAN | AT-2 VLAN | Red VLAN | Green VLAN
---|---|---|---|---
Y1 | No[*] | No[*] | Untagged | Tagged
Y2 | No[*] | No[*] | No[*] | Untagged
Y3 | No[*] | Untagged | No[*] | No[*]
Y4 | No[*] | No[*] | No[*] | Untagged
Y5 | No[*] | No[*] | Untagged | No[*]
Y6 | No[*] | Untagged | Untagged | Tagged
[*] No means that the port is not a member of that VLAN. For example, port X3 is not a member of the Red VLAN and does not carry Red VLAN traffic. Also, if GVRP were enabled (port-based only), Auto would appear instead of No.
NOTE: VLAN configurations on ports connected by the same link must match. Because ports X3 and Y6 are opposite ends of the same point-to-point connection, both ports must have the same VLAN configuration: in the table above, both carry the AT-2 VLAN and the Red VLAN as "Untagged" and the Green VLAN as "Tagged".
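An audit of those two rules over the port table above, added here as an example and not taken from the guide. It encodes the Switch X and Switch Y assignments from the table, treats AT-1 and AT-2 as AppleTalk protocol VLANs and Red and Green as port-based VLANs, checks that no port has two untagged VLANs of one type, and checks that the two ends of the X3/Y6 link (the shared switch-to-switch link named in the text) carry identical assignments. It also reports a pair whose assignments differ in the table (X2 and Y5) to show what a mismatch looks like. The data structures, link list and message formats are constructed for the example.

```python
# Added example (not from the HP/HPE guide): an audit of the two tagging rules
# above, run over the port assignments in the Switch X / Switch Y table. VLAN
# names come from the table; the data structures and link list are constructed here.

from collections import Counter
from typing import Dict, List, Optional, Tuple

# VLAN name -> (VLAN type, protocol). AT-1 and AT-2 are both AppleTalk protocol
# VLANs, so a port may be an untagged member of only one of them; Red and Green
# are port-based, so a port may be an untagged member of only one of those.
VLAN_TYPES: Dict[str, Tuple[str, Optional[str]]] = {
    "AT-1": ("protocol", "AppleTalk"),
    "AT-2": ("protocol", "AppleTalk"),
    "Red": ("port-based", None),
    "Green": ("port-based", None),
}

# (switch, port) -> {VLAN: "Untagged" | "Tagged"}; VLANs the port is not in are omitted.
PORT_TABLE: Dict[Tuple[str, str], Dict[str, str]] = {
    ("X", "X1"): {"AT-1": "Untagged", "AT-2": "Tagged"},
    ("X", "X2"): {"Red": "Untagged", "Green": "Tagged"},
    ("X", "X3"): {"AT-2": "Untagged", "Red": "Untagged", "Green": "Tagged"},
    ("X", "X4"): {"Green": "Untagged"},
    ("X", "X5"): {"Red": "Untagged"},
    ("X", "X6"): {"AT-1": "Untagged"},
    ("Y", "Y1"): {"Red": "Untagged", "Green": "Tagged"},
    ("Y", "Y2"): {"Green": "Untagged"},
    ("Y", "Y3"): {"AT-2": "Untagged"},
    ("Y", "Y4"): {"Green": "Untagged"},
    ("Y", "Y5"): {"Red": "Untagged"},
    ("Y", "Y6"): {"AT-2": "Untagged", "Red": "Untagged", "Green": "Tagged"},
}

# The switch-to-switch link identified in the text as sharing both ends' configuration.
LINKS = [(("X", "X3"), ("Y", "Y6"))]


def untagged_violations(port_cfg: Dict[str, str]) -> List[Tuple[str, Optional[str]]]:
    """Return (type, protocol) pairs for which the port has more than one untagged VLAN.
    Rule: one untagged port-based VLAN per port, one untagged protocol VLAN per protocol type."""
    seen = Counter(VLAN_TYPES[vlan] for vlan, mode in port_cfg.items() if mode == "Untagged")
    return [key for key, count in seen.items() if count > 1]


def link_mismatch(end_a: Dict[str, str], end_b: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Return VLANs whose assignment differs between the two ends of a link.
    Rule: ports connecting two 802.1Q devices must have identical VLAN configurations."""
    diffs = {}
    for vlan in sorted(set(end_a) | set(end_b)):
        a, b = end_a.get(vlan, "No"), end_b.get(vlan, "No")
        if a != b:
            diffs[vlan] = (a, b)
    return diffs


def audit(table: Dict[Tuple[str, str], Dict[str, str]],
          links: List[Tuple[Tuple[str, str], Tuple[str, str]]]) -> List[str]:
    """Run both checks and return one message per problem (empty list means clean)."""
    problems = []
    for (sw, port), cfg in table.items():
        for kind, proto in untagged_violations(cfg):
            problems.append(f"{sw}/{port}: more than one untagged {proto or kind} VLAN")
    for a, b in links:
        diffs = link_mismatch(table[a], table[b])
        if diffs:
            problems.append(f"{a[1]}<->{b[1]}: mismatched VLAN assignments {diffs}")
    return problems


if __name__ == "__main__":
    print("audit:", audit(PORT_TABLE, LINKS) or "no problems")
    # What a mismatch report looks like: X2 and Y5 do not carry the same VLANs in the table.
    print("X2<->Y5:", link_mismatch(PORT_TABLE[("X", "X2")], PORT_TABLE[("Y", "Y5")]))
    # A misconfigured port with both AppleTalk protocol VLANs untagged.
    print("bad port:", untagged_violations({"AT-1": "Untagged", "AT-2": "Untagged"}))
```

Because the check is keyed on (type, protocol) rather than on VLAN name, a port such as X3 passes: its untagged AT-2 membership and its untagged Red membership are of different types, which the rules allow.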
Multiple VLAN considerations
Switches use a forwarding database to maintain awareness of which external devices are located on which VLANs. Some switches, such as the switches covered in this guide, have a multiple forwarding database, which means the switch allows multiple database entries of the same MAC address, with each entry showing the (different) source VLAN and source port. Other switch models have a single forwarding database, which allows only one database entry of a unique MAC address, along with the source VLAN and source port on which it is found. All VLANs on a switch use the same MAC address. Thus, connecting a multiple forwarding database switch to a single forwarding database switch where multiple VLANs exist imposes some cabling and port VLAN assignment restrictions. The following table illustrates the functional difference between the two database types.
Forwarding database content
Multiple forwarding database
MAC address | Destination VLAN ID | Destination port
---|---|---
0004ea-84d9f4 | 1 | A5
0004ea-84d9f4 | 22 | A12
0004ea-84d9f4 | 44 | A20
0060b0-880a81 | 33 | A20
This database allows multiple destinations for the same MAC address. If the switch detects a new destination for an existing MAC entry, it just adds a new instance of that MAC to the table.
Single forwarding database
MAC address | Destination VLAN ID | Destination port
---|---|---
0004ea-84d9f4 | 100 | A9
0060b0-880af9 | 105 | A10
0060b0-880a81 | 107 | A17
This database allows only one destination for a MAC address. If the switch detects a new destination for an existing MAC entry, it replaces the existing MAC instance with a new instance showing the new destination.
Single forwarding database operation
When a packet arrives with a destination MAC address that matches a MAC address in the switch's forwarding table, the switch tries to send the packet to the port listed for that MAC address. But if the destination port is in a different VLAN than the VLAN on which the packet was received, the switch drops the packet. This is not a problem for a switch with a multiple forwarding database because the switch allows multiple instances of a given MAC address, one for each valid destination. However, a switch with a single forwarding database allows only one instance of a given MAC address.
TIP: If you (1) connect both switch types through multiple ports or trunks belonging to different VLANs and (2) enable routing on the switch with the multiple forwarding database, then the port and VLAN record maintained on the switch with the single forwarding database for the multiple-forwarding-database switch can change frequently. This may cause poor performance and the appearance of an intermittent or broken connection.
Switch performance is unreliable
The following example provides a method to identify and correct an unsupported configuration.
Symptom
Poor switch performance, unreliable switch performance, dropped packets, discarded packets, appearance of intermittent or broken links.
Cause
Incorrect switch configuration.
As shown in the figure Invalid forwarding configuration, the two switches are connected by two links, one per VLAN. Switch 8000M has a single forwarding database; the other switch (the routing switch, with a multiple forwarding database) routes between VLAN 1 and VLAN 2. The 8000M's MAC address table will sometimes record the routing switch as reachable on port A1 (VLAN 1) and at other times on port B1 (VLAN 2):
PC A sends an IP packet to PC B.
The packet enters VLAN 1 on the 8000M with the routing switch's MAC address in the destination field. Because the 8000M has not yet learned this MAC address, it does not find the address in its table and floods the packet out all VLAN 1 ports, including the VLAN 1 link (port A1) to the routing switch. The routing switch routes the packet onto VLAN 2 and sends it back over the VLAN 2 link, and the 8000M forwards it on to PC B. Because the 8000M received that packet from the routing switch on VLAN 2 (port B1), its single forwarding database now records the routing switch as being on port B1 (VLAN 2).
PC A now sends a second packet to PC B. The packet again enters VLAN 1 on the 8000M with the routing switch's MAC address as the destination. This time the single forwarding database says the routing switch is on port B1 (VLAN 2), a port that is not in VLAN 1, so the 8000M drops the packet instead of forwarding it.
Later, the routing switch transmits a packet to the 8000M over the VLAN 1 link, and the 8000M updates its table to show the routing switch on port A1 (VLAN 1) instead of port B1 (VLAN 2). The 8000M's record of where the routing switch is therefore changes over time, and it discards some of the packets directed through it to the routing switch. This causes poor performance and the appearance of an intermittent or broken link.
Action/solution
Reconfigure the switches as follows:
Use only one cable or port trunk between single-forwarding-database and multiple-forwarding-database devices.
Configure that link with multiple, tagged VLANs.
To increase the bandwidth of the connection between the devices, use a trunk of multiple physical links rather than a separate link per VLAN.
Following these rules, the 8000M's forwarding database always lists the routing switch's MAC address on port A1, and the 8000M can send traffic to either VLAN on the routing switch.
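The flapping forwarding-database entry described in this example, replayed in a small model. This is an added illustration written for this page, not code or output from either switch: it models the 8000M as a switch with a single (or, for comparison, multiple) forwarding database, models the routing switch as a neighbour whose single MAC address appears on both VLANs, and replays the three packets from PC A under the unsupported two-link topology and under the recommended single tagged link. Port names and MAC addresses are constructed.

```python
# Added example (not from the HP/HPE guide): a model of the single- versus
# multiple-forwarding-database behaviour described above. Port names, MAC
# addresses and the VLAN layout are constructed to mirror the "Invalid forwarding
# configuration" scenario: PC A on VLAN 1, PC B on VLAN 2, and a routing switch
# that uses one MAC address on all of its VLAN interfaces.

from typing import Dict, List, Set, Tuple


class Switch:
    """Minimal layer-2 switch: VLAN membership per port plus a forwarding database."""

    def __init__(self, name: str, port_vlans: Dict[str, Set[int]], multiple_fdb: bool):
        self.name = name
        self.port_vlans = port_vlans        # port -> VIDs the port carries
        self.multiple_fdb = multiple_fdb
        self.fdb: Dict[object, str] = {}    # key -> port on which the MAC was last seen
        self.log: List[str] = []

    def _key(self, mac: str, vid: int):
        # Multiple FDB: one entry per (MAC, VLAN). Single FDB: one entry per MAC, VLAN ignored.
        return (mac, vid) if self.multiple_fdb else mac

    def forward(self, in_port: str, vid: int, src: str, dst: str) -> Tuple[str, List[str]]:
        """Learn src on in_port, then return (action, egress ports) for dst."""
        self.fdb[self._key(src, vid)] = in_port     # a single FDB overwrites the old location
        out = self.fdb.get(self._key(dst, vid))
        if out is None:
            # Unknown destination: flood to every other port in the frame's VLAN.
            egress = [p for p, vids in self.port_vlans.items() if vid in vids and p != in_port]
            self.log.append(f"{self.name}: {dst} unknown on VLAN {vid}, flood to {egress}")
            return "flood", egress
        if vid not in self.port_vlans[out]:
            # Learned port belongs to a different VLAN than the frame: the frame is discarded.
            self.log.append(f"{self.name}: {dst} learned on {out} (not in VLAN {vid}), drop")
            return "drop", []
        self.log.append(f"{self.name}: {dst} -> {out}")
        return "forward", [out]


def run_scenario(separate_link_per_vlan: bool, multiple_fdb: bool) -> List[str]:
    """Replay the three packets from PC A toward the routing switch; return the action for each."""
    PC_A, PC_B, ROUTER = "pcA-mac", "pcB-mac", "router-mac"    # constructed MAC addresses
    if separate_link_per_vlan:
        # Two cables to the routing switch: A1 carries VLAN 1, B1 carries VLAN 2.
        ports = {"pA": {1}, "pB": {2}, "A1": {1}, "B1": {2}}
        vlan2_link = "B1"
    else:
        # One cable (or trunk) to the routing switch carrying both VLANs tagged.
        ports = {"pA": {1}, "pB": {2}, "A1": {1, 2}}
        vlan2_link = "A1"
    sw = Switch("8000M", ports, multiple_fdb)
    actions = []

    # 1. PC A -> PC B: the destination MAC is the router's; not yet learned, so flooded.
    actions.append(sw.forward("pA", 1, PC_A, ROUTER)[0])
    # The router routes the packet onto VLAN 2 and sends it back toward PC B.
    sw.forward(vlan2_link, 2, ROUTER, PC_B)
    # 2. Second packet from PC A: the router's MAC was just learned on the VLAN 2 link.
    actions.append(sw.forward("pA", 1, PC_A, ROUTER)[0])
    # Later the router transmits on the VLAN 1 link, moving the entry back to A1.
    sw.forward("A1", 1, ROUTER, PC_A)
    # 3. Third packet from PC A.
    actions.append(sw.forward("pA", 1, PC_A, ROUTER)[0])
    return actions


if __name__ == "__main__":
    for label, args in {
        "two links, single FDB (unsupported)": (True, False),
        "two links, multiple FDB": (True, True),
        "one tagged link, single FDB (fix)": (False, False),
    }.items():
        print(f"{label:38s} {run_scenario(*args)}")
```

Running the block prints the action taken for each of the three packets in the three topologies: with a separate link per VLAN, the single forwarding database drops the second packet; a multiple forwarding database floods it instead, because its entry for the router on VLAN 1 is separate from the one on VLAN 2; and a single tagged link never drops, because the one learned port carries both VLANs.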
Connecting the Switch to another switch with a multiple forwarding database (Example)
Use one or both of the following connection options:
A separate port or port trunk interface for each VLAN. This results in a forwarding database having multiple instances of the same MAC address with different VLAN IDs and port numbers. See Forwarding database content. The fact that the switches covered by this guide use the same MAC address on all VLAN interfaces causes no problems.
The same port or port trunk interface for multiple (tagged) VLANs. This results in a forwarding database having multiple instances of the same MAC address with different VLAN IDs, but the same port number.
Allowing multiple entries of the same MAC address on different VLANs enables topologies such as the following: