IEEE 802.1Q VLANs are based on the IEEE 802.1Q Virtual Bridged Local Area Networks standard, which proposes a standardized format for MAC-Layer frame tagging. IEEE 802.1Q VLANs enable the switch to communicate VLAN membership information across multiple, multivendor devices. The standard enables you to assign ports to more than one VLAN. You can easily use one or more switch-to-switch connections that are known as trunks to create VLANs that span multiple switches You can enable a device such as a server to belong to more than one VLAN, as long as the device has a network interface card (NIC) that supports IEEE 802.1Q frame tagging.

When you create a tagged trunk between switches, a header is inserted into any frames that traverse the trunk, to uniquely identify the frame's VLAN. To enable the VLANs to communicate, make sure that the ports that connect the switches belong to all the VLANs that you define.

Device View enables you to set up IEEE 802.1Q VLANs on devices such as the SuperStack II Switch 1100, 3300, 3800 and 9000 SX.

This section contains the following topics:

• About IEEE 802.1Q VLANs

• Deciding When to Create Tagged VLANs

• Assigning VLAN Membership to Ports

• Rules for Creating IEEE 802.1Q VLANs

• Setting Up an IEEE 802.1Q VLAN

• Setting up 802.1Q VLANs using Enterprise VLAN Manager

The IEEE 802.1Q Virtual Bridged Local Area Networks draft proposes a standardized format for frame tagging, also known as encapsulation, to communicate VLAN membership information across multiple, multivendor devices.

Many switches support VLANs based on physical port, IEEE 802.1Q tag, or combinations of port and tag assignments. In practice, most VLANs use a combination of both methods.

Deciding When to Create Tagged VLANs

IEEE 802.1Q VLANs are most commonly used to create VLANs that span multiple switches. The switch-to-switch connections, which are called trunks, can carry traffic for all the VLANs that you create. The tagged VLANs provide a more effective means of connecting devices than port-based VLANs, which require a separate trunk for every VLAN that you create.

Another benefit of tagged VLANs is the ability to assign a port to more than one VLAN. This is particularly useful if you have a device, such as a file or print server, that must belong to multiple VLANs. The device must have a NIC that supports IEEE 802.1Q tagging.

A single port can be a member of only one port-based VLAN. Any additional VLAN membership for the port must involve the use of IEEE 802.1Q frame tagging. However, you do not need to tag all the ports in an IEEE 802.1Q VLAN. When the switch forwards traffic, it determines whether the port uses tagged or untagged packets and adds or removes tags as necessary.

Figure 30 provides an example of the physical layout of a network that uses tagged and untagged traffic, and a logical picture of VLAN membership.

Figure 30 Tagged and Untagged Ports on IEEE 802.1Q VLANs

The tagged trunk, which connects port 7 on Switch A to port 2 on Switch B, carries traffic for both Marketing and Sales VLANs. In addition, the server that is connected to port 1 on Switch A has a NIC that supports 802.1Q tagging. The server is a member of both Marketing and Sales VLANs.

As data passes into the switch, the switch determines if the destination port requires the frames to be tagged or untagged. All traffic to and from the trunk ports, and to and from the server, is tagged. All the other stations use untagged traffic.

Assigning VLAN Membership to Ports

You can configure VLANs using a combination of port-based and tagged assignments. A port can be a member of multiple VLANs, but only one of its VLANs can use untagged traffic. In other words, a port can simultaneously be a member of one port-based VLAN and multiple tag-based VLANs.

The mode of VLAN membership affects the way that the port behaves. However, as a general rule, both tagged and untagged ports only forward frames from VLANs in which they are a member.

For example, the SuperStack II Switch 9000 SX has three modes of port membership:

• Port Mode - The port is an untagged member of the VLAN, and does not belong to any tagged VLANs.

  • Receives traffic from the VLAN in which it is a PVid member.

  • Tags no frames.

  • Forwards untagged frames from VLANs in which it is a member. All tagged frames are dropped. Frames are sent out untagged.

• 802.1Q Mode - This means that the port is a tagged member of the VLAN, and inherits the IEEE 802.1Q tag that you assign to the VLAN. A port can belong to multiple VLANs in 802.1Q Mode.

  • Receives traffic from the VLAN in which it is a PVid member, and from the VLANs in which it is an 802.1Q Mode member.

  • Tags all frames.

  • Forwards tagged and untagged frames from VLANs in which it is a member. Untagged frames are tagged when forwarded.

• PVid - The port is an untagged member of the default VLAN. No matter how many VLANs that a port belongs to as an 802.1Q member, it always belongs to a different default (PVid) VLAN as an untagged member. When a port receives an untagged frame, it always forwards the frame to its default VLAN.

  • Receives traffic from the VLAN in which it is a PVid member.

  • Tags no frames.

  • Forwards untagged frames from VLANs in which it is a member. All tagged frames are dropped. Frames are sent out untagged.

Figure 31 shows that a tagged VLAN can contain tagged and untagged ports, and that a port can be a PVid member of one VLAN, and an 802.1Q Mode member of one or more other VLANs.

Figure 31 PVid and 802.1Q Mode VLAN Membership

In this example, tagged ports 2 and 3 belong to one or more VLANs as tagged members, and to their default VLANs as untagged members.

When you assign a port to be a tagged member of one or more VLANs, always make sure it is not a tagged member of the default (PVid) VLAN. A port that belongs to the VLAN in both 802.1Q and PVid modes can send tagged packets but receive untagged packets. Thus, the device that is connected to the port cannot send and receive traffic.

Observe the following guidelines when you create IEEE 802.1Q VLANs:

• VLANs can contain tagged or untagged ports.

• VLANs can only have one tag; no other VLANs may share the same tag.

• Ports can belong to multiple IEEE 802.1Q VLANs.

• Ports can be tagged or untagged. Even if a port is tagged, it always belongs to a default (PVid) VLAN.

• A port must not be a tagged member of its default (PVid) VLAN.

• Ports drop all frames that are not destined for a VLAN in which the port is a member.

• Tagged ports acquire their tag from the VLAN to which they belong. Thus, a tagged port can belong to more than one VLAN.

• Tagged ports insert an encapsulation tag into every frame that they forward.

• Tagged ports forward untagged frames to a default (PVid) VLAN.

Spanning Tree Protocol (STP) Bridge Protocol Data Unit (BPDU) traffic is always untagged and occurs on all ports when Spanning Tree is enabled.

If you are running non-routable protocols such as NetBIOS or DEC LAT, devices can communicate only with members of the same VLAN.

Setting Up an IEEE 802.1Q VLAN

IEEE 802.1Q frame tagging enables ports to be assigned to more than one VLAN. This means you can use one or more switch-to-switch connections that are known as trunks to create VLANs that span multiple switches. It also means you can enable a device such as a server to belong to more than one VLAN, as long as the device has a Network Interface Card (NIC) that supports IEEE 802.1Q frame tagging.

Creating a new 802.1Q VLAN involves performing the following steps using Device View:

1 .   Create 802.1Q tags

Encapsulation inserts a marker, which is known as a tag, into the Ethernet frame. The tag contains a decimal number that it derives from the VLANs in which it is a member. Thus, a port can belong to more than one VLAN. Before you can add an encapsulation tag to a VLAN, create tags that you can assign.

2 .   Add and edit VLANs

You can create VLANs and then assign tags to them. If a VLAN has an encapsulation tag, it is known as a tagged VLAN. If it does not, it is known as an untagged VLAN. Each of the VLANs that you create can have only one tag, and no VLANs may share the same tag.

3 .   Assign ports to VLANs

You can assign ports to be members of the VLANs that you have created. Ports can only communicate with other ports that belong to the same VLAN; only routed traffic can reach the members of different VLANs. However, the advantage of 802.1Q tagging is that a port can belong to more than one VLAN at the same time.

4 .   Set the port mode

You can choose whether the port is an IEEE 802.1Q member of the VLAN, or an untagged member. Even if a port is an 802.1Q member of one or more VLANs, it can still have port-based membership of one VLAN.

Enterprise VLAN Manager enables you to set up, discover, and map 802.1Q VLANs on the following packet switches:

• SuperStack II 1100, 3300, 3800, 3900, 9000 SX, 9300, and 9400

• CoreBuilder 3500, 9000

Enterprise VLAN Manager automatically discovers and models port-to-VLAN mappings across all the 3Com switches that support 802.1Q VLANs in your network:

• Using the VLAN Move wizard, select ports and the destination VLAN to automate creation and movement of VLANs across multiple switches. VLAN Move automatically provisions switching module backplane ports and fabric ports to recognize the new VLAN.

• To configure modules on a CoreBuilder 9000 chassis, select front panel ports on the device. You cannot configure trunks. However, if backplane trunks have been configured between modules within a chassis, each of the aggregated ports is automatically provisioned for VLAN tags.

• VLAN Move does not provision VLAN tags for inter-switch trunks automatically. You need to select and tag the uplink/downlink ports between switches. In most static VLAN environments, we recommend that you use Enterprise VLAN Manager to set uplink and downlink ports to recognize all known VLAN tags. This means that you only need to configure front panel ports in future.