After you select a VLAN mode for your modules and create VLAN interfaces with VLAN characteristics such as IEEE 802.1Q or no tagging, port membership, protocol type, and Layer 3 (network) address information, the system determines the details of VLAN operation by observing two main types of rules:

• Ingress rules - Assign an incoming frame to a specific VLAN.

• Egress rules - Use standard bridging rules to determine whether the frame is forwarded, flooded, or filtered. These rules also determine the tag status of the transmitted frame.

These rules are classified in the IEEE 802.1Q standard. In addition, the system relies on some module-specific rules, discussed next.

Ingress Rules

These rules determine the VLAN to which an incoming frame belongs. The frame is assigned to the VLAN that has the most specific match. The system uses this protocol match hierarchy to find the most specific match.

The ingress rules use the following hierarchy to determine the most specific match:

1 .   IEEE 802.1Q tag VID value.

2 .   For Multilayer Switching Modules, a specific protocol match (for example, IP, IPX, or AppleTalk).

3 .   The default VLAN (an untagged, unspecified protocol type VLAN with all ports and a VID of 1), or any VLAN that has the unspecified protocol type.

4 .   The null VLAN, a special VLAN that the system uses if the frame cannot be assigned to any VLAN. This VLAN has no ports and has no address table (in allClosed mode).

The Release 3.0 ingress rules are classified according to the tag status of the frame and the VLAN mode (allOpen for open VLANs or allClosed for closed VLANs). For the ingress rules, the system considers a priority tagged frame an untagged frame.

Figure 23 shows the flow chart for the Release 3.0 VLAN ingress rules for Multilayer Switching Modules.

Figure 23 Flow Chart for Release 3.0 Ingress Rules

The ingress rules for tagged frames also vary for the different releases. Table 57 summarizes the differences in ingress rules based on the releases.

Table 57 Ingress Rules for IEEE 802.1Q Tagged Frames Based on VLAN Mode and Release

VLAN Mode	Release 2.x	Release 3.0	Action Without Required Match
allOpen	The tagged frame is assigned to one of the configured VLANs if: The VID of the frame matches that of a VLAN and A port in that VLAN is tagged	The tagged frame is assigned to one of the configured VLANs if: The VID of the frame matches that of a VLAN and The protocol type of the frame matches that of the same VLAN	The frame is assigned to the null VLAN. It can still be forwarded (untagged) if the destination address of the frame is associated with another port in the bridge address table.
allClosed	The tagged frame is assigned to one of the configured VLANs if: The receive port is in a VLAN with a VID that matches that of the frame and A port in that VLAN is tagged.	The tagged frame is assigned to one of the configured VLANs if: The receive port is in a VLAN with a VID that matches that of the frame and The protocol type of the frame matches that of the same VLAN	The frame is assigned to the null VLAN and dropped.

Egress Rules

These rules determine whether the outgoing frame is forwarded, filtered (dropped), or flooded. They also determine the frame's tag status. The same standard bridging rules apply to both open and closed VLANs, but they result in different behavior depending on the allOpen mode (one address table for the module) versus allClosed mode (one address table for each VLAN). For example, on a Multilayer Switching Module, if a frame is associated with a VLAN that uses VID 1 and has a destination address associated with a VLAN that uses VID 2, the frame is flooded over the VID 1 VLAN in allClosed mode but forwarded untagged in allOpen mode.

Standard Bridging Rules for Outgoing Frames

The frame is handled according to these bridging rules:

• If the frame's destination address matches an address that was previously learned on the receive port, it is filtered (dropped).

• If the frame's destination address matches an address that was learned on a port other than the receive port, it is forwarded to that port.

• If a frame with an unknown, multicast, or broadcast destination address is received, then it is flooded (that is, forwarded to all ports on the VLAN that is associated with the frame, except the port on which it was received). See "Examples of Flooding and Forwarding Decisions" later in this chapter.

• If the frame's destination address matches a MAC address of one of the bridge's ports, or it matches an appropriate multicast address such as STP (if STP is enabled on the module), it is further processed and not forwarded immediately. This type of frame is either a management/configuration frame (such as a RIP update, SNMP get/set PDU, or an Administration Console Telnet packet), or it is a routed packet. If it is a routed packet, the Multilayer Switching Module performs the routing functions that is described in the appropriate routing chapter (for example, IP, IPX, or AppleTalk).

After the VLAN and the transmit ports are determined for the frame, the Tag Status rules determine whether the frame is transmitted with an IEEE 802.1Q tag. For Multilayer Switching Modules, priority tagged frames for QoS use the same frame format as IEEE 802.1Q tagging but with a VID of 0. Priority tagged frames received by the Multilayer Switching Module are transmitted as either untagged frames (that is, no priority tagging) or IEEE 802.1Q tagged frames.

For each port on which the frame is to be transmitted, if that port is tagged for the VLAN associated with the frame, transmit the frame as a tagged frame; otherwise, transmit the frame as an untagged frame.

If the transmit port is not a member of the assigned VLAN, the frame is transmitted untagged. For VLANs in allOpen mode on Multilayer Switching Modules, this result may occur in either of these situations:

If the frame is assigned to the null VLAN. (The frame can still be forwarded if the address was statically entered in the address table or dynamically learned on another VLAN.)

If the frame is assigned to a specific VLAN but the transmit port is not part of this VLAN.

Examples of Flooding and Forwarding Decisions

This section provides several examples of flooding and forwarding decisions.

Example 1: Flooding Decisions for Protocol-based VLANs

Table 58 lists how flooding decisions are made according to three VLANs that are set up by protocol (assuming a 12-port configuration).

Table 58 Protocol-based VLANs and Flooding Decisions

Index	VLAN	Ports
1	Default	1-12
2	IP	1-8
3	IPX	9-11

Data received on this port	Is flooded on this VLAN	Because
IP - port 1	VLAN 2	IP data received matches IP VLAN on the source (receive) port.
IPX - port 11	VLAN 3	IPX data received matches IPX VLAN on the source port.
XNS - port 1	VLAN 1	XNS data received matches no protocol VLAN, so the Default VLAN is used.

Example 2: VLAN Exception Flooding

If data arrives on a bridge port for a certain protocol and VLANs for that protocol are defined in the module but not on that bridge port, the default VLAN defines the flooding domain for that data. This case is called VLAN exception flooding. Table 59 lists how the VLAN exception flooding decision is made (assuming a 12-port configuration).

Table 59 VLAN Exception Flooding

Index	VLAN	Ports
1	Default	1-12
2	IP	1-8

Data received on this port	Is flooded on this VLAN	Because
XNS - port 1	VLAN 1	XNS data on port 1 matches the unspecified protocol of the default VLAN on port 1.
IP - port 2	VLAN 2	IP data received matches IP VLAN 2 for source ports 1 - 8.
IP - port 12	VLAN 1	IP data on port 12 matches the unspecified protocol of the default VLAN on port 12.

Rules for Network-based (Layer 3) VLANs

Whenever an IP VLAN is defined with Layer 3 information, another VLAN is defined over the same ports called the All IP Subnets VLAN. Information about this VLAN is not available to the network administrator. Also, this VLAN has no VID associated with it and has no IEEE 802.1Q tagging on any of the ports. Incoming IP frames are assigned to this VLAN if they cannot be assigned to any of the network-based IP VLANs.

The following IP protocols are applicable to network-based VLANs:

• IP (hexadecimal 0800 or 0x0800)

• ARP (0x0806)

• RARP is (0x8035)

The frames that are associated with these protocols have different ingress rules for assignment to the appropriate network-based VLAN:

• IP frames - These frames are assigned to the network-based IP VLAN if the IP source address is consistent with the VLAN subnet and the IP destination address is one of the following:

  • 0.0.0.0

  • 255.255.255.255

  • A Class D (multicast) address

    Otherwise, assign to the network-based IP VLAN if the IP destination address is consistent with the VLAN subnetwork. Otherwise, assign to the All IP Subnets VLAN.

• ARP frames - These frames are assigned to the network-based IP VLAN if the IP destination address is consistent with the VLAN subnet and the IP source address is 0.0.0.0. Otherwise, assign to the network-based IP VLAN if the IP source address is consistent with the VLAN subnetwork. Otherwise, assign to the All IP Subnets VLAN.

• RARP frames - These frames are assigned to the All IP Subnets (Multicast) VLAN.

Table 60 lists the information for one network-based IP VLAN and how forwarding and flooding decisions are made for this VLAN.

Table 60 One Network-based VLAN and Forwarding/Flooding Decisions

Index	VID	VLAN Name	Ports	IP Subnet
2	2	IP_100	1 (untagged) 2-6 (tagged)	158.101.100.0 mask: 255.255.255.0

Frame received on Port 1	Action
IP Frame (Protocol 0x0800), IP destination address (DA) 158.101.103.1, MAC DA is known on port 6	Frame is assigned to the IP_100 VLAN and transmitted on port 6 tagged.
RARP Response Frame (Protocol 0x8035), IP DA = 158.101.103.2, MAC DA is unknown	Frame is assigned to the IP_100 VLAN and transmitted on port 6 tagged.