Switch 4007 Implementation Guide

[previous]

[next]

VLAN Overview

A virtual LAN (VLAN) is a logical grouping that allows end users to communicate as if they were physically connected to a single LAN, independent of the physical configuration of the network. A VLAN is generally considered equivalent to a Layer 2 broadcast domain or a Layer 3 network.

Your system's point of attachment to a given VLAN is called a VLAN interface. For the Switch 4007, a VLAN interface exists entirely within a single switching module or switch fabric module; you control the configuration of the VLAN interfaces. A VLAN and a VLAN interface are analogous to an IP subnetwork and an IP interface on a router.

Need for VLANs

If a bridge port in a LAN switching device receives a frame with a broadcast, multicast, or unknown destination address, it forwards the data to all bridge ports in the VLAN that are associated with the frame, except the port on which it was received. This process is referred to as bridge flooding. As networks grow and the amount and types of traffic increase, bridge flooding may create unnecessary traffic problems that can clog the LAN.

To help control the flow of traffic through a switching device and meet the demands of growing networks, vendors have responded by:

Using customized packet filtering and IP multicast controls such as Internet Group Management Protocol (IGMP) snooping to provide further controls on which packets are forwarded through the bridge. These controls require more complex configuration by the administrator.
Using more and more routers as broadcast firewalls to divide the network into broadcast domains. As the number of legacy routers increase, latency begins to degrade network performance, increase administration overhead, and raise operating costs.
Using the Spanning Tree algorithm in switching devices to control the flow of traffic among LANs (for redundant links). These mechanisms work best only in certain types of LAN topologies.

VLAN technology provides a high-performance and easy-to-implement alternative to routers for broadcast containment. When you use switching devices with VLANs:

Each network segment can contain as few as one user (approaching private-port LAN switching), while broadcast domains can be as large as 1,000 users, or even more.
VLANs can help network administrators track workstation movements to new locations without manual reconfiguration of IP addresses.
VLANs can be used to isolate unicast traffic to a single broadcast domain, thereby providing a form of network security.

Benefits

You can use VLANs to:

Reduce the cost of equipment moves, upgrades, and other changes and simplify network administration.
Create virtual workgroups in which members of the same department or section appear to share the same LAN, with most of the network traffic staying in the same VLAN broadcast domain. They can isolate broadcast and multicast traffic to a single broadcast domain, as well as unicast traffic.
Help avoid flooding and minimize broadcast and multicast traffic.
Reduce the need for routing to achieve higher network performance, ease of administration, and reduced costs.
Control communication among broadcast domains.

VLANs on the Switch 4007

Your system offers a collection of modules that pass traffic to one another using a central switch called the Gigabit Ethernet (GEN) Switch Fabric Module. This switch fabric module, operating at Layer 2, controls the Ethernet traffic associated with its modules.

The switch fabric module supports a variety of Layer 2 Switching Modules, Multilayer Switching Modules, and Interface Modules. See the Switch 4007 Getting Started Guide for a list of supported modules.

The examples in this chapter represent the location of the switch fabric module logically to emphasize its central role in the configuration process.

To create VLANs in the Switch 4007 environment, you configure these components:

Layer 2 and Multilayer Switching Modules - You connect to these individually through the EME (Enterprise Management Engine) and configure the following ports based on your VLAN configuration:
Switch Fabric Module -The central backplane aggregator for the system. To ensure cross-module communication (for example, within VLANs that span modules), you must configure the switch fabric module to include the VLANs that you configure on your switching modules. You configure the switch fabric module's ports in accordance with:
- The chassis slot placement and VLAN configuration of your individual switching modules (configured through the EME).
- The chassis slot placement of your GEN interface modules. To create VLANs for these non-local switching modules, you configure their VLANs by configuring the corresponding switch fabric module ports.

Features

Your Switch 4007 supports the VLAN features listed in Table 48.

Table 48 VLAN Features

Feature

Layer 2 Modules and Switch Fabric Module

Multilayer Modules

Description

VLAN mode: allOpen or allClosed

Yes

Yes

On a per-module basis, establishes a less-restrictive VLAN environment (allOpen mode) or a more secure VLAN environment (allClosed mode). The VLAN mode dictates the requirements for the port-, protocol-, and network-based VLANs. See "VLAN allOpen or allClosed Mode" later in this chapter.

Per-port IEEE 802.1Q tagging

Yes

Yes

On a per-port basis, dictates that transmitted frames are encapsulated and tagged as specified in the IEEE 802.1Q standard and that received frames must be encapsulated and tagged. See the sections on port-, protocol-, and network-based VLANs later in this chapter for specific information on tagging for the different types of VLANs.

Port-based VLANS

Yes

Yes

Determine VLAN membership based solely on the port on which the frame was received. The system provides a special port-based VLAN by default, with all ports of all modules, called the default VLAN.
The system also supports static VLAN configuration for both Layer 2 and Multilayer Switching Modules, and dynamic port-based VLAN configuration for Multilayer Switching Modules. See "User-Configured Port-based VLANs" and "Dynamic Port-based VLANs Using GVRP" later in this chapter for information on static and dynamic VLAN configuration.

Protocol- based VLANs

No

Yes

Determine VLAN membership based on the port on which the frame was received, as well as the protocol of the frame. You can use the protocol-based VLANs (and applied routing interfaces) to establish routing between VLANs. See "Protocol-based VLANs" later in this chapter.
In addition to the user-defined protocol-based VLANs, the system supports a special type of protocol-based VLAN called a router port IP VLAN. This type of VLAN, which the system automatically generates when you define an IP interface as a router port IP interface, requires allClosed mode. See "VLANs Created by Router Port IP Interfaces" later in this chapter for more information.

Network- based VLANs (IP only)

No

Yes

Determine IP VLAN membership based on the port on which the frame was received, as well as the IP protocol and destination network address of the frame. See "Network-based IP VLANs" later in this chapter. .

Ignore STP mode

No

Yes, in allClosed mode

Ignores the blocking Spanning Tree Protocol (STP) mode for the ports of a designated VLAN. (One instance of STP runs on the module, but you can disable it on a per-VLAN basis.) This mode, only available in allClosed mode, is disabled by default. You select (on a per-VLAN basis), which VLANs ignore STP blocked ports. It is typically used for VLANs with router interfaces that ignore the STP state. This mode allows routing or bridging over a port that is blocked by STP. See "Ignore STP Mode" later in this chapter.

[previous]

[next]