Consider the following guidelines when you configure VLANs on your Switch 4007 system.

Migration Path for Network-based VLANs

On your multi-layer modules, you can either configure network-based IP VLANs or you can define a single VLAN with the protocol type IP and then define multiple IP routing interfaces fro that single protocol-based VLAN (an IP VLAN).

If you decide to convert an existing network-based VLAN to a protocol-based VLAN that has multiple interfaces associated with it, use the following procedure:

1 .   Remove any existing network-based VLANs on your Multilayer Switching Modules.

2 .   Define an IP VLAN or a VLAN that supports IP as one of its protocols.

3 .   Define multiple IP interfaces (with different IP addresses) to use that IP VLAN. (See Chapter 16.)

You can define up to 32 IP interfaces on each Multilayer Switching Module, including IP routing interfaces for static VLANs, router port IP VLANs (described in the next section), or any combination of static VLANs and router port IP VLANs.

If you define multiple interfaces for an IP VLAN, you cannot subsequently modify that IP VLAN to supply Layer 3 address information. If only one routing interface is defined for the IP VLAN, then (at Release 3.0) you can supply Layer 3 address information as long as it matches the Layer 3 information specified for the routing interface.

This latter procedure is not recommended, because it makes the IP VLAN a network-based VLAN, which will not be supported at releases higher than 3.0.

If you continue to use network-based VLANs for Release 3.0 on your Multilayer Switching Modules, you are limited to defining only one IP routing interface for that VLAN. When you define an IP routing interface with the interface type vlan, the system does not allow you to select a network-based IP VLAN that already has a routing interface defined for it. For more information on IP routing interfaces, see Chapter 16.

VLANs Created by Router Port IP Interfaces

By default, the Multilayer Switching Modules use a routing over bridging model, in which any frame is bridged before it is potentially routed. If you want to define IP routing interfaces that use a routing versus bridging model, however, you can bypass your static VLAN configuration and instead go directly to defining an IP interface on a single router port (a router port IP interface).

If you define a router port IP interface, note the following information:

• Defining an IP interface for a router port requires the interface type port. Defining an IP interface for a configured IP VLAN requires you to specify the interface type of vlan.

• The IP interface definition procedure for a router port requires that you place the Multilayer Switching Module in allClosed mode. The allClosed mode prevents MAC addresses from being shared between the router port IP VLAN and any other VLANs and enables the router port to ignore Spanning Tree states on the port.

• After you define the router port IP interface and change the VLAN mode to allClosed, the following events occur:

  • The Multilayer Switching Module deletes all other VLANs and redefines the default VLAN. You must redefine any VLANs that you had configured, keeping in mind that unicast traffic will no longer be forwarded between VLANs. You must define routing interfaces to allow forwarding between VLANs. Also, you cannot specify the bridge port owned by the router port IP interface in any VLAN that you configure or modify.

  • The Multilayer Switching Module creates a special protocol-based VLAN called a router port IP VLAN and assigns to it the next available VID. The VLAN displays identify the origin of a router port IP VLAN as router, as well as the port that is owned by the router port IP interface. You cannot modify or remove a router port IP VLAN, nor can you change its Ignore STP mode (which is always enabled).

• To disable bridging entirely for the router port, remove that port from the default VLAN.

For more information about defining a router port IP interface on a
Multilayer Switching Module, see Chapter 16.

Design Guidelines

• Before you create any VLANs, draw your chassis configuration and carefully identify how the VLANs that are associated with your modules are bridging (or, for Multilayer Switching Modules, bridging or routing). Remember that each VLAN constitutes a subnetwork. If a VLAN spans modules, each participating module must have its attached devices (and router interface, if applicable) configured for that subnetwork. Use your drawing to help you identify the configuration requirements for each port in a VLAN and to ensure that the switch fabric module is configured to pass traffic to the correct VLANs.

• To simplify your configuration, try to keep the number of VLANs as small as possible. Where possible, reduce the number of subnetworks.

• To ease configuration changes (such as moving a module to another slot while retaining the same VLAN configurations), you can use the staging option. To use this option, enable staging on the module by issuing the module nvData staging command and use the EME staging option to apply the configuration. You can also use EME commands to upload and download module configurations saved on a server. See the Switch 4007 Enterprise Management Engine User Guide for more information about the EME.

• If you lose track of your changes in a complicated VLAN configuration, it may be better to perform a nonvolatile data (nvData) reset operation than to make numerous VLAN changes. For example, you can use the module nvData reset command to return to a default module configuration, including the VLAN configuration. See Chapter 6 for more information.

• Evaluate whether you really need to use tagging on the front-panel ports of your switching modules. If you do need to tag front-panel ports in your user-configured VLANs, then your attached devices must be IEEE 802.1Q enabled.

• In general, tag the backplane ports of the switching modules and the corresponding switch fabric module ports when you define multiple VLANs that span modules (for bridging or routing). When multiple VLANs are defined across the backplane ports and switch fabric module ports, only one VLAN can be untagged and all others must be tagged.

  (Example: If the backplane and switch fabric module ports for the default VLAN are untagged, the backplane and switch fabric module ports for all other VLANs must be tagged.) It is safer to tag the backplane and switch fabric module ports of all VLANs, although in some configurations, some overhead could be associated with tagging.

Follow these procedural guidelines to configure VLANs on the modules in your system:

1 .   Use the EME to connect to each Layer 2 and Multilayer Switching Module individually and configure the VLAN mode and VLANs for each module.

2 .   On each switching module, select the VLAN mode of allOpen or allClosed.

3 .   On each switching module, create the appropriate number of VLANs for your configuration. For each VLAN definition:

a .   Select a VID for the VLAN and provide information based on the type of VLAN: port-based information for Layer 2 modules; port-based, protocol-based, and network-based information for Multilayer Switching Modules.

b .   Include the appropriate front-panel ports. Tag the front-panel ports if you need to (that is, if the ports overlap with another VLAN and tagging is the only distinguishing characteristic). Remember that if you tag a port, the attached device must support IEEE 802.1Q tagging. If you are configuring a Multilayer Switching Module that serves as a router, your VLAN may or may not include front-panel ports.

c .   Include the backplane port of the switching module in the VLAN definition unless the VLAN traffic is limited to that switching module only and will not pass through the switch fabric module. If the switching module supports two backplane ports (and resides in a slot that supports two switch fabric module ports), you typically configure the lower-numbered backplane port. (Example: On a 10-port Layer 2 switching module, you configure port 11; on a 12-port Multilayer Switching Module, you configure port 13.) When you have multiple VLANs, tag the backplane port. (In a subsequent step, you must tag the associated switch fabric module backplane port as well.)

4 .   On each Multilayer switching module with VLANs that you want to perform routing, define a routing interface for each protocol-based or network-based VLAN. Verify that the routing interface is defined to use the same network or subnetwork as any other module that supports the VLAN.

5 .   Use the EME to connect to the switch fabric module and configure all VLANs that will pass traffic through the Layer 2 switch fabric module (that is, VLANs that are associated with switching modules or the GEN interface modules).

a .   For each VLAN definition that is associated with one or more switching modules, include the switch fabric module backplane ports that correspond to the VLAN's participating switching modules. (For example, if the VLAN's participating modules reside in slots 3 and 5, include switch fabric module ports 5 and 9 in the VLAN definition on the switch fabric module.) Tag these switch fabric module ports if the backplane ports of the corresponding switching modules are tagged. (For each VLAN, verify that the tagging type for a switch fabric module port matches its associated backplane switching module port.)

b .   For each VLAN definition for 2-port GEN interface modules, include the switch fabric module backplane ports that correspond to the VLAN's GEN interface modules. (For example, if the VLAN's GEN interface module resides in slot 6, you define switch fabric module ports 11 and 12 to be part of the VLAN.) Tag these ports if the front-panel ports of the GEN interface modules are connected to IEEEE 802.1Q enabled devices, such as other Switch 4007 systems or other 3Com switches.

You must evaluate the number of VLANs on a per-module basis. The module type determines the number of VLANs that can be supported:

• Each Layer 2 switching module supports a maximum of 127 port-based VLANs.

• Each Multilayer switching module use the following equation to determine the number of VLANs that are supported.

To determine the number of VLANs of any type that you can have on a Multilayer Switching Module, use the following equation:

No._of_VLANs_supported = (125 / No._of_Protocol_Suites) minus 3

When you use the VLAN equation to calculate the number of VLANs that you may have on your Multilayer Switching Module, keep in mind that the formula provides only an estimate. You may see more or fewer VLANs, depending on your configuration, use of protocol suites, and chosen tag style. If, for example, you are using the Release 3.0 VLAN tag style of all ports, this formula generally yields a maximum; if you change to use the Release 1.2 tag style of taggedVlanPorts, then this formula generally yields a minimum number of VLANs.

A result of up to 64 is valid. If your result is greater than 64, you must observe 64 as the limit for the number of VLANs supported.

The number of allowable VLANs includes the default VLAN, and the number of protocol suites always includes the unspecified protocol type.

To perform the calculation, determine the total number of protocol suites used on your system. Remember to include the unspecified type for the default VLAN, even if you have removed the default VLAN and do not have other VLAN defined with the unspecified protocol type.

Use the following guidelines to count the protocol suites that are used on the Multilayer Switching Module:

• IP counts as one protocol suite for IP VLANs.

• AppleTalk counts as one protocol suite for AppleTalk VLANs.

• Generic IPX, which uses all four IPX types, counts as four protocol suites. (Each IPX type alone counts as one.) To conserve VLAN resources, it is better to specify a specific IPX frame type than to use generic IPX.

• DECnet counts as one protocol suite for DECnet VLANs.

• The unspecified type of protocol suite counts as one, whether or not the default VLAN or port-based VLANs are defined. Even if you have only the unspecified protocol suite on the system, the limit is still 64 VLANs.

• If you are using GVRP (for dynamic port-based VLANs), use the type unspecified in the VLAN formula.

• X25, SNA, Banyan VINES, and NetBIOS each count as one protocol suite for their respective VLANs.

  In addition to the limit on the number of VLANs, a limit of 15 different protocols can be implemented by the protocol suites on the module. See Table 53 later in this chapter for a list of the supported protocol suites and the number of protocols within each suite.

The following examples show how to use the equation.

Example 1

You have 7 protocol suites on the Multilayer Switching Module (IP, AppleTalk, unspecified for the default VLAN, and generic IPX, which counts as 4 protocol suites):

(125 / 7) minus 3 = 14

In this configuration, the module supports a minimum of 14 VLANs. As shown in Table 53, these 7 protocol suites use 8 protocols (3 IP, 2 AppleTalk, 1 unspecified, and 2 generic IPX).

Example 2

You have 5 protocol suites: IP, unspecified, AppleTalk, IPX 802.2 Sub-Network Access Protocol (SNAP), and IPX 802.3 Raw:

(125 / 5) minus 3 = 22

In this configuration, the Multilayer Switching Module supports a minimum of 22 VLANs. As shown in Table 53, these 5 protocol suites use 7 protocols: 3 IP, 1 unspecified, 2 AppleTalk, 1 IPX 802.2 SNAP, and 0 IPX 802.3 Raw (because it does not use an Ethernet protocol type).

If you are upgrading from a Switch 4007 2.x release and the VLAN resource limit is reached during a power-on with a serial port console connection, you can use the Administration Console command bridge vlan vlanAwareMode to change the VLAN aware mode to taggedVlanPorts. See the section "VLAN Aware Mode" next for more information.

VLAN Aware Mode

For Multilayer Switching Modules only, VLAN aware mode accommodates the difference in VLAN resource usage as well as tagged-frame ingress rules between Release 2.x and Release 3.0. For more information on ingress rules, see "Rules of VLAN Operation" later in this chapter.

The VLAN aware mode, which you set with the Administration Console command bridge vlan vlanAwareMode, reflects the difference in VLAN resource usage and modes of tagging on Multilayer Switching Modules as follows:

• In Release 2.x, all bridge ports were not VLAN aware (tagging aware) unless they were assigned to a VLAN that has one or more tagged ports.

• In Release 3.0.0, all bridge ports become VLAN aware after a software update or after an NV data reset and do not have to be explicitly tagged to forward tagged frames.

This difference in resource usage and modes of tagging has the following impact: After you upgrade the system from 2.x to 3.0, the release uses VLAN resources differently than did Release 2.x and may cause a change in the total number of allowable VLANs.

VLAN aware mode is currently supported only through the Administration Console, not through Web Management or SNMP.

Initial installation of Release 3.0 provides a default VLAN aware mode of allPorts, which is consistent with the 3.0 ingress rules and resource allocation. If you upgrade your Multilayer Switching Module and the VLAN resource limit is reached during a power up with a serial port console connection, the console displays an error message similar to the following one to identify the index of the VLAN that it was unable to create:

Could not create VLAN xx - Internal resource threshold exceeded

In this situation, the module removes all bridge ports from the VLAN that it could not restore from NV data, although it does maintain the previously stored NV data. To restore your VLANs after you see the resource error message, enter the bridge vlan vlanAwareMode command and then set the VLAN aware mode to taggedVlanPorts. If VLANs are already defined, the Administration Console prompts you to reboot the module to put the new mode into effect.

If you do not see the VLAN internal resource error message, maintain the default VLAN aware mode of allPorts. In this case, the module can accommodate the number of Release 2.x VLANs, but it now uses different ingress rules for tagged frames.

The Administration Console commands bridge vlan summary and bridge vlan detail display the current VLAN aware mode after the VLAN mode (allOpen or allClosed).

General Guidelines

• The VLAN mode of allOpen or allClosed applies to all VLANs that are associated with a switching module or the switch fabric module. (For Multilayer Switching Modules, this means VLANs with a static, dynamic, or router port origin). Configure the VLAN mode before you define any static VLANs. (As part of the configuration procedures for a router port IP interface on Multilayer Switching Modules, you must place the system in allClosed mode; see Chapter 16.

  If you change the VLAN mode after you have defined VLANs, the interface module or switch fabric module deletes all configured VLANs and redefines the default VLAN. See "Modifying the VLAN Mode" later in this chapter.

• You can control STP settings as follows:

  • For all types of modules, you can enable or disable STP for the entire module, but not individual VLANs.

  • For all types of modules (regardless of the VLAN mode), you can enable or disable STP for individual ports by using a bridge port option (bridge port stpState on the Administration Console). See Chapter 9 for bridging information.

  • For Multilayer switching modules only, if you configure the module for allClosed mode, you can enable Ignore STP mode on a per-VLAN basis. See "Ignore STP Mode" for information on Ignore STP mode.

• On Multilayer Switching Modules, to take advantage of GVRP for dynamic configuration or dynamic updates of port-based VLANs, you must explicitly enable GVRP as both a bridge-wide parameters and a bridge-port parameter. See Chapter 9 for information about bridging parameters. See "Dynamic Port-based VLANs Using GVRP" later in this chapter for information about GVRP.

• You can configure overlapping VLANs as long as the VLANs have some distinguishing characteristic. For example, a bridge port can be shared by multiple VLANs as long as there is a distinguishing characteristic for the shared port (for example, for Multilayer Switching Modules: protocol type or tagging type; for Layer 2 modules: tagging type). In allClosed mode, you must tag the shared ports of any overlapped network-based VLANs.

• Consider maintaining the system's default VLAN. The default VLAN preserves the flooding of unspecified traffic because it initially contains all of the system's ports, with unspecified protocol information and no tagging.

• If you are using a Multilayer Switching Module to establish routing between static VLANs and configure a VLAN interface to support one or more routing protocols, configure the VLAN for the protocols before you configure a routing interface. For protocols other than IP, the module does not define the routing interface for a protocol if a VLAN for that protocol does not exist. If you define an IP interface and specify vlan as the interface type, the system does not define the IP routing interface unless you have an IP VLAN configured. See the appropriate routing protocol chapter for an overview of your routing options and guidelines. See Chapter 16 for information on defining either a IP router interface for a static IP VLAN or a router port IP interface.

• If you plan to use trunks (aggregated links), define the appropriate trunks before you define your VLANs. (If you define a VLAN with certain ports and subsequently configure some of those ports to be part of a trunk, the module removes those ports from the VLAN and places them in the default VLAN.) See "Trunking and the Default VLAN" later in this chapter for information about how trunking actions affect the default VLAN. When you define a VLAN that includes trunk ports, you must specify the trunk's anchor port (lowest-numbered port). For trunking information, see Chapter 12.

• When a frame is received, the frame is assigned to a VLAN using the ingress rules. See "Ingress Rules" later in this chapter. When it transmits the frame, the module determines the tag status (none or IEEE 802.1Q tagging) by referring to the tag status of the transmit port in the frame's assigned VLAN. In allOpen mode, a frame may be transmitted on a port that does not belong to the assigned VLAN, in which case, the frame is transmitted untagged.