Port-based VLANs logically group together one or more bridge ports on the module. On Multilayer Switching Modules, they use the generic protocol type unspecified. Each collection of bridge ports is designated as a VLAN interface. The VLAN interface belongs to a given VLAN. Flooding of all frames that are received on bridge ports in a VLAN interface is constrained to that VLAN interface.

Port-based VLANs group together one or more tagged or untagged bridge ports. The Switch 4007 supports the 802.1Q IEEE frame tagging standard on a per-port basis. The standard dictates that frames are encapsulated and tagged, which gives them a unique identification.

Each switching module (and the switch fabric module) supports the following types of port-based VLANs:

• The default VLAN, a special predefined VLAN

• User-configured port-based VLANs

In addition, Multilayer Switching Modules support dynamic port-based VLANs created using GVRP.

The Default VLAN

The system predefines a port-based VLAN to initially include all of the system's bridge ports without any tagging. For example, if you have four 10-port 100BASE-FX Fast Ethernet Layer 2 modules installed on your system, the default VLAN initially contains all 40 ports, plus the module backplane ports and the corresponding switch fabric module ports.

The default VLAN has the following properties:

• VID - 1

• VLAN Name - Default

• VLAN Mode - allOpen

• Tag Type - none (nontagging mode)

  The default VLAN always uses a VID of 1, the name Default, and the protocol type unspecified (for Multilayer Switching Modules). No other VLAN can use a VID of 1.

This type of configuration has no restrictions on the flooding domain. You must set up your own VLANs to restrict the flooding domain.

Modifying the Default VLAN

The default VLAN is always associated with a VID of 1, the unspecified protocol type (for Multilayer Switching Modules), and the name Default. Initially, the default VLAN is also associated with all ports and no tagging. If necessary, you can modify the default VLAN on the modules in the system. For example, you may want to remove certain ports. Such a change does not prevent the system from adding a new module's bridge ports to the default VLAN.

The default VLAN is characterized by a VID of 1 and the unspecified protocol type. The following rules apply to the insertion of a new module:

• If you have modified the default VLAN to remove all ports, the ports of a newly inserted module are added to the default VLAN.

• If you have modified the default VLAN to tag a port, the ports of a newly inserted module are added to the default VLAN.

• If you have removed and subsequently redefine the default VLAN, the ports of a newly inserted module are added to the default VLAN.

• If you have removed the default VLAN and at least one other VLAN exists, the ports of a newly inserted module are not added to any VLAN.

• If you have removed the default VLAN and no other VLANs exist, a new default VLAN is created containing all ports when a new module is inserted.

  To ensure that data can be forwarded, verify that a bridge port is associated with a VLAN. This association is mandatory in allClosed mode. If you remove the default VLAN (and you do not have other VLANs defined for the modules in the system), your ports may not forward data until you create a VLAN for them.

The default VLAN is the flood domain in any of the following situations:

• A module receives data for a protocol that is not supported by any VLAN on the module

• A module receives data for a protocol that is supported by defined VLANs, but these VLANs do not contain the port receiving the data.

• A module receives untagged data for a port and protocol that is supported by the switching module, but the port is tagged.

See "Rules of VLAN Operation" later in this chapter.

Trunking and the Default VLAN

Another benefit of maintaining the default VLAN (with any number of ports) involves trunking. 3Com strongly recommends that you define your trunks before you define your VLANs.

Trunking with the default VLAN intact

Trunking actions affect the default VLAN in the following ways:

• If you have only the default VLAN with all ports and you define a trunk (or subsequently remove a trunk), the ports listed in the VLAN summary for a module's default VLAN do not change. In this case, maintaining the default VLAN with all ports ensures that trunks can come and go without causing any VLAN changes.

• If you have the default VLAN as well as additional VLANs on a module and you subsequently define a trunk for ports in one of the other VLANs, the module removes those ports from that VLAN and places them in the default VLAN. The same action occurs when you remove an existing trunk from a VLAN that you created after the trunk. For example, on a 12-port Multilayer Switching Module:

Ports Before Action	Trunking Action	Ports After Action
default VLAN: ports 1-4 ipvlan1: ports 5-11	Define a trunk with ports 7, 8.	default VLAN: ports 1-4, 7, 8 ipvlan1: ports 5, 6, 9-11

• If you have the default VLAN as well as other VLANs on a module and you subsequently modify an existing trunk that has ports in one of the VLANs, any port that is removed from the trunk is removed from the VLAN and placed in the default VLAN. For example, on a 12-port Multilayer Switching Module:

Ports Before Action	Trunking Action	Ports After Action
default VLAN: ports 1-4 ipvlan1: ports 5-11 (Ports 5-8 are trunk ports.)	Modify existing trunk to have ports 6-8. (Remove port 5, the anchor port.)	default VLAN: ports 1-5 ipvlan1: ports 6-11 (Port 6 becomes new anchor port.)

Trunking with the default VLAN removed

If you remove the default VLAN, there is no place to return ports altered by trunking, as discussed in these examples:

• If you have VLANs (but no default VLAN) and you then define a trunk for ports in one of the VLANs, those ports are removed from that VLAN and are not assigned to any other VLAN. If you later remove the trunk, these ports are not reassigned to the VLAN; they no longer have a VLAN associated with them. For example, on a 12-port Multilayer Switching Module:

Ports Before Action	Trunking Action	Ports After Action
ipvlan1: ports 1-11	Define trunk with ports 5-8.	ipvlan1: ports 1-4, 9-11

• If you have VLANs (but no default VLAN) and you subsequently modify an existing trunk that has ports in one VLAN, any port removed from the trunk is removed from the VLAN and no longer has a VLAN. For example, on a 12-port Multilayer Switching Module:

Ports Before Action	Trunking Action	Ports After Action
ipvlan1: ports 1-11 (Ports 5-8 are trunk ports.)	Modify existing trunk to have ports 6-8. (Remove port 5, the anchor port.)	ipvlan1: ports 1-4, 6-11. (Port 6 becomes new anchor port.)

See Chapter 12 for more information on using trunks.

User-Configured Port-based VLANs

You can explicitly configure port-based VLAN interfaces on the Layer 2 and Multilayer switching modules as well as the switch fabric module.

Important Considerations

When you create this type of VLAN interface, review these guidelines:

• When you select the bridge ports that you want to be part of the VLAN, the bridge ports that you specify as part of the VLAN are the same as your physical ports, unless you have created trunks.

• If you define trunks, a single bridge port called the anchor port (the lowest-numbered port in the trunk) represents all ports that are part of the trunk. Only the anchor bridge port for the trunk is selectable when you are creating VLANs; the other bridge ports in the trunk are not selectable. For more information, see Chapter 12.

• Decide whether you want the ports that you are specifying for the VLAN interface to be shared by any other VLAN interface. Shared ports produce overlapped VLANs; ports that are not shared produce nonoverlapped VLANs.

• The per-port tagging options are IEEE 802.1Q tagging or no tagging. The IEEE 802.1Q tagging option embeds explicit VLAN membership information in each frame.

• Overlapped VLANs require tagging; that is, two port-based VLAN interfaces may contain the same bridge port if one of the VLAN interfaces defines the shared port to use IEEE 802.1Q tagging. This rule is true for either allOpen or allClosed mode. For example, a shared bridge port is set to tagging none for one VLAN and IEEE 802.1Q tagging for the other VLAN, or IEEE 802.1Q tagging for each VLAN.

• Multiple VLANs can span several modules, which may or may not overlap on the front-panel ports of the modules. However, they do overlap on the backplane ports. When multiple VLANs span modules, only one VLAN (usually, the default VLAN) can be untagged. Because all VLAN traffic flow between modules takes place through the GEN Switch Fabric Module by way of the backplane ports (regardless of the front-panel port configurations), the backplane ports for additional overlapping VLANs require explicit 802.1Q tagging.

• On Multilayer Switching Modules, port-based VLANs use the protocol type unspecified. This setting is implicit on a Layer 2 module. On a Multilayer Switching Module, you must specify the protocol type unspecified to create a port-based VLAN.

To define a port-based VLAN interface, specify this information:

• VID, or accept the next available VID.

• Bridge ports that are part of the VLAN. (If you have trunk ports, specify the anchor port for the trunk.)

• Protocol type unspecified (on Multilayer Switching Modules)

• Tag status (none or IEEE 802.1Q).

• Unique name of the VLAN interface.

The configuration in Figure 15 shows a single VLAN (for example, a modified default VLAN) that spans two switching modules and pass traffic through the switch fabric module (which resides in slot 8 but is logically represented above the other modules).

Figure 15 Single VLAN Example

In this example:

• A single VLAN spans multiple switching modules. (It can be a modified default VLAN.)

• The backplane ports of the switching modules and the switch fabric module are part of the VLAN.

• All traffic that passes between switching modules flows through the switch fabric module:

  • The backplane port of Module-XX connects to Port 9 of the switch fabric module.

  • The backplane port of Module-YY connects to Port 21 of the switch fabric module.

• Station-A can pass traffic to Station-B.

The configuration in shows two VLANs that span two Layer 2 switching modules and pass traffic through the switch fabric module (which resides in slot 7 but is logically represented above the other modules):

• VLAN1 (the default, user-modified)

• VLAN2 (user-configured, port-based VLAN)

Because VLAN1 and VLAN2 span switching modules, they must be defined on the switch fabric module. One VLAN (VLAN1) must be tagged on the backplane ports of the switching modules and on the corresponding switch fabric module ports.

Figure 16 Two VLANs with Tagged Backplane Ports

Table 51 lists the VLAN definitions for these port-based VLANs:

Table 51 Port-based VLANs with Tagged Backplane Ports

Slot 1 Module	Slot 2 Module	Switch Fabric Module
VLAN1 (default): VLAN Index 1 VID 1 Ports 1-5, 21/22 Tagging none front-panel ports 1-5 Tagging 802.1Q backplane port 21/22	VLAN1 (default): VLAN Index 1 VID 1 Ports 1-5, 21/22 Tagging none front-panel ports 1-5 Tagging 802.1Q backplane port 21/22	VLAN1 (default): VLAN Index 1 VID 1 Ports 1,5 Tagging 802.1Q fabric ports 1,5
VLAN2: VLAN Index 2 VID 20 Ports 6-10, 21/22 Tagging none front-panel ports 6-10 Tagging none backplane port 21/22	VLAN2: VLAN Index 2 VID 20 Ports 6-10, 21/22 Tagging none front-panel ports 6-10 Tagging none backplane port 21/22	VLAN2: VLAN Index 2 VID 20 Ports 1,5 Tagging none fabric ports 1,5

Example 3: VLANs with Tagged Front-Panel Ports

The configuration in Figure 17 shows multiple overlapping VLANs that span two 20-port Layer 2 switching modules and pass traffic through the switch fabric module (which resides in slot 7 but is logically represented above the other modules).

In this example:

• There are two user-defined VLANs: VLAN2 and VLAN3. For the purposes of this example, assume that the default VLAN exists but is tagged on all ports that are shared by one or both of the user-configured VLANs. (You can also remove the shared ports from the default VLAN or remove the default VLAN.)

• VLAN2 and VLAN3 overlap on both the front-panel and backplane ports of Module-YY and on the switch fabric module backplane port (Port 17) that is connected to Module-YY.

• Because the membership of both VLANs is port-based, the shared ports (on both the front-panel and backplane ports) must be explicitly tagged.

• Station-E must support tagging because it is connected to a tagged port.

• The two overlapped front-panel ports on Module-YY can receive frames that are flooded on VLAN2 from Station-A, Station-B, and Station-E, or on VLAN3 from Station-C, Station-D, and Station-E.

  This communication is accomplished through the switch fabric module, which inserts an IEEE 802.1Q tag into the frame that contains the appropriate VLAN-ID. It then forwards the frame through its backplane port (Port 17) to Module-YY.

  When the backplane port of Module-YY receives the frame, the tag identifies and knows to which VLAN the frame belongs.

Figure 17 Multiple VLAN Example with Tagged Front-Panel Ports

Table 52 lists the VLAN definitions for these port-based VLANs.

Table 52 Port-based VLANs with Tagged Front-Panel and Backplane Ports

Slot 3 Module	Slot 5 Module	Slot 6 Module	Switch Fabric Module
VLAN2: VLAN Index 2 VID 20 Ports 1-3, 21/22 Tagging none front-panel ports 1-3 Tagging none for backplane port 21/22	VLAN2: VLAN Index 2 VID 20 Ports 1-4, 21/22 Tagging none front-panel ports 1,2 Tagging 802.1Q front-panel ports 3, 4 and backplane port 21/22	-	VLAN2: VLAN Index 2 VID 20 Ports 5,17 Tagging none port 5 Tagging 802.1Q port 17
-	VLAN3: VLAN Index 3 VID 30 Ports 3-6, 21/22 Tagging 802.1Q front-panel ports 3, 4 and backplane port 21/22 Tagging none front-panel ports 5,6	VLAN3: VLAN Index 3 VID 30 Ports 1-5, 21/22 Tagging none front-panel ports 1-5 Tagging none backplane port 21/22	VLAN3: VLAN Index 3 VID 30 Ports 17, 21 Tagging 802.1Q port 17 Tagging none port 21

Dynamic Port-based VLANs Using GVRP

For Multilayer Switching Modules, GARP VLAN Registration Protocol (GVRP) can help you simplify the management of VLAN configurations in your larger networks.

GVRP allows the Multilayer Switching Module to:

• Dynamically create a port-based VLAN (unspecified protocol) with a specific VID and a specific port, based on updates from GVRP-enabled devices

• Learn, on a port-by-port basis, about GVRP updates to an existing port-based VLAN with that VID and IEEE 802.1Q tagging

• Send dynamic GVRP updates about its existing port-based VLANs.

GVRP allows your Multilayer Switching Module to advertise its manually configured IEEE 802.1Q VLANs to other devices supporting GVRP. Because the VLANs are advertised, GVRP-aware devices in the core of the network do not need manual configuration to pass IEEE 802.1Q frames to the proper destination. The method of VLAN advertisement used by all GVRP-capable switches involves protocol data units (PDUs), similar to the method used by STP. GVRP-capable devices send their updates to a well-known multicast address and all GVRP-capable devices listen to this address for information changes.

Enabling GVRP allows the Multilayer Switching Module dynamically adjust active network topologies in response to configuration changes in one or more VLANs. GVRP then advertises VLAN changes on each bridge to all other GVRP bridges in the network.

Important Considerations

To use GVRP, consider the following:

• You must explicitly enable GVRP as an entire bridge state and then as an individual bridge port state for the appropriate ports (see Chapter 9) to take advantage of dynamic IEEE 802.1Q VLAN configuration. By default, GVRP is disabled as both a bridge state and a bridge port state. If GVRP is enabled, the VLAN origin for a port-based VLAN is dynamic (with GVRP). When GVRP is disabled, the VLAN origin is either static (traditional static VLAN without GVRP) or router (router port).

• In a GVRP environment, devices must be GVRP-enabled (that is, support GVRP). These devices could be end stations with 3Com's DynamicAccess^® software or other switches that explicitly enable GVRP.

• VLANs created dynamically with GVRP exist only as long as a GVRP-enabled device is sending updates. If the devices no longer send updates, or GVRP is disabled, or the module is rebooted, all dynamic VLANs are removed.

• GVRP updates are not sent out on any blocked STP ports. GVRP operates only on ports that are in the STP forwarding state. If GVRP is enabled, a port that changes to the STP forwarding state automatically begins to participate in GVRP. A port that changes to an STP state other than forwarding no longer participates in GVRP.

• The VLAN topologies that GVRP learns are treated differently from VLANs that are statically configured. GVRP's dynamic updates are not saved in NVRAM, while static updates are saved in NVRAM. When GVRP is disabled, the Multilayer Switching Module deletes all VLAN interfaces that were learned through GVRP and leaves unchanged all VLANs that were configured through the Administration Console, SNMP, or the Web Management software.

• GVRP manages the active topology, not nontopological data such as VLAN protocols. If you need to classify and analyze packets by VLAN protocols, you must manually configure protocol-based VLANs. But if the module needs to know only how to reach a given VLAN, then GVRP provides all necessary information.

• A GVRP-created VLAN is useful in situations where only Layer 2 switching needs to be performed for that VLAN. (Routing between a GVRP-created VLAN and another VLAN can be performed with an external router.) Because GVRP-created VLANs are assigned the unspecified protocol type, router interfaces cannot be assigned to them. Therefore, all communication within a GVRP-created VLAN is constrained to that VLAN in allClosed mode; in allOpen mode, only unicast frames with a known destination address can be transmitted to another VLAN.

Figure 18 shows how a GVRP update (with the VID) sent from one end station is propagated throughout the network.

Figure 18 Sample Configuration Using GVRP