Most current campus networks use switches for networking. Using a switch to build a network makes network management flexible, allowing you to create virtual local area networks (VLAN) based on departmental, management, and security requirements, and assign computers in the same department or with the same management and security requirements to different VLANs.

This chapter will explain Ethernet knowledge such as the evolution of Ethernet, Ethernet frame format, MAC addresses, the process of building MAC address tables by switches, creation and management of VLANs, and implementation of inter-VLAN routing.

7.1 Ethernet Switching Fundamentals

7.1.1 Evolution of Ethernet

LANs originally used coaxial cables for networking and adopted a bus topology, where a coaxial cable was a link, as shown in Fig. 7.1. A link connects multiple network devices (network interface cards) through T-shaped connectors, and any two computers on the link can communicate. For example, if Computer A sends a frame to Computer B, the coaxial cable transmits the digital signal carrying the frame to all terminals, and all computers on the link receive it (this is called a broadcast channel). To achieve point-to-point communication in such a broadcast channel, source and destination addresses must be added to the frames sent, which requires that the network interface card of each computer in the network has a unique physical address, i.e., a MAC address. When the destination MAC address of the frame matches the MAC address of the computer’s network interface card, the network interface card accepts the frame; it discards frames that are not addressed to it.

Fig. 7.1 Bus Ethernet

A MAC address consists of 48 binary bits and is globally unique. In Fig. 7.1, MA, MB, and MC denote the MAC addresses of Computers A, B, and C, respectively.

If multiple computers on the bus send data at the same time, their signals superimpose and the receiver cannot recognize the signal. Therefore, computers must avoid such collisions. Before sending data, a computer first listens to check whether the channel is idle. If it is, the computer sends immediately; if the channel is busy, the computer waits until the transmission in progress has completed before sending. After starting to transmit, the computer also detects whether its signal collides with signals sent by other computers on the line. If there is a collision, the computers involved wait for a random period of time before sending again. This mechanism is called Carrier Sense Multiple Access with Collision Detection (CSMA/CD), and it is the data link layer protocol used for broadcast channels.

In addition to the bus topology, a broadcast channel can also be built in a star topology using a hub. As shown in Fig. 7.2, the digital signal sent from Computer A to Computer C is repeated by the hub to all ports (just as on a bus) and is received by the network interface cards of Computers B, C and D. Only Computer C’s network interface card has the frame’s destination MAC address, so only Computer C accepts this frame. To avoid collisions, Computers B and D cannot send frames at the same time, so computers connected to a hub must also use the CSMA/CD protocol.

Fig. 7.2 Star broadcast channel

In a LAN built with coaxial cable or a hub, the computers on the link share the bandwidth, and the more computers there are, the less bandwidth each one gets on average. Later, switches replaced coaxial cables and hubs. A switch has a MAC address table and forwards a frame according to its destination MAC address instead of to all ports, which avoids collisions.

Now most enterprise LANs are built with switches, because switches can build MAC address tables and forward frames based on them. Figure 7.3 shows the advantages of switch networking.

Fig. 7.3 Advantages of switch networking

The following are the features of using switch networking compared with hub networking.

  1. Port exclusive bandwidth.

    Each port of the switch has exclusive bandwidth. A 10 Mbit/s switch has 10 Mbit/s of bandwidth per port, and a 24-port 10 Mbit/s switch has an overall switching capacity of 240 Mbit/s, which is different from a hub.

  2. Security.

    Networks formed using switches are safer than those formed using hubs. For example, for frames sent from Computer A to Computer B and from Computer D to Computer C, the switch forwards them only to the destination port according to the MAC address table, and Computer E in the figure does not receive the digital signals of the other computers’ communication at all. Even if a packet capture tool is installed on Computer E, it cannot capture the packets exchanged by the other computers.

  3. Full-duplex communication.

    A switch port is directly connected to a computer, and the link between the computer and the switch can use full-duplex communication, that is, it can send and receive at the same time.

  4. Full-duplex communication no longer uses the CSMA/CD protocol.

    Since a switch port is directly connected to a computer, if full-duplex communication is used the data link layer no longer needs the CSMA/CD protocol. We still call a network formed by switches Ethernet, because the frame format is the same as Ethernet’s.

  5. Ports can work at different rates.

    The switch uses store-and-forward, which means that each port can store a frame and forward it out of another port at a different rate. Usually, the ports connected to servers and to other switches have higher bandwidth than the ports connected to ordinary computers.

  6. Forwarding of broadcast frames.

    Broadcast frames are forwarded to all ports except the one they arrived on. The destination MAC address of a broadcast frame is all 1s in 48-bit binary form, i.e., FF-FF-FF-FF-FF-FF. For example, ARP in Ethernet resolves the MAC address of a known IP address on the local network segment by sending a broadcast frame. Some viruses also send broadcast frames into the network, so that the switch is kept busy forwarding them and the normal communication of computers in the network is affected, resulting in network congestion. Therefore, an Ethernet formed with switches is one broadcast domain. Routers are responsible for forwarding packets between different network segments, and broadcast packets cannot cross routers, so it is said that routers isolate broadcasts.

    As shown in Fig. 7.4, the router is connected to two switches, which are connected to computers and hubs, and the router isolates the broadcast. The broadcast domain and collision domains are marked in the figure.

Fig. 7.4 Broadcast domain and collision domain

7.1.2 MAC Addresses

In February 1980, the Institute of Electrical and Electronics Engineers (IEEE) held a meeting at which a huge technical standardization project called IEEE Project 802 was launched. The “80” in 802 refers to 1980, and the “2” to February.

The IEEE Project 802 aims to develop a series of standards for local area networks (LANs). Ethernet standard (IEEE 802.3), token ring network standard (IEEE 802.5), token bus network standard (IEEE 802.4), and other LAN standards are the results of the IEEE Project 802. We collectively refer to the various standards developed by the IEEE 802 project as IEEE 802 standards.

The MAC address is defined and standardized in the IEEE 802 standards. Any network interface card (such as an Ethernet interface card or a token ring network interface card) that complies with the IEEE 802 standards must have a MAC address.

Just as every person has an ID number, each network interface card has a number to identify itself: the 48-bit (six-byte) MAC address. Different network interface cards have different MAC addresses. In other words, the MAC address of a network interface card is unique in the whole world. A router port connected to an Ethernet network also has a MAC address, just like a computer’s network interface card.

Before a manufacturer can manufacture network interface cards, it must first register with IEEE to obtain a 24-bit (three-byte) vendor code, also known as an Organizationally Unique Identifier (OUI). During manufacturing, the manufacturer burns a 48-bit burned-in address (BIA) into the read-only memory (ROM) of each network interface card. The first three bytes of the BIA address are the manufacturer’s OUI, and the last three bytes are determined by the manufacturer, but they must be different for every network interface card. The BIA address burned into the network interface card cannot be changed; it can only be read and used. Figure 7.5 shows the format of the BIA address.

Fig. 7.5 BIA address format

A BIA address is a kind of MAC address, or, more precisely, a kind of unicast MAC address. There are three kinds of MAC addresses, namely unicast, multicast, and broadcast MAC addresses, as shown in Fig. 7.6.

  1. A unicast MAC address is a MAC address whose eighth bit of the first byte is 0.

  2. A multicast MAC address is a MAC address whose eighth bit of the first byte is 1.

  3. A broadcast MAC address is a MAC address whose every bit is 1.

A unicast MAC address (such as a BIA address) identifies a specific network interface card, a multicast MAC address identifies a group of network interface cards, and a broadcast MAC address is a special case of multicast MAC address that identifies all network interface cards.

Fig. 7.6 MAC address classification and format

From Fig. 7.6, we can see that it is not true that the first three bytes of every MAC address are an OUI. Only the first three bytes of a unicast MAC address are an OUI; those of multicast and broadcast MAC addresses are not.

A MAC address has 48 bits, which for convenience is usually written in hexadecimal. Two hexadecimal digits form one group (i.e., one byte), giving six groups separated by hyphens. Alternatively, three groups of four hexadecimal digits (i.e., two bytes each) can be used, again separated by hyphens. Figure 7.7 gives an example of these two representations.

Fig. 7.7 MAC address representation
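The following Python program is an added example, not code from the book: it parses both written forms of a MAC address shown in Fig. 7.7, classifies the address as unicast, multicast or broadcast using the bit of the first byte described with Fig. 7.6, and extracts the OUI only where one exists. The function names are this example's own; the first sample address is taken from the display mac-address output later on this page, the other two are constructed.

```python
"""Added example (not the book's code): parse the two written forms of a MAC
address from Fig. 7.7, classify it as unicast, multicast or broadcast using
the I/G bit (Fig. 7.6), and extract the OUI where one exists."""
import re


def parse_mac(text):
    """Accept 'XX-XX-XX-XX-XX-XX' (six groups of one byte) or 'XXXX-XXXX-XXXX'
    (three groups of two bytes), case-insensitive, and return the six raw bytes."""
    groups = text.split("-")
    digits = "".join(groups)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit hexadecimal MAC address: {text!r}")
    if len(groups) not in (3, 6) or len({len(g) for g in groups}) != 1:
        raise ValueError(f"groups must be six bytes or three byte pairs: {text!r}")
    return bytes.fromhex(digits)


def is_valid_mac(text):
    try:
        parse_mac(text)
        return True
    except ValueError:
        return False


def format_mac(mac, digits_per_group=2):
    """2 -> 'XX-XX-XX-XX-XX-XX' style, 4 -> 'XXXX-XXXX-XXXX' style."""
    hexstr = mac.hex().upper()
    return "-".join(hexstr[i:i + digits_per_group]
                    for i in range(0, len(hexstr), digits_per_group))


def classify(mac):
    """The bit the text calls the eighth bit of the first byte is the bit sent
    first on the wire, i.e. the least significant bit of the first byte's
    value: 0 means unicast, 1 means multicast; all ones means broadcast."""
    if mac == b"\xff" * 6:
        return "broadcast"
    return "multicast" if mac[0] & 0x01 else "unicast"


def oui(mac):
    """Only a unicast address carries the manufacturer's OUI in its first three bytes."""
    return format_mac(mac[:3]) if classify(mac) == "unicast" else None


def describe(text):
    mac = parse_mac(text)
    return {"canonical": format_mac(mac), "compact": format_mac(mac, 4),
            "kind": classify(mac), "oui": oui(mac)}


if __name__ == "__main__":
    # First address from the display mac-address output on this page; the other two are constructed.
    for sample in ("5489-9853-3b60", "01-00-5E-00-00-01", "FF-FF-FF-FF-FF-FF"):
        print(sample, describe(sample))
```

Both written forms map to the same six bytes, so inventory tools that compare MAC addresses should normalise with something like format_mac before comparing strings.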

7.1.3 Ethernet Frame Format

The frames used by Ethernet technology are called Ethernet frames. There are two standards for the Ethernet frame format: one is defined by IEEE 802.3, which is called IEEE 802.3 format; the other is jointly defined by three companies, Digital Equipment Corporation (DEC), Intel, and Xerox, and is called Ethernet II format, also known as DIX format. The two Ethernet frame formats are shown in Figs. 7.8 and 7.9. Although there are some differences between the two formats, they can both be applied to Ethernet. Current network devices are compatible with both formats, but Ethernet II frames are more widely used. Generally, IEEE 802.3 format is only used for Ethernet frames that carry special protocol information, while Ethernet II format is used for the majority of Ethernet frames.

Fig. 7.8 IEEE 802.3 format

Fig. 7.9 Ethernet II format

The following is a brief description of each field in an Ethernet frame of Ethernet II format.

  1. Destination MAC address: this field has six bytes and indicates the receiver (destination) of the frame. The destination MAC address can be a unicast, multicast, or broadcast MAC address.

  2. Source MAC address: this field has six bytes and indicates the sender (origin) of the frame. The source MAC address can only be a unicast MAC address.

  3. Type: this field has two bytes and specifies the type of the load data. For example, if the value of this field is 0x0800, the load data is an IPv4 packet; if it is 0x86dd, the load data is an IPv6 packet; if it is 0x0806, the load data is an ARP packet; if it is 0x8848, the load data is an MPLS packet; and so on.

  4. Load data: this field has a variable length, from 46 bytes at the shortest to 1500 bytes at the longest. It is the payload of the frame, and its type is indicated by the preceding Type field.

  5. CRC field: this field has four bytes. CRC stands for Cyclic Redundancy Check, and the field is used to check the frame for errors. A detailed description of how it works is beyond the scope of this book and is omitted here.

The functions and roles of the destination MAC address field, source MAC address field, type field, load data field, and CRC field in Ethernet frames of IEEE 802.3 format are the same as those of Ethernet II format, so they are not repeated here. The descriptions of several other fields (length field, DSAP field, etc.) are beyond the knowledge scope of this book, so they are omitted here.

The network interface card has a filtering feature: for every Ethernet frame it receives from the network, the adapter first checks the destination address in hardware. If the frame is addressed to this host, it is accepted for further processing. Otherwise, the frame is discarded and no further processing is performed, so the host’s CPU and memory are not wasted on it. Note that, according to the type of destination MAC address, Ethernet frames are divided into the following three types.

  1. Unicast Ethernet frames (or unicast frames for short): a frame whose destination MAC address is a unicast MAC address.

  2. Multicast Ethernet frames (or multicast frames for short): a frame whose destination MAC address is a multicast MAC address.

  3. Broadcast Ethernet frames (or broadcast frames for short): a frame whose destination MAC address is a broadcast MAC address.
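The following Python program is an added example, not code from the book: it builds and parses Ethernet II frames with the five fields described above, looks up the Type values the text lists, verifies the CRC field, and applies the network interface card's destination-address filter. The CRC field is computed with IEEE CRC-32 (the variant zlib.crc32 implements) and appended low byte first, which is the IEEE 802.3 convention; the function names and the multicast-group parameter are this example's own, and the sample MAC addresses are taken from the display mac-address output later on this page with a constructed assignment to hosts.

```python
"""Added example (not the book's code): build and parse Ethernet II frames,
verify the CRC field and apply the adapter's destination-address filter."""
import struct
import zlib

# Type field values named in the text (constructed lookup table).
ETHERTYPES = {0x0800: "IPv4", 0x86DD: "IPv6", 0x0806: "ARP", 0x8848: "MPLS"}
BROADCAST = b"\xff" * 6
MIN_PAYLOAD, MAX_PAYLOAD = 46, 1500


def frame_kind(dst):
    """Classify by destination MAC: broadcast, multicast (I/G bit set) or unicast."""
    if dst == BROADCAST:
        return "broadcast"
    return "multicast" if dst[0] & 0x01 else "unicast"


def build_frame(dst, src, ethertype, payload):
    """Header + load data (padded to 46 bytes) + CRC field.
    The CRC is IEEE CRC-32 (what zlib.crc32 computes), appended low byte first."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses are six bytes")
    if src[0] & 0x01:
        raise ValueError("source MAC address must be unicast")
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("load data may not exceed 1500 bytes")
    body = dst + src + struct.pack("!H", ethertype) + payload.ljust(MIN_PAYLOAD, b"\x00")
    return body + struct.pack("<I", zlib.crc32(body))


def parse_frame(frame):
    """Split a frame into its fields and verify the CRC; returns a dict."""
    if len(frame) < 14 + MIN_PAYLOAD + 4:
        raise ValueError("runt frame (shorter than 64 bytes)")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    (fcs,) = struct.unpack("<I", frame[-4:])
    return {
        "dst": dst.hex("-"), "src": src.hex("-"),
        "type": ETHERTYPES.get(ethertype, f"0x{ethertype:04x}"),
        "payload": frame[14:-4],
        "crc_ok": zlib.crc32(frame[:-4]) == fcs,
        "kind": frame_kind(dst),
    }


def nic_accepts(frame, my_mac, joined_groups=frozenset()):
    """The adapter's hardware filter from the text: accept frames addressed to
    this card, broadcast frames, and multicast frames for groups it joined.
    Frames whose CRC does not verify are dropped whatever their address."""
    dst = frame[:6]
    if zlib.crc32(frame[:-4]) != struct.unpack("<I", frame[-4:])[0]:
        return False
    return dst == my_mac or dst == BROADCAST or dst in joined_groups


if __name__ == "__main__":
    # Constructed: two of the MAC addresses from the display mac-address output.
    pc1 = bytes.fromhex("548998533b60")
    pc2 = bytes.fromhex("548998510fbe")
    arp = build_frame(BROADCAST, pc1, 0x0806, b"\x00" * 28)  # 28-byte ARP payload, padded to 46
    print(parse_frame(arp))
    print("PC2 accepts the broadcast:", nic_accepts(arp, pc2))
```

The padding step is why an ARP request, whose payload is only 28 bytes, still occupies the 64-byte minimum frame; a parser that trusts the frame length to recover the payload length will see 46 bytes and must use the inner protocol's own length fields.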

7.2 Ethernet Switches

7.2.1 MAC Address Table of Switches

A switch maintains a MAC address table, on the basis of which the switch forwards unicast frames. The switch’s MAC address table is also called the MAC address mapping table, and each entry in it is also called an address table entry, which reflects the mapping of MAC addresses to ports.

As shown in Fig. 7.10, two switches and five computers form a network. After pinging the IP addresses of PC2, PC3, PC4 and PC5 from PC1, the switches have built complete MAC address tables. Entering “display mac-address” on SW2 shows its MAC address table; interface GE0/0/1 corresponds to the MAC addresses of PC1 and PC2, so you can conclude that interface GE0/0/1 of SW2 is the one connected to SW1. If you enter “display mac-address” on SW2 again 300 s later, you can see that the entries in the MAC address table have been automatically cleared.

<SW2>display mac-address
MAC address table of slot 0:
-------------------------------------------------------------------------------
MAC Address    VLAN/       PEVLAN  CEVLAN  Port            Type    LSP/LSR-ID
               VSI/SI                                              MAC-Tunnel
-------------------------------------------------------------------------------
5489-9853-3b60 1           -       -       GE0/0/1         dynamic 0/-
5489-9851-0fbe 1           -       -       Eth0/0/1        dynamic 0/-
5489-98a6-7d20 1           -       -       Eth0/0/2        dynamic 0/-
5489-985e-16b9 1           -       -       Eth0/0/3        dynamic 0/-
5489-986a-20ec 1           -       -       GE0/0/1         dynamic 0/-
-------------------------------------------------------------------------------
Total matching items on slot 0 displayed = 5

Fig. 7.10 View MAC address table

From the above output, we can see that the Type is dynamic, which means the entry is dynamically built and will be automatically deleted after the aging time expires. Enter “display mac-address aging-time” to view the MAC address table aging time.

[SW2]display mac-address aging-time
Aging time: 300 seconds

In reality, the MAC address table of a low-end switch can typically store up to a few thousand address table entries, that of a mid-range switch up to tens of thousands, and that of a high-end switch up to hundreds of thousands.

In reality, the location of a switch or computer in a network may change. If it does, some of the original entries in the switch’s MAC address table will likely no longer reflect the current mapping of MAC addresses to ports. In addition, if the MAC address table holds too many entries, every lookup takes longer (to decide which forwarding operation to perform on a unicast frame, the switch must search the MAC address table for that frame’s destination MAC address), so the forwarding speed of the switch is affected to some extent. For these two main reasons, an aging mechanism has been designed for the MAC address table.

The default aging time is 300 s, which means that an entry is removed from the MAC address table if it is not used within 300 s. The aging time can also be configured with a command. The shorter the aging time, the sooner the switch learns the new MAC-address-to-port mapping after a computer or switch changes location. But if the computers and the network seldom change location and the aging time is short, the entries for MAC addresses and ports are deleted quickly and the switch has to flood again when frames to those MAC addresses arrive.

7.2.2 Three Forwarding Operations of Switches

A switch forwards every frame that enters a port through the transmission medium; forwarding frames is the basic role of a switch.

As illustrated in Fig. 7.11, there are three types of switch forwarding operations for frames entering a port from the transmission media: flooding, forwarding and discarding.

  1. Flooding: the switch sends a frame that entered from one port out of all other ports (“all other ports” means all ports except the one the frame entered from). Flooding is point-to-multipoint forwarding. For example, flooding occurs when an unknown unicast frame, a broadcast frame, or a multicast frame is received.

  2. Forwarding: the switch sends a frame that entered from one port out of another port (the “other port” cannot be the one the frame entered from). This is point-to-point forwarding.

  3. Discarding: the switch drops a frame that entered from a port. Discarding is not actually a forwarding operation.

    The arrows in Fig. 7.11 indicate the path of the frame. The three operations, flooding, forwarding, and discarding, are often collectively referred to as forwarding (i.e., forwarding in the general sense). Therefore, when readers encounter the term “forwarding”, they need to determine from the context whether it means forwarding in the general sense or specifically point-to-point forwarding.

Fig. 7.11 Three frame forwarding actions of the switch

7.2.3 MAC Address Table Building Process of a Single Switch

A switch forwards frames based on its MAC address table, which maps MAC addresses to port numbers. The switch builds the table automatically while computers communicate, which is called “self-learning”.

As shown in Fig. 7.12, the switch has four ports, and the number after the port is the port number (Port No.), which is 1, 2, 3, and 4. Each port connects a computer, which is PC1, PC2, PC3, and PC4, and the corresponding MAC addresses are MAC1, MAC2, MAC3, and MAC4. In the beginning, the MAC address table is empty, which means that the switch also has no idea which MAC addresses correspond to the interfaces before the computers communicate.

Fig. 7.12 The MAC address table building process of a switch

As soon as a computer connected to the switch sends a frame, the switch can add to the MAC address table based on the frame’s source MAC address. Later, it forwards frames based on the table.

As shown in Fig. 7.13, for example, PC1 sends a Frame X to PC3, whose source MAC address is MAC1 and destination MAC address is MAC3. The switch fails to find a port corresponding to MAC3 in the MAC address table, so the frame is flooded to all other ports. The network interface cards of PC2 and PC4 ignore the frame. Because the frame with source MAC address MAC1 entered through Port1, the switch adds a mapping entry of MAC1 and Port1 to the MAC address table.

Fig. 7.13 Flooding

As shown in Fig. 7.14, PC4 sends PC1 a Frame Y with the destination MAC address of MAC1 and the source MAC address of MAC4. After receiving the frame, the switch checks the MAC address table and finds that MAC1 corresponds to Port1, so the switch forwards the frame to Port1 and, at the same time, adds a mapping entry of MAC4 and Port4 to the MAC address table.

Fig. 7.14 Forwarding according to the MAC address table

If a computer sends a frame that needs to be received by all computers in the network, a broadcast frame is needed. The destination MAC address of the broadcast frame is FF-FF-FF-FF-FF-FF. As shown in Fig. 7.15, PC3 sends a broadcast frame, Frame W, and the switch will not check the MAC address table after receiving the broadcast frame, but directly floods Frame W, while adding a mapping entry of MAC3 and Port3 in the MAC address table.

Fig. 7.15 PC3 sends a broadcast frame

7.2.4 MAC Address Table Building Process of Multiple Switches

As shown in Fig. 7.16, three switches are connected to four computers through twisted-pair cables, forming a relatively complex network. Assume that the MAC address tables of the switches are all empty at this moment. Some examples are presented in the following part to illustrate the process of frame forwarding in this network. Since the forwarding principles of the switches have been described in detail in the previous section, the following description is relatively concise.

Fig. 7.16 Multi-switch networking

As shown in Fig. 7.17, now assume that PC1 needs to send a unicast frame X to PC3, with a source MAC address of MAC1 and a destination MAC address of MAC3. The MAC address tables of all three switches are empty. Switch 1 does not find a port corresponding to MAC3 in its MAC address table, so the frame is flooded to all other ports.

Fig. 7.17 PC1 sends a unicast frame to PC3

The following steps describe the entire process of how Frame X arrives at PC3 from PC1.

  1. After receiving Frame X, Switch 1 cannot find the port corresponding to the destination MAC address in its MAC address table, so it floods the frame to all other ports and adds an entry mapping MAC1 to Port1 to the MAC address table.

  2. Switch 2 floods Frame X received on Port1, and Frame X reaches Port3 of Switch 3 through Port2 of Switch 2. Switch 2 writes the correspondence between MAC1 and Port1 in its own MAC address table.

  3. Switch 3 floods Frame X received on Port3, and Switch 3 writes the correspondence between MAC1 and Port3 in its own MAC address table.

At this point, the network state is as shown in Fig. 7.17. Frame X has arrived at destination host PC3 from source host PC1; the non-destination hosts PC2 and PC4 also received Frame X, but both discard it directly.

In the network state shown in Fig. 7.18, assume that PC4 needs to send PC1 a unicast frame Y with a destination MAC address of MAC1 and a source MAC address of MAC4.

Fig. 7.18 PC4 sends a unicast frame to PC1

The following steps describe the entire process of how Frame Y arrives at PC1 from PC4.

  1. After Port2 of Switch 3 receives Frame Y, it checks the MAC address table and finds that the port corresponding to MAC1 is Port3. It forwards the frame to Port3 and at the same time adds an entry mapping MAC4 to Port2 to the MAC address table.

  2. After Port2 of Switch 2 receives Frame Y, it checks the MAC address table and finds that the port corresponding to MAC1 is Port1. It forwards the frame to Port1 and at the same time adds an entry mapping MAC4 to Port2 to the MAC address table.

  3. After Port3 of Switch 1 receives Frame Y, it checks the MAC address table and finds that the port corresponding to MAC1 is Port1. It forwards the frame to Port1 and at the same time adds an entry mapping MAC4 to Port3 to the MAC address table.

As shown in Fig. 7.19, observe the MAC address tables on Switch 1 and Switch 2 carefully. In this case, PC2 sends a unicast frame Z to PC1. Switch 1 does not find a forwarding port for MAC1 in its MAC address table, so Frame Z is flooded to all other ports. After Port1 of Switch 2 receives the frame, it checks its MAC address table and finds that the port corresponding to MAC1 is Port1, the very port the frame arrived on, so the frame does not need to be forwarded and is discarded.

Fig. 7.19 PC2 sends a unicast frame to PC1

In the last example, a computer sends a broadcast frame. As shown in Fig. 7.20, PC3 sends a broadcast frame W with destination MAC address FF-FF-FF-FF-FF-FF and source MAC address MAC3. Port1 of Switch 3 receives the frame and floods it, while adding an entry mapping MAC3 to Port1 to the MAC address table. Port2 of Switch 2 receives the broadcast frame and floods it, adding an entry mapping MAC3 to Port2. Port3 of Switch 1 receives the broadcast frame and floods it, adding an entry mapping MAC3 to Port3. Computers PC1, PC2 and PC4 all receive the broadcast frame, so the network formed with the switches is one broadcast domain.

Fig. 7.20 PC3 sends a broadcast frame
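The following Python program is an added example, not code from the book: a small learning-switch simulator that covers Sections 7.2.1 to 7.2.4 at once, namely the self-learnt MAC address table with its 300 s aging time, the three operations flood, forward and discard, and the multi-switch walkthrough of Frames X, Y, Z and W. The topology is taken from the step descriptions above (PC1 on Port1 of Switch 1, Port3 of Switch 1 to Port1 of Switch 2, Port2 of Switch 2 to Port3 of Switch 3, PC3 and PC4 on Port1 and Port2 of Switch 3); that PC2 hangs off Port2 of Switch 1 is a constructed assumption, as is letting Switch 1's entries age out before Frame Z so that its table lacks MAC1 as Fig. 7.19 requires. MAC1 to MAC4 are used as labels, exactly as in the text, and the class and function names are this example's own.

```python
"""Added example (not the book's code): learning-switch simulator for the
MAC address table, its aging time, the three forwarding operations and the
single- and multi-switch frame walkthroughs of Sections 7.2.1 to 7.2.4."""
from dataclasses import dataclass

BROADCAST = "FF-FF-FF-FF-FF-FF"
AGING_TIME = 300  # seconds, the default shown by "display mac-address aging-time"


@dataclass
class Frame:
    dst: str
    src: str
    name: str


class Host:
    """A computer whose network interface card keeps only frames addressed to it."""

    def __init__(self, mac):
        self.mac, self.received = mac, []

    def receive(self, frame, now):
        if frame.dst in (self.mac, BROADCAST):
            self.received.append(frame.name)


class Switch:
    def __init__(self, name, ports):
        self.name, self.ports = name, list(ports)
        self.table = {}  # MAC -> (port, time the entry was last refreshed)
        self.links = {}  # port -> function(frame, now) that delivers to the neighbour
        self.log = []    # (frame name, operation) in arrival order

    def attach(self, port, deliver):
        self.links[port] = deliver

    def mac_table(self):
        return {mac: port for mac, (port, _) in self.table.items()}

    def age_out(self, now):
        """Remove entries not refreshed within the aging time."""
        self.table = {m: e for m, e in self.table.items() if now - e[1] < AGING_TIME}

    def receive(self, in_port, frame, now):
        # Self-learning: the source MAC is reachable through the ingress port.
        self.table[frame.src] = (in_port, now)
        entry = None if frame.dst == BROADCAST else self.table.get(frame.dst)
        if entry is None:               # broadcast or unknown unicast
            op, out = "flood", [p for p in self.ports if p != in_port]
        elif entry[0] == in_port:       # destination sits behind the ingress port
            op, out = "discard", []
        else:
            op, out = "forward", [entry[0]]
        self.log.append((frame.name, op))
        for port in out:
            if port in self.links:
                self.links[port](frame, now)
        return op


def build_network():
    """Wiring assumed from Fig. 7.16 and the steps above (PC2's port is constructed)."""
    pcs = {n: Host(m) for n, m in (("PC1", "MAC1"), ("PC2", "MAC2"), ("PC3", "MAC3"), ("PC4", "MAC4"))}
    sw1, sw2, sw3 = Switch("Switch 1", [1, 2, 3]), Switch("Switch 2", [1, 2]), Switch("Switch 3", [1, 2, 3])
    sw1.attach(1, pcs["PC1"].receive)
    sw1.attach(2, pcs["PC2"].receive)
    sw1.attach(3, lambda f, t: sw2.receive(1, f, t))
    sw2.attach(1, lambda f, t: sw1.receive(3, f, t))
    sw2.attach(2, lambda f, t: sw3.receive(3, f, t))
    sw3.attach(3, lambda f, t: sw2.receive(2, f, t))
    sw3.attach(1, pcs["PC3"].receive)
    sw3.attach(2, pcs["PC4"].receive)
    return pcs, sw1, sw2, sw3


def run_walkthrough():
    pcs, sw1, sw2, sw3 = build_network()
    tables = lambda: (sw1.mac_table(), sw2.mac_table(), sw3.mac_table())
    results = {}
    sw1.receive(1, Frame("MAC3", "MAC1", "X"), now=0)      # Fig. 7.17: everything floods
    results["after_X"] = tables()
    sw3.receive(2, Frame("MAC1", "MAC4", "Y"), now=1)      # Fig. 7.18: MAC1 known, forward
    results["after_Y"] = tables()
    sw3.receive(1, Frame(BROADCAST, "MAC3", "W"), now=2)   # Fig. 7.20: broadcast, no lookup
    sw1.age_out(now=400)                                   # constructed: Switch 1 forgets MAC1
    results["sw1_after_aging"] = sw1.mac_table()
    sw1.receive(2, Frame("MAC1", "MAC2", "Z"), now=400)    # Fig. 7.19: Switch 2 discards
    results["final"] = tables()
    results["operations"] = {s.name: s.log for s in (sw1, sw2, sw3)}
    results["received"] = {n: h.received for n, h in pcs.items()}
    return results


if __name__ == "__main__":
    for key, value in run_walkthrough().items():
        print(key, value)
```

Switch 2 never forwards Frame Z because the entry it learnt from Frame X already points at Port1, the port Z arrived on; that is the discard operation of Section 7.2.2 arising naturally from the table, not a special rule.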

7.2.5 Typical Campus Network Architecture

Figure 7.21 shows a typical campus network architecture. In addition to the access layer, aggregation layer and core layer, in this network architecture, two routers connecting the Internet are also treated as a separate layer, that is, an “exit layer”. For network security, firewalls are deployed in the core layer. In order to achieve architectural security (to avoid single point of failure of key devices), dual aggregation layer switches and dual core layer switches are deployed at the aggregation layer and core layer, respectively, and two routers are also deployed at the exit layer, with dual links to the Internet.

Fig. 7.21 Typical campus network architecture

7.3 VLANs

7.3.1 Concept and Meaning of VLAN

A virtual local area network (VLAN) is a logical group of devices and users not restricted by physical location, so that administrators can logically divide users in the same physical LAN into different broadcast domains according to application requirements. Each VLAN contains a group of computers or servers with the same requirements, which communicate with each other as if they were on the same network segment; this is why it is called a virtual local area network. VLANs work at Layer 2 and Layer 3 of the OSI reference model, and each VLAN is a broadcast domain. Communication between VLANs must go through Layer 3 devices (routers or Layer 3 switches).

As shown in Fig. 7.22, a company deploys switches on the first, second and third floors of its office building; all three are access layer switches, connected by aggregation layer switches. The company’s sales department, R&D department and finance department have computers on each floor. For security and to control network broadcasts, a VLAN can be created for each department. The different VLANs on the switches are identified by numbers: VLAN 1 can be assigned to the computers of the sales department, VLAN 2 to those of the R&D department, and VLAN 3 to those of the finance department.

Fig. 7.22 VLAN illustration

VLANs have the following advantages.

  1. Control of broadcast range.

    A VLAN is a broadcast domain. Broadcast frames sent by computers in a VLAN do not spread to other VLANs, which reduces the range affected by broadcasts.

  2. Security.

    Different VLANs can be created according to security requirements, and computers with the same security requirements can be placed in the same VLAN. For instance, computers holding sensitive data are isolated from the other computers in the network, reducing the chance of leaking confidential information. Computers in different VLANs are isolated from each other at the data link layer, i.e., users in one VLAN cannot communicate directly with users in other VLANs. For different VLANs to communicate, traffic must pass through Layer 3 devices such as routers or Layer 3 switches, where it can be controlled.

  3. Improvement of performance.

    Dividing a flat Layer 2 network into multiple logical workgroups (broadcast domains) reduces unnecessary traffic on the network and improves performance.

  4. Improvement of IT staff productivity.

    VLANs make network management easier because users with similar network requirements share the same VLAN.

7.3.2 Multiple VLANs on a Single Switch

All ports of the switch belong to VLAN 1 by default, and VLAN 1 is the default VLAN that cannot be deleted. As shown in Fig. 7.23, all ports of Switch S1 are in VLAN 1. A frame entering the switch port is automatically tagged with the VLAN to which the port belongs, and the VLAN tag is removed when the frame exits the switch port. In Fig. 7.23, Computer A sends a frame to Computer D. The frame enters Port F0, and is tagged with a VLAN 1 tag, then it exits Port F3, at which point the VLAN 1 tag is removed. This process is transparent to the communicating computers A and D. If Computer A sends a broadcast frame, the frame is tagged with a VLAN 1 tag and forwarded to all ports of VLAN 1.

Fig. 7.23 Switch port belongs to VLAN 1 by default

Suppose Switch S1 connects computers of two departments. A, B, C and D are computers of the sales department, and E, F, G and H are computers of the R&D department. For security reasons, the computers of the sales department are assigned to VLAN 1 and those of the R&D department to VLAN 2. As shown in Fig. 7.24, Computer E sends a frame to Computer H through Port F8; the frame is tagged with a VLAN 2 tag, and when it exits Port F11 the VLAN 2 tag is removed. The frames sent and received by the computers have no VLAN tag.

Fig. 7.24 Same VLAN communication process of the switch

Dividing Switch S1 into two VLANs is tantamount to logically dividing this switch into two separate switches, S1-VLAN 1 and S1-VLAN 2, as shown in Fig. 7.25. As you can see from Fig. 7.25, communication between computers in different VLANs is impossible even if their IP addresses are set in one network segment. To achieve inter-VLAN communication, the frame must be forwarded by a router (a Layer 3 device), which requires different VLANs to be assigned IP addresses from different network segments. The network segment assigned to S1-VLAN 1 in Fig. 7.25 is 192.168.1.0/24, and that assigned to S1-VLAN 2 is 192.168.2.0/24. In Fig. 7.25, a router is added to demonstrate the inter-VLAN communication process. Port F0 of the router is connected to Port F5 of S1-VLAN 1, while Port F1 is connected to Port F7 of S1-VLAN 2. Figure 7.25 shows how Computer C sends a packet to Computer E, the frames entering and exiting the switch ports, and the change in VLAN tags.

Fig. 7.25 VLAN equivalence diagram

7.3.3 VLANs Across Switches

As mentioned earlier, multiple VLANs can be created on one switch. Sometimes computers in the same department are connected to different switches; they should still be placed in the same VLAN, which then becomes a VLAN across switches.

As shown in Fig. 7.26, there are two switches S1 and S2 in the network, computers A, B, C and D belong to the sales department, and computers E, F, G and H belong to the R&D department. VLANs are divided by department, with VLAN 1 for the sales department and VLAN 2 for the R&D department. In order to enable the communication between VLAN 1 of S1 and VLAN 1 of S2, the VLAN 1 ports of the two switches are connected so that computers A, B, C, and D belong to the same VLAN and VLAN 1 spans across the two switches. Similarly, the VLAN 2 ports on both switches are connected, so VLAN 2 also spans across both switches. Pay attention to how VLAN tags of the frames change when Computer D communicates with Computer C.

Fig. 7.26 Cross-switch VLAN

Figure 7.26 makes it easy to understand how VLANs across switches are implemented. The figure shows two VLANs across switches, each using a separate network cable for connection. Multiple VLANs across switches can also share the same network cable, which is called a trunk link, and the switch port connected to the trunk link is called a trunk port, as shown in Fig. 7.27.

Fig. 7.27 Trunk link frames with VLAN tags

In the network shown in Fig. 7.27, the link where a computer connects to a switch is called an access link. The link between switches that allows frames of multiple VLANs to pass is called a trunk link. Frames on an access link are untagged frames, and frames on a trunk link can be tagged frames. The VLAN information is not lost when frames are passed over the trunk. For example, if Computer B sends a broadcast frame that travels over the trunk link to Switch S2, the latter knows that the broadcast frame came from VLAN 1 and forwards the frame to all ports of VLAN 1.

The ports on the switch are divided into access ports, trunk ports, and hybrid ports. Access ports can belong to only one VLAN and are generally used to connect computers; trunk ports allow frames from multiple VLANs to pass through, and frames entering and leaving the port can carry VLAN tags; hybrid ports are introduced in detail in the next section.

As shown in Fig. 7.28, there are two switches and 3 VLANs. Think about it: can a broadcast frame sent by Computer A in VLAN 1 reach VLAN 2 and VLAN 3?

Fig. 7.28 Do not use access ports to connect switches

As seen in Fig. 7.28, the broadcast frame from Computer A is sent out of Port F2 without a VLAN tag. After the frame enters Port F3 of S2 and is tagged with a VLAN 2 tag, S2 forwards it to all VLAN 2 ports, and Computer B is able to receive the frame. The frame is sent from Port F5 of S2 with its VLAN 2 tag removed. Then Port F6 of S1 receives the frame, adds a VLAN 3 tag and forwards it to all VLAN 3 ports, and Computer C can receive the frame.

From the above analysis, it is clear that on switches where VLANs are created, access ports should not be used for the connection between switches. A wrong connection of this kind causes inexplicable network failures: VLANs are meant to isolate broadcast frames, but this connection lets a broadcast frame spread to all 3 VLANs.

7.3.4 Link Types and Port Types

A VLAN frame may have a tag (called a tagged VLAN frame, or simply a tagged frame), or may not have a tag (called an untagged VLAN frame, or simply an untagged frame). When talking about VLAN technology, if a frame is classified by the switch to VLAN i (i = 1, 2, 3, ..., 4094), we refer to this frame simply as a VLAN i frame. For a VLAN i frame with a tag, i is actually the value of the VLAN ID field in the tag of that frame. Note that for tagged VLAN frames, the switch can obviously determine which VLAN a frame belongs to from the VID value in its tag; for untagged VLAN frames (such as those from end computers), the switch needs to determine or classify which VLAN the frame belongs to according to some principle (such as the port through which the frame enters the switch).

In a VLAN-enabled switch network, we call the link directly connecting the switch to the end computer an access link, and the ports on the switch side of access links access ports. At the same time, we call the link directly connecting two switches a trunk link, and the ports on both sides of the trunk link trunk ports. Frames moving on an access link can (or should) only be untagged frames, and these frames can only belong to one specific VLAN; frames moving on a trunk link can be tagged frames, and these frames can belong to different VLANs. An access port can only belong to one specific VLAN and can only allow frames belonging to that VLAN to pass through; a trunk port can belong to multiple VLANs at the same time and allow frames belonging to different VLANs to pass through, as shown in Fig. 7.27.

In the actual implementation of VLAN technology, another type of port, the hybrid port, is often defined and configured. Both the port on the switch connected to the end computer and the port on the switch connected to other switches can be configured as a hybrid port.

Each switch port (access, trunk, hybrid port) should be configured with a PVID (Port VLAN ID), and untagged frames arriving at this port will always be classified by the switch to the VLAN specified by the PVID. For example, if the PVID of a port is configured as 5, then all untagged frames arriving at this port will be identified as VLAN 5 frames. The value of PVID is 1 by default.

To summarize, frames moving on a link (path) may be either tagged frames or untagged frames. However, frames moving between different ports within a switch must be tagged frames.

Next, we illustrate in detail the rules for processing and forwarding frames on the access, trunk, and hybrid ports.

  1. Access ports.

    When the access port receives an untagged frame from a link (path), the switch adds a tag with PVID as the VID to the frame and then forwards (floods, point to point forwards, and discards) the resulting tagged frame.

    When the access port receives a tagged frame from a link (path), the switch checks whether the VID in the tag of this frame is the same as the PVID. If it is, the tagged frame is forwarded (flooded, point to point forwarded, discarded); if not, the tagged frame is directly discarded.

    When a tagged frame arrives at an access port from another port of this switch, the switch checks whether the VID in the tag of the frame is the same as the PVID. If it is, the tag of this tagged frame is stripped and the resulting untagged frame is sent out from the link (path); if not, the tagged frame is directly discarded.

  2. Trunk ports.

    Each trunk port, in addition to its PVID, must also be configured with a list of VLAN IDs allowed to pass through.

    When a trunk port receives an untagged frame from a link (path), the switch adds a tag with the PVID as the VID to the frame and then checks whether the PVID is in the list of VLAN IDs allowed to pass through. If it is, the resulting tagged frame is forwarded (flooded, point to point forwarded, discarded); if not, the resulting tagged frame is directly discarded.

    When a trunk port receives a tagged frame from a link (path), the switch checks whether the VID in the tag of the frame is in the list of VLAN IDs allowed to pass through. If it is, the tagged frame is forwarded (flooded, point to point forwarded, discarded); if not, the tagged frame is directly discarded.

    When a tagged frame arrives at a trunk port from another port of this switch, if the VID in the tag of this frame is not in the list of VLAN IDs allowed to pass through, the tagged frame is directly discarded.

    When a tagged frame arrives at a trunk port from another port of this switch, if the VID in the tag of the frame is in the list of VLAN IDs allowed to pass through and the VID is the same as the PVID, the switch strips the tag of the tagged frame and sends the resulting untagged frame out of the link (path).

    When a tagged frame arrives at a trunk port from another port of this switch, if the VID in the tag of this frame is in the list of VLAN IDs allowed to pass through, but the VID is not the same as the PVID, the switch does not strip the tag of this tagged frame, but sends it directly out of the link (path).

  3. Hybrid ports.

    In addition to PVID, hybrid ports need to be configured with two VLAN ID lists, an untagged VLAN ID list, and a tagged VLAN ID list. All frames of VLANs in these two VLAN ID lists are allowed to pass through this hybrid port.

    When the hybrid port receives an untagged frame from the link (path), the switch adds a tag with the PVID as the VID to the frame and then checks whether the PVID is in the untagged VLAN ID list or the tagged VLAN ID list. If it is, the resulting tagged frame is forwarded (flooded, point to point forwarded, discarded); if not, the resulting tagged frame is directly discarded.

    When a hybrid port receives a tagged frame from a link (path), the switch checks whether or not the VID in the tag of this frame is in the untagged VLAN ID list or tagged VLAN ID list. If it is, the tagged frame is forwarded (flooded, point to point forwarded, discarded); if not, the tagged frame is directly discarded.

    When a tagged frame arrives at a hybrid port from another port of this switch, if the VID in the tag of this frame is neither in the untagged VLAN ID list nor in the tagged VLAN ID list, the tagged frame is directly discarded.

    When a tagged frame arrives at a hybrid port from another port of this switch, if the VID in the tag of this frame is in the untagged VLAN ID list, the switch strips the tag of this tagged frame and sends the resulting untagged frame out of the link (path).

    When a tagged frame arrives at a hybrid port from another port of this switch, if the VID in the tag of this frame is in the tagged VLAN ID list, the switch does not strip the tag of the tagged frame and directly sends it out of the link (path).

    Hybrid ports have a richer and more flexible working mechanism than trunk and access ports: trunk and access ports can be seen as special cases of hybrid ports. When the untagged VLAN ID list of a hybrid port contains only the PVID, the hybrid port is equivalent to a trunk port; when the untagged VLAN ID list contains only the PVID and the tagged VLAN ID list is empty, the hybrid port is tantamount to an access port.
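The three rule sets above can be checked mechanically. The following Python simulation is an added example, not code from the book: it implements the ingress and egress rules for access, trunk and hybrid ports exactly as listed, floods a broadcast through two switches, and reproduces both the trunk case of Fig. 7.27 and the mis-cabled access-port case of Fig. 7.28. Port names not given in the text (F1, F4, F7, G1) and the host names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Frame:
    src: str
    dst: str
    vid: Optional[int] = None  # None means the frame carries no 802.1Q tag


@dataclass
class Port:
    """One switch port and the VLAN lists it is configured with."""
    name: str
    kind: str                                        # "access", "trunk" or "hybrid"
    pvid: int = 1                                    # default PVID is 1
    allowed: Set[int] = field(default_factory=set)   # trunk: VLAN IDs allowed to pass
    untagged: Set[int] = field(default_factory=set)  # hybrid: untagged VLAN ID list
    tagged: Set[int] = field(default_factory=set)    # hybrid: tagged VLAN ID list

    def permitted(self) -> Set[int]:
        """VLAN IDs that may cross this port, per port type."""
        if self.kind == "access":
            return {self.pvid}
        if self.kind == "trunk":
            return self.allowed
        return self.untagged | self.tagged

    def ingress(self, frame: Frame) -> Optional[Frame]:
        """Frame arriving from the link: tag untagged frames with the PVID,
        then keep the frame only if its VID is permitted. None means discarded."""
        vid = self.pvid if frame.vid is None else frame.vid
        if vid not in self.permitted():
            return None
        return Frame(frame.src, frame.dst, vid)

    def egress(self, frame: Frame) -> Optional[Frame]:
        """Tagged frame arriving from inside the switch: discard if not
        permitted, strip the tag where the rules say so, otherwise keep it."""
        if frame.vid is None or frame.vid not in self.permitted():
            return None
        if self.kind == "hybrid":
            strip = frame.vid in self.untagged
        else:                        # access and trunk ports strip only the PVID
            strip = frame.vid == self.pvid
        return Frame(frame.src, frame.dst, None if strip else frame.vid)


class Switch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}

    def flood(self, in_port: str, frame: Frame) -> Dict[str, Frame]:
        """Broadcast frame entering in_port; returns {port: frame on that link}."""
        tagged = self.ports[in_port].ingress(frame)
        if tagged is None:
            return {}
        out = {}
        for name, port in self.ports.items():
            if name != in_port:
                sent = port.egress(tagged)
                if sent is not None:
                    out[name] = sent
        return out


BCAST = "ff:ff:ff:ff:ff:ff"


def trunk_keeps_vlan():
    """Fig. 7.27 style: a VLAN 2 broadcast crosses a trunk and stays in VLAN 2."""
    trunk = dict(kind="trunk", pvid=1, allowed={1, 2, 3})
    s1 = Switch([Port("F1", "access", pvid=2), Port("F3", "access", pvid=3),
                 Port("G1", **trunk)])
    s2 = Switch([Port("G1", **trunk), Port("F1", "access", pvid=2),
                 Port("F3", "access", pvid=3)])
    on_trunk = s1.flood("F1", Frame("host-b", BCAST))["G1"]  # VID 2, tag kept
    delivered = s2.flood("G1", on_trunk)                      # only VLAN 2 ports
    return on_trunk.vid, sorted(delivered)


def access_link_leaks():
    """Fig. 7.28: switches cabled together through access ports of different
    VLANs. Ports F2, F3, F5, F6 are from the figure; F1, F4, F7 are assumed."""
    s1 = Switch([Port("F1", "access", pvid=1), Port("F2", "access", pvid=1),
                 Port("F6", "access", pvid=3), Port("F7", "access", pvid=3)])
    s2 = Switch([Port("F3", "access", pvid=2), Port("F4", "access", pvid=2),
                 Port("F5", "access", pvid=2)])
    hop1 = s1.flood("F1", Frame("host-a", BCAST))  # leaves F2 untagged (VLAN 1)
    hop2 = s2.flood("F3", hop1["F2"])              # re-tagged as VLAN 2 on S2
    hop3 = s1.flood("F6", hop2["F5"])              # re-tagged as VLAN 3 on S1
    return sorted(hop2), sorted(hop3)


if __name__ == "__main__":
    print(trunk_keeps_vlan())   # (2, ['F1'])
    print(access_link_leaks())  # (['F4', 'F5'], ['F7'])
```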

7.3.5 VLAN Types

All frames sent by a computer are untagged. In a VLAN-capable switch network, once an untagged frame from a computer enters the switch, the switch must classify the frame into a specific VLAN by some division principle. Depending on the classification principle, there are different types of VLANs.

  1. Port-based VLANs

    Classification principle: a VLAN ID is mapped to each physical port of the switch, and the untagged frames sent by the end computer and entering the switch through a certain physical port are assigned to the VLAN indicated by the VLAN ID of that port. This classification principle is simple and intuitive, easy to implement, and comparatively secure and reliable. Note that for this type of VLAN, when the port the computer uses to connect to the switch changes, the VLAN attribution of the frames sent by that computer may change. Port-based VLANs are also often referred to as physical layer VLANs, or Layer 1 VLANs.

  2. MAC address-based VLANs

    Classification principle: a correspondence table of MAC addresses and VLAN IDs is established and maintained within the switch. When the switch receives an untagged frame from a computer, it analyzes the source MAC address of the frame, queries the correspondence table of MAC addresses and VLAN IDs, and classifies the frame into the corresponding VLAN. This classification principle is slightly more complicated, but it is more flexible. For example, when the port the computer uses to connect to the switch changes, the VLAN attribution of frames sent by this computer does not change (because the computer’s MAC address does not change). However, it should be noted that the security of this type of VLAN is relatively low, because it is easy for a malicious computer to forge its MAC address. MAC address-based VLANs are also commonly referred to as Layer 2 VLANs.

  3. Protocol-based VLANs

    Classification principle: the switch determines the VLAN attribution of a frame based on the value of the type field in the untagged frame sent by the computer. For example, a frame with a type value of 0x0800 can be assigned to one VLAN, and a frame with a type value of 0x86dd to another VLAN. This actually classifies frames whose payload is an IPv4 packet and frames whose payload is an IPv6 packet into separate VLANs. Protocol-based VLANs are also commonly referred to as Layer 3 VLANs.

    Three different VLAN types are introduced above. In theory, there are far more, because the principles of VLAN classification are flexible and variable, and one classification principle can be a combination of several others. In practice, the classification principle to choose is decided according to factors such as the specific needs of the network and the implementation cost. For the time being, port-based VLANs are the most widely used in real networks. Unless otherwise specified, all VLANs mentioned in this book are port-based VLANs.

7.3.6 Configure Port-Based VLANs

The following is an example of creating port-based VLANs across switches for a Layer 2 structured LAN.

As shown in Fig. 7.29, there are two access layer switches LSW2 and LSW3, one aggregation layer switch LSW1, and six computers in the network. PC1 and PC2 are in VLAN 1 in network segment 192.168.2.0/24, PC3 and PC4 are in VLAN 2 in network segment 192.168.2.0/24, and PC5 and PC6 are in VLAN 3 in network segment 192.168.3.0/24.

Fig. 7.29 Cross-switch VLAN

We need to complete the following functions.

  1. Create VLAN 1, VLAN 2 and VLAN 3 for each switch; VLAN 1 is the default VLAN and does not need to be created.

  2. Assign the access layer switch ports Ethernet0/0/1 to Ethernet0/0/5 to VLAN 1.

  3. Assign the access layer switch ports Ethernet0/0/6 to Ethernet0/0/10 to VLAN 2.

  4. Assign the access layer switch ports Ethernet0/0/11 to Ethernet0/0/15 to VLAN 3.

  5. Set the ports connecting to computers as access ports.

  6. Set the ports connecting between switches as trunk ports to allow frames from VLAN 1, VLAN 2 and VLAN 3 to pass through.

  7. Capture and analyze tagged VLAN frames on the trunk link.

It is important to remember here that ports connecting computers should be set as access ports and ports connecting switches should be set as trunk ports. Another way to remember it: if frames from multiple VLANs need to pass through a port, it must be set as a trunk port. Note also that the trunk ports of the switches should all have the same PVID. The aggregation layer switch must create VLAN 2 and VLAN 3 even though no computers are connected to VLAN 2 and VLAN 3 on it, which means that all three switches in the network should have the same set of VLANs.

Create VLANs on Switch LSW2.

[LSW2]vlan ?
  INTEGER<1-4094>  VLAN ID               --The number of VLANs supported, and the maximum is 4094
  batch            Batch process         --Create VLANs in batch
[LSW2]vlan 2                             --Create VLAN 2
[LSW2-vlan2]quit
[LSW2]vlan 3                             --Create VLAN 3
[LSW2-vlan3]quit
[LSW2]display vlan summary               --Display VLAN summary
static vlan:
Total 3 static vlan.                     --3 VLANs in total
 1 to 3

dynamic vlan:
Total 0 dynamic vlan.

reserved vlan:
Total 0 reserved vlan.
[LSW2]

Note: VLAN 1 is the default VLAN and does not need to be created.

The following command creates VLAN 4, VLAN 5 and VLAN 6 in batch.

[LSW2]vlan batch 4 5 6

The following command creates VLAN 10 to VLAN 20 (11 VLANs in total) in batch.

vlan batch 10 to 20

Delete VLAN 4, VLAN 5 and VLAN 6 in batch.

[LSW2]undo vlan batch 4 5 6

Since the ports are to be configured in batch, it is necessary to create port groups for batch configuration. The following operation creates the port group vlan1port, sets the ports Ethernet0/0/1 to Ethernet0/0/5 as access ports, and assigns them to VLAN 1.

[LSW2]port-group vlan1port
[LSW2-port-group-vlan1port]group-member Ethernet0/0/1 to Ethernet0/0/5
[LSW2-port-group-vlan1port]port link-type ?              --View the port types supported
  access        Access port
  dot1q-tunnel  QinQ port
  hybrid        Hybrid port
  trunk         Trunk port
[LSW2-port-group-vlan1port]port link-type access   --Set the ports to access ports
[LSW2-port-group-vlan1port]port default vlan 1     --Assign the port group to VLAN 1; since the default PVID is already 1, this command can be omitted
[LSW2-port-group-vlan1port]quit

Create port group vlan2port for VLAN 2, set the ports Ethernet0/0/6 to Ethernet0/0/10 as access ports, and assign them to VLAN 2.

[LSW2]port-group vlan2port
[LSW2-port-group-vlan2port]group-member Ethernet0/0/6 to Ethernet0/0/10
[LSW2-port-group-vlan2port]port link-type access
[LSW2-port-group-vlan2port]port default vlan 2     --Assign the port group to VLAN 2. After executing this command, the PVID of these ports is changed to 2
[LSW2-port-group-vlan2port]quit

Create port group vlan3port for VLAN 3, set the ports Ethernet0/0/11 to Ethernet0/0/15 as access ports, and assign them to VLAN 3.

[LSW2]port-group vlan3port
[LSW2-port-group-vlan3port]group-member Ethernet0/0/11 to Ethernet0/0/15
[LSW2-port-group-vlan3port]port link-type access
[LSW2-port-group-vlan3port]port default vlan 3     --Assign the port group to VLAN 3. After executing this command, the PVID of these ports is changed to 3
[LSW2-port-group-vlan3port]quit

Configure port GigabitEthernet0/0/1 as a trunk port to allow frames of VLAN 1, VLAN 2 and VLAN 3 to pass through.

[LSW2]interface GigabitEthernet0/0/1
[LSW2-GigabitEthernet0/0/1]port link-type trunk
[LSW2-GigabitEthernet0/0/1]port trunk allow-pass vlan ?
  INTEGER<1-4094>  VLAN ID
  all              All                                --Allow all VLAN frames to pass through
[LSW2-GigabitEthernet0/0/1]port trunk allow-pass vlan 1 2 3   --Allow the designated VLAN frames to pass through

Note: ① the default PVID of all ports is VLAN 1. Execute the following command to change the PVID of the trunk port to VLAN 2.

[LSW2-GigabitEthernet0/0/1]port trunk pvid vlan 2

② For an access port, the VLAN to which the port belongs is the PVID of the port. Enter the following command to view the PVID of the port.

[LSW2]display interface Ethernet0/0/1
Ethernet0/0/1 current state : UP
Line protocol current state : UP
Description:
Switch Port, PVID :    2, TPID : 8100(Hex), The Maximum Frame Length is 9216
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 4c1f-cc8d-71bf

Display the VLAN settings, and you can see that port GE0/0/1 belongs to VLAN 1, VLAN 2 and VLAN 3 at the same time.

[LSW2]display vlan
The total number of vlans is : 3                 --The number of VLANs
------------------------------------------------------------------
U: Up;   D: Down;  TG: Tagged;   UT: Untagged;   --TG: tagged VLAN frame. UT: untagged VLAN frame
MP: Vlan-mapping;       ST: Vlan-stacking;
#: ProtocolTransparent-vlan;    *: Management-vlan;
----------------------------------------------------------------
VID  Type    Ports
----------------------------------------------------------------
1    common  UT:Eth0/0/1(U)     Eth0/0/2(D)     Eth0/0/3(D)     Eth0/0/4(D)
                Eth0/0/5(D)     Eth0/0/16(D)    Eth0/0/17(D)    Eth0/0/18(D)
                Eth0/0/19(D)    Eth0/0/20(D)    Eth0/0/21(D)    Eth0/0/22(D)
                GE0/0/1(U)      GE0/0/2(D)      --The PVID of GE0/0/1 is VLAN 1, and VLAN 1 frames usually pass through without a VLAN tag
2    common  UT:Eth0/0/6(U)     Eth0/0/7(D)     Eth0/0/8(D)     Eth0/0/9(D)
                Eth0/0/10(D)
             TG:GE0/0/1(U)                      --TG means that VLAN 2 frames usually pass through with VLAN tags
3    common  UT:Eth0/0/11(U)    Eth0/0/12(D)    Eth0/0/13(D)    Eth0/0/14(D)
                Eth0/0/15(D)
             TG:GE0/0/1(U)                      --TG means that VLAN 3 frames usually pass through with VLAN tags
……

Configure LSW3 by referring to the configuration of LSW2; create VLANs and specify the port types.

On the aggregation layer switch LSW1, create VLAN 2 and VLAN 3, set the two port types to trunk, and allow frames of VLAN 1, VLAN 2, and VLAN 3 to pass through.

[LSW1]vlan batch 2 3                               --Create VLAN 2 and VLAN 3 in batch
[LSW1]interface GigabitEthernet 0/0/1
[LSW1-GigabitEthernet0/0/1]port link-type trunk
[LSW1-GigabitEthernet0/0/1]port trunk allow-pass vlan 1 2 3
[LSW1-GigabitEthernet0/0/1]quit
[LSW1]interface GigabitEthernet0/0/2
[LSW1-GigabitEthernet0/0/2]port link-type trunk
[LSW1-GigabitEthernet0/0/2]port trunk allow-pass vlan 1 2 3
[LSW1-GigabitEthernet0/0/2]quit

By capturing the trunk link frames, as shown in Fig. 7.30, you can see that the Huawei switch inserts the VLAN tag between the data link layer header and the network layer header, using the IEEE 802.1Q frame format. The VLAN ID is represented in 12 bits and takes values between 0 and 4095. Since 0 and 4095 are reserved by the protocol, the valid range of VLAN IDs is 1 to 4094. The frame shown in Fig. 7.30 is a VLAN 2 frame.

Fig. 7.30 Tagged VLAN frame structure
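The following Python helpers are an added example and not part of the book. They build and decode an IEEE 802.1Q frame like the one captured in Fig. 7.30: the 4-byte tag (TPID 0x8100, then a 3-bit PCP, a 1-bit DEI and the 12-bit VID) sits between the source MAC and the EtherType, VIDs 0 and 4095 are rejected, and strip_tag/add_tag mirror what an access port does on egress and ingress. The sample MAC addresses and the dummy IPv4 payload are constructed.

```python
import struct

TPID_8021Q = 0x8100      # tag protocol identifier ("TPID : 8100(Hex)" in display interface)
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD


def mac_bytes(mac: str) -> bytes:
    """Accept Huawei 'xxxx-xxxx-xxxx' as well as 'xx:xx:xx:xx:xx:xx' notation."""
    digits = mac.replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError("bad MAC address: %r" % mac)
    return bytes.fromhex(digits)


def mac_str(b: bytes) -> str:
    """Render 6 bytes in Huawei notation, e.g. 0001-00ef-00c0."""
    h = b.hex()
    return "-".join(h[i:i + 4] for i in range(0, 12, 4))


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vid: int = None, pcp: int = 0, dei: int = 0) -> bytes:
    """Ethernet II frame; with vid set, an 802.1Q tag is inserted after the
    source MAC, i.e. between the data link header and the network layer."""
    header = mac_bytes(dst) + mac_bytes(src)
    if vid is not None:
        if not 1 <= vid <= 4094:                 # 0 and 4095 are reserved
            raise ValueError("VLAN ID %d is reserved or out of range" % vid)
        tci = (pcp << 13) | (dei << 12) | vid    # 3-bit PCP, 1-bit DEI, 12-bit VID
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(raw: bytes) -> dict:
    """Decode addresses, the optional tag, the real EtherType and the payload."""
    if len(raw) < 14:
        raise ValueError("frame too short")
    info = {"dst": mac_str(raw[:6]), "src": mac_str(raw[6:12]), "vid": None}
    (ethertype,) = struct.unpack("!H", raw[12:14])
    offset = 14
    if ethertype == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        info.update(vid=tci & 0x0FFF, pcp=tci >> 13, dei=(tci >> 12) & 1)
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = raw[offset:]
    return info


def strip_tag(raw: bytes) -> bytes:
    """Egress on an access port (or the PVID on a trunk): drop the 4-byte tag."""
    if parse_frame(raw)["vid"] is None:
        return raw
    return raw[:12] + raw[16:]


def add_tag(raw: bytes, pvid: int) -> bytes:
    """Ingress of an untagged frame: tag it with the port's PVID."""
    f = parse_frame(raw)
    if f["vid"] is not None:
        return raw
    return build_frame(f["dst"], f["src"], f["ethertype"], f["payload"], vid=pvid)


def demo():
    """Constructed VLAN 2 broadcast like the frame captured in Fig. 7.30; the
    payload is a dummy 20-byte IPv4 header, not real traffic."""
    payload = bytes([0x45]) + bytes(19)
    untagged = build_frame("ffff-ffff-ffff", "0001-00ef-00c0", ETHERTYPE_IPV4, payload)
    tagged = add_tag(untagged, 2)
    return parse_frame(tagged), strip_tag(tagged) == untagged


if __name__ == "__main__":
    info, restored = demo()
    print(info["vid"], hex(info["ethertype"]), restored)   # 2 0x800 True
```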

7.3.7 Configure MAC Address-Based VLANs

MAC address-based VLAN classification is suitable for scenarios where mobile devices are connected to the enterprise network through the network cable. For example, enterprise employees use laptops in different offices to access the enterprise network through the network cable. No matter which port of the switch the laptop is connected to, the switch will assign it to the designated VLAN.

As shown in Fig. 7.31, ports GE1/0/1 of SwitchA and SwitchB are connected to two conference rooms, and Laptop1 and Laptop2 are laptops for conferences, which can be used in either conference room. Laptop1 and Laptop2 belong to two departments that are isolated by VLAN 100 and VLAN 200. Now it is required that whichever conference room the two laptops are used in, each can access only its own department’s server, that is, Server1 or Server2. The MAC addresses of Laptop1 and Laptop2 are 0001-00ef-00c0 and 0001-00ef-00c1, respectively.

Fig. 7.31 MAC address-based VLAN

First, create the VLANs on SwitchA and SwitchB, and configure the trunk and hybrid ports. Then, classify VLANs on SwitchA and SwitchB based on MAC addresses. Finally, create the VLANs on SwitchC and configure its trunk and access ports so that the laptops can reach their servers.

  1. Configure SwitchA. The configuration of SwitchB is similar to that of SwitchA, so it will not be repeated.

<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 200                         --Create VLAN 100 and VLAN 200
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk   --Trunk ports are recommended for links between switches; the default port type is not trunk, so it must be configured manually
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 100 200   --Allow VLAN 100 and VLAN 200 frames to pass through
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] vlan 100
[SwitchA-vlan100] mac-vlan mac-address 0001-00ef-00c0   --Frames whose source MAC address is 0001-00ef-00c0 are forwarded in VLAN 100
[SwitchA-vlan100] quit
[SwitchA] vlan 200
[SwitchA-vlan200] mac-vlan mac-address 0001-00ef-00c1   --Frames whose source MAC address is 0001-00ef-00c1 are forwarded in VLAN 200
[SwitchA-vlan200] quit
[SwitchA] interface gigabitethernet1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type hybrid   --MAC-based VLAN classification can only be applied to hybrid ports; in V200R005C00 and later versions the default port type is not hybrid, so it must be configured manually
[SwitchA-GigabitEthernet1/0/1] port hybrid untagged vlan 100 200   --Strip the VLAN tag from VLAN 100 and VLAN 200 frames sent out of this port
[SwitchA-GigabitEthernet1/0/1] mac-vlan enable   --Enable the MAC-VLAN function on the port
[SwitchA-GigabitEthernet1/0/1] quit

  2. Check the configuration result. Execute the display mac-vlan mac-address all command in any view to view the configuration of MAC address-based VLAN classification.

[SwitchA] display mac-vlan mac-address all
---------------------------------------------------
MAC Address       MASK              VLAN   Priority
---------------------------------------------------
0001-00ef-00c0    ffff-ffff-ffff    100    0
0001-00ef-00c1    ffff-ffff-ffff    200    0

Total MAC VLAN address count: 2

  3. Configure SwitchC. GE1/0/3 and GE1/0/4 are configured identically as trunk ports allowing frames of VLAN 100 and VLAN 200 to pass through, so only GE1/0/3 is shown. GE1/0/1 is configured as an access port in the same way as GE1/0/2, so only GE1/0/2 is shown.

<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] vlan batch 100 200                         --Create VLAN 100 and VLAN 200
[SwitchC] interface gigabitethernet1/0/3
[SwitchC-GigabitEthernet1/0/3] port link-type trunk
[SwitchC-GigabitEthernet1/0/3] port trunk allow-pass vlan 100 200   --Allow VLAN 100 and VLAN 200 frames to pass through
[SwitchC-GigabitEthernet1/0/3] quit
[SwitchC] interface gigabitethernet 1/0/2
[SwitchC-GigabitEthernet1/0/2] port link-type access
[SwitchC-GigabitEthernet1/0/2] port default vlan 100
[SwitchC-GigabitEthernet1/0/2] quit

7.4 Implement Inter-VLAN Routing

7.4.1 Why Is Implementing Inter-VLAN Routing Needed

VLANs isolate the Layer 2 broadcast domain, and thus isolate any traffic between individual VLANs, so traffic between different VLANs cannot directly cross the VLAN borders. Communication of devices in different VLANs requires the forwarding of messages from one VLAN to another through a Layer 3 device (router or Layer 3 switch). Layer 3 switches are capable of functions of VLAN classification, Layer 2 switching within VLANs, and inter-VLAN routing.

7.4.2 Implement Inter-VLAN Routing Through Routers

Multiple VLANs are created on the switches, and inter-VLAN communication can be enabled using a router. As shown in Fig. 7.32, two switches are connected using a trunk link, and three VLANs are created. The router’s ports F0, F1, and F2 connect to access ports of the three VLANs, and the router forwards packets between the VLANs. A physical link of the router is figuratively called an “arm”, and the computer gateways in VLAN 1, VLAN 2, and VLAN 3 are the addresses of the router’s ports F0, F1, and F2, respectively. Figure 7.32 shows the use of a multi-armed router for inter-VLAN routing, and also shows how Computer A in VLAN 1 communicates with Computer L in VLAN 3. Pay attention to the VLAN tags of the frames on each link they pass through. Think about the path of the frames and their VLAN tags on each link when Computer H sends data to Computer L.

Fig. 7.32 Implement inter-VLAN routing with a multi-armed router

When the router’s ports are connected to the access ports of the VLANs, each VLAN occupies one physical port of the router, so when adding VLANs you have to consider whether the router has enough ports. Alternatively, you can connect one physical port of the router to a trunk port of the switch, as shown in Fig. 7.33, and divide that physical port into multiple sub-interfaces, each corresponding to a VLAN. You then set the IP address of each sub-interface as the gateway of the corresponding VLAN, so one physical port is sufficient for inter-VLAN routing; this is called using a one-armed router for inter-VLAN routing. Figure 7.33 shows the links a packet passes through when Computer A in VLAN 1 sends a packet to Computer L in VLAN 3.

Fig. 7.33 Implement inter-VLAN routing with a one-armed router

7.4.3 Implement Inter-VLAN Routing Through a One-Armed Router

As shown in Fig. 7.34, the three VLANs across the switches have been created, and a router is connected to switch LSW1 to realize inter-VLAN communication. You need to configure GE0/0/3 of switch LSW1 as a trunk port to allow VLAN 1, VLAN 2 and VLAN 3 frames to pass. Configure the physical interface GE0/0/0 of router AR1 as the gateway for VLAN 1, configure the sub-interface GE0/0/0.2 as the gateway for VLAN 2, and configure the sub-interface GE0/0/0.3 as the gateway for VLAN 3.

Fig. 7.34 Implement inter-VLAN routing by using a one-armed router

Configure LSW1’s interface GigabitEthernet0/0/3, which connects to the router, as a trunk interface to allow frames of all VLANs to pass through.

[LSW1]interface GigabitEthernet0/0/3
[LSW1-GigabitEthernet0/0/3]port link-type trunk
[LSW1-GigabitEthernet0/0/3]port trunk allow-pass vlan all

All ports of the switch have a port VLAN ID (PVID), and trunk ports are no exception. By displaying GigabitEthernet0/0/3, you can see that the PVID of GigabitEthernet0/0/3 is 1. This interface removes the VLAN tag when sending VLAN 1 frames and adds a VLAN 1 tag when receiving untagged frames. When sending and receiving frames of other VLANs, the VLAN tags of the frames remain unchanged.

[LSW1]display interface GigabitEthernet0/0/3
GigabitEthernet0/0/3 current state : UP
Line protocol current state : UP
Description:
Switch Port, PVID :    1, TPID : 8100(Hex), The Maximum Frame Length is 9216  --PVID is 1

Configure GE0/0/0 and the sub-interfaces of router AR1. Since the PVID of the switch interface connected to the router is VLAN 1, the physical port is designated as the gateway for VLAN 1 and receives untagged frames. Adding a number after the physical port name creates a sub-interface. The sub-interface number does not have to equal the VLAN number, but to make it easier to remember, the sub-interface number is usually set equal to the VLAN number, as is done here.

[AR1]interface GigabitEthernet0/0/0                  --Configure the physical interface as the gateway of VLAN 1
[AR1-GigabitEthernet0/0/0]ip address 192.168.1.1 24
[AR1-GigabitEthernet0/0/0]quit
[AR1]interface GigabitEthernet0/0/0.2                --Enter the sub-interface
[AR1-GigabitEthernet0/0/0.2]ip address 192.168.2.1 24
[AR1-GigabitEthernet0/0/0.2]dot1q termination vid 2  --Specify the VLAN corresponding to the sub-interface
[AR1-GigabitEthernet0/0/0.2]arp broadcast enable     --Enable ARP broadcast
[AR1-GigabitEthernet0/0/0.2]quit
[AR1]interface GigabitEthernet0/0/0.3
[AR1-GigabitEthernet0/0/0.3]ip address 192.168.3.1 24
[AR1-GigabitEthernet0/0/0.3]dot1q termination vid 3  --Specify the VLAN corresponding to the sub-interface
[AR1-GigabitEthernet0/0/0.3]arp broadcast enable
[AR1-GigabitEthernet0/0/0.3]quit

The arp broadcast enable command is used to enable the ARP broadcast function of a sub-interface. The undo arp broadcast enable command is adopted to disable the ARP broadcast function of a sub-interface. By default, the ARP broadcast function of the sub-interface is not enabled.

If the arp broadcast enable command is not configured on the sub-interface, the system directly discards IP packets routed to it. The routes through this sub-interface can then be regarded as black hole routes (a black hole route absorbs every packet directed into it, so nothing ever comes back). If the arp broadcast enable command is configured on the sub-interface, the system constructs tagged ARP broadcast messages and sends them out of this sub-interface.
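As an added example (not the book’s code), the following Python model of AR1 from Fig. 7.34 shows what dot1q termination and arp broadcast enable decide: which sub-interface terminates an incoming tag, which VLAN tag the routed frame leaves with, and how a sub-interface without ARP broadcast behaves as a black hole. The host IP addresses used in the calls are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class SubInterface:
    name: str
    vid: Optional[int]               # dot1q termination vid; None = the physical interface
    network: ipaddress.IPv4Network   # the VLAN's segment, the interface address is its gateway
    arp_broadcast: bool = False      # "arp broadcast enable"; disabled by default


class OneArmedRouter:
    def __init__(self, subifs):
        self.subifs = list(subifs)
        self.by_vid = {s.vid: s for s in subifs}

    def route(self, in_vid: Optional[int], dst_ip: str) -> Tuple[Optional[int], str]:
        """A packet arrives on the trunk with tag in_vid (None = untagged, which the
        switch's PVID 1 maps to VLAN 1). Returns (tag of the outgoing frame, action)."""
        if in_vid not in self.by_vid:
            return None, "discard: no sub-interface terminates VID %s" % in_vid
        dst = ipaddress.IPv4Address(dst_ip)
        for s in self.subifs:
            if dst in s.network:
                if s.vid is not None and not s.arp_broadcast:
                    # The route exists, but the sub-interface cannot ARP for the
                    # destination, so the packet is dropped: a black hole route.
                    return None, "blackhole: arp broadcast disabled on " + s.name
                return s.vid, "forward via " + s.name
        return None, "discard: no route to " + dst_ip


def ar1(arp_on_vlan3: bool = True) -> OneArmedRouter:
    """AR1 as configured in the text; arp_on_vlan3=False models forgetting
    'arp broadcast enable' on GigabitEthernet0/0/0.3."""
    return OneArmedRouter([
        SubInterface("GigabitEthernet0/0/0", None, ipaddress.ip_network("192.168.1.0/24"), True),
        SubInterface("GigabitEthernet0/0/0.2", 2, ipaddress.ip_network("192.168.2.0/24"), True),
        SubInterface("GigabitEthernet0/0/0.3", 3, ipaddress.ip_network("192.168.3.0/24"), arp_on_vlan3),
    ])


if __name__ == "__main__":
    r = ar1()
    print(r.route(None, "192.168.3.5"))        # VLAN 1 host to VLAN 3: leaves tagged VID 3
    print(r.route(2, "192.168.1.9"))           # VLAN 2 host to VLAN 1: leaves untagged
    print(ar1(False).route(2, "192.168.3.5"))  # black hole without arp broadcast enable
```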

7.4.4 Implement Inter-VLAN Routing Through Layer 3 Switching

Layer 3 switching is a network technology that introduces a routing module into the switch, thereby replacing the traditional router so as to combine switching with routing. It improves the processing of IP routing by simplifying the IP forwarding process and using dedicated ASIC chips for hardware forwarding, so that most of the messages can be processed in hardware, and only a limited number of messages need to be forwarded by software. In this way, the forwarding performance of the whole system can be improved by a thousand times, and the cost of the devices of similar performance can also be significantly reduced.

If a switch is capable of Layer 3 switching, is it a switch or a router? This may be difficult for many readers to understand. You can think of a Layer 3 switch as a combination of a virtual router and a switch. There are several VLANs on the switch, and the virtual router has several virtual interfaces (Vlanif) connecting these VLANs.

As shown in Fig. 7.35, VLAN 1 and VLAN 2 are created on the Layer 3 switch, and the virtual router has two virtual interfaces, Vlanif 1 and Vlanif 2, which are equivalent to an interface attached to VLAN 1 and an interface attached to VLAN 2, respectively. In the figure, interface F5 connects Vlanif 1, and interface F7 connects Vlanif 2. Figure 7.35 is purely illustrative: the virtual router is not visible, and it occupies neither a physical interface of the switch nor a Vlanif interface for the connection. All we can do is configure the IP address and subnet mask of each virtual interface and make it the gateway of its VLAN, so that computers in different VLANs can communicate with each other.

Fig. 7.35 Layer 3 switch equivalence diagram

The experiment in 7.3.6 only configures VLANs across switches. Now we continue the experiment in 7.3.6 to implement inter-VLAN routing using a Layer 3 switch. In this example, LSW1 is a Layer 3 switch, and the LSW1 switch is configured to implement VLAN 1, VLAN 2, and VLAN 3 routing.

[LSW1]interface Vlanif 1
[LSW1-Vlanif1]ip address 192.168.1.1 24
[LSW1-Vlanif1]quit
[LSW1]interface Vlanif 2
[LSW1-Vlanif2]ip address 192.168.2.1 24
[LSW1-Vlanif2]quit
[LSW1]interface Vlanif 3
[LSW1-Vlanif3]ip address 192.168.3.1 24
[LSW1-Vlanif3]quit

Enter “display ip interface brief” to display the IP address and the physical and protocol state of each Vlanif interface.

<LSW1>display ip interface brief
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 4
The number of interface that is DOWN in Physical is 1
The number of interface that is UP in Protocol is 4
The number of interface that is DOWN in Protocol is 1

Interface                         IP Address/Mask      Physical   Protocol
MEth0/0/1                         unassigned           down       down
NULL0                             unassigned           up         up(s)
Vlanif1                           192.168.1.1/24       up         up
Vlanif2                           192.168.2.1/24       up         up
Vlanif3                           192.168.3.1/24       up         up
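Checking this output by eye is fine for three VLANs; on a switch with dozens of Vlanif interfaces it is easier to verify it programmatically. The following added example (not from the book) parses the display ip interface brief output shown above, embedded as a string, and checks it against a table of expected gateways, reporting missing gateways, wrong addresses, interfaces that are not up/up, and Vlanif interfaces that carry an address nobody planned for. The expected-gateway table is constructed for the example.

```python
"""Added example (not from the book): parse "display ip interface brief" output and
check every expected VLAN gateway is present, has the intended address and is up/up.
SAMPLE_OUTPUT is the LSW1 output shown above; EXPECTED is constructed for this example."""
import re
from typing import Dict, List, NamedTuple

SAMPLE_OUTPUT = """\
<LSW1>display ip interface brief
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 4
The number of interface that is DOWN in Physical is 1
The number of interface that is UP in Protocol is 4
The number of interface that is DOWN in Protocol is 1

Interface                         IP Address/Mask      Physical   Protocol
MEth0/0/1                         unassigned           down       down
NULL0                             unassigned           up         up(s)
Vlanif1                           192.168.1.1/24       up         up
Vlanif2                           192.168.2.1/24       up         up
Vlanif3                           192.168.3.1/24       up         up
"""


class IfEntry(NamedTuple):
    name: str
    addr: str        # "unassigned" or "a.b.c.d/len"
    physical: str
    protocol: str    # flags are kept as printed, e.g. "up(s)"


ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_ip_interface_brief(text: str) -> List[IfEntry]:
    """Rows follow the 'Interface ...' header line; everything before it is legend."""
    entries = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("Interface"):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        m = ROW.match(line)
        if m:
            entries.append(IfEntry(*m.groups()))
    return entries


def check_gateways(entries: List[IfEntry], expected: Dict[str, str]) -> List[str]:
    """Return findings as strings; an empty list means every gateway is as expected."""
    findings = []
    by_name = {e.name: e for e in entries}
    for name, addr in expected.items():
        e = by_name.get(name)
        if e is None:
            findings.append(f"{name}: missing")
        elif e.addr != addr:
            findings.append(f"{name}: address {e.addr}, expected {addr}")
        elif e.physical != "up" or not e.protocol.startswith("up"):
            findings.append(f"{name}: state {e.physical}/{e.protocol}")
    # A Layer 3 interface that is not in the plan is a gateway nobody asked for.
    for e in entries:
        if e.name.startswith("Vlanif") and e.name not in expected:
            findings.append(f"{e.name}: unexpected gateway {e.addr}")
    return findings


EXPECTED = {"Vlanif1": "192.168.1.1/24", "Vlanif2": "192.168.2.1/24", "Vlanif3": "192.168.3.1/24"}

if __name__ == "__main__":
    result = check_gateways(parse_ip_interface_brief(SAMPLE_OUTPUT), EXPECTED)
    for line in result or ["all gateways present and up/up"]:
        print(line)
```

The "unexpected gateway" check is the one worth keeping in a routine audit: a Vlanif that was created during troubleshooting and never removed silently joins two VLANs that were meant to be separated, and it only shows up in the table, not in any error.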

7.5 Exercises

  1. Which of the following descriptions of VLANs is incorrect ( )?
     A. VLANs divide the switch into multiple logically independent switches
     B. Trunk links can provide a common channel for communication of multiple VLANs
     C. VLANs expand the collision domain because they contain multiple switches
     D. A VLAN can span across switches

  2. As shown in Fig. 7.36, when Host A communicates with Host C, the trunk link between SWA and SWB passes untagged VLAN frames, but when Host B communicates with Host D, the trunk link between SWA and SWB passes data frames with a VLAN tag of 20. According to the above information, which of the following descriptions is correct ( )?
     A. Interface G0/0/2 on SWA does not allow VLAN 10 to pass
     B. The PVID of interface G0/0/2 on SWA is 10
     C. The PVID of interface G0/0/2 on SWA is 20
     D. The PVID of interface G0/0/2 on SWA is 1

  3. Which of the following descriptions of the forwarding state in Spanning Tree Protocol is incorrect ( )?
     A. An interface in forwarding state can receive BPDU messages
     B. An interface in forwarding state does not learn the source MAC addresses of messages
     C. An interface in forwarding state can forward data packets
     D. An interface in forwarding state can send BPDU messages

  4. As shown in Fig. 7.37, the ports connecting the switches and the hosts are all access ports. The PVID of G0/0/1 of SWA is 2, the PVID of G0/0/1 of SWB is 2, and the PVID of G0/0/3 of SWB is 3. G0/0/2 of SWA is a trunk port with a PVID of 2 and allows all VLANs to pass through. G0/0/2 of SWB is a trunk port with a PVID of 3 and allows all VLANs to pass through. If the IP addresses of hosts A, B and C are in the same network segment, which of the following descriptions is correct ( )?
     A. Host A can only communicate with Host B
     B. Host A can only communicate with Host C
     C. Host A can communicate with both Host B and Host C
     D. Host A can communicate with neither Host B nor Host C

  5. When using a one-armed router to enable inter-VLAN communication, the common practice is to use sub-interfaces instead of directly using physical interfaces because ( ).
     A. Physical interfaces cannot encapsulate 802.1Q
     B. Sub-interfaces have a faster forwarding speed
     C. Sub-interfaces save physical interfaces
     D. Sub-interfaces can be configured as access or trunk interfaces

  6. The number of VLANs created by the “vlan batch 10 20” command and the “vlan batch 10 to 20” command is ( ), respectively.
     A. 2 and 2
     B. 11 and 11
     C. 11 and 2
     D. 2 and 11

  7. (Multi-selection) On the switch, which VLANs can be deleted by using the undo command? ( )
     A. VLAN 1
     B. VLAN 2
     C. VLAN 1024
     D. VLAN 4096

  8. As shown in Fig. 7.38, two hosts communicate between VLANs through a one-armed router. When sub-interface G0/0/1.2 of RTA receives a data frame that Host B sends to Host A, which of the following operations will RTA perform? ( )
     A. RTA forwards the data frame directly through sub-interface G0/0/1.1
     B. RTA deletes the VLAN tag of 20 and sends the data frame out through interface G0/0/1.1
     C. RTA first removes the VLAN tag of 20, then adds a VLAN tag of 10 and sends the data frame out through interface G0/0/1.1
     D. RTA discards the data frame

  9. Which of the following descriptions of VLAN configuration is correct ( )?
     A. VLAN 1 can be deleted from the switch
     B. VLAN 1 can be configured as the Voice VLAN
     C. All trunk ports allow VLAN 1 data frames to pass through by default
     D. Users can configure VLAN 4095 for use

  10. A switch receives a tagged VLAN data frame, but the destination MAC address of the frame is not found in the MAC address table. Which of the following descriptions is correct ( )?
     A. The switch broadcasts the frame to all interfaces
     B. The switch broadcasts the frame to all interfaces (except the receiving interface) in the VLAN where the frame is located
     C. The switch broadcasts the frame to all access interfaces
     D. The switch discards the frame

  11. What does the port trunk allow-pass vlan all command do? ( )
     A. It allows data frames of all VLANs to pass through the port
     B. The peer port connected to the port must be configured with “port trunk permit vlan all” at the same time
     C. The connected peer device can dynamically determine which VLAN IDs are allowed to pass through
     D. If the port default vlan 3 command is configured on the connected remote device, VLAN 3 between the two devices is not connected

  12. Which of the following descriptions of the trunk port and the access port is correct ( )?
     A. An access port can only send untagged frames
     B. An access port can only send tagged frames
     C. A trunk port can only send untagged frames
     D. A trunk port can only send tagged frames

  13. When an access port sends a message, it will ( ).
     A. Send a tagged message
     B. Strip the VLAN information from the message and send the message
     C. Add the VLAN information to the message and send the message
     D. Add the PVID information of the port and then send the message

  14. A switch port belongs to VLAN 5. After the port is deleted from VLAN 5, which VLAN does the port belong to? ( )
     A. VLAN 0
     B. VLAN 1
     C. VLAN 1023
     D. VLAN 1024

Fig. 7.36 Communication illustration (1)

Fig. 7.37 Communication illustration (2)

Fig. 7.38 Communication illustration (3)
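Several of the exercises above (2, 4, 10, 12 and 13) turn on the same few tagging rules: an untagged frame entering a port is placed in the port's PVID; an access port sends only frames of its own VLAN, untagged; a trunk port sends its PVID VLAN untagged and every other permitted VLAN tagged; and an unknown destination is flooded only within the frame's VLAN, never back out the receiving port. The following added example (not code from the book) encodes those rules in a small switch model and applies it to the topology exercise 4 describes. Which host is attached to which port is not stated in the text, so the placement (Host A on SWA G0/0/1, Host B on SWB G0/0/1, Host C on SWB G0/0/3) is an assumption taken from the port list in the question.

```python
"""Added example (not from the book): a model of the access/trunk tagging rules the
chapter describes, applied to the topology of exercise 4. Host placement is assumed
(Host A on SWA G0/0/1, Host B on SWB G0/0/1, Host C on SWB G0/0/3)."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

UNTAGGED = None  # tag value meaning "no 802.1Q header on the wire"


@dataclass
class Port:
    mode: str                            # "access" or "trunk"
    pvid: int
    allowed: Optional[Set[int]] = None   # trunk only; None = "port trunk allow-pass vlan all"

    def permits(self, vlan: int) -> bool:
        if self.mode == "access":
            return vlan == self.pvid     # an access port belongs to exactly one VLAN
        return self.allowed is None or vlan in self.allowed

    def receive(self, tag: Optional[int]) -> Optional[int]:
        """VLAN the frame is placed in on ingress; None means the port drops it."""
        vlan = self.pvid if tag is UNTAGGED else tag   # untagged frames get the PVID
        return vlan if self.permits(vlan) else None

    def send(self, vlan: int) -> Tuple[bool, Optional[int]]:
        """(sent, tag on the wire). Access ports, and a trunk's own PVID, go out untagged."""
        if not self.permits(vlan):
            return (False, UNTAGGED)
        return (True, UNTAGGED if vlan == self.pvid else vlan)


class Network:
    def __init__(self):
        self.switches: Dict[str, Dict[str, Port]] = {}
        self.hosts: Dict[Tuple[str, str], str] = {}                 # (switch, port) -> host
        self.links: Dict[Tuple[str, str], Tuple[str, str]] = {}     # (switch, port) <-> peer

    def add_switch(self, name: str, ports: Dict[str, Port]) -> None:
        self.switches[name] = ports

    def attach_host(self, host: str, switch: str, port: str) -> None:
        self.hosts[(switch, port)] = host

    def link(self, a: Tuple[str, str], b: Tuple[str, str]) -> None:
        self.links[a] = b
        self.links[b] = a

    def reachable(self, host: str) -> Set[str]:
        """Hosts that receive an untagged frame flooded from `host` (unknown destination MAC)."""
        (sw, port), = [k for k, h in self.hosts.items() if h == host]
        reached, seen = set(), set()
        work = [(sw, port, self.switches[sw][port].receive(UNTAGGED))]
        while work:
            sw, inport, vlan = work.pop()
            if vlan is None or (sw, vlan) in seen:
                continue                          # flooding happens once per switch and VLAN
            seen.add((sw, vlan))
            for pname, p in self.switches[sw].items():
                if pname == inport:
                    continue                      # never back out the receiving port
                sent, tag = p.send(vlan)
                if not sent:
                    continue
                if (sw, pname) in self.hosts:
                    if tag is UNTAGGED:           # hosts here only read untagged frames
                        reached.add(self.hosts[(sw, pname)])
                elif (sw, pname) in self.links:
                    psw, pport = self.links[(sw, pname)]
                    work.append((psw, pport, self.switches[psw][pport].receive(tag)))
        return reached

    def can_communicate(self, a: str, b: str) -> bool:
        """Communication needs frames to arrive in both directions."""
        return b in self.reachable(a) and a in self.reachable(b)


def exercise4_topology() -> Network:
    net = Network()
    net.add_switch("SWA", {"G0/0/1": Port("access", 2), "G0/0/2": Port("trunk", 2)})
    net.add_switch("SWB", {"G0/0/1": Port("access", 2), "G0/0/2": Port("trunk", 3),
                           "G0/0/3": Port("access", 3)})
    net.attach_host("Host A", "SWA", "G0/0/1")   # assumed placement
    net.attach_host("Host B", "SWB", "G0/0/1")   # assumed placement
    net.attach_host("Host C", "SWB", "G0/0/3")   # assumed placement
    net.link(("SWA", "G0/0/2"), ("SWB", "G0/0/2"))
    return net


if __name__ == "__main__":
    net = exercise4_topology()
    for h in ("Host A", "Host B", "Host C"):
        print(h, "reaches", sorted(net.reachable(h)))
```

Under the assumed placement the model shows Host A exchanging frames only with Host C: a VLAN 2 frame leaves SWA's trunk untagged (VLAN 2 is that trunk's PVID), arrives at SWB's trunk untagged and is therefore placed in SWB's PVID, VLAN 3. Frames from Host B reach Host A, but Host A's replies go to VLAN 3, so the two never actually communicate. The practical lesson for anyone auditing a switched network is that the PVIDs at both ends of every trunk must match; the model makes the leak disappear as soon as SWB G0/0/2 is given PVID 2.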