4086_vlan
5/21/2018 4086_VLAN
Matrix X Router Configuration Guide 10-1
10 Layer 2 VLAN Configuration
This chapter provides information about configuring and monitoring 802.1Q Virtual Local Area Networks (VLANs) on the Matrix X Router. For additional information on the command syntax and parameters, refer to the CLI online help or the Matrix X Secure Core Router Command Line Interface Reference Guide.
The Matrix X Router can support up to 4094 802.1Q VLANs. VLAN ID 1 is reserved as the default VLAN since all ports have their PVID set to 1 by default when configured for switching. All other available VLAN IDs can be assigned and configured with the CLI.
For information about... | Refer to page...
Default Settings | 10-1
Configuring Static VLANs | 10-3
Configuring Dynamic VLANs | 10-5
Configuring Protocol-Based VLAN Classification | 10-6
Configuring IGMP Snooping | 10-8
Monitoring VLANs | 10-9

Default Settings
Table 10-1 lists the VLAN parameters and their default values.
Table 10-1 VLAN Parameters
Parameter | Description | Default Value
vlan dynamicegress | Enables or disables dynamic egress processing for a given VLAN. | Disabled
vlan egress | Configures the egress ports for a VLAN and the type of egress for the ports. Egress type can be tagged, untagged, or forbidden. | Tagged
vlan name | Associates a text name to one or more VLANs. | None
garp timer | Configures the three GARP timers. The setting is critical and should only be done by someone familiar with the 802.1Q standard. | Join timer: 20 centiseconds; Leave timer: 60 centiseconds; Leaveall timer: 1000 centiseconds
gvrp | Enables or disables the GARP VLAN Registration Protocol (GVRP) on a specific set of ports or all ports. GVRP must be enabled to allow creation of dynamic VLANs. | Disabled at the port level; Enabled at the global level
port vlan ID (PVID) | 802.1Q VLAN/port association. | VLAN1/Default VLAN
port discard | Ports can be set to discard frames based on whether or not they contain a VLAN tag. | No frames are discarded
port ingress filter | When enabled on a port, the VLAN IDs of incoming frames are compared to the port's egress list. If the received VLAN ID does not match a VLAN ID on the port's egress list, the frame is dropped. | Enabled
vlan IGMP query interval | Configures the frequency (in seconds) of host-query frame transmissions. | 125 seconds
vlan IGMP version | Selects the IGMP version. Options are version 1 or version 2. | Version 2
vlan IGMP max response time | Configures the maximum query response time (in tenths of a second). | 100 deciseconds
vlan IGMP robustness | Configures the robustness value. | 2
vlan IGMP last member query interval | Configures the last member query interval. This is the maximum response time inserted into group-specific queries which are sent in response to Leave Group messages. It is also the amount of time between group-specific query messages. | 10 seconds

VLAN Naming Convention
A VLAN is identified by its ID, which is a number from 1-4094. On the Matrix X Router, a VLAN entity can be specified in CLI commands in the format: vlan.instance.vlan_id, where instance is the bridging instance, and vlan_id is the VLAN ID (1-4094). The Matrix X Router currently supports only one bridging instance. Therefore, instance is always 1. So, for example, to display information about VLAN 100, in either switch or router modes, you would enter:
show interface vlan.1.100

Configuring Static VLANs
Before configuring the Matrix X Router for VLAN operation, consider the following:
How many VLANs will be required?
What stations will belong to them?
What ports are connected to those stations?
What ports will be configured as GVRP-aware ports?
It may be helpful to sketch out a diagram of your VLAN strategy.
Procedure 10-1 shows an example of configuring a static VLAN. Unspecified parameters use their default values.
Procedure 10-1 Creating a Static VLAN
1. Show existing VLANs.
   Command: show vlan
2. Define the ports to be used for switched traffic.
   Command: set port mode port-string switched
3. Create VLAN. Valid values are 1-4094. Each vlan-id must be unique. If an existing vlan-id is entered, the existing VLAN is modified.
   Command: set vlan create vlan-id
4. Optionally, assign a name to the VLAN. Valid strings are from 1 to 32 characters.
   Command: set vlan name vlan-id string
5. Assign switched ports to the VLAN. This command sets the port VLAN ID (PVID). The PVID determines the VLAN to which all untagged and P-tagged frames received on the port will be classified. Note that policy classification will override PVID.
   Command: set port vlan port-string vlan-id
6. Configure VLAN egress, which determines which ports a frame belonging to the VLAN may be forwarded out on.
   Static configuration: Add the port to the VLAN egress list for the device.
   The default setting, tagged, allows the port to transmit frames for a particular VLAN.
   The untagged setting allows the port to transmit frames without a VLAN tag. This setting is usually used to configure a port connected to an end user device.
   The forbidden setting prevents the port from participating in the specified VLAN and ensures that any dynamic requests for the port to join the VLAN will be ignored.
   Dynamic configuration: By default, dynamic egress is disabled on all VLANs. If dynamic egress is enabled for a VLAN, the device will add the port receiving a frame to the VLAN's egress list as untagged according to the VLAN ID of the received frame.
   Commands:
   set vlan egress vlan-id port-string forbidden | tagged | untagged
   set vlan dynamicegress vlan-id {enable | disable}
7. Optionally, enable ingress filtering on a port to drop those incoming frames that do not have a VLAN ID that matches a VLAN ID on the port's egress list.
   Command: set port ingress-filter port-string enable
8. Optionally, choose to discard tagged or untagged (or both) frames on selected ports. Select none to allow all frames to pass through.
   Command: set port discard port-string {tagged | untagged | none | both}
9. Enter router configuration mode and configure an IP address on the VLAN interface.
   Commands:
   router
   configure
   interface vlan.1.vlan_id
   ip address ip-address/maxlen
   no shutdown

To remove ports from a VLAN's egress list:
clear vlan egress vlan-list port-string [forbidden]
If forbidden is specified, the forbidden setting will be cleared from the designated ports and the ports will be reset as allowed to egress frames, if so configured by either static or dynamic means. If forbidden is not specified, tagged and untagged egress settings will be cleared from the designated ports.

Example Configuration
The following is a sample configuration script of the steps in Procedure 10-1.

! Configure ports to be switching ports
set port mode ge.1.2-4 switched
!
set vlan create 100
set vlan name 100 VLANRED
!
! Assign ports to VLAN
set port vlan ge.1.2 100
set port vlan ge.1.3 100
set port vlan ge.1.4 100
!
! Configure VLAN egress
set vlan egress 100 ge.1.2
set vlan egress 100 ge.1.3
set vlan egress 100 ge.1.4
!
! Configure ingress filtering
set port ingress-filter ge.1.2 enable
set port ingress-filter ge.1.3 enable
set port ingress-filter ge.1.4 enable
!
! Configure ports to discard untagged frames
set port discard ge.1.2 untagged
set port discard ge.1.3 untagged
set port discard ge.1.4 untagged
!
! Configure IP address on VLAN interface
router
configure
interface vlan.1.100
ip address 120.20.20.1/24
no shutdown
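
How PVID, the egress list, ingress filtering and port discard combine on the ports configured above, as an added Python example (not part of the guide or the router's software). It parses a constructed script in the page's command syntax and reports whether a received frame would be accepted; the names Port, expand, load and admit are hypothetical. Assumptions: port strings have the form ge.1.2 or ge.1.2-4, a port's egress list starts empty (default VLAN 1 membership is not modelled), ingress filtering is applied to the VLAN an untagged frame is classified to, and policy classification is ignored.

```python
from dataclasses import dataclass, field

# Constructed sample: the page's static VLAN script with per-port lines merged into ranges.
SAMPLE = """\
set port vlan ge.1.2-4 100
set vlan egress 100 ge.1.2-4
set port ingress-filter ge.1.2-4 enable
set port discard ge.1.2-4 untagged
"""

@dataclass
class Port:
    pvid: int = 1                             # Table 10-1 default
    egress: set = field(default_factory=set)  # starts empty here; VLAN 1 membership not modelled
    ingress_filter: bool = True               # Table 10-1 default
    discard: str = "none"                     # Table 10-1 default: no frames discarded

def expand(port_string):                      # 'ge.1.2-4' -> ['ge.1.2', 'ge.1.3', 'ge.1.4']
    prefix, _, last = port_string.rpartition(".")
    lo, _, hi = last.partition("-")
    return [f"{prefix}.{n}" for n in range(int(lo), int(hi or lo) + 1)]

def load(script):                             # build {port name: Port} from admission-related commands
    ports = {}
    for w in (line.split() for line in script.splitlines()):
        if len(w) < 5 or w[0] != "set":
            continue                          # comments, blank and router-mode lines
        if w[1:3] == ["vlan", "egress"]:      # set vlan egress vlan-id port-string [type]
            for name in expand(w[4]):
                egress = ports.setdefault(name, Port()).egress
                (egress.discard if w[5:] == ["forbidden"] else egress.add)(int(w[3]))
        elif w[1] == "port":                  # set port <keyword> port-string value
            for name in expand(w[3]):
                port = ports.setdefault(name, Port())
                if w[2] == "vlan":
                    port.pvid = int(w[4])
                elif w[2] == "ingress-filter":
                    port.ingress_filter = w[4] == "enable"
                elif w[2] == "discard":
                    port.discard = w[4]
    return ports

def admit(port, vid):                         # vid: the frame's 802.1Q VLAN ID, or None if untagged
    if port.discard in ("both", "untagged" if vid is None else "tagged"):
        return (False, None, "port discard")
    vlan = port.pvid if vid is None else vid  # untagged frames are classified to the PVID
    if port.ingress_filter and vlan not in port.egress:
        return (False, None, "ingress filter")
    return (True, vlan, "accepted")
```

In this model a port with ingress filtering disabled accepts a frame tagged with any VLAN ID, so the setting is worth reviewing on every port where it has been turned off.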
Configuring Dynamic VLANs
Procedure 10-2 describes how to enable the GARP (Generic Attribute Registration Protocol) VLAN Registration Protocol (GVRP), which is needed to create dynamic VLANs. By default, GVRP is enabled globally but disabled at the port level. GVRP must be globally enabled and also enabled on specific ports in order to generate and process GVRP advertisement packets.
Note: Refer to GARP VLAN Registration Protocol (GVRP) on page 3-4 for conceptual information about GVRP.
Procedure 10-2 Creating a Dynamic VLAN Configuration
1. Show existing GVRP configuration for a port or list of ports. If no port-string is entered, the global GVRP configuration and all port GVRP configurations are displayed.
   Command: show gvrp [port-string]
2. If necessary, enable GVRP on those ports assigned to a VLAN. If port-string is not specified, GVRP is enabled on the device and on all ports.
   Command: set gvrp enable port-string
3. Display the existing GARP timer values.
   Command: show garp timer [port-string]
4. Optionally, set the GARP join, leave, and leaveall timer values. Each timer value is in centiseconds.
   Command: set garp timer {[join timer-value] [leave timer-value] [leaveall timer-value]} port-string
Caution: The setting of GARP timers is critical and should only be changed by personnel familiar with 802.1Q standards.
Configuring Protocol-Based VLAN Classification
Protocol-based VLANs can be configured using the policy classification CLI commands.
The following procedure describes how to define protocol-based packet filtering policies to assign packets to particular VLANs. Refer to Chapter 12, Layer 2 Policy Classification Configuration, for more information about policy classification.
Procedure 10-3 Configuring Protocol-Based VLAN Classification
1. Configure the ports to be used as switch ports.
   Command: set port mode port-string switched
2. Create the VLANs to which packets will be assigned by the policy. Valid values are 1-4094.
   Command: set vlan create vlan-id
3. Configure VLAN egress, which determines which ports a frame belonging to the VLAN may be forwarded out on. The default setting, tagged, allows the port to transmit frames for a particular VLAN.
   Command: set vlan egress vlan-id port-string [forbidden | tagged | untagged]
4. Disable ingress filtering on the ingress ports on which the policy will be applied.
   Command: set port ingress-filter port-string disable
5. Create the policy profile that enables PVID override. This function allows a policy rule classifying a frame to a VLAN to override PVID assignment configured with the set port vlan command. When none of its associated classification rules match, the configuration of the policy profile itself will determine how packets are handled by default. In this case, the default VLAN is specified with the pvid pvid parameter.
   Command: set policy profile profile-index [name name] [pvid-status {enable | disable}] [pvid pvid]
6. Configure the administrative rules that will assign the policy profile to all packets received on the desired ingress ports.
   Command: set policy rule admin-profile port port-string [port-string port-string] [admin-pid admin-pid]
7. Configure the classification rules that will define the protocol to filter on and the VLAN ID to which matching packets will be assigned.
   Command: set policy rule profile-index {protocol data [mask mask]} [vlan vlan]

Example Configuration
The following is a sample configuration script of the steps in Procedure 10-3. This example configures a policy that ensures that IP traffic received on the specified ingress ports will be mapped to VLAN 2, while all other types of traffic will be mapped to VLAN 3.
1. Two VLANs are created: VLAN 2 and VLAN 3.
2. Ports 1 through 5 on the Gigabit Ethernet IOM in slot 4 are configured as egress ports for the VLANs while ports 8 through 10 on the Gigabit Ethernet IOM in slot 5 are configured as ingress ports that will do the policy classification.
3. Policy profile number 1 is created that enables PVID override and defines the default behavior (classify to VLAN 3) if none of the classification rules created for the profile are matched.
4. Administrative rules are created that apply policy profile number 1 to all packets received on the ingress ports ge.5.8 through 10.
5. Classification rules are created for policy profile number 1 that assign IP packets to VLAN 2. The rules identify IP packets by using the ether protocol parameter, which classifies on the Type field in the headers of Layer 2 Ethernet II packets, and the protocol data of 0x0800 (IP type), 0x0806 (ARP type), and 0x8035 (RARP type).

! Configure egress and ingress ports to be switching ports
set port mode ge.4.1-5 switched
set port mode ge.5.8-10 switched
!
! Create VLANs for protocol classification
set vlan create 2
set vlan create 3
!
! Configure VLAN egress
set vlan egress 2 ge.4.1-2
set vlan egress 3 ge.4.3-5
!
! Disable ingress filtering on ingress ports
set port ingress-filter ge.5.8-10 disable
!
! Create policy profile
set policy profile 1 name protocol_based_vlan pvid-status enable pvid 3
!
! Configure administrative rules
set policy rule admin-profile port ge.5.8 port-string ge.5.8 admin-pid 1
set policy rule admin-profile port ge.5.9 port-string ge.5.9 admin-pid 1
set policy rule admin-profile port ge.5.10 port-string ge.5.10 admin-pid 1
!
! Configure classification rules
set policy rule 1 ether 0x0800 mask 16 vlan 2
set policy rule 1 ether 0x0806 mask 16 vlan 2
set policy rule 1 ether 0x8035 mask 16 vlan 2
!
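
The classification performed by the example script above, as an added Python example (not part of the guide or the router's software): it applies the three ether rules and the profile's PVID of 3 to constructed untagged frames. The function names are hypothetical, and reading mask 16 as "compare all 16 bits of the Type field" is an assumption about the mask semantics.

```python
import struct

# Classification rules from the example script: (Type value, mask in bits, VLAN).
RULES = [(0x0800, 16, 2), (0x0806, 16, 2), (0x8035, 16, 2)]
PROFILE_PVID = 3          # policy profile 1: pvid-status enable pvid 3

def ether_type(frame):
    """Return the Ethernet II Type field of an untagged frame, else None."""
    if len(frame) < 14:
        return None                       # truncated: no complete Ethernet header
    (value,) = struct.unpack_from("!H", frame, 12)
    # 0x0600 and above is an EtherType; 1500 and below is an IEEE 802.3 length.
    return value if value >= 0x0600 else None

def rule_matches(value, data, mask_bits):
    """Compare the most significant mask_bits of the 16-bit field (assumed semantics)."""
    shift = 16 - mask_bits
    return value >> shift == data >> shift

def classify(frame, rules=RULES, default_vlan=PROFILE_PVID):
    """Return the VLAN the policy assigns: first matching rule, else the profile PVID."""
    value = ether_type(frame)
    if value is not None:
        for data, mask_bits, vlan in rules:
            if rule_matches(value, data, mask_bits):
                return vlan
    return default_vlan

def sample_frame(type_field, payload=b"\x00" * 46):
    """Constructed test frame: broadcast destination, locally administered source."""
    return b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + struct.pack("!H", type_field) + payload

def report():
    """Classify one constructed frame per protocol of interest."""
    kinds = {"IPv4": 0x0800, "ARP": 0x0806, "RARP": 0x8035, "IPv6": 0x86DD, "802.3 length": 0x002E}
    return {name: classify(sample_frame(t)) for name, t in kinds.items()}

if __name__ == "__main__":
    for name, vlan in report().items():
        print(f"{name:13} -> VLAN {vlan}")
```

IPv6 (Type 0x86DD) and IEEE 802.3 length-encoded frames match none of the three rules and fall through to VLAN 3.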
Configuring IGMP Snooping
IGMP Layer 2 snooping allows the Matrix X Router for a specific VLAN to actively participate in IGMP traffic forwarding. IGMP snooping depends on the presence of an upstream IGMP querier. Whenever it receives an IGMP query, the Matrix X Router forwards the query out the appropriate VLAN ports. IGMP snooping allows per-port traffic patterns in VLANs with multiple ports. IGMP snooping is disabled by default.
Procedure 10-4 describes how to configure IGMP snooping.
Note: Refer to IGMP Snooping on page 3-18 for conceptual information about IGMP.
Procedure 10-4 Configuring IGMP Snooping for a VLAN
1. Enable IGMP snooping for a VLAN or a range of VLANs.
   Command: set igmp enable vlan-id
2. Enable querying on this VLAN, and specify the IGMP querier source address.
   Command: set igmp query-enable vlan-id address ip-address
3. Set the version of IGMP to use. Enter 1 for IGMPV1, or 2 for IGMPV2.
   Command: set igmp config vlan-id igmp-version 1|2
4. Set the Last Member interval value, which can be 1-255.
   Command: set igmp config vlan-id last-member-interval value
5. Set the Max Response Time, which can be 1-255 seconds.
   Command: set igmp config vlan-id max-response-time seconds
6. Set the Query Interval, which can be 1-65535 seconds.
   Command: set igmp config vlan-id query-interval seconds
7. Set the Robustness value, which can be 2-255.
   Command: set igmp config vlan-id robustness value
8. Optionally, create a static IGMP entry, or add ports to an existing entry. The entry can be in the form of an IP multicast address or IP group address.
   Command: set igmp add-static {IP-multicast-address | IP-group-address vlan-id} [modify] port-string
Monitoring VLANs
Table 10-2 describes the show commands that display information about VLAN configurations. Refer to the Matrix X Secure Core Router Command Line Interface Reference Guide for a description of the output of each show command.
Table 10-2 Displaying VLAN Information
Task | Command
Display all existing VLANs. | show vlan
Display the VLAN dynamic egress setting. | show vlan dynamicegress [vlan id]
Display all static VLANs. | show vlan static
Display ports assigned to VLANs. | show port vlan [port-string]
Display existing GVRP settings. | show gvrp [port-string]
Display IGMP VLAN configuration. | show igmp config [vlan id]
Display IGMP enable state of VLAN. | show igmp enable [vlan id]
Display all groups on a given VLAN. | show igmp groups [vlan id]
Display IGMP VLAN query state. | show igmp query [vlan id]
Display static ports on the given vid, group. | show igmp static [vlan id]