
Matrix X Router Configuration Guide 10-1

10
Layer 2 VLAN Configuration
This chapter provides information about configuring and monitoring 802.1Q Virtual Local Area
Networks (VLANs) on the Matrix X Router. For additional information on the command syntax
and parameters, refer to the CLI online help or the Matrix X Secure Core Router Command Line
Interface Reference Guide.

The Matrix X Router can support up to 4094 802.1Q VLANs. VLAN ID 1 is reserved as the default
VLAN since all ports have their PVID set to 1 by default when configured for switching. All other
available VLAN IDs can be assigned and configured with the CLI.
For information about...
- Default Settings
- Configuring Static VLANs
- Configuring Dynamic VLANs
- Configuring Protocol-Based VLAN Classification
- Configuring IGMP Snooping
- Monitoring VLANs

Default Settings
Table 10-1 lists the VLAN parameters and their default values.
Table 10-1 VLAN Parameters

| Parameter | Description | Default Value |
|---|---|---|
| vlan dynamicegress | Enables or disables dynamic egress processing for a given VLAN. | Disabled |
| vlan egress | Configures the egress ports for a VLAN and the type of egress for the ports. Egress type can be tagged, untagged, or forbidden. | Tagged |
| vlan name | Associates a text name to one or more VLANs. | None |
| garp timer | Configures the three GARP timers. The setting is critical and should only be done by someone familiar with the 802.1Q standard. | Join timer: 20 centiseconds; Leave timer: 60 centiseconds; Leaveall timer: 1000 centiseconds |
| gvrp | Enables or disables the GARP VLAN Registration Protocol (GVRP) on a specific set of ports or all ports. GVRP must be enabled to allow creation of dynamic VLANs. | Disabled at the port level; Enabled at the global level |
| port vlan ID (PVID) | 802.1Q VLAN/port association. | VLAN1/ Default VLAN |
| port discard | Ports can be set to discard frames based on whether or not they contain a VLAN tag. | No frames are discarded |
| port ingress filter | When enabled on a port, the VLAN IDs of incoming frames are compared to the port's egress list. If the received VLAN ID does not match a VLAN ID on the port's egress list, the frame is dropped. | Enabled |
| vlan IGMP query interval | Configures the frequency (in seconds) of host-query frame transmissions. | 125 seconds |
| vlan IGMP version | Selects the IGMP version. Options are version 1 or version 2. | Version 2 |
| vlan IGMP max response time | Configures the maximum query response time (in tenths of a second). | 100 deciseconds |
| vlan IGMP robustness | Configures the robustness value. | 2 |
| vlan IGMP last member query interval | Configures the last member query interval. This is the maximum response time inserted into group-specific queries which are sent in response to Leave Group messages. It is also the amount of time between group-specific query messages. | 10 seconds |

VLAN Naming Convention
A VLAN is identified by its ID, which is a number from 1 to 4094. On the Matrix X Router, a VLAN
entity can be specified in CLI commands in the format: vlan.instance.vlan_id, where instance is
the bridging instance, and vlan_id is the VLAN ID (1-4094). The Matrix X Router currently
supports only one bridging instance. Therefore, instance is always 1. So, for example, to display
information about VLAN 100, in either switch or router modes, you would enter:
show interface vlan.1.100
Configuring Static VLANs
Before configuring the Matrix X Router for VLAN operation, consider the following:
- How many VLANs will be required?
- What stations will belong to them?
- What ports are connected to those stations?
- What ports will be configured as GVRP-aware ports?

It may be helpful to sketch out a diagram of your VLAN strategy.

Procedure 10-1 shows an example of configuring a static VLAN. Unspecified parameters use their
default values.
Procedure 10-1 Creating a Static VLAN

1. Show existing VLANs.
   Command: show vlan
2. Define the ports to be used for switched traffic.
   Command: set port mode port-string switched
3. Create VLAN. Valid values are 1-4094. Each vlan-id must be unique. If an existing vlan-id is
   entered, the existing VLAN is modified.
   Command: set vlan create vlan-id
4. Optionally, assign a name to the VLAN. Valid strings are from 1 to 32 characters.
   Command: set vlan name vlan-id string
5. Assign switched ports to the VLAN. This command sets the port VLAN ID (PVID). The PVID
   determines the VLAN to which all untagged and P-tagged frames received on the port will be
   classified. Note that policy classification will override PVID.
   Command: set port vlan port-string vlan-id
6. Configure VLAN egress, which determines which ports a frame belonging to the VLAN may
   be forwarded out on.
   Static configuration: Add the port to the VLAN egress list for the device.
   The default setting, tagged, allows the port to transmit frames for a particular VLAN.
   The untagged setting allows the port to transmit frames without a VLAN tag. This setting is
   usually used to configure a port connected to an end user device.
   The forbidden setting prevents the port from participating in the specified VLAN and ensures
   that any dynamic requests for the port to join the VLAN will be ignored.
   Dynamic configuration: By default, dynamic egress is disabled on all VLANs. If dynamic egress
   is enabled for a VLAN, the device will add the port receiving a frame to the VLAN's egress
   list as untagged according to the VLAN ID of the received frame.
   Commands:
   set vlan egress vlan-id port-string forbidden | tagged | untagged
   set vlan dynamicegress vlan-id {enable | disable}
7. Optionally, enable ingress filtering on a port to drop those incoming frames that do not have
   a VLAN ID that matches a VLAN ID on the port's egress list.
   Command: set port ingress-filter port-string enable
8. Optionally, choose to discard tagged or untagged (or both) frames on selected ports. Select
   none to allow all frames to pass through.
   Command: set port discard port-string {tagged | untagged | none | both}
9. Enter router configuration mode and configure an IP address on the VLAN interface.
   Commands:
   router
   configure
   interface vlan.1.vlan_id
   ip address ip-address/maxlen
   no shutdown

To remove ports from a VLAN's egress list:
clear vlan egress vlan-list port-string [forbidden]
If forbidden is specified, the forbidden setting will be cleared from the designated ports and the
ports will be reset as allowed to egress frames, if so configured by either static or dynamic means.
If forbidden is not specified, tagged and untagged egress settings will be cleared from the
designated ports.

Example Configuration
The following is a sample configuration script of the steps in Procedure 10-1.
! Configure ports to be switching ports
set port mode ge.1.2-4 switched
!
set vlan create 100
set vlan name 100 VLANRED
!
! Assign ports to VLAN
set port vlan ge.1.2 100
set port vlan ge.1.3 100
set port vlan ge.1.4 100
!
! Configure VLAN egress
set vlan egress 100 ge.1.2
set vlan egress 100 ge.1.3
set vlan egress 100 ge.1.4
!
! Configure ingress filtering
set port ingress-filter ge.1.2 enable
set port ingress-filter ge.1.3 enable
set port ingress-filter ge.1.4 enable
!
! Configure ports to discard untagged frames
set port discard ge.1.2 untagged
set port discard ge.1.3 untagged
set port discard ge.1.4 untagged
!
! Configure IP address on VLAN interface
router
configure
interface vlan.1.100
ip address 120.20.20.1/24
no shutdown
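An offline check for configuration scripts written in the syntax shown above, added here as an example (it is not part of the guide or of the router's software). It applies the Table 10-1 defaults and reports switched ports left on VLAN 1, ports with ingress filtering disabled, and any use of GVRP or dynamic egress; the function names and the sample script are constructed, and only the ge.x.y-z range form of port-string used on this page is handled.

```python
# Constructed sample in the syntax of the guide's example script. Deliberate deviations:
# ge.1.4 keeps the default PVID and has ingress filtering disabled, GVRP is enabled on
# ge.1.3, and dynamic egress is enabled on VLAN 100.
SAMPLE = """\
set port mode ge.1.2-4 switched
set vlan create 100
set port vlan ge.1.2 100
set port vlan ge.1.3 100
set vlan dynamicegress 100 enable
set gvrp enable ge.1.3
set port ingress-filter ge.1.4 disable
"""

def expand(port_string):
    """Expand 'ge.1.2-4' into ['ge.1.2', 'ge.1.3', 'ge.1.4']."""
    prefix, _, last = port_string.rpartition(".")
    lo, _, hi = last.partition("-")
    return [f"{prefix}.{n}" for n in range(int(lo), int(hi or lo) + 1)]

def audit(config):
    """Return findings for switched ports and VLANs that differ from the example script."""
    ports, findings = {}, []
    def state(p):
        # Defaults from Table 10-1: PVID 1, ingress filtering enabled.
        return ports.setdefault(p, {"pvid": 1, "ingress_filter": True})
    for line in config.splitlines():
        w = line.split()
        if len(w) < 3 or w[0] != "set":      # skip "!" comments and router-mode lines
            continue
        cmd, args = w[1:3], w[3:]
        if cmd == ["port", "mode"] and args[1:] == ["switched"]:
            for p in expand(args[0]): state(p)
        elif cmd == ["port", "vlan"] and len(args) == 2:
            for p in expand(args[0]): state(p)["pvid"] = int(args[1])
        elif cmd == ["port", "ingress-filter"] and len(args) == 2:
            for p in expand(args[0]): state(p)["ingress_filter"] = args[1] == "enable"
        elif cmd == ["vlan", "dynamicegress"] and args[1:] == ["enable"]:
            findings.append(f"vlan {args[0]}: dynamic egress enabled")
        elif cmd == ["gvrp", "enable"]:
            findings.append(f"{args[0] if args else 'all ports'}: GVRP enabled")
    for p in sorted(ports):
        if ports[p]["pvid"] == 1:
            findings.append(f"{p}: still on default VLAN 1")
        if not ports[p]["ingress_filter"]:
            findings.append(f"{p}: ingress filtering disabled")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Run against the guide's own example script, the check returns no findings, because every switched port there is moved to VLAN 100 and keeps ingress filtering enabled.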
Configuring Dynamic VLANs
Procedure 10-2 describes how to enable the GARP (Generic Attribute Registration Protocol)
VLAN Registration Protocol (GVRP), which is needed to create dynamic VLANs. By default,
GVRP is enabled globally but disabled at the port level. GVRP must be globally enabled and also
enabled on specific ports in order to generate and process GVRP advertisement packets.
Note: Refer to GARP VLAN Registration Protocol (GVRP) on page 3-4 for conceptual information
about GVRP.
Procedure 10-2 Creating a Dynamic VLAN Configuration

1. Show existing GVRP configuration for a port or list of ports. If no port-string is entered, the
   global GVRP configuration and all port GVRP configurations are displayed.
   Command: show gvrp [port-string]
2. If necessary, enable GVRP on those ports assigned to a VLAN. If port-string is not specified,
   GVRP is enabled on the device and on all ports.
   Command: set gvrp enable port-string
3. Display the existing GARP timer values.
   Command: show garp timer [port-string]
4. Optionally, set the GARP join, leave, and leaveall timer values. Each timer value is in
   centiseconds.
   Command: set garp timer {[join timer-value] [leave timer-value] [leaveall timer-value]} port-string

Caution: The setting of GARP timers is critical and should only be changed by personnel
familiar with 802.1Q standards.
Configuring Protocol-Based VLAN Classification
Protocol-based VLANs can be configured using the policy classification CLI commands.
The following procedure describes how to define protocol-based packet filtering policies to assign
packets to particular VLANs. Refer to Chapter 12, Layer 2 Policy Classification Configuration for
more information about policy classification.
Procedure 10-3 Configuring Protocol-Based VLAN Classification

1. Configure the ports to be used as switch ports.
   Command: set port mode port-string switched
2. Create the VLANs to which packets will be assigned by the policy. Valid values are 1-4094.
   Command: set vlan create vlan-id
3. Configure VLAN egress, which determines which ports a frame belonging to the VLAN may
   be forwarded out on. The default setting, tagged, allows the port to transmit frames for a
   particular VLAN.
   Command: set vlan egress vlan-id port-string [forbidden | tagged | untagged]
4. Disable ingress filtering on the ingress ports on which the policy will be applied.
   Command: set port ingress-filter port-string disable
5. Create the policy profile that enables PVID override. This function allows a policy rule
   classifying a frame to a VLAN to override PVID assignment configured with the set port vlan
   command. When none of its associated classification rules match, the configuration of the
   policy profile itself will determine how packets are handled by default. In this case, the
   default VLAN is specified with the pvid pvid parameter.
   Command: set policy profile profile-index [name name] [pvid-status {enable | disable}] [pvid pvid]
6. Configure the administrative rules that will assign the policy profile to all packets received
   on the desired ingress ports.
   Command: set policy rule admin-profile port port-string [port-string port-string] [admin-pid admin-pid]
7. Configure the classification rules that will define the protocol to filter on and the VLAN ID to
   which matching packets will be assigned.
   Command: set policy rule profile-index {protocol data [mask mask]} [vlan vlan]

Example Configuration
The following is a sample configuration script of the steps in Procedure 10-3. This example
configures a policy that ensures that IP traffic received on the specified ingress ports will be
mapped to VLAN 2, while all other types of traffic will be mapped to VLAN 3.
1. Two VLANs are created: VLAN 2 and VLAN 3.
2. Ports 1 through 5 on the Gigabit Ethernet IOM in slot 4 are configured as egress ports for the
   VLANs while ports 8 through 10 on the Gigabit Ethernet IOM in slot 5 are configured as
   ingress ports that will do the policy classification.
3. Policy profile number 1 is created that enables PVID override and defines the default behavior
   (classify to VLAN 3) if none of the classification rules created for the profile are matched.
4. Administrative rules are created that apply policy profile number 1 to all packets received on
   the ingress ports ge.5.8 through 10.
5. Classification rules are created for policy profile number 1 that assign IP packets to VLAN 2.
   The rules identify IP packets by using the ether protocol parameter, which classifies on the
   Type field in the headers of Layer 2 Ethernet II packets, and the protocol data of 0x0800 (IP
   type), 0x0806 (ARP type), and 0x8035 (RARP type).
! Configure egress and ingress ports to be switching ports
set port mode ge.4.1-5 switched
set port mode ge.5.8-10 switched
!
! Create VLANs for protocol classification
set vlan create 2
set vlan create 3
!
! Configure VLAN egress
set vlan egress 2 ge.4.1-2
set vlan egress 3 ge.4.3-5
!
! Disable ingress filtering on ingress ports
set port ingress-filter ge.5.8-10 disable
!
! Create policy profile
set policy profile 1 name protocol_based_vlan pvid-status enable pvid 3
!
! Configure administrative rules
set policy rule admin-profile port ge.5.8 port-string ge.5.8 admin-pid 1
set policy rule admin-profile port ge.5.9 port-string ge.5.9 admin-pid 1
set policy rule admin-profile port ge.5.10 port-string ge.5.10 admin-pid 1
!
! Configure classification rules
set policy rule 1 ether 0x0800 mask 16 vlan 2
set policy rule 1 ether 0x0806 mask 16 vlan 2
set policy rule 1 ether 0x8035 mask 16 vlan 2
!
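A model of how the classification rules in the script above sort frames into VLAN 2 or VLAN 3, added here as an example (it is not the router's implementation and not code from the guide). The function names and test frames are constructed, and the reading of mask 16 as "compare the 16 most significant bits of the Type field" is an assumption.

```python
import struct

# Rules copied from the example script; the default VLAN comes from its
# "set policy profile 1 ... pvid-status enable pvid 3" line.
RULES = """\
set policy rule 1 ether 0x0800 mask 16 vlan 2
set policy rule 1 ether 0x0806 mask 16 vlan 2
set policy rule 1 ether 0x8035 mask 16 vlan 2
"""
DEFAULT_VLAN = 3

def parse_rules(text):
    """Return (ethertype, mask_bits, vlan) tuples from 'set policy rule ... ether' lines."""
    rules = []
    for line in text.splitlines():
        w = line.split()
        if w[:3] == ["set", "policy", "rule"] and len(w) == 10 and w[4] == "ether":
            rules.append((int(w[5], 16), int(w[7]), int(w[9])))
    return rules

def classify(frame, rules, default_vlan=DEFAULT_VLAN):
    """Map an untagged Ethernet II frame to a VLAN by its Type field."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    for value, bits, vlan in rules:
        # Assumption: 'mask N' compares the N most significant bits of the 16-bit field.
        keep = (0xFFFF << (16 - bits)) & 0xFFFF
        if (ethertype & keep) == (value & keep):
            return vlan
    return default_vlan          # no rule matched: the profile's PVID applies

def make_frame(ethertype):
    """Constructed frame header: broadcast destination, made-up source, no payload."""
    return b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + struct.pack("!H", ethertype)

if __name__ == "__main__":
    rules = parse_rules(RULES)
    for etype in (0x0800, 0x0806, 0x8035, 0x86DD):
        print(hex(etype), "-> VLAN", classify(make_frame(etype), rules))
```

Because the rules list only 0x0800, 0x0806 and 0x8035, an IPv6 frame (Type 0x86DD) matches none of them and falls through to the profile default, VLAN 3, along with all other non-IPv4 traffic.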
Configuring IGMP Snooping
IGMP Layer 2 snooping allows the Matrix X Router for a specific VLAN to actively participate in
IGMP traffic forwarding. IGMP snooping depends on the presence of an upstream IGMP querier.
Whenever it receives an IGMP query, the Matrix X Router forwards the query out the appropriate
VLAN ports. IGMP snooping allows per-port traffic patterns in VLANs with multiple ports. IGMP
snooping is disabled by default.
Procedure 10-4 describes how to configure IGMP snooping.
Note: Refer to IGMP Snooping on page 3-18 for conceptual information about IGMP.
Procedure 10-4 Configuring IGMP Snooping for a VLAN

1. Enable IGMP snooping for a VLAN or a range of VLANs.
   Command: set igmp enable vlan-id
2. Enable querying on this VLAN, and specify the IGMP querier source address.
   Command: set igmp query-enable vlan-id address ip-address
3. Set the version of IGMP to use. Enter 1 for IGMPV1, or 2 for IGMPV2.
   Command: set igmp config vlan-id igmp-version 1|2
4. Set the Last Member interval value, which can be 1-255.
   Command: set igmp config vlan-id last-member-interval value
5. Set the Max Response Time, which can be 1-255 seconds.
   Command: set igmp config vlan-id max-response-time seconds
6. Set the Query Interval, which can be 1-65535 seconds.
   Command: set igmp config vlan-id query-interval seconds
7. Set the Robustness value, which can be 2-255.
   Command: set igmp config vlan-id robustness value
8. Optionally, create a static IGMP entry, or add ports to an existing entry. The entry can be in
   the form of an IP multicast address or IP group address.
   Command: set igmp add-static {IP-multicast-address | IP-group-address vlan-id} [modify] port-string
Monitoring VLANs
Table 10-2 describes the show commands that display information about VLAN configurations.
Refer to the Matrix X Secure Core Router Command Line Interface Reference Guide for a description of
the output of each show command.
Table 10-2 Displaying VLAN Information

| Task | Command |
|---|---|
| Display all existing VLANs. | show vlan |
| Display the VLAN dynamic egress setting. | show vlan dynamicegress [vlan id] |
| Display all static VLANs. | show vlan static |
| Display ports assigned to VLANs. | show port vlan [port-string] |
| Display existing GVRP settings. | show gvrp [port-string] |
| Display IGMP VLAN configuration. | show igmp config [vlan id] |
| Display IGMP enable state of VLAN. | show igmp enable [vlan id] |
| Display all groups on a given VLAN. | show igmp groups [vlan id] |
| Display IGMP VLAN query state. | show igmp query [vlan id] |
| Display static ports on the given vid, group. | show igmp static [vlan id] |