Sunteți pe pagina 1din 61

VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

Contents
3  VLAN Configuration
3.1 VLAN Overview
3.2 Principles
3.2.1 Basic Concepts of VLAN
3.2.1.1 VLAN Tags
3.2.1.2 Link and Interface Types
3.2.1.3 Default VLAN
3.2.1.4 Adding and Removing VLAN Tags
3.2.2 Intra-VLAN Communication
3.2.3 Inter-VLAN Communication
3.2.4 Intra-VLAN Layer 2 Isolation
3.2.5 Inter-VLAN Layer 3 Isolation
3.2.6 Management VLAN
3.3 Applications
3.3.1 Using VLAN Assignment to Implement Layer 2 Isolation
3.3.2 Using VLANIF Interfaces to Implement Inter-VLAN Layer 3 Connectivity
3.3.3 Using a Traffic Policy to Implement Inter-VLAN Access Control
3.4 Configuration Task Summary
3.5 Default Configuration
3.6 Configuration Notes
3.7 Configuring VLAN
3.7.1 Configuring VLAN Assignment
3.7.2 Configuring Inter-VLAN Communication
3.7.3 Configuring a Traffic Policy to Implement Intra-VLAN Layer 2 Isolation
3.7.4 Configuring a Traffic Policy to Implement Inter-VLAN Layer 3 Isolation
3.7.5 Configuring an mVLAN
3.8 Configuration Examples
3.8.1 Example for Configuring VLAN Assignment
3.8.2 Example for Configuring VLANIF Interfaces to Implement Inter-VLAN Communication
3.8.3 Example for Configuring VLANIF Interfaces to Implement Intra-VLAN Communication
3.8.4 Example for Configuring VLANIF Interfaces to Implement Communication of Hosts on Different Network
Segments in the Same VLAN
3.8.5 Example for Configuring a Traffic Policy to Implement Inter-VLAN Layer 3 Isolation
3.8.6 Example for Configuring an mVLAN to Implement Remote Management
3.9 Common Misconfigurations
3.9.1 A VLANIF Interface Fails to Be Created
3.9.2 A VLANIF Interface Goes Down
3.9.3 Users in a VLAN Cannot Communicate
3.9.4 Directly Connected Devices Cannot Communicate
3.10 FAQ
3.10.1 How to Create and Delete VLANs in a Batch
3.10.2 How to Add Interfaces to a VLAN in a Batch
3.10.3 How to Restore the Default VLAN Configuration of an Interface

1 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

3.10.4 How to Change the Link Type of an Interface


3.10.5 How to Verify That an Interface Is Added to a VLAN
3.10.6 How to Rapidly Query the Link Types, Default VLANs, and Allowed VLANs of All Interfaces
3.10.7 Can Multiple Network Segments Be Configured in a VLAN
3.11 References

 VLAN Configuration

VLAN technology provides broadcast domain isolation, security hardening, flexible networking,
and high extensibility.

3.1 VLAN Overview


This section describes the definition, purpose, and benefits of VLAN.

3.2 Principles
This section describes the principles behind VLAN technology.

3.3 Applications
This section describes VLAN applications.

3.4 Configuration Task Summary


This section describes the VLAN configuration tasks.

3.5 Default Configuration


This section describes the default configuration of VLAN technology.

3.6 Configuration Notes


This section describes the product models that support VLAN technology and notes about
configuring VLAN technology.

3.7 Configuring VLAN


This section describes how to configure VLAN.

3.8 Configuration Examples


This section provides several configuration examples of VLAN technology, including
networking requirements, configuration roadmap, and configuration procedure.

3.9 Common Misconfigurations


This section describes common faults caused by incorrect configurations and provides the
troubleshooting procedure.

3.10 FAQ
This section describes the FAQ about VLAN technology.

3.11 References
This section lists the reference for VLAN technology.

2 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

3.1  VLAN Overview


This section describes the definition, purpose, and benefits of VLAN.

Definition
Virtual Local Area Network (VLAN) technology divides a physical LAN into multiple broadcast
domains, each of which is called a VLAN. Hosts within a VLAN can communicate with each other
but cannot communicate directly with hosts in other VLANs. Consequently, broadcast packets are
confined to within a single VLAN.

Purpose
Ethernet technology implements data communication over shared media based on Carrier Sense
Multiple Access/Collision Detection (CSMA/CD). When an Ethernet network has a large number
of hosts, collision becomes a serious problem and can lead to broadcast storms. As a result, network
performance deteriorates, or can even result in a complete breakdown. Using switches to connect
LANs can mitigate collisions, but cannot isolate broadcast packets or improve network quality.
VLAN technology divides a physical LAN into multiple VLANs to isolate broadcast domains.
Hosts within a VLAN can communicate with each other but cannot communicate directly with
hosts in other VLANs. Consequently, broadcast packets are confined to within a single VLAN.
Figure 3-1 VLAN networking

Figure 3-1 shows a typical VLAN networking environment. Device Router1 and device Router2 are
deployed in different locations (for example, on different floors of a building). Each device is
connected to two PCs belonging to different VLANs, which likely belong to different entities or
companies.

Benefits

VLAN technology offers the following benefits:

Limits broadcast domains. Broadcast domains are limited to conserve bandwidth and
improve network efficiency.
Enhances LAN security. Packets from different VLANs are transmitted separately. Hosts
in a VLAN cannot communicate directly with hosts in another VLAN.

3 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

Improves network robustness. A fault in a VLAN does not affect hosts in other VLANs.
Allows flexible definition of virtual groups. With VLAN technology, hosts in different
geographical locations can be grouped together, thereby simplifying network construction
and maintenance.

3.2  Principles
This section describes the principles behind VLAN technology.

3.2.1  Basic Concepts of VLAN


3.2.1.1  VLAN Tags

Definition and Function


A device identifies packets from different VLANs according to the information contained in VLAN
tags. IEEE 802.1Q adds a 4-byte VLAN tag between the Source address and Length/Type fields of
an Ethernet frame, as shown in Figure 3-2.
Figure 3-2 IEEE 802.1Q tagged frame format

A VLAN tag contains four fields. Table 3-1 describes the fields.
Table 3-1 Fields in a VLAN tag

Field Length Description Value

TPID 2 bytes Tag Protocol Identifier (TPID), The value 0x8100 indicates an 802.1Q-tagged
indicating the frame type. frame. An 802.1Q-incapable device discards
the 802.1Q frames.
IEEE 802.1Q protocol defines the value of the
field as 0x8100. However, manufacturers can
define their own TPID values and users can
then modify the value to realize
interconnection of devices from different
manufacturers.
PRI 3 bits Priority (PRI), indicating the frame The value ranges from 0 to 7. A larger value
priority. indicates a higher priority. If congestion
occurs, the device sends packets with higher
priorities first.

4 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

Field Length Description Value


CFI 1 bit Canonical Format Indicator (CFI), The value 0 indicates that the MAC address is
indicating whether a MAC address is encapsulated in canonical format, and the value
encapsulated in canonical format over 1 indicates that the MAC address is
different transmission media. CFI is encapsulated in non-canonical format. The CFI
used to ensure compatibility between field has a fixed value of 0 on Ethernet
Ethernet and token ring networks. networks.
VID 12 bits VLAN ID (VID), indicating the VLAN VLAN IDs range from 0 to 4095. The values 0
to which a frame belongs. and 4095 are reserved, and therefore valid
VLAN IDs range from 1 to 4094.

The device identifies the VLAN that a frame belongs to according to the information contained in
the VID field. Broadcast frames are forwarded only in the local VLAN. That is, a broadcast domain
is confined to within a single VLAN.

VLAN Tags in Received and Sent Frames

In a VLAN, Ethernet frames are classified into the following types:

Tagged frame: frame with a 4-byte VLAN tag


Untagged frame: frame without a 4-byte VLAN tag

Common devices process tagged and untagged frames as follows:

User hosts, servers and hubs can only receive and send untagged frames.
Switches, routers, and ACs can receive and send both tagged and untagged frames.
Voice terminals and APs can receive and send tagged and untagged frames simultaneously.

All frames processed in a device carry VLAN tags so as to improve frame processing efficiency.

3.2.1.2  Link and Interface Types


All frames processed in an AR carry VLAN tags. On a live network, some devices connected to an
AR can only receive and send untagged frames. To enable communication between the AR and
these devices, the AR interface must be able to identify the untagged frames and add or remove
VLAN tags from the frames. Hosts in the same VLAN may be connected to different ARs, and
more than one VLAN may span multiple ARs. To enable communication between hosts, interfaces
between ARs must be able to identify and send VLAN frames.
To accommodate different connections and networking, the device defines three interface types
(access, trunk, and hybrid) and two link types (access and trunk), as shown in Figure 3-3.
Figure 3-3 Link and interface types

5 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

Link Types
As shown in Figure 3-3, Ethernet links fall into the following types, depending on the number of
allowed VLANs:

Access link
An access link can transmit data frames of only one VLAN. It connects a device to a user
terminal, such as a host or server. Generally, user terminals do not need to know the
VLANs to which they belong and cannot identify tagged frames; therefore, only untagged
frames are transmitted along an access link.
Trunk link
A trunk link can transmit data frames from multiple VLANs. It connects devices. Frames
on a trunk link must be tagged so that other network devices can correctly identify VLAN
information in the frames.

Interface Types
As shown in Figure 3-3, Ethernet interfaces are classified into the following types depending on the
objects connected to them and the way they process frames:

Access interface
An access interface often connects to a user terminal such as a user host or server that
cannot identify VLAN tags, or is used when VLANs do not need to be differentiated.
Access interfaces can only receive and send untagged frames, and can add only a unique
VLAN tag to untagged frames.
Trunk interface
A trunk interface often connects to a switch, router, AP, or voice terminal that can receive
and send tagged and untagged frames simultaneously. It allows tagged frames from
multiple VLANs and untagged frames from only one VLAN.

6 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

Hybrid interface
A hybrid interface can connect to not only a user terminal (such as a user host or server) or
network device (such as a hub) that cannot identify tags, but also a switch, router, voice
terminal, or AP that can receive and send tagged and untagged frames. It allows tagged
frames from multiple VLANs. Frames sent out from a hybrid interface are tagged or
untagged according to the VLAN configuration.
Hybrid and trunk interfaces are interchangeable in some scenarios, yet hybrid interfaces
are required in certain specific scenarios. For example, if an interface connects to different
VLAN network segments (such as the router interface connected to a hub in Figure 3-3 ),
the interface must be a hybrid interface because it needs to add tags to untagged frames of
multiple VLANs.

3.2.1.3  Default VLAN


The default VLAN ID of an interface is called the port default VLAN ID (PVID). Frames processed
in a device all carry VLAN tags. When the device receives an untagged frame, it adds a VLAN tag
to the frame according to the default VLAN of the interface that receives the frame.
For details on how to add or remove tags when the interface receives and sends frames, see 3.2.1.4
Adding and Removing VLAN Tags.

Each interface has a default VLAN. By default, the default VLAN ID of all interfaces is VLAN 1.
You can change the default VLAN ID as required.

The default VLAN of an access interface is the VLAN allowed by the access interface.
You can change the default VLAN of an access interface to change the allowed VLAN.
Trunk and hybrid interfaces allow multiple VLANs but have only one default VLAN.
Default VLAN and VLANs allowed by the trunk and hybrid interfaces should be
configured separately.

3.2.1.4  Adding and Removing VLAN Tags


Ethernet data frames are tagged or untagged based on the interface type and default VLAN. The
following describes how access, trunk, and hybrid interfaces process data frames.

Access Interface
Figure 3-4 shows how an access interface adds and removes VLAN tags.
Figure 3-4 Access interface adding and removing VLAN tags

7 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

Trunk Interface
Figure 3-5 shows how a trunk interface adds and removes VLAN tags.
Figure 3-5 Trunk interface adding and removing VLAN tags

Hybrid Interface
Figure 3-6 shows how a hybrid interface adds and removes VLAN tags.
Figure 3-6 Hybrid interface adding and removing VLAN tags

8 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

Frame Processing on Different Interfaces


Table 3-2 Frame processing based on the port type

Port Type Untagged Frame Processing Tagged Frame Processing Frame Transmission

Access port Accepts an untagged frame and Accepts the tagged After the PVID tag is
adds a tag with the default frame if the frame's stripped, the frame is
VLAN ID to the frame. VLAN ID matches transmitted.
the default VLAN
ID.
Discards the tagged
frame if the frame's
VLAN ID differs
from the default
VLAN ID.

Trunk port Adds a tag with the Accepts a tagged If the frame's
default VLAN ID to frame if the VLAN VLAN ID
the untagged frame ID carried in the matches the
and then transmits it if frame is permitted by default VLAN
the default VLAN ID the port. ID and the
is permitted by the Discards a tagged VLAN ID is
port. frame if the VLAN permitted by the
Adds a tag with the ID carried in the port, the device
default VLAN ID to frame is denied by removes the tag
the untagged frame the port. and transmits the
and then discards it if frame.
the default VLAN ID If the frame's
is denied by the port. VLAN ID differs
from the default
VLAN ID, but
the VLAN ID is
still permitted by

9 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

Port Type Untagged Frame Processing Tagged Frame Processing Frame Transmission

the port, the


device will
directly transmit
the frame.

Hybrid port Adds a tag with the Accepts a tagged If the frame's VLAN ID is
default VLAN ID to frame if the VLAN permitted by the port, the
an untagged frame and ID carried in the frame is transmitted. The
accepts the frame if frame is permitted by port can be configured
the port permits the the port. whether to transmit frames
default VLAN ID. Discards a tagged with tags.
Adds a tag with the frame if the VLAN
default VLAN ID to ID carried in the
an untagged frame and frame is denied by
discards the frame if the port.
the port denies the
default VLAN ID.

Interfaces process received frames as follows:

Access, trunk, and hybrid interfaces add VLAN tags to received untagged frames. Trunk
and hybrid interfaces determine whether to accept untagged frames depending on whether
VLANs specified by the VLAN IDs in the frames are allowed, whereas an access interface
accepts the untagged frames unconditionally.
Access, trunk, and hybrid interfaces determine whether to accept tagged frames depending
on whether VLANs specified by the VLAN IDs in the frames are allowed (the VLAN ID
allowed by an access interface is the default VLAN ID).
Interfaces send frames as follows:
An access interface directly removes VLAN tags from frames before sending the
frames.
A trunk interface removes VLAN tags from frames only when their VLAN IDs
are the same as the PVID on the interface.
A hybrid interface determines whether to remove VLAN tags from frames based
on the interface configuration.

Frames sent by an access interface are all untagged. On a trunk interface, only frames of
one VLAN are sent with tags, and frames of other VLANs are sent without tags. On a
hybrid interface, you can specify the VLANs of which frames are sent with or without
tags.

3.2.2  Intra-VLAN Communication


Packets transmitted between users in a VLAN go through three phases:

Packet transmission from the source user host


Before sending a frame, the source host compares its IP address with the destination IP
address. If the two IP addresses are on the same network segment, the source host obtains
the MAC address of the destination host and fills the destination field MAC address of the
frame with the obtained MAC address. If the two IP addresses are on different network

10 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

segments, the frame needs to be forwarded by the gateway. The source host obtains the
gateway's MAC address, and uses it as the destination MAC address to send the frame to
the gateway.
Ethernet switching in a device

The device determines whether to forward a received frame at Layer 2 or Layer 3 based on
the information in the destination MAC address, VLAN ID, and Layer 3 forwarding bit.
If the destination MAC address and VLAN ID of the frame match a MAC
address entry of the device and the Layer 3 forwarding bit is set, the device
searches for a Layer 3 forwarding entry based on the destination IP address. If no
entry is found, the device sends the frame to the CPU. The CPU then searches for
a route to forward the frame at Layer 3.
If the destination MAC address and VLAN ID of the frame match a MAC
address entry but the Layer 3 forwarding bit is not set, the device directly
forwards the frame from the outbound interface specified in the matching MAC
address entry.
If the destination MAC address and VLAN ID of the frame do not match any
MAC address entry, the device broadcasts the frame to all the interfaces allowing
the VLAN specified in the VID to obtain the MAC address of the destination
host.

Adding and removing VLAN tags during the exchange between devices
Frames processed in a device all carry VLAN tags. The device needs to add or remove
VLAN tags according to the interface setting to communicate with other network devices.
For details on how VLAN tags are added and removed on different interfaces, see 3.2.1.4
Adding and Removing VLAN Tags.

After VLANs are assigned, broadcast packets are forwarded at Layer 2 in the same VLAN. That is,
users in the same VLAN can directly communicate at Layer 2. There are two intra-VLAN
communication scenarios depending on whether hosts in the same VLAN connect to the same or
multiple devices.

Intra-VLAN Communication Through the Same Device


As shown in Figure 3-7, Host_1 and Host_2 connect to the same device, belong to VLAN 2, and are
located on the same network segment. The interfaces connected to Host_1 and Host_2 are access
interfaces.
Figure 3-7 Intra-VLAN communication through the same device

When Host_1 sends a packet to Host_2, the packet is transmitted as follows (assuming that no
forwarding entry exists on the router):

1. Host_1 determines that the destination IP address is on the same network segment as its

11 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

IP address, and therefore broadcasts an ARP Request packet to obtain the MAC address
of Host_2. The ARP Request packet carries the all-F destination MAC address and
destination IP address of 10.1.1.3 (Host_2's IP address).
2. When the packet reaches IF_1 on the Router, the Router detects that the ARP Request
packet is untagged and adds VLAN 2 (PVID of IF_1) to the packet. The Router then adds
the binding of the source MAC address, VLAN ID, and interface (1-1-1, 2, IF_1) to its
MAC address table.
3. The Router does not find a MAC address entry matching the destination MAC address
and VLAN ID of the ARP Request packet, so it broadcasts the ARP Request packet to all
interfaces that allow VLAN 2 (IF_2 in this example).
4. Before sending the ARP Request packet, IF_2 on the Router removes the tag with VLAN
2 from the packet.
5. Host_2 receives the ARP Request packet and records the mapping between the MAC
address and IP address of Host_1 in the ARP table. Then Host_2 compares the
destination IP address with its own IP address. If they are the same, Host_2 sends an
ARP Reply packet. The ARP Reply packet carries Host_2's MAC address of 2-2-2 and
Host_1's IP address of 10.1.1.2 as the destination IP address.
6. After receiving the ARP Reply packet, IF_2 on the Router tags the packet with VLAN 2.
7. The Router adds the mapping between the source MAC address, VLAN ID, and interface
(2-2-2, 2, IF_2) to its MAC address table, and then searches for an entry in its MAC
address table based on the destination MAC address and VLAN ID (1-1-1, 2). The entry
is found because the mapping has been recorded before (see step 5). The Router forwards
the ARP Reply packet to IF_1.
8. Before forwarding the ARP Reply packet to IF_1, the Router removes the tag with
VLAN 2 from the packet.
9. Host_1 receives the ARP Reply packet and records the mapping between the MAC
address and IP address of Host_2 in the ARP table.

Host_1 and Host_2 have learned the MAC address of each other, so they directly fill the destination
MAC address fields of packets with the learned MAC addresses of the packets in subsequent
communication.
In the preceding networking, if hosts in the same VLAN are on different network segments, they
encapsulate the gateway's MAC address into packets, hosts can communicate through VLANIF
interfaces (with primary and secondary IP addresses configured). The principles are similar to those
in Inter-VLAN Communication Through the Same Device, and are not mentioned here.

Intra-VLAN Communication Through Multiple Devices


As shown in Figure 3-8, Host_1 and Host_2 connect to different devices, belong to VLAN 2, and
are located on the same network segment. The devices are connected using a trunk link over which
frames can be identified and sent across devices.
Figure 3-8 Intra-VLAN communication through multiple devices

12 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

When Host_1 sends a packet to Host_2, the packet is transmitted as follows (assuming that no
forwarding entry exists on Router_1 and Router_2):

1. The first two steps are similar to steps 1 and 2 in Intra-VLAN Communication
Through the Same Device. After the two steps are complete, Host_1 broadcasts the
ARP Request packet to IF_2 on Router_1.
2. IF_2 on Router_1 transparently transmits the ARP Request packet to IF_2 on Router_2
without removing the tag of the packet, because the VLAN ID of the packet is different
from the PVID of IF_2 on Router_1.
3. After receiving the ARP Request packet, IF_2 on Router_2 determines that VLAN 2 is
an allowed VLAN and accepts the packet.
4. Following the four steps similar to steps 3 to 6 in Intra-VLAN Communication
Through the Same Device, Router_2 forwards the ARP Reply packet of Host_2 to IF_2.
IF_2 on Router_2 transparently transmits the ARP Reply packet to IF_2 on Router_1,
because IF_2 is a trunk interface and its PVID is different from the VLAN ID of the
packet.
5. After receiving the ARP Reply packet, IF_2 on Router_1 determines that VLAN 2 is an
allowed VLAN and accepts the packet. Subsequent steps are similar to steps 7 to 9 in
Intra-VLAN Communication Through the Same Device.

In addition to transmitting frames from multiple VLANs, a trunk link can transparently transmit
frames without adding or removing the tags of the packets.
In the preceding networking, if hosts in the same VLAN are on different network segments, hosts
can communicate through VLANIF interfaces. The principles are similar to those in Inter-VLAN
Communication Through the Same Device, and are not mentioned here.

3.2.3  Inter-VLAN Communication


After VLANs are assigned, broadcast packets are only forwarded in the same VLAN. That is, hosts
in different VLANs cannot communicate at Layer 2. Therefore, VLAN technology isolates
broadcast domains. In real-world applications, hosts in different VLANs often need to
communicate, so inter-VLAN communication needs to be implemented to resolve this.
Similar to intra-VLAN communication described in 3.2.2 Intra-VLAN Communication, inter-
VLAN communication goes through three phases: packet transmission from the source host,
Ethernet switching in a device, and adding and removing VLAN tags during the exchange between
devices. According to the Ethernet switching principle, broadcast packets are only forwarded in the
same VLAN and hosts in different VLANs cannot directly communicate at Layer 2. Layer 3 routing

13 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

or VLAN translation technology is required to implement inter-VLAN communication.

Inter-VLAN Communication Technologies

Huawei provides a variety of technologies to implement inter-VLAN communication. The


following two technologies are commonly used.

VLANIF interface
A VLANIF interface is a Layer 3 logical interface. After an IP address is configured for a
VLANIF interface, the device adds the MAC address and VLAN ID of the VLANIF
interface to the MAC address table and sets the Layer 3 forwarding bit for the MAC
address entry. When the destination MAC address of a packet matches the MAC address
entry, the device forwards the packet at Layer 3, thereby implementing inter-VLAN Layer
3 connectivity.
It is simple to configure a VLANIF interface, so VLANIF interfaces are the most
commonly used for inter-VLAN communication. However, a VLANIF interface needs to
be configured for each VLAN and each VLANIF interface requires an IP address. As a
result, this technology wastes IP addresses.
Dot1q termination sub-interface
A sub-interface is also a Layer 3 logical interface. A device implements inter-VLAN
Layer 3 connectivity through sub-interfaces in a similar way as through VLANIF
interfaces. After a sub-interface is configured with Dot1q termination and an IP address,
the device adds a MAC address entry of the sub-interface to the MAC address table and
sets the Layer 3 forwarding bit.
A Dot1q termination sub-interface applies to scenarios where a Layer 3 Ethernet interface
connects to multiple VLANs. In such a scenario, data flows from different VLANs
preempt bandwidth of the primary Ethernet interface; therefore, the primary Ethernet
interface may become a bottleneck when the network is busy.
For details about the Dot1q termination sub-interface, see 6 VLAN Termination
Configuration.

Huawei devices implement inter-VLAN communication using VLANIF interfaces. A VLANIF


interface is a Layer 3 logical interface. After an IP address is configured for a VLANIF interface,
the device adds the MAC address and VLAN ID of the VLANIF interface to the MAC address table
and sets the Layer 3 forwarding bit for the MAC address entry. When the destination MAC address
of a packet matches the MAC address entry, the device forwards the packet at Layer 3, thereby
implementing inter-VLAN Layer 3 connectivity. It is simple to configure a VLANIF interface, so
VLANIF interfaces are the most commonly used for inter-VLAN communication. However, a
VLANIF interface needs to be configured for each VLAN and each VLANIF interface requires an
IP address. As a result, this technology wastes IP addresses.
VLANIF interfaces require that users in VLANs be located on different network segments. (When
hosts are located on the same network segment, a host encapsulates the destination host' MAC
address in packets. The device determines that packets should be forwarded at Layer 2. Layer 2
switching is performed only in the same VLAN, and broadcast packets cannot reach different
VLANs. In this case, the device cannot obtain destination hosts' MAC addresses and therefore
cannot forward packets to the destination host.) On a network, VLAN aggregation can allow hosts
on the same network segment in different VLANs to communicate.
VLAN aggregation, also known as super-VLAN, associates a super-VLAN with multiple sub-

14 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

VLANs. The sub-VLANs share the IP address of the super-VLAN as the gateway IP address to
implement Layer 3 connectivity with an external network. Proxy ARP can be enabled between sub-
VLANs to implement Layer 3 connectivity between sub-VLANs. VLAN aggregation conserves IP
addresses in inter-VLAN Layer 3 communication.
VLAN aggregation applies to scenarios where multiple VLANs share a gateway. For details about
VLAN aggregation, see 4 VLAN Aggregation Configuration.

Inter-VLAN Communication Through the Same Device


As shown in Figure 3-9, Host_1 (source host) and Host_2 (destination host) connect to the same
router, are located on different network segments, and belong to VLAN 2 and VLAN 3,
respectively. After VLANIF 2 and VLANIF 3 are created on the router and allocated IP addresses,
the default gateway addresses of the hosts are set to IP addresses of the VLANIF interfaces.
Figure 3-9 Using VLANIF interfaces to implement inter-VLAN communication through the same device

When Host_1 sends a packet to Host_2, the packet is transmitted as follows (assuming that no
forwarding entry exists on the router):

1. Host_1 determines that the destination IP address is on a different network segment from
its own IP address, and therefore sends an ARP Request packet to request the gateway
MAC address. The ARP Request packet carries the destination IP address of 10.1.1.1
(gateway's IP address) and all-F destination MAC address.
2. When the ARP Request packet reaches IF_1 on the Router, the Router tags the packet
with VLAN 2 (PVID of IF_1). The Router then adds the mapping between the source
MAC address, VLAN ID, and interface (1-1-1, 2, IF_1) in its MAC address table.
3. The Router detects that the packet is an ARP Request packet and the destination IP
address is the IP address of VLANIF 2. The Router then encapsulates VLANIF 2's MAC
address of 3-3-3 into the ARP Reply packet and removes the tag with VLAN 2 from the
packet before sending it from IF_1. In addition, the Router adds the binding of the IP
address and MAC address of Host_1 in its ARP table.
4. After receiving the ARP Reply packet from the Router, Host_1 adds the binding of the IP
address and MAC address of VLANIF 2 on the Router in its ARP table and sends a
packet to the Router. The packet carries the destination MAC address of 3-3-3 and
destination IP address of 10.2.2.2 (Host_2's IP address).
5. After the packet reaches IF_1 on the Router, the Router tags the packet with VLAN 2.
6. The Router updates its MAC address table based on the source MAC address, VLAN ID,
and inbound interface of the packet, and compares the destination MAC address of the
packet with the MAC address of VLANIF 2. If they are the same, the Router determines
that the packet should be forwarded at Layer 3 and searches for a Layer 3 forwarding
entry based on the destination IP address. If no entry is found, the Router sends the

15 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

packet to the CPU. The CPU then searches for a routing entry to forward the packet.
7. The CPU looks up the routing table based on the destination IP address of the packet and
detects that the destination IP address matches a directly connected network segment
(network segment of VLANIF 3). The CPU continues to look up its ARP table but finds
no matching ARP entry. Therefore, the Router broadcasts an ARP Request packet with
the destination address of 10.2.2.2 to all interfaces in VLAN 3. Before sending the ARP
Request packet from IF_2, the Router removes the tag with VLAN 2 from the packet.
8. After receiving the ARP Request packet, Host_2 detects that the IP address is its own IP
address and sends an ARP Reply packet with its own. Additionally, Host_2 adds the
mapping between the MAC address and IP address of VLANIF 3 to its ARP table.
9. After IF_2 on the Router receives the ARP Reply packet, IF_2 tags the packet with
VLAN 3 to the packet and adds the binding of the MAC address and IP address of
Host_2 in its ARP table. Before forwarding the packet from Host_1 to Host_2, the
Router removes the tag with VLAN 3 from the packet. The Router also adds the binding
of Host_2's IP address, MAC address, VLAN ID, and outbound interface in its Layer 3
forwarding table.

The packet sent from Host_1 then reaches Host_2. The packet transmission process from Host_2 to
Host_1 is similar. Subsequent packets between Host_1 and Host_2 are first sent to the gateway
(Router), and the Router forwards the packets at Layer 3 based on its Layer 3 forwarding table.

Inter-VLAN Communication Through Multiple Devices


When hosts in different VLANs connect to multiple routers, you need to configure static routes or a
dynamic routing protocol in addition to VLANIF interface addresses. This is because IP addresses
of VLANIF interfaces can only be used to generate direct routes.
As shown in Figure 3-10, Host_1 (source host) and Host_2 (destination host) are located on
different network segments, connect to Router_1 and Router_2, and belong to VLAN 2 and VLAN
3, respectively. On Router_1, VLANIF 2 and VLANIF 4 are created and allocated IP addresses of
10.1.1.1 and 10.1.4.1. On Router_2, VLANIF 3 and VLANIF 4 are created and allocated IP
addresses of 10.1.2.1 and 10.1.4.2. Static routes are configured on Router_1 and Router_2.
Figure 3-10 Using VLANIF interfaces to implement inter-VLAN communication through multiple devices

When Host_1 sends a packet to Host_2, the packet is transmitted as follows (assuming that no
forwarding entry exists on Router_1 and Router_2):

1. The first six steps are similar to steps 1 to 6 in inter-VLAN communication when hosts
connect to the same device. After the steps are complete, Router_1 sends the packet to
its CPU and the CPU looks up the routing table.

16 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

2. The CPU of Router_1 looks up the routing table based on the destination IP address of
10.1.2.2 and finds a matching entry with the network segment 10.1.2.0/24 corresponding
to VLANIF 4 and the next hop IP address 10.1.4.2. The CPU continues to look up its
ARP table but finds no matching ARP entry. Therefore, Router_1 broadcasts an ARP
Request packet with the destination address of 10.1.4.2 to all interfaces in VLAN 4. IF_2
on Router_1 transparently transmits the ARP Request packet to IF_2 on Router_2
without removing the tag from the packet.
3. After the ARP Request packet reaches Router_2, Router_2 finds that the destination IP
address of the ARP Request packet is the IP address of VLANIF 4. Router_2 then sends
an ARP Reply packet with the MAC address of VLANIF 4 to Router_1.
4. IF_2 on Router_2 transparently transmits the ARP Reply packet to Router_1. After
Router_1 receives the ARP Reply packet, it adds the binding of the MAC address and IP
address of VLANIF4 in its ARP table.
5. Before forwarding the packet of Host_1 to Router_2, Router_1 changes the destination
MAC address of the packet to the MAC address of VLANIF 4 on Router_2 and the
source MAC address to the MAC address of VLANIF 4 on itself. In addition, Router_1
records the forwarding entry (10.1.2.0/24, next hop IP address, VLAN, and outbound
interface) in its Layer 3 forwarding table. Similarly, the packet is transparently
transmitted to IF_2 on Router_2.
6. After Router_2 receives packets of Host_1 forwarded by Router_1, the steps similar to
steps 6 to 9 in inter-VLAN communication when hosts connect to the same device are
performed. In addition, Router_2 records the forwarding entry (Host_2's IP address,
MAC address, VLAN, and outbound interface) in its Layer 3 forwarding table.

VLAN Damping
In a specified VLAN where a VLANIF interface has been configured, when all interfaces in the
VLAN go Down, the VLAN becomes Down. The interface Down event is reported to the VLANIF
interface, causing the VLANIF interface status change.
To avoid network flapping due to the status change of the VLANIF interface, you can enable
VLAN damping on the VLANIF interface and set a delay after which the VLANIF interface goes
Down.
With VLAN damping enabled, when the last Up interface in the VLAN goes Down, the Down
event will be reported to the VLANIF interface after a delay (the delay can be set as required). If an
interface in the VLAN goes Up during the delay, the status of the VLANIF interface keeps
unchanged. That is, the VLAN damping function postpones the time at which the VLAN reports a
Down event to the VLANIF interface, avoiding unnecessary route flapping.

3.2.4  Intra-VLAN Layer 2 Isolation


You can add different users to different VLANs to implement Layer 2 isolation between users. If an
enterprise has many users, VLANs have to be allocated to all users that are not allowed to
communicate with each other. This user isolation method uses a large number of VLANs and makes
configuration more complex, increasing the maintenance workload of the network administrator.
Huawei provides intra-VLAN Layer 2 isolation technologies including port isolation, MUX VLAN,
and Modular QoS Command-Line Interface (MQC).

Port Isolation

17 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

Port isolation can isolate interfaces in a VLAN. You can add interfaces to a port isolation group to
disable Layer 2 packet transmission between the interfaces. Interfaces in different port isolation
groups or out of port isolation groups can exchange packets with other interfaces. In addition,
interfaces can be isolated unidirectionally, providing more secure and flexible networking.
For details about port isolation, see Configuring Interface Isolation in Huawei
AR120&AR150&AR160&AR200&AR500&AR510&AR1200&AR2200&AR3200&AR3600 Series
Enterprise Routers Configuration Guide - Interface Management.

MUX VLAN
Multiplex VLAN (MUX VLAN) provides a mechanism to control network resources using
VLANs. It can implement inter-VLAN communication and intra-VLAN isolation.

For example, an enterprise has the following requirements:

Employees can communicate with each other but customers are isolated.
Both employees and customers can access enterprise servers.

You can deploy the MUX VLAN to meet the preceding requirements.
For details about the MUX VLAN feature, see 5 MUX VLAN Configuration.

Intra-VLAN Layer 2 Isolation Based on the Traffic Policy


A traffic policy is configured by binding traffic classifiers to traffic behaviors. You can define
traffic classifiers on a device to match packets with certain characteristics and associate the traffic
classifiers with the permit or deny behavior in a traffic policy. The device then permits or denies
packets matching the traffic classifiers. In this way, intra-VLAN unidirectional or bidirectional
isolation is implemented based on the traffic policy.
The device supports intra-VLAN Layer 2 isolation based on MQC and simplified ACL-based traffic
policies. For details about MQC and simplified ACL-based traffic policies, see MQC Configuration
and ACL-based Simplified Traffic Policy Configuration in Huawei
AR120&AR150&AR160&AR200&AR500&AR510&AR1200&AR2200&AR3200&AR3600 Series
Enterprise Routers Configuration Guide - QoS.

3.2.5  Inter-VLAN Layer 3 Isolation


After inter-VLAN Layer 3 connectivity is implemented between two VLANs, all users in the
VLANs can communicate. In some scenarios, communication between some users needs to be
prevented or only unidirectional communication is allowed. For example, user hosts and servers
often use unidirectional communication, and visitors to an enterprise are often allowed to access
only the Internet or some servers. In these scenarios, you need to configure inter-VLAN isolation.
Inter-VLAN isolation is often implemented using a traffic policy. You can define traffic classifiers
on a device to match packets with certain characteristics and associate the traffic classifiers with the
permit or deny behavior in a traffic policy. The device then permits or rejects the packets matching
the traffic classifiers. This technology implements flexible inter-VLAN isolation.
The device supports inter-VLAN Layer 3 isolation based on MQC and simplified ACL-based traffic
policies. For details about MQC and simplified ACL-based traffic policies, see MQC Configuration
and ACL-based Simplified Traffic Policy Configuration in Huawei
AR120&AR150&AR160&AR200&AR500&AR510&AR1200&AR2200&AR3200&AR3600 Series
Enterprise Routers Configuration Guide - QoS.

18 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

3.2.6  Management VLAN


To use a remote network management system (NMS) to manage devices in a centralized manner,
configure a management IP address on the device. You can then use the management IP address to
log in to the device using STelnet and manage the device. If a user-side interface is added to the
VLAN corresponding to the management IP address, users connected to the interface can also log
in to the device. This poses security risks to the device.
To enhance security, you can configure the VLAN as the management VLAN (mVLAN). Access or
Dot1q tunnel interfaces cannot be added to the mVLAN. (The VLANs not specified as the mVLAN
are service VLANs.) Access and Dot1q tunnel interfaces are often connected to users. When these
interfaces are prevented from joining the mVLAN, users connected to the interfaces cannot log in to
the device, improving device security.

3.3  Applications
This section describes VLAN applications.

3.3.1  Using VLAN Assignment to Implement Layer 2 Isolation


As shown in Figure 3-11, there are multiple companies in a building. These companies share
network resources to reduce costs. Networks of the companies connect to different interfaces of
Router2 and access the Internet through an egress.
Figure 3-11 Networking of interface-based VLAN assignment

To isolate services and ensure service security of different companies, add interfaces connected to
the companies to different VLANs. Each company has a virtual router and each VLAN is a virtual
work group.

3.3.2  Using VLANIF Interfaces to Implement Inter-VLAN Layer 3


Connectivity
VLANIF interfaces are used to implement inter-VLAN Layer 3 connectivity when devices are
connected to the same router or different routers.

Inter-VLAN Layer 3 Connectivity Between Devices Connected to the Same Device


As shown in Figure 3-12, departments 1 and 2 of a small-scale company belong to VLAN 2 and
VLAN 3, respectively, and connect to Router through Layer 2 switches. Packets exchanged
between the two departments need to pass Router.
Figure 3-12 Using VLANIF interfaces to implement inter-VLAN communication through the same device

19 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

Assign VLANs on Switch_1 and Switch_2, configure Switch_1 and Switch_2 to transparently
transmit VLAN packets to Router, and configure a VLANIF interface for each VLAN on Router to
allow communication between VLAN 2 and VLAN 3.

Inter-VLAN Layer 3 Connectivity Between Devices Connected to Different Layer 3


Routers
As shown in Figure 3-13, departments 1 and 2 of a medium- or large-scale company are connected
across two or more routers, and belong to VLAN 2 and VLAN 3 respectively. Packets exchanged
between the two departments need to pass the routers.
Figure 3-13 Using VLANIF interfaces to implement inter-VLAN communication through multiple Layer 3
routers

Assign VLANs on the switches, and configure the switches to transparently transmit VLAN packets
to Router_1 and Router_2. Configure a VLANIF interface for each user VLAN and interconnected
VLANs on switches, and configure VLANIF interfaces for interconnected VLANs on other Layer 3
devices. In addition, configure static routes or a dynamic routing protocol between Router_1 and
Router_2 (a dynamic routing protocol is recommended when devices are connected across more
than two routers).

3.3.3  Using a Traffic Policy to Implement Inter-VLAN Access Control


As shown in Figure 3-14, to ensure communication security, a company divides the network into
visitor area, employee area, and server area, and assigns VLAN 10, VLAN 20, and VLAN 30 to the
areas respectively. The company has the following requirements:

Employees, visitors, and servers can access the Internet.

20 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

Visitors cannot communicate with employees and can access only Server_1 in the server
area.

Figure 3-14 Using a traffic policy to implement inter-VLAN access control

After the central router (Router) is configured with VLANIF 10, VLANIF 20, VLANIF 30, and
VLANIF 100 and a route to the Router_0, employees, visitors, and servers can access the Internet
and communicate with each other. To control access rights of visitors, configure a traffic policy on
the central router and define the following rules:

ACL rule 1: denies the packets sent from the IP network segment of visitors to the IP
segment of employees.
ACL rule 2: permits the packets from the IP network segment of visitors to the IP address
of Server_1, and denies the packets from the IP network segment of visitors and to the IP
segment of servers.
ACL rule 3: denies the packets from the IP network segment of employees to the IP
segment of visitors.
ACL rule 4: denies the packets from the IP network segment of servers to the IP segment
of visitors.

Apply the traffic policy to the inbound and outbound direction of the central router interface
connected to the visitor area. Visitors can then only access Server_1 and cannot communicate with
employees.

3.4  Configuration Task Summary


This section describes the VLAN configuration tasks.
Table 3-3 describes the VLAN configuration tasks. Figure 3-15 illustrates the logical relationship
between configuration tasks.
Figure 3-15 Logical relationship between configuration tasks

21 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

Table 3-3 VLAN configuration task summary

Configuration Task Description

3.7.1 Configuring VLANs can isolate the hosts that do not need to communicate with each other,
VLAN Assignment which improves network security, reduces broadcast traffic, and mitigates
broadcast storms.

3.7.2 Configuring Inter- After VLANs are assigned, users in different VLANs cannot directly
VLAN Communication communicate with each other. If users in different VLANs need to communicate,
configure VLANIF interfaces to implement inter-VLAN Layer 3 connectivity.

3.7.3 Configuring a After VLANs are assigned, users in the same VLAN can directly communicate
Traffic Policy to with each other. If some users in the same VLAN need to be isolated, configure
Implement Intra-VLAN MQC-based intra-VLAN Layer 2 isolation.
Layer 2 Isolation
NOTE:
Intra-VLAN isolation can also be implemented using port isolation. For details about port
isolation, see Configuring Interface Isolation in Huawei
AR120&AR150&AR160&AR200&AR500&AR510&AR1200&AR2200&AR3200&AR3600
Series Enterprise Routers Configuration Guide - Interface Management.

3.7.4 Configuring a After VLANIF interfaces are configured to implement inter-VLAN connectivity,
Traffic Policy to users in different VLANs can communicate at Layer 3. If some users in different
Implement Inter-VLAN VLANs require unidirectional communication or need to be isolated, configure a
Layer 3 Isolation traffic policy.

3.7.5 Configuring an To use the NMS to manage devices in a centralized manner, assign VLANs and
mVLAN configure a VLAN as the management VLAN.

3.5  Default Configuration


This section describes the default configuration of VLAN technology.

Table 3-4 Default configuration of VLAN technology

Parameter Default Setting

Default Interface Hybrid


type

22 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

Parameter Default Setting

configuration
Default VLAN 1
of an
VLAN
interface
VLAN VLAN 1 that interfaces join in untagged mode (port hybrid untagged vlan 1)
that an
interface
joins
Damping time 0s

Traffic statistics Disabled


collection in a VLAN

Traffic statistics Disabled


collection on a
VLANIF interface

3.6  Configuration Notes


This section describes the product models that support VLAN technology and notes about
configuring VLAN technology.

You are advised to plan service and management VLANs so that any broadcast storms in
service VLANs do not affect device management.
In practice, specify VLANs from which packets need to be transparently transmitted by a
trunk interface. Do not use the port trunk allow-pass vlan all command if possible.
All interfaces join VLAN 1 by default. When unknown unicast, multicast, or broadcast
packets of VLAN 1 exist on the network, broadcast storms may occur. When VLAN 1 is
used, pay attention to the following points:
Remove the interfaces that do not need to join VLAN 1 from VLAN 1 to prevent
loops.
You are advised to remove interfaces from VLAN 1 in Eth-Trunk or ring
networking.
When connecting to an access device, to prevent broadcast storms in VLAN 1,
do not configure the uplink interface of the access device to transparently
transmit packets from VLAN 1.

3.7  Configuring VLAN


This section describes how to configure VLAN.

3.7.1  Configuring VLAN Assignment


VLANs can isolate the hosts that do not need to communicate with each other, which improves
network security, reduces broadcast traffic, and mitigates broadcast storms.

Context

After an interface is added to a VLAN, the interface can forward packets from the VLAN.
Interface-based VLAN assignment allows hosts in the same VLAN to communicate and prevents

23 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

hosts in different VLANs from communicating, so broadcast packets are limited in a VLAN.

Ethernet interfaces are classified into access, trunk, and hybrid interfaces according to the objects
connected to the Ethernet interfaces and number of VLANs from which untagged frames are
permitted (see Interface Types):

Access interface
The router processes only tagged frames and an access interface connected to devices only
receive and send untagged frames, so the access interface needs to add a VLAN tag to
received frames. That is, you must configure the default VLAN for the access interface.
After the default VLAN is configured, the access interface joins the VLAN.
An access interface needs to process only untagged frames. If a user connects a switching
device to a user-side interface without permission, the user-side interface may receive
tagged frames. You can configure the user-side interface to discard tagged frames,
preventing unauthorized access.
Trunk interface
When a trunk interface connects to a device such as an AP or a voice terminal that can
receive and send tagged and untagged frames simultaneously, you need to configure the
default VLAN for the trunk interface so that the trunk interface can add the VLAN tag to
untagged frames.
Hybrid interface
When a hybrid interface connects to an AP, a voice terminal, a hub, a host, or a server that
sends untagged frames to the router, you need to configure the default VLAN for the
hybrid interface so that the hybrid interface can add the VLAN tag to untagged frames.
Frames sent by a router all carry VLAN tags. In some scenarios, VLAN tags need to be
removed from frames sent by a hybrid interface. A trunk interface allows untagged packets
from only one VLAN, so the interface must be configured as hybrid..

By default, the type of an interface is hybrid, the default VLAN is VLAN 1, and an interface joins
VLAN 1 in untagged mode.

Procedure

Configuring the default VLAN for an access interface

1. Run:
system-view

The system view is displayed.


2. Run:
vlan vlan-id

A VLAN is created and the VLAN view is displayed, or the view of an existing
VLAN is displayed.
3. Run:
quit

Return to the system view.

24 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

4. Run:
interface interface-type interface-number

The view of the Ethernet interface to be added to the VLAN is displayed.


5. Run:
port link-type access

The Ethernet interface is configured as the access interface.


6. Run:
port default vlan vlan-id

The default VLAN is configured for the interface and the interface is added to
the specified VLAN.

Configuring the default VLAN for a trunk interface

1. Run:
system-view

The system view is displayed.


2. Run:
vlan vlan-id

A VLAN is created and the VLAN view is displayed, or the view of an existing
VLAN is displayed.
3. Run:
quit

Return to the system view.


4. Run:
interface interface-type interface-number

The view of the Ethernet interface to be added to the VLAN is displayed.


5. Run:
port link-type trunk

The Ethernet interface is configured as the trunk interface.


6. Run:
port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> |

The interface is added to the specified VLAN.


7. (Optional) Run:
port trunk pvid vlan vlan-id

The default VLAN is configured for the trunk interface.

NOTE:
When the VLAN allowed by an interface is the default VLAN of the interface, packets from the VLAN are
forwarded in untagged mode.

25 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

Configuring the default VLAN for a hybrid interface

1. Run:
system-view

The system view is displayed.


2. Run:
vlan vlan-id

A VLAN is created and the VLAN view is displayed, or the view of an existing
VLAN is displayed.
3. Run:
quit

Return to the system view.


4. Run:
interface interface-type interface-number

The view of the Ethernet interface to be added to the VLAN is displayed.


5. Run:
port link-type hybrid

The Ethernet interface is configured as the hybrid interface.


6. Run the following commands as required.
Run:
port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10>

The hybrid interface is added to the VLAN in untagged mode.


Run:
port hybrid tagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> |

The hybrid interface is added to the VLAN in tagged mode.

7. (Optional) Run:
port hybrid pvid vlan vlan-id

The default VLAN is configured for the hybrid interface.

Configuration Tips
Creating VLANs in a batch
To create multiple VLANs in a batch, run the vlan batch command in the system view.

For example:

Create 10 contiguous VLANs: VLANs 11 to 20.


<Huawei> system-view
[Huawei] vlan batch 11 to 20

Create 10 incontiguous VLANs in a batch: VLAN 10, VLANs 15 to 19, VLAN 25,
VLANs 28 to 30.
<Huawei> system-view

26 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

[Huawei] vlan batch 10 15 to 19 25 28 to 30

NOTE:
You can create a maximum of 10 incontiguous VLANs or VLAN range at one time. If there are more than
10 VLANs, run this command multiple times. For example, the vlan batch 10 15 to 19 25 28 to 30
command creates four incontiguous VLAN ranges.

Configuring a name for a VLAN


When multiple VLANs are created on the device, you are advised to configure names for the
VLANs to facilitate management. After a name is configured for a VLAN, you can directly enter
the VLAN view using the name.
# Set the name of VLAN 10 to huawei.
<Huawei> system-view
[Huawei] vlan 10
[Huawei-vlan10] name huawei
[Huawei-vlan10] quit

# After a name is configured for a VLAN, you can directly enter the VLAN view using the name.
[Huawei] vlan vlan-name huawei
[Huawei-vlan10] quit
Adding interfaces to a VLAN in a batch
To perform the same VLAN configuration for multiple Ethernet interfaces, use the port group,
which can reduce the workload. To add access interfaces to a VLAN in a batch, you can also run the
port interface-type { interface-number1 [ to interface-number2 ] }&<1-10> command in the
VLAN view. For details, see How to Add Interfaces to a VLAN in a Batch.
Restoring the default VLAN configuration of an interface
If the VLAN planning of an interface is changed, you need to delete the original VLAN
configuration of the interface. If many incontiguous VLANs are configured on the interface, you
need to delete the original VLAN configuration multiple times. To reduce deletion operations,
restore the default VLAN configuration of the interface. For details, see How to Restore the Default
VLAN Configuration of an Interface.
Changing the interface type
When the interface planning changes or the current interface type is different from the configured
one, the interface type needs to be changed. For details, see How to Change the Link Type of an
Interface.
Deleting a VLAN
If a VLAN is not in use, you are advised to delete it immediately by runing the command undo
vlan vlan-id or undo vlan batch vlan-id1 to vlan-id2, in order to save VLAN resources and reduce
packets on a network.

Checking the Configuration

Run the display vlan [ { vlan-id | vlan-name vlan-name } [ verbose ] ] command to check
information about all VLANs or a specified VLAN.

3.7.2  Configuring Inter-VLAN Communication


After VLANs are assigned, users in the same VLAN can communication with each other while
users in different VLANs cannot. If some users in different VLANs need to communicate,

27 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

configure inter-VLAN communication.

Context
A VLANIF interface is a Layer 3 logical interface and can implement inter-VLAN Layer 3
connectivity. It is simple to configure a VLANIF interface, so the VLANIF interface is the most
commonly used technology. Each VLAN corresponds to a VLANIF interface. After an IP address is
configured for a VLANIF interface, the VLANIF interface is used as the gateway of the VLAN and
forwards packets across network segments at Layer 3 based on IP addresses.
If a VLAN goes Down because all interfaces in the VLAN go Down, the system immediately
reports the VLAN Down event to the corresponding VLANIF interface, instructing the VLANIF
interface to go Down. To avoid network flapping caused by the change of the VLANIF interface
status, enable VLAN damping on the VLANIF interface. After the last interface in Up state in a
VLAN goes Down, the device enabled with VLAN damping starts a delay timer and informs the
corresponding VLANIF interface of the VLAN Down event after the timer expires. If an interface
in the VLAN goes Up during the delay, the VLANIF interface remains Up.
The Maximum Transmission Unit (MTU) determines the maximum number of bytes each time a
sender can send. If the size of packets exceeds the MTU supported by a receiver or a transit node,
the receiver or transit node fragments the packets or even discards them, aggravating the network
transmission load. To avoid this problem, set the MTU of the VLANIF interface.
After configuring bandwidth for a VLANIF interface, you can use the NMS to query the bandwidth.
This facilitates traffic monitoring.

NOTE:
As shown in 3.2.3 Inter-VLAN Communication, in addition to using a VLANIF interface to inter-VLAN
communication, you can also use the VLAN aggregation and Dot1q termination sub-interface. This section uses the
VLANIF interface to implement inter-VLAN communication.

For details about the Dot1q termination sub-interface, see 6.6.1 Configuring a Dot1q Termination Sub-
interface to Implement Inter-VLAN Communication.
For details about VLAN aggregation, see 4 VLAN Aggregation Configuration.

After a VLANIF interface is configured, the corresponding VLAN cannot be configured as a sub-VLAN or principal
VLAN.

Pre-configuration Tasks
Before configuring inter-VLAN communication, complete the following tasks:

3.7.1 Configuring VLAN Assignment


Configuring the default gateway address of hosts as the IP address of the VLANIF
interface

Procedure

1. Run:
system-view

The system view is displayed.


2. Run:
interface vlanif vlan-id

28 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

The VLANIF interface view is displayed.


The number of a VLANIF interface must correspond to a created VLAN.
A VLANIF interface goes Up only when at least one physical interface in the
corresponding VLAN is in Up state.
3. Run:
ip address ip-address { mask | mask-length } [ sub ]

An IP address is configured for the VLANIF interface to implement Layer 3 connectivity.


If IP addresses assigned to VLANIF interfaces belong to different network segments, you
need to configure a routing protocol on the device to provide reachable routes.
Each VLANIF interface can be configured with one primary IP address and multiple
secondary IP addresses. A maximum of 31 secondary IP addresses can be configured.

NOTE:
An IP address of a VLANIF interface can be statically configured or dynamically obtained using DHCP.
For details about DHCP, see DHCP Configuration in Huawei
AR120&AR150&AR160&AR200&AR500&AR510&AR1200&AR2200&AR3200&AR3600 Series
Enterprise Routers Configuration Guide - IP Services.

4. (Optional) Run:
damping time delay-time

The delay of VLAN damping is set.


The value ranges from 0 to 20, in seconds. By default, the delay is 0 seconds, indicating
that VLAN damping is disabled.
5. (Optional) Run:
mtu mtu

The MTU of the VLANIF interface is set.


By default, the value is 1500 bytes.
6. (Optional) Run:
bandwidth bandwidth

The bandwidth of the VLANIF interface is set.

Checking the Configuration

Run the display interface vlanif [ vlan-id ] command to check the status, configuration,
and traffic statistics of the VLANIF interface.

NOTE:
Only the VLANIF interface in Up state can forward packets at Layer 3. When the VLANIF interface goes
Down, rectify the fault according to 3.9.2 A VLANIF Interface Goes Down.

3.7.3  Configuring a Traffic Policy to Implement Intra-VLAN Layer 2


Isolation
After VLANs are assigned, users in the same VLAN can communication with each other. If users in

29 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

a VLAN need to be isolated unidirectionally or bidirectionally, configure a traffic policy.

A traffic policy is configured by binding traffic classifiers to traffic behaviors. The device classifies
packets according to packet information, and associates a traffic classifier with a traffic behavior to
reject the packets matching the traffic classifier, implementing intra-VLAN isolation.
AR router provides intra-VLAN Layer 2 isolation based on MQC and based on the simplified ACL-
based traffic policy.

Pre-configuration Tasks
Before configuring a traffic policy to implement intra-VLAN Layer 2 isolation, complete the
following task:

3.7.1 Configuring VLAN Assignment

Procedure

Configure MQC to implement intra-VLAN Layer 2 isolation.

Perform the following MQC configurations to implement intra-VLAN Layer 2 isolation:


Specify permit or deny in the traffic behavior.
Apply the traffic policy to a VLAN or an interface that allows the VLAN.

For details about how to configure MQC, see Configuring Packet Filtering in Huawei
AR120&AR150&AR160&AR200&AR500&AR510&AR1200&AR2200&AR3200&AR3600
Series Enterprise Routers Configuration Guide - QoS.
Configure a simplified ACL-based traffic policy to implement intra-VLAN Layer 2
isolation.
For details about how to configure a simplified ACL-based traffic policy, see Configuring
ACL-based Packet Filtering in Huawei
AR120&AR150&AR160&AR200&AR500&AR510&AR1200&AR2200&AR3200&AR3600
Series Enterprise Routers Configuration Guide - QoS.

3.7.4  Configuring a Traffic Policy to Implement Inter-VLAN Layer 3


Isolation
After inter-VLAN Layer 3 connectivity is configured, if some users in different VLANs require
unidirectional access or need to be isolated, configure inter-VLAN Layer 3 isolation.

Inter-VLAN Layer 3 isolation is implemented using a traffic policy. A traffic policy is configured
by binding traffic classifiers to traffic behaviors. The router classifies packets according to IP
addresses or other information in packets, and associates a traffic classifier with a traffic behavior to
reject the packets matching the traffic classifier, implementing inter-VLAN Layer 3 isolation.
AR router provides inter-VLAN Layer 3 isolation based on MQC and based on the simplified ACL-
based traffic policy. You can select one of them according to your needs.

Pre-configuration Tasks
Before configuring a traffic policy to implement inter-VLAN Layer 3 isolation, complete the
following task:

30 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

3.7.2 Configuring Inter-VLAN Communication

Procedure

Configure MQC to implement inter-VLAN Layer 3 isolation.

Perform the following MQC configurations to implement inter-VLAN Layer 3 isolation:


Specify permit or deny in the traffic behavior.
Apply the traffic policy to a VLAN or an interface that allows the VLAN.

For details about how to configure MQC, see Configuring Packet Filtering in Huawei
AR120&AR150&AR160&AR200&AR500&AR510&AR1200&AR2200&AR3200&AR3600
Series Enterprise Routers Configuration Guide - QoS.
Configure a simplified ACL-based traffic policy to implement inter-VLAN Layer 3
isolation.
For details about how to configure a simplified ACL-based traffic policy, see Configuring
ACL-based Packet Filtering in Huawei
AR120&AR150&AR160&AR200&AR500&AR510&AR1200&AR2200&AR3200&AR3600
Series Enterprise Routers Configuration Guide - QoS.

3.7.5  Configuring an mVLAN


Management VLAN (mVLAN) allows you to use the VLANIF interface of the mVLAN to log in to
the management router to manage devices in a centralized manner.

Context

To use a remote network management system (NMS) to manage devices in a centralized manner,
configure a management IP address on the device. You can then log in to the device in Telnet mode
and manage the device by using the management IP address. The management IP address can be
configured on a management interface or VLANIF interface. If a user-side interface is added to the
VLAN, users connected to the interface can also log in to the device. This brings security risks to
the device.
After a VLAN is configured as an mVLAN, no access interface or Dot1q tunnel interface can be
added to the VLAN. Access and Dot1q tunnel interfaces are often connected to users. When these
interfaces are prevented from joining the mVLAN, users connected to the interfaces cannot log in to
the device, improving device security.
Generally, a VLANIF interface needs to be configured with only one management IP addresses. In
specified scenarios, for example, users in the same mVLAN belong to multiple different network
segments, you need to configure a primary management IP address and multiple secondary
management IP addresses.
You can only log in to the local device using the management interface, whereas you can log in to
both local and remote devices using a VLANIF interface of an mVLAN. When logging in to the
remote device using the VLANIF interface of an mVLAN, you need to configure VLANIF
interfaces on both local and remote devices and assign IP addresses on the same network segment
to them.

Pre-configuration Tasks

31 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

Before configuring an mVLAN, complete the following task:

3.7.1 Configuring VLAN Assignment

NOTE:
Only trunk and hybrid interfaces can join the mVLAN.

Procedure

1. Run:
system-view

The system view is displayed.


2. Run:
vlan vlan-id

The VLAN view is displayed.


3. Run:
management-vlan

The VLAN is configured as the mVLAN.


VLAN 1 cannot be configured as the mVLAN.
4. Run:
quit

Exit from the VLAN view.


5. Run:
interface vlanif vlan-id

A VLANIF interface is created and its view is displayed.


6. Run:
ip address ip-address { mask | mask-length } [ sub ]

An IP address is assigned to the VLANIF interface.

Follow-up Procedure

Log in to the router to implement centralized management through the NMS. Select either of the
following login modes according to your needs:

To manage local devices, log in to the local router using Telnet, STelnet. For details, see
Configuring Telnet Login, Configuring STelnet Login in Huawei
AR120&AR150&AR160&AR200&AR500&AR510&AR1200&AR2200&AR3200&AR3600
Series Enterprise Routers Configuration Guide – Basic Configurations.
To manage remote devices, log in to the local device using Telnet or STelnet and log in to
remote devices using Telnet or STelnet from the local device.see (Optional) Using Telnet
to Log In to Another Device From the Local Device, or (Optional) Using STelnet to Log
In to Another Device From the Local Device in Huawei
AR120&AR150&AR160&AR200&AR500&AR510&AR1200&AR2200&AR3200&AR3600
Series Enterprise Routers Configuration Guide – Basic Configurations.

32 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

The login IP address is the IP address of the VLANIF interface of an mVLAN.

Checking the Configuration

Run the display vlan command to check the mVLAN configuration. In the command
output, the VLAN marked with a * is the mVLAN.

3.8  Configuration Examples


This section provides several configuration examples of VLAN technology, including networking
requirements, configuration roadmap, and configuration procedure.

3.8.1  Example for Configuring VLAN Assignment

Networking Requirements
As shown in Figure 3-16, multiple user terminals are connected to devices in an enterprise. Users
who use the same service access the enterprise network using different devices.
To ensure the communication security and avoid broadcast storms, the enterprise wants to allow
users who use the same service to communicate with each other and isolate users who use different
services.
Configure interface-based VLAN assignments on the device and add interfaces connected to
terminals of users who use the same service to the same VLAN. Users in different VLANs
communicate at Layer 2, and users in the same VLAN can communicate directly.
Figure 3-16 Networking of interface-based VLAN assignment

Configuration Roadmap
The configuration roadmap is as follows:

1. Create VLANs and add interfaces connecting to user terminals to VLANs to isolate
Layer 2 traffic between users who use different services.
2. Configure the type of link between RouterA and RouterB and VLANs to allow users who
use the same service to communicate.

Procedure

1. Create VLAN 2 and VLAN 3 on RouterA, and add interfaces connected to user terminals
to different VLANs. The configuration of RouterB is similar to that of RouterA, and is
not mentioned here.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] vlan batch 2 3

33 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

[RouterA] interface ethernet 2/0/1


[RouterA-Ethernet2/0/1] port link-type access
[RouterA-Ethernet2/0/1] port default vlan 2
[RouterA-Ethernet2/0/1] quit
[RouterA] interface ethernet 2/0/2
[RouterA-Ethernet2/0/2] port link-type access
[RouterA-Ethernet2/0/2] port default vlan 3
[RouterA-Ethernet2/0/2] quit

2. Configure the type of the interface connected to RouterB on RouterA and VLANs. The
configuration of RouterB is similar to that of RouterA, and is not mentioned here.
[RouterA] interface ethernet 2/0/3
[RouterA-Ethernet2/0/3] port link-type trunk
[RouterA-Ethernet2/0/3] port trunk allow-pass vlan 2 3

3. Verify the configuration.


Add User1 and User2 to the same IP address segment, for example, 192.168.100.0/24;
add User3 and User4 to the same IP address segment, for example, 192.168.200.0/24.
Only User1's and User2's terminals can ping each other, and only User3's and User4's
terminals can ping each other.

Configuration Files
Configuration file of RouterA
#
sysname RouterA
#
vlan batch 2 to 3
#
interface Ethernet2/0/1
port link-type access
port default vlan 2
#
interface Ethernet2/0/2
port link-type access
port default vlan 3
#
interface Ethernet2/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return

Configuration file of RouterB


#
sysname RouterB
#
vlan batch 2 to 3
#
interface Ethernet2/0/1
port link-type access
port default vlan 2
#
interface Ethernet2/0/2
port link-type access
port default vlan 3
#
interface Ethernet2/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 3

34 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

#
return

3.8.2  Example for Configuring VLANIF Interfaces to Implement


Inter-VLAN Communication

Networking Requirements
Different user hosts of a company transmit the same service, and are located on different network
segments. User hosts transmitting the same service belong to different VLANs and need to
communicate.
As shown in Figure 3-17, User1 and User2 use the same service but belong to different VLANs and
are located on different network segments. User1 and User2 need to communicate.
Figure 3-17 Configuring VLANIF interfaces to implement inter-VLAN communication

Configuration Roadmap
The configuration roadmap is as follows:

1. Create VLANs and determine VLANs that users belong to.


2. Add interfaces to VLANs and configure the interfaces to allow the VLANs.
3. Create VLANIF interfaces and configure IP addresses for the VLANIF interfaces to
implement Layer 3 connectivity.

NOTE:
To implement inter-VLAN communication, hosts in each VLAN must use the IP address of the corresponding VLANIF
interface as the gateway address.

Procedure

1. Configure the router.


# Create VLANs.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 10 20

# Add interfaces to VLANs.


[Router] interface ethernet 2/0/0
[Router-Ethernet2/0/0] port link-type access
[Router-Ethernet2/0/0] port default vlan 10
[Router-Ethernet2/0/0] quit

35 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

[Router] interface ethernet 2/0/1


[Router-Ethernet2/0/1] port link-type access
[Router-Ethernet2/0/1] port default vlan 20
[Router-Ethernet2/0/1] quit

# Assign IP addresses to VLANIF interfaces.


[Router] interface vlanif 10
[Router-Vlanif10] ip address 10.10.10.2 24
[Router-Vlanif10] quit
[Router] interface vlanif 20
[Router-Vlanif20] ip address 10.10.20.2 24
[Router-Vlanif20] quit

2. Verify the configuration.


Configure the IP address of 10.10.10.3/24 and default gateway address as 10.10.10.2/24
(VLANIF 10's IP address) for User1 in VLAN 10.
Configure the IP address of 10.10.20.3/24 and default gateway address as 10.10.20.2/24
(VLANIF 20's IP address) for User2 in VLAN 20.
After the configuration is complete, User1 in VLAN 10 and User2 in VLAN 20 can
communicate.

Configuration Files
Configuration file of Router
#
sysname Router
#
vlan batch 10 20
#
interface Vlanif10
ip address 10.10.10.2 255.255.255.0
#
interface Vlanif20
ip address 10.10.20.2 255.255.255.0
#
interface Ethernet2/0/0
port link-type access
port default vlan 10
#
interface Ethernet2/0/1
port link-type access
port default vlan 20
#
return

3.8.3  Example for Configuring VLANIF Interfaces to Implement


Intra-VLAN Communication

Networking Requirements
As shown in Figure 3-18, Router_1 and Router_2 are connected to Layer 2 networks that VLAN 10
belongs to. Router_1 communicates with Router_2 through a Layer 3 network where OSPF is
enabled.
PCs of the two Layer 2 networks need to be interwork at Layer 3.
Figure 3-18 Configuring VLANIF interfaces to implement intra-VLAN communication

36 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

Configuration Roadmap
The configuration roadmap is as follows:

1. Add interfaces to VLANs and configure the interfaces to allow the VLANs.
2. Configure IP addresses for VLANIF interfaces to implement Layer 3 connectivity.
3. Configure basic OSPF functions to implement interworking.

Procedure

1. Configure Router_1.
# Create VLAN 10 and VLAN 30.
<Huawei> system-view
[Huawei] sysname Router_1
[Router_1] vlan batch 10 30

# Add Eth2/0/1 to VLAN 10 and Eth2/0/2 to VLAN 30.


[Router_1] interface ethernet 2/0/1
[Router_1-Ethernet2/0/1] port link-type trunk
[Router_1-Ethernet2/0/1] port trunk allow-pass vlan 10
[Router_1-Ethernet2/0/1] quit
[Router_1] interface ethernet 2/0/2
[Router_1-Ethernet2/0/2] port link-type trunk
[Router_1-Ethernet2/0/2] port trunk allow-pass vlan 30
[Router_1-Ethernet2/0/2] quit

# Configure IP addresses of 10.10.10.1/24 and 10.10.30.1/24 for VLANIF 10 and


VLANIF 30 respectively.
[Router_1] interface vlanif 10
[Router_1-Vlanif10] ip address 10.10.10.1 24
[Router_1-Vlanif10] quit
[Router_1] interface vlanif 30
[Router_1-Vlanif30] ip address 10.10.30.1 24
[Router_1-Vlanif30] quit

# Configure basic OSPF functions.


[Router_1] router id 1.1.1.1
[Router_1] ospf
[Router_1-ospf-1] area 0
[Router_1-ospf-1-area-0.0.0.0] network 10.10.10.0 0.0.0.255
[Router_1-ospf-1-area-0.0.0.0] network 10.10.30.0 0.0.0.255

37 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

[Router_1-ospf-1-area-0.0.0.0] quit

2. Configure Router_2.
# Create VLAN 10 and VLAN 30.
<Huawei> system-view
[Huawei] sysname Router_2
[Router_2] vlan batch 10 30

# Add Eth2/0/1 to VLAN 10 and Eth2/0/2 to VLAN 30.


[Router_2] interface ethernet 2/0/1
[Router_2-Ethernet2/0/1] port link-type trunk
[Router_2-Ethernet2/0/1] port trunk allow-pass vlan 10
[Router_2-Ethernet2/0/1] quit
[Router_2] interface ethernet 2/0/2
[Router_2-Ethernet2/0/2] port link-type trunk
[Router_2-Ethernet2/0/2] port trunk allow-pass vlan 30
[Router_2-Ethernet2/0/2] quit

# Configure IP addresses of 10.10.20.1/24 and 10.10.30.2/24 for VLANIF 10 and


VLANIF 30 respectively.
[Router_2] interface vlanif 10
[Router_2-Vlanif10] ip address 10.10.20.1 24
[Router_2-Vlanif10] quit
[Router_2] interface vlanif 30
[Router_2-Vlanif30] ip address 10.10.30.2 24
[Router_2-Vlanif30] quit

# Configure basic OSPF functions.


[Router_2] router id 2.2.2.2
[Router_2] ospf
[Router_2-ospf-1] area 0
[Router_2-ospf-1-area-0.0.0.0] network 10.10.20.0 0.0.0.255
[Router_2-ospf-1-area-0.0.0.0] network 10.10.30.0 0.0.0.255
[Router_2-ospf-1-area-0.0.0.0] quit

3. Configure Router_3.
# Create VLAN 10, add Eth2/0/1 to VLAN 10 in untagged mode and Eth2/0/2 to VLAN
10 in tagged mode. The configuration of Router_4 is similar to that of Router_3, and is
not mentioned here.
<Huawei> system-view
[Huawei] sysname Router_3
[Router_3] vlan batch 10
[Router_3] interface ethernet 2/0/1
[Router_3-Ethernet2/0/1] port link-type access
[Router_3-Ethernet2/0/1] port default vlan 10
[Router_3-Ethernet2/0/1] quit
[Router_3] interface ethernet 2/0/2
[Router_3-Ethernet2/0/2] port link-type trunk
[Router_3-Ethernet2/0/2] port trunk allow-pass vlan 10
[Router_3-Ethernet2/0/2] quit

4. Verify the configuration.


On the PC of the Layer 2 network connected to Router_1, set the default gateway address
to the IP address of VLANIF10, that is, 10.10.10.1/24.
On the PC of the Layer 2 network connected to Router_2, set the default gateway address
to the IP address of VLANIF10, that is, 10.10.20.1/24.
After the configuration is complete, PCs on the two Layer 2 networks are interwork at

38 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

Layer 3.

Configuration Files

Configuration file of Router_1


#
sysname Router_1
#
router id 1.1.1.1
#
vlan batch 10 30
#
interface Vlanif10
ip address 10.10.10.1 255.255.255.0
#
interface Vlanif30
ip address 10.10.30.1 255.255.255.0
#
interface Ethernet2/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface Ethernet2/0/2
port link-type trunk
port trunk allow-pass vlan 30
#
ospf 1
area 0.0.0.0
network 10.10.10.0 0.0.0.255
network 10.10.30.0 0.0.0.255
#
return

Configuration file of Router_2


#
sysname Router_2
#
router id 2.2.2.2
#
vlan batch 10 30
#
interface Vlanif10
ip address 10.10.20.1 255.255.255.0
#
interface Vlanif30
ip address 10.10.30.2 255.255.255.0
#
interface Ethernet2/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface Ethernet2/0/2
port link-type trunk
port trunk allow-pass vlan 30
#
ospf 1
area 0.0.0.0
network 10.10.20.0 0.0.0.255
network 10.10.30.0 0.0.0.255
#
return

39 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

Configuration file of Router_3


#
sysname Router_3
#
vlan batch 10
#
interface Ethernet2/0/1
port link-type access
port default vlan 10
#
interface Ethernet2/0/2
port link-type trunk
port trunk allow-pass vlan 10
#
return

Configuration file of Router_4


#
sysname Router_4
#
vlan batch 10
#
interface Ethernet2/0/1
port link-type access
port default vlan 10
#
interface Ethernet2/0/2
port link-type trunk
port trunk allow-pass vlan 10
#
return

3.8.4  Example for Configuring VLANIF Interfaces to Implement


Communication of Hosts on Different Network Segments in the
Same VLAN

Networking Requirements
On the enterprise network shown in Figure 3-19, hosts in the same VLAN belong to network
segments of 10.1.1.1/24 and 10.1.2.1/24. Hosts on the two network segments are required to access
the Internet through the Router and communicate.
Figure 3-19 Configuring VLANIF interfaces to implement communication of hosts on different network
segments in the same VLAN

40 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

Configuration Roadmap
If only one IP address is configured for the VLANIF interface on the Router, only hosts on one
network segment can access the Internet through the Router. To enable all hosts on the LAN can
access the Internet through the Router, configure a secondary IP address for the VLANIF interface.
To enable hosts on the two network segments to communicate, the hosts on the two network
segments need to use the primary and secondary IP addresses of the VLANIF interface as default
gateway addresses.
The configuration roadmap is as follows:

1. Create VLANs and add interfaces to the VLANs.


2. Configure VLANIF interfaces and assign IP addresses to them so that hosts on the two
network segments can communicate.
3. Configure a routing protocol so that hosts can access the Internet through the Router.

Procedure

1. Create VLANs and add interfaces to the VLANs on Router.


# Create VLAN 10 and VLAN 20.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 10 20

# Add Eth2/0/1 and Eth2/0/2 to VLAN 10 and Eth2/0/3 to VLAN 20.


[Router] interface ethernet 2/0/1
[Router-Ethernet2/0/1] port link-type access
[Router-Ethernet2/0/1] port default vlan 10
[Router-Ethernet2/0/1] quit
[Router] interface ethernet 2/0/2
[Router-Ethernet2/0/2] port link-type access
[Router-Ethernet2/0/2] port default vlan 10
[Router-Ethernet2/0/2] quit
[Router] interface ethernet 2/0/3
[Router-Ethernet2/0/3] port link-type trunk
[Router-Ethernet2/0/3] port trunk allow-pass vlan 20

41 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

[Router-Ethernet2/0/3] quit

2. Configure VLANIF interfaces on Router.


# Create VLANIF 10 and configure the primary IP address of 10.1.1.1/24 and secondary
IP address of 10.1.2.1/24 for VLANIF 10, and create VLANIF 20 and configure the IP
address of 10.10.10.1/24 for VLANIF 20.
[Router] interface vlanif 10
[Router-Vlanif10] ip address 10.1.1.1 24
[Router-Vlanif10] ip address 10.1.2.1 24 sub
[Router-Vlanif10] quit
[Router] interface vlanif 20
[Router-Vlanif20] ip address 10.10.10.1 24
[Router-Vlanif20] quit

3. Configure a routing protocol.


# Configure basic OSPF functions and configure OSPF to advertise network segments of
hosts and the network segment between the Router and Router_1.
[Router] ospf
[Router-ospf-1] area 0
[Router-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[Router-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.255
[Router-ospf-1-area-0.0.0.0] network 10.10.10.0 0.0.0.255
[Router-ospf-1-area-0.0.0.0] quit
[Router-ospf-1] quit

NOTE:
Perform the following configurations on the Router_1:
Add the interface connected to the Router to VLAN 20 in tagged mode and specify an IP address
for VLANIF 20 on the same network segment as 10.10.10.1.
Configure basic OSPF functions and configure OSPF to advertise the network segment between
the Router and Router_1.

For details, see the router documentation.

4. Verify the configuration.


Configure the IP address of 10.1.1.2 and default gateway address of 10.1.1.1/24 (primary
IP address of VLANIF 10) for Host1; configure the IP address of 10.1.2.2 and default
gateway address of 10.1.2.1/24 (secondary IP address of VLANIF 10) for Host2.
After the configuration is complete, Host1 and Host2 can ping each other successfully,
and they can ping 10.10.10.2/24, IP address of the router interface connected to the
Router. That is, they can access the Internet.

Configuration Files
Configuration file of the Router
#
sysname Router
#
vlan batch 10 20
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
ip address 10.1.2.1 255.255.255.0 sub
#
interface Vlanif20

42 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

ip address 10.10.10.1 255.255.255.0


#
interface Ethernet2/0/1
port link-type access
port default vlan 10
#
interface Ethernet2/0/2
port link-type access
port default vlan 10
#
interface Ethernet2/0/3
port link-type trunk
port trunk allow-pass vlan 20
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
network 10.10.10.0 0.0.0.255
#
return

3.8.5  Example for Configuring a Traffic Policy to Implement Inter-


VLAN Layer 3 Isolation

Networking Requirements
As shown in Figure 3-20, to ensure communication security, a company assigns visitors, employees,
and servers to VLAN 10, VLAN 20, and VLAN 30 respectively. The requirements are as follows:

Employees, visitors, and servers can access the Internet.


Visitors can access only the Internet, and cannot communicate with employees in any
other VLANs.
Employee A can access all resources in the server area, and other employees can access
port 21 (FTP service) of server A.

Figure 3-20 Configuring a traffic policy to implement inter-VLAN Layer 3 isolation

43 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

Configuration Roadmap
The configuration roadmap is as follows:

1. Create VLANs and add interfaces to the VLANs to implement Layer 2 isolation of
visitors, employees, and servers.
2. Configure VLANIF interfaces and assign IP addresses to them to implement Layer 3
connectivity between employees, servers, and visitors.
3. Configure a routing protocol so that visitors, employees, and servers can access the
Internet through the Router.
4. Configure and apply a traffic policy so that employee A can access all resources in the
server area, other employees can access only port 21 (FTP service) of server A,
employees can access only servers, and visitors can access only the Internet.

Procedure

1. Create VLANs and add interfaces to the VLANs to implement Layer 2 isolation of
visitors, employees, and servers.
# Create VLAN 10 on Router_1, add Eth2/0/1 to VLAN 10 in untagged mode and
Eth2/0/2 to VLAN 10 in tagged mode. The configurations of Router_2 and Router_3 are
similar to the configuration of Router_1, and are not mentioned here.
<Huawei> system-view
[Huawei] sysname Router_1
[Router_1] vlan batch 10
[Router_1] interface ethernet 2/0/1
[Router_1-Ethernet2/0/1] port link-type access
[Router_1-Ethernet2/0/1] port default vlan 10
[Router_1-Ethernet2/0/1] quit
[Router_1] interface ethernet 2/0/2
[Router_1-Ethernet2/0/2] port link-type trunk

44 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

[Router_1-Ethernet2/0/2] port trunk allow-pass vlan 10


[Router_1-Ethernet2/0/2] quit

# Create VLAN 10, VLAN 20, VLAN 30, and VLAN 100 on Router_4, and add Eth2/0
/1-Eth2/0/4 to VLAN 10, VLAN 20, VLAN 30, and VLAN 100 in tagged mode.
<Huawei> system-view
[Huawei] sysname Router_4
[Router_4] vlan batch 10 20 30 100
[Router_4] interface ethernet 2/0/1
[Router_4-Ethernet2/0/1] port link-type trunk
[Router_4-Ethernet2/0/1] port trunk allow-pass vlan 10
[Router_4-Ethernet2/0/1] quit
[Router_4] interface ethernet 2/0/2
[Router_4-Ethernet2/0/2] port link-type trunk
[Router_4-Ethernet2/0/2] port trunk allow-pass vlan 20
[Router_4-Ethernet2/0/2] quit
[Router_4] interface ethernet 2/0/3
[Router_4-Ethernet2/0/3] port link-type trunk
[Router_4-Ethernet2/0/3] port trunk allow-pass vlan 30
[Router_4-Ethernet2/0/3] quit
[Router_4] interface ethernet 2/0/4
[Router_4-Ethernet2/0/4] port link-type trunk
[Router_4-Ethernet2/0/4] port trunk allow-pass vlan 100
[Router_4-Ethernet2/0/4] quit

2. Configure VLANIF interfaces and assign IP addresses to them to implement Layer 3


connectivity between employees, servers, and visitors.
# On Router_4, Create VLAN 10, VLAN 20, VLAN 30, and VLAN 100 and assign IP
addresses of 10.1.1.1/24, 10.1.2.1/24, 10.1.3.1/24, and 10.1.100.1/24 to them
respectively.
[Router_4] interface vlanif 10
[Router_4-Vlanif10] ip address 10.1.1.1 24
[Router_4-Vlanif10] quit
[Router_4] interface vlanif 20
[Router_4-Vlanif20] ip address 10.1.2.1 24
[Router_4-Vlanif20] quit
[Router_4] interface vlanif 30
[Router_4-Vlanif30] ip address 10.1.3.1 24
[Router_4-Vlanif30] quit
[Router_4] interface vlanif 100
[Router_4-Vlanif100] ip address 10.1.100.1 24
[Router_4-Vlanif100] quit

3. Configure a routing protocol so that visitors, employees, and servers can access the
Internet through the Router.
# Configure basic OSPF functions on Router_4 and configure OSPF to advertise network
segments of hosts and the network segment between Router_4 and the router.
[Router_4] ospf
[Router_4-ospf-1] area 0
[Router_4-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[Router_4-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.255
[Router_4-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255
[Router_4-ospf-1-area-0.0.0.0] network 10.1.100.0 0.0.0.255
[Router_4-ospf-1-area-0.0.0.0] quit
[Router_4-ospf-1] quit

NOTE:
Perform the following configurations on the Router:

45 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

Add the interface connected to the Router to VLAN 100 in tagged mode and specify an IP
address for VLANIF 100 on the same network segment as 10.1.100.1.
Configure basic OSPF functions and configure OSPF to advertise the network segment between
the Router and router_4.

For details, see the router documentation.

4. Configure and apply a traffic policy to control access of employees, visitors, and servers.

a. Configure ACLs to define flows.


# Configure ACL 3000 on Router_4 to prevent visitors from accessing
employees' PCs and servers.
[Router_4] acl 3000
[Router_4-acl-adv-3000] rule deny ip destination 10.1.2.1 0.0.0.255
[Router_4-acl-adv-3000] rule deny ip destination 10.1.3.1 0.0.0.255
[Router_4-acl-adv-3000] quit

# Configure ACL 3001 on Router_4 so that employee A can access all


resources in the server area and other employees can access only port 21 of
server A.
[Router_4] acl 3001
[Router_4-acl-adv-3001] rule permit tcp destination 10.1.3.2 0 destinat
[Router_4-acl-adv-3001] rule permit ip source 10.1.2.2 0 destination 10
[Router_4-acl-adv-3001] rule deny ip destination 10.1.3.1 0.0.0.255
[Router_4-acl-adv-3001] quit

b. Configure traffic classifiers to differentiate different flows.


# Configure traffic classifiers c_custom, and c_staff on Router_4 and
reference ACLs 3000, and 3001 in the traffic classifiers respectively.
[Router_4] traffic classifier c_custom
[Router_4-classifier-c_custom] if-match acl 3000
[Router_4-classifier-c_custom] quit
[Router_4] traffic classifier c_staff
[Router_4-classifier-c_staff] if-match acl 3001
[Router_4-classifier-c_staff] quit

c. Configure a traffic behavior and define an action.


# Configure a traffic behavior named b1 on Router_4 and define the permit
action.
[Router_4] traffic behavior b1
[Router_4-behavior-b1] permit
[Router_4-behavior-b1] quit

d. Configure traffic policies and associate traffic classifiers with the traffic
behavior in the traffic policies.
# Create traffic policies p_custom, and p_staff on Router_4, and associate
traffic classifiers c_custom, and c_staff with traffic behavior b1.
[Router_4] traffic policy p_custom
[Router_4-trafficpolicy-p_custom] classifier c_custom behavior b1
[Router_4-trafficpolicy-p_custom] quit
[Router_4] traffic policy p_staff
[Router_4-trafficpolicy-p_staff] classifier c_staff behavior b1
[Router_4-trafficpolicy-p_staff] quit

e. Apply the traffic policies to control access of employees, visitors, and servers.

46 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

# On Router_4, apply traffic policies p_custom, and p_staff in the inbound


direction of VLANIF 10, and VLANIF 20 respectively.
[Router_4] interface vlanif 10
[Router_4-Vlanif10] traffic-policy p_custom inbound
[Router_4-Vlanif10] quit
[Router_4] interface vlanif 20
[Router_4-Vlanif20] traffic-policy p_staff inbound
[Router_4-Vlanif20] quit

5. Verify the configuration.


Configure the IP address of 10.1.1.2 and default gateway address of 10.1.1.1/24
(VLANIF 10's IP address) for visitor A; configure the IP address of 10.1.2.2 and default
gateway address of 10.1.2.1/24 (VLANIF 20's IP address) for employee A; configure the
IP address of 10.1.2.3 and default gateway address of 10.1.2.1/24 (VLANIF 20's IP
address) for employee B; configure the IP address of 10.1.3.2 and default gateway
address of 10.1.3.1/24 (VLANIF 30's IP address) for server A.

After the configuration is complete, the following situations occur:


Visitor A fails to ping employee A or server A, and employee A and server A
fail to ping visitor A.
Employee A can successfully ping server A. That is, employee A can use server
A and the FTP service of server A.
Employee B fail to ping server A, and can only use the FTP service of server A.
Visitors, employees A and B, server A all can ping 10.1.100.2/24, IP address of
the router interface connected to Router_4. That is, they can access the Internet.

Configuration Files

Configuration file of Router_1


#
sysname Router_1
#
vlan batch 10
#
interface Ethernet2/0/1
port link-type access
port default vlan 10
#
interface Ethernet2/0/2
port link-type trunk
port trunk allow-pass vlan 10
#
return

Configuration file of Router_2


#
sysname Router_2
#
vlan batch 20
#
interface Ethernet2/0/1
port link-type access
port default vlan 20
#

47 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

interface Ethernet2/0/2
port link-type access
port default vlan 20
#
interface Ethernet2/0/3
port link-type trunk
port trunk allow-pass vlan 20
#
return

Configuration file of Router_3


#
sysname Router_3
#
vlan batch 30
#
interface Ethernet2/0/1
port link-type access
port default vlan 30
#
interface Ethernet2/0/2
port link-type trunk
port trunk allow-pass vlan 30
#
return

Configuration file of Router_4


#
sysname Router_4
#
vlan batch 10 20 30 100
#
acl number 3000
rule 5 deny ip destination 10.1.2.0 0.0.0.255
rule 10 deny ip destination 10.1.3.0 0.0.0.255
acl number 3001
rule 5 permit tcp destination 10.1.3.2 0 destination-port eq ftp
rule 10 permit ip source 10.1.2.2 0 destination 10.1.3.0 0.0.0.255
rule 15 deny ip destination 10.1.3.0 0.0.0.255
#
traffic classifier c_custom operator and
if-match acl 3000
traffic classifier c_staff operator and
if-match acl 3001
#
traffic behavior b1
permit
#
traffic policy p_custom
classifier c_custom behavior b1
traffic policy p_staff
classifier c_staff behavior b1
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
traffic-policy p_custom inbound
#
interface Vlanif20
ip address 10.1.2.1 255.255.255.0
traffic-policy p_staff inbound
#
interface Vlanif30
ip address 10.1.3.1 255.255.255.0

48 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

#
interface Vlanif100
ip address 10.1.100.1 255.255.255.0
#
interface Ethernet2/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface Ethernet2/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
interface Ethernet2/0/3
port link-type trunk
port trunk allow-pass vlan 30
#
interface Ethernet2/0/4
port link-type trunk
port trunk allow-pass vlan 100
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
network 10.1.3.0 0.0.0.255
network 10.1.100.0 0.0.0.255
#
return

3.8.6  Example for Configuring an mVLAN to Implement Remote


Management

Networking Requirements
As shown in Figure 3-21, users need to securely log in to the Router for remote management. There
is no idle management interface on the Router.
Figure 3-21 Configuring an mVLAN to implement remote management

Configuration Roadmap
A management interface or VLANIF interface of an mVLAN can be used to log in to the device for
remote management. The device has no idle management interface, so the mVLAN is used. STelnet
is used to ensure login security. The configuration roadmap is as follows:

1. Configure an mVLAN on the Router and add an interface to the mVLAN.


2. Configure a VLANIF interface and assign an IP address to it on the Router.
3. Enable STelnet on the Router and configure an SSH user.
4. Log in to the Router using STelnet from a user PC.

NOTE:

49 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

The user PC needs to be configured with the software for logging in to the SSH server, key pair generation
software, and public key conversion software.
To ensure device security, change the password periodically.

Procedure

1. Configure an mVLAN and add an interface to the mVLAN.


# Create VLAN 10 on the Router and specify VLAN 10 as the mVLAN, and add
Eth2/0/0 to VLAN 10 in tagged mode.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan 10
[Router-vlan10] management-vlan
[Router-vlan10] quit
[Router] interface ethernet 2/0/0
[Router-Ethernet2/0/0] port link-type trunk
[Router-Ethernet2/0/0] port trunk allow-pass vlan 10
[Router-Ethernet2/0/0] quit

2. Configure a VLANIF interface and assign an IP address to the VLANIF interface.


# Create VLANIF 10 on the Router and configure the IP address of 10.10.10.2/24 for it.
[Router] interface vlanif 10
[Router-Vlanif10] ip address 10.10.10.2 24
[Router-Vlanif10] quit

3. Enable the STelnet service and configure an SSH user.

a. Configure the Router to generate a local key pair.


[Router] rsa local-key-pair create
The key name will be: Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is less than 2048,
It will introduce potential security risks.
Input the bits in the modulus[default = 2048]:2048
Generating keys...
........++++++++
..++++++++
............+++++++++
......+++++++++

b. Configure an SSH user.


# Configure the VTY user interface on the Router.
[Router] user-interface vty 0 14
[Router-ui-vty0-14] authentication-mode aaa
[Router-ui-vty0-14] protocol inbound ssh
[Router-ui-vty0-14] quit

# Create an SSH user named client001 on the Router and configure password
authentication.
[Router] aaa
[Router-aaa] local-user client001 password irreversible-cipher Huawei@1
[Router-aaa] local-user client001 privilege level 3
[Router-aaa] local-user client001 service-type ssh
[Router-aaa] quit
[Router] ssh user client001 authentication-type password

50 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

c. Enable the STelnet service.


# Enable the STelnet service on the Router.
[Router] stelnet server enable

# Configure the STelnet service for SSH user client001.


[Router] ssh user client001 service-type stelnet

NOTE:
The PC connects to Router through the intermediate device. The intermediate device needs to transparently
transmit packets from mVLAN 10 and has a route from 10.1.1.1/24 to 10.10.10.2/24.

4. Verify the configuration.


After the configuration is complete, the user can log in to the Router from the PC using
password authentication.
# Run the Putty software on the user PC. The dialog box shown in Figure 3-22 is
displayed. Enter 10.10.10.2 (IP address of the Router) and select SSH.
Figure 3-22 Configuring an mVLAN to implement remote management

# Click Open. On the page that is displayed on the Router, enter the user name and
password, and press Enter.
login as: client001
SSH server: User Authentication
Using keyboard-interactive authentication.
Password:

Info: The max number of VTY users is 10, and the number
of current VTY users on line is 1.
The current login time is 2014-02-25 05:45:41+00:00.

51 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

<Router>

The user can successfully log in to the Router for remote management.

Configuration Files
Configuration file of the Router
#
sysname Router
#
vlan batch 10
#
vlan 10
management-vlan
#
aaa
local-user client001 password irreversible-cipher %^%#N6a[D`B8x;5$^#@#^$5"WK,@$Sb5/!.Rq
local-user client001 privilege level 3
local-user client001 service-type ssh
#
interface Vlanif10
ip address 10.10.10.2 255.255.255.0
#
interface Ethernet2/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
stelnet server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
#
user-interface vty 0 14
authentication-mode aaa
#
return

3.9  Common Misconfigurations


This section describes common faults caused by incorrect configurations and provides the
troubleshooting procedure.

3.9.1  A VLANIF Interface Fails to Be Created

Fault Symptom
When a user attempts to create a VLANIF interface, the system displays an error message. As a
result, the VLANIF interface fails to be created.

Procedure

1. Check the error message during VLANIF interface creation.


Rectify the fault according to the error message. See Table 3-5.
Table 3-5 Fault rectification according to the error message

Message Cause Analysis and Check Solution


Method

52 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

Message Cause Analysis and Check Solution


Method

Error: The VLAN does not exist. The VLAN is not created on Run the vlan vlan-id
the device. command to create a VLAN
Run the display vlan corresponding to the
summary command to VLANIF interface and then
check whether the value of create a VLANIF interface.
the static vlan field is the
VLAN corresponding to the
VLANIF interface.

Error: The VLAN is used by The VLAN corresponding to Create a VLANIF interface
XXX. the VLANIF interfaces is a corresponding to another
dynamic, control, or VLAN.
NOTE: reserved VLAN.
XXX indicates a feature, such as SEP, Run the display vlan
or GVRP. summary command to
check whether the value of
the dynamic vlan or
reserved vlan field is the
VLAN corresponding to the
VLANIF interface.

2. If the fault persists, collect alarms and logs and contact Huawei technical support
personnel.

3.9.2  A VLANIF Interface Goes Down

Fault Symptom
A VLANIF interface goes Down.

Common Causes and Solutions


Table 3-6 describes common causes and solutions.
Table 3-6 Common causes and solutions

Common Cause Solution

The interface is not added to the VLAN. Run the following commands as required.
NOTE: Run the port default vlan vlan-id
command in the interface view to add an
The port trunk pvid vlan vlan-id command
only configures the PVID on a trunk interface,
access interface to a VLAN.
but does not add a trunk interface to a VLAN. Run the port trunk allow-pass vlan { {
The port hybrid pvid vlan vlan-id command vlan-id1 [ to vlan-id2 ] }&<1-10> | all }
only configures the PVID on a hybrid interface, command in the interface view to add a
but does not add a hybrid interface to a VLAN. trunk interface to a VLAN.
You can add a hybrid interface to a VLAN
in tagged or untagged mode.
Run the port hybrid tagged
vlan { { vlan-id1 [ to vlan-id2 ]
}&<1-10> | all } command to
add a hybrid interface to a
VLAN in tagged mode.

53 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

Common Cause Solution

Run the port hybrid untagged


vlan { { vlan-id1 [ to vlan-id2 ]
}&<1-10> | all } command to
add a hybrid interface to a
VLAN in untagged mode.

The physical status of all interfaces added to the Rectify this fault. A VLANIF interface goes Up as
VLAN is Down. long as one interface in the VLAN is Up.

No IP address is assigned to the VLANIF interface. Run the ip address command in the VLANIF
interface view to assign an IP address to the
VLANIF interface.

The VLANIF interface is shut down. Run the undo shutdown command in the VLANIF
interface view to start the VLANIF interface.

3.9.3  Users in a VLAN Cannot Communicate

Fault Symptom
Users in a VLAN cannot communicate.

Procedure

1. Check that the interfaces connected to user terminals are in Up state.


Run the display interface interface-type interface-number command in any view to
check the status of the interfaces.
If the interface is Down, rectify the interface fault.
If the interface is Up, go to 2.

2. Check whether the IP addresses of user terminals are on the same network segment. If
they are on different network segments, change the IP addresses of the user terminals to
be on the same network segment. If the fault persists, go to 3.
3. Check that the MAC address entry is correct.
Run the display mac-address command on the Router to check whether MAC addresses,
interfaces, and VLANs in the learned MAC address entries are correct. If the learned
MAC address entries are incorrect, run the undo mac-address mac-address vlan vlan-id
command in the system view to delete MAC address entries so that the Router can learn
MAC address entries again.

After the MAC address table is updated, check the MAC address entries again.
If the MAC address entries are incorrect, go to 4.
If the MAC address entries are correct, go to 5.

4. Check that the VLAN is properly configured.


Check the VLAN configuration according to the following table.

Check Item Method

54 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

Check Item Method

Whether the VLAN Run the display vlan vlan-id command in any view to check whether the
has been created VLAN has been created. If not, run the vlan command in the system
view to create the VLAN.

Whether the Run the display vlan vlan-id command in any view to check whether the
interfaces are added VLAN contains the interfaces. If not, add the interfaces to the VLAN.
to the VLAN
NOTE:
If the interfaces are located on different devices, add the interfaces connecting
the devices to the VLAN.
The default type of an interface is Hybrid. You can run the port link-type
command to change the link type of an interface.

Add an access interface to the VLAN by using either of the


following methods:
Run the port default vlan command in the interface
view.
Run the port command in the VLAN view.
Add a trunk interface to the VLAN.
Run the port trunk allow-pass vlan command in the interface
view.
Add a hybrid interface to the VLAN by using either of the
following methods:
Run the port hybrid tagged vlan command in the
interface view.
Run the port hybrid untagged vlan command in the
interface view.

Whether connections Correctly connect user terminals to device interfaces.


between interfaces
and user terminals
are correct

After the preceding operations, if the MAC address entries are correct, go to 5.
5. Check whether port isolation is configured.

Run the interface interface-type interface-number command in the system view to enter
the interface view, and then run the display this command to check whether port
isolation is configured on the interface.
If port isolation is not configured, go to 6.
If port isolation is configured, run the undo port-isolate enable command on
the interface to disable port isolation. If the fault persists, go to 6.

6. Check whether correct static Address Resolution Protocol (ARP) entries are configured
on the user terminals. If the static ARP entries are incorrect, modify them. Otherw, go to
7.
7. Collect logs and alarms and contact Huawei technical support personnel.

3.9.4  Directly Connected Devices Cannot Communicate

55 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

Fault Symptom
As shown in Figure 3-23, the IP address of VLANIF 10 on Router_2 cannot be pinged from
Router_1. Similarly, the IP address of VLANIF 10 on Router_1 cannot be pinged from Router_2.
Figure 3-23 Connected routers

Procedure

1. Check whether the VLANIF interface is Up.

Run the display interface vlanif vlan-id command on Router_1 and Router_2 and check
the current state and Line protocol current state fields.
If the value of any one of the two fields is DOWN, the VLANIF interface is
Down. Rectify this fault according to 3.9.2 A VLANIF Interface Goes Down.
If the value of the two fields is UP, the VLANIF interface is Up. Go to 2.

2. Check whether the connected Ethernet interfaces between devices join a VLAN.

Run the display vlan vlan-id command on Router_1 and Router_2 and check the
Interface field. Check whether the connected Ethernet interfaces exist in the VLAN.
If the connected Ethernet interfaces do not exist in the VLAN, add the
connected Ethernet interfaces to the VLAN.
If the connected Ethernet interfaces exist in the VLAN and at least one of them
joins the VLAN in untagged mode, change the untagged mode to tagged mode.
If none of the preceding configurations exists, go to 3.

3. Check whether the PVID values on the connected Ethernet interface between devices are
the same.

Run the display port vlan interface-type interface-number command on Router_1 and
Router_2 to check the PVID values.
If the PVID values are different, change them to be the same.
If the PVID values are the same, go to 4.

4. Collect logs and alarms and contact Huawei technical support personnel.

3.10  FAQ
This section describes the FAQ about VLAN technology.

3.10.1  How to Create and Delete VLANs in a Batch


Run the vlan batch command in the system view to create VLANs in a batch.
Create 10 contiguous VLANs: VLANs 11 to 20.
<Huawei> system-view
[Huawei] vlan batch 11 to 20

56 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

Create 10 incontiguous VLANs in a batch: VLAN 10, VLANs 15 to 19, VLAN


25, VLANs 28 to 30.
<Huawei> system-view
[Huawei] vlan batch 10 15 to 19 25 28 to 30

NOTE:
You can create a maximum of 10 incontiguous VLANs or VLAN range at one time. If there are more than
10 VLANs, run this command multiple times. For example, the vlan batch 10 15 to 19 25 28 to 30
command creates four incontiguous VLAN ranges.

Run the undo vlan batch command in the system view to delete VLANs in a batch.
Delete VLANs 10 to 20.
<Huawei> system-view
[Huawei] undo vlan batch 10 to 20

3.10.2  How to Add Interfaces to a VLAN in a Batch


You can add interfaces to a VLAN in a batch using a port group, and can directly add access
interfaces to a VLAN in a batch in the system view.

Access interface
# Add Eth2/0/1-Eth2/0/5 to VLAN 10 in a batch.
Add interfaces to a VLAN in a batch using a port group.
<Huawei> system-view
[Huawei] port-group pg1
[Huawei-port-group-pg1] group-member Ethernet 2/0/1 to Ethernet 2/0/5
[Huawei-port-group-pg1] port link-type access
[Huawei-port-group-pg1] port default vlan 10

Add interfaces to a VLAN in a batch in the VLAN view.


<Huawei> system-view
[Huawei] vlan 10
[Huawei-vlan10] port Ethernet 2/0/1 to 2/0/5

NOTE:
Before performing this operation, configure interfaces to be added to a VLAN as access interface.

Trunk interface
# Add Eth2/0/1-Eth2/0/5 to VLAN 10 and VLAN 20 in a batch.
<Huawei> system-view
[Huawei] port-group pg1
[Huawei-port-group-pg1] group-member Ethernet 2/0/1 to Ethernet 2/0/5
[Huawei-port-group-pg1] port link-type trunk
[Huawei-port-group-pg1] port trunk allow-pass vlan 10 20

Hybrid interface
# Add Eth2/0/1-Eth2/0/5 to VLAN 10 and VLAN 20 in a batch.
<Huawei> system-view
[Huawei] port-group pg1
[Huawei-port-group-pg1] group-member Ethernet 2/0/1 to Ethernet 2/0/5
[Huawei-port-group-pg1] port link-type hybrid
[Huawei-port-group-pg1] port hybrid tagged vlan 10

57 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

[Huawei-port-group-pg1] port hybrid untagged vlan 20

3.10.3  How to Restore the Default VLAN Configuration of an


Interface
The default VLAN configuration of an interface involves the default VLAN of the interface and the
VLAN that the interface joins. By default, the default VLAN of an interface is VLAN 1 and an
interface joins VLAN 1 in untagged mode.
Run the display this command in the interface view to check the link type of the interface, and
perform the following operations to restore the default VLAN configuration of the interface.

Restore the default VLAN configuration of an access interface.


<Huawei> system-view
[Huawei] interface ethernet 2/0/0
[Huawei-Ethernet2/0/0] undo port default vlan

Restore the default VLAN configuration of a trunk interface.


<Huawei> system-view
[Huawei] interface ethernet 2/0/0
[Huawei-Ethernet2/0/0] undo port trunk pvid vlan
[Huawei-Ethernet2/0/0] undo port trunk allow-pass vlan all
[Huawei-Ethernet2/0/0] port trunk allow-pass vlan 1

Restore the default VLAN configuration of a hybrid interface.


<Huawei> system-view
[Huawei] interface ethernet 2/0/0
[Huawei-Ethernet2/0/0] undo port hybrid pvid vlan
[Huawei-Ethernet2/0/0] undo port hybrid vlan all
[Huawei-Ethernet2/0/0] port hybrid untagged vlan 1

3.10.4  How to Change the Link Type of an Interface


The link type of an interface can be access, trunk, or hybrid. When an interface joins VLAN 1 by
default and the PVID of the interface is VLAN 1, you can run the port link-type { access | trunk |
hybrid } command to change the link type of the interface.

Change the link type of the interface to access.


<Huawei> system-view
[Huawei] interface Ethernet2/0/0
[Huawei-Ethernet2/0/0] port link-type access

Change the link type of the interface to trunk.


<Huawei> system-view
[Huawei] interface Ethernet2/0/0
[Huawei-Ethernet2/0/0] port link-type trunk

Change the link type of the interface to hybrid.


<Huawei> system-view
[Huawei] interface Ethernet2/0/0
[Huawei-Ethernet2/0/0] port link-type hybrid

NOTE:
The default VLAN configuration of an interface involves the default VLAN of the interface and the VLAN that the
interface joins. By default, the default VLAN of an interface is VLAN 1 and an interface joins VLAN 1 in untagged
mode.
Run the display this command in the interface view to check the link type of the interface, and perform the following

58 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

operations to restore the default VLAN configuration of the interface.

Restore the default VLAN configuration of an access interface.


<Huawei> system-view
[Huawei] interface Ethernet 2/0/0
[Huawei-Ethernet2/0/0] undo port default vlan

Restore the default VLAN configuration of a trunk interface.


<Huawei> system-view
[Huawei] interface Ethernet 2/0/0
[Huawei-Ethernet2/0/0] undo port trunk pvid vlan
[Huawei-Ethernet2/0/0] undo port trunk allow-pass vlan all
[Huawei-Ethernet2/0/0] port trunk allow-pass vlan 1

Restore the default configuration of a hybrid interface.


<Huawei> system-view
[Huawei] interface Ethernet 2/0/0
[Huawei-Ethernet2/0/0] undo port hybrid pvid vlan
[Huawei-Ethernet2/0/0] undo port hybrid vlan all
[Huawei-Ethernet2/0/0] port hybrid untagged vlan 1

3.10.5  How to Verify That an Interface Is Added to a VLAN


Run the display vlan vlan-id command and verify that the interface is listed in the command
output.
For example, interface Ethernet2/0/0 is added to VLAN 10.
<Huawei> display vlan 10
* : management-vlan
---------------------
VLAN ID Type Status MAC Learning Broadcast/Multicast/Unicast Property
--------------------------------------------------------------------------------
10 common enable enable forward forward forward default
-------------------
Untagged Port: Ethernet2/0/0
-------------------
Active Untag Port: Ethernet2/0/0
-------------------
Interface Physical
Ethernet2/0/0 UP

3.10.6  How to Rapidly Query the Link Types, Default VLANs, and
Allowed VLANs of All Interfaces
Run the display port vlan command to check the link types and default VLANs of all interfaces.
<Huawei> display port vlan
Port Link Type PVID Trunk VLAN List
-------------------------------------------------------------------------------
Eth-Trunk1 hybrid 1 -
Eth-Trunk63 hybrid 1 -
Ethernet2/0/0 trunk 1 1-4094
Ethernet2/0/1 access 1 -
Ethernet2/0/2 hybrid 1 2-100
Ethernet2/0/3 trunk 1 1
Ethernet2/0/4 hybrid 1 -
Ethernet2/0/5 hybrid 1 -
Ethernet2/0/6 hybrid 1 -
Ethernet2/0/7 hybrid 1 -

The Link Type field indicates the link type of an interface, the PVID field indicates the default

59 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

VLAN, and the Trunk VLAN List field indicates the list of VLANs allowed by a trunk interface or
VLANs that hybrid interfaces join in tagged mode. The value is displayed as - if the link type of the
interface is access or the hybrid interface does not join the VLAN in tagged mode.

3.10.7  Can Multiple Network Segments Be Configured in a VLAN


Hosts on multiple network segments in the same VLAN can communicate by configure the primary
and secondary IP addresses for a VLANIF interface.
As shown in Figure 3-24, Host_1 and Host_2 in VLAN 10 belong to 10.1.1.1/24 and 10.1.2.1/24
respectively. The two hosts need to communicate.
Figure 3-24 Communication for hosts on multiple network segments in the same VLAN

Configure the Router.


[Router] interface ethernet 2/0/1
[Router-Ethernet2/0/1] port link-type access
[Router-Ethernet2/0/1] port default vlan 10
[Router-Ethernet2/0/1] quit
[Router] interface ethernet 2/0/2
[Router-Ethernet2/0/2] port link-type access
[Router-Ethernet2/0/2] port default vlan 10
[Router-Ethernet2/0/2] quit
[Router] interface vlanif 10
[Router-Vlanif10] ip address 10.1.1.1 24
[Router-Vlanif10] ip address 10.1.2.1 24 sub
[Router-Vlanif10] quit

After the preceding configurations are performed, Host_1 and Host_2 can communicate.

3.11  References
This section lists the reference for VLAN technology.
The following table lists the references of this document.

Document Description Remarks

RFC 3069 VLAN Aggregation for -


Efficient IP Address
Allocation

IEEE 802.1Q IEEE Standards for Local and -


Metropolitan Area Networks:
Virtual Bridged Local Area
Networks

60 de 61 20/11/2017 08:45
VLAN Configuration http://support.huawei.com/enterprise/docinforeader!loadDocument1.ac...

Document Description Remarks

IEEE 802.1ad IEEE Standards for Local and -


Metropolitan Area Networks:
Virtual Bridged Local Area
Networks— Amendment 4

IEEE 802.10 IEEE Standards for Local and -


Metropolitan Area Networks:
Standard for Interoperable
LAN/MAN Security

YD/T 1260-2003 Technical and Testing -


Specification of Virtual LAN
Based on Port

61 de 61 20/11/2017 08:45