01-04 VLAN Configuration
Uploaded by
Roberto Enrique01-04 VLAN Configuration
Uploaded by
Roberto EnriqueS300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
4 VLAN Configuration
4.1 Overview of VLANs
4.2 Understanding VLANs
4.3 Application Scenarios for VLANs
4.4 Summary of VLAN Configuration Tasks
4.5 Licensing Requirements and Limitations for VLANs
4.6 Default Settings for VLANs
4.7 Configuring VLANs
4.8 Maintaining VLAN
4.9 Configuration Examples for VLANs
4.10 Troubleshooting VLANs
4.11 FAQ About VLANs
4.1 Overview of VLANs
Definition
Virtual Local Area Networks (VLANs) are used to divide a physical LAN into
multiple broadcast domains to isolate services with the aim of improving the
security and management of the network.
Purpose
In the early stage, an Ethernet network implements data communication over
shared media based on Carrier Sense Multiple Access with Collision Detection
(CSMA/CD). When an Ethernet network has a large number of hosts, both
collisions and broadcast storms become a serious problem, affecting network
performance and in some cases causing the network to completely break down.
Although using switches to connect LANs can prevent collisions, they cannot
isolate broadcast packets or improve network quality.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 173
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
A physical LAN can be logically segmented into multiple VLANs to isolate
broadcast domains. Hosts within a VLAN can directly communicate only with
other hosts in the same VLAN and must use a router to communicate with hosts
in other VLANs.
Figure 4-1 VLAN networking
Figure 4-1 shows a simple VLAN networking environment. Two switches are
deployed in different locations (for example, on different floors of a building).
Each switch is connected to two PCs belonging to different VLANs, which may
belong to different entities or companies.
Benefits
VLANs offer the following benefits:
● Limit the scope of broadcast domains: The scope of broadcast domains is
limited to conserve bandwidth and improve network efficiency.
● Enhance LAN security: Packets from different VLANs are transmitted
separately, preventing hosts in a VLAN from communicating directly with
hosts in another VLAN.
● Improve network robustness: A fault in one VLAN does not affect hosts in
other VLANs.
● Allow for flexible groups: By leveraging VLANs, it is possible to group hosts in
different geographical locations, simplifying network construction and
maintenance.
4.2 Understanding VLANs
4.2.1 VLAN Tags
Definition and Function
A switch identifies packets from different VLANs according to the information
contained in its VLAN tags. IEEE 802.1Q adds a 4-byte VLAN tag between the
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 174
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
Source/Destination MAC address and Length/Type fields of an Ethernet frame, as
shown in Figure 4-2.
Figure 4-2 IEEE 802.1Q-tagged frame format
A VLAN tag contains four fields. Table 4-1 describes the fields.
Table 4-1 Fields in a VLAN tag
Field Leng Description Value
th
TPID 2 Tag Protocol Identifier The value 0x8100 indicates an
bytes (TPID), indicating the frame 802.1Q-tagged frame. An 802.1Q-
type. incapable device discards the
802.1Q frames.
IEEE 802.1Q defines the value of
the field as 0x8100. However,
vendors can define their own TPID
values and users can then modify
the value to realize
interconnection of devices from
different vendors.
PRI 3 bits Priority (PRI), indicating the The value is in the range from 0
frame 802.1p priority. to 7. A larger value indicates a
higher priority. If congestion
occurs, the switch sends packets
with higher priorities first.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 175
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
Field Leng Description Value
th
CFI 1 bit Canonical Format Indicator The value 0 indicates that the
(CFI), indicating whether a MAC address is encapsulated in
MAC address is canonical format, and the value 1
encapsulated in canonical indicates that the MAC address is
format over different encapsulated in non-canonical
transmission media. CFI is format. The CFI field has a fixed
used to ensure compatibility value of 0 on Ethernet networks.
between Ethernet and
token ring networks.
VID 12 VLAN ID (VID), indicating The VLAN ID is in the range from
bits the VLAN to which a frame 0 to 4095. The values 0 and 4095
belongs. are reserved, and therefore
available VLAN IDs are in the
range from 1 to 4094.
VLAN Tags in Received and Sent Frames
The following are the two types of Ethernet frames in a VLAN:
● Tagged frame: frame with a 4-byte VLAN tag
● Untagged frame: frame without a 4-byte VLAN tag
Common devices process tagged and untagged frames as follows:
● User hosts, servers, hubs, and unmanaged switches can only receive and send
untagged frames.
● Switches, routers, and ACs can receive and send both tagged and untagged
frames.
● Voice terminals and APs can receive and send either tagged or untagged
frames of only one VLAN.
All frames processed on a switch carry VLAN tags to improve frame processing
efficiency.
4.2.2 Interface Types
All frames processed on a switch carry VLAN tags, but some devices connected to
a switch cannot process tagged frames. To enable communication between the
switch and these devices, the switch interfaces must be able to identify whether
an Ethernet frame is tagged, and then decide whether to add VLAN tags to or
remove VLAN tags from the frames. Hosts in the same VLAN may be connected to
different switches, in which case the VLAN spans multiple switches. To enable
communication between these hosts, interfaces between switches must be able to
identify and send frames of multiple VLANs.
Huawei network devices can be configured with four types of interfaces: access,
trunk interface, hybrid interface, and QinQ interface. The four interface types
process frames differently and therefore the interface that should be configured
depends on what the interface connects to (for example, whether it connects to a
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 176
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
host or another switch). Figure 4-3 shows the access interface, trunk interface,
and hybrid interface.
Figure 4-3 Interface types
The following describes each type of interface in more detail:
● Access interface
An access interface often connects to a user terminal such as a user host or
server that cannot identify VLAN tags, or is used when VLANs do not need to
be differentiated. In most cases, access interfaces can only receive and send
untagged frames, and can add only a unique VLAN tag to untagged frames.
The default VLAN must be configured so that access interfaces can add a
VLAN tag to data frames. The access interface is then added to the default
VLAN. If the VLAN ID (VID) and default port VLAN ID (PVID) are the same in
tagged frames, access interfaces can receive and process the tagged frames. If
a user connects a switch to a user-side interface without permission, the user-
side interface may receive tagged frames. To prevent unauthorized access
from such users, you can configure the user-side interface to discard tagged
frames.
● Trunk interface
A trunk interface often connects to a switch, a router, an AP, or a voice
terminal that can receive and send both tagged and untagged frames. It
allows tagged frames from multiple VLANs and untagged frames from only
one VLAN to pass through.
● Hybrid interface
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 177
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
A hybrid interface can connect to a user terminal (such as a user host or
server) or network device (such as a hub or an unmanaged switch) that
cannot identify VLAN tags, and also can connect to a switch, a router, an AP,
or a voice terminal that can receive and send both tagged and untagged
frames. It allows tagged frames from multiple VLANs to pass through.
Whether frames sent out from a hybrid interface are tagged or untagged
depends on the VLAN configuration.
Hybrid and trunk interfaces can be interchanged in some scenarios, but only
hybrid interfaces can be used in other scenarios. For example, in the selective
QinQ scenario, before packets from multiple VLANs provided by a service
provider enter a user network, the outer VLAN tags must be removed. The
trunk interface cannot be used here because the trunk interface allows only
untagged packets from the default VLAN of the interface. For details about
selective QinQ scenario, see 9.7 Configuring Selective QinQ in "VLAN
Mapping Configuration".
● QinQ interface
An 802.1Q-in-802.1Q (QinQ) interface often connects a private network to a
public network. It can add an additional 802.1Q tag to a tagged frame. QinQ
supports up to 4094 x 4094 VLANs, offering sufficient VLANs required by
networks. The outer tag is often called the public tag and identifies the VLAN
ID of the public network, whereas the inner tag is often called the private tag
and identifies the VLAN ID of the private network. A QinQ interface is also
called a Dot1q-tunnel interface.
For details about the QinQ interface, see 9.2.1 QinQ Fundamentals.
There are two main types of Ethernet links: access links (transmit untagged
frames) and trunk links (transmit tagged frames). The two link types differ in the
number of VLANs they can carry traffic for: an access link can carry traffic for only
one VLAN, and therefore usually connects a switch to a user terminal, such as a
host, a server, or an unmanaged switch; a trunk link can carry traffic for multiple
VLANs, and as such usually connects a switch to another switch or a router.
4.2.3 Default VLAN
The default VLAN ID of an interface is called the port default VLAN ID (PVID).
Frames processed on a switch all carry VLAN tags. Whether the VLAN tags are
added or removed depends on whether the frame is tagged or untagged, and
whether the frame has the same VLAN ID as the interface's PVID. The details are
as follows:
● When an interface receives an untagged frame, the switch adds a tag with
the PVID to the frame and processes the frame. When an interface receives a
tagged frame, the switch does not add a tag with the PVID to the frame.
● When an interface sends a frame in which the VLAN ID is the same as the
PVID, the switch removes the tag from the frame before sending it out from
the interface.
Each interface has a default VLAN. By default, the default VLAN ID of all
interfaces is VLAN 1. The following describes the effect of changing the default
VLAN ID on different interface types:
● The default VLAN of an access interface is the VLAN allowed by the access
interface. Changing the allowed VLAN of an access interface will change its
default VLAN.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 178
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
● Trunk and hybrid interfaces allow multiple VLANs but have only one default
VLAN. Changing the allowed VLANs will not change the default VLAN.
4.2.4 Adding and Removing VLAN Tags
Ethernet data frames are tagged or untagged based on the interface type and
default VLAN. The following describes how access, trunk, and hybrid interfaces
process data frames.
NOTE
A QinQ interface adds an additional tag to a tagged frame. For details, see 9 QinQ
Configuration.
Access Interface
Figure 4-4 and Figure 4-5 show how an access interface adds and removes VLAN
tags.
Figure 4-4 Adding VLAN tags on an access interface
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 179
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
Figure 4-5 Removing VLAN tags on an access interface
Trunk Interface
Figure 4-6 and Figure 4-7 show how a trunk interface adds and removes VLAN
tags.
Figure 4-6 Adding VLAN tags on a trunk interface
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 180
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
Figure 4-7 Removing VLAN tags on a trunk interface
Hybrid Interface
Figure 4-8 and Figure 4-9 show how a hybrid interface adds and removes VLAN
tags.
Figure 4-8 Adding VLAN tags on a hybrid interface
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 181
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
Figure 4-9 Removing VLAN tags on a hybrid interface
Frame Processing Comparison
Table 4-2 Frame processing comparison
Interfa Untagged Frame Tagged Frame Frame
ce Processing Processing Transmission
Type
Access Receives an untagged ● Accepts the tagged After the PVID tag
frame and adds a tag frame if the frame's is removed, the
with the default VLAN VLAN ID matches frame is
ID to the frame. the default VLAN transmitted.
ID.
● Discards the tagged
frame if the frame's
VLAN ID differs
from the default
VLAN ID.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 182
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
Interfa Untagged Frame Tagged Frame Frame
ce Processing Processing Transmission
Type
Trunk ● Adds a tag with the ● Accepts a tagged ● If the frame's
default VLAN ID to frame if the VLAN VLAN ID
the untagged frame ID carried in the matches the
and then transmits frame is permitted default VLAN ID
it if the default by the interface. and the VLAN
VLAN ID is ● Discards a tagged ID is permitted
permitted by the frame if the VLAN by the interface,
interface. ID carried in the the device
● Adds a tag with the frame is denied by removes the tag
default VLAN ID to the interface. and transmits
the untagged frame the frame.
and then discards it ● If the frame's
if the default VLAN VLAN ID differs
ID is denied by the from the
interface. default VLAN
ID, but the
VLAN ID is still
permitted by
the interface,
the device will
directly transmit
the frame.
Hybrid ● Adds a tag with the ● Accepts a tagged If the frame's
default VLAN ID to frame if the VLAN VLAN ID is
an untagged frame ID carried in the permitted by the
and accepts the frame is permitted interface, the
frame if the by the interface. frame is
interface permits ● Discards a tagged transmitted. The
the default VLAN ID. frame if the VLAN interface can be
● Adds a tag with the ID carried in the configured
default VLAN ID to frame is denied by whether to
an untagged frame the interface. transmit frames
and discards the with tags.
frame if the
interface denies the
default VLAN ID.
Based on the preceding table, an access interface can send only untagged frames;
a trunk interface can send untagged frames of only one VLAN and send tagged
frames of other VLANs; a hybrid interface sends tagged or untagged frames,
depending on the VLAN configuration.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 183
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
4.2.5 LNP
Definition
Link-type Negotiation Protocol (LNP) dynamically negotiates the link type of an
Ethernet interface. The negotiated link type affects the VLAN the interface joins,
which is described as follows:
● When the link type on an Ethernet interface is negotiated as access, the
interface joins VLAN 1 by default.
● When the link type on an Ethernet interface is negotiated as trunk, the
interface joins a VLAN in the range from VLAN 1 to VLAN 4094 by default.
Background
The switch supports the following link types on an Ethernet interface: access,
hybrid, trunk, and QinQ. The four link types are applicable to different network
deployments and are manually specified. When the network topology changes,
link types of Ethernet interfaces also need to be reconfigured. If this is done
manually, configuration is time-consuming and complex. To simplify configuration,
LNP supports auto-negotiation of the link types on Ethernet interfaces and allows
Ethernet interfaces to join VLANs through auto-negotiation. This eliminates the
need to manually configure link types of Ethernet interfaces, reducing the
workload.
Implementation
When Layer 2 devices on the network shown in Figure 4-10 are successfully
connected, the physical status of their interfaces becomes Up. After LNP
negotiation is complete, user-side interfaces on Switch4, Switch5, Switch6, and
Switch7 join VLAN 1 as access interfaces, and interfaces between switches become
trunk interfaces that allow all VLANs.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 184
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
Figure 4-10 Typical LNP networking
● After LNP is enabled, LNP negotiation is triggered in the following situations:
– The local device receives LNP packets from the remote device.
– The local interface type or interface status changes.
In addition to access, hybrid, trunk, and QinQ, LNP provides the following
interface types:
– negotiation-desirable: The local device actively sends LNP packets.
– negotiation-auto: The local device does not actively send LNP packets.
NOTE
An interface that is negotiated as a trunk interface allows all VLANs by default;
therefore, a loop prevention protocol (for example, STP, RSTP, MSTP, or VBST) needs to
be deployed to prevent loops.
If a loop prevention protocol is deployed on a Layer 2 network, LNP negotiation can
succeed even on a blocked interface.
● LNP negotiation
The link type of the remote Layer 2 Ethernet interface determines the
negotiation result. Table 4-3 describes LNP negotiation results on a Layer 2
interface in Up state.
NOTE
● If the two ends of an Eth-Trunk link have different numbers of member interfaces,
the LNP negotiation may fail.
● If the link type of the Layer 2 Ethernet interface is set to access, hybrid, trunk, or
QinQ, LNP negotiation does not take effect on the interface.
● If the negotiation fails, the link type of an interface will be set to access.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 185
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
Table 4-3 LNP negotiation
Local LNP Remote Link Type or Negotiated Status of
Negotiation LNP Negotiation Local Link Remote Link
Mode Mode Type Type
negotiation- Access (LNP Access Access
desirable/ negotiation enabled)
negotiation-auto
Hybrid (LNP Trunk Hybrid
negotiation enabled)
QinQ (LNP Access QinQ
negotiation enabled)
Trunk (LNP Trunk Trunk
negotiation enabled)
LNP negotiation not Access Uncertain
supported or disabled
negotiation- negotiation- Trunk Trunk
desirable desirable
negotiation- negotiation-auto Trunk Trunk
desirable
negotiation-auto negotiation-auto Access Access
LNP negotiation depends on communication between both ends. When the
communication is delayed, the link type may be incorrectly negotiated. After
three rounds of communication are complete, the link type is in stable
negotiation state. Otherwise, the link type of the interface stays in
negotiation state. Before the link type enters the stable negotiation state, the
interface is in blocking state and does not forward packets. This prevents
forwarding errors.
The VLAN Central Management Protocol (VCMP) domain name affects LNP
negotiation. The link type can be negotiated as trunk only when domain
names at both ends are consistent or the domain name of at least one end is
empty; otherwise, the link type is negotiated as access.
4.2.6 VLAN Assignment
VLAN Assignment Modes
VLANs can be assigned based on interfaces, MAC addresses, policies, IP subnets,
and protocols. Table 4-4 compares different VLAN assignment modes.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 186
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
Table 4-4 VLAN assignment modes
VLAN Implementation Advantage and Usage Scenario
Assignm Disadvantage
ent
Mode
Interface VLANs are Advantage: Networks of
-based assigned based on It is simple to define VLAN any scale and
VLAN interfaces. members. with devices at
assignm A network fixed locations
ent Disadvantage:
administrator
preconfigures a The network administrator
PVID for each needs to reconfigure VLANs
interface on a when VLAN members
switch. When an change.
untagged frame
arrives at an
interface, the
switch adds the
PVID of the
interface to the
frame. The frame
is then transmitted
in the VLAN
specified by the
PVID.
MAC VLANs are Advantage: Small-scale
address- assigned based on When physical locations of networks where
based source MAC users change, the network user terminals
assignm addresses of administrator does not need often change
ent frames. to reconfigure VLANs for the physical
A network users. This improves security locations but
administrator and access flexibility on a their NICs
preconfigures network. seldom change,
mappings between for example,
Disadvantage: mobile
MAC addresses
and VLAN IDs. The network administrator computers
When receiving an must predefine VLANs for all
untagged frame, members on a network.
the switch adds
the VLAN tag
mapping the MAC
address of the
frame to the
frame. Then the
frame is
transmitted in the
specified VLAN.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 187
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
VLAN Implementation Advantage and Usage Scenario
Assignm Disadvantage
ent
Mode
IP VLANs are Advantage: Scenarios where
subnet- assigned based on ● When physical locations there are high
based source IP of users change, the requirements
VLAN addresses and network administrator for mobility and
assignm subnet masks. does not need to simplified
ent A network reconfigure VLANs for the management
administrator users. and low
preconfigures requirements
● This mode reduces for security. For
mappings between communication traffic
IP addresses and example, this
and allows a broadcast mode can be
VLAN IDs. When domain to span multiple
receiving an used if a PC
switches. with multiple IP
untagged frame,
the switch adds Disadvantage: addresses needs
the VLAN tag to Users must be distributed to access
the frame regularly and multiple users servers on
according to the are on the same network different
preconfigured segment. network
mappings. Then segments or a
the frame is PC needs to join
transmitted in the a new VLAN
specified VLAN. automatically
after the PC's IP
address
changes.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 188
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
VLAN Implementation Advantage and Usage Scenario
Assignm Disadvantage
ent
Mode
Protocol VLANs are Advantage: Networks using
-based assigned based on This mode binds service multiple
VLAN protocol (suite) types to VLANs, facilitating protocols
assignm types and management and
ent encapsulation maintenance.
formats of frames.
Disadvantage:
A network
administrator ● The network
preconfigures administrator must
mappings between preconfigure mappings
protocol types and between all protocol
VLAN IDs. When types and VLAN IDs.
receiving an ● The switch needs to
untagged frame, analyze protocol address
the switch adds formats and convert the
the VLAN tag to formats, which consumes
the frame excessive resources.
according to the Therefore, this mode
preconfigured slows down switch
mappings. The response time.
frame is then
transmitted in the
specified VLAN.
Policy- VLANs are Advantage: Complex
based assigned based on ● This mode provides high networks
VLAN policies such as security. MAC addresses
assignm combinations of or IP addresses of users
ent interfaces, MAC who have been bound to
(MAC addresses, and IP VLANs cannot be
addresse addresses. changed.
s, IP A network
addresse ● The network
administrator administrator can flexibly
s, and preconfigures
interface select which policies to
policies. When use according to the
s) receiving an management mode and
untagged frame requirements.
that matches a
configured policy, Disadvantage:
the switch adds a Each policy needs to be
specified VLAN tag manually configured.
to the frame. The
frame is then
transmitted in the
specified VLAN.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 189
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
Priorities of VLAN Assignment Modes
If incoming untagged frames match multiple VLAN assignment modes, the VLAN
assignment modes are selected in the following order of priority (from high to
low): policy-based VLAN assignment > MAC address-based or IP subnet-based
VLAN assignment > protocol-based VLAN assignment > interface-based VLAN
assignment.
● If frames match both MAC address-based and IP subnet-based VLAN
assignment modes, MAC address-based VLAN assignment is used by default.
You can change priorities of the two VLAN assignment modes to select a
preferred VLAN assignment mode for packets.
● Interface-based VLAN assignment has the lowest priority but is the most
commonly used.
Figure 4-11 illustrates the matching sequence of VLAN assignment modes.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 190
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
Figure 4-11 Matching sequence of VLAN assignment modes
4.2.7 Intra-VLAN Communication
Packets transmitted between users in a VLAN go through three phases:
● Packet transmission from the source host
Before sending a frame, the source host compares its IP address with the
destination IP address. If the two IP addresses are on the same network
segment, the source host obtains the MAC address of the destination host
and fills the destination MAC address of the frame with the obtained MAC
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 191
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
address. If the two IP addresses are on different network segments, the frame
needs to be forwarded by the gateway. The source host obtains the gateway's
MAC address, and uses it as the destination MAC address to send the frame
to the gateway.
● Ethernet switching in a switch
The following describes how the switch determines whether to forward a
received frame at Layer 2 or Layer 3 based on the information in the
destination MAC address, VLAN ID, and Layer 3 forwarding bit:
– If the destination MAC address and VLAN ID of the frame match a MAC
address entry of the switch and the Layer 3 forwarding bit is set, the
switch searches for a Layer 3 forwarding entry based on the destination
IP address. If no entry is found, the switch sends the frame to the CPU.
The CPU then searches for a route to forward the frame at Layer 3.
– If the destination MAC address and VLAN ID of the frame match a MAC
address entry but the Layer 3 forwarding bit is not set, the switch directly
forwards the frame from the outbound interface specified in the
matching MAC address entry.
– If the destination MAC address and VLAN ID of the frame do not match
any MAC address entry, the switch broadcasts the frame to all the
interfaces allowing the VLAN specified in the VID to obtain the MAC
address of the destination host.
For details about Layer 2 and Layer 3 switching, see 1.3.1 Layer 2 Switching
and 1.3.2 Layer 3 Switching.
● Adding and removing VLAN tags during the exchange between devices (for
example, between a switch and a user host, another switch, or another
network device)
The switch needs to add or remove VLAN tags according to the interface
setting to communicate with other network devices. For details on how VLAN
tags are added and removed on different types of interfaces, see 4.2.4 Adding
and Removing VLAN Tags.
After VLANs are assigned, broadcast packets are forwarded at Layer 2 in the same
VLAN. That is, users in the same VLAN can directly communicate at Layer 2. There
are two intra-VLAN communication scenarios depending on whether hosts in the
same VLAN connect to the same or multiple switches.
Among the interfaces that have been added to a VLAN, broadcast packets can be
sent to unauthenticated interfaces.
Intra-VLAN Communication Through the Same Switch
As shown in Figure 4-12, Host_1 and Host_2 connect to the same switch, belong
to VLAN 2, and are located on the same network segment. The interfaces
connected to Host_1 and Host_2 are access interfaces.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 192
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
Figure 4-12 Intra-VLAN communication through the same switch
When Host_1 sends a packet to Host_2, the packet is transmitted as follows
(assuming that no forwarding entry exists on the switch):
1. Host_1 determines that the destination IP address is on the same network
segment as its IP address, and therefore broadcasts an ARP Request packet to
obtain the MAC address of Host_2. The ARP Request packet carries the all-F
destination MAC address and destination IP address of 10.1.1.3 (Host_2's IP
address).
2. When the packet reaches IF_1 on the Switch, the Switch detects that the ARP
Request packet is untagged and adds VLAN 2 (PVID of IF_1) to the packet.
The Switch then adds the mapping between the source MAC address, VLAN
ID, and interface (1-1-1, 2, IF_1) to its MAC address table.
3. The Switch does not find a MAC address entry matching the destination MAC
address and VLAN ID of the ARP Request packet, so it broadcasts the ARP
Request packet to all interfaces that allow VLAN 2 (IF_2 in this example)
except to the interface that it received the packet on.
4. Before sending the ARP Request packet, IF_2 on the Switch removes the tag
with VLAN 2 from the packet.
5. Host_2 receives the ARP Request packet and records the mapping between
the MAC address and IP address of Host_1 in the ARP table. Then Host_2
compares the destination IP address with its own IP address. If they are the
same, Host_2 sends an ARP Reply packet. The ARP Reply packet carries
Host_2's MAC address of 2-2-2 and Host_1's IP address of 10.1.1.2 as the
destination IP address.
6. After receiving the ARP Reply packet, IF_2 on the Switch tags the packet with
VLAN 2.
7. The Switch adds the mapping between the source MAC address, VLAN ID, and
interface (2-2-2, 2, IF_2) to its MAC address table, and then searches for an
entry in its MAC address table based on the destination MAC address and
VLAN ID (1-1-1, 2). The entry is found because the mapping has been
recorded (see step 5). The Switch forwards the ARP Reply packet to IF_1.
8. Before forwarding the ARP Reply packet to IF_1, the Switch removes the tag
with VLAN 2 from the packet.
9. Host_1 receives the ARP Reply packet and records the mapping between the
MAC address and IP address of Host_2 in the ARP table.
Host_1 and Host_2 have now learned the MAC address of each other. In
subsequent communication, they can fill the destination MAC address fields of
packets with each other's MAC address.
In the preceding networking, if hosts in the same VLAN are on different network
segments, they encapsulate the gateway's MAC address into packets. If the Switch
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 193
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
is a Layer 2 switch, hosts cannot communicate. If the Switch is a Layer 3 switch,
hosts can communicate through VLANIF interfaces (with primary and secondary IP
addresses configured). The principles are similar to those in Inter-VLAN
Communication Through the Same Switch, and are not described in detail here.
Intra-VLAN Communication Through Multiple Switches
As shown in Figure 4-13, Host_1 and Host_2 connect to different switches, belong
to VLAN 2, and are located on the same network segment. The switches are
connected using a trunk link over which frames can be identified and sent
between switches.
Figure 4-13 Intra-VLAN communication through multiple switches
When Host_1 sends a packet to Host_2, the packet is transmitted as follows
(assuming that no forwarding entry exists on Switch_1 and Switch_2):
1. The first two steps are the same as steps 1 and 2 in Intra-VLAN
Communication Through the Same Switch and are not repeated here. After
the two steps are complete, Host_1 broadcasts the ARP Request packet to
IF_2 on Switch_1.
2. IF_2 on Switch_1 transparently transmits the ARP Request packet to IF_2 on
Switch_2 without removing the tag of the packet (also known as transparent
transmission), because the VLAN ID of the packet is different from the PVID
of IF_2 on Switch_1.
3. After receiving the ARP Request packet, IF_2 on Switch_2 determines that
VLAN 2 is an allowed VLAN and accepts the packet.
4. The next four steps are the same as steps 3 to 6 in Intra-VLAN
Communication Through the Same Switch and are not repeated here. After
these steps are complete, Switch_2 forwards the ARP Reply packet of Host_2
to IF_2. IF_2 on Switch_2 transparently transmits the ARP Reply packet to IF_2
on Switch_1, because IF_2 is a trunk interface and its PVID is different from
the VLAN ID of the packet.
5. After receiving the ARP Reply packet, IF_2 on Switch_1 determines that VLAN
2 is an allowed VLAN and accepts the packet. Subsequent steps are the same
as steps 7 to 9 in Intra-VLAN Communication Through the Same Switch
and are not repeated here.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 194
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
In addition to transmitting frames from multiple VLANs, a trunk link can
transparently transmit frames.
In the preceding networking, if hosts in the same VLAN are on different network
segments and Switch_1 or Switch_2 is a Layer 2 switch, hosts cannot
communicate. If Switch_1 or Switch_2 is a Layer 3 switch, hosts can communicate
through VLANIF interfaces. The principles are similar to those in Inter-VLAN
Communication Through the Same Switch, and are not mentioned here.
4.2.8 Inter-VLAN Communication
VLAN isolates broadcast domains, meaning broadcast packets are only forwarded
in the same VLAN. That is, hosts in different VLANs cannot communicate at Layer
2. In real-world applications, hosts in different VLANs often need to communicate,
which requires inter-VLAN communication.
Inter-VLAN communication goes through the same three phases as intra-VLAN
communication described in 4.2.7 Intra-VLAN Communication: packet
transmission from the source host, Ethernet switching in a switch, and adding and
removing VLAN tags during the exchange between devices. Users in different
VLANs can communicate with each other using the Layer 3 routing or VLAN
translation technology.
Inter-VLAN Communication Technologies
Huawei provides the following technologies to implement inter-VLAN
communication (VLANIF interface and Dot1q termination sub-interface are the
two most commonly used):
● VLANIF interface
A VLANIF interface is a Layer 3 logical interface that can be used to
implement inter-VLAN Layer 3 communication.
It is simple to configure a VLANIF interface, so this is the most commonly
used method for inter-VLAN communication. Each VLAN corresponds to a
VLANIF interface. After an IP address is configured for a VLANIF interface, the
VLANIF interface is used as the gateway of the VLAN and forwards packets
across network segments at Layer 3. However, a VLANIF interface needs to be
configured for each VLAN and each VLANIF interface requires an IP address,
wasting IP addresses.
In some scenarios, you need to configure multiple IP addresses for a VLANIF
interface. For example, a switch connects to a physical network only through
one interface but hosts on the physical network belong to different network
segments. To enable the switch to communicate with all hosts on the physical
network, you need to configure a primary IP address and multiple secondary
IP addresses for this interface.
● Dot1q termination sub-interface
A sub-interface is also a Layer 3 logical interface that can be used to
implement inter-VLAN Layer 3 communication.
A Dot1q termination sub-interface applies to scenarios where a Layer 3
Ethernet interface connects to multiple VLANs. In such a scenario, data flows
from different VLANs preempt bandwidth of the primary Ethernet interface;
therefore, the primary Ethernet interface may become a bottleneck when the
network is busy.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 195
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
For details about the Dot1q termination sub-interface, see 7 VLAN
Termination Configuration.
VLANIF interfaces require that users in VLANs be located on different network
segments. (When hosts are located on the same network segment, a host
encapsulates the destination host's MAC address in packets. The device determines
that packets should be forwarded at Layer 2. Layer 2 switching is performed only
in the same VLAN, and broadcast packets cannot reach different VLANs. In this
case, the device cannot obtain the destination host's MAC addresses and therefore
cannot forward packets to the destination host.) On a network, VLAN aggregation
can allow hosts on the same network segment in different VLANs to
communicate.
VLAN aggregation, also known as super-VLAN, associates a super-VLAN with
multiple sub-VLANs. The sub-VLANs share the IP address of the super-VLAN as the
gateway IP address to implement Layer 3 communication with an external
network. Proxy ARP can be enabled between sub-VLANs to implement Layer 3
communication between sub-VLANs. VLAN aggregation conserves IP addresses in
inter-VLAN Layer 3 communication.
VLAN aggregation applies to scenarios where multiple VLANs share a gateway. For
details about VLAN aggregation, see 5 VLAN Aggregation Configuration.
Inter-VLAN Communication Through the Same Switch
As shown in Figure 4-14, Host_1 (source host) and Host_2 (destination host)
connect to the same Layer 3 switch, are located on different network segments,
and belong to VLAN 2 and VLAN 3, respectively. After VLANIF 2 and VLANIF 3 are
created on the switch and allocated IP addresses, the default gateway addresses of
the hosts are set to IP addresses of the VLANIF interfaces.
Figure 4-14 Using VLANIF interfaces to implement inter-VLAN communication
through the same switch
When Host_1 sends a packet to Host_2, the packet is transmitted as follows
(assuming that no forwarding entry exists on the switch):
1. Host_1 determines that the destination IP address is on a different network
segment from its own IP address, and therefore sends an ARP Request packet
to request the gateway MAC address. The ARP Request packet carries the
destination IP address of 10.1.1.1 (gateway's IP address) and all-F destination
MAC address.
2. When the ARP Request packet reaches IF_1 on the Switch, the Switch tags the
packet with VLAN 2 (PVID of IF_1). The Switch then adds the mapping
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 196
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
between the source MAC address, VLAN ID, and interface (1-1-1, 2, IF_1) to
its MAC address table.
3. The Switch detects that the packet is an ARP Request packet and the
destination IP address is the IP address of VLANIF 2. The Switch then
encapsulates VLANIF 2's MAC address of 3-3-3 into the ARP Reply packet
before sending it from IF_1. In addition, the Switch adds the mapping
between the IP address and MAC address of Host_1 in its ARP table.
4. After receiving the ARP Reply packet from the Switch, Host_1 adds the
mapping between the IP address and MAC address of VLANIF 2 on the Switch
to its ARP table and sends a packet to the Switch. The packet carries the
destination MAC address of 3-3-3 and destination IP address of 10.2.2.2
(Host_2's IP address).
5. After the packet reaches IF_1 on the Switch, the Switch tags the packet with
VLAN 2.
6. The Switch updates its MAC address table based on the source MAC address,
VLAN ID, and inbound interface of the packet, and compares the destination
MAC address of the packet with the MAC address of VLANIF 2. If they are the
same, the Switch determines that the packet should be forwarded at Layer 3
and searches for a Layer 3 forwarding entry based on the destination IP
address. If no entry is found, the Switch sends the packet to the CPU. The CPU
then searches for a routing entry to forward the packet.
7. The CPU looks up the routing table based on the destination IP address of the
packet and detects that the destination IP address matches a directly
connected network segment (network segment of VLANIF 3). The CPU
continues to look up its ARP table but finds no matching ARP entry. Therefore,
the Switch broadcasts an ARP Request packet with the destination address of
10.2.2.2 to all interfaces in VLAN 3. The ARP Request packet will be send from
IF_2.
8. After receiving the ARP Request packet, Host_2 detects that the IP address is
its own IP address and sends an ARP Reply packet with its own MAC address.
Additionally, Host_2 adds the mapping between the MAC address and IP
address of VLANIF 3 to its ARP table.
9. After IF_2 on the Switch receives the ARP Reply packet, IF_2 tags the packet
with VLAN 3 to the packet and adds the mapping between the MAC address
and IP address of Host_2 to its ARP table. Before forwarding the packet from
Host_1 to Host_2, the Switch removes the tag with VLAN 3 from the packet.
The Switch also adds the binding of Host_2's IP address, MAC address, VLAN
ID, and outbound interface in its Layer 3 forwarding table.
In this way, the packet sent from Host_1 then reaches Host_2. The packet
transmission process from Host_2 to Host_1 is similar. Subsequent packets
between Host_1 and Host_2 are first sent to the gateway (Switch), and the Switch
forwards the packets at Layer 3 based on its Layer 3 forwarding table.
Inter-VLAN Communication Through Multiple Switches
When hosts in different VLANs connect to multiple Layer 3 switches, you need to
configure static routes or a dynamic routing protocol in addition to VLANIF
interface addresses. This is because IP addresses of VLANIF interfaces can only be
used to generate direct routes.
As shown in Figure 4-15, Host_1 (source host) and Host_2 (destination host) are
located on different network segments, connect to Layer 3 switches Switch_1 and
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 197
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
Switch_2, and belong to VLAN 2 and VLAN 3, respectively. On Switch_1, VLANIF 2
and VLANIF 4 are created and allocated IP addresses of 10.1.1.1 and 10.1.4.1. On
Switch_2, VLANIF 3 and VLANIF 4 are created and allocated IP addresses of
10.1.2.1 and 10.1.4.2, respectively. Static routes are configured on Switch_1 and
Switch_2. On Switch_1, the destination network segment in the static route is
10.1.2.0/24 and the next hop address is 10.1.4.2. On Switch_2, the destination
network segment in the static route is 10.1.1.0/24 and the next hop address is
10.1.4.1.
Figure 4-15 Using VLANIF interfaces to implement inter-VLAN communication
through multiple switches
When Host_1 sends a packet to Host_2, the packet is transmitted as follows
(assuming that no forwarding entry exists on Switch_1 and Switch_2):
1. The first six steps are the same as steps 1 to 6 in Inter-VLAN Communication
Through the Same Switch and are not repeated here. After the steps are
complete, Switch_1 sends the packet to its CPU and the CPU looks up the
routing table.
2. The CPU of Switch_1 searches for the routing table based on the destination
IP address of 10.1.2.2 in the routing table and finds a static route. In the static
route, the destination network segment is 10.1.2.0/24 and the next hop
address is 10.1.4.2. The CPU continues to look up its ARP table but finds no
matching ARP entry. Therefore, Switch_1 broadcasts an ARP Request packet
with the destination address of 10.1.4.2 to all interfaces in VLAN 4. IF_2 on
Switch_1 transparently transmits the ARP Request packet to IF_2 on Switch_2
without removing the tag from the packet.
3. After the ARP Request packet reaches Switch_2, Switch_2 finds that the
destination IP address of the ARP Request packet is the IP address of VLANIF
4. Switch_2 then sends an ARP Reply packet with the MAC address of VLANIF
4 to Switch_1.
4. IF_2 on Switch_2 transparently transmits the ARP Reply packet to Switch_1.
After Switch_1 receives the ARP Reply packet, it adds the mapping between
the MAC address and IP address of VLANIF4 to its ARP table.
5. Before forwarding the packet of Host_1 to Switch_2, Switch_1 changes the
destination MAC address of the packet to the MAC address of VLANIF 4 on
Switch_2 and the source MAC address to the MAC address of its local VLANIF
4. In addition, Switch_1 records the forwarding entry (10.1.2.0/24, next hop IP
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 198
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
address, VLAN, and outbound interface) in its Layer 3 forwarding table.
Similarly, the packet is transparently transmitted to IF_2 on Switch_2.
6. After Switch_2 receives packets of Host_1 forwarded by Switch_1, the same
steps as steps 6 to 9 in Inter-VLAN Communication Through the Same
Switch are performed. In addition, Switch_2 records the forwarding entry
(Host_2's IP address, MAC address, VLAN, and outbound interface) in its Layer
3 forwarding table.
4.2.9 Intra-VLAN Layer 2 Isolation
You can implement Layer 2 isolation between users by adding them to different
VLANs. VLANs have to be allocated to all users who are not allowed to
communicate with each other. If an enterprise has many users, this user isolation
method uses a large number of VLANs and makes configuration more complex,
increasing the maintenance workload of the network administrator.
Huawei provides intra-VLAN Layer 2 isolation technologies including port isolation,
Multiplex VLAN (MUX VLAN), and Modular QoS Command-Line Interface (MQC).
Port Isolation
Port isolation can isolate interfaces in the same VLAN. You can add interfaces to a
port isolation group to disable Layer 2 packet transmission between the interfaces.
Interfaces in different port isolation groups or not in any port isolation groups can
exchange packets with each other normally. In addition, interfaces can also be
isolated unidirectionally, creating a more secure and flexible network.
MUX VLAN
Multiplex VLAN (MUX VLAN) controls network resources using VLANs. It can
implement inter-VLAN communication and intra-VLAN isolation.
For example, by deploying MUX VLAN, an enterprise can allow employees to
communicate with each other, but isolate customers from each other. At the same
time, both employees and customers can access enterprise servers.
For details about the MUX VLAN feature, see 6 MUX VLAN Configuration.
Traffic Policies
A traffic policy is configured by binding traffic classifiers to traffic behaviors. You
can define traffic classifiers on a switch to match packets with certain
characteristics and associate the traffic classifiers with the permit or deny behavior
in a traffic policy. The switch then permits or denies packets matching the traffic
classifiers, implementing intra-VLAN unidirectional or bidirectional isolation.
The switch supports intra-VLAN Layer 2 isolation based on MQC and ACL-based
simplified traffic policies. For details about MQC and ACL-based simplified traffic
policies, see MQC Configuration and ACL-based Simplified Traffic Policy
Configuration in the S300, S500, S2700, S5700, and S6700 V200R021C10
Configuration Guide - QoS.
4.2.10 Inter-VLAN Layer 3 Isolation
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 199
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
After inter-VLAN Layer 3 connectivity is implemented between two VLANs, users
from both VLANs can communicate. In some scenarios, communication between
certain users needs to be restricted or only unidirectional communication is
allowed. For example, user hosts and servers often use unidirectional
communication, and visitors to an enterprise are often allowed to access only the
Internet or specific servers. In these scenarios, you need to configure inter-VLAN
isolation.
Inter-VLAN isolation is often implemented using a traffic policy. You can define
traffic classifiers on a switch to match packets with certain characteristics and
associate the traffic classifiers with the permit or deny behavior in a traffic policy.
The switch then permits or rejects the packets matching the traffic classifiers,
allowing for flexible inter-VLAN isolation.
The switch supports inter-VLAN Layer 3 isolation based on MQC and ACL-based
simplified traffic policies. For details about MQC and ACL-based simplified traffic
policies, see MQC Configuration and ACL-based Simplified Traffic Policy
Configuration in the S300, S500, S2700, S5700, and S6700 V200R021C10
Configuration Guide - QoS.
4.2.11 Management VLAN
To use a remote network management system (NMS) to centrally manage
devices, configure a management IP address on the switch. You can then log in to
the switch through STelnet and manage the switch using the management IP
address. The management IP address can be configured on a management
interface or VLANIF interface. If a user-side interface is added to the VLAN, users
connected to the interface can also log in to the switch, posing security risks to
the switch.
To avoid such risks, configure a VLAN as a management VLAN and prevent access
interfaces or Dot1q tunnel interfaces (both of which are often connected to users)
from being added to that VLAN. (The VLANs not specified as the management
VLAN are service VLANs.) This, in turn, prevents users connected to the interfaces
from logging in to the device, improving device security.
4.2.12 Protocol Packet Transparent Transmission in a VLAN
When the device is used as a gateway or a Layer 2 switch enabled with snooping
functions such as DHCP/IGMP/MLD snooping, the device needs to parse and
process the corresponding protocol packets. Protocol packets received by an
interface are sent to the CPU for processing and the interface sends protocol
packets without differentiating VLANs. If the preceding snooping functions are
deployed, protocol packets from all VLANs are sent to the CPU for processing.
If the device is a gateway for some VLANs or snooping functions are deployed in
some VLANs, the device does not need to process protocol packets from other
VLANs. After the protocol packets in other VLANs are sent to the CPU, the CPU
needs to forward them to other devices. This mechanism is called software
forwarding. Protocol packet processing in software forwarding decreases the
forwarding efficiency.
To address this issue, deploy protocol packet transparent transmission in VLANs
where protocol packets do not need to be processed. This function enables the
device to transparently transmit the protocol packets from VLANs to other devices,
improving forwarding speed and efficiency.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 200
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
NOTE
Only the S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6735-S, S6720-EI, S6720S-EI,
S6730-H, S6730S-H, S6730-S, and S6730S-S support this function.
4.3 Application Scenarios for VLANs
4.3.1 Using VLAN Assignment to Implement Layer 2 Isolation
Interface-based VLAN Assignment
As shown in Figure 4-16, there are multiple companies in a building. These
companies share network resources to reduce costs. Networks of the companies
connect to different interfaces of the same Layer 2 switch and access the Internet
through an egress.
Figure 4-16 Networking of interface-based VLAN assignment
To isolate services and ensure service security of different companies, add
interfaces connected to the companies to different VLANs. Each company has a
virtual router and each VLAN is a virtual work group.
MAC Address-based VLAN Assignment
As shown in Figure 4-17, a company has two office areas that connect to the
company's network through Switch_2 and Switch_3, respectively. Employees often
move between the two office areas.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 201
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
Figure 4-17 Networking of MAC address-based VLAN assignment
To enable employees to access network resources such as servers after they move
between different office areas, configure MAC address-based VLAN assignment on
Switch_2 and Switch_3. As long as the MAC address of User_1 remains unchanged,
the VLAN of the user remains unchanged and they can still access the company's
network resources after changing the location.
IP Subnet-based VLAN Assignment
As shown in Figure 4-18, a company has two departments: departments 1 and 2.
The two departments are assigned fixed IP network segments. The employees
often move between locations, but the company requires that their network
resource access rights remain unchanged.
Figure 4-18 Networking of IP subnet-based VLAN assignment
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 202
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
To ensure that employees retain access to network resources after changing
locations, configure IP subnet-based VLAN assignment on the company's central
switch. Different network segments of servers are assigned to different VLANs to
isolate data flows of different application services, improving security.
4.3.2 Using VLANIF Interfaces to Implement Inter-VLAN Layer
3 Connectivity
VLANIF interfaces are used to implement inter-VLAN Layer 3 connectivity when
devices are connected to the same Layer 3 switch or different Layer 3 switches.
Inter-VLAN Layer 3 Communication Through the Same Layer 3 Switch
As shown in Figure 4-19, departments 1 and 2 of a small-sized company belong
to VLAN 2 and VLAN 3, respectively, and connect to a Layer 3 switch (Switch)
through Layer 2 switches. Packets exchanged between the two departments need
to pass through the Layer 3 switch.
Figure 4-19 Using VLANIF interfaces to implement inter-VLAN communication
through the same Layer 3 switch
Assign VLANs on Switch_1 and Switch_2, configure Switch_1 and Switch_2 to
transparently transmit VLAN packets to the Layer 3 switch, and configure a
VLANIF interface for each VLAN on the Layer 3 switch to allow communication
between VLAN 2 and VLAN 3.
Inter-VLAN Layer 3 Communication Through Different Layer 3 Switches
As shown in Figure 4-20, departments 1 and 2 of a medium- or large-sized
company are connected across two or more Layer 3 switches, and belong to VLAN
2 and VLAN 3, respectively. Packets exchanged between the two departments
need to pass through the Layer 3 switches.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 203
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
Figure 4-20 Using VLANIF interfaces to implement inter-VLAN communication
through multiple Layer 3 switches
Assign VLANs on the Layer 2 switches, and configure the Layer 2 switches to
transparently transmit VLAN packets to Layer 3 switches. Configure a VLANIF
interface for each user VLAN and interconnected VLANs on Switch_1 and
Switch_2, and configure VLANIF interfaces for interconnected VLANs on other
Layer 3 devices. In addition, configure static routes or a dynamic routing protocol
between Switch_1 and Switch_2 (a dynamic routing protocol is recommended
when devices are connected across more than two Layer 3 switches).
4.3.3 Using a Traffic Policy to Implement Inter-VLAN Access
Control
As shown in Figure 4-21, to ensure communication security, a company divides
the network into visitor area, employee area, and server area, and assigns VLAN
10, VLAN 20, and VLAN 30 to the areas, respectively. The company has the
following requirements:
● Employees, visitors, and servers can access the Internet.
● Visitors cannot communicate with employees and can access only Server_1 in
the server area.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 204
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
Figure 4-21 Using a traffic policy to implement inter-VLAN access control
The central switch (Switch) is configured with VLANIF 10, VLANIF 20, VLANIF 30,
and VLANIF 100 and a route to the router, after which employees, visitors, and
servers can access the Internet and communicate with each other. To control
access rights of visitors, configure a traffic policy on the central switch and define
the following rules:
● ACL rule 1: denies any packets sent from the IP network segment of visitors to
the IP segment of employees.
● ACL rule 2: permits any packets from the IP network segment of visitors to
the IP address of Server_1, and denies any packets sent to the IP network
segment of servers.
● ACL rule 3: denies any packets from the IP network segment of employees to
the IP network segment of visitors.
● ACL rule 4: denies any packets from the IP network segment of servers to the
IP network segment of visitors.
Apply the traffic policy to the inbound and outbound directions of the switch
interface connected to the visitor area. Visitors can then only access Server_1 and
cannot communicate with employees.
4.3.4 Using a VLANIF Interface to Implement Layer 3
Connectivity Between the Switch and Router
To reduce costs, most enterprises use switches to connect internal devices and an
egress router to connect to an ISP network, as shown in Figure 4-22.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 205
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
Figure 4-22 Connection between the switch and router
To access the ISP network, the core Layer 3 switch and egress router need to
interwork at Layer 3. Most Layer 3 switches do not support or only support limited
routed interfaces. Generally, a VLANIF interface is used as a Layer 3 interface to
communicate with the Layer 3 sub-interface of the router. Then a static route or a
dynamic routing protocol is configured to implement Layer 3 connectivity between
the core switch and egress router.
4.4 Summary of VLAN Configuration Tasks
When configuring VLANs, first assign VLANs. Then carry out the other VLAN
configuration tasks according to your business requirements.
Table 4-5 VLAN configuration tasks
Configuration Description
Task
Assign VLANs Assign VLANs to isolate hosts that do not need to
communicate with each other, which improves network
security, reduces broadcast traffic, and mitigates broadcast
storms. Select a VLAN assignment mode based on your
specific needs.
Configure inter- After VLANs are assigned, users in different VLANs cannot
VLAN directly communicate with each other. If users in different
communication VLANs need to communicate with each other, configure
VLANIF interfaces to implement inter-VLAN Layer 3
communication.
Configure port After VLANs are assigned, users in the same VLAN can
isolation to directly communicate with each other. If some users in the
implement intra- same VLAN need to be isolated, configure port isolation to
VLAN Layer 2 implement intra-VLAN Layer 2 isolation.
isolation NOTE
You can also implement intra-VLAN Layer 2 isolation by
configuring MQC-based traffic policies and simplified traffic
policies. For details, see MQC Configuration and ACL-based
Simplified Traffic Policy Configuration in the S300, S500, S2700,
S5700, and S6700 V200R021C10 Configuration Guide - QoS.
Configure a To use the NMS to centrally manage devices, configure a
management VLAN as the management VLAN after assigning VLANs.
VLAN
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 206
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
Configuration Description
Task
Configure Configure protocol packet transparent transmission in a
transparent VLAN so that the switch sends only protocol packets in a
transmission of specified VLAN to the CPU. This improves the forwarding
protocol packets efficiency.
in a VLAN
4.5 Licensing Requirements and Limitations for VLANs
Involved Network Elements
Other network elements are not required.
Licensing Requirements
VLAN is a basic feature of a switch and is not under license control.
Feature Support in V200R021C10
All models of S300, S500, S2700, S5700, and S6700 series switches support VLAN.
NOTE
To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.
The S5731-L and S5731S-L are remote units and do not support web-based management,
YANG, or commands. They can be configured only through configuration delivery by the
central device. For details, see "Simplified Architecture Configuration (the Solar System
Solution)" in the S300, S500, S2700, S5700, and S6700 V200R021C10 Configuration Guide -
Device Management.
Feature Limitations
● Table 4-6 describes the VLAN specifications of different switch models.
Table 4-6 VLAN specifications of different switch models
Item Specification
Maximum number of VLANs in the 4096 (VLAN 0 and VLAN 4095 are
system reserved)
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 207
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
Item Specification
Maximum number of VLANIF ● S2710-SI/S5710-C-LI: 1
interfaces in the system ● S2700-SI/S2700-EI/S5710-X-LI: 8
● S2720-EI (V200R006C10,
V200R009C00, V200R010C00): 8
● S2720-EI (V200R011C10,
V200R012C00, V200R013C00,
V200R019C00, V200R019C10):
1024
● S3700-SI/S3700-EI/S3700-HI/
S5700-SI/S5700-EI: 256
● S5700-HI/S5730-SI/S5735S-H/
S5736-S/S5730S-EI/S5720-EI/
S5731-S/S5731S-S/S5710-HI/
S5720I-SI/S5720-SI/S5720S-SI/
S5720-LI/S5720S-LI/S6730-S/
S6730S-S/S6720-LI/S6720S-LI/
S6720-SI/S6720S-SI/S6735-S/
S6720-EI/S6720S-EI: 1024
● S5720-HI/S5730-HI/S5731-H/
S5731S-H/S5732-H/S6720-HI/
S6730-H/S6730S-H: 1024 in
versions earlier than
V200R019C10 and 4096 in
V200R019C10 and later versions
● S5735-L/S5735S-L/S5735S-L-M/
S5735-S/S5735-S-I/S5735S-S:
1019 in versions earlier than
V200R019C10 and 1024 in
V200R019C10 and later versions
● S5735-L-I/S5735-L1/S5735S-L1/
S500/S300: 1024
NOTE
On the S500, S5735-S, S300, S5735-
L, S5735S-L, S5735-S-I, S5735S-L-M,
S5735S-S, S5735-L1, S5735-L-I and
S5735S-L1 running V200R020C10 or
a later version, if the resource
allocation mode is set to enhanced-
mac, a maximum of eight VLANIF
interfaces can be configured.
● S2750-EI/S5700-LI/S5700S-LI: 1 in
versions earlier than V200R005
and 8 in V200R005 and later
versions
● S5710-EI/S6700-EI: 256 in
versions earlier than V200R005
and 1024 in V200R005
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 208
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
● If LNP is used to dynamically negotiate the link type (LNP is enabled by
default), it is recommended that each interface be added to a maximum of
1000 VLANs and a maximum of 200 interfaces be configured on a switch. If
4094 VLANs are configured globally, it is recommended that a maximum of
50 interfaces be enabled with LNP. Otherwise, the alarm about a high CPU
usage is generated for a short time.
● Plan service and management VLANs so that any broadcast storms in service
VLANs do not affect switch management.
● Create VLANs before configuring VLAN-related services.
● In practice, specify VLANs from which packets need to be transparently
transmitted by a trunk interface. Avoid using the port trunk allow-pass vlan
all command if possible.
● In versions earlier than V200R005, before changing the interface type, restore
the default VLAN of the interface.
● In versions earlier than V200R005, before deleting a VLAN where a VLANIF
interface has been configured, run the undo interface vlanif vlan-id
command to delete the VLANIF interface.
● All interfaces join VLAN 1 by default. When unknown unicast, multicast, or
broadcast packets of VLAN 1 exist on the network, broadcast storms may
occur. Note the following guidelines and limitations when using VLAN 1:
– Do not use VLAN 1 as the management VLAN or service VLAN.
– To prevent loops, remove unnecessary interfaces from VLAN 1. Configure
a trunk interface to permit packets from VLAN 1. If a trunk interface
rejects packets from VLAN 1, some protocol packets transmitted in VLAN
1 may be incorrectly discarded. To prevent such faults, take measures to
prevent potential risks when packets of VLAN 1 are allowed to pass
through.
– If a spanning tree protocol is used and a trunk interface on the switch
rejects packets from VLAN 1, run the stp bpdu vlan command to enable
the switch to encapsulate the specified VLAN ID in outgoing STP BPDUs
so that the spanning tree protocol runs properly.
– You are advised to remove interfaces from VLAN 1 in Eth-Trunk or ring
networking.
– When the switch connects to an access device, do not configure the
uplink interface of the access device to transparently transmit packets
from VLAN 1. This prevents broadcast storms in VLAN 1.
– When an interface is bound to a VLANIF interface for Layer 3 forwarding,
remove the interface from VLAN 1 to prevent Layer 2 loops in VLAN 1.
● To implement Layer 2 isolation between interfaces, you can add each
interface to a different VLAN. To isolate broadcast packets in the same VLAN
but allow users connecting to different interfaces to communicate at Layer 3,
you can set the port isolation mode to Layer 2 isolation and Layer 3
interworking. To prevent interfaces in the same VLAN from communicating at
both Layer 2 and Layer 3, you can set the port isolation mode to Layer 2 and
Layer 3 isolation. The S2720-EI, S5720-LI, S2730S-S, S5735-L-I, S5735-L1,S300,
S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5720S-LI, S6720-LI and S6720S-
LI switches support only Layer 2 isolation and Layer 3 interworking. Interfaces
on subcards of the S5730-68C-SI-AC, S5730-68C-PWR-SI-AC, S5730-68C-PWR-
SI, S5730S-68C-EI-AC, and S5730S-68C-PWR-EI do not support port isolation.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 209
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
● In V200R020C10 and later versions, the resource allocation mode of the S500,
S5735-S, S300, S5735-L, S5735S-L, S5735-S-I, S5735S-L-M, S5735S-S, S5735-L-
I, S5735-L1,and S5735S-L1 can be set to enhanced-mac using the assign
resource-mode enhanced-mac global command. On a device of one of the
preceding models, if the enhanced-mac resource allocation mode is
configured, a maximum of eight VLANIF interfaces can be created. If the
device has already more than eight VLANIF interfaces configured, after the
enhanced-mac resource allocation mode is configured, only the eight VLANIF
interfaces with the smallest VLAN IDs are reserved.
4.6 Default Settings for VLANs
Table 4-7 Default setting for VLANs
Parameter Default Setting
Defaul Inter ● S2720-EI, S5720I-SI, S5720-LI, S2730S-S, S5735-L-I, S5735-
t face L1,S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M,
config type S5720S-LI, S5735-S, S500, S5735S-S, S5735-S-I, S5735S-H,
uratio S5736-S: negotiation-auto
n of ● Other models: negotiation-desirable
an
interfa Defa VLAN 1
ce ult
VLA
N
VLA ● VLAN 1 that access interfaces join in untagged mode (port
N default vlan 1)
that ● VLANs 1 to 4094 that trunk interfaces join in tagged mode
an (port trunk allow-pass vlan 1 to 4094)
inter
face
joins
Damping time 0s
for a VLANIF
interface in
Down state
Traffic Disabled
statistics
collection in a
VLAN
Traffic Disabled
statistics
collection on
a VLANIF
interface
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 210
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
4.7 Configuring VLANs
4.7.1 Assigning VLANs
4.7.1.1 Configuring Interface-based VLAN Assignment (Statically Configured
Interface Type)
Context
Interface-based VLAN assignment is the simplest and most effective method for
assigning VLANs. With interface-based VLAN assignment, an interface is added to
a VLAN, after which the interface can forward packets from the VLAN. Interface-
based VLAN assignment allows hosts in the same VLAN to communicate at Layer
2 and prevents hosts in different VLANs from communicating, limiting broadcast
packets to within a VLAN.
Ethernet interfaces are classified into access, trunk, and hybrid interfaces. The type
of interface determines the objects that can connect to the Ethernet interface and
number of VLANs from which untagged frames are permitted (for more details,
see 4.2.2 Interface Types). If the device connected to an Ethernet interface can
send and receive only untagged frames, you need to configure a default VLAN on
the interface to add VLAN tags to untagged frames on the interface.
On the S2720-EI, S5720I-SI, S5720-LI, S2730S-S, S5735-L-I, S5735-L1,S300, S5735-
L, S5735S-L, S5735S-L1, S5735S-L-M, S5720S-LI, S5735-S, S500, S5735S-S, S5735-
S-I, S5735S-H, S5736-S, the type of an interface is negotiation-auto by default. On
other models, the type of an interface is negotiation-desirable by default.
Procedure
● Configuring the default VLAN for an access interface
a. Run system-view
The system view is displayed.
b. Run vlan vlan-id
A VLAN is created, and the VLAN view is displayed. If the specified VLAN
has been created, the VLAN view is directly displayed.
c. Run quit
Return to the system view.
d. Run interface interface-type interface-number
The view of the Ethernet interface to be added to the VLAN is displayed.
e. Run port link-type access
The Ethernet interface is configured as an access interface.
f. Run port default vlan vlan-id
The default VLAN is configured for the interface and the interface is
added to the specified VLAN.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 211
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
g. (Optional) Run port discard tagged-packet
The interface is configured to discard incoming tagged packets.
● Configuring the default VLAN for a trunk interface
a. Run system-view
The system view is displayed.
b. Run vlan vlan-id
A VLAN is created, and the VLAN view is displayed. If the specified VLAN
has been created, the VLAN view is directly displayed.
c. Run quit
Return to the system view.
d. Run interface interface-type interface-number
The view of the Ethernet interface to be added to the VLAN is displayed.
e. Run port link-type trunk
The Ethernet interface is configured as a trunk interface.
f. Run port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> |
all }
The interface is added to the specified VLAN.
g. (Optional) Run port trunk pvid vlan vlan-id
The default VLAN is configured for the trunk interface.
NOTE
If the VLAN allowed by an interface is the default VLAN of the interface, packets from
the VLAN are forwarded as untagged.
● Configuring the default VLAN for a hybrid interface
a. Run system-view
The system view is displayed.
b. Run vlan vlan-id
A VLAN is created, and the VLAN view is displayed. If the specified VLAN
has been created, the VLAN view is directly displayed.
c. Run quit
Return to the system view.
d. Run interface interface-type interface-number
The view of the Ethernet interface to be added to the VLAN is displayed.
e. Run port link-type hybrid
The Ethernet interface is configured as a hybrid interface.
f. Run the following commands as required.
▪ Run port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] }
&<1-10> | all }
The hybrid interface is added to the VLAN in untagged mode.
▪ Run port hybrid tagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> |
all }
The hybrid interface is added to the VLAN in tagged mode.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 212
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
g. (Optional) Run port hybrid pvid vlan vlan-id
The default VLAN is configured for the hybrid interface.
----End
Configuration Example
In Figure 4-23, interfaces connecting to PC1 and PC3 are assigned to VLAN 10,
and the interface connecting to PC2 is assigned to VLAN 20. PC2 cannot directly
communicate with PC1 and PC3 at Layer 2, but PC1 and PC3 can directly
communicate with each other.
Figure 4-23 Networking of interface-based VLAN assignment
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type access
[Switch-GigabitEthernet0/0/1] port default vlan 10
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type access
[Switch-GigabitEthernet0/0/2] port default vlan 20
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type access
[Switch-GigabitEthernet0/0/3] port default vlan 10
[Switch-GigabitEthernet0/0/3] quit
[Switch] interface gigabitethernet 0/0/4
[Switch-GigabitEthernet0/0/4] port link-type hybrid
[Switch-GigabitEthernet0/0/4] port hybrid tagged vlan 10 20
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 213
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
Add PC1 and PC3 to the same IP address segment, for example, 192.168.100.0/24;
add PC2 to another IP address segment, for example, 192.168.200.0/24. PC1 and
PC3 can ping each other but cannot ping PC2.
Switch configuration file
#
sysname Switch
#
vlan batch 10 20
#
interface gigabitethernet 0/0/1
port link-type access
port default vlan 10
#
interface gigabitethernet 0/0/2
port link-type access
port default vlan 20
#
interface gigabitethernet 0/0/3
port link-type access
port default vlan 10
#
interface gigabitethernet 0/0/4
port link-type hybrid
port hybrid tagged vlan 10 20
#
return
Configuration Tips
Configuring a name for a VLAN
When multiple VLANs are created on the device, you can configure names for the
VLANs to facilitate management. After a name is configured for a VLAN, you can
directly enter the VLAN view using the name.
# Set the name of VLAN 10 to huawei.
<HUAWEI> system-view
[HUAWEI] vlan 10
[HUAWEI-vlan10] huawei
[HUAWEI-vlan10] quit
# After a name is configured for a VLAN, you can directly enter the VLAN view
using the name.
[HUAWEI] vlan vlan-name huawei
[HUAWEI-vlan10] quit
Adding interfaces to a VLAN in a batch
Use a port group to perform the same VLAN configuration for multiple Ethernet
interfaces. To add access interfaces to a VLAN in a batch, you can also run the
port interface-type { interface-number1 [ to interface-number2 ] }&<1-10>
command in the VLAN view. The following uses the access interface as an
example.
# Add interfaces to a VLAN in a batch using a port group.
<HUAWEI> system-view
[HUAWEI] port-group pg1
[HUAWEI-port-group-pg1] group-member gigabitethernet0/0/1 to gigabitethernet0/0/5
[HUAWEI-port-group-pg1] port link-type access
[HUAWEI-port-group-pg1] port default vlan 10
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 214
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
# Add interfaces to a VLAN in a batch in the VLAN view.
<HUAWEI> system-view
[HUAWEI] vlan 10
[HUAWEI-vlan10] port gigabitethernet 0/0/1 to 0/0/5
Restoring the default VLAN configuration of an interface
If the VLAN planning of an interface is changed, you need to delete the original
VLAN configuration of the interface. If many non-contiguous VLANs are
configured on the interface, you need to perform the delete operation multiple
times. To reduce the workload, you can restore the default VLAN configuration of
the interface. For details, see 4.8.7 Restoring the Default VLAN Configuration of
an Interface.
Changing the interface type
When the interface planning changes or the current interface type is different
from the configured one, the interface type needs to be changed. For details, see
4.11.4 How Do I Change the Link Type of an Interface?.
Deleting a VLAN
If a VLAN is not in use, you are advised to delete it to save VLAN resources and
reduce packets on a network. For details, see 4.8.8 Deleting a VLAN.
Verifying the Configuration
● Run the display port vlan [ interface-type interface-number | active ] *
command in any view to check information about interfaces of the VLAN.
● Run the display vlan command in any view to check information about
VLANs.
4.7.1.2 Configuring Interface-based VLAN Assignment (LNP Dynamically
Negotiates the Link Type)
Context
The switch supports the following link types on an Ethernet interface: access,
hybrid, trunk, and QinQ. The four link types are applicable to different network
deployments and are manually specified. When the network topology changes,
link types of Ethernet interfaces also need to be reconfigured. If this is done
manually, configuration is time-consuming and complex. To simplify configuration,
LNP supports auto-negotiation of link types on Ethernet interfaces and allows
Ethernet interfaces to join VLANs through auto-negotiation. Typically, when LNP is
deployed, the VLAN Central Management Protocol (VCMP) also needs to be
deployed so that VLANs can be centrally created and deleted and user
configurations are simplified. For details about VCMP, see 12 VCMP
Configuration.
Procedure
Step 1 Run system-view
The system view is displayed.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 215
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
Step 2 Run undo lnp disable
LNP is enabled globally.
By default, LNP is enabled on all interfaces.
Step 3 Run interface interface-type interface-number
The view of the Ethernet interface that needs to be enabled with LNP is displayed.
Step 4 Run undo port negotiation disable
LNP is enabled on the Layer 2 Ethernet interface.
By default, LNP is enabled on all interfaces of the device.
NOTE
When performing this step, ensure that the interface is a Layer 2 interface. If the interface
is not a Layer 2 interface, run the portswitch command to configure the interface as a
Layer 2 interface.
When an LNP-capable device is used with an LNP-incapable device, the LNP-capable device
continuously sends LNP packets, which wastes bandwidth. You can run the port
negotiation disable command in the Layer 2 Ethernet interface view to disable LNP.
To ensure successful negotiation, ensure that LNP is enabled both globally and in the
interface view.
Step 5 Run port link-type { negotiation-desirable | negotiation-auto }
An LNP mode is configured.
By default, the LNP mode of a Layer 2 Ethernet interface on the S2720-EI, S5720I-
SI, S5720-LI, S2730S-S, S5735-L-I, S5735-L1,S300, S5735-L, S5735S-L, S5735S-L1,
S5735S-L-M, S5720S-LI, S5735S-H, S5736-S, S5735-S, S500, S5735S-S, and S5735-
S-I is negotiation-auto, and the LNP negotiation mode of a Layer 2 Ethernet
interface on other models is negotiation-desirable.
There are limitations on an interface where the LNP mode is set to negotiation-
desirable or negotiation-auto:
● The sub-interface cannot be created.
● The MUX VLAN cannot be enabled.
● The voice VLAN in auto mode cannot be configured on the interface.
Step 6 Configure the VLAN allowed by an interface.
● When a trunk interface is negotiated, perform the following operations:
a. Run port trunk allow-pass only-vlan { { vlan-id1 [ to vlan-id2 ] }
&<1-10> | none }
The VLAN allowed by the trunk interface is configured.
By default, a trunk interface allows all VLANs.
b. (Optional) Run port trunk pvid vlan vlan-id
The default VLAN of the interface is configured.
When the interface connected to an AP or a voice terminal receives
untagged and tagged frames, configure the default VLAN for the
interface so that the interface adds the VLAN tag to untagged frames.
By default, the default VLAN of a trunk interface is VLAN 1.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 216
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
● When an access interface is negotiated, perform the following operation:
Run port default vlan vlan-id
The default VLAN is configured for the access interface and the access
interface is added to the specified VLAN.
By default, the default VLAN of an access interface and the VLAN that an
access interface joins are both VLAN 1.
----End
Configuration Example
In Figure 4-24, to simplify configurations, switches are connected through the
trunk link, and switches and user terminals are connected through access links
and added to VLANs. By default, LNP is enabled globally and on all interfaces.
Figure 4-24 Networking of interface-based VLAN assignment (LNP dynamically
negotiates the link type)
Configure Switch3.
<HUAWEI> system-view
[HUAWEI] sysname Switch3
[Switch3] vlan batch 10 20
[Switch3] interface GigabitEthernet 0/0/1
[Switch3-GigabitEthernet0/0/1] port trunk allow-pass only-vlan 10 20
[Switch3-GigabitEthernet0/0/1] quit
[Switch3] interface GigabitEthernet 0/0/2
[Switch3-GigabitEthernet0/0/2] port trunk allow-pass only-vlan 10 20
[Switch3-GigabitEthernet0/0/2] quit
Configure Switch1. The configurations of Switch2 are similar to those of Switch1,
and are not mentioned here.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 217
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
<HUAWEI> system-view
[HUAWEI] sysname Switch1
[Switch1] vlan batch 10 20
[Switch1] interface GigabitEthernet 0/0/1
[Switch1-GigabitEthernet0/0/1] port default vlan 10
[Switch1-GigabitEthernet0/0/1] quit
[Switch1] interface GigabitEthernet 0/0/2
[Switch1-GigabitEthernet0/0/2] port trunk allow-pass only-vlan 10 20
[Switch1-GigabitEthernet0/0/2] quit
[Switch1] interface GigabitEthernet 0/0/3
[Switch1-GigabitEthernet0/0/3] port default vlan 20
[Switch1-GigabitEthernet0/0/3] quit
Verifying the Configuration
● Run the display lnp { interface interface-type interface-number | summary }
command in any view to check LNP negotiation information on a Layer 2
Ethernet interface.
4.7.1.3 Configuring MAC Address-based VLAN Assignment
Context
In MAC address-based VLAN assignment mode, you do not need to reconfigure
VLANs for users when their physical locations change. This improves security and
access flexibility on a network.
When MAC address-based VLAN assignment is enabled, only untagged frames are
processed, and tagged frames are treated in the same manner as interface-based
VLAN assignment.
When receiving an untagged frame, the interface matches the source MAC
address of the frame against the MAC-VLAN table:
● If an entry is matched, the interface forwards the frame based on the VLAN
ID and priority in the entry.
● If no entry is matched, the interface matches the frame according to other
matching rules.
The total number of MAC-VLAN entries is the number of configured MAC-VLAN
entries multiplied by the number of interfaces where MAC-VLAN entries are
delivered. On different models, the number of MAC-VLAN entries is different:
● The S5720I-SI, S5735-S, S5735S-S, S5735-S-I, S5731-H, S5731-S, S5731S-H,
S5731S-S, S5732-H, S6735-S, S6720-EI, S6720S-EI, S6730-H, S6730S-H, S6730-
S, and S6730S-S support a maximum of 1024 MAC-VLAN entries and a
maximum of 64 MAC-VLAN entries with the mask.
● The S2720-EI, , S500S5720S-LI, S5735S-H, S5736-S, S5720-LI, S2730S-S,
S5735-L-I, S5735-L1,S300, S5735-L, S5735S-L, S5735S-L1, and S5735S-L-M
support a maximum of 512 MAC-VLAN entries and a maximum of 64 MAC-
VLAN entries with the mask.
● Other models support a maximum of 512 MAC-VLAN entries and a maximum
of 32 MAC-VLAN entries with the mask.
Procedure
Step 1 Run system-view
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 218
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
The system view is displayed.
Step 2 Run vlan vlan-id
A VLAN is created and the VLAN view is displayed. If the specified VLAN has been
created, the VLAN view is directly displayed.
NOTE
The vlan configuration command completes the VLAN configurations before the VLAN is
created. The vlan configuration command only enters the VLAN configuration view.
Neither the corresponding VLAN nor configurations in the VLAN take effect. To make
configurations in the VLAN take effect, create the VLAN using the vlan command.
Step 3 Run mac-vlan mac-address mac-address [ mac-address-mask | mac-address-
mask-length ] [ priority priority ]
A MAC address is associated with a VLAN.
NOTE
When the mac-vlan mac-address command with the same MAC address specified is
executed multiple times, MAC-VLAN entries take effect according to the longest match
principle. On the S6735-S, S6720-EI and S6720S-EI, MAC-VLAN entries take effect according
to the longest match principle only when the subnet mask has 47 bits or less than 47 bits.
A MAC-VLAN entry with a 48-bit subnet mask has the lowest priority.
● The MAC address is input in an H-H-H format, where each H is a hexadecimal
number composed of 1 to 4 alphanumeric characters, such as 00e0 and fc01.
If you enter less than four alphanumeric characters, 0s are added before the
input digits. For example, if e0 is entered, 00e0 is displayed. The MAC address
cannot be all Fs, all 0s, or a multicast MAC address.
● If a MAC-VLAN entry with a mask is specified (excluding a 48-bit mask or
mask with all Fs), the priority cannot be changed normally. To change the
priority, run the undo mac-vlan mac-address command to delete the MAC-
VLAN entry and then run the mac-vlan mac-address command to change
the priority.
● priority specifies the 802.1p priority of a MAC address-based VLAN. The value
is in the range from 0 to 7. A larger value indicates a higher priority. The
default value is 0. After the 802.1p priority of a MAC address-based VLAN is
specified, the switch forwards high-priority frames first during network
congestion.
Step 4 Run quit
Return to the system view.
Step 5 Configure attributes for the Ethernet interface.
1. Run interface interface-type interface-number
The view of the interface that allows the MAC address-based VLAN is
displayed.
2. Run port link-type hybrid
The interface is configured as a hybrid interface.
On access and trunk interfaces, MAC address-based VLAN assignment can be
used only when the MAC address-based VLAN is the same as the PVID. It is
recommended that MAC address-based VLAN assignment be configured on
hybrid interfaces.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 219
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
3. Run port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }
The hybrid interface is configured to allow the MAC address-based VLAN.
Step 6 (Optional) Run vlan precedence mac-vlan
The device is configured to preferentially use MAC address-based VLAN
assignment.
By default, the device preferentially uses MAC address-based VLAN assignment.
NOTE
Only the S5720I-SI, S5735-S, S5735S-S, S5735-S-I, S5735S-H, S5736-S, S6735-S, S6720-EI,
S6720S-EI support the vlan precedence command.
S5720I-SI, S5735-S, S5735S-S, S5735-S-I, S5735S-H, S5736-S support the vlan precedence
command only in the system view. Other switches support the vlan precedence command only
in the interface view.
On the S6735-S, S6720-EI and S6720S-EI, if both a subnet VLAN and MAC VLAN with a mask
are configured, the MAC VLAN with a mask is matched first regardless of whether the vlan
precedence command is used.
Step 7 Run mac-vlan enable
MAC address-based VLAN assignment is enabled.
By default, MAC address-based VLAN assignment is disabled.
NOTE
MAC address-based VLAN assignment cannot be used with the MUX VLAN and MAC
address authentication on the same interface.
On the S2720-EI, S5720I-SI, S5720-LI, S2730S-S, S5735-L-I, S5735-L1,S300, S5735-L,
S5735S-L, S5735S-L1, S5735S-L-M, S5720S-LI, S5735-S, S5735S-S, S5735-S-I, S5735S-H,
S5736-S, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S,
and S6730S-S, MAC address-based VLAN assignment is invalid for packets with a VLAN ID
of 0, regardless of whether the mask of the MAC VLAN is specified. On other models, MAC
address-based VLAN assignment is invalid for packets with the VLAN ID of 0 only when the
mask of the MAC VLAN is specified.
----End
Configuration Example (a Switch Connects to Downstream Terminals)
In Figure 4-25, the MAC addresses of PC1, PC2, and PC3 are bound to VLAN 10.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 220
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
Figure 4-25 Networking of MAC address-based VLAN assignment (a switch
connects to downstream terminals)
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type hybrid
[Switch-GigabitEthernet0/0/1] port hybrid tagged vlan 10
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type hybrid
[Switch-GigabitEthernet0/0/2] port hybrid untagged vlan 10
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type hybrid
[Switch-GigabitEthernet0/0/3] port hybrid untagged vlan 10
[Switch-GigabitEthernet0/0/3] quit
[Switch] interface gigabitethernet 0/0/4
[Switch-GigabitEthernet0/0/4] port link-type hybrid
[Switch-GigabitEthernet0/0/4] port hybrid untagged vlan 10
[Switch-GigabitEthernet0/0/4] quit
[Switch] vlan 10
[Switch-vlan10] mac-vlan mac-address 22-22-22
[Switch-vlan10] mac-vlan mac-address 33-33-33
[Switch-vlan10] mac-vlan mac-address 44-44-44
[Switch-vlan10] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] mac-vlan enable
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] mac-vlan enable
[Switch-GigabitEthernet0/0/3] quit
[Switch] interface gigabitethernet 0/0/4
[Switch-GigabitEthernet0/0/4] mac-vlan enable
[Switch-GigabitEthernet0/0/4] quit
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 221
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
Configuration Example (a Switch Connects to Downstream Layer 2
Switches)
In Figure 4-26, Switch1 connects to a Layer 2 switch. On Switch1, associate MAC
addresses of PC1 and PC2 with VLAN 10 and MAC addresses of PC3 and PC4 with
VLAN 20.
Figure 4-26 Networking of MAC address-based VLAN assignment (a switch
connects to downstream Layer 2 switches)
<HUAWEI> system-view
[HUAWEI] sysname Switch1
[Switch1] vlan batch 10 20
[Switch1] vlan 10
[Switch1-vlan10] mac-vlan mac-address 11-11-11
[Switch1-vlan10] mac-vlan mac-address 22-22-22
[Switch1-vlan10] quit
[Switch1] vlan 20
[Switch1-vlan20] mac-vlan mac-address 33-33-33
[Switch1-vlan20] mac-vlan mac-address 44-44-44
[Switch1-vlan20] quit
[Switch1] interface gigabitethernet 0/0/1
[Switch1-GigabitEthernet0/0/1] mac-vlan enable
[Switch1-GigabitEthernet0/0/1] quit
[Switch1] interface gigabitethernet 0/0/1
[Switch1-GigabitEthernet0/0/1] port link-type hybrid
[Switch1-GigabitEthernet0/0/1] port hybrid untagged vlan 10 20
[Switch1-GigabitEthernet0/0/1] quit
[Switch1] interface gigabitethernet 0/0/2
[Switch1-GigabitEthernet0/0/2] port link-type trunk
[Switch1-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 20
[Switch1-GigabitEthernet0/0/2] quit
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 222
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
Verifying the Configuration
● Run the display mac-vlan { mac-address { all | mac-address [ mac-address-
mask | mac-address-mask-length ] } | vlan vlan-id } command in any view to
check the configuration of MAC address-based VLAN assignment.
● Run the display vlan command in any view to check information about
VLANs.
4.7.1.4 Configuring IP Subnet-based VLAN Assignment
Context
IP subnet-based and protocol-based VLAN assignments are types of network
layer-based VLAN assignment. They reduce manual VLAN configuration workload
and allow users to easily join a VLAN, transfer from one VLAN to another, and exit
from a VLAN. IP subnet-based VLAN assignment applies to scenarios where there
are high requirements for mobility and simplified management and low
requirements for security. For example, when a PC configured with multiple IP
addresses needs to access servers on different network segments or when a switch
adds PCs to other VLANs when the PCs' IP addresses change.
A switch that has IP subnet-based VLAN assignment enabled processes only
untagged frames, and treats tagged frames in the same manner as interface-
based VLAN assignment.
After receiving untagged frames from an interface, the switch determines the
VLANs that the frames belong to using the source IP addresses or network
segments, and then transmits the frames to the specified VLANs.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run vlan vlan-id
A VLAN is created and the VLAN view is displayed. If the specified VLAN has been
created, the VLAN view is directly displayed.
NOTE
The vlan configuration command completes the VLAN configurations before the VLAN is
created. The vlan configuration command only enters the VLAN configuration view.
Neither the corresponding VLAN nor configurations in the VLAN take effect. To make
configurations in the VLAN take effect, create the VLAN using the vlan command.
Step 3 Run ip-subnet-vlan [ ip-subnet-index ] ip ip-address { mask | mask-length }
[ priority priority ]
An IP subnet is associated with a VLAN.
After the 802.1p priority of a VLAN associated with an IP address or a network
segment is specified, the switch forwards high-priority frames first during network
congestion.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 223
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
Step 4 Run quit
Return to the system view.
Step 5 Configure attributes for the Ethernet interface.
1. Run interface interface-type interface-number
The view of the Ethernet interface to be added to the VLAN is displayed.
2. Run port link-type hybrid
The interface is configured as a hybrid interface.
On access and trunk interfaces, IP subnet-based VLAN assignment can be
used only when the IP subnet-based VLAN is the same as the PVID. It is
recommended that IP subnet-based VLAN assignment be configured on
hybrid interfaces.
3. port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }
The hybrid interface is configured to allow an IP subnet-based VLAN.
Step 6 (Optional) Run vlan precedence ip-subnet-vlan
The device is configured to preferentially use IP subnet-based VLAN assignment.
By default, the device preferentially uses MAC address-based VLAN assignment.
NOTE
Only the S5720I-SI, S5735-S, S5735S-S, S5735-S-I, S5735S-H, S5736-S, S6735-S, S6720-EI,
S6720S-EI support the vlan precedence command.
S5720I-SI, S5735-S, S5735S-S, S5735-S-I, S5735S-H, S5736-S support the vlan precedence
command only in the system view. Other switches support the vlan precedence command only
in the interface view.
On the S6735-S, S6720-EI and S6720S-EI, if both a subnet VLAN and MAC VLAN with a mask
are configured, the MAC VLAN with a mask is matched first regardless of whether the vlan
precedence command is used.
Step 7 Run ip-subnet-vlan enable
IP subnet-based VLAN assignment is enabled.
By default, IP subnet-based VLAN assignment is disabled.
NOTE
On the S2720-EI, S5720I-SI, S5720-LI, and S5720S-LI, when the ip error-packet-check
disable command is used to disable IP packet check, IP subnet-based VLAN assignment and
policy-based VLAN assignment do not take effect.
IP subnet-based VLAN assignment is invalid for packets with the VLAN ID of 0 on the
S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, and
S6730S-S.
----End
Configuration Example
In Figure 4-27, PC1, PC2, and PC3 are located on different network segments and
are added to VLAN 100, VLAN 200, and VLAN 300, respectively.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 224
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
Figure 4-27 Networking of IP subnet-based VLAN assignment
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 200 300
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type hybrid
[Switch-GigabitEthernet0/0/1] port hybrid untagged vlan 100 200 300
[Switch-GigabitEthernet0/0/1] ip-subnet-vlan enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 200 300
[Switch-GigabitEthernet0/0/2] quit
[Switch] vlan 100
[Switch-vlan100] ip-subnet-vlan 1 ip 192.168.1.2 24 priority 2
[Switch-vlan100] quit
[Switch] vlan 200
[Switch-vlan200] ip-subnet-vlan 1 ip 192.168.2.2 24 priority 3
[Switch-vlan200] quit
[Switch] vlan 300
[Switch-vlan300] ip-subnet-vlan 1 ip 192.168.3.2 24 priority 4
[Switch-vlan300] quit
Verifying the Configuration
● Run the display ip-subnet-vlan vlan { all | vlan-id1 [ to vlan-id2 ] }
command in any view to check information about IP subnets associated with
VLANs.
● Run the display vlan command in any view to check information about
VLANs.
4.7.1.5 Configuring Protocol-based VLAN Assignment
Context
IP subnet-based assignment and protocol-based VLAN assignment are types of
network layer-based VLAN assignment. They reduce manual VLAN configuration
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 225
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
workload and allow users to easily join a VLAN, transfer from one VLAN to
another, and exit from a VLAN. A switch that has protocol-based VLAN
assignment enabled processes only untagged frames, and treats tagged frames in
the same manner as interface-based VLAN assignment.
When receiving an untagged frame from an interface, the switch identifies the
protocol profile of the frame and then determines the VLAN that the frame
belongs to.
● If protocol-based VLANs are configured on the interface and the protocol
profile of the frame matches a protocol-based VLAN, the switch adds the
VLAN tag to the frame.
● If protocol-based VLANs are configured on the interface and the protocol
profile of the frame matches no protocol-based VLAN, the switch adds the
PVID of the interface to the frame.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run vlan vlan-id
A VLAN is created and the VLAN view is displayed. If the specified VLAN has been
created, the VLAN view is directly displayed.
NOTE
The vlan configuration command completes the VLAN configurations before the VLAN is
created. The vlan configuration command only enters the VLAN configuration view.
Neither the corresponding VLAN nor configurations in the VLAN take effect. To make
configurations in the VLAN take effect, create the VLAN using the vlan command.
Step 3 Run protocol-vlan [ protocol-index ] { at | ipv4 | ipv6 | ipx { ethernetii | llc | raw
| snap } | mode { ethernetii-etype etype-id1 | llc dsap dsap-id ssap ssap-id |
snap-etype etype-id2 } }
Protocols are associated with VLANs and a protocol profile is specified.
● protocol-index specifies the index of a protocol profile.
A protocol profile depends on protocol types and encapsulation formats. A
VLAN associated with a protocol can be defined in a protocol profile.
● When specifying the source and destination service access points, pay
attention to the following points:
– dsap-id and ssap-id cannot be both set to 0xaa.
– dsap-id and ssap-id cannot be both set to 0xe0. 0xe0 indicates llc, an
encapsulation format of IPX packets.
– dsap-id and ssap-id cannot be both set to 0xff. 0xff indicates raw, an
encapsulation format of IPX packets.
Step 4 Configure attributes for the Ethernet interface.
1. Run interface interface-type interface-number
The view of the interface that allows the protocol-based VLAN is displayed.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 226
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
2. Run port link-type hybrid
The interface is configured as a hybrid interface.
On access and trunk interfaces, protocol-based VLAN assignment can be used
only when the protocol-based VLAN is the same as the PVID. It is
recommended that protocol-based VLAN assignment be configured on hybrid
interfaces.
3. Run port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }
The hybrid interface is configured to allow the protocol-based VLAN.
4. Run protocol-vlan vlan vlan-id { all | protocol-index1 [ to protocol-index2 ] }
[ priority priority ]
The interface is associated with a protocol-based VLAN.
– vlan-id must be the ID of a protocol-based VLAN.
– priority specifies the 802.1p priority of a protocol-based VLAN. The value
is in the range from 0 to 7. A larger value indicates a higher priority. The
default value is 0. After the 802.1p priority of a protocol-based VLAN is
specified, the switch forwards high-priority frames first during network
congestion.
NOTE
Protocol-based VLAN assignment is invalid for packets with the VLAN ID of 0 on the S5731-
H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, and S6730S-S.
----End
Configuration Example
In Figure 4-28, users in VLAN 10 use IPv4 to communicate with remote users, and
users in VLAN 20 use IPv6 to communicate with remote servers. To implement
this, you need to use protocol-based VLAN assignment.
Figure 4-28 Networking of protocol-based VLAN assignment
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 227
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
[Switch] vlan 10
[Switch-vlan10] protocol-vlan ipv4
[Switch-vlan10] quit
[Switch] vlan 20
[Switch-vlan20] protocol-vlan ipv6
[Switch-vlan20] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] protocol-vlan vlan 10 all priority 5
[Switch-GigabitEthernet0/0/2] port link-type hybrid
[Switch-GigabitEthernet0/0/2] port hybrid untagged vlan 10
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] protocol-vlan vlan 20 all priority 6
[Switch-GigabitEthernet0/0/3] port link-type hybrid
[Switch-GigabitEthernet0/0/3] port hybrid untagged vlan 20
[Switch-GigabitEthernet0/0/3] quit
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 20
[Switch-GigabitEthernet0/0/1] quit
Verifying the Configuration
● Run the display protocol-vlan vlan { all | vlan-id1 [ to vlan-id2 ] } command
in any view to check the types and indexes of the protocols associated with
VLANs.
● Run the display protocol-vlan interface { all | interface-type interface-
number } command in any view to check the protocol-based VLAN
configuration on a specified interface or all interfaces.
● Run the display vlan command in any view to check information about
VLANs.
4.7.1.6 Configuring Policy-based VLAN Assignment
Context
Policy-based VLAN assignment allows plug-and-play of user terminals and
provides secure data isolation for terminal users.
The switch provides policy-based VLAN assignment based on just MAC and IP
addresses or based on both MAC and IP addresses and interfaces.
Policy-based VLAN assignment uses a policy to bind a terminal's MAC address and
IP address, or its interface, to a specific VLAN. If the IP or MAC addresses of
terminals added to a VLAN are changed, they will exit from the VLAN.
The switch that has policy-based VLAN assignment enabled processes only
untagged frames, and treat tagged frames in the same manner as VLANs
configured based on ports.
When receiving an untagged frame, the switch determines the VLAN according to
the policy matching both MAC and IP addresses of the frame, and then transmits
the frame in the VLAN.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 228
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run vlan vlan-id
A VLAN is created and the VLAN view is displayed. If the specified VLAN has been
created, the VLAN view is directly displayed.
NOTE
The vlan configuration command completes the VLAN configurations before the VLAN is
created. The vlan configuration command only enters the VLAN configuration view.
Neither the corresponding VLAN nor configurations in the VLAN take effect. To make
configurations in the VLAN take effect, create the VLAN using the vlan command.
Step 3 Run policy-vlan mac-address mac-address ip ip-address [ interface interface-
type interface-number ] [ priority priority ]
Policy-based VLAN assignment is configured.
If interface interface-type interface-number is not specified, MAC-IP binding
policies are applied to all interfaces in a specified VLAN.
Step 4 Run quit
Return to the system view.
Step 5 Configure attributes for the Ethernet interface.
1. Run interface interface-type interface-number
The view of the interface that allows the policy-based VLAN is displayed.
2. Run port link-type hybrid
The interface is configured as a hybrid interface.
3. Run port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }
The hybrid interface is configured to allow the policy-based VLAN.
On access and trunk interfaces, policy-based VLAN assignment can be used
only when the policy-based VLAN is the same as the PVID. It is recommended
that policy-based VLAN assignment be configured on hybrid interfaces.
NOTE
Policy-based VLAN assignment is invalid for packets with the VLAN ID of 0.
On the S2720-EI, S5720I-SI, S5720-LI, and S5720S-LI, when the ip error-packet-check
disable command is used to disable IP packet check, IP subnet-based VLAN assignment and
policy-based VLAN assignment do not take effect.
----End
Verifying the Configuration
● Run the display policy-vlan { all | vlan vlan-id } command in any view to
check the configuration of policy-based VLAN assignment.
● Run the display vlan command in any view to check information about
VLANs.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 229
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
4.7.2 Configuring Inter-VLAN Communication
Context
VLANIF interfaces are simple to configure and are one of the most commonly
used technologies for inter-VLAN communication.
If a VLAN goes Down because all interfaces in the VLAN went Down, the system
immediately reports the VLAN Down event to the corresponding VLANIF interface,
instructing the VLANIF interface to go Down. To avoid network flapping from the
VLANIF interface status change, enable VLAN damping on the VLANIF interface.
With VLAN damping, after the last interface in Up state in a VLAN goes Down, the
device starts a delay timer. It will only inform the corresponding VLANIF interface
of the VLAN Down event after the timer expires. In this way, if an interface in the
VLAN goes Up during the delay, the VLANIF interface remains Up.
The Maximum Transmission Unit (MTU) determines the maximum number of
bytes that can be sent at a time. If the size of the packets exceeds the MTU
supported by a receiver or a transit node, the packet will be fragmented or
discarded, increasing the network transmission load. To avoid this problem, set the
MTU of the VLANIF interface appropriately.
After configuring bandwidth for a VLANIF interface, you can use the NMS to query
the bandwidth to facilitate traffic monitoring.
Pre-configuration Tasks
Before configuring inter-VLAN communication, complete the following tasks:
● Assign VLANs.
● Configure the default gateway address of hosts as the IP address of the
VLANIF interface.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface vlanif vlan-id
The VLANIF interface view is displayed.
A VLANIF interface goes Up only when at least one physical interface in the
corresponding VLAN is in Up state.
Step 3 (Optional) Run description description
The description of the VLANIF interface is configured.
Step 4 Run ip address ip-address { mask | mask-length } [ sub ]
An IP address is configured for the VLANIF interface to implement Layer 3
connectivity.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 230
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
If IP addresses assigned to VLANIF interfaces belong to different network
segments, you need to configure a routing protocol on the device to provide
reachable routes.
Each VLANIF interface can be configured with one primary IP address and a
maximum of 31 secondary IP addresses.
NOTE
An IP address of a VLANIF interface can be statically configured or dynamically obtained
using DHCP. For details about DHCP, see DHCP Configuration in the S300, S500, S2700,
S5700, and S6700 V200R021C10 Configuration Guide - IP Services.
Step 5 (Optional) Run damping time delay-time
The delay of VLAN damping is set.
The value is in the range from 0 to 20, in seconds. By default, the delay is set to 0,
which indicates that VLAN damping is disabled.
Step 6 (Optional) Run mtu mtu
The MTU of the VLANIF interface is set.
By default, the value is 1500 bytes.
NOTE
● After using the mtu command to change the MTU of an interface, restart the interface
to make the new MTU take effect. To restart the interface, run the shutdown command
and then the undo shutdown command, or run the restart command in the interface
view.
● The MTU plus the Layer 2 frame header of a VLANIF interface must be smaller than the
maximum frame length of the remote interface set by the jumboframe command;
otherwise, some frames may be discarded.
----End
Verifying the Configuration
● Run the display interface vlanif [ vlan-id | main ] command to check the
status, configuration, and traffic statistics of the VLANIF interface.
NOTE
Only the VLANIF interface in Up state can forward packets at Layer 3. If the VLANIF
interface goes Down, rectify the fault according to 4.10.2 A VLANIF Interface Goes
Down.
4.7.3 Configuring Port Isolation to Implement Intra-VLAN
Layer 2 Isolation
Context
To isolate broadcast packets in the same VLAN but allow users connecting to
different interfaces to communicate at Layer 3, you can set the port isolation
mode to Layer 2 isolation and Layer 3 interworking. To prevent interfaces in the
same VLAN from communicating at both Layer 2 and Layer 3, you can set the
port isolation mode to Layer 2 and Layer 3 isolation.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 231
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
Figure 4-29 shows a port isolation usage scenario. PC1, PC2, and PC3 belong to
VLAN 10. After GE0/0/1 connecting to PC1 and GE0/0/2 connecting to PC2 are
added to a port isolation group, PC1 and PC2 cannot communicate with each
other in VLAN 10, but they can communicate with PC3.
Figure 4-29 Network diagram of port isolation
Unidirectional port isolation can be configured in certain scenarios. When multiple
hosts connect to different interfaces of a device, a host with security risks may
send a lot of broadcast packets to other hosts. You can configure unidirectional
isolation to prevent the insecure host from sending packets to other hosts.
As shown in Figure 4-30, PC4 is not secure and sends many broadcast packets to
other hosts. You can configure unidirectional isolation to isolate GE0/0/4 from
GE0/0/5 and GE0/0/6 unidirectionally. In this way, the broadcast packets sent by
PC4 cannot reach PC5 and PC6, but the broadcast packets sent by PC5 and PC6
can reach PC4.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 232
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
Figure 4-30 Network diagram of unidirectional isolation
Procedure
● Configure a port isolation group.
a. Run system-view
The system view is displayed.
b. (Optional) Run port-isolate mode { l2 | all }
The port isolation mode is configured.
The default port isolation mode is Layer 2 isolation and Layer 3
interworking.
c. Run interface interface-type interface-number
The Ethernet interface view is displayed.
d. Run port-isolate enable [ group group-id ]
Port isolation is enabled.
By default, port isolation is disabled.
Port isolation takes effect only for interfaces on the same device.
Interfaces in a port isolation group are isolated from each other, but
interfaces in different port isolation groups can communicate. If group-id
is not specified, interfaces are added to port isolation group 1 by default.
● Configure unidirectional isolation.
a. Run system-view
The system view is displayed.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 233
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
b. (Optional) Run port-isolate mode { l2 | all }
The port isolation mode is configured.
The default port isolation mode is Layer 2 isolation and Layer 3
interworking.
c. Run interface interface-type interface-number
The Ethernet interface view is displayed.
d. Run am isolate { interface-type interface-number }&<1-8>
Unidirectional isolation is configured.
By default, unidirectional isolation is disabled.
NOTE
If interface A is isolated from interface B unidirectionally, packets sent from
interface A cannot reach interface B, but packets sent from interface B can reach
interface A.
Interfaces in a port isolation group are isolated from each other, but interfaces in
different port isolation groups can communicate. To isolate interfaces in different
port isolation groups, configure unidirectional isolation on these interfaces.
----End
Configuration Example
In Figure 4-31, PC3 needs to communicate with PC1 and PC2 but PC1 and PC2
cannot communicate with each other.
Figure 4-31 Network of port isolation
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 234
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 10
[Switch-vlan10] quit
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type access
[Switch-GigabitEthernet0/0/1] port default vlan 10
[Switch-GigabitEthernet0/0/1] port-isolate enable //By default, the interface is added to port isolation
group 1 and the port isolation mode is Layer 2 isolation and Layer 3 interworking. You can run the port-
isolate mode all command to set the port isolation mode to Layer 2 and Layer 3 isolation.
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type access
[Switch-GigabitEthernet0/0/2] port default vlan 10
[Switch-GigabitEthernet0/0/2] port-isolate enable //By default, the interface is added to port isolation
group 1 and the port isolation mode is Layer 2 isolation and Layer 3 interworking. You can run the port-
isolate mode all command to set the port isolation mode to Layer 2 and Layer 3 isolation.
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type access
[Switch-GigabitEthernet0/0/3] port default vlan 10
[Switch-GigabitEthernet0/0/3] quit
Verifying the Configuration
Run the display port-isolate group { group-id | all } command in any view to
check the configuration of a port isolation group.
Follow-up Procedure
After configuring port isolation, you can perform the following tasks:
● To reduce the maintenance workload and operation complexity, run the clear
configuration port-isolate command in the system view to clear all the port
isolation configurations on the device.
● To exclude a VLAN when configuring port isolation, run the port-isolate
exclude vlan command in the system view. This configuration ensures that
port isolation does not take effect in the excluded VLAN, and users in the
VLAN can communicate with each other.
4.7.4 Configuring Unknown Packet Isolation in a VLAN
Context
You can configure unknown packet isolation in a VLAN to isolate broadcast
packets, unknown unicast packets, and unknown multicast packets, without
affecting packets sending to the CPU. This function applies to large- and medium-
sized campus networks where aggregation and access switches go online through
Option 148.
NOTE
This function is supported only on the following models: S5731-H, S5731-S, S5731S-H,
S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, and S6730S-S.
Procedure
● Configure unknown packet isolation in a VLAN.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 235
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
1. Run system-view
The system view is displayed.
2. Run vlan vlan-id
A VLAN is created and the VLAN view is displayed, or the view of an existing
VLAN is displayed.
3. Run unknown-flow drop
Unknown packet isolation is configured in the VLAN.
Verifying the Configuration
Run the display this command in the VLAN view to check the configuration of
unknown packet isolation in the VLAN.
4.7.5 Configuring a Management VLAN
Context
The management VLAN allows you to use the VLANIF interface to log in to the
management switch to centrally manage devices.
Usually, a VLANIF interface needs to be configured with only one management IP
address. However, in some situations, for example, when users in the same
management VLAN belong to multiple different network segments, you need to
configure a primary management IP address and multiple secondary management
IP addresses.
You can log in to both local and remote devices using a VLANIF interface of a
management VLAN. When logging in to the remote device using the VLANIF
interface of a management VLAN, you need to configure VLANIF interfaces on
both local and remote devices and assign IP addresses on the same network
segment to them.
Pre-configuration Tasks
Before configuring a management VLAN, perform the task of assigning VLANs.
NOTE
Only trunk and hybrid interfaces can join the management VLAN.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run vlan vlan-id
The VLAN view is displayed.
Step 3 Run management-vlan
The VLAN is configured as the management VLAN.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 236
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
VLAN 1 cannot be configured as the management VLAN.
Step 4 Run quit
Exit from the VLAN view.
Step 5 Run interface vlanif vlan-id
A VLANIF interface is created and its view is displayed.
Step 6 Run ip address ip-address { mask | mask-length } [ sub ]
An IP address is assigned to the VLANIF interface.
----End
Follow-up Procedure
Log in to the switch to implement centralized management through the NMS.
Then, select one of the following login modes:
● To manage local devices, log in to the local switch using Telnet, STelnet,
HTTPS. For details, see Configuring Telnet Login, Configuring STelnet Login, or
Web System Login in the S300, S500, S2700, S5700, and S6700 V200R021C10
Configuration Guide - Basic Configurations.
● To manage remote devices, log in to the local device using Telnet or STelnet.
Then log in to the remote devices using Telnet or STelnet from the local
device. For details, see Example for Configuring the Device as the Telnet Client
to Log In to Another Device in "Configuring Telnet Login", or Example for
Configuring the Device as the STelnet Client to Log In to Another Devicein
"Configuring STelnet Login" in the S300, S500, S2700, S5700, and S6700
V200R021C10 Configuration Guide - Basic Configurations.
The login IP address is the IP address of the VLANIF interface of the management
VLAN.
Verifying the Configuration
● Run the display vlan command to check the management VLAN
configuration. In the command output, the VLAN marked with a * is the
management VLAN.
4.7.6 Configuring Transparent Transmission of Protocol
Packets in a VLAN
Context
Transparent transmission of protocol packets in a VLAN allows the switch to
transparently transmit protocol packets in a specified VLAN without sending the
protocol packets to the CPU, improving forwarding efficiency.
The switch can transparently transmit the following protocol packets:
CFM/ARP/BFD/DHCP/DHCPV6/HTTP/IGMP/MLD/ND/PIM/PIMv6/PPPoE/TACACS.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 237
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
NOTE
Only the S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6735-S, S6720-EI, S6720S-EI,
S6730-H, S6730S-H, S6730-S, and S6730S-S support this function.
Procedure
● Configure transparent transmission of protocol packets in a VLAN.
a. Run system-view
The system view is displayed.
b. Run vlan vlan-id
A VLAN is created and the VLAN view is displayed. If the specified VLAN
has been created, the VLAN view is directly displayed.
c. Run protocol-transparent
Transparent transmission of protocol packets in a VLAN is configured.
By default, transparent transmission of protocol packets in a VLAN is
disabled.
● Configure transparent transmission of protocol packets in multiple VLANs.
a. Run system-view
The system view is displayed.
b. Run vlan batch { vlan-id1 [ to vlan-id2 ] } &<1-10>
One or more VLANs are created.
c. Run vlan range { vlan-id1 [ to vlan-id2 ] } &<1-10>
A temporary VLAN range is created and its view is displayed. If the VLAN
range has been created, this command directly displays the VLAN-Range
view.
Uncreated VLANs cannot be added to a temporary VLAN range.
d. Run protocol-transparent
Transparent transmission of protocol packets in VLANs is configured.
By default, transparent transmission of protocol packets is disabled in
VLANs of a temporary VLAN range.
NOTE
● The vlan range command configuration is not saved in the configuration file. After
services are configured in the VLAN-Range view, the service configurations of all the
VLANs in the VLAN range will be saved in the configuration file.
● After transparent transmission of protocol packets is configured in a VLAN, the VLAN
cannot be configured as a multicast VLAN or control VLAN.
● Before running this command, ensure that IGMP or MLD snooping has been disabled in
the VLAN. Otherwise, the configuration may fail.
Verifying the Configuration
Run the display this command in the VLAN view to check the configuration of
transparent transmission of protocol packets in a VLAN.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 238
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
4.8 Maintaining VLAN
4.8.1 Collecting VLAN Traffic Statistics
Context
You can enable traffic statistics collection on a VLAN or on a VLANIF interface to
monitor VLAN traffic.
Procedure
● Check VLAN traffic statistics.
a. (Optional) Run the vlan statistics interval command in the system view
to set the VLAN traffic statistics collection interval.
b. (Optional) Run the vlan statistics { by-packets | by-bytes } command in
the system view to set the VLAN traffic statistics collection mode. You can
configure the switch to collect VLAN traffic statistics based on packets or
bytes.
NOTE
Only the S2720-EI, S5720I-SI, S5720-LI, S5720S-LI, S5735S-H, S5736-S support this
configuration.
c. Run the statistic enable command in the VLAN view to enable VLAN
traffic statistics collection.
d. Run the display vlan vlan-id statistics command in any view to check
traffic statistics about a specified VLAN.
● Check traffic statistics about a VLANIF interface.
a. Run the statistic enable command in the VLANIF interface view to
enable traffic statistics collection.
NOTE
Only the S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6735-S, S6720-EI,
S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support this configuration.
b. Run the display interface vlanif [ vlan-id ] command in any view to
check traffic statistics about a VLANIF interface.
----End
4.8.2 Clearing VLAN Traffic Statistics
Context
If you want to collect traffic statistics for a specified time on an interface, you
must first clear existing statistics on the interface.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 239
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
NOTICE
The cleared VLAN traffic statistics cannot be restored. Exercise caution when you
use the reset vlan command.
To clear VLAN traffic statistics, run the reset vlan statistics command in the user
view.
Procedure
● Run the reset vlan vlan-id statistics command to clear the traffic statistics of
the specified VLAN.
----End
4.8.3 Clearing Packet Statistics on a VLANIF Interface
Context
If you want to collect the packet statistics for a specified time on a VLANIF
interface, you must first clear existing packet statistics on the VLANIF interface.
NOTICE
The cleared statistics cannot be restored. Exercise caution when you run the reset
command.
Procedure
● Run the reset counters interface [ interface-type [ interface-number ] ]
command to clear the packet statistics on the specified VLANIF interface.
----End
4.8.4 Clearing LNP Packet Statistics
If you want to re-collect statistics on LNP packets for a specified time, you must
first clear existing statistics.
Context
NOTICE
The cleared LNP packet statistics cannot be restored. Exercise caution when you
run the reset lnp statistics command.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 240
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
Procedure
● Run the reset lnp statistics [ interface interface-type interface-number ]
command in the user view to clear the LNP packet statistics.
----End
4.8.5 Enabling GMAC Ping to Detect Layer 2 Network
Connectivity
Context
Similar to IP ping, GMAC ping efficiently detects and locates Ethernet faults and
monitors link quality.
GMAC ping is applicable to networks where MD, MA, or MEP is not configured.
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the ping mac enable command to enable GMAC ping globally.
By default, GMAC ping is disabled.
After GMAC ping is enabled on the device, the device can ping the remote device
and respond to received GMAC ping packets.
Step 3 Run the ping mac mac-address vlan vlan-id [ interface interface-type interface-
number | -c count | -s packetsize | -t timeout | -p priority-value ] * command to
perform GMAC ping to check the connectivity of the link between the local and
remote devices.
A MEP is not required to initiate GMAC ping, but the destination node cannot be a
MEP or MIP. You can perform GMAC ping without configuring the MD, MA, or
MEP on the source device, intermediate device, and destination device.
The two devices must be configured with IEEE 802.1ag of the same version.
Otherwise, you cannot use the ping mac command. For example, if the local
device is configured with IEEE 802.1ag Draft 7 and the remote device is configured
with IEEE Standard 802.1ag-2007, the local device cannot ping the remote device.
----End
4.8.6 Enabling GMAC Trace to Locate Faults
Context
Similar to IP traceroute, GMAC trace efficiently detects and locates Ethernet faults
and monitors the link quality.
GMAC trace is applicable to the network where MD, MA, or MEP is not configured.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 241
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
Procedure
Step 1 Configure the devices on both ends of a link and the intermediate device.
Perform the following operations on the devices at both ends of the link to be
tested and the intermediate device.
1. Run the system-view command to enter the system view.
2. Run the trace mac enable command to enable GMAC trace globally.
By default, GMAC trace is disabled (except the S5731-H, S5731-S, S5731S-H,
S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, and S6730S-S).
After GMAC trace is enabled on the device, GMAC trace operations can be
performed on the device. The device can respond to received GMAC trace
packets.
Step 2 Perform GMAC trace.
Perform the following operations on the device at one end of the link to be tested.
1. Run the system-view command to enter the system view.
2. Run the trace mac mac-address vlan vlan-id [ interface interface-type
interface-number | -t timeout | -h ]* command to configure the device to
locate connectivity faults between the local and remote devices.
A MEP is not required to initiate GMAC trace, but the destination node cannot
be a MEP or MIP. GMAC trace can be used without configuring the MD, MA,
or MEP on the source device, intermediate device, or destination device. All
the intermediate devices can respond with an LTR.
The two devices must be configured with IEEE 802.1ag of the same version.
Otherwise, you cannot use the trace mac command. For example, if the local
device is configured with IEEE 802.1ag Draft 7 and the remote device is
configured with IEEE Standard 802.1ag-2007, the connectivity fault cannot be
located.
----End
4.8.7 Restoring the Default VLAN Configuration of an
Interface
The default VLAN configuration of an interface depends on the default VLAN of
the interface and the VLAN that the interface joins. By default, the default VLAN
configuration of an interface is as follows:
● Access: The default VLAN is VLAN 1. An access interface joins VLAN 1 in
untagged mode.
● Trunk: The default VLAN is VLAN 1. A trunk interface joins VLAN 1 in tagged
mode.
● Hybrid: The default VLAN is VLAN 1. A hybrid interface joins VLAN 1 in
untagged mode.
● QinQ: The default VLAN is VLAN 1. A QinQ interface joins VLAN 1.
● Negotiation-auto or Negotiation-desirable: If the interface is negotiated as an
access interface, the default VLAN configuration of that interface is the same
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 242
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
as that of the access interface. If the interface is negotiated as a trunk
interface, the default VLAN is VLAN 1 and the interface joins VLANs 1 to 4094
in tagged mode.
Run the display this include-default | include link-type command in the
interface view to check the link type of the interface, and then perform one of the
following configurations to restore the default configuration of the interface.
● Restore the default VLAN configuration of an access or a QinQ interface.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo port default vlan
● Restore the default VLAN configuration of a trunk interface.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo port trunk pvid vlan
[HUAWEI-GigabitEthernet0/0/1] undo port trunk allow-pass vlan all
[HUAWEI-GigabitEthernet0/0/1] port trunk allow-pass vlan 1
● Restore the default VLAN configuration of a hybrid interface.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo port hybrid pvid vlan
[HUAWEI-GigabitEthernet0/0/1] undo port hybrid vlan all
[HUAWEI-GigabitEthernet0/0/1] port hybrid untagged vlan 1
● Restore the default VLAN configuration of a Negotiation-auto or Negotiation-
desirable interface.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo port default vlan
[HUAWEI-GigabitEthernet0/0/1] undo port trunk pvid vlan
[HUAWEI-GigabitEthernet0/0/1] port trunk allow-pass vlan all
4.8.8 Deleting a VLAN
Context
It is good practice to delete unused VLANs to conserve VLAN resources and reduce
packets on the network. You can delete a single VLAN or VLANs in a batch.
NOTE
VLAN 1 is the default VLAN. It does not need to be created and cannot be deleted.
Procedure
● Deleting a single VLAN
a. Run system-view
The system view is displayed.
b. Run undo vlan vlan-id
The VLAN is deleted.
● Deleting multiple VLANs
a. Run system-view
The system view is displayed.
b. Run undo vlan batch { vlan-id1 [ to vlan-id2 ] } &<1-10>
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 243
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
The VLANs are deleted.
----End
4.9 Configuration Examples for VLANs
4.9.1 Example for Configuring VLANIF Interfaces to
Implement Inter-VLAN Communication
Networking Requirements
Different user hosts of a company transmit the same service, and are located on
different network segments. User hosts transmitting the same service belong to
different VLANs and need to communicate.
In Figure 4-32, User1 and User2 use the same service and need to communicate,
but belong to different VLANs and are located on different network segments.
User1 and User2 need to communicate.
Figure 4-32 Configuring VLANIF interfaces to implement inter-VLAN
communication
Configuration Roadmap
1. Create VLANs and determine which VLANs users belong to.
2. Add interfaces to VLANs and configure the interfaces to allow the VLANs of
the users.
3. Create VLANIF interfaces and configure IP addresses for the VLANIF interfaces
to implement Layer 3 connectivity.
NOTE
To implement inter-VLAN communication, hosts in each VLAN must use the IP address of
the corresponding VLANIF interface as the gateway address.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 244
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
Procedure
Step 1 Configure the switch.
# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
# Add interfaces to VLANs.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type access
[Switch-GigabitEthernet0/0/1] port default vlan 10
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type access
[Switch-GigabitEthernet0/0/2] port default vlan 20
[Switch-GigabitEthernet0/0/2] quit
# Assign IP addresses to VLANIF interfaces.
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.10.10.2 24
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 10.10.20.2 24
[Switch-Vlanif20] quit
Step 2 Verify the configuration.
Configure the IP address of 10.10.10.3/24 and default gateway address as
10.10.10.2/24 (VLANIF 10's IP address) for User1 in VLAN 10.
Configure the IP address of 10.10.20.3/24 and default gateway address as
10.10.20.2/24 (VLANIF 20's IP address) for User2 in VLAN 20.
After the configuration is complete, User1 in VLAN 10 and User2 in VLAN 20 can
communicate.
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10 20
#
interface Vlanif10
ip address 10.10.10.2 255.255.255.0
#
interface Vlanif20
ip address 10.10.20.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 20
#
return
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 245
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
Related Content
Videos
Deploying a Layer 3 Switch on a LAN
4.9.2 Example for Configuring VLANIF Interfaces to
Implement Intra-VLAN Communication
Networking Requirements
In Figure 4-33, Switch_1 and Switch_2 are connected to Layer 2 networks that
VLAN 10 belongs to. Switch_1 communicates with Switch_2 through a Layer 3
network with OSPF enabled.
PCs of the two Layer 2 networks need to be isolated at Layer 2 and interwork at
Layer 3.
Figure 4-33 Configuring VLANIF interfaces to implement intra-VLAN
communication
Configuration Roadmap
1. Add interfaces to VLANs and configure the interfaces to allow the VLANs.
2. Configure IP addresses for VLANIF interfaces to implement Layer 3
connectivity.
3. Configure basic OSPF functions to implement Layer 3 interworking.
Procedure
Step 1 Configure Switch_1.
# Create VLAN 10 and VLAN 30.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 246
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 10 30
# Add GE0/0/1 to VLAN 10 and GE0/0/2 to VLAN 30.
[Switch_1] interface gigabitethernet 0/0/1
[Switch_1-GigabitEthernet0/0/1] port link-type trunk
[Switch_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[Switch_1-GigabitEthernet0/0/1] quit
[Switch_1] interface gigabitethernet 0/0/2
[Switch_1-GigabitEthernet0/0/2] port link-type trunk
[Switch_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 30
[Switch_1-GigabitEthernet0/0/2] quit
# Configure IP addresses of 10.10.10.1/24 for VLANIF 10 and 10.10.30.1/24 for
VLANIF 30.
[Switch_1] interface vlanif 10
[Switch_1-Vlanif10] ip address 10.10.10.1 24
[Switch_1-Vlanif10] quit
[Switch_1] interface vlanif 30
[Switch_1-Vlanif30] ip address 10.10.30.1 24
[Switch_1-Vlanif30] quit
# Configure basic OSPF functions.
[Switch_1] router id 1.1.1.1
[Switch_1] ospf
[Switch_1-ospf-1] area 0
[Switch_1-ospf-1-area-0.0.0.0] network 10.10.10.0 0.0.0.255
[Switch_1-ospf-1-area-0.0.0.0] network 10.10.30.0 0.0.0.255
[Switch_1-ospf-1-area-0.0.0.0] quit
Step 2 Configure Switch_2.
# Create VLAN 10 and VLAN 30.
<HUAWEI> system-view
[HUAWEI] sysname Switch_2
[Switch_2] vlan batch 10 30
# Add GE0/0/1 to VLAN 10 and GE0/0/2 to VLAN 30.
[Switch_2] interface gigabitethernet 0/0/1
[Switch_2-GigabitEthernet0/0/1] port link-type trunk
[Switch_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[Switch_2-GigabitEthernet0/0/1] quit
[Switch_2] interface gigabitethernet 0/0/2
[Switch_2-GigabitEthernet0/0/2] port link-type trunk
[Switch_2-GigabitEthernet0/0/2] port trunk allow-pass vlan 30
[Switch_2-GigabitEthernet0/0/2] quit
# Configure VLANIF 10 and VLANIF 30 with IP addresses 10.10.20.1/24 and
10.10.30.2/24 respectively.
[Switch_2] interface vlanif 10
[Switch_2-Vlanif10] ip address 10.10.20.1 24
[Switch_2-Vlanif10] quit
[Switch_2] interface vlanif 30
[Switch_2-Vlanif30] ip address 10.10.30.2 24
[Switch_2-Vlanif30] quit
# Configure basic OSPF functions.
[Switch_2] router id 2.2.2.2
[Switch_2] ospf
[Switch_2-ospf-1] area 0
[Switch_2-ospf-1-area-0.0.0.0] network 10.10.20.0 0.0.0.255
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 247
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
[Switch_2-ospf-1-area-0.0.0.0] network 10.10.30.0 0.0.0.255
[Switch_2-ospf-1-area-0.0.0.0] quit
Step 3 Configure Switch_3.
# Create VLAN 10, add GE0/0/1 to VLAN 10 in untagged mode and GE0/0/2 to
VLAN 10 in tagged mode. The configuration of Switch_4 is the same as that of
Switch_3.
<HUAWEI> system-view
[HUAWEI] sysname Switch_3
[Switch_3] vlan batch 10
[Switch_3] interface gigabitethernet 0/0/1
[Switch_3-GigabitEthernet0/0/1] port link-type access
[Switch_3-GigabitEthernet0/0/1] port default vlan 10
[Switch_3-GigabitEthernet0/0/1] quit
[Switch_3] interface gigabitethernet 0/0/2
[Switch_3-GigabitEthernet0/0/2] port link-type trunk
[Switch_3-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[Switch_3-GigabitEthernet0/0/2] quit
Step 4 Verify the configuration.
On the PC of the Layer 2 network connected to Switch_1, set the default gateway
address to 10.10.10.1 (the IP address of VLANIF10).
On the PC of the Layer 2 network connected to Switch_2, set the default gateway
address to 10.10.20.1 (the IP address of VLANIF10).
After the configuration is complete, PCs on the two Layer 2 networks are isolated
at Layer 2 and interwork at Layer 3.
----End
Configuration Files
● Switch_1 configuration file
#
sysname Switch_1
#
router id 1.1.1.1
#
vlan batch 10 30
#
interface Vlanif10
ip address 10.10.10.1 255.255.255.0
#
interface Vlanif30
ip address 10.10.30.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 30
#
ospf 1
area 0.0.0.0
network 10.10.10.0 0.0.0.255
network 10.10.30.0 0.0.0.255
#
return
● Switch_2 configuration file
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 248
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
#
sysname Switch_2
#
router id 2.2.2.2
#
vlan batch 10 30
#
interface Vlanif10
ip address 10.10.20.1 255.255.255.0
#
interface Vlanif30
ip address 10.10.30.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 30
#
ospf 1
area 0.0.0.0
network 10.10.20.0 0.0.0.255
network 10.10.30.0 0.0.0.255
#
return
● Switch_3 configuration file
#
sysname Switch_3
#
vlan batch 10
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10
#
return
● Switch_4 configuration file
#
sysname Switch_4
#
vlan batch 10
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10
#
return
Related Content
Videos
Deploying a Layer 3 Switch on a LAN
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 249
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
4.9.3 Example for Configuring VLANIF Interfaces to
Implement Communication of Hosts on Different Network
Segments in the Same VLAN
Networking Requirements
On the enterprise network shown in Figure 4-34, hosts in the same VLAN belong
to network segments of 10.1.1.1/24 and 10.1.2.1/24. Hosts on the two network
segments need to access the Internet through the Switch and still communicate.
Figure 4-34 Configuring VLANIF interfaces to implement communication of hosts
on different network segments in the same VLAN
Configuration Roadmap
If only one IP address is configured for the VLANIF interface on the Switch, only
hosts on one network segment can access the Internet through the Switch. To
enable all hosts on the LAN to access the Internet through the Switch, configure a
secondary IP address for the VLANIF interface. To enable hosts on the two
network segments to communicate, the hosts on the two network segments need
to use the primary and secondary IP addresses of the VLANIF interface as default
gateway addresses.
The configuration roadmap is as follows:
1. Create VLANs and add interfaces to the VLANs.
2. Configure VLANIF interfaces and assign IP addresses to them so that hosts on
the two network segments can communicate.
3. Configure a routing protocol so that hosts can access the Internet through the
Switch.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 250
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
Procedure
Step 1 Create VLANs and add interfaces to the VLANs.
# Create VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
# Add GE0/0/1 and GE0/0/2 to VLAN 10 and GE0/0/3 to VLAN 20.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type access
[Switch-GigabitEthernet0/0/1] port default vlan 10
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type access
[Switch-GigabitEthernet0/0/2] port default vlan 10
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 20
[Switch-GigabitEthernet0/0/3] quit
Step 2 Configure VLANIF interfaces.
# Create VLANIF 10 and configure a primary IP address of 10.1.1.1/24 and a
secondary IP address of 10.1.2.1/24 for VLANIF 10. Create VLANIF 20 and
configure an IP address of 10.10.10.1/24 for VLANIF 20.
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.1.1.1 24
[Switch-Vlanif10] ip address 10.1.2.1 24 sub
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 10.10.10.1 24
[Switch-Vlanif20] quit
Step 3 Configure a routing protocol.
# Configure basic OSPF functions and then configure OSPF to advertise both the
network segments of hosts and the network segment between the Switch and
router.
[Switch] ospf
[Switch-ospf-1] area 0
[Switch-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[Switch-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.255
[Switch-ospf-1-area-0.0.0.0] network 10.10.10.0 0.0.0.255
[Switch-ospf-1-area-0.0.0.0] quit
[Switch-ospf-1] quit
NOTE
Perform the following configurations on the router:
● Add the interface connected to the Switch to VLAN 20 in tagged mode. Specify an IP
address for VLANIF 20 on the same network segment as 10.10.10.1.
● Configure basic OSPF functions and configure OSPF to advertise the network segment
between the Switch and router.
For details, see the router documentation.
Step 4 Verify the configuration.
Configure Host1 with an IP address of 10.1.1.2 and a default gateway address of
10.1.1.1/24 (primary IP address of VLANIF 10).
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 251
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
Configure Host2 with an IP address of 10.1.2.2 and a default gateway address of
10.1.2.1/24 (secondary IP address of VLANIF 10).
After the configuration is complete, Host1 and Host2 can ping each other. They
can also access the Internet though the IP address of the router interface
connected to the Switch (10.10.10.2/24).
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10 20
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
ip address 10.1.2.1 255.255.255.0 sub
#
interface Vlanif20
ip address 10.10.10.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 20
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
network 10.10.10.0 0.0.0.255
#
return
Related Content
Videos
Deploying a Layer 3 Switch on a LAN
4.9.4 Example for Configuring a Traffic Policy to Implement
Inter-VLAN Layer 3 Isolation
Networking Requirements
In Figure 4-35, a company assigns visitors, employees, and servers to VLAN 10,
VLAN 20, and VLAN 30, respectively to ensure communication security. The
company requires that:
● Employees, visitors, and servers can access the Internet.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 252
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
● Visitors can access only the Internet. They cannot access servers or
communicate with users in any other VLANs.
● Employee A can access all resources in the server area, and employee B can
access only port 21 (FTP service) of server A.
Figure 4-35 Configuring a traffic policy to implement inter-VLAN Layer 3 isolation
Configuration Roadmap
The configuration roadmap is as follows. If Layer 2 isolation and Layer 3
connectivity have been implemented, start from step 4.
1. Create VLANs and add interfaces to the VLANs to implement Layer 2 isolation
of visitors, employees, and servers.
2. Configure VLANIF interfaces and assign IP addresses to them to implement
Layer 3 connectivity between employees, servers, and visitors.
3. Configure a routing protocol so that visitors, employees, and servers can
access the Internet through Switch_4.
4. Configure an advanced ACL and an ACL-based traffic classifier.
– Visitors can access only the Internet, but cannot communicate with
employees or access servers.
– Employee A can access the Internet and all resources in the server area.
– Employee B can access only the Internet and port 21 of server A.
5. Configure a traffic behavior.
6. Configure and apply a traffic policy for the ACL and traffic behavior to take
effect.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 253
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
Procedure
Step 1 Create VLANs and add interfaces to the VLANs to implement Layer 2 isolation of
visitors, employees, and servers.
# Create VLAN 10 on Switch_1, and add GE0/0/1 to VLAN 10 in untagged mode
and GE0/0/2 to VLAN 10 in tagged mode. The configurations of Switch_2 and
Switch_3 are similar to the configuration of Switch_1.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 10
[Switch_1] interface gigabitethernet 0/0/1
[Switch_1-GigabitEthernet0/0/1] port link-type access
[Switch_1-GigabitEthernet0/0/1] port default vlan 10
[Switch_1-GigabitEthernet0/0/1] quit
[Switch_1] interface gigabitethernet 0/0/2
[Switch_1-GigabitEthernet0/0/2] port link-type trunk
[Switch_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[Switch_1-GigabitEthernet0/0/2] quit
# Create VLAN 10, VLAN 20, VLAN 30, and VLAN 100 on Switch_4, and add
GE0/0/1 to GE0/0/4 to VLAN 10, VLAN 20, VLAN 30, and VLAN 100 in tagged
mode, respectively.
<HUAWEI> system-view
[HUAWEI] sysname Switch_4
[Switch_4] vlan batch 10 20 30 100
[Switch_4] interface gigabitethernet 0/0/1
[Switch_4-GigabitEthernet0/0/1] port link-type trunk
[Switch_4-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[Switch_4-GigabitEthernet0/0/1] quit
[Switch_4] interface gigabitethernet 0/0/2
[Switch_4-GigabitEthernet0/0/2] port link-type trunk
[Switch_4-GigabitEthernet0/0/2] port trunk allow-pass vlan 20
[Switch_4-GigabitEthernet0/0/2] quit
[Switch_4] interface gigabitethernet 0/0/3
[Switch_4-GigabitEthernet0/0/3] port link-type trunk
[Switch_4-GigabitEthernet0/0/3] port trunk allow-pass vlan 30
[Switch_4-GigabitEthernet0/0/3] quit
[Switch_4] interface gigabitethernet 0/0/4
[Switch_4-GigabitEthernet0/0/4] port link-type trunk
[Switch_4-GigabitEthernet0/0/4] port trunk allow-pass vlan 100
[Switch_4-GigabitEthernet0/0/4] quit
Step 2 Configure VLANIF interfaces and assign IP addresses to them to implement Layer
3 connectivity between employees, servers, and visitors.
# On Switch_4, create VLANIF 10, VLANIF 20, VLANIF 30, and VLANIF 100 and
assign IP addresses 10.1.1.1/24, 10.1.2.1/24, 10.1.3.1/24, and 10.1.100.1/24 to them
respectively.
[Switch_4] interface vlanif 10
[Switch_4-Vlanif10] ip address 10.1.1.1 24
[Switch_4-Vlanif10] quit
[Switch_4] interface vlanif 20
[Switch_4-Vlanif20] ip address 10.1.2.1 24
[Switch_4-Vlanif20] quit
[Switch_4] interface vlanif 30
[Switch_4-Vlanif30] ip address 10.1.3.1 24
[Switch_4-Vlanif30] quit
[Switch_4] interface vlanif 100
[Switch_4-Vlanif100] ip address 10.1.100.1 24
[Switch_4-Vlanif100] quit
Step 3 Configure a routing protocol so that visitors, employees, and servers can access
the Internet through Switch_4.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 254
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
# Configure basic OSPF functions on Switch_4 to advertise the user network
segment and the network segment between Switch_4 and Router.
[Switch_4] ospf
[Switch_4-ospf-1] area 0
[Switch_4-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[Switch_4-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.255
[Switch_4-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255
[Switch_4-ospf-1-area-0.0.0.0] network 10.1.100.0 0.0.0.255
[Switch_4-ospf-1-area-0.0.0.0] quit
[Switch_4-ospf-1] quit
NOTE
Perform the following configurations on Router:
● Add the interface connected to Switch to VLAN 100 in tagged mode and specify an IP
address for VLANIF 100 on the same network segment as 10.1.100.1.
● Configure basic OSPF functions and advertise the network segment between Switch
and Router.
For details, see the corresponding product documentation.
Step 4 Configure and apply a traffic policy to control access between employees, visitors,
and servers.
1. Configure an ACL rule.
# Configure ACL 3000 on Switch_4 to prevent visitors from accessing the
employee area and server area.
[Switch_4] acl 3000
[Switch_4-acl-adv-3000] rule deny ip destination 10.1.2.1 0.0.0.255
[Switch_4-acl-adv-3000] rule deny ip destination 10.1.3.1 0.0.0.255
[Switch_4-acl-adv-3000] quit
# Configure ACL 3001 on Switch_4 so that employee A can access all
resources in the server area and employee B can access only port 21 of server
A.
[Switch_4] acl 3001
[Switch_4-acl-adv-3001] rule permit ip source 10.1.2.2 0 destination 10.1.3.1 0.0.0.255
[Switch_4-acl-adv-3001] rule permit tcp destination 10.1.3.2 0 destination-port eq 21
[Switch_4-acl-adv-3001] rule deny ip destination 10.1.3.1 0.0.0.255
[Switch_4-acl-adv-3001] quit
2. Configure traffic classifiers.
# Configure traffic classifiers c_custom and c_staff on Switch_4 and reference
ACLs 3000, and 3001 in the traffic classifiers, respectively.
[Switch_4] traffic classifier c_custom
[Switch_4-classifier-c_custom] if-match acl 3000
[Switch_4-classifier-c_custom] quit
[Switch_4] traffic classifier c_staff
[Switch_4-classifier-c_staff] if-match acl 3001
[Switch_4-classifier-c_staff] quit
3. Configure a traffic behavior.
# Create a traffic behavior b1 on Switch_4 and configure the permit action.
For the relationship between permit/deny rules in an ACL and permit/deny
rules in a traffic behavior, see What Is the Relationship Between the permit/
deny Rules in an ACL and Those in the Traffic Behavior of a Traffic Policy?.
[Switch_4] traffic behavior b1
[Switch_4-behavior-b1] permit
[Switch_4-behavior-b1] quit
4. Configure traffic policies and associate traffic classifiers with the traffic
behavior in the traffic policies.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 255
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
# Create traffic policies p_custom and p_staff on Switch_4, and associate
traffic classifiers c_custom and c_staff with traffic behavior b1.
[Switch_4] traffic policy p_custom
[Switch_4-trafficpolicy-p_custom] classifier c_custom behavior b1
[Switch_4-trafficpolicy-p_custom] quit
[Switch_4] traffic policy p_staff
[Switch_4-trafficpolicy-p_staff] classifier c_staff behavior b1
[Switch_4-trafficpolicy-p_staff] quit
5. Apply the traffic policies to control access between employees, visitors, and
servers.
# On Switch_4, apply traffic policies p_custom and p_staff in the inbound
direction of VLAN 10 and VLAN 20, respectively.
[Switch_4] vlan 10
[Switch_4-vlan10] traffic-policy p_custom inbound
[Switch_4-vlan10] quit
[Switch_4] vlan 20
[Switch_4-vlan20] traffic-policy p_staff inbound
[Switch_4-vlan20] quit
Step 5 Verify the configuration.
Configure the IP address of 10.1.1.2/24 and default gateway address of 10.1.1.1
(VLANIF 10's IP address) for visitor A; configure the IP address of 10.1.2.2/24 and
default gateway address of 10.1.2.1 (VLANIF 20's IP address) for employee A;
configure the IP address of 10.1.2.3/24 and default gateway address of 10.1.2.1
(VLANIF 20's IP address) for employee B; configure the IP address of 10.1.3.2/24
and default gateway address of 10.1.3.1 (VLANIF 30's IP address) for server A.
After the configuration is complete, the following situations occur:
● Visitor A cannot ping employee A or server A, and employee A and server A
cannot ping visitor A.
● Employee A can successfully ping server A. That is, employee A can use FTP
and other services provided by server A.
● Employee B cannot ping server A, and can only use the FTP service of server
A.
● Visitors, employees A and B, server A all can ping 10.1.100.2/24, IP address of
the router interface connected to Switch_4. That is, they can access the
Internet.
----End
Configuration File
● Switch_1 configuration file
#
sysname Switch_1
#
vlan batch 10
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10
#
return
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 256
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
● Switch_2 configuration file
#
sysname Switch_2
#
vlan batch 20
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 20
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 20
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 20
#
return
● Switch_3 configuration file
#
sysname Switch_3
#
vlan batch 30
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 30
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 30
#
return
● Switch_4 configuration file
#
sysname Switch_4
#
vlan batch 10 20 30 100
#
acl number 3000
rule 5 deny ip destination 10.1.2.0 0.0.0.255
rule 10 deny ip destination 10.1.3.0 0.0.0.255
acl number 3001
rule 10 permit ip source 10.1.2.2 0 destination 10.1.3.0 0.0.0.255
rule 5 permit tcp destination 10.1.3.2 0 destination-port eq ftp
rule 15 deny ip destination 10.1.3.0 0.0.0.255
#
traffic classifier c_custom operator and
if-match acl 3000
traffic classifier c_staff operator and
if-match acl 3001
#
traffic behavior b1
permit
#
traffic policy p_custom match-order config
classifier c_custom behavior b1
traffic policy p_staff match-order config
classifier c_staff behavior b1
#
vlan 10
traffic-policy p_custom inbound
vlan 20
traffic-policy p_staff inbound
#
interface Vlanif10
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 257
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif20
ip address 10.1.2.1 255.255.255.0
#
interface Vlanif30
ip address 10.1.3.1 255.255.255.0
#
interface Vlanif100
ip address 10.1.100.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 30
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 100
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
network 10.1.3.0 0.0.0.255
network 10.1.100.0 0.0.0.255
#
return
4.9.5 Example for Configuring a Management VLAN to
Implement Remote Management
Networking Requirements
In Figure 4-36, users need to securely log in to the Switch for remote
management. There is no idle management interface on the Switch.
Figure 4-36 Configuring a management VLAN to implement remote management
Configuration Roadmap
A management interface or VLANIF interface of a management VLAN can be used
to log in to the device for remote management. The device has no idle
management interface, so the management VLAN is used. STelnet is used to
ensure login security. The configuration roadmap is as follows:
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 258
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
1. Configure a management VLAN on the Switch and add an interface to the
management VLAN.
2. Configure a VLANIF interface and assign an IP address to it on the Switch.
3. Enable STelnet on the Switch and configure an SSH user.
4. Log in to the Switch using STelnet from a user PC.
NOTE
● The user PC needs to be configured with software for logging in to the SSH server, key
pair generation software, and public key conversion software.
● To ensure device security, change the password frequently.
Procedure
Step 1 Configure a management VLAN and add an interface to the management VLAN.
# Create VLAN 10 on the Switch, configure VLAN 10 as the management VLAN,
and add GE0/0/1 to VLAN 10 in tagged mode.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 10
[Switch-vlan10] management-vlan
[Switch-vlan10] quit
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet0/0/1] quit
Step 2 Configure a VLANIF interface and assign an IP address to the VLANIF interface.
# Create VLANIF 10 on the Switch and configure the IP address of 10.10.10.2/24
for it.
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.10.10.2 24
[Switch-Vlanif10] quit
Step 3 Enable the STelnet service and create an SSH user.
1. Generate a local key pair on the Switch.
[Switch] rsa local-key-pair create
The key name will be: Switch_Host
The range of public key size is (2048 ~ 2048).
NOTES: If the key modulus is greater than 512,
it will take a few minutes.
Input the bits in the modulus[default = 2048]: //Press Enter.
Generating keys...
...................+++++
........................++
....++++
...........++
2. Create an SSH user.
# Configure the VTY user interface on the Switch.
[Switch] user-interface vty 0 14
[Switch-ui-vty0-14] authentication-mode aaa
[Switch-ui-vty0-14] protocol inbound ssh
[Switch-ui-vty0-14] quit
# Create an SSH user named client001 on the Switch and configure password
authentication.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 259
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
[Switch] aaa
[Switch-aaa] local-user client001 password irreversible-cipher huawei@123
[Switch-aaa] local-user client001 privilege level 3
[Switch-aaa] local-user client001 service-type ssh
[Switch-aaa] quit
[Switch] ssh user client001 authentication-type password
3. Enable the STelnet service.
# Enable the STelnet service on the Switch.
[Switch] ssh server-source -i Vlanif 10
[Switch] stelnet server enable
# Configure the STelnet service for SSH user client001.
[Switch] ssh user client001 service-type stelnet
NOTE
The PC connects to the switch through the intermediate device. The intermediate device
needs to be able to transparently transmit packets from management VLAN 10 and have a
route from 10.1.1.1/24 to 10.10.10.2/24.
Step 4 Verify the configuration.
After the configuration is complete, the user can log in to the Switch from the PC
using password authentication.
# Run the PuTTY software on the user PC. The dialog box shown in Figure 4-37 is
displayed. Enter 10.10.10.2 (IP address of the Switch) and select SSH.
Figure 4-37 Configuring a management VLAN to implement remote management
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 260
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
# Click Open. On the page that is displayed on the Switch, enter the user name
and password, and press Enter.
login as: client001
SSH server: User Authentication
Using keyboard-interactive authentication.
Password:
Info: The max number of VTY users is 10, and the number
of current VTY users on line is 1.
The current login time is 2014-02-25 05:45:41+00:00.
<Switch>
The user can successfully log in to the Switch for remote management.
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10
#
vlan 10
management-vlan
#
aaa
local-user client001 password irreversible-cipher $1a$EqZEVTq=/@T2XM0q0W{Ec[Fs2@&4YII@-
=(lbr[K>4Dq76]3#BgqMOAxu^%$$
local-user client001 privilege level 3
local-user client001 service-type ssh
#
interface Vlanif10
ip address 10.10.10.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
stelnet server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
#
user-interface vty 0 14
authentication-mode aaa
#
return
4.9.6 Example for Configuring Transparent Transmission of
Protocol Packets in a VLAN
Networking Requirements
NOTE
Only the S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6735-S, S6720-EI, S6720S-EI,
S6730-H, S6730S-H, S6730-S, and S6730S-S support this function.
A company has multiple subsidiary companies. When the parent company
communicates with a subsidiary company through the core switch, the core switch
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 261
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
processes the packets before forwarding them. If multiple subsidiary companies
communicate with the parent company simultaneously, then network
performance deteriorates, lowering communication efficiency and increasing
communication costs. Transparent transmission of protocol packets in a VLAN can
be configured on the core switch to solve this problem.
In Figure 4-38, after transparent transmission of protocol packets in a VLAN is
enabled, the Switch forwards data from the specified VLAN without sending the
data to its CPU. This improves the processing efficiency, reduces communication
costs, and minimizes the probability of malicious attacks on the Switch.
Figure 4-38 VLAN transparent transmission
Configuration Roadmap
1. Create VLANs.
2. Enable transparent transmission of protocol packets in a VLAN.
3. Add Ethernet interfaces to VLANs.
Procedure
Step 1 Configure the Switch.
# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
# Enable transparent transmission of protocol packets in a VLAN.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 262
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
[Switch] vlan 20
[Switch-vlan20] protocol-transparent
[Switch-vlan20] quit
# Add interfaces to the VLANs.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type hybrid
[Switch-GigabitEthernet0/0/1] port hybrid tagged vlan 10
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type hybrid
[Switch-GigabitEthernet0/0/2] port hybrid tagged vlan 10 20
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type hybrid
[Switch-GigabitEthernet0/0/3] port hybrid tagged vlan 20
[Switch-GigabitEthernet0/0/3] quit
Step 2 Configure SwitchA and SwitchB. Add upstream interfaces on SwitchA and SwitchB
to VLAN 10 and VLAN 20 in tagged mode, and add downstream interfaces to
VLAN 10 and VLAN 20 in default mode.
Step 3 Verify the configuration.
# After the configuration is complete, run the display this command on VLAN 20.
The command output shows that transparent transmission of protocol packets in a
VLAN is enabled.
[Switch] vlan 20
[Switch-vlan20] display this
#
vlan 20
protocol-transparent
#
return
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10 20
#
vlan 20
protocol-transparent
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid tagged vlan 10
#
interface GigabitEthernet0/0/2
port link-type hybrid
port hybrid tagged vlan 10 20
#
interface GigabitEthernet0/0/3
port link-type hybrid
port hybrid tagged vlan 20
#
return
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 263
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
4.10 Troubleshooting VLANs
4.10.1 A VLANIF Interface Fails to Be Created
Fault Symptom
When a user attempts to create a VLANIF interface, the system displays an error
message. As a result, the VLANIF interface fails to be created.
Procedure
Step 1 Check the error message during VLANIF interface creation.
Rectify the fault according to the error message. See Table 4-8 for a list of error
messages.
Table 4-8 Fault solutions for a variety of error messages
Message Cause Analysis and Solution
Check Method
Error: Can not create this The number of created Run the undo
interface because the VLANIF interfaces on interface vlanif vlan-
interface number of this the device has reached id command to delete
type has reached its the limit. unnecessary VLANIF
maximum. Run the display interfaces, and then
interface brief create the new VLANIF
command to check the interface.
number of VLANIF
interfaces, and check
whether the number of
VLANIF interfaces has
reached the limits
shown in Table 4-6.
Error: The VLAN is used by The VLAN Create a VLANIF
XXX. corresponding to the interface corresponding
NOTE VLANIF interfaces is a to another VLAN.
XXX indicates a feature, such as dynamic, control, or
stack, ERPS, RRPP, SEP, Smart reserved VLAN.
Link, GVRP, or VBST.
Run the display vlan
summary command to
check whether the
value of the Dynamic
vlan or Reserved vlan
field is the VLAN
corresponding to the
VLANIF interface.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 264
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
Step 2 If the fault persists, collect alarms and logs and contact technical support
personnel.
----End
4.10.2 A VLANIF Interface Goes Down
Fault Symptom
A VLANIF interface goes Down.
Common Causes and Solutions
Table 4-9 describes common causes and solutions.
Table 4-9 Common causes and solutions for the VLANIF interface going down
Common Cause Solution
The VLAN corresponding to the Run the vlan vlan-id command to
VLANIF interface is not created. create a VLAN corresponding to the
VLANIF interface.
The interface is not added to the Run the following commands as
VLAN. required.
NOTE ● Run the port default vlan vlan-id
● The port trunk pvid vlan vlan-id [ step step-number [ increased |
command only configures the PVID on decreased ] ] command in the
a trunk interface, but does not add a interface view to add an access
trunk interface to a VLAN.
interface to a VLAN.
● The port hybrid pvid vlan vlan-id
command only configures the PVID on ● Run the port trunk allow-pass
a hybrid interface, but does not add a vlan { { vlan-id1 [ to vlan-
hybrid interface to a VLAN. id2 ] }&<1-10> | all } command in
the interface view to add a trunk
interface to a VLAN.
● You can add a hybrid interface to a
VLAN in tagged or untagged mode.
Run the port hybrid tagged vlan
{ { vlan-id1 [ to vlan-id2 ] }&<1-10>
| all } command to add a hybrid
interface to a VLAN in tagged
mode, or run the port hybrid
untagged vlan { { vlan-id1 [ to
vlan-id2 ] }&<1-10> | all }
command to add a hybrid interface
to a VLAN in untagged mode.
The physical status of all interfaces A VLANIF interface only goes Up when
added to the VLAN is Down. at least one interface in the VLAN is
Up.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 265
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
Common Cause Solution
No IP address is assigned to the Run the ip address command in the
VLANIF interface. VLANIF interface view to assign an IP
address to the VLANIF interface.
The VLANIF interface is shut down. Run the undo shutdown command in
the VLANIF interface view to start the
VLANIF interface.
4.10.3 Users in a VLAN Cannot Communicate
Fault Symptom
Users in a VLAN cannot communicate.
Procedure
Step 1 Check whether the interfaces connected to user terminals are in Up state.
Run the display interface interface-type interface-number command in any view
to check the status of the interfaces.
● If the interface is Down, rectify the interface fault.
● If the interface is Up, go to Step 2.
Step 2 Check whether the IP addresses of user terminals are on the same network
segment. If they are on different network segments, change the IP addresses of
the user terminals to be on the same network segment. If the fault persists, go to
Step 3.
Step 3 Check whether the MAC address entry is correct.
Run the display mac-address command on the Switch to check whether MAC
addresses, interfaces, and VLANs in the learned MAC address entries are correct. If
the learned MAC address entries are incorrect, run the undo mac-address mac-
address vlan vlan-id command in the system view to delete MAC address entries
so that the Switch can learn the correct MAC address entries.
After the MAC address table is updated, check the MAC address entries again.
● If the MAC address entries are incorrect, go to Step 4.
● If the MAC address entries are correct, go to Step 5.
Step 4 Check whether the VLAN is properly configured.
Check the VLAN configuration according to the following table.
Check Item Method
Whether the Run the display vlan vlan-id command in any view to check
VLAN has been whether the VLAN has been created. If not, run the vlan
created command in the system view to create the VLAN.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 266
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
Check Item Method
Whether the Run the display vlan vlan-id command in any view to check
interfaces are whether the VLAN contains the interfaces. If not, add the
added to the interfaces to the VLAN.
VLAN NOTE
If the interfaces are located on different switches, add the interfaces
connecting the switches to the VLAN.
The default type of an interface is Negotiation. You can run the port
link-type command to change the link type of an interface.
● Add an access interface to the VLAN by using either of
the following methods. Run the port default vlan
command in the interface view, or run the port command
in the VLAN view.
● Add a trunk interface to the VLAN. Run the port trunk
allow-pass vlan command in the interface view.
● Add a hybrid interface to the VLAN by using either of the
following methods. Run the port hybrid tagged vlan
command in the interface view, or run the port hybrid
untagged vlan command in the interface view.
Whether Correctly connect user terminals to device interfaces.
connections
between
interfaces and
user terminals
are correct
After the preceding operations, if the MAC address entries are correct, go to Step
5.
Step 5 Check whether port isolation is configured.
Run the interface interface-type interface-number command in the system view
to enter the interface view, and then run the display this command to check
whether port isolation is configured on the interface.
● If port isolation is not configured, go to Step 6.
● If port isolation is configured, run the undo port-isolate enable command on
the interface to disable port isolation. If the fault persists, go to Step 6.
Step 6 Check whether the correct static Address Resolution Protocol (ARP) entries are
configured on the user terminals. If the static ARP entries are incorrect, modify
them. Otherwise, go to Step 7.
Step 7 Collect logs and alarms and contact technical support personnel.
----End
4.10.4 IP Addresses of the Connected Interfaces Between
Switches Cannot Be Pinged
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 267
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
Fault Symptom
In Figure 4-39, the IP address of VLANIF 10 on Switch_2 cannot be pinged from
Switch_1. Similarly, the IP address of VLANIF 10 on Switch_1 cannot be pinged
from Switch_2.
Figure 4-39 Connected switches
Procedure
Step 1 Check whether the VLANIF interface is Up.
Run the display interface vlanif vlan-id command on Switch_1 and Switch_2 and
check the current state and Line protocol current state fields.
● If the value of any one of the two fields is DOWN, the VLANIF interface is
Down. Rectify this fault according to 4.10.2 A VLANIF Interface Goes Down.
● If the values of the two fields are UP, the VLANIF interface is Up. Go to Step
2.
Step 2 Check whether the connected Ethernet interfaces between switches joined the
VLAN.
Run the display vlan vlan-id command on Switch_1 and Switch_2 and check the
Ports field. Check whether the connected Ethernet interfaces exist in the VLAN.
● If the connected Ethernet interfaces do not exist in the VLAN, add the
connected Ethernet interfaces to the VLAN.
● If the connected Ethernet interfaces exist in the VLAN and at least one of
them joined the VLAN in untagged mode (UT is displayed before the
interface), change it from untagged mode to tagged mode.
● If the connected Ethernet interfaces exist in the VLAN but the interfaces are
Down (D is displayed after the interface), rectify the fault according to An
Ethernet Interface Is Physically Down in "Ethernet Interface Configuration" in
the S300, S500, S2700, S5700, and S6700 V200R021C10 Configuration Guide -
Interface Management.
● If none of the preceding rectifies the fault, go to Step 3.
Step 3 Check whether the PVID values on the connected Ethernet interface between
switches are the same.
Run the display port vlan interface-type interface-number command on Switch_1
and Switch_2 to check the PVID values.
● If the PVID values are different, change them to be the same.
● If the PVID values are the same, go to Step 4.
Step 4 Collect logs and alarms and contact technical support personnel.
----End
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 268
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
4.11 FAQ About VLANs
4.11.1 How Do I Rapidly Query the Link Types and Default
VLANs of All Interfaces?
Run the display port vlan command to check the link types and default VLANs of
all interfaces. For example:
● V200R005 and later versions
<HUAWEI> display port vlan
Port Link Type PVID Trunk VLAN List
-------------------------------------------------------------------------------
Eth-Trunk2 auto 1 1-4094
Eth-Trunk3 hybrid 1 -
Eth-Trunk5 auto 1 1-4094
Ethernet0/0/1 auto 1 1-4094
Ethernet0/0/2 auto 1 1-4094
Ethernet0/0/3 auto 1 1-4094
Ethernet0/0/4 auto 1 1-4094
Ethernet0/0/5 auto 1 1-4094
Ethernet0/0/6 auto 0 -
Ethernet0/0/7 auto 1 1-4094
Ethernet0/0/8 auto 0 -
Ethernet0/0/9 auto 0 -
Ethernet0/0/10 auto 1 1-4094
Ethernet0/0/11 auto 1 1-4094
Ethernet0/0/12 auto 0 -
Ethernet0/0/13 auto 1 1-4094
Ethernet0/0/14 auto 1 1-4094
Ethernet0/0/15 auto 1 1-4094
Ethernet0/0/16 auto 1 1-4094
Ethernet0/0/17 auto 1 1-4094
Ethernet0/0/18 auto 1 1-4094
Ethernet0/0/19 auto 1 1-4094
Ethernet0/0/20 auto 1 1-4094
Ethernet0/0/21 access 20 -
Ethernet0/0/22 auto 1 1-4094
Ethernet0/0/23 auto 1 1-4094
Ethernet0/0/24 access 4094 -
GigabitEthernet0/0/1 auto 0 -
GigabitEthernet0/0/2 auto 1 1-4094
GigabitEthernet0/0/3 auto 1 1-4094
GigabitEthernet0/0/4 auto 1 1-4094
● Versions earlier than V200R005
<HUAWEI> display port vlan
Port Link Type PVID Trunk VLAN List
-------------------------------------------------------------------------------
GigabitEthernet0/0/1 trunk 1 1
GigabitEthernet0/0/2 hybrid 1 -
GigabitEthernet0/0/3 hybrid 1 -
GigabitEthernet0/0/4 hybrid 1 -
GigabitEthernet0/0/5 access 10 -
GigabitEthernet0/0/6 hybrid 1 -
GigabitEthernet0/0/7 hybrid 1 -
GigabitEthernet0/0/8 hybrid 1 -
GigabitEthernet0/0/9 hybrid 1 -
GigabitEthernet0/0/10 hybrid 1 -
GigabitEthernet0/0/11 hybrid 1 -
GigabitEthernet0/0/12 hybrid 1 -
GigabitEthernet0/0/13 hybrid 1 -
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 269
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
GigabitEthernet0/0/15 hybrid 1 -
GigabitEthernet0/0/16 hybrid 1 -
GigabitEthernet0/0/17 hybrid 1 -
GigabitEthernet0/0/18 hybrid 1 -
GigabitEthernet0/0/19 hybrid 1 -
GigabitEthernet0/0/20 hybrid 1 -
GigabitEthernet0/0/21 hybrid 1 -
GigabitEthernet0/0/22 hybrid 1 -
GigabitEthernet0/0/23 hybrid 1 -
GigabitEthernet0/0/24 hybrid 1 -
The Link Type field indicates the link type of an interface, the PVID field indicates
the default VLAN, and the Trunk VLAN List field indicates the list of VLANs
allowed by a trunk interface. If the interface did not join any VLAN, the Trunk
VLAN List field is displayed as -. If the link type of an interface is negotiation-
desirable or negotiation-auto, the Trunk VLAN List field is displayed as 1 to
4094.
4.11.2 Can Multiple Network Segments Be Configured in a
VLAN?
Hosts on multiple network segments in the same VLAN can communicate after
the primary and secondary IP addresses for a VLANIF interface are configured.
As shown in Figure 4-40, Host_1 and Host_2 in VLAN 10 belong to 10.1.1.1/24
and 10.1.2.1/24 respectively. The two hosts need to communicate.
Figure 4-40 Communication for hosts on multiple network segments in the same
VLAN
Configure the Switch.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type access
[Switch-GigabitEthernet0/0/1] port default vlan 10
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type access
[Switch-GigabitEthernet0/0/2] port default vlan 10
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.1.1.1 24
[Switch-Vlanif10] ip address 10.1.2.1 24 sub
[Switch-Vlanif10] quit
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 270
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
After the preceding configurations are performed, Host_1 and Host_2 can
communicate.
4.11.3 Can the Switch Collect Statistics on Only Traffic
Destined for the VLANIF Interface Enabled with Traffic
Statistics?
Context
When the VLANIF interface is enabled with traffic statistics, the switch counts
Layer 3 traffic in the VLAN corresponding to the VLANIF interface. That is,
statistics on all traffic passing the VLANIF interface are collected.
4.11.4 How Do I Change the Link Type of an Interface?
The link type of an interface can be access, trunk, hybrid, or Dot1q-tunnel. The
methods used to change the link type of an interface in different versions are
different.
● In V200R005 and later versions, run the port link-type { access | trunk |
hybrid | dot1q-tunnel } command and enter y or n as prompted. When the
interface uses the default VLAN configuration, the system does not display
any message. The link type of the interface is changed directly.
– When you enter y and press Enter, the device automatically deletes the
non-default VLAN configuration of the interface and set the link type of
the interface to the specified one.
– When you enter n and press Enter, the device retains the current link
type and VLAN configuration of the interface.
Change the link type of the interface to hybrid.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] port link-type hybrid
Warning: This command will delete VLANs on this port. Continue?[Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment...done.
● In earlier versions of V200R005, an interface joins VLAN 1 by default, and the
PVID of an interface is VLAN 1. You can run the port link-type { access |
trunk | hybrid | dot1q-tunnel } command to change the link type of the
interface.
– Change the link type of the interface to access.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] port link-type access
[HUAWEI-GigabitEthernet0/0/1] port default vlan 10 //Set the PVID of the interface to VLAN
10.
– Change the link type of the interface to trunk.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] port link-type trunk
[HUAWEI-GigabitEthernet0/0/1] port trunk pvid vlan 10 //Set the PVID of the interface to
VLAN 10.
[HUAWEI-GigabitEthernet0/0/1] port trunk allow-pass vlan 2 10 20 //Add the interface to
VLAN 2, VLAN 10, and VLAN 20.
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 271
S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 4 VLAN Configuration
– Change the link type of the interface to hybrid.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] port link-type hybrid
[HUAWEI-GigabitEthernet0/0/1] port hybrid pvid vlan 10 //Set the PVID of the interface to
VLAN 10.
[HUAWEI-GigabitEthernet0/0/1] port hybrid untagged vlan 2 10 //Add the interface to VLAN
2 and VLAN 10 in untagged mode.
[HUAWEI-GigabitEthernet0/0/1] port hybrid tagged vlan 20 //Add the interface to VLAN 20
in tagged mode.
– Change the link type of the interface to Dot1q-tunnel.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] port link-type dot1q-tunnel
[HUAWEI-GigabitEthernet0/0/1] port default vlan 10 //Set the PVID of the interface to VLAN
10. The interface adds VLAN 10 to all received data packets.
When you change the link type of an interface that does not use the default
VLAN configuration, the system displays the message "Error: Please renew the
default configurations."
You need to restore the default configuration of the interface, and then
change the link type of the interface.
– Restore the default VLAN configuration of an access or Dot1q-tunnel
interface.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo port default vlan
– Restore the default VLAN configuration of a trunk interface.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo port trunk pvid vlan
[HUAWEI-GigabitEthernet0/0/1] undo port trunk allow-pass vlan all
[HUAWEI-GigabitEthernet0/0/1] port trunk allow-pass vlan 1
– Restore the default configuration of a hybrid interface.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo port hybrid pvid vlan
[HUAWEI-GigabitEthernet0/0/1] undo port hybrid vlan all
[HUAWEI-GigabitEthernet0/0/1] port hybrid untagged vlan 1
