Configuring VLANs on a Huawei Router

Virtual local area networks (VLANs) have advantages of broadcast domain isolation, security improvement, flexible networking, and good extensibility.

  • VLAN Overview
  • Configuration Precautions for VLAN
  • Summary of VLAN Configuration Tasks
  • Configuring a VLAN Based on Ports
    • Creating a VLAN
    • Configuring the Type of a Layer 2 Ethernet Port
    • Adding a Port to a VLAN
    • Verifying the Configuration of a Layer 2 Interface-based VLAN
  • Configuring Layer 3 Communication Between VLANIF Interfaces
    • Creating a VLANIF Interface
    • Assigning an IP Address to a VLANIF Interface
    • (Optional) Setting a Delay After Which a VLANIF Interface Goes Down
    • (Optional) Configuring Bandwidth for a VLANIF Interface
    • Verifying the VLANIF Interface Configuration
  • Configuring Inter-VLAN Communication
    • Configuring Sub-interfaces for Inter-VLAN Communication
    • Configuring VLANIF Interfaces for Inter-VLAN Communication
    • Configuring VLAN Mapping for Inter-VLAN Communication
    • Verifying the Inter-VLAN Communication Configuration
  • Configuring VLAN Security Attributes
    • Disabling a Port from Broadcasting Packets to Other Ports in the Same VLAN
    • Disabling MAC Address Learning in a VLAN
    • Verifying the VLAN Security Attribute Configuration
  • Configuring Intra-VLAN Interface Isolation
    • Configuring Interface Isolation for a Common VLAN
    • Configuring Interface Isolation for an Outside VLAN in VLAN Stacking or VLAN Mapping Scenarios
    • Enabling Intra-VLAN Proxy ARP
    • Verifying the Intra-VLAN Interface Isolation Configuration
  • Maintaining VLAN
    • Clearing the Statistics of VLAN Packets
    • Monitoring the VLAN Operating Status
  • Configuration Examples for VLANs
    • Example for Dividing a LAN into VLANs Based on Ports
    • Example for Configuring Users in a VLAN to Communicate by Using a Trunk Link
    • Example for Configuring Inter-VLAN Communication by Using Sub-interfaces
    • Example for Configuring VLAN and Non-VLAN Users to Communicate by Using Sub-interfaces
    • Example for Configuring Inter-VLAN Communication by Using VLANIF Interfaces
    • Example for Configuring 1 to 1 VLAN Mapping for Inter-VLAN Communication
    • Example for Configuring Communication Between VLANs Through VLAN Aggregation

VLAN Overview

The VLAN technology is important for Layer 2 network forwarding. This section describes the background, functions, and advantages of the VLAN technology.

Introduction

The traditional LAN technology based on the bus structure has the following defects:

  • Conflicts are inevitable if multiple nodes send messages simultaneously.

  • Messages are broadcast to all nodes.

  • Networks have security risks as all the hosts in a LAN share the same transmission channel.

The network constructs a collision domain. More computers on the network cause more conflicts and lower network efficiency. The network is also a broadcast domain. When many computers on the network send data, broadcast traffic consumes much bandwidth.

Traditional networks face collision domain and broadcast domain issues, and cannot ensure information security.

To reduce broadcast traffic, broadcasts must be confined to the hosts that need to communicate with each other, and hosts that do not need the broadcasts must be isolated. An NE can select routes based on IP addresses and effectively suppress broadcast traffic between two connected network segments. The NE solution, however, is costly. Therefore, multiple logical LANs, namely VLANs, are developed on the physical LAN.

In this manner, a physical LAN is divided into multiple broadcast domains, that is, multiple VLANs. Intra-VLAN communication is not restricted, while inter-VLAN communication is restricted. As a result, network security is enhanced.

Definition

The virtual local area network (VLAN) technology logically divides a physical LAN into multiple VLANs that are broadcast domains. Each VLAN contains a group of PCs that have the same requirements. A VLAN has the same attributes as a LAN. PCs of a VLAN can be placed on different LAN segments. Hosts in the same VLAN can communicate with each other, whereas hosts in different VLANs cannot. If two PCs are located on one LAN segment but belong to different VLANs, they do not broadcast packets to each other. In this manner, network security is enhanced.

Figure 1 is a networking diagram of a typical VLAN application. Device A, Device B, and Device C are placed at different locations, such as different floors in an office building. Each switch connects to three computers which belong to three different VLANs. In Figure 1, each dashed line frame identifies a VLAN. Packets of enterprise customers in the same VLAN are broadcast within the VLAN but not among VLANs. In this way, enterprise customers in the same VLAN can share resources as well as protect their information security.

Figure 1-360 Typical VLAN application

This application shows the following VLAN advantages:

  • Broadcast domains are confined. A broadcast domain is confined to a VLAN. This saves bandwidth and improves network processing capabilities.
  • Network security is enhanced. Packets from different VLANs are separately transmitted. PCs in one VLAN cannot directly communicate with PCs in another VLAN.
  • Network robustness is improved. A fault in a VLAN does not affect PCs in other VLANs.
  • Virtual groups are set up flexibly. With the VLAN technology, PCs in different geographical areas can be grouped together. This facilitates network construction and maintenance.

Basic VLAN Concepts and Principles

  • 802.1q and VLAN frame format

    A conventional Ethernet frame is encapsulated with the Length/Type field for an upper-layer protocol following the Destination address and Source address fields, as shown in Figure 1-361.

    Figure 1-361 Conventional Ethernet frame format

    IEEE 802.1Q defines a VLAN frame by adding a 4-byte 802.1Q tag between the source MAC address field and the Length/Type field in an Ethernet frame, as shown in Figure 1.

    Figure 1-362 VLAN frame format defined in IEEE 802.1Q

    An 802.1Q tag contains four fields:

    • EType

      The 2-byte Type field indicates a frame type. If the value of the field is 0x8100, it indicates an 802.1Q frame. If a device that does not support 802.1Q frames receives an 802.1Q frame, it discards the frame.

    • PRI

      The 3-bit Priority field indicates the frame priority. A greater PRI value indicates a higher frame priority. If a switch is congested, it preferentially sends frames with a higher priority.

    • CFI

      The 1-bit Canonical Format Indicator (CFI) field indicates whether a MAC address is in the canonical format. If the CFI field value is 0, the MAC address is in canonical format. If the CFI field value is 1, the MAC address is not in canonical format. This field is mainly used to differentiate among Ethernet frames, Fiber Distributed Data Interface (FDDI) frames, and token ring frames. The CFI field value in an Ethernet frame is 0.

    • VID

      The 12-bit VLAN ID (VID) field indicates to which VLAN a frame belongs. The field can hold values from 0 to 4095. The values 0 and 4095 are reserved, and therefore usable VLAN IDs range from 1 to 4094.

      Each frame sent by an 802.1q-capable switch carries a VLAN ID. On a VLAN, Ethernet frames are classified into the following types:

      • Tagged frames: frames with 4-byte 802.1q tags.
      • Untagged frames: frames without 4-byte 802.1q tags.
  • Port-based VLAN classification

    In this mode, VLANs are classified based on the numbers of ports on a switching device. The network administrator configures a port default VLAN ID (PVID) for each port on the switch. When a data frame that carries no VLAN tag reaches a port configured with a PVID, the frame is marked with the PVID. If the data frame already carries a VLAN tag, the switching device does not add another VLAN tag to it even if the port is configured with a PVID. Different types of ports process VLAN frames in different manners.

  • Type of VLAN links

    Figure 1-363 VLAN links

    As shown in Figure 1-363, there are the following types of VLAN links:

    • Access link: a link connecting a host and a switch. Generally, a PC does not know which VLAN it belongs to, and PC hardware cannot distinguish frames with VLAN tags. Therefore, PCs send and receive only untagged frames.

    • Trunk link: a link connecting switches. Data of different VLANs is transmitted along a trunk link. The two ends of a trunk link must be able to distinguish frames with VLAN tags. Therefore, only tagged frames are transmitted along trunk links.

  • Port types

    Table 1-180 lists VLAN port types.

    Table 1-180 Port types

    Access port

    • Method for processing a received untagged frame: Accepts the frame and adds a tag with the default VLAN ID to the frame.
    • Method for processing a received tagged frame: Discards the frame.
    • Method for sending a frame: Removes the tag from the frame and sends the frame.
    • Application: An access port connects a switch to a PC and can be added to only one VLAN.

    Trunk port

    • Method for processing a received untagged frame: Discards the frame.
    • Method for processing a received tagged frame:
      • Accepts the frame if the port permits the VLAN ID carried in the frame.
      • Discards the frame if the port denies the VLAN ID carried in the frame.
    • Method for sending a frame:
      • Directly sends the frame if the port permits the VLAN ID carried in the frame.
      • Discards the frame if the port denies the VLAN ID carried in the frame.
    • Application: A trunk port can be added to multiple VLANs to send and receive frames for these VLANs. A trunk port connects a switch to another switch or to a router.

    Hybrid port

    • Method for processing a received untagged frame:
      • If only the port default vlan command is run on a hybrid port, the hybrid port receives the frame and adds the default VLAN tag to the frame.
      • If only the port trunk allow-pass command is run on a hybrid port, the hybrid port discards the frame.
      • If both the port default vlan and port trunk allow-pass commands are run on a hybrid port, the hybrid port receives the frame and adds the VLAN tag with the default VLAN ID specified in the port default vlan command to the frame.
    • Method for processing a received tagged frame:
      • If only the port default vlan command is run on a hybrid port:
        • The hybrid port accepts the frame if the frame’s VLAN ID is the same as the default VLAN ID of the port.
        • The hybrid port discards the frame if the frame’s VLAN ID is different from the default VLAN ID of the port.
      • If only the port trunk allow-pass command is run on a hybrid port:
        • The hybrid port accepts the frame if the frame’s VLAN ID is in the permitted range of VLAN IDs.
        • The hybrid port discards the frame if the frame’s VLAN ID is not in the permitted range of VLAN IDs.
      • If both the port default vlan and port trunk allow-pass commands are run on a hybrid port:
        • The hybrid port accepts the frame if the frame’s VLAN ID is in the permitted range of VLAN IDs or is the same as the default VLAN ID specified in the port default vlan command.
        • The hybrid port discards the frame if the frame’s VLAN ID is not in the permitted range of VLAN IDs or is different from the default VLAN ID specified in the port default vlan command.
    • Method for sending a frame:
      • If only the port default vlan command is run on a hybrid port and the frame’s VLAN ID is the same as the default VLAN ID, the hybrid port removes the VLAN tag and forwards the frame; otherwise, the hybrid port discards the frame.
      • If only the port trunk allow-pass command is run on a hybrid port:
        • The hybrid port forwards the frame if the frame’s VLAN ID is in the permitted range of VLAN IDs.
        • The hybrid port discards the frame if the frame’s VLAN ID is not in the permitted range of VLAN IDs.
      • If both the port default vlan and port trunk allow-pass commands are run on a hybrid port:
        • The hybrid port removes the VLAN tag and forwards the frame if the frame’s VLAN ID is the same as the default VLAN ID of the port.
        • The hybrid port forwards the frame if the frame’s VLAN ID is different from the default VLAN ID of the port but in the permitted range of VLAN IDs specified in the port trunk allow-pass command; otherwise, the hybrid port discards the frame.

        NOTE:

        The hybrid port removes the VLAN tag and forwards the frame if the frame’s VLAN ID is the same as the default VLAN ID configured using the port default vlan command and the default VLAN ID is in the permitted range of VLAN IDs specified in the port trunk allow-pass command.
    • Application: A hybrid port can be added to multiple VLANs to send and receive frames for these VLANs. A hybrid port can connect a switch to a PC or connect a network device to another network device.

    QinQ port

    QinQ ports are enabled with the IEEE 802.1QinQ protocol. A QinQ port adds a tag to a single-tagged frame, and thus the number of VLANs can meet the requirement of a Metropolitan Area Network.

  • Principle for data switching in a VLAN

    Use the network shown in Figure 1-363 as an example. If PC1 in VLAN 2 intends to send data to PC2, the data is forwarded as follows:

    1. An access port on CE1 receives an untagged frame from PC1 and adds a PVID (VLAN 2) to the frame. CE1 searches the MAC address table for an outbound port. Then the frame is transmitted from the outbound port.

    2. After the trunk port on PE receives the frame, the port checks whether the VLAN ID carried in the frame is the same as that configured on the port. If the VLAN ID has been configured on the port, the port transparently transmits the frame to CE2. If the VLAN ID is not configured on the port, the port discards the frame.

    3. After a trunk port on CE2 receives the frame, the system searches the MAC address table for an outbound port, which is the access port connecting CE2 to PC2.

    4. After the frame is sent to the access port connecting CE2 to PC2, the port checks that the VLAN ID carried in the frame is the same as that configured on the port. The port then removes the tag from the frame and sends the untagged frame to PC2.

  • VLANIF interface

    A VLANIF interface is a Layer 3 logical interface, which can be configured on either a Layer 3 switch or a router.

    Layer 3 switching combines both routing and switching techniques to implement routing on a switch, improving the overall performance of the network. After sending the first data flow based on a routing table, a Layer 3 switch generates a mapping table, in which the mapping between the MAC address and the IP address of this data flow is recorded. If the switch needs to send the same data flow again, it sends the data flow directly at Layer 2 rather than at Layer 3, based on the mapping table. In this manner, delays on the network caused by route selection are eliminated, and data forwarding efficiency is improved.

    To allow the first data flow to be correctly forwarded based on the routing table, the routing table must contain correct routing entries. Therefore, a Layer 3 interface and a routing protocol must be configured on the Layer 3 switch. VLANIF interfaces are introduced for this purpose.

Key points are summarized as follows:

  • A PC does not need to know the VLAN to which it belongs. It sends
    only untagged frames.
  • After receiving an untagged frame from a PC, a switching device
    determines the VLAN to which the frame belongs. The determination
    is based on the configured VLAN division method such as port information,
    and then the switching device processes the frame accordingly.
  • If the frame needs to be forwarded to another switching device,
    the frame must be transparently transmitted along a trunk link. Frames
    transmitted along trunk links must carry VLAN tags to allow other
    switching devices to properly forward the frame based on the VLAN
    information.
  • Before sending the frame to the destination PC, the switching
    device connected to the destination PC removes the VLAN tag from the
    frame to ensure that the PC receives an untagged frame.

Generally, only tagged frames are transmitted on trunk
links; only untagged frames are transmitted on access links. In this
manner, switching devices on the network can properly process VLAN
information and PCs are not concerned about VLAN information.
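The 802.1Q tag layout and the access, trunk and hybrid port rules described above, worked through as an added Python example (not part of the original guide). The frames are constructed samples, and the names Port, ingress, egress, forward and pc1_to_pc2 are hypothetical; pc1_to_pc2 replays the PC1 to PC2 walk for VLAN 2.

```python
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100  # EType value that identifies an 802.1Q frame


@dataclass(frozen=True)
class Tag:
    pri: int  # 3-bit priority
    cfi: int  # 1-bit canonical format indicator
    vid: int  # 12-bit VLAN ID


@dataclass(frozen=True)
class Port:  # hypothetical model of one Layer 2 port
    link_type: str                    # "access", "trunk" or "hybrid"
    pvid: Optional[int] = None        # value of `port default vlan`
    allowed: frozenset = frozenset()  # VLANs in `port trunk allow-pass vlan`


def build_frame(vid=None, pri=0, payload=b"\x00" * 46):
    """Constructed sample frame: broadcast destination, made-up source MAC."""
    macs = bytes.fromhex("ffffffffffff" "020000000001")
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, (pri << 13) | vid)
    return macs + tag + struct.pack("!H", 0x0800) + payload


def parse_tag(frame: bytes) -> Optional[Tag]:
    """Return the 802.1Q tag that follows the source MAC, or None if untagged."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    if struct.unpack_from("!H", frame, 12)[0] != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci = struct.unpack_from("!H", frame, 14)[0]
    return Tag(pri=tci >> 13, cfi=(tci >> 12) & 1, vid=tci & 0x0FFF)


def ingress(port: Port, frame: bytes) -> Optional[int]:
    """VLAN a received frame is accepted into, or None if the port discards it."""
    tag = parse_tag(frame)
    if port.link_type == "access":
        return port.pvid if tag is None else None  # tagged frames are discarded
    if port.link_type == "trunk":
        if tag is None:
            return None                            # untagged frames are discarded
        return tag.vid if tag.vid in port.allowed else None
    # hybrid: untagged frames need a default VLAN, tagged frames need a match
    if tag is None:
        return port.pvid
    return tag.vid if tag.vid == port.pvid or tag.vid in port.allowed else None


def egress(port: Port, vlan: int) -> Optional[str]:
    """How a frame of `vlan` leaves the port: "untagged", "tagged" or None."""
    if port.link_type == "trunk":
        return "tagged" if vlan in port.allowed else None
    if vlan == port.pvid:          # access and hybrid strip the default VLAN tag
        return "untagged"
    if port.link_type == "hybrid" and vlan in port.allowed:
        return "tagged"
    return None


def forward(in_port: Port, out_port: Port, frame: bytes) -> Optional[bytes]:
    """One switch hop: classify on ingress, then tag or untag on egress."""
    vlan = ingress(in_port, frame)
    mode = egress(out_port, vlan) if vlan is not None else None
    if mode is None:
        return None
    tag = parse_tag(frame)
    bare = frame[:12] + frame[16 if tag else 12:]  # the frame without any tag
    if mode == "untagged":
        return bare
    tci = ((tag.pri if tag else 0) << 13) | vlan
    return bare[:12] + struct.pack("!HH", TPID_8021Q, tci) + bare[12:]


def pc1_to_pc2(pe_allowed):
    """The PC1 -> CE1 -> PE -> CE2 -> PC2 walk for VLAN 2 from the text."""
    access = Port("access", pvid=2)
    ce_trunk = Port("trunk", allowed=frozenset({2, 3}))
    pe_trunk = Port("trunk", allowed=frozenset(pe_allowed))
    frame = build_frame()                          # untagged frame from PC1
    hops = ((access, ce_trunk), (pe_trunk, pe_trunk), (ce_trunk, access))
    for in_port, out_port in hops:
        frame = forward(in_port, out_port, frame)
        if frame is None:
            return None
    return frame


if __name__ == "__main__":
    print(pc1_to_pc2({2, 3}) == build_frame())  # delivered to PC2 untagged
    print(pc1_to_pc2({3}))                      # PE trunk does not permit VLAN 2
```

The second call shows the trunk permit list acting as the filter: when the PE trunk does not permit VLAN 2, the frame never reaches CE2.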

Configuration Precautions for VLAN

Feature Requirements

Table 1-181 Feature requirements

  • Feature requirement (for the NE05E, 08E series): When the mapping VLAN or stacking VLAN goes Down, protocol packets sent to the outbound interface can be transparently transmitted. As a result, traffic from the remote device may be incorrectly sent to the local device and then discarded.
    • Series: NE05E, 08E
    • Models: NE05E/NE08E

  • Feature requirement (for the NE05E, 08E series): In a VLANIF IP FRR scenario, if the primary outbound interface is a VLANIF interface and fails, FRR cannot rapidly switch traffic to the backup outbound interface. Traffic can be restored only when routes are hard converged to the backup outbound interface. Packet loss occurs during the switchover.
    • Series: NE05E, 08E
    • Models: NE05E/NE08E

  • Feature requirement (for the NE05E, 08E series): VLANs cannot support the Layer 3 function of VLANIF interfaces after the port vlan-mapping and port vlan-stacking commands are configured. Do not configure VLANIF Layer 3 services after the port vlan-mapping and port vlan-stacking commands are configured.
    • Series: NE05E, 08E
    • Models: NE05E/NE08E

Summary of VLAN Configuration Tasks

This section describes the VLAN features supported by the NE to help you understand the process of configuring VLANs.

The VLAN technology helps set up virtual groups to separate broadcast domains and implements both intra-VLAN and inter-VLAN communication.

  1. After VLANs are configured, users in a VLAN can communicate with each other.
  2. In addition to intra-VLAN communication, users in different VLANs need to communicate with each other sometimes.

    Intra-VLAN communication and inter-VLAN communication are basic VLAN functions.

  3. Security configurations are required to ensure reliable VLAN data transmission.

Configuring a VLAN Based on Ports

Configuring a VLAN based on ports allows PCs in the VLAN to communicate with each other.

Applicable Environment

A company has multiple departments located in different buildings. For service security, it is required that employees in one department be able to communicate with each other, whereas employees in different departments be prohibited from communicating with each other. Devices on the network shown in Figure 1-364 are configured as follows:

  • Add ports connecting devices to PCs of the financial department to VLAN 5 and ports connecting devices to PCs of the marketing department to VLAN 9. This configuration prevents employees in financial and marketing departments from communicating with each other.
  • Configure links between CE and PE as trunk links to allow frames from VLAN 5 and VLAN 9 to pass through, allowing employees of the same department but different buildings to communicate with each other.

By configuring port-based VLANs on the PE, CE1, and CE2, employees in the same department can communicate with each other, whereas employees in different departments cannot.

Figure 1-364 Networking diagram for configuring a VLAN based on ports

Pre-configuration Tasks

Before configuring a VLAN based on ports, complete the following task:

  • Connecting ports and configuring physical parameters of the ports, ensuring that the ports are physically Up

Creating a VLAN

Creating a VLAN isolates PCs that do not need to communicate with each other. This improves network security, reduces broadcast traffic, and prevents broadcast storms.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run vlan vlan-id

    A VLAN is created, and the VLAN view is displayed. If the specified VLAN has been created, the VLAN view is directly displayed.

    The VLAN ID ranges from 1 to 4094. If VLANs need to be created in batches, you can run the vlan batch command to create VLANs in batches, and then run the vlan vlan-id command to enter the view of a specified VLAN.

    If a device is configured with multiple VLANs, do as follows to configure a name for each VLAN:

    Run the name vlan-name command in the VLAN view. After a VLAN name is configured, you can run the vlan vlan-name vlan-name command in the system view to enter the corresponding VLAN view.

  3. Run commit

    The configuration is committed.

Configuring the Type of a Layer 2 Ethernet Port

On a Layer 2 switching device, some ports identify frames with VLAN tags, whereas the others do not. Configure port types for Layer 2 Ethernet ports as needed.

Context

Table 1-182 lists Layer 2 Ethernet port types.

Table 1-182 Port types

Access port

  • Method for processing a received untagged frame: Accepts the frame and adds a tag with the default VLAN ID to the frame.
  • Method for processing a received tagged frame: Discards the frame.
  • Method for sending a frame: Removes the tag from the frame and sends the frame.
  • Application: An access port connects a switch to a PC and can be added to only one VLAN.

Trunk port

  • Method for processing a received untagged frame: Discards the frame.
  • Method for processing a received tagged frame:
    • Accepts the frame if the port permits the VLAN ID carried in the frame.
    • Discards the frame if the port denies the VLAN ID carried in the frame.
  • Method for sending a frame:
    • Directly sends the frame if the port permits the VLAN ID carried in the frame.
    • Discards the frame if the port denies the VLAN ID carried in the frame.
  • Application: A trunk port can be added to multiple VLANs to send and receive frames for these VLANs. A trunk port connects a switch to another switch or to a router.

Hybrid port

  • Method for processing a received untagged frame:
    • If only the port default vlan command is run on a hybrid port, the hybrid port receives the frame and adds the default VLAN tag to the frame.
    • If only the port trunk allow-pass command is run on a hybrid port, the hybrid port discards the frame.
    • If both the port default vlan and port trunk allow-pass commands are run on a hybrid port, the hybrid port receives the frame and adds the VLAN tag with the default VLAN ID specified in the port default vlan command to the frame.
  • Method for processing a received tagged frame:
    • If only the port default vlan command is run on a hybrid port:
      • The hybrid port accepts the frame if the frame’s VLAN ID is the same as the default VLAN ID of the port.
      • The hybrid port discards the frame if the frame’s VLAN ID is different from the default VLAN ID of the port.
    • If only the port trunk allow-pass command is run on a hybrid port:
      • The hybrid port accepts the frame if the frame’s VLAN ID is in the permitted range of VLAN IDs.
      • The hybrid port discards the frame if the frame’s VLAN ID is not in the permitted range of VLAN IDs.
    • If both the port default vlan and port trunk allow-pass commands are run on a hybrid port:
      • The hybrid port accepts the frame if the frame’s VLAN ID is in the permitted range of VLAN IDs or is the same as the default VLAN ID specified in the port default vlan command.
      • The hybrid port discards the frame if the frame’s VLAN ID is not in the permitted range of VLAN IDs or is different from the default VLAN ID specified in the port default vlan command.
  • Method for sending a frame:
    • If only the port default vlan command is run on a hybrid port and the frame’s VLAN ID is the same as the default VLAN ID, the hybrid port removes the VLAN tag and forwards the frame; otherwise, the hybrid port discards the frame.
    • If only the port trunk allow-pass command is run on a hybrid port:
      • The hybrid port forwards the frame if the frame’s VLAN ID is in the permitted range of VLAN IDs.
      • The hybrid port discards the frame if the frame’s VLAN ID is not in the permitted range of VLAN IDs.
    • If both the port default vlan and port trunk allow-pass commands are run on a hybrid port:
      • The hybrid port removes the VLAN tag and forwards the frame if the frame’s VLAN ID is the same as the default VLAN ID of the port.
      • The hybrid port forwards the frame if the frame’s VLAN ID is different from the default VLAN ID of the port but in the permitted range of VLAN IDs specified in the port trunk allow-pass command; otherwise, the hybrid port discards the frame.

      NOTE:

      The hybrid port removes the VLAN tag and forwards the frame if the frame’s VLAN ID is the same as the default VLAN ID configured using the port default vlan command and the default VLAN ID is in the permitted range of VLAN IDs specified in the port trunk allow-pass command.
  • Application: A hybrid port can be added to multiple VLANs to send and receive frames for these VLANs. A hybrid port can connect a switch to a PC or connect a network device to another network device.

QinQ port

QinQ ports are enabled with the IEEE 802.1QinQ protocol. A QinQ port adds a tag to a single-tagged frame, and thus the number of VLANs can meet the requirement of a Metropolitan Area Network.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number

    The view of a Layer 3 Ethernet interface to be added to a VLAN is displayed.

  3. Run portswitch

    The Layer 3 interface is switched to the Layer 2 mode.

    • If an interface is borrowing the IP address of an Ethernet, a GE, or an Eth-Trunk, the portswitch command cannot be run on the Ethernet, GE, or Eth-Trunk.
    • If the Ethernet, GE, or Eth-Trunk has any Layer 3 configuration, the portswitch command cannot be run on the interface. Before running the portswitch command on the interface, clear all Layer 3 configurations on the interface.

    If many Layer 3 Ethernet interfaces need to be added to the VLAN, run the portswitch batch interface-type { interface-number1 [ to interface-number2 ] } &<1-10> command in the system view to switch the working mode of these Ethernet interfaces in batches.

  4. Run port link-type { access | dot1q-tunnel | hybrid | trunk }

    The port type is configured.

    If you have specified a Dot1q-tunnel interface, run the port dot1q-tunnel discard untag-frame command to enable this Dot1q-tunnel interface to discard incoming untagged packets to ensure network security.

  5. Run commit

    The configuration is committed.

Adding a Port to a VLAN

Adding a port to a VLAN associates the port with the VLAN.

Context

  • A port connecting a switch to a PC must be configured as an access or a hybrid port.

    The port trunk allow-pass vlan command is invalid on access ports.

  • A port connecting one switch to another must be configured as a trunk or hybrid port.

    The port default vlan command cannot be used on trunk ports.

Procedure

  • For access ports or QinQ ports:
    1. Run the port default vlan vlan-id command to add a port to a specified VLAN.

      To add ports to a VLAN in batches, run the port porttype { portbegin [ to iportend ] } &<1-10> command in the VLAN view.

      The input port format must be correct. The port number following to must be greater than the port number before to. If a group of ports are specified, ensure that these ports are of the same type and all specified ports exist.

      In one port command, a maximum of 10 groups of ports can be specified by using to.

    2. Run commit

      The configuration is committed.

  • For trunk ports:
    1. Run the port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all } command to add ports to specified VLANs.

    2. Run the commit command to commit the configuration.
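A configuration review for the port rules stated in the two procedures above, as an added Python example (not Huawei's own tooling). It flags port trunk allow-pass vlan on access ports, port default vlan on trunk ports, and Dot1q-tunnel ports without port dot1q-tunnel discard untag-frame. The configuration text and interface names are constructed, and flagging allow-pass vlan all as worth review is an assumption of this example, not a rule from the guide.

```python
import re

# Constructed sample in the style of a saved configuration; the interface
# names and VLAN assignments are made up for this example.
SAMPLE_CONFIG = """\
vlan batch 5 9
#
interface GigabitEthernet0/1/1
 portswitch
 port link-type access
 port default vlan 5
#
interface GigabitEthernet0/1/2
 portswitch
 port link-type trunk
 port trunk allow-pass vlan all
#
interface GigabitEthernet0/1/3
 portswitch
 port link-type dot1q-tunnel
 port default vlan 9
#
interface GigabitEthernet0/1/4
 portswitch
 port link-type trunk
 port trunk allow-pass vlan 5 9
#
interface GigabitEthernet0/1/5
 portswitch
 port link-type access
 port trunk allow-pass vlan 9
"""


def parse_interfaces(text):
    """Map each interface name to the list of commands in its stanza."""
    ports, current = {}, None
    for line in text.splitlines():
        match = re.match(r"interface (\S+)", line)
        if match:
            current = ports.setdefault(match.group(1), [])
        elif not line.startswith(" "):
            current = None            # "#" separator or a system-view command
        elif current is not None:
            current.append(line.strip())
    return ports


def audit(text):
    """Return (interface, finding) pairs in configuration order."""
    findings = []
    for name, lines in parse_interfaces(text).items():
        link = next((l.split()[-1] for l in lines
                     if l.startswith("port link-type ")), None)
        allow = [l for l in lines if l.startswith("port trunk allow-pass vlan ")]
        has_pvid = any(l.startswith("port default vlan ") for l in lines)
        if link == "access" and allow:
            # The guide: allow-pass is invalid on access ports.
            findings.append((name, "allow-pass-on-access"))
        if link == "trunk" and has_pvid:
            # The guide: port default vlan cannot be used on trunk ports.
            findings.append((name, "default-vlan-on-trunk"))
        if link == "trunk" and any(l.split()[-1] == "all" for l in allow):
            # Assumption of this example: a trunk that permits every VLAN
            # no longer filters frames by VLAN ID, so it deserves review.
            findings.append((name, "allow-pass-all"))
        if (link == "dot1q-tunnel"
                and "port dot1q-tunnel discard untag-frame" not in lines):
            # The guide: discard incoming untagged packets on these ports.
            findings.append((name, "tunnel-accepts-untagged"))
    return findings


if __name__ == "__main__":
    for interface, finding in audit(SAMPLE_CONFIG):
        print(f"{interface}: {finding}")
```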

Verifying the Configuration of a Layer 2 Interface-based VLAN

After configuring a Layer 2 interface-based VLAN, verify the configuration.

Prerequisites

All functions of a Layer 2 interface-based VLAN have been configured.

Procedure

  • Run the display vlan command to check VLAN information.
  • Run the display port vlan command to check information about all interfaces belonging to the configured VLANs.
  • Run the display port vlan interface-type interface-number active command to check information about interfaces with specified types and numbers within the configured VLANs.

Configuring Layer 3 Communication Between VLANIF Interfaces

VLANIF interfaces are Layer 3 logical interfaces. After creating VLANIF interfaces on Layer 2 devices, you can configure Layer 3 features on these interfaces.

Applicable Environment

A Layer 2 device cannot communicate with a Layer 3 device because no IP address can be configured on the Layer 2 device. To allow a Layer 2 device to communicate with a Layer 3 device, create a VLANIF interface on the Layer 2 device and assign an IP address to the VLANIF interface. The Layer 2 device then can communicate with the Layer 3 device.

Layer 3 switching combines both routing and switching techniques to implement routing on a switch, improving the overall performance of the network. After sending the first data flow based on a routing table, a Layer 3 switch generates a mapping table, in which the mapping between the MAC address and the IP address of this data flow is recorded. If the switch needs to send the same data flow again, it sends the data flow directly at Layer 2 rather than at Layer 3, based on the mapping table. In this manner, delays on the network caused by route selection are eliminated, and data forwarding efficiency is improved.

To allow the first data flow to be correctly forwarded based on the routing table, the routing table must contain correct routing entries. Therefore, a Layer 3 interface and a routing protocol must be configured on the Layer 3 switch. VLANIF interfaces are introduced for this purpose.

Pre-configuration Tasks

Before creating a VLANIF interface, complete the following task:

  • Creating a VLAN

Creating a VLANIF Interface

Before configuring Layer 3 features on a Layer 2 device, you must create a VLANIF interface on the device.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface vlanif vlan-id

    A VLANIF interface is created and the VLANIF interface view is displayed.

    The VLAN ID specified in this command must be the ID of an existing VLAN.

    A VLANIF interface is Up only when at least one physical port added to the corresponding VLAN is Up.

  3. Run commit

    The configuration is committed.

Assigning an IP Address to a VLANIF Interface

As a VLANIF interface is a Layer 3 logical interface, it can communicate with other interfaces at the network layer only after being assigned an IP address.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface vlanif vlan-id

    The VLANIF interface view is displayed.

    The VLAN ID specified in this command must be the ID of an existing VLAN.

  3. Run ip address ip-address { mask | mask-length } [ sub ]

    An IP address is assigned to the VLANIF interface for communication at the network layer.

    If IP addresses assigned to VLANIF interfaces on a Layer 3 device belong to different network segments, a routing protocol must be configured on the Layer 3 switch to provide reachable routes. Otherwise, VLANIF interfaces cannot communicate with each other at the network layer. For configurations of routing protocols, see the NE Configuration Guide — IP Routing.

  4. Run commit

    The configuration is committed.

Follow-up Procedure

To prevent all users in a VLAN from communicating with users in other VLANs through a VLANIF interface while still allowing communication between users within the VLAN, run the shutdown command in the VLANIF interface view.

Both Layer 2 and Layer 3 traffic is transmitted over the VLANIF interface. Running the shutdown command in the VLANIF interface view prohibits only Layer 3 traffic. After running the display interface vlanif command, you can view that traffic statistics still increase on this VLANIF interface.

To prohibit all traffic on the VLANIF interface, run the shutdown vlan command in the VLANIF interface view.

(Optional) Setting a Delay After Which a VLANIF Interface Goes Down

Setting a delay after which a VLANIF interface goes Down prevents network flapping caused by changes of VLANIF interface status. This function is also called VLAN damping.

Context

If a VLAN goes Down because all ports in the VLAN go Down, the system immediately reports the VLAN Down event to the corresponding VLANIF interface, instructing the VLANIF interface to go Down.

To prevent network flapping caused by changes of VLANIF interface status, enable VLAN damping on the VLANIF interface. After the last Up port in a VLAN goes Down, the system starts a delay timer and informs the corresponding VLANIF interface of the VLAN Down event after the timer expires. If a port in the VLAN goes Up during the delay period, the VLANIF interface remains Up.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface vlanif vlan-id

    The VLANIF interface view is displayed.

    The VLAN ID specified in this command must be the ID of an existing VLAN.

  3. Run damping time delay-time

    The delay for VLAN damping is set.

    The delay-time value ranges from 0 to 20, in seconds.

  4. Run commit

    The configuration is committed.
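The damping behaviour described in the Context above can be followed step by step in a small event model. This Python code is an added example, not Huawei code: the class and function names are hypothetical, and the port events are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

MAX_DELAY = 20  # the page gives the delay-time range as 0 to 20 seconds


@dataclass
class VlanifDamping:
    """VLANIF interface state with VLAN damping (hypothetical model)."""
    delay: int = 0                          # 0 reports the Down event at once in this model
    up_ports: set = field(default_factory=set)
    vlanif_up: bool = False
    down_deadline: Optional[float] = None   # when the delayed VLAN Down event fires
    transitions: list = field(default_factory=list)

    def __post_init__(self):
        if not 0 <= self.delay <= MAX_DELAY:
            raise ValueError("delay-time must be 0 to 20 seconds")

    def _set_state(self, when, up):
        if self.vlanif_up != up:
            self.vlanif_up = up
            self.transitions.append((when, "Up" if up else "Down"))

    def tick(self, now):
        """Deliver the pending VLAN Down event if the delay timer has expired."""
        if self.down_deadline is not None and now >= self.down_deadline:
            fired_at, self.down_deadline = self.down_deadline, None
            self._set_state(fired_at, False)

    def port_event(self, now, port, up):
        self.tick(now)                      # expire an older timer first
        if up:
            self.up_ports.add(port)
            self.down_deadline = None       # a port is Up again: cancel the timer
            self._set_state(now, True)
        else:
            self.up_ports.discard(port)
            # Start the timer only when the last Up port in the VLAN goes Down.
            if not self.up_ports and self.vlanif_up and self.down_deadline is None:
                self.down_deadline = now + self.delay
                self.tick(now)


def replay(delay, events, end):
    """Replay (time, port, is_up) events and return the VLANIF state changes."""
    vlanif = VlanifDamping(delay=delay)
    for now, port, up in events:
        vlanif.port_event(now, port, up)
    vlanif.tick(end)
    return vlanif.transitions


# Constructed events: the only port in the VLAN flaps for 3 s, then fails at t=30.
FLAP = [(0, "GE0/1/1", True), (10, "GE0/1/1", False),
        (13, "GE0/1/1", True), (30, "GE0/1/1", False)]

if __name__ == "__main__":
    print("delay 0:", replay(0, FLAP, end=60))
    print("delay 5:", replay(5, FLAP, end=60))
```

With a delay of 5 seconds the 3-second flap never reaches the VLANIF interface, and the real failure at t=30 is reported 5 seconds late.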

(Optional) Configuring Bandwidth for a VLANIF Interface

After configuring bandwidth for VLANIF interfaces, you can use the NMS to query the bandwidth. This facilitates traffic monitoring.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface vlanif vlan-id

    The VLANIF interface view is displayed.

    The VLAN ID specified in this command must be the ID of an existing VLAN.

  3. Run bandwidth bandwidth

    The VLANIF interface is configured with bandwidth.

  4. Run commit

    The configuration is committed.

Verifying the VLANIF Interface Configuration

After the configuration is complete, verify the VLANIF interface configuration, such as whether an IP address is correctly assigned to the VLANIF interface and the status of the VLANIF interface.

Prerequisites

The configurations of a VLANIF interface are complete.

Procedure

  • Run the display interface vlanif [ vlan-id ] command to check the physical status, link protocol status, description, and IP address of the VLANIF interface.

Configuring Inter-VLAN Communication

Configuring inter-VLAN communication allows users in different VLANs to communicate with each other. The inter-VLAN communication configuration involves the configurations of VLAN sub-interfaces or VLANIF interfaces.

Applicable Environment

Currently, the schemes listed in Table 1-183 are provided for inter-VLAN communication. Choose one of them based on your actual networking situation.

Table 1-183 Schemes for inter-VLAN communication

Inter-VLAN Communication Scheme: Sub-interface

  Advantage: After sub-interfaces are configured, users in different VLANs and network segments can communicate with each other as long as routes are reachable.

  Disadvantage:

    • Both Layer 2 and Layer 3 devices are required, which increases expenditure.
    • If multiple users on a network belong to different VLANs, each VLAN requires a sub-interface on a Layer 3 device. Each sub-interface needs to be assigned an IP address. This increases configuration workload and uses up a large number of IP addresses.

  Usage Scenario: This scheme is applicable to small-scale networks on which users belong to different network segments. If Layer 3 forwarding of packets is mainly required, use sub-interfaces.

Inter-VLAN Communication Scheme: VLANIF interface

  Advantage: After sub-interfaces are configured, users in different VLANs and network segments can communicate with each other as long as routes are reachable. Inter-VLAN communication can also be implemented by Layer 3 switches if routes are reachable. This scheme boasts of low operating costs.

  Disadvantage: If multiple users on a network belong to different VLANs, each VLAN requires a VLANIF interface. Each VLANIF interface needs to be assigned an IP address. This increases configuration workload and uses a lot of IP addresses.

  Usage Scenario: This scheme is applicable to small-scale networks on which users belong to different network segments and IP addresses of these users are seldom changed. If a large number of VLANs are configured and both Layer 2 and Layer 3 forwarding of packets are required, use VLANIF interfaces.

Inter-VLAN Communication Scheme: VLAN mapping

  Advantage: This scheme is easily configured and does not rely on routes.

  Disadvantage: IP addresses of users in different VLANs must belong to the same network segment.

  Usage Scenario: This scheme is applicable to large-scale networks on which multiple users belong to one network segment.

Pre-configuration Tasks

Before configuring communication between VLANs, complete the following task:

  • Creating VLANs

Configuring Sub-interfaces for Inter-VLAN Communication

If users belong to different VLANs and reside on different network segments, sub-interfaces can be created on a Layer 3 device and assigned IP addresses to allow these users to communicate with each other at the network layer.

Context

During communication at the data link layer on a LAN, source MAC addresses identify where data comes from, and destination MAC addresses guide data to destinations. If the source and destination PCs reside on different network segments, a Layer 2 network is unable to send data from the source to the destination. In this case, data has to be forwarded at the network layer. After the default gateway address of the Layer 2 device is specified as the IP address of the Layer 3 device, the Layer 2 device sends data that needs to be forwarded at the network layer to the Layer 3 device. After receiving a packet, the Layer 3 device searches its routing table according to the destination address in the packet. If the Layer 3 device finds a matching route in the routing table, it forwards the packet directly to another network segment. If the Layer 3 device does not find any matching route, it discards the packet.

On the network shown in Figure 1-365, VLANs 2 to n belong to different network segments. To allow users in VLANs 2 to n to communicate with each other, you can create a sub-interface on the PE for each VLAN and assign an IP address to each sub-interface. After VLANs are configured, the CE is logically divided into n parts. Accordingly, the Layer 3 device must have n logical interfaces corresponding to n VLANs. The detailed implementation process is as follows:

  1. A PC in VLAN 2 checks the destination IP address and finds that the destination PC in VLAN n is on a different network segment.
  2. The PC in VLAN 2 sends an ARP request. After receiving the request, the PE considers itself the destination, translates its MAC address into an IP address, and sends an ARP reply to the PC in VLAN 2.
  3. After receiving data from the PC in VLAN 2, the CE adds a VLAN tag to the data and searches the MAC address table for an outbound port.
  4. The PE receives the frame and sends it to sub-interface 2.
  5. Sub-interface 2 removes the VLAN tag from the frame, searches for an ARP entry based on the IP address in the IP header, and forwards the packet at the network layer.
  6. Sub-interface n receives the packet, re-encapsulates the packet with the VLAN ID n and with the MAC address of the destination PC as the destination MAC address, and sends the frame.
  7. After receiving the frame, the CE searches the MAC address table for the destination MAC address based on the VLAN ID carried in the packet to determine the outbound port.
  8. The PC in VLAN n receives the frame from VLAN 2.

    If a PC in VLAN n sends a packet to a PC in VLAN 2, the process is similar and not described in this document.

Figure 1-365 Networking diagram for configuring sub-interfaces for inter-VLAN communication

On the network shown in Figure 1-365, downstream ports on the CE are separately added to VLAN 2 to VLAN n. The configuration roadmap for communication between these VLANs is as follows:

  1. Create n-1 sub-interfaces on the Ethernet interface connecting the PE to the CE.

  2. Associate each sub-interface with a VLAN.

  3. Assign an IP address to each sub-interface for communication at the network layer.

  4. Configure the port connecting the CE to the PE as a trunk or hybrid port to allow frames with VLAN IDs from 2 to n to pass through.

The default gateway address of each PC in a VLAN must be the IP address of the corresponding sub-interface. Otherwise, inter-VLAN communication fails.

Procedure

  • Do as follows on the PE:
    1. Run system-view

      The system view is displayed.

    2. Run interface { ethernet | gigabitethernet } interface-number.subinterface-number

      An Ethernet sub-interface is created and the view of the Ethernet sub-interface is displayed.

      The Ethernet interface in this step is the interface connecting the PE to the CE.

    3. Run vlan-type dot1q vlan-id

      The sub-interface is associated with a VLAN.

      Sub-interfaces of different interfaces can be associated with the same VLAN; sub-interfaces of one interface cannot be associated with the same VLAN.

    4. Run ip address ip-address { mask | mask-length } [ sub ]

      An IP address is assigned to the sub-interface for communication at the network layer.

    5. Run commit

      The configuration is committed.
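The forwarding decision that the PE makes in the walk-through above, together with the rule that sub-interfaces of one interface cannot share a VLAN and the default-gateway requirement, can be expressed as a short model. This Python code is an added example, not Huawei code: the class, the interface name GE0/1/1 and all IP addresses are hypothetical, and only directly connected routes are modelled.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SubInterface:
    name: str                            # for example "GE0/1/1.2"
    vlan_id: int                         # value given to vlan-type dot1q
    address: ipaddress.IPv4Interface     # value given to ip address


class PE:
    """Layer 3 device with dot1q sub-interfaces (hypothetical model)."""

    def __init__(self):
        self.subifs = {}                 # (parent interface, VLAN ID) -> SubInterface

    def add_subinterface(self, parent, number, vlan_id, cidr):
        # Sub-interfaces of one interface cannot be associated with the same VLAN.
        if (parent, vlan_id) in self.subifs:
            raise ValueError(f"{parent}: VLAN {vlan_id} is already bound to a sub-interface")
        sub = SubInterface(f"{parent}.{number}", vlan_id, ipaddress.ip_interface(cidr))
        self.subifs[(parent, vlan_id)] = sub
        return sub

    def route(self, dst_ip):
        """Longest-prefix match over the connected networks of all sub-interfaces."""
        dst = ipaddress.ip_address(dst_ip)
        matches = [s for s in self.subifs.values() if dst in s.address.network]
        return max(matches, key=lambda s: s.address.network.prefixlen, default=None)

    def forward(self, parent, vlan_id, dst_ip):
        """Return (egress sub-interface, egress VLAN ID) or ("drop", reason)."""
        ingress = self.subifs.get((parent, vlan_id))
        if ingress is None:
            return ("drop", "no sub-interface for this VLAN tag")
        # The ingress sub-interface removes the tag; the lookup uses the IP header.
        egress = self.route(dst_ip)
        if egress is None:
            return ("drop", "no matching route")
        # The egress sub-interface re-encapsulates the packet with its own VLAN ID.
        return (egress.name, egress.vlan_id)

    def gateway_ok(self, host_ip, gateway_ip):
        """A PC's default gateway must be the IP address of its VLAN's sub-interface."""
        host = ipaddress.ip_address(host_ip)
        gateway = ipaddress.ip_address(gateway_ip)
        return any(host in s.address.network and s.address.ip == gateway
                   for s in self.subifs.values())


def build_pe():
    """Constructed topology: VLAN 2 and VLAN 3 behind one Ethernet interface."""
    pe = PE()
    pe.add_subinterface("GE0/1/1", 2, vlan_id=2, cidr="10.1.2.1/24")
    pe.add_subinterface("GE0/1/1", 3, vlan_id=3, cidr="10.1.3.1/24")
    return pe


if __name__ == "__main__":
    pe = build_pe()
    print(pe.forward("GE0/1/1", 2, "10.1.3.10"))   # VLAN 2 -> VLAN 3
    print(pe.forward("GE0/1/1", 4, "10.1.3.10"))   # tag without a sub-interface
    print(pe.gateway_ok("10.1.2.10", "10.1.3.1"))  # wrong gateway on the PC
```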

Configuring VLANIF Interfaces for Inter-VLAN Communication

Configuring VLANIF interfaces for inter-VLAN communication saves expenditure and helps implement fast forwarding.

Context

VLANIF interfaces are Layer 3 logical interfaces. After being assigned IP addresses, VLANIF interfaces are able to communicate at the network layer. Layer 3 switches and routers can be configured with VLANIF interfaces.

To implement inter-VLAN communication by using VLANIF interfaces, you need to configure a VLANIF interface for each VLAN and assign an IP address to each VLANIF interface. The communication process by using VLANIF interfaces is similar to that by using sub-interfaces.

Figure 1-366 Networking diagram for configuring VLANIF interfaces for inter-VLAN communication

The default gateway address of each PC in a VLAN must be the IP address of the corresponding VLANIF interface. Otherwise, inter-VLAN communication will fail.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface vlanif vlan-id

    A VLANIF interface is created and the VLANIF interface view is displayed.

    The VLAN ID specified in this command must be the ID of an existing VLAN.

    A VLANIF interface is Up only when at least one physical port added to the corresponding VLAN is Up.

  3. Run ip address ip-address { mask | mask-length } [ sub ]

    An IP address is assigned to the VLANIF interface.

    VLANIF interfaces must belong to different network segments.

  4. Run commit

    The configuration is committed.

Configuring VLAN Mapping for Inter-VLAN Communication

The configuration of VLAN mapping is simple and independent of Layer 3 routing.

Context

VLAN mapping is also called VLAN translation. With VLAN mapping, a switch maps the VLAN tag of a frame to another VLAN tag after receiving the frame and before sending the frame. On the network shown in Figure 1-367, ports connecting CE 1 to users are added to VLAN 2 and ports connecting CE 2 to users are added to VLAN 3. To allow users in VLAN 2 and VLAN 3 to communicate with each other, configure VLAN mapping on interface1 connecting CE 1 to CE 2.

  • Before sending a frame to VLAN 3, interface1 on CE 1 replaces the VLAN ID 2 in the frame with the VLAN ID 3.

  • After receiving a frame from VLAN 3, interface1 on CE 1 replaces the VLAN ID 3 in the frame with the VLAN ID 2.

Figure 1-367 Networking diagram for configuring VLAN mapping for inter-VLAN communication

Before you configure VLAN mapping to allow PCs in two VLANs to communicate, ensure that the IP addresses of the PCs belong to the same network segment. Otherwise, the devices in the different VLANs must communicate with each other at the network layer, and VLAN mapping serves no purpose.

Currently, the NE supports the following mapping modes:

  • 1 to 1 VLAN mapping

    After receiving a single-tagged frame, the device replaces the tag with a specified tag.

    1 to 1 VLAN mapping is applicable to the networking environment shown in Figure 1-368.

    Figure 1-368 Networking diagram for 1 to 1 VLAN mapping

    On the network shown in Figure 1-368, different types of services (Internet, IPTV, and VoIP) of each household are transmitted in separate VLANs. To differentiate between households, you need to configure 1 to 1 VLAN mapping on each corridor switch to transmit the same type of services for different households in separate VLANs. In this case, the aggregate switch must provide a large number of VLAN IDs to separate services of different households. As the number of available VLAN IDs on the aggregate switch is limited, you need to implement VLAN aggregation to transmit the same type of services for different households in one VLAN.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Add ports connecting CE 1 and CE 2 to users to separate VLANs.
  3. Configure the Layer 2 port type.
    1. Run the interface interface-type interface-number command to enter the view of an Ethernet port to be configured with VLAN mapping.

    2. Run the port link-type trunk command to configure the Layer 2 Ethernet port as a trunk port.

  4. Run port vlan-mapping vlan vlan-id1 [ to vlan-id2 ] map-vlan vlan-id3

    VLAN mapping is configured to change the outer VLAN tag to vlan-id3.

  5. Run the port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all } command to specify the VLAN IDs. Frames carrying these VLAN IDs can pass through the port configured with VLAN mapping.

    The VLAN IDs specified in this command must be private VLAN IDs, not public VLAN IDs.

  6. Run commit

    The configuration is committed.
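What interface1 on CE 1 does to each frame in the Context above can be shown on real 802.1Q bytes. This Python code is an added example, not Huawei code: the class name, the local_vid and wire_vid parameters and the MAC addresses are hypothetical, and the model covers only the 1 to 1 tag replacement, not the allow-pass list.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that marks an 802.1Q tag


def build_frame(dst, src, vid, payload, pcp=0, ethertype=0x0800):
    """Build a single-tagged Ethernet frame (without FCS)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be in the range 1-4094")
    tci = (pcp << 13) | vid
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_tag(frame):
    """Return (pcp, dei, vid) of the outer 802.1Q tag, or None if there is none."""
    if len(frame) < 18:
        return None
    tpid, tci = struct.unpack_from("!HH", frame, 12)
    if tpid != TPID_8021Q:
        return None
    return tci >> 13, (tci >> 12) & 1, tci & 0x0FFF


def rewrite_vid(frame, new_vid):
    """Replace only the 12-bit VLAN ID; the priority and DEI bits are kept."""
    (tci,) = struct.unpack_from("!H", frame, 14)
    return frame[:14] + struct.pack("!H", (tci & 0xF000) | new_vid) + frame[16:]


class MappedPort:
    """Port with 1 to 1 VLAN mapping, as interface1 on CE 1 (hypothetical model)."""

    def __init__(self, local_vid, wire_vid):
        self.local_vid = local_vid    # VLAN used on this device (VLAN 2 on CE 1)
        self.wire_vid = wire_vid      # VLAN used on the link to the peer (VLAN 3)

    def egress(self, frame):
        """Before sending: replace the local VLAN ID with the mapped one."""
        tag = parse_tag(frame)
        if tag is not None and tag[2] == self.local_vid:
            return rewrite_vid(frame, self.wire_vid)
        return frame

    def ingress(self, frame):
        """After receiving: replace the mapped VLAN ID with the local one."""
        tag = parse_tag(frame)
        if tag is not None and tag[2] == self.wire_vid:
            return rewrite_vid(frame, self.local_vid)
        return frame


# Constructed, locally administered MAC addresses.
DST = bytes.fromhex("020000000003")
SRC = bytes.fromhex("020000000002")

if __name__ == "__main__":
    port = MappedPort(local_vid=2, wire_vid=3)
    sent = port.egress(build_frame(DST, SRC, vid=2, payload=b"hello", pcp=5))
    print(parse_tag(sent))                  # tag as seen on the link
    print(parse_tag(port.ingress(sent)))    # tag after the return direction
```

Because only the tag changes, VLAN 2 on CE 1 and VLAN 3 on CE 2 become one Layer 2 domain, which is why the PCs must share a network segment.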

Verifying the Inter-VLAN Communication Configuration

After inter-VLAN communication is configured, you can check whether users in different VLANs can communicate with each other and check information about VLANs to which users belong.

Prerequisites

The configurations of inter-VLAN communication are complete.

Procedure

  • Run the ping [ ip ] [ -a source-ip-address | -c count | -d | -f | -h ttl-value | -i interface-type interface-number | -m time | -n | -p pattern | -q | -r | -s packetsize | -system-time | -t timeout | -tos tos-value | -v | -vpn-instance vpn-instance-name ] * host command to check whether users in different VLANs can communicate with each other.

    If the ping fails, you can run the following commands to locate the fault:

    • Run the display vlan [ vlan-id [ verbose ] ] command to check information about all VLANs or a specified VLAN.

    • Run the display interface vlanif [ vlan-id ] command to check information about VLANIF interfaces.

      Before running this command, ensure that VLANIF interfaces have been configured.

    Run the display vlan [ vlan-id [ verbose ] ] command to check information about VLANIF interfaces.

Configuring VLAN Security Attributes

Configuring VLAN security attributes ensures reliable transmission of user data. Currently, the NE supports two security attributes. You can configure security attributes as required.

Applicable Environment

Table 1-184 lists VLAN security attribute schemes.

Table 1-184 Security schemes for VLANs

Security Scheme

Description

Advantage

Disadvantage

Usage Scenario

Disabling a port from broadcasting packets to other ports in the same VLAN

If a port in a VLAN receives a broadcast or unknown unicast packet, it will broadcast the packet to other ports in the VLAN. If the broadcast or unknown unicast packet is malicious, system resources are wasted and device performance deteriorates, or the device may even malfunction. Disabling the port from broadcasting packets to other ports in the VLAN prevents malicious attacks.

This security scheme is applicable to topology-stable networks or networks on which MAC addresses are configured and forwarding paths are specified.

Disabling MAC address learning in a VLAN

If a device has only one inbound port and one outbound port, MAC address learning in a VLAN can be disabled.

  • MAC address entries are saved.

  • Security is guaranteed.

This security scheme requires that the network has fixed users and forwarding paths have been established by using dynamic MAC address learning or by manually configuring MAC addresses.

If there are a large number of users connected to a switch, each user needs to be configured with a static forwarding path. This imposes a configuration burden on network administrators.

This security scheme prohibits new users from visiting the network.

This security scheme is applicable to topology-stable networks or networks on which MAC addresses are configured and forwarding paths are specified.

Pre-configuration Tasks

Before configuring VLAN security attributes, complete the following task:

  • Creating VLANs

Disabling a Port from Broadcasting Packets to Other Ports in the Same VLAN

Disabling a port from broadcasting packets to other ports in the same VLAN prevents malicious attacks and improves network security.

Context

If a port in a VLAN receives a broadcast or unknown unicast packet, it will broadcast the packet to other ports in the VLAN. If the broadcast or unknown unicast packet is malicious, system resources are wasted and device performance deteriorates, or the device may even malfunction. Disabling the port from broadcasting packets to other ports in the VLAN prevents malicious attacks.

This security scheme is applicable to topology-stable networks or networks on which MAC addresses are configured and forwarding paths are specified.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run vlan vlan-id

    The VLAN view is displayed.

    If a device is configured with multiple VLANs, do as follows to configure a name for each VLAN:

    Run the name vlan-name command in the VLAN view. After a VLAN name is configured, you can run the vlan vlan-name vlan-name command in the system view to enter the corresponding VLAN view.

  3. Run broadcast discard

    The port is disabled from broadcasting packets to other ports in the same VLAN.

  4. Run commit

    The configuration is committed.

Disabling MAC Address Learning in a VLAN

If a device has only one inbound port and one outbound port, or the network topology is stable, MAC address learning in a VLAN can be disabled.

Context

A company has multiple departments located on different floors of a building. It is required that PCs of one department be grouped into a VLAN and PCs in different departments be grouped into different VLANs.

On the network shown in Figure 1-369, department 1 belongs to VLAN 2; department 2 belongs to VLAN 3; the public sector belongs to VLAN 10. Users in VLANs 2 and 3 can access VLAN 10. Users in the same VLAN (VLAN 2 or VLAN 3) can communicate with each other. Users in VLAN 2 cannot communicate with users in VLAN 3. To reduce the number of MAC address entries saved on the core switching device and prevent visitors from accessing the company’s network, you can disable MAC address learning in a VLAN on CE 1 and CE 5.

Disabling MAC address learning in a VLAN is suitable for a device that has only one inbound port and one outbound port or a network with a stable topology.

Figure 1-369 Networking diagram for disabling MAC address learning in a VLAN

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run vlan vlan-id

    The VLAN view is displayed.

    If a device is configured with multiple VLANs, do as follows to configure a name for each VLAN:

    Run the name vlan-name command in the VLAN view. After a VLAN name is configured, you can run the vlan vlan-name vlan-name command in the system view to enter the corresponding VLAN view.

  3. Run mac-address learning disable

    MAC address learning in a VLAN is disabled.

  4. Run commit

    The configuration is committed.

Verifying the VLAN Security Attribute Configuration

After VLAN security attributes are configured, you can check whether a VLAN is enabled with the broadcast function and the MAC address learning function.

Prerequisites

The configurations of VLAN security attributes are complete.

Procedure

  • Run the display vlan [ vlan-id ] command to check information about all VLANs or a specified VLAN.

Configuring Intra-VLAN Interface Isolation

After you configure selected interfaces in a VLAN as isolated interfaces, these interfaces cannot communicate with each other.

Configuring Interface Isolation for a Common VLAN

This section describes how to configure interface isolation for a common VLAN.

Context

Two methods are available to configure interface isolation for a common VLAN:

  • Enabling interface isolation in the interface view
  • Configuring one or more interfaces as isolated interfaces in the VLAN view

In a VLAN, isolated interfaces cannot communicate with each other at Layer 2, but can do so with non-isolated interfaces.

Procedure

  • Enable interface isolation in the interface view.

    Perform the following steps on the device on which the interfaces to be isolated reside:

    1. Run system-view

      The system view is displayed.

    2. Run interface { ethernet | gigabitethernet | eth-trunk } interface-number

      The interface view is displayed.

    3. Run portswitch

      The interface is configured as a switched interface.

    4. Run port default vlan vlan-id

      The interface is added to a VLAN.

    5. Run port isolate-state enable vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> }

      Interface isolation is enabled.

  • Configure one or more interfaces as isolated interfaces in the VLAN view.

    Perform the following steps on the device on which the interfaces to be isolated reside:

    1. Run system-view

      The system view is displayed.

    2. Run vlan vlan-id

      The VLAN view is displayed.

    3. Run port isolate { { interface-type interface-number } &<1-10> | all }

      The specified interfaces are configured as isolated interfaces.

Configuring Interface Isolation for an Outside VLAN in VLAN Stacking or VLAN Mapping Scenarios

This section describes how to configure interface isolation for an outside VLAN in VLAN stacking or VLAN mapping scenarios.

Context

Perform the following steps on the device on which the interfaces to be isolated reside:

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface { ethernet | gigabitethernet | eth-trunk } interface-number

    The interface view is displayed.

  3. Run portswitch

    The interface is configured as a switched interface.

  4. Run outside-vlan port isolate

    Interface isolation is enabled for the outside VLAN in VLAN stacking or VLAN mapping scenarios.

Enabling Intra-VLAN Proxy ARP

This section describes how to configure proxy ARP for isolated interfaces in a VLAN to communicate.

Context

Perform the following steps on the device on which the isolated interfaces that require communication reside:

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface vlanif vlan-id

    A VLANIF interface is created.

  3. Run ip address ip-address { mask | mask-length } [ sub ]

    An IP address is assigned to the VLANIF interface.

    The IP address of the VLANIF interface must be on the same network segment as the IP addresses of interfaces in the VLAN.

    The IP addresses of different VLANIF interfaces must be on different network segments so that users in different VLANs can communicate with each other.

  4. Run arp-proxy inner-sub-vlan-proxy enable

    Intra-VLAN proxy ARP is enabled.

Verifying the Intra-VLAN Interface Isolation Configuration

After interface isolation is configured for a common VLAN, verify the configuration.

Procedure

  1. Run the display port-isolate command in the VLAN view to check interface isolation information.
  2. Run the display this command in the interface view to check interface isolation information for an outside VLAN in VLAN stacking or VLAN mapping scenarios.

Maintaining VLAN

The command for clearing statistics helps you locate faults in a VLAN.

Clearing the Statistics of VLAN Packets

Before collecting traffic statistics in a specified time period on an interface, you need to reset the original statistics on the interface.

Context

Statistics about VLAN packets cannot be restored after they are cleared. Confirm the action before you run the command.

To clear the statistics of VLAN packets, run the following reset command in the user view:

Procedure

  • Run the reset statistics interface interface-type interface-number vlan vlan-id command to clear the VLAN packet statistics on a specified interface.

Monitoring the VLAN Operating Status

This section describes how to monitor the VLAN operating status.

Context

In routine maintenance, you can run the following command in any view to check the VLAN operating status.

Procedure

  • Run the display vlan vlan-id statistics command to view VLAN packet statistics.

    Before you run this command to view VLAN packet statistics to locate faults, run the statistics enable command in the VLAN view to enable VLAN packet statistics collection. If VLAN packet statistics collection is disabled, you cannot obtain statistics.

  • Run the display vlan vlan-id statistics command to check statistics about discarded BUM packets in a specified VLAN.

    Before you run the display vlan vlan-id statistics command to check statistics about discarded BUM packets in a VLAN for fault locating, run the statistic discard enable command in the VLAN view to enable collection on traffic statistics about discarded BUM packets. If you do not run the statistic discard enable command, the statistics cannot be collected.

  • Run the display statistics interface interface-type interface-number vlan vlan-id command to view statistics about both sent and received packets on a specific interface in a specific VLAN.

    To view packet statistics on a specified interface in a specified VLAN for fault locating, run the statistics enable vlan command in the interface view to enable VLAN-based packet statistics collection on the interface. If the statistics enable vlan command is not executed, statistics cannot be displayed.

  • Run the monitor interface-vlan-statistics interface interface-type interface-number vlan vlan-id [ interval interval-value | times { times-value | infinity } ] command to monitor traffic statistics on an interface of a specified VLAN.

    By default, once the monitor interface-vlan-statistics command is run on an interface, the system displays traffic statistics five times at an interval of 10s. To stop the statistics display, press Ctrl+C.

Configuration Examples for VLANs

This section describes the typical application scenarios of VLANs, including networking requirements, configuration roadmap, and data preparation, and provides related configuration files.

Example for Dividing a LAN into VLANs Based on Ports

It is easy to divide a LAN into VLANs based on ports. After ports are added to different VLANs, users in the same VLAN can directly communicate with each other, whereas users in different VLANs cannot directly communicate with each other.

Networking Requirements

As shown in Figure 1-370, a department has multiple project teams. To improve service security, it is required that employees in the same project team can communicate with each other but employees in different project teams cannot communicate with each other.

Figure 1-370 Networking diagram for dividing a LAN into VLANs based on ports

Interfaces 1 through 4 in this example are GE 0/1/1, GE 0/1/2, GE 0/1/3, GE 0/1/4, respectively.

Configuration Roadmap

The configuration roadmap is as follows:

  1. Create VLANs and determine mappings between employees and VLANs.
  2. Configure port types to determine the device connected to each port.
  3. Add the port connected to group 1 to VLAN 2 and the port connected to group 2 to VLAN 3 to prevent employees in group 1 from communicating with employees in group 2.

Data Preparation

To complete the configuration, you need the following data:

  • Number of each port connecting CE to a PC
  • ID of each VLAN

Procedure

  1. Create VLANs.
    <HUAWEI> system-view
    [~HUAWEI] sysname CE
    [*HUAWEI] commit
    [~CE] vlan batch 2 3
  2. Configure port types.
    [*CE] interface gigabitethernet 0/1/1
    [*CE-GigabitEthernet0/1/1] portswitch
    [*CE-GigabitEthernet0/1/1] undo shutdown
    [*CE-GigabitEthernet0/1/1] port link-type access
    [*CE-GigabitEthernet0/1/1] quit
    [*CE] interface gigabitethernet 0/1/2
    [*CE-GigabitEthernet0/1/2] portswitch
    [*CE-GigabitEthernet0/1/2] undo shutdown
    [*CE-GigabitEthernet0/1/2] port link-type access
    [*CE-GigabitEthernet0/1/2] quit
    [*CE] interface GigabitEthernet 0/1/3
    [*CE-GigabitEthernet0/1/3] portswitch
    [*CE-GigabitEthernet0/1/3] undo shutdown
    [*CE-GigabitEthernet0/1/3] port link-type access
    [*CE-GigabitEthernet0/1/3] quit
    [*CE] interface GigabitEthernet 0/1/4
    [*CE-GigabitEthernet0/1/4] portswitch
    [*CE-GigabitEthernet0/1/4] undo shutdown
    [*CE-GigabitEthernet0/1/4] port link-type access
    [*CE-GigabitEthernet0/1/4] quit
  3. Add ports to VLANs.

    # Add GE 0/1/1 and GE 0/1/2 to VLAN 2.

    [*CE] vlan 2
    [*CE-vlan2] port gigabitethernet 0/1/1 to 0/1/2
    [*CE-vlan2] quit

    # Add GE 0/1/3 and GE 0/1/4 to VLAN 3.

    [*CE] vlan 3
    [*CE-vlan3] port gigabitethernet 0/1/3 to 0/1/4
    [*CE-vlan3] quit
    [*CE] commit
  4. Verify the configuration.

    After the configurations are complete, run the display vlan command to view the VLAN status.

    [~CE] display vlan
    The total number of vlans is : 2                                               
    VID  Type     Status  Property  MAC-LRN STAT    BC  MC  UC  Description         
    --------------------------------------------------------------------------------
       2 common   enable  default   enable  disable FWD FWD FWD VLAN 0002
       3 common   enable  default   enable  disable FWD FWD FWD VLAN 0003

    Ping a PC in group 2 from a PC in group 1. The ping fails. PCs in the same group can ping each other successfully.

Configuration Files

#
 sysname CE
#
 vlan batch 2 3
#
interface GigabitEthernet0/1/1
 portswitch
 undo shutdown
 port link-type access
 port default vlan 2
#
interface GigabitEthernet0/1/2
 portswitch
 undo shutdown
 port link-type access
 port default vlan 2
#
interface GigabitEthernet0/1/3
 portswitch
 undo shutdown
 port link-type access
 port default vlan 3
#
interface GigabitEthernet0/1/4
 portswitch
 undo shutdown
 port link-type access
 port default vlan 3
#
return
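A configuration file like the one above can be checked offline against the intended grouping instead of relying on ping tests alone. This Python code is an added example, not a Huawei tool: it parses only the lines shown in this configuration file plus the port isolate-state enable vlan command from "Configuring Interface Isolation for a Common VLAN", on the assumption that the saved configuration shows that command as it was entered; all function names are hypothetical.

```python
import re
from itertools import combinations

# Reproduces the configuration file above line for line.
PAGE_CONFIG = "#\n sysname CE\n#\n vlan batch 2 3\n" + "".join(
    f"#\ninterface GigabitEthernet0/1/{n}\n portswitch\n undo shutdown\n"
    f" port link-type access\n port default vlan {vid}\n"
    for n, vid in ((1, 2), (2, 2), (3, 3), (4, 3))
) + "#\nreturn\n"

# Intended policy from the networking requirements: one VLAN per project team.
GROUPS = {
    "group 1": ["GigabitEthernet0/1/1", "GigabitEthernet0/1/2"],
    "group 2": ["GigabitEthernet0/1/3", "GigabitEthernet0/1/4"],
}


def expand_vlans(tokens):
    """Expand ['2', 'to', '4', '9'] into {2, 3, 4, 9}."""
    out, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            out.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            out.add(int(tokens[i]))
            i += 1
    return out


def parse_config(text):
    """Collect created VLANs and, per interface, link type, default VLAN, isolation."""
    cfg = {"vlans": set(), "ports": {}}
    port = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("#", "return", ""):
            port = None                       # '#' closes the current section
        elif line.startswith("vlan batch "):
            cfg["vlans"] |= expand_vlans(line.split()[2:])
        elif line.startswith("interface "):
            port = cfg["ports"].setdefault(
                line.split(None, 1)[1],
                {"link_type": None, "pvid": None, "isolated": set()})
        elif port is not None:
            if m := re.fullmatch(r"port link-type (\S+)", line):
                port["link_type"] = m.group(1)
            elif m := re.fullmatch(r"port default vlan (\d+)", line):
                port["pvid"] = int(m.group(1))
            elif line.startswith("port isolate-state enable vlan "):
                port["isolated"] |= expand_vlans(line.split()[4:])
    return cfg


def l2_reachable(cfg, a, b):
    """True if ports a and b share a default VLAN and are not both isolated in it."""
    pa, pb = cfg["ports"][a], cfg["ports"][b]
    if pa["pvid"] is None or pa["pvid"] != pb["pvid"]:
        return False
    return not (pa["pvid"] in pa["isolated"] and pa["pvid"] in pb["isolated"])


def audit(cfg, groups):
    """Return findings where the configuration differs from the intended groups."""
    findings = []
    owner = {p: g for g, ports in groups.items() for p in ports}
    for p in owner:
        port = cfg["ports"].get(p)
        if port is None or port["link_type"] != "access" or port["pvid"] is None:
            findings.append(f"{p}: not an access port with a default VLAN")
        elif port["pvid"] not in cfg["vlans"]:
            findings.append(f"{p}: VLAN {port['pvid']} is not created")
    checked = [p for p in owner if cfg["ports"].get(p, {}).get("pvid") is not None]
    for a, b in combinations(sorted(checked), 2):
        reach = l2_reachable(cfg, a, b)
        if owner[a] != owner[b] and reach:
            findings.append(f"{a} <-> {b}: different groups share VLAN {cfg['ports'][a]['pvid']}")
        elif owner[a] == owner[b] and not reach:
            findings.append(f"{a} <-> {b}: same group but no Layer 2 path")
    return findings


if __name__ == "__main__":
    print(audit(parse_config(PAGE_CONFIG), GROUPS))
    drifted = PAGE_CONFIG.replace("port default vlan 3", "port default vlan 2", 1)
    print(audit(parse_config(drifted), GROUPS))
```

The second call simulates configuration drift (GE 0/1/3 moved into VLAN 2) and reports both the cross-group leak and the broken group 2 path.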

Example for Configuring Users in a VLAN to Communicate by Using a Trunk Link

If employees of a department work in different buildings, devices in the buildings can be connected by using a trunk link to allow the employees to communicate.

Networking Requirements

A company has several departments. Employees of each department reside in different buildings.

On the network shown in Figure 1-371, employees of the financial or marketing department work in different buildings. It is required that employees of the same department can communicate with each other but employees of different departments cannot communicate with each other.

Figure 1-371 Networking diagram for configuring users in a VLAN to communicate by using a trunk link

Interfaces 1 through 5 in this example are GE 0/1/1, GE 0/1/2, GE 0/1/3, GE 0/1/4, GE 0/1/5, respectively.

Configuration Roadmap

The configuration roadmap is as follows:

  1. Add ports connecting CEs to PCs of the financial department to VLAN 5 and ports connecting CEs to PCs of the marketing department to VLAN 9. This configuration prevents employees in financial and marketing departments from communicating with each other.
  2. Configure links between CEs and PE as trunk links to allow frames from VLAN 5 and VLAN 9 to pass through, allowing employees of the same department but different buildings to communicate with each other.

    Only Layer 2 ports are able to identify frames with tags. All interfaces on PE and CEs 1 and 2 must function as Layer 2 ports.

Data Preparation

To complete the configuration, you need the following data:

  • Number of each port connecting a CE to a PC
  • Number of each port connecting a CE to the PE
  • Number of each port connecting the PE to a CE
  • ID of each VLAN

Procedure

  1. Add ports connecting CEs to PCs to specified VLANs.

    # Configure CE 1.

    <HUAWEI> system-view
    [~HUAWEI] sysname CE1
    [*HUAWEI] commit
    [~CE1] vlan batch 5 9
    [*CE1] interface gigabitethernet 0/1/1
    [*CE1-GigabitEthernet0/1/1] portswitch
    [*CE1-GigabitEthernet0/1/1] undo shutdown
    [*CE1-GigabitEthernet0/1/1] port link-type access
    [*CE1-GigabitEthernet0/1/1] port default vlan 5
    [*CE1-GigabitEthernet0/1/1] quit
    [*CE1] interface gigabitethernet 0/1/2
    [*CE1-GigabitEthernet0/1/2] portswitch
    [*CE1-GigabitEthernet0/1/2] undo shutdown
    [*CE1-GigabitEthernet0/1/2] port link-type access
    [*CE1-GigabitEthernet0/1/2] port default vlan 5
    [*CE1-GigabitEthernet0/1/2] quit
    [*CE1] interface gigabitethernet 0/1/3
    [*CE1-GigabitEthernet0/1/3] portswitch
    [*CE1-GigabitEthernet0/1/3] undo shutdown
    [*CE1-GigabitEthernet0/1/3] port link-type access
    [*CE1-GigabitEthernet0/1/3] port default vlan 9
    [*CE1-GigabitEthernet0/1/3] quit
    [*CE1] interface gigabitethernet 0/1/4
    [*CE1-GigabitEthernet0/1/4] portswitch
    [*CE1-GigabitEthernet0/1/4] undo shutdown
    [*CE1-GigabitEthernet0/1/4] port link-type access
    [*CE1-GigabitEthernet0/1/4] port default vlan 9
    [*CE1-GigabitEthernet0/1/4] commit
    [~CE1-GigabitEthernet0/1/4] quit

    # Configure CE 2.

    <HUAWEI> system-view
    [~HUAWEI] sysname CE2
    [*HUAWEI] commit
    [~CE2] vlan batch 5 9
    [*CE2] interface gigabitethernet 0/1/1
    [*CE2-GigabitEthernet0/1/1] portswitch
    [*CE2-GigabitEthernet0/1/1] undo shutdown
    [*CE2-GigabitEthernet0/1/1] port link-type access
    [*CE2-GigabitEthernet0/1/1] port default vlan 5
    [*CE2-GigabitEthernet0/1/1] quit
    [*CE2] interface gigabitethernet 0/1/2
    [*CE2-GigabitEthernet0/1/2] portswitch
    [*CE2-GigabitEthernet0/1/2] undo shutdown
    [*CE2-GigabitEthernet0/1/2] port link-type access
    [*CE2-GigabitEthernet0/1/2] port default vlan 5
    [*CE2-GigabitEthernet0/1/2] quit
    [*CE2] interface gigabitethernet 0/1/3
    [*CE2-GigabitEthernet0/1/3] portswitch
    [*CE2-GigabitEthernet0/1/3] undo shutdown
    [*CE2-GigabitEthernet0/1/3] port link-type access
    [*CE2-GigabitEthernet0/1/3] port default vlan 9
    [*CE2-GigabitEthernet0/1/3] quit
    [*CE2] interface gigabitethernet 0/1/4
    [*CE2-GigabitEthernet0/1/4] portswitch
    [*CE2-GigabitEthernet0/1/4] undo shutdown
    [*CE2-GigabitEthernet0/1/4] port link-type access
    [*CE2-GigabitEthernet0/1/4] port default vlan 9
    [*CE2-GigabitEthernet0/1/4] commit
    [~CE2-GigabitEthernet0/1/4] quit
  2. Configure links between CEs and the PE as trunk links.

    # Configure CE 1.

    [*CE1] interface gigabitethernet 0/1/5
    [*CE1-GigabitEthernet0/1/5] portswitch
    [*CE1-GigabitEthernet0/1/5] undo shutdown
    [*CE1-GigabitEthernet0/1/5] port link-type trunk
    [*CE1-GigabitEthernet0/1/5] port trunk allow-pass vlan 5 9
    [*CE1-GigabitEthernet0/1/5] quit
    [*CE1] commit

    # Configure CE 2.

    [*CE2] interface gigabitethernet 0/1/5
    [*CE2-GigabitEthernet0/1/5] portswitch
    [*CE2-GigabitEthernet0/1/5] undo shutdown
    [*CE2-GigabitEthernet0/1/5] port link-type trunk
    [*CE2-GigabitEthernet0/1/5] port trunk allow-pass vlan 5 9
    [*CE2-GigabitEthernet0/1/5] quit
    [*CE2] commit
  3. Configure PE.
    <HUAWEI> system-view
    [~HUAWEI] sysname PE
    [*HUAWEI] commit
    [~PE] vlan batch 5 9
    [*PE] interface gigabitethernet 0/1/1
    [*PE-GigabitEthernet0/1/1] portswitch
    [*PE-GigabitEthernet0/1/1] undo shutdown
    [*PE-GigabitEthernet0/1/1] port link-type trunk
    [*PE-GigabitEthernet0/1/1] port trunk allow-pass vlan 5 9
    [*PE-GigabitEthernet0/1/1] quit
    [*PE] interface gigabitethernet 0/1/2
    [*PE-GigabitEthernet0/1/2] portswitch
    [*PE-GigabitEthernet0/1/2] undo shutdown
    [*PE-GigabitEthernet0/1/2] port link-type trunk
    [*PE-GigabitEthernet0/1/2] port trunk allow-pass vlan 5 9
    [*PE-GigabitEthernet0/1/2] quit
    [*PE] commit
  4. Verify the configuration.

    After the configurations are complete, run the display vlan command to view VLAN status. In the following example, the display on CE1 is used:

    [~CE1] display vlan 5
    --------------------------------------------------------------------------------
    U: Up;         D: Down;         TG: Tagged;         UT: Untagged;
    MP: Vlan-mapping;               ST: Vlan-stacking;
    #: ProtocolTransparent-vlan;    *: Management-vlan;
    --------------------------------------------------------------------------------
    
    VID  Type    Ports
    --------------------------------------------------------------------------------
    5    common  UT:0/1/1(U)     0/1/2(U)
                 TG:0/1/5(U)
    
    VID  Status  Property      MAC-LRN Statistics Description
    --------------------------------------------------------------------------------
    5    enable  default       enable  disable    VLAN 0005  

    Run the display port vlan command to view the list of VLANs configured on a port. In the following example, the display on CE 1 is used:

    [*CE1] display port vlan gigabitethernet0/1/5
    Port                     Link Type    PVID    Trunk VLAN List
    --------------------------------------------------------------
    GigabitEthernet0/1/5     trunk        0       5 9

    In either VLAN 5 or VLAN 9, a PC connected to CE 1 can ping a PC connected to CE 2 successfully.

Configuration Files

  • Configuration file of CE 1

    #
     sysname CE1
    #
     vlan batch 5 9
    #
    interface GigabitEthernet0/1/1
     portswitch
     undo shutdown
     port link-type access
     port default vlan 5
    #
    interface GigabitEthernet0/1/2
     portswitch
     undo shutdown
     port link-type access
     port default vlan 5
    #
    interface GigabitEthernet0/1/3
     portswitch
     undo shutdown
     port link-type access
     port default vlan 9
    #
    interface GigabitEthernet0/1/4
     portswitch
     undo shutdown
     port link-type access
     port default vlan 9
    #
    interface GigabitEthernet0/1/5
     portswitch
     undo shutdown
     port link-type trunk
     port trunk allow-pass vlan 5 9
    #
    return
  • Configuration file of CE 2

    #
     sysname CE2
    #
     vlan batch 5 9
    #
    interface GigabitEthernet0/1/1
     portswitch
     undo shutdown
     port link-type access
     port default vlan 5
    #
    interface GigabitEthernet0/1/2
     portswitch
     undo shutdown
     port link-type access
     port default vlan 5
    #
    interface GigabitEthernet0/1/3
     portswitch
     undo shutdown
     port link-type access
     port default vlan 9
    #
    interface GigabitEthernet0/1/4
     portswitch
     undo shutdown
     port link-type access
     port default vlan 9
    #
    interface GigabitEthernet0/1/5
     portswitch
     undo shutdown
     port link-type trunk
     port trunk allow-pass vlan 5 9
    #
    return
  • Configuration file of PE

    #
     sysname PE
    #
     vlan batch 5 9
    #
    interface GigabitEthernet0/1/1
     portswitch
     undo shutdown
     port link-type trunk
     port trunk allow-pass vlan 5 9
    #
    interface GigabitEthernet0/1/2
     portswitch
     undo shutdown
     port link-type trunk
     port trunk allow-pass vlan 5 9
    #
    return

Example for Configuring Inter-VLAN Communication by Using Sub-interfaces

Configuring sub-interfaces enables users in different VLANs and network segments to communicate with each other.

Networking Requirements

Users in different residential compounds in different network segments require various services such as Internet, IPTV, and VoIP services. The network administrator of each residential compound configures a VLAN for each service to simplify management. After the configuration, users in different residential compounds belong to different VLANs, but they need to communicate with each other for the same type of service.

On the network shown in Figure 1-372, users in residential compounds 1 to 4 belong to different VLANs and network segments but all require the Internet access service. Therefore, communication between these users is required.

Figure 1-372 Networking diagram for configuring inter-VLAN communication by using sub-interfaces

Interfaces 1 through 3 and subinterface1.1, subinterface1.2, subinterface2.1, subinterface2.2 in this example are GE 0/1/1, GE 0/1/2, GE 0/1/3, GE 0/1/1.1, GE 0/1/1.2, GE 0/1/2.1, GE 0/1/2.2, respectively.

Configuration Roadmap

The configuration roadmap is as follows:

  1. Create VLANs on CEs and determine mappings between users and VLANs.
  2. Configure trunk ports on CEs to allow frames with certain VLAN IDs to pass through.
  3. Create sub-interfaces on PE and associate the sub-interfaces with VLANs.
  4. Assign an IP address to each sub-interface for communication at the network layer.

The default gateway address of each PC in a VLAN must be the IP address of the corresponding sub-interface. Otherwise, inter-VLAN communication fails.

Data Preparation

To complete the configuration, you need the following data:

  • User VLAN ID
  • User IP address
  • Number of each port connecting a CE to a PC
  • Number of each port connecting a CE to the PE
  • Number and IP address of each sub-interface on PE

Procedure

  1. Create VLANs on CE1 and CE2.

    # Configure CE1.

    <HUAWEI> system-view
    [~HUAWEI] sysname CE1
    [*HUAWEI] commit
    [~CE1] vlan batch 30 40
    [*CE1] interface gigabitethernet 0/1/1
    [*CE1-GigabitEthernet0/1/1] portswitch
    [*CE1-GigabitEthernet0/1/1] undo shutdown
    [*CE1-GigabitEthernet0/1/1] port link-type access
    [*CE1-GigabitEthernet0/1/1] port default vlan 30
    [*CE1-GigabitEthernet0/1/1] quit
    [*CE1] interface gigabitethernet 0/1/2
    [*CE1-GigabitEthernet0/1/2] portswitch
    [*CE1-GigabitEthernet0/1/2] undo shutdown
    [*CE1-GigabitEthernet0/1/2] port link-type access
    [*CE1-GigabitEthernet0/1/2] port default vlan 40
    [*CE1-GigabitEthernet0/1/2] quit

    # Configure CE2.

    <HUAWEI> system-view
    [~HUAWEI] sysname CE2
    [*HUAWEI] commit
    [~CE2] vlan batch 10 20
    [*CE2] interface gigabitethernet 0/1/1
    [*CE2-GigabitEthernet0/1/1] portswitch
    [*CE2-GigabitEthernet0/1/1] undo shutdown
    [*CE2-GigabitEthernet0/1/1] port link-type access
    [*CE2-GigabitEthernet0/1/1] port default vlan 10
    [*CE2-GigabitEthernet0/1/1] quit
    [*CE2] interface gigabitethernet 0/1/2
    [*CE2-GigabitEthernet0/1/2] portswitch
    [*CE2-GigabitEthernet0/1/2] undo shutdown
    [*CE2-GigabitEthernet0/1/2] port link-type access
    [*CE2-GigabitEthernet0/1/2] port default vlan 20
    [*CE2-GigabitEthernet0/1/2] quit
  2. Configure trunk ports on CE 1 and CE 2 to allow frames with certain VLAN IDs to pass through.

    # Configure CE1.

    [*CE1] interface gigabitethernet 0/1/3
    [*CE1-GigabitEthernet0/1/3] portswitch
    [*CE1-GigabitEthernet0/1/3] undo shutdown
    [*CE1-GigabitEthernet0/1/3] port link-type trunk
    [*CE1-GigabitEthernet0/1/3] port trunk allow-pass vlan 30 40
    [*CE1-GigabitEthernet0/1/3] quit
    [*CE1] commit

    # Configure CE2.

    [*CE2] interface gigabitethernet 0/1/3
    [*CE2-GigabitEthernet0/1/3] portswitch
    [*CE2-GigabitEthernet0/1/3] undo shutdown
    [*CE2-GigabitEthernet0/1/3] port link-type trunk
    [*CE2-GigabitEthernet0/1/3] port trunk allow-pass vlan 10 20
    [*CE2-GigabitEthernet0/1/3] quit
    [*CE2] commit
  3. Create sub-interfaces on PE and associate the sub-interfaces with VLANs.
    <HUAWEI> system-view
    [~HUAWEI] sysname PE
    [*HUAWEI] commit
    [~PE] interface gigabitethernet 0/1/1
    [*PE-GigabitEthernet0/1/1] undo shutdown
    [*PE-GigabitEthernet0/1/1] quit
    [*PE] interface gigabitethernet 0/1/1.1
    [*PE-GigabitEthernet0/1/1.1] vlan-type dot1q 10
    [*PE-GigabitEthernet0/1/1.1] quit
    [*PE] interface gigabitethernet 0/1/1.2
    [*PE-GigabitEthernet0/1/1.2] vlan-type dot1q 20
    [*PE-GigabitEthernet0/1/1.2] quit
    [*PE] interface gigabitethernet 0/1/2
    [*PE-GigabitEthernet0/1/2] undo shutdown
    [*PE-GigabitEthernet0/1/2] quit
    [*PE] interface gigabitethernet 0/1/2.1
    [*PE-GigabitEthernet0/1/2.1] vlan-type dot1q 30
    [*PE-GigabitEthernet0/1/2.1] quit
    [*PE] interface gigabitethernet 0/1/2.2
    [*PE-GigabitEthernet0/1/2.2] vlan-type dot1q 40
    [*PE-GigabitEthernet0/1/2.2] quit
  4. Configure IP addresses.
    [*PE] interface gigabitethernet 0/1/1.1
    [*PE-GigabitEthernet0/1/1.1] ip address 10.110.6.3 24
    [*PE-GigabitEthernet0/1/1.1] quit
    [*PE] interface gigabitethernet 0/1/1.2
    [*PE-GigabitEthernet0/1/1.2] ip address 10.110.5.3 24
    [*PE-GigabitEthernet0/1/1.2] quit
    [*PE] interface gigabitethernet 0/1/2.1
    [*PE-GigabitEthernet0/1/2.1] ip address 10.110.4.3 24
    [*PE-GigabitEthernet0/1/2.1] quit
    [*PE] interface gigabitethernet 0/1/2.2
    [*PE-GigabitEthernet0/1/2.2] ip address 10.110.3.3 24
    [*PE-GigabitEthernet0/1/2.2] quit
    [*PE] commit
  5. Verify the configuration.

    On PCs in VLAN 10, configure the IP address 10.110.6.3/24 of GE 0/1/1.1 as the default gateway address.

    On PCs in VLAN 20, configure the IP address 10.110.5.3/24 of GE 0/1/1.2 as the default gateway address.

    On PCs in VLAN 30, configure the IP address 10.110.4.3/24 of GE 0/1/2.1 as the default gateway address.

    On PCs in VLAN 40, configure the IP address 10.110.3.3/24 of GE 0/1/2.2 as the default gateway address.

    After the configurations, PCs in VLANs 10, 20, 30, and 40 can ping each other successfully.

Configuration Files

  • Configuration file of CE1

    #
     sysname CE1
    #
     vlan batch 30 40
    #
    interface GigabitEthernet0/1/1
     portswitch
     undo shutdown
     port link-type access
     port default vlan 30
    #
    interface GigabitEthernet0/1/2
     portswitch
     undo shutdown
     port link-type access
     port default vlan 40
    #
    interface GigabitEthernet0/1/3
     portswitch
     undo shutdown
     port link-type trunk
     port trunk allow-pass vlan 30 40
    #
    return
  • Configuration file of CE2

    #
     sysname CE2
    #
     vlan batch 10 20
    #
    interface GigabitEthernet0/1/1
     portswitch
     undo shutdown
     port link-type access
     port default vlan 10
    #
    interface GigabitEthernet0/1/2
     portswitch
     undo shutdown
     port link-type access
     port default vlan 20
    #
    interface GigabitEthernet0/1/3
     portswitch
     undo shutdown
     port link-type trunk
     port trunk allow-pass vlan 10 20
    #
    return
  • Configuration file of PE

    #
     sysname PE
    #
    interface GigabitEthernet0/1/1
     undo shutdown
    #
    interface GigabitEthernet0/1/1.1
     vlan-type dot1q 10
     ip address 10.110.6.3 255.255.255.0
    #
    interface GigabitEthernet0/1/1.2
     vlan-type dot1q 20
     ip address 10.110.5.3 255.255.255.0
    #
    interface GigabitEthernet0/1/2
     undo shutdown
    #
    interface GigabitEthernet0/1/2.1
     vlan-type dot1q 30
     ip address 10.110.4.3 255.255.255.0
    #
    interface GigabitEthernet0/1/2.2
     vlan-type dot1q 40
     ip address 10.110.3.3 255.255.255.0
    #
    return
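The gateway rule in this example (each PC's default gateway must be the IP address of the sub-interface that terminates its VLAN) can be checked against a host inventory before rollout. The following Python script is an added example, not part of the original documentation; the PC names and addresses are constructed, and the function names are assumptions.

```python
import ipaddress
import re

# PE sub-interface stanzas from the configuration file in this example.
PE_CONFIG = """\
interface GigabitEthernet0/1/1.1
 vlan-type dot1q 10
 ip address 10.110.6.3 255.255.255.0
#
interface GigabitEthernet0/1/1.2
 vlan-type dot1q 20
 ip address 10.110.5.3 255.255.255.0
#
interface GigabitEthernet0/1/2.1
 vlan-type dot1q 30
 ip address 10.110.4.3 255.255.255.0
#
interface GigabitEthernet0/1/2.2
 vlan-type dot1q 40
 ip address 10.110.3.3 255.255.255.0
#
return
"""

# Constructed PC inventory (hypothetical hosts, not from the original page).
PCS = [
    {"name": "pc-a", "vlan": 10, "ip": "10.110.6.10", "gateway": "10.110.6.3"},
    {"name": "pc-b", "vlan": 20, "ip": "10.110.5.10", "gateway": "10.110.6.3"},
    {"name": "pc-c", "vlan": 30, "ip": "10.110.5.20", "gateway": "10.110.4.3"},
    {"name": "pc-d", "vlan": 40, "ip": "10.110.3.3", "gateway": "10.110.3.3"},
    {"name": "pc-e", "vlan": 50, "ip": "10.110.7.10", "gateway": "10.110.7.1"},
]

# One sub-interface stanza: name, dot1q VLAN ID, address and dotted mask.
STANZA = re.compile(
    r"^interface (\S+)\n vlan-type dot1q (\d+)\n ip address (\S+) (\S+)$",
    re.MULTILINE,
)


def gateways_by_vlan(config):
    """Map each dot1q VLAN ID to (sub-interface name, IPv4Interface)."""
    return {int(vlan): (name, ipaddress.ip_interface(f"{addr}/{mask}"))
            for name, vlan, addr, mask in STANZA.findall(config)}


def check_pc(pc, table):
    """Return the reasons this PC cannot use inter-VLAN routing; empty if none."""
    if pc["vlan"] not in table:
        return [f"VLAN {pc['vlan']} is not terminated on any PE sub-interface"]
    name, gw = table[pc["vlan"]]
    ip, problems = ipaddress.ip_address(pc["ip"]), []
    if ip not in gw.network:
        problems.append(f"{ip} is outside {gw.network} ({name})")
    elif ip in (gw.ip, gw.network.network_address, gw.network.broadcast_address):
        problems.append(f"{ip} is reserved in {gw.network} (gateway, network or broadcast)")
    if ipaddress.ip_address(pc["gateway"]) != gw.ip:
        problems.append(f"gateway {pc['gateway']} should be {gw.ip} ({name})")
    return problems


def report(pcs, config):
    """Check every PC in the inventory against the PE sub-interfaces."""
    table = gateways_by_vlan(config)
    return {pc["name"]: check_pc(pc, table) for pc in pcs}


if __name__ == "__main__":
    for name, problems in report(PCS, PE_CONFIG).items():
        print(name, "OK" if not problems else "; ".join(problems))
```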

Example for Configuring VLAN and Non-VLAN Users to Communicate by Using Sub-interfaces

This example describes how to configure communication between VLAN users and non-VLAN users.

Networking Requirements

Residents in a residential compound belong to different network segments. To simplify management, the network administrator of the residential compound adds users to different VLANs. Residents in another residential compound are not added to any VLAN. VLAN users must be able to communicate with non-VLAN users.

On the network shown in Figure 1-373, users in residential compound 1 belong to different VLANs and network segments, and users in residential compound 2 do not belong to any VLAN. It is required that the network permit the communication between users in VLAN 10 and users in residential compound 2.

Figure 1-373 Networking diagram for configuring VLAN and non-VLAN users to communicate by using sub-interfaces

Interfaces 1 through 3 and subinterface1.1 in this example represent GE 0/1/1, GE 0/1/2, GE 0/1/3, GE 0/1/1.1, respectively.

Configuration Roadmap

The configuration roadmap is as follows:

  1. Create VLANs on switches and determine mappings between users and VLANs.
  2. Configure the trunk port on CE 1 to allow frames with certain VLAN IDs to pass through.
  3. Create a sub-interface on the interface connecting the NE to VLAN users and associate the sub-interface with VLAN 10.
  4. Assign IP addresses to interfaces for communication at the network layer.

    • Assign an IP address to the sub-interface.
    • Assign an IP address to the interface connecting the NE to non-VLAN users.

  • The IP address assigned to the sub-interface connected to VLAN users must be on the same network segment as the IP addresses of VLAN users.
  • The IP address assigned to the interface connected to non-VLAN users must be on the same network segment as the IP addresses of non-VLAN users.
  • The default gateway address of PCs in VLAN 10 must be the IP address of the sub-interface. Otherwise, VLAN and non-VLAN users cannot communicate with each other.

Data Preparation

To complete the configuration, you need the following data:

  • User VLAN ID
  • User IP address
  • Number of each port connecting a CE to a PC
  • Number of each port connecting a CE to the PE
  • Number and IP address of each sub-interface on PE

Procedure

  1. Create a VLAN on CE 1.
    <HUAWEI> system-view
    [~HUAWEI] sysname CE1
    [*HUAWEI] commit
    [~CE1] vlan batch 10
    [*CE1] interface gigabitethernet 0/1/1
    [*CE1-GigabitEthernet0/1/1] portswitch
    [*CE1-GigabitEthernet0/1/1] undo shutdown
    [*CE1-GigabitEthernet0/1/1] port link-type access
    [*CE1-GigabitEthernet0/1/1] port default vlan 10
    [*CE1-GigabitEthernet0/1/1] quit
  2. Configure the trunk port on CE 1 to allow frames with certain VLAN IDs to pass through.
    [*CE1] interface gigabitethernet 0/1/3
    [*CE1-GigabitEthernet0/1/3] portswitch
    [*CE1-GigabitEthernet0/1/3] undo shutdown
    [*CE1-GigabitEthernet0/1/3] port link-type trunk
    [*CE1-GigabitEthernet0/1/3] port trunk allow-pass vlan 10
    [*CE1-GigabitEthernet0/1/3] quit
    [*CE1] commit
  3. Create a sub-interface on PE and associate the sub-interface with VLAN 10.
    <HUAWEI> system-view
    [~HUAWEI] sysname PE
    [*HUAWEI] commit
    [~PE] interface gigabitethernet 0/1/1
    [*PE-GigabitEthernet0/1/1] undo shutdown
    [*PE-GigabitEthernet0/1/1] quit
    [*PE] interface gigabitethernet 0/1/1.1
    [*PE-GigabitEthernet0/1/1.1] vlan-type dot1q 10
  4. Configure IP addresses.
    [*PE-GigabitEthernet0/1/1.1] ip address 10.110.2.5 24
    [*PE-GigabitEthernet0/1/1.1] quit
    [*PE] interface gigabitethernet 0/1/2
    [*PE-GigabitEthernet0/1/2] undo shutdown
    [*PE-GigabitEthernet0/1/2] ip address 10.110.3.5 24
    [*PE-GigabitEthernet0/1/2] quit
    [*PE] commit
  5. Verify the configuration.

    On PCs in VLAN 10, configure the IP address 10.110.2.5/24 of GE 0/1/1.1 as the default gateway address.

    On CE 2, configure the IP address 10.110.3.5 of GE 0/1/2 as the default gateway address.

    After the configurations, users in VLAN 10 and non-VLAN users can ping each other successfully.

Configuration Files

  • Configuration file of CE 1

    #
     sysname CE1
    #
     vlan batch 10
    #
    interface GigabitEthernet0/1/1
     portswitch
     undo shutdown
     port link-type access
     port default vlan 10
    #
    interface GigabitEthernet0/1/3
     portswitch
     undo shutdown
     port link-type trunk
     port trunk allow-pass vlan 10
    #
    return
  • Configuration file of PE

    #
     sysname PE
    #
    interface GigabitEthernet0/1/1
     undo shutdown
    #
    interface GigabitEthernet0/1/1.1
     vlan-type dot1q 10
     ip address 10.110.2.5 255.255.255.0
    #
    interface GigabitEthernet0/1/2
     undo shutdown
     ip address 10.110.3.5 255.255.255.0
    #
    return

Example for Configuring Inter-VLAN Communication by Using VLANIF Interfaces

In this example, Layer 3 forwarding is performed by a Layer 3 PE instead of a router. This allows PCs in different VLANs to communicate with each other and reduces operating costs.

Networking Requirements

Users in different residential compounds in different network segments require various services such as Internet, IPTV, and VoIP services. The network administrator of each residential compound configures a VLAN for each service to simplify management. After the configuration, users in different residential compounds belong to different VLANs, but they need to communicate with each other for the same type of service.

On the network shown in Figure 1-374, users in communities 1 to 4 belong to different VLANs and network segments but all require the Internet access service. It is required that these users communicate with each other at a low operating cost.

Figure 1-374 Networking diagram for configuring inter-VLAN communication by using VLANIF interfaces

Interfaces 1 through 3 in this example are GE 0/1/1, GE 0/1/2, GE 0/1/3, respectively.

Configuration Roadmap

The configuration roadmap is as follows:

  1. Create VLANs on CEs and determine mappings between users and VLANs.
  2. Configure trunk ports on CEs to allow frames with certain VLAN IDs to pass through.
  3. Create VLANIF interfaces on the PE and assign IP addresses to the interfaces to allow Layer 3 communication.

The default gateway address of each PC in a VLAN must be the IP address of the corresponding VLANIF interface. Otherwise, inter-VLAN communication will fail.

Data Preparation

To complete the configuration, you need the following data:

  • User VLAN ID
  • User IP address
  • Number of each port connecting a CE to a PC
  • Number of the ports interconnecting CEs
  • Number and IP address of each VLANIF interface on the PE

Procedure

  1. Create VLANs on CE1 and CE2.

    # Configure CE1.

    <HUAWEI> system-view
    [~HUAWEI] sysname CE1
    [*HUAWEI] commit
    [~CE1] vlan batch 30 40
    [*CE1] interface gigabitethernet 0/1/1
    [*CE1-GigabitEthernet0/1/1] portswitch
    [*CE1-GigabitEthernet0/1/1] undo shutdown
    [*CE1-GigabitEthernet0/1/1] port link-type access
    [*CE1-GigabitEthernet0/1/1] port default vlan 30
    [*CE1-GigabitEthernet0/1/1] quit
    [*CE1] interface gigabitethernet 0/1/2
    [*CE1-GigabitEthernet0/1/2] portswitch
    [*CE1-GigabitEthernet0/1/2] undo shutdown
    [*CE1-GigabitEthernet0/1/2] port link-type access
    [*CE1-GigabitEthernet0/1/2] port default vlan 40
    [*CE1-GigabitEthernet0/1/2] quit

    # Configure CE2.

    <HUAWEI> system-view
    [~HUAWEI] sysname CE2
    [*HUAWEI] commit
    [~CE2] vlan batch 10 20
    [*CE2] interface gigabitethernet 0/1/1
    [*CE2-GigabitEthernet0/1/1] portswitch
    [*CE2-GigabitEthernet0/1/1] undo shutdown
    [*CE2-GigabitEthernet0/1/1] port link-type access
    [*CE2-GigabitEthernet0/1/1] port default vlan 10
    [*CE2-GigabitEthernet0/1/1] quit
    [*CE2] interface gigabitethernet 0/1/2
    [*CE2-GigabitEthernet0/1/2] portswitch
    [*CE2-GigabitEthernet0/1/2] undo shutdown
    [*CE2-GigabitEthernet0/1/2] port link-type access
    [*CE2-GigabitEthernet0/1/2] port default vlan 20
    [*CE2-GigabitEthernet0/1/2] quit
  2. Configure trunk ports on CE 1 and CE 2 to allow frames with certain VLAN IDs to pass through.

    # Configure CE1.

    [*CE1] interface gigabitethernet 0/1/3
    [*CE1-GigabitEthernet0/1/3] portswitch
    [*CE1-GigabitEthernet0/1/3] undo shutdown
    [*CE1-GigabitEthernet0/1/3] port link-type trunk
    [*CE1-GigabitEthernet0/1/3] port trunk allow-pass vlan 30 40
    [*CE1-GigabitEthernet0/1/3] quit
    [*CE1] commit

    # Configure CE2.

    [*CE2] interface gigabitethernet 0/1/3
    [*CE2-GigabitEthernet0/1/3] portswitch
    [*CE2-GigabitEthernet0/1/3] undo shutdown
    [*CE2-GigabitEthernet0/1/3] port link-type trunk
    [*CE2-GigabitEthernet0/1/3] port trunk allow-pass vlan 10 20
    [*CE2-GigabitEthernet0/1/3] quit
    [*CE2] commit
  3. Create VLANIF interfaces on PE and assign IP addresses to the VLANIF interfaces.
    <HUAWEI> system-view
    [~HUAWEI] sysname PE
    [*HUAWEI] commit
    [~PE] vlan batch 10 to 40
    [*PE] interface gigabitethernet 0/1/1
    [*PE-GigabitEthernet0/1/1] portswitch
    [*PE-GigabitEthernet0/1/1] undo shutdown
    [*PE-GigabitEthernet0/1/1] port link-type trunk
    [*PE-GigabitEthernet0/1/1] port trunk allow-pass vlan 30 40
    [*PE-GigabitEthernet0/1/1] quit
    [*PE] interface gigabitethernet 0/1/2
    [*PE-GigabitEthernet0/1/2] portswitch
    [*PE-GigabitEthernet0/1/2] undo shutdown
    [*PE-GigabitEthernet0/1/2] port link-type trunk
    [*PE-GigabitEthernet0/1/2] port trunk allow-pass vlan 10 20
    [*PE-GigabitEthernet0/1/2] quit
    [*PE] interface Vlanif 10
    [*PE-Vlanif10] ip address 10.110.6.3 24
    [*PE-Vlanif10] quit
    [*PE] interface Vlanif 20
    [*PE-Vlanif20] ip address 10.110.5.3 24
    [*PE-Vlanif20] quit
    [*PE] interface Vlanif 30
    [*PE-Vlanif30] ip address 10.110.4.3 24
    [*PE-Vlanif30] quit
    [*PE] interface Vlanif 40
    [*PE-Vlanif40] ip address 10.110.3.3 24
    [*PE-Vlanif40] quit
    [*PE] commit
  4. Verify the configuration.

    On PCs in VLAN 10, configure the IP address 10.110.6.3/24 of VLANIF 10 as the default gateway address.

    On PCs in VLAN 20, configure the IP address 10.110.5.3/24 of VLANIF 20 as the default gateway address.

    On PCs in VLAN 30, configure the IP address 10.110.4.3/24 of VLANIF 30 as the default gateway address.

    On PCs in VLAN 40, configure the IP address 10.110.3.3/24 of VLANIF 40 as the default gateway address.

    After the configurations, PCs in VLANs 10, 20, 30, and 40 can ping each other successfully.

Configuration Files

  • Configuration file of CE1

    #
     sysname CE1
    #
     vlan batch 30 40
    #
    interface GigabitEthernet0/1/1
     portswitch
     undo shutdown
     port link-type access
     port default vlan 30
    #
    interface GigabitEthernet0/1/2
     portswitch
     undo shutdown
     port link-type access
     port default vlan 40
    #
    interface GigabitEthernet0/1/3
     portswitch
     undo shutdown
     port link-type trunk
     port trunk allow-pass vlan 30 40
    #
    return
  • Configuration file of CE2

    #
     sysname CE2
    #
     vlan batch 10 20
    #
    interface GigabitEthernet0/1/1
     portswitch
     undo shutdown
     port link-type access
     port default vlan 10
    #
    interface GigabitEthernet0/1/2
     portswitch
     undo shutdown
     port link-type access
     port default vlan 20
    #
    interface GigabitEthernet0/1/3
     portswitch
     undo shutdown
     port link-type trunk
     port trunk allow-pass vlan 10 20
    #
    return
  • Configuration file of PE

    #
     sysname PE
    #
     vlan batch 10 to 40
    #
    interface Vlanif10
     ip address 10.110.6.3 255.255.255.0
    #
    interface Vlanif20
     ip address 10.110.5.3 255.255.255.0
    #
    interface Vlanif30
     ip address 10.110.4.3 255.255.255.0
    #
    interface Vlanif40
     ip address 10.110.3.3 255.255.255.0
    #
    interface GigabitEthernet0/1/1
     portswitch
     undo shutdown
     port link-type trunk
     port trunk allow-pass vlan 30 40
    #
    interface GigabitEthernet0/1/2
     portswitch
     undo shutdown
     port link-type trunk
     port trunk allow-pass vlan 10 20
    #
    return
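The configuration files in the port-based, trunk and VLANIF examples can be audited mechanically for VLANs that are created but never used, and for VLANs that a port references without creating them. The following Python script is an added example, not part of the original documentation: it expands `vlan batch` ranges and compares them with the VLANs used by access ports, trunk ports and VLANIF interfaces. The function names and the second, constructed CE file are assumptions.

```python
def expand_vlans(tokens):
    """Expand a VRP VLAN list such as ['10', 'to', '40'] or ['5', '9'] into a set."""
    vlans, i = set(), 0
    while i < len(tokens):
        first = int(tokens[i])
        if tokens[i + 1:i + 2] == ["to"] and i + 2 < len(tokens):
            vlans.update(range(first, int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(first)
            i += 1
    return vlans

def parse_config(text):
    """Return (VLANs created globally, {interface: {'type': ..., 'vlans': set}})."""
    created, ifaces, cur = set(), {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0] in ("#", "return"):
            cur = None  # '#' closes the current stanza
        elif words[:2] == ["vlan", "batch"]:
            created |= expand_vlans(words[2:])
        elif words[0] == "interface":
            cur = ifaces.setdefault(words[1], {"type": "routed", "vlans": set()})
            if words[1].startswith("Vlanif"):
                cur["type"] = "vlanif"
                cur["vlans"].add(int(words[1][len("Vlanif"):]))
        elif cur is None:
            continue
        elif words[:2] == ["port", "link-type"]:
            cur["type"] = words[2]
        elif words[:3] == ["port", "default", "vlan"]:
            cur["vlans"].add(int(words[3]))
        elif words[:4] == ["port", "trunk", "allow-pass", "vlan"]:
            cur["vlans"] |= expand_vlans(words[4:])
        elif words[:2] == ["vlan-type", "dot1q"]:
            cur["type"] = "dot1q"
            cur["vlans"].add(int(words[2]))
    return created, ifaces

def audit(text):
    """Compare VLANs created with VLANs used by Layer 2 ports and VLANIF interfaces."""
    created, ifaces = parse_config(text)
    used = set()
    for attrs in ifaces.values():
        # dot1q sub-interfaces are skipped: the page's sub-interface PE file has no vlan batch.
        if attrs["type"] in ("access", "trunk", "vlanif"):
            used |= attrs["vlans"]
    return {
        "created_unused": sorted(created - used),
        "used_not_created": sorted(used - created),
        "trunks": {name: sorted(a["vlans"]) for name, a in ifaces.items()
                   if a["type"] == "trunk"},
    }

# PE configuration file from the VLANIF example on this page (sysname stanza omitted).
PE_VLANIF = """\
vlan batch 10 to 40
#
interface Vlanif10
 ip address 10.110.6.3 255.255.255.0
#
interface Vlanif20
 ip address 10.110.5.3 255.255.255.0
#
interface Vlanif30
 ip address 10.110.4.3 255.255.255.0
#
interface Vlanif40
 ip address 10.110.3.3 255.255.255.0
#
interface GigabitEthernet0/1/1
 portswitch
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 30 40
#
interface GigabitEthernet0/1/2
 portswitch
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
return
"""

# Constructed CE file (not from the page): the trunk carries VLAN 20, which is never created.
CE_CONSTRUCTED = """\
 vlan batch 10
#
interface GigabitEthernet0/1/3
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
return
"""

if __name__ == "__main__":
    print(audit(PE_VLANIF), audit(CE_CONSTRUCTED), sep="\n")
```

On the PE file, `vlan batch 10 to 40` expands to 31 VLANs while only VLANs 10, 20, 30 and 40 have a port or VLANIF member, so the audit lists the other 27 as created but unused.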

Example for Configuring 1 to 1 VLAN Mapping for Inter-VLAN Communication

1 to 1 VLAN mapping replaces a user VLAN ID with the ISP VLAN ID, and the ISP VLAN ID with a user VLAN ID, so that users in different VLANs can communicate with each other.

Networking Requirements

Users in different residential compounds use IPTV, VoIP, and Internet services. To simplify management, the network administrator of each residential compound configures a separate VLAN for each type of service. After the configuration, users using the same type of service in different residential compounds belong to different VLANs, but they need to communicate with each other.

On the network shown in Figure 1-375, the same type of services in residential compounds 1 and 2 belong to different VLANs. It is required that these users communicate with each other at a low operating cost.

Figure 1-375 Networking diagram for configuring 1 to 1 VLAN mapping

Interfaces 1 through 3 in this example are GE 0/1/1, GE 0/1/2, GE 0/1/3, respectively.

Configuration Roadmap

The configuration roadmap is as follows:

  1. Add ports connecting CE1 to residential compound 1 to VLAN 6. Add ports connecting CE2 to residential compound 2 to VLAN 5.
  2. Configure 1 to 1 VLAN mapping on CEs 3 and 4 at the edge of the ISP network to map user VLAN IDs to the ISP VLAN ID to allow users in different VLANs to communicate with each other.

Data Preparation

To complete the configuration, you need the following data:

  • Number of each port connecting a CE to a user device
  • Number of the ports interconnecting CEs
  • VLAN IDs configured on CEs
  • VLAN ID provided by the ISP

Procedure

  1. Add ports connecting CEs to user devices to specified VLANs.

    # Configure CE1.

    <HUAWEI> system-view
    [~HUAWEI] sysname CE1
    [*HUAWEI] commit
    [~CE1] vlan 6
    [*CE1-vlan6] quit
    [*CE1] interface gigabitethernet 0/1/1
    [*CE1-GigabitEthernet0/1/1] undo shutdown
    [*CE1-GigabitEthernet0/1/1] portswitch
    [*CE1-GigabitEthernet0/1/1] port link-type access
    [*CE1-GigabitEthernet0/1/1] port default vlan 6
    [*CE1-GigabitEthernet0/1/1] quit
    [*CE1] interface gigabitethernet 0/1/2
    [*CE1-GigabitEthernet0/1/2] undo shutdown
    [*CE1-GigabitEthernet0/1/2] portswitch
    [*CE1-GigabitEthernet0/1/2] port link-type access
    [*CE1-GigabitEthernet0/1/2] port default vlan 6
    [*CE1-GigabitEthernet0/1/2] quit
    [*CE1] interface gigabitethernet 0/1/3
    [*CE1-GigabitEthernet0/1/3] undo shutdown
    [*CE1-GigabitEthernet0/1/3] portswitch
    [*CE1-GigabitEthernet0/1/3] port link-type trunk
    [*CE1-GigabitEthernet0/1/3] port trunk allow-pass vlan 6
    [*CE1-GigabitEthernet0/1/3] commit
    [~CE1-GigabitEthernet0/1/3] quit

    # Configure CE2.

    <HUAWEI> system-view
    [~HUAWEI] sysname CE2
    [*HUAWEI] commit
    [~CE2] vlan 5
    [*CE2-vlan5] quit
    [*CE2] interface gigabitethernet 0/1/1
    [*CE2-GigabitEthernet0/1/1] undo shutdown
    [*CE2-GigabitEthernet0/1/1] portswitch
    [*CE2-GigabitEthernet0/1/1] port link-type access
    [*CE2-GigabitEthernet0/1/1] port default vlan 5
    [*CE2-GigabitEthernet0/1/1] quit
    [*CE2] interface gigabitethernet 0/1/2
    [*CE2-GigabitEthernet0/1/2] undo shutdown
    [*CE2-GigabitEthernet0/1/2] portswitch
    [*CE2-GigabitEthernet0/1/2] port link-type access
    [*CE2-GigabitEthernet0/1/2] port default vlan 5
    [*CE2-GigabitEthernet0/1/2] quit
    [*CE2] interface gigabitethernet 0/1/3
    [*CE2-GigabitEthernet0/1/3] undo shutdown
    [*CE2-GigabitEthernet0/1/3] portswitch
    [*CE2-GigabitEthernet0/1/3] port link-type trunk
    [*CE2-GigabitEthernet0/1/3] port trunk allow-pass vlan 5
    [*CE2-GigabitEthernet0/1/3] commit
    [~CE2-GigabitEthernet0/1/3] quit
  2. Configure 1 to 1 VLAN mapping.

    # Configure PE1.

    <HUAWEI> system-view
    [~HUAWEI] sysname PE1
    [*HUAWEI] commit
    [~PE1] vlan 10
    [*PE1-vlan10] quit
    [*PE1] interface gigabitethernet 0/1/1
    [*PE1-GigabitEthernet0/1/1] undo shutdown
    [*PE1-GigabitEthernet0/1/1] portswitch
    [*PE1-GigabitEthernet0/1/1] port link-type trunk
    [*PE1-GigabitEthernet0/1/1] port trunk allow-pass vlan 10
    [*PE1-GigabitEthernet0/1/1] port vlan-mapping vlan 6 map-vlan 10
    [*PE1-GigabitEthernet0/1/1] commit
    [~PE1-GigabitEthernet0/1/1] quit

    # Configure PE2.

    <HUAWEI> system-view
    [~HUAWEI] sysname PE2
    [*HUAWEI] commit
    [~PE2] vlan 10
    [*PE2-vlan10] quit
    [*PE2] interface gigabitethernet 0/1/1
    [*PE2-GigabitEthernet0/1/1] undo shutdown
    [*PE2-GigabitEthernet0/1/1] portswitch
    [*PE2-GigabitEthernet0/1/1] port link-type trunk
    [*PE2-GigabitEthernet0/1/1] port trunk allow-pass vlan 10
    [*PE2-GigabitEthernet0/1/1] port vlan-mapping vlan 5 map-vlan 10
    [*PE2-GigabitEthernet0/1/1] commit
    [~PE2-GigabitEthernet0/1/1] quit
  3. Verify the configuration.

    After completing the configuration, run the display vlan command to check the VLAN mapping information. The following uses the output on PE1 as an example.

    [*PE1] display vlan 10
    * : management-vlan
    ---------------------
    VLAN ID Type         Status   MAC Learning Broadcast/Multicast/Unicast Property
    --------------------------------------------------------------------------------
    10      common       enable   enable       forward   forward   forward default
    ----------------
    QinQ-map  Port: GigabitEthernet0/1/1
    ----------------
    Interface                   Physical
    GigabitEthernet0/1/1        UP
    

    Users in residential compounds 1 and 2 can communicate with each other.

Configuration Files

  • Configuration file of CE1

    #
     sysname CE1
    #
    vlan batch 6
    #
    interface GigabitEthernet0/1/1
     undo shutdown
     portswitch
     port link-type access
     port default vlan 6
    #
    interface GigabitEthernet0/1/2
     undo shutdown
     portswitch
     port link-type access
     port default vlan 6
    #
    interface GigabitEthernet0/1/3
     undo shutdown
     portswitch
     port link-type trunk
     port trunk allow-pass vlan 6
    #
    return
  • Configuration file of CE2

    #
     sysname CE2
    #
    vlan batch 5
    #
    interface GigabitEthernet0/1/1
     undo shutdown
     portswitch
     port link-type access
     port default vlan 5
    #
    interface GigabitEthernet0/1/2
     undo shutdown
     portswitch
     port link-type access
     port default vlan 5
    #
    interface GigabitEthernet0/1/3
     undo shutdown
     portswitch
     port link-type trunk
     port trunk allow-pass vlan 5
    #
    return
  • Configuration file of PE1

    #
     sysname PE1
    #
    vlan batch 10
    #
    interface GigabitEthernet0/1/1
     undo shutdown
     portswitch
     port link-type trunk
     port trunk allow-pass vlan 10
     port vlan-mapping vlan 6 map-vlan 10
    #
    return
  • Configuration file of PE2

    #
     sysname PE2
    #
    vlan batch 10
    #
    interface GigabitEthernet0/1/1
     undo shutdown
     portswitch
     port link-type trunk
     port trunk allow-pass vlan 10
     port vlan-mapping vlan 5 map-vlan 10
    #
    return
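
The tag rewriting configured above can be followed hop by hop. The sketch below is an added example, not part of the original documentation: it models only the allow-pass lists and port vlan-mapping entries from the four configuration files and assumes that the ISP network carries VLAN 10 unchanged between PE1 and PE2. All function and variable names are hypothetical.

```python
# Port model taken from the configuration files above. Assumption: the PE-to-PE
# path through the ISP network carries VLAN 10 unchanged.
CE1_UPLINK = {"name": "CE1 GE0/1/3", "allow": {6}, "mapping": {}}
PE1_PORT = {"name": "PE1 GE0/1/1", "allow": {10}, "mapping": {6: 10}}
PE2_PORT = {"name": "PE2 GE0/1/1", "allow": {10}, "mapping": {5: 10}}
CE2_UPLINK = {"name": "CE2 GE0/1/3", "allow": {5}, "mapping": {}}


def ingress(port, vid):
    """Tag used inside the device after a tagged frame enters `port` (None = dropped)."""
    vid = port["mapping"].get(vid, vid)  # port vlan-mapping vlan X map-vlan Y: X -> Y
    return vid if vid in port["allow"] else None


def egress(port, vid):
    """Tag on the wire after the device sends internal VLAN `vid` out of `port`."""
    if vid not in port["allow"]:
        return None
    reverse = {mapped: orig for orig, mapped in port["mapping"].items()}
    return reverse.get(vid, vid)  # the mapping is undone in the outbound direction: Y -> X


def walk(vid, path):
    """Follow a tag along [(direction, port), ...] and return [(hop, tag), ...]."""
    trace = []
    for direction, port in path:
        vid = (ingress if direction == "in" else egress)(port, vid)
        trace.append((f"{direction} {port['name']}", vid))
        if vid is None:  # frame dropped, nothing travels further
            break
    return trace


def delivered(vid, path):
    """Tag with which the frame reaches the far end, or None if it is dropped on the way."""
    return walk(vid, path)[-1][1]


CE1_TO_CE2 = [("out", CE1_UPLINK), ("in", PE1_PORT), ("out", PE2_PORT), ("in", CE2_UPLINK)]
CE2_TO_CE1 = [("out", CE2_UPLINK), ("in", PE2_PORT), ("out", PE1_PORT), ("in", CE1_UPLINK)]

if __name__ == "__main__":
    for hop, tag in walk(6, CE1_TO_CE2):
        print(f"{hop:<16} -> VLAN {tag}")
    print("VLAN 7 from CE1:", walk(7, CE1_TO_CE2))
```

Only the mapped user VLANs survive the path: any other tag fails an allow-pass check at the first port it meets, which is why each PE trunk permits VLAN 10 and nothing else.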

Example for Configuring Communication Between VLANs Through VLAN Aggregation

This example describes how to configure communication between VLANs while using fewer IP addresses.

Networking Requirements

Assume that an enterprise has many departments whose IP addresses are on the same network segment. To improve service security, PCs used by employees in the same department are added to the same VLAN, and PCs used by employees in different departments are added to different VLANs. PCs in different departments still need to communicate with each other.

As shown in Figure 1-376, the R&D department and the test department belong to different VLANs. PCs used by employees in different VLANs must be able to communicate with each other.

Figure 1-376 Networking diagram of configuring communication between VLANs through VLAN aggregation

Interfaces 1 through 3 in this example are GE 0/1/1, GE 0/1/2, GE 0/1/3, respectively.

IP addresses of the R&D department and test department are on the same network segment. To save IP address resources, you can deploy VLAN aggregation on devices of the R&D department and test department. This ensures that different VLANs can communicate with each other.

Configuration Roadmap

The configuration roadmap is as follows:

  1. Create VLANs on CE1 and CE2 to determine mappings between users and VLANs.
  2. Configure VLAN aggregation on the PE.

    1. Configure the Layer 2 forwarding function.

    2. Create a super-VLAN and add sub-VLANs to the super-VLAN.

    3. Create the VLANIF interface of the super-VLAN and assign an IP address to the VLANIF interface as the network gateway address.

Data Preparation

To complete the configuration, you need the following data:

  • User VLAN ID
  • User IP address
  • Number of each port connecting a CE to a PC
  • Sub-VLAN ID and super-VLAN ID
  • Number and IP address of the VLANIF interface of the super-VLAN

Procedure

  1. Create a VLAN on CE and add Layer 2 interfaces to the VLAN.

    # Configure CE1.

    <HUAWEI> system-view
    [~HUAWEI] sysname CE1
    [*HUAWEI] commit
    [~CE1] vlan batch 2
    [*CE1] interface gigabitethernet 0/1/1
    [*CE1-GigabitEthernet0/1/1] portswitch
    [*CE1-GigabitEthernet0/1/1] undo shutdown
    [*CE1-GigabitEthernet0/1/1] port link-type access
    [*CE1-GigabitEthernet0/1/1] port default vlan 2
    [*CE1-GigabitEthernet0/1/1] quit
    [*CE1] interface gigabitethernet 0/1/2
    [*CE1-GigabitEthernet0/1/2] portswitch
    [*CE1-GigabitEthernet0/1/2] undo shutdown
    [*CE1-GigabitEthernet0/1/2] port link-type access
    [*CE1-GigabitEthernet0/1/2] port default vlan 2
    [*CE1-GigabitEthernet0/1/2] quit
    [*CE1] interface gigabitethernet 0/1/3
    [*CE1-GigabitEthernet0/1/3] portswitch
    [*CE1-GigabitEthernet0/1/3] undo shutdown
    [*CE1-GigabitEthernet0/1/3] port link-type trunk
    [*CE1-GigabitEthernet0/1/3] port trunk allow-pass vlan 2
    [*CE1-GigabitEthernet0/1/3] quit
    [*CE1] commit

    # Configure CE2.

    <HUAWEI> system-view
    [~HUAWEI] sysname CE2
    [*HUAWEI] commit
    [~CE2] vlan batch 3
    [*CE2] interface gigabitethernet 0/1/1
    [*CE2-GigabitEthernet0/1/1] portswitch
    [*CE2-GigabitEthernet0/1/1] undo shutdown
    [*CE2-GigabitEthernet0/1/1] port link-type access
    [*CE2-GigabitEthernet0/1/1] port default vlan 3
    [*CE2-GigabitEthernet0/1/1] quit
    [*CE2] interface gigabitethernet 0/1/2
    [*CE2-GigabitEthernet0/1/2] portswitch
    [*CE2-GigabitEthernet0/1/2] undo shutdown
    [*CE2-GigabitEthernet0/1/2] port link-type access
    [*CE2-GigabitEthernet0/1/2] port default vlan 3
    [*CE2-GigabitEthernet0/1/2] quit
    [*CE2] interface gigabitethernet 0/1/3
    [*CE2-GigabitEthernet0/1/3] portswitch
    [*CE2-GigabitEthernet0/1/3] undo shutdown
    [*CE2-GigabitEthernet0/1/3] port link-type trunk
    [*CE2-GigabitEthernet0/1/3] port trunk allow-pass vlan 3
    [*CE2-GigabitEthernet0/1/3] quit
    [*CE2] commit
  2. Configure VLAN aggregation on the PE.
    1. Configure the Layer 2 forwarding function.

      <HUAWEI> system-view
      [~HUAWEI] sysname PE
      [*HUAWEI] commit
      [~PE] vlan batch 2 to 4
      [*PE] interface gigabitethernet 0/1/1
      [*PE-GigabitEthernet0/1/1] portswitch
      [*PE-GigabitEthernet0/1/1] undo shutdown
      [*PE-GigabitEthernet0/1/1] port link-type trunk
      [*PE-GigabitEthernet0/1/1] port trunk allow-pass vlan 2
      [*PE-GigabitEthernet0/1/1] quit
      [*PE] interface gigabitethernet 0/1/2
      [*PE-GigabitEthernet0/1/2] portswitch
      [*PE-GigabitEthernet0/1/2] undo shutdown
      [*PE-GigabitEthernet0/1/2] port link-type trunk
      [*PE-GigabitEthernet0/1/2] port trunk allow-pass vlan 3
      [*PE-GigabitEthernet0/1/2] quit
    2. Create a super-VLAN and add sub-VLANs to the super-VLAN.

      [*PE] vlan 4
      [*PE-vlan4] aggregate-vlan
      [*PE-vlan4] access-vlan 2 to 3
      [*PE-vlan4] quit
    3. Create a VLANIF interface for the super-VLAN and assign an IP address to the VLANIF interface.

      [*PE] interface vlanif 4
      [*PE-Vlanif4] ip address 10.1.1.12 24
      [*PE-Vlanif4] commit

      After the preceding configurations, assign the IP addresses shown in Figure 1-376 to the PCs. The IP addresses of the PCs and the VLANIF interface are on the same network segment. If the configuration succeeds, the PCs used by employees in each VLAN and the corresponding switch can ping each other, whereas the PCs used by employees in VLAN2 and the PCs used by employees in VLAN3 cannot.

  3. Enable inter-VLAN ARP proxy.

    [~PE-vlanif4] arp-proxy inter-sub-vlan-proxy enable
    [*PE-vlanif4] commit
    [~PE-vlanif4] quit
  4. Verify the configuration.

    After the configuration, the PCs used by employees in VLAN2 and VLAN3 can ping each other.

Configuration Files

  • CE1 configuration file

    #
     sysname CE1
    #
     vlan batch 2
    #
     interface GigabitEthernet0/1/1
      portswitch
      undo shutdown
      port link-type access
      port default vlan 2
    #
     interface GigabitEthernet0/1/2
      portswitch
      undo shutdown
      port link-type access
      port default vlan 2
    #
     interface GigabitEthernet0/1/3
      portswitch
      undo shutdown
      port link-type trunk
      port trunk allow-pass vlan 2
    #
     return
  • CE2 configuration file

    #
     sysname CE2
    #
     vlan batch 3
    #
     interface GigabitEthernet0/1/1
      portswitch
      undo shutdown
      port link-type access
      port default vlan 3
    #
     interface GigabitEthernet0/1/2
      portswitch
      undo shutdown
      port link-type access
      port default vlan 3
    #
     interface GigabitEthernet0/1/3
      portswitch
      undo shutdown
      port link-type trunk
      port trunk allow-pass vlan 3
    #
     return
  • PE configuration file

    #
     sysname PE
    #
     vlan batch 2 to 4
    #
     vlan 4
      aggregate-vlan
      access-vlan 2 to 3
    #
     interface Vlanif4
      ip address 10.1.1.12 255.255.255.0
      arp-proxy inter-sub-vlan-proxy enable
    #
     interface GigabitEthernet0/1/1
      portswitch
      undo shutdown
      port link-type trunk
      port trunk allow-pass vlan 2
    #
     interface GigabitEthernet0/1/2
      portswitch
      undo shutdown
      port link-type trunk
      port trunk allow-pass vlan 3
    #
     return
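
One way to review such a configuration against an isolation policy, as an added example that is not Huawei's own tooling: the script parses the PE configuration file above, reports each super-VLAN with its sub-VLANs and gateway, and flags sub-VLAN pairs that must stay isolated while inter-sub-VLAN proxy ARP is enabled. The function names and the must_stay_isolated policy parameter are assumptions made for the example.

```python
import re

# PE configuration file from the example above (leading indentation trimmed).
PE_CONFIG = """\
#
sysname PE
#
vlan batch 2 to 4
#
vlan 4
 aggregate-vlan
 access-vlan 2 to 3
#
interface Vlanif4
 ip address 10.1.1.12 255.255.255.0
 arp-proxy inter-sub-vlan-proxy enable
#
interface GigabitEthernet0/1/1
 portswitch
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 2
#
interface GigabitEthernet0/1/2
 portswitch
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 3
#
return
"""
PROXY_CMD = "arp-proxy inter-sub-vlan-proxy enable"


def expand_vlans(tokens):
    """Expand a VRP VLAN list such as ['2', 'to', '4', '10'] into {2, 3, 4, 10}."""
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_sections(text):
    """Split a configuration on '#' separator lines into {first line: [other lines]}."""
    sections = {}
    for block in re.split(r"(?m)^[ \t]*#[ \t]*$", text):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if lines:
            sections[lines[0]] = lines[1:]
    return sections


def audit_aggregation(text, must_stay_isolated=()):
    """Return (report, findings) for each super-VLAN found in a VRP configuration."""
    sections = parse_sections(text)
    trunked = set()  # every VLAN allowed on at least one trunk port
    for body in sections.values():
        for line in body:
            if line.startswith("port trunk allow-pass vlan "):
                trunked |= expand_vlans(line.split()[4:])
    report, findings = {}, []
    for header, body in sections.items():
        match = re.fullmatch(r"vlan (\d+)", header)
        if not match or "aggregate-vlan" not in body:
            continue
        super_id = int(match.group(1))
        subs = set()
        for line in body:
            if line.startswith("access-vlan "):
                subs |= expand_vlans(line.split()[1:])
        vlanif = sections.get(f"interface Vlanif{super_id}", [])
        gateway = next((ln.split()[2] for ln in vlanif if ln.startswith("ip address ")), None)
        proxy = PROXY_CMD in vlanif
        report[super_id] = {"sub_vlans": sorted(subs), "gateway": gateway,
                            "inter_sub_vlan_proxy": proxy}
        for vlan in sorted(subs - trunked):
            findings.append(f"sub-VLAN {vlan} of super-VLAN {super_id} is not allowed on any trunk")
        for a, b in must_stay_isolated:
            if proxy and {a, b} <= subs:
                findings.append(f"VLAN {a} and VLAN {b} must stay isolated, but Vlanif{super_id} "
                                "proxies ARP between sub-VLANs")
    return report, findings


if __name__ == "__main__":
    report, findings = audit_aggregation(PE_CONFIG, must_stay_isolated=[(2, 3)])
    print(report)
    print("\n".join(findings) or "no findings")
```

Without the arp-proxy line the same policy produces no finding, which matches the state after step 2 of the procedure, where VLAN2 and VLAN3 cannot ping each other.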

HUAWEI is one of the largest Chinese telecommunications companies. It was founded in 1988.

HUAWEI entered the Russian market for Enterprise-class network equipment fairly recently. Given the trend towards across-the-board cost cutting, the question of finding a worthy replacement for Cisco equipment became very pressing at our company.
In this article I will try to cover the basic aspects of configuring switching and routing services on HUAWEI equipment, using a Quidway 5300 series switch as the example.

Global commands, operating modes, similarities to and differences from the Cisco CLI

HUAWEI equipment built on the VRP operating system has a Cisco-like command-line interface. The principles stay the same; only the syntax changes.
The CLI of HUAWEI equipment has two command-interface modes:

  1. system-view – the counterpart of Cisco's configuration mode (conf t). In this mode the command prompt looks like [Switch].
  2. user-view – the counterpart of Cisco's unprivileged mode. The prompt looks like this: <Switch>.

Unlike Cisco's unprivileged mode, many functions are available from user-view; in particular, running processes can be reset. Telnet and SSH connections are likewise available only from user-view.
After some complaints from Cisco Systems, some of the keywords in the VRP OS were replaced. A table mapping some of the CLI keywords is given below.

Cisco                   HUAWEI
show                    display
running-configuration   current-configuration
clear                   reset
configure terminal      system-view
write                   save
quit                    exit
no                      undo

Basic commands:

  • system-view – switch from user-view to the privileged system-view mode;
  • save – write the current settings to the device's non-volatile memory;
  • display current-configuration – show the current configuration file;
  • display current-configuration configuration XXXX – show the settings of section XXXX;
  • display this – show the configuration of the current section;
  • quit – leave the current section for its parent.

Configuring VLAN interfaces and the operating modes of the switch's physical ports

Creating a VLAN

To create a VLAN as an entity, run the command vlan XXX on the switch in system-view mode, where XXX is the VLAN number.

<Quidway>system-view
Enter system view, return user view with Ctrl+Z.
[Quidway]vlan
[Quidway]vlan 1
[Quidway-vlan1]

The VLAN is created. The description command can also be used to set a description or name for the VLAN. Unlike on Cisco, a name is not a mandatory attribute when creating a VLAN.

The GVRP protocol is used to propagate the created VLANs within the local network. It is enabled with the gvrp command in system-view mode.

[Quidway]gvrp
Info: GVRP has been enabled.
[Quidway]

GVRP must also be enabled on the interface:

#
interface GigabitEthernet0/0/23
 port link-type trunk
 port trunk allow-pass vlan 100 to 200
 gvrp
#

There is no compatibility with Cisco VTP (VLAN Trunking Protocol), nor can there be.

Creating a VLAN interface

<Quidway>
<Quidway>system-view
Enter system view, return user view with Ctrl+Z.
[Quidway]int vlanif 1
[Quidway-Vlanif1]ip address 2.2.2.2 24
[Quidway-Vlanif1]display this
#
interface Vlanif1
 ip address 2.2.2.2 255.255.255.0
#
return
[Quidway-Vlanif1]

Unlike on Cisco, the mask can be written in short form. Very convenient.
I think further comment is unnecessary.

Port operating modes

Nothing new here, really. There are two main port operating modes: access and trunk.

Trunk mode

Port configuration:

<Quidway>system-view
Enter system view, return user view with Ctrl+Z.
[Quidway]int gi0/0/1
[Quidway-GigabitEthernet0/0/1]port link-type trunk
[Quidway-GigabitEthernet0/0/1]port trunk allow-pass vlan 1
[Quidway-GigabitEthernet0/0/1]di th
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 900
#
return

Unlike on Cisco switches, all VLANs are denied by default and must be explicitly allowed with the port trunk allow-pass vlan command.
The untagged native VLAN on a port is set with the command:

[Quidway-GigabitEthernet0/0/1]port trunk pvid vlan 600

Access mode

[Quidway-GigabitEthernet0/0/1]port link-type access
[Quidway-GigabitEthernet0/0/1]port default vlan 2
[Quidway-GigabitEthernet0/0/1]di th
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 2
#
return

Configuring Eth-Trunk

interface Vlanif100
 ip address 1.1.1.2 255.255.255.252
#
interface GigabitEthernet0/0/23
eth-trunk 1
#
interface GigabitEthernet0/0/24
eth-trunk 1
#
interface Eth-Trunk0
 port link-type trunk
 port trunk allow-pass vlan 100
#

No comment needed.

Configuring STP

To test STP, a Cisco 2960 switch and a HUAWEI Quidway S5328C-EI switch were connected together.
To enable STP on the switch, enter the following command in system-view mode:

[Quidway] stp enable

By default, the priority of a HUAWEI switch, like that of a Cisco switch, is 32768.
Viewing the current state of the ports:

[Quidway]display stp brief
 MSTID  Port                        Role  STP State     Protection
   0    GigabitEthernet0/0/1        ALTE  DISCARDING      NONE
   0    GigabitEthernet0/0/2        ROOT  FORWARDING      NONE

We can see that one of the ports is blocked, because the Cisco switch's priority turned out to be higher.
Viewing global STP information:

[Quidway]disp stp
-------[CIST Global Info][Mode STP]-------
CIST Bridge         :32768.781d-baa4-b6a7
Config Times        :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
Active Times        :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
CIST Root/ERPC      :8192 .2893-fe2a-9a80 / 199999
CIST RegRoot/IRPC   :32768.781d-baa4-b6a7 / 0
CIST RootPortId     :128.2
BPDU-Protection     :Disabled
TC or TCN received  :107
TC count per hello  :0
STP Converge Mode   :Normal
Share region-configuration :Enabled
Time since last TC  :0 days 1h:16m:17s
Number of TC        :9
Last TC occurred    :GigabitEthernet0/0/2

Let's change the priority of the HUAWEI switch and make it the lowest: 4096.

[Quidway]stp priority 4096

Let's check that the port is now unblocked:

[Quidway]disp stp brief
 MSTID  Port                        Role  STP State     Protection
   0    GigabitEthernet0/0/1        DESI  FORWARDING      NONE
   0    GigabitEthernet0/0/2        DESI  FORWARDING      NONE
[Quidway]

General STP information:

[Quidway]disp stp
-------[CIST Global Info][Mode STP]-------
CIST Bridge         :4096 .781d-baa4-b6a7
Config Times        :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
Active Times        :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
CIST Root/ERPC      :4096 .781d-baa4-b6a7 / 0
CIST RegRoot/IRPC   :4096 .781d-baa4-b6a7 / 0
CIST RootPortId     :0.0
BPDU-Protection     :Disabled
TC or TCN received  :123
TC count per hello  :0
STP Converge Mode   :Normal
Share region-configuration :Enabled
Time since last TC  :0 days 0h:0m:44s
Number of TC        :11
Last TC occurred    :GigabitEthernet0/0/1
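
The two display stp captures above can be checked automatically. The following is an added example, not code from the article: it parses the bridge and root identifiers from the output, shows that the numerically lowest (priority, MAC) pair wins the election, and flags a root bridge other than the expected one. The function names are hypothetical, and the sample text is an excerpt of the output shown above.

```python
import re

# Relevant lines of "display stp" from the article, before and after "stp priority 4096".
BEFORE = """\
-------[CIST Global Info][Mode STP]-------
CIST Bridge         :32768.781d-baa4-b6a7
CIST Root/ERPC      :8192 .2893-fe2a-9a80 / 199999
CIST RootPortId     :128.2
BPDU-Protection     :Disabled
"""
AFTER = """\
-------[CIST Global Info][Mode STP]-------
CIST Bridge         :4096 .781d-baa4-b6a7
CIST Root/ERPC      :4096 .781d-baa4-b6a7 / 0
CIST RootPortId     :0.0
BPDU-Protection     :Disabled
"""

BRIDGE_ID = re.compile(r"(\d+)\s*\.\s*([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})", re.I)


def bridge_id(text):
    """Parse '8192 .2893-fe2a-9a80' into a comparable (priority, mac_as_int) tuple."""
    match = BRIDGE_ID.search(text)
    if not match:
        raise ValueError(f"no bridge ID in {text!r}")
    return int(match.group(1)), int(match.group(2).replace("-", ""), 16)


def fmt(bid):
    """Render a (priority, mac_as_int) tuple back as 'priority.xxxx-xxxx-xxxx'."""
    mac = f"{bid[1]:012x}"
    return f"{bid[0]}.{mac[:4]}-{mac[4:8]}-{mac[8:]}"


def parse_display_stp(output):
    """Extract the fields needed for a root-bridge check from 'display stp' output."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return {
        "bridge": bridge_id(fields["CIST Bridge"]),
        "root": bridge_id(fields["CIST Root/ERPC"]),
        "root_path_cost": int(fields["CIST Root/ERPC"].rsplit("/", 1)[1]),
        "bpdu_protection": fields["BPDU-Protection"].lower() == "enabled",
    }


def elect_root(bridges):
    """STP elects the bridge with the numerically lowest (priority, MAC) as root."""
    return min(bridges)


def check_root(output, expected_root):
    """Compare a capture with the bridge that is supposed to be root; return findings."""
    state = parse_display_stp(output)
    findings = []
    if state["root"] != bridge_id(expected_root):
        findings.append("root bridge is %s, expected %s" % (fmt(state["root"]), expected_root))
    if not state["bpdu_protection"]:
        findings.append("BPDU protection is disabled")
    return state, findings


if __name__ == "__main__":
    for label, capture in (("before", BEFORE), ("after", AFTER)):
        state, findings = check_root(capture, "4096.781d-baa4-b6a7")
        print(label, "is_root:", state["root"] == state["bridge"], findings)
```

In the first capture the Cisco switch is root because 8192 is numerically lower than 32768; after stp priority 4096 the HUAWEI switch's own identifier appears as the root identifier.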

Static routing

Static routes are configured exactly as on Cisco equipment:

[Quidway]ip route 0.0.0.0 0.0.0.0 1.1.1.1

Viewing the routing table:

[Quidway]disp ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 6        Routes : 6

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        2.2.2.0/24  Direct  0    0           D   2.2.2.2         Vlanif1
        2.2.2.2/32  Direct  0    0           D   127.0.0.1       Vlanif1
       10.0.0.3/32  Direct  0    0           D   127.0.0.1       LoopBack0
       90.0.0.1/32  Direct  0    0           D   127.0.0.1       LoopBack10
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0

That's all.
If the esteemed community finds this material interesting, I plan to continue covering the configuration of HUAWEI equipment. In the next article we will look at configuring dynamic routing.

Thank you for your attention.

Technology: Enterprise Switching
Area: VLAN
Vendor: Cisco
Software: eNSP, Huawei
Platform: AR120, S9300&S9300E&S9300X V200R010C00

Virtual Local Area Network (VLAN) technology divides a physical LAN into multiple broadcast domains, each of which is called a VLAN. Hosts within a VLAN can communicate with each other but cannot communicate directly with hosts in other VLANs. Consequently, broadcast packets are confined to within a single VLAN.

To create VLANs:

<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] vlan batch 2 3

To assign an interface to a specific VLAN:

[RouterA] interface ethernet 2/0/1
[RouterA-Ethernet2/0/1] port link-type access
[RouterA-Ethernet2/0/1] port default vlan 2
[RouterA-Ethernet2/0/1] quit

Let's look at the basic commands for configuring VLANs and the specifics of configuring interfaces in the different operating modes (access, trunk and hybrid) on Huawei Quidway S2300 and S5300 series switches.

Creating and deleting VLANs on Huawei switches

Creating a VLAN on Huawei switches

[huawei] vlan {vlan-id}

Example:

<huawei> system-view
[huawei] vlan 150
[huawei-vlan150] quit
[huawei]

Deleting a VLAN on Huawei switches

[huawei] undo vlan {vlan-id}

Configuring Huawei switch ports in access port mode

In interface configuration mode, set the type to access.

[huawei-GigabitEthernet0/0/1] port link-type access

Set the VLAN number; by default the port uses vlan-id = 1.

[huawei-GigabitEthernet0/0/1] port default vlan {vlan-id}

Example:

[huawei] interface GigabitEthernet 0/0/1
[huawei-GigabitEthernet0/0/1] port link-type access
[huawei-GigabitEthernet0/0/1] port default vlan 150
[huawei-GigabitEthernet0/0/1] quit

Configuring Huawei switch ports in trunk port mode

In interface configuration mode, set the type to trunk.

[huawei-GigabitEthernet0/0/1] port link-type trunk

Add the VLAN numbers to the trunk, separated by spaces, or a VLAN range using to (for example, 100 to 200).

[huawei-GigabitEthernet0/0/1] port trunk allow-pass vlan {vlan-id1 vlan-id2 ... vlan-idn}

If necessary, the default (untagged) VLAN can also be changed to another one.

[huawei-GigabitEthernet0/0/1] port trunk pvid vlan {vlan-id}

Example:

[huawei] interface GigabitEthernet 0/0/1
[huawei-GigabitEthernet0/0/1] port link-type trunk
[huawei-GigabitEthernet0/0/1] port trunk allow-pass vlan 150 200 to 220
[huawei-GigabitEthernet0/0/1] port trunk pvid vlan 150
[huawei-GigabitEthernet0/0/1] quit

Configuring Huawei switch ports in hybrid port mode

In interface configuration mode, set the type to hybrid.

[huawei-GigabitEthernet0/0/1] port link-type hybrid

Add the numbers of the tagged VLANs.

[huawei-GigabitEthernet0/0/1] port hybrid tagged vlan {vlan-id1 vlan-id2 ... vlan-idn}

Add the numbers of the untagged VLANs.

[huawei-GigabitEthernet0/0/1] port hybrid untagged vlan {vlan-id1 vlan-id2 ... vlan-idn}

Set the PVID for the untagged VLAN; by default pvid = 1 is used.

[huawei-GigabitEthernet0/0/1] port hybrid pvid vlan {vlan-id}

Example:

[huawei] interface GigabitEthernet 0/0/1
[huawei-GigabitEthernet0/0/1] port link-type hybrid
[huawei-GigabitEthernet0/0/1] port hybrid tagged vlan 150 200 to 210
[huawei-GigabitEthernet0/0/1] port hybrid untagged vlan 10 20
[huawei-GigabitEthernet0/0/1] port hybrid pvid vlan 10 
[huawei-GigabitEthernet0/0/1] quit

P.S. By default, the interface type on Huawei S2300 and S5300 switches is hybrid.

Viewing port and VLAN settings on Huawei switches

Viewing all created VLANs

[huawei] display vlan

Viewing detailed information about a specific VLAN on Huawei switches

[huawei] display vlan vlan-id

Example:

[huawei] display vlan 100

Viewing interface status on Huawei switches

[huawei] display interface {type-interface-number}

Example:

[huawei] display interface GigabitEthernet 0/0/1

Viewing interface settings on Huawei switches

[huawei] display current-configuration interface {type-interface-number}

Example:

[huawei] display current-configuration interface GigabitEthernet 0/0/1
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 150
#
return

The interface settings can also be viewed with the display this command from interface configuration mode.

Example:

[huawei] interface GigabitEthernet 0/0/1
[huawei-GigabitEthernet0/0/1] display this
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 150
#
return

That's all. Bye, everyone.
