3.1 Overview Of VLANs Definition

3VLAN Configuration
About This Chapter
This chapter describes how to configure VLAN technology. VLAN technology provides
broadcast domain isolation, security hardening, flexible networking, and high extensibility.
3.1 Overview of VLANs
3.2 Understanding VLANs
3.3 Application Scenarios for VLANs
3.4 Summary of VLAN Configuration Tasks
3.5 Default Settings for VLANs
3.6 Licensing Requirements and Limitations for VLANs
3.7 Configuring VLAN
3.8 Configuration Examples for VLANs
3.9 Troubleshooting VLANs
3.10 FAQ About VLANs
3.1 Overview of VLANs
Definition
Virtual Local Area Network (VLAN) technology divides a physical LAN into multiple
broadcast domains, each of which is called a VLAN. Hosts within a VLAN can communicate
with each other but cannot communicate directly with hosts in other VLANs. Consequently,
broadcast packets are confined to within a single VLAN.
Purpose
Ethernet technology implements data communication over shared media based on Carrier
Sense Multiple Access/Collision Detection (CSMA/CD). When an Ethernet network has a
Huawei AR Series Access Routers
CLI-based Configuration Guide - Ethernet Switching
Configuration 3 VLAN Configuration
Issue 06 (2019-04-30) Copyright © Huawei Technologies Co., Ltd. 73

large number of hosts, collision becomes a serious problem and can lead to broadcast storms.
As a result, network performance deteriorates, or can even result in a complete breakdown.
Using switches to connect LANs can mitigate collisions, but cannot isolate broadcast packets
or improve network quality.
VLAN technology divides a physical LAN into multiple VLANs to isolate broadcast
domains. Hosts within a VLAN can communicate with each other but cannot communicate
directly with hosts in other VLANs. Consequently, broadcast packets are confined to within a
single VLAN.
Figure 3-1 VLAN networking
VLAN 2
Router
Router1 Router2
VLAN 3
Figure 3-1 shows a typical VLAN networking environment. Device Router1 and device
Router2 are deployed in different locations (for example, on different floors of a building).
Each device is connected to two PCs belonging to different VLANs, which likely belong to
different entities or companies.
Benefits
VLAN technology offers the following benefits:
l Limits broadcast domains. Broadcast domains are limited to conserve bandwidth and
improve network efficiency.
l Enhances LAN security. Packets from different VLANs are transmitted separately. Hosts
in a VLAN cannot communicate directly with hosts in another VLAN.
l Improves network robustness. A fault in a VLAN does not affect hosts in other VLANs.
l Allows flexible definition of virtual groups. With VLAN technology, hosts in different
geographical locations can be grouped together, thereby simplifying network
construction and maintenance.

3.2 Understanding VLANs
3.2.1 Intra-VLAN Communication
Packets transmitted between users in a VLAN go through three phases:
l Packet transmission from the source user host
Before sending a frame, the source host compares its IP address with the destination IP
address. If the two IP addresses are on the same network segment, the source host
obtains the MAC address of the destination host and fills the destination field MAC
address of the frame with the obtained MAC address. If the two IP addresses are on
different network segments, the frame needs to be forwarded by the gateway. The source
host obtains the gateway's MAC address, and uses it as the destination MAC address to
send the frame to the gateway.
l Ethernet switching in a device
The device determines whether to forward a received frame at Layer 2 or Layer 3 based
on the information in the destination MAC address, VLAN ID, and Layer 3 forwarding
bit.
– If the destination MAC address and VLAN ID of the frame match a MAC address
entry of the device and the Layer 3 forwarding bit is set, the device searches for a
Layer 3 forwarding entry based on the destination IP address. If no entry is found,
the device sends the frame to the CPU. The CPU then searches for a route to
forward the frame at Layer 3.
– If the destination MAC address and VLAN ID of the frame match a MAC address
entry but the Layer 3 forwarding bit is not set, the device directly forwards the
frame from the outbound interface specified in the matching MAC address entry.
– If the destination MAC address and VLAN ID of the frame do not match any MAC
address entry, the device broadcasts the frame to all the interfaces allowing the
VLAN specified in the VID to obtain the MAC address of the destination host.
l Adding and removing VLAN tags during the exchange between devices
Frames processed in a device all carry VLAN tags. The device needs to add or remove
VLAN tags according to the interface setting to communicate with other network
devices. For details on how VLAN tags are added and removed on different interfaces,
see 3.2.3.4 Adding and Removing VLAN Tags.
After VLANs are assigned, broadcast packets are forwarded at Layer 2 in the same VLAN.
That is, users in the same VLAN can directly communicate at Layer 2. There are two intra-
VLAN communication scenarios depending on whether hosts in the same VLAN connect to
the same or multiple devices.
Intra-VLAN Communication Through the Same Device
As shown in Figure 3-2, Host_1 and Host_2 connect to the same device, belong to VLAN 2,
and are located on the same network segment. The interfaces connected to Host_1 and Host_2
are access interfaces.

Figure 3-2 Intra-VLAN communication through the same device
IF_1
Router
IF_2
Access
VLAN2
Access
VLAN2
Host_1
MAC：1-1-1
IP：10.1.1.2
Subnet Mask: 255.255.255.0
Host_2
MAC：2-2-2
IP：10.1.1.3
Subnet Mask: 255.255.255.0
When Host_1 sends a packet to Host_2, the packet is transmitted as follows (assuming that no
forwarding entry exists on the router):
1. Host_1 determines that the destination IP address is on the same network segment as its
IP address, and therefore broadcasts an ARP Request packet to obtain the MAC address
of Host_2. The ARP Request packet carries the all-F destination MAC address and
destination IP address of 10.1.1.3 (Host_2's IP address).
2. When the packet reaches IF_1 on the Router, the Router detects that the ARP Request
packet is untagged and adds VLAN 2 (PVID of IF_1) to the packet. The Router then
adds the binding of the source MAC address, VLAN ID, and interface (1-1-1, 2, IF_1) to
its MAC address table.
3. The Router does not find a MAC address entry matching the destination MAC address
and VLAN ID of the ARP Request packet, so it broadcasts the ARP Request packet to
all interfaces that allow VLAN 2 (IF_2 in this example).
4. Before sending the ARP Request packet, IF_2 on the Router removes the tag with
VLAN 2 from the packet.
5. Host_2 receives the ARP Request packet and records the mapping between the MAC
address and IP address of Host_1 in the ARP table. Then Host_2 compares the
destination IP address with its own IP address. If they are the same, Host_2 sends an
ARP Reply packet. The ARP Reply packet carries Host_2's MAC address of 2-2-2 and
Host_1's IP address of 10.1.1.2 as the destination IP address.
6. After receiving the ARP Reply packet, IF_2 on the Router tags the packet with VLAN 2.
7. The Router adds the mapping between the source MAC address, VLAN ID, and
interface (2-2-2, 2, IF_2) to its MAC address table, and then searches for an entry in its
MAC address table based on the destination MAC address and VLAN ID (1-1-1, 2). The
entry is found because the mapping has been recorded before (see step 5). The Router
forwards the ARP Reply packet to IF_1.
8. Before forwarding the ARP Reply packet to IF_1, the Router removes the tag with
VLAN 2 from the packet.
9. Host_1 receives the ARP Reply packet and records the mapping between the MAC
address and IP address of Host_2 in the ARP table.
Host_1 and Host_2 have learned the MAC address of each other, so they directly fill the
destination MAC address fields of packets with the learned MAC addresses of the packets in
subsequent communication.
In the preceding networking, if hosts in the same VLAN are on different network segments,
they encapsulate the gateway's MAC address into packets, hosts can communicate through
VLANIF interfaces (with primary and secondary IP addresses configured). The principles are
similar to those in Inter-VLAN Communication Through the Same Device, and are not
mentioned here.

Intra-VLAN Communication Through Multiple Devices
As shown in Figure 3-3, Host_1 and Host_2 connect to different devices, belong to VLAN 2,
and are located on the same network segment. The devices are connected using a trunk link
over which frames can be identified and sent across devices.
Figure 3-3 Intra-VLAN communication through multiple devices
Host_1
MAC：1-1-1
IP：10.1.1.2
Subnet Mask: 255.255.255.0
IF_1
Router_1
IF_2
Access
VLAN2
Access
VLAN2
Router_2
IF_1
IF_2
Host_2
MAC：2-2-2
IP：10.1.1.3
Subnet Mask: 255.255.255.0
Trunk
VLAN2
Trunk
VLAN2
forwarding entry exists on Router_1 and Router_2):
1. The first two steps are similar to steps 1 and 2 in Intra-VLAN Communication
Through the Same Device. After the two steps are complete, Host_1 broadcasts the
ARP Request packet to IF_2 on Router_1.
2. IF_2 on Router_1 transparently transmits the ARP Request packet to IF_2 on Router_2
without removing the tag of the packet, because the VLAN ID of the packet is different
from the PVID of IF_2 on Router_1.
3. After receiving the ARP Request packet, IF_2 on Router_2 determines that VLAN 2 is
an allowed VLAN and accepts the packet.
4. Following the four steps similar to steps 3 to 6 in Intra-VLAN Communication
Through the Same Device, Router_2 forwards the ARP Reply packet of Host_2 to
IF_2. IF_2 on Router_2 transparently transmits the ARP Reply packet to IF_2 on
Router_1, because IF_2 is a trunk interface and its PVID is different from the VLAN ID
of the packet.
5. After receiving the ARP Reply packet, IF_2 on Router_1 determines that VLAN 2 is an
allowed VLAN and accepts the packet. Subsequent steps are similar to steps 7 to 9 in
Intra-VLAN Communication Through the Same Device.
In addition to transmitting frames from multiple VLANs, a trunk link can transparently
transmit frames without adding or removing the tags of the packets.
In the preceding networking, if hosts in the same VLAN are on different network segments,
hosts can communicate through VLANIF interfaces. The principles are similar to those in
Inter-VLAN Communication Through the Same Device, and are not mentioned here.
3.2.2 Inter-VLAN Communication
After VLANs are assigned, broadcast packets are only forwarded in the same VLAN. That is,
hosts in different VLANs cannot communicate at Layer 2. Therefore, VLAN technology

isolates broadcast domains. In real-world applications, hosts in different VLANs often need to
communicate, so inter-VLAN communication needs to be implemented to resolve this.
Similar to intra-VLAN communication described in 3.2.1 Intra-VLAN Communication,
inter-VLAN communication goes through three phases: packet transmission from the source
host, Ethernet switching in a device, and adding and removing VLAN tags during the
exchange between devices. According to the Ethernet switching principle, broadcast packets
are only forwarded in the same VLAN and hosts in different VLANs cannot directly
communicate at Layer 2. Layer 3 routing or VLAN translation technology is required to
implement inter-VLAN communication.
Inter-VLAN Communication Technologies
Huawei provides a variety of technologies to implement inter-VLAN communication. The
following two technologies are commonly used.
l VLANIF interface
A VLANIF interface is a Layer 3 logical interface. After an IP address is configured for
a VLANIF interface, the device adds the MAC address and VLAN ID of the VLANIF
interface to the MAC address table and sets the Layer 3 forwarding bit for the MAC
address entry. When the destination MAC address of a packet matches the MAC address
entry, the device forwards the packet at Layer 3, thereby implementing inter-VLAN
Layer 3 connectivity.
It is simple to configure a VLANIF interface, so VLANIF interfaces are the most
commonly used for inter-VLAN communication. However, a VLANIF interface needs to
be configured for each VLAN and each VLANIF interface requires an IP address. As a
result, this technology wastes IP addresses.
l Dot1q termination sub-interface
A sub-interface is also a Layer 3 logical interface. A device implements inter-VLAN
Layer 3 connectivity through sub-interfaces in a similar way as through VLANIF
interfaces. After a sub-interface is configured with Dot1q termination and an IP address,
the device adds a MAC address entry of the sub-interface to the MAC address table and
sets the Layer 3 forwarding bit.
A Dot1q termination sub-interface applies to scenarios where a Layer 3 Ethernet
interface connects to multiple VLANs. In such a scenario, data flows from different
VLANs preempt bandwidth of the primary Ethernet interface; therefore, the primary
Ethernet interface may become a bottleneck when the network is busy.
For details about the Dot1q termination sub-interface, see 6 VLAN Termination
Configuration.
Huawei devices implement inter-VLAN communication using VLANIF interfaces. A
VLANIF interface is a Layer 3 logical interface. After an IP address is configured for a
VLANIF interface, the device adds the MAC address and VLAN ID of the VLANIF interface
to the MAC address table and sets the Layer 3 forwarding bit for the MAC address entry.
When the destination MAC address of a packet matches the MAC address entry, the device
forwards the packet at Layer 3, thereby implementing inter-VLAN Layer 3 connectivity. It is
simple to configure a VLANIF interface, so VLANIF interfaces are the most commonly used
for inter-VLAN communication. However, a VLANIF interface needs to be configured for
each VLAN and each VLANIF interface requires an IP address. As a result, this technology
wastes IP addresses.
VLANIF interfaces require that users in VLANs be located on different network segments.
(When hosts are located on the same network segment, a host encapsulates the destination

host' MAC address in packets. The device determines that packets should be forwarded at
Layer 2. Layer 2 switching is performed only in the same VLAN, and broadcast packets
cannot reach different VLANs. In this case, the device cannot obtain destination hosts' MAC
addresses and therefore cannot forward packets to the destination host.) On a network, VLAN
aggregation can allow hosts on the same network segment in different VLANs to
communicate.
VLAN aggregation, also known as super-VLAN, associates a super-VLAN with multiple sub-
VLANs. The sub-VLANs share the IP address of the super-VLAN as the gateway IP address
to implement Layer 3 connectivity with an external network. Proxy ARP can be enabled
between sub-VLANs to implement Layer 3 connectivity between sub-VLANs. VLAN
aggregation conserves IP addresses in inter-VLAN Layer 3 communication.
VLAN aggregation applies to scenarios where multiple VLANs share a gateway. For details
about VLAN aggregation, see 4 VLAN Aggregation Configuration.
Inter-VLAN Communication Through the Same Device
As shown in Figure 3-4, Host_1 (source host) and Host_2 (destination host) connect to the
same router, are located on different network segments, and belong to VLAN 2 and VLAN 3,
respectively. After VLANIF 2 and VLANIF 3 are created on the router and allocated IP
addresses, the default gateway addresses of the hosts are set to IP addresses of the VLANIF
interfaces.
Figure 3-4 Using VLANIF interfaces to implement inter-VLAN communication through the
same device
Host_1
MAC: 1-1-1
IP: 10.1.1.2
Gateway address: 10.1.1.1
IF_1
Router
VLANIF2
IP: 10.1.1.1/24
MAC: 3-3-3
Access
VLAN2
Access
VLAN3
IF_2
Host_2
MAC: 2-2-2
IP: 10.2.2.2
VLANIF3
IP: 10.2.2.1/24
MAC: 4-4-4
forwarding entry exists on the router):
1. Host_1 determines that the destination IP address is on a different network segment from
its own IP address, and therefore sends an ARP Request packet to request the gateway
MAC address. The ARP Request packet carries the destination IP address of 10.1.1.1
(gateway's IP address) and all-F destination MAC address.
2. When the ARP Request packet reaches IF_1 on the Router, the Router tags the packet
with VLAN 2 (PVID of IF_1). The Router then adds the mapping between the source
MAC address, VLAN ID, and interface (1-1-1, 2, IF_1) in its MAC address table.
3. The Router detects that the packet is an ARP Request packet and the destination IP
address is the IP address of VLANIF 2. The Router then encapsulates VLANIF 2's MAC
address of 3-3-3 into the ARP Reply packet and removes the tag with VLAN 2 from the
packet before sending it from IF_1. In addition, the Router adds the binding of the IP
address and MAC address of Host_1 in its ARP table.
4. After receiving the ARP Reply packet from the Router, Host_1 adds the binding of the
IP address and MAC address of VLANIF 2 on the Router in its ARP table and sends a

packet to the Router. The packet carries the destination MAC address of 3-3-3 and
destination IP address of 10.2.2.2 (Host_2's IP address).
5. After the packet reaches IF_1 on the Router, the Router tags the packet with VLAN 2.
6. The Router updates its MAC address table based on the source MAC address, VLAN ID,
and inbound interface of the packet, and compares the destination MAC address of the
packet with the MAC address of VLANIF 2. If they are the same, the Router determines
that the packet should be forwarded at Layer 3 and searches for a Layer 3 forwarding
entry based on the destination IP address. If no entry is found, the Router sends the
packet to the CPU. The CPU then searches for a routing entry to forward the packet.
7. The CPU looks up the routing table based on the destination IP address of the packet and
detects that the destination IP address matches a directly connected network segment
(network segment of VLANIF 3). The CPU continues to look up its ARP table but finds
no matching ARP entry. Therefore, the Router broadcasts an ARP Request packet with
the destination address of 10.2.2.2 to all interfaces in VLAN 3. Before sending the ARP
Request packet from IF_2, the Router removes the tag with VLAN 2 from the packet.
8. After receiving the ARP Request packet, Host_2 detects that the IP address is its own IP
address and sends an ARP Reply packet with its own. Additionally, Host_2 adds the
mapping between the MAC address and IP address of VLANIF 3 to its ARP table.
9. After IF_2 on the Router receives the ARP Reply packet, IF_2 tags the packet with
VLAN 3 to the packet and adds the binding of the MAC address and IP address of
Host_2 in its ARP table. Before forwarding the packet from Host_1 to Host_2, the
Router removes the tag with VLAN 3 from the packet. The Router also adds the binding
of Host_2's IP address, MAC address, VLAN ID, and outbound interface in its Layer 3
forwarding table.
The packet sent from Host_1 then reaches Host_2. The packet transmission process from
Host_2 to Host_1 is similar. Subsequent packets between Host_1 and Host_2 are first sent to
the gateway (Router), and the Router forwards the packets at Layer 3 based on its Layer 3
forwarding table.
Inter-VLAN Communication Through Multiple Devices
When hosts in different VLANs connect to multiple routers, you need to configure static
routes or a dynamic routing protocol in addition to VLANIF interface addresses. This is
because IP addresses of VLANIF interfaces can only be used to generate direct routes.
As shown in Figure 3-5, Host_1 (source host) and Host_2 (destination host) are located on
different network segments, connect to Router_1 and Router_2, and belong to VLAN 2 and
VLAN 3, respectively. On Router_1, VLANIF 2 and VLANIF 4 are created and allocated IP
addresses of 10.1.1.1 and 10.1.4.1. On Router_2, VLANIF 3 and VLANIF 4 are created and
allocated IP addresses of 10.1.2.1 and 10.1.4.2. Static routes are configured on Router_1 and
Router_2. On Router_1, the destination network segment in the static route is 10.1.2.0/24 and
the next hop address is 10.1.4.2. On Router_2, the destination network segment in the static
route is 10.1.1.0/24 and the next hop address is 10.1.4.1.

Figure 3-5 Using VLANIF interfaces to implement inter-VLAN communication through
multiple devices
Host_1
MAC: 1-1-1
IP: 10.1.1.2
IF_1
Router_1
IF_2
Access
VLAN2
Access
VLAN3
Router_2
IF_1
IF_2
Host_2
MAC: 2-2-2
IP: 10.1.2.2
Trunk
VLAN4
forwarding entry exists on Router_1 and Router_2):
1. The first six steps are similar to steps 1 to 6 in inter-VLAN communication when hosts
connect to the same device. After the steps are complete, Router_1 sends the packet to
its CPU and the CPU looks up the routing table.
2. The CPU of Router_1 looks up the routing table based on the destination IP address of
10.1.2.2 and finds a matching entry with the network segment 10.1.2.0/24 corresponding
to VLANIF 3 and the next hop IP address 10.1.4.2. The CPU continues to look up its
ARP table but finds no matching ARP entry. Therefore, Router_1 broadcasts an ARP
Request packet with the destination address of 10.1.4.2 to all interfaces in VLAN 4. IF_2
on Router_1 transparently transmits the ARP Request packet to IF_2 on Router_2
without removing the tag from the packet.
3. After the ARP Request packet reaches Router_2, Router_2 finds that the destination IP
address of the ARP Request packet is the IP address of VLANIF 4. Router_2 then sends
an ARP Reply packet with the MAC address of VLANIF 4 to Router_1.
4. IF_2 on Router_2 transparently transmits the ARP Reply packet to Router_1. After
Router_1 receives the ARP Reply packet, it adds the binding of the MAC address and IP
address of VLANIF4 in its ARP table.
5. Before forwarding the packet of Host_1 to Router_2, Router_1 changes the destination
MAC address of the packet to the MAC address of VLANIF 4 on Router_2 and the
source MAC address to the MAC address of VLANIF 4 on itself. In addition, Router_1
records the forwarding entry (10.1.2.0/24, next hop IP address, VLAN, and outbound
interface) in its Layer 3 forwarding table. Similarly, the packet is transparently
transmitted to IF_2 on Router_2.
6. After Router_2 receives packets of Host_1 forwarded by Router_1, the steps similar to
steps 6 to 9 in inter-VLAN communication when hosts connect to the same device
are performed. In addition, Router_2 records the forwarding entry (Host_2's IP address,
MAC address, VLAN, and outbound interface) in its Layer 3 forwarding table.
VLAN Damping
In a specified VLAN where a VLANIF interface has been configured, when all interfaces in
the VLAN go Down, the VLAN becomes Down. The interface Down event is reported to the
VLANIF interface, causing the VLANIF interface status change.

To avoid network flapping due to the status change of the VLANIF interface, you can enable
VLAN damping on the VLANIF interface and set a delay after which the VLANIF interface
goes Down.
With VLAN damping enabled, when the last Up interface in the VLAN goes Down, the
Down event will be reported to the VLANIF interface after a delay (the delay can be set as
required). If an interface in the VLAN goes Up during the delay, the status of the VLANIF
interface keeps unchanged. That is, the VLAN damping function postpones the time at which
the VLAN reports a Down event to the VLANIF interface, avoiding unnecessary route
flapping.
3.2.3 Basic Concepts of VLAN
3.2.3.1 VLAN Tags
Definition and Function
A device identifies packets from different VLANs according to the information contained in
VLAN tags. IEEE 802.1Q adds a 4-byte VLAN tag between the Source address and Length/
Type fields of an Ethernet frame, as shown in Figure 3-6.
Figure 3-6 IEEE 802.1Q tagged frame format
2Byte 3bit 12bit
1bit
4Byte 2Byte
VLAN
Tag
Data FCS
TPID PRI CFI VID
6Byte 6Byte 46-1500Byte 4Byte
Destination
address
Source
address
Length/
Type
2Byte
6Byte 6Byte 46-1500Byte 4Byte
Destination
address
Source
address
Length/Type Data FCS
Traditional Ethernet data frame
VLAN data frame
A VLAN tag contains four fields. Table 3-1 describes the fields.

Table 3-1 Fields in a VLAN tag
Field Leng
th
Description Value
TPID 2
bytes
Tag Protocol Identifier (TPID),
indicating the frame type.
The value 0x8100 indicates an 802.1Q-
tagged frame. An 802.1Q-incapable
device discards the 802.1Q frames.
IEEE 802.1Q protocol defines the
value of the field as 0x8100. However,
manufacturers can define their own
TPID values and users can then modify
the value to realize interconnection of
devices from different manufacturers.
PRI 3 bits Priority (PRI), indicating the
frame priority.
The value ranges from 0 to 7. A larger
value indicates a higher priority. If
congestion occurs, the device sends
packets with higher priorities first.
CFI 1 bit Canonical Format Indicator
(CFI), indicating whether a
MAC address is encapsulated in
canonical format over different
transmission media. CFI is used
to ensure compatibility between
Ethernet and token ring
networks.
The value 0 indicates that the MAC
address is encapsulated in canonical
format, and the value 1 indicates that
the MAC address is encapsulated in
non-canonical format. The CFI field
has a fixed value of 0 on Ethernet
networks.
VID 12
bits
VLAN ID (VID), indicating the
VLAN to which a frame
belongs.
VLAN IDs range from 0 to 4095. The
values 0 and 4095 are reserved, and
therefore valid VLAN IDs range from
1 to 4094.
The device identifies the VLAN that a frame belongs to according to the information
contained in the VID field. Broadcast frames are forwarded only in the local VLAN. That is, a
broadcast domain is confined to within a single VLAN.
VLAN Tags in Received and Sent Frames
In a VLAN, Ethernet frames are classified into the following types:
l Tagged frame: frame with a 4-byte VLAN tag
l Untagged frame: frame without a 4-byte VLAN tag
Common devices process tagged and untagged frames as follows:
l User hosts, servers and hubs can only receive and send untagged frames.
l Switches, routers, and ACs can receive and send both tagged and untagged frames.
l Voice terminals and APs can receive and send tagged and untagged frames
simultaneously.
All frames processed in a device carry VLAN tags so as to improve frame processing
efficiency.

3.2.3.2 Link and Interface Types
All frames processed in a router carry VLAN tags. On a live network, some devices
connected to a router can only receive and send untagged frames. To enable communication
between the Router and these devices, the Router interface must be able to identify the
untagged frames and add or remove VLAN tags from the frames. Hosts in the same VLAN
may be connected to different Routers, and more than one VLAN may span multiple Routers.
To enable communication between hosts, interfaces between Routers must be able to identify
and send VLAN frames.
To accommodate different connections and networking, the device defines three interface
types (access, trunk, and hybrid) and two link types (access and trunk), as shown in Figure
3-7.
Figure 3-7 Link and interface types
Access link
Trunk link
VLAN2 VLAN3 VLAN4 VLAN2 VLAN3 VLAN4
Untagged frame
Tagged frame, VID=2
Tagged frame, VID=3
Tagged frame, VID=4
Access interface
Trunk interface
Hrbrid interface
Hub Hub
Router Router
Router Router
2
3
4
4
2
2
3
4
Link Types
As shown in Figure 3-7, Ethernet links fall into the following types, depending on the number
of allowed VLANs:
l Access link
An access link can transmit data frames of only one VLAN. It connects a device to a user
terminal, such as a host or server. Generally, user terminals do not need to know the
VLANs to which they belong and cannot identify tagged frames; therefore, only
untagged frames are transmitted along an access link.

l Trunk link
A trunk link can transmit data frames from multiple VLANs. It connects devices. Frames
on a trunk link must be tagged so that other network devices can correctly identify
VLAN information in the frames.
Interface Types
As shown in Figure 3-7, Ethernet interfaces are classified into the following types depending
on the objects connected to them and the way they process frames:
l Access interface
An access interface often connects to a user terminal such as a user host or server that
cannot identify VLAN tags, or is used when VLANs do not need to be differentiated.
Access interfaces can only receive and send untagged frames, and can add only a unique
VLAN tag to untagged frames.
l Trunk interface
A trunk interface often connects to a switch, router, AP, or voice terminal that can
receive and send tagged and untagged frames simultaneously. It allows tagged frames
from multiple VLANs and untagged frames from only one VLAN.
l Hybrid interface
A hybrid interface can connect to not only a user terminal (such as a user host or server)
or network device (such as a hub) that cannot identify tags, but also a switch, router,
voice terminal, or AP that can receive and send tagged and untagged frames. It allows
tagged frames from multiple VLANs. Frames sent out from a hybrid interface are tagged
or untagged according to the VLAN configuration.
Hybrid and trunk interfaces are interchangeable in some scenarios, yet hybrid interfaces
are required in certain specific scenarios. For example, if an interface connects to
different VLAN network segments (such as the router interface connected to a hub in
Figure 3-7 ), the interface must be a hybrid interface because it needs to add tags to
untagged frames of multiple VLANs.
3.2.3.3 Default VLAN
The default VLAN ID of an interface is called the port default VLAN ID (PVID). Frames
processed in a device all carry VLAN tags. When the device receives an untagged frame, it
adds a VLAN tag to the frame according to the default VLAN of the interface that receives
the frame.
For details on how to add or remove tags when the interface receives and sends frames, see
3.2.3.4 Adding and Removing VLAN Tags.
Each interface has a default VLAN. By default, the default VLAN ID of all interfaces is
VLAN 1. You can change the default VLAN ID as required.
l The default VLAN of an access interface is the VLAN allowed by the access interface.
You can change the default VLAN of an access interface to change the allowed VLAN.
l Trunk and hybrid interfaces allow multiple VLANs but have only one default VLAN.
Default VLAN and VLANs allowed by the trunk and hybrid interfaces should be
configured separately.
3.2.3.4 Adding and Removing VLAN Tags

Ethernet data frames are tagged or untagged based on the interface type and default VLAN.
The following describes how access, trunk, and hybrid interfaces process data frames.
Access Interface
Figure 3-8 and Figure 3-9 shows how an access interface adds and removes VLAN tags.
Figure 3-8 Access interface adding VLAN tags
No
Yes
No
Yes
Receive a
frame
Carry tag?
Same
VID and PVID?
Accept the frame
Further
processing
Discard
Accept it and add
PVID
Figure 3-9 Access interface removing VLAN tags
Prepare for
sending a frame
Remove tag
Send the frame
Trunk Interface
Figure 3-10 and Figure 3-11 shows how a trunk interface adds and removes VLAN tags.

Figure 3-10 Trunk interface adding VLAN tags
No
Yes
No
Yes
Receive a
frame
Carry tag?
Is VID allowed?
Accept the frame
Further
processing
Discard
Accept it and add
PVID
Figure 3-11 Trunk interface removing VLAN tags
No
Yes
Prepare for
sending a frame
Same as PVID?
Remove tag
Send the frame
Retain tag
Hybrid Interface
Figure 3-12 and Figure 3-13 shows how a hybrid interface adds and removes VLAN tags.

Figure 3-12 Hybrid interface adding VLAN tags
No
Yes
No
Yes
Receive a
frame
Carry tag?
Is VID allowed?
Accept the frame
Further
processing
Discard
Add the PVID
Figure 3-13 Hybrid interface removing VLAN tags
No
Yes
Prepare for
sending a frame
Does device
add tag to it?
Retain tag
Send the frame
Remove tag

Frame Processing on Different Interfaces
Table 3-2 Frame processing based on the port type
Port
Type
Untagged Frame
Processing
Tagged Frame
Processing
Frame
Transmission
Access
port
Accepts an untagged
frame and adds a tag with
the default VLAN ID to
the frame.
l Accepts the tagged
frame if the frame's
VLAN ID matches the
default VLAN ID.
l Discards the tagged
frame if the frame's
VLAN ID differs from
the default VLAN ID.
After the PVID tag is
stripped, the frame is
transmitted.
Trunk
port
l Adds a tag with the
default VLAN ID to
the untagged frame
and then transmits it if
the default VLAN ID
is permitted by the
port.
default VLAN ID to
the untagged frame
and then discards it if
the default VLAN ID
is denied by the port.
l Accepts a tagged
frame if the VLAN ID
carried in the frame is
permitted by the port.
l Discards a tagged
denied by the port.
l If the frame's
VLAN ID
matches the
default VLAN ID
and the VLAN ID
is permitted by the
port, the device
removes the tag
and transmits the
frame.
l If the frame's
VLAN ID differs
from the default
VLAN ID, but the
VLAN ID is still
permitted by the
port, the device
will directly
transmit the
frame.
Hybrid
port
default VLAN ID to an
untagged frame and
accepts the frame if the
port permits the default
VLAN ID.
default VLAN ID to an
untagged frame and
discards the frame if
the port denies the
default VLAN ID.
l Accepts a tagged
permitted by the port.
l Discards a tagged
denied by the port.
If the frame's VLAN
ID is permitted by the
port, the frame is
transmitted. The port
can be configured
whether to transmit
frames with tags.
Interfaces process received frames as follows:

l Access, trunk, and hybrid interfaces add VLAN tags to received untagged frames. Trunk
and hybrid interfaces determine whether to accept untagged frames depending on
whether VLANs specified by the VLAN IDs in the frames are allowed, whereas an
access interface accepts the untagged frames unconditionally.
l Access, trunk, and hybrid interfaces determine whether to accept tagged frames
depending on whether VLANs specified by the VLAN IDs in the frames are allowed (the
VLAN ID allowed by an access interface is the default VLAN ID).
l Interfaces send frames as follows:
– An access interface directly removes VLAN tags from frames before sending the
frames.
– A trunk interface removes VLAN tags from frames only when their VLAN IDs are
the same as the PVID on the interface.
– A hybrid interface determines whether to remove VLAN tags from frames based on
the interface configuration.
Frames sent by an access interface are all untagged. On a trunk interface, only frames of
one VLAN are sent with tags, and frames of other VLANs are sent without tags. On a
hybrid interface, you can specify the VLANs of which frames are sent with or without
tags.
3.2.4 Intra-VLAN Layer 2 Isolation
You can add different users to different VLANs to implement Layer 2 isolation between users.
If an enterprise has many users, VLANs have to be allocated to all users that are not allowed
to communicate with each other. This user isolation method uses a large number of VLANs
and makes configuration more complex, increasing the maintenance workload of the network
administrator.
Huawei provides intra-VLAN Layer 2 isolation technologies including port isolation, MUX
VLAN, and Modular QoS Command-Line Interface (MQC).
Port Isolation
Port isolation can isolate interfaces in a VLAN. You can add interfaces to a port isolation
group to disable Layer 2 packet transmission between the interfaces. Interfaces in different
port isolation groups or out of port isolation groups can exchange packets with other
interfaces. In addition, interfaces can be isolated unidirectionally, providing more secure and
flexible networking.
For details about port isolation, see Configuring Interface Isolation in Huawei AR Series
Access Routers Configuration Guide - Interface Management.
MUX VLAN
Multiplex VLAN (MUX VLAN) provides a mechanism to control network resources using
VLANs. It can implement inter-VLAN communication and intra-VLAN isolation.
For example, an enterprise has the following requirements:
l Employees can communicate with each other but customers are isolated.
l Both employees and customers can access enterprise servers.
You can deploy the MUX VLAN to meet the preceding requirements.

For details about the MUX VLAN feature, see 5 MUX VLAN Configuration.
Intra-VLAN Layer 2 Isolation Based on the Traffic Policy
A traffic policy is configured by binding traffic classifiers to traffic behaviors. You can define
traffic classifiers on a device to match packets with certain characteristics and associate the
traffic classifiers with the permit or deny behavior in a traffic policy. The device then permits
or denies packets matching the traffic classifiers. In this way, intra-VLAN unidirectional or
bidirectional isolation is implemented based on the traffic policy.
The device supports intra-VLAN Layer 2 isolation based on MQC and simplified ACL-based
traffic policies. For details about MQC and simplified ACL-based traffic policies, see MQC
Configuration and ACL-based Simplified Traffic Policy Configuration in Huawei AR Series
Access Routers Configuration Guide - QoS.
3.2.5 Inter-VLAN Layer 3 Isolation
After inter-VLAN Layer 3 connectivity is implemented between two VLANs, all users in the
VLANs can communicate. In some scenarios, communication between some users needs to
be prevented or only unidirectional communication is allowed. For example, user hosts and
servers often use unidirectional communication, and visitors to an enterprise are often allowed
to access only the Internet or some servers. In these scenarios, you need to configure inter-
VLAN isolation.
Inter-VLAN isolation is often implemented using a traffic policy. You can define traffic
classifiers on a device to match packets with certain characteristics and associate the traffic
classifiers with the permit or deny behavior in a traffic policy. The device then permits or
rejects the packets matching the traffic classifiers. This technology implements flexible inter-
VLAN isolation.
The device supports inter-VLAN Layer 3 isolation based on MQC and simplified ACL-based
traffic policies. For details about MQC and simplified ACL-based traffic policies, see MQC
Configuration and ACL-based Simplified Traffic Policy Configuration in Huawei AR Series
Access Routers Configuration Guide - QoS.
3.2.6 Management VLAN
To use a remote network management system (NMS) to manage devices in a centralized
manner, configure a management IP address on the device. You can then use the management
IP address to log in to the device using STelnet and manage the device. If a user-side interface
is added to the VLAN corresponding to the management IP address, users connected to the
interface can also log in to the device. This poses security risks to the device.
To enhance security, you can configure the VLAN as the management VLAN (mVLAN).
Access or Dot1q tunnel interfaces cannot be added to the mVLAN. (The VLANs not specified
as the mVLAN are service VLANs.) Access and Dot1q tunnel interfaces are often connected
to users. When these interfaces are prevented from joining the mVLAN, users connected to
the interfaces cannot log in to the device, improving device security.
3.3 Application Scenarios for VLANs

3.3.1 Using VLAN Assignment to Implement Layer 2 Isolation
As shown in Figure 3-14, there are multiple companies in a building. These companies share
network resources to reduce costs. Networks of the companies connect to different interfaces
of Router2 and access the Internet through an egress.
Figure 3-14 Networking of interface-based VLAN assignment
Router1
CompanyA
VLAN 2 VLAN 3 VLAN 4
CompanyB CompanyC
Router2
To isolate services and ensure service security of different companies, add interfaces
connected to the companies to different VLANs. Each company has a virtual router and each
VLAN is a virtual work group.
3.3.2 Using VLANIF Interfaces to Implement Inter-VLAN Layer 3
Connectivity
VLANIF interfaces are used to implement inter-VLAN Layer 3 connectivity when devices are
connected to the same router or different routers.
Inter-VLAN Layer 3 Connectivity Between Devices Connected to the Same
Device
As shown in Figure 3-15, departments 1 and 2 of a small-scale company belong to VLAN 2
and VLAN 3, respectively, and connect to Router through Layer 2 switches. Packets
exchanged between the two departments need to pass Router.

Figure 3-15 Using VLANIF interfaces to implement inter-VLAN communication through the
same device
VLAN2
VLANIF2
Router
VLANIF3
VLAN3
Switch_1 Switch_2
PC_1 PC_2
Department 1 Department 2
Assign VLANs on Switch_1 and Switch_2, configure Switch_1 and Switch_2 to transparently
transmit VLAN packets to Router, and configure a VLANIF interface for each VLAN on
Router to allow communication between VLAN 2 and VLAN 3.
Inter-VLAN Layer 3 Connectivity Between Devices Connected to Different Layer
3 Routers
As shown in Figure 3-16, departments 1 and 2 of a medium- or large-scale company are
connected across two or more routers, and belong to VLAN 2 and VLAN 3 respectively.
Packets exchanged between the two departments need to pass the routers.
Figure 3-16 Using VLANIF interfaces to implement inter-VLAN communication through
multiple Layer 3 routers
Switch
Router_1
Switch
Router_2
VLAN2 VLAN3
PC_1
Department 1
PC_2
VLANIF2 VLANIF3
Layer 3 network
Department 2
Assign VLANs on the switches, and configure the switches to transparently transmit VLAN
packets to Router_1 and Router_2. Configure a VLANIF interface for each user VLAN and

interconnected VLANs on switches, and configure VLANIF interfaces for interconnected
VLANs on other Layer 3 devices. In addition, configure static routes or a dynamic routing
protocol between Router_1 and Router_2 (a dynamic routing protocol is recommended when
devices are connected across more than two routers).
3.3.3 Using a Traffic Policy to Implement Inter-VLAN Access
Control
As shown in Figure 3-17, to ensure communication security, a company divides the network
into visitor area, employee area, and server area, and assigns VLAN 10, VLAN 20, and
VLAN 30 to the areas respectively. The company has the following requirements:
l Employees, visitors, and servers can access the Internet.
l Visitors cannot communicate with employees and can access only Server_1 in the server
area.
Figure 3-17 Using a traffic policy to implement inter-VLAN access control
Router
Employee_1
10.1.2.2/24
Visitor_1
10.1.1.2/24
Router_0
Server_1
10.1.3.2/24
Switch Switch Switch
VLANIF100
Visitor
area
Employee
area
VLAN20
VLAN10 VLAN30
VLANIF10
VLANIF20
VLANIF30
Internet
Server
area
After the central router (Router) is configured with VLANIF 10, VLANIF 20, VLANIF 30,
and VLANIF 100 and a route to the Router_0, employees, visitors, and servers can access the
Internet and communicate with each other. To control access rights of visitors, configure a
traffic policy on the central router and define the following rules:
l ACL rule 1: denies the packets sent from the IP network segment of visitors to the IP
segment of employees.
l ACL rule 2: permits the packets from the IP network segment of visitors to the IP
address of Server_1, and denies the packets from the IP network segment of visitors and
to the IP segment of servers.

l ACL rule 3: denies the packets from the IP network segment of employees to the IP
segment of visitors.
l ACL rule 4: denies the packets from the IP network segment of servers to the IP segment
of visitors.
Apply the traffic policy to the inbound and outbound direction of the central router interface
connected to the visitor area. Visitors can then only access Server_1 and cannot communicate
with employees.
3.4 Summary of VLAN Configuration Tasks
Table 3-3 describes the VLAN configuration tasks. Figure 3-18 illustrates the logical
relationship between configuration tasks.
Figure 3-18 Logical relationship between configuration tasks
Assign VLANs
Configure VLANIF
interfaces to
implement inter-VLAN
communication
Configure MQC-based
intra-VLAN Layer 2
isolation
Configure MQC to
implement inter-VLAN
isolation
Configure VLAN
Table 3-3 VLAN configuration tasks
Configuration Task Description
3.7.1 Configuring VLAN
Assignment
VLANs can isolate the hosts that do not need to
communicate with each other, which improves network
security, reduces broadcast traffic, and mitigates broadcast
storms.

Configuration Task Description
3.7.2 Configuring Inter-
VLAN Communication
After VLANs are assigned, users in different VLANs
cannot directly communicate with each other. If users in
different VLANs need to communicate, configure VLANIF
interfaces to implement inter-VLAN Layer 3 connectivity.
3.7.3 Configuring a Traffic
Policy to Implement Intra-
VLAN Layer 2 Isolation
After VLANs are assigned, users in the same VLAN can
directly communicate with each other. If some users in the
same VLAN need to be isolated, configure MQC-based
intra-VLAN Layer 2 isolation.
NOTE
Intra-VLAN isolation can also be implemented using port
isolation. For details about port isolation, see Configuring
Interface Isolation in Huawei AR Series Access Routers
Configuration Guide - Interface Management.
3.7.4 Configuring a Traffic
Policy to Implement Inter-
VLAN Layer 3 Isolation
After VLANIF interfaces are configured to implement
inter-VLAN connectivity, users in different VLANs can
communicate at Layer 3. If some users in different VLANs
require unidirectional communication or need to be
isolated, configure a traffic policy.
3.7.5 Configuring an
mVLAN
To use the NMS to manage devices in a centralized
manner, assign VLANs and configure a VLAN as the
management VLAN.
3.5 Default Settings for VLANs
Table 3-4 Default setting for VLANs
Parameter Default Setting
Default
configu
ration
of an
interfac
e
Interf
ace
type
Hybrid
Defa
ult
VLA
N
VLAN 1
VLA
N
that
an
interf
ace
joins
VLAN 1 that interfaces join in untagged mode (port hybrid untagged
vlan 1)
Damping time 0s

Parameter Default Setting
Traffic statistics
collection in a
VLAN
Disabled
3.6 Licensing Requirements and Limitations for VLANs
Involved Network Elements
None
Licensing Requirements
VLAN is a basic feature of a router and is not under license control.
Feature Limitations
When deploying VLAN on the router, pay attention to the following:
l You are advised to plan service and management VLANs so that any broadcast storms in
service VLANs do not affect device management.
l In practice, specify VLANs from which packets need to be transparently transmitted by a
trunk interface. Do not use the port trunk allow-pass vlan all command if possible.
l All interfaces join VLAN 1 by default. When unknown unicast, multicast, or broadcast
packets of VLAN 1 exist on the network, broadcast storms may occur. When VLAN 1 is
used, pay attention to the following points:
– Remove the interfaces that do not need to join VLAN 1 from VLAN 1 to prevent
loops.
– You are advised to remove interfaces from VLAN 1 in Eth-Trunk or ring
networking.
– When connecting to an access device, to prevent broadcast storms in VLAN 1, do
not configure the uplink interface of the access device to transparently transmit
packets from VLAN 1.
3.7 Configuring VLAN
3.7.1 Configuring VLAN Assignment
Context
VLANs can isolate the hosts that do not need to communicate with each other, which
improves network security, reduces broadcast traffic, and mitigates broadcast storms.
After an interface is added to a VLAN, the interface can forward packets from the VLAN.
Interface-based VLAN assignment allows hosts in the same VLAN to communicate and

prevents hosts in different VLANs from communicating, so broadcast packets are limited in a
VLAN.
Ethernet interfaces are classified into access, trunk, and hybrid interfaces according to the
objects connected to the Ethernet interfaces and number of VLANs from which untagged
frames are permitted (see Interface Types):
l Access interface
The router processes only tagged frames and an access interface connected to devices
only receive and send untagged frames, so the access interface needs to add a VLAN tag
to received frames. That is, you must configure the default VLAN for the access
interface. After the default VLAN is configured, the access interface joins the VLAN.
An access interface needs to process only untagged frames. If a user connects a
switching device to a user-side interface without permission, the user-side interface may
receive tagged frames. You can configure the user-side interface to discard tagged
frames, preventing unauthorized access.
l Trunk interface
When a trunk interface connects to a device such as an AP or a voice terminal that can
receive and send tagged and untagged frames simultaneously, you need to configure the
default VLAN for the trunk interface so that the trunk interface can add the VLAN tag to
untagged frames.
l Hybrid interface
When a hybrid interface connects to an AP, a voice terminal, a hub, a host, or a server
that sends untagged frames to the router, you need to configure the default VLAN for the
hybrid interface so that the hybrid interface can add the VLAN tag to untagged frames.
Frames sent by a router all carry VLAN tags. In some scenarios, VLAN tags need to be
removed from frames sent by a hybrid interface. A trunk interface allows untagged
packets from only one VLAN, so the interface must be configured as hybrid.
By default, the type of an interface is hybrid, the default VLAN is VLAN 1, and an interface
joins VLAN 1 in untagged mode.
Procedure
l Configuring the default VLAN for an access interface
a. Run system-view
The system view is displayed.
b. Run vlan vlan-id
A VLAN is created and the VLAN view is displayed, or the view of an existing
VLAN is displayed.
c. Run quit
Return to the system view.
d. Run interface interface-type interface-number
The view of the Ethernet interface to be added to the VLAN is displayed.
e. (Optional) Run portswitch
The virtual Ethernet (VE) interface is switched from Layer 3 mode to Layer 2
mode.
By default, a VE interface works in Layer 3 mode.
You need to perform this operation after accessing the VE interface view.

f. Run port link-type access
The Ethernet interface is configured as the access interface.
g. Run port default vlan vlan-id
The default VLAN is configured for the interface and the interface is added to the
specified VLAN.
l Configuring the default VLAN for a trunk interface
a. Run system-view
b. Run vlan vlan-id
VLAN is displayed.
c. Run quit
mode.
f. Run port link-type trunk
The Ethernet interface is configured as the trunk interface.
g. Run port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }
The interface is added to the specified VLAN.
h. (Optional) Run port trunk pvid vlan vlan-id
The default VLAN is configured for the trunk interface.
This step is not supported in the VE interface view.
NOTE
When the VLAN allowed by an interface is the default VLAN of the interface, packets from the
VLAN are forwarded in untagged mode.
l Configuring the default VLAN for a hybrid interface
a. Run system-view
b. Run vlan vlan-id
VLAN is displayed.
c. Run quit

mode.
f. Run port link-type hybrid
The Ethernet interface is configured as the hybrid interface.
g. Run the following commands as required.
n Run port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }
The hybrid interface is added to the VLAN in untagged mode.
n Run port hybrid tagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }
The hybrid interface is added to the VLAN in tagged mode.
h. (Optional) Run port hybrid pvid vlan vlan-id
The default VLAN is configured for the hybrid interface.
This step is not supported in the VE interface view.
----End
Configuration Tips
Creating VLANs in a batch
To create multiple VLANs in a batch, run the vlan batch command in the system view.
For example:
l Create 10 contiguous VLANs: VLANs 11 to 20.
<Huawei> system-view
[Huawei] vlan batch 11 to 20
l Create 10 incontiguous VLANs in a batch: VLAN 10, VLANs 15 to 19, VLAN 25,
VLANs 28 to 30.
[Huawei] vlan batch 10 15 to 19 25 28 to 30
NOTE
You can create a maximum of 10 incontiguous VLANs or VLAN range at one time. If there are
more than 10 VLANs, run this command multiple times. For example, the vlan batch 10 15 to 19
25 28 to 30 command creates four incontiguous VLAN ranges.
Configuring a name for a VLAN
When multiple VLANs are created on the device, you are advised to configure names for the
VLANs to facilitate management. After a name is configured for a VLAN, you can directly
enter the VLAN view using the name.
# Set the name of VLAN 10 to huawei.
[Huawei] vlan 10
[Huawei-vlan10] name huawei
[Huawei-vlan10] quit
# After a name is configured for a VLAN, you can directly enter the VLAN view using the
name.
[Huawei] vlan vlan-name huawei
[Huawei-vlan10] quit

Adding interfaces to a VLAN in a batch
To perform the same VLAN configuration for multiple Ethernet interfaces, use the port group,
which can reduce the workload. To add access interfaces to a VLAN in a batch, you can also
run the port interface-type { interface-number1 [ to interface-number2 ] }&<1-10> command
in the VLAN view. For details, see 3.10.2 How to Add Interfaces to a VLAN in a Batch.
Restoring the default VLAN configuration of an interface
If the VLAN planning of an interface is changed, you need to delete the original VLAN
configuration of the interface. If many incontiguous VLANs are configured on the interface,
you need to delete the original VLAN configuration multiple times. To reduce deletion
operations, restore the default VLAN configuration of the interface. For details, see 3.10.3
How to Restore the Default VLAN Configuration of an Interface.
Changing the interface type
When the interface planning changes or the current interface type is different from the
configured one, the interface type needs to be changed. For details, see 3.10.4 How to
Change the Link Type of an Interface.
Deleting a VLAN
If a VLAN is not in use, you are advised to delete it immediately by running the command
undo vlan vlan-id or undo vlan batch vlan-id1 to vlan-id2, in order to save VLAN resources
and reduce packets on a network.
Verifying the Configuration
l Run the display vlan [ { vlan-id | vlan-name vlan-name } [ verbose ] ] command to
check information about all VLANs or a specified VLAN.
3.7.2 Configuring Inter-VLAN Communication
Context
After VLANs are assigned, users in the same VLAN can communication with each other
while users in different VLANs cannot. If some users in different VLANs need to
communicate, configure inter-VLAN communication.
A VLANIF interface is a Layer 3 logical interface and can implement inter-VLAN Layer 3
connectivity. It is simple to configure a VLANIF interface, so the VLANIF interface is the
most commonly used technology. Each VLAN corresponds to a VLANIF interface. After an
IP address is configured for a VLANIF interface, the VLANIF interface is used as the
gateway of the VLAN and forwards packets across network segments at Layer 3 based on IP
addresses.
If a VLAN goes Down because all interfaces in the VLAN go Down, the system immediately
reports the VLAN Down event to the corresponding VLANIF interface, instructing the
VLANIF interface to go Down. To avoid network flapping caused by the change of the
VLANIF interface status, enable VLAN damping on the VLANIF interface. After the last
interface in Up state in a VLAN goes Down, the device enabled with VLAN damping starts a
delay timer and informs the corresponding VLANIF interface of the VLAN Down event after
the timer expires. If an interface in the VLAN goes Up during the delay, the VLANIF
interface remains Up.

The Maximum Transmission Unit (MTU) determines the maximum number of bytes each
time a sender can send. If the size of packets exceeds the MTU supported by a receiver or a
transit node, the receiver or transit node fragments the packets or even discards them,
aggravating the network transmission load. To avoid this problem, set the MTU of the
VLANIF interface.
After configuring bandwidth for a VLANIF interface, you can use the NMS to query the
bandwidth. This facilitates traffic monitoring.
NOTE
As shown in 3.2.2 Inter-VLAN Communication, in addition to using a VLANIF interface to inter-
VLAN communication, you can also use the VLAN aggregation and Dot1q termination sub-interface.
This section uses the VLANIF interface to implement inter-VLAN communication.
l For details about the Dot1q termination sub-interface, see 6.6 Configuring a Dot1q Termination
Sub-interface to Implement Inter-VLAN Communication.
l For details about VLAN aggregation, see 4 VLAN Aggregation Configuration.
After a VLANIF interface is configured, the corresponding VLAN cannot be configured as a sub-VLAN
or principal VLAN.
Pre-configuration Tasks
Before configuring inter-VLAN communication, complete the following tasks:
l 3.7.1 Configuring VLAN Assignment
l Configuring the default gateway address of hosts as the IP address of the VLANIF
interface
Procedure
Step 1 Run system-view
Step 2 Run interface vlanif vlan-id
The VLANIF interface view is displayed.
The number of a VLANIF interface must correspond to a created VLAN.
A VLANIF interface goes Up only when at least one physical interface in the corresponding
VLAN is in Up state.
Step 3 Run ip address ip-address { mask | mask-length } [ sub ]
An IP address is configured for the VLANIF interface to implement Layer 3 connectivity.
If IP addresses assigned to VLANIF interfaces belong to different network segments, you
need to configure a routing protocol on the device to provide reachable routes.
Each VLANIF interface can be configured with one primary IP address and multiple
secondary IP addresses. A maximum of 31 secondary IP addresses can be configured.
NOTE
An IP address of a VLANIF interface can be statically configured or dynamically obtained using DHCP.
For details about DHCP, see DHCP Configuration in Huawei AR Series Access Routers Configuration
Guide - IP Services.

Step 4 (Optional) Run damping time delay-time
The delay of VLAN damping is set.
The value ranges from 0 to 20, in seconds. By default, the delay is 0 seconds, indicating that
VLAN damping is disabled.
Step 5 (Optional) Run mtu mtu
The MTU of the VLANIF interface is set.
By default, the value is 1500 bytes.
Step 6 (Optional) Run bandwidth bandwidth
The bandwidth of the VLANIF interface is set.
----End
l Run the display interface vlanif [ vlan-id ] command to check the status, configuration,
and traffic statistics of the VLANIF interface.
NOTE
Only the VLANIF interface in Up state can forward packets at Layer 3. When the VLANIF
interface goes Down, rectify the fault according to 3.9.2 A VLANIF Interface Goes Down.
3.7.3 Configuring a Traffic Policy to Implement Intra-VLAN
Layer 2 Isolation
Context
After VLANs are assigned, users in the same VLAN can communication with each other. If
users in a VLAN need to be isolated unidirectionally or bidirectionally, configure a traffic
policy.
A traffic policy is configured by binding traffic classifiers to traffic behaviors. The device
classifies packets according to packet information, and associates a traffic classifier with a
traffic behavior to reject the packets matching the traffic classifier, implementing intra-VLAN
isolation.
Router provides intra-VLAN Layer 2 isolation based on MQC and based on the simplified
ACL-based traffic policy.
Before configuring a traffic policy to implement intra-VLAN Layer 2 isolation, complete the
following task:
Procedure
l Configure MQC to implement intra-VLAN Layer 2 isolation.
Perform the following MQC configurations to implement intra-VLAN Layer 2 isolation:

– Specify permit or deny in the traffic behavior.
– Apply the traffic policy to a VLAN or an interface that allows the VLAN.
For details about how to configure MQC, see Configuring Packet Filtering in Huawei AR
Series Access Routers Configuration Guide - QoS.
l Configure a simplified ACL-based traffic policy to implement intra-VLAN Layer 2
isolation.
For details about how to configure a simplified ACL-based traffic policy, see
Configuring ACL-based Packet Filtering in Huawei AR Series Access Routers
Configuration Guide - QoS.
----End
3.7.4 Configuring a Traffic Policy to Implement Inter-VLAN
Layer 3 Isolation
Context
After inter-VLAN Layer 3 connectivity is configured, if some users in different VLANs
require unidirectional access or need to be isolated, configure inter-VLAN Layer 3 isolation.
Inter-VLAN Layer 3 isolation is implemented using a traffic policy. A traffic policy is
configured by binding traffic classifiers to traffic behaviors. The router classifies packets
according to IP addresses or other information in packets, and associates a traffic classifier
with a traffic behavior to reject the packets matching the traffic classifier, implementing inter-
VLAN Layer 3 isolation.
Router provides inter-VLAN Layer 3 isolation based on MQC and based on the simplified
ACL-based traffic policy. You can select one of them according to your needs.
Before configuring a traffic policy to implement inter-VLAN Layer 3 isolation, complete the
following task:
l 3.7.2 Configuring Inter-VLAN Communication
Procedure
l Configure MQC to implement inter-VLAN Layer 3 isolation.
Perform the following MQC configurations to implement inter-VLAN Layer 3 isolation:
– Specify permit or deny in the traffic behavior.
– Apply the traffic policy to a VLAN or an interface that allows the VLAN.
For details about how to configure MQC, see Configuring Packet Filtering in Huawei AR
Series Access Routers Configuration Guide - QoS.
l Configure a simplified ACL-based traffic policy to implement inter-VLAN Layer 3
isolation.

For details about how to configure a simplified ACL-based traffic policy, see
Configuring ACL-based Packet Filtering in Huawei AR Series Access Routers
Configuration Guide - QoS.
----End
3.7.5 Configuring an mVLAN
Context
Management VLAN (mVLAN) allows you to use the VLANIF interface of the mVLAN to
log in to the management router to manage devices in a centralized manner.
To use a remote network management system (NMS) to manage devices in a centralized
manner, configure a management IP address on the device. You can then log in to the device
in Telnet mode and manage the device by using the management IP address. The management
IP address can be configured on a management interface or VLANIF interface. If a user-side
interface is added to the VLAN, users connected to the interface can also log in to the device.
This brings security risks to the device.
After a VLAN is configured as an mVLAN, no access interface or Dot1q tunnel interface can
be added to the VLAN. Access and Dot1q tunnel interfaces are often connected to users.
When these interfaces are prevented from joining the mVLAN, users connected to the
interfaces cannot log in to the device, improving device security.
Generally, a VLANIF interface needs to be configured with only one management IP
addresses. In specified scenarios, for example, users in the same mVLAN belong to multiple
different network segments, you need to configure a primary management IP address and
multiple secondary management IP addresses.
You can only log in to the local device using the management interface, whereas you can log
in to both local and remote devices using a VLANIF interface of an mVLAN. When logging
in to the remote device using the VLANIF interface of an mVLAN, you need to configure
VLANIF interfaces on both local and remote devices and assign IP addresses on the same
network segment to them.
Before configuring an mVLAN, complete the following task:
NOTE
Only trunk and hybrid interfaces can join the mVLAN.
Procedure
Step 1 Run system-view
Step 2 Run vlan vlan-id
The VLAN view is displayed.
Step 3 Run management-vlan

The VLAN is configured as the mVLAN.
VLAN 1 cannot be configured as the mVLAN.
Step 4 Run quit
Exit from the VLAN view.
Step 5 Run interface vlanif vlan-id
A VLANIF interface is created and its view is displayed.
Step 6 Run ip address ip-address { mask | mask-length } [ sub ]
An IP address is assigned to the VLANIF interface.
----End
Follow-up Procedure
Log in to the router to implement centralized management through the NMS. Select either of
the following login modes according to your needs:
l To manage local devices, log in to the local router using Telnet, STelnet. For details, see
Configuring Telnet Login, Configuring STelnet Login in Huawei AR Series Access
Routers Configuration Guide – Basic Configurations.
l To manage remote devices, log in to the local device using Telnet or STelnet and log in
to remote devices using Telnet or STelnet from the local device. For details, see
(Optional) Using Telnet to Log In to Another Device From the Local Device, or
(Optional) Using STelnet to Log In to Another Device from the Local Device in Huawei
AR Series Access Routers Configuration Guide – Basic Configurations.
The login IP address is the IP address of the VLANIF interface of an mVLAN.
l Run the display vlan command to check the mVLAN configuration. In the command
output, the VLAN marked with a * is the mVLAN.
3.8 Configuration Examples for VLANs
3.8.1 Example for Configuring VLAN Assignment
Networking Requirements
As shown in Figure 3-19, multiple user terminals are connected to devices in an enterprise.
Users who use the same service access the enterprise network using different devices.
To ensure the communication security and avoid broadcast storms, the enterprise wants to
allow users who use the same service to communicate with each other and isolate users who
use different services.
Configure interface-based VLAN assignments on the device and add interfaces connected to
terminals of users who use the same service to the same VLAN. Users in different VLANs
communicate at Layer 2, and users in the same VLAN can communicate directly.

Figure 3-19 Networking of interface-based VLAN assignment
Eth2/0/2
Eth2/0/1
RouterA
User3
VLAN3
User1
VLAN2
Eth2/0/3
Eth2/0/2
Eth2/0/1
User4
VLAN3
User2
VLAN2
Eth2/0/3
RouterB
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and add interfaces connecting to user terminals to VLANs to isolate
Layer 2 traffic between users who use different services.
2. Configure the type of link between RouterA and RouterB and VLANs to allow users
who use the same service to communicate.
Procedure
Step 1 Create VLAN 2 and VLAN 3 on RouterA, and add interfaces connected to user terminals to
different VLANs. The configuration of RouterB is similar to that of RouterA, and is not
mentioned here.
[Huawei] sysname RouterA
[RouterA] vlan batch 2 3
[RouterA] interface ethernet 2/0/1
[RouterA-Ethernet2/0/1] port link-type access
[RouterA-Ethernet2/0/1] port default vlan 2
[RouterA-Ethernet2/0/1] quit
[RouterA-Ethernet2/0/2] port link-type access
[RouterA-Ethernet2/0/2] port default vlan 3
[RouterA-Ethernet2/0/2] quit
Step 2 Configure the type of the interface connected to RouterB on RouterA and VLANs. The
configuration of RouterB is similar to that of RouterA, and is not mentioned here.
[RouterA-Ethernet2/0/3] port link-type trunk
[RouterA-Ethernet2/0/3] port trunk allow-pass vlan 2 3
Step 3 Verify the configuration.
# Add User1 and User2 to the same IP address segment, for example, 192.168.100.0/24; add
User3 and User4 to the same IP address segment, for example, 192.168.200.0/24.
# Only User1's and User2's terminals can ping each other, and only User3's and User4's
terminals can ping each other.
----End

Configuration Files
l Configuration file of RouterA
#
sysname RouterA
#
vlan batch 2 to 3
#
interface Ethernet2/0/1
port link-type access
port default vlan 2
#
port default vlan 3
#
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return
l Configuration file of RouterB
#
sysname RouterB
#
vlan batch 2 to 3
#
port default vlan 2
#
port default vlan 3
#
port trunk allow-pass vlan 2 to 3
#
return
3.8.2 Example for Configuring VLANIF Interfaces to Implement
Inter-VLAN Communication
Different user hosts of a company transmit the same service, and are located on different
network segments. User hosts transmitting the same service belong to different VLANs and
need to communicate.
As shown in Figure 3-20, User1 and User2 use the same service but belong to different
VLANs and are located on different network segments. User1 and User2 need to
communicate.

Figure 3-20 Configuring VLANIF interfaces to implement inter-VLAN communication
Router
VLAN 10 VLAN 20
10.10.10.3/24 10.10.20.3/24
User1 User2
Eth2/0/0
VLANIF10
10.10.10.2/24
Eth2/0/1
VLANIF20
10.10.20.2/24
1. Create VLANs and determine VLANs that users belong to.
2. Add interfaces to VLANs and configure the interfaces to allow the VLANs.
3. Create VLANIF interfaces and configure IP addresses for the VLANIF interfaces to
implement Layer 3 connectivity.
NOTE
To implement inter-VLAN communication, hosts in each VLAN must use the IP address of the
corresponding VLANIF interface as the gateway address.
Procedure
Step 1 Configure the router.
# Create VLANs.
[Huawei] sysname Router
[Router] vlan batch 10 20
# Add interfaces to VLANs.
[Router] interface ethernet 2/0/0
[Router-Ethernet2/0/0] port link-type access
[Router-Ethernet2/0/0] port default vlan 10
[Router-Ethernet2/0/0] quit
# Assign IP addresses to VLANIF interfaces.
[Router] interface vlanif 10
[Router-Vlanif10] ip address 10.10.10.2 24
[Router-Vlanif10] quit

# Configure the IP address of 10.10.10.3/24 and default gateway address as 10.10.10.2/24
(VLANIF 10's IP address) for User1 in VLAN 10.
# Configure the IP address of 10.10.20.3/24 and default gateway address as 10.10.20.2/24
(VLANIF 20's IP address) for User2 in VLAN 20.
# After the configuration is complete, User1 in VLAN 10 and User2 in VLAN 20 can
communicate.
----End
Configuration Files
Router configuration file
#
sysname Router
#
vlan batch 10 20
#
interface Vlanif10
ip address 10.10.10.2 255.255.255.0
#
interface Vlanif20
ip address 10.10.20.2 255.255.255.0
#
port default vlan 10
#
#
return
Intra-VLAN Communication
As shown in Figure 3-21, Router_1 and Router_2 are connected to Layer 2 networks that
VLAN 10 belongs to. Router_1 communicates with Router_2 through a Layer 3 network
where OSPF is enabled.
PCs of the two Layer 2 networks need to be interwork at Layer 3.

Figure 3-21 Configuring VLANIF interfaces to implement intra-VLAN communication
Eth2/0/1
Eth2/0/2
Eth2/0/2
Eth2/0/1
VLAN10
Router_1 Router_2
Router_3 Router_4
Eth2/0/2 Eth2/0/2
Eth2/0/1
VLAN10
Eth2/0/1
OSPF
1. Add interfaces to VLANs and configure the interfaces to allow the VLANs.
2. Configure IP addresses for VLANIF interfaces to implement Layer 3 connectivity.
3. Configure basic OSPF functions to implement interworking.
Procedure
Step 1 Configure Router_1.
# Create VLAN 10 and VLAN 30.
[Huawei] sysname Router_1
[Router_1] vlan batch 10 30
# Add Eth2/0/1 to VLAN 10 and Eth2/0/2 to VLAN 30.
[Router_1] interface ethernet 2/0/1
[Router_1-Ethernet2/0/1] port link-type trunk
[Router_1-Ethernet2/0/1] port trunk allow-pass vlan 10
[Router_1-Ethernet2/0/1] quit
# Configure IP addresses of 10.10.10.1/24 and 10.10.30.1/24 for VLANIF 10 and VLANIF
30 respectively.
[Router_1] interface vlanif 10
[Router_1-Vlanif10] ip address 10.10.10.1 24
[Router_1-Vlanif10] quit

# Configure basic OSPF functions.
[Router_1] router id 1.1.1.1
[Router_1] ospf
[Router_1-ospf-1] area 0
[Router_1-ospf-1-area-0.0.0.0] network 10.10.10.0 0.0.0.255
[Router_1-ospf-1-area-0.0.0.0] quit
[Router_2] vlan batch 10 30
# Add Eth2/0/1 to VLAN 10 and Eth2/0/2 to VLAN 30.
# Configure IP addresses of 10.10.20.1/24 and 10.10.30.2/24 for VLANIF 10 and VLANIF
30 respectively.
# Configure basic OSPF functions.
[Router_2] router id 2.2.2.2
[Router_2] ospf
# Create VLAN 10, add Eth2/0/1 to VLAN 10 in untagged mode and Eth2/0/2 to VLAN 10 in
tagged mode. The configuration of Router_4 is similar to that of Router_3, and is not
mentioned here.
[Router_3] vlan batch 10
[Router_3-Ethernet2/0/1] port link-type access
[Router_3-Ethernet2/0/1] port default vlan 10

# On the PC of the Layer 2 network connected to Router_1, set the default gateway address to
the IP address of VLANIF10, that is, 10.10.10.1/24.
# On the PC of the Layer 2 network connected to Router_2, set the default gateway address to
the IP address of VLANIF10, that is, 10.10.20.1/24.
# After the configuration is complete, PCs on the two Layer 2 networks are interwork at Layer
3.
----End
Configuration Files
l Router_1 configuration file
#
sysname Router_1
#
router id 1.1.1.1
#
vlan batch 10 30
#
interface Vlanif10
ip address 10.10.10.1 255.255.255.0
#
interface Vlanif30
ip address 10.10.30.1 255.255.255.0
#
port trunk allow-pass vlan 10
#
#
ospf 1
area 0.0.0.0
network 10.10.10.0 0.0.0.255
network 10.10.30.0 0.0.0.255
#
return
#
sysname Router_2
#
router id 2.2.2.2
#
vlan batch 10 30
#
interface Vlanif10
ip address 10.10.20.1 255.255.255.0
#
interface Vlanif30
ip address 10.10.30.2 255.255.255.0
#
#
#
ospf 1

area 0.0.0.0
network 10.10.20.0 0.0.0.255
network 10.10.30.0 0.0.0.255
#
return
#
sysname Router_3
#
vlan batch 10
#
#
#
return
#
sysname Router_4
#
vlan batch 10
#
#
#
return
Communication of Hosts on Different Network Segments in the
Same VLAN
On the enterprise network shown in Figure 3-22, hosts in the same VLAN belong to network
segments of 10.1.1.1/24 and 10.1.2.1/24. Hosts on the two network segments are required to
access the Internet through the Router and communicate.

Figure 3-22 Configuring VLANIF interfaces to implement communication of hosts on
different network segments in the same VLAN
Router
VLAN10
Host2
10.1.2.2/24
Host1
10.1.1.2/24
Eth2/0/1 Eth2/0/2
Eth2/0/3
VLANIF10
Primary IP: 10.1.1.1/24
Secondary IP: 10.1.2.1/24
VLANIF20
10.10.10.1/24
Router_1 10.10.10.2/24
Internet
If only one IP address is configured for the VLANIF interface on the Router, only hosts on
one network segment can access the Internet through the Router. To enable all hosts on the
LAN can access the Internet through the Router, configure a secondary IP address for the
VLANIF interface. To enable hosts on the two network segments to communicate, the hosts
on the two network segments need to use the primary and secondary IP addresses of the
VLANIF interface as default gateway addresses.
1. Create VLANs and add interfaces to the VLANs.
2. Configure VLANIF interfaces and assign IP addresses to them so that hosts on the two
network segments can communicate.
3. Configure a routing protocol so that hosts can access the Internet through the Router.
Procedure
Step 1 Create VLANs and add interfaces to the VLANs on Router.
[Huawei] sysname Router
[Router] vlan batch 10 20
# Add Eth2/0/1 and Eth2/0/2 to VLAN 10 and Eth2/0/3 to VLAN 20.

[Router-Ethernet2/0/3] port link-type trunk
[Router-Ethernet2/0/3] port trunk allow-pass vlan 20
Step 2 Configure VLANIF interfaces on Router.
# Create VLANIF 10 and configure the primary IP address of 10.1.1.1/24 and secondary IP
address of 10.1.2.1/24 for VLANIF 10, and create VLANIF 20 and configure the IP address
of 10.10.10.1/24 for VLANIF 20.
[Router-Vlanif10] ip address 10.1.2.1 24 sub
Step 3 Configure a routing protocol.
# Configure basic OSPF functions and configure OSPF to advertise network segments of
hosts and the network segment between the Router and Router_1.
[Router] ospf
[Router-ospf-1] area 0
[Router-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[Router-ospf-1-area-0.0.0.0] quit
[Router-ospf-1] quit
NOTE
Perform the following configurations on the Router_1:
l Add the interface connected to the Router to VLAN 20 in tagged mode and specify an IP address
for VLANIF 20 on the same network segment as 10.10.10.1.
l Configure basic OSPF functions and configure OSPF to advertise the network segment between
the Router and Router_1.
For details, see the router documentation.
# Configure the IP address of 10.1.1.2 and default gateway address of 10.1.1.1/24 (primary IP
address of VLANIF 10) for Host1; configure the IP address of 10.1.2.2 and default gateway
address of 10.1.2.1/24 (secondary IP address of VLANIF 10) for Host2.
# After the configuration is complete, Host1 and Host2 can ping each other successfully, and
they can ping 10.10.10.2/24, IP address of the router interface connected to the Router. That
is, they can access the Internet.
----End
Configuration Files
Router configuration file
#
sysname Router
#
vlan batch 10 20

#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
ip address 10.1.2.1 255.255.255.0 sub
#
interface Vlanif20
ip address 10.10.10.1 255.255.255.0
#
#
#
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
network 10.10.10.0 0.0.0.255
#
return
3.8.5 Example for Configuring a Traffic Policy to Implement
Inter-VLAN Layer 3 Isolation
As shown in Figure 3-23, to ensure communication security, a company assigns visitors,
employees, and servers to VLAN 10, VLAN 20, and VLAN 30 respectively. The
requirements are as follows:
l Employees, visitors, and servers can access the Internet.
l Visitors can access only the Internet, and cannot communicate with employees in any
other VLANs.
l Employee A can access all resources in the server area, and other employees can access
port 21 (FTP service) of server A.

Figure 3-23 Configuring a traffic policy to implement inter-VLAN Layer 3 isolation
Router_4
Employee A
10.1.2.2/24
Visitor A
10.1.1.2/24
Eth2/0/1
Eth2/0/2
Eth2/0/3
Router
Server A
10.1.3.2/24
Router_1 Router_2 Router_3
Eth2/0/4
Eth2/0/2
Eth2/0/1
Eth2/0/3 Eth2/0/2
Eth2/0/1 Eth2/0/1
VLANIF100
10.1.100.1/24
Employee
area
Server
area
Employee B
10.1.2.3/24
VLAN20
VLAN10 VLAN30
Eth2/0/2
Internet
Visitor
area
1. Create VLANs and add interfaces to the VLANs to implement Layer 2 isolation of
visitors, employees, and servers.
2. Configure VLANIF interfaces and assign IP addresses to them to implement Layer 3
connectivity between employees, servers, and visitors.
3. Configure a routing protocol so that visitors, employees, and servers can access the
Internet through the Router.
4. Configure and apply a traffic policy so that employee A can access all resources in the
server area, other employees can access only port 21 (FTP service) of server A,
employees can access only servers, and visitors can access only the Internet.
Procedure
Step 1 Create VLANs and add interfaces to the VLANs to implement Layer 2 isolation of visitors,
employees, and servers.
# Create VLAN 10 on Router_1, add Eth2/0/1 to VLAN 10 in untagged mode and Eth2/0/2 to
VLAN 10 in tagged mode. The configurations of Router_2 and Router_3 are similar to the
configuration of Router_1, and are not mentioned here.
[Router_1] vlan batch 10

[Router_1-Ethernet2/0/1] port link-type access
[Router_1-Ethernet2/0/1] port default vlan 10
# Create VLAN 10, VLAN 20, VLAN 30, and VLAN 100 on Router_4, and add Eth2/0/1-
Eth2/0/4 to VLAN 10, VLAN 20, VLAN 30, and VLAN 100 in tagged mode.
[Router_4] vlan batch 10 20 30 100
Step 2 Configure VLANIF interfaces and assign IP addresses to them to implement Layer 3
connectivity between employees, servers, and visitors.
# On Router_4, Create VLAN 10, VLAN 20, VLAN 30, and VLAN 100 and assign IP
addresses of 10.1.1.1/24, 10.1.2.1/24, 10.1.3.1/24, and 10.1.100.1/24 to them respectively.
Step 3 Configure a routing protocol so that visitors, employees, and servers can access the Internet
through the Router.
# Configure basic OSPF functions on Router_4 and configure OSPF to advertise network
segments of hosts and the network segment between Router_4 and the router.
[Router_4] ospf
[Router_4-ospf-1] quit

NOTE
Perform the following configurations on the Router:
l Add the interface connected to the Router to VLAN 100 in tagged mode and specify an IP address
for VLANIF 100 on the same network segment as 10.1.100.1.
l Configure basic OSPF functions and configure OSPF to advertise the network segment between
the Router and router_4.
For details, see the router documentation.
Step 4 Configure and apply a traffic policy to control access of employees, visitors, and servers.
1. Configure ACLs to define flows.
# Configure ACL 3000 on Router_4 to prevent visitors from accessing employees' PCs
and servers.
[Router_4] acl 3000
[Router_4-acl-adv-3000] rule deny ip destination 10.1.2.1 0.0.0.255
[Router_4-acl-adv-3000] quit
# Configure ACL 3001 on Router_4 so that employee A can access all resources in the
server area and other employees can access only port 21 of server A.
[Router_4] acl 3001
[Router_4-acl-adv-3001] rule permit tcp destination 10.1.3.2 0 destination-
port eq 21
[Router_4-acl-adv-3001] rule permit ip source 10.1.2.2 0 destination 10.1.3.1
0.0.0.255
[Router_4-acl-adv-3001] quit
2. Configure traffic classifiers to differentiate different flows.
# Configure traffic classifiers c_custom, and c_staff on Router_4 and reference ACLs
3000, and 3001 in the traffic classifiers respectively.
[Router_4] traffic classifier c_custom
[Router_4-classifier-c_custom] if-match acl 3000
[Router_4-classifier-c_custom] quit
[Router_4] traffic classifier c_staff
[Router_4-classifier-c_staff] if-match acl 3001
[Router_4-classifier-c_staff] quit
3. Configure a traffic behavior and define an action.
# Configure a traffic behavior named b1 on Router_4 and define the permit action.
[Router_4] traffic behavior b1
[Router_4-behavior-b1] permit
[Router_4-behavior-b1] quit
4. Configure traffic policies and associate traffic classifiers with the traffic behavior in the
traffic policies.
# Create traffic policies p_custom, and p_staff on Router_4, and associate traffic
classifiers c_custom, and c_staff with traffic behavior b1.
[Router_4] traffic policy p_custom
[Router_4-trafficpolicy-p_custom] classifier c_custom behavior b1
[Router_4-trafficpolicy-p_custom] quit
[Router_4] traffic policy p_staff
[Router_4-trafficpolicy-p_staff] classifier c_staff behavior b1
[Router_4-trafficpolicy-p_staff] quit
5. Apply the traffic policies to control access of employees, visitors, and servers.
# On Router_4, apply traffic policies p_custom, and p_staff in the inbound direction of
VLANIF 10, and VLANIF 20 respectively.
[Router_4-Vlanif10] traffic-policy p_custom inbound

[Router_4-Vlanif20] traffic-policy p_staff inbound
# Configure the IP address of 10.1.1.2 and default gateway address of 10.1.1.1/24 (VLANIF
10's IP address) for visitor A; configure the IP address of 10.1.2.2 and default gateway
address of 10.1.2.1/24 (VLANIF 20's IP address) for employee A; configure the IP address of
10.1.2.3 and default gateway address of 10.1.2.1/24 (VLANIF 20's IP address) for employee
B; configure the IP address of 10.1.3.2 and default gateway address of 10.1.3.1/24 (VLANIF
30's IP address) for server A.
# After the configuration is complete, the following situations occur:
l Visitor A fails to ping employee A or server A, and employee A and server A fail to ping
visitor A.
l Employee A can successfully ping server A. That is, employee A can use server A and
the FTP service of server A.
l Employee B fails to ping server A, and can only use the FTP service of server A.
l Visitors, employees A and B, server A all can ping 10.1.100.2/24, IP address of the
router interface connected to Router_4. That is, they can access the Internet.
----End
Configuration Files
#
sysname Router_1
#
vlan batch 10
#
#
#
return
#
sysname Router_2
#
vlan batch 20
#
#
#
#
return

3.1 Overview Of VLANs Definition

3.1 Overview Of VLANs Definition

Recommended

Recommended

More Related Content

Similar to 3.1 Overview Of VLANs Definition

Similar to 3.1 Overview Of VLANs Definition (20)

More from Angela Shin

More from Angela Shin (20)

Recently uploaded

Recently uploaded (20)

3.1 Overview Of VLANs Definition