Understanding and Configuring VLANs


A Virtual Local Area Network (VLAN) enables devices to be segmented into logically separate broadcast domains within the same LAN. VLANs improve network performance by directing network traffic only to the parts of the network that need to receive it. The network segments so created keep traffic isolated based on the VLAN IDs associated with the transmitted frames. Applying targeted security features to specific network areas is also made simpler through the use of VLANs.


As per the standards, Netvisor ONE uses the 12-bit field in the header of each packet as a VLAN identifier or VLAN tag. The maximum number of VLANs that can be defined is 4092. VLANs 4093, 4094, and 4095 are reserved for internal use while VLAN 1 is the default fabric VLAN for untagged traffic. Untagged packets can be mapped to any VLAN, but Netvisor ONE maps this traffic to VLAN 1 by default.


Configuring an untagged VLAN is necessary when connecting a switch to devices that do not support IEEE 802.1Q VLAN tags. The ports on a switch can be configured to automatically map untagged packets to a specific VLAN. Netvisor ONE also allows you to block untagged traffic on a per-port basis, that is, the untagged VLAN on a port can be removed or deleted.


About VLAN 1

  • VLAN 1 is enabled on all ports by default. However, VLAN 1 can be removed from any port on which it is the untagged VLAN. Now, the port has no untagged VLANs and all untagged traffic is dropped on that port.
  • To generalize the point above, if VLAN x is the untagged VLAN for a port and if VLAN x is removed from that port, then the port has no untagged VLAN and all untagged traffic is dropped on that port.
  • VLAN 1 can also function as a tagged VLAN for a port. This happens automatically in cases where VLAN 1 is the default untagged VLAN, and then another VLAN is configured as an untagged VLAN on the port.
  • VLAN 1 cannot be created or deleted. VLAN 1 configuration is stored in persistent storage.
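The four rules above fit in a few lines of code. The following Python model is an added example, not Netvisor ONE code: it keeps, per port, the set of VLANs the port carries and which one is untagged, and returns the VLAN a received frame is assigned to (or None when the frame is dropped). Port and VLAN numbers, and the method names vlan_port_add, vlan_port_remove and classify, are assumptions chosen to mirror the CLI commands.

```python
# Added example (not Netvisor ONE code): a model of the per-port untagged VLAN
# rules described on this page. Port and VLAN numbers are constructed.

RESERVED = {4093, 4094, 4095}   # reserved for internal use
DEFAULT_FABRIC_VLAN = 1         # untagged on every port by default


class VlanPortTable:
    """Per port: the VLANs it carries and the (single) untagged VLAN, if any."""

    def __init__(self, ports):
        # Every port starts as a member of VLAN 1, with VLAN 1 untagged.
        self.members = {p: {DEFAULT_FABRIC_VLAN} for p in ports}
        self.untagged = {p: DEFAULT_FABRIC_VLAN for p in ports}

    def vlan_port_add(self, vlan, port, untagged=False):
        """Add a port to a VLAN, optionally making that VLAN the port's untagged VLAN."""
        if vlan in RESERVED:
            raise ValueError(f"VLAN {vlan} is reserved for internal use")
        if not 1 <= vlan <= 4092:
            raise ValueError(f"VLAN {vlan} is outside 1..4092")
        self.members[port].add(vlan)
        if untagged:
            # A port has at most one untagged VLAN. The previous untagged VLAN
            # (VLAN 1 by default) stays a member, now carried as a tagged VLAN.
            self.untagged[port] = vlan

    def vlan_port_remove(self, vlan, port):
        """Remove a port from a VLAN; removing the untagged VLAN leaves none."""
        self.members[port].discard(vlan)
        if self.untagged.get(port) == vlan:
            # No untagged VLAN remains, so untagged frames on this port are dropped.
            self.untagged[port] = None

    def classify(self, port, tag=None):
        """VLAN assigned to a received frame, or None if the frame is dropped.
        tag=None (or tag 0) models an untagged frame."""
        if tag is None or tag == 0:
            return self.untagged.get(port)
        return tag if tag in self.members[port] else None


if __name__ == "__main__":
    table = VlanPortTable([17, 18])
    table.vlan_port_add(595, 17, untagged=True)   # like: vlan-port-add vlan-id 595 ports 17 untagged
    print("untagged frame on 17 ->", table.classify(17))          # 595
    print("frame tagged 1 on 17  ->", table.classify(17, tag=1))  # 1 (VLAN 1 now tagged)
    table.vlan_port_remove(1, 18)
    print("untagged frame on 18 ->", table.classify(18))          # None (dropped)
```

The model makes the security consequence of the last two bullets explicit: a port whose untagged VLAN has been removed silently drops every untagged frame, while VLAN 1 remains reachable on that port for frames that carry tag 1.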


The default fabric VLAN can be changed from VLAN 1 to another VLAN ID using the command fabric-local-modify. For example, to set VLAN 20 as the default fabric VLAN, use the command:


CLI (network-admin@Leaf1) > fabric-local-modify vlan 20


Warning: If you create a VLAN with scope fabric and configure it as the untagged VLAN on all ports, it can disrupt the fabric communication.


Note: The untagged VLAN feature is not the same as the default VLAN using the IEEE 802.1Q tag 1.


The vlan-create command creates VLANs on the current switch.


CLI(network-admin@Leaf1) > vlan-create


vlan-create

Creates a VLAN. You can create a VLAN either by specifying a VLAN ID or by specifying a range of VLAN IDs.

id 2...4092

Specify the VLAN ID between 2 and 4092.

Note: VLANs 0 and 1 represent all untagged or non-VLAN traffic. VLANs 4093, 4094, and 4095 are reserved for internal use.

range vlan-list

Specify the range of VLAN IDs.

Use this parameter if you want to specify a VLAN range instead of a VLAN ID.

scope [local|cluster|fabric]

Specify the VLAN scope as local, cluster, or fabric.

Specify any of the following options:


vnet vnet-name

Specify the vNET name for this VLAN.

Note: A vNET segregates a physical fabric into many logical networks, each with separate resources, network services, and Quality of Service (QoS) guarantees.

vxlan 1..16777215

Specify the VXLAN identifier for the tunnel.

vxlan-mode [standard|transparent|qinq-access]

Specify the VXLAN encapsulation mode as standard, transparent, or Q-in-Q.

replicators [vtep-group name|none]

Specify the replicator group. Provide a VTEP group name to add a replicator. Specify none to not add a replicator or remove a configured replicator.

public-vlan 2..4092

Specify the Public VLAN for vNET VLAN.

description description-string

Provide a VLAN description.

stats|no-stats

Use the options to enable or disable statistics collection for the VLANs being created.

ports port-list

Specify the ports assigned to the VLAN as list separated by commas.

untagged-ports port-list

Specify the untagged ports assigned to the VLAN as a list separated by commas.


Note: Netvisor ONE allows you to create a large number of VLANs by using the vlan-create command and the range keyword. However, in large network topologies with several nodes under heavy CPU traffic, the CLI may time out if you create a large number of VLANs at once. In such scenarios, try creating a smaller number of VLANs per command.
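The following Python helper is an added example, not Netvisor ONE code. It expands a vlan-list string of the form accepted by the range parameter (e.g. "100-110,200"), rejects IDs outside 2..4092 and the reserved IDs 4093 to 4095 before anything reaches the switch, and splits the request into several smaller vlan-create commands so that no single CLI call has to create a very large number of VLANs. The batch size of 64 and the default of creating new VLANs with ports none (no front-panel ports until they are added explicitly) are assumptions for illustration.

```python
# Added example (not Netvisor ONE code): validate a "range vlan-list" string
# against the limits stated on this page and emit batched vlan-create commands.
# Batch size and the "ports none" default are assumptions.

CREATABLE = range(2, 4093)        # IDs 2..4092 may be created; VLAN 1 is fixed
RESERVED = {4093, 4094, 4095}      # reserved for internal use


def parse_vlan_list(spec):
    """Expand '100-110,200' into a sorted list of ints. Rejects malformed
    items, descending ranges, duplicates, reserved IDs and IDs outside 2..4092."""
    ids = set()
    for item in spec.replace(" ", "").split(","):
        if not item:
            raise ValueError("empty item in VLAN list")
        lo, _, hi = item.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if hi < lo:
            raise ValueError(f"descending range {item}")
        for v in range(lo, hi + 1):
            if v in RESERVED:
                raise ValueError(f"VLAN {v} is reserved for internal use")
            if v not in CREATABLE:
                raise ValueError(f"VLAN {v} cannot be created (allowed IDs are 2..4092)")
            if v in ids:
                raise ValueError(f"VLAN {v} listed twice")
            ids.add(v)
    return sorted(ids)


def compress(ids):
    """Turn a sorted list of IDs back into the 'a-b,c' form the CLI accepts."""
    out, start, prev = [], None, None
    for v in ids:
        if start is None:
            start = prev = v
        elif v == prev + 1:
            prev = v
        else:
            out.append(f"{start}-{prev}" if start != prev else str(start))
            start = prev = v
    if start is not None:
        out.append(f"{start}-{prev}" if start != prev else str(start))
    return ",".join(out)


def vlan_create_batches(spec, scope="fabric", ports="none", batch_size=64):
    """Return the list of vlan-create command lines needed for the request,
    each creating at most batch_size VLANs."""
    ids = parse_vlan_list(spec)
    return [
        f"vlan-create range {compress(ids[i:i + batch_size])} scope {scope} ports {ports}"
        for i in range(0, len(ids), batch_size)
    ]


if __name__ == "__main__":
    for cmd in vlan_create_batches("100-250,300", batch_size=64):
        print(cmd)
```

Creating VLANs with ports none and adding ports afterwards with vlan-port-add keeps a new VLAN off every front-panel port until it is deliberately placed there, which is the conservative default for a segmentation boundary.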



By default, all ports are tagged on a newly created VLAN. However, if you want to specify select ports that should be trunked, then use the optional parameter ports with a comma separated list of ports, or specify a range of ports.


In some cases, you may not want a VLAN to be created on all ports. You can specify the ports parameter as none to apply the VLAN only to the internal ports. For example:


CLI (network-admin@Leaf1) > vlan-create id 35 scope fabric ports none


To delete an existing VLAN, use the command:


CLI (network-admin@Leaf1) > vlan-delete


vlan-delete

Deletes a VLAN either by ID or by a range of IDs.

id 2...4092

Specify the VLAN ID that you want to delete.

range vlan-list

Specify the range of VLAN IDs that you want to delete.

Use this parameter instead of id if you want to specify a VLAN range.

Specify the following option:


vnet vnet-name

Specify the name of the vNET from which the VLANs are to be deleted.


Configuration of an existing VLAN can be modified using the vlan-modify command.


CLI (network-admin@Leaf1) > vlan-modify


vlan-modify

Modify a VLAN by specifying the VLAN ID.

id 2...4092

Specify the VLAN ID that you intend to modify.

Specify between 1 and 4 of the following options:


description description-string

Provide a VLAN description.

vxlan 1..16777215

Specify the VXLAN identifier for the tunnel.

replicators [vtep-group name | none]

Specify the replicator group. Provide a VTEP group name to add a replicator. Specify none to not add a replicator or remove a configured replicator.

vnet vnet-name

Specify the vNET name for this VLAN.

public-vlan 2..4092

Specify the public VLAN ID for vNET VLAN.

Note: Public VLAN ID can only be specified for private VLANs.


For example, to change the description of VLAN 25 from blue to red:


CLI (network-admin@Leaf1) > vlan-modify id 25 description red


This description can be removed from VLAN 25 using the command:


CLI (network-admin@Leaf1) > vlan-modify id 25 description ""


Netvisor ONE allows the addition of ports to a VLAN through the vlan-port-add command.


CLI (network-admin@Leaf1) > vlan-port-add


vlan-port-add

Add ports to VLANs.

Specify one of the following VLAN parameters:


vlan-id 2..4092

Specify the VLAN ID to which ports are to be added.

vlan-range vlan-list

Specify the range of VLAN IDs to which ports are to be added.

vlan-vnet vnet-name

Specify the vNET for the VLANs to which the ports are to be added.

Provide one of the following port arguments:


switch switch-name

Specify the name of the switch on which the ports are located.

ports port-list

Specify the ports that need to be added to the VLANs as a list separated by commas.

[untagged | tagged]

Specify either of the options to configure the ports as untagged or tagged ports.


For example, to configure ports 17 and 18 to accept untagged packets and map them to VLAN 595, use the following command:


CLI (network-admin@Leaf1) > vlan-port-add vlan-id 595 ports 17,18 untagged


To map ports on different switches into the scope fabric VLAN, use the following command:


CLI (network-admin@Leaf1) > vlan-port-add vlan-id 1-4095 switch switch-name ports port-list


Ports can be removed from a VLAN through the vlan-port-remove command.


CLI (network-admin@Leaf1) > vlan-port-remove


vlan-port-remove

Remove ports from VLANs.

Specify one of the following VLAN parameters:


vlan-id 2..4092

Specify the VLAN ID from which ports are to be removed.

vlan-range vlan-list

Specify the range of VLAN IDs from which ports are to be removed.

vlan-vnet vnet-name

Specify the vNET for the VLANs from which ports are to be removed.

Provide one of the following port arguments:


switch switch-name

Specify the name of the switch on which the ports are located.

ports port-list

Specify the ports that need to be removed from the VLANs as a list separated by commas.


The vlan-show command displays the VLAN information.


CLI (network-admin@Leaf1) > vlan-show


vlan-show

Display VLAN information.

Specify one of the following VLAN parameters:


id 2..4092

Specify the VLAN ID for which the information has to be displayed.

range vlan-list

Specify the range of VLAN IDs for which the information has to be displayed.

vnet vnet-name

Specify the vNET for which VLAN information has to be displayed.

type [public | private]

Specify either of the type options to display information for public VLANs or private VLANs.

vxlan 1..16777215

Specify the VXLAN identifier for the tunnel.

vxlan-mode [standard | transparent | qinq-access]

Specify any of the VXLAN modes to display information for standard, transparent, or Q-in-Q modes.

hw-vpn hw-vpn-number

Specify the hardware VPN number to display the related information.

hw-mcast-group hw-mcast-group-number

Specify the hardware multi-cast group number to display the related information.

replicators [vtep-group name | none]

Provide a VTEP group name to view the VLAN information for that replicator group. Specify none to view the information on VLANs that do not involve replicator groups.

repl-vtep ip-address

Specify the IP address of the replicator VTEP to view the related information.

public-vlan 2..4092

Specify the public VLAN ID for vNET VLAN to view the related information.

scope [local | cluster | fabric]

Provide any of the scope options to view the information on VLANs with that specified scope.

description description-string

Specify a description to view the information on VLANs with that specific description.

active [yes | no]

Specify yes to view information on active VLANs.

Specify no to view information on inactive VLANs.


For example:


CLI (network-admin@Leaf1) > vlan-show layout vertical


switch:            leaf1
id:                1
type:              public
auto-vxlan:        no
replicators:       none
scope:             local
description:       default-1
active:            yes
stats:             yes
ports:             2-72
untagged-ports:    2-69
active-edge-ports: 69-70


CLI (network-admin@Leaf1) > vlan-show format all layout vertical


switch:            leaf1
id:                1
type:              public
auto-vxlan:        no
hw-vpn:            0
hw-mcast-group:    0
replicators:       none
repl-vtep:         ::
scope:             local
description:       default-1
active:            yes
stats:             yes
vrg:               0:0
ports:             2-72
untagged-ports:    2-69
active-edge-ports: 69


Network traffic statistics per VLAN can be displayed using the vlan-stats-show command. This command may be useful when troubleshooting network issues.


CLI (network-admin@Leaf1) > vlan-stats-show format all layout vertical


switch:       Leaf2
time:         10:51:02
vlan:         1
vnet:
ibytes:       36.2T
ipkts:        89.0G
idrops-bytes: 119M
idrops-pkts:  313K
obytes:       0
opkts:        0
odrops-bytes: 0
odrops-pkts:  0

switch:       Leaf2
time:         10:51:02
vlan:         35
vnet:
ibytes:       10.8K
ipkts:        154
idrops-bytes: 0
idrops-pkts:  0
obytes:       0
opkts:        0
odrops-bytes: 0
odrops-pkts:  0

switch:       Leaf1
time:         10:51:02
vlan:         1
vnet:
ibytes:       34.9T
ipkts:        84.6G
idrops-bytes: 3.03M
idrops-pkts:  5.69K
obytes:       0
opkts:        0
odrops-bytes: 0
odrops-pkts:  0


The output displays the following information:


  • switch — switch name
  • time — when the output was generated
  • VLAN ID — ID assigned to the VLAN
  • vnet — the vNET assigned to the VLAN
  • incoming and outgoing bytes — in K (Kilobytes), M (Megabytes), or G (Gigabytes)
  • incoming and outgoing packets — number of packets incoming and outgoing
  • incoming and outgoing dropped bytes — in K (Kilobytes), M (Megabytes), or G (Gigabytes)
  • incoming and outgoing dropped packets — number of dropped packets incoming and outgoing
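Both vlan-show and vlan-stats-show print "key: value" lines in the vertical layout, so one parser serves both. The Python below is an added example, not Netvisor ONE code: it turns the vertical output into one dict per record (a record starts at each switch: line), then runs two checks a reviewer of a VLAN configuration would want: the ports on which VLAN 1 is still the untagged VLAN (where an unmanaged device plugged in without a tag lands in the default fabric VLAN), and the share of received packets each VLAN dropped, converting the K/M/G/T suffixes shown in the output. The sample output is constructed from the page's examples; the second vlan-show record (VLAN 35 on ports 70 to 72) is invented for illustration.

```python
# Added example (not Netvisor ONE code): parse "layout vertical" output of
# vlan-show and vlan-stats-show and run two checks on the records.
# The sample output is constructed from the page's examples; the VLAN 35
# vlan-show record is invented.

VLAN_SHOW = """\
switch:            leaf1
id:                1
scope:             local
ports:             2-72
untagged-ports:    2-69
switch:            leaf1
id:                35
scope:             fabric
ports:             70-72
untagged-ports:    70
"""

VLAN_STATS = """\
switch:       Leaf2
time:         10:51:02
vlan:         1
vnet:
ibytes:       36.2T
ipkts:        89.0G
idrops-bytes: 119M
idrops-pkts:  313K
switch:       Leaf2
time:         10:51:02
vlan:         35
vnet:
ibytes:       10.8K
ipkts:        154
idrops-bytes: 0
idrops-pkts:  0
"""


def parse_vertical(text):
    """Split 'key: value' lines into one dict per record. Each record begins
    with its 'switch:' field, so that key starts a new dict; partitioning on
    the first colon keeps values such as 10:51:02 intact."""
    records, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "switch":
            cur = {}
            records.append(cur)
        cur[key] = value
    return records


def expand_ports(spec):
    """'2-69,72' -> {2, ..., 69, 72}; an empty field means no ports."""
    ports = set()
    for item in filter(None, spec.split(",")):
        lo, _, hi = item.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def ports_with_vlan1_untagged(records):
    """Ports on which VLAN 1, the default fabric VLAN, is still untagged."""
    found = set()
    for r in records:
        if r.get("id") == "1":
            found |= expand_ports(r.get("untagged-ports", ""))
    return sorted(found)


SUFFIX = {"K": 1e3, "M": 1e6, "G": 1e9, "T": 1e12}


def to_number(value):
    """Counters are printed with K/M/G/T suffixes, e.g. '3.03M' or '313K'."""
    if value and value[-1] in SUFFIX:
        return float(value[:-1]) * SUFFIX[value[-1]]
    return float(value or 0)


def incoming_drop_ratios(records):
    """(switch, vlan) -> idrops-pkts / ipkts; 0.0 when nothing was received."""
    ratios = {}
    for r in records:
        ipkts = to_number(r.get("ipkts", "0"))
        drops = to_number(r.get("idrops-pkts", "0"))
        ratios[(r["switch"], r["vlan"])] = drops / ipkts if ipkts else 0.0
    return ratios


if __name__ == "__main__":
    print("VLAN 1 untagged on ports:", ports_with_vlan1_untagged(parse_vertical(VLAN_SHOW)))
    for key, ratio in incoming_drop_ratios(parse_vertical(VLAN_STATS)).items():
        print(key, f"{ratio:.2e}")
```

To use it against a live switch, replace the two constants with the captured output of the corresponding vlan-show or vlan-stats-show command; the parser only depends on the field names documented above.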