Understanding and Configuring VLANs
A Virtual Local Area Network (VLAN) enables devices to be segmented into logically separate broadcast domains within the same LAN. VLANs improve network performance by directing network traffic only to the parts of the network that need to receive it. Network segments so created keep traffic isolated based on the respective VLAN IDs associated to the transmitted frames. Applying targeted security features to specific network areas is also made simpler through the use of VLANs.
As per the standards, Netvisor ONE uses the 12-bit field in the header of each packet as a VLAN identifier or VLAN tag. The maximum number of VLANs that can be defined is 4092. VLANs 4093, 4094, and 4095 are reserved for internal use while VLAN 1 is the default fabric VLAN for untagged traffic. Untagged packets can be mapped to any VLAN, but Netvisor ONE maps this traffic to VLAN 1 by default.
Configuring an untagged VLAN is necessary while connecting a switch to devices that do not support IEEE802.1Q VLAN tags. The ports on a switch can be configured to automatically map untagged packets to a specific VLAN. Netvisor ONE also allows you to block untagged traffic on a port basis, that is, the untagged VLAN on a port can be removed or deleted.
About VLAN 1
- VLAN 1 is enabled on all ports by default. However, VLAN 1 can be removed from any port on which it is the untagged VLAN. Now, the port has no untagged VLANs and all untagged traffic is dropped on that port.
- To generalize the point above, if VLAN x is the untagged VLAN for a port and if VLAN x is removed from that port, then the port has no untagged VLAN and all untagged traffic is dropped on that port.
- VLAN 1 can also function as a tagged VLAN for a port. This happens automatically in cases where VLAN 1 is the default untagged VLAN, and then another VLAN is configured as an untagged VLAN on the port.
- VLAN 1 cannot be created or deleted. VLAN 1 configuration is stored in persistent storage.
The default fabric VLAN can be changed from VLAN 1 to another VLAN ID using the command fabric-local-modify.For example, to set VLAN 20 as the default fabric VLAN, use the command:
CLI (network-admin@Leaf1) > fabric-local-modify vlan 20
Warning: If you create a VLAN with scope fabric and configure it as the untagged VLAN on all ports, it can disrupt the fabric communication.
Note: The untagged VLAN feature is not the same as the default VLAN using the IEEE 802.1Q tag 1.
The vlan-create command creates VLANs on the current switch.
CLI(network-admin@Leaf1) > vlan-create
vlan-create |
Creates a VLAN. You can create a VLAN either by specifying a VLAN ID or by specifying a range of VLAN IDs. |
id 2...4092 |
Specify the VLAN ID between 2 and 4092. Note: VLAN 0 and 1 represents all untagged or non-VLAN traffic, VLANs 4093, 4094, and 4095 are reserved for internal use. |
range vlan-list |
Specify the range of VLAN IDs. Use this parameter if you want to specify a VLAN range instead of a VLAN ID. |
scope [local|cluster|fabric] |
Specify the VLAN scope as local, cluster, or fabric. |
Specify any of the following options: |
|
vnet vnet-name |
Specify the vNET name for this VLAN. Note: A vNET segregates a physical fabric into many logical networks, each with separate resources, network services, and Quality of Service (QoS) guarantees. |
vxlan 1..16777215 |
Specify the VXLAN identifier for the tunnel. |
auto-vxlan|no-auto-vxlan |
Specify if you want to enable or disable auto-vxlan. Enabling this option automatically assigns a user-defined VLAN/VNI mapping to all VTEP connections in the fabric. If the vxlan option is not specified, the software assigns a VNI automatically. |
vxlan-mode [standard|transparent|qinq-access] |
Specify the VXLAN encapsulation mode as standard, transparent, or Q-in-Q. |
replicators [vtep-group name|none] |
Specify the replicator group. Provide a VTEP group name to add a replicator. Specify none to not add a replicator or remove a configured replicator. |
public-vlan 2..4092 |
Specify the Public VLAN for vNET VLAN. |
description description-string |
Provide a VLAN description. |
stats|no-stats |
Use the options to enable or disable statistics collection for the VLANs being created. |
ports port-list |
Specify the ports assigned to the VLAN as list separated by commas. |
untagged-ports port-list |
Specify the untagged ports assigned to the VLAN as a list separated by commas. |
Note: Netvisor ONE allows you to create a large number of VLANs by using the vlan-create command and the range keyword. However, in large network topologies with several nodes with heavy CPU traffic, the CLI may timeout if you create large number of VLANs. In such scenarios, try creating smaller number of VLANs.
By default, all ports are tagged on a newly created VLAN. However, if you want to specify select ports that should be trunked, then use the optional parameter ports with a comma separated list of ports, or specify a range of ports.
In some cases, you may not want a VLAN to be created on all ports. You can specify the port parameter as none to apply the VLAN only to the internal ports. For example:
CLI (network-admin@Leaf1) > vlan-create id 35 scope fabric ports none
To delete an existing VLAN, use the command:
CLI (network-admin@Leaf1) > vlan-delete
vlan-delete |
Deletes a VLAN either by ID or by a range of IDs. |
id 2...4092 |
Specify the VLAN ID that you want to delete. |
range vlan-list |
Specify the range of VLAN IDs that you want to delete. Use this parameter instead of id, if you want to specify a VLAN range. |
Specify the following option: |
|
vnet vnet-name |
Specify the name of the vNET from which the VLANs are to be deleted. |
Configuration of an existing VLAN can be modified using the vlan-modify command.
CLI (network-admin@Leaf1) >vlan-modify
vlan-modify |
Modify a VLAN by specifying the VLAN ID. |
id 2...4092 |
Specify the VLAN ID that you intend to modify. |
between 1 and 4 of the following options: |
|
description description-string |
Provide a VLAN description. |
vxlan 1..16777215 |
Specify the VXLAN identifier for the tunnel. |
replicators [vtep-group name | none] |
Specify the replicator group. Provide a VTEP group name to add a replicator. Specify none to not add a replicator or remove a configured replicator. |
vnet vnet name |
Specify the vNET name for this VLAN. |
public-vlan 2..4092 |
Specify the public VLAN ID for vNET VLAN. Note: Public VLAN ID can only be specified for private VLANs. |
For example, to modify VLAN25 description from blue to red:
CLI (network-admin@Leaf1) > vlan-modify id 25 description red
This description can be removed from VLAN25 using the command:
CLI (network-admin@Leaf1) > vlan-modify id 25 description ""
Netvisor ONE allows the addition of ports to a VLAN through the vlan-port-add command.
CLI (network-admin@Leaf1) > vlan-port-add
vlan-port-add |
Add ports to VLANs. |
Specify one of the following VLAN parameters: |
|
vlan-id 2..4092 |
Specify the VLAN ID to which ports are to be added. |
vlan-range vlan-list |
Specify the range of VLAN IDs to which ports are to be added. |
vlan-vnet vnet-name |
Specify the vNET for the VLANs to which the ports are to be added. |
Provide one of the following port arguments: |
|
switch switch-name |
Specify the name of the switch on which the ports are located. |
ports port-list |
Specify the ports that need to be added to the VLANs as a list separated by commas. |
[untagged | tagged] |
Specify either of the options to configure the ports as untagged or tagged ports. |
For example, to configure ports 17 and 18 to accept untagged packets and map them to VLAN 595, use the following command:
CLI (network-admin@Leaf1) > vlan-port-add vlan-id 595 ports 17,18 untagged
To map ports on different switches into the scope fabric VLAN, use the following command:
CLI (network-admin@Leaf1) > vlan-port-add vlan-id 1-4095 switch switch-name ports port-list
Ports can be removed from a VLAN through the vlan-port-remove command.
CLI (network-admin@Leaf1) > vlan-port-remove
vlan-port-remove |
Remove ports from VLANs. |
Specify one of the following VLAN sectors: |
|
vlan-id 2..4092 |
Specify the VLAN ID from which ports are to be removed. |
vlan-range vlan-list |
Specify the range of VLAN IDs from which ports are to be removed |
vlan-vnet vnet name |
Specify the vNET for the VLANs from which ports are to be removed. |
Provide one of the following port arguments: |
|
switch switch name |
Specify the name of the switch on which the ports are located. |
port port list |
Specify the ports that need to be removed from the VLANs as a list separated by commas. |
The vlan-show command displays the VLAN information.
CLI (network-admin@Leaf1) > vlan-show
vlan-show |
Display VLAN information. |
Specify one of the following VLAN sectors: |
|
id 2..4092 |
Specify the VLAN ID for which the information has to be displayed. |
range vlan-list |
Specify the range of VLAN IDs for which the information has to be displayed. |
vnet vnet name |
Specify the vNET for which VLAN information has to be displayed. |
type [public | private] |
Specify either of the type options to display information for public VLANs or private VLANs. |
vxlan 1..16777215 |
Specify the VXLAN identifier for the tunnel. |
vxlan-mode [standard | transparent | qinq-access] |
Specify any of the VXLAN modes to display information for standard, transparent, or q-in-q modes. |
hw-vpn hw-vpn-number |
Specify the hardware VPN number to display the related information. |
hw-mcast-group hw-mcast-group-number |
Specify the hardware multi-cast group number to display the related information. |
replicators [vtep-group name | none] |
Provide a VTEP group name to view the VLAN information for that replicator group. Specify none to view the information on VLANs that do not involve replicator groups. |
repl-vtep ip-address |
Specify the IP address of the replicator VTEP to view the related information. |
public-vlan 2..4092 |
Specify the public VLAN ID for vNET VLAN to view the related information. |
scope [local | cluster | fabric] |
Provide any of the scope options to view the information on VLANs with that specified scope. |
description description-string |
Specify a description to view the information on VLANs with that specific description. |
active [yes | no] |
Specify yes to view information on active VLANs. Specify no to view information on inactive VLANs. |
For example: CLI (network-admin@Leaf1) > vlan-show layout vertical
switch: leaf1
id: 1
type: public
auto-vxlan: no
replicators: none
scope: local
description: default-1
active: yes
stats: yes
ports: 2-72
untagged-ports: 2-69
active-edge-ports: 69-70
CLI (network-admin@Leaf1) > vlan-show format all layout vertical
switch: leaf1
id: 1
type: public
auto-vxlan: no
hw-vpn: 0
hw-mcast-group: 0
replicators: none
repl-vtep: ::
scope: local
description: default-1
active: yes
stats: yes
vrg: 0:0
ports: 2-72
untagged-ports: 2-69
active-edge-ports: 69
Network traffic statistics per VLAN can be displayed using the vlan-stats-show command. This command may be useful when troubleshooting network issues.
CLI (network-admin@Leaf1) > vlan-stats-show format all layout vertical
switch: Leaf2
time: 10:51:02
vlan: 1
vnet:
ibytes: 36.2T
ipkts: 89.0G
idrops-bytes: 119M
idrops-pkts: 313K
obytes: 0
opkts: 0
odrops-bytes: 0
odrops-pkts: 0
switch: Leaf2
time: 10:51:02
vlan: 35
vnet:
ibytes: 10.8K
ipkts: 154
idrops-bytes: 0
idrops-pkts: 0
obytes: 0
opkts: 0
odrops-bytes: 0
odrops-pkts: 0
switch: Leaf1
time: 10:51:02
vlan: 1
vnet:
ibytes: 34.9T
ipkts: 84.6G
idrops-bytes: 3.03M
idrops-pkts: 5.69K
obytes: 0
opkts: 0
odrops-bytes: 0
odrops-pkts: 0
The output displays the following information:
- switch — switch name
- time — when the output was generated
- VLAN ID — ID assigned to the VLAN
- vnet — the vNET assigned to the VLAN
- incoming and outgoing bytes — in K (Kilobytes), M (Megabytes), or G (Gigabytes)
- incoming and outgoing packets — number of packets incoming and outgoing
- incoming and outgoing dropped bytes — in K (Kilobytes), M (Megabytes), or G (Gigabytes)
- incoming and outgoing dropped packets — number of dropped packets incoming and outgoing