Allied Telesis 2.6.1 manual: Summary of VLAN tagging rules, Protected VLANs

Page 79

Layer 2 Switching

Summary of VLAN tagging rules

When designing a VLAN and adding ports to VLANs, the following rules apply.

1. Each port, except for the mirror port, must belong to at least one static VLAN. By default, a port is an untagged member of the default VLAN.

2. A port can be untagged for zero or one VLAN. A port that is untagged for a VLAN transmits frames destined for that VLAN without a VLAN tag in the Ethernet frame.

3. A port can be tagged for zero or more VLANs. A port that is tagged for a VLAN transmits frames destined for that VLAN with a VLAN tag, including the numerical VLAN Identifier of the VLAN.

4. A port cannot be untagged and tagged for the same VLAN.

5. The mirror port, if there is one, is not a member of any VLAN.
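The five rules can be checked against a planned port assignment before it is entered on the switch. The following is an added example, not taken from the manual; the plan layout, the function name and the sample data are assumptions made for illustration.

```python
# Added example: validate a planned port-to-VLAN assignment against the five
# tagging rules. The plan layout and all names here are assumptions.

def check_tagging_rules(plan, mirror_port=None):
    """Return sorted (port, rule, message) tuples for every rule violation.

    plan maps port number -> {"untagged": [VIDs], "tagged": [VIDs]} and
    lists static VLAN memberships only.
    """
    violations = []
    for port, member in plan.items():
        untagged = set(member.get("untagged", []))
        tagged = set(member.get("tagged", []))
        if port == mirror_port:
            # Rule 5: the mirror port is not a member of any VLAN.
            if untagged or tagged:
                violations.append((port, 5, "mirror port is a VLAN member"))
            continue
        # Rule 1: every other port belongs to at least one static VLAN.
        if not untagged and not tagged:
            violations.append((port, 1, "port belongs to no VLAN"))
        # Rule 2: a port is untagged for zero or one VLAN.
        if len(untagged) > 1:
            violations.append((port, 2, f"untagged for VLANs {sorted(untagged)}"))
        # Rule 3 (tagged for zero or more VLANs) cannot be violated on its own.
        # Rule 4: never untagged and tagged for the same VLAN.
        for vid in sorted(untagged & tagged):
            violations.append((port, 4, f"untagged and tagged for VLAN {vid}"))
    return sorted(violations)


# Constructed sample plan (not from the manual); port 6 is the mirror port.
SAMPLE_PLAN = {
    1: {"untagged": [1], "tagged": []},         # default VLAN only: valid
    2: {"untagged": [10], "tagged": [20, 30]},  # one untagged, two tagged: valid
    3: {"untagged": [10, 20], "tagged": []},    # breaks rule 2
    4: {"untagged": [10], "tagged": [10]},      # breaks rule 4
    5: {"untagged": [], "tagged": []},          # breaks rule 1
    6: {"untagged": [1], "tagged": []},         # mirror port, breaks rule 5
}

if __name__ == "__main__":
    for port, rule, message in check_tagging_rules(SAMPLE_PLAN, mirror_port=6):
        print(f"port {port}: rule {rule} violated: {message}")
```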

Protected VLANs

If a VLAN is Protected, Layer 2 traffic between ports that are members of that VLAN is blocked. Traffic can still be Layer 3 switched to another VLAN. This prevents members of a Protected VLAN from communicating with each other while still allowing them to access another network. Layer 3 routing between ports in a Protected VLAN can be prevented by adding a Layer 3 filter. The Protected VLAN feature also allows all of the members of the Protected VLAN to be in the same subnet.

A typical application is a hotel installation where each room has a port that can be used to access the Internet. In this situation it is undesirable to allow communication between rooms.

To create a Protected VLAN, use the command:

CREATE VLAN=vlan-name VID=2..4094 [PROTECTED]

VLAN Interaction with STPs and Trunk Groups

Each VLAN and port can only belong to one Spanning Tree entity (STP). A port cannot be added to a VLAN that is in a different STP from the VLANs to which the port already belongs, with one exception. The exception is that an untagged port in the default VLAN can be moved from the default VLAN to any other VLAN in any STP, if the port belongs only to the default VLAN as an untagged port.

All the ports in a trunk group must have the same VLAN configuration: they must belong to the same VLANs and have the same tagging status, and can only be operated on as a group.
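The STP constraint, its default-VLAN exception and the trunk-group requirement can be modelled as two small checks. This is an added example, not code from the manual or the switch; the data layout, the function names, the default VID of 1 and the reading that the exception applies only to an untagged move are assumptions.

```python
# Added example: model of the STP and trunk-group constraints described above.
# Data layout, names and the default VID of 1 are assumptions, not switch code.

def can_join(member, target_vid, vlan_stp, as_untagged, default_vid=1):
    """Return True if a port may be added to target_vid under the STP rule.

    member is {"untagged": [VIDs], "tagged": [VIDs]} for one port;
    vlan_stp maps VID -> name of the STP the VLAN belongs to.
    """
    untagged, tagged = set(member["untagged"]), set(member["tagged"])
    # Exception: a port that belongs only to the default VLAN, as an untagged
    # port, can be moved to any other VLAN in any STP. Assumption: "moved"
    # means the port joins the target VLAN as an untagged member.
    if as_untagged and untagged == {default_vid} and not tagged:
        return True
    # General rule: the target VLAN must be in the same STP as every VLAN
    # the port already belongs to.
    current_stps = {vlan_stp[vid] for vid in untagged | tagged}
    return current_stps <= {vlan_stp[target_vid]}


def trunk_group_mismatches(plan, trunk_ports):
    """Return trunk ports whose VLANs or tagging differ from the first port."""
    def config(port):
        return (frozenset(plan[port]["untagged"]), frozenset(plan[port]["tagged"]))
    reference = config(trunk_ports[0])
    return [port for port in trunk_ports[1:] if config(port) != reference]


# Constructed sample data (not from the manual).
VLAN_STP = {1: "default", 10: "default", 20: "stp_b", 30: "stp_b"}
PLAN = {
    1: {"untagged": [1], "tagged": []},     # default VLAN only
    2: {"untagged": [1], "tagged": [10]},   # default VLAN plus a tagged VLAN
    3: {"untagged": [20], "tagged": [30]},  # trunk member
    4: {"untagged": [20], "tagged": []},    # trunk member missing VLAN 30
    5: {"untagged": [20], "tagged": [30]},  # trunk member matching port 3
}

if __name__ == "__main__":
    print(can_join(PLAN[1], 20, VLAN_STP, as_untagged=True))   # exception applies
    print(can_join(PLAN[2], 20, VLAN_STP, as_untagged=True))   # blocked by VLAN 10
    print(trunk_group_mismatches(PLAN, [3, 4, 5]))             # port 4 differs
```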

Software Release 2.6.1 C613-02039-00 REV A
