SmartConnect User’s Guide

VLANs

Network Segmentation

Virtual Local Area Networks (VLANs) are commonly used to split up groups of network users into manageable broadcast domains, to create logical segmentation of workgroups, and to enforce security policies among logical segments.

By default, the VSE SmartConnect software treats all VLAN traffic as regular, untagged traffic (as if no VLAN is assigned), and does not use VLAN information for making decisions on whether to forward, drop, or segment traffic.

Switches with VSE SmartConnect software use VSGs to provide similar network segmentation functions without the need to alter the configuration of the broader network.

Though VSG numbers do not technically correlate to any specific VLAN IDs, if VSGs are used as a way to emulate VLANs in the switch, for ease of management the administrator can set the name of the VSG to reflect the equivalent VLAN identity.

Port Access

VLAN security policies can be enforced for ports within VSGs by using Access Control Lists (ACLs). Port ACLs can be configured to consider a packet’s VLAN ID for making decisions on whether to permit or deny the packet’s ingress.

ACLs can be configured in the BBI through the Switch Policy menus (see “Access Control Lists” on page 106 and “Access Control List Sets” on page 111), and applied to ports through the Virtual Switch Groups menu (see “Virtual Switch Groups ACL QoS” on page 100).

Port-Based VLAN Tagging

Each internal and external port can be independently configured with a Port VLAN ID (PVID) for tagging purposes. Under specific circumstances, the configured VLAN ID will be added to or stripped from traffic passing through the switch.

• Upon the ingress of untagged packets:

  - If the PVID on the port is 0 (the default), the packets will remain untagged.

  - If the PVID on the port is set to any value other than 0, the switch will tag the packets, placing the port’s VLAN identifier into the frame headers. One application of this feature is to set a VLAN for traffic outbound from servers that do not perform their own VLAN tagging.
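A small model of the two rules described above: the PVID tagging of untagged ingress frames, and a port ACL that permits or denies ingress based on the frame's VLAN ID. This is an added Python example, not code from the guide or from the SmartConnect software; the frame bytes are constructed here, and the ACL's default action, the handling of frames that arrive already tagged, and evaluating the ACL after PVID tagging are all assumptions the page does not state.

```python
import struct

TPID_8021Q = 0x8100  # 802.1Q tag protocol identifier

def build_untagged_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Build a plain Ethernet II frame with no VLAN tag (sample input is constructed)."""
    return dst + src + struct.pack("!H", ethertype) + payload

def is_tagged(frame: bytes) -> bool:
    """True if an 802.1Q tag follows the source MAC address."""
    return len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q

def vlan_id(frame: bytes):
    """12-bit VID from the tag control field, or None for an untagged frame."""
    if not is_tagged(frame):
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF

def ingress_tag(frame: bytes, pvid: int) -> bytes:
    """Apply the PVID rule to an ingress frame: PVID 0 leaves an untagged frame
    untagged; any other PVID inserts a tag carrying that VID. Frames that arrive
    already tagged are returned unchanged (assumption: the page only describes
    untagged ingress)."""
    if is_tagged(frame) or pvid == 0:
        return frame
    if not 1 <= pvid <= 4094:
        raise ValueError("PVID must be 0 or a VID in 1..4094")
    tag = struct.pack("!HH", TPID_8021Q, pvid)  # priority 0, DEI 0, VID = pvid
    return frame[:12] + tag + frame[12:]

def port_acl_permits(frame: bytes, acl, default: str = "deny") -> bool:
    """Evaluate an ordered port ACL against the frame's VLAN ID. Each entry is
    (vid, action); vid None matches any frame, tagged or not. The action taken
    when no entry matches is a parameter (assumption: the page does not state
    the switch's implicit behaviour)."""
    vid = vlan_id(frame)
    for entry_vid, action in acl:
        if entry_vid is None or entry_vid == vid:
            return action == "permit"
    return default == "permit"

if __name__ == "__main__":
    # Constructed sample: a broadcast frame from a server that does not tag its own traffic.
    frame = build_untagged_frame(b"\xff" * 6, b"\x00\x11\x22\x33\x44\x55", 0x0806, b"\x00" * 46)
    acl = [(100, "permit"), (None, "deny")]  # only VLAN 100 may enter this port
    for pvid in (0, 100, 200):
        after = ingress_tag(frame, pvid)
        print(f"PVID {pvid:>3}: VID={vlan_id(after)} permitted={port_acl_permits(after, acl)}")
```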

28 | Chapter 3: Switch Virtualization

BMD00082, February 2009
