About static VLAN operation

A group of networked ports assigned to a VLAN form a broadcast domain configured on the switch. On a given switch, packets are bridged between source and destination ports that belong to the same VLAN. Thus, all ports passing traffic for a particular subnet address should be configured to the same VLAN. Cross-domain broadcast traffic in the switch is eliminated and bandwidth is saved by not allowing packets to flood out all ports.

Comparative operation of port based and protocol based VLANs

IP Addressing

Port-based VLANs: Usually configured with at least one unique IP address.

A port-based VLAN can have no IP address. However, this limits the switch features available to ports on that VLAN.

Multiple IP addresses allow multiple subnets within the same VLAN.

Protocol-based VLANs: You can configure IP addresses on all protocol VLANs. However, IP addressing is used only on IPv4 and IPv6 VLANs.

Restrictions:

Loopback interfaces share the same IP address space with VLAN configurations.

The maximum number of IP addresses supported on a switch is 2048, which includes all IP addresses configured for both VLANs and loopback interfaces (except for the default loopback IP address 127.0.0.1).

Each IP address configured on a VLAN interface must be unique in the switch; it cannot be used by another VLAN interface or by a loopback interface.

Untagged VLAN Membership

Port-based VLANs: A port can be a member of one untagged, port-based VLAN. All other port-based VLAN assignments for that port must be tagged.

Protocol-based VLANs: A port can be an untagged member of one protocol VLAN of a specific protocol type, such as IPX or IPv6. If the same protocol type is configured in multiple protocol VLANs, then a port can be an untagged member of only one of those. For example, if you have two protocol VLANs, 100 and 200, and both include IPX, then a port can be an untagged member of either VLAN 100 or VLAN 200, but not both.

A port's untagged VLAN memberships can include up to four different protocol types. It can be an untagged member of one of the following:

  • Four single-protocol VLANs

  • Two protocol VLANs where one VLAN includes a single protocol and the other includes up to three protocols

  • One protocol VLAN where the VLAN includes four protocols

Tagged VLAN Membership

Port-based VLANs: A port can be a tagged member of any port-based VLAN.

Protocol-based VLANs: A port can be a tagged member of any protocol-based VLAN.

Routing

Port-based VLANs: The switch can internally route IP (IPv4) traffic between port-based VLANs and between port-based and IPv4 protocol-based VLANs if the switch configuration enables IP routing.

If the switch is not configured to route traffic internally between port-based VLANs, then an external router must be used to move traffic between VLANs.

Protocol-based VLANs: If the switch configuration enables IP routing, the switch can internally route IPv4 traffic as follows:

  • Between multiple IPv4 protocol-based VLANs

  • Between IPv4 protocol-based VLANs and port-based VLANs.

Other protocol-based VLANs require an external router for moving traffic between VLANs.


NOTE: NETbeui and SNA are non-routable protocols. End stations intended to receive traffic in these protocols must be attached to the same physical network.


Commands for Configuring Static VLANs

vlan vid [ tagged | untagged [ e | port-list ]]

vlan vid protocol [ ipx | ipv4 | ipv6 | arp | appletalk | sna | netbeui ]

vlan vid [ tagged | untagged [ e | port-list ]]
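As an added example (not from this guide), the untagged-membership rules above applied as a pre-deployment check over configuration lines written in the "vlan vid ..." command syntax listed here. The sample configuration is constructed, the port-list form "1-4,7" is an assumption, and VLAN 1 (the default) is not modelled.

```python
import re
from collections import defaultdict

# Constructed sample in the page's "vlan vid ..." syntax; VLAN 1 (the default) is not modelled.
SAMPLE_CONFIG = """
vlan 10 untagged 1-4
vlan 100 protocol ipx
vlan 100 protocol appletalk
vlan 100 untagged 1-2
vlan 200 protocol ipx
vlan 200 untagged 2
vlan 300 untagged 3
"""
def expand_ports(port_list):
    # Expand a port list such as '1-4,7' into a list of port numbers (assumed format).
    ports = []
    for item in port_list.split(","):
        lo, _, hi = item.partition("-")
        ports.extend(range(int(lo), int(hi or lo) + 1))
    return ports
def parse_config(text):
    """Return (protocol types by VID, untagged VIDs by port); tagged lines are accepted but not checked."""
    protocols, untagged = defaultdict(set), defaultdict(list)
    for line in text.strip().splitlines():
        m = re.match(r"vlan (\d+) (protocol|tagged|untagged) (\S+)$", line.strip())
        if m is None:
            raise ValueError(f"unrecognised line: {line!r}")
        vid, kind, arg = int(m[1]), m[2], m[3]
        if kind == "protocol":
            protocols[vid].add(arg)          # a VLAN with protocol lines is a protocol VLAN
        elif kind == "untagged":
            for port in expand_ports(arg):
                untagged[port].append(vid)
    return protocols, untagged
def check_untagged_rules(protocols, untagged):
    """Return the untagged-membership violations found (empty list when the config is valid)."""
    errors = []
    for port, vids in sorted(untagged.items()):
        port_based = [v for v in vids if v not in protocols]
        if len(port_based) > 1:              # rule: one untagged port-based VLAN per port
            errors.append(f"port {port}: untagged in more than one port-based VLAN {port_based}")
        seen = {}  # protocol type -> VID in which this port is already an untagged member
        for v in vids:
            for proto in protocols.get(v, ()):
                if proto in seen:            # rule: one untagged VLAN per protocol type
                    errors.append(f"port {port}: {proto} untagged in VLANs {seen[proto]} and {v}")
                seen[proto] = v
        if len(seen) > 4:                    # rule: at most four untagged protocol types
            errors.append(f"port {port}: {len(seen)} untagged protocol types (limit is four)")
    return errors
```

Running the check on SAMPLE_CONFIG reports port 2 (IPX untagged in both VLAN 100 and 200) and port 3 (untagged in two port-based VLANs).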

VLAN environments

You can configure different VLAN types in any combination. The default VLAN will always be present.

VLAN environment: The default VLAN (port-based; VID of 1) only

Elements: In the default VLAN configuration, all ports belong to VLAN 1 as untagged members.

VLAN 1 is a port-based VLAN, for IPv4 traffic.

VLAN environment: Multiple VLAN environment

Elements: In addition to the default VLAN, the configuration can include one or more other port-based VLANs and one or more protocol VLANs.

The switches covered in this guide allow up to 2048 VLANs (VIDs up to 4094) of all types.

Using VLAN tagging, ports can belong to multiple VLANs of all types.

Enabling routing on the switch enables it to route IPv4 traffic between port-based VLANs and between port-based VLANs and IPv4 protocol VLANs. Routing other types of traffic between VLANs requires an external router capable of processing the appropriate protocols.

VLAN operation

General VLAN operation

  • A VLAN is composed of multiple ports operating as members of the same subnet or broadcast domain.

  • Ports on multiple devices can belong to the same VLAN.

  • Traffic moving between ports in the same VLAN is bridged (or switched).

  • Traffic moving between different VLANs must be routed.

  • A static VLAN is an 802.1Q-compliant VLAN, configured with one or more ports that remain members regardless of traffic usage.

  • A dynamic VLAN is an 802.1Q-compliant VLAN membership that the switch temporarily creates on a port to provide a link to another port in the same VLAN on another device.

Types of static VLANs available in the switch

Port-based VLANs

This type of static VLAN creates a specific layer-2 broadcast domain comprised of member ports that bridge IPv4 traffic among themselves. Port-Based VLAN traffic is routable on the switches covered in this guide.

Protocol-based VLANs

This type of static VLAN creates a layer-3 broadcast domain for traffic of a particular protocol, and is composed of member ports that bridge traffic of the specified protocol type among themselves. Some protocol types are routable on the switches covered in this guide; see Comparative operation of port based and protocol based VLANs.

Designated VLANs

The switch uses these static, port-based VLAN types to separate switch management traffic from other network traffic. While these VLANs are not limited to management traffic, they provide improved security and availability.

Default VLAN

This port-based VLAN is always present in the switch and, in the default configuration, includes all ports as members.

Primary VLAN

The switch uses this port-based VLAN to run certain features and management functions, including DHCP/Bootp responses for switch management. In the default configuration, the Default VLAN is also the Primary VLAN. However, any port-based, non-default VLAN can be designated the Primary VLAN.

Secure Management VLAN

This optional, port-based VLAN establishes an isolated network for managing HP switches that support this feature. Access to this VLAN and to the switch's management functions is available only through ports configured as members.

Voice VLANs

This optional, port-based VLAN type enables separating, prioritizing, and authenticating voice traffic moving through your network, avoiding the possibility of broadcast storms affecting VoIP (Voice-over-IP) operation.


NOTE: In a multiple-VLAN environment that includes older switch models there may be problems related to the same MAC address appearing on different ports and VLANs on the same switch. In such cases the solution is to impose cabling and VLAN restrictions.


The default VLAN

Except for an IP address and subnet, no configuration steps are needed.

A switch in the default VLAN configuration

Devices connected to these ports are in the same broadcast domain.

Multiple port-based VLANs

In the figure "A switch with multiple VLANs configured and internal routing disabled", routing within the switch is disabled (the default). This means that communication between any routable VLANs on the switch must go through the external router. In this case, VLANs W and X can exchange traffic through the external router, but traffic in VLANs Y and Z is restricted to the respective VLANs.

Note that VLAN 1 (the default) is present but not shown. The default VLAN cannot be deleted from the switch, but ports assigned to other VLANs can be removed from the default VLAN. If internal (IP) routing is enabled on the switch, then the external router is not needed for traffic to move between port-based VLANs.

A switch with multiple VLANs configured and internal routing disabled

Protocol VLAN environment

The figure "A switch with multiple VLANs configured and internal routing disabled" also illustrates a protocol VLAN environment. In this case, VLANs W and X represent routable protocol VLANs. VLANs Y and Z can be any protocol VLAN.

As noted for the discussion of multiple port-based VLANs, VLAN 1 is not shown. Enabling internal (IP) routing on the switch allows IP traffic to move between VLANs on the switch, but routable, non-IP traffic always requires an external router.

Routing options for VLANs

Options for routing between VLAN types in the switch

                    Port-Based  IPX     IPv4  IPv6    ARP     AppleTalk  SNA[2]  NETbeui[2]
Port-Based          Yes         -       Yes   -       -       -          -       -
Protocol IPX        -           Yes[1]  -     -       -       -          -       -
Protocol IPv4       Yes         -       Yes   -       -       -          -       -
Protocol IPv6       -           -       -     Yes[1]  -       -          -       -
Protocol ARP        -           -       -     -       Yes[1]  -          -       -
Protocol AppleTalk  -           -       -     -       -       Yes[1]     -       -
Protocol SNA        -           -       -     -       -       -          -       -
Protocol NETbeui    -           -       -     -       -       -          -       -

- : no routing option between these VLAN types.

[1] Requires an external router to route between VLANs.

[2] Not a routable protocol type. End stations intended to receive traffic in these protocols must be attached to the same physical network.

Overlapping (Tagged) VLANs

A port can be a member of more than one VLAN of the same type if the device to which the port connects complies with the 802.1Q VLAN standard.

For example, a port connected to a central server using a network interface card (NIC) that complies with the 802.1Q standard can be a member of multiple VLANs, allowing members of multiple VLANs to use the server.

  • Although these VLANs cannot communicate with each other through the server, they can all access the server over the same connection from the switch.

  • Where VLANs overlap in this way, VLAN "tags" are used in the individual packets to distinguish between traffic from different VLANs.

  • A VLAN tag includes the particular VLAN ID (VID) of the VLAN on which the packet was generated.

Overlapping VLANs using the same server

Similarly, using 802.1Q-compliant switches, you can connect multiple VLANs through a single switch-to-switch link.

Connecting multiple VLANs through the same link
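As an added example that is not part of this guide, the 802.1Q tag described above, built and parsed in Python to show how the VID inside a frame lets a switch keep overlapping VLANs apart on a single server or switch-to-switch link. The MAC addresses and payload are constructed; treating VID 0 (a priority-tagged frame) as untagged follows the 802.1Q standard rather than this page.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

def build_frame(dst, src, ethertype, payload, vid=None, pcp=0, dei=0):
    """Build an Ethernet frame; when vid is given, insert one 802.1Q tag after the MAC addresses."""
    header = dst + src
    if vid is not None:
        if not 0 <= vid <= 4095:
            raise ValueError("VID must fit in 12 bits")
        tci = (pcp << 13) | (dei << 12) | vid   # TCI layout: PCP(3) | DEI(1) | VID(12)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload

def parse_tag(frame):
    """Return (vid, pcp, ethertype); vid and pcp are None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None, None, ethertype            # no tag: the port's untagged VLAN applies
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack_from("!HH", frame, 14)
    return tci & 0x0FFF, tci >> 13, inner_type

def classify(frame, port_untagged_vid):
    """VID the switch assigns to the frame: the tag's VID, or the port's untagged VLAN
    for untagged frames and for priority-tagged frames (VID 0, per 802.1Q)."""
    vid, _, _ = parse_tag(frame)
    return port_untagged_vid if not vid else vid

# Constructed sample frames (locally administered fake MACs, dummy IPv4 payload).
SERVER = bytes.fromhex("02000000aa01")
HOST = bytes.fromhex("02000000bb02")
PAYLOAD = b"\x45" + b"\x00" * 19
TAGGED_100 = build_frame(SERVER, HOST, 0x0800, PAYLOAD, vid=100, pcp=5)
UNTAGGED = build_frame(SERVER, HOST, 0x0800, PAYLOAD)
PRIORITY_ONLY = build_frame(SERVER, HOST, 0x0800, PAYLOAD, vid=0, pcp=7)
```

On a port whose untagged VLAN is 1, TAGGED_100 is delivered to VLAN 100 while UNTAGGED and PRIORITY_ONLY both land in VLAN 1.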