Understanding VLAN Assignments
A client is assigned to a VLAN by one of several methods, and there is an order of precedence by which VLANs are assigned. The VLAN assignment methods are (from lowest to highest precedence):
Tunnel-Type="VLAN" (13)
Tunnel-Medium-Type="IEEE-802" (6)
Tunnel-Private-Group-Id="101"
Aruba-User-VLAN
Aruba-Named-User-VLAN

VLAN Derivation Priorities for VLAN Types
The VLAN derivation priorities for each VLAN type are defined below in increasing order:
Use the following command to display user VLAN derivation related debug information:
(host) # show aaa debug vlan user [ip | ipv6 | mac]
How a VLAN Obtains an IP Address
A VLAN on the controller obtains its IP address in one of the following ways:
Assigning a Static Address to a VLAN
You can manually assign a static IP address to a VLAN on the controller. At least one VLAN on the controller must be assigned a static IP address.
In the WebUI
(host) (config) # interface vlan <id>
ip address <address> <netmask>
Configuring a VLAN to Receive a Dynamic Address
In a branch office, you can connect a controller to an uplink switch or server that dynamically assigns IP addresses to connected devices. For example, the controller can be connected to a DSL or cable modem, or a broadband remote access server (BRAS). The following figure shows a branch office where a controller connects to a cable modem. VLAN 1 has a static IP address, while VLAN 2 has a dynamic IP address assigned via DHCP or PPPoE from the uplink device.
Figure 1 IP Address Assignment to VLAN via DHCP or PPPoE

Configuring Multiple Wired Uplink Interfaces (Active-Standby)
You can assign up to four VLAN interfaces to operate in active-standby topology. An active-standby topology provides redundancy so that when an active interface fails, the user traffic can failover to the standby interface.
To allow the controller to obtain a dynamic IP address for a VLAN, enable the DHCP or PPPoE client on the controller for the VLAN.
The following restrictions apply when enabling the DHCP or PPPoE client on the controller:
Enabling the DHCP Client
The DHCP server assigns an IP address for a specified amount of time called a lease. The controller automatically renews the lease before it expires. When you shut down the VLAN, the DHCP lease is released.
Figure 2 Assigning VLAN uplink priority—Active-Standby configuration

In this example, the DHCP client has the client ID name myclient and the interface VLAN 62 has an uplink priority of 2.
interface vlan 62
uplink wired vlan 62 priority 2
interface vlan 62 ip address dhcp-client client-id myclient
Enabling the PPPoE Client
To authenticate to the BRAS and request a dynamic IP address, the controller must have the following configured:
When you shut down the VLAN, the PPPoE session terminates.
In this example, a PPPoE service name, username and password are assigned, and the interface VLAN 14 has an uplink priority of 3.
(host) (config) # interface vlan 14
ip address pppoe
(host) (config) # interface vlan 14 ip pppoe-service-name <service_name>
(host) (config) # interface vlan 14 ip pppoe-username <username>
(host) (config) # interface vlan 14 ip pppoe-password *****
(host) (config) # uplink wired vlan 14 priority 3
Default Gateway from DHCP/PPPoE
You can specify that the router IP address obtained from the DHCP or PPPoE server be used as the default gateway for the controller.
(host) (config) # ip default-gateway import
Configuring DNS/WINS Server from DHCP/PPPoE
The DHCP or PPPoE server can also provide the IP address of a DNS server or NetBIOS name server, which can be passed to wireless clients through the controller’s internal DHCP server.
For example, the following configures the DHCP server on the controller to assign addresses to authenticated employees; the IP address of the DNS server obtained by the controller via DHCP/PPPoE is provided to clients along with their IP address.
(host) (config) # ip dhcp pool employee-pool
default-router 10.1.1.254
dns-server import
netbios-name-server import
network 10.1.1.0 255.255.255.0
Configuring Source NAT to Dynamic VLAN Address
When a VLAN interface obtains an IP address through DHCP or PPPoE, a NAT pool (dynamic-srcnat) and a session ACL (dynamic-session-acl) are automatically created which reference the dynamically-assigned IP addresses. This allows you to configure policies that map private local addresses to the public address(es) provided to the DHCP or PPPoE client. Whenever the IP address on the VLAN changes, the dynamic NAT pool address also changes to match the new address.
For example, the following rules for a guest policy deny traffic to internal network addresses. Traffic to other (external) destinations is source NATed to the IP address of the DHCP/PPPoE client on the controller.
(host) (config) # ip access-list session guest
any network 10.1.0.0 255.255.0.0 any deny
any any any src-nat pool dynamic-srcnat
Configuring Source NAT for VLAN Interfaces
The example configuration in the previous section illustrates how to configure source NAT using a policy that is applied to a user role. You can also enable source NAT for a VLAN interface to cause NAT to be performed on the source address for all traffic that exits the VLAN.
Packets that exit the VLAN are given a source IP address of the “outside” interface, which is determined by the following:
Example Configuration
In the following example, the controller operates within an enterprise network. VLAN 1 is the outside VLAN. Traffic from VLAN 6 is source NATed using the IP address of the controller. In this example, the IP address assigned to VLAN 1 is used as the controller’s IP address; thus traffic from VLAN 6 would be source NATed to 66.1.131.5.
Figure 3 Example: Source NAT using Controller IP Address

(host) (config) # interface vlan 1
ip address 66.1.131.5 255.255.255.0
(host) (config) # interface vlan 6
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip default-gateway 66.1.131.1
Inter-VLAN Routing
On the controller, you can map a VLAN to a layer-3 subnetwork by assigning a static IP address and netmask or by configuring a DHCP or PPPoE server to provide a dynamic IP address and netmask to the VLAN interface. The controller, acting as a layer-3 switch, routes traffic between VLANs that are mapped to IP subnetworks; this forwarding is enabled by default.
In Figure 4, VLAN 200 and VLAN 300 are assigned the IP addresses 2.1.1.1/24 and 3.1.1.1/24, respectively. Client A in VLAN 200 is able to access server B in VLAN 300 and vice versa, provided that there is no firewall rule configured on the controller to prevent the flow of traffic between the VLANs.
Figure 4 Default Inter-VLAN Routing

You can optionally disable layer-3 traffic forwarding to or from a specified VLAN. When you disable layer-3 forwarding on a VLAN, the following restrictions apply:
To disable layer-3 forwarding for a VLAN configured on the controller:
Using the WebUI to restrict VLAN routing
Using the CLI:
interface vlan <id>
ip address {<ipaddr> <netmask>|dhcp-client|pppoe}
no ip routing
This document describes how to configure the components for LAN services, including link aggregation groups, VLANs, voice VLANs, MAC address tables, transparent bridging, as well as GVRP, STP/RSTP, and MSTP protocols.
VLANs can isolate the hosts that do not need to communicate with each other, which improves network security, reduces broadcast traffic, and mitigates broadcast storms.
After an interface is added to a VLAN, the interface can forward packets from the VLAN. Interface-based VLAN assignment allows hosts in the same VLAN to communicate and prevents hosts in different VLANs from communicating, so broadcast packets are limited in a VLAN.
Access interface
The router processes only tagged frames, while the devices connected to an access interface receive and send only untagged frames, so the access interface must add a VLAN tag to the frames it receives. That is, you must configure the default VLAN for the access interface. After the default VLAN is configured, the access interface joins that VLAN.
An access interface needs to process only untagged frames. If a user connects a switching device to a user-side interface without permission, the user-side interface may receive tagged frames. You can configure the user-side interface to discard tagged frames, preventing unauthorized access.
Trunk interface
When a trunk interface connects to a device such as an AP or a voice terminal that can receive and send tagged and untagged frames simultaneously, you need to configure the default VLAN for the trunk interface so that the trunk interface can add the VLAN tag to untagged frames.
Hybrid interface
When a hybrid interface connects to an AP, a voice terminal, a hub, a host, or a server that sends untagged frames to the router, you need to configure the default VLAN for the hybrid interface so that the hybrid interface can add the VLAN tag to untagged frames.
Frames sent by a router all carry VLAN tags. In some scenarios, VLAN tags need to be removed from frames sent by an interface. A trunk interface sends untagged packets for only one VLAN, so in such scenarios the interface must be configured as hybrid.
By default, the type of an interface is hybrid, the default VLAN is VLAN 1, and an interface joins VLAN 1 in untagged mode.
Run system-view
The system view is displayed.
Run vlan vlan-id
A VLAN is created and the VLAN view is displayed, or the view of an existing VLAN is displayed.
Return to the system view.
Run interface interface-type interface-number
The view of the Ethernet interface to be added to the VLAN is displayed.
(Optional) Run portswitch
The virtual Ethernet (VE) interface is switched from Layer 3 mode to Layer 2 mode.
By default, a VE interface works in Layer 3 mode.
You need to perform this operation after accessing the VE interface view.
Run port link-type access
The Ethernet interface is configured as the access interface.
Run port default vlan vlan-id
The default VLAN is configured for the interface and the interface is added to the specified VLAN.
Run port link-type trunk
The Ethernet interface is configured as the trunk interface.
Run port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }
The interface is added to the specified VLAN.
(Optional) Run port trunk pvid vlan vlan-id
The default VLAN is configured for the trunk interface.
This step is not supported in the VE interface view.
When the VLAN allowed by an interface is the default VLAN of the interface, packets from the VLAN are forwarded in untagged mode.
Run port link-type hybrid
The Ethernet interface is configured as the hybrid interface.
Run the following commands as required.
Run port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }
The hybrid interface is added to the VLAN in untagged mode.
Run port hybrid tagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }
The hybrid interface is added to the VLAN in tagged mode.
(Optional) Run port hybrid pvid vlan vlan-id
The default VLAN is configured for the hybrid interface.
Configuration Tips
To create multiple VLANs in a batch, run the vlan batch command in the system view.
- Create 10 contiguous VLANs, VLANs 11 to 20:
<Huawei> system-view
[Huawei] vlan batch 11 to 20
You can create a maximum of 10 incontiguous VLANs or VLAN ranges at one time. If there are more than 10, run this command multiple times. For example, the vlan batch 10 15 to 19 25 28 to 30 command creates four incontiguous VLANs and VLAN ranges.
When multiple VLANs are created on the device, you are advised to configure names for the VLANs to facilitate management. After a name is configured for a VLAN, you can directly enter the VLAN view using the name.
# Set the name of VLAN 10 to huawei.
# After a name is configured for a VLAN, you can directly enter the VLAN view using the name.
To perform the same VLAN configuration for multiple Ethernet interfaces, use the port group, which can reduce the workload. To add access interfaces to a VLAN in a batch, you can also run the port interface-type { interface-number1 [ to interface-number2 ] }&<1-10> command in the VLAN view.
If the VLAN planning of an interface is changed, you need to delete the original VLAN configuration of the interface. If many incontiguous VLANs are configured on the interface, you need to delete the original VLAN configuration multiple times. To reduce deletion operations, restore the default VLAN configuration of the interface.
When the interface planning changes or the current interface type is different from the configured one, the interface type needs to be changed.
If a VLAN is not in use, you are advised to delete it immediately by running the command undo vlan vlan-id or undo vlan batch vlan-id1 to vlan-id2, in order to save VLAN resources and reduce packets on a network.
Verifying the Configuration
Run the display vlan [ { vlan-id | vlan-name vlan-name } [ verbose ] ] command to check information about all VLANs or a specified VLAN.
Document ID: EDOC1100034228
What is Dynamic VLAN Assignment?
Written by Sean Blanton on May 24, 2021
When it comes to the modern enterprise, few things are more important than network and identity security. With bad actors lurking around every corner (even inside of an organization itself), maintaining a strong, secure network along with keeping credentials safe is of utmost importance to the IT admin. Several network securing tools and techniques are being employed by IT admins today, especially during the global pandemic, but one that has been a foundational approach for many years is dynamic VLAN assignment. Since IT admins are dramatically stepping up the security of their IT environments, some are asking: what is dynamic VLAN assignment and how can it help secure the network?

Network Security with Dynamic VLAN Assignment
The simple answer is that dynamic VLAN assignment (or VLAN steering, as it is sometimes called) is a technique that builds on the core strategy of controlling network access through RADIUS.
Via RADIUS integration, a WiFi access point (WAP) requires not only an SSID and passphrase but a user’s unique credentials to access the network. Once the user’s credentials have passed through the WAP to the RADIUS server and directory service, the RADIUS server replies to the WAP that the user has been authenticated and tells it which VLAN the user is assigned to.
IT admins configure the system to identify which users and/or groups are assigned to which VLAN. Those VLANs can be set up on the WiFi network for any number of reasons including security and compliance. By segmenting users and authenticating them with their unique credentials, IT admins can increase security significantly. This approach helps separate out critical areas of the network, and can be especially helpful in compliance situations where, for example, the cardholder data environment (CDE) can be separated from the rest of the network making PCI Compliance far easier.
Challenges with Dynamic VLAN Assignments
The challenge with this approach is the overhead for IT admins. Traditionally, implementing dynamic VLAN assignments required a great deal of infrastructure, configuration, and administration. For starters, IT organizations would need to set up their own FreeRADIUS server and connect that instance to the wireless access points and the identity provider (IdP), often Microsoft® Active Directory®.
In many networks, the IT group would also need to configure endpoints with supplicants so that they could talk to the RADIUS server over the proper protocols. All of this ended up being a significant disincentive for IT admins, and that is why many WiFi networks are secured simply with an SSID and passphrase.
With the introduction of modern cloud RADIUS solutions, however, IT admins can virtually outsource the entire process for RADIUS authentication to WiFi and dynamic VLAN assignments. This Cloud RADIUS offering doesn’t focus on RADIUS only, but also acts as the identity management source of truth that can replace an on-prem Active Directory instance. It is available from the JumpCloud Directory Platform.
Cloud RADIUS and More
JumpCloud Directory Platform is everything a directory service was, and reimagines it for the cloud era. This includes endpoint management , identity and access management, single sign-on, multi-factor authentication, and network authentication tools such as Cloud RADIUS. Relatively new to the JumpCloud Suite is dynamic VLAN assignment functionality, so network administrators can better authorize their users’ access to crucial network resources. This feature just adds one more log to the bright flame of this cloud directory.
Interested in dynamic VLAN assignment and the rest of what the platform has to offer? Contact us, or check out our knowledge base to learn more. You can see the full functionality of JumpCloud firsthand by trying JumpCloud Free! In order to properly get your feet wet, we’ve included ten users and ten systems, free to use. We’ll also give you ten days of 24×7 premium in-app chat support.
Sean Blanton is the Director of Content at JumpCloud and has spent the past decade in the wide world of security, networking and IT and Infosec administration. When not at work Sean enjoys spending time with his young kids and geeking out on table top games.
Published On: August 6ᵗʰ, 2019 02:03
Wireless LAN Configuration Guide, Cisco IOS Release 15M&T
VLAN Assignment by Name
This feature provides the ability for the RADIUS server to assign an 802.1x client to a VLAN identified by name. This module describes how to configure wireless VLANs on a Cisco 800, 1800, 2800, or 3800 series integrated services router (ISR), hereafter referred to as an access point (AP).
Finding Feature Information
Information About VLAN Assignment by Name
How to Configure Wireless VLANs
Configuration Examples for VLAN Assignment by Name
Where to Go Next
Additional References for VLAN Assignment by Name
Feature Information for VLAN Assignment by Name
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
VLANs Overview
A VLAN is a switched network that is logically segmented by functions, project teams, or applications rather than on a physical or geographical basis. For example, all workstations and servers used by a particular workgroup team can be connected to the same VLAN, regardless of their physical connections to the network or whether they are intermingled with other teams. You use VLANs to reconfigure the network through software rather than physically unplugging and moving devices or wires.
A VLAN can be thought of as a broadcast domain that exists within a defined set of switches. A VLAN consists of a number of end systems, either hosts or network equipment (such as bridges and routers), connected by a single bridging domain. The bridging domain is supported on various pieces of network equipment such as LAN switches that operate bridging protocols between them with a separate group for each VLAN.
VLANs provide the segmentation services traditionally provided by routers in LAN configurations. VLANs address scalability, security, and network management. You should consider several key issues when designing and building switched LAN networks:
LAN segmentation
Broadcast control
Performance
Network management
Communication between VLANs
You extend VLANs into a wireless LAN by adding IEEE 802.1Q tag awareness to the AP. Frames destined for different VLANs are transmitted by the AP wirelessly on different service set identifiers (SSIDs). Only the clients associated with that VLAN receive those packets. Each SSID can have one VLAN assigned to it. The benefit of using multiple SSIDs and VLANs is that you can configure different security features for each group. For example, users in VLAN 1 might be forced to use MAC authentication while users in VLAN 2 are not.
The figure below shows both wired and wireless VLANs coexisting on a router with an integrated AP and switch.

Wireless Device Deployment in VLANs
The basic wireless components of a VLAN consist of an AP and a client associated to it using wireless technology.
You configure an AP to connect to a specific VLAN by configuring its SSID to recognize that VLAN. Because VLANs are identified by a VLAN ID, it follows that if the SSID on an AP is configured to recognize a specific VLAN ID, a connection to the VLAN is established. When this connection is made, associated wireless client devices having the same SSID can access the VLAN through the AP. The VLAN processes data to and from the clients the same way that it processes data to and from wired connections.
You can configure up to 10 SSIDs or VLANs on the Cisco 800 series routers, and up to 16 SSIDs or VLANs on the Cisco 1800 series fixed-configuration routers and the Cisco 1841, 2800 and 3800 series modular routers with an AP high-speed WAN interface card (HWIC). You can assign only one SSID to a VLAN.
The limits for the 16 configurable VLANs on routers with an AP HWIC are:
1 static and 15 dynamic VLANs
1 static and 15 unsecured VLANs
16 dynamic VLANs
16 unsecured VLANs
The limits for the 16 configurable VLANs on the Cisco 1800 series fixed-configuration routers are:
1 static Wired Equivalent Privacy (WEP) encrypted VLAN, 7 dynamic WEP VLANs, and 8 unsecured VLANs
8 dynamic and 8 unsecured VLANs
The limits for the 10 configurable VLANs on the Cisco 800 series routers are:
1 static WEP encrypted VLAN, 3 dynamic WEP VLANs, and 6 unencrypted VLANs
You can use the VLAN feature to deploy wireless devices with greater efficiency and flexibility. For example, one AP can handle the specific requirements of multiple users having widely varied network access and permissions. Without VLAN capability, multiple APs would be needed to serve classes of users based on the access and permissions they were assigned.
These are two common strategies for deploying wireless VLANs:
Segmentation by user groups: You can segment your wireless LAN user community and enforce a different security policy for each user group. For example, you can create wired and wireless VLANs in an enterprise environment for full-time and part-time employees and also provide guest access.
Segmentation by device types: You can segment your wireless LAN to allow different devices with different security capabilities to join the network. For example, some wireless users might have handheld devices that support only static WEP, and some wireless users might have more sophisticated devices using dynamic WEP. You can group and isolate these devices into separate VLANs.
Assignment of Users to VLANs Using a RADIUS Server
You can configure your RADIUS authentication server to assign users or groups of users to a specific VLAN when they authenticate to the network.
The VLAN-mapping process consists of these steps:
A client device associates to the AP using any SSID configured on the AP.
The client begins RADIUS authentication.
When the client authenticates, the RADIUS server maps the client to a specific VLAN, regardless of the VLAN mapping defined for the SSID the client is using on the AP. If the server does not return any VLAN attribute for the client, the client is assigned to the VLAN specified by the SSID mapped locally on the AP.
These are the RADIUS user attributes used for VLAN ID assignment. Each attribute must have a common tag value to identify the grouped relationship.
IETF 64 (Tunnel Type): Set this attribute to VLAN.
IETF 65 (Tunnel Medium Type): Set this attribute to 802.
IETF 81 (Tunnel Private Group ID): Set this attribute to a VLAN ID.
Configuring a Wireless VLAN
Assigning Names to VLANs
Using the LAN and VLAN Segmentation with Wireless Devices figure as a reference, perform this task to configure a VLAN on an AP.
2. configure terminal
3. dot11 ssid name
4. vlan vlan-id
6. interface dot11Radio interface
7. ssid name
10. interface dot11Radio interface.x
11. encapsulation dot1q vlan-id [ native ]
13. copy running-config startup-config
14. show vlans
You can assign a name to a VLAN in addition to its numerical ID. VLAN names can contain up to 32 ASCII characters. The access point stores each VLAN name and ID pair in a table.
Remember these guidelines when using VLAN names:
The mapping of a VLAN name to a VLAN ID is local to each access point, so across your network, you can assign the same VLAN name to a different VLAN ID.
Every VLAN configured on your access point must have an ID, but VLAN names are optional.
VLAN names can contain up to 32 ASCII characters. However, a VLAN name cannot be a number from 1 to 4095. For example, vlan4095 is a valid VLAN name, but 4095 is not. The access point reserves the numbers 1 through 4095 for VLAN IDs.
Perform this task to assign a name to a VLAN.
3. dot11 vlan-name name vlan vlan-id
5. copy running-config startup-config
6. show dot11 vlan-name [ vlan-name ]
Example: VLAN Configuration Scenario
The following VLAN configuration scenario shows how to use VLANs to manage wireless devices in a typical branch office. In this example, two levels of access are available through VLANs configured on the network:
Employee access—Users can access all company files, databases, and sensitive information. Employees are required to authenticate using Cisco Lightweight Extensible Authentication Protocol (LEAP).
Guest access—Users can access only the Internet and any external files stored specifically for guest users.
In this scenario, a minimum of two VLAN connections are required, one for each level of access. Because the AP can support up to 16 SSIDs on the AP HWIC and Cisco 1800 fixed-configuration routers, and up to 10 SSIDs on the Cisco 800 series routers, you can use the basic design shown in the table below.
Employees configure their wireless client adapters to use the SSID named employee and guests configure their client adapters to use the SSID named guest. When these clients associate to the AP, they automatically belong to the correct VLAN. Wired clients attached to the router through the integrated switch can also belong to a specific VLAN. Wireless VLAN clients and wired VLAN clients can share subnets or they can belong to completely different subnets. This type of configuration can be accomplished using bridging or integrated routing and bridging (IRB) or routing on the dot11 interface.
The following examples show two configuration methods:
Bridge traffic between wireless VLANs and wired VLANs using IRB and route traffic from these networks through the bridged virtual interface (BVI). The clients in the wireless VLANs and wired VLANs will be in the same respective subnets as the IP address of the BVI interfaces.
Use routing to keep the wireless and wired VLANs in separate subnets.
Example: Configuring Wireless VLANs on an Access Point in Bridging Mode
Using the VLAN configuration scenario above, this example shows how to configure VLAN 1 and VLAN 2 on an AP in bridging mode. When the AP has been configured, the example shows how to configure each client device to recognize either the employee SSID or the guest SSID.
This example shows the following configuration steps:
Create a global SSID.
Assign a VLAN to each configured SSID.
Assign authentication types to each SSID.
Configure subinterfaces and 802.1q encapsulation for each VLAN under the dot11 interface.
Assign a bridge group for each subinterface.
Assign the same bridge group to the relevant wired VLAN.
Create a BVI interface and assign an IP address for each bridge group.
Configure the protocol to route each bridge group.
Example: Configuring Wireless VLANs on an Access Point in Routing Mode
Using the VLAN configuration scenario described in the previous section, this example shows how to configure VLAN 1 and VLAN 2 on an AP in routing mode. Routing can be used to keep the wireless and wired VLANs on separate subnets. After the AP has been configured, the example shows how to configure each client device to recognize either the employee SSID or the guest SSID.
Configure an IP address for each subinterface.
If you want to configure quality of service (QoS) parameters on an AP, see the “Configuring QoS on an Access Point” module.
The following sections provide references related to configuring VLANs for wireless LANs.
Related Documents
Technical Assistance
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
VLAN assignment in an authentication session
A switch supports concurrent 802.1X and either web-based or MAC authentication sessions on a port (with up to 32 clients allowed). If you have configured RADIUS as the primary authentication method for a type of access, when a client authenticates on a port, the RADIUS server assigns an untagged VLAN that is statically configured on the switch for use in the authentication session. See the documentation provided with the RADIUS server application.
If a switch port is configured to accept multiple 802.1X and/or web-based or MAC authentication client sessions, all authenticated clients must use the same port-based, untagged VLAN membership assigned for the earliest, currently active client session. On a port where one or more authenticated client sessions are already running, all clients are on the same untagged VLAN.
If the RADIUS server subsequently authenticates a new client, but attempts to re-assign the port to a different, untagged VLAN than the one already in use for the previously existing, authenticated client sessions, the connection for the new client will fail.
Tagged and untagged VLAN attributes
When you configure a user profile on a RADIUS server to assign a VLAN to an authenticated client, you can use either the VLAN's name or VLAN ID (VID) number. For example, if a VLAN configured in the switch has a VID of 100 and is named vlan100, you could configure the RADIUS server to use either "100" or "vlan100" to specify the VLAN.
After the RADIUS server validates a client's username and password, the RADIUS server returns an Access-Accept packet that contains the VLAN assignment and the following attributes for use in the authentication session:
Egress-VLANID: Configures an optional, egress VLAN ID for either tagged or untagged packets (RFC 4675).
Egress-VLAN-Name: Configures an optional, egress VLAN for either tagged or untagged packets when the VLAN ID is not known (RFC 4675).
Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-ID: Tunnel attributes that specify an untagged VLAN assignment (RFC 3580).
Tunnel (untagged VLAN) attributes may be included in the same RADIUS packet as the Egress-VLANID and Egress-VLAN-Name attributes. These attributes are not mutually exclusive.
The switch processes the VLAN information returned from the remote RADIUS server for each successfully 802.1X-, web-based-, or MAC-authenticated client (user). The VLAN information is part of the user's profile stored in the RADIUS server's database and is applied only if the VLANs exist on the switch.
The support for RADIUS-assigned tagged and untagged VLAN configuration on an authenticated port allows you to use IDM to dynamically configure tagged and untagged VLANs as required for different client devices, such as PCs and IP phones, that share the same switch port.
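An added example (not Cisco's or HP's code) covering both the IETF 64/65/81 attribute list in the Cisco section above and the tunnel and Egress-VLANID attributes in this section: it builds the Access-Accept attributes that assign an untagged VLAN by ID or name, decodes Egress-VLANID, and applies the documented rules on the receiving side (no VLAN attribute means the SSID's own VLAN; a VLAN that does not exist locally cannot be applied). Attribute numbers and layouts are from RFC 2868, RFC 3580 and RFC 4675; the function names and the known_vlans table are constructed for the illustration.

```python
"""Encode and interpret the RADIUS Access-Accept attributes that assign a VLAN.
Added example, not Cisco or HP code. Wire formats follow RFC 2868/3580 (tunnel
attributes) and RFC 4675 (Egress-VLANID); known_vlans is a constructed table."""

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
EGRESS_VLANID = 56
VLAN_TUNNEL_TYPE = 13      # Tunnel-Type value "VLAN"
IEEE_802_MEDIUM = 6        # Tunnel-Medium-Type value "IEEE-802"

def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs: type, length, value."""
    return b"".join(bytes([typ, len(val) + 2]) + val for typ, val in attrs)

def decode_attrs(data):
    """Parse RADIUS TLVs, rejecting truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def vlan_access_accept(vlan, tag=1):
    """Attributes assigning one untagged VLAN by ID or name (RFC 3580). Tagged
    integers are one tag octet plus a 24-bit value; all three attributes carry
    the same tag so the receiver groups them as a single assignment."""
    return encode_attrs([
        (TUNNEL_TYPE, bytes([tag]) + VLAN_TUNNEL_TYPE.to_bytes(3, "big")),
        (TUNNEL_MEDIUM_TYPE, bytes([tag]) + IEEE_802_MEDIUM.to_bytes(3, "big")),
        (TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan).encode()),
    ])

def decode_egress_vlanid(val):
    """RFC 4675 Egress-VLANID: tag-indication octet (0x31 tagged, 0x32
    untagged), 12 zero bits, then a 12-bit VID. Returns (is_tagged, vid)."""
    n = int.from_bytes(val, "big")
    if len(val) != 4 or (n >> 24) not in (0x31, 0x32):
        raise ValueError("bad Egress-VLANID")
    return (n >> 24) == 0x31, n & 0xFFF

def resolve_untagged_vlan(data, ssid_vlan, known_vlans):
    """VLAN ID the AP or switch applies to the client; known_vlans maps locally
    configured VLAN IDs to names. No tunnel attributes means the SSID's own
    VLAN; an assigned VLAN that does not exist locally raises instead."""
    groups = {}
    for typ, val in decode_attrs(data):
        if typ in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(val) == 4:
            groups.setdefault(val[0], {})[typ] = int.from_bytes(val[1:], "big")
        elif typ == TUNNEL_PRIVATE_GROUP_ID and val:
            # the tag octet is only present when it is <= 0x1F (RFC 2868)
            tag, s = (val[0], val[1:]) if val[0] <= 0x1F else (0, val)
            groups.setdefault(tag, {})[typ] = s.decode(errors="replace")
    for g in groups.values():
        if (g.get(TUNNEL_TYPE), g.get(TUNNEL_MEDIUM_TYPE)) != (VLAN_TUNNEL_TYPE, IEEE_802_MEDIUM):
            continue  # not a VLAN assignment (or an incomplete group)
        ref = g.get(TUNNEL_PRIVATE_GROUP_ID)
        for vid, name in known_vlans.items():
            if ref in (str(vid), name):
                return vid
        raise ValueError("assigned VLAN %r is not configured on this device" % ref)
    return ssid_vlan
```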
Copyright © 2015 Hewlett-Packard Development Company, L.P.
Wifi vlan assignment with sae_password?
So I was reading a bit into the sae_password option in the hostapd configuration for non-OpenWrt.
I was wondering if something like this exists in OpenWrt as well:
Basically, from what I understand, I can use it like:
Is sae_password supported in UCI format with the parameters, or in the version of hostapd itself? I do know dynamic_vlan and the other options are, but I'm not sure if sae_password works.
I'm running OpenWrt 22.05.0-RC-1
Is this what you mean?
If so - yes.

But since VLANs etc. are not assigned to WiFi in this manner in OpenWrt, I'm not sure if you're referencing the remaining syntax: |vlanid=3|id=pw identifier
Definitely read this:
I have not tried it myself or even looked if it works with WPA3.
Almost. If I use it like this, it shows in UCI like:
option key 'xxx'
but that is not really what I want. I have tried using list sae_password 'xxx|vlanid=3|id=pw identifier' but that doesn't seem to work, since sae_password can have multiple keys according to the GitHub comments.