Cisco Sg3008 Manual
Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version)

13 VLAN Management

VLANs

VLAN Description

Each VLAN is configured with a unique VID (VLAN ID) with a value from 1 to 4094. A port on a device in a bridged network is a member of a VLAN if it can send data to and receive data from the VLAN. A port is an untagged member of a VLAN if all packets destined for that port into the VLAN have no VLAN tag. A port is a tagged member of a VLAN if all packets destined for that port into the VLAN have a VLAN tag. A port can be a member of one untagged VLAN and can be a member of several tagged VLANs.

A port in VLAN Access mode can be part of only one VLAN. If it is in General or Trunk mode, the port can be part of one or more VLANs.

VLANs address security and scalability issues. Traffic from a VLAN stays within the VLAN, and terminates at devices in the VLAN. It also eases network configuration by logically connecting devices without physically relocating those devices.

If a frame is VLAN-tagged, a four-byte VLAN tag is added to each Ethernet frame. The tag contains a VLAN ID between 1 and 4094, and a VLAN Priority Tag (VPT) between 0 and 7. See Quality of Service for details about VPT.

When a frame enters a VLAN-aware device, it is classified as belonging to a VLAN, based on the four-byte VLAN tag in the frame. If there is no VLAN tag in the frame or the frame is priority-tagged only, the frame is classified to the VLAN based on the PVID (Port VLAN Identifier) configured at the ingress port where the frame is received. The frame is discarded at the ingress port if Ingress Filtering is enabled and the ingress port is not a member of the VLAN to which the packet belongs. A frame is regarded as priority-tagged only if the VID in its VLAN tag is 0.

Frames belonging to a VLAN remain within the VLAN. This is achieved by sending or forwarding a frame only to egress ports that are members of the target VLAN.
An egress port may be a tagged or untagged member of a VLAN. The egress port:
• Adds a VLAN tag to the frame if the egress port is a tagged member of the target VLAN, and the original frame does not have a VLAN tag.
• Removes the VLAN tag from the frame if the egress port is an untagged member of the target VLAN, and the original frame has a VLAN tag.
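The ingress classification, ingress filtering and egress tagging rules described above, modelled in Python as an added example (not code from the Cisco guide or the device firmware). The Port class, the function names and the sample frames are constructions of this example.

```python
import struct
from dataclasses import dataclass, field

TPID = 0x8100  # TPID that introduces the four-byte VLAN tag

@dataclass
class Port:
    # Hypothetical port model; field names are assumptions of this example.
    pvid: int
    untagged: set = field(default_factory=set)  # VLANs sent without a tag
    tagged: set = field(default_factory=set)    # VLANs sent with a tag
    ingress_filtering: bool = True

def parse_tag(frame):
    """Return (vid, vpt) of the tag after the two MAC addresses, else None."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    return (tci & 0x0FFF, tci >> 13) if tpid == TPID else None

def classify_ingress(port, frame):
    """VLAN the frame is classified to, or None if discarded at ingress."""
    tag = parse_tag(frame)
    # Untagged and priority-tagged (VID 0) frames take the port's PVID.
    vid = port.pvid if tag is None or tag[0] == 0 else tag[0]
    member = vid in port.untagged or vid in port.tagged
    return None if port.ingress_filtering and not member else vid

def egress(port, frame, vid):
    """Frame as sent on `port` for VLAN `vid`; None if port is not a member."""
    tag = parse_tag(frame)
    bare = frame[:12] + frame[16:] if tag else frame  # any tag removed
    if vid in port.tagged:
        # Write a tag carrying the target VID, keeping the received priority.
        tci = ((tag[1] if tag else 0) << 13) | vid
        return bare[:12] + struct.pack("!HH", TPID, tci) + bare[12:]
    return bare if vid in port.untagged else None

def make_frame(vid=None, vpt=0):
    """Constructed sample frame: two MACs, optional tag, EtherType, payload."""
    tag = b"" if vid is None else struct.pack("!HH", TPID, (vpt << 13) | vid)
    return bytes.fromhex("020000000002020000000001") + tag + b"\x08\x00sample"

if __name__ == "__main__":
    access = Port(pvid=10, untagged={10})
    general = Port(pvid=10, untagged={10}, ingress_filtering=False)
    print(classify_ingress(access, make_frame()))         # untagged frame
    print(classify_ingress(access, make_frame(vid=20)))   # filtering enabled
    print(classify_ingress(general, make_frame(vid=20)))  # filtering disabled
```

With ingress filtering disabled, the last call classifies the frame to VLAN 20 even though the port is not a member of that VLAN, which is the case the Ingress Filtering setting exists to stop.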
VLAN Roles

VLANs function at Layer 2. All VLAN traffic (Unicast/Broadcast/Multicast) remains within its VLAN. Devices attached to different VLANs do not have direct connectivity to each other over the Ethernet MAC layer. Devices from different VLANs can communicate with each other only through Layer 3 routers. An IP router, for example, is required to route IP traffic between VLANs if each VLAN represents an IP subnet.

The IP router might be a traditional router, where each of its interfaces connects to only one VLAN. Traffic to and from a traditional IP router must be VLAN untagged. The IP router can be a VLAN-aware router, where each of its interfaces can connect to one or more VLANs. Traffic to and from a VLAN-aware IP router can be VLAN tagged or untagged.

Adjacent VLAN-aware devices exchange VLAN information with each other by using Generic VLAN Registration Protocol (GVRP). As a result, VLAN information is propagated through a bridged network.

VLANs on a device can be created statically or dynamically, based on the GVRP information exchanged by devices. A VLAN can be static or dynamic (from GVRP), but not both. For more information about GVRP, refer to the GVRP Settings section.

Some VLANs can have additional roles, including:
• Voice VLAN: For more information refer to the Voice VLAN section.
• Guest VLAN: Set in the Edit VLAN Authentication page.
• Default VLAN: For more information refer to the Configuring Default VLAN Settings section.
• Management VLAN (in Layer 2-system-mode systems): For more information refer to the Layer 2 IP Addressing section.

QinQ

QinQ provides isolation between service provider networks and customers' networks. The device is a provider bridge that supports port-based c-tagged service interface.

With QinQ, the device adds an ID tag known as Service Tag (S-tag) to forward traffic over the network. The S-tag is used to segregate traffic between various customers, while preserving the customer VLAN tags.
Customer traffic is encapsulated with an S-tag with TPID 0x8100, regardless of whether it was originally c-tagged or untagged. The S-tag allows this traffic to be treated as an aggregate within a provider bridge network, where the bridging is based on the S-tag VID (S-VID) only.

The S-tag is preserved while traffic is forwarded through the network service provider's infrastructure, and is later removed by an egress device.

An additional benefit of QinQ is that there is no need to configure customers' edge devices.

QinQ is enabled in the VLAN Management > Interface Settings page.

VLAN Configuration Workflow

To configure VLANs:
1. If required, change the default VLAN by using the Configuring Default VLAN Settings section.
2. Create the required VLANs by using the Creating VLANs section.
3. Set the desired VLAN-related configuration for ports and enable QinQ on an interface using the Configuring VLAN Interface Settings section.
4. Assign interfaces to VLANs by using the Configuring Port to VLAN section or the Configuring VLAN Membership section.
5. View the current VLAN port membership for all the interfaces in the Configuring VLAN Membership section.

Configuring Default VLAN Settings

When using factory default settings, the device automatically creates VLAN 1 as the default VLAN, the default interface status of all ports is Trunk, and all ports are configured as untagged members of the default VLAN.

The default VLAN has the following characteristics:
• It is distinct, non-static/non-dynamic, and all ports are untagged members by default.
• It cannot be deleted.
• It cannot be given a label.
• It cannot be used for any special role, such as unauthenticated VLAN or Voice VLAN. This is only relevant for OUI-enabled voice VLAN.
• If a port is no longer a member of any VLAN, the device automatically configures the port as an untagged member of the default VLAN. A port is no longer a member of a VLAN if the VLAN is deleted or the port is removed from the VLAN.
• RADIUS servers cannot assign the default VLAN to 802.1x supplicants by using Dynamic VLAN Assignment.

When the VID of the default VLAN is changed, the device performs the following on all the ports in the VLAN, after saving the configuration and rebooting the device:
• Removes VLAN membership of the ports from the original default VLAN (possible only after reboot).
• Changes the PVID (Port VLAN Identifier) of the ports to the VID of the new default VLAN.
• The original default VLAN ID is removed from the device. To be used, it must be recreated.
• Adds the ports as untagged VLAN members of the new default VLAN.

To change the default VLAN:

STEP 1 Click VLAN Management > Default VLAN Settings.

STEP 2 Enter the value for the following field:
• Current Default VLAN ID—Displays the current default VLAN ID.
• Default VLAN ID After Reboot—Enter a new VLAN ID to replace the default VLAN ID after reboot.

STEP 3 Click Apply.

STEP 4 Click Save (in the upper-right corner of the window) and save the Running Configuration to the Startup Configuration.

The Default VLAN ID After Reset becomes the Current Default VLAN ID after you reboot the device.
Creating VLANs

You can create a VLAN, but this has no effect until the VLAN is attached to at least one port, either manually or dynamically. Ports must always belong to one or more VLANs.

The 300 Series device supports up to 4K VLANs, including the default VLAN.

Each VLAN must be configured with a unique VID (VLAN ID) with a value from 1 to 4094. The device reserves VID 4095 as the Discard VLAN. All packets classified to the Discard VLAN are discarded at ingress, and are not forwarded to a port.

To create a VLAN:

STEP 1 Click VLAN Management > VLAN Settings.

This page displays the following fields for all VLANs:
• VLAN ID—User-defined VLAN ID.
• VLAN Name—User-defined VLAN name.
• Originators—VLAN type:
  - GVRP—VLAN was dynamically created through Generic VLAN Registration Protocol (GVRP).
  - Static—VLAN is user-defined.
  - Default—VLAN is the default VLAN.

STEP 2 Click Add to add a new VLAN.

The page enables the creation of either a single VLAN or a range of VLANs.

STEP 3 To create a single VLAN, select the VLAN radio button, enter the VLAN ID (VID), and optionally the VLAN Name.

To create a range of VLANs, select the Range radio button, and specify the range of VLANs to be created by entering the Starting VID and Ending VID, inclusive. When using the Range function, the maximum number of VLANs you can create at one time is 100.

STEP 4 Click Apply to create the VLAN(s).
Configuring VLAN Interface Settings

The Interface Settings page displays and enables configuration of VLAN-related parameters for all interfaces.

To configure the VLAN settings:

STEP 1 Click VLAN Management > Interface Settings.

STEP 2 Select an interface type (Port or LAG), and click Go. Ports or LAGs and their VLAN parameters are displayed.

STEP 3 To configure a Port or LAG, select it and click Edit.

STEP 4 Enter the values for the following fields:
• Interface—Select a Port/LAG.
• Interface VLAN Mode—Select the interface mode for the VLAN. The options are:
  - General—The interface can support all functions as defined in the IEEE 802.1q specification. The interface can be a tagged or untagged member of one or more VLANs.
  - Access—The interface is an untagged member of a single VLAN. A port configured in this mode is known as an access port.
  - Trunk—The interface is an untagged member of one VLAN at most, and is a tagged member of zero or more VLANs. A port configured in this mode is known as a trunk port.
  - Customer—Selecting this option places the interface in QinQ mode. This enables you to use your own VLAN arrangements (PVID) across the provider network. The device is in Q-in-Q mode when it has one or more customer ports. See QinQ.
• Administrative PVID—Enter the Port VLAN ID (PVID) of the VLAN to which incoming untagged and priority tagged frames are classified. The possible values are 1 to 4094.
• Frame Type—Select the type of frame that the interface can receive. Frames that are not of the configured frame type are discarded at ingress. These frame types are only available in General mode. Possible values are:
  - Admit All—The interface accepts all types of frames: untagged frames, tagged frames, and priority tagged frames.
  - Admit Tagged Only—The interface accepts only tagged frames.
  - Admit Untagged Only—The interface accepts only untagged and priority frames.
• Ingress Filtering—(Available only in General mode) Select to enable ingress filtering. When an interface is ingress filtering enabled, the interface discards all incoming frames that are classified as VLANs of which the interface is not a member. Ingress filtering can be disabled or enabled on general ports. It is always enabled on access ports and trunk ports.

STEP 5 Click Apply. The parameters are written to the Running Configuration file.

Defining VLAN Membership

The Port to VLAN and Port VLAN Membership pages display the VLAN memberships of the ports in various presentations. You can use them to add or remove memberships to or from the VLANs.

When a port is forbidden default VLAN membership, that port is not allowed membership in any other VLAN. An internal VID of 4095 is assigned to the port.

To forward the packets properly, intermediate VLAN-aware devices that carry VLAN traffic along the path between end nodes must either be manually configured or must dynamically learn the VLANs and their port memberships from Generic VLAN Registration Protocol (GVRP).

Untagged port membership between two VLAN-aware devices with no intervening VLAN-aware devices, must be to the same VLAN. In other words, the PVID on the ports between the two devices must be the same if the ports are to send and receive untagged packets to and from the VLAN. Otherwise, traffic might leak from one VLAN to another.

Frames that are VLAN-tagged can pass through other network devices that are VLAN-aware or VLAN-unaware. If a destination end node is VLAN-unaware, but is to receive traffic from a VLAN, then the last VLAN-aware device (if there is one), must send frames of the destination VLAN to the end node untagged.
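A configuration audit for two settings described above: ingress filtering turned off on a General port, and untagged membership that does not match the PVID at the other end of a link. This is an added example, not part of the Cisco guide; the PortCfg record, the inventory and the port names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PortCfg:
    # Hypothetical inventory record; field names are this example's own.
    ident: str                      # e.g. "sw1/gi24"
    mode: str                       # Access, Trunk, General or Customer
    pvid: int                       # Administrative PVID
    untagged: frozenset             # VLANs the port sends untagged
    ingress_filtering: bool = True  # can only be disabled in General mode

def audit(ports, links):
    """Return (location, finding) tuples for `ports` and inter-switch `links`."""
    by_id = {p.ident: p for p in ports}
    findings = []
    for p in ports:
        if p.mode == "General" and not p.ingress_filtering:
            findings.append((p.ident, "ingress filtering disabled"))
        if p.mode in ("Access", "Trunk") and len(p.untagged) > 1:
            findings.append((p.ident, "more than one untagged VLAN"))
    for a, b in links:
        # Check both directions: whatever the sender emits untagged is
        # classified to the receiver's PVID.
        for tx, rx in ((by_id[a], by_id[b]), (by_id[b], by_id[a])):
            for vid in sorted(tx.untagged):
                if vid != rx.pvid:
                    findings.append((f"{tx.ident}->{rx.ident}",
                                     f"VLAN {vid} arrives in VLAN {rx.pvid}"))
    return findings

# Constructed sample inventory (not taken from a real device).
PORTS = [
    PortCfg("sw1/gi24", "Trunk", 1, frozenset({1})),
    PortCfg("sw2/gi24", "Trunk", 99, frozenset({99})),
    PortCfg("sw1/gi5", "General", 10, frozenset({10}), ingress_filtering=False),
    PortCfg("sw2/gi1", "Trunk", 1, frozenset({1})),
    PortCfg("sw3/gi1", "Trunk", 1, frozenset({1})),
]
LINKS = [("sw1/gi24", "sw2/gi24"), ("sw2/gi1", "sw3/gi1")]

if __name__ == "__main__":
    for where, what in audit(PORTS, LINKS):
        print(f"{where}: {what}")
```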
Configuring Port to VLAN

Use the Port to VLAN page to display and configure the ports within a specific VLAN.

To map ports or LAGs to a VLAN:

STEP 1 Click VLAN Management > Port to VLAN.

STEP 2 Select a VLAN and the interface type (Port or LAG), and click Go to display or to change the port characteristic with respect to the VLAN.

The port mode for each port or LAG appears with its current port mode (Access, Trunk, General or Customer) configured from the Interface Settings page.

Each port or LAG appears with its current registration to the VLAN.

STEP 3 Change the registration of an interface to the VLAN by selecting the desired option from the following list:
• Forbidden—The interface is not allowed to join the VLAN even from GVRP registration. When a port is not a member of any other VLAN, enabling this option on the port makes the port part of internal VLAN 4095 (a reserved VID).
• Excluded—The interface is currently not a member of the VLAN. This is the default for all the ports and LAGs. The port can join the VLAN through GVRP registration.
• Tagged—The interface is a tagged member of the VLAN.
• Untagged—The interface is an untagged member of the VLAN. Frames of the VLAN are sent untagged to the interface VLAN.
• Multicast TV VLAN—The interface used for Digital TV using Multicast IP. The port joins the VLAN with a VLAN tag of Multicast TV VLAN. See Access Port Multicast TV VLAN for more information.
• PVID—Select to set the PVID of the interface to the VID of the VLAN. PVID is a per-port setting.

STEP 4 Click Apply. The interfaces are assigned to the VLAN, and written to the Running Configuration file.

You can continue to display and/or configure port membership of another VLAN by selecting another VLAN ID.
Configuring VLAN Membership

The Port VLAN Membership page displays all ports on the device along with a list of VLANs to which each port belongs.

If the port-based authentication method for an interface is 802.1x and the Administrative Port Control is Auto, then:
• Until the port is authenticated, it is excluded from all VLANs, except guest and unauthenticated ones. In the VLAN to Port page, the port is marked with an upper case P.
• When the port is authenticated, it receives membership in the VLAN in which it was configured.

To assign a port to one or more VLANs:

STEP 1 Click VLAN Management > Port VLAN Membership.

STEP 2 Select interface type (Port or LAG), and click Go. The following fields are displayed for all interfaces of the selected type:
• Interface—Port/LAG ID.
• Mode—Interface VLAN mode that was selected in the Interface Settings page.
• Administrative VLANs—Drop-down list that displays all VLANs of which the interface might be a member.
• Operational VLANs—Drop-down list that displays all VLANs of which the interface is currently a member.
• LAG—If interface selected is Port, displays the LAG in which it is a member.

STEP 3 Select a port, and click the Join VLAN button.

STEP 4 Enter the values for the following fields:
• Interface—Select a Port or LAG.
• Mode—Displays the port VLAN mode that was selected in the Interface Settings page.
• Select VLAN—To associate a port with a VLAN(s), move the VLAN ID(s) from the left list to the right list by using the arrow buttons. The default VLAN might appear in the right list if it is tagged, but it cannot be selected.
• Tagging—Select one of the following tagging/PVID options:
  - Tagged—Select whether the port is tagged. This is not relevant for Access ports.
  - Untagged—Select whether port is untagged. This is not relevant for Access ports.
  - PVID—Port PVID is set to this VLAN. If the interface is in access mode or trunk mode, the device automatically makes the interface an untagged member of the VLAN. If the interface is in general mode, you must manually configure VLAN membership.

STEP 5 Click Apply. The settings are modified and written to the Running Configuration file.

To see the administrative and operational VLANs on an interface, click Details.

GVRP Settings

Adjacent VLAN-aware devices can exchange VLAN information with each other by using the Generic VLAN Registration Protocol (GVRP). GVRP is based on the Generic Attribute Registration Protocol (GARP) and propagates VLAN information throughout a bridged network.

Since GVRP requires support for tagging, the port must be configured in Trunk or General mode.

When a port joins a VLAN by using GVRP, it is added to the VLAN as a dynamic member, unless this was expressly forbidden in the Port VLAN Membership page. If the VLAN does not exist, it is dynamically created when Dynamic VLAN creation is enabled for this port (in the GVRP Settings page).

GVRP must be activated globally as well as on each port. When it is activated, it transmits and receives GARP Packet Data Units (GPDUs). VLANs that are defined but not active are not propagated. To propagate the VLAN, it must be up on at least one port.

By default, GVRP is disabled globally and on ports.