eNSP - Multiplex Vlan ( private vlan )

Mux (multiplex) Vlan is Huawei's private Vlan. The concept of a private Vlan is to provide Layer 2 traffic isolation between ports.

Mux vlan includes three types of ports.

Mux Vlan port - A Mux Vlan is the master Vlan. A Mux Vlan port can communicate with all ports including separate and group ports. Vlans that correspond to the separate and group ports need to be bound to the Mux Vlan.

Subordinate Separate port - separate ports belong to a separate Vlan and can communicate with the Mux Vlan only. Traffic is forwarded to the related Mux Vlan port.

Subordinate Group port - group ports belong to the group Vlan and can communicate with each other and with the related Mux Vlan ports. Group ports and separate ports do not communicate with each other.

topology:


1 - Configure AR1: 

[AR1] interface g0/0/0
[AR1-GigabitEthernet0/0/0] ip address 192.168.0.254 24

2 - Configure S1:

[S1] vlan batch 5 7 10
[S1] vlan 10
[S1-Vlan10] mux-vlan
[S1-Vlan10] subordinate separate 5
[S1-Vlan10] subordinate group 7
[S1-Vlan10] quit
[S1] interface g0/0/1
[S1-GigabitEthernet0/0/1] port link-type access
[S1-GigabitEthernet0/0/1] port default vlan 5
[S1-GigabitEthernet0/0/1] port mux-vlan enable
[S1-GigabitEthernet0/0/1] interface g0/0/2
[S1-GigabitEthernet0/0/2] port link-type access
[S1-GigabitEthernet0/0/2] port default vlan 5
[S1-GigabitEthernet0/0/2] port mux-vlan enable
[S1-GigabitEthernet0/0/2] interface g0/0/3
[S1-GigabitEthernet0/0/3] port link-type access
[S1-GigabitEthernet0/0/3] port default vlan 5
[S1-GigabitEthernet0/0/3] port mux-vlan enable
[S1-GigabitEthernet0/0/3] interface g0/0/9
[S1-GigabitEthernet0/0/9] port link-type access
[S1-GigabitEthernet0/0/9] port default vlan 7
[S1-GigabitEthernet0/0/9] port mux-vlan enable
[S1-GigabitEthernet0/0/9] interface g0/0/10
[S1-GigabitEthernet0/0/10] port link-type access
[S1-GigabitEthernet0/0/10] port default vlan 7
[S1-GigabitEthernet0/0/10] port mux-vlan enable
[S1-GigabitEthernet0/0/10] interface g0/0/24
[S1-GigabitEthernet0/0/24] port link-type access
[S1-GigabitEthernet0/0/24] port default vlan 10
[S1-GigabitEthernet0/0/24] port mux-vlan enable

3 - Clients: 

Client1 - 192.168.0.1 255.255.255.0 / GW - 192.168.0.254
Client2 - 192.168.0.2 255.255.255.0 / GW - 192.168.0.254
Client3 - 192.168.0.3 255.255.255.0 / GW - 192.168.0.254

Client7 - 192.168.0.7 255.255.255.0 / GW - 192.168.0.254
Client8 - 192.168.0.8 255.255.255.0 / GW - 192.168.0.254

Connectivity test:

Clients in the subordinate separate Vlan will NOT be able to ping clients in the subordinate group Vlan, nor each other, but will be able to ping the gateway.

Clients in the subordinate group Vlan are able to ping the gateway and each other, but they are NOT able to ping clients in the subordinate separate Vlan.


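As an added check for the isolation rules above (example code, not from the lab page or from Huawei): this Python script parses the S1 transcript exactly as typed, applies the Mux Vlan rules (the Mux Vlan reaches everything, group ports reach each other only inside the same group Vlan, separate ports reach the Mux Vlan only) and prints which ordered pairs of ports may exchange frames. The placement of the clients is an assumption: Client1-3 on g0/0/1-3, Client7-8 on g0/0/9-10 and AR1 on g0/0/24.

```python
"""Derive the Layer 2 reachability implied by a Mux Vlan configuration.

Added example; not code from the lab page or from Huawei. Assumed placement
(constructed): Client1-3 on g0/0/1-3, Client7-8 on g0/0/9-10, AR1 on g0/0/24.
"""
import re
from itertools import permutations

# Constructed copy of the S1 configuration from the lab, exactly as typed.
S1_CONFIG = """\
[S1] vlan batch 5 7 10
[S1] vlan 10
[S1-Vlan10] mux-vlan
[S1-Vlan10] subordinate separate 5
[S1-Vlan10] subordinate group 7
[S1-Vlan10] quit
[S1] interface g0/0/1
[S1-GigabitEthernet0/0/1] port link-type access
[S1-GigabitEthernet0/0/1] port default vlan 5
[S1-GigabitEthernet0/0/1] port mux-vlan enable
[S1-GigabitEthernet0/0/1] interface g0/0/2
[S1-GigabitEthernet0/0/2] port link-type access
[S1-GigabitEthernet0/0/2] port default vlan 5
[S1-GigabitEthernet0/0/2] port mux-vlan enable
[S1-GigabitEthernet0/0/2] interface g0/0/3
[S1-GigabitEthernet0/0/3] port link-type access
[S1-GigabitEthernet0/0/3] port default vlan 5
[S1-GigabitEthernet0/0/3] port mux-vlan enable
[S1-GigabitEthernet0/0/3] interface g0/0/9
[S1-GigabitEthernet0/0/9] port link-type access
[S1-GigabitEthernet0/0/9] port default vlan 7
[S1-GigabitEthernet0/0/9] port mux-vlan enable
[S1-GigabitEthernet0/0/9] interface g0/0/10
[S1-GigabitEthernet0/0/10] port link-type access
[S1-GigabitEthernet0/0/10] port default vlan 7
[S1-GigabitEthernet0/0/10] port mux-vlan enable
[S1-GigabitEthernet0/0/10] interface g0/0/24
[S1-GigabitEthernet0/0/24] port link-type access
[S1-GigabitEthernet0/0/24] port default vlan 10
[S1-GigabitEthernet0/0/24] port mux-vlan enable
"""

PROMPT = re.compile(r"^\[[^\]]*\]\s*")   # the "[S1-...] " prefix of every line


def parse_mux_vlan(config: str):
    """Return (role_of_vlan, vlan_of_port) for the ports enrolled in the Mux Vlan."""
    role_of_vlan = {}      # vlan id -> "mux" | "separate" | "group"
    vlan_of_port = {}      # port -> access vlan ('port default vlan')
    enrolled = set()       # ports that carry 'port mux-vlan enable'
    vlan = port = None
    for line in config.splitlines():
        cmd = PROMPT.sub("", line).strip()
        if m := re.fullmatch(r"vlan (\d+)", cmd):
            vlan = int(m.group(1))
        elif cmd == "mux-vlan":
            role_of_vlan[vlan] = "mux"
        elif m := re.fullmatch(r"subordinate (separate|group) (\d+)", cmd):
            role_of_vlan[int(m.group(2))] = m.group(1)
        elif m := re.fullmatch(r"interface (\S+)", cmd):
            port = m.group(1)
        elif m := re.fullmatch(r"port default vlan (\d+)", cmd):
            vlan_of_port[port] = int(m.group(1))
        elif cmd == "port mux-vlan enable":
            enrolled.add(port)
    # Ports without 'port mux-vlan enable' keep ordinary Vlan forwarding; left out.
    return role_of_vlan, {p: v for p, v in vlan_of_port.items() if p in enrolled}


def can_forward(vlan_a: int, vlan_b: int, role_of_vlan: dict) -> bool:
    """Mux Vlan rule for two enrolled ports sitting in vlan_a and vlan_b."""
    ra, rb = role_of_vlan[vlan_a], role_of_vlan[vlan_b]
    if "mux" in (ra, rb):
        return True                                   # Mux Vlan reaches everything
    # Group ports talk only inside their own group Vlan; separate ports never
    # reach each other, not even inside the same separate Vlan.
    return ra == rb == "group" and vlan_a == vlan_b


def reachability(config: str = S1_CONFIG) -> dict:
    """Map every ordered pair of enrolled ports to True (forwards) or False."""
    role_of_vlan, vlan_of_port = parse_mux_vlan(config)
    return {(a, b): can_forward(vlan_of_port[a], vlan_of_port[b], role_of_vlan)
            for a, b in permutations(vlan_of_port, 2)}


if __name__ == "__main__":
    for (a, b), ok in sorted(reachability().items()):
        print(f"{a:>8} -> {b:<8} {'forward' if ok else 'ISOLATED'}")
```

The pairs printed as ISOLATED are exactly the pings the test above expects to fail. Because only ports that carry `port mux-vlan enable` are enrolled, a port where that line was forgotten simply disappears from the table, which is a quick way to spot a missed step before relying on the isolation.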
eNSP - Super-Vlan (Vlan aggregation)

Inter-vlan communication is achieved by configuring an ip address on the Vlanif interfaces. If a network has a large number of vlans, this requires an excessive number of ip addresses.

The concept of Super-vlans was introduced to save ip address space. A Super-vlan is a group of sub-vlans. It has a vlanif interface, but no physical ports can be added to it. A sub-vlan has physical ports but no ip address assigned to its vlanif interface. Packets cannot be forwarded between sub-vlans at Layer 2; if Layer 3 communication is needed from a sub-vlan, it uses the ip address of the Super-vlan as its gateway ip address.

The local Address Resolution Protocol (ARP) proxy function is used to perform Layer 3 communications between sub-vlans and between sub-vlans and other networks.

topology:

1 - Create vlans:

[S1] vlan batch 10 20

[S2] vlan batch 10 20

[S3] vlan batch 10 20 100

2 - Configure Trunk ports:

[S1] interface g0/0/1
[S1-GigabitEthernet0/0/1] port link-type trunk
[S1-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 20
[S1-GigabitEthernet0/0/1] interface g0/0/2
[S1-GigabitEthernet0/0/2] port link-type trunk
[S1-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 20

[S2] interface g0/0/1
[S2-GigabitEthernet0/0/1] port link-type trunk
[S2-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 20
[S2-GigabitEthernet0/0/1] interface g0/0/2
[S2-GigabitEthernet0/0/2] port link-type trunk
[S2-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 20

[S3] interface g0/0/1
[S3-GigabitEthernet0/0/1] port link-type trunk
[S3-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 20
[S3-GigabitEthernet0/0/1] interface g0/0/2
[S3-GigabitEthernet0/0/2] port link-type trunk
[S3-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 20

3 - Configure Access ports:

[S1] interface e0/0/1
[S1-Ethernet0/0/1] port link-type access
[S1-Ethernet0/0/1] port default vlan 10
[S1-Ethernet0/0/1] interface e0/0/2
[S1-Ethernet0/0/2] port link-type access
[S1-Ethernet0/0/2] port default vlan 20

[S2] interface e0/0/1
[S2-Ethernet0/0/1] port link-type access
[S2-Ethernet0/0/1] port default vlan 10
[S2-Ethernet0/0/1] interface e0/0/2
[S2-Ethernet0/0/2] port link-type access
[S2-Ethernet0/0/2] port default vlan 20

4 - Configure Super-Vlan:

[S3] vlan 100
[S3-vlan100] aggregate-vlan
[S3-vlan100] access-vlan 10 20
[S3-vlan100] quit
[S3] interface vlanif 100
[S3-Vlanif100] ip address 192.168.0.254 24
[S3-Vlanif100] arp-proxy inter-sub-vlan-proxy enable

Connectivity test:

client1 - 192.168.0.1 24
client2 - 192.168.0.2 24
client3 - 192.168.0.3 24
client4 - 192.168.0.4 24


eNSP - inter-Vlan routing

With Vlans implemented, many users are cut off from users in other Vlan domains. To establish connectivity between Vlans, a Layer 3 device is needed.

topology: (inter-vlan routing with a router)


1 - Create Vlans:

[S1] vlan batch 10 20

note: use "display vlan" to see Vlan database.

2 - Configure access ports:

[S1] interface e0/0/1
[S1-Ethernet0/0/1] port link-type access
[S1-Ethernet0/0/1] port default vlan 10
[S1-Ethernet0/0/1] interface e0/0/2
[S1-Ethernet0/0/2] port link-type access
[S1-Ethernet0/0/2] port default vlan 20
note: use "display port vlan" to see which ports are assigned to which vlans.

3 - Configure trunk on the switch:

[S1] interface g0/0/1
[S1-GigabitEthernet0/0/1] port link-type trunk
[S1-GigabitEthernet0/0/1] port trunk allow-pass vlan all

4 - Configure trunk on the router:

[R1] interface g0/0/0
[R1-GigabitEthernet0/0/0] interface g0/0/0.10
[R1-GigabitEthernet0/0/0.10] dot1q termination vid 10
[R1-GigabitEthernet0/0/0.10] ip address 192.168.10.1 24
[R1-GigabitEthernet0/0/0.10] arp broadcast enable
[R1-GigabitEthernet0/0/0.10] interface g0/0/0.20
[R1-GigabitEthernet0/0/0.20] dot1q termination vid 20
[R1-GigabitEthernet0/0/0.20] ip address 192.168.20.1 24
[R1-GigabitEthernet0/0/0.20] arp broadcast enable

note: ARP broadcast is disabled by default; if it remains disabled, the router will discard the packets. By enabling ARP broadcast on the sub-interface, the router is able to construct a tagged ARP broadcast packet and send it from the sub-interface.

5 - Assign IP addresses to clients:

Client 1

IP - 192.168.10.100
MASK - 255.255.255.0
GW - 192.168.10.1

Client 2 

IP - 192.168.20.100
MASK - 255.255.255.0
GW - 192.168.20.1

Connectivity test


topology: (L3 switch based vlan routing)


1 - Create vlans:

[S1] vlan batch 10 20 30 40
[S2] vlan batch 10 20 30 40

2 - Assign ports to vlans:

[S1] interface e0/0/1
[S1-Ethernet0/0/1] port link-type access
[S1-Ethernet0/0/1] port default vlan 10
[S1-Ethernet0/0/1] interface e0/0/2
[S1-Ethernet0/0/2] port link-type access
[S1-Ethernet0/0/2] port default vlan 20
[S2] interface e0/0/1
[S2-Ethernet0/0/1] port link-type access
[S2-Ethernet0/0/1] port default vlan 40
[S2-Ethernet0/0/1] interface e0/0/2
[S2-Ethernet0/0/2] port link-type access
[S2-Ethernet0/0/2] port default vlan 30

3 - Configure trunk:

[S1] interface g0/0/1
[S1-GigabitEthernet0/0/1] port link-type trunk
[S1-GigabitEthernet0/0/1] port trunk allow-pass vlan all

[S2] interface g0/0/1
[S2-GigabitEthernet0/0/1] port link-type trunk
[S2-GigabitEthernet0/0/1] port trunk allow-pass vlan all

4 - Configure Vlanif interfaces:

[S1] interface vlanif 10
[S1-VlanIf10] ip address 192.168.10.1 24
[S1-VlanIf10] interface vlanif 20
[S1-VlanIf20] ip address 192.168.20.1 24
[S1-VlanIf20] interface vlanif 30
[S1-VlanIf30] ip address 192.168.30.2 24
[S1-VlanIf30] interface vlanif 40
[S1-VlanIf40] ip address 192.168.40.2 24

[S2] interface vlanif 10
[S2-VlanIf10] ip address 192.168.10.2 24
[S2-VlanIf10] interface vlanif 20
[S2-VlanIf20] ip address 192.168.20.2 24
[S2-VlanIf20] interface vlanif 30
[S2-VlanIf30] ip address 192.168.30.1 24
[S2-VlanIf30] interface vlanif 40
[S2-VlanIf40] ip address 192.168.40.1 24

note: Vlan routing is implemented by creating vlan interfaces that operate as a gateway for each vlan within the layer 3 switch.

Connectivity test

eNSP - VLAN (access, trunk and hybrid ports)

VLAN practice...

topology:

Vlan 10 - 192.168.10.0/24
Vlan 20 - 192.168.20.0/24



1 - Create Vlans:

[S1] vlan batch 10 20

note: vlans can be created as well with the command "vlan [id]". Use the command "display vlan" to see the vlan database.

2 - Assign ports to the Vlans:

[S1] interface g0/0/1
[S1-GigabitEthernet0/0/1] port link-type access
[S1-GigabitEthernet0/0/1] port default vlan 10
[S1-GigabitEthernet0/0/1] interface g0/0/2
[S1-GigabitEthernet0/0/2] port link-type access
[S1-GigabitEthernet0/0/2] port default vlan 20
[S1-GigabitEthernet0/0/2] quit

3 - Assign trunk port:

[S1] interface g0/0/24
[S1-GigabitEthernet0/0/24] port link-type trunk
[S1-GigabitEthernet0/0/24] port trunk allow-pass vlan all
[S1-GigabitEthernet0/0/24] quit

4 - Configure S2:

[S2] vlan batch 10 20
[S2] interface g0/0/1
[S2-GigabitEthernet0/0/1] port link-type access
[S2-GigabitEthernet0/0/1] port default vlan 20
[S2-GigabitEthernet0/0/1] interface g0/0/2
[S2-GigabitEthernet0/0/2] port link-type access
[S2-GigabitEthernet0/0/2] port default vlan 10
[S2-GigabitEthernet0/0/2] interface g0/0/24
[S2-GigabitEthernet0/0/24] port link-type trunk
[S2-GigabitEthernet0/0/24] port trunk allow-pass vlan all
[S2-GigabitEthernet0/0/24] quit

5 - Assign ip addresses to hosts:

client 1 - 192.168.10.100 255.255.255.0
client 2 - 192.168.20.100 255.255.255.0
client 3 - 192.168.10.101 255.255.255.0
client 4 - 192.168.20.101 255.255.255.0

Check connectivity by pinging hosts within the same Vlan.

6 - Hybrid ports:

Hybrid ports can operate as access ports and/or trunk ports; they are the default port type on Huawei switches.

This scenario simulates an end device that has the ability to tag vlan packets. The ip address scheme is the same as in the previous scenario.

1 - Create Vlans on both switches:

[S1] vlan batch 10 20

[S2] vlan batch 10 20

2 - Configure interfaces between switches:

[S1] interface g0/0/1
[S1-GigabitEthernet0/0/1] port link-type hybrid
[S1-GigabitEthernet0/0/1] port hybrid tagged vlan 10 20


[S2] interface g0/0/1
[S2-GigabitEthernet0/0/1] port link-type hybrid
[S2-GigabitEthernet0/0/1] port hybrid tagged vlan 10 20

3 - Configure interfaces that connect to end devices:


[S1] interface g0/0/1
[S1-GigabitEthernet0/0/1] port link-type hybrid
[S1-GigabitEthernet0/0/1] port hybrid tagged vlan 20
[S1-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[S1-GigabitEthernet0/0/1] port hybrid pvid vlan 10


[S2] interface g0/0/1
[S2-GigabitEthernet0/0/1] port link-type hybrid
[S2-GigabitEthernet0/0/1] port hybrid tagged vlan 20
[S2-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[S2-GigabitEthernet0/0/1] port hybrid pvid vlan 10

Check connectivity by pinging hosts within the same Vlan. All hosts are in Vlan 10 regardless of the ip address. To test Vlan 20, configure the settings of client 2.

Go to settings > udpPacket

Make sure that the destination MAC and IP are those of Client 4 and that the Vlan ID is set to 20, then click "Send". Go to client 4, right click and select capture > Ethernet 0/0/1. Wireshark will start.

Wireshark shows that the udp packets are being sent through Vlan 20; this illustrates the scenario where two end devices connect to the same interface but are in different Vlans.
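What the hybrid port does with the tag Wireshark displays, as an added example (not code from the lab page or from Huawei): the script below builds and parses 802.1Q frames at byte level and models the end-device port of step 3 (tagged vlan 20, untagged vlan 10, pvid 10). An untagged frame from the client is classified into the PVID, a frame the client tagged with 20 is accepted because 20 is in the port's tagged list, a tag for a Vlan the port is not a member of is dropped, and on the way out the tag is stripped for Vlan 10 and kept for Vlan 20. The same 12-bit VID field is what the router's "dot1q termination vid" matches in the inter-Vlan routing lab above. The MAC addresses are constructed.

```python
"""802.1Q tag handling on a hybrid port, modelled on the end-device ports of
the lab (tagged vlan 20, untagged vlan 10, pvid 10).

Added example; not code from the lab page or from Huawei. MAC addresses are
constructed. The VID read here is the field Wireshark shows in the 802.1Q
header and the one 'dot1q termination vid' matches on the router.
"""
import struct

TPID_8021Q = 0x8100      # EtherType value announcing an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(dst: str, src: str, payload: bytes, vid=None,
                ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Ethernet II frame; a 4-byte 802.1Q tag is inserted when vid is given."""
    hdr = mac_bytes(dst) + mac_bytes(src)
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)   # PCP=0, DEI=0
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Split a frame into its fields; 'vid' is None for an untagged frame."""
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid, body = None, frame[14:]
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, body = tci & 0x0FFF, frame[18:]       # low 12 bits of the TCI
    return {"dst": dst, "src": src, "vid": vid, "ethertype": ethertype, "payload": body}


class HybridPort:
    """'port hybrid tagged vlan', 'port hybrid untagged vlan', 'port hybrid pvid vlan'."""

    def __init__(self, pvid: int, tagged=(), untagged=()):
        self.pvid, self.tagged, self.untagged = pvid, set(tagged), set(untagged)

    def members(self) -> set:
        return self.tagged | self.untagged

    def ingress(self, frame: bytes):
        """Vlan the arriving frame is classified into, or None if it is dropped."""
        vid = parse_frame(frame)["vid"]
        if vid is None or vid == 0:          # untagged or priority-tagged -> PVID
            vid = self.pvid
        return vid if vid in self.members() else None   # tag must name a member Vlan

    def egress(self, vid: int, dst: str, src: str, payload: bytes):
        """Frame as it leaves the port: tag stripped for 'untagged' Vlans,
        kept for 'tagged' Vlans, nothing sent for Vlans the port is not in."""
        if vid in self.untagged:
            return build_frame(dst, src, payload)
        if vid in self.tagged:
            return build_frame(dst, src, payload, vid=vid)
        return None


# The port facing an end device that can tag its own frames (step 3 of the lab).
END_DEVICE_PORT = HybridPort(pvid=10, tagged=[20], untagged=[10])

if __name__ == "__main__":
    dst, src = "00:00:5e:00:53:04", "00:00:5e:00:53:02"   # constructed MACs
    for label, frame in (("untagged", build_frame(dst, src, b"udp-data")),
                         ("tagged 20", build_frame(dst, src, b"udp-data", vid=20)),
                         ("tagged 30", build_frame(dst, src, b"udp-data", vid=30))):
        print(f"{label:>9} -> classified into {END_DEVICE_PORT.ingress(frame)}")
    out = END_DEVICE_PORT.egress(20, dst, src, b"udp-data")
    print("egress vlan 20 keeps tag:", parse_frame(out)["vid"])
```

The `vid == 0` branch covers priority-tagged frames (a tag present but VID 0), which a switch treats like untagged traffic and assigns to the PVID; a frame carrying a VID the port is not a member of is dropped on ingress, which is the property that keeps a self-tagging end device confined to the Vlans the port was configured for.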