at8000 s configurando vlan avancado

Marvell Confidential

VLAN Advanced Features

AT - 8000S


Agenda

• Advanced VLAN classification– MAC based VLAN

• Private VLAN Edge


Advanced VLAN Classification

• In Legacy VLAN implementation an untagged packet is classified according to the PVID configured on the port.

• The device implements an additional advance method of untagged packet classification– MAC based VLAN


Packet Classification Flowchart

Is Packet Tagged?

Frame classified according to VLAN tag

Is MAC mapped to VLAN?

Frame classified according to MAC Group to VLAN

mapping

Yes

No

PVID based classification


MAC Based VLANs

• A classification that enables to classify packets to different VLANs based on the packet’s source MAC address.

• This feature is usually used for – VLAN segregation based on device type– Roaming

• Classification can be based on specific MAC address or MAC address prefix


MAC Based VLANs – User Control

• Map MAC addresses and prefixes of MAC addresses to a certain “Group-of-MACs”

• On a specific interface – map a certain Group-of-MACs to a VID. – Can be applied only on general VLAN mode interfaces

• If an untagged packet matches one of the Group-of-MACs defined on the interface, the VID is assigned according.

• Defined rules can’t contain overlapping ranges on the same interface.


MAC Based VLANs – CLI

• Use the following VLAN configuration command to map a MAC address or range of MAC addresses to a group of MAC addresses:

map mac mac-address {prefix-mask | host} macs-group group

• Use the no form of this command to delete the map:

no map mac mac-address {prefix-mask | host}



• Use the following Interface configuration command to set a mac-based classification rule:

switchport general map macs-group group vlan vlan-id

• Use the no form of this command to delete the classification:

no switchport general map macs-group group



• Use the following EXEC command to show macs-groups information :

show vlan macs-groups


Private VLAN Edge• The device supports private VLAN edge feature

• A port can be defined as a protected port.

• Traffic received on this port will be forwarded only to the specific uplink port defined in the command.

• Only a Gigabit ports can be designated as an uplink port

• Protected port applies VLAN ingress filtering rules

• Uplink port does not apply VLAN egress filtering on traffic received from protected VLAN


Private VLAN Edge

• Traffic tagging by uplink port:– VID exists on uplink port – regular VLAN egress tagging rules. – VID does not exist on uplink port – traffic is forwarded

untagged

• Protected port and uplink port can be in any VLAN mode

• IP address cannot be defined on this protected port


PVE - CLI• Use the following Interface Mode command to define a

protected portswitchport protected ethernet port

Note: Uplink port must be a GE port

• Use the “no” form of command to disable protection:no switchport protected

console(config)# interface ethernet 1/e1console(config-if)# switchport protected ethernet 1/g2console(config-if)#


Private VLAN Edge - Exampleconsole# show interfaces switchport ethernet 1/e1Port : 1/e1Port Mode: AccessGvrp Status: disabledIngress Filtering: trueAcceptable Frame Type: admitAllIngress UnTagged VLAN ( NATIVE ): 1Protected: Enabled, Uplink is 1/g2

Port is member in:

Vlan Name Egress rule Port Membership Type---- -------------------------------- ----------- --------------------1 1 Untagged System

at8000 s configurando vlan avancado

Technology