Zyxel Ethernet Switches can operate either with Port-based VLAN or Tag-based VLAN (802.1Q).
Port-based VLAN
To select the type of VLAN, go to the Basic Settings > Switch Setup web configurator menu and set VLAN Type = Port Based. To further configure the VLAN, go to the Advanced Application > VLAN menu.
A port-based VLAN is configured as follows: for each switch port N, you specify the list of ports to which data from port N may be transferred.
Using port-based VLANs, you can configure quite complex schemes of "overlapping" virtual networks, but this method has a significant drawback: it does not allow extending VLANs to several switches. To transfer VLAN information between switches, 802.1Q frame tagging is used.
Tag-based VLAN (802.1Q)
The IEEE 802.1Q standard defines changes in the Ethernet frame structure that allow VLAN information to be transmitted over a network. A tag carrying the VLAN identifier (VID) is inserted into the Ethernet frame. The VID field takes 12 bits; the VLAN number can be any value from 1 to 4094, and numbers 0 and 4095 are reserved for special purposes. A frame with a tag is called a tagged frame.
In addition to the VID, the tag carries a 3-bit priority field, which is defined by the IEEE 802.1p standard.
The tag takes 4 bytes. It consists of the TPID (Tag Protocol Identifier, 2 bytes) and the TCI (Tag Control Information, 2 bytes). The original frame type field is shifted to the right, and the TPID, which indicates the new frame type (802.1Q), takes its place. The TCI contains 12 bits of VID and 3 bits of priority.
Adding four bytes to the maximum Ethernet frame size causes problems on many switches, because the maximum size of a tagged frame is 1522 bytes rather than 1518. If you cannot replace outdated equipment that does not support enlarged frames, you can reduce the MTU in the network device settings by 4 bytes: from 1500 to 1496.
Untagged frame - A frame that carries no 802.1Q tag.
Priority-tagged frame - A frame that carries a VLAN tag whose VID field is 0. Such a frame does not belong to any VLAN; it only has a priority field.
VLAN-tagged frame - A frame with an 802.1Q tag and a VID greater than 0.
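The tag layout and the three frame types above can be checked with a small parser. This is an added example, not code from the original page or from Zyxel; the TPID value 0x8100 comes from the 802.1Q standard rather than from this page, and the sample frames (MAC addresses, payload) are constructed.

```python
import struct

TPID_8021Q = 0x8100  # TPID value that marks an 802.1Q tag (from the standard, not this page)

def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet frame (without FCS) and classify it by its 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        # No tag: bytes 12-13 are the original frame type.
        return {"kind": "untagged", "vid": None, "priority": None,
                "ethertype": tpid, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("frame ends inside the 802.1Q tag")
    # TCI (2 bytes), then the original frame type, shifted right by 4 bytes.
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    priority = tci >> 13      # upper 3 bits: 802.1p priority
    vid = tci & 0x0FFF        # lower 12 bits: VID (the bit between them is ignored here)
    if vid == 4095:
        raise ValueError("VID 4095 is reserved")
    kind = "priority-tagged" if vid == 0 else "vlan-tagged"
    return {"kind": kind, "vid": vid, "priority": priority,
            "ethertype": ethertype, "payload": frame[18:]}

def build_frame(ethertype, payload, vid=None, priority=0):
    """Build a constructed sample frame; vid=None produces an untagged frame."""
    macs = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")  # dst, src
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, (priority << 13) | vid)
    return macs + tag + struct.pack("!H", ethertype) + payload

if __name__ == "__main__":
    # Constructed samples: frame type 0x0800 with a dummy payload.
    for f in (build_frame(0x0800, b"data"),
              build_frame(0x0800, b"data", vid=0, priority=5),
              build_frame(0x0800, b"data", vid=100, priority=3)):
        r = parse_frame(f)
        print(len(f), r["kind"], r["vid"], r["priority"])
```
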
VLAN support on the network
Each VLAN group has a unique identifier (VID) on the network. Hosts within a single VLAN can transfer data between themselves.
All network devices can be divided into two groups:
VLAN Aware - devices that support VLANs in accordance with 802.1Q and take the tag into account when receiving frames.
VLAN Unaware - devices that cannot handle frames carrying a VID and Priority. Sometimes these devices cannot process such frames at all (they do not pass 1522-byte frames). When a frame is sent to a VLAN-Unaware device, the tag is removed, and when a frame is received from it, the default tag is set.
If a frame arrives with a tag, it is sent to the forwarding process without changes. If it has no tag, a tag is placed on it according to the ingress rule:
If the frame is tagged, it is passed on unchanged.
If the frame is untagged or is a priority-tagged frame, it is labeled with the PVID by default, and after that the frame is passed on.
PVID - the default VLAN ID that is assigned to each port.
Forwarding process (redirection):
Makes decisions about filtering or forwarding a packet to the destination port according to the VLAN and MAC tables.
Specifies whether to leave the VLAN tag in the frame. If it is known that a VLAN-Unaware device is connected to the port, then the tag is removed.
Protocol-based VLAN configuration
Port: the port number on which this rule will be applied
Ethernet-type: the value of the type field of the Ethernet frame
VID: VLAN ID to mark the frame
Priority: the value of the priority field with which the frame will be marked
The VLAN menu displays information about current VLANs (static and dynamic). Dynamic VLANs are registered using the GVRP protocol and static VLANs are manually entered by the administrator.
Static VLANs are configured in the Static VLAN menu. When configuring, specify the name, VID and port status in relation to the VLAN:
Fixed - the port is an output port for this VLAN;
Forbidden - frames belonging to the VLAN must not be sent to the port;
Normal - frames belonging to the VLAN must not be sent to the port until the port receives information about this VLAN through the GVRP protocol. When GVRP is disabled, the Normal state is equivalent to the Forbidden state.
The Tx Tagging flag indicates whether to keep the tag when a frame is sent from the port.
The static VLAN tables regulate only the sending of tagged frames from the switch. For example, if a port is in the Forbidden state with respect to VLAN ID = 200, the port will not be allowed to send frames with a tag of 200. At the same time, receiving a frame with a tag of 200 on this port is not prohibited. Inbound frame checking can be enabled in the Port Security menu.
802.1q VLAN settings on ports
Each port has a set of fields:
PVID - (explanation see above)
Acceptable Frame Type - which frames the port accepts: either any frame or tagged frames only
VLAN Trunking - if enabled, all VLANs are sent tagged through this port unless explicitly stated otherwise. A switch, especially one working somewhere in the center of the network, may register dynamic VLANs that need to be carried transparently to other parts of the network. VLAN Trunking is useful in this case; otherwise you would have to enter all possible VLANs into the table explicitly.
Ingress check - if enabled, the port accepts only frames with VLAN IDs for which this port is an output port.
GVRP - a protocol for transferring VLAN information over a network from one switch to another. If required, it must be enabled both on the switch and on individual ports.
Port Isolation (in the VLAN 802.1Q settings) - if enabled, data cannot be transferred between client ports. Client ports may communicate only with uplink ports.
Port Isolation (in the Port-based VLAN settings) - if enabled, data cannot be transferred from one port to another. Only communication between the ports and the switch (CPU) for configuration is allowed.
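The interaction between the static VLAN table, the PVID, Acceptable Frame Type and Ingress check can be seen in a small model. This is an added example, not Zyxel code: the class and function names are hypothetical, the MAC table is left out (a frame goes to every output port of its VLAN), and Ingress check is assumed to be applied to the VID the frame has after the ingress rule.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    pvid: int = 1
    tagged_only: bool = False    # Acceptable Frame Type: tagged frames only
    ingress_check: bool = False  # Ingress check

@dataclass
class StaticVlan:
    fixed: set = field(default_factory=set)      # output ports of the VLAN
    forbidden: set = field(default_factory=set)  # ports that must not send it
    untagged: set = field(default_factory=set)   # ports with Tx Tagging off

def ingress(ports, vlans, in_port, vid):
    """Return the VID a frame carries after the ingress process, or None if dropped.
    vid is None for an untagged frame and 0 for a priority-tagged one."""
    port = ports[in_port]
    if vid in (None, 0):
        if port.tagged_only:     # assumption: VID 0 counts as "no VLAN tag" here
            return None
        vid = port.pvid          # ingress rule: label the frame with the PVID
    member = in_port in vlans.get(vid, StaticVlan()).fixed
    if port.ingress_check and not member:
        return None              # port is not an output port for this VID
    return vid

def forward(ports, vlans, in_port, vid):
    """Return {out_port: 'tagged' | 'untagged'} for a frame received on in_port."""
    vid = ingress(ports, vlans, in_port, vid)
    vlan = vlans.get(vid)
    if vlan is None:
        return {}
    out = vlan.fixed - vlan.forbidden - {in_port}
    return {p: "untagged" if p in vlan.untagged else "tagged" for p in sorted(out)}

def demo(ingress_check):
    # Constructed setup: VLAN 200 has output ports 1-2; port 3 is forbidden for it.
    ports = {n: Port() for n in (1, 2, 3)}
    ports[3].ingress_check = ingress_check
    vlans = {1: StaticVlan(fixed={1, 2, 3}, untagged={1, 2, 3}),
             200: StaticVlan(fixed={1, 2}, forbidden={3}, untagged={2})}
    return forward(ports, vlans, in_port=3, vid=200)
```

With Ingress check off, `demo(False)` shows the frame tagged 200 entering through the forbidden port and reaching ports 1 and 2; with it on, `demo(True)` returns an empty result.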
The network service provider can use VLAN Stacking to separate all of its clients, who can also conduct their own VLANs through the provider’s network even if the VLAN IDs of one client match those of other clients.
This is done using “double tagging” - adding another (external) VLAN tag.
Each switch port can have two roles (Port Role):
Access Port - an incoming frame is treated as not yet carrying the second tag, so a second (tunnel) tag is placed on it at the entrance. Such ports are typically used at the edge of the provider's network.
Tunnel Port - the function is available only on gigabit ports. The incoming frame is processed in the same way as on an Access Port, but only if the type field (TPID) of the frame does not match the SP TPID (Service Provider's TPID) configured on the switch (VLAN Stacking menu, above).
In addition to the role, an SP VID (an “external” VLAN ID) and an external priority (SP Priority) are set on the port.
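The double tagging performed by the two port roles can be reproduced on raw frames. This is an added example, not Zyxel code: the function names are hypothetical, the SP TPID 0x88A8 and the SP VIDs are example values, the frames are constructed, and a frame that already carries the SP TPID on a Tunnel Port is assumed to pass with its existing outer tag.

```python
import struct

def add_sp_tag(frame, role, sp_tpid, sp_vid, sp_priority=0):
    """Apply the ingress step of VLAN Stacking to a frame entering a provider port."""
    if role not in ("access", "tunnel"):
        raise ValueError("role must be 'access' or 'tunnel'")
    (tpid,) = struct.unpack("!H", frame[12:14])
    if role == "tunnel" and tpid == sp_tpid:
        # Assumption: a frame that already carries the SP TPID keeps its outer tag.
        return frame
    outer = struct.pack("!HH", sp_tpid, (sp_priority << 13) | sp_vid)
    return frame[:12] + outer + frame[12:]   # outer tag goes right after the MACs

def read_tags(frame, tpids):
    """Return [(tpid, priority, vid), ...] for the tag stack, outermost first."""
    tags, pos = [], 12
    while len(frame) >= pos + 4:
        tpid, tci = struct.unpack("!HH", frame[pos:pos + 4])
        if tpid not in tpids:
            break
        tags.append((tpid, tci >> 13, tci & 0x0FFF))
        pos += 4
    return tags

SP_TPID = 0x88A8   # example value; the switch uses whatever SP TPID is configured
C_TPID = 0x8100    # 802.1Q TPID of the customer's own tag

def customer_frame(vid):
    """Constructed customer frame: MACs, one 802.1Q tag, type 0x0800, dummy payload."""
    macs = bytes.fromhex("020000000002020000000001")
    return macs + struct.pack("!HHH", C_TPID, vid, 0x0800) + b"data"

def demo():
    # Two customers both use VLAN 10; each access port has its own SP VID.
    a = add_sp_tag(customer_frame(10), "access", SP_TPID, sp_vid=1001, sp_priority=2)
    b = add_sp_tag(customer_frame(10), "access", SP_TPID, sp_vid=1002)
    # Frame a then enters another switch through a tunnel port: no third tag.
    a2 = add_sp_tag(a, "tunnel", SP_TPID, sp_vid=1001)
    return [read_tags(f, {SP_TPID, C_TPID}) for f in (a, b, a2)]
```
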
Here is an example of creating and configuring an 802.1Q-based VLAN using the commands of an Ethernet switch. Create a VLAN with the number 100 in which ports 5-8 will be included and from which frames with the 802.1Q tag (tagged frames) will be sent.
ES-4124# config - to create and configure the VLAN, you must enter the config mode
ES-4124(config)# vlan 100 - we create VLAN with number 100
ES-4124(config-vlan)# name vlan100 - the name of the static VLAN table
ES-4124(config-vlan)# fixed 5-8 - ports 5-8 are included in VLAN 100
ES-4124(config-vlan)# no untagged 5-8 - we indicate that on ports 5-8, the switch will send outgoing frames with the 802.1Q tag set
ES-4124(config-vlan)# exit - exit config-vlan mode
ES-4124(config)# interface port-channel 5-8 - enter config-interface mode to determine the PVID on ports 5-8
ES-4124(config-interface)# pvid 100 - set PVID = 100 on ports 5-8
ES-4124(config-interface)# exit - exit config-interface mode
ES-4124(config)# exit - exit config mode
ES-4124# wr mem - write the settings made to the switch memory
To configure a static VLAN table in config-vlan mode, use the following commands:
| vlan | creates the VLAN with the given number |
| name | sets the name of the static VLAN table |
| fixed | defines the ports that will be output ports for this VLAN |
| forbidden | defines the ports to which it is forbidden to transmit frames belonging to this VLAN |
| normal | specifies the ports that are not included in a specific VLAN but can be enabled via GVRP |
| untagged | specifies that outgoing frames are sent from the ports without the 802.1Q tag |
| no untagged | specifies that outgoing frames are sent from the ports tagged with 802.1Q |
| no fixed or | sets the ports to Normal status |
Where = VLAN ID [1-4094], = SVLAN entry name and = list of switch ports.
When creating a default VLAN, all ports are in NORMAL mode.
Information on all commands of the Ethernet switch is in the user manual.