From theory to practice: the wide application of MUX VLAN in the network

Background of MUX VLAN

MUX VLAN (Multiplex VLAN) provides a mechanism for controlling network resources through VLANs. In an enterprise network, both enterprise employees and enterprise customers can access the enterprise's servers. The enterprise wants internal employees to be able to communicate with each other, while enterprise customers are isolated and cannot access each other.

To let all users access the enterprise server, you can configure inter-VLAN communication. If the enterprise is large and has a large number of users, however, you must assign separate VLANs to the users who must not access each other, which not only consumes a large number of VLAN IDs but also increases the workload of network administrators and the amount of maintenance.

The Layer 2 traffic isolation mechanism provided by MUX VLAN enables internal employees of an enterprise to communicate with each other, while enterprise customers are isolated from each other.

Basic Concepts

MUX VLAN is divided into Principal VLAN and Subordinate VLAN, and Subordinate VLAN is further divided into Separate VLAN and Group VLAN.

  • Separate VLAN (Separate port): the Separate port can only communicate with the Principal port and is completely isolated from other types of interfaces. Each Separate VLAN must be bound to a Principal VLAN.
  • Group VLAN (interoperable slave VLAN; Group port): the Group port can communicate with the Principal port, and interfaces in the same group can also communicate with each other, but cannot communicate with other group interfaces or Separate ports. Each Group VLAN must be bound to a Principal VLAN.

Application Scenario

Using the MUX VLAN feature, enterprises can connect enterprise servers to Principal ports, enterprise customers to Separate ports, and enterprise employees to Group ports. In this way, both enterprise customers and enterprise employees can access enterprise servers, enterprise employees can communicate with each other, enterprise customers cannot communicate with each other, and enterprise customers and enterprise employees cannot access each other.

For aggregation layer devices, you can create a VLANIF interface for the Principal VLAN. The IP address of the VLANIF interface can be used as the gateway address of the host or server. As shown in the following figure, configuring MUX VLAN on the aggregation device Switch1 can flexibly implement isolation or intercommunication of access traffic.

MUX VLAN Configuration Commands

(1) Configure the principal VLAN in the MUX VLAN:

 [Huawei-vlan100] mux-vlan

Configure the VLAN as a MUX VLAN, that is, a Principal VLAN. If the specified VLAN has been used for a Principal VLAN, then the VLAN cannot be used in the configuration of a Super-VLAN or Sub-VLAN.

(2) Configure the Group VLAN in the Subordinate VLAN:

 [Huawei-vlan100] subordinate group { vlan-id1 [ to vlan-id2 ] }

A maximum of 128 group VLANs can be configured under one principal VLAN.

(3) Configure Separate VLAN in Subordinate VLAN:

 [Huawei-vlan100] subordinate separate vlan-id

Only one separate VLAN can be configured under a principal VLAN. The VLAN IDs of the group VLAN and separate VLAN in the same MUX VLAN cannot be the same.

(4) Enable the MUX VLAN function on the interface:

 [Huawei-GigabitEthernet0/0/1] port mux-vlan enable vlan-id

Enable the MUX VLAN function on the interface. The negotiation-auto and negotiation-desirable interfaces do not support the port mux-vlan enable configuration.

MUX VLAN Configuration Example

Network diagram for configuring MUX-VLAN

In an enterprise network, all employees can access the enterprise's servers. However, the enterprise hopes that some employees can communicate with each other, while other employees are isolated and cannot access each other.

Configuration Roadmap

The configuration roadmap is as follows:

  • Configure the MUX VLAN function of the Principal VLAN.
  • Configure the Group VLAN function.
  • Configure the Separate VLAN function.
  • Add interfaces to VLANs and enable the MUX VLAN function.

Procedure

(1) Create VLAN2, VLAN3, and VLAN4:

 <HUAWEI> system-view
 [HUAWEI] sysname Switch
 [Switch] vlan batch 2 3 4

(2) Configure Group VLAN and Separate VLAN in MUX VLAN:

 [Switch] vlan 2
 [Switch-vlan2] mux-vlan
 [Switch-vlan2] subordinate group 3
 [Switch-vlan2] subordinate separate 4
 [Switch-vlan2] quit

(3) Configure the interface to join the VLAN and enable the MUX VLAN function:

 [Switch] interface gigabitethernet 1/0/1
 [Switch-GigabitEthernet1/0/1] port link-type access
 [Switch-GigabitEthernet1/0/1] port default vlan 2
 [Switch-GigabitEthernet1/0/1] port mux-vlan enable vlan 2
 [Switch-GigabitEthernet1/0/1] quit
 [Switch] interface gigabitethernet 1/0/2
 [Switch-GigabitEthernet1/0/2] port link-type access
 [Switch-GigabitEthernet1/0/2] port default vlan 3
 [Switch-GigabitEthernet1/0/2] port mux-vlan enable vlan 3
 [Switch-GigabitEthernet1/0/2] quit
 [Switch] interface gigabitethernet 1/0/3
 [Switch-GigabitEthernet1/0/3] port link-type access
 [Switch-GigabitEthernet1/0/3] port default vlan 3
 [Switch-GigabitEthernet1/0/3] port mux-vlan enable vlan 3
 [Switch-GigabitEthernet1/0/3] quit
 [Switch] interface gigabitethernet 1/0/4
 [Switch-GigabitEthernet1/0/4] port link-type access
 [Switch-GigabitEthernet1/0/4] port default vlan 4
 [Switch-GigabitEthernet1/0/4] port mux-vlan enable vlan 4
 [Switch-GigabitEthernet1/0/4] quit
 [Switch] interface gigabitethernet 1/0/5
 [Switch-GigabitEthernet1/0/5] port link-type access
 [Switch-GigabitEthernet1/0/5] port default vlan 4
 [Switch-GigabitEthernet1/0/5] port mux-vlan enable vlan 4
 [Switch-GigabitEthernet1/0/5] quit
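To check that a configuration like the one above produces the intended isolation, the following added example (not part of the original article and not Huawei tooling) parses the commands, classifies each port by the role of its default VLAN, and derives which port pairs may exchange Layer 2 traffic under the rules in Basic Concepts. The names `PVIDS`, `CONFIG`, `expand`, `parse` and `audit` are hypothetical, the saved-configuration layout is an assumption, and the parser also accepts the `to` range form from the command syntax.

```python
from itertools import combinations

# Constructed input: the procedure's commands laid out as a saved configuration
# (the layout and the generated text are assumptions made for this example).
PVIDS = {"1/0/1": 2, "1/0/2": 3, "1/0/3": 3, "1/0/4": 4, "1/0/5": 4}
CONFIG = "vlan 2\n mux-vlan\n subordinate group 3\n subordinate separate 4\n" + "".join(
    f"interface GigabitEthernet{p}\n port link-type access\n port default vlan {v}\n"
    f" port mux-vlan enable vlan {v}\n" for p, v in PVIDS.items())

def expand(tokens):
    """Expand 'vlan-id1 [ to vlan-id2 ]' into a list of VLAN IDs."""
    if len(tokens) == 3 and tokens[1] == "to":
        return list(range(int(tokens[0]), int(tokens[2]) + 1))
    return [int(t) for t in tokens]

def parse(config):
    """Return roles {vlan: (role, principal)} and ports {name: {"pvid", "mux"}}."""
    roles, ports, kind, key = {}, {}, None, None
    for line in config.splitlines():
        w = line.split()
        if not w:
            continue
        if not line[0].isspace():                      # stanza header line
            kind, key = w[0], w[-1]
            if kind == "interface":
                ports[key] = {"pvid": None, "mux": False}
        elif kind == "vlan" and w == ["mux-vlan"]:
            roles[int(key)] = ("principal", int(key))
        elif kind == "vlan" and w[0] == "subordinate":
            roles.update({v: (w[1], int(key)) for v in expand(w[2:])})
        elif kind == "interface" and w[:3] == ["port", "default", "vlan"]:
            ports[key]["pvid"] = int(w[3])
        elif kind == "interface" and w[:3] == ["port", "mux-vlan", "enable"]:
            ports[key]["mux"] = True
    return roles, ports

def audit(config):
    """Return (allowed port pairs, ports in a MUX VLAN that lack step 4)."""
    roles, ports = parse(config)
    missing = sorted(p for p, c in ports.items() if c["pvid"] in roles and not c["mux"])
    live = sorted(p for p, c in ports.items() if c["pvid"] in roles and c["mux"])
    allowed = set()
    for a, b in combinations(live, 2):
        (ra, pa), (rb, pb) = roles[ports[a]["pvid"]], roles[ports[b]["pvid"]]
        same_group = ra == rb == "group" and ports[a]["pvid"] == ports[b]["pvid"]
        if pa == pb and ("principal" in (ra, rb) or same_group):
            allowed.add((a, b))
    return allowed, missing
```

For the configuration above, `audit(CONFIG)` allows the server port GigabitEthernet1/0/1 to reach every other port and lets the two Group ports reach each other, while the two Separate ports stay isolated; a port listed in `missing` has a MUX VLAN as its default VLAN but no `port mux-vlan enable`, so the isolation rules cannot be assumed for it.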
