Explore VLAN aggregation: How to optimize your network performance

VLAN technology is widely used in campus networks, usually to isolate broadcast domains: each VLAN is one broadcast domain. When planning a network, a gateway has to be assigned to each broadcast domain, so a large number of VLANs makes IP address planning harder and can waste many IP addresses. This series introduces several advanced VLAN technologies, including VLAN aggregation, MUX VLAN, and QinQ, to deepen the understanding and application of these technologies.

Background

On a typical Layer 3 switch, one VLAN corresponds to one VLANIF interface to achieve communication between broadcast domains, which wastes IP addresses in some cases. In the subnet corresponding to a VLAN, the subnet number, the subnet broadcast address, and the subnet gateway address cannot be used as host addresses. In addition, the actual number of hosts connected to the subnet may be less than the number of available addresses, and the idle addresses are wasted as well, because they cannot be used by any other VLAN.

For example, in the VLAN planning shown in the figure above, VLAN2 is expected to need 10 host addresses in the future. With conventional addressing it must be assigned at least one subnet with a 28-bit mask, 10.1.1.0/28, where 10.1.1.0 is the subnet number, 10.1.1.15 is the subnet directed broadcast address, and 10.1.1.1 is the subnet default gateway address. None of these three addresses can be used as a host address. The remaining addresses, 10.1.1.2 to 10.1.1.14, can be used by hosts, a total of 13.

To solve this problem, VLAN aggregation was introduced. It defines the concepts of Super-VLAN and Sub-VLAN: each Sub-VLAN is a broadcast domain, and multiple Sub-VLANs are associated with one Super-VLAN. Only the Super-VLAN is assigned an IP subnet, and all of its Sub-VLANs use that subnet and the Super-VLAN's default gateway for Layer 3 communication.
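The address accounting in the paragraphs above can be generalised to any set of per-VLAN host demands. The following Python script is an added example (not part of the original article): it derives the smallest prefix that fits a given number of hosts plus the three reserved addresses, carves one subnet per VLAN the classic way, and compares the total consumption with a single Super-VLAN subnet shared by all Sub-VLANs. The demand set `DEMO_DEMANDS` is constructed for the example; VLAN 2 needing 10 hosts, with 10.1.1.0/28, gateway 10.1.1.1 and broadcast 10.1.1.15, matches the article's figures.

```python
import ipaddress

# Every IPv4 subnet gives up three addresses that no host can use:
# the subnet number, the directed broadcast address and the default gateway.
RESERVED_PER_SUBNET = 3


def min_prefix_for_hosts(hosts):
    """Smallest prefix length whose block fits `hosts` host addresses plus the three reserved ones."""
    needed = hosts + RESERVED_PER_SUBNET
    host_bits = (needed - 1).bit_length()      # ceil(log2(needed)) without floating point
    return 32 - host_bits


def usable_hosts(prefix):
    """Host addresses left in a block after the three reserved addresses."""
    return 2 ** (32 - prefix) - RESERVED_PER_SUBNET


def per_vlan_plan(demands):
    """Classic design: one subnet per VLAN. Rows are (vlan, prefix, block_size, usable, idle)."""
    rows = []
    for vlan, hosts in sorted(demands.items()):
        prefix = min_prefix_for_hosts(hosts)
        usable = usable_hosts(prefix)
        rows.append((vlan, prefix, 2 ** (32 - prefix), usable, usable - hosts))
    return rows


def super_vlan_plan(demands):
    """VLAN aggregation: one subnet shared by all Sub-VLANs, so spare addresses are pooled."""
    total = sum(demands.values())
    prefix = min_prefix_for_hosts(total)
    usable = usable_hosts(prefix)
    return (prefix, 2 ** (32 - prefix), usable, usable - total)


def compare(demands):
    """Address consumption of the two designs for the same per-VLAN host demands."""
    per = per_vlan_plan(demands)
    agg = super_vlan_plan(demands)
    return {
        "per_vlan_addresses": sum(r[2] for r in per),
        "per_vlan_reserved": RESERVED_PER_SUBNET * len(per),
        "per_vlan_idle": sum(r[4] for r in per),
        "super_vlan_addresses": agg[1],
        "super_vlan_reserved": RESERVED_PER_SUBNET,
        "super_vlan_idle": agg[3],
    }


def allocate(base, demands):
    """Carve one subnet per VLAN out of `base`, largest block first so every block stays aligned."""
    cursor = int(ipaddress.IPv4Address(base))
    nets = {}
    for vlan, prefix, size, _, _ in sorted(per_vlan_plan(demands), key=lambda r: -r[2]):
        # strict=True makes a misaligned cursor fail loudly instead of yielding a wrong network
        nets[vlan] = ipaddress.ip_network(f"{ipaddress.IPv4Address(cursor)}/{prefix}", strict=True)
        cursor += size
    return nets


def describe(net):
    """The three reserved addresses and the host range of a subnet, in the article's terms."""
    hosts = list(net.hosts())[1:]              # drop .1, which the article reserves for the gateway
    return {
        "network": str(net.network_address),
        "gateway": str(net.network_address + 1),
        "broadcast": str(net.broadcast_address),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "usable": len(hosts),
    }


# Constructed demand set: VLAN 2 needs 10 hosts as in the article; VLANs 3 to 6 are small departments.
DEMO_DEMANDS = {2: 10, 3: 4, 4: 4, 5: 4, 6: 4}

if __name__ == "__main__":
    for vlan, net in allocate("10.1.1.0", DEMO_DEMANDS).items():
        print(f"VLAN {vlan}: {net} {describe(net)}")
    print(compare(DEMO_DEMANDS))
```

For the constructed demands the per-VLAN design consumes 48 addresses (15 of them reserved, 7 idle), while one Super-VLAN subnet needs a /27 of 32 addresses with only 3 reserved. The saving comes from pooling: the spare addresses of every small department become available to the others.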

What is VLAN aggregation?

VLAN aggregation (also called Super VLAN) means using multiple VLANs (called Sub-VLANs) to isolate broadcast domains in a physical network, and aggregating these Sub-VLANs into a logical VLAN (called Super-VLAN). These Sub-VLANs use the same IP subnet and default gateway, thereby saving IP address resources.

How it works

Compared with a common VLAN, which has a Layer 3 logical interface and several physical interfaces, the Super-VLAN and Sub-VLAN defined by VLAN aggregation are special:

  • Sub-VLAN: contains only physical interfaces and cannot have a Layer 3 VLANIF interface. It is used to isolate broadcast domains. Layer 3 communication between the hosts in a Sub-VLAN and the outside world goes through the VLANIF interface of the Super-VLAN.
  • Super-VLAN: has only a Layer 3 VLANIF interface, contains no physical interface, and corresponds to the subnet gateway. Unlike a common VLAN, the Up state of its VLANIF interface does not depend on physical interfaces of its own; the VLANIF is Up as long as at least one physical interface in any of its Sub-VLANs is Up.

VLAN aggregation implementation diagram

According to the implementation method of VLAN aggregation, VLAN10 is set as Super-VLAN, subnet 10.1.1.0/24 is allocated, and VLAN2 to VLAN4 are used as Sub-VLANs of Super-VLAN10.

1. Internal communication within the same Sub-VLAN

Hosts in the same Sub-VLAN belong to the same broadcast domain, so they can communicate directly at Layer 2.

2. Communication between different Sub-VLANs

When hosts in different Sub-VLANs communicate with each other, their IP addresses belong to the same network segment, so the host sends an ARP request. However, different Sub-VLANs are different broadcast domains, so the ARP request cannot reach the other Sub-VLAN, it is never answered, the host cannot learn the MAC address of the other end, and communication between the Sub-VLANs fails. To achieve communication between Sub-VLANs, you need to enable the ARP proxy function on the VLANIF interface of the Super-VLAN.

After ARP proxy is enabled on Super-VLAN VLANIF100, the communication process between PC1 and PC2 is as follows:

  • PC1 finds that PC2 is in the same network segment as itself and that its ARP table has no entry for PC2. It therefore directly sends an ARP broadcast request for PC2's MAC address.
  • The gateway, VLANIF 100 of the Super-VLAN, receives the ARP request from PC1. Since the ARP proxy function between Sub-VLANs is enabled on the gateway, it sends an ARP broadcast to all Sub-VLANs of Super-VLAN 100 to request the MAC address of PC2.
  • After receiving the ARP broadcast sent by the gateway, PC2 sends an ARP reply to it.
  • After receiving the reply from PC2, the gateway answers PC1 with its own MAC address. All subsequent packets that PC1 sends to PC2 therefore go to the gateway first, which forwards them at Layer 3.
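The exchange in the list above, modelled as an added example that is not part of the original article. The `SuperVlanSwitch` class is a toy model: each Sub-VLAN is its own broadcast domain, the Super-VLAN has no ports of its own, and the gateway VLANIF either stays silent or proxies ARP depending on a flag. The topology in `build_demo` (Super-VLAN 4 with Sub-VLANs 2 and 3, gateway MAC and host MACs from the 00:00:5E:00:53:xx documentation range, host IP addresses) is constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    sub_vlan: int
    ip: str
    mac: str


@dataclass
class SuperVlanSwitch:
    """Toy model of one switch: a Super-VLAN with a VLANIF gateway and several Sub-VLANs.
    Each Sub-VLAN is its own broadcast domain; the Super-VLAN has no physical ports."""
    super_vlan: int
    gateway_mac: str
    sub_vlans: frozenset
    proxy_arp: bool = False
    hosts: dict = field(default_factory=dict)
    trace: list = field(default_factory=list)   # human-readable record of the ARP exchange

    def add_host(self, host):
        if host.sub_vlan not in self.sub_vlans:
            raise ValueError(f"VLAN {host.sub_vlan} is not a Sub-VLAN of Super-VLAN {self.super_vlan}")
        self.hosts[host.name] = host

    def vlanif_is_up(self):
        """The Super-VLAN VLANIF is Up as soon as any Sub-VLAN has an Up port (here: an attached host)."""
        return bool(self.hosts)

    def _owner_in(self, sub_vlan, ip):
        return next((h for h in self.hosts.values() if h.sub_vlan == sub_vlan and h.ip == ip), None)

    def arp_resolve(self, requester, target_ip):
        """MAC address the requester learns for target_ip, or None if nobody answers."""
        req = self.hosts[requester]
        self.trace.append(f"{req.name}: ARP who-has {target_ip}, broadcast in Sub-VLAN {req.sub_vlan}")
        # 1. The broadcast stays inside the requester's Sub-VLAN; a host there answers directly.
        owner = self._owner_in(req.sub_vlan, target_ip)
        if owner is not None:
            self.trace.append(f"{owner.name}: ARP reply {target_ip} is-at {owner.mac} (Layer 2, same Sub-VLAN)")
            return owner.mac
        # 2. The gateway VLANIF also receives the broadcast. Without inter-Sub-VLAN proxy ARP it
        #    stays silent, so the requester never learns a MAC although the target shares its subnet.
        if not self.vlanif_is_up() or not self.proxy_arp:
            self.trace.append("gateway: proxy ARP between Sub-VLANs disabled, no reply")
            return None
        # 3. With proxy ARP enabled, the gateway re-broadcasts the request into every Sub-VLAN ...
        for vid in sorted(self.sub_vlans):
            self.trace.append(f"gateway: ARP who-has {target_ip}, broadcast in Sub-VLAN {vid}")
            owner = self._owner_in(vid, target_ip)
            if owner is not None:
                # ... the owner answers the gateway, and the gateway answers the requester with ITS OWN
                # MAC, so all later traffic between the two Sub-VLANs is forwarded at Layer 3 by the VLANIF.
                self.trace.append(f"{owner.name}: ARP reply to gateway, is-at {owner.mac}")
                self.trace.append(f"gateway: ARP reply to {req.name}, {target_ip} is-at {self.gateway_mac}")
                return self.gateway_mac
        self.trace.append("gateway: no Sub-VLAN host owns the address, no reply")
        return None

    def forwarding_path(self, src, dst):
        """How a frame from src to dst is carried, based on what ARP resolved."""
        mac = self.arp_resolve(src, self.hosts[dst].ip)
        if mac is None:
            return "unreachable"
        return "Layer 3 via gateway VLANIF" if mac == self.gateway_mac else "Layer 2 direct"


def build_demo(proxy_arp):
    """Constructed topology: Super-VLAN 4 with Sub-VLANs 2 and 3; PC1 and PC3 share Sub-VLAN 2, PC2 is in 3."""
    sw = SuperVlanSwitch(super_vlan=4, gateway_mac="00:00:5e:00:53:01",
                         sub_vlans=frozenset({2, 3}), proxy_arp=proxy_arp)
    sw.add_host(Host("PC1", 2, "10.1.1.10", "00:00:5e:00:53:10"))
    sw.add_host(Host("PC3", 2, "10.1.1.11", "00:00:5e:00:53:11"))
    sw.add_host(Host("PC2", 3, "10.1.1.20", "00:00:5e:00:53:20"))
    return sw


if __name__ == "__main__":
    for flag in (False, True):
        sw = build_demo(proxy_arp=flag)
        print(f"proxy ARP {'on' if flag else 'off'}: PC1 -> PC2 is {sw.forwarding_path('PC1', 'PC2')}")
        print("\n".join("  " + line for line in sw.trace))
```

Running it shows the two outcomes side by side: with proxy ARP off, PC1's request for PC2 is unanswered and the path is reported as unreachable; with it on, PC1 learns the gateway's MAC and every PC1 to PC2 frame is forwarded at Layer 3 by the VLANIF. Since every cross-Sub-VLAN flow is pulled through that one interface, it is also the natural place to apply inter-department filtering.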

3. Layer 2 communication between a Sub-VLAN and other devices

When a Sub-VLAN communicates with other devices at Layer 2, it is no different from Layer 2 communication within a common VLAN.

Since no physical interface belongs to the Super-VLAN, packets carrying the Super-VLAN tag are not processed.

Example of Sub-VLAN Layer 2 communication process:

  • Frames entering SW1 from PC1 are tagged with VLAN 10. Inside SW1, this tag is not changed to VLAN 100 just because VLAN 10 is a Sub-VLAN of VLAN 100.
  • When a frame leaves SW1 through GE0/0/0, it still carries the VLAN 10 tag. In other words, SW1 itself never sends VLAN 100 frames. Even if other devices send VLAN 100 frames to SW1, they are discarded because no physical interface on SW1 belongs to VLAN 100.
  • For the other devices, the only valid VLANs are Sub-VLANs 10, 20, and 30, and all frames are exchanged in these VLANs. Therefore, although VLAN aggregation is configured on SW1, Layer 2 communication with other devices does not involve the Super-VLAN at all and is the same as the normal Layer 2 communication process.

When a PC in a Sub-VLAN needs to communicate with other networks at Layer 3, the data is first sent to the default gateway, that is, the VLANIF corresponding to the Super-VLAN, and then routed.

VLAN Aggregation Application Scenarios

As shown in the figure below, a company has multiple departments. To improve business security, different departments are divided into different VLANs. Each department needs to access the Internet, and due to business needs, departments 1 and 2 need to communicate with each other, and departments 3 and 4 need to communicate with each other, but the company's IP addresses are limited.

The company's needs can be met by deploying VLAN aggregation. Super VLAN 2 and Super VLAN 3 are created on the Switch; Sub VLAN 21 and Sub VLAN 22 are aggregated into Super VLAN 2, and Sub VLAN 31 and Sub VLAN 32 into Super VLAN 3. In this way, IP addresses only need to be allocated to Super VLAN 2 and Super VLAN 3 on the Switch. Users of Department 1 and Department 2 access the Internet through the IP address of Super VLAN 2, and users of Department 3 and Department 4 through the IP address of Super VLAN 3. This meets each department's need to access the Internet while saving IP address resources. At the same time, by configuring Proxy ARP on Super VLAN 2 and Super VLAN 3 of the Switch, communication between Department 1 and Department 2, and between Department 3 and Department 4, is realized.

VLAN aggregation key configuration commands

(1) Create a super-VLAN:

 [Huawei-vlan100] aggregate-vlan
  • A super-VLAN cannot contain any physical interface, and VLAN1 cannot be configured as a super-VLAN.
  • The VLAN ID in the Super-VLAN and the VLAN ID in the Sub-VLAN must be different.

(2) Adding a sub-VLAN to a super-VLAN

 [Huawei-vlan100] access-vlan { vlan-id1 [ to vlan-id2 ] }

When adding a Sub-VLAN to a Super-VLAN, ensure that no corresponding VLANIF interface is created for the Sub-VLAN.

(3) (Optional) Enable Proxy ARP on the VLANIF interface corresponding to the super-VLAN

 [Huawei-vlanif100] arp-proxy inter-sub-vlan-proxy enable

Enable the proxy ARP function between sub-VLANs.

Configuration Examples

Configuring VLAN aggregation network diagram

A company has multiple departments in the same network segment. To improve business security, users in different departments are divided into different VLANs. As shown in the figure above, VLAN2 and VLAN3 belong to different departments. Each department needs to access the Internet, and users in different departments need to communicate with each other due to business needs.

1. Configuration approach

You can deploy VLAN aggregation on SwitchB and aggregate VLANs of different departments into Super VLAN. In this way, users of different departments can access the Internet through Super VLAN. At the same time, to enable users between departments to communicate, deploy the Proxy ARP function on Super VLAN. The configuration roadmap is as follows:

  • Configure VLANs and interfaces on SwitchA and SwitchB, divide users from different departments into different VLANs, and transparently transmit traffic from each VLAN to SwitchB.
  • Configure the Super-VLAN and its corresponding VLANIF interface and upstream routes on SwitchB so that users in different departments can access the Internet.
  • Enable the Proxy ARP function of the Super-VLAN on SwitchB to enable Layer 3 communication between users in different departments.

2. Operation steps

(1) Basic configuration: I will not go into the details here; the key configuration is given below.

(2) Configure Super-VLAN 4 on SwitchB and add VLAN 2 and VLAN 3 to Super-VLAN 4 as its sub-VLANs.

 [SwitchB] vlan 4
 [SwitchB-vlan4] aggregate-vlan
 [SwitchB-vlan4] access-vlan 2 to 3
 [SwitchB-vlan4] quit

(3) Create and configure VLANIF4 so that users from different departments can access the Internet through Super-VLAN 4.

 [SwitchB] interface vlanif 4
 [SwitchB-Vlanif4] ip address 10.1.1.1 255.255.255.0
 [SwitchB-Vlanif4] quit

(4) Configure a default static route to the egress gateway Router on SwitchB so that users can access the Internet.

 [SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.10.1.2

(5) Configure Proxy ARP in Super-VLAN 4 of SwitchB to enable Layer 3 communication between users in different departments.

 [SwitchB] interface vlanif 4
 [SwitchB-Vlanif4] arp-proxy inter-sub-vlan-proxy enable
 [SwitchB-Vlanif4] quit
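The key configuration commands section lists three constraints (VLAN 1 cannot be a super-VLAN, a super-VLAN must not contain a physical interface, and sub-VLAN IDs must differ from the super-VLAN ID and must not have a VLANIF), and the SwitchB example above is a configuration that satisfies them. The following Python checker is an added example, not Huawei's or the article's code: it parses a VRP-style excerpt (either `display current-configuration` style or the prompt-style lines used in this article) with a deliberately simplified line parser and reports every constraint the excerpt violates. Only the commands shown on this page plus `port default vlan` and `port trunk allow-pass vlan` are understood; `GOOD_CONFIG` is the article's SwitchB configuration and `BAD_CONFIG` is a constructed excerpt that breaks every rule.

```python
import re

PROMPT = re.compile(r"^\[[^\]]*\]\s*")   # strips "[SwitchB-vlan4] " style prompts


def expand_vlan_list(tokens):
    """'2 to 3 7' -> {2, 3, 7}; non-numeric words such as 'all' are ignored."""
    ids, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to" and tokens[i].isdigit() and tokens[i + 2].isdigit():
            ids.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            if tokens[i].isdigit():
                ids.add(int(tokens[i]))
            i += 1
    return ids


def parse_config(text):
    """Collect super-VLANs, their sub-VLANs, VLANIF interfaces and the VLANs bound to physical ports."""
    supers, subs, vlanifs, port_vlans = set(), {}, set(), {}
    ctx = None                                   # ("vlan", id) | ("vlanif", id) | ("port", name)
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip())
        if not line:
            continue
        tok = line.split()
        if tok[0] == "vlan" and len(tok) == 2 and tok[1].isdigit():
            ctx = ("vlan", int(tok[1]))
        elif tok[0] == "interface" and len(tok) >= 2:
            name = "".join(tok[1:]).lower()      # "vlanif 4" and "Vlanif4" both become "vlanif4"
            if name.startswith("vlanif") and name[6:].isdigit():
                vlanifs.add(int(name[6:]))
                ctx = ("vlanif", int(name[6:]))
            else:
                port_vlans.setdefault(name, set())
                ctx = ("port", name)
        elif tok[0] == "quit":
            ctx = None
        elif ctx and ctx[0] == "vlan":
            if tok[0] == "aggregate-vlan":
                supers.add(ctx[1])
                subs.setdefault(ctx[1], set())
            elif tok[0] == "access-vlan":
                subs.setdefault(ctx[1], set()).update(expand_vlan_list(tok[1:]))
        elif ctx and ctx[0] == "port":
            if tok[:3] == ["port", "default", "vlan"]:
                port_vlans[ctx[1]].update(expand_vlan_list(tok[3:]))
            elif tok[:4] == ["port", "trunk", "allow-pass", "vlan"]:
                port_vlans[ctx[1]].update(expand_vlan_list(tok[4:]))
    return supers, subs, vlanifs, port_vlans


def check_vlan_aggregation(text):
    """Return one finding per violated constraint; an empty list means the excerpt passes."""
    supers, subs, vlanifs, port_vlans = parse_config(text)
    findings = []
    for sv in sorted(supers):
        if sv == 1:
            findings.append("VLAN 1 cannot be configured as a super-VLAN")
        for port, vids in sorted(port_vlans.items()):
            if sv in vids:
                findings.append(f"super-VLAN {sv} must not contain physical interface {port}")
        for sub in sorted(subs.get(sv, ())):
            if sub == sv:
                findings.append(f"sub-VLAN ID {sub} must differ from super-VLAN ID {sv}")
            if sub in vlanifs:
                findings.append(f"sub-VLAN {sub} of super-VLAN {sv} must not have VLANIF {sub}")
    return findings


# The article's SwitchB configuration, written here as prompt-style lines.
GOOD_CONFIG = """\
[SwitchB] vlan 4
[SwitchB-vlan4] aggregate-vlan
[SwitchB-vlan4] access-vlan 2 to 3
[SwitchB-vlan4] quit
[SwitchB] interface vlanif 4
[SwitchB-Vlanif4] ip address 10.1.1.1 255.255.255.0
[SwitchB-Vlanif4] arp-proxy inter-sub-vlan-proxy enable
[SwitchB-Vlanif4] quit
"""

# Constructed excerpt that breaks every rule the article lists.
BAD_CONFIG = """\
vlan 1
 aggregate-vlan
 access-vlan 1 2
 quit
interface vlanif 2
 ip address 10.1.1.1 255.255.255.0
 quit
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 1
 quit
"""

if __name__ == "__main__":
    print(check_vlan_aggregation(GOOD_CONFIG) or "GOOD_CONFIG: no findings")
    for finding in check_vlan_aggregation(BAD_CONFIG):
        print("BAD_CONFIG:", finding)
```

The device itself rejects most of these mistakes at configuration time, so the value of such a check lies in reviewing configuration exports offline, for example before a change window or when auditing whether a sub-VLAN has quietly acquired a VLANIF that bypasses the Super-VLAN gateway.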
