Understanding 802.1q VLANs
Follow these simple rules to better understand and work with 802.1q virtual LANs, or VLANs.
VLANs (short for virtual LANs) are used to divide networks into smaller, more manageable chunks. This helps to reduce the size of the broadcast domain and helps with security through isolation. Essentially, there are two types of VLAN specifications for Ethernet:
- Port-based VLAN. A defined VLAN based on the port number of the switch. This is easy to configure but often limited to one single switch.
- 802.1q Tag VLAN. In 802.1q, the VLAN information is written into the Ethernet frame itself. Each frame carries a VLAN ID, called a tag. This allows VLANs to be configured across multiple switches. Note that VLAN tags can be stripped by hardware and/or software along the path.
When using 802.1q, four bytes are added to the Ethernet frame header, of which 12 bits are used for the VLAN ID. Theoretically, there can be up to 4096 VLANs per network.
An Ethernet frame that contains a VLAN ID is called a tagged frame. Conversely, an Ethernet frame with no VLAN ID is called an untagged frame. Typically, hosts send all frames untagged unless the adapter tags them before they arrive at the switch port.
Egress and Ingress Rules
Egress rules determine which frames can be transmitted out of a port, based on the Egress List of the VLAN associated with it. Each VLAN has an Egress List that specifies the ports out of which frames can be forwarded, and specifies whether the frames will be transmitted as tagged or untagged frames.
Ingress rules are a means of filtering out undesired traffic on a port. When Ingress Filtering is enabled, a port determines if a frame can be processed based on whether the port is on the Egress List of the VLAN associated with the frame.
When an untagged frame arrives at a switch port, the switch writes a VLAN ID into the header of the frame according to the port's PVID (port VLAN ID) definition. Typically, most switches today have all ports set to a default PVID of 1. See Figure 1. When a tagged frame arrives at a switch port, the tag is respected. See Figure 2.
A VID defines membership of a port group. A frame can only be forwarded out of a member port when that port belongs to the port group for the frame's VID. The network shown in Figure 3 consists of three switches connecting two VLAN groups, 100 and 200. Different VID groups aren't visible to one another. See Figure 4.
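The frame layout and the PVID, ingress and egress rules described above, modelled as an added example (not code from the original article). It parses the four inserted bytes (TPID 0x8100 plus the 16-bit TCI holding the 12-bit VID), assigns the PVID to untagged frames, respects the tag on tagged frames, and forwards only to ports on the VLAN's egress list, tagging or untagging per port; the port names, PVIDs and egress lists in the sample are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100  # TPID value that marks an 802.1q tagged frame


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into header fields; vid is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return {"dst": dst, "src": src, "vid": None, "pcp": None,
                "ethertype": ethertype, "payload": frame[14:]}
    # The four inserted bytes are TPID + TCI; TCI = 3-bit PCP, 1-bit DEI, 12-bit VID
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src, "vid": tci & 0x0FFF, "pcp": tci >> 13,
            "ethertype": inner_type, "payload": frame[18:]}


def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert an 802.1q tag after the source MAC of an untagged frame."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the four tag bytes, giving the untagged form of the frame."""
    return frame[:12] + frame[16:]


def forward(frame: bytes, in_port: str, pvid: dict, egress: dict,
            ingress_filtering: bool = True) -> list:
    """Model one switch. egress[vid] maps port -> True (send tagged) / False (send untagged).
    Returns (port, frame) pairs to transmit, or [] if the frame is dropped."""
    hdr = parse_frame(frame)
    untagged = hdr["vid"] is None
    vid = pvid[in_port] if untagged else hdr["vid"]  # untagged: PVID applied; tagged: respected
    members = egress.get(vid, {})
    if ingress_filtering and in_port not in members:
        return []  # ingress rule: arrival port is not on this VLAN's egress list
    bare = frame if untagged else strip_tag(frame)
    tagged = add_tag(bare, vid) if untagged else frame  # keep the original tag (and PCP) if present
    out = []
    for port, send_tagged in members.items():
        if port == in_port:
            continue  # a frame is never sent back out the port it arrived on
        out.append((port, tagged if send_tagged else bare))
    return out
```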
How This Applies to System p, AIX and HACMP
VIDs can be assigned to any physical Ethernet adapter on the AIX OS. The process is very simple. Go to smitty vlan, select the physical adapter and assign the VID. When packets leave the adapter, they’re tagged accordingly. Multiple VIDs can be assigned to the same adapter. This is very useful when applying QoS rules to mark, shape and police traffic.
In virtual environments, when a virtual adapter is created, it's assigned a PVID. This PVID is stripped by the Hypervisor on exit. Additionally, as with physical adapters, multiple VIDs can also be assigned. This is a two-step process. First, assign the VID(s) on the HMC. Next, assign the same VID(s) in AIX. Note that for each VID assigned, AIX will create another Ethernet adapter.
The rules for HACMP are simple. Keep all adapters that are on the same network in the same VLAN. Personally, I wouldn't assign VIDs from AIX in HACMP clusters. It's just unnecessary complexity. If cluster nodes are virtual and contained within the same frame, ensure the PVID for each of the adapters defined in the topology configuration is the same. If they're split across frames, the PVIDs can differ, but as a best practice, make them the same.
There are no egress/ingress rules in the System p platform or the AIX OS.
Alex Abderrazag has worked for IBM since 1994 and has been part of IBM Training for the past six years specializing in POWER technology, TCP/IP, security and high availability. Alex has more than 17 years experience working with UNIX systems and has been actively responsible for managing, teaching and developing the AIX/Linux education curriculum.