VLAN support
The Cisco Nexus 3550-F Fusion (formerly ExaLINK Fusion) supports traffic separation using VLAN tags, and adding, removing or rewriting VLAN tags of packets passing through the device.
Concepts
The concept of switch objects on the Nexus 3550-F already allows network segmentation without using VLANs.
The VLAN feature on the Nexus 3550-F allows VLAN tagging ports to be added to switch or mux objects. A VLAN tagging port can be shared between more than one switch or mux object, so that the port can be used as a trunking port.
VLAN tag rewriting can be achieved by adding VLAN tagging ports with different VLAN IDs to the same object.
The Nexus 3550-F supports up to 256 different VLANs, and the VLAN ID can be up to 4093.
Enabling VLAN support
VLAN support is enabled or disabled per switch and mux object. To enable VLAN support on an object, use the following command:
admin@N3550-F(config-switch:my_switch)> vlan-enable
Enabled VLAN support on switch "my_switch"
When VLAN support is enabled on an object, ports already in the object will become untagged ports, and will only accept untagged packets.
VLAN support can be disabled on an object using the no form of the command:
admin@N3550-F(config-switch:my_switch)> no vlan-enable
Disabled VLAN support on switch "my_switch"
Adding ports to a VLAN enabled object
The following port command can be used to add an untagged port to a VLAN enabled object:
admin@N3550-F(config-switch:my_switch)> port A1
Added port "A1" to switch "my_switch"
This variant of the port command can be used to add a VLAN tagged port to a VLAN enabled object:
admin@N3550-F(config-switch:my_switch)> port A2 vlan 10
Added port "A2" with VLAN ID 10 to switch "my_switch"
Note: A port can only be added to an object once. This means that the same port cannot be both tagged and untagged in an object, or be added with two different VLAN IDs.
The show command can be used to see the ports added to the object, and the VLAN IDs used for each port:
admin@N3550-F(config-switch:my_switch)> show
Switch name : my_switch
VLAN tagging : enabled
IGMP snooping : disabled
Port  VLAN ID
----  --------
A1    untagged
A2    10
Mux VLAN modes
The mux object supports two distinct VLAN modes, described below. The raw mode cannot be used on a mux object that has VLAN tagging enabled.
fast-vlan: A packet that arrives at a downstream port in the mux will be forwarded to the upstream port of that mux, irrespective of whether the packet is tagged or untagged, and of its VLAN ID. When this packet is transmitted out of the associated upstream port, it will have the tag associated with that upstream port (or will be untagged, if the upstream port is untagged). Since a lookup is not required, this mode only incurs the added latency of inserting, removing, or modifying a tag. The latency from downstream to upstream port in this mode is approximately 107 ns.
layer2: The VLAN tag of a packet that arrives at a downstream port in the mux will be inspected. The upstream port to forward the packet to depends on the VLAN tag (or lack thereof) in the packet. The packet is transmitted out of the associated upstream port with the tag associated with the upstream port. This mode can be used to select between multiple upstream ports, or translate VLAN IDs between the downstream and upstream ports. The latency from downstream to upstream port in this mode is approximately 125 ns.
Sharing physical ports between objects
Ports can be shared between multiple objects provided that the VLAN ID of that port is different for each object. Switch ports and mux upstream ports have no further restrictions on use.
Physical mux downstream ports can be shared between multiple mux objects, provided that the mux is configured in layer2 mode. Downstream ports that are members of a mux configured in fast-vlan mode can only be used in one object.
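The port rules above can be checked offline against a saved configuration before it is applied. The following Python sketch is an added example, not Cisco code: it parses stanzas in the layout of this page's example configurations and reports ports that break the rules. The function names and the sample configuration are constructed, and two assumptions are made: two untagged uses of one port count as a VLAN conflict, and a mux with no mode line is treated as not layer2.

```python
from collections import defaultdict
# Constructed sample (not from the page): A1 is shared by two fast-vlan muxes.
BAD_CONFIG = """
mux m1
  vlan-enable
  mode fast-vlan
  port up A10 vlan 10
  port A1
mux m2
  vlan-enable
  mode fast-vlan
  port up A10 vlan 10
  port A1 vlan 5
"""

def parse_objects(text):
    """Parse 'mux NAME' / 'switch NAME' stanzas and their mode and port lines."""
    objects = []
    for words in (line.split() for line in text.splitlines()):
        if len(words) == 2 and words[0] in ("mux", "switch"):
            objects.append({"kind": words[0], "name": words[1], "mode": None, "ports": []})
        elif words and objects and words[0] == "mode":
            objects[-1]["mode"] = words[1]
        elif words and objects and words[0] == "port":
            up = words[1] == "up"
            rest = words[2:] if up else words[1:]
            vlan = int(rest[2]) if rest[1:2] == ["vlan"] else None  # None = untagged
            objects[-1]["ports"].append((rest[0], vlan, up))
    return objects

def audit(objects):
    """Return a list of findings for the port rules described on this page."""
    findings, uses = [], defaultdict(list)
    for obj in objects:
        seen = set()
        for port, vlan, up in obj["ports"]:
            if port in seen:  # a port can only be added to an object once
                findings.append(f"{obj['name']}: port {port} added more than once")
                continue
            seen.add(port)
            uses[port].append((obj, vlan, obj["kind"] == "mux" and not up))
    for port, entries in uses.items():
        vlans = [vlan for _, vlan, _ in entries]
        if len(set(vlans)) != len(vlans):  # assumption: two untagged uses also conflict
            findings.append(f"port {port}: VLAN ID not unique across objects")
        for obj, _, downstream in entries:  # assumption: no mode line means not layer2
            if len(entries) > 1 and downstream and obj["mode"] != "layer2":
                findings.append(f"port {port}: shared downstream port in {obj['name']} needs mode layer2")
    return findings
```

Calling audit(parse_objects(BAD_CONFIG)) returns three findings; the example configurations later on this page produce none.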
Example configurations
Fast trunking of a common WAN connection
In this example, three clients share a common WAN connection, with traffic forcibly separated using VLAN tags. Segregation is done in fast-vlan mode, which means that when forwarding a packet from downstream to upstream ports, the VLAN tag of the frame is not inspected. This means that, for example, if a client in mux m1 (VLAN 10) sends an untagged packet into a downstream port, it will leave the upstream port tagged with VLAN ID 10. Also, if a client in mux m1 sends a tagged packet into a downstream port, that tag will be translated to VLAN ID 10 prior to leaving the upstream port.
When a packet arrives at the upstream ports in this configuration, forwarding is conducted based upon VLAN ID. For example:
- When a packet arrives at port A10 with tag 10, it will only be forwarded to downstream ports in mux m1. When this packet leaves these downstream ports it will be untagged.
- When a packet arrives at port A10 with no tag it will be dropped. This is because no mux objects include port A10 as an untagged upstream port.
Nexus 3550-F 1 configuration:
mux m1
  vlan-enable
  mode fast-vlan
  port up A10 vlan 10
  port A1
  port A11
mux m2
  vlan-enable
  mode fast-vlan
  port up A10 vlan 20
  port B1
  port B13
mux m3
  vlan-enable
  mode fast-vlan
  port up A10 vlan 30
  port C1
  port C15
Nexus 3550-F 2 has the same configuration, with the downstream ports replaced appropriately.
In this configuration the latencies at 10GbE are as follows:
- Downstream to upstream: 107 ns
- Upstream to downstream: 125 ns
Sharing of upstream ports with tag translation
In this example, two upstream WAN ports are shared between multiple clients, with translation of tags between downstream and upstream ports. Clients can choose to send packets over the wireless or wired WAN link based upon VLAN ID. Under this configuration:
- We define two groups of clients at each end, group 1 and group 2.
- We segregate these clients so that whichever WAN link they use, we prevent group 1 from communicating with group 2.
- When a client transmits an untagged packet, it will be transmitted with a VLAN tag over the wireless link. The VLAN ID is the group number of the client.
- When a client transmits a packet tagged with VLAN ID 30, it will be transmitted over the wired WAN. The VLAN ID will be translated to the group ID of the client.
- Any other VLAN IDs used by the client will cause the packets to be dropped (not forwarded).
- When the wireless WAN upstream port receives a packet, it will forward it to group 1 or group 2 clients based on the VLAN tag. These packets will be transmitted out of the downstream port with no tag.
- When the wired WAN upstream port receives a packet, it will forward it to group 1 or group 2 clients based on the VLAN tag. These packets will be transmitted out of the downstream port with tag 30.
Nexus 3550-F 1 configuration:
mux wireless_group_1
  vlan-enable
  mode layer2
  port up B4 vlan 1
  port A1
  port A3
mux wired_group_1
  vlan-enable
  mode layer2
  port up B16 vlan 1
  port A1 vlan 30
  port A3 vlan 30
mux wireless_group_2
  vlan-enable
  mode layer2
  port up B4 vlan 2
  port B1
  port C1
mux wired_group_2
  vlan-enable
  mode layer2
  port up B16 vlan 2
  port B1 vlan 30
  port C1 vlan 30
Nexus 3550-F 2 configuration:
mux wireless_group_1
  vlan-enable
  mode layer2
  port up B1 vlan 1
  port A16
mux wired_group_1
  vlan-enable
  mode layer2
  port up B13 vlan 1
  port A16 vlan 30
mux wireless_group_2
  vlan-enable
  mode layer2
  port up B1 vlan 2
  port B10
mux wired_group_2
  vlan-enable
  mode layer2
  port up B13 vlan 2
  port B10 vlan 30
In this configuration the latencies at 10GbE are as follows:
- Downstream to upstream: 125 ns
- Upstream to downstream: 125 ns
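The forwarding behaviour listed for this example can be modelled to confirm that no frame from a group 1 client reaches a group 2 client, whichever tag the client sends. This Python model is an added example, not part of the Cisco documentation: it encodes the two configurations above as data and follows a frame from a Nexus 3550-F 1 client port to Nexus 3550-F 2. The cabling between upstream ports (LINKS) and the group membership tables are assumptions.

```python
# Constructed model of the two configurations above.
# Each mux: (name, upstream port, upstream VLAN, {downstream port: VLAN or None}).
NEXUS_1 = [
    ("wireless_group_1", "B4", 1, {"A1": None, "A3": None}),
    ("wired_group_1", "B16", 1, {"A1": 30, "A3": 30}),
    ("wireless_group_2", "B4", 2, {"B1": None, "C1": None}),
    ("wired_group_2", "B16", 2, {"B1": 30, "C1": 30}),
]
NEXUS_2 = [
    ("wireless_group_1", "B1", 1, {"A16": None}),
    ("wired_group_1", "B13", 1, {"A16": 30}),
    ("wireless_group_2", "B1", 2, {"B10": None}),
    ("wired_group_2", "B13", 2, {"B10": 30}),
]
# Assumption: upstream ports are cabled wireless-to-wireless and wired-to-wired.
LINKS = {"B4": "B1", "B16": "B13"}
# Assumption: client group per downstream port on each device.
SRC_GROUP = {"A1": 1, "A3": 1, "B1": 2, "C1": 2}
DST_GROUP = {"A16": 1, "B10": 2}

def to_upstream(device, port, tag):
    """layer2 mode: pick the mux whose downstream entry matches (port, tag)."""
    for _, up_port, up_vlan, down in device:
        if port in down and down[port] == tag:
            return up_port, up_vlan  # frame leaves with the upstream port's tag
    return None  # no matching mux: the frame is dropped

def to_downstream(device, port, tag):
    """Forward by VLAN ID; frames leave with each downstream port's own tag."""
    out = []
    for _, up_port, up_vlan, down in device:
        if (up_port, up_vlan) == (port, tag):
            out += sorted(down.items())
    return out

def deliver(port, tag):
    """Follow a frame from a Nexus 1 client port to Nexus 2 client ports."""
    hop = to_upstream(NEXUS_1, port, tag)
    return to_downstream(NEXUS_2, LINKS[hop[0]], hop[1]) if hop else []

def cross_group_paths(tags=(None, 1, 2, 30, 99)):
    """List every (source port, tag, destination port) that crosses groups."""
    return [(p, t, d) for p, g in SRC_GROUP.items() for t in tags
            for d, _ in deliver(p, t) if DST_GROUP[d] != g]
```

An empty result from cross_group_paths() means the modelled configuration keeps the groups apart; editing a VLAN ID in NEXUS_1 or NEXUS_2 shows which change would break that.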
Switch trunking ports
This configuration sets up port A1 as a trunking port for two switch objects:
switch my_switch_1
  vlan-enable
  port A1 vlan 10
  port A2
  port A3
switch my_switch_2
  vlan-enable
  port A1 vlan 20
  port A4
  port A5
This page was last updated on Feb-19-2021.