VLAN Support

The Cisco Nexus 3550-F Fusion (formerly ExaLINK Fusion) supports traffic separation using VLAN tags, and adding, removing or rewriting VLAN tags of packets passing through the device.

Concepts

The concept of switch objects on the Nexus 3550-F already allows network segmentation without using VLANs.

The VLAN feature on the Nexus 3550-F allows VLAN tagging ports to be added to switch or mux objects. A VLAN tagging port can be shared between more than one switch or mux object, so that the port can be used as a trunking port.

VLAN tag rewriting can be achieved by adding VLAN tagging ports with different VLAN IDs to the same object.

The Nexus 3550-F supports up to 256 different VLANs, and the VLAN ID can be up to 4093.

Enabling VLAN Support

VLAN support is enabled or disabled per switch and mux object. To enable VLAN support on an object, use the following command:

admin@N3550-F(config-switch:my_switch)> vlan-enable
Enabled VLAN support on switch "my_switch"

When VLAN support is enabled on an object, ports already in the object will become untagged ports, and will only accept untagged packets.

VLAN support can be disabled on an object using the no form of the command:

admin@N3550-F(config-switch:my_switch)> no vlan-enable
Disabled VLAN support on switch "my_switch"

Adding Ports to a VLAN Enabled Object

The following port command can be used to add an untagged port to a VLAN enabled object:

admin@N3550-F(config-switch:my_switch)> port A1
Added port "A1" to switch "my_switch"

This variant of the port command can be used to add a VLAN tagged port to a VLAN enabled object:

admin@N3550-F(config-switch:my_switch)> port A2 vlan 10
Added port "A2" with VLAN ID 10 to switch "my_switch"

Note: A port can only be added to an object once. This means that the same port cannot be both tagged and untagged in an object, or be added with two different VLAN IDs.

The show command can be used to see the ports added to the object, and the VLAN IDs used for each port:

admin@N3550-F(config-switch:my_switch)> show
Switch name   : my_switch
VLAN tagging  : enabled
IGMP snooping : disabled

Port VLAN ID
---- --------
A1   untagged
A2   10

Mux VLAN Modes

The mux object supports two distinct VLAN modes, described below. Raw mode cannot be used on a mux object that has VLAN tagging enabled.

  • fast-vlan: A packet that arrives at a downstream port in the mux will be forwarded to the upstream port of that mux, irrespective of whether the packet is tagged or untagged and of which VLAN ID it carries. When this packet is transmitted out of the associated upstream port, it will have the tag associated with that upstream port (or will be untagged, if the upstream port is untagged). Since a lookup is not required, this mode only incurs the added latency of inserting, removing, or modifying a tag. The latency from downstream to upstream port in this mode is approximately 107 ns.
  • layer2: The VLAN tag of a packet that arrives at a downstream port in the mux will be inspected. The upstream port to forward the packet to depends on the VLAN tag (or lack thereof) in the packet. The packet is transmitted out of the associated upstream port with the tag associated with the upstream port. This mode can be used to select between multiple upstream ports, or translate VLAN IDs between the downstream and upstream ports. The latency from downstream to upstream port in this mode is approximately 125 ns.

Sharing Physical Ports Between Objects

Ports can be shared between multiple objects provided that the VLAN ID of that port is different for each object. Switch ports and mux upstream ports have no further restrictions on use.

Physical mux downstream ports can be shared between multiple mux objects, provided that the mux is configured in layer2 mode. Downstream ports that are members of a mux configured in fast-vlan mode can only be used in one object.
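
The sharing rules above, together with the once-per-object rule from the earlier note, can be checked offline before a configuration is applied to the device. The following Python linter is an added example, not Cisco code; it assumes the stanza syntax used in this page's example configurations and treats "untagged" as a single VLAN value when comparing objects.

```python
from collections import defaultdict

def parse(config):
    """Turn 'mux NAME' / 'switch NAME' stanzas into a list of object dicts."""
    objects = []
    for line in config.splitlines():
        tok = line.split() or [""]
        if tok[0] in ("mux", "switch"):
            objects.append({"kind": tok[0], "name": tok[1], "mode": None, "ports": []})
        elif tok[0] == "mode":
            objects[-1]["mode"] = tok[1]
        elif tok[0] == "port":
            rest = tok[2:] if tok[1] == "up" else tok[1:]
            vlan = int(rest[2]) if rest[1:2] == ["vlan"] else None  # None = untagged
            objects[-1]["ports"].append((rest[0], vlan, tok[1] == "up"))
    return objects

def lint(config):
    """Return violations of the port rules described on this page."""
    errors, uses = [], defaultdict(list)  # uses: port -> [(object, vlan, fast_down)]
    for obj in parse(config):
        names = [port for port, _, _ in obj["ports"]]
        for port in sorted({n for n in names if names.count(n) > 1}):
            errors.append(f"{obj['name']}: port {port} added more than once")
        for port, vlan, up in obj["ports"]:
            fast_down = obj["kind"] == "mux" and obj["mode"] == "fast-vlan" and not up
            uses[port].append((obj["name"], vlan, fast_down))
    for port, entries in sorted(uses.items()):
        owners = sorted({name for name, _, _ in entries})
        vlans = [vlan for _, vlan, _ in entries]
        if len(owners) > 1 and len(set(vlans)) < len(vlans):
            errors.append(f"port {port}: same VLAN ID reused across {owners}")
        if len(owners) > 1 and any(fast for _, _, fast in entries):
            errors.append(f"port {port}: fast-vlan downstream port shared by {owners}")
    return errors

# Constructed sample: m2 repeats VLAN 10 on A10 and shares fast-vlan downstream port A1.
SAMPLE = """mux m1
  vlan-enable
  mode fast-vlan
  port up A10 vlan 10
  port A1
mux m2
  vlan-enable
  mode fast-vlan
  port up A10 vlan 10
  port A1 vlan 5"""
print("\n".join(lint(SAMPLE)))
```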

Example Configurations

Fast trunking of a common WAN connection

In this example, three clients share a common WAN connection, with traffic forcibly separated using VLAN tags. Segregation is done in fast-vlan mode, which means that when forwarding a packet from downstream to upstream ports, the VLAN tag of the frame is not inspected. This means that, for example, if a client in mux m1 (VLAN 10) sends an untagged packet into a downstream port, it will leave the upstream port tagged with VLAN ID 10. Also, if a client in mux m1 sends a tagged packet into a downstream port, that tag will be translated to VLAN ID 10 prior to leaving the upstream port.

When a packet arrives at the upstream ports in this configuration, forwarding is conducted based upon VLAN ID. For example:

  • When a packet arrives at port A10 with tag 10, it will only be forwarded to downstream ports in mux m1. When this packet leaves these downstream ports it will be untagged.

  • When a packet arrives at port A10 with no tag it will be dropped. This is because no mux objects include port A1 as an untagged upstream port.

Nexus 3550-F 1 configuration:

mux m1
  vlan-enable
  mode fast-vlan
  port up A10 vlan 10
  port A1
  port A11

mux m2
  vlan-enable
  mode fast-vlan
  port up A10 vlan 20
  port B1
  port B13

mux m3
  vlan-enable
  mode fast-vlan
  port up A10 vlan 30
  port C1
  port C15

Nexus 3550-F 2 has the same configuration, with the downstream ports replaced appropriately.

In this configuration the latencies at 10GbE are as follows:

  • Downstream to upstream: 107 ns
  • Upstream to downstream: 125 ns

Sharing of upstream ports with tag translation

In this example two upstream WAN ports are shared between multiple clients, with translation of tags between downstream and upstream ports. Clients can choose to send packets over the Wireless or Wired WAN link based upon VLAN ID. Under this config:

  • We define two groups of clients at each end, group 1 and group 2.
  • We segregate these clients so that whichever WAN link they use, we prevent group 1 from communicating with group 2.
  • When a client transmits an untagged packet, it will be transmitted with a VLAN tag over the wireless link. The VLAN ID is the group number of the client.
  • When a client transmits a packet tagged with VLAN ID 30, it will be transmitted over the wired WAN. The VLAN ID will be translated to the group ID of the client.
  • Any other VLAN IDs used by the client will cause the packets to be dropped (not forwarded).
  • When the wireless WAN upstream port receives a packet, it will forward it to group 1 or group 2 clients based on the VLAN tag. These packets will be transmitted out of the downstream port with no tag.
  • When the wired WAN upstream port receives a packet, it will forward it to group 1 or group 2 clients based on the VLAN tag. These packets will be transmitted out of the downstream port with tag 30.

Nexus 3550-F 1 configuration:

mux wireless_group_1
  vlan-enable
  mode layer2
  port up B4 vlan 1
  port A1
  port A3

mux wired_group_1
  vlan-enable
  mode layer2
  port up B16 vlan 1
  port A1 vlan 30
  port A3 vlan 30

mux wireless_group_2
  vlan-enable
  mode layer2
  port up B4 vlan 2
  port B1
  port C1

mux wired_group_2
  vlan-enable
  mode layer2
  port up B16 vlan 2
  port B1 vlan 30
  port C1 vlan 30

Nexus 3550-F 2 configuration:

mux wireless_group_1
  vlan-enable
  mode layer2
  port up B1 vlan 1
  port A16

mux wired_group_1
  vlan-enable
  mode layer2
  port up B13 vlan 1
  port A16 vlan 30

mux wireless_group_2
  vlan-enable
  mode layer2
  port up B1 vlan 2
  port B10

mux wired_group_2
  vlan-enable
  mode layer2
  port up B13 vlan 2
  port B10 vlan 30

In this configuration the latencies at 10GbE are as follows:

  • Downstream to upstream: 125 ns
  • Upstream to downstream: 125 ns
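
The forwarding rules of this tag translation example can be modelled to confirm that no tag a client sends lets its traffic leave on the other group's VLAN. This Python model is an added example, not device code; it encodes the Nexus 3550-F 1 muxes from this page as literals and assumes that a packet received on an upstream port is delivered to every downstream port of the selected mux.

```python
# Nexus 3550-F 1 muxes from this page:
#   name -> ((upstream port, upstream VLAN), {downstream port: VLAN})
# None means the port is untagged in that object.
MUXES = {
    "wireless_group_1": (("B4", 1), {"A1": None, "A3": None}),
    "wired_group_1":    (("B16", 1), {"A1": 30, "A3": 30}),
    "wireless_group_2": (("B4", 2), {"B1": None, "C1": None}),
    "wired_group_2":    (("B16", 2), {"B1": 30, "C1": 30}),
}

def from_downstream(port, tag):
    """layer2 mode: ingress (port, tag) selects the mux; egress carries the upstream tag."""
    for (up_port, up_vlan), down in MUXES.values():
        if port in down and down[port] == tag:
            return [(up_port, up_vlan)]
    return []  # no object owns this port with this tag, so the packet is dropped

def from_upstream(port, tag):
    """Upstream ingress: the VLAN ID selects the mux; egress carries each downstream tag."""
    for (up_port, up_vlan), down in MUXES.values():
        if (up_port, up_vlan) == (port, tag):
            return sorted(down.items(), key=lambda kv: kv[0])
    return []  # unknown VLAN ID on this upstream port: dropped

def reachable_groups(port):
    """WAN-side VLAN IDs a client port can emit, trying untagged and every tag up to 4093."""
    return {vlan for tag in [None, *range(4094)]
            for _, vlan in from_downstream(port, tag)}

if __name__ == "__main__":
    print(from_downstream("A1", None))   # untagged client packet, wireless link
    print(from_downstream("A1", 30))     # tag 30, wired link, translated to group ID
    print(from_downstream("A1", 2))      # any other tag is dropped
    print({p: reachable_groups(p) for p in ("A1", "A3", "B1", "C1")})
```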

Switch trunking ports

This configuration sets up port A1 as a trunking port for two switch objects:

switch my_switch_1
  vlan-enable
  port A1 vlan 10
  port A2
  port A3

switch my_switch_2
  vlan-enable
  port A1 vlan 20
  port A4
  port A5