Layer 4 filtering, VLANs, IEEE 802.1Q VLAN support – HP 9304M User Manual

Page 14: IEEE 802.1D Spanning Tree Protocol, Layer 4 Filtering, VLANs

HP ProCurve Routing Switch 9308M / 9304M Reviewer’s Guide

2.4.4.2 Layer 4 Filtering

The 9300 routing switches can filter based on IP addresses, IP port number and IPX network number.
More details are given later in the Filtering section. These filters can be used in permit or deny
situations, allowing fine tuning of traffic based on Layer 4 information.

2.5 VLANs

A Virtual LAN is a logical collection of ports or nodes that belong to a single broadcast/multicast
domain. VLANs were originally devised as a solution to limit the size of any one broadcast domain to
allow scaling of switched environments. With the advent of routing switch solutions, however, use of
VLANs in end user environments is now largely done for network policy or security reasons. VLANs are
also used in the HP ProCurve routing switches to establish groups of ports that are switched, linked to
the router through a router virtual interface. See the Layer 3 services above for a more detailed
explanation.

The HP ProCurve routing switches support up to 4096 VLANs (8 default), although normal VLAN usage
is usually less than twenty VLANs. VLAN membership can be designated through any one of the
following:

• A particular port (port-based)

• An 802.1Q tag

• IP protocol

• IP subnet

• NetBIOS

• IPX network number

• AppleTalk

• DECnet

• Other

VLANs can overlap on a single port. For example, it may be advantageous to have a server connected
through a single port to be a member of two different VLANs such that two different groups of PCs can
access the same server, but the two groups of PCs cannot talk directly with each other.

Port-based VLANs can be further subdivided by using protocol VLANs. Protocol VLANs establish
packet membership based on the packet’s IP subnet number, IPX network number, etc. Since a packet
could be part of several VLANs simultaneously, there is a hierarchy of VLAN ownership. Port-based
VLANs are the lowest level. Layer 3 protocol-based VLANs (IP, IPX, AppleTalk, DECnet and NetBIOS)
are in the middle. IP subnet and IPX network number VLANs are at the top.

VLANs can also be assigned to the virtual interfaces of the router in the routing switch. This provides a
means of communication between two VLANs. VLANs defined only on switched ports within the
routing switch cannot talk to each other without going through the router.

2.5.1 IEEE 802.1Q VLAN Support

The HP ProCurve routing switches support the IEEE 802.1Q VLAN tagging standard. The routing
switches can carry traffic for multiple VLANs over a single physical link. 802.1Q also allows
interoperability at this level between different vendors in a standards-based way.

Ports with only a single VLAN designation can be designated as untagged ports. Packets leaving these
ports will not be 802.1Q tagged.
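
As an added illustration (not code from the HP guide), the Python below builds and parses the 4-byte IEEE 802.1Q tag and models the tagged and untagged port behavior described in this section. The function names and the sample frame are constructed for this example; the 12-bit VLAN ID field in the tag is what gives 4096 possible VLAN values.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an IEEE 802.1Q tag

def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag after the destination and source MACs."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    if not 0 <= vid <= 0x0FFF or not 0 <= pcp <= 7:
        raise ValueError("VID is a 12-bit field, PCP a 3-bit field")
    tci = (pcp << 13) | vid          # PCP(3) | DEI(1)=0 | VID(12)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def parse_tag(frame: bytes):
    """Return (vid, pcp, inner_ethertype); vid and pcp are None if untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None, None, ethertype
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack_from("!HH", frame, 14)
    return tci & 0x0FFF, tci >> 13, inner

def strip_tag(frame: bytes) -> bytes:
    """Remove the 802.1Q tag if present; untagged frames pass through."""
    vid, _, _ = parse_tag(frame)
    return frame if vid is None else frame[:12] + frame[16:]

def egress(frame: bytes, vlan: int, port_tagged: bool) -> bytes:
    """Frame as it leaves a port: tagged ports carry the VLAN ID on the wire,
    untagged (single-VLAN) ports send the frame without a tag."""
    bare = strip_tag(frame)
    return add_tag(bare, vlan) if port_tagged else bare

# Constructed sample: broadcast IPv4 frame with a dummy 4-byte payload.
SAMPLE = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"data"

if __name__ == "__main__":
    on_trunk = egress(SAMPLE, vlan=20, port_tagged=True)
    print(on_trunk.hex(), parse_tag(on_trunk))
    print(egress(on_trunk, vlan=20, port_tagged=False) == SAMPLE)
```
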

2.5.2 IEEE 802.1D Spanning Tree Protocol

The HP ProCurve routing switches support multiple instance spanning tree protocol. Each VLAN can
have an instance of spanning tree running. This is useful in multiple VLAN environments where loops
exist for redundancy purposes at the Layer 2 level.

Note that other HP switches support a single instance of spanning tree per box, per the 802.1D spec. If
an HP Layer 2 switch is connected to an HP ProCurve routing switch and both are running spanning
tree, the 9300 port connected to the HP switch needs to be an untagged port for the spanning tree
protocols to be recognized, so that within the routing switch VLAN a port will behave correctly
according to Spanning Tree.

©1999 Hewlett-Packard Company

Revision 4.0 – 4/1/1999

Page: 14 of 27
