How to setup Nebula Switch VLAN configuration?

Zyxel_Kay

Introduction

If you are familiar with VLAN according to 802.1Q, you might already be familiar with terminology such as "PVID", "untagged Membership", "tagged Membership" and VLAN-Tag etc.
However, more and more networking devices show in their VLAN setup terms such as "Trunk", "Trunking", "Access" etc., which causes massive confusion to a topic, which seems anyways hard to come by. Especially the switch port settings within Nebula use this terminology and by this differ very much from how we previously learned to set up VLANs.

In this article, we want to tackle the confusion surrounding this topic and hopefully give some insight into how VLAN is set up within Nebula.

A Recap of 802.1Q VLAN

If we look back on how VLAN are defined, there are some very basic parameters we have to get straight first - according to the 802.1Q standard, frames belonging to a VLAN are differentiated upon the size of the header and certain bytes that are added, and have certain content written into them in case of a VLAN membership. We call this a VLAN-Tag. See below graphic for your reference:

A switch port will only accept the enlarged frame, if it has been made aware, that there is a bigger frame to be expected than the usual frame-size, and if the content of the VLAN-ID (VID) matches what the switch has been made aware of. This is called Tagged Membership. Once accepted, the switch will treat the incoming frame as belonging to the VLAN the frame was tagged for.

If we have an Untagged Membership, that means that the switch port itself is not expecting any kind of tagged traffic, but instead normal-sized frames without VLAN-Tag. What it will do, however, is, in conjunction with the PVID, treat the untagged incoming frame as belonging to a certain VLAN. For this, you can imagine if the VLANs set on the port indicate "railroads/lanes with an identifier number":

Now that we have taken a look at how VLAN works generically according to the IEEE standard defining VLAN, let's put this into context of the new ways of setting up VLAN via Trunk & Access Mode.

Setting up VLANs easier - Trunk & Access Mode

VLAN is following a concept that is hard to grasp for a lot of people. It's one of these fields, which you do not understand at all until you understand them really thoroughly. But once you really get a grip on how they work, they become "easy as pie". Competitors like Cisco have changed the way they assign VLAN memberships to something which seems more intuitive for the unskilled engineer, and which by now has established itself as a parallel industry-standard running along the 802.1Q definition of VLAN, using Trunk Mode and Access Mode to define the memberships. In our Nebula solution, in order to cater to this growing demand, we have also implemented this concept of assigning VLAN memberships. Let's take a look at what the menu looks like for Trunk Mode  first and put that into perspective of the 802.1Q Standard - the menu can be found via:

Site-Wide > Configure > Switch > Switch ports

Now check the checkbox of one of the ports you wanted to edit and press the "Edit" button, and you will be prompted with the port editing menu:

What we want to focus on, is the marked area consisting of Type, PVID & Allowed VLANS

• Type Let's you choose between Trunk & Access Mode
• PVID - Let's you set the PVID for the port
• Allowed VLANs (only in Trunk Mode) - Let's you set what VLANs are activated/tagged/assigned to the port
• VLAN Type (only in Access Mode) - Allows you to assign certain dynamic VLAN distribution mechanisms such as Voice VLAN etc.

So now that we have discussed where to find the settings and what can be set up, how do we translate the Trunk & Access Type to our formerly gained knowledge on 802.1Q. It's pretty simple, honestly:

Trunk

The Trunk VLAN type is basically chosen when we have a VLAN-capable device on the peer side. So if we want to handle any sort of tagged VLAN traffic, we choose Trunk-Type. Then, we set the PVID to our needs. The PVID always has to match our untagged, membership, and there only can be one untagged membership per port = one PVID per port as well. So setting the PVID to = 1, we automatically in the background assign this switch port an Untagged Membership in VLAN 1 as well. Moving on, we have "Allowed VLANS" defined, by default with "all". This basically can be stated as: "This port has been assigned with all 4096 VLANs. Since PVID 1 is set and there is a match within the Allowed VLANs, VLAN1 is untagged, but all the other VLANs from 2 to 4096 are set to tagged membership".

If we only want a specific selection, for example, Untagged VLAN1, and tagged VLAN10, 20, 30, we would set up the following:

This basically can be stated as: "We are setting up the port to accept untagged traffic and treat it as VLAN1 traffic. Apart from that, tagged frames with the VID 10,20,30 are also allowed to enter. Anything differing from this will be rejected".

Having these examples at hand, it should be clear, why the Trunk Type is very easy and intuitive to set up and is slowly becoming an industry-standard in VLAN setup.

Access

The Access mode vastly differs from the Trunk VLAN type in the sense, that the Access mode has no VLANs configurable except for the PVID. As we learned before, the PVID always has to match the untagged membership. Access Type is especially used on ports of which you know the connected end devices are not VLAN-capable, also often referred to as "edge-ports". This is commonly the case with normal desktop PCs and laptops.

Let's look at this example:

This can be described this way: "We set the switch port VLAN type to "Access". This exclusively allows for incoming frames, which have no tag attached, to be treated as belonging to VLAN1."

Don't get confused, that the "VLAN type" is set to "None". The VLAN type only comes into play, when you want to assign dynamically assigned VLAN mechanisms, such as Voice VLAN etc. - the wording might be confusing and is a bit unlucky in the respect that it conflicts with the "Type" above:

With this newly gained knowledge, you should now be able to assign VLANs in Nebula in a breeze and gain a full understanding of VLAN and how they function.