IBM Partner Pavilion BMD00082 User's Guide

SmartConnect User’s Guide
  Chapter 3: Switch Virtualization
BMD00082, February 2009
VLANs
Network Segmentation
Virtual Local Area Networks (VLANs) are commonly used to split up groups of network users 
into manageable broadcast domains, to create logical segmentation of workgroups, and to 
enforce security policies among logical segments.
By default, the VSE SmartConnect software treats all VLAN traffic as regular, untagged traffic 
(as if no VLAN is assigned), and does not use VLAN information for making decisions on 
whether to forward, drop, or segment traffic.
Switches with VSE SmartConnect software use VSGs to provide similar network segmentation 
functions without the need to alter the configuration of the broader network.
Though VSG numbers do not technically correlate to any specific VLAN IDs, if VSGs are 
used as a way to emulate VLANs in the switch, for ease of management the administrator can 
set the name of the VSG to reflect the equivalent VLAN identity.
Port Access
VLAN security policies can be enforced for ports within VSGs by using Access Control Lists 
(ACLs). Port ACLs can be configured to consider a packet’s VLAN ID for making decisions 
on whether to permit or deny the packet’s ingress.
ACLs can be configured in the BBI through the Switch Policy menus (see ), and applied to 
ports through the Virtual Switch Groups menu (see ).
Port-Based VLAN Tagging
Each internal and external port can be independently configured with a Port VLAN ID (PVID) 
for tagging purposes. Under specific circumstances, the configured VLAN ID will be added to 
or stripped from traffic passing through the switch.
- Upon the ingress of untagged packets:
  - If the PVID on the port is 0 (the default), the packets will remain untagged.
  - If the PVID on the port is set to any value other than 0, the switch will tag the packets, 
    placing the port’s VLAN identifier into the frame headers. One application of this 
    feature is to set a VLAN for traffic outbound from servers that do not perform their 
    own VLAN tagging.
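
The untagged-ingress rule above and a VLAN-aware port ACL check, modelled on raw Ethernet frames. This is an added example, not code from the guide or from the switch software. It assumes standard IEEE 802.1Q tags; the function names, the sample frame, the pass-through of already-tagged frames, and the permit-list form of the ACL are assumptions made for illustration.

```python
import struct

TPID_8021Q = 0x8100  # IEEE 802.1Q tag protocol identifier

def vlan_id(frame: bytes):
    """Return the frame's 802.1Q VLAN ID, or None if it is untagged."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF  # low 12 bits of the TCI carry the VLAN ID

def ingress_tag(frame: bytes, pvid: int) -> bytes:
    """Model the untagged-ingress rule: PVID 0 leaves the frame alone,
    any other PVID inserts a tag carrying the port's VLAN identifier."""
    if not 0 <= pvid <= 4094:  # 12-bit field; 4095 is reserved by 802.1Q
        raise ValueError("PVID out of range")
    if vlan_id(frame) is not None:
        # Already tagged: not covered by the passage above, so this model
        # (assumption) returns the frame unchanged.
        return frame
    if pvid == 0:
        return frame
    tag = struct.pack("!HH", TPID_8021Q, pvid)  # priority bits left at 0
    return frame[:12] + tag + frame[12:]  # tag sits after the source MAC

def acl_permits(frame: bytes, permitted_vlans: set) -> bool:
    """Hypothetical port ACL: permit only frames whose VLAN ID is listed."""
    return vlan_id(frame) in permitted_vlans

# Constructed sample: broadcast IPv4 frame from a server that does not tag.
UNTAGGED = (bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
            + struct.pack("!H", 0x0800) + b"constructed payload")

if __name__ == "__main__":
    for pvid in (0, 20):
        out = ingress_tag(UNTAGGED, pvid)
        print(f"PVID {pvid}: VLAN ID {vlan_id(out)}, "
              f"permitted by ACL for VLAN 20: {acl_permits(out, {20})}")
```

With the default PVID of 0 the frame stays untagged, so an ACL that matches on VLAN ID has nothing to match; a non-zero PVID is what gives traffic from a non-tagging server a VLAN identity to filter on.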