Learn VLAN division from scratch to double your network performance!

2023.10.28

When it comes to network security and performance optimization, VLAN (Virtual Local Area Network) segmentation is a key strategy. It not only provides better network management, but also enhances data isolation and access control.

  • Have you ever thought about how the 4094 usable VLAN IDs can be divided up?
  • Which method is the easiest and simplest to use?

The editor has sorted it all out for you below.

How to divide VLANs

  • Interface-based VLANs: the VLAN ID is assigned according to the switch interface a frame arrives on. Configuration is simple and it suits most scenarios.
  • MAC-based VLANs: the VLAN ID is assigned according to the source MAC address of the frame. Often used where a user's physical location changes and the VLAN should not need reconfiguring.
  • Subnet-based VLANs: the VLAN ID is assigned according to the source IP address of the packet. Generally used for unified management of users on the same network segment.
  • Protocol-based VLANs: the VLAN ID is assigned according to the protocol type of the packet. Suitable for unified management of users of the same application or service.
  • Policy-based VLANs: the VLAN ID is assigned according to a specified policy (for example, a combination of the frame's source MAC, source IP, and port). Suitable for scenarios with higher security requirements.

Of these methods, interface-based VLAN division is the most commonly used and the simplest. So how is it configured and used?

Before configuring it, let's review the commonly used port link types:

  • access: used to connect a switch to a PC;
  • trunk: used to connect a switch to another switch;
  • hybrid: can be used to connect a switch to a PC or to another switch; this type is often used on inter-switch links.

Okay, let's take an actual network as an example to explain the configuration of interface-based VLAN division.

Case presentation

Scenario 1: How can two users on one switch be divided into VLANs through interfaces to achieve isolation?

First, connect two PCs on the same network segment directly to the switch without configuring any VLANs. Can they ping each other?

As the capture above shows, the ping succeeds. Why?

Because by default the interfaces of a Huawei switch all belong to VLAN 1. The two PCs are directly connected to the switch, so as long as they are on the same network segment they can communicate with each other.

So how is isolation achieved with VLANs? Simply put the interfaces into different VLANs. For example, ports GE0/0/1 and GE0/0/2 of the switch are added to VLAN 10 and VLAN 20 respectively as access ports.

interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 20

Now the two PCs are in different VLANs based on their interfaces, and they can no longer ping each other, so isolation is achieved.

Friends, have you ever wondered why this isolates them?

Capturing packets on G0/0/1 and G0/0/2 of switch SW1 shows that the ARP broadcast received on G0/0/1 is never sent out of G0/0/2.

This follows from how an access interface sends and receives frames: the frame entering G0/0/1 is tagged with that port's VLAN ID (10). When the switch goes to send it out of G0/0/2, it finds that the VLAN ID does not match the VLAN of G0/0/2 (20), so the frame is discarded.

Scenario 2: There are four users across two switches. How can VLANs be divided by interface to achieve both isolation and interoperability?

As shown below, by default the four PCs belong to the same network segment and can all ping each other. Assume PC1 and PC3 belong to one department and PC2 and PC4 to another. How do we configure interface-based VLANs so that users in the same department can communicate with each other, but users in different departments cannot?

PC1 and PC3, the two users in the first department, are assigned to VLAN 10: GE0/0/1 on switch 1 and GE0/0/1 on switch 2 are added to VLAN 10 as access ports.

interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10

PC2 and PC4, the two users in the other department, are assigned to VLAN 20 in the same way.

interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 20

Port GE0/0/23 on each switch, which connects the two switches, is configured as a trunk port that allows VLAN 10 and VLAN 20 to pass, so the VLANs can communicate across switches.

interface GigabitEthernet0/0/23
 port link-type trunk
 port trunk allow-pass vlan 10 20

In this way PC1 and PC3, who are in the same department, can communicate with each other (and likewise PC2 and PC4), while users in different departments, such as PC1 and PC2, cannot.
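To make the behaviour behind Scenario 1 and Scenario 2 concrete, here is a small Python model of how access and trunk ports handle VLAN tags when a broadcast such as the ARP request above is flooded. It is an added illustration, not code from the original post and not Huawei software; the switch names, port names and PC placement are the constructed topology of the two scenarios, and the tagging rules it applies are the standard ones: an untagged frame takes the ingress port's PVID, an access port only sends its own VLAN and strips the tag, and a trunk sends its PVID untagged and the other VLANs in its allow-pass list tagged.

```python
"""Flooding model for access and trunk ports, covering Scenario 1 (one switch)
and Scenario 2 (two switches joined by a trunk). Added example; the topology
is constructed to match the scenarios in the text."""
from dataclasses import dataclass, field

DROP = object()  # sentinel: the frame is discarded at this port


@dataclass
class Port:
    """One interface, mirroring 'port link-type', 'port default vlan' and
    'port trunk allow-pass vlan'."""
    link_type: str                          # "access" or "trunk"
    pvid: int = 1                           # Huawei default: every port is in VLAN 1
    allow_pass: frozenset = frozenset({1})  # VLANs a trunk forwards; VLAN 1 by default


@dataclass
class Network:
    switches: dict = field(default_factory=dict)  # switch name -> {port name: Port}
    pcs: dict = field(default_factory=dict)       # PC name -> (switch, port)
    uplinks: dict = field(default_factory=dict)   # (switch, port) -> (switch, port), both ways

    def connect_switches(self, a, b):
        self.uplinks[a], self.uplinks[b] = b, a


def ingress_vlan(port, tag):
    """VLAN a frame belongs to after entering 'port', or None if the port drops it.
    Untagged frames take the PVID; a trunk accepts a tag only if it is in its
    allow-pass list; an access port accepts a tag only if it equals its own VLAN."""
    if tag is None:
        return port.pvid
    if port.link_type == "trunk":
        return tag if tag in port.allow_pass else None
    return tag if tag == port.pvid else None


def egress_tag(port, vlan):
    """Tag a frame in 'vlan' carries when leaving 'port' (None = untagged), or DROP.
    An access port sends only its own VLAN, untagged; a trunk sends its PVID
    untagged and every other allowed VLAN tagged."""
    if port.link_type == "access":
        return None if vlan == port.pvid else DROP
    if vlan not in port.allow_pass:
        return DROP
    return None if vlan == port.pvid else vlan


def broadcast_reach(net, src_pc):
    """Flood one broadcast (e.g. the ARP request in Scenario 1) from src_pc and
    return the names of the PCs that receive it."""
    pc_at = {loc: pc for pc, loc in net.pcs.items()}
    src_sw, src_port = net.pcs[src_pc]
    pending = [(src_sw, src_port, None)]  # (switch, ingress port, tag): a PC sends untagged
    flooded = set()                       # (switch, vlan) pairs already flooded: stops loops
    received = set()
    while pending:
        sw, in_name, tag = pending.pop()
        vlan = ingress_vlan(net.switches[sw][in_name], tag)
        if vlan is None or (sw, vlan) in flooded:
            continue
        flooded.add((sw, vlan))
        for out_name, out_port in net.switches[sw].items():
            if out_name == in_name:
                continue                  # never flood back out the ingress port
            out_tag = egress_tag(out_port, vlan)
            if out_tag is DROP:
                continue
            if (sw, out_name) in pc_at:
                received.add(pc_at[(sw, out_name)])  # the attached PC gets the frame
            elif (sw, out_name) in net.uplinks:
                peer_sw, peer_name = net.uplinks[(sw, out_name)]
                pending.append((peer_sw, peer_name, out_tag))
    return received


def scenario1(isolated=True):
    """One switch, PC1 on GE0/0/1 and PC2 on GE0/0/2; isolated=False is the factory state."""
    net = Network()
    net.switches["SW1"] = {
        "GE0/0/1": Port("access", pvid=10 if isolated else 1),
        "GE0/0/2": Port("access", pvid=20 if isolated else 1),
    }
    net.pcs = {"PC1": ("SW1", "GE0/0/1"), "PC2": ("SW1", "GE0/0/2")}
    return net


def scenario2(trunk_allow=frozenset({1, 10, 20})):
    """Two switches, each with a PC on GE0/0/1 (VLAN 10) and GE0/0/2 (VLAN 20),
    joined by a trunk on GE0/0/23."""
    net = Network()
    for sw in ("SW1", "SW2"):
        net.switches[sw] = {
            "GE0/0/1": Port("access", pvid=10),
            "GE0/0/2": Port("access", pvid=20),
            "GE0/0/23": Port("trunk", pvid=1, allow_pass=trunk_allow),
        }
    net.pcs = {"PC1": ("SW1", "GE0/0/1"), "PC2": ("SW1", "GE0/0/2"),
               "PC3": ("SW2", "GE0/0/1"), "PC4": ("SW2", "GE0/0/2")}
    net.connect_switches(("SW1", "GE0/0/23"), ("SW2", "GE0/0/23"))
    return net


if __name__ == "__main__":
    print("scenario 1, no VLANs:", broadcast_reach(scenario1(False), "PC1"))   # {'PC2'}
    print("scenario 1, VLAN 10/20:", broadcast_reach(scenario1(True), "PC1"))  # set()
    net = scenario2()
    for pc in net.pcs:
        print("scenario 2,", pc, "reaches", broadcast_reach(net, pc))
    # a trunk that forgot 'allow-pass vlan 20' silently breaks PC2 <-> PC4
    print("trunk without VLAN 20:", broadcast_reach(scenario2(frozenset({1, 10})), "PC2"))  # set()
```

The last line of the script shows the failure mode worth checking on real trunks: if a VLAN is missing from the allow-pass list on either end, the broadcast is dropped at the trunk and the two departments' hosts simply cannot find each other, with no error reported on the switch.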

Configuration tips

You may have noticed that the two scenarios above involve only a few VLANs and ports, whereas a real network usually needs many VLANs and many ports configured. Is there a way to finish the configuration quickly? Below, the editor introduces batch configuration and how to quickly restore a port's default VLAN configuration.

1. Create VLANs in batches

<Huawei> system-view
[Huawei] vlan batch 2 to 100

2. Add ports to a VLAN in batches

[Huawei] port-group group-member GigabitEthernet 0/0/10 to GigabitEthernet 0/0/20
[Huawei-port-group] port link-type access
[Huawei-port-group] port default vlan 100
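Batch configuration makes it easy to leave a port in VLAN 1 by mistake, or to let a trunk pass far more VLANs than its access ports need. The following Python script, added here as an example and not taken from the original post or from any Huawei tool, parses the vlan batch, port link-type, port default vlan and port trunk allow-pass vlan lines in the same form as the configurations above and reports those findings. The configuration text inside it is constructed for the example; its interface names and VLAN numbers are made up.

```python
"""Audit a Huawei-style VLAN configuration for ports left in the default VLAN
and for trunks that pass more VLANs than needed. Added example; the config
text below is constructed, not taken from a real switch."""
from dataclasses import dataclass, field

SAMPLE_CONFIG = """\
#
vlan batch 10 20 100
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 20
#
interface GigabitEthernet0/0/3
 port link-type access
#
interface GigabitEthernet0/0/23
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
interface GigabitEthernet0/0/24
 port link-type trunk
 port trunk allow-pass vlan 2 to 100
#
"""


@dataclass
class PortConfig:
    name: str
    link_type: str = ""                                   # "" = no 'port link-type' line seen
    pvid: int = 1                                         # VLAN 1 until 'port default vlan' is set
    allow_pass: set = field(default_factory=lambda: {1})  # trunks pass VLAN 1 unless told otherwise


def expand_vlans(spec):
    """Expand the '10 20' / '2 to 100' / 'all' syntax used by 'vlan batch' and
    'port trunk allow-pass vlan' into a set of VLAN IDs."""
    tokens = spec.split()
    if tokens == ["all"]:
        return set(range(1, 4095))
    ids, i = set(), 0
    while i < len(tokens):
        first = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            ids.update(range(first, int(tokens[i + 2]) + 1))
            i += 3
        else:
            ids.add(first)
            i += 1
    return ids


def parse_config(text):
    """Return (set of VLANs created by 'vlan batch', {interface name: PortConfig})."""
    created, ports, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":                  # '#' ends the current view in Huawei output
            current = None
        elif line.startswith("vlan batch "):
            created |= expand_vlans(line[len("vlan batch "):])
        elif line.startswith("interface "):
            current = PortConfig(name=line.split(None, 1)[1])
            ports[current.name] = current
        elif current is None:
            continue                     # ignore lines outside an interface view
        elif line.startswith("port link-type "):
            current.link_type = line.split()[-1]
        elif line.startswith("port default vlan "):
            current.pvid = int(line.split()[-1])
        elif line.startswith("port trunk allow-pass vlan "):
            current.allow_pass = expand_vlans(line[len("port trunk allow-pass vlan "):])
    return created, ports


def audit(created, ports):
    """Return (interface, finding) pairs: access ports still in VLAN 1, access ports
    on VLANs that were never created, and trunks wider than the access VLANs present."""
    in_use = {p.pvid for p in ports.values() if p.link_type == "access"}
    findings = []
    for p in ports.values():
        if p.link_type == "access":
            if p.pvid == 1:
                findings.append((p.name, "access port still in default VLAN 1"))
            elif p.pvid not in created:
                findings.append((p.name, f"access port in VLAN {p.pvid}, which 'vlan batch' never created"))
        elif p.link_type == "trunk":
            extra = sorted(p.allow_pass - in_use - {1})
            if extra:
                findings.append((p.name, f"trunk passes {len(extra)} VLAN(s) no access port here uses, e.g. {extra[:5]}"))
        else:
            findings.append((p.name, "no 'port link-type' configured; switch default applies"))
    return findings


if __name__ == "__main__":
    created, ports = parse_config(SAMPLE_CONFIG)
    print("VLANs created:", sorted(created))
    for name, finding in audit(created, ports):
        print(f"{name}: {finding}")
```

Run against the output of display current-configuration, the trunk finding is a prompt to review rather than a hard error, since a trunk may legitimately transit VLANs for a switch further downstream; the VLAN 1 finding, however, is exactly the leftover state that the restore commands in the next section are meant to clean up deliberately rather than leave by accident.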

3. Quickly restore port VLAN default configuration

To quickly restore a port's default VLAN configuration, you first need to know what the default is. On Huawei switches, every port belongs only to VLAN 1 by default. So let's look at how to quickly restore the default configuration for each of the three link types.

  • Access port: one step; the command is undo port default vlan.
  • Trunk and hybrid ports: three steps; first restore the PVID, then remove all VLANs from the port, and finally add the default VLAN 1 back. The specific commands are as follows: