Allied Telesis AT-S63 User Manual

Page 690

background image

Chapter 29: MAC Address-based VLANs

690

Section VI: Virtual LANs

addresses or egress ports from a VLAN. Here is how the example might
look.

A switch can support more than one MAC-address VLAN at a time and a
port can be an egress member of more than one VLAN. While this can
prove useful in some situations, it can also result in VLAN leakage where
the traffic of one VLAN crosses the boundary into other VLANs.

The problem arises in the case of unknown unicast traffic. If the switch
receives a packet from a member of a MAC address-based VLAN with an
unknown destination address, it floods the packet on all egress ports of
the VLAN. If the VLAN contains a port that is also serving as an egress
port of another VLAN, the node connected to the port receives the flooded
packets, even if it does not belong to the same VLAN as the node that
generated the packet.

Here’s an example. Assume that Port 4 on a switch has been designated
an egress port of three MAC address-based VLANs. Any unknown unicast
traffic that the switch receives that belong to any of the VLANs will be
flooded out Port 4, even if there are no active members of that particular
VLAN on the port. This means that whatever device is connected to the
port receives the flooded traffic of all three VLANs.

If security is a major concern for your network, you might not want to
assign a port as an egress port to more than one VLAN when planning
your MAC address-based VLANs.

When a packet whose source MAC address is part of a MAC address-
based VLAN arrives on a port, the switch performs one of the following
actions:

ˆ

If the packet’s destination MAC address is not in the MAC address
table, the switch floods the packet out all egress ports of the VLAN,
excluding the port where the packet was received.

ˆ

If the packet’s destination MAC address is in the MAC address table
and if the port where the address was learned is one of the VLAN’s

Table 24. Revised Example of Mappings of MAC Addresses to Egress Ports

MAC Address

End Node

Egress Port

00:30:84:54:1A:45

Workstation (Port 1)

1-6

00:30:84:C3:5A:11

Workstation (Port 2)

1

00:30:84:22:67:17

Workstation (Port 3)

1

00:30:84:78:75:1C

Workstation (Port 4)

1

00:30:79:7A:11:10

Server (Port 5)

1

00:30:42:53:10:3A

Printer (Port 6)

1

See also other documents in the category Allied Telesis Computer hardware: