LAN Switching - Configuring VLANs  [Support] (2024)

Table Of Contents

Configuring VLANs

Understanding VLANs

VLAN Overview

VLAN Ranges

Configurable VLAN Parameters

Understanding Token Ring VLANs

Token Ring TrBRF VLANs

Token Ring TrCRF VLANs

VLAN Default Configuration

VLAN Configuration Guidelines and Restrictions

Configuring VLANs

VLAN Configuration Options

VLAN Configuration in Global Configuration Mode

VLAN Configuration in VLAN Database Mode

VLAN Locking

Creating or Modifying an Ethernet VLAN

Assigning a Layer 2 LAN Interface to a VLAN

Configuring the Internal VLAN Allocation Policy

Configuring VLAN Translation

VLAN Translation Guidelines and Restrictions

Configuring VLAN Translation on a Trunk Port

Enabling VLAN Translation on Other Ports in a Port Group

Mapping 802.1Q VLANs to ISL VLANs

Configuring VLANs

This chapter describes how to configure VLANs in CiscoIOSSoftware Release12.2SX..

NoteFor complete syntax and usage information for the commands used in this chapter, see the Cisco IOS Software Releases 12.2SX Command References at thisURL:

http://www.cisco.com/en/US/docs/ios/mcl/122sx_mcl.html

This chapter consists of these sections:

•Understanding VLANs

•VLAN Default Configuration

•VLAN Configuration Guidelines and Restrictions

•Configuring VLANs

Understanding VLANs

The following sections describe how VLANs work:

•VLAN Overview

•VLAN Ranges

•Configurable VLAN Parameters

•Understanding Token Ring VLANs

VLAN Overview

A VLAN is a group of end stations with a common set of requirements, independent of physical location. VLANs have the same attributes as a physical LAN but allow you to group end stations even if they are not located physically on the same LAN segment.

VLANs are usually associated with IP subnetworks. For example, all the end stations in a particular IP subnet belong to the same VLAN. Traffic between VLANs must be routed. LAN port VLAN membership is assigned manually on an port-by-port basis.

VLAN Ranges

NoteYou must enable the extended system ID to use 4096 VLANs (see the "Understanding the Bridge ID" section on page22-2).

CiscoIOSSoftware Release12.2SX supports 4096 VLANs in accordance with the IEEE 802.1Q standard. These VLANs are organized into several ranges; you use each range slightly differently. Some of these VLANs are propagated to other switches in the network when you use the VLAN Trunking Protocol (VTP). The extended-range VLANs are not propagated, so you must configure extended-range VLANs manually on each network device.

Table17-1 describes the VLAN ranges.

The following information applies to VLAN ranges:

•Layer3 LAN ports, WAN interfaces and subinterfaces, and some software features use internal VLANs in the extended range. You cannot use an extended range VLAN that has been allocated for internal use.

•To display the VLANs used internally, enter the show vlan internal usage command. With earlier releases, enter the show vlan internal usage and show cwan vlans commands.

•You can configure ascending internal VLAN allocation (from 1006 and up) or descending internal VLAN allocation (from 4094 and down).

•You must enable the extended system ID to use extended range VLANs (see the "Understanding the Bridge ID" section on page21-2).

Configurable VLAN Parameters

Note•Ethernet VLAN 1 uses only default values.

•Except for the VLAN name, Ethernet VLANs 1006 through 4094 use only default values.

•You can configure the VLAN name for Ethernet VLANs 1006 through 4094.

You can configure the following parameters for VLANs 2 through 1001:

•VLAN name

•VLAN type (Ethernet, FDDI, FDDI network entity title [NET], TrBRF, or TrCRF)

•VLAN state (active or suspended)

•Security Association Identifier (SAID)

•Bridge identification number for TrBRF VLANs

•Ring number for FDDI and TrCRF VLANs

•Parent VLAN number for TrCRF VLANs

•Spanning Tree Protocol (STP) type for TrCRF VLANs

Understanding Token Ring VLANs

The following section describes the two Token Ring VLAN types supported on network devices running VTP version2:

•Token Ring TrBRF VLANs

•Token Ring TrCRF VLANs

NoteCiscoIOSSoftware Release12.2SX does not support Inter-Switch Link (ISL)-encapsulated Token Ring frames. In VTP server mode, you can configure Token Ring VLANs from the switch.

Token Ring TrBRF VLANs

Token Ring Bridge Relay Function (TrBRF) VLANs interconnect multiple Token Ring Concentrator Relay Function (TrCRF) VLANs in a switched Token Ring network (see Figure17-1). The TrBRF can be extended across a network devices interconnected via trunk links. The connection between the TrCRF and the TrBRF is referred to as a logical port.

Figure17-1Interconnected Token Ring TrBRF and TrCRF VLANs

For source routing, the switch appears as a single bridge between the logical rings. The TrBRF can function as a source-route bridge (SRB) or a source-route transparent (SRT) bridge running either the IBM or IEEE STP. If an SRB is used, you can define duplicate MAC addresses on different logical rings.

The Token Ring software runs an instance of STP for each TrBRF VLAN and each TrCRF VLAN. For TrCRF VLANs, STP removes loops in the logical ring. For TrBRF VLANs, STP interacts with external bridges to remove loops from the bridge topology, similar to STP operation on Ethernet VLANs.

CautionCertain parent TrBRF STP and TrCRF bridge mode configurations can place the logical ports (the connection between the TrBRF and the TrCRF) of the TrBRF in a blocked state. For more information, see the "VLAN Configuration Guidelines and Restrictions" section.

To accommodate IBM System Network Architecture (SNA) traffic, you can use a combination of SRT and SRB modes. In a mixed mode, the TrBRF determines that some ports (logical ports connected to TrCRFs) operate in SRB mode while other ports operate in SRT mode

Token Ring TrCRF VLANs

Token Ring Concentrator Relay Function (TrCRF) VLANs define port groups with the same logical ring number. You can configure two types of TrCRFs in your network: undistributed and backup.

TrCRFs typically are undistributed, which means each TrCRF is limited to the ports on a single network device. Multiple undistributed TrCRFs on the same or separate network devices can be associated with a single parent TrBRF (see Figure17-2). The parent TrBRF acts as a multiport bridge, forwarding traffic between the undistributed TrCRFs.

NoteTo pass data between rings located on separate network devices, you can associate the rings to the same TrBRF and configure the TrBRF for an SRB.

Figure17-2Undistributed TrCRFs

By default, Token Ring ports are associated with the default TrCRF (VLAN 1003, trcrf-default), which has the default TrBRF (VLAN 1005, trbrf-default) as its parent. In this configuration, a distributed TrCRF is possible (see Figure17-3), and traffic is passed between the default TrCRFs located on separate network devices if the network devices are connected through an ISL trunk.

Figure17-3Distributed TrCRF

Within a TrCRF, source-route switching forwards frames based on either MAC addresses or route descriptors. The entire VLAN can operate as a single ring, with frames switched between ports within a single TrCRF.

You can specify the maximum hop count for All-Routes and Spanning Tree Explorer frames for each TrCRF. When you specify the maximum hop count, you limit the maximum number of hops an explorer is allowed to traverse. If a port determines that the explorer frame it is receiving has traversed more than the number of hops specified, it does not forward the frame. The TrCRF determines the number of hops an explorer has traversed by the number of bridge hops in the route information field.

If the ISL connection between network devices fails, you can use a backup TrCRF to configure an alternate route for traffic between undistributed TrCRFs. Only one backup TrCRF for a TrBRF is allowed, and only one port per network device can belong to a backup TrCRF.

If the ISL connection between the network devices fails, the port in the backup TrCRF on each affected network device automatically becomes active, rerouting traffic between the undistributed TrCRFs through the backup TrCRF. When the ISL connection is reestablished, all but one port in the backup TrCRF is disabled. Figure17-4 illustrates the backup TrCRF.

Figure17-4Backup TrCRF

VLAN Default Configuration

Tables 17-2 through 17-6 show the default configurations for the different VLAN media types.

VLAN Configuration Guidelines and Restrictions

When creating and modifying VLANs in your network, follow these guidelines and restrictions:

•Supervisor engine redundancy does not support nondefault VLAN data file names or locations. Do not enter the vtp file file_name command on a switch that has a redundant supervisor engine.

•Before installing a redundant supervisor engine, enter the no vtp file command to return to the default configuration.

•RPR+ redundancy (see Chapter6, "Configuring RPR SupervisorEngineRedundancy") does not support a configuration entered in VLAN database mode. Use global configuration mode with RPR+ redundancy.

•You can configure extended-range VLANs only in global configuration mode. You cannot configure extended-range VLANs in VLAN database mode. See the "VLAN Configuration Options" section.

•Before you can create a VLAN, the switch must be in VTP server mode or VTP transparent mode. For information on configuring VTP, see Chapter16, "Configuring VTP."

•The VLAN configuration is stored in the vlan.dat file, which is stored in nonvolatile memory. You can cause inconsistency in the VLAN database if you manually delete the vlan.dat file. If you want to modify the VLAN configuration or VTP, use the commands described in this guide and in the Cisco IOS Software Releases 12.2SX Command References publication.

•To do a complete backup of your configuration, include the vlan.dat file in the backup.

•The Cisco IOS end command is not supported in VLAN database mode.

•You cannot enter Ctrl-Z to exit VLAN database mode.

•CiscoIOSSoftware Release12.2SX does not support Token Ring or FDDI media. The switch does not forward FDDI, FDDI-Net, TrCRF, or TrBRF traffic, but it can propagate the VLAN configuration through VTP.

•In VTP server mode, you can configure FDDI and Token Ring VLANs from the switch.

•You must configure a TrBRF before you configure the TrCRF (the parent TrBRF VLAN you specify must exist).

•In a Token Ring environment, the logical interfaces (the connection between the TrBRF and the TrCRF) of the TrBRF are placed in a blocked state if either of these conditions exists:

–The TrBRF is running the IBM STP, and the TrCRF is in SRT mode.

–The TrBRF is running the IEEE STP, and the TrCRF is in SRB mode.

Configuring VLANs

These sections describe how to configure VLANs:

•VLAN Configuration Options

•Creating or Modifying an Ethernet VLAN

•Assigning a Layer 2 LAN Interface to a VLAN

•Configuring the Internal VLAN Allocation Policy

•Configuring VLAN Translation

•Mapping 802.1Q VLANs to ISL VLANs

NoteVLANs support a number of parameters that are not discussed in detail in this section. For complete information, see the Cisco IOS Software Releases 12.2SX Command References publication.

VLAN Configuration Options

These sections describe the VLAN configuration options:

•VLAN Configuration in Global Configuration Mode

•VLAN Configuration in VLAN Database Mode

•VLAN Locking

VLAN Configuration in Global Configuration Mode

If the switch is in VTP server or transparent mode (see the "Configuring VTP" section on page16-6), you can configure VLANs in global and config-vlan configuration modes. When you configure VLANs in global and config-vlan configuration modes, the VLAN configuration is saved in the vlan.dat files. To display the VLAN configuration, enter the show vlan command.

If the switch is in VLAN transparent mode, use the copy running-config startup-config command to save the VLAN configuration to the startup-config file. After you save the running configuration as the startup configuration, use the show running-config and show startup-config commands to display the VLAN configuration.

Note•When the switch boots, if the VTP domain name and the VTP mode in the startup-config file and vlan.dat files do not match, the switch uses the configuration in the vlan.dat file.

•You can configure extended-range VLANs only in global configuration mode. You cannot configure extended-range VLANs in VLAN database mode.

VLAN Configuration in VLAN Database Mode

NoteYou cannot configure extended-range VLANs in VLAN database mode. You can configure extended-range VLANs only in global configuration mode. RPR+ redundancy does not support configuration entered in VLAN database mode. Use global configuration mode with RPR+ redundancy.

If the switch is in VTP server or transparent mode, you can configure VLANs in the VLAN database mode. When you configure VLANs in VLAN database mode, the VLAN configuration is saved in the vlan.dat files. To display the VLAN configuration, enter the show vlan command.

You use the interface configuration command mode to define the port membership mode and add and remove ports from a VLAN. The results of these commands are written to the running-config file, and you can display the file by entering the show running-config command.

VLAN Locking

Release12.2(33)SXH and later releases support the VLAN locking feature, which provides an extra level of verification to ensure that you have configured the intended VLAN.

When VLAN locking is enabled, you need to specify the VLAN name when you change a port from one VLAN to another. This feature affects switchport commands (in interface configuration mode) that specify the VLANs or private VLANs for access and trunk ports.

For additional information about how to configure access and trunk ports with VLAN locking enabled, see the "Configuring LAN Interfaces for Layer 2 Switching" section on page13-6.

For additional information about how to configure ports in private VLANs with VLAN locking enabled, see the "Configuring Private VLANs" section on page18-11.

By default, the VLAN locking is disabled. To enable VLAN locking, perform this task:

Creating or Modifying an Ethernet VLAN

User-configured VLANs have unique IDs from 1 to 4094, except for reserved VLANs (see Table17-1). Enter the vlan command with an unused ID to create a VLAN. Enter the vlan command for an existing VLAN to modify the VLAN (you cannot modify an existing VLAN that is being used by a Layer3 port or a software feature).

See the "VLAN Default Configuration" section for the list of default parameters that are assigned when you create a VLAN. If you do not specify the VLAN type with the media keyword, the VLAN is an Ethernet VLAN.

To create or modify a VLAN, perform this task:

When you create or modify an Ethernet VLAN, note the following information:

•RPR+ redundancy does not support a configuration entered in VLAN database mode. Use global configuration mode with RPR+ redundancy.

•Because Layer3 ports and some software features require internal VLANs allocated from 1006 and up, configure extended-range VLANs starting with 4094.

•You can configure extended-range VLANs only in global configuration mode. You cannot configure extended-range VLANs in VLAN database mode.

•Layer3 ports and some software features use extended-range VLANs. If the VLAN you are trying to create or modify is being used by a Layer3 port or a software feature, the switch displays a message and does not modify the VLAN configuration.

When deleting VLANs, note the following information:

•You cannot delete the default VLANs for the different media types: Ethernet VLAN 1 and FDDI or Token Ring VLANs 1002 to 1005.

•When you delete a VLAN, any LAN ports configured as access ports assigned to that VLAN become inactive. The ports remain associated with the VLAN (and inactive) until you assign them to a new VLAN.

This example shows how to create an Ethernet VLAN in global configuration mode and verify the configuration:

Router# configure terminal

Router(config)# vlan 3 

Router(config-vlan)# end 

Router# show vlan id 3 

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------

3 VLAN0003 active 

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2

---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------

3 enet 100003 1500 - - - - - 0 0 

Primary Secondary Type Interfaces

------- --------- ----------------- ------------------------------------------

This example shows how to create an Ethernet VLAN in VLAN database mode:

Router# vlan database 

Router(vlan)# vlan 3 

VLAN 3 added:

 Name: VLAN0003

Router(vlan)# exit 

APPLY completed.

Exiting....

This example shows how to verify the configuration:

Router# show vlan name VLAN0003 

VLAN Name Status Ports

---- -------------------------------- --------- ---------------------

3 VLAN0003 active

VLAN Type SAID MTU Parent RingNo BridgeNo Stp Trans1 Trans2

---- ----- ---------- ----- ------ ------ -------- ---- ------ ------

3 enet 100003 1500 - - - - 0 0

Router# 

Assigning a Layer 2 LAN Interface to a VLAN

A VLAN created in a management domain remains unused until you assign one or more LAN ports to the VLAN.

NoteMake sure you assign LAN ports to a VLAN of the appropriate type. Assign Ethernet ports to Ethernet-type VLANs.

To assign one or more LAN ports to a VLAN, complete the procedures in the "Configuring LAN Interfaces for Layer 2 Switching" section on page13-6.

Configuring the Internal VLAN Allocation Policy

For more information about VLAN allocation, see the "VLAN Ranges" section.

NoteThe internal VLAN allocation policy is applied only following a reload.

To configure the internal VLAN allocation policy, perform this task:

When you configure the internal VLAN allocation policy, note the following information:

•Enter the ascending keyword to allocate internal VLANs from 1006 and up.

•Enter the descending keyword to allocate internal VLAN from 4094 and down.

This example shows how to configure descending as the internal VLAN allocation policy:

Router# configure terminal 

Router(config)# vlan internal allocation policy descending 

Configuring VLAN Translation

On trunk ports, you can translate one VLAN number to another VLAN number, which transfers all traffic received in one VLAN to the other VLAN.

These sections describe VLAN translation:

•VLAN Translation Guidelines and Restrictions

•Configuring VLAN Translation on a Trunk Port

•Enabling VLAN Translation on Other Ports in a Port Group

NoteTo avoid spanning tree loops, be careful not to misconfigure the VLAN translation feature.

VLAN Translation Guidelines and Restrictions

When translating VLANs, follow these guidelines and restrictions:

•A VLAN translation configuration is inactive if it is applied to ports that are not Layer 2 trunks.

•Do not configure translation of ingress native VLAN traffic on an 802.1Q trunk. Because 802.1Q native VLAN traffic is untagged, it cannot be recognized for translation. You can translate traffic from other VLANs to the native VLAN of an 802.1Q trunk.

•Do not remove the VLAN to which you are translating from the trunk.

•The VLAN translation configuration applies to all ports in a port group. VLAN translation is disabled by default on all ports in a port group. Enable VLAN translation on ports as needed.

•The following table lists:

–The modules that support VLAN translation

–The port groups to which VLAN translation configuration applies

–The number of VLAN translations supported by the port groups

–The trunk types supported by the modules

NoteTo configure a port as a trunk, see the "Configuring a Layer 2 Switching Port as a Trunk" section on page13-9.

Configuring VLAN Translation on a Trunk Port

To translate VLANs on a trunk port, perform this task:

This example shows how to map VLAN 1649 to VLAN 755 Gigabit Ethernet port 5/2:

Router# configure terminal 

Router(config)# interface gigabitethernet 5/2 

Router(config-if)# switchport vlan mapping 1649 755 

Router(config-if)# end 

Router# 

This example shows how to verify the configuration:

Router# show interface gigabitethernet 5/2 vlan mapping 

State: enabled

Original VLAN Translated VLAN

------------- ---------------

 1649 755 

Enabling VLAN Translation on Other Ports in a Port Group

To enable VLAN translation on other ports in a port group, perform this task:

This example shows how to enable VLAN translation on a port:

Router# configure terminal 

Router(config)# interface gigabitethernet 5/2 

Router(config-if)# switchport vlan mapping enable 

Router(config-if)# end 

Router# 

Mapping 802.1Q VLANs to ISL VLANs

The valid range of user-configurable ISL VLANs is 1 through 1001 and 1006 through 4094. The valid range of VLANs specified in the IEEE 802.1Q standard is 1 to 4094. You can map 802.1Q VLAN numbers to ISL VLAN numbers.

802.1Q VLANs in the range 1 through 1001 and 1006 through 4094 are automatically mapped to the corresponding ISL VLAN. 802.1Q VLAN numbers corresponding to reserved VLAN numbers must be mapped to an ISL VLAN in order to be recognized and forwarded by Cisco network devices.

These restrictions apply when mapping 802.1Q VLANs to ISL VLANs:

•You can configure up to eight 802.1Q-to-ISL VLAN mappings.

•You can only map 802.1Q VLANs to Ethernet-type ISL VLANs.

•Do not enter the native VLAN of any 802.1Q trunk in the mapping table.

•When you map an 802.1Q VLAN to an ISL VLAN, traffic on the 802.1Q VLAN corresponding to the mapped ISL VLAN is blocked. For example, if you map 802.1Q VLAN 1007 to ISL VLAN 200, traffic on 802.1Q VLAN 200 is blocked.

•VLAN mappings are local to each switch. Make sure that you configure the same VLAN mappings on all appropriate network devices.

To map an 802.1Q VLAN to an ISL VLAN, perform this task:

This example shows how to map 802.1Q VLAN 1003 to ISL VLAN 200:

Router# configure terminal 

Router(config)# vlan mapping dot1q 1003 isl 200 

Router(config)# end 

Router# 

This example shows how to verify the configuration:

Router# show vlan 

<...output truncated...>

802.1Q Trunk Remapped VLANs:

802.1Q VLAN ISL VLAN

----------- -----------

 1003 200