Your software release may not support all the features documented in
this module. For the latest caveats and feature information, see Bug Search
Tool and the release notes for your platform and software release. To find
information about the features documented in this module, and to see a list of
the releases in which each feature is supported, see the feature information
table at the end of this module.
Use Cisco Feature Navigator to find information about platform support
and Cisco software image support. To access Cisco Feature Navigator, go to
http://www.cisco.com/go/cfn. An account on Cisco.com is
Prerequisites for VLANs
The following are prerequisites and considerations for configuring VLANs:
Before you create VLANs, you must decide whether to use VLAN Trunking Protocol (VTP) to maintain global VLAN configuration for your network.
If you plan to configure many VLANs on the controller and to not enable routing, you can set the
Switch Database Management (SDM) feature to the VLAN template, which configures system
resources to support the maximum number of unicast MAC addresses.
Controllers running the LAN Base feature set support only static routing on SVIs.
A VLAN must already exist on the controller before it can be added to a VLAN group.
Restrictions for VLANs
The following are restrictions for VLANs:
The controller supports per-VLAN spanning-tree plus (PVST+) or rapid PVST+ with a maximum of 128 spanning-tree instances. One spanning-tree instance is allowed per VLAN.
The controller supports IEEE 802.1Q trunking for sending VLAN traffic over Ethernet ports.
Configuring a MAC address on an interface VLAN is not supported; the interface VLAN already has a MAC address assigned by default.
VLANs are not supported on the
Information About VLANs
A VLAN is a switched
network that is logically segmented by function, project team, or application,
without regard to the physical locations of the users. VLANs have the same
attributes as physical LANs, but you can group end stations even if they are
not physically located on the same LAN segment. Any
controller port can belong to a VLAN, and
unicast, broadcast, and multicast packets are forwarded and flooded only to end
stations in the VLAN. Each VLAN is considered a logical network, and packets
destined for stations that do not belong to the VLAN must be forwarded through
a router or a
controller supporting fallback bridging. Because a VLAN is considered a separate logical network,
it contains its own bridge Management Information Base (MIB) information and
can support its own implementation of spanning tree.
VLANs are often
associated with IP subnetworks. For example, all the end stations in a
particular IP subnet belong to the same VLAN. Interface VLAN membership on the
controller is assigned manually on an
interface-by-interface basis. When you assign
controller interfaces to VLANs by using this
method, it is known as interface-based, or static, VLAN membership.
Traffic between VLANs must be routed. The controller can route traffic between VLANs by using switch virtual interfaces (SVIs). An SVI must be explicitly configured and assigned an IP address to route traffic between VLANs.
The controller supports VLANs in VTP client, server, and transparent modes. VLANs are identified by a number from 1 to 4094. VLAN 1 is the default VLAN and is created during system initialization. VLAN IDs 1002 through 1005 are reserved for Token Ring and FDDI VLANs. All of the VLANs except 1002 to 1005 are available for user configuration. You can configure up to 4094 VLANs on the controller.
You configure a port
to belong to a VLAN by assigning a membership mode that specifies the kind of
traffic the port carries and the number of VLANs to which it can belong.
When a port belongs
to a VLAN, the
controller learns and manages the addresses
associated with the port on a per-VLAN basis.
Table 1 Port Membership Modes and Characteristics

Membership mode: Static-access
VLAN membership characteristics: A static-access port can belong to one VLAN and is manually assigned to that VLAN.
VTP characteristics: VTP is not required. If you do not want VTP to globally propagate information, set the VTP mode to transparent. To participate in VTP, there must be at least one trunk port on the controller connected to a trunk port of a second controller.

Membership mode: Trunk
VLAN membership characteristics: A trunk port is a member of all VLANs by default, including extended-range VLANs, but membership can be limited by configuring the allowed-VLAN list. You can also modify the pruning-eligible list to block flooded traffic to VLANs on trunk ports that are included in the list.
VTP characteristics: VTP is recommended but not required. VTP maintains VLAN configuration consistency by managing the addition, deletion, and renaming of VLANs on a network-wide basis. VTP exchanges VLAN configuration messages with other controllers over trunk links.

Membership mode: Dynamic access
VLAN membership characteristics: A dynamic-access port can belong to one VLAN (VLAN ID 1 to 4094) and is dynamically assigned by a VLAN Membership Policy Server (VMPS). You can have dynamic-access ports and trunk ports on the same controller, but you must connect the dynamic-access port to an end station or hub and not to another controller.
VTP characteristics: You must configure the VMPS and the client with the same VTP domain name. To participate in VTP, at least one trunk port on the controller must be connected to a trunk port of a second controller.

Membership mode: Voice VLAN
VLAN membership characteristics: A voice VLAN port is an access port attached to a Cisco IP Phone, configured to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone.
VTP characteristics: VTP is not required; it has no effect on a voice VLAN.
VLAN IDs 1 to 1005 are written to the vlan.dat file (VLAN database), and you
can display them by entering the
privileged EXEC command. The vlan.dat file is stored in flash memory. If the
VTP mode is transparent, they are also saved in the
controller running configuration file.
You use interface configuration mode to define the port membership mode and to add and remove ports from VLANs. The results of these commands are written to the running-configuration file, and you can display the file by entering the show running-config privileged EXEC command.
When you save VLAN and VTP information (including extended-range VLAN configuration information) in the startup configuration file and reboot the controller, the controller configuration is selected as follows:
If the VTP mode is transparent in the startup configuration, and the VTP domain name in the VLAN database matches the one in the startup configuration file, the VLAN database is ignored (cleared), and the VTP and VLAN configurations in the startup configuration file are used. The VLAN database revision number remains unchanged in the VLAN database.
If the VTP mode or domain name in the startup configuration does not match the VLAN database, the domain name, the VTP mode, and the configuration for VLAN IDs 1 to 1005 use the VLAN database information.
In VTP versions 1 and 2, if the VTP mode is server, the domain name and the VLAN configuration for VLAN IDs 1 to 1005 use the VLAN database information. VTP version 3 also supports VLANs 1006 to 4094.
Normal-range VLANs are VLANs with IDs from 1 to 1005.
Follow these guidelines when creating and modifying normal-range VLANs:
Normal-range VLANs are identified with a number between 1 and 1001. VLAN numbers 1002 through 1005 are reserved for Token Ring and FDDI VLANs.
VLAN configurations for VLANs 1 to 1005 are always saved in the VLAN database. If the VTP mode is transparent, VTP and VLAN configurations are also saved in the controller running configuration file.
If the controller is in VTP server or VTP transparent mode, you can add, modify, or remove configurations for VLANs 2 to 1001 in the VLAN database. (VLAN IDs 1 and 1002 to 1005 are automatically created and cannot be removed.)
Extended-range VLANs created in VTP
transparent mode are not saved in the VLAN database and are not propagated. VTP
version 3 supports extended range VLAN (VLANs 1006 to 4094) database
propagation in VTP server mode.
Before you can create a VLAN, the controller must be in VTP server mode or VTP transparent mode. If the controller is a VTP server, you must define a VTP domain or VTP will not function.
The controller does not support Token Ring or FDDI media. The controller does not forward FDDI, FDDI-Net, TrCRF, or TrBRF traffic, but it does propagate the VLAN configuration through VTP.
The controller supports 128 spanning-tree instances. If the controller has more active VLANs than supported spanning-tree instances, spanning tree can be enabled on 128 VLANs and is disabled on the remaining VLANs. If you have already used all available spanning-tree instances on a controller, adding another VLAN anywhere in the VTP domain creates a VLAN on that controller that is not running spanning tree. If you have the default allowed list on the trunk ports of that controller (which is to allow all VLANs), the new VLAN is carried on all trunk ports. Depending on the topology of the network, this could create a loop in the new VLAN that would not be broken, particularly if there are several adjacent controllers that have all run out of spanning-tree instances. You can prevent this possibility by setting allowed lists on the trunk ports of controllers that have used up their allocation of spanning-tree instances.
If the number of VLANs on the controller exceeds the number of supported spanning-tree instances, we recommend that you configure IEEE 802.1s Multiple STP (MSTP) on your controller to map multiple VLANs to a single spanning-tree instance.
Extended-range VLANs are VLANs with IDs from 1006 to 4094.
Follow these guidelines when creating extended-range VLANs:
VLAN IDs in the extended range are not saved in the VLAN database and are not recognized by VTP unless the controller is running VTP version 3.
You cannot include extended-range VLANs in the pruning-eligible range.
For VTP version 1 or 2, you can set the VTP mode to transparent in global configuration mode. You should save this configuration to the startup configuration so that the controller boots up in VTP transparent mode. Otherwise, you lose the extended-range VLAN configuration if the controller resets. If you create extended-range VLANs in VTP version 3, you cannot convert to VTP version 1 or 2.
Whenever a client
connects to a wireless network (WLAN), the client is placed in a VLAN that is
associated with the WLAN. In a large venue such as an auditorium, a stadium, or
a conference room where there are numerous wireless clients, having only a
single WLAN to accommodate many clients might be a challenge.
The VLAN group
feature uses a single WLAN that can support multiple VLANs. The clients can get
assigned to one of the configured VLANs. This feature maps a WLAN to a single
VLAN or multiple VLANs using the VLAN groups. When a wireless client associates
to the WLAN, the VLAN is derived by an algorithm based on the MAC address of
the wireless client. A VLAN is assigned to the client and the client gets the
IP address from the assigned VLAN. This feature also extends the current AP
group architecture and AAA override architecture, where the AP groups and AAA
override can override a VLAN or a VLAN group to which the WLAN is mapped.
The system marks a VLAN as "dirty" for 30 minutes when clients on it are unable to obtain an IP address through DHCP. For a VLAN group, the system might not clear the "dirty" flag exactly at 30 minutes. This is expected behavior: the global timer has to check the timestamp of each interface to see whether it exceeds 30 minutes, which introduces a lag of up to 5 minutes before the global timer expires.
In VTP versions 1 and 2, if the controller is in VTP transparent mode, you can assign VLAN IDs in the extended range (1006 to 4094), but they are not added to the VLAN database.
The controller supports only Ethernet interfaces. Because FDDI and Token Ring VLANs are not locally supported, you only configure FDDI and Token Ring media-specific characteristics for VTP global advertisements to other controllers. Although the controller does not support Token Ring connections, a remote device with Token Ring connections could be managed from one of the supported controllers.
Controllers running VTP Version 2 advertise
information about these Token Ring VLANs:
vlan vlan-id
Enters a VLAN ID, and enters VLAN configuration mode. Enter a new VLAN ID to create a VLAN, or enter an existing VLAN ID to modify that VLAN. The VLAN ID range for this command is 1 to 4094.
name vlan-name
Example: Controller(config-vlan)# name test20
Enters a name for the VLAN. If no name is entered for the VLAN, the default is to append the vlan-id value with leading zeros to the word VLAN. For example, VLAN0004 is the default VLAN name for VLAN 4.
When you delete a VLAN from a controller that is in VTP server mode, the VLAN is removed from the VLAN database for all controllers in the VTP domain. When you delete a VLAN from a controller that is in VTP transparent mode, the VLAN is deleted only on that specific controller.
You cannot delete
the default VLANs for the different media types: Ethernet VLAN 1 and FDDI or
Token Ring VLANs 1002 to 1005.
When you delete a
VLAN, any ports assigned to that VLAN become inactive. They remain associated
with the VLAN (and thus inactive) until you assign them to a new VLAN.
Deleting a VLAN
Step 1: enable
Enables privileged EXEC mode. Enter your password if prompted.
Step 2: configure terminal
Example: Controller# configure terminal
Enters global configuration mode.
Step 3: no vlan vlan-id
Example: Controller(config)# no vlan 4
Removes the VLAN by entering the VLAN ID.
Step 4: end
Returns to privileged EXEC mode.
Step 5: show vlan brief
Example: Controller# show vlan brief
Step 6: copy running-config startup-config
Example: Controller# copy running-config startup-config
(Optional) Saves your entries in the configuration file.
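Two of the consequences described in this module are visible from device output alone: a trunk that keeps the default allowed list (all VLANs) once the controller has used up its 128 spanning-tree instances, and access ports left inactive because their VLAN was removed with no vlan. The following script is an added example and is not Cisco code. It parses constructed samples of show vlan brief and the running configuration (the interface names, VLAN IDs and text layout are assumptions made for illustration; the sample was not captured from a real device), expands allowed-VLAN lists, and reports both conditions. It handles only the plain switchport trunk allowed vlan form, not the add, remove or except keywords.

```python
import re

# Constructed sample of 'show vlan brief' output (not from a real device).
# Continuation lines of long port lists start with spaces and are skipped,
# because only rows that begin with a VLAN ID matter for this audit.
SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- ------------------------------
1    default                          active    Gi1/0/1, Gi1/0/2
10   users                            active    Gi1/0/3
20   VLAN0020                         active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
"""

# Constructed running-config excerpt: an access port whose VLAN is still in
# the database, an access port whose VLAN was deleted (after 'no vlan 30'),
# a trunk with the default allow-all list, and a trunk with an explicit list.
RUNNING_CONFIG = """\
interface GigabitEthernet1/0/3
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/0/4
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/0/23
 switchport mode trunk
!
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk allowed vlan 1,10,20
!
"""

STP_INSTANCE_LIMIT = 128  # PVST+/rapid PVST+ limit stated in the restrictions


def parse_vlan_brief(text):
    """Return {vlan_id: status} for every row of 'show vlan brief'."""
    vlans = {}
    for line in text.splitlines():
        m = re.match(r"^(\d{1,4})\s+\S+\s+(\S+)", line)
        if m:
            vlans[int(m.group(1))] = m.group(2)
    return vlans


def expand_vlan_list(spec):
    """Expand a list such as '1,10-12,20' into a set of VLAN IDs."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def parse_interfaces(text):
    """Return {name: {mode, access_vlan, allowed}} from a running-config excerpt.
    allowed is None when the trunk still has the default (all VLANs) list."""
    interfaces, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = {"mode": None, "access_vlan": None, "allowed": None}
            interfaces[m.group(1)] = current
            continue
        if line.startswith("!"):
            current = None
            continue
        if current is None:
            continue
        cmd = line.strip()
        if cmd.startswith("switchport mode "):
            current["mode"] = cmd.split()[-1]
        elif cmd.startswith("switchport access vlan "):
            current["access_vlan"] = int(cmd.split()[-1])
        elif cmd.startswith("switchport trunk allowed vlan "):
            current["allowed"] = expand_vlan_list(cmd.split()[-1])
    return interfaces


def audit(vlans, interfaces, stp_limit=STP_INSTANCE_LIMIT):
    """Return a list of findings; empty list means nothing to report."""
    findings = []
    active = [v for v, s in vlans.items() if s == "active"]
    stp_exhausted = len(active) > stp_limit
    for name, cfg in sorted(interfaces.items()):
        if cfg["mode"] == "access":
            vid = cfg["access_vlan"] or 1  # access ports default to VLAN 1
            if vid not in vlans:
                findings.append(f"{name}: access VLAN {vid} is not in the VLAN "
                                "database; port stays inactive until reassigned")
        elif cfg["mode"] == "trunk":
            if cfg["allowed"] is None and stp_exhausted:
                findings.append(f"{name}: default allowed list carries all VLANs "
                                f"but {len(active)} active VLANs exceed {stp_limit} "
                                "spanning-tree instances; configure an allowed-VLAN list")
            elif cfg["allowed"] is not None:
                missing = sorted(cfg["allowed"] - set(vlans))
                if missing:
                    findings.append(f"{name}: allowed list names VLANs not in the "
                                    f"database: {missing}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_vlan_brief(SHOW_VLAN_BRIEF), parse_interfaces(RUNNING_CONFIG)):
        print(finding)
```

Run against real output by replacing the two sample strings with the text of show vlan brief and show running-config. The stp_limit parameter exists so the trunk check can be exercised on a small lab database; on a production controller leave it at 128, the value this module states for PVST+ and rapid PVST+.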
Extended-range VLANs enable service providers to extend their infrastructure to a greater number of customers. The extended-range VLAN IDs are allowed for any switchport commands that allow VLAN IDs.
With VTP version 1 or 2, extended-range VLAN configurations are not stored in the VLAN
database, but because VTP mode is transparent, they are stored in the controller running
configuration file, and you can save the configuration in the startup configuration file. Extended-range VLANs created in VTP version 3 are stored in the VLAN database.
You can change only the MTU size and the remote SPAN configuration state on extended-range VLANs; all other characteristics must remain at the default state.