Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for VLANs
The following are prerequisites and considerations for configuring VLANs:
Before you create VLANs, you must decide whether to use VLAN Trunking Protocol (VTP) to maintain global VLAN configuration for your network.
If you plan to configure many VLANs on the controller and to not enable routing, you can set the Switch Database Management (SDM) feature to the VLAN template, which configures system resources to support the maximum number of unicast MAC addresses.
Controllers running the LAN Base feature set support only static routing on SVIs.
A VLAN should be present in the controller to be able to add it to the VLAN group.
Restrictions for VLANs
The following are restrictions for VLANs:
The controller supports per-VLAN spanning-tree plus (PVST+) or rapid PVST+ with a maximum of 128 spanning-tree instances. One spanning-tree instance is allowed per VLAN.
The controller supports IEEE 802.1Q trunking methods for sending VLAN traffic over Ethernet ports.
Configuring an interface VLAN router's MAC address is not supported. The interface VLAN already has an MAC address assigned by default.
Private VLANs are not supported on the controller.
Information About VLANs
A VLAN is a switched network that is logically segmented by function, project team, or application, without regard to the physical locations of the users. VLANs have the same attributes as physical LANs, but you can group end stations even if they are not physically located on the same LAN segment. Any controller port can belong to a VLAN, and unicast, broadcast, and multicast packets are forwarded and flooded only to end stations in the VLAN. Each VLAN is considered a logical network, and packets destined for stations that do not belong to the VLAN must be forwarded through a router or a controller supporting fallback bridging. Because a VLAN is considered a separate logical network, it contains its own bridge Management Information Base (MIB) information and can support its own implementation of spanning tree.
VLANs are often associated with IP subnetworks. For example, all the end stations in a particular IP subnet belong to the same VLAN. Interface VLAN membership on the controller is assigned manually on an interface-by-interface basis. When you assign controller interfaces to VLANs by using this method, it is known as interface-based, or static, VLAN membership.
Traffic between VLANs must be routed.
The controller can route traffic between VLANs by using controller virtual interfaces (SVIs). An SVI must be explicitly configured and assigned an IP address to route traffic between VLANs.
The controller supports VLANs in VTP client, server, and transparent modes. VLANs are identified by a number from 1 to 4094. VLAN 1 is the default VLAN and is created during system initialization. VLAN IDs 1002 through 1005 are reserved for Token Ring and FDDI VLANs. All of the VLANs except 1002 to 1005 are available for user configuration.
There are 3 VTP versions: VTP version 1, version 2, and version 3. All VTP versions support both normal and extended range VLANs, but only with VTP version 3, does the controller propagate extended range VLAN configuration information. When extended range VLANs are created in VTP versions 1 and 2, their configuration information is not propagated. Even the local VTP database entries on the controller are not updated, but the extended range VLANs configuration information is created and stored in the running configuration file.
You can configure up to 4094 VLANs on the controller.
You configure a port to belong to a VLAN by assigning a membership mode that specifies the kind of traffic the port carries and the number of VLANs to which it can belong.
When a port belongs to a VLAN, the controller learns and manages the addresses associated with the port on a per-VLAN basis.
Table 1 Port Membership Modes and Characteristics
VLAN Membership Characteristics
A static-access port can belong to one VLAN and is manually assigned to that VLAN.
VTP is not required. If you do not want VTP to globally propagate information, set the VTP mode to transparent. To participate in VTP, there must be at least one trunk port on the controller connected to a trunk port of a second controller.
A trunk port is a member of all VLANs by default, including extended-range VLANs, but membership can be limited by configuring the allowed-VLAN list. You can also modify the pruning-eligible list to block flooded traffic to VLANs on trunk ports that are included in the list.
VTP is recommended but not required. VTP maintains VLAN configuration consistency by managing the addition, deletion, and renaming of VLANs on a network-wide basis. VTP exchanges VLAN configuration messages with other controllers over trunk links.
A dynamic-access port can belong to one VLAN (VLAN ID 1 to 4094) and is dynamically assigned by a VLAN Member Policy Server (VMPS).
You can have dynamic-access ports and trunk ports on the same controller, but you must connect the dynamic-access port to an end station or hub and not to another controller.
VTP is required.
Configure the VMPS and the client with the same VTP domain name.
To participate in VTP, at least one trunk port on the controller must be connected to a trunk port of a second controller .
A voice VLAN port is an access port attached to a Cisco IP Phone, configured to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone.
VTP is not required; it has no effect on a voice VLAN.
Configurations for VLAN IDs 1 to 1005 are written to the vlan.dat file (VLAN database), and you can display them by entering the show vlan privileged EXEC command. The vlan.dat file is stored in flash memory. If the VTP mode is transparent, they are also saved in the controller running configuration file.
You use the interface configuration mode to define the port membership mode and to add and remove ports from VLANs. The results of these commands are written to the running-configuration file, and you can display the file by entering the show running-config privileged EXEC command.
When you save VLAN and VTP information (including extended-range VLAN configuration information) in the startup configuration file and reboot the controller, the controller configuration is selected as follows:
If the VTP mode is transparent in the startup configuration, and the VLAN database and the VTP domain name from the VLAN database matches that in the startup configuration file, the VLAN database is ignored (cleared), and the VTP and VLAN configurations in the startup configuration file are used. The VLAN database revision number remains unchanged in the VLAN database.
If the VTP mode or domain name in the startup configuration does not match the VLAN database, the domain name and VTP mode and configuration for the VLAN IDs 1 to 1005 use the VLAN database information.
In VTP versions 1 and 2, if VTP mode is server, the domain name and VLAN configuration for VLAN IDs 1 to 1005 use the VLAN database information. VTP version 3 also supports VLANs 1006 to 4094.
Normal-Range VLAN Configuration Guidelines
Normal-range VLANs are VLANs with IDs from 1 to 1005.
Follow these guidelines when creating and modifying normal-range VLANs in your network:
Normal-range VLANs are identified with a number between 1 and 1001. VLAN numbers 1002 through 1005 are reserved for Token Ring and FDDI VLANs.
VLAN configurations for VLANs 1 to 1005 are always saved in the VLAN database. If the VTP mode is transparent, VTP and VLAN configurations are also saved in the controller running configuration file.
If the controller is in VTP server or VTP transparent mode, you can add, modify or remove configurations for VLANs 2 to 1001 in the VLAN database. (VLAN IDs 1 and 1002 to 1005 are automatically created and cannot be removed.)
Extended-range VLANs created in VTP transparent mode are not saved in the VLAN database and are not propagated. VTP version 3 supports extended range VLAN (VLANs 1006 to 4094) database propagation in VTP server mode.
Before you can create a VLAN, the controller must be in VTP server mode or VTP transparent mode. If the controller is a VTP server, you must define a VTP domain or VTP will not function.
The controller does not support Token Ring or FDDI media. The controller does not forward FDDI, FDDI-Net, TrCRF, or TrBRF traffic, but it does propagate the VLAN configuration through VTP.
The controller supports 128 spanning tree instances. If a controller has more active VLANs than supported spanning-tree instances, spanning tree can be enabled on 128 VLANs and is disabled on the remaining VLANs. If you have already used all available spanning-tree instances on a controller, adding another VLAN anywhere in the VTP domain creates a VLAN on that controller that is not running spanning-tree. If you have the default allowed list on the trunk ports of that controller (which is to allow all VLANs), the new VLAN is carried on all trunk ports. Depending on the topology of the network, this could create a loop in the new VLAN that would not be broken, particularly if there are several adjacent controllers that all have run out of spanning-tree instances. You can prevent this possibility by setting allowed lists on the trunk ports of controllers that have used up their allocation of spanning-tree instances. If the number of VLANs on the controller exceeds the number of supported spanning-tree instances, we recommend that you configure the IEEE 802.1s Multiple STP (MSTP) on your controller to map multiple VLANs to a single spanning-tree instance.
Extended-range VLANs are VLANs with IDs from 1006 to 4094.
Follow these guidelines when creating extended-range VLANs:
VLAN IDs in the extended range are not saved in the VLAN database and are not recognized by VTP unless the controller is running VTP version 3.
You cannot include extended-range VLANs in the pruning eligible range.
For VTP version 1 or 2, you can set the VTP mode to transparent in global configuration mode. You should save this configuration to the startup configuration so that the controller boots up in VTP transparent mode. Otherwise, you lose the extended-range VLAN configuration if the controller resets. If you create extended-range VLANs in VTP version 3, you cannot convert to VTP version 1 or 2.
. When the maximum number of spanning-tree instances are on the controller, spanning tree is disabled on any newly created VLANs. If the number of VLANs on the controller exceeds the maximum number of spanning-tree instances, we recommend that you configure the IEEE 802.1s Multiple STP (MSTP) on your controller to map multiple VLANs to a single spanning-tree instance.
Whenever a wireless client connects to a wireless network (WLAN), the client is placed in a VLAN that is associated with the WLAN. In a large venue such as an auditorium, a stadium, or a conference room where there are numerous wireless clients, having only a single WLAN to accommodate many clients might be a challenge.
The VLAN group feature uses a single WLAN that can support multiple VLANs. The clients can get assigned to one of the configured VLANs. This feature maps a WLAN to a single VLAN or multiple VLANs using the VLAN groups. When a wireless client associates to the WLAN, the VLAN is derived by an algorithm based on the MAC address of the wireless client. A VLAN is assigned to the client and the client gets the IP address from the assigned VLAN. This feature also extends the current AP group architecture and AAA override architecture, where the AP groups and AAA override can override a VLAN or a VLAN group to which the WLAN is mapped.
With VTP version 1 and 2, if the controller is in VTP transparent mode, you can assign VLAN IDs greater than 1006, but they are not added to the VLAN database.
The controller supports only Ethernet interfaces. Because FDDI and Token Ring VLANs are not locally supported, you only configure FDDI and Token Ring media-specific characteristics for VTP global advertisements to other controllers.
Although the controller does not support Token Ring connections, a remote device with Token Ring connections could be managed from one of the supported controllers. Controllers running VTP Version 2 advertise information about these Token Ring VLANs:
Enters a VLAN ID, and enters VLAN configuration mode. Enter a new VLAN ID to create a VLAN, or enter an existing VLAN ID to modify that VLAN.
The available VLAN ID range for this command is 1 to 4094.
Additional vlan command options include:
access-map—Creates VLAN access-maps or enters the vlan access map command mode.
configuration—Enters the vlan feature configuration mode.
dot1q—Configures VLAN dot1q tag native parameters.
filter—Applies a VLAN filter map to a VLAN list.
group—Creates a VLAN group.
Controller(config-vlan)# name test20
(Optional) Enters a name for the VLAN. If no name is entered for the VLAN, the default is to append the vlan-id value with leading zeros to the word VLAN. For example, VLAN0004 is a default VLAN name for VLAN 4.
The following additional VLAN configuration command options are available:
are—Sets the maximum number of All Router Explorer (ARE) hops for the VLAN.
backupcrf—Enables or disables the backup concentrator relay function (CRF) mode for the VLAN.
bridge—Sets the value of the bridge number for the FDDI net or Token Ring net type VLANs.
exit—Applies changes, bumps the revision number, and exits.
media—Sets the media type of the VLAN.
no—Negates the command or default.
parent—Sets the value of the ID for the parent VLAN for FDDI or Token Ring type VLANs.
remote-span—Configures a remote SPAN VLAN.
ring—Sets the ring number value for FDDI or Token Ring type VLANs.
said—Sets the IEEE 802.10 SAID value.
shutdown—Shuts down the VLAN switching.
state—Sets the operational VLAN state to active or suspended.
ste—Sets the maximum number of Spanning Tree Explorer (STE) hops for the VLAN.
stp—Sets the Spanning Tree characteristics of the VLAN.
When you delete a VLAN from a controller that is in VTP server mode, the VLAN is removed from the VLAN database for all controllers in the VTP domain. When you delete a VLAN from a controller that is in VTP transparent mode, the VLAN is deleted only on that specific controller .
You cannot delete the default VLANs for the different media types: Ethernet VLAN 1 and FDDI or Token Ring VLANs 1002 to 1005.
When you delete a VLAN, any ports assigned to that VLAN become inactive. They remain associated with the VLAN (and thus inactive) until you assign them to a new VLAN.
Extended-range VLANs enable service providers to extend their infrastructure to a greater number of customers. The extended-range VLAN IDs are allowed for any switchport commands that allow VLAN IDs.
With VTP version 1 or 2, extended-range VLAN configurations are not stored in the VLAN database, but because VTP mode is transparent, they are stored in the controller running configuration file, and you can save the configuration in the startup configuration file. Extended-range VLANs created in VTP version 3 are stored in the VLAN database.
You can change only the MTU size and the remote SPAN configuration state on extended-range VLANs; all other characteristics must remain at the default state.
Enters the interface configuration mode for the selected VLAN.
Controller(config-if)# ip mtu 1024Controller(config-if)#
(Optional) Modifies the VLAN by changing the MTU size. You can configure the MTU size between 68 to 1500 bytes.
Although all VLAN commands appear in the CLI help, only the ip mtumtu-size and remote-span commands are supported for extended-range VLANs.
Returns to privileged EXEC mode.
show vlan idvlan-id
Controller# show vlan id 2000
Verifies that the VLAN has been created.
copy running-config startup config
Controller# copy running-config startup-config
Saves your entries in the controller startup configuration file. To save an extended-range VLAN configuration, you need to save the VTP transparent mode configuration and the extended-range VLAN configuration in the controller startup configuration file. Otherwise, if the controller resets, it will default to VTP server mode, and the extended-range VLAN IDs will not be saved.
This step is not required for VTP version 3 because VLANs are saved in the VLAN database.
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.
To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.