Table Of Contents
Changing the Management VLAN for a New Switch
Changing the Management VLAN Through a Telnet Connection
Assigning VLAN Port Membership Modes
Assigning Static-Access Ports to a VLAN
Overlapping VLANs and Multi-VLAN Ports
VTP Modes and Mode Transitions
Upgrading from Previous Software Releases
Disabling VTP (VTP Transparent Mode)
Configuring VLANs in the VTP Database
Deleting a VLAN from the Database
Assigning Static-Access Ports to a VLAN
IEEE 802.1Q Configuration Considerations
Trunks Interacting with Other Features
Defining the Allowed VLANs on a Trunk
Changing the Pruning-Eligible List
Configuring the Native VLAN for Untagged Traffic
Configuring 802.1p Class of Service
Configuring the CoS Port Priorities
Load Sharing Using STP Port Priorities
Configuring STP Port Priorities and Load Sharing
Load Sharing Using STP Path Cost
VMPS Database Configuration File
Configuring Dynamic VLAN Membership
Configuring Dynamic Ports on VMPS Clients
Changing the Reconfirmation Interval
Administering and Monitoring the VMPS
Troubleshooting Dynamic Port VLAN Membership
Dynamic Port VLAN Membership Configuration Example
Configuring VLANs
This chapter provides these topics about configuring virtual LANs (VLANs):
•
Assigning VLAN Port Membership Modes
•
•
•
Note
For information about configuring these settings from Cluster Management Suite (CMS), refer to the online help.
This switch software release is based on Cisco IOS Release 12.0. It has been enhanced to support a set of features for the Catalyst 2900 XL and Catalyst 3500 XL switches. This chapter provides procedures for using only the commands that have been created or changed for these switches. The switch command reference provides complete descriptions of these commands. This guide does not provide Cisco IOS Release 12.0 commands and information already documented in the Cisco IOS Release 12.0 documentation on Cisco.com.
For information about configuring these settings from Cluster Management Suite (CMS), refer to the online help.
Overview
A virtual LAN (VLAN) is a switched network that is logically segmented by function, project team, or application, without regard to the physical locations of the users. Any switch port can belong to a VLAN, and unicast, broadcast, and multicast packets are forwarded and flooded only to stations in the VLAN. Each VLAN is considered a logical network, and packets destined for stations that do not belong to the VLAN must be forwarded through a router or bridge as shown in Figure 8-1. VLANs are identified with a number of 1 to 1001.
Because a VLAN is considered a separate logical network, it contains its own bridge Management Information Base (MIB) information and can support its own implementation of the Spanning Tree Protocol (STP). For information about managing VLAN STP instances, see the "Supported STP Instances" section.
Table 8-1 lists the number of supported VLANs and STP instances on the switches.
Figure 8-1 VLANs as Logically Defined Networks
The switches in Table 8-1 support both Inter-Switch Link (ISL) and IEEE 802.1Q trunking methods for sending VLAN traffic over 100BASE-T and Gigabit Ethernet ports.
The GigaStack GBIC also supports both trunking methods. When you are configuring a cascaded stack of Catalyst 3500 XL switches using the GigaStack GBIC and want to include more than one VLAN in the stack, be sure to configure all of the GigaStack GBIC interfaces as trunk ports by using the switchport mode trunk interface configuration command and to use the same encapsulation method by using the switchport encapsulation {isl | dot1q} interface configuration command. For more information on these commands, refer to the switch command reference.
Trunking is supported on all 8-MB switches running Release 12.0(5)XP and later. Trunking is not supported on some older software releases and on some older Catalyst 2900 XL switches and modules. For information about which older devices and software releases support trunking, refer to the release notes for Release 11.2(8)SA6 or earlier (http://www.cisco.com/univercd/cc/td/doc/product/lan/c2900xl/index.htm).
Management VLANs
Communication with the switch management interfaces is through the switch IP address. The IP address is associated with the management VLAN, which by default is VLAN 1.
The management VLAN has these characteristics:
•
•
•
•
Before changing the management VLAN on your switch network, make sure you follow these guidelines:
•
•
•
•
•
If you are using SNMP or CMS to manage the switch, ensure that the port through which you are connected to a switch is in the management VLAN.
For information about the roles management VLANs play in switch clusters, see the "Management VLAN" section.
Changing the Management VLAN for a New Switch
If you add a new switch to an existing cluster and the cluster is using a management VLAN other than the default VLAN 1, the command switch automatically senses that the new switch has a different management VLAN and has not been configured. The command switch issues commands to change the management VLAN on the new switch to match the one in use by the cluster. This automatic change of the VLAN only occurs for new, out-of-box switches that do not have a config.text file and for which there have been no changes to the running configuration.
Before a new switch can be added to a cluster, it must be connected to a port that belongs to the cluster management VLAN. If the cluster is configured with a management VLAN other than the default, the command switch changes the management VLAN for new switches when they are connected to the cluster. In this way, the new switch can exchange CDP messages with the command switch and be proposed as a cluster candidate.
Note
Because the switch is new and unconfigured, its management VLAN is changed to the cluster management VLAN when it is first added to the cluster. All ports that have an active link at the time of this change become members of the new management VLAN.
For information about the roles management VLANs play in switch clusters, see the "Management VLAN" section.
Changing the Management VLAN Through a Telnet Connection
Before you start, review the "Management VLANs" section. Beginning in privileged EXEC mode on the command switch, follow these steps to configure the management VLAN interface through a Telnet connection:
Assigning VLAN Port Membership Modes
You configure a port to belong to a VLAN by assigning a membership mode that determines the kind of traffic the port carries and the number of VLANs it can belong to. Table 8-2 lists the membership modes and characteristics.
When a port belongs to a VLAN, the switch learns and manages the addresses associated with the port on a per-VLAN basis. For more information, see the "Managing the MAC Address Tables" section.
VLAN Membership Combinations
You can configure your switch ports in various VLAN membership combinations as listed in Table 8-3.
Table 8-3 VLAN Combinations
Static-access ports
No
If you do not want to use VTP to globally propagate the VLAN configuration information, you can assign a static-access port to a VLAN and set the VTP mode to transparent to disable VTP.
Static-access and
multi-VLAN portsNo
"Overlapping VLANs and Multi-VLAN Ports" section
You must connect the multi-VLAN port to a router or server.
The switch automatically transitions to VTP transparent mode (VTP is disabled). No VTP configuration is required.
Some restrictions apply to multi-VLAN ports. For more information, see the "Avoiding Configuration Conflicts" section.
Static-access and
trunk portsRecommended
"Configuring VTP Server Mode" section
Add, modify, or remove VLANs in the database as described in the "Configuring VLANs in the VTP Database" section
"Assigning Static-Access Ports to a VLAN" section
You can configure at least one trunk port on the switch and make sure that this trunk port is connected to the trunk port of a second switch.
Some restrictions apply to trunk ports. For more information, see the "Trunks Interacting with Other Features" section.
You can change the VTP version on the switch and enable VTP pruning.
You can define the allowed-VLAN list, change the pruning-eligible list, and configure the native VLAN for untagged traffic on the trunk port.
Dynamic-access and
trunk portsYes
"Configuring Dynamic VLAN Membership" section
"Configuring Dynamic Ports on VMPS Clients" section
"Configuring a Trunk Port" section so that the VMPS client can receive VTP information from the VMPS
You must connect the dynamic-access port to an end station and not to another switch.
Configure the VMPS and the client with the same VTP domain name.
You can change the reconfirmation interval and the retry count on the VMPS client switch.
You can define the allowed-VLAN list, change the pruning-eligible list, and configure the native VLAN for untagged traffic on the trunk port.
Assigning Static-Access Ports to a VLAN
By default, all ports are static-access ports assigned to the management VLAN, VLAN 1.
You can assign a static-access port to a VLAN without having VTP globally propagate VLAN configuration information (VTP is disabled). Configuring the switch for VTP transparent mode disables VTP.
Beginning in privileged EXEC mode, follow these steps to assign ports for multi-VLAN membership:
Overlapping VLANs and Multi-VLAN Ports
A multi-VLAN port connected to a router can link two or more VLANs. Intra-VLAN traffic stays within the boundaries of the respective VLANs as shown in Figure 8-2. Connectivity between VLANs is through the router connected to the multi-VLAN port.
A multi-VLAN port performs normal switching functions in all its assigned VLANs. For example, when a multi-VLAN port receives an unknown Media Access Control (MAC) address, all the VLANs to which the port belongs learn the address. Multi-VLAN ports also respond to the STP messages generated by the different instances of STP in each VLAN.
For the restrictions that apply to multi-VLAN ports, see the "Avoiding Configuration Conflicts" section.
Figure 8-2 Two VLANs Sharing a Port Connected to a Router
Caution
Beginning in privileged EXEC mode, follow these steps to assign ports for multi-VLAN membership:
Using VTP
VTP is a Layer 2 messaging protocol that maintains VLAN configuration consistency by managing the addition, deletion, and renaming of VLANs on a network-wide basis. VTP minimizes misconfigurations and configuration inconsistencies that can cause several problems, such as duplicate VLAN names, incorrect VLAN-type specifications, and security violations.
Before you create VLANs, you must decide whether to use VTP in your network. Using VTP, you can make configuration changes centrally on a single switch, such as a Catalyst 2900 XL or Catalyst 3500 XL switch, and have those changes automatically communicated to all the other switches in the network. Without VTP, you cannot send information about VLANs to other switches.
The VTP Domain
A VTP domain (also called a VLAN management domain) consists of one switch or several interconnected switches under the same administrative responsibility. A switch can be in only one VTP domain. You make global VLAN configuration changes for the domain by using the CLI, Cluster Management software, or SNMP.
By default, a Catalyst 2900 XL or Catalyst 3500 XL switch is in the no-management-domain state until it receives an advertisement for a domain over a trunk link (a link that carries the traffic of multiple VLANs) or until you configure a domain name. The default VTP mode is server mode, but VLAN information is not propagated over the network until a domain name is specified or learned.
If the switch receives a VTP advertisement over a trunk link, it inherits the domain name and configuration revision number. The switch then ignores advertisements with a different domain name or an earlier configuration revision number.
When you make a change to the VLAN configuration on a VTP server, the change is propagated to all switches in the VTP domain. VTP advertisements are sent over all trunk connections, including Inter-Switch Link (ISL), IEEE 802.1Q, IEEE 802.10, and ATM LANE.
If you configure a switch for VTP transparent mode, you can create and modify VLANs, but the changes are not sent to other switches in the domain, and they affect only the individual switch.
For domain name and password configuration guidelines, see the "Domain Names" section.
VTP Modes and Mode Transitions
You can configure a supported switch to be in one of the VTP modes listed in Table 8-4.
Two configurations can cause a switch to automatically change its VTP mode:
•
•
The "VTP Configuration Guidelines" section provides tips and caveats for configuring VTP.
VTP Advertisements
Each switch in the VTP domain sends periodic global configuration advertisements from each trunk port to a reserved multicast address. Neighboring switches receive these advertisements and update their VTP and VLAN configurations as necessary.
Note
VTP advertisements distribute this global domain information in VTP advertisements:
•
•
•
•
VTP advertisements distribute this VLAN information for each configured VLAN:
•
•
•
•
•
VTP Version 2
VTP version 2 supports these features not supported in version 1:
•
•
•
•
VTP Pruning
Pruning increases available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to reach the destination devices. Without VTP pruning, a switch floods broadcast, multicast, and unknown unicast traffic across all trunk links within a VTP domain even though receiving switches might discard them.
VTP pruning blocks unneeded flooded traffic to VLANs on trunk ports that are included in the pruning-eligible list. Only VLANs included in the pruning-eligible list can be pruned. By default, VLANs 2 through 1001 are pruning eligible on Catalyst 2900 XL and Catalyst 3500 XL trunk ports. If the VLANs are configured as pruning-ineligible, the flooding continues. VTP pruning is also supported with VTP version 1 and version 2.
Figure 8-3 shows a switched network with VTP pruning enabled. The broadcast traffic from Switch 1 is not forwarded to Switches 3, 5, and 6 because traffic for the Red VLAN has been pruned on the links indicated (port 5 on Switch 2 and port 4 on Switch 4).
Figure 8-3 Optimized Flooded Traffic with VTP Pruning
VTP Configuration Guidelines
Domain Names
When configuring VTP for the first time, you must always assign a domain name. All switches in the VTP domain must also be configured with the same domain name. Switches in VTP transparent mode do not exchange VTP messages with other switches, and you do not need to configure a VTP domain name for them.
Caution
VTP Version Numbers
When you add a VTP client, follow this caution and procedure:
Caution
Beginning in user EXEC mode, follow these steps to verify and reset the VTP configuration revision number on a switch before adding it to a VTP domain:
After resetting the configuration revision number, add the switch to the VTP domain.
Note
Passwords
You can configure a password for the VTP domain, but it is not required. All domain switches must share the same password. Switches without a password or with the wrong password reject VTP advertisements.
Caution
If you configure a VTP password for a domain, a Catalyst 2900 XL or Catalyst 3500 XL switch that is booted without a VTP configuration does not accept VTP advertisements until you configure it with the correct password. After the configuration, the switch accepts the next VTP advertisement that uses the same password and domain name in the advertisement.
If you are adding a new switch to an existing network that has VTP capability, the new switch learns the domain name only after the applicable password has been configured on the switch.
Upgrading from Previous Software Releases
When you upgrade from a software version that does not support VTP (such as Release 11.2(8)SA3) to a software version that does, ports that belong to a VLAN retain their VLAN membership, and VTP enters transparent mode. The domain name becomes UPGRADE, and VTP does not propagate the VLAN configuration to other switches.
If you want the switch to propagate VLAN configuration information to other switches and to learn the VLANs enabled on the network, you must configure the switch with the correct domain name and the domain password and change the VTP mode to VTP server.
VTP Version
Follow these guidelines when deciding which VTP version to implement:
•
•
•
•
•
Default VTP Configuration
Table 8-5 shows the default VTP configuration.
Table 8-5 VTP Default Configuration
VTP domain name
Null.
VTP mode
Server.
VTP version 2 enable state
Version 2 is disabled.
VTP password
None.
VTP pruning
Disabled.
Configuring VTP
You can configure VTP through the CLI by entering commands in the VLAN database command mode. When you enter the exit command in VLAN database mode, it applies all the commands that you entered. VTP messages are sent to other switches in the VTP domain, and you enter privileged EXEC mode.
If you are configuring VTP on a cluster member switch to a VLAN, first log in to the member switch by using the privileged EXEC rcommand command. For more information on how to use this command, refer to the switch command reference.
Note
After you configure VTP, you must configure a trunk port so that the switch can send and receive VTP advertisements. For more information, see the "How VLAN Trunks Work" section.
Configuring VTP Server Mode
When a switch is in VTP server mode, you can change the VLAN configuration and have it propagated throughout the network.
Beginning in privileged EXEC mode, follow these steps to configure the switch for VTP server mode:
Configuring VTP Client Mode
When a switch is in VTP client mode, you cannot change its VLAN configuration. The client switch receives VTP updates from a VTP server in the VTP domain and then modifies its configuration accordingly.
Caution
Beginning in privileged EXEC mode, follow these steps to configure the switch for VTP client mode:
Disabling VTP (VTP Transparent Mode)
When you configure the switch for VTP transparent mode, you disable VTP on the switch. The switch then does not send VTP updates and does not act on VTP updates received from other switches. However, a VTP transparent switch does forward received VTP advertisements on all of its trunk links.
Beginning in privileged EXEC mode, follow these steps to configure the switch for VTP transparent mode:
Enabling VTP Version 2
VTP version 2 is disabled by default on VTP version 2-capable switches. When you enable VTP version 2 on a switch, every VTP version 2-capable switch in the VTP domain enables version 2.
Caution
Note
For more information on VTP version configuration guidelines, see the "VTP Version" section.
Beginning in privileged EXEC mode, follow these steps to enable VTP version 2:
Disabling VTP Version 2
Beginning in privileged EXEC mode, follow these steps to disable VTP version 2:
Enabling VTP Pruning
Pruning increases available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to access the destination devices. You enable VTP pruning on a switch in VTP server mode.
Pruning is supported with VTP version 1 and version 2. If you enable pruning on the VTP server, it is enabled for the entire VTP domain.
Only VLANs included in the pruning-eligible list can be pruned. By default, VLANs 2 through 1001 are pruning eligible on Catalyst 2900 XL and Catalyst 3500 XL trunk ports. For information, see the "Changing the Pruning-Eligible List" section.
Beginning in privileged EXEC mode, follow these steps to enable VTP pruning:
Monitoring VTP
You monitor VTP by displaying its configuration information: the domain name, the current VTP revision, and the number of VLANs. You can also display statistics about the advertisements sent and received by the switch.
Beginning in privileged EXEC mode, follow these steps to monitor VTP activity:
Step 1
show vtp status
Display the VTP switch configuration information.
Step 2
show vtp counters
Display counters about VTP messages being sent and received.
VLANs in the VTP Database
You can set these parameters when you add a new VLAN to or modify an existing VLAN in the VTP database:
•
•
•
•
•
•
•
•
•
•
•
The "Default VLAN Configuration" section lists the default values and possible ranges for each VLAN media type.
Token Ring VLANs
Although the Catalyst 2900 XL and Catalyst 3500 XL switches do not support Token Ring connections, a remote device such as a Catalyst 5000 series switch with Token Ring connections could be managed from one of the supported switches. Switches running this release advertise information about these Token Ring VLANs when running VTP version 2:
•
•
For more information on configuring Token Ring VLANs, refer to the Catalyst 5000 Series Software Configuration Guide.
VLAN Configuration Guidelines
Follow these guidelines when creating and modifying VLANs in your network:
•
•
•
Default VLAN Configuration
Table 8-6 through Table 8-10 shows the default configuration for the different VLAN media types.
Note
Configuring VLANs in the VTP Database
You use the CLI vlan database VLAN database command to add, change, and delete VLANs. In VTP server or transparent mode, commands to add, change, and delete VLANs are written to the file vlan.dat, and you can display them by entering the privileged EXEC show vlan command. The vlan.dat file is stored in nonvolatile memory. The vlan.dat file is upgraded automatically, but you cannot return to an earlier version of Cisco IOS after you upgrade to this release.
Caution
You use the interface configuration command mode to define the port membership mode and add and remove ports from VLANs. The results of these commands are written to the running-configuration file, and you can display the file by entering the privileged EXEC show running-config command.
Note
Adding a VLAN
Each VLAN has a unique, 4-digit ID that can be a number from 1 to 1001. To add a VLAN to the VLAN database, assign a number and name to the VLAN. For the list of default parameters that are assigned when you add a VLAN, see the "Default VLAN Configuration" section.
If you do not specify the VLAN media type, the VLAN is an Ethernet VLAN.
Beginning in privileged EXEC mode, follow these steps to add an Ethernet VLAN:
