Table Of Contents
Creating and Maintaining VLANs
Clusters, VLAN Membership, and the Management VLAN
Assigning Static-Access Ports to a VLAN
VTP Modes and VTP Mode Transitions
CLI: Configuring VTP Server Mode
CLI: Configuring VTP Client Mode
CLI: Disabling VTP (VTP Transparent Mode)
Configuring VLANs in the VTP Database
CLI: Assigning Static-Access Ports to a VLAN
IEEE 802.1Q Configuration Considerations
Trunks Interacting with Other Features
CLI: Defining the Allowed VLANs on a Trunk
CLI: Configuring the Native VLAN for Untagged Traffic
Configuring IEEE 802.1p Class of Service
CLI: Configuring the CoS Port Priorities
CLI: Configuring CoS Priority Queues
Load Sharing Using STP Port Priorities
CLI: Configuring STP Port Priorities and Load Sharing
Load Sharing Using STP Path Cost
CLI: Configuring STP Path Costs and Load Sharing
Creating and Maintaining VLANs
A virtual LAN (VLAN) is a switched network that is logically segmented by function, project team, or application, without regard to the physical locations of the users. Any switch port can belong to a VLAN, and unicast, broadcast, and multicast packets are forwarded and flooded only to stations in the VLAN. Each VLAN is considered a logical network, and packets destined for stations that do not belong to the VLAN must be forwarded through a router or bridge as shown in Figure 5-1. Because a VLAN is considered a separate logical network, it contains its own bridge Management Information Base (MIB) information and can support its own implementation of the Spanning Tree Protocol (STP).
This chapter describes how to create and maintain VLANs through the Cluster Management software and the command-line interface (CLI). It contains the following information:
•
How to configure static-access ports without having the VLAN Trunk Protocol (VTP) database globally propagate VLAN configuration information.
•
•
•
•
Figure 5-1 VLANs as Logically Defined Networks
Number of Supported VLANs
Table 5-1 lists the number of supported VLANs on Catalyst 2950 switches.
Table 5-1 Number of Supported VLANs
2950 switches with 16 MB of DRAM
64
Yes
VLANs are identified with a number between 1 and 1001. Regardless of the switch model, only 64 STP instances are supported.
The switches in Table 5-1 support IEEE 802.1Q trunking methods for transmitting VLAN traffic over 100BaseT, 100BaseFX, and Gigabit Ethernet ports.
VLAN Port Membership Modes
You configure a port to belong to a VLAN by assigning a membership mode that determines the kind of traffic the port carries and the number of VLANs it can belong to. Table 5-2 lists the membership modes and characteristics.
When a port belongs to a VLAN, the switch learns and manages the addresses associated with the port on a per-VLAN basis. For more information, see the "Managing the MAC Address Tables" section.
VLAN Membership Combinations
You can configure your switch ports in various VLAN membership combinations as listed in Table 5-3.
Table 5-3 VLAN Combinations
Static-access ports
No
If you do not want to use VTP to globally propagate the VLAN configuration information, you can assign a static-access port to a VLAN and set the VTP mode to transparent to disable VTP.
Static-access and
trunk portsRecommended
"CLI: Configuring VTP Server Mode" section
Add, modify, or remove VLANs in the database as described in the "Configuring VLANs in the VTP Database" section
"CLI: Assigning Static-Access Ports to a VLAN" section
Make sure to configure at least one trunk port on the switch and that this trunk port is connected to the trunk port of a second switch.
Some restrictions apply to trunk ports. For more information, see the "Trunks Interacting with Other Features" section.
You can change the VTP version on the switch.
You can define the allowed-VLAN list and configure the native VLAN for untagged traffic on the trunk port.
Clusters, VLAN Membership, and the Management VLAN
This software release supports the grouping of switches into a cluster that can be managed as a single entity. The command switch is the single point of management for the cluster and cluster members.
Links among a command switch, cluster members, and candidate switches must be through ports that belong to the management VLAN. By default, the management VLAN is VLAN 1. If you are using SNMP or the Cluster Management Suite (CMS) to manage the switch, ensure that the port through which you are connected to a switch is in the management VLAN. For information on configuring the management VLAN, see the "Changing the Management VLAN" section.
If you are configuring VLANs on a member switch, you might need to enter an extra command from the command-switch CLI to access the member switch. When configuring port parameters, for example, you can use the privileged EXEC rcommand command and the number of the member switch to display the member-switch CLI. Once you have accessed the member switch, command mode changes, and IOS commands operate as usual. Enter exit on the member switch in privileged EXEC mode to return to the command-switch CLI.
For more information about the rcommand command, refer to the Catalyst 2950 Desktop Switch Command Reference.
Assigning Static-Access Ports to a VLAN
By default, all ports are static-access ports assigned to the management VLAN, VLAN 1.
You can assign a static-access port to a VLAN without having VTP globally propagate VLAN configuration information (VTP is disabled). To assign a VLAN, you access the VLAN Membership window (Figure 5-2) by selecting VLAN > VLAN Membership from the menu bar and clicking the Assign
VLANs tab.Figure 5-2 VLAN Membership: Assign VLANs Tab
You configure the switch for VTP transparent mode, which disables VTP, by selecting VLAN > VTP Management from the menu bar and clicking the VTP Configuration tab (Figure 5-3).
You can also assign the port through the CLI on standalone, command, and member switches. If you are assigning a port on a cluster member to a VLAN, first log in to the member switch by using the privileged EXEC rcommand command. For more information on how to use this command, refer to the Catalyst 2950 Desktop Switch Command Reference.
Using the VLAN Trunk Protocol
VTP is a Layer 2 messaging protocol that maintains VLAN configuration consistency by managing the addition, deletion, and renaming of VLANs on a network-wide basis. VTP minimizes misconfigurations and configuration inconsistencies that can cause several problems, such as duplicate VLAN names, incorrect VLAN-type specifications, and security violations.
Before you create VLANs, you must decide whether to use VTP in your network. Using VTP, you can make configuration changes centrally on a single switch, such as a Catalyst 2950, 2900 XL, or 3500 XL switch, and have those changes automatically communicated to all the other switches in the network. Without VTP, you cannot send information about VLANs to other switches.
The VTP Domain
A VTP domain (also called a VLAN management domain) consists of one switch or several interconnected switches under the same administrative responsibility. A switch can be in only one VTP domain. You make global VLAN configuration changes for the domain by using the CLI, Cluster Management software, or Simple Network Management Protocol (SNMP).
By default, a Catalyst 2950, 2900 XL, or 3500 XL switch is in the no-management-domain state until it receives an advertisement for a domain over a trunk link (a link that carries the traffic of multiple VLANs) or until you configure a domain name. The default VTP mode is server mode, but VLAN information is not propagated over the network until a domain name is specified or learned.
If the switch receives a VTP advertisement over a trunk link, it inherits the domain name and configuration revision number. The switch then ignores advertisements with a different domain name or an earlier configuration revision number.
When you make a change to the VLAN configuration on a VTP server, the change is propagated to all switches in the VTP domain. VTP advertisements are sent over all trunk connections, including IEEE 802.1Q.
If you configure a switch for VTP transparent mode, you can create and modify VLANs, but the changes are not transmitted to other switches in the domain, and they affect only the individual switch.
For domain name and password configuration guidelines, see the "Domain Names" section.
VTP Modes and VTP Mode Transitions
You can configure a supported switch to be in one of the VTP modes listed in Table 5-4:
The "VTP Configuration Guidelines" section provides tips and caveats for configuring VTP.
VTP Advertisements
Each switch in the VTP domain sends periodic global configuration advertisements from each trunk port to a reserved multicast address. Neighboring switches receive these advertisements and update their VTP and VLAN configurations as necessary.
Note
VTP advertisements distribute the following global domain information in VTP advertisements:
•
•
•
•
VTP advertisements distribute the following VLAN information for each configured VLAN:
•
•
•
•
•
VTP Version 2
VTP version 2 supports the following features not supported in version 1:
•
•
•
•
VTP Configuration Guidelines
The following sections describe the guidelines you should follow when configuring the VTP domain name, password, and the VTP version number.
Domain Names
When configuring VTP for the first time, you must always assign a domain name. In addition, all switches in the VTP domain must be configured with the same domain name. Switches in VTP transparent mode do not exchange VTP messages with other switches, and you do not need to configure a VTP domain name for them.
Caution
Passwords
You can configure a password for the VTP domain, but it is not required. All domain switches must share the same password. Switches without a password or with the wrong password reject VTP advertisements.
Caution
If you configure a VTP password for a domain, a Catalyst 2950, 2900 XL, or
3500 XL switch that is booted without a VTP configuration does not accept VTP advertisements until you configure it with the correct password. After the configuration, the switch accepts the next VTP advertisement that uses the same password and domain name in the advertisement.If you are adding a new switch to an existing network that has VTP capability, the new switch learns the domain name only after the applicable password has been configured on the switch.
VTP Version
Follow these guidelines when deciding which VTP version to implement:
•
•
•
•
Default VTP Configuration
Table 5-5 shows the default VTP configuration.
Table 5-5 VTP Default Configuration
VTP domain name
Null.
VTP mode
Server.
VTP version 2 enable state
Version 2 is disabled.
VTP password
None.
Configuring VTP
You can configure VTP by using the VTP Management window (Figure 5-3).
To display this window, select VLAN > VTP Management from the menu bar, and click the VTP Configuration tab.
Figure 5-3 VTP Management: VTP Configuration Tab
After you configure VTP, you must configure a trunk port so that the switch can send and receive VTP advertisements. For more information, see the "How VLAN Trunks Work" section.
You can also configure VTP through the CLI on standalone, command, and member switches by entering commands in the VLAN database command mode. If you are configuring VTP on a cluster member switch to a VLAN, first log in to the member switch by using the privileged EXEC rcommand command. For more information on how to use this command, refer to the Catalyst 2950 Desktop Switch Command Reference.
When you enter the exit command in VLAN database mode, it applies all the commands that you entered. VTP messages are sent to other switches in the VTP domain, and you are returned to privileged EXEC mode.
Note
CLI: Configuring VTP Server Mode
When a switch is in VTP server mode, you can change the VLAN configuration and have it propagated throughout the network.
Beginning in privileged EXEC mode, follow these steps to configure the switch for VTP server mode:
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
CLI: Configuring VTP Client Mode
When a switch is in VTP client mode, you cannot change its VLAN configuration. The client switch receives VTP updates from a VTP server in the VTP domain and then modifies its configuration accordingly.
Caution
Beginning in privileged EXEC mode, follow these steps to configure the switch for VTP client mode:
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
CLI: Disabling VTP (VTP Transparent Mode)
When you configure the switch for VTP transparent mode, you disable VTP on the switch. The switch then does not send VTP updates and does not act on VTP updates received from other switches. However, a VTP transparent switch does forward received VTP advertisements on all of its trunk links.
Beginning in privileged EXEC mode, follow these steps to configure the switch for VTP transparent mode:
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
CLI: Enabling VTP Version 2
VTP version 2 is disabled by default on VTP version 2-capable switches. When you enable VTP version 2 on a switch, every VTP version 2-capable switch in the VTP domain enables version 2.
Caution
Note
For more information on VTP version configuration guidelines, see the "VTP Version" section.
Beginning in privileged EXEC mode, follow these steps to enable VTP version 2:
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
CLI: Disabling VTP Version 2
Beginning in privileged EXEC mode, follow these steps to disable VTP version 2:
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
CLI: Monitoring VTP
You monitor VTP by displaying its configuration information: the domain name, the current VTP revision, and the number of VLANs. You can also display statistics about the advertisements sent and received by the switch.
Beginning in privileged EXEC mode, follow these steps to monitor VTP activity:
Step 1
show vtp status
Display the VTP switch configuration information.
Step 2
show vtp counters
Display counters about VTP messages being sent and received.
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
VLANs in the VTP Database
You can set the following parameters when you add a new VLAN to or modify an existing VLAN in the VTP database:
•
•
•
•
•
•
•
•
•
•
•
The "Default VLAN Configuration" section lists the default values and possible ranges for each VLAN media type.
Token Ring VLANs
Although the 2950, 2900 XL, and 3500 XL switches do not support Token Ring connections, a remote device such as a Catalyst 5000 series switch with Token Ring connections could be managed from one of the supported switches. Switches running this IOS release advertise information about the following Token Ring VLANs when running VTP version 2:
•
•
For more information on configuring Token Ring VLANs, see the Catalyst 5000 Series Software Configuration Guide.
VLAN Configuration Guidelines
Follow these guidelines when creating and modifying VLANs in your network:
•
•
•
Default VLAN Configuration
Table 5-6 through Table 5-10 shows the default configuration for the different VLAN media types.
Note
Configuring VLANs in the VTP Database
You can use the VTP Management window (Figure 5-4) or the CLI to add, modify or remove VLAN configurations in the VTP database. VTP globally propagates these VLAN changes throughout the VTP domain.
To display this window, select VLAN > VTP Management from the menu bar, and click the VLAN Configuration tab. Click Help to for more information on using this window.
Figure 5-4 VTP Management: VLAN Configuration Tab
You use the CLI vlan database command mode to add, change, and delete VLANs. In VTP server or transparent mode, commands to add, change, and delete VLANs are written to the file vlan.dat, and you can display them by entering the privileged EXEC mode show vlan command. The vlan.dat file is stored in nonvolatile memory. The vlan.dat file is upgraded automatically, but you cannot return to an earlier version of Cisco IOS after you upgrade to this release.
Caution
You use the interface configuration command mode to define the port membership mode and add and remove ports from VLAN. The results of these commands are written to the running-configuration file, and you can display the file by entering the privileged EXEC mode show running-config command.
Note
CLI: Adding an VLAN
Each VLAN has a unique, 4-digit ID that can be a number from 1 to 1001. To add a VLAN to the VLAN database, assign a number and name to the VLAN. For the list of default parameters that are assigned when you add a VLAN, see the "Default VLAN Configuration" section.
If you do not specify the VLAN type, the VLAN is an Ethernet VLAN.
Beginning in privileged EXEC mode, follow these steps to add an Ethernet VLAN:
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
CLI: Modifying a VLAN
Beginning in privileged EXEC mode, follow these steps to modify an Ethernet VLAN:
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
CLI: Deleting a VLAN
When you delete a VLAN from a switch that is in VTP server mode, the VLAN is removed from all switches in the VTP domain. When you delete a VLAN from a switch that is in VTP transparent mode, the VLAN is deleted only on that specific switch.
You cannot delete the default VLANs for the different media types: Ethernet VLAN 1 and FDDI or Token Ring VLANs 1002 to 1005.
Caution
Beginning in privileged EXEC mode, follow these steps to delete a VLAN on the switch:
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
CLI: Assigning Static-Access Ports to a VLAN
By default, all ports are static-access ports assigned to VLAN 1, which is the default management VLAN. If you are assigning a port on a cluster member switch to a VLAN, first log in to the member switch by using the privileged EXEC rcommand command. For more information on how to use this command, refer to the Cisco IOS Desktop Switching Command Reference (online only).
Beginning in privileged EXEC mode, follow these steps to assign a port to a VLAN in the VTP database:
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
How VLAN Trunks Work
A trunk is a point-to-point link that transmits and receives traffic between switches or between switches and routers. Trunks carry the traffic of multiple VLANs and can extend VLANs across an entire network.
Figure 5-5 shows a network of switches that are connected by 802.1Q trunks.
Figure 5-5 Catalyst 2950, 2900 XL, and 3500 XL Switches in a 802.1Q Trunking Environment
IEEE 802.1Q Configuration Considerations
IEEE 802.1Q trunks impose some limitations on the trunking strategy for a network. The following restrictions apply when using 802.1Q trunks:
•
•
Trunks Interacting with Other Features
IEEE 802.1Q trunking interacts with other switch features as described in Table 5-11.
Configuring a Trunk Port
You configure trunk ports by using the Assign VLANs (Figure 5-2) and Trunk Configuration (Figure 5-6) tabs of the VLAN Membership window.
To display this window, select VLAN > VLAN Membership from the menu bar. Then click the Assign VLANs tab or the Trunk Configuration tab.
Figure 5-6 VLAN Membership: Trunk Configuration Tab
You can also configure a trunk port through the CLI on standalone, command, and member switches. If you are assigning a port on a cluster member switch to a VLAN, first log in to the member switch by using the privileged EXEC rcommand command. For more information on how to use this command, refer to the Catalyst 2950 Desktop Switch Command Reference.
CLI: Configuring a Trunk Port
For information on trunk port interactions with other features, see the "Trunks Interacting with Other Features" section.
Note
Beginning in privileged EXEC mode, follow these steps to configure a port as a 802.1Q trunk port:
Note
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
CLI: Disabling a Trunk Port
You can disable trunking on a port by returning it to its default static-access mode.
Beginning in privileged EXEC mode, follow these steps to disable trunking on a port:
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
CLI: Defining the Allowed VLANs on a Trunk
By default, a trunk port sends to and receives traffic from all VLANs in the VLAN database. All VLANs, 1 to 1005, are allowed on each trunk. However, you can remove VLANs from the allowed list, preventing traffic from those VLANs from passing over the trunk. To restrict the traffic a trunk carries, use the remove vlan-list parameter to remove specific VLANs from the allowed list.
A trunk port can become a member of a VLAN if the VLAN is enabled, if VTP knows of the VLAN, and if the VLAN is in the allowed list for the port. When VTP detects a newly enabled VLAN and the VLAN is in the allowed list for a trunk port, the trunk port automatically becomes a member of the enabled VLAN. When VTP detects a new VLAN and the VLAN is not in the allowed list for a trunk port, the trunk port does not become a member of the new VLAN.
Beginning in privileged EXEC mode, follow these steps to modify the allowed list of a 802.1Q trunk:
The "Finding More Information About IOS Commands" section contains the path to the complete IOS documentation.
CLI: Configuring the Native VLAN for Untagged Traffic
A trunk port configured with 802.1Q tagging can receive both tagged and untagged traffic. By default, the switch forwards untagged traffic with the native VLAN configured for the port. The native VLAN is VLAN 1 by default.
Note
For information about 802.1Q configuration issues, see the "IEEE 802.1Q Configuration Considerations" section.
Beginning in privileged EXEC mode, follow these steps to configure the native VLAN on a 802.1Q trunk:
