Feedback
Contents
VLAN Commands
action
To set the action for the VLAN access map entry, use the action command in access-map configuration mode. To return to the default setting, use the no form of this command.
Syntax Description
Command History
Usage Guidelines
You enter access-map configuration mode by using the vlan access-map global configuration command.
If the action is drop, you should define the access map, including configuring any access control list (ACL) names in match clauses, before applying the map to a VLAN, or all packets could be dropped.
In access-map configuration mode, use the match access-map configuration command to define the match conditions for a VLAN map. Use the action command to set the action that occurs when a packet matches the conditions.
The drop and forward parameters are not used in the no form of the command.
You can verify your settings by entering the show vlan access-map privileged EXEC command.
Examples
This example shows how to identify and apply a VLAN access map (vmap4) to VLANs 5 and 6 that causes the VLAN to forward an IP packet if the packet matches the conditions defined in access list al2:
Switch(config)# vlan access-map vmap4 Switch(config-access-map)# match ip address al2 Switch(config-access-map)# action forward Switch(config-access-map)# exit Switch(config)# vlan filter vmap4 vlan-list 5-6
Related Commands
Command
Description
Displays the VLAN access maps created on the switch.
Defines a VLAN map and enters access-map configuration mode where you can specify a MAC ACL to match and the action to be taken.
clear vtp counters
To clear the VLAN Trunking Protocol (VTP) and pruning counters, use the clear vtp counters command in privileged EXEC mode on the switch stack or on a standalone switch.
Command History
Related Commands
Command
Description
Displays general information about VTP management domain, status, and counters.
debug sw-vlan
To enable debugging of VLAN manager activities, use the debug sw-vlan command in privileged EXEC mode. To disable debugging, use the no form of this command.
debug sw-vlan { badpmcookies | cfg-vlan { bootup | cli } | events | mapping | packets | redundancy | registries }
no debug sw-vlan { badpmcookies | cfg-vlan { bootup | cli } | events | mapping | packets | redundancy | registries }
Syntax Description
badpmcookies
Displays debug messages for VLAN manager incidents of bad port manager cookies.
cfg-vlan
Displays VLAN configuration debug messages.
bootup
Displays messages when the switch is booting up.
cli
Displays messages when the command-line interface (CLI) is in VLAN configuration mode.
events
Displays debug messages for VLAN manager events.
mapping
Displays debug messages for VLAN mapping.
packets
Displays debug messages for packet handling and encapsulation processes.
redundancy
Displays debug messages for VTP VLAN redundancy.
registries
Displays debug messages for VLAN manager registries.
Command History
Usage Guidelines
The undebug sw-vlan command is the same as the no debug sw-vlan command.
When you enable debugging on a switch stack, it is enabled only on the active switch. To enable debugging on a stack member, start a session from the active switch using the session switch-number EXEC command. Then enter the debug command at the command-line prompt of the stack member.
Related Commands
Command
Description
Enables debugging of the VLAN manager IFS error tests.
Enables debugging of the activation and deactivation of ISL VLAN IDs.
Enables debugging of the VTP code.
Displays the parameters for all configured VLANs or one VLAN (if the VLAN ID or name is specified) in the administrative domain.
Displays general information about VTP management domain, status, and counters.
debug sw-vlan ifs
To enable debugging of the VLAN manager IOS file system (IFS) error tests, use the debug sw-vlan ifs command in privileged EXEC mode. To disable debugging, use the no form of this command.
debug sw-vlan ifs { open { read | write } | read { 1 | 2 | 3 | 4 } | write }
no debug sw-vlan ifs { open { read | write } | read { 1 | 2 | 3 | 4 } | write }
Syntax Description
open read
Displays VLAN manager IFS file-read operation debug messages.
open write
Displays VLAN manager IFS file-write operation debug messages.
read
Displays file-read operation debug messages for the specified error test (1, 2, 3, or 4).
write
Displays file-write operation debug messages.
Command History
Usage Guidelines
The undebug sw-vlan ifs command is the same as the no debug sw-vlan ifs command.
When you enable debugging on a switch stack, it is enabled only on the active switch. To enable debugging on a stack member, start a session from the active switch using the session switch-number EXEC command. Then enter the debug command at the command-line prompt of the stack member.
When selecting the file read operation, Operation 1 reads the file header, which contains the header verification word and the file version number. Operation 2 reads the main body of the file, which contains most of the domain and VLAN information. Operation 3 reads type length version (TLV) descriptor structures. Operation 4 reads TLV data.
Related Commands
Command
Description
Displays the parameters for all configured VLANs or one VLAN (if the VLAN ID or name is specified) in the administrative domain.
debug sw-vlan notification
To enable debugging of the activation and deactivation of Inter-Link Switch (ISL) VLAN IDs, use the debug sw-vlan notification command in privileged EXEC mode. To disable debugging, use the no form of this command.
debug sw-vlan notification { accfwdchange | allowedvlancfgchange | fwdchange | linkchange | modechange | pruningcfgchange | statechange }
no debug sw-vlan notification { accfwdchange | allowedvlancfgchange | fwdchange | linkchange | modechange | pruningcfgchange | statechange }
Syntax Description
accfwdchange
Displays debug messages for VLAN manager notification of aggregated access interface spanning-tree forward changes.
allowedvlancfgchange
Displays debug messages for VLAN manager notification of changes to the allowed VLAN configuration.
fwdchange
Displays debug messages for VLAN manager notification of spanning-tree forwarding changes.
linkchange
Displays debug messages for VLAN manager notification of interface link-state changes.
modechange
Displays debug messages for VLAN manager notification of interface mode changes.
pruningcfgchange
Displays debug messages for VLAN manager notification of changes to the pruning configuration.
statechange
Displays debug messages for VLAN manager notification of interface state changes.
Command History
Usage Guidelines
The undebug sw-vlan notification command is the same as the no debug sw-vlan notification command.
When you enable debugging on a switch stack, it is enabled only on the active switch. To enable debugging on a stack member, start a session from the active switch using the session switch-number EXEC command. Then enter the debug command at the command-line prompt of the stack member.
Related Commands
Command
Description
Displays the parameters for all configured VLANs or one VLAN (if the VLAN ID or name is specified) in the administrative domain.
debug sw-vlan vtp
To enable debugging of the VLAN Trunking Protocol (VTP) code, use the debug sw-vlan vtp command in privileged EXEC mode. To disable debugging, use the no form of this command.
debug sw-vlan vtp { events | packets | pruning [ packets | xmit ] | redundancy | xmit }
no debug sw-vlan vtp { events | packets | pruning | redundancy | xmit }
Syntax Description
events
Displays debug messages for general-purpose logic flow and detailed VTP messages generated by the VTP_LOG_RUNTIME macro in the VTP code.
packets
Displays debug messages for the contents of all incoming VTP packets that have been passed into the VTP code from the Cisco IOS VTP platform-dependent layer, except for pruning packets.
pruning
Displays debug messages generated by the pruning segment of the VTP code.
packets
(Optional) Displays debug messages for the contents of all incoming VTP pruning packets that have been passed into the VTP code from the Cisco IOS VTP platform-dependent layer.
xmit
(Optional) Displays debug messages for the contents of all outgoing VTP packets that the VTP code requests the Cisco IOS VTP platform-dependent layer to send.
redundancy
Displays debug messages for VTP redundancy.
xmit
Displays debug messages for the contents of all outgoing VTP packets that the VTP code requests the Cisco IOS VTP platform-dependent layer to send, except for pruning packets.
Command History
Usage Guidelines
The undebug sw-vlan vtp command is the same as the no debug sw-vlan vtp command.
When you enable debugging on a switch stack, it is enabled only on the active switch. To enable debugging on a stack member, start a session from the active switch using the session switch-number EXEC command. Then enter the debug command at the command-line prompt of the stack member.
If no further parameters are entered after the pruning keyword, VTP pruning debugging messages appear. They are generated by the VTP_PRUNING_LOG_NOTICE, VTP_PRUNING_LOG_INFO, VTP_PRUNING_LOG_DEBUG, VTP_PRUNING_LOG_ALERT, and VTP_PRUNING_LOG_WARNING macros in the VTP pruning code.
Related Commands
Command
Description
Displays general information about VTP management domain, status, and counters.
interface vlan
To create or access a dynamic switch virtual interface (SVI) and to enter interface configuration mode, use the interface vlan command in global configuration mode. To delete an SVI, use the no form of this command.
Syntax Description
Command History
Usage Guidelines
SVIs are created the first time you enter the interface vlan vlan-id command for a particular VLAN. The vlan-id corresponds to the VLAN-tag associated with data frames on an ISL or IEEE 802.1Q encapsulated trunk or the VLAN ID configured for an access port.
If you delete an SVI using the no interface vlan vlan-id command, it is no longer visible in the output from the show interfaces privileged EXEC command.
You can re-instate a deleted SVI by entering the interface vlan vlan-id command for the deleted interface. The interface comes back up, but the previous configuration is gone.
The interrelationship between the number of SVIs configured on a switch or a switch stack and the number of other features being configured might have an impact on CPU utilization due to hardware limitations. You can use the sdm prefer global configuration command to reallocate system hardware resources based on templates and feature tables.
You can verify your setting by entering the show interfaces and show interfaces vlan vlan-id privileged EXEC commands.
Related Commands
Command
Description
show interfaces
Displays the administrative and operational status of all interfaces or a specified interface.
match (access-map configuration)
To set the VLAN map to match packets against one or more access lists, use the match command in access-map configuration mode on the switch stack or on a standalone switch. To remove the match parameters, use the no form of this command.
match { ip address { name | number } [ name | number ] [ name | number ] ... | mac address { name } [ name ] [ name ] ... }
no match { ip address { name | number } [ name | number ] [ name | number ] ... | mac address { name } [ name ] [ name ] ... }
Syntax Description
ip address Sets the access map to match packets against an IP address access list.
mac address Sets the access map to match packets against a MAC address access list.
name Name of the access list to match packets against.
number Number of the access list to match packets against. This option is not valid for MAC access lists.
Command History
Usage Guidelines
You enter access-map configuration mode by using the vlan access-map global configuration command.
You must enter one access list name or number; others are optional. You can match packets against one or more access lists. Matching any of the lists counts as a match of the entry.
In access-map configuration mode, use the match command to define the match conditions for a VLAN map applied to a VLAN. Use the action command to set the action that occurs when the packet matches the conditions.
Packets are matched only against access lists of the same protocol type; IP packets are matched against IP access lists, and all other packets are matched against MAC access lists.
Both IP and MAC addresses can be specified for the same map entry.
Examples
This example shows how to define and apply a VLAN access map vmap4 to VLANs 5 and 6 that will cause the interface to drop an IP packet if the packet matches the conditions defined in access list al2:
Switch(config)# vlan access-map vmap4 Switch(config-access-map)# match ip address al2 Switch(config-access-map)# action drop Switch(config-access-map)# exit Switch(config)# vlan filter vmap4 vlan-list 5-6You can verify your settings by entering the show vlan access-map privileged EXEC command.
Related Commands
Command
Description
Sets the action for the VLAN access map entry.
Displays the VLAN access maps created on the switch.
Defines a VLAN map and enters access-map configuration mode where you can specify a MAC ACL to match and the action to be taken.
remote-span
To configure a VLAN as a Remote Switched Port Analyzer (RSPAN) VLAN, use the remote-span command in VLAN configuration mode on the switch stack or on a standalone switch. To remove the RSPAN designation from the VLAN, use the no form of this command.
Command History
Usage Guidelines
You can configure RSPAN VLANs only in config-VLAN mode (entered by using the vlan global configuration command).
If VLAN Trunking Protocol (VTP) is enabled, the RSPAN feature is propagated by VTP for VLAN IDs that are lower than 1005. If the RSPAN VLAN ID is in the extended range, you must manually configure intermediate switches (those in the RSPAN VLAN between the source switch and the destination switch).
Before you configure the RSPAN remote-span command, use the vlan (global configuration) command to create the VLAN.
The RSPAN VLAN has these characteristics:
- No MAC address learning occurs on it.
- RSPAN VLAN traffic flows only on trunk ports.
- Spanning Tree Protocol (STP) can run in the RSPAN VLAN, but it does not run on RSPAN destination ports.
When an existing VLAN is configured as an RSPAN VLAN, the VLAN is first deleted and then recreated as an RSPAN VLAN. Any access ports are made inactive until the RSPAN feature is disabled.
Examples
This example shows how to configure a VLAN as an RSPAN VLAN:
Switch(config)# vlan 901 Switch(config-vlan)# remote-spanThis example shows how to remove the RSPAN feature from a VLAN:
Switch(config)# vlan 901 Switch(config-vlan)# no remote-spanYou can verify your settings by entering the show vlan remote-span user EXEC command.
Related Commands
Command
Description
monitor session destination
Configures a FSPAN or FRSPAN destination session.
monitor session filter
Configures a FSPAN or FRSPAN session filter.
monitor session source
Configures a FSPAN or FRSPAN source session.
Displays the parameters for all configured VLANs or one VLAN (if the VLAN ID or name is specified) in the administrative domain.
Adds a VLAN and enters the VLAN configuration mode.
show vlan
To display the parameters for all configured VLANs or one VLAN (if the VLAN ID or name is specified) on the switch, use the show vlan command in user EXEC mode.
Syntax Description
brief (Optional) Displays one line for each VLAN with the VLAN name, status, and its ports.
dot1q tag native (Optional) Displays the IEEE 802.1Q native VLAN tagging status.
id vlan-id (Optional) Displays information about a single VLAN identified by the VLAN ID number. For vlan-id, the range is 1 to 4094.
mtu (Optional) Displays a list of VLANs and the minimum and maximum transmission unit (MTU) sizes configured on ports in the VLAN.
name vlan-name (Optional) Displays information about a single VLAN identified by the VLAN name. The VLAN name is an ASCII string from 1 to 32 characters.
remote-span (Optional) Displays information about Remote SPAN (RSPAN) VLANs.
summary (Optional) Displays VLAN summary information.
Command History
Usage Guidelines
In the show vlan mtu command output, the MTU_Mismatch column shows whether all the ports in the VLAN have the same MTU. When yes appears in the column, it means that the VLAN has ports with different MTUs, and packets that are switched from a port with a larger MTU to a port with a smaller MTU might be dropped. If the VLAN does not have an SVI, the hyphen (-) symbol appears in the SVI_MTU column. If the MTU-Mismatch column displays yes, the names of the ports with the MinMTU and the MaxMTU appear.
Examples
This is an example of output from the show vlan command. See the table that follows for descriptions of the fields in the display.
Switch> show vlan VLAN Name Status Ports ---- -------------------------------- --------- ------------------------------- 1 default active Gi1/0/2, Gi1/0/3, Gi1/0/4 Gi1/0/5, Gi1/0/6, Gi1/0/7 Gi1/0/8, Gi1/0/9, Gi1/0/10 Gi1/0/11, Gi1/0/12, Gi1/0/13 Gi1/0/14, Gi1/0/15, Gi1/0/16 Gi1/0/17, Gi1/0/18, Gi1/0/19 Gi1/0/20, Gi1/0/21, Gi1/0/22 Gi1/0/23, Gi1/0/24, Gi1/0/25 Gi1/0/26, Gi1/0/27, Gi1/0/28 Gi1/0/29, Gi1/0/30, Gi1/0/31 Gi1/0/32, Gi1/0/33, Gi1/0/34 Gi1/0/35, Gi1/0/36, Gi1/0/37 Gi1/0/38, Gi1/0/39, Gi1/0/40 Gi1/0/41, Gi1/0/42, Gi1/0/43 Gi1/0/44, Gi1/0/45, Gi1/0/46 Gi1/0/47, Gi1/0/48 2 VLAN0002 active 40 vlan-40 active 300 VLAN0300 active 1002 fddi-default act/unsup 1003 token-ring-default act/unsup 1004 fddinet-default act/unsup 1005 trnet-default act/unsup 2000 VLAN2000 active 3000 VLAN3000 active VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2 ---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------ 1 enet 100001 1500 - - - - - 0 0 2 enet 100002 1500 - - - - - 0 0 40 enet 100040 1500 - - - - - 0 0 300 enet 100300 1500 - - - - - 0 0 1002 fddi 101002 1500 - - - - - 0 0 1003 tr 101003 1500 - - - - - 0 0 1004 fdnet 101004 1500 - - - ieee - 0 0 1005 trnet 101005 1500 - - - ibm - 0 0 2000 enet 102000 1500 - - - - - 0 0 3000 enet 103000 1500 - - - - - 0 0 Remote SPAN VLANs ------------------------------------------------------------------------------ 2000,3000 Primary Secondary Type Ports ------- --------- ----------------- ------------------------------------------
Table 1 show vlan Command Output Fields Field
Description
VLAN
VLAN number.
Name
Name, if configured, of the VLAN.
Status
Status of the VLAN (active or suspend).
Ports
Ports that belong to the VLAN.
Type
Media type of the VLAN.
SAID
Security association ID value for the VLAN.
MTU
Maximum transmission unit size for the VLAN.
Parent
Parent VLAN, if one exists.
RingNo
Ring number for the VLAN, if applicable.
BrdgNo
Bridge number for the VLAN, if applicable.
Stp
Spanning Tree Protocol type used on the VLAN.
BrdgMode
Bridging mode for this VLAN—possible values are source-route bridging (SRB) and source-route transparent (SRT); the default is SRB.
Trans1
Translation bridge 1.
Trans2
Translation bridge 2.
Remote SPAN VLANs
Identifies any RSPAN VLANs that have been configured.
Primary/Secondary/Type/Ports
Includes any private VLANs that have been configured, including the primary VLAN ID, the secondary VLAN ID, the type of secondary VLAN (community or isolated), and the ports that belong to it.
This is an example of output from the show vlan dot1q tag native command:
Switch> show vlan dot1q tag native dot1q native vlan tagging is disabledThis is an example of output from the show vlan summary command:
Switch> show vlan summary Number of existing VLANs : 45 Number of existing VTP VLANs : 45 Number of existing extended VLANS : 0This is an example of output from the show vlan id command:
Switch# show vlan id 2 VLAN Name Status Ports ---- -------------------------------- --------- ------------------------------- 2 VLAN0200 active Gi1/0/7, Gi1/0/8 2 VLAN0200 active Gi2/0/1, Gi2/0/2 VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2 ---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------ 2 enet 100002 1500 - - - - - 0 0 Remote SPAN VLANs ------------------------------------------------------------------------------ Disabled
Related Commands
Command
Description
switchport mode
Configures the VLAN membership mode of a port.
Adds a VLAN and enters the VLAN configuration mode.
show vlan access-map
To display information about a particular VLAN access map or for all VLAN access maps, use the show vlan access-map command in privileged EXEC mode
Syntax Description
Command History
Related Commands
Command
Description
Displays information about all VLAN filters or about a particular VLAN or VLAN access map.
Defines a VLAN map and enters access-map configuration mode where you can specify a MAC ACL to match and the action to be taken.
Applies a VLAN map to one or more VLANs.
show vlan filter
To display information about all VLAN filters or about a particular VLAN or VLAN access map, use the show vlan filter command in privileged EXEC mode.
Syntax Description
access-map name (Optional) Displays filtering information for the specified VLAN access map.
vlan vlan-id (Optional) Displays filtering information for the specified VLAN. The range is 1 to 4094.
Command History
Related Commands
Command
Description
Displays the VLAN access maps created on the switch.
Defines a VLAN map and enters access-map configuration mode where you can specify a MAC ACL to match and the action to be taken.
Applies a VLAN map to one or more VLANs.
show vlan group
To display the VLANs that are mapped to VLAN groups, use the show vlan group command in privileged EXEC mode.
Syntax Description
group-name vlan-group-name (Optional) Displays the VLANs mapped to the specified VLAN group.
user_count (Optional) Displays the number of users in each VLAN mapped to a specified VLAN group.
Command History
Usage Guidelines
The show vlan group command displays the existing VLAN groups and lists the VLANs and VLAN ranges that are members of each VLAN group. If you enter the group-name keyword, only the members of the specified VLAN group are displayed.
Examples
This example shows how to display the members of a specified VLAN group:
Switch# show vlan group group-name group2 vlan group group1 :40-45This example shows how to display number of users in each of the VLANs in a group:
Switch# show vlan group group-name group2 user_count VLAN : Count ------------------- 40 : 5 41 : 8 42 : 12 43 : 2 44 : 9 45 : 0
Related Commands
Command
Description
Creates or modifies a VLAN group.
show vtp
To display general information about the VLAN Trunking Protocol (VTP) management domain, status, and counters, use the show vtp command in EXEC mode.
Syntax Description
counters Displays the VTP statistics for the switch.
devices Displays information about all VTP version 3 devices in the domain. This keyword applies only if the switch is not running VTP version 3.
conflicts (Optional) Displays information about VTP version 3 devices that have conflicting primary servers. This command is ignored when the switch is in VTP transparent or VTP off mode.
interface Displays VTP status and configuration for all interfaces or the specified interface.
interface-id (Optional) Interface for which to display VTP status and configuration. This can be a physical interface or a port channel.
password Displays the configured VTP password (available in privileged EXEC mode only).
status Displays general information about the VTP management domain status.
Command History
Usage Guidelines
When you enter the show vtp password command when the switch is running VTP version 3, the display follows these rules:
- If the password password global configuration command did not specify the hidden keyword and encryption is not enabled on the switch, the password appears in clear text.
- If the password password command did not specify the hidden keyword and encryption is enabled on the switch, the encrypted password appears.
- If the password password command is included the hidden keyword, the hexadecimal secret key is displayed.
Examples
This is an example of output from the show vtp devices command. A Yes in the Conflict column means that the responding server is in conflict with the local server for the feature; that is, when two switches in the same domain do not have the same primary server for a database.
Switch# show vtp devices Retrieving information from the VTP domain. Waiting for 5 seconds. VTP Database Conf switch ID Primary Server Revision System Name lict ------------ ---- -------------- -------------- ---------- ---------------------- VLAN Yes 00b0.8e50.d000 000c.0412.6300 12354 main.cisco.com MST No 00b0.8e50.d000 0004.AB45.6000 24 main.cisco.com VLAN Yes 000c.0412.6300=000c.0412.6300 67 qwerty.cisco.comThis is an example of output from the show vtp counters command. The table that follows describes each field in the display.
Switch> show vtp counters VTP statistics: Summary advertisements received : 0 Subset advertisements received : 0 Request advertisements received : 0 Summary advertisements transmitted : 0 Subset advertisements transmitted : 0 Request advertisements transmitted : 0 Number of config revision errors : 0 Number of config digest errors : 0 Number of V1 summary errors : 0 VTP pruning statistics: Trunk Join Transmitted Join Received Summary advts received from non-pruning-capable device ---------------- ---------------- ---------------- --------------------------- Gi1/0/47 0 0 0 Gi1/0/48 0 0 0 Gi2/0/1 0 0 0 Gi3/0/2 0 0 0
Table 2 show vtp counters Field Descriptions Field
Description
Summary advertisements received
Number of summary advertisements received by this switch on its trunk ports. Summary advertisements contain the management domain name, the configuration revision number, the update timestamp and identity, the authentication checksum, and the number of subset advertisements to follow.
Subset advertisements received
Number of subset advertisements received by this switch on its trunk ports. Subset advertisements contain all the information for one or more VLANs.
Request advertisements received
Number of advertisement requests received by this switch on its trunk ports. Advertisement requests normally request information on all VLANs. They can also request information on a subset of VLANs.
Summary advertisements transmitted
Number of summary advertisements sent by this switch on its trunk ports. Summary advertisements contain the management domain name, the configuration revision number, the update timestamp and identity, the authentication checksum, and the number of subset advertisements to follow.
Subset advertisements transmitted
Number of subset advertisements sent by this switch on its trunk ports. Subset advertisements contain all the information for one or more VLANs.
Request advertisements transmitted
Number of advertisement requests sent by this switch on its trunk ports. Advertisement requests normally request information on all VLANs. They can also request information on a subset of VLANs.
Number of configuration revision errors
Number of revision errors.
Whenever you define a new VLAN, delete an existing one, suspend or resume an existing VLAN, or modify the parameters on an existing VLAN, the configuration revision number of the switch increments.
Revision errors increment whenever the switch receives an advertisement whose revision number matches the revision number of the switch, but the MD5 digest values do not match. This error means that the VTP password in the two switches is different or that the switches have different configurations.
These errors means that the switch is filtering incoming advertisements, which causes the VTP database to become unsynchronized across the network.
Number of configuration digest errors
Number of MD5 digest errors.
Digest errors increment whenever the MD5 digest in the summary packet and the MD5 digest of the received advertisement calculated by the switch do not match. This error usually means that the VTP password in the two switches is different. To solve this problem, make sure the VTP password on all switches is the same.
These errors mean that the switch is filtering incoming advertisements, which causes the VTP database to become unsynchronized across the network.
Number of V1 summary errors
Number of Version 1 errors.
Version 1 summary errors increment whenever a switch in VTP V2 mode receives a VTP Version 1 frame. These errors mean that at least one neighboring switch is either running VTP Version 1 or VTP Version 2 with V2-mode disabled. To solve this problem, change the configuration of the switches in VTP V2-mode to disabled.
Join Transmitted
Number of VTP pruning messages sent on the trunk.
Join Received
Number of VTP pruning messages received on the trunk.
Summary Advts Received from non-pruning-capable device
Number of VTP summary messages received on the trunk from devices that do not support pruning.
This is an example of output from the show vtp status command. The table that follows describes each field in the display.
Switch> show vtp status VTP Version capable : 1 to 3 VTP version running : 1 VTP Domain Name : VTP Pruning Mode : Disabled VTP Traps Generation : Disabled Device ID : 2037.06ce.3580 Configuration last modified by 192.168.1.1 at 10-10-12 04:34:02 Local updater ID is 192.168.1.1 on interface LIIN0 (first layer3 interface found ) Feature VLAN: -------------- VTP Operating Mode : Server Maximum VLANs supported locally : 1005 Number of existing VLANs : 7 Configuration Revision : 2 MD5 digest : 0xA0 0xA1 0xFE 0x4E 0x7E 0x5D 0x97 0x41 0x89 0xB9 0x9B 0x70 0x03 0x61 0xE9 0x27
Table 3 show vtp status Field Descriptions Field
Description
VTP Version capable
Displays the VTP versions that are capable of operating on the switch.
VTP Version running
Displays the VTP version operating on the switch. By default, the switch implements Version 1 but can be set to Version 2.
VTP Domain Name
Name that identifies the administrative domain for the switch.
VTP Pruning Mode
Displays whether pruning is enabled or disabled. Enabling pruning on a VTP server enables pruning for the entire management domain. Pruning restricts flooded traffic to those trunk links that the traffic must use to access the appropriate network devices.
VTP Traps Generation
Displays whether VTP traps are sent to a network management station.
Device ID
Displays the MAC address of the local device.
Configuration last modified
Displays the date and time of the last configuration modification. Displays the IP address of the switch that caused the configuration change to the database.
VTP Operating Mode
Displays the VTP operating mode, which can be server, client, or transparent.
Server—A switch in VTP server mode is enabled for VTP and sends advertisements. You can configure VLANs on it. The switch guarantees that it can recover all the VLAN information in the current VTP database from NVRAM after reboot. By default, every switch is a VTP server.
Note The switch automatically changes from VTP server mode to VTP client mode if it detects a failure while writing the configuration to NVRAM and cannot return to server mode until the NVRAM is functioning.
Client—A switch in VTP client mode is enabled for VTP, can send advertisements, but does not have enough nonvolatile storage to store VLAN configurations. You cannot configure VLANs on it. When a VTP client starts up, it does not send VTP advertisements until it receives advertisements to initialize its VLAN database.
Transparent—A switch in VTP transparent mode is disabled for VTP, does not send or learn from advertisements sent by other devices, and cannot affect VLAN configurations on other devices in the network. The switch receives VTP advertisements and forwards them on all trunk ports except the one on which the advertisement was received.
Maximum VLANs Supported Locally
Maximum number of VLANs supported locally.
Number of Existing VLANs
Number of existing VLANs.
Configuration Revision
Current configuration revision number on this switch.
MD5 Digest
A 16-byte checksum of the VTP configuration.
This is an example of output from the show vtp status command for a switch running VTP version 3.
Switch> show vtp status VTP Version capable : 1 to 3 VTP version running : 3 VTP Domain Name : Cisco VTP Pruning Mode : Disabled VTP Traps Generation : Disabled Device ID : 0021.1bcd.c700 Feature VLAN: -------------- VTP Operating Mode : Server Number of existing VLANs : 7 Number of existing extended VLANs : 0 Configuration Revision : 0 Primary ID : 0000.0000.0000 Primary Description : MD5 digest : 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 Feature MST: -------------- VTP Operating Mode : Client Configuration Revision : 0 Primary ID : 0000.0000.0000 Primary Description : MD5 digest : 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 Feature UNKNOWN: ----------------
Related Commands
Command
Description
Clears the VLAN Trunking Protocol (VTP) and pruning counters.
show wireless vlan group
spanning-tree vlan
To configure spanning tree on a per-VLAN basis, use the spanning-tree vlan command in global configuration mode on the switch stack or on a standalone switch. To return to the default setting, use the no form of this command.
spanning-tree vlan vlan-id [ forward-time seconds | hello-time seconds | max-age seconds | priority priority | root { primary | secondary } [ diameter net-diameter [ hello-time seconds ] ] ]
no spanning-tree vlan vlan-id [ forward-time | hello-time | max-age | priority | root ]
Syntax Description
vlan-id VLAN range associated with a spanning-tree instance. You can specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094.
forward-time seconds (Optional) Sets the forward-delay time for the specified spanning-tree instance. The forwarding time specifies how long each of the listening and learning states last before the interface begins forwarding. The range is 4 to 30 seconds.
hello-time seconds (Optional) Sets the interval between hello bridge protocol data units (BPDUs) sent by the root switch configuration messages. The range is 1 to 10 seconds.
max-age seconds (Optional) Sets the interval between messages the spanning tree receives from the root switch. If a switch does not receive a BPDU message from the root switch within this interval, it recomputes the spanning-tree topology. The range is 6 to 40 seconds.
priority priority (Optional) Sets the switch priority for the specified spanning-tree instance. This setting affects the likelihood that the switch is selected as the root switch. A lower value increases the probability that the switch is selected as the root switch.
The range is 0 to 61440 in increments of 4096. Valid priority values are 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, and 61440. All other values are rejected.
root primary (Optional) Forces this switch to be the root switch.
root secondary (Optional) Sets this switch to be the root switch should the primary root switch fail.
diameter net-diameter (Optional) Sets the maximum number of switches between any two end stations. The range is 2 to 7.
Command Default
Spanning tree is enabled on all VLANs.
The forward-delay time is 15 seconds.
The hello time is 2 seconds.
The max-age is 20 seconds.
The primary root switch priority is 24576.
The secondary root switch priority is 28672.
Command History
Usage Guidelines
Disabling the STP causes the VLAN to stop participating in the spanning-tree topology. Interfaces that are administratively down remain down. Received BPDUs are forwarded like other multicast frames. The VLAN does not detect and prevent loops when STP is disabled.
You can disable the STP on a VLAN that is not currently active and verify the change by using the show running-config or the show spanning-tree vlan vlan-id privileged EXEC command. The setting takes effect when the VLAN is activated.
When disabling or reenabling the STP, you can specify a range of VLANs that you want to disable or enable.
When a VLAN is disabled and then enabled, all assigned VLANs continue to be its members. However, all spanning-tree bridge parameters are returned to their previous settings (the last setting before the VLAN was disabled).
You can enable spanning-tree options on a VLAN that has no interfaces assigned to it. The setting takes effect when you assign interfaces to it.
When setting the max-age seconds, if a switch does not receive BPDUs from the root switch within the specified interval, it recomputes the spanning-tree topology. The max-age setting must be greater than the hello-time setting.
The spanning-tree vlan vlan-id root command should be used only on backbone switches.
When you enter the spanning-tree vlan vlan-id root command, the software checks the switch priority of the current root switch for each VLAN. Because of the extended system ID support, the switch sets the switch priority for the specified VLAN to 24576 if this value will cause this switch to become the root for the specified VLAN. If any root switch for the specified VLAN has a switch priority lower than 24576, the switch sets its own priority for the specified VLAN to 4096 less than the lowest switch priority. (4096 is the value of the least-significant bit of a 4-bit switch priority value.)
When you enter the spanning-tree vlan vlan-id root secondary command, because of support for the extended system ID, the software changes the switch priority from the default value (32768) to 28672. If the root switch should fail, this switch becomes the next root switch (if the other switches in the network use the default switch priority of 32768, and therefore, are unlikely to become the root switch).
Examples
This example shows how to disable the STP on VLAN 5:
Switch(config)# no spanning-tree vlan 5You can verify your setting by entering the show spanning-tree privileged EXEC command. In this instance, VLAN 5 does not appear in the list.
This example shows how to set the spanning-tree forwarding time to 18 seconds for VLANs 20 and 25:
Switch(config)# spanning-tree vlan 20,25 forward-time 18This example shows how to set the spanning-tree hello-delay time to 3 seconds for VLANs 20 to 24:
Switch(config)# spanning-tree vlan 20-24 hello-time 3This example shows how to set spanning-tree max-age to 30 seconds for VLAN 20:
Switch(config)# spanning-tree vlan 20 max-age 30This example shows how to reset the max-age parameter to the default value for spanning-tree instance 100 and 105 to 108:
Switch(config)# no spanning-tree vlan 100, 105-108 max-ageThis example shows how to set the spanning-tree priority to 8192 for VLAN 20:
Switch(config)# spanning-tree vlan 20 priority 8192This example shows how to configure the switch as the root for VLAN 10 with a network diameter of 4:
Switch(config)# spanning-tree vlan 10 root primary diameter 4This example shows how to configure the switch as the secondary root switch for VLAN 10 with a network diameter of 4:
Switch(config)# spanning-tree vlan 10 root secondary diameter 4You can verify your settings by entering the show spanning-tree vlan vlan-id privileged EXEC command.
switchport priority extend
To set a port priority for the incoming untagged frames or the priority of frames received by the IP phone connected to the specified port, use the switchport priority extend command in interface configuration mode on the switch stack or on a standalone switch. To return to the default setting, use the no form of this command.
Syntax Description
cos value
Sets the IP phone port to override the IEEE 802.1p priority received from the PC or the attached device with the specified class of service (CoS) value. The range is 0 to 7. Seven is the highest priority. The default is 0.
trust
Sets the IP phone port to trust the IEEE 802.1p priority received from the PC or the attached device.
Command Default
The default port priority is set to a CoS value of 0 for untagged frames received on the port.
Command History
Usage Guidelines
When voice VLAN is enabled, you can configure the switch to send the Cisco Discovery Protocol (CDP) packets to instruct the IP phone how to send data packets from the device attached to the access port on the Cisco IP Phone. You must enable CDP on the switch port connected to the Cisco IP Phone to send the configuration to the Cisco IP Phone. (CDP is enabled by default globally and on all switch interfaces.)
You should configure voice VLAN on switch access ports. You can configure a voice VLAN only on Layer 2 ports.
Before you enable voice VLAN, we recommend that you enable quality of service (QoS) on the interface by entering the trust device cisco-phone interface configuration command. If you use the auto QoS feature, these settings are automatically configured.
Examples
This example shows how to configure the IP phone connected to the specified port to trust the received IEEE 802.1p priority:
Switch(config)# interface gigabitethernet1/0/2 Switch(config-if)# switchport priority extend trustYou can verify your settings by entering the show interfaces interface-id switchport privileged EXEC command.
switchport trunk
To set the trunk characteristics when the interface is in trunking mode, use the switchport trunk command in interface configuration mode on the switch stack or on a standalone switch. To reset a trunking characteristic to the default, use the no form of this command.
switchport trunk { allowed vlan vlan-list | native vlan vlan-id | pruning vlan vlan-list }
no switchport trunk { allowed vlan | native vlan | pruning vlan }
Syntax Description
allowed vlan vlan-list Sets the list of allowed VLANs that can receive and send traffic on this interface in tagged format when in trunking mode. See the following vlan-list format. The none keyword is not valid. The default is all.
native vlan vlan-id Sets the native VLAN for sending and receiving untagged traffic when the interface is in IEEE 802.1Q trunking mode. The range is 1 to 4094.
pruning vlan vlan-list Sets the list of VLANs that are eligible for VTP pruning when in trunking mode. The all keyword is not valid.
The vlan-list format is all | none | [add | remove | except] vlan-atom ,vlan-atom... where:
- all specifies all VLANs from 1 to 4094. This keyword is not allowed on commands that do not permit all VLANs in the list to be set at the same time.
- none means an empty list. This keyword is not allowed on commands that require certain VLANs to be set or at least one VLAN to be set.
- add adds the defined list of VLANs to those currently set instead of replacing the list. Valid IDs are from 1 to 1005; extended-range VLANs (VLAN IDs greater than 1005) are valid in some cases.
Separate nonconsecutive VLAN IDs with a comma; use a hyphen to designate a range of IDs.
NoteYou can add extended-range VLANs to the allowed VLAN list, but not to the pruning-eligible VLAN list.
- except lists the VLANs that should be calculated by inverting the defined list of VLANs. (VLANs are added except the ones specified.) Valid IDs are from 1 to 1005. Separate nonconsecutive VLAN IDs with a comma; use a hyphen to designate a range of IDs.
- vlan-atom is either a single VLAN number from 1 to 4094 or a continuous range of VLANs described by two VLAN numbers, the lesser one first, separated by a hyphen.
Command Default
The default encapsulation is negotiate.
VLAN 1 is the default native VLAN ID on the port.
The default for all VLAN lists is to include all VLANs.
Command History
Usage Guidelines
Native VLANs:
- All untagged traffic received on an IEEE 802.1Q trunk port is forwarded with the native VLAN configured for the port.
- If a packet has a VLAN ID that is the same as the sending-port native VLAN ID, the packet is sent without a tag; otherwise, the switch sends the packet with a tag.
- The no form of the native vlan command resets the native mode VLAN to the appropriate default VLAN for the device.
Allowed VLAN:
- To reduce the risk of spanning-tree loops or storms, you can disable VLAN 1 on any individual VLAN trunk port by removing VLAN 1 from the allowed list. When you remove VLAN 1 from a trunk port, the interface continues to send and receive management traffic, for example, Cisco Discovery Protocol (CDP), Port Aggregation Protocol (PAgP), Link Aggregation Control Protocol (LACP), Dynamic Trunking Protocol (DTP), and VLAN Trunking Protocol (VTP) in VLAN 1.
- The no form of the allowed vlan command resets the list to the default list, which allows all VLANs.
Trunk pruning:
- The pruning-eligible list applies only to trunk ports.
- Each trunk port has its own eligibility list.
- If you do not want a VLAN to be pruned, remove it from the pruning-eligible list. VLANs that are pruning-ineligible receive flooded traffic.
- VLAN 1, VLANs 1002 to 1005, and extended-range VLANs (VLANs 1006 to 4094) cannot be pruned.
Examples
This example shows how to configure VLAN 3 as the default for the port to send all untagged traffic:
Switch(config)# interface gigabitethernet1/0/2 Switch(config-if)# switchport trunk native vlan 3This example shows how to add VLANs 1, 2, 5, and 6 to the allowed list:
Switch(config)# interface gigabitethernet1/0/2 Switch(config-if)# switchport trunk allowed vlan add 1,2,5,6This example shows how to remove VLANs 3 and 10 to 15 from the pruning-eligible list:
Switch(config)# interface gigabitethernet1/0/2 Switch(config-if)# switchport trunk pruning vlan remove 3,10-15You can verify your settings by entering the show interfaces interface-id switchport privileged EXEC command.
Related Commands
Command
Description
show interfaces
Displays the administrative and operational status of all interfaces or a specified interface.
switchport mode
Configures the VLAN membership mode of a port.
switchport voice vlan
To configure voice VLAN on the port, use the switchport voice vlan command in interface configuration mode on the switch stack or on a standalone switch. To return to the default setting, use the no form of this command.
Syntax Description
vlan-id The VLAN to be used for voice traffic. The range is 1 to 4094. By default, the IP phone forwards the voice traffic with an IEEE 802.1Q priority of 5.
dot1p Configures the telephone to use IEEE 802.1p priority tagging and uses VLAN 0 (the native VLAN). By default, the Cisco IP phone forwards the voice traffic with an IEEE 802.1p priority of 5.
none Does not instruct the IP telephone about the voice VLAN. The telephone uses the configuration from the telephone key pad.
untagged Configures the telephone to send untagged voice traffic. This is the default for the telephone.
Command Default
The switch default is not to automatically configure the telephone (none).
The telephone default is not to tag frames.
Command History
Usage Guidelines
You should configure voice VLAN on Layer 2 access ports.
You must enable Cisco Discovery Protocol (CDP) on the switch port connected to the Cisco IP phone for the switch to send configuration information to the phone. CDP is enabled by default globally and on the interface.
Before you enable voice VLAN, we recommend that you enable quality of service (QoS) on the interface by entering the trust device cisco-phone interface configuration command. If you use the auto QoS feature, these settings are automatically configured.
When you enter a VLAN ID, the IP phone forwards voice traffic in IEEE 802.1Q frames, tagged with the specified VLAN ID. The switch puts IEEE 802.1Q voice traffic in the voice VLAN.
When you select dot1q, none, or untagged, the switch puts the indicated voice traffic in the access VLAN.
In all configurations, the voice traffic carries a Layer 2 IP precedence value. The default is 5 for voice traffic.
When you enable port security on an interface that is also configured with a voice VLAN, set the maximum allowed secure addresses on the port to 2. When the port is connected to a Cisco IP phone, the IP phone requires one MAC address. The Cisco IP phone address is learned on the voice VLAN, but not on the access VLAN. If you connect a single PC to the Cisco IP phone, no additional MAC addresses are required. If you connect more than one PC to the Cisco IP phone, you must configure enough secure addresses to allow one for each PC and one for the Cisco IP phone.
If any type of port security is enabled on the access VLAN, dynamic port security is automatically enabled on the voice VLAN.
You cannot configure static secure MAC addresses in the voice VLAN.
A voice-VLAN port cannot be a private-VLAN port.
The Port Fast feature is automatically enabled when voice VLAN is configured. When you disable voice VLAN, the Port Fast feature is not automatically disabled.
Related Commands
Command
Description
show interfaces
Displays the administrative and operational status of all interfaces or a specified interface.
Sets a port priority for the incoming untagged frames or the priority of frames received by the IP phone connected to the specified port.
vlan
To add a VLAN and to enter the VLAN configuration mode, use the vlan command in global configuration mode. To delete the VLAN, use the no form of this command.
Syntax Description
vlan-id ID of the VLAN to be added and configured. The range is 1 to 4094. You can enter a single VLAN ID, a series of VLAN IDs separated by commas, or a range of VLAN IDs separated by hyphens.
Command History
Usage Guidelines
You can use the vlan vlan-id global configuration command to add normal-range VLANs (VLAN IDs 1 to 1005) or extended-range VLANs (VLAN IDs 1006 to 4094). Configuration information for normal-range VLANs is always saved in the VLAN database. With VTP version 1 and 2, extended-range VLANs are not learned by VTP and are not added to the VLAN database. When VTP mode is transparent, VTP mode and domain name and all VLAN configurations are saved in the running configuration, and you can save them in the switch startup configuration file.
VTP version 3 supports propagation of extended-range VLANs and you can create them in VTP server or client mode.
When you save the VLAN and VTP configurations in the startup configuration file and reboot the switch, the configuration is selected in these ways:
- If both the VLAN database and the configuration file show the VTP mode as transparent and the VTP domain names match, the VLAN database is ignored. The VTP and VLAN configurations in the startup configuration file are used. The VLAN database revision number remains unchanged in the VLAN database.
- If the VTP mode is server, or if the startup VTP mode or domain names do not match the VLAN database, the VTP mode and the VLAN configuration for the first 1005 VLANs use the VLAN database information. With VTP version 3, all VLAN-IDs are in the VLAN database.
If you enter an invalid VLAN ID, you receive an error message and do not enter VLAN configuration mode.
Entering the vlan command with a VLAN ID enables VLAN configuration mode. When you enter the VLAN ID of an existing VLAN, you do not create a new VLAN, but you can modify VLAN parameters for that VLAN. The specified VLANs are added or modified when you exit the VLAN configuration mode. Only the shutdown command (for VLANs 1 to 1005) takes effect immediately.
NoteAlthough all commands are visible, the only VLAN configuration command that is supported on extended-range VLANs is remote-span. For extended-range VLANs, all other characteristics must remain at the default state.
These configuration commands are available in VLAN configuration mode. The no form of each command returns the characteristic to its default state:
- are are-number—Defines the maximum number of all-routes explorer (ARE) hops for this VLAN. This keyword applies only to TrCRF VLANs.The range is 0 to 13. The default is 7. If no value is entered, 0 is assumed to be the maximum.
- backupcrf—Specifies the backup CRF mode. This keyword applies only to TrCRF VLANs.
- bridge {bridge-number | type}—Specifies the logical distributed source-routing bridge, the bridge that interconnects all logical rings having this VLAN as a parent VLAN in FDDI-NET, Token Ring-NET, and TrBRF VLANs. The range is 0 to 15. The default bridge number is 0 (no source-routing bridge) for FDDI-NET, TrBRF, and Token Ring-NET VLANs. The type keyword applies only to TrCRF VLANs and is one of these:
- exit—Applies changes, increments the VLAN database revision number (VLANs 1 to 1005 only), and exits VLAN configuration mode.
- media—Defines the VLAN media type and is one of these:
See the table that follows for valid commands and syntax for different media types.
- ethernet is Ethernet media type (the default).
- fd-net is FDDI network entity title (NET) media type.
- fddi is FDDI media type.
- tokenring is Token Ring media type if the VTP v2 mode is disabled, or TrCRF if the VTP Version 2 (v) mode is enabled.
- tr-net is Token Ring network entity title (NET) media type if the VTP v2 mode is disabled or TrBRF media type if the VTP v2 mode is enabled.
- name vlan-name—Names the VLAN with an ASCII string from 1 to 32 characters that must be unique within the administrative domain. The default is VLANxxxx where xxxx represents four numeric digits (including leading zeros) equal to the VLAN ID number.
- no—Negates a command or returns it to the default setting.
- parent parent-vlan-id—Specifies the parent VLAN of an existing FDDI, Token Ring, or TrCRF VLAN. This parameter identifies the TrBRF to which a TrCRF belongs and is required when defining a TrCRF. The range is 0 to 1005. The default parent VLAN ID is 0 (no parent VLAN) for FDDI and Token Ring VLANs. For both Token Ring and TrCRF VLANs, the parent VLAN ID must already exist in the database and be associated with a Token Ring-NET or TrBRF VLAN.
- remote-span—Configures the VLAN as a Remote SPAN (RSPAN) VLAN. When the RSPAN feature is added to an existing VLAN, the VLAN is first deleted and is then recreated with the RSPAN feature. Any access ports are deactivated until the RSPAN feature is removed. If VTP is enabled, the new RSPAN VLAN is propagated by VTP for VLAN IDs that are lower than 1024. Learning is disabled on the VLAN. See the remote-span command for more information.
- ring ring-number—Defines the logical ring for an FDDI, Token Ring, or TrCRF VLAN. The range is 1 to 4095. The default for Token Ring VLANs is 0. For FDDI VLANs, there is no default.
- said said-value—Specifies the security association identifier (SAID) as documented in IEEE 802.10. The range is 1 to 4294967294, and the number must be unique within the administrative domain. The default value is 100000 plus the VLAN ID number.
- shutdown—Shuts down VLAN switching on the VLAN. This command takes effect immediately. Other commands take effect when you exit VLAN configuration mode.
- state—Specifies the VLAN state:
- ste ste-number—Defines the maximum number of spanning-tree explorer (STE) hops. This keyword applies only to TrCRF VLANs. The range is 0 to 13. The default is 7.
- stp type—Defines the spanning-tree type for FDDI-NET, Token Ring-NET, or TrBRF VLANs. For FDDI-NET VLANs, the default STP type is ieee. For Token Ring-NET VLANs, the default STP type is ibm. For FDDI and Token Ring VLANs, the default is no type specified.
- tb-vlan1 tb-vlan1-id and tb-vlan2 tb-vlan2-id—Specifies the first and second VLAN to which this VLAN is translationally bridged. Translational VLANs translate FDDI or Token Ring to Ethernet, for example. The range is 0 to 1005. If no value is specified, 0 (no transitional bridging) is assumed.
The following table describes the rules for configuring VLANs:
Table 4 Valid Commands and Syntax for Different Media Types Media Type
Valid Syntax
Ethernet
name vlan-name, media ethernet, state {suspend | active}, said said-value, remote-span, tb-vlan1 tb-vlan1-id, tb-vlan2 tb-vlan2-id
FDDI
name vlan-name, media fddi, state {suspend | active}, said said-value, ring ring-number, parent parent-vlan-id, tb-vlan1 tb-vlan1-id, tb-vlan2 tb-vlan2-id
FDDI-NET
name vlan-name, media fd-net , state {suspend | active}, said said-value, bridge bridge-number, stp type {ieee | ibm | auto}, tb-vlan1 tb-vlan1-id, tb-vlan2 tb-vlan2-id
If VTP v2 mode is disabled, do not set the stp type to auto.
Token Ring
VTP v1 mode is enabled.
name vlan-name, media tokenring, state {suspend | active}, said said-value, ring ring-number, parent parent-vlan-id, tb-vlan1 tb-vlan1-id, tb-vlan2 tb-vlan2-id
Token Ring concentrator relay function (TrCRF)
VTP v2 mode is enabled.
name vlan-name, media tokenring, state {suspend | active}, said said-value, ring ring-number, parent parent-vlan-id, bridge type {srb | srt}, are are-number, ste ste-number, backupcrf {enable | disable}, tb-vlan1 tb-vlan1-id, tb-vlan2 tb-vlan2-id
Token Ring-NET
VTP v1 mode is enabled.
name vlan-name, media tr-net, state {suspend | active}, said said-value, bridge bridge-number, stp type {ieee | ibm}, tb-vlan1 tb-vlan1-id, tb-vlan2 tb-vlan2-id
Token Ring bridge relay function (TrBRF)
VTP v2 mode is enabled.
name vlan-name, media tr-net, state {suspend | active}, said said-value, bridge bridge-number, stp type {ieee | ibm | auto}, tb-vlan1 tb-vlan1-id, tb-vlan2 tb-vlan2-id
Table 5 VLAN Configuration Rules Configuration
Rule
VTP v2 mode is enabled, and you are configuring a TrCRF VLAN media type.
Specify a parent VLAN ID of a TrBRF that already exists in the database.
Specify a ring number. Do not leave this field blank.
Specify unique ring numbers when TrCRF VLANs have the same parent VLAN ID. Only one backup concentrator relay function (CRF) can be enabled.
VTP v2 mode is enabled, and you are configuring VLANs other than TrCRF media type.
Do not specify a backup CRF.
VTP v2 mode is enabled, and you are configuring a TrBRF VLAN media type.
Specify a bridge number. Do not leave this field blank.
VTP v1 mode is enabled.
No VLAN can have an STP type set to auto.
This rule applies to Ethernet, FDDI, FDDI-NET, Token Ring, and Token Ring-NET VLANs.
Add a VLAN that requires translational bridging (values are not set to zero).
The translational bridging VLAN IDs that are used must already exist in the database.
The translational bridging VLAN IDs that a configuration points to must also contain a pointer to the original VLAN in one of the translational bridging parameters (for example, Ethernet points to FDDI, and FDDI points to Ethernet).
The translational bridging VLAN IDs that a configuration points to must be different media types than the original VLAN (for example, Ethernet can point to Token Ring).
If both translational bridging VLAN IDs are configured, these VLANs must be different media types (for example, Ethernet can point to FDDI and Token Ring).
Examples
This example shows how to add an Ethernet VLAN with default media characteristics. The default includes a vlan-name of VLAN xxx, where xxxx represents four numeric digits (including leading zeros) equal to the VLAN ID number. The default media is ethernet; the state is active. The default said-value is 100000 plus the VLAN ID; the mtu-size variable is 1500; the stp-type is ieee. When you enter the exit VLAN configuration command, the VLAN is added if it did not already exist; otherwise, this command does nothing.
This example shows how to create a new VLAN with all default characteristics and enter VLAN configuration mode:
Switch(config)# vlan 200 Switch(config-vlan)# exit Switch(config)#This example shows how to create a new extended-range VLAN with all the default characteristics, to enter VLAN configuration mode, and to save the new VLAN in the switch startup configuration file:
Switch(config)# vlan 2000 Switch(config-vlan)# end Switch# copy running-config startup configYou can verify your setting by entering the show vlan privileged EXEC command.
Related Commands
Command
Description
Displays the parameters for all configured VLANs or one VLAN (if the VLAN ID or name is specified) in the administrative domain.
vlan access-map
To create or modify a VLAN map entry for VLAN packet filtering, and change the mode to the VLAN access-map configuration, use the vlan access-map command in global configuration mode on the switch stack or on a standalone switch. To delete a VLAN map entry, use the no form of this command.
vlan access-map name [ number ]
no vlan access-map name [ number ]
NoteThis command is not supported on switches running the LAN Base feature set.
Syntax Description
name Name of the VLAN map.
number (Optional) The sequence number of the map entry that you want to create or modify (0 to 65535). If you are creating a VLAN map and the sequence number is not specified, it is automatically assigned in increments of 10, starting from 10. This number is the sequence to insert to, or delete from, a VLAN access-map entry.
Command History
Usage Guidelines
In global configuration mode, use this command to create or modify a VLAN map. This entry changes the mode to VLAN access-map configuration, where you can use the match access-map configuration command to specify the access lists for IP or non-IP traffic to match and use the action command to set whether a match causes the packet to be forwarded or dropped.
In VLAN access-map configuration mode, these commands are available:
- action—Sets the action to be taken (forward or drop).
- default—Sets a command to its defaults.
- exit—Exits from VLAN access-map configuration mode.
- match—Sets the values to match (IP address or MAC address).
- no—Negates a command or set its defaults.
When you do not specify an entry number (sequence number), it is added to the end of the map.
There can be only one VLAN map per VLAN and it is applied as packets are received by a VLAN.
You can use the no vlan access-map name [number] command with a sequence number to delete a single entry.
Use the vlan filter interface configuration command to apply a VLAN map to one or more VLANs.
For more information about VLAN map entries, see the software configuration guide for this release.
Examples
This example shows how to create a VLAN map named vac1 and apply matching conditions and actions to it. If no other entries already exist in the map, this will be entry 10.
Switch(config)# vlan access-map vac1 Switch(config-access-map)# match ip address acl1 Switch(config-access-map)# action forwardThis example shows how to delete VLAN map vac1:
Switch(config)# no vlan access-map vac1
Related Commands
Command
Description
Sets the action for the VLAN access map entry.
Sets the VLAN map to match packets against one or more access lists.
Displays the VLAN access maps created on the switch.
Applies a VLAN map to one or more VLANs.
vlan configuration
Syntax Description
vlan-id VLAN ID. The range is from 1 to 4094. The VLAN range can be specified in the format shown in this example: 1-5, 10 or 2-5,7-19.
Command History
Usage Guidelines
If you use the vlan configuration command to configure a VLAN that you have not yet created and you later want to create that VLAN, use the vlan command to create the configured VLAN.
The show vlan command does not display a VLAN until you actually create the VLAN.
This command does not require a license.
vlan dot1q tag native
To enable tagging of native VLAN frames on all IEEE 802.1Q trunk ports, use the vlan dot1q tag native command in global configuration mode on the switch stack or on a standalone switch. To return to the default setting, use the no form of this command.
vlan dot1q tag native
no vlan dot1q tag native
NoteThis command is not supported on switches running the LAN Base feature set.
Command History
Usage Guidelines
When enabled, native VLAN packets going out all IEEE 802.1Q trunk ports are tagged.
When disabled, native VLAN packets going out all IEEE 802.1Q trunk ports are not tagged.
You can use this command with the IEEE 802.1Q tunneling feature. This feature operates on an edge switch of a service-provider network and expands VLAN space by using a VLAN-in-VLAN hierarchy and tagging the tagged packets. You must use IEEE 802.1Q trunk ports for sending packets to the service-provider network. However, packets going through the core of the service-provider network might also be carried on IEEE 802.1Q trunks. If the native VLANs of an IEEE 802.1Q trunks match the native VLAN of a tunneling port on the same switch, traffic on the native VLAN is not tagged on the sending trunk port. This command ensures that native VLAN packets on all IEEE 802.1Q trunk ports are tagged.
For more information about IEEE 802.1Q tunneling, see the software configuration guide for this release.
Related Commands
Command
Description
Displays the parameters for all configured VLANs or one VLAN (if the VLAN ID or name is specified) in the administrative domain.
vlan filter
To apply a VLAN map to one or more VLANs, use the vlan filter command in global configuration mode on the switch stack or on a standalone switch. To remove the map, use the no form of this command.
vlan filter mapname vlan-list { list | all }
no vlan filter mapname vlan-list { list | all }
NoteThis command is not supported on switches running the LAN Base feature set.
Syntax Description
mapname Name of the VLAN map entry.
vlan-list Specifies which VLANs to apply the map to.
list The list of one or more VLANs in the form tt, uu-vv, xx, yy-zz, where spaces around commas and dashes are optional. The range is 1 to 4094.
all Adds the map to all VLANs.
Command History
Usage Guidelines
To avoid accidentally dropping too many packets and disabling connectivity in the middle of the configuration process, we recommend that you completely define the VLAN access map before applying it to a VLAN.
For more information about VLAN map entries, see the software configuration guide for this release.
Examples
This example applies VLAN map entry map1 to VLANs 20 and 30:
Switch(config)# vlan filter map1 vlan-list 20, 30This example shows how to delete VLAN map entry mac1 from VLAN 20:
Switch(config)# no vlan filter map1 vlan-list 20You can verify your settings by entering the show vlan filter privileged EXEC command.
Related Commands
Command
Description
Displays the VLAN access maps created on the switch.
Displays information about all VLAN filters or about a particular VLAN or VLAN access map.
Defines a VLAN map and enters access-map configuration mode where you can specify a MAC ACL to match and the action to be taken.
vlan group
To create or modify a VLAN group, use the vlan group command in global configuration mode. To remove a VLAN list from the VLAN group, use the no form of this command.
Syntax Description
group-name Name of the VLAN group. The group name may contain up to 32 characters and must begin with a letter.
vlan-list vlan-list Specifies one or more VLANs to be added to the VLAN group. The vlan-list argument can be a single VLAN ID, a list of VLAN IDs, or VLAN ID range. Multiple entries are separated by a hyphen (-) or a comma (,).
Command History
Usage Guidelines
If the named VLAN group does not exist, the vlan group command creates the group and maps the specified VLAN list to the group. If the named VLAN group exists, the specified VLAN list is mapped to the group.
The no form of the vlan group command removes the specified VLAN list from the VLAN group. When you remove the last VLAN from the VLAN group, the VLAN group is deleted.
A maximum of 100 VLAN groups can be configured, and a maximum of 4094 VLANs can be mapped to a VLAN group.
Related Commands
Command
Description
Displays the VLANs mapped to VLAN groups.
vtp (global configuration)
To set or modify the VLAN Trunking Protocol (VTP) configuration characteristics, use the vtp command in global configuration mode on the switch stack or on a standalone switch. To remove the settings or to return to the default settings, use the no form of this command.
vtp { domain domain-name | file filename | interface interface-name [ only ] | mode { client | off | server | transparent } [ mst | unknown | vlan ] | password password [ hidden | secret ] | pruning | version number }
no vtp { file | interface | mode [ client | off | server | transparent ] [ mst | unknown | vlan ] | password | pruning | version }
Syntax Description
domain domain-name The VTP domain name, an ASCII string from 1 to 32 characters that identifies the VTP administrative domain for the switch. The domain name is case sensitive.
file filename The Cisco IOS file system file where the VTP VLAN configuration is stored.
interface interface-name The name of the interface providing the VTP ID updated for this device.
only (Optional) Uses only the IP address of this interface as the VTP IP updater.
mode Specifies the VTP device mode as client, server, or transparent.
client Places the switch in VTP client mode. A switch in VTP client mode is enabled for VTP, and can send advertisements, but does not have enough nonvolatile storage to store VLAN configurations. You cannot configure VLANs on the switch. When a VTP client starts up, it does not send VTP advertisements until it receives advertisements to initialize its VLAN database.
off Places the switch in VTP off mode. A switch in VTP off mode functions the same as a VTP transparent device except that it does not forward VTP advertisements on trunk ports.
server Places the switch in VTP server mode. A switch in VTP server mode is enabled for VTP and sends advertisements. You can configure VLANs on the switch. The switch can recover all the VLAN information in the current VTP database from nonvolatile storage after reboot.
transparent Places the switch in VTP transparent mode. A switch in VTP transparent mode is disabled for VTP, does not send advertisements or learn from advertisements sent by other devices, and cannot affect VLAN configurations on other devices in the network. The switch receives VTP advertisements and forwards them on all trunk ports except the one on which the advertisement was received.
When VTP mode is transparent, the mode and domain name are saved in the switch running configuration file, and you can save them in the switch startup configuration file by entering the copy running-config startup config privileged EXEC command.
mst (Optional) Sets the mode for the multiple spanning tree (MST) VTP database (only VTP Version 3).
unknown (Optional) Sets the mode for unknown VTP databases (only VTP Version 3).
vlan (Optional) Sets the mode for VLAN VTP database. This is the default (only VTP Version 3).
password password Sets the administrative domain password for the generation of the 16-byte secret value used in MD5 digest calculation to be sent in VTP advertisements and to validate received VTP advertisements. The password can be an ASCII string from 1 to 32 characters. The password is case sensitive.
hidden (Optional) Specifies that the key generated from the password string is saved in the VLAN database file. When the hidden keyword is not specified, the password string is saved in clear text. When the hidden password is entered, you need to reenter the password to issue a command in the domain. This keyword is supported only in VTP Version 3.
secret (Optional) Allows the user to directly configure the password secret key (only VTP Version 3).
pruning Enables VTP pruning on the switch.
version number Sets the VTP Version to Version 1, Version 2, or Version 3.
Command Default
The default filename is flash:vlan.dat.
The default mode is server mode and the default database is VLAN.
In VTP Version 3, for the MST database, the default mode is transparent.
No domain name or password is defined.
No password is configured.
Pruning is disabled.
The default version is Version 1.
Command History
Usage Guidelines
When you save VTP mode, domain name, and VLAN configurations in the switch startup configuration file and reboot the switch, the VTP and VLAN configurations are selected by these conditions:
- If both the VLAN database and the configuration file show the VTP mode as transparent and the VTP domain names match, the VLAN database is ignored. The VTP and VLAN configurations in the startup configuration file are used. The VLAN database revision number remains unchanged in the VLAN database.
- If the startup VTP mode is server mode, or the startup VTP mode or domain names do not match the VLAN database, VTP mode and VLAN configuration for the first 1005 VLANs are selected by VLAN database information, and VLANs greater than 1005 are configured from the switch configuration file.
The vtp file filename cannot be used to load a new database; it renames only the file in which the existing database is stored.
Follow these guidelines when configuring a VTP domain name:
- The switch is in the no-management-domain state until you configure a domain name. While in the no-management-domain state, the switch does not send any VTP advertisements even if changes occur to the local VLAN configuration. The switch leaves the no-management-domain state after it receives the first VTP summary packet on any port that is trunking or after you configure a domain name by using the vtp domain command. If the switch receives its domain from a summary packet, it resets its configuration revision number to 0. After the switch leaves the no-management-domain state, it can not be configured to reenter it until you clear the NVRAM and reload the software.
- Domain names are case-sensitive.
- After you configure a domain name, it cannot be removed. You can only reassign it to a different domain.
Follow these guidelines when setting VTP mode:
- The no vtp mode command returns the switch to VTP server mode.
- The vtp mode server command is the same as no vtp mode except that it does not return an error if the switch is not in client or transparent mode.
- If the receiving switch is in client mode, the client switch changes its configuration to duplicate the configuration of the server. If you have switches in client mode, be sure to make all VTP or VLAN configuration changes on a switch in server mode. If the receiving switch is in server mode or transparent mode, the switch configuration is not changed.
- Switches in transparent mode do not participate in VTP. If you make VTP or VLAN configuration changes on a switch in transparent mode, the changes are not propagated to other switches in the network.
- If you change the VTP or VLAN configuration on a switch that is in server mode, that change is propagated to all the switches in the same VTP domain.
- The vtp mode transparent command disables VTP from the domain but does not remove the domain from the switch.
- In VTP Versions 1 and 2, the VTP mode must be transparent for you to add extended-range VLANs or for VTP and VLAN information to be saved in the running configuration file. VTP supports extended-range VLANs in client and server mode and saved them in the VLAN database.
- With VTP Versions 1 and 2, if extended-range VLANs are configured on the switch and you attempt to set the VTP mode to server or client, you receive an error message, and the configuration is not allowed. Changing VTP mode is allowed with extended VLANs in VTP Version 3.
- The VTP mode must be transparent for you to add extended-range VLANs or for VTP and VLAN information to be saved in the running configuration file.
- VTP can be set to either server or client mode only when dynamic VLAN creation is disabled.
- The vtp mode off command sets the device to off. The no vtp mode off command resets the device to the VTP server mode.
Follow these guidelines when setting a VTP password:
- Passwords are case sensitive. Passwords should match on all switches in the same domain.
- When you use the no vtp password form of the command, the switch returns to the no-password state.
- The hidden and secret keywords are supported only in VTP Version 3. If you convert from VTP Version 2 to VTP Version 3, you must remove the hidden or secret keyword before the conversion.
Follow these guidelines when setting VTP pruning:
- VTP pruning removes information about each pruning-eligible VLAN from VTP updates if there are no stations belonging to that VLAN.
- If you enable pruning on the VTP server, it is enabled for the entire management domain for VLAN IDs 1 to 1005.
- Only VLANs in the pruning-eligible list can be pruned.
- Pruning is supported with VTP Version 1 and Version 2.
Follow these guidelines when setting the VTP version:
- Toggling the Version 2 (v2) mode state modifies parameters of certain default VLANs.
- Each VTP switch automatically detects the capabilities of all the other VTP devices. To use Version 2, all VTP switches in the network must support Version 2; otherwise, you must configure them to operate in VTP Version 1 mode.
- If all switches in a domain are VTP Version 2-capable, you need only to configure Version 2 on one switch; the version number is then propagated to the other Version-2 capable switches in the VTP domain.
- If you are using VTP in a Token Ring environment, VTP Version 2 must be enabled.
- If you are configuring a Token Ring bridge relay function (TrBRF) or Token Ring concentrator relay function (TrCRF) VLAN media type, you must use Version 2.
- If you are configuring a Token Ring or Token Ring-NET VLAN media type, you must use Version 1.
- In VTP Version 3, all database VTP information is propagated across the VTP domain, not only VLAN database information.
- Two VTP Version 3 regions can only communicate over a VTP Version 1 or VTP Version 2 region in transparent mode.
You cannot save password, pruning, and version configurations in the switch configuration file.
Examples
This example shows how to rename the filename for VTP configuration storage to vtpfilename:
Switch(config)# vtp file vtpfilenameThis example shows how to clear the device storage filename:
Switch(config)# no vtp file vtpconfig Clearing device storage filename.This example shows how to specify the name of the interface providing the VTP updater ID for this device:
Switch(config)# vtp interface gigabitethernetThis example shows how to set the administrative domain for the switch:
Switch(config)# vtp domain OurDomainNameThis example shows how to place the switch in VTP transparent mode:
Switch(config)# vtp mode transparentThis example shows how to configure the VTP domain password:
Switch(config)# vtp password ThisIsOurDomain’sPasswordThis example shows how to enable pruning in the VLAN database:
Switch(config)# vtp pruning Pruning switched ONThis example shows how to enable Version 2 mode in the VLAN database:
Switch(config)# vtp version 2You can verify your settings by entering the show vtp status privileged EXEC command.
Related Commands
Command
Description
Displays general information about VTP management domain, status, and counters.
Enables or disables VTP on an interface.
vtp (interface configuration)
To enable the VLAN Trunking Protocol (VTP) on a per-port basis, use the vtp command in interface configuration mode. To disable VTP on the interface, use the no form of this command.
Command History
Related Commands
Command
Description
Globally configures VTP domain name, password, pruning, version, and mode.
vtp primary
To configure a switch as the VLAN Trunking Protocol (VTP) primary server, use the vtp primary command in privileged EXEC mode
Syntax Description
Command History
Usage Guidelines
This command is supported only on switches configured for VTP Version 3.
A VTP primary server updates the database information and sends updates that are honored by all devices in the system. A VTP secondary server can only back up the updated VTP configurations received from the primary server to NVRAM.
By default, all devices come up as secondary servers. Primary server status is needed only for database updates when the administrator issues a takeover message in the domain. You can have a working VTP domain without any primary servers.
Primary server status is lost if the device reloads or domain parameters change.
This command does not support the no form.
NoteThis command is supported only when the switch is running VTP Version 3.
NoteAlthough visible in the command line help, the vtp {password password | pruning | version number} commands are not supported.
Related Commands
Command
Description
Displays general information about VTP management domain, status, and counters.
Globally configures VTP domain name, password, pruning, version, and mode.
