Catalyst 6500 Series Software Configuration Guide, 8.7

Configuring VLANs


This chapter describes how to configure VLANs for the Catalyst 6500 series switches.


Note For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 6500 Series Switch Command Reference publication.


This chapter consists of these sections:

Understanding How VLANs Work

Configuring VLANs on the Switch

Configuring Extended-Range VLANs on the Switch

Mapping VLANs to VLANs

Allocating Internal VLANs

Assigning Switch Ports to a VLAN

Enabling or Disabling VLAN Port-Provisioning Verification

Deleting a VLAN

Configuring VLAN Mappings on a Per-Port or Per-ASIC Basis

Configuring Private VLANs on the Switch

Configuring FDDI VLANs on the Switch

Configuring Token Ring VLANs on the Switch

Configuring VLANs for the Firewall Services Module

Understanding How VLANs Work

A VLAN is a group of end stations with a common set of requirements, independent of their physical location. A VLAN has the same attributes as a physical LAN but allows you to group the end stations even if they are not located physically on the same LAN segment.

A VLAN allows you to group the ports on a switch to limit the unicast, multicast, and broadcast traffic flooding. The flooded traffic that originates from a particular VLAN is flooded only out the ports that belong to that VLAN.

Figure 11-1 shows an example of VLANs that are segmented into logically defined networks.

These sections describe VLANs:

VLAN Ranges

Configurable VLAN Parameters

Default VLAN Configuration

Figure 11-1 VLANs as Logically Defined Networks

VLANs are often associated with the IP subnetworks. For example, all the end stations in a particular IP subnet belong to the same VLAN. The traffic between the VLANs must be routed. Port VLAN membership on the switch is assigned manually on a port-by-port basis. When you assign the switch ports to the VLANs using this method, it is known as port-based, or static, VLAN membership.

The in-band (sc0) interface of a switch can be assigned to any VLAN, so that you can access another switch on the same VLAN directly without a router. Only one IP address at a time can be assigned to the in-band interface. If you change the IP address and assign the interface to a different VLAN, the previous IP address and VLAN assignment are overwritten.

VLAN Ranges

Catalyst 6500 series switches support 4096 VLANs in accordance with the IEEE 802.1Q standard. These VLANs are organized into two ranges; you use each range slightly differently. Some of these VLANs are propagated to other switches in the network when you use a management protocol, such as the VLAN Trunking Protocol (VTP). Other VLANs are not propagated and you must configure them on each applicable switch.

VLANs are divided into the following two ranges:

Normal-range VLANs: 1-1023

Extended-range VLANs: 1024-4094


Note With VTP version 3, you can manage VLANs 1006-4094. These VLANs are propagated with VTP version 3.


Configurable VLAN Parameters

Whenever you create or modify VLANs 2-1005, you can set the parameters as follows:


Note Ethernet VLANs 1 and 1025-4094 can use the defaults only.



Note With software release 8.3(1) and later releases, you can name all user VLANs. This capability is independent of any VTP version or mode.


VLAN number

VLAN name

VLAN type: Ethernet, FDDI, FDDINET, Token Ring Bridge Relay Function (TrBRF), or Token Ring Concentrator Relay Function (TrCRF)

VLAN state: active or suspended

Multi-Instance Spanning Tree Protocol (MISTP) instance

Private VLAN type: primary, isolated, community, two-way community, or none

Security Association Identifier (SAID)

Maximum transmission unit (MTU) for the VLAN

Ring number for FDDI and TrCRF VLANs

Bridge identification number for TrBRF VLANs

Parent VLAN number for TrCRF VLANs

STP type for TrCRF VLANs: IEEE, IBM, or auto

VLAN to use when translating from one VLAN media type to another (VLANs 1-1005 only); requires a different VLAN number for each media type

Source routing bridge mode for Token Ring VLANs: source-routing bridge (SRB) or source-routing transparent bridge (SRT)

Backup for TrCRF VLAN

Maximum hops for All-Routes Explorer (ARE) frames and Spanning Tree Explorer (STE) frames for Token Ring VLANs

Remote Switched Port Analyzer (RSPAN)

Default VLAN Configuration

Table 11-1 shows the default VLAN configuration for the Catalyst 6500 series switches.

Table 11-1 VLAN Default Configuration

Feature                                Default Value
-------------------------------------  ----------------------------------------------
Native (default) VLAN                  VLAN 1
Port VLAN assignments                  All ports assigned to VLAN 1
                                       Token Ring ports assigned to VLAN 1003 (trcrf-default)
VLAN state                             Active
MTU size                               1500 bytes
                                       4472 bytes for Token Ring VLANs
SAID value                             100,000 plus the VLAN number (for example, the SAID
                                       for VLAN 8 is 100008, and the SAID for VLAN 4050
                                       is 104050)
Pruning eligibility                    VLANs 2-1000 are pruning eligible; VLANs 1025-4094
                                       are not pruning eligible
MAC address reduction                  Disabled
Spanning-tree mode                     PVST+
Default FDDI VLAN                      VLAN 1002
Default FDDI NET VLAN                  VLAN 1004
Default Token Ring TrBRF VLAN          VLAN 1005 (trbrf-default) with bridge number 0F
Default Token Ring TrCRF VLAN          VLAN 1003 (trcrf-default)
Spanning Tree Protocol (STP) version   IBM
for TrBRF VLAN
VLAN port-provisioning verification    Disabled
TrCRF bridge mode                      SRB
Remote switched port analyzer (RSPAN)  Disabled


Configuring VLANs on the Switch

These sections describe how to configure user VLANs 1-4094:

Normal-Range VLAN Configuration Guidelines

Creating Normal-Range VLANs

Modifying Normal-Range VLANs


Note You cannot configure or modify normal-range VLAN 1.


Normal-Range VLAN Configuration Guidelines

This section describes the guidelines for creating and modifying the user VLANs in your network:

The default VLAN type is Ethernet; if you do not specify a VLAN type, the VLAN will be an Ethernet VLAN.

If you wish to use VTP to maintain global VLAN configuration information on your network, configure VTP before you create any normal-range VLANs. See Chapter 10, "Configuring VTP" for configuring VTP. (You cannot use VTP to manage extended-range VLANs 1025-4094.)


Note With VTP version 3, you can manage VLANs 1006-4094. These VLANs are propagated with VTP version 3.


The FlexWAN modules and routed ports automatically allocate a number of VLANs for their own use, starting at VLAN 1025. If you use these devices, you must allow for the number of VLANs required.

Creating Normal-Range VLANs

You can create one VLAN at a time or you can create a range of VLANs with a single command. If you create a range of VLANs, you cannot specify a name; the VLAN names must be unique.

To create a normal-range VLAN, perform this task in privileged mode:

 
Step 1  Task:    Create a normal-range Ethernet VLAN.
        Command: set vlan vlan [name name] [said said] [mtu mtu] [translation vlan]
Step 2  Task:    Verify the VLAN configuration.
        Command: show vlan [vlan]

This example shows how to create the normal-range VLANs and verify the configuration when the switch is in Per VLAN Spanning Tree + (PVST+) mode:

Console> (enable) set vlan 500-520
Vlan 500 configuration successful
Vlan 501 configuration successful
Vlan 502 configuration successful
Vlan 503 configuration successful
 .
 .
 .
Vlan 520 configuration successful
Console> (enable) show vlan 500-520
VLAN Name                             Status    IfIndex Mod/Ports, Vlans
---- -------------------------------- --------- ------- ------------------------
500                                    active    342
501                                    active    343
502                                    active    344
503                                    active    345
 .
 .
 .
520                                    active    362
VLAN Type  SAID       MTU   Parent RingNo BrdgNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ ------ ---- -------- ------ ------
500  enet  100500     1500  -      -      -      -    -        0      0
501  enet  100501     1500  -      -      -      -    -        0      0
502  enet  100502     1500  -      -      -      -    -        0      0
503  enet  100503     1500  -      -      -      -    -        0      0
 .
 .
 .
520  enet  100520     1500  -      -      -      -    -        0      0
VLAN AREHops STEHops Backup CRF
---- ------- ------- ----------
Console> (enable)

Modifying Normal-Range VLANs

To modify the VLAN parameters on an existing normal-range VLAN, perform this task in privileged mode:

 
Step 1  Task:    Modify an existing normal-range VLAN.
        Command: set vlan vlan [name name] [state {active | suspend}] [said said] [mtu mtu] [translation vlan]
Step 2  Task:    Verify the VLAN configuration.
        Command: show vlan [vlan]

Configuring Extended-Range VLANs on the Switch

These sections explain how to configure extended-range VLANs 1025-4094:

Extended-Range VLAN Configuration Guidelines

Creating Extended-Range VLANs

Extended-Range VLAN Configuration Guidelines

This section describes the guidelines for creating extended-range VLANs 1024-4094:

You can create only Ethernet-type VLANs in the extended range.

You must enable MAC address reduction in order to use the extended-range VLANs.

You can only create and delete the extended-range VLANs from the CLI or SNMP.

You cannot use VTP to manage these VLANs; they must be statically configured on each switch.


Note With VTP version 3, you can manage VLANs 1006-4094. These VLANs are propagated with VTP version 3. For configuration purposes, the extended range consists of VLANs 1025-4094.


You cannot use the extended-range VLANs if you have dot1q-to-isl mappings.

You can configure the private VLAN parameters and RSPAN for the extended-range VLANs; however, all other parameters for the extended-range VLANs use the system defaults only.

The switch may allocate a block of VLANs from the extended range for internal purposes; for example, the switch may allocate the VLANs for the routed ports or FlexWAN modules. The block of VLANs is always allocated starting from VLAN 1006 up. If you have any user VLANs within the range that the FlexWAN module requires, not all of the required VLANs are allocated, because internal VLANs are never allocated from the user's VLAN area.


Caution The FlexWAN modules and routed ports automatically allocate a sequential block of internal VLANs starting at VLAN 1006. If you use these devices, you must allow the required number of VLANs for them. If not enough VLANs are available for the FlexWAN module, some ports may not work. Refer to the Catalyst 6500 Series and Cisco 7600 Series Router FlexWAN Module Installation and Configuration Note for more information.


Caution If you move a FlexWAN module from one slot to another on the same switch, it will allocate another block of VLANs without deleting the previous block. You should reboot the switch if you move the FlexWAN module.

Creating Extended-Range VLANs

To create the extended-range VLANs, you must first enable MAC address reduction, which provides the IDs for the extended-range VLANs. After you enable MAC address reduction, you cannot disable it as long as any extended-range VLANs exist.


Note If you wish to use the extended-range VLANs and you have existing 802.1Q-to-ISL mappings in your system, you must delete the mappings. See the "Deleting 802.1Q-to-ISL VLAN Mappings" section for more information.



Note With software release 8.1(1) and later releases, you can name the extended-range VLANs. This capability is independent of any VTP version or mode.


To enable MAC address reduction and create an Ethernet VLAN in the extended range, perform this task in privileged mode:

 
Step 1  Task:    Enable MAC address reduction.
        Command: set spantree macreduction {enable | disable}
Step 2  Task:    Create a VLAN.
        Command: set vlan vlan
Step 3  Task:    Verify the VLAN configuration.
        Command: show vlan [vlan]

This example shows how to enable MAC address reduction and create an extended-range Ethernet VLAN:

Console> (enable) set spantree macreduction enable
MAC address reduction enabled
Console> (enable) set vlan 2000 
Vlan 2000 configuration successful
Console> (enable) show vlan 2000
VLAN Name                             Status    IfIndex Mod/Ports, Vlans
---- -------------------------------- --------- ------- ------------------------
2000 VLAN2000                         active    61

VLAN Type  SAID       MTU   Parent RingNo BrdgNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ ------ ---- -------- ------ ------
2000 enet  102000     1500  -      -      -      -    -        0      0

VLAN Inst DynCreated  RSPAN
---- ---- ---------- --------
2000 -    static     disabled
Console> (enable)

This example shows how to display a summary of active, suspended, and extended VLANs:

Console> (enable) show vlan summary

Vlan status    Count  Vlans
-------------  --------------------------------------------------------
VTP Active       504   1-100,102-500,1000,1002-1005
VTP Suspended      1   101
Extended           1   2000
Console> (enable)

Mapping VLANs to VLANs


Note To configure the VLAN mappings on a per-port or per-ASIC basis, see the "Configuring VLAN Mappings on a Per-Port or Per-ASIC Basis" section.



Note With software release 8.3(1) and later releases, the global VLAN mapping feature is not needed because ISL trunks now support the entire VLAN range (1 to 4094).


You can map the VLANs from the 802.1Q trunks that are connected to the VLANs on the non-Cisco devices to the ISL trunks that are connected to the other VLANs on the Catalyst 6500 series switches.


Note If you map the 802.1Q VLANs to the ISL VLANs, you can retain the mappings from a previous Catalyst 6500 series software release but you cannot use the extended-range VLANs.


This section describes how to map the VLANs to VLANs:

Mapping 802.1Q VLANs to ISL VLANs

Deleting 802.1Q-to-ISL VLAN Mappings

Mapping 802.1Q VLANs to ISL VLANs

Your network might have non-Cisco devices that are connected to the Catalyst 6500 series switches through the 802.1Q trunks.

The valid range of the user-configured Inter-Switch Link (ISL) VLANs is 1-1000 (and 1002-1005) and 1025-4094. The valid range of VLANs that is specified in the IEEE 802.1Q standard is 0-4095. In a network environment with the non-Cisco devices that are connected to the Cisco switches through the 802.1Q trunks, you can map the 802.1Q VLAN numbers that are greater than 1000 to the ISL VLAN numbers. If you use any VLANs in the extended range (1025-4094) for dot1q mappings, you cannot use any of the extended-range VLANs for any other purpose.

The 802.1Q VLANs in the range 1-1000 are automatically mapped to the corresponding ISL VLAN. The 802.1Q VLAN numbers greater than 1000 must be mapped to an ISL VLAN in order to be recognized and forwarded by the Cisco switches.

These restrictions apply when mapping the 802.1Q VLANs to the ISL VLANs:

The global VLAN mapping feature and the per-port/per-ASIC VLAN mapping features (see the "Configuring VLAN Mappings on a Per-Port or Per-ASIC Basis" section) are mutually exclusive; only one feature can be enabled at any time.

If there are any extended-range VLANs present on the switch, you cannot map any new 802.1Q VLANs to ISL VLANs.

You can configure up to eight 802.1Q-to-ISL VLAN mappings on the switch.

You can only map the 802.1Q VLANs to the Ethernet-type ISL VLANs.

Do not enter the native VLAN of any 802.1Q trunk in the mapping table.

When you map an 802.1Q VLAN to an ISL VLAN, the traffic on the 802.1Q VLAN corresponding to the mapped ISL VLAN is blocked. For example, if you map 802.1Q VLAN 2000 to ISL VLAN 200, the traffic on 802.1Q VLAN 200 is blocked.

The VLAN mappings are local to each switch. Make sure that you configure the same VLAN mappings on all appropriate switches in the network.

To map an 802.1Q VLAN to an ISL VLAN, perform this task in privileged mode:

 
Step 1  Task:    Map an 802.1Q VLAN to an ISL Ethernet VLAN. The valid range for dot1q_vlan is 1001-4095. The valid range for isl_vlan is 1-1000.
        Command: set vlan mapping dot1q dot1q_vlan isl isl_vlan
Step 2  Task:    Verify the VLAN mapping.
        Command: show vlan mapping

This example shows how to map 802.1Q VLANs 2000, 3000, and 4000 to ISL VLANs 200, 300, and 400, and verify the configuration:

Console> (enable) set vlan mapping dot1q 2000 isl 200 
Vlan mapping successful
Console> (enable) set vlan mapping dot1q 3000 isl 300
Vlan mapping successful
Console> (enable) set vlan mapping dot1q 4000 isl 400
Vlan mapping successful
Console> (enable) show vlan mapping
802.1q vlan     ISL vlan        Effective
------------------------------------------
2000            200             true
3000            300             true
4000            400             true
Console> (enable)
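
The restrictions listed in this section can be checked mechanically against the output of show vlan mapping. The following audit script is an added example, not Cisco code; the sample table is the one from the example above, and the other inputs (VLANs configured on the switch, trunk native VLANs, 802.1Q VLAN numbers in use) are assumptions about what an operator collects separately.

```python
import re

# Ranges and limits as stated on this page.
DOT1Q_RANGE = range(1001, 4096)      # valid dot1q_vlan: 1001-4095
ISL_RANGE = range(1, 1001)           # valid isl_vlan: 1-1000
EXTENDED_RANGE = range(1025, 4095)   # extended-range VLANs: 1025-4094
MAX_MAPPINGS = 8                     # up to eight mappings per switch

# A data row of `show vlan mapping`: dot1q VLAN, ISL VLAN, Effective flag.
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(true|false)\s*$")

# Output copied from the example on this page.
SAMPLE_OUTPUT = """\
802.1q vlan     ISL vlan        Effective
------------------------------------------
2000            200             true
3000            300             true
4000            400             true
"""


def parse_vlan_mapping(text):
    """Return [(dot1q_vlan, isl_vlan, effective)] from `show vlan mapping` text."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((int(m.group(1)), int(m.group(2)), m.group(3) == "true"))
    return rows


def audit_mappings(rows, configured_vlans=(), native_vlans=(), dot1q_in_use=()):
    """Check a mapping table against the restrictions; return [(code, detail)].

    configured_vlans: VLAN IDs that exist on the switch (assumed input).
    native_vlans:     native VLANs of the 802.1Q trunks (assumed input).
    dot1q_in_use:     802.1Q VLAN numbers the attached devices send (assumed input).
    """
    findings = []
    if len(rows) > MAX_MAPPINGS:
        findings.append(("TOO_MANY", f"{len(rows)} mappings, limit is {MAX_MAPPINGS}"))
    # Mappings and extended-range VLANs cannot coexist on the switch.
    extended = sorted(v for v in configured_vlans if v in EXTENDED_RANGE)
    if rows and extended:
        findings.append(("EXTENDED_CONFLICT",
                         f"extended-range VLANs {extended} exist alongside mappings"))
    for dot1q, isl, _effective in rows:
        if dot1q not in DOT1Q_RANGE:
            findings.append(("DOT1Q_RANGE", f"dot1q VLAN {dot1q} outside 1001-4095"))
        if isl not in ISL_RANGE:
            findings.append(("ISL_RANGE", f"ISL VLAN {isl} outside 1-1000"))
        # The page does not say which column the native-VLAN rule targets,
        # so both columns are checked here (assumption).
        for vlan in (dot1q, isl):
            if vlan in native_vlans:
                findings.append(("NATIVE_VLAN", f"native VLAN {vlan} is in the table"))
        # Mapping dot1q -> isl blocks traffic on the 802.1Q VLAN numbered isl.
        if isl in dot1q_in_use:
            findings.append(("BLOCKED",
                             f"802.1Q VLAN {isl} is blocked by mapping {dot1q}->{isl}"))
    return findings


if __name__ == "__main__":
    table = parse_vlan_mapping(SAMPLE_OUTPUT)
    # Constructed inventory: VLAN 2500 exists locally, a neighbor sends 802.1Q VLAN 200.
    for code, detail in audit_mappings(table, configured_vlans={1, 200, 2500},
                                       native_vlans={1}, dot1q_in_use={200, 2000}):
        print(code, detail)
```

Because the mappings are local to each switch, run the same check against every switch that shares the trunks and compare the parsed tables.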

Deleting 802.1Q-to-ISL VLAN Mappings

To delete an 802.1Q-to-ISL VLAN mapping, perform this task in privileged mode:

 
Step 1  Task:    Delete an 802.1Q-to-ISL VLAN mapping.
        Command: clear vlan mapping dot1q {dot1q_vlan | all}
Step 2  Task:    Verify the VLAN mapping.
        Command: show vlan mapping

This example shows how to delete the VLAN mapping for 802.1Q VLAN 2000:

Console> (enable) clear vlan mapping dot1q 2000
Vlan 2000 mapping entry deleted
Console> (enable)

This example shows how to delete all 802.1Q-to-ISL VLAN mappings:

Console> (enable) clear vlan mapping dot1q all
All vlan mapping entries deleted
Console> (enable)

Allocating Internal VLANs

The VLANs are classified as either user VLANs or internal VLANs. A user VLAN can be any VLAN from 1-4094 created by a user. The internal VLANs are the VLANs that are used by the software features that require the dedicated VLANs in order to function. The internal VLANs are allocated by the VLAN Manager as needed using VLANs 1006-4094. The internal VLANs are allocated in ascending order, starting at VLAN 1006. You should assign the user VLANs as close to VLAN 4094 as possible in order to avoid conflicts between the user VLANs and the internal VLANs.


Note Because the number of available VLANs is fixed, make sure that a sufficient number of VLANs remains available for internal VLAN allocation after you have assigned the user VLANs.


Assigning Switch Ports to a VLAN

A VLAN that is created in a management domain remains unused until you assign one or more switch ports to the VLAN. You can create a new VLAN and then specify the module and ports later, or you can create the VLAN and specify the module and ports in a single step.


Note Make sure that you assign the switch ports to a VLAN of the proper type. For example, assign the Ethernet, Fast Ethernet, and Gigabit Ethernet ports to the Ethernet-type VLANs.


To assign one or more switch ports to a VLAN, perform this task in privileged mode:

 
Step 1  Task:    Assign one or more switch ports to a VLAN.
        Command: set vlan vlan mod/port
Step 2  Task:    Verify the port VLAN membership.
        Command: show vlan [vlan]
                 show port [mod[/port]]

This example shows how to assign the switch ports to a VLAN and verify the assignment:

Console> (enable) set vlan 560 4/10
VLAN 560 modified.
VLAN 1 modified.
VLAN  Mod/Ports
---- -----------------------
560   4/10
Console> (enable) show vlan 560
VLAN Name                             Status    IfIndex Mod/Ports, Vlans
---- -------------------------------- --------- ------- ------------------------
560  Engineering                      active    348     4/10
VLAN Type  SAID       MTU   Parent RingNo BrdgNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ ------ ---- -------- ------ ------
560  enet  100560     1500  -      -      -      -    -        0      0
VLAN AREHops STEHops Backup CRF
---- ------- ------- ----------
Console> (enable) show port 4/10
Port  Name               Status     Vlan       Duplex Speed Type
----- ------------------ ---------- ---------- ------ ----- ------------
4/10                     connected  560        a-half a-100 10/100BaseTX

Port  AuxiliaryVlan AuxVlan-Status
----- ------------- --------------
 4/10  none          none   

.
.
.

Last-Time-Cleared
--------------------------
Tue Jun 6 2000, 16:45:18
Console> (enable) 

Enabling or Disabling VLAN Port-Provisioning Verification

When VLAN port-provisioning verification is enabled, you must specify the VLAN name in addition to the VLAN number when assigning the switch ports to the VLANs. Because you are required to specify both the VLAN name and the VLAN number, this verification feature helps to ensure that the ports are not inadvertently placed in the wrong VLAN.

When the feature is enabled, you can still create new VLANs by entering the set vlan vlan mod/port command but you cannot add additional ports to the VLAN without specifying both the VLAN number and the VLAN name. The feature does not affect assigning ports to VLANs using other features such as SNMP, dynamic VLANs, and 802.1X. VLAN port-provisioning verification is disabled by default.

To enable or disable VLAN port-provisioning verification, perform this task in privileged mode:

 
Step 1  Task:    Enable or disable VLAN port-provisioning verification.
        Command: set vlan verify-port-provisioning {enable | disable}
Step 2  Task:    Verify the VLAN port-provisioning verification status.
        Command: show vlan verify-port-provisioning

This example shows how to enable VLAN port-provisioning verification:

Console> (enable) set vlan verify-port-provisioning enable
vlan verify-port-provisioning feature enabled
Console> (enable) 

This example shows how to verify the status of VLAN port-provisioning verification:

Console> (enable) show vlan verify-port-provisioning
Vlan Verify Port Provisioning feature enabled
Console> (enable) 

This example shows how to create VLAN 150 and add port 3/16 (with VLAN port-provisioning verification enabled):

Console> (enable) set vlan 150 3/16
Vlan 150 configuration successful
VLAN 150 modified.
VLAN 1 modified.
VLAN  Mod/Ports
---- -----------------------
150   3/16
Console> (enable) 

This example shows what happens when you try to add port 3/17 to VLAN 150 with VLAN port-provisioning verification enabled:

Console> (enable) set vlan 150 3/17
Port Provisioning Verification is enabled on the switch.
To move port(s) into the VLAN, use 'set vlan <vlan> <port> <vlan_name>' command.
Console> (enable) 

This example shows how to add port 3/17 to VLAN 150 with VLAN port-provisioning verification enabled:

Console> (enable) set vlan 150 name Eng 
VTP advertisements transmitting temporarily stopped,
and will resume after the command finishes.
Vlan 150 configuration successful
Console> (enable) 

Console> (enable) set vlan 150 3/17 Eng
VLAN 150 modified.
VLAN 1 modified.
VLAN  Mod/Ports
---- -----------------------
150   3/16-17
Console> (enable) 

Deleting a VLAN

This section describes the guidelines for deleting the VLANs:

When you delete a normal-range Ethernet VLAN in VTP server mode, the VLAN is removed from all switches in the VTP domain.

When you delete a normal-range VLAN in VTP transparent mode, the VLAN is deleted only on the current switch.

You can delete an extended-range VLAN only on the switch where it was created.

You cannot delete the default VLANs.

To delete a Token Ring TrBRF VLAN, you must first reassign its child TrCRFs to another parent TrBRF, or delete the child TrCRFs.


Caution When you delete a VLAN, any ports that are assigned to that VLAN become inactive. Such ports remain associated with the VLAN (and are inactive) until you assign them to a new VLAN.

You can delete a single VLAN or a range of VLANs. To delete a VLAN on the switch, perform this task in privileged mode:

Task:    Delete a VLAN.
Command: clear vlan vlan


This example shows how to delete a VLAN (in this case, the switch is a VTP server):

Console> (enable) clear vlan 500
This command will deactivate all ports on vlan(s) 500
Do you want to continue(y/n) [n]?y
Vlan 500 deleted
Console> (enable)

This command will deactivate all ports on vlan(s) 10
All ports on normal range vlan(s) 10
will be deactivated in the entire management domain.
Do you want to continue(y/n) [n]?

Configuring VLAN Mappings on a Per-Port or Per-ASIC Basis

These sections describe how to configure VLAN mapping on a per-port or per-ASIC basis:

Understanding VLAN Mapping

Configuration Guidelines and Restrictions

Enabling or Disabling VLAN Mapping on an Individual Port

Configuring VLAN Mapping on an Individual Port

Clearing the VLAN Mapping

Displaying the VLAN Mapping Information

Understanding VLAN Mapping

With software release 8.4(1) and later releases, VLAN mapping has been enhanced to allow you to map any type of VLAN to any other type of VLAN without any VLAN range restrictions. VLAN mapping is now configurable on a per-port or per-ASIC basis.


Note Before software release 8.4(1), VLAN mapping was configured globally. For detailed information, see the "Mapping VLANs to VLANs" section.


Configuration Guidelines and Restrictions

This section describes the configuration guidelines and restrictions for configuring VLAN mapping:

With VLAN mapping, you have the following options depending on the type of ASIC on the switching module or supervisor engine (for the individual module ASIC specifics, see Table 11-2):

VLAN mapping is not supported.

Per-port VLAN mapping is supported.

Per-ASIC VLAN mapping without the ability to enable or disable VLAN mapping on an individual port basis is supported.

Per-ASIC VLAN mapping with the ability to enable or disable VLAN mapping on an individual port basis is supported.

If a module does not support per-port VLAN mapping and supports only per-ASIC VLAN mapping, VLAN mapping is applied to all the ports in the ASIC. If you change the mapping for any port in the ASIC, the change is applied to all the ports in the ASIC.

Global VLAN mapping

The global VLAN mapping feature (see the "Mapping VLANs to VLANs" section) and the per-port/per-ASIC VLAN mapping features are mutually exclusive; only one feature can be enabled at any time.

If global VLAN mapping is configured for any of the VLANs and you try to configure per-port/per-ASIC VLAN mapping, the command is rejected and an error message is displayed. Conversely, if per-port/per-ASIC VLAN mapping is configured for any of the VLANs and you try to configure global VLAN mapping, the command is rejected and an error message is displayed.

Global VLAN mapping supports a maximum of eight VLANs. If VLAN X is mapped to VLAN Y, VLAN Y is mapped to a discarded VLAN internally. Per-port/per-ASIC VLAN mapping does not work that way. If VLAN X is mapped to VLAN Y, all the internally switched traffic to a port on VLAN Y is mapped to VLAN X.

VLAN mapping is applied in both directions. For example, if port P has a VLAN mapping of VLAN X to VLAN Y, all the traffic received by port P on VLAN X is mapped and processed in VLAN Y, and all the traffic internally tagged with VLAN Y that leaves port P is tagged with VLAN X.

EtherChannel

VLAN mapping is supported on EtherChannels, both PAgP and LACP. If you enable or disable VLAN mapping on one port of the channel, the feature is enabled or disabled on all the ports in the channel. Similarly, if you configure a VLAN mapping on one port in the channel, the mapping is applied to all ports in the channel.

All the ports in the EtherChannel must have the same port ASIC capability in terms of VLAN mapping. If you try to configure a VLAN mapping on an EtherChannel where some of the ports in the channel do not have the same port ASIC capabilities, the command is rejected.

SPAN and RSPAN

If per-port VLAN mapping is enabled on a port, the port ASIC changes the source VLAN to the translated VLAN. Any SPAN configuration works on the translated VLAN.

The RSPAN VLAN cannot be translated; you must not configure the RSPAN VLAN to be mapped to any VLAN. Similarly, the translated VLAN cannot be used as an RSPAN VLAN.

Spanning tree

In the PVST+ implementation, spanning-tree BPDUs are tagged with a TLV of "VLAN ID" on each trunk port. This TLV helps spanning tree in determining the port VLAN ID consistency. In PVST+ and Rapid-PVST+, this VLAN ID is equal to the spanning-tree instance number (the VLAN ID).

With Shared Spanning Tree Protocol (SSTP), be careful when per-port/per-ASIC VLAN mapping is enabled on a port. For example, in Figure 11-2, switch 1 and switch 2 are connected using trunk T that carries VLAN 101. On switch 2, per-port/per-ASIC VLAN mapping is enabled on trunk port P and one of the mappings is VLAN 101 to VLAN 202. As shown in Figure 11-2, on the trunk link, the BPDU has the 802.1Q VLAN and the TLV VLAN as VLAN 101. When this BPDU reaches port P, its 802.1Q VLAN is changed to VLAN 202 because of the mapping, but the TLV VLAN still remains VLAN 101. When the BPDU reaches the spanning-tree process, spanning tree concludes that a VLAN 101 BPDU was received on VLAN 202, treats this as an inconsistency, and reports the port as inconsistent.

To correct this problem, the spanning tree processes this BPDU in VLAN 202 and the TLV VLAN is mapped to the translated VLAN and checked for consistency. When that occurs, the spanning-tree instance 101 of switch 1 is merged with the spanning-tree instance 202 of switch 2. This process is also done on the transmit side.

Figure 11-2 Understanding VLAN Mapping and Spanning Tree


Tip Before designing your spanning-tree topology, you should take into account the way in which VLANs are merged. You should clear the source VLAN from the port on which VLAN mapping is enabled and clear the translated VLAN from the neighboring end. Doing this ensures that the source VLAN of the customer port and the translated VLAN of the provider port are merged.


Table 11-2 Per-Module Port ASIC VLAN Mapping Capabilities

Modules: WS-X6548-RJ-45, WS-X6548-RJ-21, WS-X6148X2-RJ-45, WS-X6148X2-45AF, WS-X6196-RJ-21 (1)
Maximum number of per-port VLAN mappings supported: 32
Capabilities/limitations: Per-ASIC VLAN mapping. Mapping can be enabled or disabled on a per-port basis on ISL trunks. Mapping is always on for 802.1Q trunks and there is no way to disable it. Mapping is supported for ISL and 802.1Q trunks.

Modules: WS-X6K-S2U-MSFC2, WS-X6K-S2-MSFC2, WS-X6K-S2-PFC2, WS-SUP720-3B, WS-SUP720-3BXL, WS-SUP720, WS-X6516A-GBIC (2), WS-X6516-GE-TX
Maximum number of per-port VLAN mappings supported: 32
Capabilities/limitations: Per-ASIC VLAN mapping. Mapping can be enabled or disabled on individual ports in the ASIC. Supports any-to-any type of VLAN translation. Supported only on 802.1Q trunks. (3)

Modules: WS-X6748-SFP (4), WS-X6724-SFP, WS-X6748-GE-TX
Maximum number of per-port VLAN mappings supported: 128
Capabilities/limitations: Per-ASIC VLAN mapping. Mapping can be enabled or disabled on individual ports in the ASIC. Supports any-to-any type of VLAN translation. Mapping is supported for ISL and 802.1Q trunks.

Modules: WS-X6148A-GE-TX, WS-X6148A-GE-45A, WS-X6148-FE-SFP, WS-X6148A-RJ-45, WS-X6148A-45AF, WS-X6704-10GE (5)
Maximum number of per-port VLAN mappings supported: 8
Capabilities/limitations: Per-port VLAN mapping. Supports any-to-any type of VLAN translation. Mapping is supported for ISL and 802.1Q trunks.

Modules: WS-X6502-10GE
Maximum number of per-port VLAN mappings supported: 16
Capabilities/limitations: Per-port VLAN mapping. Supports any-to-any type of VLAN translation. Supported only on 802.1Q trunks.

Modules: WS-SUP32-GE-3B
Maximum number of per-port VLAN mappings supported: 16
Capabilities/limitations: Per-port VLAN mapping. Supports any-to-any type of VLAN translation. Mapping is supported for ISL and 802.1Q trunks.

(1) WS-X6196-RJ-21 does not have per-ASIC VLAN mapping. VLAN mapping is per-two ASICs: Ports 1 through 96 (instead of only 48 ports per ASIC).

(2) WS-X6516A-GBIC does not have per-ASIC VLAN mapping. VLAN mapping is per-two ASICs: Ports 1 through 8 and ports 9 through 16 (instead of only 4 ports per ASIC).

(3) The ASICs in these modules have the following limitation: When dot1q-all-tagged is disabled, VLAN translation does not occur for packets transmitted on the native VLAN.

(4) WS-X6748-SFP does not have per-ASIC VLAN mapping. VLAN mapping is per-two ASICs: Ports 1 through 24 and ports 25 through 48 (instead of only 12 ports per ASIC).

(5) WS-X6704-10GE: Mapping can be enabled or disabled on individual ports in the ASIC. 128 per-port VLAN mappings supported.


Enabling or Disabling VLAN Mapping on an Individual Port


Note Before using the set port vlan-mapping command to configure VLAN mapping on an individual port, you must enable port VLAN mapping by entering the set port vlan-mapping mod/port enable command.


Enter the set port vlan-mapping mod/port {enable | disable} command to enable or disable VLAN mapping on an individual port. VLAN translation occurs only when the mapping is enabled and the port is trunking. For the ASICs that support VLAN mapping only on a per-ASIC basis, but with the ability to enable or disable VLAN mapping on an individual port basis, this command is applied to the port configuration only and not to the ASIC. If you disable VLAN mapping, the mapping is still preserved. VLAN mapping is disabled by default.

To enable or disable VLAN mapping on an individual port, perform this task in privileged mode:

 
Step 1
Task: Enable or disable VLAN mapping on an individual port.
Command: set port vlan-mapping mod/port {enable | disable}

Step 2
Task: Display VLAN mapping configuration.
Command: show port vlan-mapping [mod | mod/port]

This example shows how to enable VLAN mapping on an individual port:

Console>(enable) set port vlan-mapping 7/1 enable
VLAN mapping enabled on port 7/1.
Console>(enable)

Configuring VLAN Mapping on an Individual Port


Note Before using the set port vlan-mapping command, you must enable the port VLAN mapping by entering the set port vlan-mapping mod/port enable command.



Note The source VLAN is the trunk VLAN (external to the switch) and the translated VLAN is internal to the switch.


Enter the set port vlan-mapping mod/port source-vlan-id translated-vlan-id command to configure VLAN mapping on an individual port. This command causes the traffic on the source-vlan-id to be translated to the translated-vlan-id. All traffic that is internally tagged with the translated-vlan-id is tagged with the source-vlan-id before leaving the port. The VLAN translation occurs only if the port is trunking. This command accepts the full range of ports.

To configure VLAN mapping on an individual port, perform this task in privileged mode:

 
Step 1
Task: Enable the port VLAN mapping.
Command: set port vlan-mapping mod/port {enable | disable}

Step 2
Task: Configure VLAN mapping on an individual port.
Command: set port vlan-mapping mod/port source-vlan-id translated-vlan-id

Step 3
Task: Display VLAN mapping configuration.
Command: show port vlan-mapping [mod | mod/port]

This example shows how to enable the port VLAN mapping and configure VLAN mapping on an individual port. In this example, module 7 is the 48-port 10/100/1000 switching module (WS-X6748-GE-TX). This module supports per-ASIC VLAN mapping; 1 ASIC supports 12 ports.

Console>(enable) set port vlan-mapping 7/1 enable
VLAN mapping enabled on port 7/1.
Console>(enable) set port vlan-mapping 7/1 2002 3003
VLAN 2002 mapped to VLAN 3003 on ports 7/1-12.
Console>(enable) show port vlan-mapping 7/1
Mod/Port Source VLAN Translated VLAN State       Max Allowed (Current) Entries
-------- ----------- --------------- ----------- -----------------------------
7/1      2002        3003            Enabled     128 (1)
Console>(enable)

In this example, module 5 is the 1-port 10GBASE-E serial 10-Gigabit Ethernet module (WS-X6502-10GE). This module supports per-port VLAN mapping.

Console>(enable) set port vlan-mapping 5/1 2002 3003
VLAN 2002 mapped to VLAN 3003 on port 5/1.
Console>(enable)

In this example, module 7 is the 48-port 10/100/1000 switching module (WS-X6748-GE-TX). This module supports per-ASIC VLAN mapping; 1 ASIC supports 12 ports. In this example, ports 7/1-4 are part of an EtherChannel.

Console>(enable) set port vlan-mapping 7/1 2002 3003 
VLAN 2002 mapped to VLAN 3003 on ports 7/1-12.
Console>(enable)

In this example, module 7 and module 8 are the 48-port 10/100/1000 switching modules (WS-X6748-GE-TX). These modules support per-ASIC VLAN mapping; 1 ASIC supports 12 ports. In this example, ports 7/1-4 and ports 8/1-4 are part of an EtherChannel.

Console>(enable) set port vlan-mapping 7/1 2002 3003 
VLAN 2002 mapped to VLAN 3003 on ports 7/1-12,8/1-12.
Console>(enable)

Clearing the VLAN Mapping

Enter the clear port vlan-mapping command to clear the VLAN mapping on an individual port, on all ports, or on a specific source VLAN ID. On some modules, VLAN mapping is supported on a per-ASIC basis; the mapping is not stored on a per-port basis. For these modules, entering the clear port vlan-mapping mod/port command clears the VLAN mapping on all ports on the ASIC. When you enter a source-vlan-id argument, only the VLAN mapping for that source VLAN is cleared from the VLAN mapping table of the specified port (or of its ASIC, if the port is ASIC-based).

To clear VLAN mapping, perform this task in privileged mode:

Task: Clear VLAN mapping.
Command:
clear port vlan-mapping mod/port all
clear port vlan-mapping mod/port [source-vlan-id]
clear port vlan-mapping all


This example shows how to clear the VLAN mapping from port 7/1:

Console>(enable) clear port vlan-mapping 7/1 2002
VLAN mapping for VLAN 2002 removed from port 7/1-12.
Console>(enable)
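
Because a set or clear command entered on one port can apply to every port that shares its ASIC mapping table (and, per the EtherChannel examples above, to the tables of the other channel members), it helps to compute that scope before making the change. The following Python sketch is an added example, not Cisco tooling: the function names and the CHASSIS layout are hypothetical, the module data is copied from Table 11-2 and its footnotes, and the EtherChannel behavior is inferred from the example outputs on this page.

```python
# Ports sharing one mapping table and maximum mappings per table, copied from
# Table 11-2 and its footnotes for modules where the page states both values.
MODULES = {
    "WS-X6748-GE-TX": (12, 128),  # per-ASIC; 1 ASIC supports 12 ports
    "WS-X6748-SFP": (24, 128),    # per two ASICs: ports 1-24 and 25-48
    "WS-X6516A-GBIC": (8, 32),    # per two ASICs: ports 1-8 and 9-16
    "WS-X6502-10GE": (1, 16),     # per-port mapping
}


def table_ports(model, port):
    """Return (first, last) of the port group sharing a mapping table with port."""
    group, _ = MODULES[model]
    first = (port - 1) // group * group + 1
    return first, first + group - 1


def affected_ports(chassis, mod, port, channel=()):
    """Ports touched by 'set/clear port vlan-mapping mod/port ...'.

    chassis maps slot -> module model; channel lists the (mod, port) members
    of the EtherChannel that mod/port belongs to (assumed to be kept in sync,
    as the page's EtherChannel examples show).
    """
    groups = {(m, *table_ports(chassis[m], p)) for m, p in {(mod, port), *channel}}
    return ",".join(f"{m}/{a}" if a == b else f"{m}/{a}-{b}"
                    for m, a, b in sorted(groups))


def audit(chassis, planned):
    """Check planned (mod, port, source_vlan, translated_vlan) entries.

    Flags entries that disagree with another port on the same shared table
    and tables that would exceed the module's maximum number of mappings.
    """
    tables, problems = {}, []
    for mod, port, src, dst in planned:
        model = chassis[mod]
        table = tables.setdefault((mod, *table_ports(model, port)), {})
        if table.setdefault(src, dst) != dst:
            problems.append(f"{mod}/{port}: VLAN {src} already mapped to "
                            f"{table[src]} on {affected_ports(chassis, mod, port)}")
        elif len(table) > MODULES[model][1]:
            problems.append(f"{mod}/{port}: table {affected_ports(chassis, mod, port)} "
                            f"exceeds {MODULES[model][1]} mappings")
    return problems


# Constructed chassis layout matching the modules named in the page's examples.
CHASSIS = {5: "WS-X6502-10GE", 7: "WS-X6748-GE-TX", 8: "WS-X6748-GE-TX"}
```

With this layout, affected_ports(CHASSIS, 7, 1) returns 7/1-12, matching the port range the switch reports in the examples above.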

Displaying the VLAN Mapping Information

Enter the show port vlan-mapping [mod | mod/port] command to display the VLAN mapping information.

To display VLAN mapping information, perform this task in normal mode:

Task: Display the VLAN mapping information.
Command: show port vlan-mapping [mod | mod/port]


This example shows how to display the VLAN mapping information for port 7/1:

Console>(enable) show port vlan-mapping 7/1