Table of Contents

Configuring Virtual LANs

This chapter describes basic configuration tasks for Virtual LANs (VLANs) and includes the following sections:

About VLANs

VLANs enable network managers to group users logically rather than by physical location. A VLAN emulates a standard LAN, which allows data transfer and communication to occur without the traditional restraints placed on the network. It can also be considered a broadcast domain set up within a switch. With VLANs, switches can support more than one subnetwork (or VLAN) on each switch, and give routers and switches the opportunity to support multiple subnets on a single physical link. A group of devices on a LAN is configured so that the devices communicate as if they were attached to the same LAN segment. In actuality, the devices are located on different segments. Figure 8-1 shows an example of VLANs segmented into logically defined networks.

VLANs enable efficient traffic separation and provide excellent bandwidth utilization. VLANs also alleviate scaling issues by logically segmenting the physical LAN structure into different subnetworks so that packets are switched only between ports within the same VLAN. This can be very useful for security, broadcast containment, and accounting.

Layer 3 switching software supports a port-based VLAN on a trunk port, which is a port that carries the traffic of multiple VLANs. Each frame transmitted on a trunk link is tagged as belonging to only one VLAN.

Figure 8-2 shows three VLANs configured from a Layer 2 switch, which connects to a
Catalyst 8540 CSR through a trunk line.

VLAN Encapsulation

Layer 3 switching software supports VLAN frame encapsulation through the Inter-Switch Link (ISL) protocol and the 802.1Q standard.

To configure encapsulation over the EtherChannel, see the "About Encapsulation over EtherChannel" section.

Note   The four adjacent ports (such as 0 through 3, or 4 through 7) on a 10/100 interface must all use the same VLAN encapsulation; that is, either 802.1Q, or ISL.

Configuring VLANs for Routing or Bridging

VLANS can be configured for routing or bridging, depending on the type of traffic you are running. IP and IPX traffic can be routed. Non-IP/IPX traffic, such as LAT traffic, must be bridged. The following sections describe how to route and bridge traffic between VLANs with ISL and 802.1Q encapsulation.

Note   For information about configuring IP traffic, see the "Configuring IP Routing Protocols" section on. For information about configuring IPX traffic, see the "Configuring Novell IPX Routing" section on.

Maximum VLAN Bridge Group Values

The maximum VLAN bridge group values follow:

Configuring VLANs with ISL Encapsulation

Inter-Switch Link (ISL) is a Cisco protocol for interconnecting multiple switches and maintaining VLAN information as traffic travels between switches. This section describes how to configure VLANs with ISL encapsulation.

Routing IP Traffic Between VLANs with ISL Encapsulation

To route IP traffic between VLANs with ISL encapsulation, perform the following steps, beginning in global configuration mode.

Example

The following example shows how to configure three VLANs (VLAN 1, VLAN 2, VLAN 3) for IP routing with ISL encapsulation:

Note   When configuring ISL with IP, you cannot configure IP addresses on a subinterface unless the VLANs are already configured (that is, you must have already entered the encapsulation isl command). This is not the case with IPX; you can configure IPX networks on a subinterface even when the VLANs have not been configured.

Verifying the ISL Configuration (Routing IP Traffic Between VLANs)

To verify the ISL configuration, use the following EXEC command:

Example

The following example shows the resulting configuration, using the show running-config command:

Routing IPX Traffic Between VLANs with ISL Encapsulation

To route IPX traffic between VLANs with ISL encapsulation, perform the following steps, beginning in global configuration mode:

Example

The following example shows how to configure VLANs with ISL encapsulation and assign different IPX networks and encapsulation for each subinterface:

Verifying the ISL Configuration (Routing IPX Traffic Between VLANs)

To verify the ISL configuration, use the following EXEC command:

Example

The following example shows the resulting configuration, using the show running-config command:

Bridging Non-IP/IPX Traffic Between VLANs with ISL Encapsulation

To bridge non-IP/IPX traffic between VLANs with ISL encapsulation, perform the following steps, beginning in global configuration mode:

Example

The following example shows how to configure three VLANs (VLAN 1, VLAN 2, VLAN 3) and perform bridging with ISL encapsulation:

The following ping command confirms connectivity between the Catalyst 8540 CSR [C8540BldgA] in Building A and a SunSPARC workstation in building B [SunSPARCBldgB] with IP address 172.20.52.60:

The following ping command confirms connectivity between the Catalyst 8540 CSR in Building A and an Intel PC in building A with IP address 172.20.52.35:

The following traceroute command confirms connectivity and shows the hops between the Catalyst 8540 CSR in Building A and the Intel PC in building A with IP address 172.20.52.35:

The following traceroute command confirms connectivity and shows the hops between the Catalyst 8540 CSR in Building A and the Sun SPARC workstation in building B with IP address 172.20.52.60:

Note   For a complete configuration example for VLANs with ISL encapsulation, see the "Catalyst 8540 CSR with ISL, VLAN, and BVI with GEC" section.

Verifying the ISL Configuration (Bridging Non-IP/IPX Traffic Between VLANs)

To verify the ISL configuration, use the following EXEC command:

Example

The following example shows the resulting configuration, using the show running-config command:

Note   To monitor the VLANs once they are configured, use the commands described in the "Monitoring VLAN Operation" section on.

Configuring VLANs with 802.1Q Encapsulation

The IEEE 802.1Q standard provides a method for secure routing and bridging of data across a shared backbone. IEEE 802.1Q VLAN encapsulation uses an internal, or one level, packet tagging scheme to multiplex VLANs across a single physical link, while maintaining strict adherence to the individual VLAN domains.

On an IEEE 802.1Q trunk port, all transmitted and received frames are tagged except for those on the one VLAN configured as the PVID (port VLAN identifier) or native VLAN for the port. Frames on the native VLAN are always transmitted untagged and are normally received untagged.

Routing IP Traffic Between VLANs with 802.1Q Encapsulation

To route IP traffic between VLANs with 802.1Q encapsulation, perform the following steps, beginning in global configuration mode:

Example

The following example shows how to configure three VLANs (VLAN 1, VLAN 2, VLAN 3) for IP routing with 802.1Q encapsulation:

Note   When configuring 802.1Q with IP, you cannot configure IP addresses on a subinterface unless the VLANs are already configured (that is, you must have already entered the encapsulation dot1q command). This is not the case with IPX; you can configure IPX networks on a subinterface even when the VLANs have not been configured.

Verifying the 802.1Q Configuration (Routing IP Traffic Between VLANs)

To verify the 802.1Q configuration, use the following EXEC command:

Example

The following example shows the resulting configuration, using the show running-config command:

Routing IPX Traffic Between VLANs with 802.1Q Encapsulation

To route IPX traffic between VLANs with 802.1Q encapsulation, perform the following steps, beginning in global configuration mode:

Example

The following example shows how to configure VLANs with 802.1Q encapsulation and assign different IPX networks and encapsulation for each subinterface:

Verifying the 802.1Q Configuration (Routing IPX Traffic Between VLANs)

To verify the 802.1Q configuration, use the following EXEC command:

Example

The following example shows the resulting configuration, using the show running-config command:

Bridging Non-IP/IPX Traffic Between VLANs with 802.1Q Encapsulation

To bridge non-IP/IPX traffic between VLANs with 802.1Q encapsulation, perform the following steps, beginning in global configuration mode.

Example

The following example shows how to configure three VLANs (VLAN 1, VLAN 2, VLAN 3) and perform bridging with 802.1Q encapsulation:

Verifying the 802.1Q Configuration (Bridging Non-IP/IPX Traffic Between VLANs)

To verify the 802.1Q configuration, use the following EXEC command:

Example

The following example shows the resulting configuration, using the show running-config command:

Bridging Between Native and Non-Native VLANs with 802.1Q Encapsulation

To configure bridging between native and non-native VLANs, perform the following steps, beginning in global configuration mode:

	Command	Purpose
Step 1	Router(config)# interface gigabitethernet slot/subslot/interface.subinterface Router(config-subif)#	Enters subinterface configuration mode.
Step 2	Router(config-subif)# encap dot1q vlan-id native	Uses 802.1Q to encapsulate Ethernet frames sent from the subinterface with a header that maintains the specified native vlan-id between network nodes. Note    By default, VLAN 1 is the native VLAN, so it is not necessary to specify native when specifying the encapsulation for VLAN 1. To specify a different VLAN as the native VLAN, you must specify native when specifying the encapsulation. Note    If you are configuring VLAN routing, skip Step 3 and proceed to Step 4.
Step 3	Router(config-subif)# bridge-group number	Assigns the subinterface to a specified bridge group.
Step 4	Router(config-subif)# interface gigabitethernet slot/subslot/interface	Enters interface configuration mode to configure the Fast Ethernet main interface.
Step 5	Router(config-if)# bridge-group number	Assigns the main interface to a specified bridge group.
Step 6	Router(config-if)# exit	Returns to global configuration mode.
Step 7	Router(config)# bridge bridge-group protocol ieee	Specifies that the bridge group will use the IEEE Ethernet Spanning Tree Protocol.

Example

The following example shows how to configure the bridging between native and non-native 802.1Q VLANs:

Monitoring VLAN Operation

Once the VLANs are configured on the switch router, you can monitor their operation using the following command: