This chapter describes how to configure the asymmetric VLAN mapping feature for Cisco Connected Grid switches.
Cisco 2500 Series Connected Grid Switches Configuration Guides
The asymmetric VLAN mapping feature for the Cisco CGS 2520 provides a method for restricting traffic on VLAN trunk ports. The feature lets you specify lists of VLANs that are allowed to forward traffic on the trunk port in the ingress direction, egress direction, or in both directions.
This feature is useful in a utility substation environment where a VLAN trunk is connected between a Cisco CGS 2520 switch and an intelligent electronic device (IED). The trunk port on the Cisco CGS 2520 can be configured to allow ingress traffic for a given VLAN, such as generic object oriented substation events (GOOSE) messages from the IED, and the trunk port can be configured to allow traffic for specific VLAN IDs in the egress direction, allowing the IED to subscribe to GOOSE messages with those VLAN IDs. All other VLAN traffic on the trunk port can be blocked.
In the example shown in Figure 4-1, there are six VLANs (2, 3, 4, 5, 6, 7) configured on a Cisco CGS 2520 switch. Using the asymmetric VLAN mapping feature on a trunk port, packets tagged with VLANs 2 and 3 can only enter the system through that interface, packets tagged with VLANs 4 and 5 can only go out of the system (but cannot enter the system), and packets tagged with VLANs 6 and 7 can both enter and exit the system. Any other tagged packets are dropped at the interface level where this feature is configured.
Figure 4-1 Asymmetric VLAN Mapping Between a Cisco CGS 2520 and an IED
These are the guidelines for configuring asymmetric VLAN mapping:
The asymmetric VLAN mapping feature is configured on interfaces facing IEDs, so all other Layer 2 control protocol packets, such as Spanning Tree BPDUs, CDP, and VTP packets, should not be exchanged between the interface and an attached IED.
When the asymmetric VLAN mapping feature is enabled on an interface, CDP, STP, and VTP are disabled and cannot be configured on the interface until any configuration statements for asymmetric VLAN mapping are removed. In addition, the no switchport and switchport mode access configuration statements are not allowed when configuration statements for asymmetric VLAN mapping are present on the interface.
When the asymmetric VLAN mapping feature is configured for an interface, the VLAN mapping feature (VLAN ID translation) and the allowed VLAN feature cannot be configured for that interface.
Beginning in privileged EXEC mode, follow these steps to configure asymmetric VLAN mapping:
| Command | Purpose |
|---|---|
| | Verify that the VLANs for which you are configuring mapping rules exist on the switch. If not, create the VLANs on the switch. |
| | Specify the interface to be configured as the trunk interface, and enter interface configuration mode. The type can be fastethernet, gigabitethernet, or tengigabitethernet. |
| | Configure the interface as an NNI. Asymmetric VLAN mapping is supported only on NNI ports. |
| switchport trunk allowed asymmetric-vlan bidirectional { add \| except \| none \| remove } vlan-list | Specifies which of the VLANs configured on the switch are allowed to send traffic through the trunk port in both the ingress and egress directions. The add keyword adds VLANs to the current list. The except keyword indicates all VLANs except those specified by vlan-list. The none keyword specifies none of the VLANs. The remove keyword removes VLANs from the current list. The vlan-list parameter is either a single VLAN number from 1 to 4094; a range of VLANs described by two VLAN numbers, the lower one first, separated by a hyphen; or a comma-separated list of VLANs. Do not enter any spaces between comma-separated VLANs or in hyphen-specified ranges. |
| switchport trunk allowed asymmetric-vlan ingress { add \| except \| none \| remove } vlan-list | Specifies which of the VLANs configured on the switch are allowed to send traffic through the trunk port in the ingress direction; that is, from the IED to the switch. Traffic coming into the trunk port from all other VLANs is blocked. See step 5 (the bidirectional command) for the description of the add, except, none, remove, and vlan-list parameters. |
| switchport trunk allowed asymmetric-vlan egress { add \| except \| none \| remove } vlan-list | Specifies which of the VLANs configured on the switch are allowed to send traffic through the trunk port in the egress direction; that is, from the switch to the IED. Traffic from all other VLANs is blocked from exiting the trunk port. See step 5 (the bidirectional command) for the description of the add, except, none, remove, and vlan-list parameters. |
| | Disable VTP. VTP cannot be configured on the same interface where asymmetric VLAN mapping is configured. |
| | Disable CDP. CDP cannot be configured on the same interface where asymmetric VLAN mapping is configured. |
The following example shows how to configure asymmetric VLAN mapping for a Fast Ethernet port connected to an IED. The switch has six VLANs configured on it. A trunk port is configured on the Fast Ethernet port. Traffic for VLANs 6 and 7 is allowed in both the ingress and egress directions on the trunk port; traffic for VLANs 2 and 3 is allowed from the IED to the switch; traffic for VLANs 4 and 5 is allowed from the switch to the IED. Traffic from any other VLANs is blocked at the port.
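As an added illustration (Python written for this page, not Cisco's configuration listing or code), the model below parses the vlan-list syntax, applies the add, except, none, and remove keywords, and derives the per-direction filter for the scenario just described, which is useful when auditing an IED-facing trunk against its intended policy. The function names are hypothetical, and two points are assumptions: that except means the full 1-4094 range minus the listed VLANs, and that the effective filter in each direction is the bidirectional list combined with that direction's list.

```python
import re

VLAN_MIN, VLAN_MAX = 1, 4094
_ITEM = re.compile(r"(\d+)(?:-(\d+))?")

def parse_vlan_list(text):
    """Parse a vlan-list: one ID, a low-high range, or comma-separated items (no spaces)."""
    if not text or any(c.isspace() for c in text):
        raise ValueError("vlan-list must not be empty or contain spaces")
    vlans = set()
    for item in text.split(","):
        m = _ITEM.fullmatch(item)
        if not m:
            raise ValueError(f"bad vlan-list item: {item!r}")
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        if not (VLAN_MIN <= low <= high <= VLAN_MAX):
            raise ValueError(f"VLAN out of range or range reversed: {item!r}")
        vlans.update(range(low, high + 1))
    return vlans

def apply_keyword(current, keyword, vlan_list=None):
    """Return the allowed set after one add / except / none / remove statement."""
    if keyword == "none":
        return set()
    vlans = parse_vlan_list(vlan_list)
    if keyword == "add":
        return current | vlans
    if keyword == "remove":
        return current - vlans
    if keyword == "except":
        # Assumption: "all VLANs" means the full 1-4094 ID space.
        return set(range(VLAN_MIN, VLAN_MAX + 1)) - vlans
    raise ValueError(f"unknown keyword: {keyword!r}")

def effective_policy(commands):
    """commands: iterable of (direction, keyword, vlan_list) tuples, in config order."""
    lists = {"bidirectional": set(), "ingress": set(), "egress": set()}
    for direction, keyword, vlan_list in commands:
        lists[direction] = apply_keyword(lists[direction], keyword, vlan_list)
    # Assumption: bidirectional VLANs are permitted in addition to each direction's list.
    return {"ingress": lists["bidirectional"] | lists["ingress"],
            "egress": lists["bidirectional"] | lists["egress"]}

def permitted(policy, direction, vlan):
    """True if a frame tagged with `vlan` passes the trunk port in `direction`."""
    return vlan in policy[direction]

# Constructed input mirroring the scenario in the text (VLANs 2 through 7).
SCENARIO = [("bidirectional", "add", "6,7"),
            ("ingress", "add", "2,3"),
            ("egress", "add", "4-5")]
POLICY = effective_policy(SCENARIO)
```

Comparing `POLICY` with the intended ingress and egress sets for an IED port flags a VLAN that has been opened in the wrong direction.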
Display the asymmetric VLAN mapping configuration in summary