To configure a WLAN interface or an interface group, use the client vlan command. To disable the WLAN interface, use the no form of this command.
client vlan interface-id-name-or-group-name
no client vlan
interface-id-name-or-group-name | Interface ID, name, or VLAN group name. |
The default interface is configured.
WLAN configuration
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 | This command was introduced. |
You must disable the WLAN before using this command. See the Related Commands section for more information on how to disable a WLAN.
This example shows how to enable a client VLAN on a WLAN:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# wlan wlan1
Switch(config-wlan)# client vlan client-vlan1
Switch(config-wlan)# end
This example shows how to disable a client VLAN on a WLAN:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# wlan wlan1
Switch(config-wlan)# no client vlan
Switch(config-wlan)# end
To clear the protocol counters in protocol tunnel ports, use the clear l2protocol-tunnel counters command in privileged EXEC mode.
clear l2protocol-tunnel counters [ interface-id ]
interface-id | (Optional) The interface (physical interface or port channel) for which protocol counters are to be cleared. |
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 | This command was introduced. |
Use this command to clear protocol tunnel counters on the switch or on the specified interface.
This example shows how to clear Layer 2 protocol tunnel counters on an interface:
Switch# clear l2protocol-tunnel counters gigabitethernet1/0/3
Command | Description |
Enables tunneling of Layer 2 protocols on an access port, IEEE 802.1Q tunnel port, or a port channel. | |
Displays information about Layer 2 protocol tunnel ports. |
To clear the VLAN Membership Policy Server (VMPS) statistics maintained by the VLAN Query Protocol (VQP) client, use the clear vmps statistics command in privileged EXEC mode.
clear vmps statistics
This command has no arguments or keywords.
None
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 | This command was introduced. |
This example shows how to clear VLAN Membership Policy Server (VMPS) statistics:
Switch# clear vmps statistics
You can verify that information was deleted by entering the show vmps statistics privileged EXEC command.
Command | Description |
Displays the VQP version, reconfirmation interval, retry count, VMPS IP addresses, and the current and primary servers. |
To clear the VLAN Trunking Protocol (VTP) and pruning counters, use the clear vtp counters command in privileged EXEC mode.
clear vtp counters
This command has no arguments or keywords.
None
Privileged EXEC
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 | This command was introduced. |
This example shows how to clear the VTP counters:
Switch# clear vtp counters
You can verify that information was deleted by entering the show vtp counters privileged EXEC command.
Command | Description |
Displays general information about VTP management domain, status, and counters. |
To enable debugging of the VLAN manager software, use the debug platform vlan command in privileged EXEC mode. To disable debugging, use the no form of this command.
debug platform vlan { error | mvid | rpc }
no debug platform vlan { error | mvid | rpc }
error | Displays VLAN error debug messages. |
mvid | Displays mapped VLAN ID allocations and free debug messages. |
rpc | Displays remote procedure call (RPC) debug messages. |
Debugging is disabled.
Privileged EXEC
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 | This command was introduced. |
The undebug platform vlan command is the same as the no debug platform vlan command.
This example shows how to display VLAN error debug messages:
Switch# debug platform vlan error
To enable debugging of VLAN manager activities, use the debug sw-vlan command in privileged EXEC mode. To disable debugging, use the no form of this command.
debug sw-vlan { badpmcookies | cfg-vlan { bootup | cli } | events | ifs | mapping | notification | packets | redundancy | registries | vtp }
no debug sw-vlan { badpmcookies | cfg-vlan { bootup | cli } | events | ifs | mapping | notification | packets | redundancy | registries | vtp }
badpmcookies | Displays debug messages for VLAN manager incidents of bad port manager cookies. |
cfg-vlan | Displays VLAN configuration debug messages. |
bootup | Displays messages when the switch is booting up. |
cli | Displays messages when the command-line interface (CLI) is in VLAN configuration mode. |
events | Displays debug messages for VLAN manager events. |
ifs | Displays debug messages for the VLAN manager IOS file system (IFS). See debug sw-vlan ifs for more information. |
mapping | Displays debug messages for VLAN mapping. |
notification | Displays debug messages for VLAN manager notifications. See debug sw-vlan notification for more information. |
packets | Displays debug messages for packet handling and encapsulation processes. |
redundancy | Displays debug messages for VTP VLAN redundancy. |
registries | Displays debug messages for VLAN manager registries. |
vtp | Displays debug messages for the VLAN Trunking Protocol (VTP) code. See debug sw-vlan vtp for more information. |
Debugging is disabled.
Privileged EXEC
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 | This command was introduced. |
The undebug sw-vlan command is the same as the no debug sw-vlan command.
This example shows how to display debug messages for VLAN manager events:
Switch# debug sw-vlan events
Command | Description |
Enables debugging of the VLAN manager IOS file system (IFS) error tests. | |
Enables debugging of VLAN manager notifications. | |
Enables debugging of the VTP code. | |
Displays the parameters for all configured VLANs or one VLAN (if the VLAN ID or name is specified) in the administrative domain. | |
Displays general information about VTP management domain, status, and counters. |
To enable debugging of the VLAN manager IOS file system (IFS) error tests, use the debug sw-vlan ifs command in privileged EXEC mode. To disable debugging, use the no form of this command.
debug sw-vlan ifs { open { read | write } | read { 1 | 2 | 3 | 4 } | write }
no debug sw-vlan ifs { open { read | write } | read { 1 | 2 | 3 | 4 } | write }
open read | Displays VLAN manager IFS file-read operation debug messages. |
open write | Displays VLAN manager IFS file-write operation debug messages. |
read | Displays file-read operation debug messages for the specified error test (1, 2, 3, or 4). |
write | Displays file-write operation debug messages. |
Debugging is disabled.
Privileged EXEC
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 | This command was introduced. |
The undebug sw-vlan ifs command is the same as the no debug sw-vlan ifs command.
When selecting the file read operation, Operation 1 reads the file header, which contains the header verification word and the file version number. Operation 2 reads the main body of the file, which contains most of the domain and VLAN information. Operation 3 reads type length version (TLV) descriptor structures. Operation 4 reads TLV data.
This example shows how to display file-write operation debug messages:
Switch# debug sw-vlan ifs write
Command | Description |
Displays the parameters for all configured VLANs or one VLAN (if the VLAN ID or name is specified) in the administrative domain. |
To enable debugging of VLAN manager notifications, use the debug sw-vlan notification command in privileged EXEC mode. To disable debugging, use the no form of this command.
debug sw-vlan notification { accfwdchange | allowedvlancfgchange | fwdchange | linkchange | modechange | pruningcfgchange | statechange }
no debug sw-vlan notification { accfwdchange | allowedvlancfgchange | fwdchange | linkchange | modechange | pruningcfgchange | statechange }
accfwdchange | Displays debug messages for VLAN manager notification of aggregated access interface spanning-tree forward changes. |
allowedvlancfgchange | Displays debug messages for VLAN manager notification of changes to the allowed VLAN configuration. |
fwdchange | Displays debug messages for VLAN manager notification of spanning-tree forwarding changes. |
linkchange | Displays debug messages for VLAN manager notification of interface link-state changes. |
modechange | Displays debug messages for VLAN manager notification of interface mode changes. |
pruningcfgchange | Displays debug messages for VLAN manager notification of changes to the pruning configuration. |
statechange | Displays debug messages for VLAN manager notification of interface state changes. |
Debugging is disabled.
Privileged EXEC
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 | This command was introduced. |
The undebug sw-vlan notification command is the same as the no debug sw-vlan notification command.
This example shows how to display debug messages for VLAN manager notification of interface mode changes:
Switch# debug sw-vlan notification modechange
Command | Description |
Displays the parameters for all configured VLANs or one VLAN (if the VLAN ID or name is specified) in the administrative domain. |
To enable debugging of the VLAN Trunking Protocol (VTP) code, use the debug sw-vlan vtp command in privileged EXEC mode. To disable debugging, use the no form of this command.
debug sw-vlan vtp { events | packets | pruning [ packets | xmit ] | redundancy | xmit }
no debug sw-vlan vtp { events | packets | pruning | redundancy | xmit }
events | Displays debug messages for general-purpose logic flow and detailed VTP messages generated by the VTP_LOG_RUNTIME macro in the VTP code. |
packets | Displays debug messages for the contents of all incoming VTP packets that have been passed into the VTP code from the Cisco IOS VTP platform-dependent layer, except for pruning packets. |
pruning | Displays debug messages generated by the pruning segment of the VTP code. |
packets | (Optional) Displays debug messages for the contents of all incoming VTP pruning packets that have been passed into the VTP code from the Cisco IOS VTP platform-dependent layer. |
xmit | (Optional) Displays debug messages for the contents of all outgoing VTP packets that the VTP code requests the Cisco IOS VTP platform-dependent layer to send. |
redundancy | Displays debug messages for VTP redundancy. |
xmit | Displays debug messages for the contents of all outgoing VTP packets that the VTP code requests the Cisco IOS VTP platform-dependent layer to send, except for pruning packets. |
Debugging is disabled.
Privileged EXEC
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 | This command was introduced. |
The undebug sw-vlan vtp command is the same as the no debug sw-vlan vtp command.
If no additional parameters are entered after the pruning keyword, VTP pruning debugging messages appear. They are generated by the VTP_PRUNING_LOG_NOTICE, VTP_PRUNING_LOG_INFO, VTP_PRUNING_LOG_DEBUG, VTP_PRUNING_LOG_ALERT, and VTP_PRUNING_LOG_WARNING macros in the VTP pruning code.
This example shows how to display debug messages for VTP redundancy:
Switch# debug sw-vlan vtp redundancy
Command | Description |
Displays general information about VTP management domain, status, and counters. |
To create or access a dynamic switch virtual interface (SVI) and to enter interface configuration mode, use the interface vlan command in global configuration mode. To delete an SVI, use the no form of this command.
interface vlan vlan-id
no interface vlan vlan-id
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 | This command was introduced. |
SVIs are created the first time you enter the interface vlan vlan-id command for a particular VLAN. The vlan-id corresponds to the VLAN-tag associated with data frames on an IEEE 802.1Q encapsulated trunk or the VLAN ID configured for an access port.
Note | When you create an SVI, it does not become active until it is associated with a physical port. |
If you delete an SVI using the no interface vlan vlan-id command, it is no longer visible in the output from the show interfaces privileged EXEC command.
Note | You cannot delete the VLAN 1 interface. |
You can reinstate a deleted SVI by entering the interface vlan vlan-id command for the deleted interface. The interface comes back up, but the previous configuration is gone.
The interrelationship between the number of SVIs configured on a switch or a switch stack and the number of other features being configured might have an impact on CPU utilization due to hardware limitations. You can use the sdm prefer global configuration command to reallocate system hardware resources based on templates and feature tables.
You can verify your setting by entering the show interfaces and show interfaces vlan vlan-id privileged EXEC commands.
This example shows how to create a new SVI with VLAN ID 23 and enter interface configuration mode:
Switch(config)# interface vlan 23
Switch(config-if)#
Command | Description |
show interfaces | Displays the administrative and operational status of all interfaces or a specified interface. |
To enable tunneling of Layer 2 protocols on an access port, IEEE 802.1Q tunnel port, or a port channel, use the l2protocol-tunnel command in interface configuration mode on the switch stack or on a standalone switch. Use the no form of this command to disable tunneling on the interface.
l2protocol-tunnel [ drop-threshold | shutdown-threshold ] [ value ] [ cdp | stp | vtp ] [ lldp ] [ point-to-point | [ pagp | lacp | udld ] ]
no l2protocol-tunnel [ drop-threshold | shutdown-threshold ] [ value ] [ cdp | stp | vtp ] [ lldp ] [ point-to-point | [ pagp | lacp | udld ] ]
drop-threshold | (Optional) Sets a drop threshold for the maximum rate of Layer 2 protocol packets per second to be received before an interface drops packets. |
shutdown-threshold | (Optional) Sets a shutdown threshold for the maximum rate of Layer 2 protocol packets per second to be received before an interface is shut down. |
value | A threshold in packets per second to be received for encapsulation before the interface shuts down, or the threshold before the interface drops packets. The range is 1 to 4096. The default is no threshold. |
cdp | (Optional) Enables tunneling of CDP, specifies a shutdown threshold for CDP, or specifies a drop threshold for CDP. |
stp | (Optional) Enables tunneling of STP, specifies a shutdown threshold for STP, or specifies a drop threshold for STP. |
vtp | (Optional) Enables tunneling of VTP, specifies a shutdown threshold for VTP, or specifies a drop threshold for VTP. |
lldp | (Optional) Enables tunneling of LLDP packets. |
point-to-point | (Optional) Enables point-to-point tunneling of PAgP, LACP, and UDLD packets. |
pagp | (Optional) Enables point-to-point tunneling of PAgP, specifies a shutdown threshold for PAgP, or specifies a drop threshold for PAgP. |
lacp | (Optional) Enables point-to-point tunneling of LACP, specifies a shutdown threshold for LACP, or specifies a drop threshold for LACP. |
udld | (Optional) Enables point-to-point tunneling of UDLD, specifies a shutdown threshold for UDLD, or specifies a drop threshold for UDLD. |
The default is that no Layer 2 protocol packets are tunneled.
The default is no shutdown threshold for the number of Layer 2 protocol packets.
The default is no drop threshold for the number of Layer 2 protocol packets.
Interface configuration
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 | This command was introduced. |
You can enable tunneling for Cisco Discovery Protocol (CDP), Spanning Tree Protocol (STP), or VLAN Trunking Protocol (VTP) packets. You can also enable point-to-point tunneling for Port Aggregation Protocol (PAgP), Link Aggregation Control Protocol (LACP), or UniDirectional Link Detection (UDLD) packets.
You must enter this command, with or without protocol types, to tunnel Layer 2 packets.
If you enter this command for a port channel, all ports in the channel must have the same configuration.
Layer 2 protocol tunneling across a service-provider network ensures that Layer 2 information is propagated across the network to all customer locations. When protocol tunneling is enabled, protocol packets are encapsulated with a well-known Cisco multicast address for transmission across the network. When the packets reach their destination, the well-known MAC address is replaced by the Layer 2 protocol MAC address.
You can enable Layer 2 protocol tunneling for CDP, STP, and VTP individually or for all three protocols.
In a service-provider network, you can use Layer 2 protocol tunneling to enhance the creation of EtherChannels by emulating a point-to-point network topology. When protocol tunneling is enabled on the service-provider switch for PAgP or LACP, remote customer switches receive the protocol data units (PDUs) and can negotiate automatic creation of EtherChannels.
To enable tunneling of PAgP, LACP, and UDLD packets, you must have a point-to-point network topology. To decrease the link-down detection time, you should also enable UDLD on the interface when you enable tunneling of PAgP or LACP packets.
You can enable point-to-point protocol tunneling for PAgP, LACP, and UDLD individually or for all three protocols.
Caution | PAgP, LACP, and UDLD tunneling is only intended to emulate a point-to-point topology. An erroneous configuration that sends tunneled packets to many ports could lead to a network failure. |
Enter the shutdown-threshold keyword to control the number of protocol packets per second that are received on an interface before it shuts down. When no protocol option is specified with the keyword, the threshold is applied to each of the tunneled Layer 2 protocol types. If you also set a drop threshold on the interface, the shutdown-threshold value must be greater than or equal to the drop-threshold value.
When the shutdown threshold is reached, the interface is error-disabled. If you enable error recovery by entering the errdisable recovery cause l2ptguard global configuration command, the interface is brought out of the error-disabled state and allowed to retry the operation again when all the causes have timed out. If the error recovery function is not enabled for l2ptguard, the interface stays in the error-disabled state until you enter the shutdown and no shutdown interface configuration commands.
Enter the drop-threshold keyword to control the number of protocol packets per second that are received on an interface before it drops packets. When no protocol option is specified with a keyword, the threshold is applied to each of the tunneled Layer 2 protocol types. If you also set a shutdown threshold on the interface, the drop-threshold value must be less than or equal to the shutdown-threshold value.
When the drop threshold is reached, the interface drops Layer 2 protocol packets until the rate at which they are received is below the drop threshold.
The configuration is saved in NVRAM.
For more information about Layer 2 protocol tunneling, see the software configuration guide for this release.
This example shows how to enable protocol tunneling for CDP packets and to configure the shutdown threshold as 50 packets per second:
Switch(config-if)# l2protocol-tunnel cdp
Switch(config-if)# l2protocol-tunnel shutdown-threshold cdp 50
This example shows how to enable protocol tunneling for STP packets and to configure the drop threshold as 400 packets per second:
Switch(config-if)# l2protocol-tunnel stp
Switch(config-if)# l2protocol-tunnel drop-threshold stp 400
This example shows how to enable point-to-point protocol tunneling for PAgP and UDLD packets and to configure the PAgP drop threshold as 1000 packets per second:
Switch(config-if)# l2protocol-tunnel point-to-point pagp
Switch(config-if)# l2protocol-tunnel point-to-point udld
Switch(config-if)# l2protocol-tunnel drop-threshold point-to-point pagp 1000
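The threshold rules above (range 1 to 4096, shutdown threshold not below the drop threshold, manual recovery unless errdisable recovery cause l2ptguard is set) can be checked on a candidate configuration before it is applied. The following audit script is an added example, not Cisco code; the function names, the finding texts, the sample configuration, and the policy of flagging a tunneled protocol that has no threshold are assumptions of the example.

```python
# Added example: audit l2protocol-tunnel thresholds in IOS-style config text.
L2 = ("cdp", "stp", "vtp", "lldp")
P2P = ("pagp", "lacp", "udld")
VALID = range(1, 4097)  # page: "The range is 1 to 4096"


def parse(config):
    """Return ({interface: settings}, recovery_enabled) from config text."""
    ports, current, recovery = {}, None, False
    for raw in config.splitlines():
        line = raw.strip()
        if not raw[:1].isspace():  # column-0 line: global command or block start
            current = None
            if line.startswith("interface "):
                current = ports.setdefault(
                    line.split(None, 1)[1],
                    {"tunneled": set(), "drop": {}, "shutdown": {}})
            elif line == "errdisable recovery cause l2ptguard":
                recovery = True
            continue
        words = line.split()
        if current is None or not words or words[0] != "l2protocol-tunnel":
            continue
        words = words[1:]
        kind = None
        if words and words[0] in ("drop-threshold", "shutdown-threshold"):
            kind = words.pop(0).split("-")[0]  # "drop" or "shutdown"
        protos = [w for w in words if w in L2 + P2P]
        if kind is None:
            # Assumption: with no protocol named, all three of the group apply.
            if not protos:
                protos = P2P if "point-to-point" in words else L2[:3]
            current["tunneled"].update(protos)
            continue
        value = next((int(w) for w in words if w.isdigit()), None)
        if value is not None:
            # "*" holds a threshold given without a protocol: it applies to
            # each tunneled protocol type, as the usage guidelines state.
            for proto in protos or ["*"]:
                current[kind][proto] = value
    return ports, recovery


def audit(config):
    """Return a list of (interface, protocol, message) findings."""
    ports, recovery = parse(config)
    findings = []
    for name, port in ports.items():
        for proto in sorted(port["tunneled"]):
            drop = port["drop"].get(proto, port["drop"].get("*"))
            shut = port["shutdown"].get(proto, port["shutdown"].get("*"))
            for label, value in (("drop", drop), ("shutdown", shut)):
                if value is not None and value not in VALID:
                    findings.append(
                        (name, proto, f"{label}-threshold {value} outside 1-4096"))
            if drop is None and shut is None:
                # Example policy: the default of no threshold is reported.
                findings.append(
                    (name, proto, "no threshold: tunneled PDU rate is unbounded"))
            elif drop is not None and shut is not None and shut < drop:
                findings.append(
                    (name, proto,
                     f"shutdown-threshold {shut} is below drop-threshold {drop}"))
        if port["shutdown"] and not recovery:
            findings.append(
                (name, "-", "shutdown-threshold without errdisable recovery cause "
                            "l2ptguard: port stays error-disabled until "
                            "shutdown / no shutdown"))
    return findings


# Constructed sample configuration (not taken from a real device).
SAMPLE = """\
errdisable recovery cause l2ptguard
!
interface GigabitEthernet1/0/1
 l2protocol-tunnel cdp
 l2protocol-tunnel shutdown-threshold cdp 50
!
interface GigabitEthernet1/0/2
 l2protocol-tunnel stp
 l2protocol-tunnel drop-threshold stp 400
 l2protocol-tunnel shutdown-threshold stp 200
!
interface GigabitEthernet1/0/3
 l2protocol-tunnel point-to-point pagp
 l2protocol-tunnel point-to-point udld
 l2protocol-tunnel drop-threshold point-to-point pagp 1000
!
interface GigabitEthernet1/0/4
 l2protocol-tunnel vtp
 l2protocol-tunnel shutdown-threshold vtp 5000
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```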
Command | Description |
show errdisable recovery | Displays the error-disabled recovery timer information. |
Configures class of service (CoS) value for all tunneled Layer 2 protocol packets. | |
Displays information about Layer 2 protocol tunnel ports. |
To configure class of service (CoS) value for all tunneled Layer 2 protocol packets, use the l2protocol-tunnel cos global configuration command. To return to the default setting, use the no form of this command.
l2protocol-tunnel cos value
no l2protocol-tunnel cos
value | CoS priority value for tunneled Layer 2 protocol packets. If a CoS value is configured for data packets for the interface, the default is to use this CoS value. If no CoS value is configured for the interface, the default is 5. The range is 0 to 7, with 7 being the highest priority. |
The default is to use the CoS value configured for data on the interface. If no CoS value is configured, the default is 5 for all tunneled Layer 2 protocol packets.
Global configuration
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 | This command was introduced. |
When enabled, the tunneled Layer 2 protocol packets use this CoS value.
The value is saved in NVRAM.
This example shows how to configure a Layer-2 protocol-tunnel CoS value of 7:
Switch(config)# l2protocol-tunnel cos 7
Command | Description |
Displays information about Layer 2 protocol tunnel ports. |
To configure private VLANs and to configure the association between private VLAN primary and secondary VLANs, use the private-vlan VLAN configuration command on the switch stack or on a standalone switch. Use the no form of this command to return the VLAN to normal VLAN configuration.
private-vlan { association [ add | remove ] secondary-vlan-list | community | isolated | primary }
no private-vlan { association | community | isolated | primary }
association | Creates an association between the primary VLAN and a secondary VLAN. |
add | Associates a secondary VLAN to a primary VLAN. |
remove | Clears the association between a secondary VLAN and a primary VLAN. |
secondary-vlan-list | One or more secondary VLANs to be associated with a primary VLAN in a private VLAN. |
community | Designates the VLAN as a community VLAN. |
isolated | Designates the VLAN as an isolated VLAN. |
primary | Designates the VLAN as a primary VLAN. |
The default is to have no private VLANs configured.
VLAN configuration
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 | This command was introduced. |
Before configuring private VLANs, you must disable VTP (VTP mode transparent). After you configure a private VLAN, you should not change the VTP mode to client or server.
VTP does not propagate private VLAN configurations. You must manually configure private VLANs on all switches in the Layer 2 network to merge their Layer 2 databases and to prevent flooding of private VLAN traffic.
You cannot include VLAN 1 or VLANs 1002 to 1005 in the private VLAN configuration. Extended VLANs (VLAN IDs 1006 to 4094) can be configured in private VLANs.
You can associate a secondary (isolated or community) VLAN with only one primary VLAN. A primary VLAN can have one isolated VLAN and multiple community VLANs associated with it.
A community VLAN carries traffic among community ports and from community ports to the promiscuous ports on the corresponding primary VLAN.
An isolated VLAN is used by isolated ports to communicate with promiscuous ports. It does not carry traffic to other community ports or isolated ports with the same primary VLAN domain.
A primary VLAN is the VLAN that carries traffic from a gateway to customer end stations on private ports.
Configure Layer 3 VLAN interfaces (SVIs) only for primary VLANs. You cannot configure Layer 3 VLAN interfaces for secondary VLANs. SVIs for secondary VLANs are inactive while the VLAN is configured as a secondary VLAN.
The private-vlan commands do not take effect until you exit from VLAN configuration mode.
Do not configure private VLAN ports as EtherChannels. While a port is part of the private VLAN configuration, any EtherChannel configuration for it is inactive.
Do not configure a private VLAN as a Remote Switched Port Analyzer (RSPAN) VLAN.
Do not configure a private VLAN as a voice VLAN.
Do not configure fallback bridging on switches with private VLANs.
Although a private VLAN contains more than one VLAN, only one STP instance runs for the entire private VLAN. When a secondary VLAN is associated with the primary VLAN, the STP parameters of the primary VLAN are propagated to the secondary VLAN.
For more information about private VLAN interaction with other features, see the software configuration guide for this release.
This example shows how to configure VLAN 20 as a primary VLAN, VLAN 501 as an isolated VLAN, and VLANs 502 and 503 as community VLANs, and to associate them in a private VLAN:
Switch# configure terminal
Switch(config)# vlan 20
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# exit
Switch(config)# vlan 501
Switch(config-vlan)# private-vlan isolated
Switch(config-vlan)# exit
Switch(config)# vlan 502
Switch(config-vlan)# private-vlan community
Switch(config-vlan)# exit
Switch(config)# vlan 503
Switch(config-vlan)# private-vlan community
Switch(config-vlan)# exit
Switch(config)# vlan 20
Switch(config-vlan)# private-vlan association 501-503
Switch(config-vlan)# end
You can verify your setting by entering the show vlan private-vlan or show interfaces status privileged EXEC command.
To create a mapping between the primary and the secondary VLANs so that both VLANs share the same primary VLAN switched virtual interface (SVI), use the private-vlan mapping interface configuration command on a switch virtual interface (SVI). Use the no form of this command to remove private VLAN mappings from the SVI.
private-vlan mapping [ add | remove ] secondary-vlan-list
no private-vlan mapping
add | (Optional) Maps the secondary VLAN to the primary VLAN SVI. |
remove | (Optional) Removes the mapping between the secondary VLAN and the primary VLAN SVI. |
secondary-vlan-list | One or more secondary VLANs to be mapped to the primary VLAN SVI. |
No private VLAN SVI mapping is configured.
Interface configuration
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 | This command was introduced. |
The switch must be in VTP transparent mode when you configure private VLANs.
The SVI of the primary VLAN is created at Layer 3.
Configure Layer 3 VLAN interfaces (SVIs) only for primary VLANs. You cannot configure Layer 3 VLAN interfaces for secondary VLANs. SVIs for secondary VLANs are inactive while the VLAN is configured as a secondary VLAN.
The secondary-vlan-list argument cannot contain spaces. It can contain multiple comma-separated items. Each item can be a single private VLAN ID or a hyphenated range of private VLAN IDs. The list can contain one isolated VLAN and multiple community VLANs.
Traffic that is received on the secondary VLAN is routed by the SVI of the primary VLAN.
A secondary VLAN can be mapped to only one primary SVI. If you configure the primary VLAN as a secondary VLAN, all SVIs specified in this command are brought down.
If you configure a mapping between two VLANs that do not have a valid Layer 2 private VLAN association, the mapping configuration does not take effect.
This example shows how to map the interface of VLAN 20 to the SVI of VLAN 18:
Switch# configure terminal
Switch(config)# interface vlan 18
Switch(config-if)# private-vlan mapping 20
Switch(config-if)# end
This example shows how to permit routing of secondary VLAN traffic from secondary VLANs 303 to 305 and 307 through VLAN 20 SVI:
Switch# configure terminal
Switch(config)# interface vlan 20
Switch(config-if)# private-vlan mapping 303-305,307
Switch(config-if)# end
You can verify your settings by entering the show interfaces private-vlan mapping privileged EXEC command.
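The private VLAN rules stated for private-vlan association and private-vlan mapping (list syntax without spaces, VLAN 1 and 1002 to 1005 excluded, one primary per secondary, one isolated VLAN per primary, a mapping needs a valid Layer 2 association) can be checked offline against a planned design. This is an added example, not Cisco code; the function names, the dictionary-based input format, and the sample plan are assumptions of the example.

```python
# Added example: validate a planned private VLAN design against the rules
# stated in the usage guidelines on this page.
import re

RESERVED = {1, *range(1002, 1006)}  # page: VLAN 1 and VLANs 1002 to 1005
ITEM = re.compile(r"(\d+)(?:-(\d+))?")


def parse_vlan_list(text):
    """Expand a secondary-vlan-list such as '303-305,307' into sorted IDs."""
    if not text or any(ch.isspace() for ch in text):
        raise ValueError(f"list is empty or contains spaces: {text!r}")
    vlans = set()
    for item in text.split(","):
        match = ITEM.fullmatch(item)
        if not match:
            raise ValueError(f"bad item {item!r}")
        low = int(match.group(1))
        high = int(match.group(2) or low)
        if low > high:
            raise ValueError(f"descending range {item!r}")
        for vid in range(low, high + 1):
            if vid in RESERVED or not 2 <= vid <= 4094:
                raise ValueError(f"VLAN {vid} cannot be a private VLAN")
            vlans.add(vid)
    return sorted(vlans)


def check_private_vlans(types, associations, mappings):
    """types: {vlan: 'primary'|'isolated'|'community'}
    associations: {primary_vlan: secondary-vlan-list string}
    mappings: {svi_vlan: secondary-vlan-list string}
    Returns a list of finding strings."""
    findings, owner = [], {}
    for primary, sec_list in associations.items():
        if types.get(primary) != "primary":
            findings.append(f"VLAN {primary}: association on a non-primary VLAN")
        isolated = []
        for vid in parse_vlan_list(sec_list):
            kind = types.get(vid)
            if kind not in ("isolated", "community"):
                findings.append(
                    f"VLAN {vid}: listed under {primary} but not a secondary VLAN")
            if vid in owner:
                # A secondary VLAN may belong to only one primary VLAN.
                findings.append(
                    f"VLAN {vid}: already associated with primary {owner[vid]}, "
                    f"also listed under {primary}")
            else:
                owner[vid] = primary
            if kind == "isolated":
                isolated.append(vid)
        if len(isolated) > 1:
            findings.append(
                f"VLAN {primary}: more than one isolated VLAN {isolated}")
    for svi, sec_list in mappings.items():
        for vid in parse_vlan_list(sec_list):
            if owner.get(vid) != svi:
                # Without a valid Layer 2 association the mapping is inert.
                findings.append(
                    f"interface vlan {svi}: mapping of {vid} has no Layer 2 "
                    f"association and does not take effect")
    return findings


# Constructed sample plan (VLAN numbers chosen for illustration).
TYPES = {20: "primary", 30: "primary", 501: "isolated",
         502: "community", 503: "community", 504: "isolated"}
ASSOCIATIONS = {20: "501-504", 30: "503"}
MAPPINGS = {20: "501-503,307"}

if __name__ == "__main__":
    for finding in check_private_vlans(TYPES, ASSOCIATIONS, MAPPINGS):
        print(finding)
```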
Command | Description |
Displays private VLAN mapping information for the VLAN switch virtual interfaces (SVIs). |
To display information about IEEE 802.1Q tunnel ports, use the show dot1q-tunnel command in EXEC mode.
show dot1q-tunnel [ interface interface-id ]
interface interface-id | (Optional) Specifies the interface for which to display IEEE 802.1Q tunneling information. Valid interfaces include physical ports and port channels. |
None
User EXEC
Privileged EXEC
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 | This command was introduced. |
The following are examples of output from the show dot1q-tunnel command:
Switch# show dot1q-tunnel
dot1q-tunnel mode LAN Port(s)
-----------------------------
Gi1/0/1
Gi1/0/2
Gi1/0/3
Gi1/0/6
Po2
Switch# show dot1q-tunnel interface gigabitethernet1/0/1
dot1q-tunnel mode LAN Port(s)
-----------------------------
Gi1/0/1
Command | Description |
Displays the parameters for all configured VLANs or one VLAN (if the VLAN ID or name is specified) in the administrative domain. | |
switchport mode | Configures the VLAN membership mode of a port. |
To display private VLAN mapping information for the VLAN switch virtual interfaces (SVIs), use the show interfaces private-vlan mapping command in user EXEC or privileged EXEC mode.
show interfaces [ interface-id ] private-vlan mapping
interface-id | (Optional) ID of the interface for which to display private VLAN mapping information. |
None
User EXEC
Privileged EXEC
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 | This command was introduced. |
This example shows how to display the information about the private VLAN mapping:
Switch# show interfaces private-vlan mapping
Interface Secondary VLAN Type
--------- -------------- -----------------
vlan2     301            community
vlan3     302            community
Command | Description |
Creates a mapping between the primary and the secondary VLANs so that both VLANs share the same primary VLAN switched virtual interface (SVI). |
To display information about Layer 2 protocol tunnel ports, use the show l2protocol-tunnel command in EXEC mode.
show l2protocol-tunnel [ interface interface-id ] [ summary ]
interface interface-id | (Optional) Specifies the interface for which protocol tunneling information appears. Valid interfaces are physical ports and port channels; the port channel range is 1 to 48. |
summary | (Optional) Displays only Layer 2 protocol summary information. |
None
User EXEC
Privileged EXEC
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 | This command was introduced. |
After enabling Layer 2 protocol tunneling on an access or IEEE 802.1Q tunnel port by using the l2protocol-tunnel interface configuration command, you can configure some or all of these parameters:
If you enter the show l2protocol-tunnel interface command, only information about the active ports on which all the parameters are configured appears.
If you enter the show l2protocol-tunnel summary command, only information about the active ports on which some or all of the parameters are configured appears.
This is an example of output from the show l2protocol-tunnel command:
Switch> show l2protocol-tunnel
COS for Encapsulated Packets: 5
Drop Threshold for Encapsulated Packets: 0
Port       Protocol Shutdown  Drop      Encapsulation Decapsulation Drop
                    Threshold Threshold Counter       Counter       Counter
---------- -------- --------- --------- ------------- ------------- -------------
Gi3/0/3    ---      ----      ----      ----          ----          ----
           ---      ----      ----      ----          ----          ----
           ---      ----      ----      ----          ----          ----
           pagp     ----      ----      0             242500
           lacp     ----      ----      24268         242640
           udld     ----      ----      0             897960
Gi3/0/4    ---      ----      ----      ----          ----          ----
           ---      ----      ----      ----          ----          ----
           ---      ----      ----      ----          ----          ----
           pagp     1000      ----      24249         242700
           lacp     ----      ----      24256         242660
           udld     ----      ----      0             897960
Gi6/0/1    cdp      ----      ----      134482        1344820
           ---      ----      ----      ----          ----          ----
           ---      ----      ----      ----          ----          ----
           pagp     1000      ----      0             242500
           lacp     500       ----      0             485320
           udld     300       ----      44899         448980
Gi6/0/2    cdp      ----      ----      134482        1344820
           ---      ----      ----      ----          ----          ----
           ---      ----      ----      ----          ----          ----
           pagp     ----      1000      0             242700
           lacp     ----      ----      0             485220
           udld     300       ----      44899         448980
This is an example of output from the show l2protocol-tunnel summary command:
Switch> show l2protocol-tunnel summary
COS for Encapsulated Packets: 5
Drop Threshold for Encapsulated Packets: 0
Port Protocol Shutdown Drop Status
Threshold Threshold
(cdp/stp/vtp) (cdp/stp/vtp)
(pagp/lacp/udld) (pagp/lacp/udld)
------- ------------- ---------------- ---------------- ----------
Gi3/0/2 pagp lacp udld ----/----/---- ----/----/---- up
Gi4/0/3 pagp lacp udld 1000/ 500/---- ----/----/---- up
Gi9/0/1 pagp ---- ---- ----/----/---- 1000/----/---- down
Gi9/0/2 pagp ---- ---- ----/----/---- 1000/----/---- down
Command | Description |
Clears the protocol counters in protocol tunnel ports. | |
Enables tunneling of Layer 2 protocols on an access port, IEEE 802.1Q tunnel port, or a port channel. | |
Configures class of service (CoS) value for all tunneled Layer 2 protocol packets. |
To display platform-dependent VLAN information, use the show platform vlan privileged EXEC command.
show platform vlan { misc | mvid | prune | refcount | rpc { receive | transmit } }
misc |
Displays miscellaneous VLAN module information. |
mvid |
Displays the mapped VLAN ID (MVID) allocation information. |
prune |
Displays the stack or platform-maintained pruning database. |
refcount |
Displays the VLAN lock module-wise reference counts. |
rpc |
Displays remote procedure call (RPC) messages. |
receive |
Displays received information. |
transmit |
Displays sent information. |
None
Privileged EXEC
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 |
This command was introduced. |
Use this command only when you are working directly with your technical support representative while troubleshooting a problem. Do not use this command unless your technical support representative asks you to do so.
This example shows how to display remote procedure call (RPC) messages:
Switch# show platform vlan rpc
To display the parameters for all configured VLANs or one VLAN (if the VLAN ID or name is specified) on the switch, use the show vlan command in user EXEC mode.
show vlan [ brief | dot1q tag native | group | id vlan-id | internal usage | mtu | name vlan-name | private-vlan [ type ] | remote-span | summary ]
brief |
(Optional) Displays one line for each VLAN with the VLAN name, status, and its ports. |
dot1q tag native |
(Optional) Displays the IEEE 802.1Q native VLAN tagging status. |
group |
(Optional) Displays information about VLAN groups. |
id vlan-id |
(Optional) Displays information about a single VLAN identified by the VLAN ID number. For vlan-id, the range is 1 to 4094. |
internal usage |
(Optional) Displays a list of VLANs being used internally by the switch. These VLANs are always from the extended range (VLAN IDs 1006 to 4094), and you cannot create VLANs with these IDs by using the vlan global configuration command until you remove them from internal use. |
mtu |
(Optional) Displays a list of VLANs and the minimum and maximum transmission unit (MTU) sizes configured on ports in the VLAN. |
name vlan-name |
(Optional) Displays information about a single VLAN identified by the VLAN name. The VLAN name is an ASCII string from 1 to 32 characters. |
private-vlan |
(Optional) Displays information about configured private VLANs, including primary and secondary VLAN IDs, type (community, isolated, or primary) and ports belonging to the private VLAN. This keyword is only supported if your switch is running the IP services feature set. |
type |
(Optional) Displays only private VLAN ID and type. |
remote-span |
(Optional) Displays information about Remote SPAN (RSPAN) VLANs. |
summary |
(Optional) Displays VLAN summary information. |
Note | The ifindex keyword is not supported, even though it is visible in the command-line help string. |
None
User EXEC
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 |
This command was introduced. |
In the show vlan mtu command output, the MTU_Mismatch column shows whether all the ports in the VLAN have the same MTU. When yes appears in the column, it means that the VLAN has ports with different MTUs, and packets that are switched from a port with a larger MTU to a port with a smaller MTU might be dropped. If the VLAN does not have an SVI, the hyphen (-) symbol appears in the SVI_MTU column. If the MTU_Mismatch column displays yes, the names of the ports with the MinMTU and the MaxMTU appear.
If you try to associate a private VLAN secondary VLAN with a primary VLAN before you define the secondary VLAN, the secondary VLAN is not included in the show vlan private-vlan command output.
In the show vlan private-vlan type command output, a type displayed as normal means a VLAN that has a private VLAN association but is not part of the private VLAN. For example, if you define and associate two VLANs as primary and secondary VLANs and then delete the secondary VLAN configuration without removing the association from the primary VLAN, the VLAN that was the secondary VLAN is shown as normal in the display. In the show vlan private-vlan output, the primary and secondary VLAN pair is shown as nonoperational.
This is an example of output from the show vlan command. See the table that follows for descriptions of the fields in the display.
Switch> show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi1/0/2, Gi1/0/3, Gi1/0/4
Gi1/0/5, Gi1/0/6, Gi1/0/7
Gi1/0/8, Gi1/0/9, Gi1/0/10
Gi1/0/11, Gi1/0/12, Gi1/0/13
Gi1/0/14, Gi1/0/15, Gi1/0/16
Gi1/0/17, Gi1/0/18, Gi1/0/19
Gi1/0/20, Gi1/0/21, Gi1/0/22
Gi1/0/23, Gi1/0/24, Gi1/0/25
Gi1/0/26, Gi1/0/27, Gi1/0/28
Gi1/0/29, Gi1/0/30, Gi1/0/31
Gi1/0/32, Gi1/0/33, Gi1/0/34
Gi1/0/35, Gi1/0/36, Gi1/0/37
Gi1/0/38, Gi1/0/39, Gi1/0/40
Gi1/0/41, Gi1/0/42, Gi1/0/43
Gi1/0/44, Gi1/0/45, Gi1/0/46
Gi1/0/47, Gi1/0/48
2 VLAN0002 active
40 vlan-40 active
300 VLAN0300 active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
2 enet 100002 1500 - - - - - 0 0
40 enet 100040 1500 - - - - - 0 0
300 enet 100300 1500 - - - - - 0 0
1002 fddi 101002 1500 - - - - - 0 0
1003 tr 101003 1500 - - - - - 0 0
1004 fdnet 101004 1500 - - - ieee - 0 0
1005 trnet 101005 1500 - - - ibm - 0 0
2000 enet 102000 1500 - - - - - 0 0
3000 enet 103000 1500 - - - - - 0 0
Remote SPAN VLANs
------------------------------------------------------------------------------
2000,3000
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
Field |
Description |
---|---|
VLAN |
VLAN number. |
Name |
Name, if configured, of the VLAN. |
Status |
Status of the VLAN (active or suspend). |
Ports |
Ports that belong to the VLAN. |
Type |
Media type of the VLAN. |
SAID |
Security association ID value for the VLAN. |
MTU |
Maximum transmission unit size for the VLAN. |
Parent |
Parent VLAN, if one exists. |
RingNo |
Ring number for the VLAN, if applicable. |
BrdgNo |
Bridge number for the VLAN, if applicable. |
Stp |
Spanning Tree Protocol type used on the VLAN. |
BrdgMode |
Bridging mode for this VLAN—possible values are source-route bridging (SRB) and source-route transparent (SRT); the default is SRB. |
Trans1 |
Translation bridge 1. |
Trans2 |
Translation bridge 2. |
Remote SPAN VLANs |
Identifies any RSPAN VLANs that have been configured. |
Primary/Secondary/Type/Ports |
Includes any private VLANs that have been configured, including the primary VLAN ID, the secondary VLAN ID, the type of secondary VLAN (community or isolated), and the ports that belong to it. |
This is an example of output from the show vlan dot1q tag native command:
Switch> show vlan dot1q tag native
dot1q native vlan tagging is disabled
This is an example of output from the show vlan private-vlan command:
Switch> show vlan private-vlan
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
10 501 isolated Gi3/0/3
10 502 community Gi2/0/11
10 503 non-operational3 -
20 25 isolated Gi1/0/13, Gi1/0/20, Gi1/0/22, Gi1/0/1, Gi2/0/13, Gi2/0/22, Gi3/0/13, Gi3/0/14, Gi3/0/20, Gi3/0/1
20 30 community Gi1/0/13, Gi1/0/20, Gi1/0/21, Gi1/0/1, Gi2/0/13, Gi2/0/20, Gi3/0/14, Gi3/0/20, Gi3/0/21, Gi3/0/1
20 35 community Gi1/0/13, Gi1/0/20, Gi1/0/23, Gi1/0/33. Gi1/0/1, Gi2/0/13, Gi3/0/14, Gi3/0/20. Gi3/0/23, Gi3/0/33, Gi3/0/1
20 55 non-operational
2000 2500 isolated Gi1/0/5, Gi1/0/10, Gi2/0/5, Gi2/0/10, Gi2/0/15
This is an example of output from the show vlan private-vlan type command:
Switch> show vlan private-vlan type
Vlan Type
---- -----------------
10 primary
501 isolated
502 community
503 normal
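The usage guideline about VLANs typed normal can be checked mechanically by correlating the two outputs above. The following Python code is an added example, not part of the Cisco documentation; both captures are constructed and the function names are hypothetical.

```python
import re

PAIR_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\S+)\s*(.*)$")
TYPE_RE = re.compile(r"^(\d+)\s+(\S+)$")


def parse_pairs(text):
    """Rows of 'show vlan private-vlan' as dicts."""
    rows = []
    for raw in text.splitlines():
        m = PAIR_RE.match(raw.strip())
        if m:
            # A lone "-" or an empty column means no ports are listed.
            ports = [p.strip() for p in m.group(4).split(",")
                     if p.strip() not in ("", "-")]
            rows.append({"primary": int(m.group(1)),
                         "secondary": int(m.group(2)),
                         "type": m.group(3), "ports": ports})
    return rows


def parse_types(text):
    """Map VLAN ID -> type from 'show vlan private-vlan type'."""
    types = {}
    for raw in text.splitlines():
        m = TYPE_RE.match(raw.strip())
        if m:
            types[int(m.group(1))] = m.group(2)
    return types


def audit_private_vlans(pairs_text, types_text):
    """Return (primary, secondary, reason) for every nonoperational pair."""
    types = parse_types(types_text)
    findings = []
    for row in parse_pairs(pairs_text):
        # Prefix match, so trailing characters after the keyword are tolerated.
        if not row["type"].startswith("non-operational"):
            continue
        if types.get(row["secondary"]) == "normal":
            # The association is still on the primary VLAN, but the
            # secondary VLAN is no longer part of the private VLAN.
            reason = "dangling association: secondary VLAN is typed normal"
        else:
            reason = "nonoperational: secondary VLAN is not typed normal"
        findings.append((row["primary"], row["secondary"], reason))
    return findings


# Constructed captures (not from a real switch).
PAIRS_OUTPUT = """\
Switch> show vlan private-vlan
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
10      501       isolated          Gi3/0/3
10      502       community         Gi2/0/11
10      503       non-operational   -
20      55        non-operational
"""

TYPES_OUTPUT = """\
Switch> show vlan private-vlan type
Vlan Type
---- -----------------
10   primary
501  isolated
502  community
503  normal
20   primary
55   isolated
"""

if __name__ == "__main__":
    for primary, secondary, reason in audit_private_vlans(PAIRS_OUTPUT,
                                                          TYPES_OUTPUT):
        print(f"primary {primary} / secondary {secondary}: {reason}")
```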
This is an example of output from the show vlan summary command:
Switch> show vlan summary
Number of existing VLANs : 45
Number of existing VTP VLANs : 45
Number of existing extended VLANS : 0
This is an example of output from the show vlan internal usage command. It shows that VLANs 1025 and 1026 are being used as internal VLANs for Gigabit Ethernet routed ports 23 and 24 on stack member 1. If you want to use one of these VLAN IDs, you must first shut down the routed port, which releases the internal VLAN, and then create the extended-range VLAN. When you start up the routed port, another internal VLAN number is assigned to it.
Switch> show vlan internal usage
VLAN Usage
---- -------------
1025 GigabitEthernet1/0/23
1026 GigabitEthernet1/0/24
This is an example of output from the show vlan id command:
Switch# show vlan id 2
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
2 VLAN0200 active Gi1/0/7, Gi1/0/8
2 VLAN0200 active Gi2/0/1, Gi2/0/2
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
2 enet 100002 1500 - - - - - 0 0
Remote SPAN VLANs
------------------------------------------------------------------------------
Disabled
Command | Description |
switchport mode | Configures the VLAN membership mode of a port. |
Adds a VLAN and enters the VLAN configuration mode. |
To display the VLAN Query Protocol (VQP) version, reconfirmation interval, retry count, VLAN Membership Policy Server (VMPS) IP addresses, and the current and primary servers, use the show vmps command in EXEC mode.
show vmps [ statistics ]
statistics |
(Optional) Displays VQP client-side statistics and counters. |
None
User EXEC
Privileged EXEC
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 |
This command was introduced. |
This is an example of output from the show vmps command:
Switch> show vmps
VQP Client Status:
--------------------
VMPS VQP Version: 1
Reconfirm Interval: 60 min
Server Retry Count: 3
VMPS domain server:
Reconfirmation status
---------------------
VMPS Action: other
This is an example of output from the show vmps statistics command. The table that follows describes each field in the display.
Switch> show vmps statistics
VMPS Client Statistics
----------------------
VQP Queries: 0
VQP Responses: 0
VMPS Changes: 0
VQP Shutdowns: 0
VQP Denied: 0
VQP Wrong Domain: 0
VQP Wrong Version: 0
VQP Insufficient Resource: 0
Field |
Description |
---|---|
VQP Queries |
Number of queries sent by the client to the VMPS. |
VQP Responses |
Number of responses sent to the client from the VMPS. |
VMPS Changes |
Number of times that the VMPS changed from one server to another. |
VQP Shutdowns |
Number of times the VMPS sent a response to shut down the port. The client disables the port and removes all dynamic addresses on this port from the address table. You must administratively reenable the port to restore connectivity. |
VQP Denied |
Number of times the VMPS denied the client request for security reasons. When the VMPS response denies an address, no frame is forwarded to or from the workstation with that address (broadcast or multicast frames are delivered to the workstation if the port has been assigned to a VLAN). The client keeps the denied address in the address table as a blocked address to prevent more queries from being sent to the VMPS for each new packet received from this workstation. The client ages the address if no new packets are received from this workstation on this port within the aging time period. |
VQP Wrong Domain |
Number of times the management domain in the request does not match the one for the VMPS. Any previous VLAN assignments of the port are not changed. This response means that the server and the client have not been configured with the same VTP management domain. |
VQP Wrong Version |
Number of times the version field in the query packet contains a value that is higher than the version supported by the VMPS. The VLAN assignment of the port is not changed. The switches send only VMPS Version 1 requests. |
VQP Insufficient Resource |
Number of times the VMPS is unable to answer the request because of a resource availability problem. If the retry limit has not yet been reached, the client repeats the request with the same server or with the next alternate server, depending on whether the per-server retry count has been reached. |
Command | Description |
Clears the VLAN Membership Policy Server (VMPS) statistics maintained by the VQP client. | |
Changes the reconfirmation interval for the VQP client. | |
Configures the per-server retry count for the VLAN Query Protocol (VQP) client. | |
Configures the primary VLAN Membership Policy Server (VMPS) and up to three secondary servers. |
To display general information about the VLAN Trunking Protocol (VTP) management domain, status, and counters, use the show vtp command in EXEC mode.
show vtp { counters | devices [ conflicts ] | interface [ interface-id ] | password | status }
counters |
Displays the VTP statistics for the switch. |
devices |
Displays information about all VTP version 3 devices in the domain. This keyword applies only if the switch is not running VTP version 3. |
conflicts |
(Optional) Displays information about VTP version 3 devices that have conflicting primary servers. This command is ignored when the switch is in VTP transparent or VTP off mode. |
interface |
Displays VTP status and configuration for all interfaces or the specified interface. |
interface-id |
(Optional) Interface for which to display VTP status and configuration. This can be a physical interface or a port channel. |
password |
Displays the configured VTP password (available in privileged EXEC mode only). |
status |
Displays general information about the VTP management domain status. |
None
User EXEC
Privileged EXEC
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 |
This command was introduced. |
When you enter the show vtp password command when the switch is running VTP version 3, the display follows these rules:
This is an example of output from the show vtp devices command. A Yes in the Conflict column indicates that the responding server is in conflict with the local server for the feature; that is, when two switches in the same domain do not have the same primary server for a database.
Switch# show vtp devices
Retrieving information from the VTP domain. Waiting for 5 seconds.
VTP Database Conf switch ID Primary Server Revision System Name
lict
------------ ---- -------------- -------------- ---------- ----------------------
VLAN Yes 00b0.8e50.d000 000c.0412.6300 12354 main.cisco.com
MST No 00b0.8e50.d000 0004.AB45.6000 24 main.cisco.com
VLAN Yes 000c.0412.6300=000c.0412.6300 67 qwerty.cisco.com
This is an example of output from the show vtp counters command. The table that follows describes each field in the display.
Switch> show vtp counters
VTP statistics:
Summary advertisements received : 0
Subset advertisements received : 0
Request advertisements received : 0
Summary advertisements transmitted : 0
Subset advertisements transmitted : 0
Request advertisements transmitted : 0
Number of config revision errors : 0
Number of config digest errors : 0
Number of V1 summary errors : 0
VTP pruning statistics:
Trunk Join Transmitted Join Received Summary advts received from
non-pruning-capable device
---------------- ---------------- ---------------- ---------------------------
Gi1/0/47 0 0 0
Gi1/0/48 0 0 0
Gi2/0/1 0 0 0
Gi3/0/2 0 0 0
Field |
Description |
---|---|
Summary advertisements received |
Number of summary advertisements received by this switch on its trunk ports. Summary advertisements contain the management domain name, the configuration revision number, the update timestamp and identity, the authentication checksum, and the number of subset advertisements to follow. |
Subset advertisements received |
Number of subset advertisements received by this switch on its trunk ports. Subset advertisements contain all the information for one or more VLANs. |
Request advertisements received |
Number of advertisement requests received by this switch on its trunk ports. Advertisement requests normally request information on all VLANs. They can also request information on a subset of VLANs. |
Summary advertisements transmitted |
Number of summary advertisements sent by this switch on its trunk ports. Summary advertisements contain the management domain name, the configuration revision number, the update timestamp and identity, the authentication checksum, and the number of subset advertisements to follow. |
Subset advertisements transmitted |
Number of subset advertisements sent by this switch on its trunk ports. Subset advertisements contain all the information for one or more VLANs. |
Request advertisements transmitted |
Number of advertisement requests sent by this switch on its trunk ports. Advertisement requests normally request information on all VLANs. They can also request information on a subset of VLANs. |
Number of configuration revision errors |
Number of revision errors. Whenever you define a new VLAN, delete an existing one, suspend or resume an existing VLAN, or modify the parameters on an existing VLAN, the configuration revision number of the switch increments. Revision errors increment whenever the switch receives an advertisement whose revision number matches the revision number of the switch, but the MD5 digest values do not match. This error means that the VTP password in the two switches is different or that the switches have different configurations. These errors indicate that the switch is filtering incoming advertisements, which causes the VTP database to become unsynchronized across the network. |
Number of configuration digest errors |
Number of MD5 digest errors. Digest errors increment whenever the MD5 digest in the summary packet and the MD5 digest of the received advertisement calculated by the switch do not match. This error usually means that the VTP password in the two switches is different. To solve this problem, make sure the VTP password on all switches is the same. These errors indicate that the switch is filtering incoming advertisements, which causes the VTP database to become unsynchronized across the network. |
Number of V1 summary errors |
Number of Version 1 errors. Version 1 summary errors increment whenever a switch in VTP V2 mode receives a VTP Version 1 frame. These errors indicate that at least one neighboring switch is either running VTP Version 1 or VTP Version 2 with V2-mode disabled. To solve this problem, change the configuration of the switches in VTP V2-mode to disabled. |
Join Transmitted |
Number of VTP pruning messages sent on the trunk. |
Join Received |
Number of VTP pruning messages received on the trunk. |
Summary Advts Received from non-pruning-capable device |
Number of VTP summary messages received on the trunk from devices that do not support pruning. |
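The error counters described above are cumulative, so a single reading says little; what matters is whether they grow between collections. As an added example (not part of the Cisco documentation), this Python code parses two show vtp counters captures, both constructed here, and reports growth in the three error counters plus any trunk that received summaries from a non-pruning-capable device. All function names are hypothetical.

```python
import re

# Error counters and the cause the field table gives for each.
ERROR_COUNTERS = {
    "Number of config revision errors":
        "same revision, different MD5 digest (password or config differs)",
    "Number of config digest errors":
        "MD5 digest mismatch (VTP password usually differs)",
    "Number of V1 summary errors":
        "VTP Version 1 frame received while in V2 mode",
}
STAT_RE = re.compile(r"^(.+?)\s*:\s*(\d+)$")
TRUNK_RE = re.compile(r"^([A-Za-z]+\d+(?:/\d+)*)\s+(\d+)\s+(\d+)\s+(\d+)$")


def parse_vtp_counters(text):
    """Parse 'show vtp counters' output into (stats, pruning) dicts."""
    stats, pruning, in_pruning = {}, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("VTP pruning statistics"):
            in_pruning = True
        elif in_pruning:
            m = TRUNK_RE.match(line)
            if m:
                # (join transmitted, join received, summaries from
                # non-pruning-capable devices)
                pruning[m.group(1)] = tuple(int(v) for v in m.groups()[1:])
        else:
            m = STAT_RE.match(line)
            if m:
                stats[m.group(1)] = int(m.group(2))
    return stats, pruning


def counter_deltas(before, after):
    """Growth of each counter between two snapshots.

    The counters are cumulative. A value lower than the earlier one means
    they were cleared in between, so the new value itself is the growth.
    """
    deltas = {}
    for name, new in after.items():
        old = before.get(name, 0)
        deltas[name] = new - old if new >= old else new
    return deltas


def vtp_findings(before_text, after_text):
    """Findings for the interval between two captures."""
    before, _ = parse_vtp_counters(before_text)
    after, pruning = parse_vtp_counters(after_text)
    deltas = counter_deltas(before, after)
    findings = []
    for name, cause in ERROR_COUNTERS.items():
        if deltas.get(name, 0) > 0:
            findings.append(f"{name} grew by {deltas[name]}: {cause}")
    for trunk in sorted(pruning):
        if pruning[trunk][2] > 0:
            findings.append(
                f"{trunk}: summaries from a non-pruning-capable device")
    return findings


# Constructed captures (not from a real switch); only three values vary.
TEMPLATE = """\
Switch> show vtp counters
VTP statistics:
Summary advertisements received    : {rx}
Subset advertisements received     : 14
Request advertisements received    : 0
Summary advertisements transmitted : 118
Subset advertisements transmitted  : 12
Request advertisements transmitted : 1
Number of config revision errors   : 0
Number of config digest errors     : {digest}
Number of V1 summary errors        : 0
VTP pruning statistics:
Trunk            Join Transmitted Join Received    Summary advts received from
                                                   non-pruning-capable device
---------------- ---------------- ---------------- ---------------------------
Gi1/0/47         30               28               0
Gi1/0/48         30               0                {legacy}
"""
SNAPSHOT_1 = TEMPLATE.format(rx=120, digest=2, legacy=0)
SNAPSHOT_2 = TEMPLATE.format(rx=180, digest=9, legacy=5)

if __name__ == "__main__":
    for finding in vtp_findings(SNAPSHOT_1, SNAPSHOT_2):
        print(finding)
```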
This is an example of output from the show vtp status command. The table that follows describes each field in the display.
Switch> show vtp status
VTP Version capable : 1 to 3
VTP version running : 1
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 2037.06ce.3580
Configuration last modified by 192.168.1.1 at 10-10-12 04:34:02
Local updater ID is 192.168.1.1 on interface LIIN0 (first layer3 interface found)
Feature VLAN:
--------------
VTP Operating Mode : Server
Maximum VLANs supported locally : 1005
Number of existing VLANs : 7
Configuration Revision : 2
MD5 digest : 0xA0 0xA1 0xFE 0x4E 0x7E 0x5D 0x97 0x41
0x89 0xB9 0x9B 0x70 0x03 0x61 0xE9 0x27
Field |
Description |
---|---|
VTP Version capable |
Displays the VTP versions that are capable of operating on the switch. |
VTP Version running |
Displays the VTP version operating on the switch. By default, the switch implements Version 1 but can be set to Version 2. |
VTP Domain Name |
Name that identifies the administrative domain for the switch. |
VTP Pruning Mode |
Displays whether pruning is enabled or disabled. Enabling pruning on a VTP server enables pruning for the entire management domain. Pruning restricts flooded traffic to those trunk links that the traffic must use to access the appropriate network devices. |
VTP Traps Generation |
Displays whether VTP traps are sent to a network management station. |
Device ID |
Displays the MAC address of the local device. |
Configuration last modified |
Displays the date and time of the last configuration modification. Displays the IP address of the switch that caused the configuration change to the database. |
VTP Operating Mode |
Displays the VTP operating mode, which can be server, client, or transparent.
Server: A switch in VTP server mode is enabled for VTP and sends advertisements. You can configure VLANs on it. The switch guarantees that it can recover all the VLAN information in the current VTP database from NVRAM after reboot. By default, every switch is a VTP server.
Client: A switch in VTP client mode is enabled for VTP, can send advertisements, but does not have enough nonvolatile storage to store VLAN configurations. You cannot configure VLANs on it. When a VTP client starts up, it does not send VTP advertisements until it receives advertisements to initialize its VLAN database.
Transparent: A switch in VTP transparent mode is disabled for VTP, does not send or learn from advertisements sent by other devices, and cannot affect VLAN configurations on other devices in the network. The switch receives VTP advertisements and forwards them on all trunk ports except the one on which the advertisement was received. |
Maximum VLANs Supported Locally |
Maximum number of VLANs supported locally. |
Number of Existing VLANs |
Number of existing VLANs. |
Configuration Revision |
Current configuration revision number on this switch. |
MD5 Digest |
A 16-byte checksum of the VTP configuration. |
This is an example of output from the show vtp status command for a switch running VTP version 3:
Switch# show vtp status
VTP Version capable : 1 to 3
VTP version running : 3
VTP Domain Name : Cisco
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 0cd9.9624.dd80
Feature VLAN:
--------------
VTP Operating Mode : Off
Number of existing VLANs : 11
Number of existing extended VLANs : 0
Maximum VLANs supported locally : 1005
Feature MST:
--------------
VTP Operating Mode : Transparent
Feature UNKNOWN:
--------------
VTP Operating Mode : Transparent
Command | Description |
Clears the VLAN Trunking Protocol (VTP) and pruning counters. |
To configure an interface as either a host private-VLAN port or a promiscuous private-VLAN port, use the switchport mode private-vlan command in interface configuration mode. To reset the mode to the appropriate default for the device, use the no form of this command.
switchport mode private-vlan { host | promiscuous }
no switchport mode private-vlan
host |
Configures the interface as a private-VLAN host port. Host ports belong to private-VLAN secondary VLANs and are either community ports or isolated ports, depending on the VLAN to which they belong. |
promiscuous |
Configures the interface as a private-VLAN promiscuous port. Promiscuous ports are members of private-VLAN primary VLANs. |
None
Interface configuration
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 |
This command was introduced. |
A private-VLAN host or promiscuous port cannot be a Switched Port Analyzer (SPAN) destination port. If you configure a SPAN destination port as a private-VLAN host or promiscuous port, the port becomes inactive.
Do not configure private VLAN on ports with these other features:
While a port is part of the private-VLAN configuration, any EtherChannel configuration for it is inactive.
A private-VLAN port cannot be a secure port and should not be configured as a protected port.
For more information about private-VLAN interaction with other features, see the software configuration guide for this release.
We strongly recommend that you enable spanning tree Port Fast and bridge-protocol-data-unit (BPDU) guard on isolated and community host ports to prevent STP loops due to misconfigurations and to speed up STP convergence.
If you configure a port as a private-VLAN host port and you do not configure a valid private-VLAN association by using the switchport private-vlan host-association command, the interface becomes inactive.
If you configure a port as a private-VLAN promiscuous port and you do not configure a valid private VLAN mapping by using the switchport private-vlan mapping command, the interface becomes inactive.
This example shows how to configure an interface as a private-VLAN host port and associate it to primary VLAN 20. The interface is a member of secondary isolated VLAN 501 and primary VLAN 20.
Switch(config)# interface gigabitethernet2/0/1
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 20 501
Switch(config-if)# end
This example shows how to configure an interface as a private-VLAN promiscuous port and map it to a private VLAN. The interface is a member of primary VLAN 20 and secondary VLANs 501 to 503 are mapped to it.
Switch(config)# interface gigabitethernet2/0/1
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 20 501-503
Switch(config-if)# end
To set a port priority for the incoming untagged frames or the priority of frames received by the IP phone connected to the specified port, use the switchport priority extend command in interface configuration mode. To return to the default setting, use the no form of this command.
switchport priority extend { cos value | trust }
no switchport priority extend
cos value |
Sets the IP phone port to override the IEEE 802.1p priority received from the PC or the attached device with the specified class of service (CoS) value. The range is 0 to 7. Seven is the highest priority. The default is 0. |
trust |
Sets the IP phone port to trust the IEEE 802.1p priority received from the PC or the attached device. |
The default port priority is set to a CoS value of 0 for untagged frames received on the port.
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 |
This command was introduced. |
When voice VLAN is enabled, you can configure the switch to send the Cisco Discovery Protocol (CDP) packets to instruct the IP phone how to send data packets from the device attached to the access port on the Cisco IP Phone. You must enable CDP on the switch port connected to the Cisco IP Phone to send the configuration to the Cisco IP Phone. (CDP is enabled by default globally and on all switch interfaces.)
You should configure voice VLAN on switch access ports. You can configure a voice VLAN only on Layer 2 ports.
Before you enable voice VLAN, we recommend that you enable quality of service (QoS) on the switch by entering the mls qos global configuration command and configure the port trust state to trust by entering the mls qos trust cos interface configuration command.
This example shows how to configure the IP phone connected to the specified port to trust the received IEEE 802.1p priority:
Switch(config)# interface gigabitethernet1/0/2
Switch(config-if)# switchport priority extend trust
You can verify your settings by entering the show interfaces interface-id switchport privileged EXEC command.
To set the trunk characteristics when the interface is in trunking mode, use the switchport trunk command in interface configuration mode. To reset a trunking characteristic to the default, use the no form of this command.
switchport trunk { allowed vlan vlan-list | native vlan vlan-id | pruning vlan vlan-list }
no switchport trunk { allowed vlan | native vlan | pruning vlan }
allowed vlan vlan-list |
Sets the list of allowed VLANs that can receive and send traffic on this interface in tagged format when in trunking mode. See the Usage Guidelines for the vlan-list choices. |
native vlan vlan-id | Sets the native VLAN for sending and receiving untagged traffic when the interface is in IEEE 802.1Q trunking mode. The range is 1 to 4094. |
pruning vlan vlan-list | Sets the list of VLANs that are eligible for VTP pruning when in trunking mode. See the Usage Guidelines for the vlan-list choices. |
VLAN 1 is the default native VLAN ID on the port.
The default for all VLAN lists is to include all VLANs.
Interface configuration
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 |
This command was introduced. |
The vlan-list format is all | none | [add | remove | except] vlan-atom ,vlan-atom...:
Note | You can add extended-range VLANs to the allowed VLAN list, but not to the pruning-eligible VLAN list. |
Note | You can remove extended-range VLANs from the allowed VLAN list, but you cannot remove them from the pruning-eligible list. |
Native VLANs:
Allowed VLAN:
Trunk pruning:
This example shows how to configure VLAN 3 as the default for the port to send all untagged traffic:
Switch(config)# interface gigabitethernet1/0/2
Switch(config-if)# switchport trunk native vlan 3
This example shows how to add VLANs 1, 2, 5, and 6 to the allowed list:
Switch(config)# interface gigabitethernet1/0/2
Switch(config-if)# switchport trunk allowed vlan add 1,2,5,6
This example shows how to remove VLANs 3 and 10 to 15 from the pruning-eligible list:
Switch(config)# interface gigabitethernet1/0/2
Switch(config-if)# switchport trunk pruning vlan remove 3,10-15
You can verify your settings by entering the show interfaces interface-id switchport privileged EXEC command.
Command | Description |
show interfaces | Displays the administrative and operational status of all interfaces or a specified interface. |
switchport mode | Configures the VLAN membership mode of a port. |
To configure voice VLAN on the port, use the switchport voice vlan command in interface configuration mode. To return to the default setting, use the no form of this command.
switchport voice vlan { vlan-id | dot1p | none | untagged }
no switchport voice vlan
vlan-id |
The VLAN to be used for voice traffic. The range is 1 to 4094. By default, the IP phone forwards the voice traffic with an IEEE 802.1Q priority of 5. |
dot1p |
Configures the telephone to use IEEE 802.1p priority tagging and uses VLAN 0 (the native VLAN). By default, the Cisco IP phone forwards the voice traffic with an IEEE 802.1p priority of 5. |
none | Does not instruct the IP telephone about the voice VLAN. The telephone uses the configuration from the telephone key pad. |
untagged | Configures the telephone to send untagged voice traffic. This is the default for the telephone. |
The default is not to automatically configure the telephone (none).
The telephone default is not to tag frames.
Interface configuration
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 |
This command was introduced. |
You should configure voice VLAN on Layer 2 access ports.
You must enable Cisco Discovery Protocol (CDP) on the switch port connected to the Cisco IP phone for the switch to send configuration information to the phone. CDP is enabled by default globally and on the interface.
Before you enable voice VLAN, we recommend that you enable quality of service (QoS) on the switch by entering the mls qos global configuration command and configure the port trust state to trust by entering the mls qos trust cos interface configuration command.
When you enter a VLAN ID, the IP phone forwards voice traffic in IEEE 802.1Q frames, tagged with the specified VLAN ID. The switch puts IEEE 802.1Q voice traffic in the voice VLAN.
When you select dot1p, none, or untagged, the switch puts the indicated voice traffic in the access VLAN.
In all configurations, the voice traffic carries a Layer 2 IP precedence value. The default is 5 for voice traffic.
When you enable port security on an interface that is also configured with a voice VLAN, set the maximum allowed secure addresses on the port to 2. When the port is connected to a Cisco IP phone, the IP phone requires one MAC address. The Cisco IP phone address is learned on the voice VLAN, but not on the access VLAN. If you connect a single PC to the Cisco IP phone, no additional MAC addresses are required. If you connect more than one PC to the Cisco IP phone, you must configure enough secure addresses to allow one for each PC and one for the Cisco IP phone.
If any type of port security is enabled on the access VLAN, dynamic port security is automatically enabled on the voice VLAN.
You cannot configure static secure MAC addresses in the voice VLAN.
A voice-VLAN port cannot be a private-VLAN port.
The Port Fast feature is automatically enabled when voice VLAN is configured. When you disable voice VLAN, the Port Fast feature is not automatically disabled.
This example shows how to configure VLAN 2 as the voice VLAN for the port:
Switch(config)# interface gigabitethernet1/0/2
Switch(config-if)# switchport voice vlan 2
You can verify your settings by entering the show interfaces interface-id switchport privileged EXEC command.
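The voice VLAN guidelines above (Layer 2 access port, CDP enabled on the port, a secure-address maximum of at least 2 when port security is on) can be checked against a saved configuration. The following Python script is an added example, not Cisco code; the sample configuration is constructed, and it assumes the IOS default of one secure address when no switchport port-security maximum line is present and the no cdp enable interface command as the way CDP is turned off on a port.

```python
import re

# Constructed sample running-config fragment (not from a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 2
 switchport port-security
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 2
 switchport port-security maximum 2
 switchport port-security
!
interface GigabitEthernet1/0/3
 switchport mode access
 switchport voice vlan 2
 no cdp enable
!
interface GigabitEthernet1/0/4
 switchport mode trunk
 switchport voice vlan dot1p
 switchport port-security maximum 3
 switchport port-security
!
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 10
"""

MAX_RE = re.compile(r"switchport port-security maximum (\d+)")


def interface_stanzas(config_text):
    """Return {interface name: [sub-commands]} from running-config text."""
    stanzas, current = {}, None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # "!" or any top-level line ends the stanza
    return stanzas


def audit_voice_vlan_ports(config_text):
    """Return {interface: [issues]} for ports that carry a voice VLAN setting."""
    findings = {}
    for name, cmds in interface_stanzas(config_text).items():
        voice = [c for c in cmds if c.startswith("switchport voice vlan ")]
        if not voice or voice[-1].split()[-1] == "none":
            continue  # no voice VLAN instruction is sent to a phone
        issues = []
        if "switchport mode access" not in cmds:
            issues.append("not configured as a Layer 2 access port")
        if "no cdp enable" in cmds:
            issues.append("CDP disabled; phone receives no voice VLAN configuration")
        if "switchport port-security" in cmds:
            maximum = 1  # assumed IOS default when no 'maximum' line is present
            for c in cmds:
                m = MAX_RE.fullmatch(c)  # port-wide limit only, not per-VLAN forms
                if m:
                    maximum = int(m.group(1))
            if maximum < 2:
                issues.append(f"port-security maximum is {maximum}; needs at least 2")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for port, issues in audit_voice_vlan_ports(SAMPLE_CONFIG).items():
        for issue in issues:
            print(f"{port}: {issue}")
```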
Command | Description |
show interfaces | Displays the administrative and operational status of all interfaces or a specified interface. |
Sets a port priority for the incoming untagged frames or the priority of frames received by the IP phone connected to the specified port. |
To add a VLAN and to enter the VLAN configuration mode, use the vlan command in global configuration mode. To delete the VLAN, use the no form of this command.
vlan vlan-id
no vlan vlan-id
vlan-id | ID of the VLAN to be added and configured. The range is 1 to 4094. You can enter a single VLAN ID, a series of VLAN IDs separated by commas, or a range of VLAN IDs separated by hyphens. |
None
Global configuration
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 | This command was introduced. |
You can use the vlan vlan-id global configuration command to add normal-range VLANs (VLAN IDs 1 to 1005) or extended-range VLANs (VLAN IDs 1006 to 4094). Configuration information for normal-range VLANs is always saved in the VLAN database, and you can display this information by entering the show vlan privileged EXEC command. With VTP version 1 and version 2, extended-range VLANs are not recognized by VTP and are not added to the VLAN database. With VTP version 1 and version 2, before adding extended-range VLANs, you must use the vtp mode transparent global configuration command to put the switch in VTP transparent mode. When VTP mode is transparent, VTP mode and domain name and all VLAN configurations are saved in the running configuration, and you can save them in the switch startup configuration file.
VTP version 3 supports propagation of extended-range VLANs and you can create them in VTP server or client mode. VTP versions 1 and 2 propagate only VLANs 1 to 1005.
When you save the VLAN and VTP configurations in the startup configuration file and reboot the switch, the configuration is selected as follows:
With VTP version 1 and version 2, if you try to create an extended-range VLAN when the switch is not in VTP transparent mode, the VLAN is rejected, and you receive an error message.
If you enter an invalid VLAN ID, you receive an error message and do not enter VLAN configuration mode.
Entering the vlan command with a VLAN ID enables VLAN configuration mode. When you enter the VLAN ID of an existing VLAN, you do not create a new VLAN, but you can modify VLAN parameters for that VLAN. The specified VLANs are added or modified when you exit the VLAN configuration mode. Only the shutdown command (for VLANs 1 to 1005) takes effect immediately.
Note | Although all commands are visible, the only VLAN configuration commands that are supported on extended-range VLANs are mtu mtu-size, private-vlan, and remote-span. For extended-range VLANs, all other characteristics must remain at the default state. |
These configuration commands are available in VLAN configuration mode. The no form of each command returns the characteristic to its default state:
Note | The switch supports only Ethernet ports. You configure only FDDI and Token Ring media-specific characteristics for VLAN Trunking Protocol (VTP) global advertisements to other switches. These VLANs are locally suspended. |
Media Type | Valid Syntax |
---|---|
Ethernet | name vlan-name, media ethernet, state {suspend | active}, said said-value, mtu mtu-size, remote-span, tb-vlan1 tb-vlan1-id, tb-vlan2 tb-vlan2-id |
FDDI | name vlan-name, media fddi, state {suspend | active}, said said-value, mtu mtu-size, ring ring-number, parent parent-vlan-id, tb-vlan1 tb-vlan1-id, tb-vlan2 tb-vlan2-id |
FDDI-NET | name vlan-name, media fd-net, state {suspend | active}, said said-value, mtu mtu-size, bridge bridge-number, stp type {ieee | ibm | auto}, tb-vlan1 tb-vlan1-id, tb-vlan2 tb-vlan2-id If VTP v2 mode is disabled, do not set the stp type to auto. |
Token Ring | VTP v1 mode is enabled. name vlan-name, media tokenring, state {suspend | active}, said said-value, mtu mtu-size, ring ring-number, parent parent-vlan-id, tb-vlan1 tb-vlan1-id, tb-vlan2 tb-vlan2-id |
Token Ring concentrator relay function (TrCRF) | VTP v2 mode is enabled. name vlan-name, media tokenring, state {suspend | active}, said said-value, mtu mtu-size, ring ring-number, parent parent-vlan-id, bridge type {srb | srt}, are are-number, ste ste-number, backupcrf {enable | disable}, tb-vlan1 tb-vlan1-id, tb-vlan2 tb-vlan2-id |
Token Ring-NET | VTP v1 mode is enabled. name vlan-name, media tr-net, state {suspend | active}, said said-value, mtu mtu-size, bridge bridge-number, stp type {ieee | ibm}, tb-vlan1 tb-vlan1-id, tb-vlan2 tb-vlan2-id |
Token Ring bridge relay function (TrBRF) | VTP v2 mode is enabled. name vlan-name, media tr-net, state {suspend | active}, said said-value, mtu mtu-size, bridge bridge-number, stp type {ieee | ibm | auto}, tb-vlan1 tb-vlan1-id, tb-vlan2 tb-vlan2-id |
The following table describes the rules for configuring VLANs:
Configuration | Rule |
---|---|
VTP v2 mode is enabled, and you are configuring a TrCRF VLAN media type. | Specify a parent VLAN ID of a TrBRF that already exists in the database. Specify a ring number. Do not leave this field blank. Specify unique ring numbers when TrCRF VLANs have the same parent VLAN ID. Only one backup concentrator relay function (CRF) can be enabled. |
VTP v2 mode is enabled, and you are configuring VLANs other than TrCRF media type. | Do not specify a backup CRF. |
VTP v2 mode is enabled, and you are configuring a TrBRF VLAN media type. | Specify a bridge number. Do not leave this field blank. |
VTP v1 mode is enabled. | No VLAN can have an STP type set to auto. This rule applies to Ethernet, FDDI, FDDI-NET, Token Ring, and Token Ring-NET VLANs. |
Add a VLAN that requires translational bridging (values are not set to zero). | The translational bridging VLAN IDs that are used must already exist in the database. The translational bridging VLAN IDs that a configuration points to must also contain a pointer to the original VLAN in one of the translational bridging parameters (for example, Ethernet points to FDDI, and FDDI points to Ethernet). The translational bridging VLAN IDs that a configuration points to must be different media types than the original VLAN (for example, Ethernet can point to Token Ring). If both translational bridging VLAN IDs are configured, these VLANs must be different media types (for example, Ethernet can point to FDDI and Token Ring). |
This example shows how to add an Ethernet VLAN with default media characteristics. The default includes a vlan-name of VLAN xxxx, where xxxx represents four numeric digits (including leading zeros) equal to the VLAN ID number. The default media is ethernet; the state is active. The default said-value is 100000 plus the VLAN ID; the mtu-size variable is 1500; the stp-type is ieee. When you enter the exit VLAN configuration command, the VLAN is added if it did not already exist; otherwise, this command does nothing.
This example shows how to create a new VLAN with all default characteristics and enter VLAN configuration mode:
Switch(config)# vlan 200
Switch(config-vlan)# exit
Switch(config)#
This example shows how to create a new extended-range VLAN with all the default characteristics, to enter VLAN configuration mode, and to save the new VLAN in the switch startup configuration file:
Switch(config)# vtp mode transparent
Switch(config)# vlan 2000
Switch(config-vlan)# end
Switch# copy running-config startup-config
You can verify your setting by entering the show vlan privileged EXEC command.
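The VLAN ID syntax and the extended-range rule described above can be checked before a change is pushed to a switch. The following Python functions are an added example, not Cisco code; the function names are hypothetical, only the extended-range rule for VTP version 1 and version 2 is modelled, and VTP off mode is assumed to behave like transparent mode for this rule.

```python
NORMAL_MAX = 1005   # normal-range VLANs are 1 to 1005
VLAN_MAX = 4094     # extended-range VLANs are 1006 to 4094


def parse_vlan_ids(spec):
    """Expand a VLAN list such as '5,10-12' into a sorted list of integers.

    Raises ValueError for malformed items, reversed ranges, or IDs outside
    1 to 4094.
    """
    ids = set()
    for part in spec.split(","):
        part = part.strip()
        low, dash, high = part.partition("-")
        if not low.isdigit() or (dash and not high.isdigit()):
            raise ValueError(f"malformed VLAN item: {part!r}")
        first = int(low)
        last = int(high) if dash else first
        if first > last:
            raise ValueError(f"reversed range: {part!r}")
        if first < 1 or last > VLAN_MAX:
            raise ValueError(f"VLAN ID out of range 1-{VLAN_MAX}: {part!r}")
        ids.update(range(first, last + 1))
    return sorted(ids)


def check_vlan_command(spec, vtp_version, vtp_mode):
    """Classify the IDs of a 'vlan <spec>' command and apply the VTP rule.

    With VTP version 1 or 2, extended-range VLANs are rejected unless the
    switch is in transparent mode (off mode is treated the same here, which
    is an assumption of this example).
    """
    ids = parse_vlan_ids(spec)
    normal = [v for v in ids if v <= NORMAL_MAX]
    extended = [v for v in ids if v > NORMAL_MAX]
    rejected = (
        bool(extended)
        and vtp_version in (1, 2)
        and vtp_mode in ("server", "client")
    )
    return {"normal": normal, "extended": extended, "rejected": rejected}


if __name__ == "__main__":
    for spec, version, mode in [("200", 1, "server"),
                                ("2000", 1, "server"),
                                ("2000", 1, "transparent"),
                                ("1000-1010", 3, "server")]:
        print(spec, version, mode, check_vlan_command(spec, version, mode))
```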
Command | Description |
Displays the parameters for all configured VLANs or one VLAN (if the VLAN ID or name is specified) in the administrative domain. |
To enable tagging of native VLAN frames on all IEEE 802.1Q trunk ports, use the vlan dot1q tag native command in global configuration mode. To return to the default setting, use the no form of this command.
vlan dot1q tag native
no vlan dot1q tag native
This command has no arguments or keywords.
The IEEE 802.1Q native VLAN tagging is disabled.
Global configuration
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 | This command was introduced. |
When enabled, native VLAN packets going out of all IEEE 802.1Q trunk ports are tagged.
When disabled, native VLAN packets going out of all IEEE 802.1Q trunk ports are not tagged.
You can use this command with the IEEE 802.1Q tunneling feature. This feature operates on an edge switch of a service-provider network and expands VLAN space by using a VLAN-in-VLAN hierarchy and tagging the tagged packets. You must use IEEE 802.1Q trunk ports for sending packets to the service-provider network. However, packets going through the core of the service-provider network might also be carried on IEEE 802.1Q trunks. If the native VLAN of an IEEE 802.1Q trunk matches the native VLAN of a tunneling port on the same switch, traffic on the native VLAN is not tagged on the sending trunk port. This command ensures that native VLAN packets on all IEEE 802.1Q trunk ports are tagged.
For more information about IEEE 802.1Q tunneling, see the software configuration guide for this release.
This example shows how to enable IEEE 802.1Q tagging on native VLAN frames:
Switch# configure terminal
Switch(config)# vlan dot1q tag native
Switch(config)# end
You can verify your settings by entering the show vlan dot1q tag native privileged EXEC command.
Command | Description |
Displays the parameters for all configured VLANs or one VLAN (if the VLAN ID or name is specified) in the administrative domain. |
To change the reconfirmation interval for the VLAN Query Protocol (VQP) client, use the vmps reconfirm global configuration command. To return to the default setting, use the no form of this command.
vmps reconfirm interval
no vmps reconfirm
interval | Reconfirmation interval for VQP client queries to the VLAN Membership Policy Server (VMPS) to reconfirm dynamic VLAN assignments. The range is 1 to 120 minutes. |
The default reconfirmation interval is 60 minutes.
Global configuration
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 | This command was introduced. |
You can verify your setting by entering the show vmps privileged EXEC command and examining information in the Reconfirm Interval row.
This example shows how to set the VQP client to reconfirm dynamic VLAN entries every 20 minutes:
Switch(config)# vmps reconfirm 20
Command | Description |
Displays the VQP version, reconfirmation interval, retry count, VMPS IP addresses, and the current and primary servers. | |
Immediately sends VQP queries to reconfirm all dynamic VLAN assignments with the VMPS. |
To immediately send VLAN Query Protocol (VQP) queries to reconfirm all dynamic VLAN assignments with the VLAN Membership Policy Server (VMPS), use the vmps reconfirm privileged EXEC command.
vmps reconfirm
This command has no arguments or keywords.
None
Privileged EXEC
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 | This command was introduced. |
You can verify your setting by entering the show vmps privileged EXEC command and examining the VMPS Action row of the Reconfirmation Status section. The show vmps command shows the result of the last time the assignments were reconfirmed either because the reconfirmation timer expired or because the vmps reconfirm command was entered.
This example shows how to immediately send VQP queries to the VMPS:
Switch# vmps reconfirm
Command | Description |
Displays the VQP version, reconfirmation interval, retry count, VMPS IP addresses, and the current and primary servers. | |
Changes the reconfirmation interval for the VQP client. |
To configure the per-server retry count for the VLAN Query Protocol (VQP) client, use the vmps retry command in global configuration mode. Use the no form of this command to return to the default setting.
vmps retry count
no vmps retry
count | Number of attempts to contact the VLAN Membership Policy Server (VMPS) by the client before querying the next server in the list. The range is 1 to 10. |
The default retry count is 3.
Global configuration
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 | This command was introduced. |
This example shows how to set the retry count to 7:
Switch(config)# vmps retry 7
You can verify your setting by entering the show vmps privileged EXEC command and examining information in the Server Retry Count row.
Command | Description |
Displays the VQP version, reconfirmation interval, retry count, VMPS IP addresses, and the current and primary servers. |
To configure the primary VLAN Membership Policy Server (VMPS) and up to three secondary servers, use the vmps server command in global configuration mode. Use the no form of this command to remove a VMPS server.
vmps server { hostname | ip address } [ primary ]
no vmps server { hostname | ip address } [ primary ]
hostname | Hostname of the primary or secondary VMPS servers. If you specify a hostname, the Domain Name System (DNS) server must be configured. |
ip address | IP address of the primary or secondary VMPS servers. |
primary | (Optional) Decides whether primary or secondary VMPS servers are being configured. |
No primary or secondary VMPS servers are defined.
Global configuration
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 | This command was introduced. |
The first server entered is automatically selected as the primary server whether or not primary is entered. The first server address can be overridden by using primary in a subsequent command.
If a member switch in a cluster configuration does not have an IP address, the cluster does not use the VMPS server configured for that member switch. Instead, the cluster uses the VMPS server on the command switch, and the command switch proxies the VMPS requests. The VMPS server treats the cluster as a single switch and uses the IP address of the command switch to respond to requests.
When using the no form without specifying the IP address, all configured servers are deleted. If you delete all servers when dynamic access ports are present, the switch cannot forward packets from new sources on these ports because it cannot query the VMPS.
This example shows how to configure the server with IP address 191.10.49.20 as the primary VMPS server. The servers with IP addresses 191.10.49.21 and 191.10.49.22 are configured as secondary servers:
Switch(config)# vmps server 191.10.49.20 primary
Switch(config)# vmps server 191.10.49.21
Switch(config)# vmps server 191.10.49.22
This example shows how to delete the server with IP address 191.10.49.21:
Switch(config)# no vmps server 191.10.49.21
You can verify your setting by entering the show vmps privileged EXEC command and examining information in the VMPS Domain Server row.
Command | Description |
Displays the VQP version, reconfirmation interval, retry count, VMPS IP addresses, and the current and primary servers. |
To set or modify the VLAN Trunking Protocol (VTP) configuration characteristics, use the vtp command in global configuration mode. To remove the settings or to return to the default settings, use the no form of this command.
vtp { domain domain-name | file filename | interface interface-name [ only ] | mode { client | off | server | transparent } [ mst | unknown | vlan ] | password password [ hidden | secret ] | pruning | version number }
no vtp { file | interface | mode [ client | off | server | transparent ] [ mst | unknown | vlan ] | password | pruning | version }
domain domain-name | Specifies the VTP domain name, an ASCII string from 1 to 32 characters that identifies the VTP administrative domain for the switch. The domain name is case sensitive. |
file filename | Specifies the Cisco IOS file system file where the VTP VLAN configuration is stored. |
interface interface-name | Specifies the name of the interface providing the VTP updater ID for this device. |
only | (Optional) Uses only the IP address of this interface as the VTP IP updater. |
mode | Specifies the VTP device mode as client, server, or transparent. |
client | Places the switch in VTP client mode. A switch in VTP client mode is enabled for VTP, and can send advertisements, but does not have enough nonvolatile storage to store VLAN configurations. You cannot configure VLANs on a VTP client. VLANs are configured on another switch in the domain that is in server mode. When a VTP client starts up, it does not send VTP advertisements until it receives advertisements to initialize its VLAN database. |
off | Places the switch in VTP off mode. A switch in VTP off mode functions the same as a VTP transparent device except that it does not forward VTP advertisements on trunk ports. |
server | Places the switch in VTP server mode. A switch in VTP server mode is enabled for VTP and sends advertisements. You can configure VLANs on the switch. The switch can recover all the VLAN information in the current VTP database from nonvolatile storage after reboot. |
transparent | Places the switch in VTP transparent mode. A switch in VTP transparent mode is disabled for VTP, does not send advertisements or learn from advertisements sent by other devices, and cannot affect VLAN configurations on other devices in the network. The switch receives VTP advertisements and forwards them on all trunk ports except the one on which the advertisement was received. When VTP mode is transparent, the mode and domain name are saved in the switch running configuration file, and you can save them in the switch startup configuration file by entering the copy running-config startup-config privileged EXEC command. |
mst | (Optional) Sets the mode for the multiple spanning tree (MST) VTP database (only VTP Version 3). |
unknown | (Optional) Sets the mode for unknown VTP databases (only VTP Version 3). |
vlan | (Optional) Sets the mode for VLAN VTP databases. This is the default (only VTP Version 3). |
password password | Sets the administrative domain password for the generation of the 16-byte secret value used in MD5 digest calculation to be sent in VTP advertisements and to validate received VTP advertisements. The password can be an ASCII string from 1 to 32 characters. The password is case sensitive. |
hidden | (Optional) Specifies that the key generated from the password string is saved in the VLAN database file. When the hidden keyword is not specified, the password string is saved in clear text. When the hidden password is entered, you need to reenter the password to issue a command in the domain. This keyword is supported only in VTP Version 3. |
secret | (Optional) Allows the user to directly configure the password secret key (only VTP Version 3). |
pruning | Enables VTP pruning on the switch. |
version number | Sets the VTP Version to Version 1, Version 2, or Version 3. |
The default filename is flash:vlan.dat.
The default mode is server mode and the default database is VLAN.
In VTP Version 3, for the MST database, the default mode is transparent.
No domain name or password is defined.
No password is configured.
Pruning is disabled.
The default version is Version 1.
Global configuration
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 | This command was introduced. |
When you save VTP mode, domain name, and VLAN configurations in the switch startup configuration file and reboot the switch, the VTP and VLAN configurations are selected by these conditions:
The vtp file filename cannot be used to load a new database; it renames only the file in which the existing database is stored.
Follow these guidelines when configuring a VTP domain name:
Follow these guidelines when setting VTP mode:
Follow these guidelines when setting a VTP password:
Follow these guidelines when setting VTP pruning:
Follow these guidelines when setting the VTP version:
You cannot save password, pruning, and version configurations in the switch configuration file.
This example shows how to rename the filename for VTP configuration storage to vtpfilename:
Switch(config)# vtp file vtpfilename
This example shows how to clear the device storage filename:
Switch(config)# no vtp file vtpconfig
Clearing device storage filename.
This example shows how to specify the name of the interface providing the VTP updater ID for this device:
Switch(config)# vtp interface gigabitethernet
This example shows how to set the administrative domain for the switch:
Switch(config)# vtp domain OurDomainName
This example shows how to place the switch in VTP transparent mode:
Switch(config)# vtp mode transparent
This example shows how to configure the VTP domain password:
Switch(config)# vtp password ThisIsOurDomainsPassword
This example shows how to enable pruning in the VLAN database:
Switch(config)# vtp pruning
Pruning switched ON
This example shows how to enable Version 2 mode in the VLAN database:
Switch(config)# vtp version 2
You can verify your settings by entering the show vtp status privileged EXEC command.
Command | Description |
Displays general information about VTP management domain, status, and counters. | |
Enables or disables VTP on an interface. |
To enable the VLAN Trunking Protocol (VTP) on a per-port basis, use the vtp command in interface configuration mode. To disable VTP on the interface, use the no form of this command.
vtp
no vtp
This command has no arguments or keywords.
None
Interface configuration
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 | This command was introduced. |
Enter this command only on interfaces that are in trunking mode.
This example shows how to enable VTP on an interface:
Switch(config-if)# vtp
This example shows how to disable VTP on an interface:
Switch(config-if)# no vtp
Command | Description |
Configures the trunk characteristics when an interface is in trunking mode. | |
Globally configures VTP domain name, password, pruning, version, and mode. |
To configure a switch as the VLAN Trunking Protocol (VTP) primary server, use the vtp primary command in privileged EXEC mode.
vtp primary [ mst | vlan ] [ force ]
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 | This command was introduced. |
A VTP primary server updates the database information and sends updates that are honored by all devices in the system. A VTP secondary server can only back up the updated VTP configurations received from the primary server to NVRAM.
By default, all devices come up as secondary servers. Primary server status is needed only for database updates when the administrator issues a takeover message in the domain. You can have a working VTP domain without any primary servers.
Primary server status is lost if the device reloads or domain parameters change.
Note | This command is supported only when the switch is running VTP Version 3. |
This example shows how to configure the switch as the primary VTP server for VLANs:
Switch# vtp primary vlan
Setting device to VTP TRANSPARENT mode.
You can verify your settings by entering the show vtp status privileged EXEC command.
Command | Description |
Displays general information about VTP management domain, status, and counters. | |
Globally configures VTP domain name, password, pruning, version, and mode. |