- Release 15.4SY Supervisor Engine 6T Software Configuration Guide
Virtual Local Area Networks (VLANs)
- Prerequisites for VLANs
- Restrictions for VLANs
- Information About VLANs
- Default Settings for VLANs
- How to Configure VLANs
Note
- For complete syntax and usage information for the commands used in this chapter, see these publications:
  http://www.cisco.com/en/US/products/ps11846/prod_command_reference_list.html
- Cisco IOS Release 15.4SY supports only Ethernet interfaces. Cisco IOS Release 15.4SY does not support any WAN features or commands.
http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html
Participate in the Technical Documentation Ideas forum
Prerequisites for VLANs
The following recommendations apply to Fabric Extender (FEX) VLANs:
Restrictions for VLANs
- If the switch is in VTP server or transparent mode (see the “How to Configure VTP” section), you can configure VLANs in global and config-vlan configuration modes. When you configure VLANs in global and config-vlan configuration modes, the VLAN configuration is saved in the vlan.dat files. To display the VLAN configuration, enter the show vlan command.
  If the switch is in VTP transparent mode, use the copy running-config startup-config command to save the VLAN configuration to the startup-config file. After you save the running configuration as the startup configuration, use the show running-config and show startup-config commands to display the VLAN configuration.
- When the switch boots, if the VTP domain name and the VTP mode in the startup-config file and vlan.dat files do not match, the switch uses the configuration in the vlan.dat file.
- You can configure extended-range VLANs only in global configuration mode.
- Supervisor engine redundancy does not support nondefault VLAN data file names or locations. Do not enter the vtp file file_name command on a switch that has a redundant supervisor engine.
- Before installing a redundant supervisor engine, enter the no vtp file command to return to the default configuration.
- Before you can create a VLAN, the switch must be in VTP server mode or VTP transparent mode. For information on configuring VTP, see Chapter 25, “VLAN Trunking Protocol (VTP).”
- The VLAN configuration is stored in the vlan.dat file, which is stored in nonvolatile memory. You can cause inconsistency in the VLAN database if you manually delete the vlan.dat file.
- To do a complete backup of your configuration, include the vlan.dat file in the backup.
Information About VLANs
VLAN Overview
A VLAN is a group of end stations with a common set of requirements, independent of physical location. VLANs have the same attributes as a physical LAN but allow you to group end stations even if they are not located physically on the same LAN segment.
VLANs are usually associated with IP subnetworks. For example, all the end stations in a particular IP subnet belong to the same VLAN. Traffic between VLANs must be routed. LAN port VLAN membership is assigned manually on a port-by-port basis.
VLAN Ranges
Note You must enable the extended system ID to use 4094 VLANs (see the “Information about the Bridge ID” section).
Cisco IOS Release 15.4SY supports 4094 VLANs in accordance with the IEEE 802.1Q standard. These VLANs are organized into several ranges; you use each range slightly differently. Some of these VLANs are propagated to other switches in the network when you use the VLAN Trunking Protocol (VTP). The extended-range VLANs are not propagated, so you must configure extended-range VLANs manually on each network device.
Table 26-1 describes the VLAN ranges.
The following information applies to VLAN ranges:
- Layer 3 LAN ports, WAN interfaces and subinterfaces, and some software features use internal VLANs in the extended range. You cannot use an extended range VLAN that has been allocated for internal use.
- To display the VLANs used internally, enter the show vlan internal usage command. With earlier releases, enter the show vlan internal usage and show cwan vlans commands.
- You can configure ascending internal VLAN allocation (from 1006 and up) or descending internal VLAN allocation (from 4094 and down).
- You must enable the extended system ID to use extended range VLANs (see the “Information about the Bridge ID” section).
Default Settings for VLANs
– Other VLANs: “VLAN vlan_ID”
- 802.10 SAID: 10 vlan_ID; range: 100001–104094
- MTU size: 1500; range: 1500–18190
- Translational bridge 1: 0; range: 0–1005
- Translational bridge 2: 0; range: 0–1005
- VLAN state: active; range: active, suspend
- Pruning eligibility:
How to Configure VLANs
- Configurable VLAN Parameters
- VLAN Locking
- Creating or Modifying an Ethernet VLAN
- Assigning a Layer 2 LAN Interface to a VLAN
- Configuring the Internal VLAN Allocation Policy
- Configuring VLAN Translation
- Saving VLAN Information
Configurable VLAN Parameters
Note
- Ethernet VLAN 1 uses only default values.
- Except for the VLAN name, Ethernet VLANs 1006 through 4094 use only default values.
- You can configure the VLAN name for Ethernet VLANs 1006 through 4094.
You can configure the following parameters for VLANs 2 through 1001:
- VLAN name
- VLAN type (Ethernet, FDDI, FDDI network entity title [NET], TrBRF, or TrCRF)
- VLAN state (active or suspended)
- Security Association Identifier (SAID)
- Bridge identification number for TrBRF VLANs
- Ring number for FDDI and TrCRF VLANs
- Parent VLAN number for TrCRF VLANs
- Spanning Tree Protocol (STP) type for TrCRF VLANs
VLAN Locking
The VLAN locking feature provides an extra level of verification to ensure that you have configured the intended VLAN. When VLAN locking is enabled, you need to specify the VLAN name when you change a port from one VLAN to another. This feature affects switchport commands (in interface configuration mode) that specify the VLANs or private VLANs for access and trunk ports.
For additional information about how to configure access and trunk ports with VLAN locking enabled, see the “How to Configure LAN Interfaces for Layer 2 Switching” section.
For additional information about how to configure ports in private VLANs with VLAN locking enabled, see the “How to Configure Private VLANs” section.
By default, VLAN locking is disabled. To enable VLAN locking, perform this task:
Creating or Modifying an Ethernet VLAN
User-configured VLANs have unique IDs from 1 to 4094, except for reserved VLANs (see Table 26-1). Enter the vlan command with an unused ID to create a VLAN. Enter the vlan command for an existing VLAN to modify the VLAN (you cannot modify an existing VLAN that is being used by a Layer 3 port or a software feature).
See the “Default Settings for VLANs” section for the list of default parameters that are assigned when you create a VLAN. If you do not specify the VLAN type with the media keyword, the VLAN is an Ethernet VLAN.
To create or modify a VLAN, perform this task:
When you create or modify an Ethernet VLAN, note the following information:
- Because Layer 3 ports and some software features require internal VLANs allocated from 1006 and up, configure extended-range VLANs starting with 4094.
- You can configure extended-range VLANs only in global configuration mode. You cannot configure extended-range VLANs in VLAN database mode.
- Layer 3 ports and some software features use extended-range VLANs. If the VLAN you are trying to create or modify is being used by a Layer 3 port or a software feature, the switch displays a message and does not modify the VLAN configuration.
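An added pre-check for the VLAN ID guidance above (example code, not from the Cisco guide). It classifies planned IDs by the ranges stated in this chapter, flags IDs already taken for internal use, and generalizes the "start with 4094" advice to both allocation policies; the `show vlan internal usage` layout is assumed and the sample output is constructed.

```python
import re
from itertools import islice

# Constructed sample of `show vlan internal usage` output (layout assumed).
SAMPLE_USAGE = """\
VLAN Usage
---- --------------------
1006 online diag vlan0
1007 online diag vlan1
1008 GigabitEthernet1/1
"""

def parse_internal_usage(text):
    """Map each internally allocated VLAN ID to the feature or port using it."""
    rows = re.finditer(r"^(\d{1,4})[ \t]+(\S.*)$", text, re.M)
    return {int(m.group(1)): m.group(2).strip() for m in rows}

def check_plan(planned, internal):
    """Classify planned VLAN IDs using the ranges stated in this chapter."""
    report = {}
    for vid in planned:
        if not 1 <= vid <= 4094:
            report[vid] = "invalid: outside 1-4094"
        elif vid == 1 or 1002 <= vid <= 1005:
            report[vid] = "reserved: default VLAN for its media type"
        elif vid in internal:
            report[vid] = f"conflict: in internal use by {internal[vid]}"
        elif vid >= 1006:
            report[vid] = "ok: extended range, configure on every device"
        else:
            report[vid] = "ok: normal range"
    return report

def suggest_extended(policy, internal, existing, count):
    """Pick free extended-range IDs from the end the allocator reaches last."""
    if policy == "ascending":      # internal VLANs grow up from 1006
        candidates = range(4094, 1005, -1)
    elif policy == "descending":   # internal VLANs grow down from 4094
        candidates = range(1006, 4095)
    else:
        raise ValueError("policy must be 'ascending' or 'descending'")
    used = set(internal) | set(existing)
    return list(islice((v for v in candidates if v not in used), count))

if __name__ == "__main__":
    internal = parse_internal_usage(SAMPLE_USAGE)
    for vid, verdict in check_plan([10, 1003, 1007, 4000, 4095], internal).items():
        print(vid, verdict)
    print(suggest_extended("ascending", internal, [4094], 3))
```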
When deleting VLANs, note the following information:
- You cannot delete the default VLANs for the different media types: Ethernet VLAN 1 and FDDI or Token Ring VLANs 1002 to 1005.
- When you delete a VLAN, any LAN ports configured as access ports assigned to that VLAN become inactive. The ports remain associated with the VLAN (and inactive) until you assign them to a new VLAN.
This example shows how to create an Ethernet VLAN in global configuration mode and verify the configuration:
Assigning a Layer 2 LAN Interface to a VLAN
A VLAN created in a management domain remains unused until you assign one or more LAN ports to the VLAN.
Note Make sure you assign LAN ports to a VLAN of the appropriate type. Assign Ethernet ports to Ethernet-type VLANs.
To assign one or more LAN ports to a VLAN, complete the procedures in the “How to Configure LAN Interfaces for Layer 2 Switching” section.
Configuring the Internal VLAN Allocation Policy
For more information about VLAN allocation, see the “VLAN Ranges” section.
Note The internal VLAN allocation policy is applied only following a reload.
To configure the internal VLAN allocation policy, perform this task:
When you configure the internal VLAN allocation policy, note the following information:
- Enter the ascending keyword to allocate internal VLANs from 1006 and up.
- Enter the descending keyword to allocate internal VLANs from 4094 and down.
This example shows how to configure descending as the internal VLAN allocation policy:
Configuring VLAN Translation
- VLAN Translation Guidelines and Restrictions
- Configuring VLAN Translation on a Trunk Port
- Enabling VLAN Translation on Other Ports in a Port Group
Note
- To avoid spanning tree loops, be careful not to misconfigure the VLAN translation feature.
- On trunk ports, you can translate one VLAN number to another VLAN number, which transfers all traffic received in one VLAN to the other VLAN.
VLAN Translation Guidelines and Restrictions
When translating VLANs, follow these guidelines and restrictions:
- A VLAN translation configuration is inactive if it is applied to ports that are not Layer 2 trunks.
- Do not configure translation of ingress native VLAN traffic on an 802.1Q trunk. Because 802.1Q native VLAN traffic is untagged, it cannot be recognized for translation. You can translate traffic from other VLANs to the native VLAN of an 802.1Q trunk.
- Do not remove the VLAN to which you are translating from the trunk.
- The VLAN translation configuration applies to all ports in a port group. VLAN translation is disabled by default on all ports in a port group. Enable VLAN translation on ports as needed.
- Cisco IOS Release 15.4SY supports only IEEE 802.1Q trunking.
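The guidelines above can be checked mechanically before a change is pushed. This is an added example (not from the Cisco guide) that lints one interface stanza for the trunk, native VLAN, target VLAN and enable conditions. The sample configuration is constructed around the 1649 to 755 mapping this chapter uses, and the parser assumes a plain `switchport trunk allowed vlan` ID list with no `add` or `except` keywords.

```python
import re

# Constructed sample: the page's 1649 -> 755 mapping on Gi5/2, plus one bad line.
SAMPLE = """\
interface GigabitEthernet5/2
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,700-800
 switchport vlan mapping 1649 755
 switchport vlan mapping 10 900
"""

def expand(spec):
    """Expand a plain allowed-VLAN list such as '10,700-800' into a set."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def _find(pattern, cfg):
    """Return group 1 of the first config line matching pattern, else None."""
    m = re.search(r"^\s*" + pattern, cfg, re.M)
    return m.group(1) if m else None

def lint_translation(cfg):
    """Return findings for one interface stanza, per the guidelines above."""
    mode = _find(r"switchport mode (\S+)", cfg)
    native = int(_find(r"switchport trunk native vlan (\d+)", cfg) or 1)
    allowed = _find(r"switchport trunk allowed vlan ([\d,-]+)\s*$", cfg)
    # No plain list configured: treat every VLAN as carried (IOS trunk default).
    allowed_ids = expand(allowed) if allowed else set(range(1, 4095))
    enabled = _find(r"(switchport vlan mapping enable)", cfg)
    maps = re.findall(r"^\s*switchport vlan mapping (\d+) (\d+)", cfg, re.M)
    findings = []
    if maps and mode != "trunk":  # configured mode only, not operational state
        findings.append("inactive: port is not configured as a Layer 2 trunk")
    if maps and not enabled:
        findings.append("translation is not enabled on this port")
    for src, dst in ((int(a), int(b)) for a, b in maps):
        if src == native:
            findings.append(f"{src}->{dst}: native VLAN ingress is untagged")
        if dst not in allowed_ids:
            findings.append(f"{src}->{dst}: VLAN {dst} is not carried on the trunk")
    return findings

if __name__ == "__main__":
    for finding in lint_translation(SAMPLE):
        print(finding)
```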
|
|
Port Groups |
per Port Group |
per Port Group |
---|---|---|---|---|
See the Release Notes. |
||||
Note To configure a port as a trunk, see the “Configuring a Layer 2 Switching Port as a Trunk” section.
*Following are the different combinations based on the operational port mode on Supervisor Engine 6T:
Configuring VLAN Translation on a Trunk Port
To translate VLANs on a trunk port, perform this task:
This example shows how to map VLAN 1649 to VLAN 755 on Gigabit Ethernet port 5/2:
This example shows how to verify the configuration:
Enabling VLAN Translation on Other Ports in a Port Group
To enable VLAN translation on other ports in a port group, perform this task:
This example shows how to enable VLAN translation on a port:
Saving VLAN Information
The VLAN database is stored in the vlan.dat file. You should create a backup of the vlan.dat file in addition to backing up the running-config and startup-config files. If you replace the existing supervisor engine, copy the startup-config file as well as the vlan.dat file to restore the system. The vlan.dat file is read on bootup and you will have to reload the supervisor engine after uploading the file. To view the file location, use the dir vlan.dat command. To copy the file (binary), use the copy vlan.dat tftp command.