VLANs

Virtual Local Area Network

A VLAN (Virtual Local Area Network) is a type of logical network that

  • segments switched networks by function, team, or application without regard to the physical locations of the users

  • forwards packets (unicast, broadcast, multicast) only among end stations in the same VLAN, and

  • maintains its own bridge Management Information Base (MIB) for isolation and control.

VLANs have the same attributes as physical LANs. However, you can group end stations even if they are not physically located on the same LAN segment. Each VLAN is considered a logical network. To send packets to stations outside the VLAN, use a router or a controller that supports fallback bridging.

VLANs are often associated with IP subnets. For example, all the end stations in a particular IP subnet belong to the same VLAN. Assign controller interfaces to VLANs manually to use interface-based (static) VLAN membership.

Supported VLANs

The controller supports VLANs in VTP client, server, and transparent modes. VLANs are identified by a number from 1 to 4094.

  • VLAN 1 is the default VLAN and is created during system initialization.

  • All of the VLANs except 1002 to 1005 are available for user configuration.

VLAN port membership modes

A VLAN port membership mode is a configuration method that

  • determines how a switch port associates with one or more VLANs

  • specifies the type of VLAN traffic the port can carry, and

  • controls whether VLAN membership is assigned manually or dynamically.

To assign a port to a VLAN, set the membership mode. The membership mode determines which type of traffic the port carries and how many VLANs the port can join. When a port belongs to a VLAN, the controller learns and manages the MAC addresses seen on that port on a per-VLAN basis.

Table 1. Port Membership Modes and Characteristics

Static-access

  VLAN membership characteristics: A static-access port can belong to one VLAN and is manually assigned to that VLAN.

  VTP characteristics: VTP is not required. Set the VTP mode to transparent if you do not want VTP to propagate information globally. Participation in VTP requires at least one trunk port on the controller connected to a trunk port on a second controller.

Trunk (IEEE 802.1Q)

  VLAN membership characteristics: IEEE 802.1Q is the industry-standard trunking encapsulation. A trunk port is a member of all VLANs by default, including extended-range VLANs, but membership can be limited by configuring the allowed-VLAN list.

  VTP characteristics: VTP maintains VLAN configuration consistency by managing the addition, deletion, and renaming of VLANs across the network. VTP exchanges VLAN configuration messages with other controllers over trunk links.


Note


If a client VLAN has both a primary and a secondary subnet, you cannot assign a client a static IP address from the secondary subnet.

Consider this SVI configuration example:

interface VlanX
 ip address a.b.c.254 255.255.255.0 secondary
 ip address a.d.e.254 255.255.255.0

In this scenario, clients with static IP addresses must use the primary subnet (a.d.e.0/24); the secondary subnet (a.b.c.0/24) cannot be allocated to them.


VLAN configuration files

When you configure VLAN IDs 1 to 1005, your settings are saved to the vlan.dat file (VLAN database). To display these configurations, enter the show vlan privileged EXEC command. The vlan.dat file is stored in flash memory. If the VTP mode is transparent, your configurations are also saved in the controller running configuration file.

Use interface configuration mode to define the port membership mode and to add or remove ports from VLANs. The results of your commands are saved to the running-configuration file. To display the running configuration, enter the show running-config privileged EXEC command. When you save VLAN and VTP information (including extended-range VLAN configuration information) in the startup configuration file and reboot the controller, the system chooses its configuration based on these criteria:

  • If the VTP mode is transparent in the startup configuration, and the VTP mode and domain name in the VLAN database match those in the startup configuration file, the device ignores the VLAN database and uses the VTP and VLAN configuration from the startup configuration file. The VLAN database revision number does not change.

  • If the VTP mode or domain name in the startup configuration does not match the VLAN database, the device uses the domain name, VTP mode, and VLAN IDs 1 to 1005 configuration from the VLAN database.

  • In VTP versions 1 and 2, if the VTP mode is server, the device uses the domain name and the configuration for VLAN IDs 1 to 1005 from the VLAN database. VTP version 3 also stores VLANs 1006 to 4094 in the database.


Note


Delete the vlan.dat file and the configuration files before you reset the switch configuration with the write erase command. This step ensures the switch reboots correctly when you reset it.


Normal-range VLAN configuration guidelines

These guidelines help you create or change normal-range VLANs in your network.

  • Normal-range VLANs have IDs 1 to 1005. Of these, VLANs 2 to 1001 are available for user configuration; VLAN 1 and VLANs 1002 to 1005 are reserved defaults.

  • VLAN configurations for VLANs 1 to 1005 are always saved in the VLAN database. In VTP transparent mode, both VTP and VLAN configurations are also saved in the running configuration file.

  • If your controller works in VTP server mode or VTP transparent mode, you can add, change, or remove VLANs 2 to 1001 in the VLAN database. VLAN 1 and VLANs 1002 to 1005 are created automatically and cannot be removed.

  • Extended-range VLANs (1006 to 4094) that you create in VTP transparent mode are not saved in the VLAN database and are not propagated to other devices; they exist only in the running configuration. VTP version 3 in server mode can store extended-range VLANs in the database and share them across the network.

If clients cannot connect because the VLAN they are assigned to is unavailable, you have these options:

  • Configure ipv4 dhcp required in the policy profile so that the client must obtain its address through DHCP.

  • Set up the RADIUS server to return VLAN group information that includes the VLAN of the client's static IP address, so the client can keep using that address.

  • Configure aaa-override vlan fallback in the policy profile so that the controller looks for the client's static IP VLAN in the other VLAN groups. The client can join the network if its static IP VLAN is in a VLAN group configured under the policy profile.

Extended-range VLAN configuration guidelines

Extended-range VLANs are VLANs with IDs from 1006 to 4094.

Follow these guidelines when creating extended-range VLANs:

  • Extended-range VLAN IDs are not saved in the VLAN database, and VTP does not recognize these VLANs unless the device runs VTP version 3.

  • Do not include extended-range VLANs in the pruning eligible range.

  • For VTP version 1 or 2, set the VTP mode to transparent in global configuration mode. Save this configuration to the startup configuration so that your device boots in VTP transparent mode. Save the configuration to avoid losing the extended-range VLAN configuration when the device resets.
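The three passages above (VLAN configuration files, the normal-range guidelines, and the extended-range guidelines) together define which VLAN IDs are legal, where a VLAN's definition is stored for a given VTP version and mode, and which store the device trusts at boot. The following Python is an added example, not part of the original document and not Cisco code; it encodes only those stated rules so that a change can be checked ("will VLAN 2000 survive a reload on this VTP version and mode?") before touching the device. The function and constant names are this example's own.

```python
"""VLAN ID ranges and persistence rules from this chapter, written as checks.

Added example; not part of the original document. It encodes only the rules
the text states: which range a VLAN ID falls in, which store (vlan.dat or the
running configuration) holds its configuration for a given VTP version and
mode, and which store the device reads at boot when the startup configuration
and the VLAN database disagree.
"""

MIN_VLAN, MAX_VLAN = 1, 4094
RESERVED = range(1002, 1006)   # 1002-1005: created automatically, cannot be removed
VTP_MODES = ("server", "client", "transparent")


def classify_vlan(vlan_id):
    """Return 'default', 'normal', 'reserved' or 'extended'; raise on an invalid ID."""
    if not isinstance(vlan_id, int) or not MIN_VLAN <= vlan_id <= MAX_VLAN:
        raise ValueError(f"VLAN ID {vlan_id!r} is outside 1-4094")
    if vlan_id == 1:
        return "default"      # created at system initialization, not removable
    if vlan_id in RESERVED:
        return "reserved"     # not available for user configuration
    if vlan_id <= 1001:
        return "normal"       # user-configurable normal range 2-1001
    return "extended"         # 1006-4094


def storage_for(vlan_id, vtp_version, vtp_mode):
    """Return the set of stores that hold this VLAN's configuration.

    Elements are drawn from {"vlan.dat", "running-config"}. An empty set means
    the definition is not persisted: an extended-range VLAN on VTP version 1
    or 2 in server or client mode is lost on reload.
    """
    if vtp_mode not in VTP_MODES:
        raise ValueError(f"unknown VTP mode {vtp_mode!r}")
    if vtp_version not in (1, 2, 3):
        raise ValueError(f"unknown VTP version {vtp_version!r}")
    kind = classify_vlan(vlan_id)
    stores = set()
    # VLANs 1-1005 are always in vlan.dat; 1006-4094 only with VTP version 3.
    if kind != "extended" or vtp_version == 3:
        stores.add("vlan.dat")
    # In transparent mode the VTP and VLAN configuration is also written to the
    # running configuration, which can then be saved to startup-config.
    if vtp_mode == "transparent":
        stores.add("running-config")
    return stores


def survives_reload(vlan_id, vtp_version, vtp_mode):
    """True if the VLAN definition sits in some persistent store after the config is saved."""
    return bool(storage_for(vlan_id, vtp_version, vtp_mode))


def boot_source(startup_mode, startup_domain, db_mode, db_domain):
    """Which store supplies the VTP mode, domain name and VLANs 1-1005 at boot.

    Mirrors the three criteria under "VLAN configuration files": only a
    transparent-mode startup configuration whose VTP mode and domain name match
    the VLAN database makes the device ignore vlan.dat.
    """
    if (startup_mode == "transparent" and db_mode == "transparent"
            and startup_domain == db_domain):
        return "startup-config"   # vlan.dat is ignored; its revision number is unchanged
    return "vlan.dat"             # mismatch, or server mode: the database wins


if __name__ == "__main__":
    for vid in (1, 20, 1003, 2000):
        print(vid, classify_vlan(vid), sorted(storage_for(vid, 2, "transparent")))
```

The practical use is the negative case: storage_for(2000, 2, "server") returns an empty set, which is exactly the "extended VLAN vanished after reload" surprise the guidelines warn about.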

Prerequisites for VLANs

These are the prerequisites and considerations for configuring VLANs:
  • To configure VLANs through the GUI, increase the number of available virtual terminal (VTY) sessions to 50. The Web UI processes HTTP requests over VTY lines, so with several connections open the default limit of 15 VTY lines can be exceeded. Increase the number of VTY lines to 50 before using the Web UI.


    Note


    To increase the number of VTY lines on your device, enter these configuration commands:

    Device# configure terminal
    Device(config)# service tcp-keepalives in
    Device(config)# service tcp-keepalives out
    Device(config)# line vty 16-50


    Note


    The maximum number of SSH VTY sessions supported on the standby controller is eight.


  • Decide if you will use VLAN Trunking Protocol (VTP) to manage global VLAN configuration for your network before creating VLANs.

  • Create the VLAN on the device before adding it to a VLAN group.

Restrictions for VLANs

These are the restrictions for VLANs:

  • You cannot delete a wireless management interface if its associated VLAN interface has already been deleted. To prevent this issue, delete the wireless management interface before deleting the VLAN interface.

  • The device supports IEEE 802.1Q trunking methods for sending VLAN traffic over Ethernet ports.

  • When no client VLAN is configured for a policy profile, the AP native VLAN is used.

  • The behavior of VLAN 1 depends on the AP mode:

    • Local mode AP: If you use vlan-name, clients are assigned to VLAN 1. If you use vlan-id 1, clients are assigned to the wireless management interface.

    • FlexConnect mode AP: If you use vlan-name, clients are assigned to VLAN 1. If you use vlan-id 1, clients are assigned to the native VLAN defined in the flex profile.

    By default, the policy profile assigns vlan-id 1 so that clients use the wireless management VLAN.

  • You cannot use the same VLAN on the same SSID for both local switching and central switching.

Configuring normal-range VLANs

Summary

Configuring a normal-range VLAN creates or modifies a VLAN with an ID from 1 to 1005 and sets its properties. The configuration is stored in the VLAN database, so the procedure also covers the practices that keep that database consistent. Three components are involved:

  • The network administrator creates, modifies, and deletes VLANs.

  • The switch VLAN database (vlan.dat) stores and applies VLAN configurations.

  • VLAN parameters (ID, name, media type, state, and associations) define each VLAN.

Workflow

Normal-range VLANs are VLANs with IDs from 1 to 1005. Correct configuration is the basis of Layer 2 segmentation: a station exchanges frames directly only with stations in the same VLAN, so a VLAN that is missing or suspended strands the ports and clients assigned to it. The process consists of these stages:

  1. Access the VLAN database: Enter VLAN configuration mode with the vlan vlan-id command.
  2. Identify or create the VLAN: Select an existing VLAN or specify a new VLAN ID within the normal range (1 to 1005).
  3. Set VLAN parameters: Assign a VLAN name, choose a media type (Ethernet, Token Ring Bridge Relay Function [TrBRF], or Token Ring Concentrator Relay Function [TrCRF]), and set the VLAN state (active or suspended).
  4. Validate the VLAN settings: Confirm that the VLAN was created or modified as expected with show vlan id or show vlan name.
  5. Maintain VLAN database integrity: Do not delete the vlan.dat file by hand during normal operation, because the VLAN database and the running configuration can fall out of step; use the VLAN commands to modify or remove VLANs. The exception is a full reset with write erase, when vlan.dat is deleted together with the configuration files (see the Note above).

Create or modify an Ethernet VLAN (CLI)

Configure a new Ethernet VLAN or update an existing one using commands on the controller.

Before you begin

With VTP versions 1 and 2, a controller in VTP transparent mode lets you assign VLAN IDs of 1006 and higher (the extended range). These VLANs are not added to the VLAN database; they are kept only in the running configuration.

The controller supports only Ethernet interfaces.

Procedure


Step 1

Enter a VLAN ID to access VLAN configuration mode. Enter a new VLAN ID to create a VLAN, or enter an existing VLAN ID to modify that VLAN.

Example:

Device(config)# vlan 20

Note

 

The valid VLAN ID range for this command is 1 to 4094.

Step 2

Enter a name for the VLAN.

Example:

Device(config-vlan)# name test20

If you do not enter a name, the system names the VLAN with the word VLAN followed by the VLAN ID padded with leading zeros to four digits; for example, VLAN 20 is named VLAN0020.

Step 3

Configure the VLAN media type. The controller supports only Ethernet (see Before you begin), so use ethernet.

Example:

Device(config-vlan)# media {ethernet | fd-net | trn-net}

Step 4

Verify your entries.

Example:

Device# show vlan {name test20 | id 20}

Assign static-access ports to a VLAN (GUI)

Assign static-access ports to a specific VLAN from the user interface using the GUI.

Procedure


Step 1

Choose Configuration > Layer2 > VLAN > VLAN.

Step 2

Click the VLAN tab.

Step 3

To assign Port Members, select the desired interfaces in the Available list. Then, use the arrow to move them to the Associated list.

Step 4

Click Update & Apply to Device.


Assign static-access ports to a VLAN (CLI)

Assign Layer 2 switch ports to a specific VLAN for network segmentation using commands.

You can assign a static-access port to a VLAN without having VTP globally propagate VLAN configuration information by disabling VTP (VTP transparent mode). For more information on static-access ports, see VLAN Port Membership Modes.

If you assign an interface to a VLAN that does not exist, the new VLAN is created.

Procedure


Step 1

Enter the global configuration mode.

Example:

Device# configure terminal

Step 2

Enter the interface to be added to the VLAN.

Example:

Device(config)# interface gigabitethernet2/0/1

Step 3

Define the VLAN membership mode for the port (Layer 2 access port).

Example:

Device(config-if)# switchport mode access

Step 4

Assign the port to a VLAN.

Example:

Device(config-if)# switchport access vlan 2

The valid VLAN ID range is 1 to 4094.

Step 5

Return to the privileged EXEC mode.

Example:

Device(config-if)# end

Step 6

Verify the VLAN membership mode of the interface.

Example:

Device# show running-config interface gigabitethernet2/0/1

Step 7

Verify your entries in the Administrative Mode and the Access Mode VLAN fields of the display.

Example:

Device# show interfaces gigabitethernet2/0/1 switchport
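The membership rules in Table 1 and the access-port procedure above can be checked against a saved running configuration instead of port by port with show interfaces switchport. The following Python is an added example, not part of the original document and not Cisco code. It splits show running-config text into interface blocks and reports, per port, the membership mode the chapter describes: static-access ports with their access VLAN (VLAN 1 when none is configured, since VLAN 1 is the default) and trunk ports with their allowed-VLAN list (all 4094 VLANs when no list is configured, as Table 1 states). Two of the findings are hardening conventions of this example rather than rules from the chapter: a trunk with no allowed list, and an access port left on the default VLAN 1. The running configuration shown is a constructed sample.

```python
"""Audit switchport VLAN membership in an IOS-XE running configuration.

Added example, not from the original document. Parses `show running-config`
text into interface blocks and classifies each switchport by membership mode.
Only plain `switchport trunk allowed vlan <list>` is handled; the add/remove/
except/all/none forms are out of scope for this example.
"""
import re

# Constructed sample, not a capture from a real device.
SAMPLE_RUNNING_CONFIG = """\
!
vlan 2
 name users
!
vlan 20
 name test20
!
vlan 100-110
!
interface GigabitEthernet2/0/1
 switchport mode access
 switchport access vlan 2
!
interface GigabitEthernet2/0/2
 switchport mode access
!
interface GigabitEthernet2/0/3
 switchport mode trunk
!
interface GigabitEthernet2/0/4
 switchport mode trunk
 switchport trunk allowed vlan 2,20,100-110
!
"""


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '2,20,100-110' into a sorted list of ints."""
    ids = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ids.update(range(lo, hi + 1))
        else:
            ids.add(int(part))
    return sorted(ids)


def parse_interfaces(config_text):
    """Return {interface_name: [indented config lines]} for every interface block."""
    blocks = {}
    current = None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None   # '!' or a top-level command ends the block
    return blocks


def audit_ports(config_text):
    """Classify each switchport and collect findings; returns {port: {...}}."""
    defined = set()
    for spec in re.findall(r"^vlan ([\d,\-]+)\s*$", config_text, re.M):
        defined.update(expand_vlan_list(spec))     # global `vlan` definitions
    report = {}
    for name, lines in parse_interfaces(config_text).items():
        mode = access_vlan = allowed = None
        for cmd in lines:
            if cmd == "switchport mode access":
                mode = "access"
            elif cmd == "switchport mode trunk":
                mode = "trunk"
            elif cmd.startswith("switchport access vlan "):
                access_vlan = int(cmd.rsplit(None, 1)[1])
            elif cmd.startswith("switchport trunk allowed vlan "):
                allowed = cmd[len("switchport trunk allowed vlan "):]
        if mode is None:
            continue                                # routed or unconfigured port
        findings = []
        if mode == "access":
            vlan = access_vlan if access_vlan is not None else 1   # VLAN 1 is the default
            if vlan == 1:
                findings.append("access port on default VLAN 1")
            elif vlan not in defined:
                # The chapter notes the switch creates a missing VLAN implicitly.
                findings.append(f"VLAN {vlan} not defined; switch creates it implicitly")
            report[name] = {"mode": mode, "vlans": [vlan], "findings": findings}
        else:
            vlans = expand_vlan_list(allowed) if allowed else list(range(1, 4095))
            if allowed is None:
                findings.append("trunk carries all VLANs 1-4094; set an allowed list")
            report[name] = {"mode": mode, "vlans": vlans, "findings": findings}
    return report


if __name__ == "__main__":
    for port, info in audit_ports(SAMPLE_RUNNING_CONFIG).items():
        vlans = info["vlans"]
        shown = f"{len(vlans)} VLANs" if len(vlans) > 8 else ",".join(map(str, vlans))
        print(f"{port:<26} {info['mode']:<7} {shown:<14} {'; '.join(info['findings'])}")
```

Run it against a real show running-config dump: a trunk that appears with "4094 VLANs" is exactly the default-membership case Table 1 describes, and the fix is the allowed-VLAN list the same row mentions.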

Extended-range VLANs

Extended-range VLANs enable service providers to extend their infrastructure to a greater number of customers. The extended-range VLAN IDs are permitted in any switchport command that accepts VLAN IDs.

  • With VTP version 1 or 2, extended-range VLAN configurations are not stored in the VLAN database. However, if VTP mode is set to transparent, the configurations are stored in the controller running configuration file, and you can also save them in the startup configuration file.

  • For VTP version 3, extended-range VLANs are stored in the VLAN database.

Create an extended-range VLAN (GUI)

Add an extended-range VLAN to your network to support larger scaling or specialized network segmentation using the GUI.

Procedure


Step 1

Choose Configuration > Layer2 > VLAN.

Step 2

In the VLAN page, click ADD.

Step 3

Enter the extended range VLAN ID in the VLAN ID field.

The extended range is 1006 to 4094.

Step 4

Enter a VLAN name in the Name field.

Step 5

Save the configuration.


Create an extended-range VLAN (CLI)

Create an extended-range VLAN on a device using commands.

Procedure


Step 1

Enter the global configuration mode.

Example:

Device# configure terminal

Step 2

Enter an extended-range VLAN ID and enter the VLAN configuration mode.

Example:

Device(config)# vlan 2000

The range is 1006 to 4094.

Step 3

Verify that the VLAN has been created.

Example:

Device# show vlan id 2000

Monitor VLANs

Table 2. Privileged EXEC show commands

show interfaces [vlan vlan-id]

  Displays characteristics for all interfaces, or for the specified VLAN interface, configured on the controller.

show vlan [access-map name | brief | group | id vlan-id | ifindex | mtu | name name | summary]

  Displays parameters for all VLANs or for the specified VLAN on the controller. These options are available:

  • brief —Displays VTP VLAN status in brief.

  • group —Displays the VLAN group with its name and the connected VLANs that are available.

  • id —Displays VTP VLAN status by identification number.

  • ifindex —Displays SNMP ifIndex.

  • mtu —Displays VLAN MTU information.

  • name —Displays the VTP VLAN information by specified name.

  • summary —Displays a summary of VLAN information.
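The verification steps in the CLI procedures (show vlan {name test20 | id 20}, show vlan id 2000) and the show vlan brief command listed above are usually read by eye. The following Python is an added example, not part of the original document and not Cisco code; it parses show vlan brief output into a dictionary so a script can assert that a VLAN exists, is active, and carries the expected name and ports, and it applies the default-naming rule from the create-VLAN procedure (the word VLAN followed by the ID zero-padded to four digits) when no name is expected. The output below is a constructed sample in the usual IOS-XE layout, including the act/unsup status of the reserved VLANs 1002 to 1005 and a port list wrapped onto a continuation line.

```python
"""Verify VLAN creation from `show vlan brief` output.

Added example, not from the original document. Turns the brief listing into
{vlan_id: {"name", "status", "ports"}} and checks a VLAN against what the
operator intended. Ports wrapped onto continuation lines are joined back onto
their VLAN.
"""
import re

# Constructed sample, not a capture from a real device.
SAMPLE_SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi2/0/2, Gi2/0/5, Gi2/0/6,
                                                Gi2/0/7
2    users                            active    Gi2/0/1
20   test20                           active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
2000 VLAN2000                         active
"""

ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s*(.*)$")


def default_vlan_name(vlan_id):
    """Name the system assigns when `name` is omitted: 'VLAN' plus the ID padded to four digits."""
    return f"VLAN{vlan_id:04d}"


def _split_ports(fragment):
    """Split 'Gi2/0/2, Gi2/0/5,' into ['Gi2/0/2', 'Gi2/0/5'], dropping empties."""
    return [p.strip() for p in fragment.split(",") if p.strip()]


def parse_show_vlan_brief(text):
    """Return {vlan_id: {"name": str, "status": str, "ports": [str]}}."""
    vlans = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("VLAN ") or line.startswith("----"):
            continue                                  # header and rule lines
        m = ROW.match(line)                           # rows start with the VLAN ID
        if m:
            vid, name, status, ports = m.groups()
            current = int(vid)
            vlans[current] = {"name": name, "status": status,
                              "ports": _split_ports(ports)}
        elif current is not None and line.startswith(" "):
            vlans[current]["ports"].extend(_split_ports(line))   # wrapped port list
    return vlans


def verify_vlan(text, vlan_id, expect_name=None):
    """Check that vlan_id exists, is active and has the expected name; return its record."""
    vlans = parse_show_vlan_brief(text)
    if vlan_id not in vlans:
        raise LookupError(f"VLAN {vlan_id} not present")
    rec = vlans[vlan_id]
    if rec["status"] != "active":
        raise ValueError(f"VLAN {vlan_id} status is {rec['status']}, expected active")
    wanted = expect_name or default_vlan_name(vlan_id)
    if rec["name"] != wanted:
        raise ValueError(f"VLAN {vlan_id} is named {rec['name']!r}, expected {wanted!r}")
    return rec


if __name__ == "__main__":
    print(verify_vlan(SAMPLE_SHOW_VLAN_BRIEF, 20, "test20"))
    print(verify_vlan(SAMPLE_SHOW_VLAN_BRIEF, 2000))   # created without a name
```

Feed it the output of show vlan brief collected after the create step; a LookupError means the VLAN was never created (for example an extended-range VLAN lost because it was not persisted), and a name mismatch on an unnamed VLAN means the ID, not the name, was typed wrong.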