Configuring VLANs
The Menu interface enables configuration and display of port-based VLANs only. The CLI configures and displays port-based and protocol-based VLANs.
In the factory default state, the switch is enabled for up to 16 VLANs, and all ports belong to the default primary VLAN and are in the same broadcast/multicast domain. You can reconfigure the switch to support up to 512 VLANs.
Per-port static VLAN configuration options example
This example shows the options available to assign individual ports to a static VLAN.
GVRP, if configured, affects these options and the VLAN behavior on the switch.
Per-port VLAN configuration options
Parameter | Effect on port participation in designated VLAN |
---|---|
Tagged | Allows the port to join multiple VLANs. |
Untagged | For example, if the switch is configured with the default VLAN plus three protocol-based VLANs that include IPX, then port 1 can be an untagged member of the default VLAN and one of the protocol-based VLANs. |
No or Auto | No: When the switch is not GVRP-enabled; prevents the port from joining that VLAN. |
Forbid | Prevents the port from joining the VLAN, even if GVRP is enabled on the switch. |
Using the Menu to configure port-based VLAN parameters
NOTE: The Menu interface configures and displays only port-based VLANs. The CLI configures and displays port-based and protocol-based VLANs (see Using the CLI to configure port-based and protocol-based VLAN parameters).
In the factory default state, support is enabled for up to 256 VLANs. (You can reconfigure the switch to support up to 2048 (VIDs up to 4094) VLANs.) Also, in the default configuration, all ports on the switch belong to the default VLAN and are in the same broadcast/multicast domain. (The default VLAN is also the default Primary VLAN; see The primary VLAN.) In addition to the default VLAN, you can configure additional static VLANs by adding new VLAN names and VIDs, and then assigning one or more ports to each VLAN. (The maximum of 2048 VLANs includes the default VLAN, all additional static VLANs you configure, and any dynamic VLANs the switch creates if you enable GVRP; see GVRP.) Each port can be assigned to multiple VLANs by using VLAN tagging; see VLAN tagging rules.
Changing VLAN support settings (Menu)
The following procedure provides instructions for changing the maximum number of VLANs to support, changing the primary VLAN selection and enabling or disabling dynamic VLANs.
From the Main Menu select: 2. Switch Configuration —> 8. VLAN Menu … —> 1. VLAN Support
You see the following screen:
Press E (for Edit) and then do one or more of the following:
To designate a different VLAN as the Primary VLAN, select the Primary VLAN field and use the space bar to select from the existing options. The Primary VLAN must be a static, port-based VLAN.
To enable or disable dynamic VLANs, select the GVRP Enabled field and use the Space bar to toggle between options. For GVRP information, see GVRP.
NOTE: For optimal switch memory utilization, set the number of VLANs at the number you will likely be using or a few more. If you need more VLANs later, you can increase this number, but a switch reboot will be required at that time.
Press Enter and then S to save the VLAN support configuration and return to the VLAN Menu screen.
If you changed the value for Maximum VLANs to support, an asterisk appears next to the VLAN Support option; see VLAN menu screen indicating the need to reboot the switch.
If you changed the VLAN Support option, you must reboot the switch before the maximum VLANs change takes effect. You can go on to configure other VLAN parameters first, but you must reboot the switch when you finish.
If you did not change the VLAN Support option, a reboot is not necessary.
Press 0 to return to the Main Menu.
Adding or editing VLAN names (Menu)
Use this procedure to add a new VLAN or to edit the name of an existing VLAN.
From the Main Menu, select 2. Switch Configuration —> 8. VLAN Menu … —> 2. VLAN Names
If multiple VLANs are not yet configured, you will see a screen similar to The default VLAN names screen.
Press A (for Add).
You will be prompted for a new VLAN name and VLAN ID:
802.1Q VLAN ID : 1
Name : _
Type a VID (VLAN ID number). This can be any number from 2 to 4094 that is not already being used by another VLAN (the switch reserves 1 for the default VLAN).
NOTE: A VLAN must have the same VID in every switch in which you configure that same VLAN. GVRP dynamically extends VLANs with correct VID numbering to other switches; see GVRP.
Press ↓ key to move the cursor to the Name line and enter the VLAN name, using up to 12 characters with no spaces. Press Enter.
NOTE: Do not use the following characters in VLAN names: @, #:, $, ^, &, *, ( and ).
Press S (for Save).
The VLAN Names screen appears with the new VLAN listed.
Repeat steps 2 through 5 to add more VLANs.
You can add VLANs until you reach the number specified in the Maximum VLANs to support field on the VLAN Support screen. This includes any VLANs added dynamically due to GVRP operation.
Return to the VLAN Menu to assign ports to the new VLAN, as described in Adding or changing a VLAN port assignment (Menu).
Adding or changing a VLAN port assignment (Menu)
Ports not specifically assigned to a VLAN are automatically in the default VLAN.
From the Main Menu select: 2. Switch Configuration —> 8. VLAN Menu … —> 3. VLAN Port Assignment
You will see a screen similar to the following:
NOTE: The "VLAN Port Assignment" screen displays up to 32 static, port-based VLANs in ascending order, by VID. If the switch configuration includes more than 32 such VLANs, use the following CLI command to list data on VLANs having VIDs numbered sequentially higher than the first 32.
show vlans [<vid> | ports [<port-list>]]
To change a port's VLAN assignment:
Press E (for Edit).
Use the arrow keys to select a VLAN assignment you want to change.
Press the Space bar to make your assignment selection (No, Tagged, Untagged, or Forbid). For information on VLAN tags, see 802.1Q VLAN tagging.
If you are finished assigning ports to VLANs, press Enter and then S (for Save) to activate the changes and return to the Configuration menu. (The console then returns to the VLAN menu.)
Return to the Main menu.
NOTE: For GVRP Operation: If you enable GVRP on the switch, No converts to Auto, which allows the VLAN to dynamically join an advertised VLAN that has the same VID.
For ports A4 and A5 to belong to both DEFAULT_VLAN and VLAN-22 and ports A6 and A7 to belong only to VLAN-22, use the settings in The default VLAN names screen. This example assumes that the default GVRP setting is disabled and that you do not plan to enable GVRP later.
Using the CLI to configure port-based and protocol-based VLAN parameters
In the factory default state, all ports on the switch belong to the port-based default VLAN (DEFAULT_VLAN; VID=1) and are in the same broadcast/multicast domain.
The default VLAN is also the Primary VLAN. (For more on this topic, see The primary VLAN.)
You can configure up to 255 additional static VLANs by adding new VLAN names and then assigning one or more ports to each VLAN.
The switch accepts a maximum of 2048 VLANs with VIDs numbered up to 4094. This must include the default VLAN and any dynamic VLANs the switch creates if you enable GVRP (see GVRP).
NOTE: Each port can be assigned to multiple VLANs by using VLAN tagging. See VLAN tagging rules.
Creating a new static VLAN (port-based or protocol-based) (CLI)
The vlan <vid> command operates in the global configuration context to configure a static VLAN and/or take the CLI to a specified VLAN's context.
Syntax:
vlan <vid> | <ascii-name-string>
[no] vlan <vid>
If <vid> does not exist in the switch, this command creates a port-based VLAN with the specified <vid>.
If the command does not include options, the CLI moves to the newly created VLAN context.
If an optional name is not specified, the switch assigns a name in the default format VLANn, where n is the <vid> assigned to the VLAN.
If the VLAN exists and you enter either the <vid> or the <ascii-name-string>, the CLI moves to the specified VLAN's context.
The no form of the command deletes the VLAN as follows:
If one or more ports belong only to the VLAN to be deleted, the CLI notifies you that these ports will be moved to the default VLAN and prompts you to continue the deletion. For member ports that also belong to another VLAN, there is no move prompt.
protocol [ipx | ipv4 | ipv6 | arp | appletalk | sna | netbeui]
Configures a static, protocol VLAN of the specified type.
If multiple protocols are configured in the VLAN, the no form removes the specified protocol.
If a protocol VLAN is configured with only one protocol type and you use the no form of this command to remove that protocol, the switch changes the protocol VLAN to a port-based VLAN (if the VLAN does not have an untagged member port).
If an untagged member port exists on the protocol VLAN, you must either convert the port to a tagged member or remove the port from the VLAN before removing the last protocol type from the VLAN.
NOTE: If you create an IPv4 protocol VLAN, you must assign the ARP protocol option to it to provide IP address resolution. Otherwise, IP packets are not deliverable. A Caution message appears in the CLI if you configure IPv4 in a protocol VLAN that does not already include the ARP protocol option. The same message appears if you add or delete another protocol in the same VLAN.
name <ascii-name-string>
When included in a vlan command to create a new static VLAN, this command specifies a non-default VLAN name. Also used to change the current name of an existing VLAN.
NOTE: Avoid spaces and the following characters in the <ascii-name-string> entry: @, #:, $, ^, &, *, ( and ). To include a blank space in a VLAN name, enclose the name in single or double quotes.
voice
Designates a VLAN for VoIP use. For more on this topic, see Using voice VLANs.
NOTE: You can use these options from the configuration level by beginning the command with vlan <vid>, or from the context level of the specific VLAN by just entering the command option.
Creating a new port-based static VLAN
The following example shows how to create a new port-based, static VLAN with a VID of 100 using the following steps:
To create the new VLAN, type the vlan 100 command.
To show the VLANs currently configured in the switch, type the show vlans command.
If the Management VLAN field (shown after Primary VLAN : DEFAULT_VLAN in the display information below) is empty, a Secure Management VLAN is not configured in the switch. For more information on configuring a secure management VLAN, see The secure Management VLAN.
switch(config)#: vlan 100
switch(config)#: show vlans
Status and Counters - VLAN Information
Maximum VLANs to support : 8
Primary VLAN : DEFAULT_VLAN
Management VLAN :
VLAN ID Name                 Status       Voice Jumbo
------- -------------------- ------------ ----- -----
1       DEFAULT_VLAN         Port-based   No    No
100     VLAN100              Port-based   No    No
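The empty Management VLAN field described above can be checked automatically over captured show vlans output. The following Python is an added example, not part of the original manual; the sample capture is constructed from the display on this page, and the finding names are hypothetical.

```python
import re

# Constructed sample in the shape of the `show vlans` display on this page.
SAMPLE = """\
Status and Counters - VLAN Information
  Maximum VLANs to support : 8
  Primary VLAN : DEFAULT_VLAN
  Management VLAN :
  VLAN ID Name                 Status       Voice Jumbo
  ------- -------------------- ------------ ----- -----
  1       DEFAULT_VLAN         Port-based   No    No
  100     VLAN100              Port-based   No    No
"""

FIELD_RE = re.compile(
    r"^\s*(Maximum VLANs to support|Primary VLAN|Management VLAN)\s*:\s*(.*?)\s*$"
)
# VID, name (may contain spaces if it was quoted), status, voice, jumbo
ROW_RE = re.compile(r"^\s*(\d{1,4})\s+(.+?)\s+(\S+)\s+(Yes|No)\s+(Yes|No)\s*$")


def parse_show_vlans(text):
    """Return the header fields and the VLAN rows of a `show vlans` capture."""
    fields, vlans = {}, []
    for line in text.splitlines():
        if (m := FIELD_RE.match(line)):
            fields[m.group(1)] = m.group(2)
        elif (m := ROW_RE.match(line)):
            vid, name, status, voice, jumbo = m.groups()
            vlans.append({"vid": int(vid), "name": name, "status": status,
                          "voice": voice == "Yes", "jumbo": jumbo == "Yes"})
    return {"fields": fields, "vlans": vlans}


def audit(parsed):
    """Return (code, detail) findings; the codes are hypothetical names."""
    findings = []
    fields, vlans = parsed["fields"], parsed["vlans"]
    mgmt = fields.get("Management VLAN", "")
    if not mgmt:
        # Page: an empty field means no Secure Management VLAN is configured.
        findings.append(("no-management-vlan", "Management VLAN field is empty"))
    else:
        row = next((v for v in vlans if v["name"] == mgmt), None)
        if row and row["vid"] == 1:
            # Page: ports not assigned elsewhere are automatically in the
            # default VLAN, so every such port would be a management port.
            findings.append(("management-vlan-is-default",
                             "Management VLAN is the default VLAN (VID 1)"))
    limit = fields.get("Maximum VLANs to support", "")
    if limit.isdigit() and len(vlans) >= int(limit):
        # Page: the maximum includes static and GVRP-created dynamic VLANs.
        findings.append(("vlan-table-full",
                         f"{len(vlans)} of {limit} VLANs in use"))
    return findings


if __name__ == "__main__":
    for code, detail in audit(parse_show_vlans(SAMPLE)):
        print(f"{code}: {detail}")
```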
Changing the VLAN context level
To go to a different VLAN context level, such as to the default VLAN:
switch (vlan-100)#: vlan default_vlan
switch(vlan-1) _
Configuring or changing static VLAN per-port settings (CLI)
Syntax:
[no] vlan <vid>
This command, used with the options listed below, changes the name of an existing static VLAN and the per-port VLAN membership settings.
NOTE: You can use these options from the configuration level by beginning the command with
tagged <port-list>
Configures the indicated port as Tagged for the specified VLAN. The no version sets the port to either No or (if GVRP is enabled) to Auto.
untagged <port-list>
Configures the indicated port as Untagged for the specified VLAN. The no version sets the port to either No or (if GVRP is enabled) to Auto.
forbid <port-list>
Used in port-based VLANs, configures <port-list> as forbidden to become a member of the specified VLAN, as well as other actions. Does not operate with protocol VLANs, where this option is not allowed. The no version sets the port to either No or (if GVRP is enabled) to Auto. See GVRP.
auto <port-list>
Available if GVRP is enabled on the switch. Returns the per-port settings for the specified VLAN to Auto operation. Auto is the default per-port setting for a static VLAN if GVRP is running on the switch. For information on dynamic VLAN and GVRP operation, see GVRP.
Changing the VLAN name and setting ports to tagged
Suppose that there is a VLAN named VLAN100 with a VID of 100 and all ports are set to No for this VLAN. To change the VLAN name to Blue_Team and set ports A1 - A5 to Tagged, use the following commands:
switch(config)#: vlan 100 name Blue_Team
switch(config)#: vlan 100 tagged a1-a5
Moving the context level
To move to the vlan 100 context level and execute the same commands:
switch(config)#: vlan 100
switch(vlan-100)#: name Blue_Team
switch(vlan-100)#: tagged a1-a5
Changing tagged ports
Similarly, to change the tagged ports in the above examples to No (or Auto, if GVRP is enabled), use either of the following commands.
At the global config level, use:
switch(config)#: no vlan 100 tagged a1-a5
- or -
At the VLAN 100 context level, use:
switch(vlan-100)#: no tagged a1-a5
Converting a dynamic VLAN to a static VLAN (CLI)
Syntax:
static-vlan <vlan-id>
Converts a dynamic, port-based VLAN membership to static, port-based VLAN membership (allows port-based VLANs only).
For this command, <vlan-id> refers to the VID of the dynamic VLAN membership. Use show vlan to help identify the VID.
This command requires that GVRP is running on the switch and a port is currently a dynamic member of the selected VLAN.
After you convert a dynamic VLAN to static, you must configure the switch's per-port participation in the VLAN in the same way that you would for any static VLAN. For GVRP and dynamic VLAN operation, see GVRP.
Deleting a static VLAN (CLI)
Syntax:
no vlan <vid>
CAUTION: Before deleting a static VLAN, reassign all ports in the VLAN to another VLAN.
Deleting a static VLAN
Continuing the example in VLAN Names screen with a new VLAN added, if ports B1-B5 belong to both VLAN 2 and VLAN 3 and ports B6-B10 belong to VLAN 3, deleting VLAN 3 causes the CLI to prompt you to approve moving ports B6 - B10 to VLAN 1 (the default VLAN). (Ports B1-B5 are not moved because they still belong to another VLAN.)
switch(config)#: no vlan 3
The following ports will be moved to the default VLAN:
B6-B10
Do you want to continue?
[y/n] Y
switch(config)#:
Deleting multiple VLANs
Enables the user to add or delete interfaces from multiple tagged or untagged VLANs or SVLANs using a single command. Interfaces can be added to or deleted from up to 256 VLANs at a time. If more than 256 VLANs are specified, an error displays. The forbid command option prevents specified ports from becoming members of specified VLANs or SVLANs when used with GVRP. The command is executed in the interface context.
Syntax
[no] interface <port-list> <tagged | untagged | forbid> <vlan | svlan <vlan-id-list>>
The specified interfaces are added to existing VLANs or SVLANs. If a VLAN or SVLAN does not exist, an error message displays.
The [no] option removes the specified interfaces from the specified VLANs or SVLANs.
The forbid option prevents an interface from becoming a member of the specified VLANs or SVLANs. It is executed in interface context.
Removing an interface from several VLANs
The vlan-id-list includes a comma-separated list of VLAN IDs and/or VLAN ID ranges.
To remove interface 1 from VLANs 1, 3, 5, 6, 7, 8, 9, 10:
switch(config)#: no interface 1,6,7-10 tagged vlan 1,3,5-10
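Because one such command can touch many port and VLAN combinations, it helps to expand the lists before running it. The following Python is an added example, not part of the original manual: it expands the port list and vlan-id-list of the command form above and enforces the 256-VLAN limit and the 4094 VID ceiling stated on this page. The function names are hypothetical and the command is passed without the switch prompt.

```python
import re

MAX_VID = 4094               # highest VID the page allows
MAX_VLANS_PER_COMMAND = 256  # per-command limit stated on the page

# [no] interface <port-list> <tagged|untagged|forbid> <vlan|svlan> <vlan-id-list>
CMD_RE = re.compile(
    r"^(?P<no>no\s+)?interface\s+(?P<ports>\S+)\s+"
    r"(?P<mode>tagged|untagged|forbid)\s+(?P<kind>s?vlan)\s+(?P<vids>\S+)$",
    re.IGNORECASE,
)
PORT_RE = re.compile(r"^([A-Za-z]*)(\d+)$")  # e.g. 7, a1, B10


def expand_vlan_id_list(spec):
    """Expand '1,3,5-10' into sorted VIDs, enforcing range and count limits."""
    vids = set()
    for item in spec.split(","):
        lo, dash, hi = item.strip().partition("-")
        if not lo.isdigit() or (dash and not hi.isdigit()):
            raise ValueError(f"bad VLAN ID item: {item!r}")
        first, last = int(lo), int(hi) if dash else int(lo)
        if not 1 <= first <= last <= MAX_VID:
            raise ValueError(f"VLAN ID out of range 1-{MAX_VID}: {item!r}")
        vids.update(range(first, last + 1))
    if len(vids) > MAX_VLANS_PER_COMMAND:
        raise ValueError(
            f"{len(vids)} VLANs exceeds {MAX_VLANS_PER_COMMAND} per command")
    return sorted(vids)


def expand_port_list(spec):
    """Expand '1,6,7-10' or 'a1-a5' into individual port names, in order."""
    ports = []
    for item in spec.split(","):
        lo, dash, hi = item.strip().partition("-")
        m_lo = PORT_RE.match(lo)
        m_hi = PORT_RE.match(hi) if dash else m_lo
        if not m_lo or not m_hi:
            raise ValueError(f"bad port item: {item!r}")
        prefix = m_lo.group(1).upper()
        first, last = int(m_lo.group(2)), int(m_hi.group(2))
        if m_hi.group(1).upper() != prefix or first > last:
            raise ValueError(f"bad port range: {item!r}")
        ports.extend(f"{prefix}{n}" for n in range(first, last + 1))
    return list(dict.fromkeys(ports))  # drop duplicates, keep order


def expand_command(command):
    """Describe which ports and VLANs one interface command would change."""
    m = CMD_RE.match(command.strip())
    if not m:
        raise ValueError(f"not an interface VLAN membership command: {command!r}")
    return {
        "action": "remove" if m["no"] else "add",
        "mode": m["mode"].lower(),
        "kind": m["kind"].lower(),
        "ports": expand_port_list(m["ports"]),
        "vids": expand_vlan_id_list(m["vids"]),
    }


if __name__ == "__main__":
    plan = expand_command("no interface 1,6,7-10 tagged vlan 1,3,5-10")
    print(plan["action"], plan["mode"], "ports", plan["ports"], "VLANs", plan["vids"])
```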
Using IP enable/disable for all VLANs
You can administratively disable the IP address on specified VLANs with static IP addresses without removing the Layer 3 configuration. The switch can be pre-configured as a backup router, then quickly transition from backup to active by re-enabling Layer 3 routing on one or more VLANs. While the switch is in “backup” mode, it will still be performing Layer 2 switching.
A MIB object will be toggled to make Layer 3 routing active or inactive on a VLAN.
Interaction with other features
This feature affects management access to the switch as follows:
IP—SNMP, Telnet, SSH, HTTP, TFTP, SCP, SFTP
Routing—RIP, OSPF, PIM, VRRP
When the disable layer3 command is configured on a VLAN, the behavior is as if no IP address were configured for that VLAN. There is no other change in behavior.
Syntax:
[no] disable layer3 vlan <vid> <vid range>
In config context, turns off Layer 3 routing for the specified VLAN or VLANs. When executed in vlan context, turns off Layer 3 routing for that VLAN.
The no form turns on Layer 3 routing for the specified VLAN or VLANs.
The show ip command displays disabled in the IP Config column if Layer 3 has been disabled, or if the VLAN has no IP configuration. You can tell which is the case by viewing the remaining columns; if there is no IP configuration, the remaining columns are blank.
Displaying a VLAN disabled for Layer 3
switch(config)#: show ip
Internet (IP) Service
IP Routing : Disabled
Default Gateway : 172.22.16.1
Default TTL : 64
Arp Age : 20
Domain Suffix :
DNS server :
VLAN                 | IP Config  IP Address      Subnet Mask     Proxy ARP
-------------------- + ---------- --------------- --------------- ---------
DEFAULT_VLAN         | DHCP/Bootp 172.22.18.100   255.255.248.0   No No
VLAN3                | Disabled   172.17.17.17    255.255.255.0   No No
VLAN6                | Disabled
VLAN7                | Manual     10.7.7.1        255.255.255.0   No No
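The rule above for telling a Layer 3-disabled VLAN from one with no IP configuration can be applied mechanically when reviewing which VLANs still hold an address that management protocols would use once Layer 3 is re-enabled. The following Python is an added example, not part of the original manual; the sample rows are constructed from the display on this page and the state names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the VLAN table from the `show ip` display on this page.
SAMPLE = """\
  VLAN                 | IP Config  IP Address      Subnet Mask     Proxy ARP
  -------------------- + ---------- --------------- --------------- ---------
  DEFAULT_VLAN         | DHCP/Bootp 172.22.18.100   255.255.248.0   No No
  VLAN3                | Disabled   172.17.17.17    255.255.255.0   No No
  VLAN6                | Disabled
  VLAN7                | Manual     10.7.7.1        255.255.255.0   No No
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ROW_RE = re.compile(
    rf"^\s*(?P<vlan>.+?)\s*\|\s*(?P<cfg>\S+)"
    rf"(?:\s+(?P<ip>{IPV4})\s+(?P<mask>{IPV4}))?"
)
# IP Config values that appear in the display on this page.
KNOWN_CFG = {"dhcp/bootp", "manual", "disabled"}


def classify_show_ip(text):
    """Map each VLAN name to (state, interface-or-None).

    States (hypothetical names):
      layer3-active    IP Config is not Disabled
      layer3-disabled  Disabled, but address and mask columns are filled in
      no-ip-config     Disabled and the remaining columns are blank
    """
    states = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m or m["cfg"].lower() not in KNOWN_CFG:
            continue  # header, separator or unrelated line
        iface = None
        if m["ip"]:
            iface = ipaddress.ip_interface(f"{m['ip']}/{m['mask']}")
        if m["cfg"].lower() != "disabled":
            state = "layer3-active"
        elif iface is not None:
            state = "layer3-disabled"
        else:
            state = "no-ip-config"
        states[m["vlan"]] = (state, iface)
    return states


def retained_addresses(states):
    """VLANs whose Layer 3 is off but whose IP configuration is kept."""
    return {name: str(iface) for name, (state, iface) in states.items()
            if state == "layer3-disabled"}


if __name__ == "__main__":
    for name, (state, iface) in classify_show_ip(SAMPLE).items():
        print(f"{name:<14} {state:<16} {iface or ''}")
```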
For IPv6, the Layer 3 Status field displays the status of Layer 3 on that VLAN.
Displaying IPv6 Layer 3 status for a VLAN
switch(config)#: show ipv6
Internet (IPv6) Service
IPv6 Routing : Disabled
Default Gateway :
ND DAD : Enabled
DAD Attempts : 3
Vlan Name : DEFAULT_VLAN
IPv6 Status : Disabled
Layer 3 Status : Enabled
Vlan Name : layer3_off_vlan
IPv6 Status : Disabled
Layer 3 Status : Disabled
Address    |                                             Address
Origin     | IPv6 Address/Prefix Length                  Status
---------- + ------------------------------------------- -----------
manual     | abcd::1234/32                               tentative
autoconfig | fe80::218:71ff:febd:ee00/64                 tentative
Interactions with DHCP
Disabling Layer 3 functionality and DHCP are mutually exclusive, with DHCP taking precedence over disable layer3 on a VLAN. The following interactions occur:
If the disable layer3 command is executed when DHCP is already configured, no disabling of the VLAN occurs. This error message displays: “Layer 3 cannot be disabled on a VLAN that has DHCP enabled.”
From the CLI: If disable layer3 is configured already and an attempt is made to configure DHCP, DHCP takes precedence and will be set. The warning message displays: “Layer 3 has also been enabled on this VLAN since it is required for DHCP.”
From the CLI: When disabling a range of VLAN IDs, this warning message displays: “Layer 3 will not be disabled for any LANs that have DHCP enabled.”
From SNMP: If the disable layer3 command is executed when DHCP is already configured, no disabling of the VLAN occurs. An INCONSISTENT_VALUE error is returned.
From SNMP: If disable layer3 is configured already and an attempt is made to configure DHCP, DHCP takes precedence and will be set.
Changing the Primary VLAN (CLI)
For more information on Primary VLANs, see The primary VLAN.
Syntax:
To change the Primary VLAN (CLI), use the following command:
primary-vlan <vid> | <ascii-name-string>
In the default VLAN configuration, the port-based default VLAN (DEFAULT_VLAN) is the Primary VLAN. This command reassigns the Primary VLAN function to an existing, port-based, static VLAN.
The switch cannot reassign the Primary VLAN function to a protocol VLAN.
If you reassign the Primary VLAN to a non-default VLAN, then to delete that VLAN from the switch you must first assign the Primary VLAN function to another port-based static VLAN.
To identify the current Primary VLAN and list the available VLANs and their respective VIDs, use show vlans.
Reassigning, renaming and displaying the VLAN command sequence
The following example shows how to reassign the Primary VLAN to VLAN 22 (first command line), rename the VLAN to 22-Primary (second command line) and then display the result (third command line):
switch(config)#: primary-vlan 22
switch(config)#: vlan 22 name 22-Primary
switch(config)#: show vlans
Status and Counters - VLAN Information
Maximum VLANs to support : 8
Primary VLAN : 22-Primary
Management VLAN :
VLAN ID Name                 Status       Voice Jumbo
------- -------------------- ------------ ----- -----
1       DEFAULT_VLAN         Static       No    No
22      22-Primary           Static       No    No
Configuring a secure Management VLAN (CLI)
Preparation
Determine a VID and VLAN name suitable for your Management VLAN.
Plan your topology to use switches that support Management VLANs. See The secure Management VLAN.
Include only the following ports:
Ports to which you will connect authorized management stations, such as Port A7 in Management VLAN control in a LAN.
Ports on one switch that you will use to extend the Management VLAN to ports on other switches, such as ports A1 and Management VLAN control in a LAN.
Half-duplex repeaters dedicated to connecting management stations to the Management VLAN can also be included in this topology. Any device connected to a half-duplex repeater in the Management VLAN will also have Management VLAN access.
Configure the Management VLAN on the selected switch ports.
Test the Management VLAN from all of the management stations authorized to use it, including any SNMP-based network management stations. Also test any Management VLAN links between switches.
NOTE: If you configure a Management VLAN on a switch using a Telnet connection through a port not in the Management VLAN, you will lose management contact with the switch if you log off your Telnet connection or execute
Configuring an existing VLAN as the Management VLAN (CLI)
Syntax:
[no] management-vlan [<vlan-id> | <vlan-name>]
Configures an existing VLAN as the Management VLAN.
The no form disables the Management VLAN and returns the switch to its default management operation.
Default: Disabled. In this case, the VLAN returns to standard VLAN operation.
Switch configuration
You have configured a VLAN named My_VLAN with a VID of 100 and want to configure the switch to do the following:
Use My_VLAN as a Management VLAN (tagged, in this case) to connect port A1 on switch "A" to a management station. The management station includes a network interface card with 802.1Q tagged VLAN capability.
Use port A2 to extend the Management VLAN to port B1, which is already configured as a tagged member of My_VLAN, on an adjacent switch that supports the Management VLAN feature.
switch (config)#: management-vlan 100
switch (config)#: vlan 100 tagged a1
switch (config)#: vlan 100 tagged a2
Obtaining an IP address using DHCP (CLI)
Use DHCP to obtain an IPv4 address for your Management VLAN or a client on that VLAN. The following examples illustrate when an IP address will be received from the DHCP server.
DHCP server on a Management VLAN
If Blue_VLAN is configured as the Management VLAN and the DHCP server is also on Blue_VLAN, Blue_VLAN receives an IP address. Because DHCP Relay does not forward onto or off the Management VLAN, devices on Red_VLAN cannot get an IP address from the DHCP server on Blue_VLAN (Management VLAN) and Red_VLAN does not receive an IP address.
DHCP server on a different VLAN from the Management VLAN
If Red_VLAN is configured as the Management VLAN and the DHCP server is on Blue_VLAN, Blue_VLAN receives an IP address but Red_VLAN does not.
No Management VLANs configured
If no Management VLAN is configured, both Blue_VLAN and Red_VLAN receive IP addresses.
A client on a different Management VLAN from the DHCP server
If Red_VLAN is configured as the Management VLAN and the client is on Red_VLAN, but the DHCP server is on Blue_VLAN, the client will not receive an IP address.
A DHCP server and client on the Management VLAN
If Blue_VLAN is configured as the Management VLAN, the client is on Blue_VLAN and the DHCP server is on Blue_VLAN, the client receives an IP address.
Disabling the Management feature (CLI)
You can disable the Secure Management feature without deleting the VLAN.
Disabling the secure management feature
The following commands disable the Secure Management feature in the above example:
switch (config)#: no management-vlan 100
switch (config)#: no management-vlan my_vlan
For more information, see The secure Management VLAN.
Changing the number of VLANs allowed on the switch (CLI)
Syntax:
The default VLAN number is 1.
max-vlans <1-512>
Default number of VLANs: 16
If GVRP is enabled, this setting includes any dynamic VLANs on the switch. As part of implementing a new setting, you must execute a write memory command to save the new value to the startup-config file and then reboot the switch.
NOTE: If multiple VLANs exist on the switch, you cannot reset the maximum number of VLANs to a value smaller than the current number of VLANs.
The following example shows the command sequence for changing the number of VLANs allowed to 10. You can execute the commands to write memory and boot at another time.
Changing the number of allowed VLANs
switch(config)#: max-vlans 10
This command will take effect after saving the configuration
and rebooting the system.
switch(config)#: write memory
switch(config)#: boot
Device will be rebooted, do you want to continue [y/n]? Y