Thursday 16 April 2015

Configuring VLANs

Configuring Normal-Range VLANs

Normal-range VLANs are VLANs with VLAN IDs 1 to 1005. If the switch is in VTP server or transparent mode, you can add, modify or remove configurations for VLANs 2 to 1001 in the VLAN database. (VLAN IDs 1 and 1002 to 1005 are automatically created and cannot be removed.)
When the switch is in VTP transparent mode and the enhanced software image is installed, you can also create extended-range VLANs (VLANs with IDs from 1006 to 4094), but these VLANs are not saved in the VLAN database.
Configurations for VLAN IDs 1 to 1005 are written to the file vlan.dat (VLAN database), and you can display them by entering the show vlan privileged EXEC command. The vlan.dat file is stored in nonvolatile RAM (NVRAM).
You use the interface configuration mode to define the port membership mode and to add and remove ports from VLANs. The results of these commands are written to the running-configuration file, and you can display the file by entering the show running-config privileged EXEC command.
You can set these parameters when you create a new normal-range VLAN or modify an existing VLAN in the VLAN database:
VLAN ID
VLAN name
VLAN type (Ethernet, Fiber Distributed Data Interface [FDDI], FDDI network entity title [NET], TrBRF, or TrCRF, Token Ring, Token Ring-Net)
VLAN state (active or suspended)
Maximum transmission unit (MTU) for the VLAN
Security Association Identifier (SAID)
Bridge identification number for TrBRF VLANs
Ring number for FDDI and TrCRF VLANs
Parent VLAN number for TrCRF VLANs
Spanning Tree Protocol (STP) type for TrCRF VLANs
VLAN number to use when translating from one VLAN type to another
This section does not provide configuration details for most of these parameters. For information on the commands and parameters that control VLAN configuration, refer to the Catalyst 2950 Desktop Switch Command Reference for this release. This section covers these topics on normal-range VLANs:
Token Ring VLANs
Configuration Guidelines for Normal-Range VLANs
VLAN Configuration Mode Options
Saving VLAN Configuration
Default Ethernet VLAN Configuration
Creating or Modifying an Ethernet VLAN
Deleting a VLAN
Assigning Static-Access Ports to a VLAN

Token Ring VLANs

Although the Catalyst 2950 switches do not support Token Ring connections, a remote device such as a Catalyst 5000 series switch with Token Ring connections could be managed from one of the supported switches. Switches running VTP version 2 advertise information about these Token Ring VLANs:
Token Ring TrBRF VLANs
Token Ring TrCRF VLANs
For more information on configuring Token Ring VLANs, refer to the Catalyst 5000 Series Software Configuration Guide.

Configuration Guidelines for Normal-Range VLANs

Follow these guidelines when creating and modifying normal-range VLANs in your network:
See Table 13-1 for the maximum number of supported VLANs per switch model. On a switch supporting 250 VLANs, if VTP reports that there are 254 active VLANs, four of the active VLANs (1002 to 1005) are reserved for Token Ring and FDDI.
Normal-range VLANs are identified with a number between 1 and 1001. VLAN numbers 1002 through 1005 are reserved for Token Ring and FDDI VLANs.
VLAN configuration for VLANs 1 to 1005 is always saved in the VLAN database. If VTP mode is transparent, VTP and VLAN configuration is also saved in the switch running configuration file.
The switch also supports VLAN IDs 1006 through 4094 in VTP transparent mode (VTP disabled) when the enhanced software image is installed. These are extended-range VLANs and configuration options are limited. Extended-range VLANs are not saved in the VLAN database.
Before you can create a VLAN, the switch must be in VTP server mode or VTP transparent mode. If the switch is a VTP server, you must define a VTP domain or VTP will not function.
Catalyst 2950 switches do not support Token Ring or FDDI media. The switch does not forward FDDI, FDDI-Net, TrCRF, or TrBRF traffic, but it does propagate the VLAN configuration through VTP.
The switch supports 64 spanning-tree instances. If a switch has more active VLANs than supported spanning-tree instances, spanning tree can be enabled on 64 VLANs and is disabled on the remaining VLANs. If you have already used all available spanning-tree instances on a switch, adding another VLAN anywhere in the VTP domain creates a VLAN on that switch that is not running spanning-tree. If you have the default allowed list on the trunk ports of that switch (which is to allow all VLANs), the new VLAN is carried on all trunk ports. Depending on the topology of the network, this could create a loop in the new VLAN that would not be broken, particularly if there are several adjacent switches that all have run out of spanning-tree instances. You can prevent this possibility by setting allowed lists on the trunk ports of switches that have used up their allocation of spanning-tree instances.
If the number of VLANs on the switch exceeds 64, we recommend that you configure the IEEE 802.1S Multiple STP (MSTP) on your switch to map multiple VLANs to a single STP instance. For more information about MSTP.
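
The spanning-tree guideline above can be checked before a VLAN is added anywhere in the VTP domain. This is an added example, not part of the original post or of Cisco's documentation; the switch names, the inventory layout and the function names are hypothetical.

```python
STP_INSTANCES = 64  # per-switch spanning-tree instance limit stated above

# Constructed inventory. "trunks" maps a neighbour to that trunk's allowed
# VLAN set; None stands for the default allowed list (all VLANs).
INVENTORY = {
    "sw-a": {"stp_in_use": 64, "trunks": {"sw-b": None, "sw-c": None}},
    "sw-b": {"stp_in_use": 64, "trunks": {"sw-a": None}},
    "sw-c": {"stp_in_use": 12, "trunks": {"sw-a": None}},
    "sw-d": {"stp_in_use": 64, "trunks": {"sw-e": {1, 10, 20}}},
    "sw-e": {"stp_in_use": 64, "trunks": {"sw-d": {1, 10, 20}}},
}

def carries(allowed, vlan_id):
    """True if a trunk with this allowed list forwards vlan_id."""
    return allowed is None or vlan_id in allowed

def unprotected_trunks(inventory, new_vlan):
    """Per switch with no free instance: trunks that would carry new_vlan."""
    result = {}
    for name, sw in inventory.items():
        if sw["stp_in_use"] < STP_INSTANCES:
            continue  # a free instance remains, so the VLAN runs spanning tree
        hit = sorted(n for n, allowed in sw["trunks"].items()
                     if carries(allowed, new_vlan))
        if hit:
            result[name] = hit
    return result

def risky_links(inventory, new_vlan):
    """Links whose two ends both carry new_vlan without spanning tree."""
    exposed = unprotected_trunks(inventory, new_vlan)
    links = set()
    for name, neighbours in exposed.items():
        for n in neighbours:
            if name in exposed.get(n, []):
                links.add(tuple(sorted((name, n))))
    return sorted(links)

if __name__ == "__main__":
    print(unprotected_trunks(INVENTORY, 30))
    print(risky_links(INVENTORY, 30))
```

Links reported by risky_links are the ones to restrict with an allowed list before the VLAN is created.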

VLAN Configuration Mode Options

You can configure normal-range VLANs (with VLAN IDs 1 to 1005) by using these two configuration modes:
VLAN Configuration in config-vlan Mode
You access config-vlan mode by entering the vlan vlan-id global configuration command.
VLAN Configuration in VLAN Configuration Mode
You access VLAN configuration mode by entering the vlan database privileged EXEC command.

VLAN Configuration in config-vlan Mode

To access config-vlan mode, enter the vlan global configuration command with a VLAN ID. Enter a new VLAN ID to create a VLAN, or enter an existing VLAN ID to modify that VLAN. You can use the default VLAN configuration (Table 13-3) or enter multiple commands to configure the VLAN. For more information about commands available in this mode, refer to the vlan global configuration command description in the Catalyst 2950 Desktop Switch Command Reference for this release. When you have finished the configuration, you must exit config-vlan mode for the configuration to take effect. To display the VLAN configuration, enter the show vlan privileged EXEC command.
You must use this config-vlan mode when creating extended-range VLANs (VLAN IDs greater than 1005).

VLAN Configuration in VLAN Configuration Mode

To access VLAN configuration mode, enter the vlan database privileged EXEC command. Then enter the vlan command with a new VLAN ID to create a VLAN or with an existing VLAN ID to modify the VLAN. You can use the default VLAN configuration (Table 13-3) or enter multiple commands to configure the VLAN. For more information about keywords available in this mode, refer to the vlan VLAN configuration command description in the Catalyst 2950 Desktop Switch Command Reference for this release. When you have finished the configuration, you must enter apply or exit for the configuration to take effect. When you enter the exit command, it applies all commands and updates the VLAN database. VTP messages are sent to other switches in the VTP domain, and the privileged EXEC mode prompt appears.

Saving VLAN Configuration

The configurations of VLAN IDs 1 to 1005 are always saved in the VLAN database (vlan.dat file). If VTP mode is transparent, they are also saved in the switch running configuration file and you can enter the copy running-config startup-config privileged EXEC command to save the configuration in the startup configuration file. You can use the show running-config vlan privileged EXEC command to display the switch running configuration file. To display the VLAN configuration, enter the show vlan privileged EXEC command.
When you save VLAN and VTP information (including extended-range VLAN configuration information) in the startup configuration file and reboot the switch, the switch configuration is determined as follows:
If the VTP mode is transparent in the startup configuration, and the VLAN database and the VTP domain name from the VLAN database matches that in the startup configuration file, the VLAN database is ignored (cleared), and the VTP and VLAN configurations in the startup configuration file are used. The VLAN database revision number remains unchanged in the VLAN database.
If the VTP mode or domain name in the startup configuration does not match the VLAN database, the domain name and VTP mode and configuration for the first 1005 VLANs use the VLAN database information.
If VTP mode is server, the domain name and VLAN configuration for the first 1005 VLANs use the VLAN database information.
If the switch is running IOS release 12.1(9)EA1 or later and you use an older startup configuration file to boot up the switch, the configuration file does not contain VTP or VLAN information, and the switch uses the VLAN database configurations.
If the switch is running an IOS release earlier than 12.1(9)EA1 and you use a startup configuration file from IOS release 12.1(9)EA1 or later to boot up the switch, the image on the switch does not recognize the VLAN and VTP configurations in the startup configuration file, so the switch uses the VLAN database configuration.
If the startup configuration file contains extended-range VLAN configuration, this information will be lost when the system boots up.
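
The boot-time rules above decide whether a reviewed startup configuration or vlan.dat supplies VLANs 1 to 1005 after a reload. This is an added example, not part of the original post or of Cisco's documentation: the rules are written as a function, and a second function lists VLANs that would come up from vlan.dat without ever appearing in the reviewed file. The class and function names and the boolean image flag are hypothetical, and modes other than transparent and server are rejected because the rules above do not cover them.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class VtpState:
    mode: Optional[str]    # "transparent" or "server"; None = no VTP/VLAN lines
    domain: Optional[str]

def vlan_source_after_reboot(startup: VtpState, vlan_db: VtpState,
                             image_reads_startup_vlans: bool = True):
    """Return (source, reason) for VLANs 1 to 1005 after a reload.

    image_reads_startup_vlans is False for an image earlier than
    12.1(9)EA1, which does not recognize VLAN/VTP lines in the file.
    """
    if not image_reads_startup_vlans:
        return "vlan.dat", "image does not recognize VLAN/VTP in startup-config"
    if startup.mode is None:
        return "vlan.dat", "startup-config has no VTP or VLAN information"
    if (startup.mode, startup.domain) != (vlan_db.mode, vlan_db.domain):
        return "vlan.dat", "VTP mode or domain differs from the VLAN database"
    if startup.mode == "transparent":
        return "startup-config", "transparent mode and matching domain"
    if startup.mode == "server":
        return "vlan.dat", "VTP server mode"
    raise ValueError(f"mode {startup.mode!r} is not covered by the rules above")

def review_gaps(startup, vlan_db, reviewed_vlans, db_vlans, **kw):
    """VLAN IDs that will exist after reload but were never reviewed.

    reviewed_vlans: IDs approved by reading startup-config.
    db_vlans: IDs currently present in vlan.dat.
    """
    source, _ = vlan_source_after_reboot(startup, vlan_db, **kw)
    if source == "startup-config":
        return []
    return sorted(set(db_vlans) - set(reviewed_vlans))

if __name__ == "__main__":
    # Constructed case: file says transparent, vlan.dat says server.
    cfg, db = VtpState("transparent", "corp"), VtpState("server", "corp")
    print(vlan_source_after_reboot(cfg, db))
    print(review_gaps(cfg, db, [1, 10, 20], [1, 10, 20, 99]))
```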
           
Default Ethernet VLAN Configuration

Table 13-3 shows the default configuration for Ethernet VLANs.
The switch supports Ethernet interfaces exclusively. Because FDDI and Token Ring VLANs are not locally supported, you only configure FDDI and Token Ring media-specific characteristics for VTP global advertisements to other switches.

Table 13-3 Ethernet VLAN Defaults and Ranges

Parameter | Default | Range
VLAN ID | 1 | 1-4094 when the enhanced software image is installed and 1 to 1005 when the standard software image is installed. Note: Extended-range VLANs (VLAN IDs 1006 to 4094) are not saved in the VLAN database.
VLAN name | VLANxxxx, where xxxx represents four numeric digits (including leading zeros) equal to the VLAN ID number | No range
802.10 SAID | 100001 (100000 plus the VLAN ID) | 1-4294967294
MTU size | 1500 | 1500-18190
Translational bridge 1 | 0 | 0-1005
Translational bridge 2 | 0 | 0-1005
VLAN state | active | active, suspend

Creating or Modifying an Ethernet VLAN

Each Ethernet VLAN in the VLAN database has a unique, 4-digit ID that can be a number from 1 to 1001. VLAN IDs 1002 to 1005 are reserved for Token Ring and FDDI VLANs. To create a normal-range VLAN to be added to the VLAN database, assign a number and name to the VLAN.
When the switch is in VTP transparent mode and the enhanced software image is installed, you can assign VLAN IDs greater than 1006, but they are not added to the VLAN database.
For the list of default parameters that are assigned when you add a VLAN, 
Beginning in privileged EXEC mode, follow these steps to use config-vlan mode to create or modify an Ethernet VLAN:

Step | Command | Purpose
1 | configure terminal | Enter global configuration mode.
2 | vlan vlan-id | Enter a VLAN ID, and enter config-vlan mode. Enter a new VLAN ID to create a VLAN, or enter an existing VLAN ID to modify a VLAN. Note: The available VLAN ID range for this command is 1 to 1005 when the standard software image is installed and 1 to 4094 when the enhanced software image is installed; do not enter leading zeros. For information about adding VLAN IDs greater than 1005 (extended-range VLANs).
3 | name vlan-name | (Optional) Enter a name for the VLAN. If no name is entered for the VLAN, the default is to append the vlan-id with leading zeros to the word VLAN. For example, VLAN0004 is a default VLAN name for VLAN 4.
4 | mtu mtu-size | (Optional) Change the MTU size (or other VLAN characteristic).
5 | end | Return to privileged EXEC mode.
6 | show vlan {name vlan-name | id vlan-id} | Verify your entries.
7 | copy running-config startup-config | (Optional) If the switch is in VTP transparent mode, the VLAN configuration is saved in the running configuration file as well as in the VLAN database. This saves the configuration in the switch startup configuration file.

To return the VLAN name to the default settings, use the no vlan name or no vlan mtu config-vlan commands.
This example shows how to use config-vlan mode to create Ethernet VLAN 20, name it test20, and add it to the VLAN database:

Switch# configure terminal
Switch(config)# vlan 20
Switch(config-vlan)# name test20
Switch(config-vlan)# end

Beginning in privileged EXEC mode, follow these steps to use VLAN configuration mode to create or modify an Ethernet VLAN:

Step | Command | Purpose
1 | vlan database | Enter VLAN configuration mode.
2 | vlan vlan-id name vlan-name | Add an Ethernet VLAN by assigning a number to it. The range is 1 to 1001; do not enter leading zeros. If no name is entered for the VLAN, the default is to append the vlan-id with leading zeros to the word VLAN. For example, VLAN0004 is a default VLAN name for VLAN 4.
3 | vlan vlan-id mtu mtu-size | (Optional) To modify a VLAN, identify the VLAN and change a characteristic, such as the MTU size.
4 | exit | Update the VLAN database, propagate it throughout the administrative domain, and return to privileged EXEC mode.
5 | show vlan {name vlan-name | id vlan-id} | Verify your entries.
6 | copy running-config startup-config | (Optional) If the switch is in VTP transparent mode, the VLAN configuration is saved in the running configuration file as well as in the VLAN database. This saves the configuration in the switch startup configuration file.

To return the VLAN name to the default settings, use the no vlan vlan-id name or no vlan vlan-id mtu VLAN configuration command.
This example shows how to use VLAN configuration mode to create Ethernet VLAN 20, name it test20, and add it to the VLAN database:

Switch# vlan database
Switch(vlan)# vlan 20 name test20
Switch(vlan)# exit
APPLY completed.
Exiting....
Switch#

Deleting a VLAN

When you delete a VLAN from a switch that is in VTP server mode, the VLAN is removed from the VLAN database for all switches in the VTP domain. When you delete a VLAN from a switch that is in VTP transparent mode, the VLAN is deleted only on that specific switch.
You cannot delete the default VLANs for the different media types: Ethernet VLAN 1 and FDDI or Token Ring VLANs 1002 to 1005.

When you delete a VLAN, any ports assigned to that VLAN become inactive. They remain associated with the VLAN (and thus inactive) until you assign them to a new VLAN.

Beginning in privileged EXEC mode, follow these steps to delete a VLAN on the switch by using global configuration mode:

Step | Command | Purpose
1 | configure terminal | Enter global configuration mode.
2 | no vlan vlan-id | Remove the VLAN by entering the VLAN ID.
3 | end | Return to privileged EXEC mode.
4 | show vlan brief | Verify the VLAN removal.
5 | copy running-config startup-config | (Optional) If the switch is in VTP transparent mode, the VLAN configuration is saved in the running configuration file as well as in the VLAN database. This saves the configuration in the switch startup configuration file.

To delete a VLAN by using VLAN configuration mode, use the vlan database privileged EXEC command to enter VLAN configuration mode and the no vlan vlan-id VLAN configuration command.

Assigning Static-Access Ports to a VLAN

You can assign a static-access port to a VLAN without having VTP globally propagate VLAN configuration information (VTP is disabled). If you are assigning a port on a cluster member switch to a VLAN, first use the rcommand privileged EXEC command to log in to the member switch.
Beginning in privileged EXEC mode, follow these steps to assign a port to a VLAN in the VLAN database:

Step | Command | Purpose
1 | configure terminal | Enter global configuration mode.
2 | interface interface-id | Enter the interface to be added to the VLAN.
3 | switchport mode access | Define the VLAN membership mode for the port (Layer 2 access port).
4 | switchport access vlan vlan-id | Assign the port to a VLAN. Valid VLAN IDs are 1 to 4094; do not enter leading zeros.
5 | end | Return to privileged EXEC mode.
6 | show running-config interface interface-id | Verify the VLAN membership mode of the interface.
7 | show interfaces interface-id switchport | Verify your entries in the Administrative Mode and the Access Mode VLAN fields of the display.
8 | copy running-config startup-config | (Optional) Save your entries in the configuration file.

To return an interface to its default configuration, use the default interface interface-id interface configuration command.
This example shows how to configure Fast Ethernet interface 0/1 as an access port in VLAN 2:
Switch# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)# interface fastethernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 2
Switch(config-if)# end
Switch#

These examples show how to verify the configuration:

Switch# show running-config interface fastethernet0/1
Building configuration...
Current configuration : 74 bytes
!
interface FastEthernet0/1
 switchport access vlan 2
 switchport mode access
end

Switch# show interfaces fastethernet0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 2 (VLAN0002)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001

Protected: false
Voice VLAN: none (Inactive)
Appliance trust: none
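
The verification in Step 7 can be repeated across many ports by parsing the display. This is an added example, not part of the original post or of Cisco's documentation: it reads show interfaces switchport output and compares the Administrative Mode and Access Mode VLAN fields with an intended port-to-VLAN mapping. The sample text is constructed, and the Fa0/2 port and the function names are hypothetical.

```python
import re

# Constructed sample: Fa0/1 follows the display shown above (abridged);
# Fa0/2 is a hypothetical port that drifted from the intended state.
SAMPLE = """\
Name: Fa0/1
Switchport: Enabled
Administrative Mode: static access
Access Mode VLAN: 2 (VLAN0002)
Trunking Native Mode VLAN: 1 (default)

Name: Fa0/2
Switchport: Enabled
Administrative Mode: dynamic desirable
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
"""

def parse_switchport(text):
    """Split the display into one {field: value} dict per interface."""
    ports, current = {}, None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank line or a line without a field separator
        key, value = key.strip(), value.strip()
        if key == "Name":
            current = ports.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return ports

def audit(text, intended):
    """Compare each port with the intended {port: access_vlan} mapping."""
    findings = []
    ports = parse_switchport(text)
    for name, vlan in sorted(intended.items()):
        fields = ports.get(name)
        if fields is None:
            findings.append((name, "missing from output"))
            continue
        mode = fields.get("Administrative Mode", "")
        if mode != "static access":
            findings.append((name, f"administrative mode is '{mode}'"))
        m = re.match(r"(\d+)", fields.get("Access Mode VLAN", ""))
        actual = int(m.group(1)) if m else None
        if actual != vlan:
            findings.append((name, f"access VLAN is {actual}, expected {vlan}"))
    return findings

if __name__ == "__main__":
    for port, problem in audit(SAMPLE, {"Fa0/1": 2, "Fa0/2": 2}):
        print(port, problem)
```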
