VLANs

Chapter 5
Configuring Virtual LANs (VLANs)
This chapter describes how to configure Virtual LANs (VLANs) on a ServerIron ADX.
The Overview section provides basic information about VLAN options available on a ServerIron ADX. Following
this section, other sections provide configuration procedures and examples.
To display configuration information for VLANs, see Displaying VLAN Information on page 5-36.
Overview
This section describes the ServerIron ADX VLAN features. Configuration procedures and examples appear in
later sections of this chapter.
Types of VLANs Supported

You can configure the following types of VLANs on a ServerIron ADX.
Layer 2 port-based VLAN a set of physical ports that share a common, exclusive Layer 2 broadcast domain
IP subnet VLANs a subset of ports in a port-based VLAN that share a common, exclusive subnet broadcast
domain for a specified IP subnet
When a ServerIron ADX device receives a packet on a port that is a member of a VLAN, the device forwards the
packet based on the following VLAN hierarchy:
If the port belongs to an IP subnet VLAN and the packet belongs to the corresponding IP subnet, the device
forwards the packet to all the ports within that IP subnet VLAN.
If the packet cannot be forwarded based on either of the VLAN membership types listed above, but the packet
can be forwarded at Layer 2, the device forwards the packet on all the ports within the receiving ports portbased VLAN.
Layer 2 Port-Based VLANs

You can configure port-based VLANs on a ServerIron ADX. A port-based VLAN is a subset of ports on a
ServerIron ADX that constitutes a Layer 2 broadcast domain.
By default, all the ports on a ServerIron ADX are members of the default VLAN. Thus, all the ports on the
ServerIron ADX constitute a single Layer 2 broadcast domain. You can configure multiple port-based VLANs.
When you configure a port-based VLAN, the device automatically removes the ports you add to the VLAN from
the default VLAN.
June, 2009
2009 Brocade Communications Systems Inc
5-1
ServerIron ADX Switching and Routing Guide
Figure 5.1 on page 5-2 shows an example of a ServerIron ADX on which a Layer 2 port-based VLAN has been
configured.
Figure 5.1
Brocade device containing user-defined Layer 2 port-based VLAN
DEFAULT-VLAN
VLAN ID = 1
Layer 2 Port-based VLAN
User-configured port-based VLAN
When you add a port-based VLAN,

the device removes all the ports in the
new VLAN from DEFAULT-VLAN.
A port can belong to only one port-based VLAN, unless you apply 802.1q tagging to the port. 802.1q tagging
allows the port to add a four-byte tag field, which contains the VLAN ID, to each packet sent on the port. You also
can configure port-based VLANs that span multiple devices by tagging the ports within the VLAN. The tag
enables each device that receives the packet to determine the VLAN the packet belongs to. 802.1q tagging
applies only to Layer 2 VLANs, not to Layer 3 VLANs.
Since each port-based VLAN is a separate Layer 2 broadcast domain, by default each VLAN runs a separate
instance of the Spanning Tree Protocol (STP).
Layer 2 traffic is bridged within a port-based VLAN and Layer 2 broadcasts are sent to all the ports within the
VLAN.
Integrated Switch Routing (ISR)

The Integrated Switch Routing (ISR) feature enables VLANs configured on ServerIron ADX Layer 3 Switches to
route Layer 3 traffic from one IP subnet to another. Normally, to route traffic from one IP subnet VLAN to another,
you would need to forward the traffic to an external router. The VLANs provide Layer 3 broadcast domains for
these protocols but do not in themselves provide routing services for these protocols. This is true even if the
source and destination IP subnets, are on the same device.
ISR eliminates the need for an external router by allowing you to route between VLANs using virtual routing
interfaces (ves). A virtual routing interface is a logical port on which you can configure Layer 3 routing
5-2
June, 2009
parameters. You configure a separate virtual routing interface on each VLAN that you want to be able to route
from or to. For example, if you configure two IP subnet VLANs on a Layer 3 Switch, you can configure a virtual
routing interface on each VLAN, then configure IP routing parameters for the subnets. Thus, the Layer 3 Switch
forwards IP subnet broadcasts within each VLAN at Layer 2 but routes Layer 3 traffic between the VLANs using
the virtual routing interfaces.
NOTE: The Layer 3 Switch uses the lowest MAC address on the device (the MAC address of port 1 or 1/1) as the
MAC address for all ports within all virtual routing interfaces you configure on the device.
The routing parameters and the syntax for configuring them are the same as when you configure a physical
interface for routing.
All the ports within an IP Subnet VLAN must be in the same port-based VLAN. The IP Subnet VLAN cannot have
ports in multiple port-based VLANs, unless the ports in the port-based VLAN to which you add the IP Subnet
VLAN are 802.1q tagged.
You can configure multiple IP Subnet VLANs within the same port-based VLAN. In addition, a port within a portbased VLAN can belong to multiple VLANs. For example, if you have a port-based VLAN that contains ports 1
10, you can configure port 5 as a member of more than one IP Subnet.
IP Subnet VLANs
For IP, you can provide more granular broadcast control by instead creating the following types of VLAN:
IP subnet VLAN An IP subnet broadcast domain for a specific IP subnet.
The ServerIron ADX routes packets between VLANs at Layer 3. To configure an IP subnet VLAN to route, you
must add a virtual routing interface to the VLAN, then configure the appropriate routing parameters on the virtual
routing interface.
NOTE: The Layer 3 Switch routes packets between VLANs of the same protocol. The Layer 3 Switch cannot
route from one protocol to another.
Default VLAN
By default, all the ports on a ServerIron ADX are in a single port-based VLAN. This VLAN is called DEFAULTVLAN and is VLAN number 1.
June, 2009
5-3
Figure 5.2 on page 5-4 shows an example of the default Layer 2 port-based VLAN.
Figure 5.2
Default Layer 2 port-based VLAN
DEFAULT-VLAN
VLAN ID = 1
Layer 2 Port-based VLAN
By default, all ports belong to a single

port-based VLAN, DEFAULT-VLAN.
Thus, all ports belong to a single
Layer 2 broadcast domain.
When you configure a port-based VLAN, one of the configuration items you provide is the ports that are in the
VLAN. When you configure the VLAN, the ServerIron ADX automatically removes the ports that you place in the
VLAN from DEFAULT-VLAN. By removing the ports from the default VLAN, the ServerIron ADX ensures that each
port resides in only one Layer 2 broadcast domain.
NOTE: Information for the default VLAN is available only after you define another VLAN.
Some network configurations may require that a port be able to reside in two or more Layer 2 broadcast domains
(port-based VLANs). In this case, you can enable a port to reside in multiple port-based VLANs by tagging the
port. See the following section.
If your network requires that you use VLAN ID 1 for a user-configured VLAN, you can reassign the default VLAN to
another valid VLAN ID. See Assigning a Different VLAN ID to the Default VLAN on page 5-11.
802.1q Tagging
802.1q tagging is an IEEE standard that allows a networking device to add information to a Layer 2 packet in order
to identify the VLAN membership of the packet. A ServerIron ADX tags a packet by adding a four-byte tag to the
packet. The tag contains the tag value, which identifies the data as a tag, and also contains the VLAN ID of the
VLAN from which the packet is sent.
5-4
The default tag value is 8100 (hexadecimal). This value comes from the 802.1q specification. You can
change this tag value on a global basis on a ServerIron ADX if needed to be compatible with other vendors
equipment.
June, 2009
The VLAN ID is determined by the VLAN on which the packet is being forwarded.
Figure 5.3 on page 5-5 shows the format of packets with and without the 802.1q tag. The tag format is vendorspecific. To use the tag for VLANs configured across multiple devices, make sure all the devices support the same
tag format.
Figure 5.3
Packet containing an 802.1QVLAN tag
Untagged Packet Format

6 bytes
6 bytes
2 bytes
Up to 1500 bytes
4 bytes
Destination
Address
Source
Address
Type
Field
Data
Field
CRC
6 bytes
6 bytes
2 bytes
Up to 1496 bytes
4 bytes
Destination
Address
Source
Address
Length
Field
Data
Field
CRC
Ethernet II
IEEE 802.3
802.1q Tagged Packet Format

6 bytes
6 bytes
2 bytes
4 bytes
2 bytes
Destination
Address
Source
Address
Type
802.1q
Field
Tag
Type
Field
Data
Field
6 bytes
6 bytes
2 bytes
4 bytes
2 bytes
Destination
Address
Source
Address
Length
802.1q
Field
Tag
Length
Field
Octet 1
Octet 2
Up to 1500 bytes
Up to 1500 bytes
Up to 1496 bytes
Up to 1496 bytes
1 2 3 4 5 6 7 8
Tag Protocol Id (TPID) 802.1p
Data
Field
Data
Field
Data
Field
4 bytes
CRC
4 bytes
CRC II Ethernet II with 802.1q tag

Ethernet
4 bytes
4 bytes
CRC
CRC
IEEE
802.3
IEEE 802.3 with 802.1q tag
Octet 4
VLAN ID (12 bits)
(3 bits)
NOTE: You cannot configure a port to be a member of the default port-based VLAN and another port-based
VLAN at the same time. Once you add a port to a port-based VLAN, the port is no longer a member of the default
VLAN. The port returns to the default VLAN only if you delete the other VLAN(s) that contains the port.
If you configure a VLAN that spans multiple devices, you need to use tagging only if a port connecting one of the
devices to the other is a member of more than one port-based VLAN. If a port connecting one device to the other
is a member of only a single port-based VLAN, tagging is not required.
If you use tagging on multiple devices, each device must be configured for tagging and must use the same tag
value. In addition, the implementation of tagging must be compatible on the devices. The tagging on all Brocade
devices is compatible with other Brocade devices.
June, 2009
5-5
Figure 5.4 on page 5-6 shows an example of two devices that have the same Layer 2 port-based VLANs
configured across them. Notice that only one of the VLANs requires tagging.
Figure 5.4
VLANs configured across multiple devices
User-configured port-based VLAN

T = 802.1Q tagged port
Segment 1
Segment 2
Segment 1
Segment 2
Tagging is required for the ports

on Segment 1 because the ports
are in multiple port-based VLANs.
Tagging is not required for the ports

on Segment 2 because each port is
in only one port-based VLAN.
Without tagging, a device receiving

VLAN traffic from the other device
would not be sure which VLAN the
traffic is for.
Spanning Tree Protocol (STP)

The default state of STP depends on the device type:
STP is disabled by default on Brocade Layer 3 Switches.
STP is enabled by default on Brocade Layer 2 Switches.
Also by default, each port-based VLAN has a separate instance of STP. Thus, when STP is globally enabled,
each port-based VLAN on the device runs a separate spanning tree.
You can enable or disable STP on the following levels:
Globally Affects all ports on the device.

NOTE: If you configure a port-based VLAN on the device, the VLAN has the same STP state as the default
STP state on the device. Thus, on Layer 2 Switches, new VLANs have STP enabled by default. On Layer 3
Switches, new VLANs have STP disabled by default. You can enable or disable STP in each VLAN
separately. In addition, you can enable or disable STP on individual ports.
Port-based VLAN Affects all ports within the specified port-based VLAN.
STP is a Layer 2 protocol. Thus, you cannot enable or disable STP for individual protocol VLANs or for IP subnet
VLANs. The STP state of a port-based VLAN containing these other types of VLANs determines the STP state for
all the Layer 2 broadcasts within the port-based VLAN. This is true even though Layer 3 protocol broadcasts are
sent on Layer 2 within the VLAN.
It is possible that STP will block one or more ports in a IP subnet VLAN that uses a virtual routing interface to route
to other VLANs. For IP subnet VLANs, even though some of the physical ports of the virtual routing interface are
blocked, the virtual routing interface can still route so long as at least one port in the virtual routing interfaces
protocol VLAN is not blocked by STP.
If you enable Single STP (SSTP) on the device, the ports in all VLANs on which STP is enabled become members
of a single spanning tree. The ports in VLANs on which STP is disabled are excluded from the single spanning
tree.
5-6
June, 2009
For more information, see Configuring Spanning Tree Protocol (STP) and IronSpan Features on page 6-1.
Virtual Routing Interfaces

A virtual routing interface is a logical routing interface that Brocade Layer 3 Switches use to route Layer 3 protocol
traffic between protocol VLANs.
Brocade devices send Layer 3 traffic at Layer 2 within a VLAN. However, Layer 3 traffic from one VLAN to another
must be routed.
If you want the device to be able to send Layer 3 traffic from one VLAN to another, you must configure a virtual
routing interface on each VLAN, then configure routing parameters on the virtual routing interfaces. For example,
to enable a Layer 3 Switch to route IP traffic from one VLAN to another, you must configure a virtual routing
interface on each VLAN, then configure the appropriate IP routing parameters on each of the virtual routing
interfaces.
Figure 5.5 on page 5-7 shows an example of IP subnet VLANs that use virtual routing interfaces for routing.
Figure 5.5
Use virtual routing interfaces for routing between IP subnet VLANs
User-configured IP subnet VLAN
VE = virtual interface
(VE stands for Virtual Ethernet)
VE 3
VE 1
VE 4
VE 2
Layer 2 and Layer 3 traffic within a VLAN

is bridged at Layer 2.
Layer 3 traffic between IP subnet VLANs
is routed using virtual interfaces (VE).
To route to one another, each IP subnet
VLAN must have a virtual interface.
VLAN and Virtual Routing Interface Groups

To simplify configuration, you can configure VLAN groups and virtual routing interface groups. When you create a
VLAN group, the VLAN parameters you configure for the group apply to all the VLANs within the group.
Additionally, you can easily associate the same IP subnet interface with all the VLANs in a group by configuring a
virtual routing interface group with the same ID as the VLAN group.
June, 2009
5-7
For configuration information, see Configuring VLAN Groups and Virtual Routing Interface Groups on page 5-24.
Dynamic, Static, and Excluded Port Membership

When you add ports to an IP subnet VLAN, you can add them dynamically or statically:
Dynamic ports
Static ports
You also can explicitly exclude ports.
Dynamic Ports
Dynamic ports are added to a VLAN when you create the VLAN. However, if a dynamically added port does not
receive any traffic for the VLANs IP subnet within ten minutes, the port is removed from the VLAN. However, the
port remains a candidate for port membership. Thus, if the port receives traffic for the VLANs IP subnet, the
ServerIron ADX adds the port back to the VLAN.
After the port is added back to the VLAN, the port can remain an active member of the VLAN up to 20 minutes
without receiving traffic for the VLANs protocol. If the port ages out, it remains a candidate for VLAN membership
and is added back to the VLAN when the VLAN receives protocol traffic. At this point, the port can remain in the
VLAN up to 20 minutes without receiving traffic for the VLANs IP subnet, and so on.
Unless you explicitly add a port statically or exclude a port, the port is a dynamic port and thus can be an active
member of the VLAN, depending on the traffic it receives.
Figure 5.6 on page 5-8 shows an example of a VLAN with dynamic ports. Dynamic ports not only join and leave
the VLAN according to traffic, but also allow some broadcast packets of the specific protocol to leak through the
VLAN. See Broadcast Leaks on page 5-9.
Figure 5.6
VLAN with dynamic portsall ports are active when you create the VLAN
A = active port
C = candidate port
When you add ports dynamically,
all the ports are added when you add
the VLAN.
5-8
June, 2009
Ports in a new IP subnet VLAN that do not receive traffic for the VLANs protocol age out after 20 minutes and
become candidate ports. Figure 5.7 on page 5-9 shows what happens if a candidate port receives traffic for the
VLANs protocol.
Figure 5.7
VLAN with dynamic portscandidate ports become active again if they receive protocol traffic
Ports that time out remain candidates for

membership in the VLAN and become active
again if they receive traffic for the VLANs
IP subnet range.
When a candidate port rejoins a VLAN,
the timeout for that port becomes 20 minutes.
Thus, the port remains an active member of
the VLAN even if it does not receive traffic
for 20 minutes. After that, the port becomes
a candidate port again.
Static Ports
Static ports are permanent members of the IP subnet VLAN. The ports remain active members of the VLAN
regardless of whether the ports receive traffic for the VLANs protocol. You must explicitly identify the port as a
static port when you add it to the VLAN. Otherwise, the port is dynamic and is subject to aging out.
Excluded Ports
If you want to prevent a port in a port-based VLAN from ever becoming a member of an IP subnet VLAN
configured in the port-based VLAN, you can explicitly exclude the port. You exclude the port when you configure
the IP subnet VLAN.
Excluded ports do not leak broadcast packets. See Broadcast Leaks on page 5-9.
Broadcast Leaks
A dynamic port becomes a member of a Layer 3 protocol VLAN when traffic from the VLAN's protocol is received
on the port. After this point, the port remains an active member of the protocol VLAN, unless the port does not
receive traffic from the VLAN's protocol for 20 minutes. If the port does not receive traffic for the VLAN's protocol
for 20 minutes, the port ages out and is no longer an active member of the VLAN.
To enable a host that has been silent for awhile to send and receive packets, the dynamic ports that are currently
members of the Layer 3 protocol VLAN "leak" Layer 3 broadcast packets to the ports that have aged out. When a
host connected to one of the aged out ports responds to a leaked broadcast, the port is added to the protocol
VLAN again.
To "leak" Layer 3 broadcast traffic, an active port sends 1/8th of the Layer 3 broadcast traffic to the inactive (aged
out) ports.
Static ports do not age out and do not leak broadcast packets.
June, 2009
5-9
Super Aggregated VLANs

You can aggregate multiple VLANs within another VLAN. This feature allows you to construct Layer 2 paths and
channels. This feature is particularly useful for Virtual Private Network (VPN) applications in which you need to
provide a private, dedicated Ethernet connection for an individual client to transparently reach its subnet across
multiple networks.
For an application example and configuration information, see Configuring Super Aggregated VLANs on page 527.
Trunk Group Ports and VLAN Membership

A trunk group is a set of physical ports that are configured to act as a single physical interface. Each trunk groups
port configuration is based on the configuration of the lead port, which is the lowest numbered port in the group.
If you add a trunk groups lead port to a VLAN, all of the ports in the trunk group become members of that VLAN.
Summary of VLAN Configuration Rules

A hierarchy of VLANs exists between the Layer 2 and Layer 3 protocol-based VLANs:
Port-based VLANs are at the lowest level of the hierarchy.
IP subnet VLANs are at the top of the hierarchy.
As a ServerIron ADX receives packets, the VLAN classification starts from the highest level VLAN first. Therefore,
if an interface is configured as a member of both a port-based VLAN and an IP subnet VLAN, IP packets coming
into the interface are classified as members of the IP subnet VLAN because that VLAN is higher in the VLAN
hierarchy.
Multiple VLAN Membership Rules
A port can belong to multiple, unique, overlapping IP subnet VLANs without VLAN tagging.
A port can belong to multiple, overlapping Layer 2 port-based VLANs only if the port is a tagged port. Packets
sent out of a tagged port use an 802.1q-tagged frame.
When both port and IP subnet VLANs are configured on a given device, all IP subnet VLANs must be strictly
contained within a port-based VLAN. An IP subnet VLAN cannot include ports from multiple port-based
VLANs. This rule is required to ensure that port-based VLANs remain loop-free Layer 2 broadcast domains.
Multiple IP subnet VLANs are configurable within each port-based VLAN on the Layer 2 Switch.
Removing a configured port-based VLAN from a Foundry Networks Layer 2 Switch or Layer 3 Switch
automatically removes any protocol-based VLAN, IP subnet VLAN, AppleTalk cable VLAN, or IPX network
VLAN, or any Virtual Ethernet router interfaces defined within the Port-based VLAN.
Routing Between VLANs (Layer 3 Switches Only)

Brocade Layer 3 Switches can locally route IP between VLANs defined within a single router. All other routable
protocols or protocol VLANs (for example, DecNet) must be routed by another external router capable of routing
the protocol.
Virtual Routing Interfaces (Layer 3 Switches Only)

You need to configure virtual routing interfaces if an IP subnet VLAN needs to route IP packets to another portbased VLAN on the same router. A virtual routing interface can be associated with the ports in only a single portbased VLAN. Virtual router interfaces must be defined at the highest level of the VLAN hierarchy.
If you do not need to further partition the port-based VLAN by defining separate Layer 3 VLANs, you can define a
single virtual routing interface at the port-based VLAN level and enable IP routing on a single virtual routing
interface.
Bridging and Routing the Same Protocol Simultaneously

5 - 10
June, 2009
on the Same Device (Layer 3 Switches Only)

Some configurations may require simultaneous switching and routing of the same single protocol across different
sets of ports on the same router. When IP routing is enabled on a Brocade Layer 3 Switch, you can route these
protocols on specific interfaces while bridging them on other interfaces. In this scenario, you can create two
separate backbones for the same protocol, one bridged and one routed.
To bridge IP at the same time these protocols are being routed, you need to configure an IP subnet VLAN and not
assign a virtual routing interface to the VLAN. Packets for these protocols are bridged or switched at Layer 2
across ports on the router that are included in the Layer 3 VLAN. If these VLANs are built within port-based
VLANs, they can be tagged across a single set of backbone fibers to create separate Layer 2 switched and Layer
3 routed backbones for the same protocol on a single physical backbone.
Routing Between VLANs Using Virtual Routing Interfaces (Layer 3 Switches

Only)
Brocade calls the ability to route between VLANs with virtual routing interfaces Integrated Switch Routing (ISR).
There are some important concepts to understand before designing an ISR backbone.
Virtual router interfaces can be defined on port-based, IP subnet VLANs.
To create any type of VLAN on a Brocade Layer 3 Switch, Layer 2 forwarding must be enabled. When Layer 2
forwarding is enabled, the Layer 3 Switch becomes a Switch on all ports for all non-routable protocols.
If the router interfaces for IP are configured on physical ports, then routing occurs independent of the Spanning
Tree Protocol (STP). However, if the router interfaces are defined for any type VLAN, they are virtual routing
interfaces and are subject to the rules of STP.
If your backbone is consisted of virtual routing interfaces all within the same STP domain, it is a bridged backbone,
not a routed one. This means that the set of backbone interfaces that are blocked by STP will be blocked for
routed protocols as well. The routed protocols will be able to cross these paths only when the STP state of the link
is FORWARDING. This problem is easily avoided by proper network design.
When designing an ISR network, pay attention to your use of virtual routing interfaces and the spanning-tree
domain. If Layer 2 switching of your routed protocols (IP) is not required across the backbone, then the use of
virtual routing interfaces can be limited to edge switch ports within each router. Full backbone routing can be
achieved by configuring routing on each physical interface that connects to the backbone. Routing is independent
of STP when configured on a physical interface.
If your ISR design requires that you switch IP at Layer 2 while simultaneously routing the same protocol over a
single backbone, then create multiple port-based VLANs and use VLAN tagging on the backbone links to separate
your Layer 2 switched and Layer 3 routed networks.
There is a separate STP domain for each port-based VLAN. Routing occurs independently across port-based
VLANs or STP domains. You can define each end of each backbone link as a separate tagged port-based VLAN.
Routing will occur independently across the port-based VLANs. Because each port-based VLANs STP domain is
a single point-to-point backbone connection, you are guaranteed to never have an STP loop. STP will never block
the virtual router interfaces within the tagged port-based VLAN, and you will have a fully routed backbone.
Dynamic Port Assignment (Layer 2 Switches and Layer 3 Switches)

All switch ports are dynamically assigned to any Layer 3 VLAN on Brocade Layer 2 Switches and any non-routable
VLAN on Brocade Layer 3 Switches. To maintain explicit control of the VLAN, you can explicitly exclude ports
when configuring any Layer 3 VLAN on a Brocade Layer 2 Switch or any non-routable Layer 3 VLAN on a Brocade
Layer 3 Switch.
If you do not want the ports to have dynamic membership, you can add them statically. This eliminates the need to
explicitly exclude the ports that you do not want to participate in a particular Layer 3 VLAN.
Assigning a Different VLAN ID to the Default VLAN

When you enable port-based VLANs, all ports in the system are added to the default VLAN. By default, the
default VLAN ID is VLAN 1. The default VLAN is not configurable. If you want to use the VLAN ID VLAN 1 as
a configurable VLAN, you can assign a different VLAN ID to the default VLAN.
June, 2009
5 - 11
To reassign the default VLAN to a different VLAN ID, enter the following command:
ServerIron(config)# default-vlan-id 4095
Syntax: [no] default-vlan-d <vlan-id>
You must specify a valid VLAN ID that is not already in use. For example, if you have already defined VLAN 10, do
not try to use 10 as the new VLAN ID for the default VLAN. Valid VLAN IDs are numbers from 1 4096.
NOTE: Changing the default VLAN name does not change the properties of the default VLAN. Changing the
name allows you to use the VLAN ID 1 as a configurable VLAN.
NOTE: VLAN ID 4094 is reserved for use by Single STP.
Assigning Trunk Group Ports

When a lead trunk group port is assigned to a VLAN, all other members of the trunk group are automatically
added to that VLAN. A lead port is the first port of a trunk group port range; for example, 1 in 1 4 or 5 in
5 8. See Trunk Group Rules on page 4-3 for more information.
Configuring Port-Based VLANs

Port-based VLANs allow you to provide separate spanning tree protocol (STP) domains or broadcast domains on
a port-by-port basis.
This section describes how to perform the following tasks for port-based VLANs using the CLI:
Create a VLAN.
Delete a VLAN.
Modify a VLAN.
Assign a higher priority to the VLAN.
Change a VLANs priority.
Enable or disable STP on the VLAN.
EXAMPLE:
Figure 5.8 on page 5-13 shows a simple port-based VLAN configuration using a single Brocade Layer 2 Switch.
All ports within each VLAN are untagged. One untagged port within each VLAN is used to connect the Layer 2
Switch to a Layer 3 Switch (in this example, a NetIron) for Layer 3 connectivity between the two port-based
VLANs.
5 - 12
June, 2009
Figure 5.8
Port-based VLANs 222 and 333
ServerIron ADX
interface e 1
IP Subnet 1
VLAN 222
Ports 1 - 8
Port 1
interface e 2
IP Subnet 2
Port 9
VLAN 333
Ports 9 - 16
ServerIron
ADX
Ports 2 - 8
IP Subnet 1
Ports 9 - 16
IP Subnet 2
To create the two port-based VLANs shown in Figure 5.8 on page 5-13, use the following method.
ServerIron(config)# vlan 222
ServerIron(config-vlan-222)#
by port
untag e 1 to 8
vlan 333 by port
untag e 9 to 16
Syntax: vlan <vlan-id> by port

Syntax: untagged ethernet <portnum> [to <portnum> | ethernet <portnum>]
EXAMPLE:
Figure 5.9 on page 5-14 shows a more complex port-based VLAN configuration using multiple Layer 2 Switches
and IEEE 802.1q VLAN tagging. The backbone link connecting the three Layer 2 Switches is tagged. One
untagged port within each port-based VLAN on ServerIron-A connects each separate network wide Layer 2
broadcast domain to the router for Layer 3 forwarding between broadcast domains. The STP priority is configured
to force ServerIron-A to be the root bridge for VLANs RED and BLUE. The STP priority on ServerIron-B is
configured so that ServerIron-B is the root bridge for VLANs GREEN and BROWN.
June, 2009
5 - 13
Figure 5.9
More complex port-based VLAN
Router
IP Subnet1
IP Subnet2
Port 17
Port 18
IP Subnet3
Port 19
IP Subnet4
Port 20
ServerIron-A
= STP Blocked VLAN
ROOT BRIDGE
FOR
VLAN - BLUE
VLAN - RED
VLAN 2 VLAN 3 VLAN 4 VLAN 5

Port 1-4 Port 5-8 Port 9-12 Port 13-16
IP Sub1 IP Sub2 IP Sub3 IP Sub4
ServerIron-B
ROOT BRIDGE
FOR
VLAN - BROWN
VLAN - GREEN
ServerIron
FastIron Workgroup
Link
Activity
Link
Activity
Console
Power
11
13
15
10
12
14
16
FDX
100
Link / Act
FDX
100
Link / Act
FDX
100
Link / Act
FDX
100
Link / Act
FDX
100
Link / Act
FDX
100
Link / Act
17
19
21
23
18
20
22
24


Router
To configure the Port-based VLANs on the ServerIron ADX Layer 2 Switches in Figure 5.9 on page 5-14, use the
following method.
Configuring ServerIron ADX-A

Enter the following commands to configure ServerIron ADX-A:
ServerIron> enable
ServerIron# configure terminal
ServerIron(config)# hostname ServerIron-A
ServerIron-A(config)# vlan 2 name BROWN
ServerIron-A(config-vlan-2)# untag ethernet 1 to 4 ethernet 17
ServerIron-A(config-vlan-2)# tag ethernet 25 to 26
ServerIron-A(config-vlan-2)# spanning-tree
ServerIron-A(config-vlan-2)# vlan 3 name GREEN
ServerIron-A(config-vlan-3)# vlan 4 name BLUE
ServerIron-A(config-vlan-4)# spanning-tree priority 500
ServerIron-A(config-vlan-4)# vlan 5 name RED
ServerIron-A(config-vlan-5)# spanning-tree priority 500
ServerIron-A(config-vlan-5)# end
ServerIron-A# write memory
5 - 14
June, 2009
Configuring ServerIron ADX-B

Enter the following commands to configure ServerIron-B:
ServerIron> enable
ServerIron(config)# hostname ServerIron-B
ServerIron-B(config)# vlan 2 name BROWN
ServerIron-B(config-vlan-2)# untag ethernet 1 to 4
ServerIron-B(config-vlan-2)# tag ethernet 25 to 26
ServerIron-B(config-vlan-2)# spanning-tree
ServerIron-B(config-vlan-2)# spanning-tree priority 500
ServerIron-B(config-vlan-2)# vlan 3 name GREEN
ServerIron-B(config-vlan-3)# spanning-tree priority 500
ServerIron-B(config-vlan-3)# vlan 4 name BLUE
ServerIron-B(config-vlan-4)# vlan 5 name RED
ServerIron-B(config-vlan-5)# end
ServerIron-B# write memory
Configuring ServerIron ADX-C

Enter the following commands to configure ServerIron-C:
ServerIron> en
ServerIron(config)# hostname ServerIron-C
ServerIron-C(config)# vlan 2 name BROWN
ServerIron-C(config-vlan-2)# untag ethernet 1 to 4
ServerIron-C(config-vlan-2)# tag ethernet 25 to 26
ServerIron-C(config-vlan-2)# vlan 3 name GREEN
ServerIron-C(config-vlan-3)# vlan 4 name BLUE
ServerIron-C(config-vlan-4)# vlan 5 name RED
ServerIron-C(config-vlan-5)# end
ServerIron-C# write memory
Syntax: untagged ethernet | pos <portnum> [to <portnum> | ethernet <portnum>]
Syntax: tagged ethernet | pos <portnum> [to <portnum> | ethernet <portnum>]
Syntax: [no] spanning-tree
Syntax: spanning-tree [ethernet <portnum> path-cost <value> priority <value>] forward-delay <value>
hello-time <value> maximum-age <time> priority <value>
Modifying a Port-Based VLAN

You can make the following modifications to a port-based VLAN:
Add or delete a VLAN port.
June, 2009
5 - 15
Change its priority.
Enable or disable STP.
Removing a Port-Based VLAN

Suppose you want to remove VLAN 5 from the example in Figure 5.9 on page 5-14. To do so, use the following
procedure.
1.
Access the global CONFIG level of the CLI on by entering the following commands:
ServerIron-A> enable
No password has been assigned yet...
ServerIron-A# configure terminal
ServerIron-A(config)#
2.
Enter the following command:

ServerIron-A(config)# no vlan 5
3.
Enter the following commands to exit the CONFIG level and save the configuration to the system-config file on
flash memory:
ServerIron-A(config)# end
FastIron-A#
4.
Repeat steps 1 3 on ServerIron-B.
Syntax: no vlan <vlan-id> by port
Removing a Port from a VLAN

Suppose you want to remove port 11 from VLAN 4 on ServerIron-A shown in Figure 5.9 on page 5-14. To do so,
use the following procedure.
1.
Access the global CONFIG level of the CLI on ServerIron-A by entering the following command:
2.
Access the level of the CLI for configuring port-based VLAN 4 by entering the following command:
ServerIron-A(config)# vlan 4
ServerIron-A(config-vlan-4)#
3.
Enter the following commands:

ServerIron-A(config-vlan-4)# no untag ethernet 11
deleted port ethe 11 from port-vlan 4.
4.
Enter the following commands to exit the VLAN CONFIG mode and save the configuration to the systemconfig file on flash memory:
ServerIron-A(config-vlan-4)# end
ServerIron-A#
5 - 16
June, 2009
Enable Spanning Tree on a VLAN

The spanning tree bridge and port parameters are configurable using one CLI command set at the Global
Configuration Level of each Port-based VLAN. Suppose you want to enable the IEEE 802.1d STP across VLAN 3.
To do so, use the following method.
NOTE: When port-based VLANs are not operating on the system, STP is set on a system-wide level at the
global CONFIG level of the CLI.
1.
Access the global CONFIG level of the CLI on ServerIron-A by entering the following commands:
2.
Access the level of the CLI for configuring port-based VLAN 3 by entering the following command:
ServerIron-A(config)# vlan 3
3.
From VLAN 3s configuration level of the CLI, enter the following command to enable STP on all tagged and
untagged ports associated with VLAN 3.
ServerIron-B(config-vlan-3)#
4.
Enter the following commands to exit the VLAN CONFIG mode and save the configuration to the systemconfig file on flash memory:
ServerIron-B(config-vlan-3)# end
ServerIron-B# write memory
ServerIron-B#
5.
Repeat steps 1 4.
NOTE: You do not need to configure values for the STP parameters. All parameters have default values as
noted below. Additionally, all values will be globally applied to all ports on the system or on the port-based VLAN
for which they are defined.
To configure a specific path-cost or priority value for a given port, enter those values using the key words in the
brackets [ ] shown in the syntax summary below. If you do not want to specify values for any given port, this
portion of the command is not required.
Syntax: [no] spanning-tree
Syntax: spanning-tree [ethernet <portnum> path-cost <value> priority <value>] forward-delay <value>
hello-time <value> maximum-age <time> priority <value>
Bridge STP Parameters (applied to all ports within a VLAN)
Forward Delay the period of time a bridge will wait (the listen and learn period) before forwarding data
packets. Possible values: 4 30 seconds. Default is 15.
Maximum Age the interval a bridge will wait for receipt of a hello packet before initiating a topology change.
Possible values: 6 40 seconds. Default is 20.
Hello Time the interval of time between each configuration BPDU sent by the root bridge. Possible values:
1 10 seconds. Default is 2.
Priority a parameter used to identify the root bridge in a network. The bridge with the lowest value has the
June, 2009
5 - 17
highest priority and is the root. Possible values: 1 65,535. Default is 32,678.
Port Parameters (applied to a specified port within a VLAN)
Path Cost a parameter used to assign a higher or lower path cost to a port. Possible values: 1 65535.
Default is (1000/Port Speed) for Half-Duplex ports and is (1000/Port Speed)/2 for Full-Duplex ports.
Priority value determines when a port will be rerouted in relation to other ports. Possible values: 0 255.
Default is 128.
Configuring IP Subnet VLANs

This feature enables you to limit the amount of broadcast traffic end-stations, servers, and routers need to accept.
Configuration Example
Suppose you want to create three separate Layer 3 broadcast domains within a single Layer 2 STP broadcast
domain:
Three broadcast domains, one for each of three separate IP subnets
Also suppose you want a single router interface to be present within all of these separate broadcast domains,
without using IEEE 802.1q VLAN tagging or any proprietary form of VLAN tagging.
Figure 5.10 on page 5-18 shows this configuration.
Figure 5.10
Subnet based (Layer 3) VLANs
ServerIron ADX
Port 25
IP-Subnet1
IP-Subnet 2
IP Subnet 3
Port 25
ServerIron ADX
Ports 1-8, 25 Ports 9 16, 25

IP-Subnet 1 IP-Subnet 2
Ports 17-25
IP-Subnet 3
To configure the VLANs shown in Figure 5.10 on page 5-18, use the following procedure.
1.
To permanently assign ports 1 8 and port 25 to IP subnet VLAN 1.1.1.0, enter the following commands:
ServerIron> en
5 - 18
June, 2009

ServerIron# config t
ServerIron(config)#
ServerIron(config)# ip-subnet 1.1.1.0/24 name Green
ServerIron(config-ip-subnet)# no dynamic
ServerIron(config-ip-subnet)# static ethernet 1 to 8 ethernet 25
2.
To permanently assign ports 9 16 and port 25 to IP subnet VLAN 1.1.2.0, enter the following commands:
ServerIron(config-ip-subnet)# ip-subnet 1.1.2.0/24 name Yellow
ServerIron(config-ip-subnet)# static ethernet 9 to 16 ethernet 25
3.
To permanently assign ports 17 25 to IP subnet VLAN 1.1.3.0, enter the following commands:
ServerIron(config-ip-subnet)# ip-subnet 1.1.3.0/24 name Brown
ServerIron(config-ip-subnet)# static ethernet 17 to 25
Syntax: ip-subnet <ip-addr> <ip-mask> [name <string>]
Configuring an IP Subnet VLAN with Dynamic Ports

To configure an IP subnet VLAN with dynamic ports, the following method.
To configure port-based VLAN 10, then configure an IP subnet VLAN within the port-based VLAN with dynamic
ports, enter commands such as the following:
ServerIron(config)# vlan 10 by port name IP_VLAN
ServerIron(config-vlan-10)# untag ethernet 1/1 to 1/6
added untagged port ethe 1/1 to 1/6 to port-vlan 10.
ServerIron(config-vlan-10)# ip-subnet 1.1.1.0/24 name Mktg-LAN
ServerIron(config-vlan-10)# dynamic
ServerIron(config)# write memory
These commands create a port-based VLAN on chassis ports 1/1 1/6 named Mktg-LAN, configure an IP
subnet VLAN within the port-based VLAN, and then add ports from the port-based VLAN dynamically.
Syntax: vlan <vlan-id> by port [name <string>]
Syntax: untagged ethernet <portnum> to <portnum>
Or
Syntax: untagged ethernet <portnum> ethernet <portnum>
NOTE: Use the first untagged command for adding a range of ports. Use the second command for adding
separate ports (not in a range).
Syntax: ip-subnet <ip-addr> <ip-mask> [name <string>]
Or
Syntax: ip-subnet <ip-addr>/<mask-bits> [name <string>]
Syntax: dynamic
Configuring the Same IP Subnet Address on Multiple Port-Based

VLANs
For a Brocade device to route between port-based VLANs, you must add a virtual routing interface to each VLAN.
Generally, you also configure a unique IP subnet address on each virtual routing interface. For example, if you
have three port-based VLANs, you add a virtual routing interface to each VLAN, then add a separate IP subnet
June, 2009
5 - 19
address to each virtual routing interface. The IP address on each of the virtual routing interfaces must be in a
separate subnet. The Brocade device routes Layer 3 traffic between the subnets using the subnet addresses.
NOTE: Before using the method described in this section, see Configuring VLAN Groups and Virtual Routing
Interface Groups on page 5-24. You might be able to achieve the results you want using the methods in that
section instead.
Figure 5.11 on page 5-20 shows an example of this type of configuration.
Figure 5.11
Multiple port-based VLANs with separate protocol addresses
VLAN 2
VLAN 3
VLAN 4
BigIron
Switching Router
VLAN 2
VE 1
-IP 10.0.0.1/24
VLAN 3
VE 2
-IP 10.0.1.1/24
VLAN 4
VE 3
-IP 10.0.2.1/24
As shown in this example, each VLAN has a separate IP subnet address. If you need to conserve IP subnet
addresses, you can configure multiple VLANs with the same IP subnet address, as shown in Figure 5.12 on
page 5-21.
5 - 20
June, 2009
Figure 5.12
Multiple port-based VLANs with the same protocol address
VLAN 2
VLAN 3
VLAN 4
BigIron
Switching Router
VLAN 2
VE 1
-IP 10.0.0.1/24
VLAN 3
VE 2
-Follow VE 1
VLAN 4
VE 3
-Follow VE 1
Each VLAN still requires a separate virtual routing interface. However, all three VLANs now use the same IP
subnet address.
In addition to conserving IP subnet addresses, this feature allows containment of Layer 2 broadcasts to segments
within an IP subnet. For ISP environments where the same IP subnet is allocated to different customers, placing
each customer in a separate VLAN allows all customers to share the IP subnet address, while at the same time
isolating them from one anothers Layer 2 broadcasts.
NOTE: You can provide redundancy to an IP subnet address that contains multiple VLANs using a pair of
Brocade Layer 3 Switches configured for Brocades VRRP (Virtual Router Redundancy Protocol).
The Brocade device performs proxy Address Resolution Protocol (ARP) for hosts that want to send IP traffic to
hosts in other VLANs that are sharing the same IP subnet address. If the source and destination hosts are in the
same VLAN, the Brocade device does not need to use ARP.
If a host attached to one VLAN sends an ARP message for the MAC address of a host in one of the other
VLANs using the same IP subnet address, the Brocade device performs a proxy ARP on behalf of the other
host. The Brocade device then replies to the ARP by sending the virtual routing interface MAC address. The
Brocade device uses the same MAC address for all virtual routing interfaces.
When the host that sent the ARP then sends a unicast packet addressed to the virtual routing interfaces MAC
address, the device switches the packet on Layer 3 to the destination host on the VLAN.
June, 2009
5 - 21
NOTE: If the Brocade devices ARP table does not contain the requested host, the Brocade device forwards
the ARP request on Layer 2 to the same VLAN as the one that received the ARP request. Then the device
sends an ARP for the destination to the other VLANs that are using the same IP subnet address.
If the destination is in the same VLAN as the source, the Brocade device does not need to perform a proxy
ARP.
To configure multiple VLANs to use the same IP subnet address:
Configure each VLAN, including adding tagged or untagged ports.
Configure a separate virtual routing interface for each VLAN, but do not add an IP subnet address to more
than one of the virtual routing interfaces.
Configure the virtual routing interfaces that do not have the IP subnet address to follow the virtual routing
interface that does have the address.
To configure the VLANs shown in Figure 5.12 on page 5-21, you could enter the following commands.
by port
untag ethernet 1/1
tag ethernet 1/8
router-interface ve 1
Syntax: ip follow ve <num>

The commands above configure port-based VLAN 1. The VLAN has one untagged port (1/1) and a tagged port
(1/8). In this example, all three VLANs contain port 1/8 so the port must be tagged to allow the port to be in
multiple VLANs. You can configure VLANs to share a Layer 3 protocol interface regardless of tagging. A
combination of tagged and untagged ports is shown in this example to demonstrate that sharing the interface does
not change other VLAN features.
Notice that each VLAN still requires a unique virtual routing interface.
The following commands configure port-based VLANs 2 and 3.
vlan 2 by port
untag ethernet 1/2
tag ethernet 1/8
vlan 3 by port
untag ethernet 1/5 to 1/6
tag ethernet 1/8
The following commands configure an IP subnet address on virtual routing interface 1.

ServerIron(config-vlan-3)# interface ve 1
ServerIron(config-vif-1)# ip address 10.0.0.1/24
The following commands configure virtual routing interfaces 2 and 3 to follow the IP subnet address configured
on virtual routing interface 1.
ServerIron(config-vif-1)#
interface
ip follow
interface
ip follow
ve
ve
ve
ve
2
1
3
1
Using Separate ACLs on IP Follower Virtual Routing Interfaces

NOTE: This section applies to flow-based ACLs only.
5 - 22
June, 2009
The IP follower feature allows multiple virtual routing interfaces to share the same IP address. One virtual routing
interface has the IP address and the other virtual routing interfaces are configured to follow the virtual routing
interface that has the address.
By default, the follower interfaces are secured by the ACLs that are applied to the interface that has the address.
In fact, an ACL applied to a follower interface is ignored. For example, if you configure virtual routing interfaces 1,
2, and 3, and configure interfaces 2 and 3 to follow interface 1, then the ACLs applied to interface 1 also apply to
interfaces 2 and 3. Any ACLs applied separately to interface 2 or 3 are ignored.
You can enable a follower virtual routing interface to use the ACLs you apply to it instead of using the ACLs applied
to the interface that has the address. For example, you can enable virtual routing interface 2 to use its own ACLs
instead of using interface 1s ACLs.
To enable a virtual routing interface to use its own ACLs instead of the ACLs of the interface it is following, enter
the following command at the configuration level for the interface:
ServerIron(config-vif-2)# no ip follow acl
Syntax: [no] ip follow acl
The following commands show a complete IP follower configuration. Virtual routing interfaces 2 and 3 have been
configured to share the IP address of virtual routing interface 1, but also have been configured to use their own
ACLs instead of virtual routing interface 1s ACLs.
ServerIron(config)# vlan 1 name primary_vlan
ServerIron(config-vlan-1)# untag ethernet 1/1
ServerIron(config-vlan-1)# tag ethernet 1/8
ServerIron(config-vlan-1)# router-interface ve 1
ServerIron(config-vlan-1)# exit
ServerIron(config)# interface ve 1
ServerIron(config-ve-1)# ip address 10.0.0.1/24
ServerIron(config-ve-1)# ip access-group 1 in
ServerIron(config-ve-1)# exit
ServerIron(config)# vlan 2 name followerA
ServerIron(config-vlan-2)# untag ethernet 1/2
ServerIron(config-ve-2)# ip follow ve 1
ServerIron(config-v2-2)# no ip follow acl
ServerIron(config-ve-2)# ip access-group 2 in
ServerIron(config)# vlan 3 name followerB
ServerIron(config-vlan-3)# untag ethernet 1/5 to 1/6
ServerIron(config-ve-3)# ip follow ve 1
ServerIron(config-ve-3)# no ip follow acl
ServerIron(config-ve-3)# ip access-group 3 out
Configuring a Virtual Routing Interface and Assigning an IP address

on a Port-based VLAN
In the following example, a ServerIron ADX uses the ISR functionality to Layer-2 switch packets within a VLAN
while allowing Layer 3 switching across VLANs from one IP subnet to another. In this example, two hosts
connected to port 4 and port 5 in the same IP subnet can directly send IP packets to each other via VLAN 10. Two
June, 2009
5 - 23
other hosts connected to port 4 and port 6 respectively and in IP subnets 10.10.10.0/24 and 20.20.20.0/24
respectively can send IP packets to each other via the virtual routing interfaces VE10 and VE20. In this situation,
the ServerIron ADX is Layer-3 routing the IP packets from one VLAN to another. This example is configured as
described in the following.
The following commands create a port-based VLAN and add two ports as tagged and untagged members
respectively:
ServerIron(config-vlan-10)# untag ethernet 4
ServerIron(config-vlan-10)# tag ethernet 5
The following commands create a virtual routing interface for VLAN 10 and configure an IP address on the virtual
routing interface.
The following commands create a second virtual routing interface for VLAN 20.
ServerIron(config-vlan-20)# untag ethernet 6
ServerIron(config-vlan-20)# tag ethernet 5
Configuring VLAN Groups and Virtual Routing Interface Groups

To simplify configuration when you have many VLANs with the same configuration, you can configure VLAN
groups and virtual routing interface groups.
When you create a VLAN group, the VLAN parameters you configure for the group apply to all the VLANs within
the group. Additionally, you can easily associate the same IP subnet interface with all the VLANs in a group by
configuring a virtual routing interface group with the same ID as the VLAN group.
The VLAN group feature allows you to create multiple port-based VLANs with identical port members. Since
the member ports are shared by all the VLANs within the group, you must add the ports as tagged ports. This
feature not only simplifies VLAN configuration but also allows you to have a large number of identically
configured VLANs in a startup-config file on the devices flash memory module. Normally, a startup-config file
with a large number of VLANs might not fit on the flash memory module. By grouping the identically
configured VLANs, you can conserve space in the startup-config file so that it fits on the flash memory
module.
The virtual routing interface group feature is useful when you want to configure the same IP subnet address
on all the port-based VLANs within a VLAN group. You can configure a virtual routing interface group only
after you configure a VLAN group with the same ID. The virtual routing interface group automatically applies
to the VLANs in the VLAN group that has the same ID and cannot be applied to other VLAN groups or to
individual VLANs.
You can create up to 32 VLAN groups and 32 virtual routing interface groups. A virtual routing interface group
always applies only to the VLANs in the VLAN group with the same ID.
NOTE: Depending on the size of the VLAN ID range you want to use for the VLAN group, you might need to
allocate additional memory for VLANs. On Layer 3 Switches, if you allocate additional memory for VLANs, you
also need to allocate the same amount of memory for virtual routing interfaces. This is true regardless of whether
you use the virtual routing interface groups. To allocate additional memory, see Allocating Memory for More
VLANs or Virtual Routing Interfaces on page 5-27.
5 - 24
June, 2009
Configuring a VLAN Group

To configure a VLAN group, use the following CLI method.
To configure a VLAN group, enter commands such as the following:
ServerIron(config)# vlan-group 1 vlan 2 to 1000
ServerIron(config-vlan-group-1)# tagged 1/1 to 1/2
The first command in this example begins configuration for VLAN group 1, and assigns VLANs 2 through 1000 to
the group. The second command adds ports 1/1 and 1/2 as tagged ports. Since all the VLANs in the group share
the ports, you must add the ports as tagged ports.
Syntax: vlan-group <num> vlan <vlan-id> to <vlan-id>
Syntax: tagged ethernet | pos <portnum> [to <portnum> | ethernet <portnum>]
The <num> parameter with the vlan-group command specifies the VLAN group ID and can be from 1 32. The
vlan <vlan-id> to <vlan-id> parameters specify a contiguous range (a range with no gaps) of individual VLAN IDs.
Specify the low VLAN ID first and the high VLAN ID second. The command adds all the specified VLANs to the
VLAN group.
NOTE: The devices memory must be configured to contain at least the number of VLANs you specify for the
higher end of the range. For example, if you specify 2048 as the VLAN ID at the high end of the range, you first
must increase the memory allocation for VLANs to 2048 or higher. Additionally, on Layer 3 Switches, if you
allocate additional memory for VLANs, you also need to allocate the same amount of memory for virtual routing
interfaces, before you configure the VLAN groups. This is true regardless of whether you use the virtual routing
interface groups. The memory allocation is required because the VLAN groups and virtual routing interface
groups have a one-to-one mapping. See Allocating Memory for More VLANs or Virtual Routing Interfaces on
page 5-27.
If a VLAN within the range you specify is already configured, the CLI does not add the group but instead displays
an error message. In this case, create the group by specifying a valid contiguous range. Then add more VLANs
to the group after the CLI changes to the configuration level for the group. See the following example.
You can add and remove individual VLANs or VLAN ranges from at the VLAN group configuration level. For
example, if you want to add VLANs 1001 and 1002 to VLAN group 1 and remove VLANs 900 through 1000, enter
the following commands:
ServerIron(config-vlan-group-1)# add-vlan 1001 to 1002
ServerIron(config-vlan-group-1)# remove-vlan 900 to 1000
Syntax: add-vlan <vlan-id> [to <vlan-id>]
Syntax: remove-vlan <vlan-id> [to <vlan-id>]
Displaying Information about VLAN Groups

To display VLAN group configuration information, enter the following command:
ServerIron# show vlan-group
vlan-group 1 vlan 2 to 20
tagged ethe 1/1 to 1/2
!
!
Syntax: show vlan-group [<group-id>]
This example shows configuration information for two VLAN groups, group 1 and group 2.
The <group-id> specifies a VLAN group. If you do not use this parameter, the configuration information for all the
configured VLAN groups is displayed.
June, 2009
5 - 25
Configuring a Virtual Routing Interface Group

A virtual routing interface group allows you to associate the same IP subnet interface with multiple port-based
VLANs. For example, if you associate a virtual routing interface group with a VLAN group, all the VLANs in the
group have the IP interface of the virtual routing interface group.
To configure a virtual routing interface group, use the following CLI method.
NOTE: When you configure a virtual routing interface group, all members of the group have the same IP subnet
address. This feature is useful in collocation environments where the device has many IP addresses and you
want to conserve the IP address space.
To configure a virtual routing interface group, enter commands such as the following:
ServerIron(config)# vlan-group 1
ServerIron(config-vlan-group-1)# group-router-interface
ServerIron(config-vlan-group-1)# exit
ServerIron(config)# interface group-ve 1
ServerIron(config-vif-group-1)# ip address 10.10.10.1/24
These commands enable VLAN group 1 to have a group virtual routing interface, then configure virtual routing
interface group 1. The software always associates a virtual routing interface group only with the VLAN group that
has the same ID. In this example, the VLAN group ID is 1, so the corresponding virtual routing interface group
also must have ID 1.
Syntax: group-router-interface
Syntax: interface group-ve <num>
Syntax: [no] ip address <ip-addr> <ip-mask> [secondary]
or
Syntax: [no] ip address <ip-addr>/<mask-bits> [secondary]
The router-interface-group command enables a VLAN group to use a virtual routing interface group. Enter this
command at the configuration level for the VLAN group. This command configures the VLAN group to use the
virtual routing interface group that has the same ID as the VLAN group. You can enter this command when you
configure the VLAN group for the first time or later, after you have added tagged ports to the VLAN and so on.
The <num> parameter in the interface group-ve <num> command specifies the ID of the VLAN group with which
you want to associate this virtual routing interface group. The VLAN group must already be configured and
enabled to use a virtual routing interface group. The software automatically associates the virtual routing interface
group with the VLAN group that has the same ID. You can associate a virtual routing interface group only with the
VLAN group that has the same ID.
The syntax and usage for the ip address command is the same as when you use the command at the interface
level to add an IP interface.
Displaying the VLAN Group and Virtual Routing Interface Group Information
To verify configuration of VLAN groups and virtual routing interface groups, display the running-config file. If you
have saved the configuration to the startup-config file, you also can verify the configuration by displaying the
startup-config file. The following example shows the running-config information for the VLAN group and virtual
routing interface group configured in the previous examples. The information appears in the same way in the
startup-config file.
ServerIron(config)# show running-config
lines not related to the VLAN group omitted...
add-vlan 1001 to 1002
router-interface-group
5 - 26
June, 2009
lines not related to the virtual routing interface group omitted...

interface group-ve 1
ip address 10.10.10.1 255.255.255.0
NOTE: If you have enabled display of subnet masks in CIDR notation, the IP address information is shown as
follows: 10.10.10.1/24.
Allocating Memory for More VLANs or Virtual Routing Interfaces

A ServerIron ADX can support up to 4095 VLANs and 4095 virtual routing interfaces.
The number of VLANs and virtual routing interfaces supported on your product depends on the device lists the
default and configurable maximum numbers of VLANs and virtual routing interfaces for Layer 3 Switches and
Layer 2 Switches. Unless otherwise noted, the values apply to both types of switches.
Increasing the Number of VLANs You Can Configure

To increase the size of the VLAN table, which determines how many VLANs you can configure, use either of the
following methods.
NOTE: Although you can specify up to 4095 VLANs, you can configure only 4094 VLANs. VLAN ID 4094 is
reserved for use by the Single Spanning Tree feature.
To increase the maximum number of VLANs you can configure, enter commands such as the following at the
global CONFIG level of the CLI:
ServerIron(config)# system-max vlan 2048
ServerIron(config)# end
ServerIron# reload
Syntax: system-max vlan <num>
The <num> parameter indicates the maximum number of VLANs.
Increasing the Number of Virtual Routing Interfaces You Can Configure

To increase the size of the virtual routing interface table, which determines how many virtual routing interfaces you
can configure, the following method.
To increase the maximum number of virtual routing interfaces you can configure, enter commands such as the
following at the global CONFIG level of the CLI:
ServerIron(config)# system-max virtual-interface 4095
ServerIron(config)# end
ServerIron# reload
Syntax: system-max virtual-interface <num>
The <num> parameter indicates the maximum number of virtual routing interfaces.
Configuring Super Aggregated VLANs

You can aggregate multiple VLANs within another VLAN. This feature allows you to construct Layer 2 paths and
channels. This feature is particularly useful for Virtual Private Network (VPN) applications in which you need to
provide a private, dedicated Ethernet connection for an individual client to transparently reach its subnet across
multiple networks.
Conceptually, the paths and channels are similar to Asynchronous Transfer Mode (ATM) paths and channels. A
path contains multiple channels, each of which is a dedicated circuit between two end points. The two devices at
June, 2009
5 - 27
the end points of the channel appear to each other to be directly attached. The network that connects them is
transparent to the two devices.
You can aggregate up to 4094 VLANs within another VLAN. This provides a total VLAN capacity on one Brocade
device of 16,760,836 channels (4094 * 4094).
The devices connected through the channel are not visible to devices in other channels. Therefore, each client
has a private link to the other side of the channel.
The feature allows point-to-point and point-to-multipoint connections.
Figure 5.13 on page 5-28 shows a conceptual picture of the service that aggregated VLANs provide. Aggregated
VLANs provide a path for multiple client channels. The channels do not receive traffic from other channels. Thus,
each channel is a private link.
Figure 5.13
Conceptual Model of the Super Aggregated VLAN Application

Client 1
. . .
Client 3
. . .
Client 5
Client 1
192.168.1.69/24
Path = a single VLAN into which

client VLANs are aggregated
Channel = a client VLAN nested

inside a Path
sub-net
192.168.1.0/24
Each client connected to the edge device is in its own port-based VLAN, which is like an ATM channel. All the
clients VLANs are aggregated by the edge device into a single VLAN for connection to the core. The single VLAN
that aggregates the clients VLANs is like an ATM path.
The device that aggregates the VLANs forwards the aggregated VLAN traffic through the core. The core can
consist of multiple devices that forward the aggregated VLAN traffic. The edge device at the other end of the core
separates the aggregated VLANs into the individual client VLANs before forwarding the traffic. The edge devices
forward the individual client traffic to the clients. For the clients perspective, the channel is a direct point-to-point
link.
Figure 5.14 on page 5-29 shows an example application that uses aggregated VLANs. This configuration
includes the client connections shown in Figure 5.13 on page 5-28.
5 - 28
June, 2009
Figure 5.14
Example Super Aggregated VLAN Application

Client 1
Port 1/1
VLAN 101
. . .
Client 3
Port 1/3
VLAN 103
. . .
Client 6
Port 1/1
VLAN 101
Client 5
Port 1/5
VLAN 105
Client 1
192.168.1.69/24
. . .
Client 8
Port 1/3
VLAN 103
. . .
Client 10
Port 1/5
VLAN 105
209.157.2.12/24
Ports 1/1 - 1/5
Untagged
Ports 1/1 - 1/5

Untagged
Device A
Tag Type 8100
Port 2/1
Tagged
Port 2/1
Tagged
Port 3/1
Untagged
Device B
Tag Type 8100
Port 3/2
Untagged
Device C
Tag Type 9100
VLAN Aggregation
Enabled
Port 4/1
Tagged
Port 4/1
Tagged
Device D
Tag Type 9100
VLAN Aggregation
Enabled
Port 3/1
Untagged
Port 3/2
Untagged
Port 2/1
Tagged
Port 2/1
Tagged
Device E
Tag Type 8100
Ports 1/1 - 1/5

Untagged
Ports 1/1 - 1/5

Untagged
Device F
Tag Type 8100
192.168.1.129/24
In this example, a collocation service provides private channels for multiple clients. Although the same devices
are used for all the clients, the VLANs ensure that each client receives its own Layer 2 broadcast domain,
separate from the broadcast domains of other clients. For example, client 1 cannot ping client 5.
The clients at each end of a channel appear to each other to be directly connected and thus can be on the same
subnet and use network services that require connection to the same subnet. In this example, client 1 is in subnet
192.168.1.0/24 and so is the device at the other end of client 1s channel.
Since each VLAN configured on the core devices is an aggregate of multiple client VLANs, the aggregated VLANs
greatly increase the number of clients a core device can accommodate.
This example shows a single link between the core devices. However, you can use a trunk group to add link-level
redundancy.
Configuring Aggregated VLANs

To configure aggregated VLANs, perform the following tasks:
On each edge device, configure a separate port-based VLAN for each client connected to the edge device. In
each client VLAN:
June, 2009
Add the port connected to the client as an untagged port.
5 - 29
Add the port connected to the core device (the device that will aggregate the VLANs) as a tagged port.
This port must be tagged because all the client VLANs share the port as an uplink to the core device.
On each core device:
Enable VLAN aggregation. This support allows the core device to add an additional tag to each Ethernet
frame that contains a VLAN packet from the edge device. The additional tag identifies the aggregate
VLAN (the path). However, the additional tag can cause the frame to be longer than the maximum
supported frame size. The larger frame support allows Ethernet frames up to 1530 bytes long.
NOTE: Enable the VLAN aggregation option only on the core devices.
Configure a VLAN tag type (tag ID) that is different than the tag type used on the edge devices. If you
use the default tag type (8100) on the edge devices, set the tag type on the core devices to another
value, such as 9100. The tag type must be the same on all the core devices. The edge devices also
must have the same tag type but the type must be different from the tag type on the core devices.
NOTE: You can enable the Spanning Tree Protocol (STP) on the edge devices or the core devices, but not both.
If you enable STP on the edge devices and the core devices, STP will prevent client traffic from travelling through
the core to the other side.
Configuring Aggregated VLANs on an Edge Device

To configure the aggregated VLANs on device A in Figure 5.14 on page 5-29, enter the following commands:
ServerIron(config)# vlan 101 by port
ServerIron(config-vlan-101)# tagged ethernet 2/1
ServerIron(config-vlan-101)# untagged ethernet 1/1
Syntax: [no] vlan <vlan-id> [by port]
Syntax: [no] tagged ethernet <portnum> [to <portnum> | ethernet <portnum>]
Syntax: [no] untagged ethernet <portnum> [to <portnum> | ethernet <portnum>]
Use the tagged command to add the port that the device uses for the uplink to the core device. Use the
untagged command to add the ports connected to the individual clients.
Configuring Aggregated VLANs on a Core Device

To configure aggregated VLANs on a core device, use the following method.
To configure the aggregated VLANs on device C in Figure 5.14 on page 5-29, enter the following commands:
ServerIron(config)# tag-type 9100
5 - 30
June, 2009
ServerIron(config)# aggregated-vlan
Syntax: [no] tag-type <num>
Syntax: [no] aggregated-vlan
The <num> parameter specifies the tag type can be a hexadecimal value from 0 ffff. The default is 8100.
Complete CLI Examples

The following sections show all the Aggregated VLAN configuration commands on the devices in Figure 5.14 on
page 5-29.
NOTE: In these examples, the configurations of the edge devices (A, B, E, and F) are identical. The
configurations of the core devices (C and D) also are identical. The aggregated VLAN configurations of the edge
and core devices on one side must be symmetrical (in fact, a mirror image) to the configurations of the devices on
the other side. For simplicity, the example in Figure 5.14 on page 5-29 is symmetrical in terms of the port
numbers. This allows the configurations for both sides of the link to be the same. If your configuration does not
use symmetrically arranged port numbers, the configurations should not be identical but must use the correct port
numbers.
Commands for Device A

ServerIronA(config)# vlan 101 by port
ServerIronA(config-vlan-101)# tagged ethernet 2/1
ServerIronA(config-vlan-101)# untagged ethernet 1/1
ServerIronA(config-vlan-101)# exit
ServerIronA(config)# write memory
Commands for Device B

The commands for configuring device B are identical to the commands for configuring device A. Notice that you
can use the same channel VLAN numbers on each device. The devices that aggregate the VLANs into a path can
distinguish between the identically named channel VLANs based on the ID of the path VLAN.
ServerIronB(config)# vlan 101 by port
ServerIronB(config-vlan-101)# tagged ethernet 2/1
June, 2009
5 - 31
ServerIronB(config-vlan-101)# untagged ethernet 1/1

ServerIronB(config-vlan-101)# exit
ServerIronB(config)# write memory
Commands for Device C

Since device C is aggregating channel VLANs from devices A and B into a single path, you need to change the tag
type and enable VLAN aggregation.
ServerIronC(config)# tag-type 9100
ServerIronC(config)# aggregated-vlan
ServerIronC(config)# vlan 101 by port
ServerIronC(config-vlan-101)# tagged ethernet 4/1
ServerIronC(config-vlan-101)# untagged ethernet 3/1
ServerIronC(config-vlan-101)# exit
ServerIronC(config)# vlan 102 by port
ServerIronC(config-vlan-102)# tagged ethernet 4/1
ServerIronC(config-vlan-102)# untagged ethernet 3/2
ServerIronC(config-vlan-102)# exit
ServerIronC(config)# write memory
Commands for Device D

Device D is at the other end of path and separates the channels back into individual VLANs. The tag type must be
the same as tag type configured on the other core device (Device C). In addition, VLAN aggregation also must be
enabled.
ServerIronD(config)# tag-type 9100
ServerIronD(config)# aggregated-vlan
ServerIronD(config)# vlan 101 by port
ServerIronD(config-vlan-101)# tagged ethernet 4/1
ServerIronD(config-vlan-101)# untagged ethernet 3/1
ServerIronD(config-vlan-101)# exit
ServerIronD(config)# vlan 102 by port
ServerIronD(config-vlan-102)# tagged ethernet 4/1
ServerIronD(config-vlan-102)# untagged ethernet 3/2
ServerIronD(config-vlan-102)# exit
ServerIronD(config)# write memory
Commands for Device E

Since the configuration in Figure 5.14 on page 5-29 is symmetrical, the commands for configuring device E are
identical to the commands for configuring device A.
ServerIronE(config)# vlan 101 by port
ServerIronE(config-vlan-101)# tagged ethernet 2/1
5 - 32
June, 2009
ServerIronE(config-vlan-101)# untagged ethernet 1/1

ServerIronE(config-vlan-101)# exit
ServerIronE(config)# write memory
Commands for Device F

The commands for configuring device F are identical to the commands for configuring device E. In this example,
since the port numbers on each side of the configuration in Figure 5.14 on page 5-29 are symmetrical, the
configuration of device F is also identical to the configuration of device A and device B.
ServerIronF(config)# vlan 101 by port
ServerIronF(config-vlan-101)# tagged ethernet 2/1
ServerIronF(config-vlan-101)# untagged ethernet 1/1
ServerIronF(config-vlan-101)# exit
ServerIronF(config)# write memory
Dual-Mode VLAN Ports

Configuring a tagged port as a dual-mode port allows it to accept and transmit both tagged traffic and untagged
traffic at the same time. A dual-mode port accepts and transmits frames belonging to VLANs configured for the
port, as well as frames belonging to the default VLAN (that is, untagged traffic).
For example, in Figure 5.15 on page 5-34, port 2/11 is a dual-mode port belonging to VLAN 20. Traffic for VLAN
20, as well as traffic for the default VLAN, flows from a hubs to this port. The dual-mode feature allows traffic for
VLAN 20 and untagged traffic to go through the port at the same time.
June, 2009
5 - 33
Figure 5.15
Dual-mode VLAN port example

VLAN 20
Traffic
Untagged
Traffic
Hub
Port 2/11
Tagged, VLAN 20
dual-mode
Port 2/9
Tagged, VLAN 20
VLAN 20
Traffic
Port 2/10
Untagged
Untagged
Traffic
To enable the dual-mode feature on port 2/11 in Figure 5.15 on page 5-34:
ServerIron(config-vlan-20)# tagged e 2/11
ServerIron(config-vlan-20)# tagged e 2/9
ServerIron(config-vlan-20)# int e 2/11
ServerIron(config-if-e100-2/11)# dual-mode
ServerIron(config-if-e100-2/11)# exit
Syntax: [no] dual-mode
You can configure a dual-mode port to transmit traffic for a specified VLAN (other than the DEFAULT-VLAN) as
untagged, while transmitting traffic for other VLANs as tagged. Figure 5.16 on page 5-34 illustrates this
enhancement.
Figure 5.16
Specifying a default VLAN ID for a dual-mode port

VLAN 10
Untagged
Traffic
VLAN 10
Untagged
Traffic
Dual-mode Port 2/11

Default VLAN ID 10
Tagged, VLAN 20
Port 2/10
Untagged, VLAN 10
Hub
Port 2/9
Tagged, VLAN 20
VLAN 20
Tagged
Traffic
VLAN 20
Tagged
Traffic
In Figure 5.16 on page 5-34, tagged port 2/11 is a dual-mode port belonging to VLANs 10 and 20. The default
VLAN assigned to this dual-mode port is 10. This means that the port transmits tagged traffic on VLAN 20 (and all
other VLANs to which the port belongs) and transmits untagged traffic on VLAN 10.
5 - 34
June, 2009
The dual-mode feature allows tagged traffic for VLAN 20 and untagged traffic for VLAN 10 to go through port 2/11
at the same time. A dual-mode port transmits only untagged traffic on its default VLAN (that is, either VLAN 1, or
a user-specified VLAN ID), and only tagged traffic on all other VLANs.
The following commands configure VLANs 10 and 20 in Figure 5.16 on page 5-34. Tagged port 2/11 is added to
VLANs 10 and 20, then designated a dual-mode port whose specified default VLAN is 10. In this configuration,
port 2/11 transmits only untagged traffic on VLAN 10 and only tagged traffic on VLAN 20.
by port
untagged e 2/10
tagged e 2/11
exit
by port
tagged e 2/9
tagged e 2/11
exit
ServerIron(config)# int e 2/11

ServerIron(config-if-e100-2/11)# dual-mode 10
ServerIron(config-if-e100-2/11)# exit
Syntax: [no] dual-mode [<vlan-id>]
Notes:
If you do not specify a <vlan-id> in the dual mode command, the ports default VLAN is set to 1. The port
transmits untagged traffic on the DEFAULT-VLAN.
The dual-mode feature is disabled by default. Only tagged ports can be configured as dual-mode ports.
In trunk group, either all of the ports must be dual-mode, or none of them can be.
The show vlan command displays a separate row for dual-mode ports on each VLAN. For example:
ServerIron(config)# show vlan
Total PORT-VLAN entries: 3
Maximum PORT-VLAN entries: 16
legend: [S=Slot]
PORT-VLAN
Untagged
Untagged
Untagged
Tagged
Uplink
DualMode
PORT-VLAN
Untagged
Tagged
Uplink
DualMode
PORT-VLAN
Untagged
Tagged
Uplink
DualMode
June, 2009
1, Name DEFAULT-VLAN, Priority level0, Spanning

Ports: (S1) 1 2 3 4 5 6 7 8
Ports: (S2) 1 2 3 4 5 6 7 8 12 13 14 15
Ports: (S2) 20 21 22 23 24
Ports: None
Ports: None
Ports: None
10, Name [None], Priority level0, Spanning tree
Ports: (S2) 10
Ports: None
Ports: None
Ports: (S2) 11
20, Name [None], Priority level0, Spanning tree
Ports: None
Ports: (S2) 9
Ports: None
Ports: (S2) 11
tree Off
16 17 18 19
Off
Off
5 - 35
Displaying VLAN Information

After you configure the VLANs, you can verify the configuration using the following methods.
NOTE: If a VLAN name begins with GVRP_VLAN_, the VLAN was created by the GARP VLAN Registration
Protocol (GVRP). If a VLAN name begins with STATIC_VLAN_, the VLAN was created by GVRP and then was
converted into a statically configured VLAN.
Displaying System-Wide VLAN Information

Use one of the following methods to display VLAN information for all the VLANs configured on the device.
Enter the following command at any CLI level. This example shows the display for the IP subnet and IPX network
VLANs configured in the examples in Configuring an IP Subnet VLAN with Dynamic Ports on page 5-19.
ServerIron(config)# show vlans
legend: [S=Slot]
PORT-VLAN
Untagged
Untagged
Untagged
Untagged
Tagged
1, Name DEFAULT-VLAN, Priority level0, Spanning tree Off

Ports: (S2) 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
Ports: (S2) 17 18 19 20 21 22 23 24
Ports: (S4) 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
Ports: (S4) 17 18 19 20 21 22 23 24
Ports: None
PORT-VLAN 10, Name IP_VLAN, Priority level0, Spanning tree Off

Untagged Ports: (S1) 1 2 3 4 5 6
Tagged Ports: None
IP-subnet VLAN 1.1.1.0 255.255.255.0, Dynamic port enabled
Name: Mktg-LAN
Static ports: None
Exclude ports: None
Dynamic ports: (S1) 1 2 3 4 5 6
PORT-VLAN 20, Name IPX_VLAN, Priority level0, Spanning tree Off
Untagged Ports: (S2) 1 2 3 4 5 6
Tagged Ports: None
IPX-network VLAN 0000ABCD, frame type ethernet_ii, Dynamic port enabled
Name: Eng-LAN
Static ports: None
Exclude ports: None
Dynamic ports: (S2) 1 2 3 4 5 6
Syntax: show vlans [<vlan-id> | ethernet <portnum> | pos <portnum>]
The <vlan-id> parameter specifies a VLAN for which you want to display the configuration information.
The ethernet <portnum> | pos <portnum> parameter specifies a port. If you use this parameter, the command
lists all the VLAN memberships for the port.
Displaying VLAN Information for Specific Ports

Use one of the following methods to display VLAN information for specific ports.
5 - 36
June, 2009
To display VLAN information for all the VLANs of which port 7/1 is a member, enter the following command:
ServerIron(config)# show vlans e 7/1
legend: [S=Slot]
PORT-VLAN 100, Name [None], Priority level0, Spanning tree Off
Untagged Ports: (S7) 1 2 3 4
Tagged Ports: None
IP-subnet VLAN 207.95.11.0 255.255.255.0, Dynamic port disabled
Static ports: (S7) 1 2
Exclude ports: None
Dynamic ports: None
Syntax: show vlans [<vlan-id> | ethernet <portnum> ]
The <vlan-id> parameter specifies a VLAN for which you want to display the configuration information.
The ethernet <portnum> parameter specifies a port. If you use this parameter, the command lists all the VLAN
memberships for the port.
Using show run to Display VLAN Information

.You can use the show running-config command to display information for VLANs and VLAN groups. The show
running-config command displays VLANs in the order they were configured on the device. Device running
Enterprise software release 08.0.00 and later displays VLANs in numerical order (for example, VLAN 100, VLAN
200, and so on in the show running-config output.
June, 2009
5 - 37
5 - 38
June, 2009

VLANs

Uploaded by

Copyright:

Available Formats

VLANs

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

VLANs

Uploaded by

Copyright:

Available Formats

Chapter 5

Configuring Virtual LANs (VLANs)

Types of VLANs Supported

Layer 2 Port-Based VLANs

2009 Brocade Communications Systems Inc

ServerIron ADX Switching and Routing Guide

Brocade device containing user-defined Layer 2 port-based VLAN

User-configured port-based VLAN

When you add a port-based VLAN,

Integrated Switch Routing (ISR)

2009 Brocade Communications Systems Inc

Configuring Virtual LANs (VLANs)

IP subnet VLAN An IP subnet broadcast domain for a specific IP subnet.

2009 Brocade Communications Systems Inc

ServerIron ADX Switching and Routing Guide

Default Layer 2 port-based VLAN

By default, all ports belong to a single

2009 Brocade Communications Systems Inc

Configuring Virtual LANs (VLANs)

Packet containing an 802.1QVLAN tag

Untagged Packet Format

802.1q Tagged Packet Format

Tag Protocol Id (TPID) 802.1p

CRC II Ethernet II with 802.1q tag

IEEE 802.3 with 802.1q tag

VLAN ID (12 bits)

2009 Brocade Communications Systems Inc

ServerIron ADX Switching and Routing Guide

VLANs configured across multiple devices

User-configured port-based VLAN

Tagging is required for the ports

Tagging is not required for the ports

Without tagging, a device receiving

Spanning Tree Protocol (STP)

STP is disabled by default on Brocade Layer 3 Switches.

STP is enabled by default on Brocade Layer 2 Switches.

Globally Affects all ports on the device.

2009 Brocade Communications Systems Inc

Configuring Virtual LANs (VLANs)

Virtual Routing Interfaces

Use virtual routing interfaces for routing between IP subnet VLANs

User-configured IP subnet VLAN

Layer 2 and Layer 3 traffic within a VLAN

VLAN and Virtual Routing Interface Groups

2009 Brocade Communications Systems Inc

ServerIron ADX Switching and Routing Guide

Dynamic, Static, and Excluded Port Membership

You also can explicitly exclude ports.

2009 Brocade Communications Systems Inc

Configuring Virtual LANs (VLANs)

Ports that time out remain candidates for

2009 Brocade Communications Systems Inc

ServerIron ADX Switching and Routing Guide

Super Aggregated VLANs

Trunk Group Ports and VLAN Membership

Summary of VLAN Configuration Rules

Port-based VLANs are at the lowest level of the hierarchy.

IP subnet VLANs are at the top of the hierarchy.

Multiple VLAN Membership Rules