VLAN Configuration Guide, Cisco IOS XE Gibraltar 16.10.x (Catalyst 9500 Switches)
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
© 2018 Cisco Systems, Inc. All rights reserved.
CONTENTS
VTP Version 3 5
VTP Pruning 6
VTP and Device Stacks 7
VTP Configuration Guidelines 8
VTP Configuration Requirements 8
VTP Settings 8
Domain Names for Configuring VTP 8
Passwords for the VTP Domain 9
VTP Version 9
How to Configure VTP 10
Configuring VTP Mode 10
VLAN Configuration Guide, Cisco IOS XE Gibraltar 16.10.x (Catalyst 9500 Switches)
Monitoring VTP 20
Configuration Examples for VTP 21
Example: Configuring a Switch as the Primary Server 21
Where to Go Next 21
Additional References 22
Feature History and Information for VTP 23
Deleting a VLAN 33
Monitoring VLANs 38
Additional References 39
Feature History and Information for VLANs 39
Trunking Overview 43
Trunking Modes 43
Layer 2 Interface Modes 43
Allowed VLANs on a Trunk 44
Load Sharing on Trunk Ports 44
Network Load Sharing Using STP Priorities 44
Network Load Sharing Using STP Path Cost 45
Feature Interactions 45
How to Configure VLAN Trunks 45
Configuring an Ethernet Interface as a Trunk Port 46
Configuring a Trunk Port 46
Where to Go Next 59
Additional References 59
Feature History and Information for VLAN Trunks 60
Where to Go Next 67
Additional References 68
Feature History and Information for Voice VLAN 69
CHAPTER 1
Configuring VTP
• Finding Feature Information, on page 1
• Prerequisites for VTP, on page 1
• Restrictions for VTP, on page 2
• Information About VTP, on page 2
• How to Configure VTP, on page 10
• Monitoring VTP, on page 20
• Configuration Examples for VTP, on page 21
• Where to Go Next, on page 21
• Additional References, on page 22
• Feature History and Information for VTP, on page 23
Restrictions for VTP
You can enable or disable VTP per port by entering the [no] vtp interface configuration command. When
you disable VTP on trunking ports, all VTP instances for that port are disabled. You cannot set VTP to off
for the MST database and on for the VLAN database on the same port.
When you globally set VTP mode to off, it applies to all the trunking ports in the system. However, you can
specify on or off on a per-VTP instance basis. For example, you can configure the device as a VTP server for
the VLAN database but with VTP off for the MST database.
Because trunk ports send and receive VTP advertisements, you must ensure that at least one trunk port is
configured on the device or device stack and that this trunk port is connected to the trunk port of another
device. Otherwise, the device cannot receive any VTP advertisements.
Caution Before adding a VTP client device to a VTP domain, always verify that its VTP configuration revision number
is lower than the configuration revision number of the other devices in the VTP domain. Devices in a VTP
domain always use the VLAN configuration of the device with the highest VTP configuration revision number.
If you add a device that has a revision number higher than the revision number in the VTP domain, it can
erase all VLAN information from the VTP server and VTP domain.
VTP Domain
A VTP domain (also called a VLAN management domain) consists of one device or several interconnected
devices under the same administrative responsibility sharing the same VTP domain name. A device can be
in only one VTP domain. You make global VLAN configuration changes for the domain.
By default, the device is in the VTP no-management-domain state until it receives an advertisement for a
domain over a trunk link (a link that carries the traffic of multiple VLANs) or until you configure a domain
name. Until the management domain name is specified or learned, you cannot create or modify VLANs on a
VTP server, and VLAN information is not propagated over the network.
If the device receives a VTP advertisement over a trunk link, it inherits the management domain name and
the VTP configuration revision number. The device then ignores advertisements with a different domain name
or an earlier configuration revision number.
When you make a change to the VLAN configuration on a VTP server, the change is propagated to all devices
in the VTP domain. VTP advertisements are sent over all IEEE trunk connections, including IEEE 802.1Q.
VTP dynamically maps VLANs with unique names and internal index associates across multiple LAN types.
Mapping eliminates excessive device administration required from network administrators.
If you configure a device for VTP transparent mode, you can create and modify VLANs, but the changes are
not sent to other devices in the domain, and they affect only the individual device. However, configuration
changes made when the device is in this mode are saved in the device running configuration and can be saved
to the device startup configuration file.
VTP Modes
Table 1: VTP Modes
VTP server In VTP server mode, you can create, modify, and
delete VLANs, and specify other configuration
parameters (such as the VTP version) for the entire
VTP domain. VTP servers advertise their VLAN
configurations to other devices in the same VTP
domain and synchronize their VLAN configurations
with other devices based on advertisements received
over trunk links.
VTP server is the default mode.
In VTP server mode, VLAN configurations are saved
in NVRAM. If the device detects a failure while
writing a configuration to NVRAM, VTP mode
automatically changes from server mode to client
mode. If this happens, the device cannot be returned
to VTP server mode until the NVRAM is functioning.
VTP Advertisements
Each device in the VTP domain sends periodic global configuration advertisements from each trunk port to
a reserved multicast address. Neighboring devices receive these advertisements and update their VTP and
VLAN configurations as necessary.
Because trunk ports send and receive VTP advertisements, you must ensure that at least one trunk port is
configured on the switch stack and that this trunk port is connected to the trunk port of another switch.
Otherwise, the switch cannot receive any VTP advertisements.
VTP advertisements distribute this global domain information:
• VTP domain name
• VTP configuration revision number
VTP advertisements distribute this VLAN information for each configured VLAN:
• VLAN IDs (including IEEE 802.1Q)
• VLAN name
• VLAN type
• VLAN state
• Additional VLAN configuration information specific to the VLAN type
In VTP version 3, VTP advertisements also include the primary server ID, an instance number, and a start
index.
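The following Python script is an added example; it is not part of this guide and is not Cisco IOS XE code. It decodes a VTP summary advertisement (the message that carries the domain name, configuration revision number, updater identity, timestamp and MD5 digest listed above) and applies the acceptance rule from the VTP Domain section: a device ignores an advertisement whose domain name differs or whose revision is not newer than its own. The frame is constructed inline from the public VTP encapsulation (reserved multicast MAC 01:00:0c:cc:cc:cc, LLC/SNAP with the Cisco OUI 00:00:0c and protocol ID 0x2003); the 16-byte MD5 field is a placeholder, not a digest computed over a domain password.

```python
"""Decode a VTP summary advertisement and apply the acceptance rule.

Added example; not code from the Cisco guide. The frame is constructed by hand
from the public VTP PDU layout; the MD5 field is a placeholder value.
"""
import struct

VTP_DST_MAC = bytes.fromhex("01000ccccccc")   # reserved multicast address for VTP
LLC_SNAP = b"\xaa\xaa\x03"                     # DSAP, SSAP, control
CISCO_OUI = b"\x00\x00\x0c"
VTP_PID = 0x2003                               # SNAP protocol ID for VTP
CODE_SUMMARY = 0x01                            # summary advertisement
SUMMARY_LEN = 72                               # 4 + 32 + 4 + 4 + 12 + 16


def build_summary_advert(version, domain, revision, updater, timestamp, digest, followers=0):
    """Serialize a summary-advertisement PDU (constructed test input)."""
    dom = domain.encode("ascii")
    if len(dom) > 32:
        raise ValueError("domain name is at most 32 characters")
    pdu = struct.pack("!BBBB", version, CODE_SUMMARY, followers, len(dom))
    pdu += dom.ljust(32, b"\x00")                       # zero-padded domain name
    pdu += struct.pack("!I", revision)                  # configuration revision
    pdu += bytes(int(o) for o in updater.split("."))    # updater identity (IPv4)
    pdu += timestamp.encode("ascii").ljust(12, b"\x00")[:12]
    pdu += digest                                       # 16-byte MD5 field
    return pdu


def build_frame(src_mac, pdu):
    """Wrap the PDU in an 802.3/LLC/SNAP frame addressed to the VTP multicast MAC."""
    payload = LLC_SNAP + CISCO_OUI + struct.pack("!H", VTP_PID) + pdu
    return VTP_DST_MAC + src_mac + struct.pack("!H", len(payload)) + payload


def parse_vtp_frame(frame):
    """Validate the encapsulation and decode a summary advertisement.

    PDU layout: version(1) code(1) followers(1) domain_len(1) domain(32)
    revision(4) updater_identity(4) update_timestamp(12) md5_digest(16).
    """
    if frame[0:6] != VTP_DST_MAC:
        raise ValueError("not addressed to the VTP multicast MAC")
    if frame[14:17] != LLC_SNAP or frame[17:20] != CISCO_OUI:
        raise ValueError("not a Cisco SNAP frame")
    if struct.unpack_from("!H", frame, 20)[0] != VTP_PID:
        raise ValueError("SNAP protocol ID is not VTP")
    pdu = frame[22:]
    if len(pdu) < SUMMARY_LEN:
        raise ValueError("truncated VTP PDU")
    version, code, followers, dlen = struct.unpack_from("!BBBB", pdu, 0)
    if code != CODE_SUMMARY:
        raise ValueError(f"code {code:#x} is not a summary advertisement")
    return {
        "version": version,
        "followers": followers,
        "domain": pdu[4:4 + dlen].decode("ascii", "replace"),
        "revision": struct.unpack_from("!I", pdu, 36)[0],
        "updater": ".".join(str(b) for b in pdu[40:44]),
        "timestamp": pdu[44:56].rstrip(b"\x00").decode("ascii", "replace"),
        "md5": pdu[56:72].hex(),
    }


def would_overwrite(local_domain, local_revision, advert):
    """Acceptance rule from the guide: ignore a different domain name or an
    earlier revision; otherwise the receiver synchronizes to the advertisement.
    An equal revision carries nothing new and is treated as a no-op here."""
    return advert["domain"] == local_domain and advert["revision"] > local_revision


# Constructed sample: a server in domain eng_group announcing revision 42.
SAMPLE_FRAME = build_frame(
    bytes.fromhex("00c0ffee0001"),
    build_summary_advert(1, "eng_group", 42, "10.0.0.1", "181001120000", bytes(range(16))),
)

if __name__ == "__main__":
    advert = parse_vtp_frame(SAMPLE_FRAME)
    print(advert)
    print("client at revision 7 would sync:", would_overwrite("eng_group", 7, advert))
```

The revision check is the whole point of the Caution in the Restrictions section: nothing in the summary advertisement itself proves the sender is the intended server, so a device that joins the domain with the right name and a higher revision is accepted by every neighbor whose revision is lower.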
VTP Version 2
If you use VTP in your network, you must decide which version of VTP to use. By default, VTP operates in
version 1.
VTP version 2 supports these features that are not supported in version 1:
• Token Ring support—VTP version 2 supports Token Ring Bridge Relay Function (TrBRF) and Token
Ring Concentrator Relay Function (TrCRF) VLANs.
• Unrecognized Type-Length-Value (TLV) support—A VTP server or client propagates configuration
changes to its other trunks, even for TLVs it is not able to parse. The unrecognized TLV is saved in
NVRAM when the device is operating in VTP server mode.
• Version-Dependent Transparent Mode—In VTP version 1, a VTP transparent device inspects VTP
messages for the domain name and version and forwards a message only if the version and domain name
match. Although VTP version 2 supports only one domain, a VTP version 2 transparent device forwards
a message only when the domain name matches.
• Consistency Checks—In VTP version 2, VLAN consistency checks (such as VLAN names and values)
are performed only when you enter new information through the CLI or SNMP. Consistency checks are
not performed when new information is obtained from a VTP message or when information is read from
NVRAM. If the MD5 digest on a received VTP message is correct, its information is accepted.
VTP Version 3
VTP version 3 supports these features that are not supported in version 1 or version 2:
• Enhanced authentication—You can configure the authentication as hidden or secret. When hidden, the
secret key from the password string is saved in the VLAN database file, but it does not appear in plain
text in the configuration. Instead, the key associated with the password is saved in hexadecimal format
in the running configuration. You must reenter the password if you enter a takeover command in the
domain. When you enter the secret keyword, you can directly configure the password secret key.
• Support for extended range VLAN (VLANs 1006 to 4094) database propagation—VTP versions 1 and
2 propagate only VLANs 1 to 1005.
Note VTP pruning still applies only to VLANs 1 to 1005, and VLANs 1002 to 1005
are still reserved and cannot be modified.
Note VTP versions 1 and 2 publish only standard-range VLANs (VLANs 1 to 1001); extended-range VLANs (VLANs 1006 to 4094) are stored locally in flash or in the running configuration. VTP version 3 publishes extended-range VLANs to the entire VTP domain, and they are not stored locally.
VTP Pruning
VTP pruning increases network available bandwidth by restricting flooded traffic to those trunk links that the
traffic must use to reach the destination devices. Without VTP pruning, a device floods broadcast, multicast,
and unknown unicast traffic across all trunk links within a VTP domain even though receiving devices might
discard them. VTP pruning is disabled by default.
VTP pruning blocks unneeded flooded traffic to VLANs on trunk ports that are included in the pruning-eligible list. Only VLANs included in the pruning-eligible list can be pruned. By default, VLANs 2 through 1001 are pruning-eligible on device trunk ports. If VLANs are configured as pruning-ineligible, the flooding continues.
VTP pruning is supported in all VTP versions.
Figure 1: Flooding Traffic without VTP Pruning
VTP pruning is disabled in the switched network. Port 1 on Device A and Port 2 on Device D are assigned
to the Red VLAN. If a broadcast is sent from the host connected to Device A, Device A floods the broadcast
and every device in the network receives it, even though Devices C, E, and F have no ports in the Red VLAN.
VTP pruning is enabled in the switched network. The broadcast traffic from Device A is not forwarded to
Devices C, E, and F because traffic for the Red VLAN has been pruned on the links shown (Port 5 on Device
B and Port 4 on Device D).
With VTP versions 1 and 2, when you enable pruning on the VTP server, it is enabled for the entire VTP
domain. In VTP version 3, you must manually enable pruning on each device in the domain. Making VLANs
pruning-eligible or pruning-ineligible affects pruning eligibility for those VLANs on that trunk only (not on
all devices in the VTP domain).
VTP pruning takes effect several seconds after you enable it. VTP pruning does not prune traffic from VLANs
that are pruning-ineligible. VLAN 1 and VLANs 1002 to 1005 are always pruning-ineligible; traffic from
these VLANs cannot be pruned. Extended-range VLANs (VLAN IDs higher than 1005) are also
pruning-ineligible.
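The following Python script is an added example; it is not part of this guide or of Cisco IOS XE. It encodes the eligibility rules stated above (VLAN 1, VLANs 1002 to 1005 and extended-range VLANs are never pruned; VLANs 2 to 1001 are eligible by default) and then replays the Figure 1 and Figure 2 scenario: with pruning enabled, Red VLAN traffic is dropped from a trunk whose neighbor has no ports in that VLAN. It accepts the plain VLAN-list form of the switchport trunk pruning vlan command and the none keyword; the add, remove and except forms are an assumption left out to keep the example short, and the VLAN numbers used for Red and Blue are constructed.

```python
"""Which VLANs VTP pruning can prune on a trunk, and what still floods.

Added example, not from the Cisco guide. Only the plain VLAN-list and 'none'
forms of 'switchport trunk pruning vlan' are handled (assumption).
"""
ALWAYS_INELIGIBLE = {1} | set(range(1002, 1006))   # never pruned
MAX_PRUNABLE = 1005                                  # extended range is never pruned
DEFAULT_SPEC = "2-1001"                              # default pruning-eligible list


def parse_vlan_list(spec):
    """'2-10,20,30-32' -> {2..10, 20, 30, 31, 32}; 'none' -> empty set."""
    vlans = set()
    if spec.strip().lower() == "none":
        return vlans
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"bad VLAN range {item!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def pruning_eligible(spec=DEFAULT_SPEC):
    """Effective pruning-eligible set for a trunk: the configured list minus the
    VLANs the switch never prunes, whatever the list says."""
    return {v for v in parse_vlan_list(spec)
            if v not in ALWAYS_INELIGIBLE and v <= MAX_PRUNABLE}


def flooded_over_trunk(local_active, eligible, neighbor_active, pruning_enabled=True):
    """VLANs whose broadcast, multicast and unknown-unicast traffic still crosses
    this trunk. With pruning off everything active floods; with pruning on, an
    eligible VLAN is pruned when the neighbor has no active ports in it."""
    if not pruning_enabled:
        return set(local_active)
    return {v for v in local_active if v not in eligible or v in neighbor_active}


if __name__ == "__main__":
    red, blue = 10, 20                      # constructed VLAN IDs for the figure
    elig = pruning_eligible()
    # Device A has hosts in Red and Blue; the neighbor on this trunk only in Blue.
    print(sorted(flooded_over_trunk({1, red, blue}, elig, {1, blue})))                       # Red pruned
    print(sorted(flooded_over_trunk({1, red, blue}, elig, {1, blue}, pruning_enabled=False)))  # all flood
```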
VTP and Device Stacks
VTP version 3 functions the same on a standalone device or a stack except when the device stack is the primary
server for the VTP database. In this case, the MAC address of the active switch is used as the primary server
ID. If the active device reloads or is powered off, a new active switch is elected.
• If you do not configure the persistent MAC address feature, when the new active device is elected, it
sends a takeover message using the current stack MAC address.
VTP Settings
The VTP information is saved in the VTP VLAN database. When VTP mode is transparent, the VTP domain
name and mode are also saved in the device running configuration file, and you can save it in the device
startup configuration file by entering the copy running-config startup-config privileged EXEC command.
You must use this command if you want to save VTP mode as transparent, even if the device resets.
When you save VTP information in the device startup configuration file and reboot the device, the device
configuration is selected as follows:
• If the VTP mode is transparent in the startup configuration and the VLAN database and the VTP domain
name from the VLAN database matches that in the startup configuration file, the VLAN database is
ignored (cleared), and the VTP and VLAN configurations in the startup configuration file are used. The
VLAN database revision number remains unchanged in the VLAN database.
• If the VTP mode or domain name in the startup configuration do not match the VLAN database, the
domain name and VTP mode and configuration for VLAN IDs 1 to 1005 use the VLAN database
information.
Note If the NVRAM and DRAM storage is sufficient, all devices in a VTP domain should be in VTP server mode.
Domain Names for Configuring VTP
Caution Do not configure a VTP domain if all devices are operating in VTP client mode. If you configure the domain,
it is impossible to make changes to the VLAN configuration of that domain. Make sure that you configure at
least one device in the VTP domain for VTP server mode.
Passwords for the VTP Domain
Caution When you configure a VTP domain password, the management domain does not function properly if you do not assign a management domain password to each device in the domain.
VTP Version
Follow these guidelines when deciding which VTP version to implement:
• All devices in a VTP domain must have the same domain name, but they do not need to run the same
VTP version.
• A VTP version 2-capable device can operate in the same VTP domain as a device running VTP version
1 if version 2 is disabled on the version 2-capable device (version 2 is disabled by default).
• If a device running VTP version 1, but capable of running VTP version 2, receives VTP version 3
advertisements, it automatically moves to VTP version 2.
• If a device running VTP version 3 is connected to a device running VTP version 1, the VTP version 1
device moves to VTP version 2, and the VTP version 3 device sends scaled-down versions of the VTP
packets so that the VTP version 2 device can update its database.
• A device running VTP version 3 cannot move to version 1 or 2 if it has extended VLANs.
• Do not enable VTP version 2 on a device unless all of the devices in the same VTP domain are
version-2-capable. When you enable version 2 on a device, all of the version-2-capable devices in the
domain enable version 2. If there is a version 1-only device, it does not exchange VTP information with
devices that have version 2 enabled.
• Cisco recommends placing VTP version 1 and 2 devices at the edge of the network because they do not
forward VTP version 3 advertisements.
• If there are TrBRF and TrCRF Token Ring networks in your environment, you must enable VTP version
2 or version 3 for Token Ring VLAN switching to function properly. To run Token Ring and Token
Ring-Net, disable VTP version 2.
• VTP version 1 and version 2 do not propagate configuration information for extended range VLANs
(VLANs 1006 to 4094). You must configure these VLANs manually on each device. VTP version 3
supports extended-range VLANs and support for extended range VLAN database propagation.
• When a VTP version 3 device trunk port receives messages from a VTP version 2 device, it sends a
scaled-down version of the VLAN database on that particular trunk in VTP version 2 format. A VTP
version 3 device does not send VTP version 2-formatted packets on a trunk unless it first receives VTP
version 2 packets on that trunk port.
• When a VTP version 3 device detects a VTP version 2 device on a trunk port, it continues to send VTP
version 3 packets, in addition to VTP version 2 packets, to allow both kinds of neighbors to coexist on
the same trunk.
• A VTP version 3 device does not accept configuration information from a VTP version 2 or version 1
device.
• Two VTP version 3 regions can only communicate in transparent mode over a VTP version 1 or version
2 region.
• Devices that are only VTP version 1 capable cannot interoperate with VTP version 3 devices.
How to Configure VTP
Configuring VTP Mode
When you configure a domain name, it cannot be removed; you can only reassign a device to a different domain.
SUMMARY STEPS
1. enable
2. configure terminal
3. vtp domain domain-name
4. vtp mode {client | server | transparent | off} {vlan | mst | unknown}
5. vtp password password
6. end
7. show vtp status
8. copy running-config startup-config
DETAILED STEPS
Step 1 enable
Example:
Device> enable
Step 2 configure terminal
Step 3 vtp domain domain-name
Configures the VTP administrative-domain name. The name can be 1 to 32 characters. All devices operating in VTP server or client mode under the same administrative responsibility must be configured with the same domain name.
This command is optional for modes other than server mode. VTP server mode requires a domain name. If the device has a trunk connection to a VTP domain, the device learns the domain name from the VTP server in the domain.
You should configure the VTP domain before configuring other VTP parameters.
Example:
Device(config)# vtp domain eng_group
Step 4 vtp mode {client | server | transparent | off} {vlan | mst | unknown}
Configures the device for VTP mode (client, server, transparent, or off).
• vlan—The VLAN database is the default if none are configured.
• mst—The multiple spanning tree (MST) database.
• unknown—An unknown database type.
Example:
Device(config)# vtp mode server
Step 5 vtp password password
(Optional) Sets the password for the VTP domain. The password can be 8 to 64 characters. If you configure a VTP password, the VTP domain does not function properly if you do not assign the same password to each device in the domain.
Example:
Device(config)# vtp password mypassword
Step 6 end
Example:
Device(config)# end
Step 7 show vtp status
Verifies your entries in the VTP Operating Mode and the VTP Domain Name fields of the display.
Step 8 copy running-config startup-config
(Optional) Saves the configuration in the startup configuration file.
Only VTP mode and domain name are saved in the device running configuration and can be copied to the startup configuration file.
Example:
Device# copy running-config startup-config
Configuring a VTP Version 3 Password
SUMMARY STEPS
1. enable
2. configure terminal
3. vtp version 3
4. vtp password password [hidden | secret]
5. end
6. show vtp password
7. copy running-config startup-config
DETAILED STEPS
Step 1 enable
Example:
Device> enable
Step 2 configure terminal
Step 3 vtp version 3
Step 4 vtp password password [hidden | secret]
(Optional) Sets the password for the VTP domain. The password can be 8 to 64 characters.
• (Optional) hidden—Saves the secret key generated from the password string in the nvram:vlan.dat file. If you configure a takeover by configuring a VTP primary server, you are prompted to reenter the password.
• (Optional) secret—Directly configures the password. The secret password must contain 32 hexadecimal characters.
Example:
Device(config)# vtp password mypassword hidden
Step 5 end
Example:
Device(config)# end
Step 6 show vtp password
Verifies your entries. The output appears like this:
VTP password: 89914640C8D90868B6A0D8103847A733
Step 7 copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Configuring a VTP Version 3 Primary Server
SUMMARY STEPS
1. vtp version 3
2. vtp primary [vlan | mst] [force]
DETAILED STEPS
Step 1 vtp version 3
Step 2 vtp primary [vlan | mst] [force]
Changes the operational state of a device from a secondary server (the default) to a primary server and advertises the configuration to the domain. If the device password is configured as hidden, you are prompted to reenter the password.
• (Optional) vlan—Selects the VLAN database as the takeover feature. This is the default.
• (Optional) mst—Selects the multiple spanning tree (MST) database as the takeover feature.
• (Optional) force—Overwrites the configuration of any conflicting servers. If you do not enter force, you are prompted for confirmation before the takeover.
Example:
Device# vtp primary vlan force
Enabling the VTP Version
Caution VTP version 1 and VTP version 2 are not interoperable on devices in the same VTP domain. Do not enable VTP version 2 unless every device in the VTP domain supports version 2.
• In TrCRF and TrBRF Token Ring environments, you must enable VTP version 2 or VTP version 3 for Token Ring VLAN switching to function properly. For Token Ring and Token Ring-Net media, disable VTP version 2.
Caution In VTP version 3, both the primary and secondary servers can exist on an instance in the domain.
SUMMARY STEPS
1. enable
2. configure terminal
3. vtp version {1 | 2 | 3}
4. end
5. show vtp status
6. copy running-config startup-config
DETAILED STEPS
Step 1 enable
Example:
Device> enable
Step 2 configure terminal
Step 3 vtp version {1 | 2 | 3}
Enables the VTP version on the device. The default is VTP version 1.
Step 4 end
Example:
Device(config)# end
Step 5 show vtp status
Verifies that the configured VTP version is enabled.
Step 6 copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Enabling VTP Pruning
To configure VTP pruning on an interface, use the switchport trunk pruning vlan interface configuration
command. VTP pruning operates when an interface is trunking. You can set VLAN pruning-eligibility, whether
or not VTP pruning is enabled for the VTP domain, whether or not any given VLAN exists, and whether or
not the interface is currently trunking.
SUMMARY STEPS
1. enable
2. configure terminal
3. vtp pruning
4. end
5. show vtp status
DETAILED STEPS
Step 1 enable
Example:
Device> enable
Step 2 configure terminal
Step 3 vtp pruning
Step 4 end
Example:
Device(config)# end
Step 5 show vtp status
Verifies your entries in the VTP Pruning Mode field of the display.
Configuring VTP on a Per-Port Basis
SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. vtp
5. end
6. show running-config interface interface-id
7. show vtp status
DETAILED STEPS
Step 1 enable
Example:
Device> enable
Step 2 configure terminal
Step 3 interface interface-id
Step 4 vtp
Example:
Device(config-if)# vtp
Step 5 end
Example:
Device(config)# end
Step 6 show running-config interface interface-id
Verifies the change to the port.
Step 7 show vtp status
Adding a VTP Client to a VTP Domain
SUMMARY STEPS
1. enable
2. show vtp status
3. configure terminal
4. vtp domain domain-name
5. end
6. show vtp status
7. configure terminal
8. vtp domain domain-name
9. end
10. show vtp status
DETAILED STEPS
Step 1 enable
Example:
Device> enable
Step 2 show vtp status
Checks the VTP configuration revision number.
If the number is 0, add the device to the VTP domain.
If the number is greater than 0, follow these substeps:
• Write down the domain name.
• Write down the configuration revision number.
• Continue with the next steps to reset the device configuration revision number.
Example:
Device# show vtp status
Step 3 configure terminal
Step 4 vtp domain domain-name
Changes the domain name from the original one displayed in Step 2 to a new name.
Step 5 end
Step 6 show vtp status
Verifies that the configuration revision number has been reset to 0.
Step 7 configure terminal
Step 8 vtp domain domain-name
Enters the original domain name on the device.
Step 9 end
Example:
Device(config)# end
Step 10 show vtp status
(Optional) Verifies that the domain name is the same as in Step 2 and that the configuration revision number is 0.
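The following Python script is an added example; it is not part of this guide and is not Cisco IOS XE code. It automates the pre-checks behind the Caution in the Restrictions section (a joining client must carry a lower configuration revision than the domain), the domain-name and password cautions in the configuration guidelines (every device needs the same domain name and the same VTP password, and at least one must be a server), and the Adding a VTP Client procedure above, by parsing show vtp status output collected from each device. The show vtp status text is constructed here from a template whose field labels follow the IOS XE output; device names, digests and revision numbers are invented for the example.

```python
"""Pre-flight audit of 'show vtp status' output before a client joins a domain.

Added example; not from the Cisco guide. The status text is constructed here
(field labels follow IOS XE 'show vtp status'); the parser keys on those labels.
"""
import re

TEMPLATE = """\
VTP Version capable             : 1 to 3
VTP version running             : {version}
VTP Domain Name                 : {domain}
VTP Pruning Mode                : Disabled
Device ID                       : {devid}

Feature VLAN:
--------------
VTP Operating Mode                : {mode}
Maximum VLANs supported locally   : 1005
Number of existing VLANs          : 12
Configuration Revision            : {revision}
MD5 digest                        : {digest1}
                                    {digest2}
"""


def constructed_status(mode, revision, digest_hex, devid, domain="eng_group", version=2):
    """Render constructed 'show vtp status' text (sample input, not captured output)."""
    words = [f"0x{digest_hex[i:i + 2].upper()}" for i in range(0, 32, 2)]
    return TEMPLATE.format(mode=mode, revision=revision, devid=devid, domain=domain,
                           version=version, digest1=" ".join(words[:8]),
                           digest2=" ".join(words[8:]))


def parse_vtp_status(text):
    """Extract the fields the guide's cautions depend on."""
    fields, last = {}, None
    for raw in text.splitlines():
        if raw and not raw[0].isspace() and ":" in raw:
            label, value = raw.split(":", 1)
            last = label.strip().lower()
            fields[last] = value.strip()
        elif last and raw[:1].isspace() and raw.strip():   # wrapped digest line
            fields[last] += " " + raw.strip()
    return {
        "domain": fields.get("vtp domain name", ""),
        "version": int(fields.get("vtp version running", "1")),
        "mode": fields.get("vtp operating mode", "").lower(),
        "revision": int(fields.get("configuration revision", "0")),
        "digest": re.sub(r"0x|\s", "", fields.get("md5 digest", "")).lower(),
    }


def audit_domain(statuses):
    """Findings across devices that are in, or are about to join, one domain."""
    findings, vals = [], list(statuses.values())
    domains = sorted({s["domain"] for s in vals})
    if len(domains) > 1:
        findings.append(f"domain name mismatch: {domains}")
    versions = sorted({s["version"] for s in vals})
    if len(versions) > 1:
        findings.append(f"mixed VTP versions: {versions}")
    if not any(s["mode"] == "server" for s in vals):
        findings.append("no VTP server: VLAN configuration for the domain cannot be changed")
    if len({s["digest"] for s in vals}) > 1:
        findings.append("MD5 digest differs between devices: check that the same "
                        "VTP password is set on every device")
    return findings


def safe_to_add(candidate, domain_statuses):
    """The joining device's revision must be lower than that of every device
    already in the domain; revision 0 (freshly reset) is always safe."""
    lowest = min(s["revision"] for s in domain_statuses.values())
    rev = candidate["revision"]
    if rev == 0 or rev < lowest:
        return True, f"candidate revision {rev} is below the domain's {lowest}"
    return False, (f"candidate revision {rev} is not below the domain's {lowest}; reset it "
                   "(change the domain name and change it back) before connecting the trunk")


# Constructed sample devices.
DIGEST = "3a1f5c90112233445566778899aabbcc"
DOMAIN = {
    "core1": parse_vtp_status(constructed_status("Server", 27, DIGEST, "0011.2233.4455")),
    "dist1": parse_vtp_status(constructed_status("Client", 27, DIGEST, "0011.2233.4466")),
}
# A client that still carries a high revision and a different password digest.
STALE_CLIENT = parse_vtp_status(constructed_status("Client", 88, "deadbeef" * 4, "0011.2233.4477"))
# A client whose revision was reset to 0 as the procedure above describes.
RESET_CLIENT = parse_vtp_status(constructed_status("Client", 0, DIGEST, "0011.2233.4488"))

if __name__ == "__main__":
    for name, cand in (("stale", STALE_CLIENT), ("reset", RESET_CLIENT)):
        print(name, safe_to_add(cand, DOMAIN))
    print(audit_domain({**DOMAIN, "access9": STALE_CLIENT}))
```

Comparing the MD5 digest field is the cheapest way to confirm the password caution: devices configured with the same domain and the same VLAN database but a different VTP password show different digests.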
Monitoring VTP
This section describes commands used to display and monitor the VTP configuration.
You monitor VTP by displaying VTP configuration information: the domain name, the current VTP revision,
and the number of VLANs. You can also display statistics about the advertisements sent and received by the
device.
Command: show vtp counters
Purpose: Displays counters about VTP messages that have been sent and received.
Command: show vtp devices [conflict]
Purpose: Displays information about all VTP version 3 devices in the domain. Conflicts are VTP version 3 devices with conflicting primary servers. The show vtp devices command does not display information when the device is in transparent or off mode.
Command: show vtp interface [interface-id]
Purpose: Displays VTP status and configuration for all interfaces or the specified interface.
Command: show vtp password
Purpose: Displays the VTP password. The form of the password displayed depends on whether or not the hidden keyword was entered and if encryption is enabled on the device.
Where to Go Next
After configuring VTP, you can configure the following:
• VLANs
• VLAN trunking
• Voice VLANs
• Private VLANs
Additional References
Related Documents
Additional configuration commands and procedures: Command Reference (Catalyst 9500 Series Switches)
Error Message Decoder
Description: To help you research and resolve system error messages in this release, use the Error Message Decoder tool.
Link: https://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi
Standard/RFC Title
RFC 1573: Evolution of the Interfaces Group of MIB-II
RFC 2021: SNMPv2 Management Information Base for the Transmission Control Protocol using SMIv2
MIBs
Technical Assistance
Description: The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.
To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.
Link: http://www.cisco.com/support
CHAPTER 2
Configuring VLANs
• Prerequisites for VLANs, on page 25
• Restrictions for VLANs, on page 25
• Information About VLANs, on page 26
• How to Configure VLANs, on page 30
• Monitoring VLANs, on page 38
• Additional References, on page 39
• Feature History and Information for VLANs, on page 39
• If a switch has 8 trunk ports (200 active VLANs on each trunk) and 40 access ports, the number of
STP virtual ports on this switch would be: 8 * 200 + 40 = 1,640
For information about the supported scalability of STP virtual ports, see the Cisco Catalyst 9500 Series
Switches Data Sheet.
• The device supports IEEE 802.1Q trunking methods for sending VLAN traffic over Ethernet ports.
• The interface VLAN already has a MAC address assigned by default. You can override the interface VLAN MAC address by using the mac-address command. If this command is configured on a single SVI or routed port that requires Layer 3 injected packets, all other SVIs or routed ports on the device must also be configured with the same first four bytes (4MSB) of the MAC address. For example, if you set the MAC address of any SVI to xxxx.yyyy.zzzz, set the MAC address of all other SVIs to start with xxxx.yyyy. If Layer 3 injected packets are not used, this restriction does not apply.
Note This applies to all Layer 3 ports, SVIs, and routed ports. This does not apply to
GigabitEthernet0/0 port.
• When deploying Cisco StackWise Virtual, ensure that VLAN ID 4094 is not used anywhere on the
network. All inter-chassis system control communication between stack members is carried over the
reserved VLAN ID 4094 from the global range.
• Once a range of interfaces has been bundled, any VLAN interface configuration change must be done
only on a port channel. Otherwise, the interfaces will get suspended.
Logical Networks
A VLAN is a switched network that is logically segmented by function, project team, or application, without
regard to the physical locations of the users. VLANs have the same attributes as physical LANs, but you can
group end stations even if they are not physically located on the same LAN segment. Any device port can
belong to a VLAN, and unicast, broadcast, and multicast packets are forwarded and flooded only to end
stations in the VLAN. Each VLAN is considered a logical network, and packets destined for stations that do
not belong to the VLAN must be forwarded through a router or a device supporting fallback bridging. In a
switch stack, VLANs can be formed with ports across the stack. Because a VLAN is considered a separate
logical network, it contains its own bridge Management Information Base (MIB) information and can support
its own implementation of spanning tree.
VLANs are often associated with IP subnetworks. For example, all the end stations in a particular IP subnet
belong to the same VLAN. Interface VLAN membership on the device is assigned manually on an
interface-by-interface basis. When you assign device interfaces to VLANs by using this method, it is known
as interface-based, or static, VLAN membership.
Traffic between VLANs must be routed.
The device can route traffic between VLANs by using switch virtual interfaces (SVIs). An SVI must be explicitly configured and assigned an IP address to route traffic between VLANs.
Supported VLANs
The device supports VLANs in VTP client, server, and transparent modes. VLANs are identified by a number
from 1 to 4094. VLAN 1 is the default VLAN and is created during system initialization.
You can configure up to 4094 VLANs on the device. However, not all VLANs can be active simultaneously.
In the MSTP mode, you can configure 1000 active VLANs at any point in time.
VLAN IDs 1002 through 1005 are reserved for Token Ring and FDDI VLANs. All of the VLANs except
1002 to 1005 are available for user configuration.
There are three VTP versions: VTP version 1, version 2, and version 3. All VTP versions support both normal
and extended range VLANs, but only with VTP version 3 does the device propagate extended range VLAN
configuration information. When extended range VLANs are created in VTP versions 1 and 2, their
configuration information is not propagated. Even the local VTP database entries on the device are not updated,
but the extended range VLAN configuration information is created and stored in the running configuration
file.
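An added Python example (not code from the Cisco guide) that encodes the ID rules in this section together with the StackWise Virtual restriction stated earlier: it classifies a VLAN ID and reports which IDs in a planned VLAN set a device on a given VTP version will not propagate or must not use. The function names and the sample VLAN plan are my own.

```python
"""Classify Catalyst VLAN IDs and predict what VTP will propagate.

Added example, not code from the Cisco guide. It encodes the rules stated
in the Supported VLANs text: IDs run from 1 to 4094, VLAN 1 is the
default, 1002 to 1005 are reserved for Token Ring and FDDI, 1006 to 4094
are extended range, and only VTP version 3 propagates extended-range
VLAN configuration. The StackWise Virtual rule from the restrictions
(VLAN 4094 must not be used) is applied when stackwise_virtual is set.
The sample VLAN plan in the usage is constructed.
"""
RESERVED_TR_FDDI = range(1002, 1006)    # 1002..1005
EXTENDED_RANGE = range(1006, 4095)      # 1006..4094
STACKWISE_VIRTUAL_VLAN = 4094


def classify_vlan(vlan_id, stackwise_virtual=False):
    """Label a VLAN ID; raise ValueError when it is outside 1-4094."""
    if not isinstance(vlan_id, int) or not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID {vlan_id!r} is outside 1-4094")
    if stackwise_virtual and vlan_id == STACKWISE_VIRTUAL_VLAN:
        return "reserved-stackwise-virtual"
    if vlan_id == 1:
        return "default"
    if vlan_id in RESERVED_TR_FDDI:
        return "reserved-token-ring-fddi"
    if vlan_id in EXTENDED_RANGE:
        return "extended"
    return "normal"


def vtp_propagates(vlan_id, vtp_version):
    """True when a device running this VTP version propagates the VLAN.

    All versions carry normal-range VLANs; extended-range VLANs are
    propagated only by VTP version 3 and otherwise exist only in the
    local running configuration.
    """
    if vtp_version not in (1, 2, 3):
        raise ValueError("VTP version must be 1, 2 or 3")
    if classify_vlan(vlan_id) == "extended":
        return vtp_version == 3
    return True


def audit_vlan_plan(vlan_ids, vtp_version, stackwise_virtual=False):
    """Return [(vlan_id, finding)] for IDs an operator should not rely on."""
    findings = []
    for vid in vlan_ids:
        try:
            kind = classify_vlan(vid, stackwise_virtual)
        except ValueError as exc:
            findings.append((vid, str(exc)))
            continue
        if kind == "reserved-token-ring-fddi":
            findings.append((vid, "reserved for Token Ring/FDDI; not available for user configuration"))
        elif kind == "reserved-stackwise-virtual":
            findings.append((vid, "carries StackWise Virtual control traffic; do not use it anywhere"))
        elif kind == "extended" and not vtp_propagates(vid, vtp_version):
            findings.append((vid, f"extended-range VLAN is not propagated by VTP version {vtp_version}; "
                                  "it exists only in this device's running configuration"))
    return findings


if __name__ == "__main__":
    # Constructed plan: one normal VLAN, one reserved ID, one extended-range
    # VLAN on a VTP version 2 domain, and VLAN 4094 on StackWise Virtual.
    for vid, note in audit_vlan_plan([10, 1002, 2000, 4094], 2, stackwise_virtual=True):
        print(f"VLAN {vid}: {note}")
```

The audit is meant to run before a VLAN plan is pushed: an extended-range VLAN that a version 1 or 2 domain silently keeps local is a common source of mismatched databases across a VTP domain.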
When a port belongs to a VLAN, the device learns and manages the addresses associated with the port on a
per-VLAN basis.
Membership Mode | VLAN Membership Characteristics | VTP Characteristics
Static-access | A static-access port can belong to one VLAN and is manually assigned to that VLAN. | VTP is not required. If you do not want VTP to globally propagate information, set the VTP mode to transparent. To participate in VTP, there must be at least one trunk port on the device or the device stack connected to a trunk port of a second device or device stack.
Trunk (IEEE 802.1Q): IEEE 802.1Q is the industry-standard trunking encapsulation. | A trunk port is a member of all VLANs by default, including extended-range VLANs, but membership can be limited by configuring the allowed-VLAN list. You can also modify the pruning-eligible list to block flooded traffic to VLANs on trunk ports that are included in the list. | VTP is recommended but not required. VTP maintains VLAN configuration consistency by managing the addition, deletion, and renaming of VLANs on a network-wide basis. VTP exchanges VLAN configuration messages with other devices over trunk links.
Voice VLAN | A voice VLAN port is an access port attached to a Cisco IP Phone, configured to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone. | VTP is not required; it has no effect on a voice VLAN.
Normal-Range VLAN Configuration Guidelines
• If the VTP mode or domain name in the startup configuration does not match the VLAN database, the
domain name and VTP mode and configuration for the VLAN IDs 1 to 1005 use the VLAN database
information.
• In VTP versions 1 and 2, if VTP mode is server, the domain name and VLAN configuration for VLAN
IDs 1 to 1005 use the VLAN database information. VTP version 3 also supports VLANs 1006 to 4094.
Note Ensure that you delete the vlan.dat file along with the configuration files before you reset the switch
configuration using the write erase command. This ensures that the switch reboots correctly on a reset.
Extended-Range VLAN Configuration Guidelines
• When a device joins a stack or when stacks merge, VTP information (the vlan.dat file) on the new device
will be consistent with the active device.
Creating or Modifying an Ethernet VLAN
You can cause inconsistency in the VLAN database if you attempt to manually delete the vlan.dat file. If you
want to modify the VLAN configuration, follow the procedures in this section.
SUMMARY STEPS
1. configure terminal
2. vlan vlan-id
3. name vlan-name
4. media { ethernet | fd-net | fddi | tokenring | trn-net }
5. end
6. end
7. show vlan {name vlan-name | id vlan-id}
DETAILED STEPS
Step 2 vlan vlan-id
Enters a VLAN ID, and enters VLAN configuration mode. Enter a new VLAN ID to create a VLAN, or enter an
existing VLAN ID to modify that VLAN.
Example:
Device(config)# vlan 20
Step 3 name vlan-name
(Optional) Enters a name for the VLAN. If no name is entered for the VLAN, the default is to append the vlan-id
value with leading zeros to the word VLAN. For example, VLAN0004 is a default VLAN name for VLAN 4.
Example:
Device(config-vlan)# name test20
The following additional VLAN configuration command options are available:
• are—Sets the maximum number of All Router
Explorer (ARE) hops for the VLAN.
• backupcrf—Enables or disables the backup
concentrator relay function (CRF) mode for the VLAN.
• bridge—Sets the value of the bridge number for the
FDDI net or Token Ring net type VLANs.
• exit—Applies changes, bumps the revision number,
and exits.
• media—Sets the media type of the VLAN.
• no—Negates the command or default.
• parent—Sets the value of the ID for the parent VLAN
for FDDI or Token Ring type VLANs.
• remote-span—Configures a remote SPAN VLAN.
• ring—Sets the ring number value for FDDI or Token
Ring type VLANs.
• said—Sets the IEEE 802.10 SAID value.
• shutdown—Shuts down the VLAN switching.
• state—Sets the operational VLAN state to active or
suspended.
• ste—Sets the maximum number of Spanning Tree
Explorer (STE) hops for the VLAN.
• stp—Sets the Spanning Tree characteristics of the
VLAN.
You cannot shut down or suspend the state for the default VLAN or VLANs 1006 to 4094.
Step 4 media { ethernet | fd-net | fddi | tokenring | trn-net }
Configures the VLAN media type. Command options include:
• ethernet—Sets the VLAN media type as Ethernet.
Example:
Device(config)# end
Device(config)# end
Deleting a VLAN
When you delete a VLAN from a device that is in VTP server mode, the VLAN is removed from the VLAN
database for all devices in the VTP domain. When you delete a VLAN from a device that is in VTP transparent
mode, the VLAN is deleted only on that specific device or a device stack.
You cannot delete the default VLANs for the different media types: Ethernet VLAN 1 and FDDI or Token
Ring VLANs 1002 to 1005.
Caution When you delete a VLAN, any ports assigned to that VLAN become inactive. They remain associated with
the VLAN (and thus inactive) until you assign them to a new VLAN.
SUMMARY STEPS
1. enable
2. configure terminal
3. no vlan vlan-id
4. end
5. show vlan brief
6. copy running-config startup-config
DETAILED STEPS
Device> enable
Step 3 no vlan vlan-id Removes the VLAN by entering the VLAN ID.
Example:
Device(config)# no vlan 4
Device(config)# end
Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Assigning Static-Access Ports to a VLAN
SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. switchport mode access
5. switchport access vlan vlan-id
6. end
7. show running-config interface interface-id
8. show interfaces interface-id switchport
9. copy running-config startup-config
DETAILED STEPS
Device> enable
Step 4 switchport mode access Defines the VLAN membership mode for the port (Layer
2 access port).
Example:
Step 5 switchport access vlan vlan-id Assigns the port to a VLAN. Valid VLAN IDs are 1 to
4094.
Example:
Device(config-if)# end
Step 7 show running-config interface interface-id Verifies the VLAN membership mode of the interface.
Example:
Step 8 show interfaces interface-id switchport Verifies your entries in the Administrative Mode and the
Access Mode VLAN fields of the display.
Example:
Step 9 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Creating an Extended-Range VLAN
SUMMARY STEPS
1. enable
2. configure terminal
3. vlan vlan-id
4. remote-span
5. exit
6. end
7. show vlan id vlan-id
8. copy running-config startup-config
DETAILED STEPS
Device> enable
Device(config-vlan)# remote-span
Device(config-vlan)# exit
Device(config)#
Device(config)# end
Step 7 show vlan id vlan-id Verifies that the VLAN has been created.
Example:
Step 8 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Monitoring VLANs
Table 4: Privileged EXEC show Commands
Command | Purpose
show interfaces [vlan vlan-id] | Displays characteristics for all interfaces or for the specified VLAN configured on the device.
show vlan [ access-map name | brief | dot1q { tag native } | filter [ access-map | vlan ] | group [ group-name name ] | id vlan-id | ifindex | mtu | name name | private-vlan remote-span | summary ] | Displays parameters for all VLANs or the specified VLAN on the device. The following command options are available:
• access-map—Displays the VLAN access-maps.
• brief—Displays VTP VLAN status in brief.
• dot1q—Displays the dot1q parameters.
• filter—Displays VLAN filter information.
• group—Displays the VLAN group with its name and the connected VLANs that are available.
• id—Displays VTP VLAN status by identification number.
• ifindex—Displays SNMP ifIndex.
• mtu—Displays VLAN MTU information.
• name—Displays the VTP VLAN information by specified name.
• private-vlan—Displays private VLAN information.
• remote-span—Displays the remote SPAN VLANs.
• summary—Displays a summary of VLAN information.
Additional References
Related Documents
Standard/RFC | Title
RFC 1573 | Evolution of the Interfaces Group of MIB-II
RFC 2021 | SNMPv2 Management Information Base for the Transmission Control Protocol using SMIv2
CHAPTER 3
Configuring VLAN Trunks
• Finding Feature Information, on page 41
• Prerequisites for VLAN Trunks, on page 41
• Restrictions for VLAN Trunks, on page 42
• Information About VLAN Trunks, on page 43
• How to Configure VLAN Trunks, on page 45
• Where to Go Next, on page 59
• Additional References, on page 59
• Feature History and Information for VLAN Trunks, on page 60
Restrictions for VLAN Trunks
• Disabling spanning tree on the native VLAN of an IEEE 802.1Q trunk without disabling spanning tree
on every VLAN in the network can potentially cause spanning-tree loops. We recommend that you leave
spanning tree enabled on the native VLAN of an IEEE 802.1Q trunk or disable spanning tree on every
VLAN in the network. Make sure your network is loop-free before disabling spanning tree.
• If you try to enable IEEE 802.1x on a trunk port, an error message appears, and IEEE 802.1x is not
enabled. If you try to change the mode of an IEEE 802.1x-enabled port to trunk, the port mode is not
changed.
• A port in dynamic mode can negotiate with its neighbor to become a trunk port. If you try to enable IEEE
802.1x on a dynamic port, an error message appears, and IEEE 802.1x is not enabled. If you try to change
the mode of an IEEE 802.1x-enabled port to dynamic, the port mode is not changed.
• Dynamic Trunking Protocol (DTP) is not supported on tunnel ports.
• The device does not support Layer 3 trunks; you cannot configure subinterfaces or use the encapsulation
keyword on Layer 3 interfaces. The device does support Layer 2 trunks and Layer 3 VLAN interfaces,
which provide equivalent capabilities.
Because subinterfaces are not supported on Cisco Catalyst 9500 Series Switches, these cannot be used
as an Application Centric Infrastructure (ACI) Interpod Network (IPN) device. You also cannot use a
switch virtual interface (SVI) because Interpod spine switches reuse the same MAC address; which
causes flapping of MAC address in the IPN Layer 2 network.
Information About VLAN Trunks
Trunking Modes
Ethernet trunk interfaces support different trunking modes. You can set an interface as trunking or nontrunking
or to negotiate trunking with the neighboring interface. To autonegotiate trunking, the interfaces must be in
the same VTP domain.
Trunk negotiation is managed by the Dynamic Trunking Protocol (DTP), which is a point-to-point protocol.
However, some internetworking devices might forward DTP frames improperly, which could cause
misconfigurations.
Mode | Function
switchport mode access | Puts the interface (access port) into permanent nontrunking mode and negotiates to convert the link into a nontrunk link. The interface becomes a nontrunk interface regardless of whether or not the neighboring interface is a trunk interface.
switchport mode dynamic auto | Makes the interface able to convert the link to a trunk link. The interface becomes a trunk interface if the neighboring interface is set to trunk or desirable mode. The default switchport mode for all Ethernet interfaces is dynamic auto for C9500-12Q-E, C9500-12Q-A, C9500-24Q-E, C9500-24Q-A, C9500-40X-E, and C9500-40X-A models of the Cisco Catalyst 9500 Series Switches.
switchport mode dynamic desirable | Makes the interface actively attempt to convert the link to a trunk link. The interface becomes a trunk interface if the neighboring interface is set to trunk, desirable, or auto mode. The default switchport mode for all Ethernet interfaces is dynamic desirable for C9500-32C, C9500-32QC, C9500-48Y4C, and C9500-24Y4C models of the Cisco Catalyst 9500 Series Switches.
switchport mode trunk | Puts the interface into permanent trunking mode and negotiates to convert the neighboring link into a trunk link. The interface becomes a trunk interface even if the neighboring interface is not a trunk interface.
switchport nonegotiate | Prevents the interface from generating DTP frames. You can use this command only when the interface switchport mode is access or trunk. You must manually configure the neighboring interface as a trunk interface to establish a trunk link.
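The mode table above as runnable logic, added here and not code from the Cisco guide: operational_mode() returns the local interface's state for each combination of DTP modes, and audit_dtp() scans a constructed running-config excerpt for ports whose trunk state is still left to DTP, either because they are in a dynamic mode (explicitly or through the platform default from the table) or because a static access or trunk port lacks switchport nonegotiate. The interface names, the excerpt and the function names are assumptions.

```python
"""Model the DTP outcome table and audit ports that still negotiate.

Added example, not code from the Cisco guide. operational_mode() encodes
the Mode/Function table: access never trunks, trunk always trunks,
dynamic desirable trunks with trunk/desirable/auto, dynamic auto trunks only
with trunk/desirable. audit_dtp() reads a constructed running-config and
reports ports whose trunking state is still decided by DTP frames.
"""
import re

# Platform defaults taken from the guide's Trunking Modes table.
MODEL_DEFAULT_MODE = {
    "C9500-12Q-E": "dynamic auto", "C9500-12Q-A": "dynamic auto",
    "C9500-24Q-E": "dynamic auto", "C9500-24Q-A": "dynamic auto",
    "C9500-40X-E": "dynamic auto", "C9500-40X-A": "dynamic auto",
    "C9500-32C": "dynamic desirable", "C9500-32QC": "dynamic desirable",
    "C9500-48Y4C": "dynamic desirable", "C9500-24Y4C": "dynamic desirable",
}
MODES = ("access", "trunk", "dynamic auto", "dynamic desirable")


def operational_mode(local_mode, neighbor_mode, neighbor_sends_dtp=True):
    """Operational state ("trunk" or "access") of the local interface.

    Static modes ignore the neighbor. Dynamic modes depend on the neighbor's
    DTP frames, so a neighbor configured with switchport nonegotiate
    (neighbor_sends_dtp=False) leaves a dynamic port in access mode even if
    that neighbor is a trunk. Only the local side is returned; trunk facing
    access yields a mismatched link.
    """
    if local_mode not in MODES or neighbor_mode not in MODES:
        raise ValueError(f"unknown mode: {local_mode!r}/{neighbor_mode!r}")
    if local_mode in ("access", "trunk"):
        return local_mode
    if not neighbor_sends_dtp:
        return "access"
    if local_mode == "dynamic desirable":
        trunk_with = ("trunk", "dynamic desirable", "dynamic auto")
    else:  # dynamic auto: needs an active (trunk or desirable) neighbor
        trunk_with = ("trunk", "dynamic desirable")
    return "trunk" if neighbor_mode in trunk_with else "access"


# Constructed running-config excerpt used by the audit below.
SAMPLE_RUNNING_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/2
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
!
interface GigabitEthernet1/0/3
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/4
 description left at the platform default mode
!
"""


def parse_interfaces(running_config):
    """Split running-config text into {interface name: [config lines]}."""
    interfaces, current = {}, None
    for line in running_config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        elif line.strip() == "!":
            current = None
    return interfaces


def audit_dtp(running_config, model):
    """Report ports whose trunk state depends on DTP.

    "dynamic": ports in dynamic auto/desirable, explicitly or by platform
    default. "dtp_still_sent": access or trunk ports without
    switchport nonegotiate, which still generate DTP frames.
    """
    default_mode = MODEL_DEFAULT_MODE[model]
    report = {"dynamic": [], "dtp_still_sent": []}
    mode_re = re.compile(r"switchport mode (access|trunk|dynamic (?:auto|desirable))$")
    for name, lines in parse_interfaces(running_config).items():
        mode, nonegotiate = default_mode, False
        for line in lines:
            m = mode_re.match(line)
            if m:
                mode = m.group(1)
            elif line == "switchport nonegotiate":
                nonegotiate = True
        if mode.startswith("dynamic"):
            report["dynamic"].append((name, mode))
        elif not nonegotiate:
            report["dtp_still_sent"].append(name)
    return report
```

A port in the dynamic list becomes a trunk as soon as a neighbor that sends desirable or trunk DTP frames appears on the link; fixing the mode to access or trunk and adding switchport nonegotiate makes the trunk state a configuration decision rather than a negotiated one, which is the usual hardening step on ports that face end stations.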
Feature Interactions
Trunking interacts with other features in these ways:
• A trunk port cannot be a secure port.
• Trunk ports can be grouped into EtherChannel port groups, but all trunks in the group must have the
same configuration. When a group is first created, all ports follow the parameters set for the first port to
be added to the group. If you change the configuration of one of these parameters, the device propagates
the setting that you entered to all ports in the group:
  • Allowed-VLAN list.
  • STP port priority for each VLAN.
  • STP Port Fast setting.
  • Trunk status: if one port in a port group ceases to be a trunk, all ports cease to be trunks.
• If you try to enable IEEE 802.1x on a trunk port, an error message appears, and IEEE 802.1x is not
enabled. If you try to change the mode of an IEEE 802.1x-enabled port to trunk, the port mode is not
changed.
• A port in dynamic mode can negotiate with its neighbor to become a trunk port. If you try to enable IEEE
802.1x on a dynamic port, an error message appears, and IEEE 802.1x is not enabled. If you try to change
the mode of an IEEE 802.1x-enabled port to dynamic, the port mode is not changed.
Configuring an Ethernet Interface as a Trunk Port
SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. switchport mode {dynamic {auto | desirable} | trunk}
5. switchport access vlan vlan-id
6. switchport trunk native vlan vlan-id
7. end
8. show interfaces interface-id switchport
9. show interfaces interface-id trunk
10. copy running-config startup-config
DETAILED STEPS
Device> enable
Step 3 interface interface-id Specifies the port to be configured for trunking, and enters
interface configuration mode.
Example:
Step 4 switchport mode {dynamic {auto | desirable} | trunk}
Configures the interface as a Layer 2 trunk (required only if the interface is a Layer 2 access port or tunnel
port or to specify the trunking mode).
• dynamic auto—Sets the interface to a trunk link if the neighboring interface is set to trunk or desirable
mode. This is the default.
• dynamic desirable—Sets the interface to a trunk link if the neighboring interface is set to trunk, desirable,
or auto mode.
• trunk—Sets the interface in permanent trunking mode and negotiates to convert the link to a trunk link
even if the neighboring interface is not a trunk interface.
Example:
Device(config-if)# switchport mode dynamic desirable
Step 5 switchport access vlan vlan-id (Optional) Specifies the default VLAN, which is used if
the interface stops trunking.
Example:
Step 6 switchport trunk native vlan vlan-id Specifies the native VLAN for IEEE 802.1Q trunks.
Example:
Device(config)# end
Step 8 show interfaces interface-id switchport
Displays the switch port configuration of the interface in the Administrative Mode and the Administrative
Trunking Encapsulation fields of the display.
Example:
Device# show interfaces gigabitethernet1/0/2 switchport
Step 9 show interfaces interface-id trunk Displays the trunk configuration of the interface.
Example:
Step 10 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Defining the Allowed VLANs on a Trunk
SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. switchport mode trunk
5. switchport trunk allowed vlan { word | add | all | except | none | remove} vlan-list
6. end
7. show interfaces interface-id switchport
8. copy running-config startup-config
DETAILED STEPS
Device> enable
Step 3 interface interface-id Specifies the port to be configured, and enters interface
configuration mode.
Example:
Step 5 switchport trunk allowed vlan { word | add | all | except | none | remove} vlan-list
(Optional) Configures the list of VLANs allowed on the trunk. The vlan-list parameter is either a single VLAN
number from 1 to 4094 or a range of VLANs described by two VLAN numbers, the lower one first, separated
by a hyphen. Do not enter any spaces between comma-separated VLAN parameters or in hyphen-specified
ranges. All VLANs are allowed by default.
Example:
Device(config-if)# switchport trunk allowed vlan remove 2
Device(config)# end
Step 7 show interfaces interface-id switchport Verifies your entries in the Trunking VLANs Enabled field
of the display.
Example:
Step 8 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Changing the Pruning-Eligible List
SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. switchport trunk pruning vlan {add | except | none | remove} vlan-list [,vlan [,vlan [,,,]]
5. end
6. show interfaces interface-id switchport
DETAILED STEPS
Device> enable
Step 3 interface interface-id Selects the trunk port for which VLANs should be pruned,
and enters interface configuration mode.
Example:
Step 4 switchport trunk pruning vlan {add | except | none | remove} vlan-list [,vlan [,vlan [,,,]]
Configures the list of VLANs allowed to be pruned from the trunk. For explanations about using the add,
except, none, and remove keywords, see the command reference for this release.
Separate non-consecutive VLAN IDs with a comma and no spaces; use a hyphen to designate a range of IDs.
Valid IDs are 2 to 1001. Extended-range VLANs (VLAN IDs 1006 to 4094) cannot be pruned.
VLANs that are pruning-ineligible receive flooded traffic. The default list of VLANs allowed to be pruned
contains VLANs 2 to 1001.
Device(config)# end
Step 6 show interfaces interface-id switchport Verifies your entries in the Pruning VLANs Enabled field
of the display.
Example:
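An added Python example (not code from the Cisco guide) that covers both the allowed-VLAN list in the previous procedure and the pruning-eligible list in this one: parse_vlan_list() enforces the vlan-list syntax the steps describe (lower ID first in a range, commas, no spaces), apply_keyword() applies add, remove, except, all and none to a current list, and pruning_vlans() bounds IDs to 2 to 1001 so an extended-range ID is rejected rather than silently ignored. The keyword meanings are the usual IOS ones and my reading, not text from the page; the function names are assumptions.

```python
"""Parse Cisco vlan-list strings and apply allowed-VLAN and pruning keywords.

Added example, not code from the Cisco guide; it serves both the
switchport trunk allowed vlan step and the switchport trunk pruning vlan
step. parse_vlan_list() enforces the syntax the guide states: single IDs
or hyphenated ranges with the lower ID first, comma separated, no spaces.
The keyword meanings are the usual IOS ones and are my reading rather
than text from the page: all = every VLAN, none = empty list, add/remove
edit the current list, except = every VLAN but those listed, a bare list
replaces the current one. Pruning lists are bounded to 2-1001.
"""
import re

_ITEM = re.compile(r"^(\d+)(?:-(\d+))?$")
DEFAULT_ALLOWED = set(range(1, 4095))    # all VLANs allowed by default
DEFAULT_PRUNING = set(range(2, 1002))    # default pruning-eligible list


def parse_vlan_list(text, low=1, high=4094):
    """Return the set of VLAN IDs a vlan-list string names.

    Raises ValueError for spaces, empty items, reversed ranges or IDs
    outside low..high.
    """
    if not text or text != text.strip() or " " in text:
        raise ValueError("vlan-list must be non-empty and contain no spaces")
    vlans = set()
    for item in text.split(","):
        m = _ITEM.match(item)
        if not m:
            raise ValueError(f"bad vlan-list item {item!r}")
        start = int(m.group(1))
        end = int(m.group(2)) if m.group(2) else start
        if start > end:
            raise ValueError(f"range {item} must give the lower VLAN first")
        if start < low or end > high:
            raise ValueError(f"{item} is outside the valid range {low}-{high}")
        vlans.update(range(start, end + 1))
    return vlans


def apply_keyword(current, keyword=None, text=None, low=1, high=4094):
    """Apply one {add | all | except | none | remove} form to a current set."""
    full = set(range(low, high + 1))
    if keyword == "all":
        return full
    if keyword == "none":
        return set()
    listed = parse_vlan_list(text, low, high)
    if keyword is None:            # bare vlan-list (the guide's "word")
        return listed
    if keyword == "add":
        return current | listed
    if keyword == "remove":
        return current - listed
    if keyword == "except":
        return full - listed
    raise ValueError(f"unknown keyword {keyword!r}")


def allowed_vlans(current, keyword=None, text=None):
    """switchport trunk allowed vlan: valid IDs 1 to 4094."""
    return apply_keyword(current, keyword, text, 1, 4094)


def pruning_vlans(current, keyword=None, text=None):
    """switchport trunk pruning vlan: valid IDs 2 to 1001, so extended-range
    VLANs (1006 to 4094) are rejected rather than silently ignored."""
    return apply_keyword(current, keyword, text, 2, 1001)


def format_vlan_list(vlans):
    """Compress a set of IDs into the hyphen/comma notation IOS displays."""
    parts, run = [], []
    for vid in sorted(vlans) + [None]:
        if run and (vid is None or vid != run[-1] + 1):
            parts.append(str(run[0]) if len(run) == 1 else f"{run[0]}-{run[-1]}")
            run = []
        if vid is not None:
            run.append(vid)
    return ",".join(parts)
```

format_vlan_list() is the inverse of the parser, useful when comparing an intended allowed list against the Trunking VLANs Enabled field of show interfaces switchport: pruning only limits flooded traffic, so a VLAN that should not cross a trunk at all belongs in the allowed list, not merely in the pruning list.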
Configuring the Native VLAN for Untagged Traffic
SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. switchport trunk native vlan vlan-id
5. end
6. show interfaces interface-id switchport
7. copy running-config startup-config
DETAILED STEPS
Device> enable
Step 3 interface interface-id Defines the interface that is configured as the IEEE 802.1Q
trunk, and enters interface configuration mode.
Example:
Device(config-if)# end
Step 6 show interfaces interface-id switchport Verifies your entries in the Trunking Native Mode VLAN
field.
Example:
Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Configuring Trunk Ports for Load Sharing
Configuring Load Sharing Using STP Port Priorities
SUMMARY STEPS
1. enable
2. configure terminal
3. vtp domain domain-name
4. vtp mode server
5. end
6. show vtp status
7. show vlan
8. configure terminal
9. interface interface-id
10. switchport mode trunk
11. end
12. show interfaces interface-id switchport
13. Repeat the above steps on Device A for a second port in the device or device stack.
14. Repeat the above steps on Device B to configure the trunk ports that connect to the trunk ports configured
on Device A.
15. show vlan
16. configure terminal
17. interface interface-id
18. spanning-tree vlan vlan-range port-priority priority-value
19. exit
20. interface interface-id
21. spanning-tree vlan vlan-range port-priority priority-value
22. end
23. show running-config
24. copy running-config startup-config
DETAILED STEPS
Device> enable
Device(config)# end
Step 6 show vtp status
Verifies the VTP configuration on both Device A and Device B. In the display, check the VTP Operating
Mode and the VTP Domain Name fields.
Example:
Device# show vtp status
Step 7 show vlan
Verifies that the VLANs exist in the database on Device A.
Example:
Step 9 interface interface-id Defines the interface to be configured as a trunk, and enters
interface configuration mode.
Example:
Device(config-if)# end
Step 17 interface interface-id Defines the interface to set the STP port priority, and enters
interface configuration mode.
Example:
Step 18 spanning-tree vlan vlan-range port-priority priority-value
Assigns the port priority for the VLAN range specified. Enter a port priority value from 0 to 240. Port priority
values increment by 16.
Example:
Device(config-if)# exit
Step 20 interface interface-id Defines the interface to set the STP port priority, and enters
interface configuration mode.
Example:
Step 21 spanning-tree vlan vlan-range port-priority priority-value
Assigns the port priority for the VLAN range specified. Enter a port priority value from 0 to 240. Port priority
values increment by 16.
Example:
Device(config-if)# end
Step 24 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Configuring Load Sharing Using STP Path Cost
SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. switchport mode trunk
5. exit
6. Repeat Steps 2 through 4 on a second interface in Device A or in Device A stack.
7. end
8. show running-config
9. show vlan
10. configure terminal
11. interface interface-id
12. spanning-tree vlan vlan-range cost cost-value
13. end
14. Repeat Steps 9 through 13 on the other configured trunk interface on Device A, and set the spanning-tree
path cost to 30 for VLANs 8, 9, and 10.
15. exit
16. show running-config
17. copy running-config startup-config
DETAILED STEPS
Device> enable
Step 3 interface interface-id Defines the interface to be configured as a trunk, and enters
interface configuration mode.
Example:
Device(config-if)# exit
Device(config)# end
Step 8 show running-config Verifies your entries. In the display, make sure that the
interfaces are configured as trunk ports.
Example:
Step 11 interface interface-id Defines the interface on which to set the STP cost, and
enters interface configuration mode.
Example:
Step 12 spanning-tree vlan vlan-range cost cost-value Sets the spanning-tree path cost to 30 for VLANs 2 through
4.
Example:
Device(config-if)# end
Device(config)# exit
Step 16 show running-config Verifies your entries. In the display, verify that the path
costs are set correctly for both trunk interfaces.
Example:
Step 17 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
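An added Python model (not code from the Cisco guide) for both load-sharing procedures, the STP port priority one and the STP path cost one. It assumes two parallel trunks to the same neighbor, so per VLAN the lower root path cost wins, then the lower port priority, then the lower port number, which is the standard STP port ID comparison when the sender bridge ID is the same on both links. It validates the 0 to 240, multiples of 16 priority rule stated in Step 18 and Step 21 and uses the page's cost of 30 on VLANs 2 to 4 and 8 to 10 as constructed input; the default cost of 19, the class and function names and the interface names are assumptions.

```python
"""Per-VLAN trunk selection for the two STP load-sharing procedures.

Added example, not code from the Cisco guide; it serves both the port
priority and the path cost procedures. Assumed topology: two parallel
trunks between Device A and Device B with the same neighbor on both, so
the neighbor's bridge ID never breaks a tie. For each VLAN the selecting
device prefers, in order, the lower root path cost, then the lower port
priority, then the lower port number (standard STP port ID comparison).
The default cost and the interface names are constructed.
"""
DEFAULT_PRIORITY = 128   # IOS default port priority
DEFAULT_COST = 19        # assumed per-link cost when none is configured


def check_port_priority(value):
    """Port priority must be 0 to 240 in increments of 16 (from the guide)."""
    if not isinstance(value, int) or not 0 <= value <= 240 or value % 16:
        raise ValueError(f"port priority {value!r} must be 0-240 in steps of 16")
    return value


def check_vlan_range(vlans):
    """Reject VLAN IDs outside 1-4094; return the IDs as a list."""
    vlans = list(vlans)
    for v in vlans:
        if not 1 <= v <= 4094:
            raise ValueError(f"VLAN {v} outside 1-4094")
    return vlans


class Trunk:
    """One trunk interface with per-VLAN STP port priority and path cost."""

    def __init__(self, name, port_number, base_cost=DEFAULT_COST):
        self.name = name
        self.port_number = port_number
        self.base_cost = base_cost
        self.priority = {}   # vlan -> spanning-tree vlan X port-priority
        self.cost = {}       # vlan -> spanning-tree vlan X cost

    def set_port_priority(self, vlans, value):
        check_port_priority(value)
        for v in check_vlan_range(vlans):
            self.priority[v] = value
        return self

    def set_cost(self, vlans, value):
        if value < 1:
            raise ValueError("path cost must be positive")
        for v in check_vlan_range(vlans):
            self.cost[v] = value
        return self

    def sort_key(self, vlan):
        # Comparison order: root path cost, then port priority, then port number.
        return (self.cost.get(vlan, self.base_cost),
                self.priority.get(vlan, DEFAULT_PRIORITY),
                self.port_number)


def forwarding_trunk(vlan, trunks):
    """Name of the trunk that carries this VLAN after STP converges."""
    return min(trunks, key=lambda t: t.sort_key(vlan)).name


def load_sharing_map(vlans, trunks):
    """{vlan: trunk name} for every VLAN in vlans."""
    return {v: forwarding_trunk(v, trunks) for v in vlans}


def share_counts(vlans, trunks):
    """How many VLANs land on each trunk; all on one trunk means no sharing."""
    counts = {t.name: 0 for t in trunks}
    for name in load_sharing_map(vlans, trunks).values():
        counts[name] += 1
    return counts


if __name__ == "__main__":
    # Path cost variant from the guide: cost 30 for VLANs 2-4 on one trunk
    # and for VLANs 8-10 on the other, so each set takes the other link.
    a = Trunk("GigabitEthernet1/0/1", 1).set_cost(range(2, 5), 30)
    b = Trunk("GigabitEthernet1/0/2", 2).set_cost(range(8, 11), 30)
    print(load_sharing_map(range(2, 11), [a, b]))
    print(share_counts(range(2, 11), [a, b]))
```

share_counts() is the check to run after the procedure: VLANs that were given neither a priority nor a cost all fall back to the lower port number, so a plan that only touches a few VLANs leaves the rest on one link and the other trunk mostly in the blocking state.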
Where to Go Next
After configuring VLAN trunks, you can configure the following:
• VLANs
• Voice VLANs
• Private VLANs
Additional References
Related Documents
Description | Link
To help you research and resolve system error messages in this release, use the Error Message Decoder tool. | https://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi
Standard/RFC | Title
RFC 1573 | Evolution of the Interfaces Group of MIB-II
RFC 2021 | SNMPv2 Management Information Base for the Transmission Control Protocol using SMIv2
MIBs
Technical Assistance
Description | Link
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. | http://www.cisco.com/support
CHAPTER 4
Configuring Voice VLANs
• Finding Feature Information, on page 61
• Prerequisites for Voice VLANs, on page 61
• Restrictions for Voice VLANs, on page 62
• Information About Voice VLAN, on page 62
• How to Configure Voice VLAN, on page 64
• Monitoring Voice VLAN, on page 67
• Where to Go Next, on page 67
• Additional References, on page 68
• Feature History and Information for Voice VLAN, on page 69
Note Trunk ports can carry any number of voice VLANs, similar to regular VLANs.
The configuration of voice VLANs is not supported on trunk ports.
• Before you enable voice VLAN, enable QoS on the device by entering the trust device cisco-phone
interface configuration command. If you use the auto QoS feature, these settings are automatically
configured.
Restrictions for Voice VLANs
• You must enable CDP on the device port connected to the Cisco IP Phone to send the configuration to
the phone. (CDP is globally enabled by default on all device interfaces.)
Note In all configurations, the voice traffic carries a Layer 3 IP precedence value (the default is 5 for voice traffic
and 3 for voice control traffic).
Voice VLAN Configuration Guidelines
• In trusted mode, all traffic received through the access port on the Cisco IP Phone passes through the
phone unchanged.
• In untrusted mode, all traffic in IEEE 802.1Q or IEEE 802.1p frames received through the access port
on the Cisco IP Phone receives a configured Layer 2 CoS value. The default Layer 2 CoS value is 0.
Untrusted mode is the default.
Note Untagged traffic from the device attached to the Cisco IP Phone passes through the phone unchanged, regardless
of the trust state of the access port on the phone.
• The Cisco IP Phone and a device attached to the phone cannot communicate if they are in the same
VLAN and subnet but use different frame types because traffic in the same subnet is not routed (routing
would eliminate the frame type difference).
• Voice VLAN ports can also be these port types:
• Dynamic access port.
• IEEE 802.1x authenticated port.
Note If you enable IEEE 802.1x on an access port on which a voice VLAN is configured
and to which a Cisco IP Phone is connected, the phone loses connectivity to the
device for up to 30 seconds.
• Protected port.
• A source or destination port for a SPAN or RSPAN session.
• Secure port.
Note When you enable port security on an interface that is also configured with a voice
VLAN, you must set the maximum allowed secure addresses on the port to two
plus the maximum number of secure addresses allowed on the access VLAN.
When the port is connected to a Cisco IP Phone, the phone requires up to two
MAC addresses. The phone address is learned on the voice VLAN and might
also be learned on the access VLAN. Connecting a PC to the phone requires
additional MAC addresses.
How to Configure Voice VLAN
Configuring Cisco IP Phone Voice Traffic
SUMMARY STEPS
1. configure terminal
2. interface interface-id
3. trust device cisco-phone
4. switchport voice vlan {vlan-id | dot1p | none | untagged}
5. end
6. Use one of the following:
• show interfaces interface-id switchport
• show running-config interface interface-id
7. copy running-config startup-config
DETAILED STEPS
Step 1 configure terminal Enters global configuration mode.
Example:
Device# configure terminal
Step 2 interface interface-id Specifies the interface connected to the phone, and enters interface
configuration mode.
Step 3 trust device cisco-phone Configures the interface to trust incoming traffic packets for the Cisco IP
phone.
Example:
Device(config-if)# trust device cisco-phone
Step 4 switchport voice vlan {vlan-id | dot1p | none | untagged} Configures the voice VLAN.
• vlan-id—Configures the phone to forward all voice traffic through the specified VLAN. By default, the
Cisco IP Phone forwards the voice traffic with an IEEE 802.1Q priority of 5. Valid VLAN IDs are 1 to 4094.
• dot1p—Configures the device to accept voice and data IEEE 802.1p priority frames tagged with VLAN ID 0
(the native VLAN). By default, the device drops all voice and data traffic tagged with VLAN 0. If
configured for 802.1p, the Cisco IP Phone forwards the traffic with an IEEE 802.1p priority of 5.
• none—Allows the phone to use its own configuration to send untagged voice traffic.
• untagged—Configures the phone to send untagged voice traffic.
Example:
Device(config-if)# switchport voice vlan dot1p
Step 5 end Returns to privileged EXEC mode.
Example:
Device(config-if)# end
Step 6 Use one of the following: Verifies your voice VLAN entries or your QoS and voice VLAN entries.
• show interfaces interface-id switchport
• show running-config interface interface-id
Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Configuring the Priority of Incoming Data Frames
SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. switchport priority extend {cos value | trust}
5. end
6. show interfaces interface-id switchport
7. copy running-config startup-config
DETAILED STEPS
Step 1 enable Enables privileged EXEC mode.
Example:
Device> enable
Step 3 interface interface-id Specifies the interface connected to the Cisco IP Phone, and enters interface
configuration mode.
Step 4 switchport priority extend {cos value | trust} Sets the priority of data traffic received from the Cisco IP
Phone access port:
• cos value—Configures the phone to override the priority received from the PC or the attached device
with the specified CoS value. The value is a number from 0 to 7, with 7 as the highest priority. The default
priority is cos 0.
• trust—Configures the phone access port to trust the priority received from the PC or the attached device.
Example:
Device(config-if)# switchport priority extend trust
Step 5 end Returns to privileged EXEC mode.
Example:
Device(config-if)# end
Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Where to Go Next
After configuring voice VLANs, you can configure the following:
• VLANs
• VLAN Trunking
• VTP
• Private VLANs
Additional References
Related Documents
Description: To help you research and resolve system error messages in this release, use the Error Message
Decoder tool.
Link: https://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi
Standard/RFC Title
RFC 1573 Evolution of the Interfaces Group of MIB-II
RFC 2021 SNMPv2 Management Information Base for the Transmission Control Protocol using SMIv2
MIBs
Technical Assistance
Description: The Cisco Support website provides extensive online resources, including documentation and
tools for troubleshooting and resolving technical issues with Cisco products and technologies.
To receive security and technical information about your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and
Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.
Link: http://www.cisco.com/support
CHAPTER 5
Configuring Private VLANs
• Finding Feature Information, on page 71
• Prerequisites for Private VLANs, on page 71
• Restrictions for Private VLANs, on page 71
• Information About Private VLANs, on page 72
• How to Configure Private VLANs, on page 81
• Monitoring Private VLANs, on page 90
• Configuration Examples for Private VLANs, on page 91
• Where to Go Next, on page 93
• Additional References, on page 93
Restrictions for Private VLANs
Note In some cases, the configuration is accepted with no error messages, but the commands have no effect.
• Do not configure a remote SPAN (RSPAN) VLAN as a primary or a secondary VLAN of a private-VLAN.
• Do not configure private VLAN ports on interfaces configured for these other features:
• Dynamic-access port VLAN membership
• Dynamic Trunking Protocol (DTP)
• IPv6 Security Group (SG)
• Port Aggregation Protocol (PAgP)
• Link Aggregation Control Protocol (LACP)
• Multicast VLAN Registration (MVR)
• Voice VLAN
• Web Cache Communication Protocol (WCCP)
• You can configure IEEE 802.1x port-based authentication on a private-VLAN port, but do not configure
802.1x with port security, voice VLAN, or per-user ACL on private-VLAN ports.
• A private-VLAN host or promiscuous port cannot be a SPAN destination port. If you configure a SPAN
destination port as a private-VLAN port, the port becomes inactive.
• If you configure a static MAC address on a promiscuous port in the primary VLAN, you need not add
the same static address to all associated secondary VLANs. Similarly, if you configure a static MAC
address on a host port in a secondary VLAN, you need not add the same static MAC address to the
associated primary VLAN. Also, when you delete a static MAC address from a private-VLAN port, you
do not have to remove all instances of the configured MAC address from the private VLAN.
Note Dynamic MAC addresses learned in the secondary VLAN of a private VLAN
are replicated to the primary VLANs. All MAC entries are learnt on secondary
VLANs, even if the traffic ingresses from primary VLAN. If a MAC address is
dynamically learnt in the primary VLAN, it is not replicated in the associated
secondary VLANs.
• Configure Layer 3 VLAN interfaces (switch virtual interfaces) only for primary VLANs.
• A private VLAN does not work when MACsec, Virtual Private LAN Services (VPLS), or the Cisco
Software-Defined Access solution is configured on the same VLAN.
Information About Private VLANs
• When running Network Essentials or Network Advantage, the device supports up to 4094 active VLANs.
If a service provider assigns one VLAN per customer, this limits the number of customers the service
provider can support.
• To enable IP routing, each VLAN is assigned a subnet address space or a block of addresses, which can
result in wasting the unused IP addresses, and cause IP address management problems.
Using private VLANs addresses the scalability problem and provides IP address management benefits for
service providers and Layer 2 security for customers. Private VLANs partition a regular VLAN domain into
subdomains. A subdomain is represented by a pair of VLANs: a primary VLAN and a secondary VLAN. A
private VLAN can have multiple VLAN pairs, one pair for each subdomain. All VLAN pairs in a private
VLAN share the same primary VLAN. The secondary VLAN ID differentiates one subdomain from another.
Secondary VLANs
There are two types of secondary VLANs:
• Isolated VLANs—Ports within an isolated VLAN cannot communicate with each other at the Layer 2
level.
• Community VLANs—Ports within a community VLAN can communicate with each other but cannot
communicate with ports in other communities at the Layer 2 level.
• Isolated—An isolated port is a host port that belongs to an isolated secondary VLAN. It has complete
Layer 2 separation from other ports within the same private VLAN, except for the promiscuous ports.
Private VLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received
from an isolated port is forwarded only to promiscuous ports.
• Community—A community port is a host port that belongs to a community secondary VLAN. Community
ports communicate with other ports in the same community VLAN and with promiscuous ports. These
interfaces are isolated at Layer 2 from all other interfaces in other communities and from isolated ports
within their private VLAN.
Note Trunk ports carry traffic from regular VLANs and also from primary, isolated, and community VLANs.
A promiscuous port can serve only one primary VLAN, one isolated VLAN, and multiple community VLANs.
Layer 3 gateways are typically connected to the device through a promiscuous port. With a promiscuous port,
you can connect a wide range of devices as access points to a private VLAN. For example, you can use a
promiscuous port to monitor or back up all the private VLAN servers from an administration workstation.
You can extend private VLANs across multiple devices by trunking the primary, isolated, and community
VLANs to other devices that support private VLANs. To maintain the security of your private VLAN
configuration and to avoid other use of the VLANs configured as private VLANs, configure private VLANs
on all intermediate devices, including devices that have no private VLAN ports.
IP Addressing Scheme with Private VLANs
These problems are reduced by using private VLANs, where all members in the private VLAN share a common
address space, which is allocated to the primary VLAN. Hosts are connected to secondary VLANs, and the
DHCP server assigns them IP addresses from the block of addresses allocated to the primary VLAN. Subsequent
IP addresses can be assigned to customer devices in different secondary VLANs, but in the same primary
VLAN. When new devices are added, the DHCP server assigns them the next available address from a large
pool of subnet addresses.
As with regular VLANs, private VLANs can span multiple devices. A trunk port carries the primary VLAN
and secondary VLANs to a neighboring device. The trunk port treats the private VLAN as any other VLAN.
A feature of private VLANs across multiple devices is that traffic from an isolated port in Device A does not
reach an isolated port on Device B.
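To make the port-type rules above concrete, here is an added Python model (not Cisco code and not part of this guide) that decides Layer 2 reachability between private VLAN ports, including ports on different trunk-connected devices; the device labels, interface names and VLAN IDs are constructed for the example.

```python
"""Layer 2 reachability model for private VLAN ports.

Added example (not Cisco code). It encodes the forwarding rules the guide states:
a promiscuous port exchanges frames with the host ports of every secondary VLAN
mapped to it, community ports exchange frames within their own community VLAN,
and isolated ports exchange frames only with promiscuous ports. Device labels,
interface names and VLAN IDs below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

PROMISCUOUS, ISOLATED, COMMUNITY = "promiscuous", "isolated", "community"


@dataclass(frozen=True)
class PvlanPort:
    name: str                          # constructed label "device:interface"
    primary: int                       # primary VLAN of the private VLAN
    kind: str                          # PROMISCUOUS, ISOLATED or COMMUNITY
    secondary: Optional[int] = None    # secondary VLAN of a host port
    mapping: frozenset[int] = frozenset()  # secondary VLANs mapped to a promiscuous port


def l2_allowed(src: PvlanPort, dst: PvlanPort) -> bool:
    """True if a Layer 2 frame received on src may be forwarded out of dst.

    The rules are symmetric and do not depend on which device a port sits on,
    which is why an isolated port on one device cannot reach an isolated port
    on another device even when the private VLAN is trunked between them.
    """
    if src == dst or src.primary != dst.primary:
        return False
    if src.kind == PROMISCUOUS and dst.kind == PROMISCUOUS:
        return True                              # both live in the primary VLAN
    if src.kind == PROMISCUOUS:
        return dst.secondary in src.mapping      # downstream into a mapped secondary VLAN
    if dst.kind == PROMISCUOUS:
        return src.secondary in dst.mapping      # upstream out of a mapped secondary VLAN
    # Two host ports: isolated ports never reach another host port, and
    # community ports reach only ports in the same community VLAN.
    if ISOLATED in (src.kind, dst.kind):
        return False
    return src.secondary == dst.secondary


def reachable(src: PvlanPort, ports: list[PvlanPort]) -> list[str]:
    """Names of the ports that frames from src can reach, for a quick audit."""
    return sorted(p.name for p in ports if l2_allowed(src, p))


# Constructed topology: primary VLAN 20, isolated VLAN 501 and community VLANs
# 502 and 503, spread over two trunk-connected devices A and B.
PROM_A = PvlanPort("A:Gi1/0/1", 20, PROMISCUOUS, mapping=frozenset({501, 502, 503}))
ISO_A = PvlanPort("A:Gi1/0/2", 20, ISOLATED, 501)
ISO_B = PvlanPort("B:Gi1/0/2", 20, ISOLATED, 501)
COM502_A = PvlanPort("A:Gi1/0/3", 20, COMMUNITY, 502)
COM502_B = PvlanPort("B:Gi1/0/3", 20, COMMUNITY, 502)
COM503_B = PvlanPort("B:Gi1/0/4", 20, COMMUNITY, 503)
TOPOLOGY = [PROM_A, ISO_A, ISO_B, COM502_A, COM502_B, COM503_B]

if __name__ == "__main__":
    for port in TOPOLOGY:
        print(f"{port.name} ({port.kind}) -> {reachable(port, TOPOLOGY)}")
```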
Private VLANs are supported in transparent mode for VTP versions 1, 2, and 3. Private VLANs are also supported
in server mode for VTP version 3. In a server-client setup using VTP version 3, private VLANs configured on
the server are reflected on the clients.
Private-VLAN Interaction with Other Features
Multicast traffic is routed or bridged across private VLAN boundaries and within a single community VLAN.
Multicast traffic is not forwarded between ports in the same isolated VLAN or between ports in different
secondary VLANs.
Private VLAN multicast forwarding supports the following:
• The sender can be outside the VLAN domain and the receivers inside it.
• The sender can be inside the VLAN domain and the receivers outside it.
• The sender and receivers can both be in the same community VLAN.
When the primary VLAN is associated with and mapped to the secondary VLAN, any configuration on the
primary VLAN is propagated to the secondary VLAN SVIs. For example, if you assign an IP subnet to the
primary VLAN SVI, this subnet is the IP subnet address of the entire private VLAN.
• On this device, you do not need to replicate the MAC address to the associated VLAN. For the above
example, you configure only
mac-address static A vlan 101 interface G1/0/1
After the Layer 2 forwarding lookup, the proper egress VLAN mapping happens, and all egress VLAN-based
feature processing happens in the egress VLAN context.
When a frame is forwarded at Layer 2 within a private VLAN, the VLAN map is applied at the ingress side
and at the egress side. When a frame is routed from inside a private VLAN to an external port, the private-VLAN
map is applied at the ingress side. Similarly, when a frame is routed from an external port to a private VLAN,
the private-VLAN map is applied at the egress side. This applies to both bridged and routed traffic.
Bridging:
• For upstream traffic from secondary VLAN to primary VLAN, the MAP of the secondary VLAN is
applied on the ingress side and the MAP of the primary VLAN is applied on the egress side.
• For downstream traffic from primary VLAN to secondary VLAN, the MAP of the primary VLAN is
applied in the ingress direction and the MAP of the secondary VLAN is applied in the egress direction.
Routing:
Consider two private VLAN domains, PV1 (sec1, prim1) and PV2 (sec2, prim2). For frames routed from
PV1 to PV2:
• The MAP of sec1 and the L3 ACL of prim1 are applied at the ingress port.
• The MAP of sec2 and the L3 ACL of prim2 are applied at the egress port.
For packets going upstream or downstream between an isolated host port and a promiscuous port, the isolated
VLAN's VACL is applied in the ingress direction and the primary VLAN's VACL is applied in the egress direction.
This allows you to configure a different VACL for each secondary VLAN in the same primary VLAN domain.
Note A 2-way community VLAN is no longer required, because private VLANs on this device are always bidirectional.
Secondary and Primary VLAN Configuration
• With VTP version 1 or 2, after you have configured private VLANs, use the copy running-config
startup-config privileged EXEC command to save the VTP transparent mode configuration and private-VLAN
configuration in the device startup configuration file. Otherwise, if the device resets, it defaults to VTP
server mode, which does not support private VLANs. VTP version 3 does support private VLANs.
• VTP versions 1 and 2 do not propagate private-VLAN configuration. You must configure private VLANs
on each device where you want private-VLAN ports unless the devices are running VTP version 3, which
propagates private VLANs.
• You cannot configure VLAN 1 or VLANs 1002 to 1005 as primary or secondary VLANs. Extended
VLANs (VLAN IDs 1006 to 4094) can belong to private VLANs.
• A primary VLAN can have one isolated VLAN and multiple community VLANs associated with it. An
isolated or community VLAN can have only one primary VLAN associated with it.
• Although a private VLAN contains more than one VLAN, only one Spanning Tree Protocol (STP)
instance runs for the entire private VLAN. When a secondary VLAN is associated with the primary
VLAN, the STP parameters of the primary VLAN are propagated to the secondary VLAN.
• When copying a PVLAN configuration from a tftp server and applying it on a running-config, the PVLAN
association will not be formed. You will need to check and ensure that the primary VLAN is associated
to all the secondary VLANs.
You can also use configure replace flash:config_file force instead of copy flash:config_file
running-config.
• You can enable DHCP snooping on private VLANs. When you enable DHCP snooping on the primary
VLAN, it is propagated to the secondary VLANs. If you configure DHCP on a secondary VLAN, the
configuration does not take effect if the primary VLAN is already configured.
• When you enable IP source guard on private-VLAN ports, you must enable DHCP snooping on the
primary VLAN.
• We recommend that you prune the private VLANs from the trunks on devices that carry no traffic in the
private VLANs.
• You can apply different quality of service (QoS) configurations to primary, isolated, and community
VLANs.
• Note the following considerations for sticky ARP:
• Sticky ARP entries are those learned on SVIs and Layer 3 interfaces. These entries do not age out.
• The ip sticky-arp global configuration command is supported only on SVIs belonging to private
VLANs.
• The ip sticky-arp interface configuration command is only supported on:
• Layer 3 interfaces
• SVIs belonging to normal VLANs
• SVIs belonging to private VLANs
For more information about using the ip sticky-arp global configuration and the ip sticky-arp
interface configuration commands, see the command reference for this release.
• You can configure VLAN maps on primary and secondary VLANs. However, we recommend that you
configure the same VLAN maps on private-VLAN primary and secondary VLANs.
• PVLANs are bidirectional. They can be applied at both the ingress and egress sides.
When a frame is forwarded at Layer 2 within a private VLAN, the VLAN map is applied at the ingress
side and at the egress side. When a frame is routed from inside a private VLAN to an external port, the
private-VLAN map is applied at the ingress side. Similarly, when a frame is routed from an external
port to a private VLAN, the private-VLAN map is applied at the egress side.
Bridging
• For upstream traffic from secondary VLAN to primary VLAN, the MAP of the secondary VLAN
is applied on the ingress side and the MAP of the primary VLAN is applied on the egress side.
• For downstream traffic from primary VLAN to secondary VLAN, the MAP of the primary VLAN
is applied in the ingress direction and the MAP of the secondary VLAN is applied in the egress
direction.
Routing
Consider two private VLAN domains, PV1 (sec1, prim1) and PV2 (sec2, prim2). For frames routed
from PV1 to PV2:
• The MAP of sec1 and the L3 ACL of prim1 are applied at the ingress port.
• The MAP of sec2 and the L3 ACL of prim2 are applied at the egress port.
• For packets going upstream or downstream between an isolated host port and a promiscuous port, the
isolated VLAN's VACL is applied in the ingress direction and the primary VLAN's VACL is applied in
the egress direction. This allows you to configure a different VACL for each secondary VLAN in the
same primary VLAN domain.
To filter out specific IP traffic for a private VLAN, you should apply the VLAN map to both the primary
and secondary VLANs.
• You can apply router ACLs only on the primary-VLAN SVIs. The ACL is applied to both primary and
secondary VLAN Layer 3 traffic.
• Although private VLANs provide host isolation at Layer 2, hosts can communicate with each other at
Layer 3.
• Private VLANs support these Switched Port Analyzer (SPAN) features:
• You can configure a private-VLAN port as a SPAN source port.
• You can use VLAN-based SPAN (VSPAN) on primary, isolated, and community VLANs or use
SPAN on only one VLAN to separately monitor egress or ingress traffic.
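The association and mapping guidelines above (one primary per secondary VLAN, at most one isolated VLAN per primary, host-association and promiscuous-mapping pairs that match an existing association, SVIs only on primary VLANs, transparent mode for VTP versions 1 and 2) can be audited offline. The following added Python script (not Cisco code) parses a constructed running-config excerpt and reports each inconsistency; the VLAN IDs, interface names and the VTP-default heuristic are assumptions of the example.

```python
"""Consistency checks for a private VLAN running-config.

Added example, not Cisco code: applies the guidelines above to a constructed
running-config excerpt (interface names and VLAN IDs are constructed).
"""
import re
from collections import defaultdict


def expand_vlan_list(spec: str) -> set[int]:
    """Expand a secondary_vlan_list such as '501-503,505' (no spaces allowed)."""
    out: set[int] = set()
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def parse_config(text: str) -> dict:
    """Collect VLAN roles, associations, host/promiscuous ports, SVIs and VTP lines."""
    cfg = {"role": {}, "assoc": {}, "host": {}, "prom": {}, "svi": set(), "vtp": set()}
    section = None  # ("vlan", id) or ("if", name) for the block being read
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"vlan (\d+)$", line):
            section = ("vlan", int(m.group(1)))
        elif m := re.match(r"interface (\S+)$", line):
            section = ("if", m.group(1))
            if m.group(1).startswith("Vlan"):  # an SVI: note the VLAN it belongs to
                cfg["svi"].add(int(m.group(1)[4:]))
        elif m := re.match(r"vtp (mode \S+|version \d)$", line):
            cfg["vtp"].add(m.group(1))
        elif section and section[0] == "vlan":
            if m := re.match(r"private-vlan (primary|isolated|community)$", line):
                cfg["role"][section[1]] = m.group(1)
            elif m := re.match(r"private-vlan association (?:add )?(\S+)$", line):
                cfg["assoc"][section[1]] = expand_vlan_list(m.group(1))
        elif section and section[0] == "if":
            if m := re.match(r"switchport private-vlan host-association (\d+) (\d+)$", line):
                cfg["host"][section[1]] = (int(m.group(1)), int(m.group(2)))
            elif m := re.match(r"switchport private-vlan mapping (\d+) (?:add )?(\S+)$", line):
                cfg["prom"][section[1]] = (int(m.group(1)), expand_vlan_list(m.group(2)))
    return cfg


def check(cfg: dict) -> list[str]:
    """Return one finding per guideline violation; an empty list means consistent."""
    findings: list[str] = []
    role, assoc = cfg["role"], cfg["assoc"]
    primaries_of: dict[int, list[int]] = defaultdict(list)  # secondary -> primaries
    for prim, secs in assoc.items():
        for sec in secs:
            primaries_of[sec].append(prim)
        if sum(role.get(s) == "isolated" for s in secs) > 1:
            findings.append(f"primary VLAN {prim} is associated with more than one isolated VLAN")
    for vid, r in role.items():
        if r != "primary" and len(primaries_of[vid]) != 1:
            findings.append(f"{r} VLAN {vid} is associated with {len(primaries_of[vid])} primary VLANs, expected 1")
    for name, (prim, sec) in cfg["host"].items():
        if sec not in assoc.get(prim, set()):
            findings.append(f"{name}: host-association {prim} {sec} has no matching private-vlan association")
    for name, (prim, secs) in cfg["prom"].items():
        if missing := sorted(secs - assoc.get(prim, set())):
            findings.append(f"{name}: mapping lists VLANs not associated with primary {prim}: {missing}")
    for vid in sorted(cfg["svi"]):
        if role.get(vid) in ("isolated", "community"):
            findings.append(f"interface Vlan{vid}: SVI on a secondary VLAN; configure the SVI on the primary")
    # Heuristic: the default (VTP version 1, server mode) is not printed in a running-config.
    if not cfg["vtp"] & {"version 3", "mode transparent"}:
        findings.append("VTP version 1/2 without transparent mode: private VLANs are lost after a reset")
    return findings


# Constructed running-config excerpt: community VLAN 504 was created but never associated
# with primary VLAN 20 (the case described for configurations copied from a TFTP server),
# and an SVI exists on secondary VLAN 502.
SAMPLE_CONFIG = """\
vtp mode transparent
vlan 20
 private-vlan primary
 private-vlan association 501-502
vlan 501
 private-vlan isolated
vlan 502
 private-vlan community
vlan 504
 private-vlan community
interface GigabitEthernet1/0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 20 add 501-502
interface GigabitEthernet1/0/5
 switchport mode private-vlan host
 switchport private-vlan host-association 20 504
interface Vlan502
"""

if __name__ == "__main__":
    print("\n".join(check(parse_config(SAMPLE_CONFIG))) or "no findings")
```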
Private VLAN Port Configuration
• Do not configure ports that belong to a PAgP or LACP EtherChannel as private VLAN ports. While a
port is part of the private VLAN configuration, any EtherChannel configuration for it is inactive.
• Enable Port Fast and BPDU guard on isolated and community host ports to prevent STP loops due to
misconfigurations and to speed up STP convergence. When enabled, STP applies the BPDU guard feature
to all Port Fast-configured Layer 2 LAN ports. Do not enable Port Fast and BPDU guard on promiscuous
ports.
• If you delete a VLAN used in the private VLAN configuration, the private VLAN ports associated with
the VLAN become inactive.
• Private VLAN ports can be on different network devices if the devices are trunk-connected and the
primary and secondary VLANs have not been removed from the trunk.
Note Private VLANs are supported in transparent mode for VTP versions 1, 2, and 3. Private VLANs are also supported
in server mode with VTP version 3.
How to Configure Private VLANs
SUMMARY STEPS
1. Set VTP mode to transparent.
2. Create the primary and secondary VLANs and associate them.
3. Configure interfaces to be isolated or community host ports, and assign VLAN membership to the host
port.
4. Configure interfaces as promiscuous ports, and map the promiscuous ports to the primary-secondary
VLAN pair.
5. If inter-VLAN routing will be used, configure the primary SVI, and map secondary VLANs to the primary.
6. Verify private-VLAN configuration.
DETAILED STEPS
Step 2 Create the primary and secondary VLANs and associate them.
See Configuring and Associating VLANs in a Private VLAN, on page 82.
Note If the VLAN is not created already, the private-VLAN configuration process creates it.
Step 3 Configure interfaces to be isolated or community host ports, and assign VLAN membership to the host port.
See Configuring a Layer 2 Interface as a Private VLAN Host Port, on page 85.
Step 4 Configure interfaces as promiscuous ports, and map the promiscuous ports to the primary-secondary VLAN pair.
See Configuring a Layer 2 Interface as a Private VLAN Promiscuous Port, on page 87.
Step 5 If inter-VLAN routing will be used, configure the primary SVI, and map secondary VLANs to the primary.
See Mapping Secondary VLANs to a Primary VLAN Layer 3 VLAN Interface, on page 89.
Configuring and Associating VLANs in a Private VLAN
SUMMARY STEPS
1. enable
2. configure terminal
3. vtp mode transparent
4. vlan vlan-id
5. private-vlan primary
6. exit
7. vlan vlan-id
8. private-vlan isolated
9. exit
10. vlan vlan-id
11. private-vlan community
12. exit
13. vlan vlan-id
14. private-vlan community
15. exit
16. vlan vlan-id
17. private-vlan association [add | remove] secondary_vlan_list
18. end
19. show vlan private-vlan [type] or show interfaces status
20. copy running-config startup-config
DETAILED STEPS
Step 1 enable Enables privileged EXEC mode.
Example:
Device> enable
Step 3 vtp mode transparent Sets VTP mode to transparent (disables VTP).
Note For VTP version 3, you can set the mode to either server or transparent.
Example:
Device(config)# vtp mode transparent
Step 4 vlan vlan-id Enters VLAN configuration mode and designates or creates a VLAN that will be the primary
VLAN. The VLAN ID range is 2 to 1001 and 1006 to 4094.
Example:
Device(config)# vlan 20
Step 6 exit Returns to global configuration mode.
Example:
Device(config-vlan)# exit
Step 9 exit Returns to global configuration mode.
Example:
Device(config-vlan)# exit
Step 12 exit Returns to global configuration mode.
Example:
Device(config-vlan)# exit
Step 15 exit Returns to global configuration mode.
Example:
Device(config-vlan)# exit
Step 16 vlan vlan-id Enters VLAN configuration mode for the primary VLAN designated in Step 4.
Example:
Device(config)# vlan 20
Step 17 private-vlan association [add | remove] secondary_vlan_list Associates the secondary VLANs with the
primary VLAN. The list can be a single private-VLAN ID or a hyphenated range of private-VLAN IDs.
Step 18 end Returns to privileged EXEC mode.
Example:
Device(config)# end
Step 19 show vlan private-vlan [type] or show interfaces status Verifies the configuration.
Step 20 copy running-config startup-config Saves your entries in the device startup configuration file.
Configuring a Layer 2 Interface as a Private VLAN Host Port
SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. switchport mode private-vlan host
5. switchport private-vlan host-association primary_vlan_id secondary_vlan_id
6. end
7. show interfaces [interface-id] switchport
8. copy running-config startup-config
DETAILED STEPS
Step 1 enable Enables privileged EXEC mode.
Example:
Device> enable
Step 3 interface interface-id Enters interface configuration mode for the Layer 2 interface to be configured.
Step 4 switchport mode private-vlan host Configures the Layer 2 port as a private-VLAN host port.
Step 5 switchport private-vlan host-association primary_vlan_id secondary_vlan_id Associates the Layer 2 port
with a private VLAN.
Note This is a required step to associate the PVLAN to a Layer 2 interface.
Step 6 end Returns to privileged EXEC mode.
Example:
Device(config)# end
Step 8 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Configuring a Layer 2 Interface as a Private VLAN Promiscuous Port
SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. switchport mode private-vlan promiscuous
5. switchport private-vlan mapping primary_vlan_id {add | remove} secondary_vlan_list
6. end
7. show interfaces [interface-id] switchport
8. copy running-config startup-config
DETAILED STEPS
Step 1 enable Enables privileged EXEC mode.
Example:
Device> enable
Step 3 interface interface-id Enters interface configuration mode for the Layer 2 interface to be configured.
Step 4 switchport mode private-vlan promiscuous Configures the Layer 2 port as a private VLAN promiscuous port.
Step 5 switchport private-vlan mapping primary_vlan_id {add | remove} secondary_vlan_list Maps the private VLAN
promiscuous port to a primary VLAN and to selected secondary VLANs.
• The secondary_vlan_list parameter cannot contain spaces. It can contain multiple comma-separated items.
Each item can be a single private VLAN ID or a hyphenated range of private VLAN IDs.
• Enter a secondary_vlan_list, or use the add keyword with a secondary_vlan_list to map the secondary
VLANs to the private VLAN promiscuous port.
• Use the remove keyword with a secondary_vlan_list to clear the mapping between secondary VLANs and
the private VLAN promiscuous port.
Example:
Device(config-if)# switchport private-vlan mapping 20 add 501-503
Step 6 end Returns to privileged EXEC mode.
Example:
Device(config)# end
Step 8 copy running-config startup-config Saves your entries in the device startup configuration file.
Mapping Secondary VLANs to a Primary VLAN Layer 3 VLAN Interface
Follow these steps to map secondary VLANs to the SVI of a primary VLAN to allow Layer 3 switching of
private VLAN traffic:
SUMMARY STEPS
1. enable
2. configure terminal
3. interface vlan primary_vlan_id
4. private-vlan mapping [add | remove] secondary_vlan_list
5. end
6. show interface private-vlan mapping
7. copy running-config startup-config
DETAILED STEPS
Step 1 enable Enables privileged EXEC mode.
Example:
Device> enable
Step 3 interface vlan primary_vlan_id Enters interface configuration mode for the primary VLAN, and configures
the VLAN as an SVI. The VLAN ID range is 2 to 1001 and 1006 to 4094.
Example:
Device(config)# interface vlan 20
Step 5 end Returns to privileged EXEC mode.
Example:
Device(config)# end
Step 7 copy running-config startup-config Saves your entries in the device startup configuration file.
Monitoring Private VLANs
Command Purpose
show interfaces status Displays the status of interfaces, including the VLANs to which they belong.
show vlan private-vlan [type] Displays the private VLAN information for the device.
show interface private-vlan mapping Displays information about the private VLAN mapping for VLAN SVIs.
Configuration Examples for Private VLANs
Example: Configuring an Interface as a Private VLAN Promiscuous Port
<output truncated>
Use the show vlan private-vlan or the show interface status privileged EXEC command to display primary
and secondary VLANs and private-VLAN ports on the Device.
Example: Monitoring Private VLANs
Where to Go Next
You can configure the following:
• VTP
• VLANs
• VLAN trunking
• Voice VLANs
Additional References
Related Documents
Standard/RFC Title
RFC 1573 Evolution of the Interfaces Group of MIB-II
MIBs
• CISCO-CDP-MIB
• CISCO-PAGP-MIB
• CISCO-PRIVATE-VLAN-MIB
• CISCO-LAG-MIB
• CISCO-L2L3-INTERFACE-CONFIG-MIB
• CISCO-MAC-NOTIFICATION-MIB
• CISCO-STP-EXTENSIONS-MIB
• CISCO-VLAN-IFTABLE-RELATIONSHIP-MIB
• CISCO-VLAN-MEMBERSHIP-MIB
• CISCO-VTP-MIB
• IEEE8023-LAG-MIB
• IF-MIB (RFC 1573)
• RMON-MIB (RFC 1757)
• RMON2-MIB (RFC 2021)
CHAPTER 6
Configuring Layer 3 Subinterfaces
This module describes how to configure the dot1q VLAN subinterfaces on a Layer 3 interface, which forwards
IPv4 and IPv6 packets to another device using static or dynamic routing protocols. You can use Layer 3
interfaces for IP routing and inter-VLAN routing of Layer 2 traffic.
• Restrictions for Configuring Layer 3 Subinterfaces, on page 95
• Information About Layer 3 Subinterfaces, on page 96
• How to Configure Layer 3 Subinterfaces, on page 97
• Example: Configuring Layer 3 Subinterfaces, on page 97
• Additional References, on page 98
• Feature Information for Layer 3 Subinterfaces, on page 98
Information About Layer 3 Subinterfaces
• Services—Network Address Translation (NAT) IPv4, Security Group Access Control List (SGACL)
enforcement, DHCP Server/Relay, SGT Exchange Protocol (SXP), and NetFlow.
How to Configure Layer 3 Subinterfaces
SUMMARY STEPS
1. enable
2. configure terminal
3. interface {type switch / slot / port.subinterface}
4. encapsulation dot1q vlan-id [native]
5. end
DETAILED STEPS
Step 3 interface {type switch / slot / port.subinterface} Selects an interface and enters subinterface configuration
mode. (To remove an interface, use the no form of this command.)
Example:
Device(config)# interface HundredGigabitEthernet 1/0/33.201
Step 4 encapsulation dot1q vlan-id [native] Configures 802.1Q encapsulation for the subinterface. The range is
from 1 to 4000. (To remove 802.1Q encapsulation for the subinterface, use the no form of this command.)
Example:
Device(config-subif)# encapsulation dot1q 33 native
Example: Configuring Layer 3 Subinterfaces
Device> enable
Device# configure terminal
Device(config)# interface HundredGigabitEthernet 1/0/33.201
Device(config-subif)# encapsulation dot1q 33 native
Device(config-subif)# end
Additional References
Related Documents
Technical Assistance
Description: The Cisco Support website provides extensive online resources, including documentation and
tools for troubleshooting and resolving technical issues with Cisco products and technologies.
To receive security and technical information about your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and
Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.
Link: http://www.cisco.com/support
Feature Information for Layer 3 Subinterfaces
Feature Name: Layer 3 Subinterfaces
Release: Cisco IOS XE Gibraltar 16.10.1
Feature Information: Layer 3 interfaces forward IPv4 and IPv6 packets to another device using static or
dynamic routing protocols. You can use Layer 3 interfaces for IP routing and inter-VLAN routing of Layer 2
traffic. This feature was introduced on Cisco Catalyst 9500 Series High Performance Switches.
Feature Name: Layer 3 Subinterfaces
Release: Cisco IOS XE Gibraltar 16.12.1
Feature Information: This feature was introduced on Cisco Catalyst 9500 Series Switches.
Feature Name: EtherChannel and Multiprotocol Label Switching
Release: Cisco IOS XE Gibraltar 16.12.1
Feature Information: These features were introduced on Layer 3 subinterfaces.