Virtual LANs (VLANs)
This chapter describes Arista’s Virtual LANs (VLANs) implementation and MAC address tables.
sections in this chapter include:
VLAN Introduction
Arista switches support industry standard 802.1q VLANs. Arista eos provides tools to manage and extend VLANs throughout the data center network.
VLAN Conceptual Overview
VLAN Definition
A Virtual Local Area Network (VLAN) allows a group of devices to communicate as if they were in the same network regardless of their physical location. VLANs are Layer 2 structures based on the 802.1Q standard.
- VLAN number (1-4094): VLAN numbers uniquely identify the VLAN within a network. VLAN 1 exists by default; all other VLANs only exist after they are configured.
- VLAN name (optional): The VLAN name is a text string that describes the VLAN.
- VLAN state (active or suspended): The state specifies the VLAN transmission status within the switch. In the suspended state, VLAN traffic is blocked on all switch ports. The default state is active.
VLANs define Layer 2 broadcast domains in a Layer 2 network, in which each device can receive broadcast frames sent by any other within the domain. Switches accommodating multiple broadcast domains serve as multi-port bridges where each broadcast domain is a distinct virtual bridge. Traffic does not pass directly between different VLANs within a switch or between two switches.
VLAN Switching
Ethernet and port channel interfaces are configured as switched ports by default. Switched ports are configurable as members of one or more VLANs. Switched ports ignore all IP-level configuration commands, including IP address assignments.
VLAN Trunking and Trunk Groups
Trunking extends multiple VLANs beyond the switch through a common interface or port channel.
A trunk group is the set of physical interfaces that comprise the trunk and the collection of VLANs whose traffic is carried on the trunk. The traffic of a VLAN that belongs to one or more trunk groups is carried only on ports that are members of trunk groups to which the VLAN belongs, i.e., VLANs configured in a trunk group are pruned of all ports that are not associated with the trunk group. See the Trunk Ports example section for further details.
- Access ports carry traffic for one VLAN – the access VLAN. Access ports associate untagged frames with the access VLAN. Access ports drop tagged frames that are not tagged with the access VLAN.
- Trunk ports carry traffic for multiple VLANs. Tag frames specify the VLAN for which trunk ports process packets.
Q-in-Q Trunking
A Q-in-Q network is a multi-tier layer 2 VLAN network. A typical Q-in-Q network is composed of a service provider network (tier 1) where each node connects to a customer network (tier 2).
802.1ad is a networking standard that supports Q-in-Q networks by allowing multiple 802.1Q tags in an Ethernet frame.
- Inbound traffic (from customer switches): adds an s-VLAN tag, then forwards packets to the provider network.
- Outbound traffic (to customer switches): removes the s-VLAN tag, then forwards packets to the customer network.
TPID (Configurable Ethertypes)
By default, VLAN-tagged packets carry a Tag Protocol Identifier (TPID) of 0x8100. On some Arista platforms, however, the TPID of a switchport can be modified in accordance with IEEE 802.1ad to allow for the use of 802.1q TPIDs other than 0x8100. Well known and standard tags include:
- 0x88a8 service VLAN tag used in provider bridging.
- 0x9100 service VLAN tag used in provider bridging (common, but not standardized).
Other non-standard TPID values may also be configured for interoperability with legacy equipment or non-standard systems. Values range from 0x600 (1536) through 0xFFFF (65535).
Non-default TPID values are most commonly used for provider bridging on a network-to-network interface.
VLAN Routing
Each VLAN can be associated with a Switch Virtual Interface (SVI), also called a VLAN interface. The VLAN interface functions in a routed network (Layer 3) with an assigned IP subnet address. Connecting different VLANs requires Layer 3 networking.
VLAN Interfaces
A Switched Virtual Interface (SVI) connects to the VLAN segment on the switch to provide Layer 3 processing for packets from the VLAN. An SVI can be activated only after it is connected to a VLAN. SVIs are typically configured for a VLAN to a default gateway for a subnet to facilitate traffic routing with other subnets.
In a Layer 3 network, each VLAN SVI is associated with an IP subnet, with all stations in the subnet members of the VLAN. Traffic between different VLANs is routed when IP routing is enabled.
Internal VLANs
A routed port is an Ethernet or port channel interface that functions as a Layer 3 interface. Routed ports do not bridge frames nor switch VLAN traffic. Routed ports have IP addresses assigned to them and packets are routed directly to and from the port.
The switch allocates an internal VLAN for an interface when it is configured as a routed port. The internal VLAN is assigned a previously unused VLAN ID. The switch prohibits the subsequent configuration of VLANs and VLAN interfaces with IDs corresponding to allocated internal VLANs.
Support for Private VLAN
- Primary VLAN: Ports in the primary VLAN can send and or receive traffic from ports in all the corresponding PVLANs. There is only one primary VLAN in a private VLAN.
- Community VLAN: This is a secondary VLAN. Hosts in a community VLAN forward traffic to each other as well as ports in the primary VLAN. There are multiple community VLANs in a private VLAN.
- Isolated VLAN: This is a secondary VLAN. Hosts in an isolated VLAN only forward traffic to ports in the primary VLAN. Hosts within an isolated VLAN can not communicate with each other using bridging. There are multiple isolated VLANs in a private VLAN.
Limitations
On DCS-7280R, DCS-7280R2, DCS-7500R, DCS-7500R2, DCS-7020R
- Private VLAN and Algomatch features are mutually exclusive. Disable algomatch with
the
hardware access-list mechanism tcam
command . Note that this requires a reload of the system to take effect. - L2 and L3 multicast traffic is not supported.
On All Platforms except 7300X3, CCS-720XP, DCS-7050X3
Private VLAN and IPv4/IPv6 uRPF features are mutually exclusive.
On All Platforms
- Tunnel termination on PVLAN ports is not supported.
- Ingress IPv4/IPv6 Racls on the primary VLAN are not honored for packets ingressing through ports in secondary VLANs.
- Only isolated private VLAN trunks and normal trunk ports are supported. It allows trunk ports to forward and receive traffic for all primary and or secondary VLANs. An isolated trunk translates traffic coming in on a primary VLANto the lowest valued secondary VLAN on the trunk port.
- Private VLAN is not supported on L2 subinterfaces.
- Hardware accelerated Sflow is not supported on Private VLAN ports.
- VLAN Mapping and or Translation is not supported with Private VLAN.
Show Commands
- Use the show vlan private-vlan command to display the
primary and secondary defined
VLANs:
switch# show vlan private-vlan Primary Secondary Type Ports ------- --------- ----------- ------------------------ 100 101 community Et1, Et6 100 102 isolated Et1, Et7, Et8 200 201 community Et10, Et9
- Use the show vlan 100,101,102,200,201 command to
diplay which interfaces are member of which
VLANs:
# show vlan 100,101,102,200,201 VLAN Name Status Ports ----- ------------- --------- ------------------------------- 100 VLAN0100 active Et1, Et6+, Et7+, Et8+ 101 VLAN0101 active Et1+, Et6 102 VLAN0102 active Et1+, Et7, Et8 200 VLAN0200 active Et10 201 VLAN0201 active Et10+, Et9 + indicates a private VLAN promoted port
Promoted ports are displayed to indicate they are part of the same broadcast domain as the indicated VLAN. Interfaces in a primary VLAN are included in the display of all its associated secondary VLANs. Interfaces in secondary VLANs are included in the display of both its primary VLAN and its own domain.
On DCS-7280R, DCS-7280R2, DCS-7500R, DCS-7500R2, DCS-7020R
switch# show platform sand pvlan interfaces
Interface Secondary Primary State
VLAN VLAN
----------------- ---------- ---------- ---------
Ethernet6 101 100 enabled
Ethernet7 102 100 enabled
Ethernet8 102 100 enabled
Po1 102 100 enabled
Ethernet9 201 200 failed
Po2 202 200 failed
In this output, the Secondary VLAN column indicates the VLAN which is configured on the interface. The Primary VLAN column indicates the primary VLAN to which the secondary VLAN belongs to. The State field has three possible values - enabled, failed, configured. The enabled state indicates that the private VLAN is configured and enabled on that interface. The failed state indicates that the private VLAN configuration has failed for that interface The configured state indicates that private VLAN is configured on that interface but has not taken effect. When port channels are configured in a private VLAN, it is enabled only if entries for all the member interfaces are successfully programmed in the hardware. If the hardware entries for any one of the member interfaces fails, the entries for other member interfaces are also removed from the hardware and the state is marked as failed.
VLAN Translation
VLAN translation allows you to map packets from one VLAN to another. This can be carried out only on packets having a dot1q header (tagged frames). The translation rewrites the Vlan ID field (VID) in dot1q headers on packets passing through a switched port without changing any other fields.
VLAN translation also supports the ability to translate packets with a dot1q header to the internal VLAN for a routed port. The VLAN in the incoming packets is mapped to the internal VLAN of the routed port and packets egressing the routed port are encapsulated with a dot1q header for the specified VLAN. For egress packets, no priority information is added to the dot1q header and the priority from the incoming encapsulation will be retained.
When configuring the VLAN translation mode, consider the following:
- VLAN translation is only supported for tagged packets.
- BPDUs from STP, LLDP and other protocols are not affected by this mapping.
- VLAN translation is not applicable for access ports.
- Untagged packets entering the switch on the trunk native VLAN are not mapped.
- TPID and VLAN priority does not get re-written during the translation.
VLAN Configuration Procedures
Creating and Configuring VLANs
- Explicitly through the vlan command.
- Implicitly through the switchport access vlan command.
The switchport access vlan command generates a warning message when it creates a VLAN.
To create a VLAN, use the vlan command in global configuration mode. Valid VLAN numbers range between 1 and 4094. To create multiple VLANs, specify a range of VLAN numbers.
To edit an existing VLAN, enter the vlan command with the number of the existing VLAN.
- This command creates VLAN
45 and enters VLAN configuration
mode for the new
VLAN.
switch(config)# vlan 45 switch(config-vlan-45)#
- Use the name (VLAN configuration mode) command to
assign a name to a VLAN.
These commands assign the name Marketing to VLAN 45.
switch(config)# vlan 45 switch(config-vlan-45)# name Marketing switch(config-vlan-45)# show vlan 45 VLAN Name Status Ports ---- -------------------------------- --------- ------- 45 Marketing active Et1 switch(config-vlan-45)#
- To change the state of a VLAN, use the state command in VLAN
configuration mode. These commands suspend VLAN 45. VLAN traffic is blocked on all switch ports.
switch(config)# vlan 45 switch(config-vlan-45)# state suspend switch(config-vlan-45)# show vlan 45 VLAN Name Status Ports ---- -------------------------------- --------- ------ 45 Marketing suspended switch(config-vlan-45)#
- These commands activate VLAN
45.
switch(config)# vlan 45 switch(config-vlan-45)# state active switch(config-vlan-45)# show vlan 45 VLAN Name Status Ports ---- -------------------------------- --------- ------ 45 Marketing active Et1 switch(config-vlan-45)#
VLAN Policy
- Flood the Layer 2 miss packets on the VLAN
- Drop the Layer 2 miss packets
- Log the Layer 2 miss packets to the CPU (while still flooding them on the VLAN)
The default behavior is to flood the L2 miss packets on all ports of the VLAN.
VLAN policy configuration is supported on the Arista 7010, 7050 (excluding 7050SX3-48YC12, 7050CX3-32S, 7050QX2-32S, 7050SX2-72Q, 7050SX2-128, 7050TX2-128), 7060, 7250, and the 7300 series platforms.
- STP, LLDP, and LACP packets
- VLAN policy configurations on VXLAN-enabled VLAN
- On a VLAN if IGMP snooping is configured with Multicast miss action is set to drop, then all multicast packets received on that VLAN are dropped.
- These commands create a vlan 333 and then set the unicast
policy to ‘drop’ and the multicast policy to ‘log’ for the specific
vlan
333.
switch(config)# vlan 333 switch(config-vlan-333)# mac address forwarding unicast miss action drop switch(config-vlan-333)# mac address forwarding multicast miss action log
- These commands display the VLAN policy that was defined when vlan
333 is
created.
switch(config)# show vlan 333 mac address forwarding VLAN UcMissAction McMissAction ---- ------------ ------------ 333 flood flood
- These commands display the VLAN policy type that was defined when vlan
333 is configured with the ‘drop’ unicast policy and the
‘log’ multicast
policy.
switch(config)# show vlan 333 mac address forwarding VLAN UcMissAction McMissAction ---- ------------ ------------ 333 drop log switch(config)# show vlan mac address forwarding VLAN UcMissAction McMissAction ---- ------------ ------------ 1 flood flood 333 drop log
Configuring VLAN Switching
The following describe the configuration of VLAN ports.
Access Ports
Access ports carry traffic for one VLAN, as designated by a switchport access vlan command. Access ports associate untagged frames with the access VLAN. Tagged frames received by the interface are dropped unless they are tagged with the access VLAN.
To configure an interface group as an access port, use the switchport mode command.
- These commands configure
interface ethernet 1 as an access
port.
switch(config)# interface ethernet 1 switch(config-if-Et1)# switchport mode access switch(config-if-Et1)#
- To specify the port’s access VLAN, use the
switchport access vlan command.These commands configure vlan 15 as the access VLAN for interface ethernet 5.
switch(config)# interface ethernet 5 switch(config-if-Et5)# switchport access vlan 15 switch(config-if-Et5)#
- These commands configure interface Ethernet
1 through 3 as access ports that
process untagged frames as vlan 5
traffic.
switch(config)# interface Ethernet 1-3 switch(config-if-Et1-3)# switchport mode access switch(config-if-Et1-3)# switchport access vlan 5 switch(config-if-Et1-3)# show interfaces ethernet 1-3 vlans Port Untagged Tagged Et1 None 23,25 Et2 18 - Et3 None 14 switch(config-if-Et1-3)#
Trunk Ports
- The vlan trunk list specifies the VLANs for which the port handles tagged frames. The port drops any packets tagged for VLANs not in the VLAN list.
- The native vlan is the VLAN where the port switches untagged frames.
To configure an interface group as a trunk port, use the switchport mode command.
Example
switch(config)# interface ethernet 8
switch(config-if-Et8)# switchport mode trunk
switch(config-if-Et8)#
By default all VLANs are permitted on a port configured with ‘switchport mode trunk’. To limit the port’s VLAN trunk list, use the switchport trunk allowed vlan command. Only VLANs in the allowed list will be permitted.
- These commands configure VLAN 15,
20, 21,
22, 40, and
75 as the explicitly permitted VLAN trunk list
for ethernet interface
12-16.
switch(config)# interface ethernet 12-16 switch(config-if-Et12-16)# switchport trunk allowed vlan 15,20-22,40,75 switch(config-if-Et12-16)#
- These commands explicitly permit VLAN 100 through
120 to the VLAN trunk list for
interface ethernet
14.
switch(config)# interface ethernet 14 switch(config-if-Et14)# switchport trunk allowed vlan add 100-120 switch(config-if-Et14)#
- To specify the port’s native VLAN, use the switchport trunk native
vlan command.These commands configure vlan 12 as the native VLAN trunk for interface ethernet 10.
switch(config)# interface ethernet 10 switch(config-if-Et10)# switchport trunk native vlan 12 switch(config-if-Et10)#
- By default, ports send native VLAN traffic with untagged frames. The
switchport trunk native vlan command can also
configure the port to send native VLAN traffic with tag frames.These commands configure interface ethernet 10 to send native VLAN traffic as tagged.
switch(config)# interface ethernet 10 switch(config-if-Et10)# switchport trunk native vlan tag switch(config-if-Et10)#
- These commands configure interface ethernet 12 as a
trunk with vlan 15 as the native VLAN. The port’s
trunk list includes all VLANs except
201-300.
switch(config)# interface ethernet 12 switch(config-if-Et12)# switchport mode trunk switch(config-if-Et12)# switchport trunk native vlan 15 switch(config-if-Et12)# switchport trunk allowed vlan except 201-300 switch(config-if-Et12)#
- Assume that all ports on the switch are configured with switchport mode trunk
similar to Ethernet 1 and 2
shown
below:
! interface ethernet 1 switchport mode trunk ! interface ethernet 2 switchport mode trunk !
- Further assume that vlan 30 is not configured as part
of a trunk group.
switch# show vlan VLAN Name Status Ports ----- -------------------------------- --------- ---------- 1 default active Et1, Et2 30 vlan30 active Et1, Et2
-
Now configure vlan 30 as part of trunk group 30:
switch(config)# vlan 30 switch(config-vlan-30)# trunk group 30
- This updates the VLAN membership for vlan
30.
switch#show vlan VLAN Name Status Ports ----- -------------------------------- --------- ----------- 1 default active Et1, Et2 30 vlan30 active
Note: Vlan 30 is no longer on Et1, Et2 i.e. it has been ‘pruned’ due to the trunk group command in the vlan configuration. - To permit vlan 30 on Et1,
you need to associate the interface with the trunk group as
follows:
switch(config-if-Et1)# switchport trunk group 30 Now we see Et1 included in the vlan 30 list switch# show vlan VLAN Name Status Ports ----- -------------------------------- --------- ---------- 1 default active Et1, Et2 30 vlan30 active Et1
- The trunk group command is not additive to the allowed VLAN
command.
interface ethernet 1 switchport mode trunk switchport trunk allowed vlan 10 switchport trunk group trunk30 Vlan 30 will not be permitted on the interface as it is not listed in the allowed vlan list.
Dot1q Tunnel Ports
Dot1q (802.1Q) is a tunneling protocol that encapsulates traffic from multiple customer (c-tag) VLANs in an additional single outer service provider (s-tag) VLAN for transit across a larger network structure that includes traffic from all customers. Tunneling eliminates the service provider requirement that every VLAN be configured from multiple customers, avoiding overlapping address space issues.
Tunneling preserves the inner VLANs through the tunneled network; these inner VLANs are ignored by intermediate devices that make forwarding decisions based only on the outermost VLAN tag (S-Tag)
A dot1q-tunnel port sits at the edge of the tunneled network. Unlike regular access ports, a dot1q-tunnel port does not drop traffic that arrives with 802.1Q tags in place; it ignores existing 802.1Q information and associates arriving traffic (with or without 802.1Q headers) with a new tunnel VLAN ID.
Packets arriving at a tunnel port are encapsulated with an additional 802.1Q tag that can be trunked between multiple devices like any traditional VLAN. When exiting a dot1-tunnel port, the S-Tag is removed to revert the customer traffic to its original tagged or untagged state.
To configure an interface group as a dot1q tunnel port, use the switchport mode command.
Example
switch(config)# interface ethernet 12
switch(config-if-Et12)# switchport mode dot1q-tunnel
switch(config-if-Et12)#
To specify the dot1q-tunnel port’s access VLAN, use the switchport access vlan command. The port then handles all inbound traffic as untagged VLAN traffic.
Example
switch(config)# interface ethernet 12
switch(config-if-Et12)# switchport access vlan 60
switch(config-if-Et12)#
TPID Configuration
The default Tag Protocol IDentifier (TPID, also called dot1q ethertype) on all switch ports is 0x8100. To configure a different TPID on a port, use the switchport dot1q ethertype command. This feature is available only on 7280E and 7500E platforms.
Example
switch(config)# interface ethernet 1
switch(config-if-Et1)# switchport mode dot1q-tunnel
switch(config-if-Et1)# interface ethernet 2
switch(config-if-Et2)# switchport mode trunk
switch(config-if-Et2)# switchport dot1q ethertype 0x9100
switch(config-if-Et2)#
In the above configuration, packets from Et1 to Et2 will undergo dot1q-tunneling (stacking of an additional dot1q tag), with an outer TPID of 0x9100 at egress, while packets with outer TPID 0x9100 going from Et2 to Et1 will have the outer tag removed at egress.
Layer 2 802.1Q Encapsulation
Layer 2 traffic encapsulation is enabled on the configuration mode interface for a specified VLAN through l2-protocol encapsulation dot1q vlan.
Example
switch(config)# interface ethernet 5/2
switch(config-if-Et5/2)# l2-protocol encapsulation dot1q vlan 200
Port VLAN Scaling on DCS-7160
Port VLAN scaling allows the user to configure a subset of ports in the scale mode. The switchport vlan forwarding command forwards packets between the ports belonging to VLAN in the interface configuration mode. Port-VLAN table is used for storing the configuration on a per port/VLAN combination. The scaling configuration is applicable on a per-port basis and supports a maximum of 128 ports.
- This command enables VLAN scaling on a port
with an interface ethernet
2.
switch# config terminal switch(config)# interface ethernet 2 switch(config-if-Et2)# switchport vlan forwarding accept all
- This command disables VLAN scaling on a
port.
switch# config switch(config)# interface ethernet 2 switch(config-if-Et2)# no switchport vlan forwarding accept all
Creating and Configuring VLAN Interfaces
The interface vlan command places the switch in VLAN-interface configuration mode for modifying an SVI. An SVI provides a management address point and Layer 3 processing for packets from all VLAN ports.
Example
switch# config t
switch(config)# interface vlan 12
switch(config-if-Vl12)#
Allocating Internal VLANs
The vlan internal order command specifies the VLANs that the switch allocates as internal VLANs when configuring routed ports and the order of their allocation. By default, the switch allocates VLANs in ascending order. The default allocation range is between VLAN 1006 and VLAN 4094.
The no switchport command converts an Ethernet or port channel interface into a routed port, disabling Layer 2 switching for the interface.
- This command configures the switch to allocate
internal VLANs in ascending order starting with
1006.
switch(config)# vlan internal order ascending switch(config)#
- This command configures the switch to allocate
internal VLANs in descending order starting with
4094.
switch(config)# vlan internal order descending switch(config)#
- This command configures the switch to allocate
internal VLANs in descending order from 4094 through
4000.
switch(config)# vlan internal order descending range 4000 4094 switch(config)#
Private VLAN Configuration
On DCS-7280R, DCS-7280R2, DCS-7500R, DCS-7500R2, DCS-7020R
- On systems with algomatch hardware, the access-list mechanism must explicitly be set
to TCAM using the following command. Ignore this step when on non-algomatch hardware
based
systems.
switch(config)# hardware access-list mechanism tcam
- To enable the private VLAN feature, you must also enable the forwarding-ID
feature.
switch(config)# platform sand l2 forwarding-id sharing
On All Platforms
- Any regular VLAN can act as a primary without any extra configuration. The
only requirement is that the VLAN must be active. Use the following command
to configure a VLAN as active or
inactive:
switch(config)# vlan 100
switch(config)# no vlan 100
switch(config)# default vlan 100
- Configure VLANs as secondary inside the VLAN configuration
mode. Use the configuration to specify the primary VLAN as isolated and the
type of secondary VLAN:
switch(config)# vlan 20 switch(config-vlan-20)# private-vlan isolated primary vlan 10 switch(config)# vlan 30 switch(config-vlan-30)# private-vlan community primary vlan 10
- Interfaces are assigned to primary or secondary VLANs in the same way as
regular VLANs. It works with both access and trunk ports. The following
shows the standard switchport command configuring an access interface to the
secondary VLAN configured
before:
switch(config)# interface ethernet 1/1 switch(config-if-Et1/1)# switchport access vlan 20
- Trunk ports forward any traffic within the allowed VLANs configured on the
interface, whether they are primary or secondary VLANs. To configure trunk
ports to translate traffic from primary VLAN to secondary (this maps to the
lowest secondary VLAN if multiple are allowed) configure the following on
the trunk port:
switch(config)# interface ethernet 1/1 switch(config-if-Et1/1)# switchport trunk private-vlan secondary
Steps to Unconfigure
On all Platforms
- To unconfigure a private VLAN, use the following command. This reverts the
VLAN back to a regular VLAN. At this point, the broadcast domain for this
VLAN adjusts and all hosts start to be learned in the regular VLAN, as
opposed to the primary VLAN. The MAC table entries previously learned on the
primary VLAN are not used anymore for
forwarding.
switch(config-vlan-20)# no private-vlan
- To restore trunk port behavior to allow traffic on all primary and secondary
VLANs:
switch(config)# interface ethernet1/1 switch(config-if-Et1/1)# no switchport trunk private-vlan secondary
On DCS-7280R, DCS-7280R2, DCS-7500R, DCS-7500R2, DCS-7020R
switch(config)# no platform sand l2 forwarding-id sharing
Note: This configuration needs the device to be rebooted to take effect.
Configuring VLAN Translation
VLAN translation changes the VLAN ID of specified packets entering or leaving a port. The following sections describe the configuration of VLAN translation.
Per-port VLAN Translation on Switched Ports
The switchport vlan translation command allows translation of the VLAN tag of traffic entering or exiting a switched port.
To use VLAN translation on a switched port, the port must be configured as a trunk port using the switchport mode command.
-
This command configures interface ethernet 5 as a trunk port.
switch(config)# interface ethernet 5 switch(config-if-Et5)# switchport mode trunk switch(config-if-Et5)#
-
By default, the translation is bidirectional: packets ingressing an interface through vlan A are internally mapped to vlan B; vlan B packets egressing the same interface are mapped to vlan A.
- These commands map interface ethernet 5
traffic with dot1q tag 50 to bridging
vlan
60.
switch(config)# interface ethernet 5 switch(config-if-Et5)# switchport vlan translation 50 60 switch(config-if-Et5)#
- These commands provides multiple 1:1 VLAN mappings under an
interface.
switch(config)# interface ethernet 5 switch(config-if-Et5)# switchport vlan translation 50 60 switch(config-if-Et5)# switchport vlan translation 61 71 switch(config-if-Et5)# switchport vlan translation 62 72 switch(config-if-Et5)#
- These commands translate only incoming
packets.
switch(config)# interface ethernet 5 switch(config-if-Et5)# switchport vlan translation in 50 60 switch(config-if-Et5)#
- These commands translate only egress
packets.
switch(config)# interface ethernet 5 switch(config-if-Et5)# switchport vlan translation out 60 50 switch(config-if-Et5)#
- These commands map interface ethernet 5
traffic with dot1q tag 50 to bridging
vlan
60.
Dropping VLAN Translations
Dropping Mismatched VLAN Translations on a Routed Port
On routed ports, the encapsulation dot1q vlan command, permitted only on routed ports, configures the VLAN on the interface to act as the native VLAN. This command maps packets ingressing with the specified VLAN ID to the internal VLAN ID of the routed port. All traffic egressing out of the routed port tagged with the VLAN ID specified in the command.
Example
These commands translate between vlan 50 and the internal VLAN for interface ethernet 5 (a routed port).
switch(config)# interface ethernet 5
switch(config-if-Et5)# no switchport
switch(config-if-Et5)#encapsulation dot1q vlan 50
switch(config-if-Et5)#
Dropping Unmatched VLAN Translations on an Interface
Configure an Ethernet interface to drop unmatched VLAN translation packets from ingress and egress ports.
Example
Use the following commands to drop invalid VLAN translations from Ethernet1:
switch(config)#interface Ethernet1
switch(config-if-Et2)#switchport vlan translation out required
switch(config-if-Et2)#switchport vlan translation in required
Double VLAN Translation
Double VLAN translation creates mappings between an inner and outer VLAN ID pair of a double-tagged packet and a single bridging VLAN. On ingress, specified double-tagged packets are mapped to the bridging VLAN, and on egress packets with the ID of the bridging VLAN are double tagged as specified. By default, the translation is bidirectional, but it can be applied only on ingress or egress.
Example
switch(config)# interface ethernet 3/1
switch(config-if-Et3/1)# switchport vlan translation in 1000 inner 100 200
switch(config-if-Et3/1)#
Configuring VLAN Counters
Add VLAN ingress and egress counters that provide the ability to count packets and bytes ingressing or egressing a bridge domain for a VLAN.
Use the following commands to add VLAN ingress and egress counters to the switch:
switch(config)#hardware counter feature vlan in
switch(config)#hardware counter feature vlan out
To display the configuration, use the show hardware counter feature
switch(config)#show hardware counter feature
Feature Direction Counter Resource (Engine) Status Detail
--------------- ---------- ------------------------- -------- ------------------------------
Queue out Jericho2C+: 16 up Not user-configurable.
VLAN out Jericho2C+: 2 up
VLAN in Jericho2C+: 1 up
VOQ in Jericho2C+: 0, 8 up Not user-configurable.
Verify the counter status using the show vlan counters command.
switch#show vlan counters
Vlan InOctets InPkts
Vlan1 0 0
Vlan100 186 2
Vlan200 0 0
Vlan300 64 1
Vlan OutOctets OutPkts
Vlan1 0 0
Vlan100 0 0
Vlan200 114 1
Vlan300 70 1
To clear the counter status, use the following command:
switch(config)#clear vlan counters
switch(config)#show vlan counters
Vlan InOctets InPkts
Vlan1 0 0
Vlan100 0 0
Vlan200 0 0
Vlan300 0 0
Vlan OutOctets OutPkts
Vlan1 0 0
Vlan100 0 0
Vlan200 0 0
Vlan300 0 0
VLAN Configuration Commands
Global VLAN Configuration Commands
VLAN Configuration Mode Commands
Layer 2 Interface (Ethernet and Port Channel) Configuration Commands
VLAN Interface Configuration Mode Commands
Show Commands
- show dot1q-tunnel
- show interfaces switchport
- show interfaces switchport backup-link
- show interfaces switchport vlan mapping
- show interfaces trunk
- show interfaces vlans
- show pvlan mapping interfaces
- show vlan
- show vlan brief count
- show vlan counters
- show vlan dynamic
- show vlan internal allocation policy
- show vlan internal usage
- show vlan trunk group
autostate
- the corresponding VLAN exists and is in the active state.
- one or more Layer 2 ports in the VLAN are up and in spanning-tree forwarding state.
- the VLAN interface exists and is not in a shutdown state.
- The no autostate command disables autostate on the configuration mode interface. The no autostate command is stored to running-config.
- The autostate command enables the autostate function on the configuration mode VLAN SVI by removing the corresponding no autostate statement from running-config.
- The default autostate command restores the autostate default state of enabled by removing the corresponding no autostate statement from running-config.
Command Mode
Interface-VLAN Configuration
Command Syntax
autostate
no autostate
default autostate
Guidelines
Autostate should be disabled on SVIs configured as an MLAG local interface.
- These commands disable autostate on vlan
100.
switch(config)# interface vlan 100 switch(config-if-Vl100)# no autostate switch(config-if-Vl100)#
- These commands enable autostate on vlan
100.
switch(config)# interface vlan 100 switch(config-if-Vl100)# autostate switch(config-if-Vl100)#
encapsulation dot1q vlan
In the configuration mode for an Ethernet or port channel interface, the encapsulation dot1q vlan translates packets with a dot1q header to the internal VLAN for a routed port. The VLAN in the incoming packets is mapped to the internal VLAN of the routed port, and packets egressing the routed port are encapsulated with a dot1q header for the specified VLAN. For egress packets, no priority information is added to the dot1q header and the priority from the incoming encapsulation will be retained.
Subinterface VLAN AssignmentWhen used in the configuration mode for an Ethernet or port channel subinterface, however, the encapsulation dot1q vlan command assigns a dot1q tag to the subinterface. Traffic ingressing on the parent interface with that dot1q tag will then be sent to the configured subinterface. See Subinterfaces and Subinterface Configuration for details.
The no encapsulation dot1q vlan and default encapsulation dot1q vlan commands restore the default VLAN to the configuration mode interface by removing the corresponding encapsulation dot1q vlan command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-port-channel Configuration
Subinterface-Ethernet Configuration
Subinterface-port-channel Configuration
Command Syntax
encapsulation dot1q vlan vlan_id
no encapsulation dot1q vlan
default encapsulation dot1q vlan
Parameters
vlan_id For VLAN translation, the ID of the external VLAN to be translated; for subinterface configuration, the VLAN of the subinterface. Values range from 1 to 4094.
- These commands translate between vlan 50 and the
internal VLAN for interface ethernet 5 (a routed
port).
switch(config)# interface ethernet 5 switch(config-if-Et5)# no switchport switch(config-if-Et5)# encapsulation dot1q vlan 50 switch(config-if-Et5)#
- These commands assign packets ingressing on interface ethernet
1/1 with vlan ID 100 to
subinterface ethernet
1/1.1.
switch(config)# interface ethernet1/1.1 switch(config-if-Et1/1.1)# no switchport switch(config-if-Et1/1.1)# encapsulation dot1q vlan 100 switch(config-if-Et1/1.1)#
interface vlan
The interface vlan command places the switch in VLAN-interface configuration mode for modifying parameters of the Switch Virtual Interface (SVI). An SVI provides Layer 3 processing for packets from all ports associated with the VLAN. There is no physical interface for the VLAN.
When entering configuration mode to modify existing SVIs, the command can specify multiple interfaces. The command creates an SVI if the specified interface does not exist prior to issuing the command. When creating an SVI, the command can only specify a single interface.
The no interface vlan command deletes the specified SVI interfaces from running-config. The default interface vlan commands remove all configuration statements for the specified SVI interfaces from running-config without deleting the interfaces.
Command Mode
Global Configuration
Command Syntax
interface vlan v_range
no interface vlan v_range
default interface vlan v_range
Parameter
v_range VLAN interfaces (number, range, or comma-delimited list of numbers and ranges). VLAN number ranges from 1 to 4094.
Restrictions
Internal VLANs: A VLAN interface cannot be created or configured for internal VLAN IDs. The switch rejects any interface vlan command that specifies an internal VLAN ID.
Example
This example creates an SVI for vlan 12:
switch# config
switch(config)# interface vlan 12
switch(config-if-Vl12)#
l2-protocol encapsulation dot1q vlan
The l2-protocol encapsulation dot1q vlan command enables Layer 2 802.1Q traffic encapsulation on the configuration mode interface for a specified VLAN. The default VLAN for all interfaces is VLAN 1.
The no l2-protocol encapsulation dot1q vlan and default l2-protocol encapsulation dot1q vlan commands disable the specified encapsulation on the configuration mode interface by removing the corresponding l2-protocol encapsulation dot1q vlan command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Port-channel Configuration
Command Syntax
l2-protocol encapsulation dot1q vlan vlan_id
no l2-protocol encapsulation dot1q vlan
default l2-protocol encapsulation dot1q vlan
Parameters
vlan_id the ID of the native VLAN. Values range from 1 to 4094.
Example
These commands enable 802.1Q encapsulation of traffic on vlan 200.
switch(config)# interface ethernet 5/2
switch(config-if-Et5/2)# l2-protocol encapsulation dot1q vlan 200
switch(config-if-Et5/2)# show active
interface Ethernet5/2
l2-protocol encapsulation dot1q vlan 200
switch(config-if-Et5/2)#
mac address forwarding
- Flood the Layer 2 miss packets on the VLAN
- Drop the Layer 2 miss packets
- Log the Layer 2 miss packets to the CPU (while still flooding them on the VLAN)
The default state is to flood the L2 miss packets on all ports of the VLAN.
The show vlan command displays information about the VLAN policy that is being configured.
The no form and the default form of the command removes the previously configured VLAN policy on the VLAN.
Command Mode
VLAN Configuration
Command Syntax
mac address forwarding [unicast | multicast] miss action [drop | flood | log]
no mac address forwarding [unicast | multicast] miss action [drop | flood | log]
default mac address forwarding [unicast | multicast] miss action [drop | flood | log]
- unicast the unicast type of transmission.
- multicast the multicast type of transmission.
- drop the selected packets are dropped.
- flood the selected packets are flooded in the specific VLAN.
- log the selected packets are sent to the CPU for logging purpose.
Guidelines
VLAN policy configuration is supported on the Arista 7010, 7050 (excluding 7050SX3-48YC12, 7050CX3-32S, 7050QX2-32S, 7050SX2-72Q, 7050SX2-128, 7050TX2-128), 7060, 7250, and the 7300 series platforms.
- STP, LLDP, and LACP packets
- VLAN policy configurations on VXLAN-enabled VLAN
- On a VLAN if IGMP snooping is configured with Multicast miss action is set to drop, then all multicast packets received on that VLAN are dropped.
- These commands create a vlan 333 and then set the
unicast policy to drop and the multicast policy to
log for the specific vlan
333.
switch(config)# vlan 333 switch(config-vlan-333)# mac address forwarding unicast miss action drop switch(config-vlan-333)# mac address forwarding multicast miss action log
- These commands display the VLAN policy that was defined when
vlan 333 is
created.
switch(config)# show vlan 333 mac address forwarding VLAN UcMissAction McMissAction ---- ------------ ------------ 333 flood flood
- These commands display the VLAN policy type that was defined when
vlan 333 is configured with the
drop unicast policy and the
log multicast
policy.
switch(config)# show vlan 333 mac address forwarding VLAN UcMissAction McMissAction ---- ------------ ------------ 333 drop log switch(config)#show vlan mac address forwarding VLAN UcMissAction McMissAction ---- ------------ ------------ 1 flood flood 333 drop log
name (VLAN configuration mode)
The name command configures the VLAN name. The name can have up to 32 characters. The default name for VLAN 1 is default. The default name for all other VLANs is VLANxxxx, where xxxx is the VLAN number. The default name for vlan 55 is VLAN0055. The show vlan command displays the VLAN name.
The name command accepts all characters except the space.
The no name and default name commands restore the default name by removing the name command from running-config.
Command Mode
VLAN Configuration
Command Syntax
name label_text
no name
default name
Parameters
label_text character string assigned to name attribute. Maximum length is 32 characters. The space character is not permitted in the name string.
Example
These commands assign corporate_100 as the name for vlan 25, then displays the VLAN name.
switch(config)# vlan 25
switch(config-vlan-25)# name corporate_100
switch(config-vlan-25)# show vlan 25
VLAN Name Status Ports
----- -------------------------------- --------- ---------
25 corporate_100 active
switch(config-vlan-25)#
pvlan mapping
The pvlan mapping command maps a Switch Virtual Interface (SVI) available in the primary VLAN to the secondary VLAN or VLANs in the VLAN configuration mode. The show pvlan mapping interfaces command displays the list of mapped VLANs.
The no pvlan mapping and default pvlan mapping commands restore the default state of the private VLAN mapping.
Command Mode
VLAN Configuration
Command Syntax
pvlan mapping {add | remove | vlan ID}
no pvlan mapping {add | remove | vlan ID}
default pvlan mapping{add | remove | vlan ID}
- add adding VLANs to the PVLAN mapping of the current VLAN interface.
- remove removing VLANs from the PVLAN mapping of the current VLAN interface.
- vlan ID The secondary VLAN IDs of the private VLAN mapping. The IDs range from 1 to 4094.
Related Commands
Example
These commands assign a secondary VLAN ID of 50 to the primary VLAN.
switch(config)# vlan 25
switch(config-vlan-25)# pvlan mapping 50
switch(config-vlan-25)#
show dot1q-tunnel
The show dot1q-tunnel command displays the ports that are configured in dot1q-tunnel switching mode. The switchport mode command configures the switching mode for the configuration mode interface.
Command Mode
EXEC
Command Syntax
show dot1q-tunnel [INTERFACE]
Parameters
- no parameter Display information for all interfaces.
- ethernet e_range Ethernet interface range specified by e_range.
- loopback l_range Loopback interface specified by l_range.
- management m_range Management interface range specified by m_range.
- port-channel p_range Port-Channel Interface range specified by p_range.
- vlan v_range VLAN interface range specified by v_range.
- VXLAN
vx_range VXLAN interface range specified by
vx_range.
Valid range formats include number, number range, or comma-delimited list of numbers and ranges.
Example
This command displays the ports that are configured in dot1q-tunnel switching mode.
switch> show dot1q-tunnel
dot1q-tunnel mode LAN Port (s)
------------------------------
Po4
Po21
Po22
switch>
show interfaces switchport backup-link
The show interfaces switchport backup-link command displays interfaces that are configured as switchport backup pairs and the operational status of each interface. For each pair, the command displays the names, roles, status, and VLAN traffic of each interface.
Command Mode
EXEC
Command Syntax
show interfaces [INTERFACE] switchport backup-link
show interfaces switchport backup-link [module {Fabric f_num | Linecard lc_num | Supervisor svr_num | Switchcard | 1-2 | 3-6 }]
- INTERFACE Interface type and numbers. Options
include:
- no parameter Display information for all interfaces.
- ethernet e_range Ethernet interface range specified by e_range.
- loopback l_range Loopback interface specified by l_range.
- management m_range Management interface range specified by m_range.
- port-channel p_range Port-Channel Interface range specified by p_range.
- vlan
v_range VLAN interface range specified
by v_range.
Valid e_range, l_range, m_range, p_range, and v_range formats include number, number range, or comma-delimited list of numbers and ranges.
- module Displays interfaces of the specified
module. Options include:
- Fabric f_num Displays interfaces of the specified fabric module. Value ranges from 1 to 6.
- Linecard lc_num Displays interfaces of the specified linecard module. Value ranges from 3 to 6.
- Supervisor svr_num Displays interfaces of the specified supervisor module. Accepted values are 1 and 2.
- Switchcard Displays interfaces of switchcard modules.
- 1-2 Displays interfaces of the specified supervisor module.
- 3-6 Displays interfaces of the specified linecard module.
- State Operational status of the
interface. Values include:
- Up Spanning tree mode is backup, interface status is up.
- Down Spanning tree mode is backup, interface status is down.
- Inactive Configuration The spanning tree mode is not backup.
- Forwarding vlans VLANs forwarded by the interface. Depends on interface operation status and prefer option specified by the switchport backup command.
- This command displays the configured switchport primary-backup
pairs.
switch> show interfaces switchport backup-link Switch backup interface pair: Ethernet3/17, Ethernet3/8 Primary Interface: Ethernet3/17 State: Inactive Configuration Backup Interface: Ethernet3/8 State: Inactive Configuration Preemption delay: 0 milliseconds Mac move burst size: 0 Mac move burst interval: 20 milliseconds Mac move destination: ff:ff:ff:ff:ff:ff
- This command displays interfaces of the module for linecard
4.
switch(config)# show int switchport backup-link module Linecard 4 Switch backup interface pair: Ethernet4/19/1, Ethernet4/19/2 Primary Interface: Ethernet4/19/1 State: Inactive Configuration Backup Interface: Ethernet4/19/2 State: Inactive Configuration Preemption delay: 0 milliseconds Mac move burst size: 0 Mac move burst interval: 20 milliseconds Mac move destination: ff:ff:ff:ff:ff:ff
show interfaces switchport vlan mapping
The show interfaces switchport vlan mapping command displays mapping information of the configured VLANs in an interface mode.
Command Mode
EXEC
Command Syntax
show interfaces switchport vlan mapping
- This command displays mapping information of the configured VLAN
IDs.
switch# show interfaces switchport vlan mapping -------------- Ethernet3 Direction Direction Original Vlan New Vlan Status Configured Active -------------- --------- --------- ----------- ----------- 10 100 Active In/Out In/Out 11 200 Active In In 300 12 Active Out Out
- This command displays dual tag mapping information of the configured VLAN
IDs.
switch(config)# show interfaces switchport vlan mapping -------------- Ethernet3/1 Direction Direction Outer Tag Inner Tag VLAN ID Status Configured Active Dot1 qTunnel ----------- ----------- --------- --------- ----------- ----------- ----------- 1000 100 200 active In/Out In/Out - 1001 101 201 active In In - 1002 102 202 active Out Out -
- This command displays dual tag mapping information of the configured VLAN
IDs.
switch(config)# show interfaces switchport vlan mapping -------------- Ethernet1/1 Direction Direction Outer Tag Inner Tag VLAN ID Status Configured Active ----------- ----------- --------- --------- ----------- ----------- 70 - 300 Active In/Out In/Out 10 50 100 Active In/Out In/Out 20 60 100 Active In In 30 40 200 Active Out Out
show interfaces switchport
The show interfaces switchport command displays the switching configuration and operational status of the specified ports.
Command Mode
EXEC
Command Syntax
show interfaces [INTERFACE] switchport
Parameters
- no parameter Display the switching status for all interfaces.
- ethernet e_range Ethernet interface range specified by e_range.
- loopback l_range Loopback interface specified by l_range.
- management m_range Management interface range specified by m_range.
- port-channel p_range Port-Channel Interface range specified by p_range.
- vlan
v_range VLAN interface range specified by
v_range.
Valid e_range, l_range, m_range, p_range, and v_range formats include number, number range, or comma-delimited list of numbers and ranges.
- This command displays the switching status for all
interfaces.
switch(config)# show interface switchport Default switchport mode: access Name: Et5/1 Switchport: Enabled Administrative Mode: static access Operational Mode: static access MAC Address Learning: enabled Access Mode VLAN: 1 (default) Trunking Native Mode VLAN: 1 (default) Administrative Native VLAN tagging: disabled Trunking VLANs Enabled: ALL Static Trunk Groups: Dynamic Trunk Groups: Name: Et5/2 Switchport: Enabled Administrative Mode: static access Operational Mode: static access MAC Address Learning: enabled Access Mode VLAN: 1 (default) Trunking Native Mode VLAN: 1 (default) Administrative Native VLAN tagging: disabled Trunking VLANs Enabled: ALL Static Trunk Groups: Dynamic Trunk Groups: [...] switch(config)#
- This command displays the switching status of port channel interfaces
21 and
22.
switch> show interface port-channel 21-22 switchport Name: Po21 Switchport: Enabled Administrative Mode: tunnel Operational Mode: tunnel Access Mode VLAN: 1 (inactive) Trunking Native Mode VLAN: 100 (VLAN0100) Administrative Native VLAN tagging: disabled Trunking VLANs Enabled: ALL Trunk Groups: foo Name: Po22 Switchport: Enabled Administrative Mode: tunnel Operational Mode: tunnel Access Mode VLAN: 1 (inactive) Trunking Native Mode VLAN: 1 (inactive) Administrative Native VLAN tagging: disabled Trunking VLANs Enabled: ALL Trunk Groups: switch>
- This command displays the configured status of VLAN scaling for the
interface ethernet 2/1
port.
switch# show interface Ethernet 2/1 switchport Name: Ethernet 2/1 Switchport: Enabled Administrative Mode: trunk Operational Mode: trunk MAC Address Learning: enabled Dot1q ethertype/TPID: 0x8100 (active) Dot1q VLAN Tag: Allowed Access Mode VLAN: 1 (default) Trunking Native Mode VLAN: 1 (default) Administrative Native VLAN tagging: disabled Trunking VLANs Enabled: ALL Static Trunk Groups: Dynamic Trunk Groups: Source interface filtering: enabled VLAN forwarding mode: allConfiguredVlans switch>
show interfaces trunk
The show interfaces trunk command displays configuration and status information for interfaces configured in switchport trunk mode.
Command Mode
EXEC
Command Syntax
show interfaces [INTERFACE] trunk
Parameters
- no parameter Display information for all interfaces.
- ethernet e_range Ethernet interface range specified by e_range.
- management m_range Management interface range specified by m_range.
- port-channel
p_range Port-Channel Interface range specified
by p_range.
Valid e_range, m_range, and p_range formats include number, number range, or comma-delimited list of numbers and ranges.
Example
This command displays the trunk status for all interfaces configured in switchport trunk mode.
switch> show interfaces trunk
Port Mode Status Native vlan
Po1 trunk trunking 1
Po2 trunk trunking 1
Port Vlans allowed
Po1 1-15
Po2 16-30
Port Vlans allowed and active in management domain
Po1 1-10
Po2 21-30
Port Vlans in spanning tree forwarding state
Po1 1-10
Po2 21-30
switch>
show interfaces vlans
The show interfaces vlans command displays a table that lists the VLANs that are carried by the specified interfaces. Interfaces that do not carry VLANs are not listed in the table. The table lists the untagged (native or access) and tagged VLANs for each interface.
Command Mode
EXEC
Command Syntax
show interfaces [INT_NAME] vlans
Parameters
- ethernet e_num Ethernet interface specified by e_num.
- management m_num Management interface specified by m_num.
- port-channel p_num Port-Channel Interface specified by p_num.
Example
switch> show interfaces vlans
Port Untagged Tagged
Et9 3910 -
Et11 3912 -
Et16 500 -
Et17 3908 -
Et18 3908 -
Po1 1 101-102,500,721,3000,
Po2 101 -
Po4 3902 -
Po5 3903 -
Po6 3992 -
Po7 661 -
Po8 3911 -
show pvlan mapping interfaces
The show pvlan mapping interfaces command displays information about the private VLAN mapping interfaces.
Command Mode
EXEC
Command Syntax
show pvlan mapping interfaces
Example
switch(config)# int vlan 50
switch(config-if-Vl50)# pvlan mapping 70
switch(config-if-Vl50)# show pvlan mapping interfaces
Interface Secondary Vlans
--------- ---------------
Vlan50 70
show vlan
The show vlan command displays the VLAN ID, name, status, and member ports of all configured VLANs. The command only displays active ports by default; by specifying configured-ports, the command displays all ports that are members of a configured VLAN regardless of their activity status, including Ethernet ports that are members of a port channel.
Command Mode
EXEC
Command Syntax
show vlan [VLAN_LIST] [PORT_ACTIVITY]
- VLAN_LIST List of VLANs displayed by command.
Options include:
- no parameter all VLANs.
- v_range VLANs specified by v_range.
- id v_range VLANs specified by v_range.
- name
v_name VLANs specified by the VLAN
name
v_name.
v_range formats include number, number range, or comma-delimited list of numbers and ranges.
- PORT_ACTIVITY Ports listed in table. Options
include:
- no parameter table displays only active ports (same as active-configuration option).
- active-configuration table displays only active ports.
- configured-ports table displays all configured ports.
- VLAN The VLAN ID.
- Name The name of the VLAN.
- Status The status of the VLAN.
- Ports The ports that are members of the VLAN.
- This command displays status and ports of VLANs
1-1000.
switch> show vlan 1-1000 VLAN Name Status Ports ----- ------------------------ --------- -------------- 1 default active Po1 184 fet.arka active Cpu, Po1, Po2 262 mgq.net active PPo2, Po1 512 sant.test active Cpu, Et16, Po1 821 ipv6.net active Cpu, Po1, Po7 switch>
- This command displays the list of all the member interfaces under each
SVI.
switch# show vlan VLAN Name Status Ports ----- ------------------------ --------- ---------------- 1 default active 2148 VLAN2148 active Cpu, Et1, Et26 2700 VLAN2700 active Cpu, Et18
show vlan brief count
The show vlan brief count command displays the number of VLANs that are configured on the switch.
Command Mode
EXEC
Command Syntax
show vlan brief count
Example
switch> show vlan brief count
Number of existing VLANs : 18
switch>
show vlan counters
Display information about configured ingress and egress VLAN counters on the switch.
Configuration Mode
EXEC
Command Syntax
show vlan counters
Use the following command to display VLAN counters configured on the switch:
switch#show vlan counters
Vlan InOctets InPkts
Vlan1 0 0
Vlan100 186 2
Vlan200 0 0
Vlan300 64 1
Vlan OutOctets OutPkts
Vlan1 0 0
Vlan100 0 0
Vlan200 114 1
Vlan300 70 1
show vlan dynamic
The show vlan dynamic command displays the source and quantity of dynamic VLANs on the switch. Dynamic VLANs support VM Tracer monitoring sessions.
Command Mode
EXEC
Command Syntax
show vlan dynamic
Example
switch> show vlan dynamic
Dynamic VLAN source VLANS
vmtracer-poc 88
switch>
show vlan internal allocation policy
The show vlan internal allocation policy command displays the method the switch uses to allocate VLANs to routed ports. The vlan internal order command configures the allocation method.
- range: the list of VLANs that are allocated to routed ports.
- direction: the direction by which VLANs are allocated (ascending or descending).
Command Mode
EXEC
Command Syntax
show vlan internal allocation policy
Example
switch> show vlan internal allocation policy
Internal VLAN Allocation Policy: ascending
Internal VLAN Allocation Range: 1006-4094
switch>
show vlan internal usage
The show vlan internal usage command shows the VLANs that are allocated as internal VLANs for routed ports.
A routed port is an Ethernet or port channel interface that is configured as a layer 3 interface. Routed ports do not bridge frames and are not members of any VLANs. Routed ports can have IP addresses assigned to them and packets are routed directly to and from the port.
When an interface is configured as a routed port, the switch allocates an SVI with a previously unused VLAN ID. The switch prohibits the configuration of VLANs with numbers corresponding to internal VLAN interfaces allocated to a routed port. VLAN interfaces corresponding to SVIs allocated to a routed port cannot be configured by VLAN interface configuration mode commands.
Command Mode
EXEC
Command Syntax
show vlan internal usage
Example
switch> show vlan internal usage
1006 Ethernet3
1007 Ethernet4
switch>
show vlan trunk group
The show vlan trunk group command displays the trunk group membership of the specified VLANs.
Command Mode
EXEC
Command Syntax
show vlan [ VLAN_LIST ] trunk group
Parameters
- no parameter all VLANs.
- v_range VLANs specified by v_range.
- id v_range VLANs specified by v_range.
- name v_name VLANs specified by the VLAN name v_name.
- VLAN VLAN ID.
- Trunk Groups Trunk groups associated with the listed VLANs.
Example
switch> show vlan trunk group
VLAN Trunk Groups
---- -------------------------------------
5
10 first_group
12
40 second_group
100 third_group
101 middle_group
102
200
switch>
state
- Active state: Ports forward VLAN traffic.
- Suspend state: Ports block VLAN traffic.
The default transmission status is active.
The no state command restores the default VLAN transmission state to the configuration mode VLAN by removing the corresponding state command from running-config.
Command Mode
VLAN Configuration
Command Syntax
state OPERATION_STATE
no state
default state
Parameters
- active VLAN traffic is forwarded.
- suspend VLAN traffic is blocked.
Example
switch(config)# vlan 100-102
switch(config-vlan-100-102)# state suspend
switch(config-vlan-100-102)#
switchport access vlan
The switchport access vlan command specifies the access VLAN of the configuration mode interface. Ethernet or port channel interfaces that are in access mode are members of only the access VLAN. Untagged frames that the interface receives are associated with the access VLAN. Frames tagged with the access VLAN are also associated with the access VLAN. The interface drops all other tagged frames that it receives. By default, VLAN 1 is the access VLAN of all Ethernet and port channel interfaces.
An interface's access mode is effective only when the interface is in access mode or dot1q-tunnel mode, as specified by the switchport mode command. Interfaces in dot1q-tunnel mode handle inbound traffic as untagged traffic and associate all traffic with the access VLAN. Interfaces configured to switchport trunk mode maintain and ignore existing switchport access commands.
The no switchport access vlan and default switchport access vlan commands restore VLAN 1 as the access VLAN of the configuration mode interface by removing the corresponding switchport access vlan statement from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Port-channel Configuration
Command Syntax
switchport access vlan v_num
no switchport access vlan
default switchport access vlan
Parameters
v_num number of access VLAN. Value ranges from 1 to 4094. Default is 1.
Example
These commands assign VLAN 100 as the access VLAN to interface ethernet 5.
switch(config)# interface ethernet 5
switch(config-if-Et5)# switchport access vlan 100
switch(config-if-Et5)#
switchport dot1q ethertype
The switchport dot1q ethertype command configures the tag protocol identifier (TPID, also known as a dot1q ethertype), of the configuration mode interface. By default, all switch ports use the standard TPID of 0x8100.
The no switchport dot1q ethertype and default switchport dot1q ethertype commands restore the TPID to 0x8100 by removing the corresponding switchport dot1q ethertype statement from running-config.
Command Mode
Interface-Ethernet Configuration
Command Syntax
switchport dot1q ethertype ethertype
no switchport dot1q ethertype
default switchport dot1q ethertype
Parameters
ethertype ethertype number (TPID). Value ranges from 0x600 (1536) through 0xFFFF (65535), and can be entered in decimal or hexadecimal notation. Value is stored and displayed in hexadecimal form; the default value is 0x8100.Example
These commands configure 0x9100 as the TPID of interface ethernet 5.
switch(config)# interface ethernet 5
switch(config-if-Et5)# switchport dot1q ethertype 0x9100
switch(config-if-Et5)#
switchport mode
- Access switching mode: The interface is a member of one VLAN, called the access VLAN, as specified by the switchport access vlan command. Tagged frames received on the interface are dropped unless they are tagged with the access VLAN. Frames transmitted from the interface are always untagged.
- Trunk switching mode: The interface may be a member of multiple VLANs, as configured by the switchport trunk allowed vlan command. Untagged traffic is associated with the interface's native VLAN, as configured with the switchport trunk native vlan command.
- Dot1q-tunnel switching mode: The interface treats all inbound packets as untagged traffic and handles them as traffic of its access VLAN, as specified by the switchport access vlan command.
- Tap mode: The interface operates as a tap port. Tap ports receive traffic for replication on one or more tool ports.The interface may be a member of multiple VLANs, as configured by the switchport tap allowed vlan command. Untagged traffic is associated with the interface's native VLAN, as configured with the switchport tap native vlan command.
Tap ports are in STP forwarding state and prohibit egress traffic. MAC learning, control plane interaction and traps for inbound traffic are disabled.
Tool mode: The interface operates as a tool port. Tool ports replicate traffic received by tap ports. The interface may be a member of multiple VLANs, as configured by the switchport tool allowed vlan command. MAC learning, control plane interaction and traps for inbound traffic are disabled.
Tool ports are in STP forwarding state and prohibit ingress traffic that uses port settings.
- tap aggregation mode enabled: tap and tool ports are enabled. Switching ports are errdisabled.
- tap aggregation mode disabled: tap and tool ports are errdisabled. Switching ports are enabled.
The no switchport mode and default switchport mode commands return the configuration mode interface to its default setting as an access port by deleting the corresponding switchport mode command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Port-channel Configuration
Command Syntax
switchport mode MODE_TYPE
no switchport mode
default switchport mode
Parameters
- access access switching mode.
- dot1q-tunnel dot1q-tunnel switching mode.
- tap tap switching mode.
- tool tool switching mode.
- trunk trunk switching mode.
Restrictions
Dot1q-tunnel switching mode is not available on Petra platform switches.
Tap aggregation (tap and tool modes) is available on FM6000 and Arad platform switches.
Example
switch(config)# interface ethernet 4
switch(config-if-Et4)# switchport mode trunk
switch(config-if-Et4)#
switchport trunk allowed vlan
The switchport trunk allowed vlan command creates or modifies the list of VLANs for which the configuration mode interface, in trunk mode, handles tagged traffic. By default, interfaces handle tagged traffic for all VLANs. Command settings persist in running-config without taking effect when the switch is in tap aggregation mode or the interface is not in trunk mode.
The no switchport trunk allowed vlan and default switchport trunk allowed vlan commands restore the trunk mode default allowed VLAN setting of all by removing the corresponding switchport trunk allowed vlan statement from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Port-channel Configuration
Command Syntax
switchport trunk allowed vlan EDIT_ACTION
no switchport trunk allowed vlan
default switchport trunk allowed vlan
Parameters
- v_range Creates VLAN list from v_range.
- add v_range Adds specified VLANs to current list.
- all VLAN list contains all VLANs.
- except v_range VLAN list contains all VLANs except those specified.
- none VLAN list is empty (no VLANs).
- remove
v_range Removes specified VLANs from current
list.
Valid v_range formats include number, range, or comma-delimited list of numbers and ranges.
Example
switch(config)# interface ethernet 14
switch(config-if-Et14)# switchport trunk allowed vlan 6-10
switch(config-if-Et14)# show interfaces ethernet 14 switchport
Name: Et14
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Access Mode VLAN: 1 (inactive)
Trunking Native Mode VLAN: 1 (inactive)
Administrative Native VLAN tagging: disabled
Trunking VLANs Enabled: 6-10
Trunk Groups:
switch(config-if-Et14)#
switchport trunk group
The switchport trunk group command assigns the configuration mode interface to the specified trunk group. Trunk group ports handle traffic of the VLANs assigned to the group.
The no switchport trunk group and default switchport trunk group commands remove the configuration mode interface from the specified trunk group by deleting the corresponding statement from running-config. If the command does not specify a trunk group, the interface is removed from all trunk groups to which it is assigned.
Command Mode
Interface-Ethernet Configuration
Interface-Port-channel Configuration
Command Syntax
switchport trunk group [ group_name ]
no switchport trunk group [ group_name ]
default switchport trunk group [ group_name ]
Parameters
group_name trunk group name.
Example
switch(config)# interface port-channel 4
switch(config-if-Po4)# switchport trunk group fe-1
switch(config-if-Po4)#
switchport trunk native vlan
The switchport trunk native vlan command specifies the trunk mode native VLAN for the configuration mode interface. Interfaces in trunk mode associate untagged frames with the native VLAN. Trunk mode interfaces can also be configured to drop untagged frames. The default native VLAN for all interfaces is VLAN 1.
The no switchport trunk native vlan and default switchport trunk native vlan commands restore vlan 1 as the trunk mode native VLAN to the configuration mode interface by removing the corresponding switchport trunk native vlan command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Port-channel Configuration
Command Syntax
switchport trunk native vlan VLAN_ID
no switchport trunk native vlan
default switchport trunk native vlan
- VLAN_ID the ID of the native VLAN. Options
include:
- v_num VLAN number. Value ranges from 1 to 4094.
- tag interface drops all untagged frames.
Example
switch(config)# interface port-channel 21
switch(config-if-Po21)# switchport trunk native vlan 100
switch(config-if-Po21)#
switchport vlan forwarding
The switchport vlan forwarding command forwards packets between the ports belonging to VLAN in the interface configuration mode. The scaling configuration is applicable on a per-port basis. In the 7160 platform, the hardware uses a Port-VLAN table for storing the configuration on a per port/VLAN combination and supports a maximum of 128 ports.
Command Mode
Interface-Ethernet Configuration
Command Syntax
switchport vlan forwarding [ accept | all ]
- accept accepts packets for VLAN.
- all all VLANs.
Example
switch(config)# interface ethernet 2
switch(config-if-Et2)# switchport vlan forwarding accept all
switch(config-if-Et2)#
switchport vlan translation
The switchport vlan translation command allows you to map packets from one VLAN to another using VLAN translation. This is carried out on packets having a dot1q header (tagged frames) only. The translation rewrites the VLAN ID (VID) field in dot1q headers on packets passing through a switched port without changing any other fields.
By default, the translation is bidirectional. The packets ingressing an interface through vlan A are internally mapped to vlan B; vlan B packets egressing the same interface are mapped to vlan A.
To use VLAN translation on a switched port, the port must be configured as a trunk port using the switchport mode command.
VLAN translation on routed ports is accomplished through the encapsulation dot1q vlan command.
The no switchport vlan translation and default switchport vlan translation commands remove VLAN mapping by removing the switchport vlan translation command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Port-channel Configuration
Command Syntax
switchport vlan translation [DIRECTION] incoming_vlanid new_vlanid
no switchport vlan translation incoming_vlanid new_vlanid
no switchport vlan translation DIRECTION incoming_vlanid
default switchport vlan translation incoming_vlanid new_vlanid
default switchport vlan translation DIRECTION incoming_vlanid
- DIRECTION direction of traffic to be
translated.
- no parameter translates the specified VLAN IDs for transmitted and received traffic.
- in translates the specified VLAN IDs for received traffic only.
- out translates the specified VLAN IDs for transmitted traffic only.
- incoming_vlanid Enter the VLAN ID to be translated. Value ranges from 1 to 4094.
- new_vlanid The new VLAN ID or bridging VLAN ID that will be used internally. Value ranges from 1 to 4094.
- These commands translate only incoming packets, changing the VLAN ID to
2008 in the dot1q header of packets
ingressing on vlan
201.
switch(config)# interface ethernet 5 switch(config-if-Et5)# switchport vlan translation in 201 2008 switch(config-if-Et5)#
- These commands translate multiple VLAN mappings on an interface
ethernet 5.
switch(config)# interface ethernet 5 switch(config-if-Et5)# switchport vlan translation 50 60 switch(config-if-Et5)# switchport vlan translation 61 71 switch(config-if-Et5)# switchport vlan translation 62 72 switch(config-if-Et5)#
switchport vlan translation required
On routed ports, the switchport vlan translation required command (permitted only on routed ports) configures the VLAN on the interface to act as the native VLAN.
Command Mode
Interface-Ethernet Configuration
Command Syntax
switchport vlan translation in|out required
Parameters
- in - Ingress packets without a matching VLAN drop from the port.
- out - Egress packets without a matching VLAN drop from the port.
Example
switch(config)#interface Ethernet1
switch(config-if-Et1)#switchport vlan translation out required
Example
switch(config)#interface Ethernet1
switch(config-if-Et1)#switchport vlan translation in required
trunk group
The trunk group command assigns the configuration mode VLAN to a specified trunk group.
A trunk group is the set of physical interfaces that comprise the trunk and the collection of VLANs whose traffic is carried on the trunk. The traffic of a VLAN that belongs to one or more trunk groups is carried only on ports that are members of trunk groups to which the VLAN belongs. Switchport commands specify the physical interfaces that carry trunk group traffic.
The no trunk group and default trunk group commands remove the configuration mode VLAN from the specified trunk group by removing the corresponding trunk group statement from running-config. If a trunk group is not specified, the commands remove the configuration mode VLAN from all trunk groups.
Command Mode
VLAN Configuration
Command Syntax
trunk group [name]
no trunk group [name]
default trunk group [name]
Parameters
name a name representing the trunk group.Example
switch(config)# vlan 49
switch(config-vlan-49)# trunk group mlagpeer
switch(config-vlan-49)#
vlan
The vlan command places the switch in VLAN configuration mode to configure a set of virtual LANs. The command creates the specified VLANs if they do not exist prior to issuing the command. A VLAN that is in use as an internal VLAN may not be created or configured. The switch rejects any vlan command that specifies an internal VLAN ID.
The default vlan and no vlan commands removes the VLAN statements from running-config for the specified VLANs.
The exit command returns the switch to global configuration mode.
Command Mode
Global Configuration
Command Syntax
vlan vlan_range
no vlan vlan_range
default vlan vlan_range
Parameters
vlan_range VLAN list.
Formats include a name, number, number range, or comma-delimited list of numbers and ranges.
Guidelines
- The VLAN must be configured identically on both MLAG peer switches.
- The port-specific bridging configuration originates on the switch where the port is physically located. This configuration includes the switchport access VLAN, switchport mode (trunk or access), trunk-allowed VLANs, the trunk native VLAN, and the switchport trunk groups.
Example
This command creates vlan 49 and enters VLAN configuration mode for the new VLAN:
switch(config)# vlan 49
switch(config-vlan-49)#
vlan internal order
The vlan internal order command specifies the range that the switch can allocate as internal VLANs when configuring routed ports and the order of their allocation. By default, the switch allocates VLANs in ascending order from VLAN 1006 to VLAN 4094.
The no vlan internal order and default vlan internal order commands revert the policy to its default.
Command Mode
Global Configuration
Command Syntax
vlan internal order DIRECTION [RANGE_VLAN]
no vlan internal order
default vlan internal order
- DIRECTION VLAN allocation number direction.
Options include:
- ascending allocates internal VLANs from lower VLAN bound to upper VLAN bound.
- descending allocates internal VLAN from upper VLAN bound to lower VLAN bound.
- RANGE_VLAN allocation range. Options include:
- no parameter 1006 (lower bound) to 4094 (upper bound).
- range, lower, upper specifies lower bound (lower) and upper bound (upper).
- This command configures the switch to allocate internal VLANS from
3000 through
3999.
switch(config)# vlan internal order ascending range 3000 3999 switch(config)#
- This command configures the switch to allocate internal VLANS from
4094 through
1006.
switch(config)# vlan internal order descending switch(config)#
- This command configures the switch to allocate internal VLANS from
4094 down through
4000.
switch(config)# vlan internal order descending range 4000 4094 switch(config)#
- This command reverts the allocation policy to its default (ascending,
between 1006 and
4094).
switch(config)# no vlan internal order switch(config)#