VLAN Commands

This chapter contains the following sections:

vlan database

Use the vlan database Global Configuration mode command to enter the VLAN Configuration mode. This mode is used to create VLAN(s) and define the default VLAN.

Use the exit command to return to Global Configuration mode.

Syntax

vlan database

Default Configuration

VLAN 1 exists by default.

Command Mode

Global Configuration mode

Example

The following example enters the VLAN Configuration mode, creates VLAN 1972 and exits VLAN Configuration mode.

switchxxxxxx(config)# vlan database
switchxxxxxx(config-vlan)# vlan 1972
switchxxxxxx(config-vlan)# exit

vlan

Use the vlan VLAN Configuration mode or Global Configuration mode command to create a VLAN and assign it a name (if only a single VLAN is being created). Use the no form of this command to delete the VLAN(s).

Syntax

vlan vlan-range | {vlan-id [name vlan-name]} [media ethernet] [state active]

no vlan vlan-range

Parameters

  • vlan-range—Specifies a list of VLAN IDs. Separate nonconsecutive VLAN IDs with a comma and no spaces. Use a hyphen to designate a range of IDs (range: 2-4094).

  • vlan-id—Specifies a VLAN ID. (range: 2-4094).

  • vlan-name—Specifies the VLAN name. (range: 1–32 characters).

  • media—Specifies the media type of the VLAN. The only valid value is ethernet.

  • state—Specifies the state of the VLAN. The only valid value is active.

Default Configuration

VLAN 1 exists by default.

Command Mode

Global Configuration mode

VLAN Database Configuration mode

User Guidelines

If the VLAN does not exist, it is created. If the VLAN cannot be created, the command ends with an error and the current context is not changed.

Example

The following example creates a few VLANs. VLAN 1972 is assigned the name Marketing.

switchxxxxxx(config)# vlan database
switchxxxxxx(config-vlan)# vlan 19-23
switchxxxxxx(config-vlan)# vlan 100
switchxxxxxx(config-vlan)# vlan 1972 name Marketing
switchxxxxxx(config-vlan)# exit

show vlan

Use the show vlan Privileged EXEC mode command to display VLAN information.

Syntax

show vlan [tag vlan-id | name vlan-name]

Parameters

  • tag vlan-id—Specifies a VLAN ID.

  • name vlan-name—Specifies a VLAN name string (length: 1–32 characters)

Default Configuration

All VLANs are displayed.

Command Mode

Privileged EXEC mode

Examples

Example 1—The following example displays information for all VLANs:

switchxxxxxx# show vlan
Created by: S-Static, G-GVRP, R-Radius Assigned VLAN, V-Voice VLAN

VLAN   Name         Tagged Ports    UnTagged Ports  Created by
-----  -----------  --------------  --------------  ----------
1      Default                      gi1/0/1         S
10     Marketing    gi1/0/2         gi1/0/2         S
91     11           gi1/0/2-4       gi1/0/2         SGR
92     11           gi1/0/3-4                       G
93     11           gi1/0/3-4                       GR

interface vlan

Use the interface vlan Global Configuration mode command to enter the Interface Configuration (VLAN) mode for a specific VLAN. After this command is entered, all commands configure this VLAN.

Syntax

interface vlan vlan-id

Parameters

  • vlan-id—Specifies the VLAN to be configured.

Command Mode

Global Configuration mode

User Guidelines

If the VLAN does not exist, the VLAN is created. If the VLAN cannot be created, this command is finished with an error and the current context is not changed.

Example

The following example configures VLAN 1 with IP address 131.108.1.27 and subnet mask 255.255.255.0.

switchxxxxxx(config)# interface vlan 1
switchxxxxxx(config-if)# ip address 131.108.1.27 255.255.255.0

interface range vlan

Use the interface range vlan Global Configuration mode command to configure multiple VLANs simultaneously.

Syntax

interface range vlan vlan-range

Parameters

  • vlan-range—Specifies a list of VLANs. Separate nonconsecutive VLANs with a comma and no spaces. Use a hyphen to designate a range of VLANs.

Command Mode

Global Configuration mode

User Guidelines

Commands under the interface VLAN range context are executed independently on each VLAN in the range. If the command returns an error on one of the VLANs, an error message is displayed, and the system attempts to configure the remaining VLANs.

Example

The following example groups VLANs 221 through 228 and 889 to receive the same command(s).

switchxxxxxx(config)# interface range vlan 221-228, vlan 889

name

Use the name Interface Configuration (VLAN) mode command to name a VLAN. Use the no form of this command to remove the VLAN name.

Syntax

name string

no name

Parameters

  • string—Specifies a unique name associated with this VLAN. (Length: 1–32 characters).

Default Configuration

No name is defined.

Command Mode

Interface (VLAN) Configuration mode

User Guidelines

The VLAN name must be unique.

Example

The following example assigns VLAN 19 the name Marketing.

switchxxxxxx(config)# interface vlan 19
switchxxxxxx(config-if)# name Marketing

switchport protected-port

Use the switchport protected-port Interface Configuration mode command to isolate Unicast, Multicast, and Broadcast traffic at Layer 2 from other protected ports on the same switch. Use the no form of this command to disable protection on the port.

Syntax

switchport protected-port

no switchport protected-port

Default Configuration

Unprotected

Command Mode

Interface (Ethernet, Port Channel) Configuration mode

User Guidelines

Note that packets are subject to all filtering rules and Filtering Database (FDB) decisions.

Use this command to isolate Unicast, Multicast, and Broadcast traffic at Layer 2 from other protected ports (that are not associated with the same community as the ingress interface) on the same switch. Please note that the packet is still subject to FDB decision and to all filtering rules.

Example

switchxxxxxx(config)# interface gi1/0/1
switchxxxxxx(config-if)# switchport protected-port

show interfaces protected-ports

Use the show interfaces protected-ports EXEC mode command to display protected ports configuration.

Syntax

show interfaces protected-ports [interface-id | detailed]

Parameters

  • interface-id—Specifies an interface ID. The interface ID can be one of the following types: Ethernet port or port-channel.

  • detailed—Displays information for non-present ports in addition to present ports.

Default Configuration

Show all protected interfaces. If detailed is not used, only present ports are displayed.

Command Mode

User EXEC mode

Example

switchxxxxxx# show interfaces protected-ports
Interface  State
---------  -------------
gi1/0/1    Protected
gi1/0/2    Protected
gi1/0/3    Unprotected
gi1/0/4    Unprotected

switchport

Use the switchport Interface Configuration mode command to put an interface that is in Layer 3 mode into Layer 2 mode. Use the no form of this command to put an interface in Layer 3 mode.

Syntax

switchport

no switchport

Default Configuration

Layer 2 mode

Command Mode

Interface (Ethernet, Port Channel) Configuration mode

User Guidelines

Use the no switchport command to set the interface as a Layer 3 interface.

An interface cannot be set as a Layer 3 interface if 802.1x is enabled on the interface and one of the following conditions is true:

  • The host mode differs from multi-host.

  • MAC-Based or WEB-Based authentication is enabled.

  • Radius VLAN assignment is enabled.

Examples

Example 1 - The following example puts the port gi1/0/1 into Layer 2 mode.

switchxxxxxx(config)# interface gi1/0/1
switchxxxxxx(config-if)# switchport

Example 2 - The following example puts the port gi1/0/1 into Layer 3 mode.

switchxxxxxx(config)# interface gi1/0/1
switchxxxxxx(config-if)# no switchport

switchport mode

Use the switchport mode Interface Configuration mode command to configure the VLAN membership mode. Use the no form of this command to restore the default configuration.

Syntax

switchport mode access | trunk | general | private-vlan {promiscuous | host} | customer | vlan-mapping {tunnel | one-to-one }

no switchport mode

Parameters

  • access—Specifies an untagged layer 2 VLAN port.

  • trunk—Specifies a trunking layer 2 VLAN port.

  • general—Specifies a full 802.1q-supported VLAN port.

  • customer—Specifies that the port is an edge port connected to customer equipment. Traffic received from this port will be tunneled with the additional 802.1q VLAN tag (Q-in-Q VLAN tunneling).

  • private-vlan promiscuous—Private-VLAN promiscuous port.

  • private-vlan host—Private-VLAN host port.

  • vlan-mapping tunnel—VLAN Mapping tunnel edge port.

  • vlan-mapping one-to-one—VLAN Mapping one-to-one edge port.

Default Configuration

Access mode.

Command Mode

Interface (Ethernet, Port Channel) Configuration mode

User Guidelines

When the port’s mode is changed, it receives the configuration corresponding to the mode.

If the port mode is changed to access and the access VLAN does not exist, then the port does not belong to any VLAN.

Use the switchport mode vlan-mapping {tunnel | one-to-one} command to configure a VLAN mapping mode of an edge interface of a Provider Edge switch. The edge interface is an interface where a Customer network is connected to the Provider Edge switch. The network to which the switch belongs is a Provider network. The Customer networks and the Provider network can use the same VLAN IDs, and the edge interface must perform VLAN mapping between Customer VLANs (C-VLANs) and Provider VLANs (S-VLANs).

In tunnel mode, C-VLANs are mapped to S-VLANs on the edge interface and the original C-VLAN tags are kept as part of the payload. When a frame is sent on a non-edge tagged interface, it is encapsulated with another layer of S-VLAN tag to which the original C-VLAN ID is mapped. Frames transmitted on non-edge interfaces are therefore double-tagged, with the outer S-VLAN tag and the inner C-VLAN tag. When a frame is sent on an edge interface, the S-VLAN tag is stripped.

In one-to-one mode, C-VLANs are mapped to S-VLANs on the edge interface and the original C-VLAN ID in the input frame is replaced by the S-VLAN ID to which it is mapped. Untagged frames are dropped. The translation is symmetrical for frames sent back to the edge interface.

The following features cannot be enabled if vlan-mapping is allowed:

  • IPv4 routing

  • IPv6 routing

  • Auto Smart Port

  • Voice VLAN

The switchport vlan-mapping commands cannot add a port to an S-VLAN.

IPv4 and IPv6 interfaces cannot be defined on VLANs containing edge interfaces.

The following Layer 2 features are not supported in VLANs containing edge interfaces:

  • IGMP Snooping

  • MLD Snooping

  • DHCP Snooping

  • IPv6 First Hop Security

The following protocols cannot be enabled on edge interfaces:
  • STP

  • GVRP

The following features are not supported on edge interfaces:
  • Radius VLAN assignment

  • 802.1x Guest VLAN

Egress ACLs are not supported on one-to-one VLAN mapping edge ports.

A destination port with the network keyword or reflector port cannot be configured on an edge port.

Note. All the limitations for edge ports specified above are checked by the switchport vlan-mapping commands and by the commands configuring these features.

By default the switch does not forward frames received on edge ports with the following destination MAC addresses:
  • 01:80:C2:00:00:00-01:80:C2:00:00:FF

  • 01:00:0C:00:00:00-01:00:0C:FF:FF:FF

  • 01:00:0C:CD:CD:D0

Note. The following protocols using these MAC addresses can be enabled on edge ports:
  • LACP - 01:80:C2:00:00:02

  • LLDP - 01:80:C2:00:00:0E

  • UDLD - 01:00:0C:CC:CC:CC

  • CDP - 01:00:0C:CC:CC:CC

Example

Example 1 - The following example configures gi1/0/1 as an access port (untagged layer 2) VLAN port.

switchxxxxxx(config)# interface gi1/0/1
switchxxxxxx(config-if)# switchport mode access
switchxxxxxx(config-if)# switchport access vlan 2

switchport access vlan

A port in access mode can be an untagged member of at most a single VLAN. The switchport access vlan Interface Configuration command reassigns an interface to a different VLAN than the one it currently belongs to, or assigns it to none, in which case it is not a member of any VLAN.

Use the no form of this command to restore the default configuration.

Syntax

switchport access vlan {vlan-id | none}

no switchport access vlan

Parameters

  • vlan-id—Specifies the VLAN to which the port is configured.

  • none—Specifies that the access port cannot belong to any VLAN.

Default Configuration

The interface belongs to the Default VLAN.

Command Mode

Interface (Ethernet, Port Channel) Configuration mode

User Guidelines

When the port is assigned to a different VLAN, it is automatically removed from its previous VLAN and added to the new VLAN. If the port is assigned to none, it is removed from the previous VLAN and not assigned to any other VLAN.

Example

The following example assigns access port gi1/0/1 to VLAN 2 (and removes it from its previous VLAN).

switchxxxxxx(config)# interface gi1/0/1
switchxxxxxx(config-if)# switchport mode access
switchxxxxxx(config-if)# switchport access vlan 2

switchport trunk allowed vlan

A trunk interface is an untagged member of a single VLAN, and, in addition, it may be a tagged member of one or more VLANs. Use the switchport trunk allowed vlan Interface Configuration mode command to add/remove VLAN(s) to/from a trunk port. Use the no form of the command to return to the default.

Syntax

switchport trunk allowed vlan {all | none | vlan-list | add vlan-list | remove vlan-list | except vlan-list}

no switchport trunk allowed vlan

Parameters

  • all—Specifies all VLANs from 1 to 4094. At any time, the port belongs to all VLANs existing at the time. (range: 1–4094).

  • none—Specifies an empty VLAN list. The port does not belong to any VLAN.

  • vlan-list— Specifies the list of VLAN IDs the interface is member of. The VLAN(s) specified in this command are the only VLAN(s) the port will be member of (all previous settings related to trunk VLAN membership are discarded). Use a hyphen to designate a range of IDs. Separate nonconsecutive VLAN IDs with a comma and no spaces (range: 1-4094).

  • add vlan-list—List of VLAN IDs to add to the port. Separate nonconsecutive VLAN IDs with a comma and no spaces. Use a hyphen to designate a range of IDs.

  • remove vlan-list—List of VLAN IDs to remove from a port. Separate nonconsecutive VLAN IDs with a comma and no spaces. Use a hyphen to designate a range of IDs.

  • except vlan-list—List of VLAN IDs including all VLANs from range 1-4094 except VLANs belonging to vlan-list.

Default Configuration

By default, trunk ports belong to all created VLANs.

Command Mode

Interface (Ethernet, Port Channel) Configuration mode

User Guidelines

Use the switchport trunk allowed vlan command to specify which VLANs the port belongs to when its mode is configured as trunk.

Nonexistent VLANs can be configured. When a nonexistent VLAN is later created, the port is added to it automatically.

Forbidden VLANs can be configured.

Example

The following example adds VLANs 2, 3 and 100 to trunk ports 1 to 13:

switchxxxxxx(config)# interface range gi1/0/1-13
switchxxxxxx(config-if)# switchport mode trunk
switchxxxxxx(config-if)# switchport trunk allowed vlan add 2-3,100

switchport trunk native vlan

If an untagged packet arrives on a trunk port, it is directed to the port’s native VLAN. Use the switchport trunk native vlan Interface Configuration mode command to define the native VLAN for a trunk interface. Use the no form of this command to restore the default native VLAN.

Syntax

switchport trunk native vlan {vlan-id | none}

no switchport trunk native vlan

Parameters

  • vlan-id—Specifies the native VLAN ID.

  • none—Specifies the access port cannot belong to any VLAN.

Default Configuration

The default native VLAN is the Default VLAN.

Command Mode

Interface (Ethernet, Port Channel) Configuration mode

User Guidelines

The interface PVID is set to this VLAN ID. When the interface belongs to the native VLAN, it is set as a VLAN untagged egress interface.

The configuration is applied only when the port mode is trunk.

Examples

The following example defines VLAN 2 as native VLAN for port gi1/0/1:

switchxxxxxx(config)# interface gi1/0/1
switchxxxxxx(config-if)# switchport trunk native vlan 2
switchxxxxxx(config-if)# exit

switchport general allowed vlan

General ports can receive tagged or untagged packets. Use the switchport general allowed vlan Interface Configuration mode command to add/remove VLANs to/from a general port and configure whether packets on the egress are tagged or untagged. Use the no form of this command to reset to the default.

Syntax

switchport general allowed vlan add vlan-list [tagged | untagged]

switchport general allowed vlan remove vlan-list

no switchport general allowed vlan

Parameters

  • add vlan-list—List of VLAN IDs to add. Separate nonconsecutive VLAN IDs with a comma and no spaces. Use a hyphen to designate a range of IDs. (range: 1–4094)

  • remove vlan-list—List of VLAN IDs to remove. Separate nonconsecutive VLAN IDs with a comma and no spaces. Use a hyphen to designate a range of IDs.

  • tagged—Specify that packets are transmitted tagged for the configured VLANs

  • untagged—Specify that packets are transmitted untagged for the configured VLANs (this is the default)

Default Configuration

The port is not a member of any VLAN.

Command Mode

Interface (Ethernet, Port Channel) Configuration mode

User Guidelines

If the interface is a forbidden member of an added VLAN, the interface does not become a member of this specific VLAN. An error message is displayed in this case ("An interface cannot become a a member of a forbidden VLAN. This message will only be displayed once.") and the command continues to execute if there are more VLANs in the vlan-list.

A nonexistent VLAN cannot be configured. When a VLAN is removed it is deleted from the vlan-list.

The configuration is applied only when the port mode is general.

Example

The following example adds gi1/0/1 to VLANs 2 and 3. Packets are tagged on the egress:

switchxxxxxx(config)# interface gi1/0/1
switchxxxxxx(config-if)# switchport general allowed vlan add 2-3 tagged

switchport general pvid

Use the switchport general pvid Interface Configuration mode command to configure the Port VLAN ID (PVID) of an interface when it is in general mode. Use the no form of this command to restore the default configuration.

Syntax

switchport general pvid vlan-id

no switchport general pvid

Parameters

  • vlan-id—Specifies the Port VLAN ID (PVID).

Default Configuration

The PVID is the Default VLAN PVID.

Command Mode

Interface (Ethernet, Port Channel) Configuration mode

Examples

Example 1 - The following example sets the gi1/0/2 PVID to 234.

switchxxxxxx(config)# interface gi1/0/2
switchxxxxxx(config-if)# switchport general pvid 234

Example 2 - The following example performs the following:

  • Adds VLANs 2 and 3 as tagged, and VLAN 100 as untagged to gi1/0/4

  • Defines VID 100 as the PVID

switchxxxxxx(config)# interface gi1/0/4
switchxxxxxx(config-if)# switchport mode general
switchxxxxxx(config-if)# switchport general allowed vlan add 2-3 tagged
switchxxxxxx(config-if)# switchport general allowed vlan add 100 untagged
switchxxxxxx(config-if)# switchport general pvid 100
switchxxxxxx(config-if)# exit

switchport general ingress-filtering disable

Use the switchport general ingress-filtering disable Interface Configuration mode command to disable port ingress filtering (no packets are discarded at the ingress) on a general port. Use the no form of this command to restore the default configuration.

Syntax

switchport general ingress-filtering disable

no switchport general ingress-filtering disable

Default Configuration

Ingress filtering is enabled.

Command Mode

Interface (Ethernet, Port Channel) Configuration mode

Example

The following example disables port ingress filtering on gi1/0/1.

switchxxxxxx(config)# interface gi1/0/1
switchxxxxxx(config-if)# switchport mode general
switchxxxxxx(config-if)# switchport general ingress-filtering disable

switchport general acceptable-frame-type

The switchport general acceptable-frame-type Interface Configuration mode command configures the types of packets (tagged/untagged) that are filtered (discarded) on the interface. Use the no form of this command to return ingress filtering to the default.

Syntax

switchport general acceptable-frame-type {tagged-only | untagged-only | all}

no switchport general acceptable-frame-type

Parameters

  • tagged-only—Ignore (discard) untagged packets and priority-tagged packets.

  • untagged-only—Ignore (discard) VLAN-tagged packets (not including priority-tagged packets).

  • all—Do not discard untagged or priority-tagged packets.

Default Configuration

All frame types are accepted at ingress (all).

Command Mode

Interface (Ethernet, Port Channel) Configuration mode

Example

The following example configures port gi1/0/3 to be in general mode and to discard untagged frames at ingress.

switchxxxxxx(config)# interface gi1/0/3
switchxxxxxx(config-if)# switchport mode general
switchxxxxxx(config-if)# switchport general acceptable-frame-type tagged-only
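
How switchport general pvid, allowed vlan, ingress-filtering and acceptable-frame-type combine on a received frame, as an added Python sketch that is not part of the original guide. The class and function names are illustrative, and the membership check used for ingress filtering follows standard 802.1Q behaviour, which this page does not spell out.

```python
from dataclasses import dataclass, field


@dataclass
class GeneralPort:
    """Ingress settings of one port in general mode, with the defaults listed on this page."""
    pvid: int = 1                                   # assumption: the Default VLAN is VLAN 1
    member_vlans: set = field(default_factory=set)  # default: not a member of any VLAN
    acceptable: str = "all"                         # tagged-only | untagged-only | all
    ingress_filtering: bool = True                  # enabled unless "ingress-filtering disable"

    def ingress(self, vid):
        """Classify one received frame.

        vid is None for an untagged frame, 0 for a priority-tagged frame and
        1-4094 for a VLAN-tagged frame. Returns the VLAN the frame is placed
        in, or None when the port discards it.
        """
        vlan_tagged = vid is not None and vid != 0
        if self.acceptable == "tagged-only" and not vlan_tagged:
            return None
        if self.acceptable == "untagged-only" and vlan_tagged:
            return None
        # Untagged and priority-tagged frames are classified into the PVID.
        vlan = vid if vlan_tagged else self.pvid
        # Assumption (802.1Q): ingress filtering discards frames for VLANs
        # the port is not a member of.
        if self.ingress_filtering and vlan not in self.member_vlans:
            return None
        return vlan


def example_2_port():
    """gi1/0/4 as configured in Example 2 under switchport general pvid."""
    return GeneralPort(pvid=100, member_vlans={2, 3, 100})


def survey(port, vids=(None, 0, 2, 50)):
    """Map each constructed sample frame (identified by its tag) to the port's decision."""
    return {vid: port.ingress(vid) for vid in vids}


if __name__ == "__main__":
    port = example_2_port()
    print("defaults          ", survey(port))
    port.ingress_filtering = False
    print("filtering disabled", survey(port))
    port.ingress_filtering, port.acceptable = True, "tagged-only"
    print("tagged-only       ", survey(port))
```

With ingress filtering disabled, the frame tagged for VLAN 50 is accepted even though the port is not a member of that VLAN, which is the case to look for when reviewing general ports.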

switchport general forbidden vlan

Use the switchport general forbidden vlan Interface Configuration mode command to forbid adding/removing specific VLANs to/from a port. Use the no form of this command to restore the default configuration.

Syntax

switchport general forbidden vlan {add vlan-list | remove vlan-list}

no switchport general forbidden vlan

Parameters

  • add vlan-list—Specifies a list of VLAN IDs to add to interface. Separate nonconsecutive VLAN IDs with a comma and no spaces. Use a hyphen to designate a range of IDs.

  • remove vlan-list—Specifies a list of VLAN IDs to remove from interface. Separate nonconsecutive VLAN IDs with a comma and no spaces. Use a hyphen to designate a range of IDs.

Default Configuration

All VLANs are allowed.

Command Mode

Interface (Ethernet, Port Channel) Configuration mode

User Guidelines

The forbidden VLAN cannot be one that does not exist on the system, or one that is already defined on the port.

Example

The following example defines gi1/0/4 as having forbidden membership in VLANs 5-7:

switchxxxxxx(config)# interface gi1/0/4
switchxxxxxx(config-if)# switchport general forbidden vlan add 5-7
switchxxxxxx(config-if)# exit

switchport customer vlan

Use the switchport customer vlan Interface Configuration mode command to set the port's VLAN when the interface is in customer mode (set by the switchport mode command). Use the no form of this command to restore the default configuration.

Syntax

switchport customer vlan vlan-id

no switchport customer vlan

Parameters

  • vlan-id—Specifies the customer VLAN.

Default Configuration

No VLAN is configured as customer.

Command Mode

Interface (Ethernet, Port Channel) Configuration mode

User Guidelines

When a port is in customer mode it is in QinQ mode. This enables the user to use their own VLAN arrangements (PVID) across a provider network. The switch is in QinQ mode when it has one or more customer ports.

Example

The following example defines gi1/0/4 as a member of customer VLAN 5.

switchxxxxxx(config)# interface gi1/0/4
switchxxxxxx(config-if)# switchport mode customer
switchxxxxxx(config-if)# switchport customer vlan 5

ethtype

To globally define the Ethernet type used in the S-VLAN tag, use the ethtype command in Global Configuration mode. To restore the default configuration, use the no form of this command.

Syntax

ethtype dot1q | dot1ad | 9100 | 9200

no ethtype

Parameters

  • dot1q—A value of 0x8100 (802.1q VLAN tag) is used as Ethernet tag in VLAN tag.

  • dot1ad—A value of 0x88a8 (802.1ad VLAN tag) is used as Ethernet tag in VLAN tag.

  • 9100—A value of 0x9100 is used as Ethernet tag in VLAN tag.

  • 9200—A value of 0x9200 is used as Ethernet tag in VLAN tag.

Default Configuration

dot1q

Command Mode

Global Configuration mode

User Guidelines

Use the ethtype command to globally define the Ethernet type used in the S-VLAN tag. The configuration is applied to all NNI interfaces. All non-edge interfaces are considered as NNI interfaces. The edge interface is an interface having one of the following modes:

  • customer

  • vlan-mapping tunnel

  • vlan-mapping one-to-one

Use the no ethtype command to restore the default configuration.

Example

This example sets the Ethernet type in the VLAN tag to dot1ad (0x88a8):

switchxxxxxx(config)# ethtype dot1ad

switchport nni ethtype

To define the Ethernet type used in the S-VLAN tag on an NNI interface, use the switchport nni ethtype command in Interface (Ethernet, Port Channel) Configuration mode. To restore the default configuration, use the no form of this command.

Syntax

switchport nni ethtype dot1q | dot1ad | 9100 | 9200

no switchport nni ethtype

Parameters

  • dot1q—A value of 0x8100 (802.1q VLAN tag) is used as Ethernet tag in VLAN tag.

  • dot1ad—A value of 0x88a8 (802.1ad VLAN tag) is used as Ethernet tag in VLAN tag.

  • 9100—A value of 0x9100 is used as Ethernet tag in VLAN tag.

  • 9200—A value of 0x9200 is used as Ethernet tag in VLAN tag.

Default Configuration

Configured by the ethtype command.

Command Mode

Interface (Ethernet, Port Channel) Configuration mode

User Guidelines

Use the switchport nni ethtype command to define the Ethernet type used in the S-VLAN tag on an NNI interface. All non-edge interfaces are considered as NNI interfaces. The edge interface is an interface having one of the following modes:

  • customer

  • vlan-mapping tunnel

  • vlan-mapping one-to-one

Use the no switchport nni ethtype command to restore the default configuration.

Example

This example sets the Ethernet type in the VLAN tag to dot1ad (0x88a8):

switchxxxxxx(config)# interface gi1/0/1
switchxxxxxx(config-if)# switchport nni ethtype dot1ad
switchxxxxxx(config-if)# exit

switchport vlan-mapping tunnel

To configure selective tunneling on an edge interface, use the switchport vlan-mapping tunnel command in Interface (Ethernet, Port Channel) Configuration mode. To delete the configuration, use the no form of this command.

Syntax

switchport vlan-mapping tunnel {vlan-list | default} {outer-vlan-id | drop}

no switchport vlan-mapping tunnel [vlan-list | default]

Parameters

  • vlan-list—Specifies the Customer VLANs (C-VLANs) for selective tunneling. The VLAN IDs in the list are separated by a comma or a series of VLAN IDs separated by a hyphen (for example 1,2,3-5). The range is from 1 to 4094.

  • default—Specifies the list of the C-VLANs other than those specified. If a default action is not configured the input frames with unspecified C-VLANs are dropped.

  • outer-vlan-id—Specifies the outer S-VLAN tag to be added. The range of the S-VLAN tag is 1 to 4094.

  • drop—Specify that frames with the specified C-VLANs are dropped.

Default Configuration

No VLAN mapping is configured.

Command Mode

Interface (Ethernet, Port Channel) Configuration mode

User Guidelines

Use the switchport vlan-mapping tunnel vlan-list outer-vlan-id command to configure selective tunneling for the given C-VLANs.

The S-VLAN specified by the outer-vlan-id argument must be created before this command is configured. If this VLAN does not exist the command fails.

Use the switchport vlan-mapping tunnel vlan-list drop command to configure selective drop for the given C-VLANs.

Use the switchport vlan-mapping tunnel default outer-vlan-id command to configure tunneling for C-VLANs other than those specified.

Use the switchport vlan-mapping tunnel default drop command to configure dropping of C-VLANs other than those specified.

The switchport vlan-mapping tunnel command performs the following actions:

  • Creates an ACL for mapping VLANs from vlan-list to outer-vlan-id, if it has not been created.

  • Adds to the ACL one rule for each VLAN from vlan-list.

  • Reserves space in the TTI for this ACL. If there is not enough free space in the TTI, the command fails.

Note. The ACL can be bound on the interface later by the vlan-mapping tunnel command.

  • Adds the edge interface to the VLAN specified by the outer-vlan-id argument.

The ACL contains V+1 rules, where:

  • V—The number of specified C-VLANs.

Several switchport vlan-mapping tunnel commands can be defined on the same interface only if their vlan-list arguments do not contain common VLAN IDs.

Use the no switchport vlan-mapping tunnel vlan-list command to delete tunneling for the specified C-VLANs and remove the interface from the corresponding S-VLANs.

Use the no switchport vlan-mapping tunnel default command to delete the default tunneling and remove the interface from the corresponding S-VLANs.

Use the no switchport vlan-mapping tunnel command to delete tunneling for all C-VLANs and remove the interface from the corresponding S-VLANs.

Examples

Example 1 - This example shows how to configure traditional tunneling of all traffic on the port to an S-VLAN ID of 10:

switchxxxxxx(config)# interface gi1/0/1
switchxxxxxx(config-if)# switchport vlan-mapping tunnel default 10
switchxxxxxx(config-if)# exit

Example 2 - This example shows how to configure selective tunneling on the port so that traffic with a C-VLAN ID of 5, 7, or 8 is tunneled with an S-VLAN ID of 100. The traffic of any other C-VLAN IDs is dropped:

switchxxxxxx(config)# interface gi1/0/2
switchxxxxxx(config-if)# switchport vlan-mapping tunnel 5,7-8 100
switchxxxxxx(config-if)# switchport vlan-mapping tunnel 12,27 5
switchxxxxxx(config-if)# switchport vlan-mapping tunnel default drop
switchxxxxxx(config-if)# exit
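
The selective tunneling rules above, and the double tagging described under switchport mode, as an added Python model that is not Cisco's code. It replays the commands of Example 2; the class and helper names, the sample frames, the zeroed priority bits and the choice of ethtype dot1ad are assumptions made for illustration.

```python
import struct

# S-VLAN tag Ethernet types selectable with the ethtype command on this page.
TPID = {"dot1q": 0x8100, "dot1ad": 0x88A8, "9100": 0x9100, "9200": 0x9200}
C_TPID = 0x8100  # customer frames carry an ordinary 802.1q tag


def expand(vlan_list):
    """Expand a vlan-list such as '5,7-8' into a set of VLAN IDs."""
    ids = set()
    for part in vlan_list.split(","):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"VLAN range out of bounds: {part}")
        ids.update(range(lo, hi + 1))
    return ids


def tags(frame):
    """Return the (tpid, vid) pairs of the VLAN tags at the front of a frame."""
    out, off = [], 12
    while len(frame) >= off + 4:
        tpid, tci = struct.unpack_from("!HH", frame, off)
        if tpid not in TPID.values():
            break
        out.append((tpid, tci & 0x0FFF))
        off += 4
    return out


class TunnelEdgePort:
    """Hypothetical model of one edge interface in vlan-mapping tunnel mode."""

    def __init__(self, existing_vlans, ethtype="dot1q"):
        self.existing = set(existing_vlans)
        self.s_tpid = TPID[ethtype]
        self.rules = {}        # C-VLAN ID -> S-VLAN ID or "drop"
        self.default = "drop"  # no default action: unspecified C-VLANs are dropped

    def tunnel(self, vlan_list, action):
        """switchport vlan-mapping tunnel {vlan-list | default} {outer-vlan-id | drop}"""
        if action != "drop" and action not in self.existing:
            raise ValueError(f"S-VLAN {action} does not exist, the command fails")
        if vlan_list == "default":
            self.default = action
            return
        ids = expand(vlan_list)
        clash = ids & self.rules.keys()
        if clash:  # vlan-lists on one interface must not share VLAN IDs
            raise ValueError(f"C-VLANs already mapped: {sorted(clash)}")
        self.rules.update(dict.fromkeys(ids, action))

    def from_customer(self, frame):
        """Edge ingress: push the S-VLAN tag, or return None when the frame is dropped."""
        found = tags(frame)
        if not found or found[0][0] != C_TPID:
            return None  # assumption: untagged frames are outside this model
        action = self.rules.get(found[0][1], self.default)
        if action == "drop":
            return None
        s_tag = struct.pack("!HH", self.s_tpid, action)  # priority bits left at 0
        return frame[:12] + s_tag + frame[12:]

    def to_customer(self, frame):
        """Edge egress: strip the outer S-VLAN tag, keeping the original C-VLAN tag."""
        found = tags(frame)
        if not found or found[0][0] != self.s_tpid:
            raise ValueError("frame carries no S-VLAN tag")
        return frame[:12] + frame[16:]


def c_frame(vid, payload=b"constructed payload"):
    """Constructed sample: a C-VLAN tagged IPv4 frame between made-up MAC addresses."""
    macs = bytes.fromhex("02000000000a" "02000000000b")
    return macs + struct.pack("!HHH", C_TPID, vid, 0x0800) + payload


def example_2_port():
    """The interface from Example 2, assuming S-VLANs 5 and 100 were created first."""
    port = TunnelEdgePort(existing_vlans={5, 100}, ethtype="dot1ad")
    port.tunnel("5,7-8", 100)
    port.tunnel("12,27", 5)
    port.tunnel("default", "drop")
    return port


if __name__ == "__main__":
    port = example_2_port()
    for vid in (7, 12, 9):
        out = port.from_customer(c_frame(vid))
        print(vid, "->", "dropped" if out is None else [(hex(t), v) for t, v in tags(out)])
```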

switchport vlan-mapping tunnel l2protocol vlan

To specify the S-VLAN ID used for encapsulation of forwarded untagged Layer 2 frames received on a vlan-mapping tunnel interface, use the switchport vlan-mapping tunnel l2protocol vlan command in Interface (Ethernet, Port Channel) Configuration mode. To restore the default configuration, use the no form of this command.

Syntax

switchport vlan-mapping tunnel l2protocol vlan vlan-id

no switchport vlan-mapping tunnel l2protocol vlan

Parameters

  • vlan-id—Specifies the S-VLAN ID used to encapsulate forwarded untagged Layer 2 frames.

Default Configuration

The VLAN_ID is not defined.

Command Mode

Interface (Ethernet, Port Channel) Configuration mode

User Guidelines

Use the switchport vlan-mapping tunnel l2protocol vlan command to specify the S-VLAN ID used for encapsulation of forwarded untagged Layer 2 frames received on a vlan-mapping tunnel interface. The S-VLAN ID can be that of an S-VLAN already defined on the port or a new one.

If the command is not configured, the allowed untagged Layer 2 frames are not forwarded.

Example

The following example specifies the S-VLAN used for forwarding L2 frames:

switchxxxxxx(config)# interface gi1/0/1
switchxxxxxx(config-if)# switchport vlan-mapping tunnel l2protocol vlan 100
switchxxxxxx(config-if)# exit

switchport vlan-mapping tunnel l2protocol cos

To specify a class of service (CoS) value globally in the S-VLAN tag of Layer 2 frames forwarded to the Provider network, use the switchport vlan-mapping tunnel l2protocol cos command in Global Configuration mode. To restore the default configuration, use the no form of this command.

Syntax

switchport vlan-mapping tunnel l2protocol cos cos-value

no switchport vlan-mapping tunnel l2protocol cos

Parameters

  • cos-value —Specifies the CoS value in range 0..7.

Default Configuration

The cos-value is 5.

Command Mode

Global Configuration mode

User Guidelines

Use the switchport vlan-mapping tunnel l2protocol cos command to specify a class of service (CoS) value globally in the S-VLAN tag of Layer 2 frames forwarded to the Provider network.

Use the no switchport vlan-mapping tunnel l2protocol cos command to return to the default CoS.

Example

The following example specifies the CoS of forwarded L2 frames:

switchxxxxxx(config)# switchport vlan-mapping tunnel l2protocol cos 6

switchport vlan-mapping tunnel l2protocol cos interface

To specify a class of service (CoS) value per interface in the S-VLAN tag of Layer 2 frames forwarded to the Provider network, use the switchport vlan-mapping tunnel l2protocol cos interface command in Interface (Ethernet, Port Channel) Configuration mode. To restore the default configuration, use the no form of this command.

Syntax

switchport vlan-mapping tunnel l2protocol cos interface cos-value

no switchport vlan-mapping tunnel l2protocol cos interface

Parameters

  • cos-value —Specifies the CoS value in range 0..7.

Command Mode

Interface (Ethernet, Port Channel) Configuration mode

User Guidelines

Use the switchport vlan-mapping tunnel l2protocol cos interface command to specify the class of service (CoS) value written into the S-VLAN tag of forwarded Layer 2 frames received on the given vlan-mapping tunnel edge interface and sent to the Provider network.

Use the no switchport vlan-mapping tunnel l2protocol cos interface command, to return to the default CoS on the given vlan-mapping tunnel edge interface.

Example

The following example specifies the CoS of forwarded L2 tunneled frames:

switchxxxxxx(config)# interface gi1/0/1
switchxxxxxx(config-if)# switchport vlan-mapping tunnel l2protocol cos interface 6
switchxxxxxx(config-if)# exit

switchport vlan-mapping tunnel l2protocol drop-threshold

To specify the drop threshold for forwarded L2 packets that can be received on the given vlan-mapping tunnel edge interface (in kilobits per second), use the switchport vlan-mapping tunnel l2protocol drop-threshold command in Interface (Ethernet, Port Channel) Configuration mode. To restore the default configuration, use the no form of this command.

Syntax

switchport vlan-mapping tunnel l2protocol drop-threshold [disable | enable committed-rate-kbps]

no switchport vlan-mapping tunnel l2protocol drop-threshold

Parameters

  • disable - disable drop-threshold on interface

  • enable - enable drop-threshold on interface

  • committed-rate-kbps—Specifies the threshold in kilobits per second (range 8-256)

Default Configuration

Drop-threshold is enabled and rate set to 32 kilobits per second.

Command Mode

Interface (Ethernet, Port Channel) Configuration mode

User Guidelines

Use the switchport vlan-mapping tunnel l2protocol drop-threshold command, to enable or disable drop threshold, and set the drop rate, for received forwarded L2 protocol frames on a given vlan-mapping tunnel edge interface. The frames exceeding this threshold are dropped.

The L2 protocol frames are protocol frames which are tunneled using command switchport vlan-mapping tunnel l2protocol forward.

Use the no switchport vlan-mapping tunnel l2protocol drop-threshold command, to return configuration to default - drop threshold enabled with rate of 32 kilobits per second.

Example

The following example sets the drop threshold to 16 kilobits per second:

switchxxxxxx(config)# interface gi1/0/1
switchxxxxxx(config-if)# switchport vlan-mapping tunnel l2protocol drop-threshold 16
switchxxxxxx(config-if)# exit

switchport vlan-mapping tunnel l2protocol forward

To enable forwarding over the Provider network of untagged Layer 2 frames received on a vlan-mapping tunnel interface, use the switchport vlan-mapping tunnel l2protocol forward command in Interface (Ethernet, Port Channel) Configuration mode. To restore the default configuration, use the no form of this command.

Syntax

switchport vlan-mapping tunnel l2protocol forward [protocol]

no switchport vlan-mapping tunnel l2protocol forward [protocol]

Parameters

  • protocol —Specifies the protocol to which the command is applied. The argument may have one of the following values:

    • cdp

    • lldp

    • stp

    • vtp

If the protocol argument is not configured then the command is applied to all these protocols.

Default Configuration

The Layer 2 frames are not forwarded.

Command Mode

Interface (Ethernet, Port Channel) Configuration mode

User Guidelines

By default, the switch drops L2 PDUs received on edge ports that have the following destination MAC addresses:

  • 01:80:C2:00:00:00-01:80:C2:00:00:FF - with the exception of LACP frame (destination MAC 01:80:C2:00:00:02) which is processed by the edge port

  • 01:00:0C:00:00:00-01:00:0C:FF:FF:FF

  • 01:00:0C:CD:CD:D0

Use the switchport vlan-mapping tunnel l2protocol forward command to enable forwarding over the Provider network of untagged frames of a given Layer 2 protocol received on a vlan-mapping tunnel interface. The received tagged Layer 2 frames are discarded.

When an L2 protocol is forwarded, the switch overwrites the customer destination MAC address with a 'well-known' Multicast address 01:00:0C:CD:CD:D0 before transmitting the frame on a non-edge port.

When a frame whose destination address equals this well-known Multicast address is received on a non-edge port, the switch forwards it to all non-edge ports belonging to the S-VLAN and to all edge ports belonging to the S-VLAN and configured with the forward option for the given protocol.

The switch replaces the 'well-known' destination MAC address with the respective Layer 2 protocol MAC address.

CDP cannot be both enabled and also tunneled on the same interfaces. To enable CDP tunneling on a Port Channel interface, CDP first needs to be disabled on all the members of the Port Channel (active and inactive). Likewise, an Ethernet Interface with CDP enabled cannot be added to a Port Channel on which CDP tunneling is enabled.

LLDP cannot be both enabled and also tunneled on the same interfaces. To enable LLDP tunneling on a Port Channel interface, LLDP first needs to be disabled on all the members of the Port Channel (active and inactive). Likewise, an Ethernet Interface with CDP enabled cannot be added to a Port Channel on which CDP tunneling is enabled.

If tunnel is defined, use the no switchport vlan-mapping tunnel l2protocol forward command without the protocol argument to return to the default treatment of all Layer 2 BPDUs.

Use the no switchport vlan-mapping tunnel l2protocol forward command with the protocol argument to return to the default treatment of the specified protocol BPDUs.

Examples

Example 1—The following example specifies that frames of all four protocols (CDP, LLDP, VTP and STP) will be forwarded:

switchxxxxxx(config)# interface gi1/0/1
switchxxxxxx(config-if)# switchport vlan-mapping tunnel l2protocol forward
switchxxxxxx(config-if)# exit

Example 2—The following example specifies that only CDP and LLDP frames will be forwarded (frames of the other two protocols, STP and VTP, will be dropped):

switchxxxxxx(config)# interface gi1/0/1
switchxxxxxx(config-if)# switchport vlan-mapping tunnel l2protocol forward cdp
switchxxxxxx(config-if)# switchport vlan-mapping tunnel l2protocol forward lldp
switchxxxxxx(config-if)# exit
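
The edge-port handling described in the User Guidelines above can be modeled as follows. This is an added example, not code from the switch or its documentation; the per-protocol destination MAC addresses for STP, LLDP, CDP and VTP are standard values assumed here, and all function names are hypothetical.

```python
# Added illustration: edge-port treatment of Layer 2 PDUs on a vlan-mapping
# tunnel interface, following the User Guidelines of 'l2protocol forward'.
TUNNEL_MAC = "01:00:0c:cd:cd:d0"   # 'well-known' Multicast address from the text
LACP_MAC = "01:80:c2:00:00:02"     # exception: processed by the edge port

# Destination ranges the text says are dropped by default on edge ports.
DEFAULT_DROP_RANGES = (
    ("01:80:c2:00:00:00", "01:80:c2:00:00:ff"),
    ("01:00:0c:00:00:00", "01:00:0c:ff:ff:ff"),  # also covers TUNNEL_MAC
)

# Assumption (standard addressing, not stated on the page). CDP and VTP share
# one destination MAC and are told apart by their SNAP protocol ID.
PROTOCOL_MAC = {
    "stp": "01:80:c2:00:00:00",
    "lldp": "01:80:c2:00:00:0e",
    "cdp": "01:00:0c:cc:cc:cc",
    "vtp": "01:00:0c:cc:cc:cc",
}


def mac_int(mac):
    """Parse aa:bb:cc:dd:ee:ff (any case) into a 48-bit integer."""
    octets = mac.split(":")
    if len(octets) != 6:
        raise ValueError(f"bad MAC address: {mac!r}")
    return int("".join(o.zfill(2) for o in octets), 16)


def in_default_drop_range(dst_mac):
    """True if the destination falls in a range dropped by default."""
    dst = mac_int(dst_mac)
    return any(mac_int(lo) <= dst <= mac_int(hi) for lo, hi in DEFAULT_DROP_RANGES)


def edge_ingress(dst_mac, protocol=None, tagged=False, forward=(), tunnel_svlan=None):
    """Decide what an edge port does with a received frame.

    protocol     -- 'cdp', 'lldp', 'stp', 'vtp', or None for anything else
    forward      -- protocols enabled with '... l2protocol forward [protocol]'
    tunnel_svlan -- S-VLAN from '... l2protocol vlan', None if not configured
    Returns (action, destination MAC sent onward, S-VLAN or None).
    """
    dst = dst_mac.lower()
    if mac_int(dst) == mac_int(LACP_MAC):
        return ("process", dst, None)
    if not in_default_drop_range(dst):
        return ("data", dst, None)            # ordinary traffic, outside this model
    tunnelled = (
        protocol in forward
        and protocol in PROTOCOL_MAC
        and mac_int(PROTOCOL_MAC[protocol]) == mac_int(dst)
        and not tagged                        # tagged L2 frames are discarded
        and tunnel_svlan is not None          # no S-VLAN configured: not forwarded
    )
    if tunnelled:
        return ("tunnel", TUNNEL_MAC, tunnel_svlan)
    return ("drop", dst, None)


def edge_egress(protocol, port_forward):
    """Destination MAC restored when a tunnelled PDU leaves an edge port.

    Returns None when the port is not configured to forward this protocol,
    in which case it receives no copy of the frame.
    """
    if protocol not in port_forward:
        return None
    return PROTOCOL_MAC[protocol]


if __name__ == "__main__":
    enabled = {"cdp", "stp"}                  # constructed port configuration
    for mac, proto in (("01:80:C2:00:00:00", "stp"), ("01:80:C2:00:00:0E", "lldp")):
        print(proto, edge_ingress(mac, proto, forward=enabled, tunnel_svlan=100))
```
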

switchport vlan-mapping one-to-one

To configure one-to-one VLAN translation on an edge interface, use the switchport vlan-mapping one-to-one command in Interface (Ethernet, Port Channel) Configuration mode. To delete the configuration, use the no form of this command.

Syntax

switchport vlan-mapping one-to-one vlan-id translated-vlan-id

no switchport vlan-mapping one-to-one [vlan-id]

Parameters

  • vlan-id—Specifies the external VLAN (E-VLAN) for one-to-one VLAN translation. The range is from 1 to 4094.

  • translated-vlan-id —Specifies B-VLAN replacing the E-VLAN. The range is from 1 to 4094.

Default Configuration

No VLAN mapping is configured.

Command Mode

Interface (Ethernet, Port Channel) Configuration mode

User Guidelines

Use the switchport vlan-mapping one-to-one command to configure selective one-to-one VLAN translation.

The S-VLAN specified by the translated-vlan-id argument must be created before this command is configured. If this VLAN does not exist, the command fails.

A few switchport vlan-mapping one-to-one commands with different arguments can be defined on the same interface.

In the vlan-mapping one-to-one mode an interface belongs to all S-VLANs for which mapping on this interface is defined as egress tagged interface. The interface PVID is set to 4095.

In the vlan-mapping one-to-one mode an interface uses one ingress ACL and one egress ACL. The switchport vlan-mapping one-to-one command adds rules to these ACLs. These ACLs are applied in order to:

  • Ingress ACL (in TTI):

    • Replace specified C-VLAN-ID by S-VLAN-ID.

    • Drop frames with unspecified C-VLAN-IDs.

    • Drop untagged input frames.

  • Egress ACL (in TCAM):

    • Replace S-VLAN-ID by C-VLAN-ID.

The switchport vlan-mapping one-to-one command adds rules to these ACLs and they are bound on the interface only if its mode is vlan-mapping one-to-one.

The ingress ACL contains V+1 rules and the egress ACL contains V rules, where

  • V—The number of specified C-VLANs.

Use the no switchport vlan-mapping one-to-one vlan-id command to delete the one-to-one VLAN translation configuration for the given E-VLAN.

Use the no switchport vlan-mapping one-to-one command to delete all VLAN one-to-one translations.

Example

This example shows how to configure one-to-one VLAN translation on a port:

switchxxxxxx(config)# interface gi1/0/1
switchxxxxxx(config-if)# switchport vlan-mapping one-to-one 5 105
switchxxxxxx(config-if)# switchport vlan-mapping one-to-one 15 5
switchxxxxxx(config-if)# switchport vlan-mapping one-to-one 105 225
switchxxxxxx(config-if)# exit
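
The ACL behavior described in the User Guidelines above is modeled below with the three mappings from the example. This is an added example, not the switch's implementation; the single catch-all drop rule standing for the "+1" ingress rule, the rejection of duplicate VLAN IDs, and all function names are assumptions.

```python
# Added illustration: ingress and egress rule sets for vlan-mapping one-to-one.
VLAN_MIN, VLAN_MAX = 1, 4094

# (C-VLAN, translated S-VLAN) pairs from the example on this page.
PAGE_MAPPINGS = [(5, 105), (15, 5), (105, 225)]


def build_one_to_one_acls(mappings, existing_vlans):
    """Return (ingress_rules, egress_rules) for one interface.

    mappings       -- (c_vlan, s_vlan) pairs, one per configured command
    existing_vlans -- VLAN IDs already created on the switch
    """
    ingress, egress = [], []
    seen_c, seen_s = set(), set()
    for c_vlan, s_vlan in mappings:
        for vid in (c_vlan, s_vlan):
            if not VLAN_MIN <= vid <= VLAN_MAX:
                raise ValueError(f"VLAN {vid} is outside {VLAN_MIN}-{VLAN_MAX}")
        if s_vlan not in existing_vlans:
            # Page: the translated VLAN must exist or the command fails.
            raise ValueError(f"S-VLAN {s_vlan} does not exist")
        if c_vlan in seen_c or s_vlan in seen_s:
            # Restriction of this model: keep the translation reversible.
            raise ValueError(f"duplicate VLAN in mapping {c_vlan}->{s_vlan}")
        seen_c.add(c_vlan)
        seen_s.add(s_vlan)
        ingress.append({"match": c_vlan, "action": "set_vid", "vid": s_vlan})
        egress.append({"match": s_vlan, "action": "set_vid", "vid": c_vlan})
    # The '+1' rule: one catch-all (assumed form) that drops untagged frames
    # and frames whose C-VLAN has no mapping.
    ingress.append({"match": "any", "action": "drop"})
    return ingress, egress


def apply_acl(rules, vid):
    """First-match evaluation; vid is None for an untagged frame.

    Returns the rewritten VLAN ID, or None when the frame is dropped or no
    rule matches it.
    """
    for rule in rules:
        if rule["match"] == "any":
            return None
        if vid is not None and rule["match"] == vid:
            return rule["vid"]
    return None


if __name__ == "__main__":
    ingress, egress = build_one_to_one_acls(PAGE_MAPPINGS, {5, 105, 225})
    print(len(ingress), "ingress rules,", len(egress), "egress rules")
    for vid in (5, 105, 20, None):
        print("ingress", vid, "->", apply_acl(ingress, vid))
```

Note that translation is a single pass: C-VLAN 5 becomes S-VLAN 105 and is not translated again by the separate 105 to 225 rule.
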

map protocol protocols-group

Use the map protocol protocols-group VLAN Configuration mode command to map a protocol to a group of protocols. This protocol group can then be used in . Use the no form of this command to delete a protocol from a group.

Syntax

map protocol protocol [encapsulation-value] protocols-group group

no map protocol protocol [encapsulation]

Parameters

  • protocol—Specifies a 16-bit protocol number or one of the reserved names listed in the User Guidelines. (range: 0x0600–0xFFFF)

  • encapsulation-value—Specifies one of the following values: Ethernet, rfc1042, llcOther.

  • protocols-group group—Specifies the group number of the group of protocols (range: 1–2147483647).

Default Configuration

The default encapsulation value is Ethernet.

Command Mode

VLAN Database Configuration mode

User Guidelines

Forwarding of packets based on their protocol requires setting up groups of protocols and then mapping these groups to VLANs.

The value 0x8100 is not valid as the protocol number for Ethernet encapsulation.

The following protocol names are reserved for Ethernet Encapsulation:

  • ip

  • arp

  • ipv6

  • ipx

Example

The following example maps the IP protocol to protocol group number 213.

switchxxxxxx(config)# vlan database
switchxxxxxx(config-vlan)# map protocol ip protocols-group 213

switchport general map protocols-group vlan

Use the switchport general map protocols-group vlan Interface Configuration mode command to forward packets based on their protocol, otherwise known as setting up a classifying rule. This command forwards packets arriving on an interface containing a specific protocol to a specific VLAN. Use the no form of this command to stop forwarding packets based on their protocol.

Syntax

switchport general map protocols-group group vlan vlan-id

no switchport general map protocols-group group

Parameters

  • group—Specifies the group number as defined in map protocol protocols-group command (range: 1–65535).

  • vlan-id—Defines the VLAN ID in the classifying rule.

Command Mode

Interface (Ethernet, Port Channel) Configuration mode

User Guidelines

The VLAN classification rule priorities are:

  • MAC-based VLAN (best match among the rules)

  • Subnet-based VLAN (best match among the rules)

  • Protocol-based VLAN

  • PVID

Example

The following example forwards packets with protocols belonging to protocol-group 1 to VLAN 8.

switchxxxxxx(config-if)# switchport general map protocols-group 1 vlan 8

show vlan protocols-groups

Use the show vlan protocols-groups EXEC mode command to display the protocols that belong to the defined protocols-groups.

Syntax

show vlan protocols-groups

Command Mode

User EXEC mode

Example

The following example displays protocols-groups information.

switchxxxxxx# show vlan protocols-groups
Encapsulation   Protocol         Group ID
-------------   --------------   --------
Ethernet        0x800 (IP)       1
Ethernet        0x806 (ARP)      1
Ethernet        0x86dd (IPv6)    2
Ethernet        0x8898           3

map mac macs-group

Use the map mac macs-group VLAN Configuration mode command to map a MAC address or range of MAC addresses to a group of MAC addresses. Use the no form of this command to delete the mapping.

Syntax

map mac mac-address {prefix-mask | host} macs-group group

no map mac mac-address {prefix-mask | host}

Parameters

  • mac-address—Specifies the MAC address to be mapped to the group of MAC addresses.

  • prefix-mask—Specifies the number of ones in the mask.

  • host—Specifies that the mask is comprised of all 1s.

  • group—Specifies the group number (range: 1–2147483647)

Command Mode

VLAN Database Configuration mode

User Guidelines

Forwarding of packets based on their MAC address requires setting up groups of MAC addresses and then mapping these groups to VLANs.

Up to 256 MAC addresses (host or range) can be mapped to one or many MAC-based VLAN groups.

Example

The following example creates two groups of MAC addresses, sets a port to general mode and maps the groups of MAC addresses to specific VLANs.

switchxxxxxx(config)# vlan database
switchxxxxxx(config-vlan)# map mac 0000.1111.0000 32 macs-group 1
switchxxxxxx(config-vlan)# map mac 0000.0000.2222 host macs-group 2
switchxxxxxx(config-vlan)# exit
switchxxxxxx(config)# interface gi1/0/4
switchxxxxxx(config-if)# switchport mode general
switchxxxxxx(config-if)# switchport general map macs-group 1 vlan 2
switchxxxxxx(config-if)# switchport general map macs-group 2 vlan 3

switchport general map macs-group vlan

Use the switchport general map macs-group vlan Interface Configuration mode command to set a MAC-based classification rule. Use the no form of this command to delete a classification rule.

Syntax

switchport general map macs-group group vlan vlan-id

no switchport general map macs-group group

Parameters

  • group—Specifies the group number (range: 1–2147483647)

  • vlan-id—Defines the VLAN ID associated with the rule.

Command Mode

Interface (Ethernet, Port Channel) Configuration mode

User Guidelines

MAC-based VLAN rules cannot contain overlapping ranges on the same interface.

The VLAN classification rule priorities are:

  • MAC-based VLAN (best match among the rules)

  • Subnet-based VLAN (best match among the rules)

  • Protocol-based VLAN

  • PVID

Each MAC address (host or range) in the MAC-based group assigned to an interface consumes a single TCAM entry.

Example

The following example creates two groups of MAC addresses, sets a port to general mode and maps the groups of MAC addresses to specific VLANs.

switchxxxxxx(config)# vlan database
switchxxxxxx(config-vlan)# map mac 0000.1111.0000 32 macs-group 1
switchxxxxxx(config-vlan)# map mac 0000.0000.2222 host macs-group 2
switchxxxxxx(config-vlan)# exit
switchxxxxxx(config)# interface gi1/0/4
switchxxxxxx(config-if)# switchport mode general
switchxxxxxx(config-if)# switchport general map macs-group 1 vlan 2
switchxxxxxx(config-if)# switchport general map macs-group 2 vlan 3

show vlan macs-groups

Use the show vlan macs-groups EXEC mode command to display the MAC addresses that belong to the defined MAC-based classification rules.

Syntax

show vlan macs-groups

Default Configuration

Command Mode

User EXEC mode

Example

The following example displays defined MAC-based classification rules.

switchxxxxxx# show vlan macs-groups
     MAC Address              Mask                Group ID
--------------------- --------------------- ---------------------
  00:12:34:56:78:90            20                    22
  00:60:70:4c:73:ff            40                    1

map subnet subnets-group

Use the map subnet subnets-group VLAN Configuration mode command to map an IP subnet to a group of IP subnets. Use the no form of this command to delete the map.

Syntax

map subnet ip-address prefix-mask subnets-group group

no map subnet ip-address prefix-mask

Parameters

  • ip-address—Specifies the IP address prefix of the subnet to be mapped to the group.

  • prefix-mask—Specifies the number of 1s in the mask.

  • group—Specifies the group number. (range: 1–2147483647)

Command Mode

VLAN Database Configuration mode

User Guidelines

Forwarding of packets based on their IP subnet requires setting up groups of IP subnets and then mapping these groups to VLANs.

Example

The following example maps an IP subnet to the group of IP subnets 4. It then maps this group of IP subnets to VLAN 8.

switchxxxxxx(config)# vlan database
switchxxxxxx(config-vlan)# map subnet 172.16.1.1 24 subnets-group 4
switchxxxxxx(config-vlan)# exit
switchxxxxxx(config)# interface gi1/0/4
switchxxxxxx(config-if)# switchport mode general
switchxxxxxx(config-if)# switchport general map subnets-group 4 vlan 8

switchport general map subnets-group vlan

Use the switchport general map subnets-group vlan Interface Configuration mode command to set a subnet-based classification rule. Use the no form of this command to delete a subnet-based classification rule.

Syntax

switchport general map subnets-group group vlan vlan-id

no switchport general map subnets-group group

Parameters

  • group—Specifies the group number. (range: 1–2147483647)

  • vlan-id—Defines the VLAN ID associated with the rule.

Command Mode

Interface (Ethernet, Port Channel) Configuration mode

User Guidelines

The VLAN classification rule priorities are:

  • MAC-based VLAN (Best match among the rules)

  • Subnet-based VLAN (Best match among the rules)

  • Protocol-based VLAN

  • PVID

Example

The following example maps an IP subnet to the group of IP subnets 4. It then maps this group of IP subnets to VLAN 8.

switchxxxxxx(config)# vlan database
switchxxxxxx(config-vlan)# map subnet 172.16.1.1 24 subnets-group 4
switchxxxxxx(config-vlan)# exit
switchxxxxxx(config)# interface gi1/0/4
switchxxxxxx(config-if)# switchport mode general
switchxxxxxx(config-if)# switchport general map subnets-group 4 vlan 8
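
The classification priority list given for the protocols-group, macs-group and subnets-group mapping commands can be exercised with the following added example, which is not part of the original guide. It assumes that "best match" means longest prefix and that subnet rules match the source IP address; the 172.16.0.0/16 rule, the VLAN bound to protocol group 213 and all class and function names are constructed.

```python
# Added illustration: VLAN classification order MAC > subnet > protocol > PVID.
import ipaddress


def parse_mac(text):
    """Accept 0000.1111.0000 or 00:00:11:11:00:00; return a 48-bit integer."""
    digits = "".join(ch for ch in text if ch not in ".:-")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {text!r}")
    return int(digits, 16)


class PortClassifier:
    """Group definitions plus one interface's group-to-VLAN bindings."""

    def __init__(self, pvid):
        self.pvid = pvid
        self.mac_groups = []     # (mac, prefix bits, group)  from 'map mac'
        self.subnet_groups = []  # (network, group)           from 'map subnet'
        self.proto_groups = {}   # ethertype -> group         from 'map protocol'
        self.bindings = {}       # (kind, group) -> VLAN, 'switchport general map'

    def map_mac(self, mac, prefix, group):
        bits = 48 if prefix == "host" else int(prefix)
        if not 0 <= bits <= 48:
            raise ValueError(f"bad MAC prefix length: {prefix!r}")
        self.mac_groups.append((parse_mac(mac), bits, group))

    def map_subnet(self, address, prefix, group):
        net = ipaddress.ip_network(f"{address}/{prefix}", strict=False)
        self.subnet_groups.append((net, group))

    def map_protocol(self, ethertype, group):
        self.proto_groups[ethertype] = group

    def bind(self, kind, group, vlan):
        self.bindings[(kind, group)] = vlan

    def classify(self, src_mac, ethertype, src_ip=None):
        """Return (VLAN ID, name of the rule type that decided it)."""
        mac = parse_mac(src_mac)
        hits = [
            (bits, self.bindings[("mac", group)])
            for rule_mac, bits, group in self.mac_groups
            if ("mac", group) in self.bindings
            and (mac >> (48 - bits)) == (rule_mac >> (48 - bits))
        ]
        if hits:
            return max(hits)[1], "mac"          # longest prefix wins
        if src_ip is not None:
            ip = ipaddress.ip_address(src_ip)
            hits = [
                (net.prefixlen, self.bindings[("subnet", group)])
                for net, group in self.subnet_groups
                if ("subnet", group) in self.bindings and ip in net
            ]
            if hits:
                return max(hits)[1], "subnet"   # longest prefix wins
        group = self.proto_groups.get(ethertype)
        if ("protocol", group) in self.bindings:
            return self.bindings[("protocol", group)], "protocol"
        return self.pvid, "pvid"


def build_page_port():
    """Rules taken from the examples on this page, plus two constructed ones."""
    port = PortClassifier(pvid=1)
    port.map_mac("0000.1111.0000", 32, 1)
    port.map_mac("0000.0000.2222", "host", 2)
    port.bind("mac", 1, 2)
    port.bind("mac", 2, 3)
    port.map_subnet("172.16.1.1", 24, 4)
    port.bind("subnet", 4, 8)
    port.map_subnet("172.16.0.0", 16, 5)    # constructed wider subnet
    port.bind("subnet", 5, 9)               # constructed binding
    port.map_protocol(0x0800, 213)          # 'map protocol ip protocols-group 213'
    port.bind("protocol", 213, 19)          # constructed binding
    return port


if __name__ == "__main__":
    port = build_page_port()
    print(port.classify("00:00:11:11:ab:cd", 0x0800, "172.16.1.50"))
    print(port.classify("aa:bb:cc:00:00:01", 0x0806))
```
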

show vlan subnets-groups

Use the show vlan subnets-groups EXEC mode command to display subnets-groups information.

Syntax

show vlan subnets-groups

Command Mode

User EXEC mode

Example

The following example displays subnets-groups information.

switchxxxxxx# show vlan subnets-groups
IP Subnet Address    Mask        Group ID
----------------- ----------- --------------
     1.1.1.1          32            1
   172.16.2.0         24            2

show interfaces switchport

Use the show interfaces switchport Privileged EXEC command to display the administrative and operational status of all interfaces or a specific interface.

Syntax

show interfaces switchport [interface-id]

Parameters

  • interface-id—Specifies an interface ID. The interface ID can be one of the following types: Ethernet port or port-channel.

Command Mode

Privileged EXEC mode

Default

Displays the status of all interfaces.

User Guidelines

Each port mode has its own private configuration. The show interfaces switchport command displays all these configurations, but only the port mode configuration that corresponds to the current port mode displayed in "Administrative Mode" is active.

Example

switchxxxxxx# show interfaces switchport gi1/0/1
Gathering information...
S-VLAN Ethernet Type: 0x88a8 (802.1ad)
VLAN Mapping Tunnel L2 protocols Global CoS: 6
Name: gi1/0/1
Switchport: enable
Administrative Mode: access
Operational Mode: down
Access Mode VLAN: 1
Access Multicast TV VLAN: none
Trunking Native Mode VLAN: 1
Trunking VLANs: 1
                2-4094 (Inactive)
General PVID: 1
General VLANs: none
General Egress Tagged VLANs: none
General Forbidden VLANs: none
General Ingress Filtering: enabled
General Acceptable Frame Type: all
General GVRP status: Enabled
General GVRP VLANs: none
Customer Mode VLAN: none
VLAN Mapping Tunnel:
S-VLAN Ethernet Type: 0x8100 (802.1q)
C-VLANs                 Outer S-VLAN
--------------------    ------------
2                       12
12,16-18                100
default                 1100
VLAN Mapping Tunnel L2 protocols S-VLAN: 100
VLAN Mapping Tunnel L2 protocols Interface CoS: 6 (global)
VLAN Mapping Tunnel L2 protocols forward enabled: cdp,stp
Drop Threshold: 4 kbps (default)
VLAN Mapping One-to-one:
C-VLANs                 Translated S-VLAN
--------------------    ----------------------
2                       102
12                      112
100                     10
Private-vlan promiscuous-association primary VLAN: none
Private-vlan promiscuous-association Secondary VLANs: none
Private-vlan host-association primary VLAN: none
Private-vlan host-association Secondary VLAN: none
Protected: Enabled, Uplink is gi1/0/1
Classification rules:
Classification Type   Group ID   VLAN ID
-------------------   --------   -------
Protocol                   1        19
Protocol                   1        20
Protocol                   2        72
Subnet                     1        15
MAC                        1        77

private-vlan

Use the private-vlan Interface VLAN Configuration mode command to configure a private VLAN. Use the no form of this command to return the VLAN to normal VLAN configuration.

Syntax

private-vlan {primary | community | isolated}

no private-vlan

Parameters

  • primary—Designate the VLAN as a primary VLAN.

  • community—Designate the VLAN as a community VLAN.

  • isolated—Designate the VLAN as an isolated VLAN.

Default Configuration

No private VLANs are configured.

Command Mode

Interface (VLAN) Configuration mode

User Guidelines

  • The VLAN type cannot be changed if there is a private VLAN port that is a member in the VLAN.

  • The VLAN type cannot be changed if it is associated with other private VLANs.

  • The VLAN type is not kept as a property of the VLAN when the VLAN is deleted.

Example

The following example sets VLAN 2 to be a primary VLAN:

switchxxxxxx(config)# interface vlan 2
switchxxxxxx(config-if)# private-vlan primary

private-vlan association

Use the private-vlan association Interface VLAN Configuration mode command to configure the association between the primary VLAN and secondary VLANs. Use the no form of this command to remove the association.

Syntax

private-vlan association [add | remove] secondary-vlan-list

no private-vlan association

Parameters

  • add secondary-vlan-list—List of VLAN IDs of type secondary to add to a primary VLAN. Separate nonconsecutive VLAN IDs with a comma and no spaces. Use a hyphen to designate a range of IDs. This is the default action.

  • remove secondary-vlan-list—List of VLAN IDs of type secondary to remove association from a primary VLAN. Separate nonconsecutive VLAN IDs with a comma and no spaces. Use a hyphen to designate a range of IDs.

Default Configuration

No private VLANs are configured.

Command Mode

Interface (VLAN) Configuration mode

User Guidelines

  • The command can only be executed in the context of the primary VLAN.

  • A private VLAN cannot be removed or have its type changed, if it is associated with other private VLANs.

  • A primary VLAN can be associated with only a single, isolated VLAN.

  • A secondary VLAN can be associated with only one primary VLAN.

  • The association of secondary VLANs with a primary VLAN cannot be removed if there are private VLAN ports that are members in the secondary VLAN.

  • In MSTP mode, all the VLANs that are associated with a private VLAN must be mapped to the same instance.

Example

The following example associates secondary VLANs 20, 21, 22 and 24 with primary VLAN 2.

switchxxxxxx(config)# interface vlan 2
switchxxxxxx(config-if)# private-vlan association add 20-22,24

switchport private-vlan mapping

Use the switchport private-vlan mapping Interface Configuration mode command to configure the VLANs of the private VLAN promiscuous port. Use the no form of this command to reset to default.

Syntax

switchport private-vlan mapping primary-vlan-id [add | remove] secondary-vlan-list

no switchport private-vlan mapping

Parameters

  • primary-vlan-id —The VLAN ID of the primary VLAN.

  • add secondary-vlan-list—Specifies one or more secondary VLANs to be added to the port.

  • remove secondary-vlan-list—Specifies one or more secondary VLANs to be removed from the port.

Default Configuration

No VLAN is configured.

Command Mode

Interface (Ethernet, Port Channel) Configuration mode

User Guidelines

The secondary VLANs should be associated with the primary VLANs, otherwise the configuration is not accepted.

Example

The following example adds promiscuous port gi1/0/4 to primary VLAN 10 and to secondary VLAN 20.

switchxxxxxx(config)# interface gi1/0/4
switchxxxxxx(config-if)# switchport private-vlan mapping 10 add 20

switchport private-vlan host-association

Use the switchport private-vlan host-association Interface Configuration mode command to configure the association of a host port with primary and secondary VLANs of the private VLAN. Use the no form of this command to reset to default.

Syntax

switchport private-vlan host-association primary-vlan-id secondary-vlan-id

no switchport private-vlan host-association

Parameters

  • primary-vlan-id—The VLAN ID of the primary VLAN.

  • secondary-vlan-id—Specifies the secondary VLAN.

Default Configuration

No association.

Command Mode

Interface (Ethernet, Port Channel) Configuration mode

User Guidelines

The secondary VLAN must be associated with the primary VLAN, otherwise the configuration is not accepted. See the private-vlan association command.

The port association configuration depends on the type of the secondary VLAN.

The port association configuration for a community secondary VLAN includes:

  • The port is added as untagged to the primary VLAN and to the secondary VLAN.

  • The PVID is set to the VLAN-ID of the secondary VLAN.

  • The port ingress filtering is enabled.

The port association configuration for an isolated secondary VLAN includes:

  • The port is added as untagged only to the primary VLAN and is not added to the secondary VLAN.

  • The PVID is set to the VLAN-ID of the secondary VLAN.

  • The port ingress filtering is disabled.

Example

The following example sets port gi1/0/4 to secondary VLAN 20 in primary VLAN 10.

switchxxxxxx(config)# interface gi1/0/4
switchxxxxxx(config-if)# switchport private-vlan host-association 10 20
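
The membership and PVID rules listed above for community and isolated host ports determine which ports can exchange frames. The following added example, which is not from the original guide, derives that reachability and checks the association constraints from the private-vlan association guidelines; the promiscuous port's PVID being the primary VLAN, the port names, VLAN 21 and all function names are assumptions.

```python
# Added illustration: private VLAN reachability derived from PVID and membership.

def promiscuous_port(primary, secondaries):
    """'switchport private-vlan mapping': member of the primary and the listed
    secondary VLANs. PVID = primary is an assumption of this model."""
    return {"pvid": primary, "member_of": {primary, *secondaries}}


def host_port(primary, secondary, secondary_type):
    """'switchport private-vlan host-association', per the User Guidelines."""
    if secondary_type == "community":
        # Untagged member of both VLANs; PVID is the secondary VLAN.
        return {"pvid": secondary, "member_of": {primary, secondary}}
    if secondary_type == "isolated":
        # Member of the primary VLAN only; PVID is still the secondary VLAN,
        # which is why ingress filtering is disabled on this port.
        return {"pvid": secondary, "member_of": {primary}}
    raise ValueError(f"unknown secondary VLAN type: {secondary_type!r}")


def reachable(ports, src):
    """Ports that can receive a frame sent by src.

    The frame is classified into src's PVID and may leave on any other port
    that is a member of that VLAN.
    """
    vlan = ports[src]["pvid"]
    return sorted(
        name for name, port in ports.items()
        if name != src and vlan in port["member_of"]
    )


def check_association(associations):
    """Check {primary: {secondary: type}} against the association guidelines.

    Returns a list of violation messages (empty when the layout is valid).
    """
    problems, owner = [], {}
    for primary, secondaries in associations.items():
        isolated = sorted(v for v, kind in secondaries.items() if kind == "isolated")
        if len(isolated) > 1:
            problems.append(f"primary {primary}: more than one isolated VLAN {isolated}")
        for vlan in secondaries:
            if vlan in owner and owner[vlan] != primary:
                problems.append(
                    f"secondary {vlan}: associated with primaries {owner[vlan]} and {primary}"
                )
            owner.setdefault(vlan, primary)
    return problems


def build_sample_ports():
    """Constructed layout: primary 10, isolated 20, community 21."""
    return {
        "uplink": promiscuous_port(10, [20, 21]),
        "hostA": host_port(10, 20, "isolated"),
        "hostB": host_port(10, 20, "isolated"),
        "hostC": host_port(10, 21, "community"),
        "hostD": host_port(10, 21, "community"),
    }


if __name__ == "__main__":
    ports = build_sample_ports()
    for name in ports:
        print(f"{name:7} -> {', '.join(reachable(ports, name))}")
```
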

show vlan private-vlan

Use the show vlan private-vlan EXEC mode command to display private VLAN information.

Syntax

show vlan private-vlan [tag vlan-id]

Parameters

  • tag vlan-id—Primary VLAN that represents the private VLAN to be displayed.

Default Configuration

All private VLANs are displayed.

Command Mode

User EXEC mode

User Guidelines

The show vlan private-vlan command does not include non-private VLAN ports that are members in private VLANs. Specifying the tag parameter with a non-primary VLAN results in empty show output.

Example

switchxxxxxx# show vlan private-vlan
  Primary    Secondary     Type             Ports
----------- ----------- ----------- ----------------------
    150                   primary           gi1/0/1
    150         151       isolated          gi1/0/2
    160                   primary           gi1/0/3
    160         161       community         gi1/0/4
switchxxxxxx# show vlan private-vlan 150
  Primary    Secondary     Type             Ports
----------- ----------- ----------- ----------------------
    150                   primary           gi1/0/1
    150         151       isolated          gi1/0/4

switchport access multicast-tv vlan

To assign a Multicast-TV VLAN to an access port, use the switchport access multicast-tv vlan command in Interface (Ethernet, Port Channel) Configuration mode. To return to the default, use the no form of the command.

Syntax

switchport access multicast-tv vlan vlan-id

no switchport access multicast-tv vlan

Parameters

  • vlan-id—Specifies the Multicast TV VLAN ID.

Default Configuration

Receiving Multicast transmissions is disabled.

Command Mode

Interface (Ethernet, Port Channel) Configuration mode

User Guidelines

When the port is assigned to a different Multicast-TV VLAN, it is automatically removed from its previous VLAN and added to the new Multicast-TV VLAN.

When an existing Multicast-TV VLAN is assigned to an access port, the multicast messages received on a member of the Multicast-TV VLAN are forwarded to the access port. All messages received on the access port are bridged only into its Access VLAN.

Example

The following example enables gi1/0/4 to receive Multicast transmissions from VLAN 11.

switchxxxxxx(config)# interface gi1/0/4
switchxxxxxx(config-if)# switchport access multicast-tv vlan 11

switchport customer multicast-tv vlan

To assign Multicast-TV VLANs to a customer port, use the switchport customer multicast-tv vlan command in Interface (Ethernet, Port Channel) Configuration mode. To return to the default, use the no form of the command.

Syntax

switchport customer multicast-tv vlan {add vlan-list | remove vlan-list}

Parameters

  • add vlan-list—Specifies a list of Multicast TV VLANs to add to interface.

  • remove vlan-list—Specifies a list of Multicast TV VLANs to remove from interface.

Default Configuration

The port is not a member in any Multicast TV VLAN.

Command Mode

Interface (Ethernet, Port Channel) Configuration mode

User Guidelines

When an existing Multicast-TV VLAN is assigned to a customer port, the multicast messages received on a member of the Multicast-TV VLAN are forwarded to the customer port. All messages received on the customer port are not bridged only into the Multicast-TV VLAN.

Example

The following example enables gi1/0/4 to receive Multicast transmissions from VLANs 5, 6, 7.

switchxxxxxx(config)# interface gi1/0/4
switchxxxxxx(config-if)# switchport customer multicast-tv vlan add 5-7

show vlan multicast-tv

Use the show vlan multicast-tv EXEC mode command to display the source and receiver ports of a Multicast-TV VLAN. Source ports can transmit and receive traffic to/from the VLAN, while receiver ports can only receive traffic from the VLAN.

Syntax

show vlan multicast-tv vlan vlan-id

Parameters

  • vlan-id—Specifies the VLAN ID.

Command Mode

User EXEC mode

Example

The following example displays information on the source and receiver ports of Multicast-TV VLAN 1000.

switchxxxxxx# show vlan multicast-tv vlan 1000
Source Ports
------------
gi1/0/3, gi1/0/4
Receiver Ports
----------------------
gi1/0/1-2

vlan prohibit-internal-usage

Use the vlan prohibit-internal-usage command in Global configuration mode to specify VLANs that cannot be used by the switch as internal VLANs.

Syntax

vlan prohibit-internal-usage none | {add | except | remove} vlan-list

Parameters

  • none—The Prohibit Internal Usage VLAN list is empty: any VLAN can be used by the switch as internal.

  • except—The Prohibit Internal Usage VLAN list includes all VLANs except the VLANs specified by the vlan-list argument: only the VLANs specified by the vlan-list argument can be used by the switch as internal.

  • add—Add the given VLANs to the Prohibit Internal Usage VLAN list.

  • remove—Remove the given VLANs from the Prohibit Internal Usage VLAN list.

  • vlan-list—List of VLAN. Separate nonconsecutive VLAN IDs with a comma and no spaces. Use a hyphen to designate a range of IDs. The VLAN ID that can be used is from 1 through 4094.

Default Configuration

The Prohibit Internal usage VLAN list is empty.

Command Mode

Global Configuration mode

User Guidelines

The switch requires an internal VLAN in the following cases:

  • One VLAN for each IP interface defined directly on an Ethernet port or on a Port channel.

  • One VLAN for each IPv6 tunnel.

  • One VLAN for 802.1x.

When a switch needs an internal VLAN it takes a free VLAN with the highest VLAN ID.

Use the vlan prohibit-internal-usage command to define a list of VLANs that cannot be used as internal VLANs after reload.

If a VLAN was chosen by the software for internal usage, but you want to use that VLAN for a static or dynamic VLAN, do one of the following

  • Add the VLAN to the Prohibited User Reserved VLAN list.

  • Copy the Running Configuration file to the Startup Configuration file

  • Reload the switch

  • Create the VLAN

Examples

Example 1—The following example specifies that VLANs 4010, 4012, and 4090-4094 cannot be used as internal VLANs:

vlan prohibit-internal-usage add 4010,4012,4090-4094

Example 2—The following specifies that all VLANs except 4000-4107 cannot be used as internal VLANs:

vlan prohibit-internal-usage all
vlan prohibit-internal-usage remove 4000-4107

Example 3—The following specifies that all VLANs except 4000-4107 cannot be used as internal VLANs:

vlan prohibit-internal-usage except 4000-4107

show vlan internal usage

Use the show vlan internal usage Privileged EXEC mode command to display a list of VLANs used internally by the device (defined by the user).

Syntax

show vlan internal usage

Command Mode

Privileged EXEC mode

Example

The following example displays VLANs used internally by the switch:

show vlan internal usage

User Reserved VLAN list after reset: 4010,4012,4080-4094
Current User Reserved VLAN list: 4010,4012,4090-4094
VLAN   Usage
----   --------
4089   gi1/0/2
4088   gi1/0/3
4087   tunnel 1
4086   802.1x
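
The allocation rule from the vlan prohibit-internal-usage guidelines (take the free VLAN with the highest ID, skipping the prohibited list) reproduces the usage table above. This is an added example, not the switch's code; the function names, the set of VLANs already in use and the order in which consumers are served are assumptions.

```python
# Added illustration: internal VLAN selection with a Prohibit Internal Usage list.
ALL_VLANS = frozenset(range(1, 4095))   # VLAN IDs 1 through 4094


def parse_vlan_list(text):
    """'4010,4012,4090-4094' -> set of VLAN IDs (commas and hyphen ranges)."""
    vlans = set()
    for part in text.split(","):
        low, _, high = part.partition("-")
        first, last = int(low), int(high or low)
        if not 1 <= first <= last <= 4094:
            raise ValueError(f"bad VLAN range: {part!r}")
        vlans.update(range(first, last + 1))
    return vlans


def update_prohibit_list(current, keyword, vlan_list=None):
    """Apply 'none', 'add', 'remove' or 'except' to the prohibited list."""
    if keyword == "none":
        return set()
    vlans = parse_vlan_list(vlan_list)
    if keyword == "add":
        return set(current) | vlans
    if keyword == "remove":
        return set(current) - vlans
    if keyword == "except":
        return set(ALL_VLANS) - vlans   # only the listed VLANs stay usable
    raise ValueError(f"unknown keyword: {keyword!r}")


def allocate_internal_vlans(consumers, prohibited, in_use):
    """Give each consumer the highest free VLAN ID not on the prohibited list.

    consumers  -- names needing an internal VLAN, served in the given order
    prohibited -- Prohibit Internal Usage VLAN list
    in_use     -- VLAN IDs that already exist (static or dynamic VLANs)
    """
    taken = set(in_use)
    result = {}
    for name in consumers:
        vid = next(
            (v for v in range(4094, 0, -1) if v not in prohibited and v not in taken),
            None,
        )
        if vid is None:
            raise RuntimeError(f"no free VLAN for {name}")
        taken.add(vid)
        result[name] = vid
    return result


if __name__ == "__main__":
    # Current User Reserved VLAN list from the output above.
    prohibited = update_prohibit_list(set(), "add", "4010,4012,4090-4094")
    consumers = ["gi1/0/2", "gi1/0/3", "tunnel 1", "802.1x"]
    for name, vid in allocate_internal_vlans(consumers, prohibited, {1}).items():
        print(vid, name)
```
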