Virtual LANs (VLANs)

This chapter describes Arista’s Virtual LANs (VLANs) implementation and MAC address tables.

VLAN Introduction

Arista switches support industry standard 802.1q VLANs. Arista EOS provides tools to manage and extend VLANs throughout the data center network.

VLAN Conceptual Overview

VLAN Definition

A virtual local area network (VLAN) allows a group of devices to communicate as if they were in the same network regardless of their physical location. VLANs are Layer 2 structures based on the 802.1Q standard.

These parameters are associated with a VLAN:
  • VLAN number (1-4094): VLAN numbers uniquely identify the VLAN within a network. VLAN 1 exists by default; all other VLANs only exist after they are configured.
  • VLAN name (optional): The VLAN name is a text string that describes the VLAN.
  • VLAN state (active or suspended): The state specifies the VLAN transmission status within the switch. In the suspended state, VLAN traffic is blocked on all switch ports. The default state is active.

VLANs define Layer 2 broadcast domains in a Layer 2 network, in which each device can receive broadcast frames sent by any other within the domain. Switches accommodating multiple broadcast domains serve as multi-port bridges where each broadcast domain is a distinct virtual bridge. Traffic does not pass directly between different VLANs within a switch or between two switches.

VLAN Switching

Ethernet and port channel interfaces are configured as switched ports by default. Switched ports are configurable as members of one or more VLANs. Switched ports ignore all IP-level configuration commands, including IP address assignments.

VLAN Trunking and Trunk Groups

Trunking extends multiple VLANs beyond the switch through a common interface or port channel.

A trunk group is the set of physical interfaces that comprise the trunk and the collection of VLANs whose traffic is carried on the trunk. The traffic of a VLAN that belongs to one or more trunk groups is carried only on ports that are members of trunk groups to which the VLAN belongs, i.e., VLANs configured in a trunk group are pruned of all ports that are not associated with the trunk group. See the Trunk Ports example section for further details.

Note: Be cautious when using allowed VLAN lists or trunk groups to ensure that the VLAN topology is consistent with any Layer-2 control protocol topology, or unpredictable results can occur.

VLAN traffic is carried through Ethernet or LAG ports. A port’s switchport mode defines the number of VLANs for which the port can carry traffic.
  • Access ports carry traffic for one VLAN – the access VLAN. Access ports associate untagged frames with the access VLAN. Access ports drop tagged frames that are not tagged with the access VLAN.
  • Trunk ports carry traffic for multiple VLANs. Tagged frames specify the VLAN for which trunk ports process packets.

Q-in-Q Trunking

A Q-in-Q network is a multi-tier layer 2 VLAN network. A typical Q-in-Q network is composed of a service provider network (tier 1) where each node connects to a customer network (tier 2).

802.1ad is a networking standard that supports Q-in-Q networks by allowing multiple 802.1Q tags in an Ethernet frame.

Each interface in a customer network is assigned to a customer-VLAN (c-VLAN). Packets in c-VLANs contain 802.1q tags that switch traffic within the network. c-VLANs access the service provider VLAN (s-VLAN) through a provider switch. Customer switch ports connect to an s-VLAN through provider switch edge ports, which are configured as dot1q ports and operate as follows:
  • Inbound traffic (from customer switches): adds an s-VLAN tag, then forwards packets to the provider network.
  • Outbound traffic (to customer switches): removes the s-VLAN tag, then forwards packets to the customer network.

TPID (Configurable Ethertypes)

By default, VLAN-tagged packets carry a Tag Protocol Identifier (TPID) of 0x8100. On some Arista platforms, however, the TPID of a switchport can be modified in accordance with IEEE 802.1ad to allow for the use of 802.1q TPIDs other than 0x8100. Well known and standard tags include:

  • 0x8100     customer VLAN.
  • 0x88a8     service VLAN tag used in provider bridging.
  • 0x9100     service VLAN tag used in provider bridging (common, but not standardized).

Other non-standard TPID values may also be configured for interoperability with legacy equipment or non-standard systems. Values range from 0x600 (1536) through 0xFFFF (65535).

Non-default TPID values are most commonly used for provider bridging on a network-to-network interface.
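
Added example (not from the Arista documentation): a parser for the tag stack described in the Q-in-Q and TPID sections, together with the tag push and pop performed at the provider edge. The MAC addresses, frame bytes, VLAN numbers 100 and 60, and all function names are constructed for illustration.

```python
import struct

# TPIDs this page lists as well known; the descriptions are labels for this example.
KNOWN_TPIDS = {
    0x8100: "customer VLAN (802.1Q)",
    0x88A8: "service VLAN (802.1ad)",
    0x9100: "service VLAN (non-standard)",
}


def parse_vlan_tags(frame, tpids=KNOWN_TPIDS):
    """Walk the VLAN tag stack of an Ethernet frame.

    Returns (tags, ethertype). tags is outermost first, each a dict with
    tpid, pcp, dei and vid. ethertype is the first type field that is not
    in `tpids`, i.e. what this parser believes the payload to be.
    """
    offset = 12  # skip destination and source MAC addresses
    tags = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame truncated before ethertype")
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype not in tpids:
            return tags, etype
        if len(frame) < offset + 4:
            raise ValueError("frame truncated inside VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({"tpid": etype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4


def push_tag(frame, vid, tpid=0x8100, pcp=0):
    """Inbound at the provider edge: add an outer tag in front of any existing tags."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN number must be 1-4094")
    if not 0x600 <= tpid <= 0xFFFF:
        raise ValueError("TPID must be 0x600-0xFFFF")
    if not 0 <= pcp <= 7:
        raise ValueError("priority must be 0-7")
    tag = struct.pack("!HH", tpid, (pcp << 13) | vid)
    return frame[:12] + tag + frame[12:]


def pop_outer_tag(frame, tpid):
    """Outbound at the provider edge: remove the outer tag.

    The tag is removed only when its TPID is the one expected on the port.
    """
    (outer,) = struct.unpack_from("!H", frame, 12)
    if outer != tpid:
        raise ValueError("outer TPID 0x%04x is not 0x%04x" % (outer, tpid))
    return frame[:12] + frame[16:]


# Constructed sample: a frame with a dummy 20-byte IPv4 payload, tagged c-VLAN 100.
DST = bytes.fromhex("020000000002")
SRC = bytes.fromhex("020000000001")
UNTAGGED = DST + SRC + struct.pack("!H", 0x0800) + b"\x45" + bytes(19)
CUSTOMER_FRAME = push_tag(UNTAGGED, 100)
# The same frame after the provider edge adds s-VLAN 60 with TPID 0x9100.
PROVIDER_FRAME = push_tag(CUSTOMER_FRAME, 60, tpid=0x9100)

if __name__ == "__main__":
    for label, accepted in (("page TPIDs", KNOWN_TPIDS), ("0x8100 only", {0x8100})):
        tags, etype = parse_vlan_tags(PROVIDER_FRAME, accepted)
        print(label, [(hex(t["tpid"]), t["vid"]) for t in tags], hex(etype))
```

Parsing the provider frame with only 0x8100 accepted yields no tags and an ethertype of 0x9100, which is how a capture tool or sensor that does not know the service TPID sees provider-tagged traffic.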

VLAN Routing

Each VLAN can be associated with a Switch Virtual Interface (SVI), also called a VLAN interface. The VLAN interface functions in a routed network (Layer 3) with an assigned IP subnet address. Connecting different VLANs requires Layer 3 networking.

VLAN Interfaces

A Switched Virtual Interface (SVI) connects to the VLAN segment on the switch to provide Layer 3 processing for packets from the VLAN. An SVI can be activated only after it is connected to a VLAN. An SVI is typically configured for a VLAN as the default gateway for a subnet, to facilitate traffic routing with other subnets.

In a Layer 3 network, each VLAN SVI is associated with an IP subnet, with all stations in the subnet members of the VLAN. Traffic between different VLANs is routed when IP routing is enabled.

Internal VLANs

A routed port is an Ethernet or port channel interface that functions as a Layer 3 interface. Routed ports do not bridge frames nor switch VLAN traffic. Routed ports have IP addresses assigned to them and packets are routed directly to and from the port.

The switch allocates an internal VLAN for an interface when it is configured as a routed port. The internal VLAN is assigned a previously unused VLAN ID. The switch prohibits the subsequent configuration of VLANs and VLAN interfaces with IDs corresponding to allocated internal VLANs.

Support for Private VLAN

Private VLAN is a feature that segregates a regular VLAN broadcast domain while maintaining all ports in the same IP subnet. There are three types of VLAN within a private VLAN:
  1. Primary VLAN: Ports in the primary VLAN can send and/or receive traffic from ports in all the corresponding PVLANs. There is only one primary VLAN in a private VLAN.
  2. Community VLAN: This is a secondary VLAN. Hosts in a community VLAN forward traffic to each other as well as ports in the primary VLAN. There are multiple community VLANs in a private VLAN.
  3. Isolated VLAN: This is a secondary VLAN. Hosts in an isolated VLAN only forward traffic to ports in the primary VLAN. Hosts within an isolated VLAN cannot communicate with each other using bridging. There are multiple isolated VLANs in a private VLAN.

Limitations
On DCS-7280R, DCS-7280R2, DCS-7500R, DCS-7500R2, DCS-7020R
  • Private VLAN and Algomatch features are mutually exclusive. Disable algomatch with the hardware access-list mechanism tcam command. Note that this requires a reload of the system to take effect.
  • L2 and L3 multicast traffic is not supported.
On All Platforms except 7300X3, CCS-720XP, DCS-7050X3

Private VLAN and IPv4/IPv6 uRPF features are mutually exclusive.

On All Platforms
  • Tunnel termination on PVLAN ports is not supported.
  • Ingress IPv4/IPv6 RACLs on the primary VLAN are not honored for packets ingressing through ports in secondary VLANs.
  • Only isolated private VLAN trunks and normal trunk ports are supported. This allows trunk ports to forward and receive traffic for all primary and/or secondary VLANs. An isolated trunk translates traffic coming in on a primary VLAN to the lowest valued secondary VLAN on the trunk port.
  • Private VLAN is not supported on L2 subinterfaces.
  • Hardware accelerated Sflow is not supported on Private VLAN ports.
  • VLAN Mapping and/or Translation is not supported with Private VLAN.

Show Commands
  • Use the show vlan private-vlan command to display the primary and secondary defined VLANs:
    switch#show vlan private-vlan
    Primary Secondary Type         Ports
    ------- --------- ----------- ------------------------
    100      101      community    Et1, Et6
    100      102      isolated     Et1, Et7, Et8
    200      201      community    Et10, Et9
  • Use the show vlan 100,101,102,200,201 command to display which interfaces are members of which VLANs:
    #show vlan 100,101,102,200,201
    VLAN  Name          Status    Ports
    ----- ------------- --------- -------------------------------
    100   VLAN0100      active    Et1, Et6+, Et7+, Et8+
    101   VLAN0101      active    Et1+, Et6
    102   VLAN0102      active    Et1+, Et7, Et8
    200   VLAN0200      active    Et10
    201   VLAN0201      active    Et10+, Et9
    
    + indicates a private VLAN promoted port

Promoted ports are displayed to indicate they are part of the same broadcast domain as the indicated VLAN. Interfaces in a primary VLAN are included in the display of all its associated secondary VLANs. Interfaces in secondary VLANs are included in the display of both its primary VLAN and its own domain.

On DCS-7280R, DCS-7280R2, DCS-7500R, DCS-7500R2, DCS-7020R
Use the show platform sand pvlan interfaces command to display the status of the interfaces configured in a private VLAN.
switch#show platform sand pvlan interfaces
Interface          Secondary   Primary     State
                        VLAN      VLAN
-----------------  ----------  ----------  ---------
Ethernet6                 101         100  enabled
Ethernet7                 102         100  enabled
Ethernet8                 102         100  enabled
Po1                       102         100  enabled
Ethernet9                 201         200  failed
Po2                       202         200  failed

In this output, the Secondary VLAN column indicates the VLAN which is configured on the interface. The Primary VLAN column indicates the primary VLAN to which the secondary VLAN belongs. The State field has three possible values: enabled, failed, and configured. The enabled state indicates that the private VLAN is configured and enabled on that interface. The failed state indicates that the private VLAN configuration has failed for that interface. The configured state indicates that private VLAN is configured on that interface but has not taken effect.

When port channels are configured in a private VLAN, it is enabled only if entries for all the member interfaces are successfully programmed in the hardware. If the hardware entries for any one of the member interfaces fail, the entries for the other member interfaces are also removed from the hardware and the state is marked as failed.
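
Added example (not Arista code): the primary, community and isolated forwarding rules of this section, checked against the two sample outputs of show vlan private-vlan and show vlan shown above. It assumes access ports, so that each port has exactly one VLAN of its own; the function names are hypothetical.

```python
import re
from itertools import combinations

# Sample output copied from this page, embedded so the example runs offline.
SHOW_PVLAN = """\
Primary Secondary Type         Ports
------- --------- ----------- ------------------------
100      101      community    Et1, Et6
100      102      isolated     Et1, Et7, Et8
200      201      community    Et10, Et9
"""

SHOW_VLAN = """\
VLAN  Name          Status    Ports
----- ------------- --------- -------------------------------
100   VLAN0100      active    Et1, Et6+, Et7+, Et8+
101   VLAN0101      active    Et1+, Et6
102   VLAN0102      active    Et1+, Et7, Et8
200   VLAN0200      active    Et10
201   VLAN0201      active    Et10+, Et9
"""


def parse_pvlan_map(text):
    """Return {secondary_vlan: (primary_vlan, type)} from 'show vlan private-vlan'."""
    mapping = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\d+)\s+(community|isolated)\b", line)
        if m:
            mapping[int(m.group(2))] = (int(m.group(1)), m.group(3))
    return mapping


def parse_port_vlans(text):
    """Return {port: vlan} from 'show vlan', skipping promoted ('+') entries.

    A promoted entry only says the port shares the broadcast domain; the
    entry without '+' is the VLAN the port is actually configured in.
    """
    own = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+\S+\s+(active|suspended)\s*(.*)$", line)
        if not m:
            continue
        for port in (p.strip() for p in m.group(3).split(",")):
            if port and not port.endswith("+"):
                own[port] = int(m.group(1))
    return own


def can_bridge(port_a, port_b, own, pvlan):
    """Apply the primary / community / isolated rules to two ports."""
    vlan_a, vlan_b = own[port_a], own[port_b]
    # A VLAN that is not a secondary is treated as its own primary.
    prim_a, type_a = pvlan.get(vlan_a, (vlan_a, "primary"))
    prim_b, type_b = pvlan.get(vlan_b, (vlan_b, "primary"))
    if prim_a != prim_b:
        return False              # different private VLANs
    if "primary" in (type_a, type_b):
        return True               # primary ports reach all their secondaries
    if type_a == type_b == "community":
        return vlan_a == vlan_b   # only inside the same community
    return False                  # isolated hosts never bridge to each other


def bridging_pairs(own, pvlan):
    """List every port pair that shares Layer 2 reachability."""
    ports = sorted(own, key=lambda p: int(re.sub(r"\D", "", p)))
    return [(a, b) for a, b in combinations(ports, 2)
            if can_bridge(a, b, own, pvlan)]


if __name__ == "__main__":
    own = parse_port_vlans(SHOW_VLAN)
    for pair in bridging_pairs(own, parse_pvlan_map(SHOW_PVLAN)):
        print("can bridge:", pair)
```

Comparing the returned pairs with the intended segmentation shows whether a port has ended up in a community or primary VLAN when it was meant to be isolated.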

VLAN Translation

VLAN translation allows you to map packets from one VLAN to another. This can be carried out only on packets having a dot1q header (tagged frames). The translation rewrites the VID field (VLAN ID) in dot1q headers on packets passing through a switched port without changing any other fields.

VLAN translation also supports the ability to translate packets with a dot1q header to the internal VLAN for a routed port. The VLAN in the incoming packets is mapped to the internal VLAN of the routed port and packets egressing the routed port are encapsulated with a dot1q header for the specified VLAN. For egress packets, no priority information is added to the dot1q header and the priority from the incoming encapsulation will be retained.

When configuring the VLAN translation mode, consider the following:

  • VLAN translation is only supported for tagged packets.
  • BPDUs from STP, LLDP and other protocols are not affected by this mapping.
  • VLAN translation is not applicable for access ports.
  • Untagged packets entering the switch on the trunk native VLAN are not mapped.
  • TPID and VLAN priority do not get rewritten during the translation.

VLAN Configuration Procedures

Creating and Configuring VLANs

The CLI provides two methods of creating VLANs.

The switchport access vlan command generates a warning message when it creates a VLAN.

To create a VLAN, use the vlan command in global configuration mode. Valid VLAN numbers range between 1 and 4094. To create multiple VLANs, specify a range of VLAN numbers.

To edit an existing VLAN, enter the vlan command with the number of the existing VLAN.

Examples
  • This command creates VLAN 45 and enters VLAN configuration mode for the new VLAN.
    switch(config)#vlan 45
    switch(config-vlan-45)#
  • Use the name (VLAN configuration mode) command to assign a name to a VLAN.

    These commands assign the name Marketing to VLAN 45.

    switch(config)#vlan 45
    switch(config-vlan-45)#name Marketing
    switch(config-vlan-45)#show vlan 45
    
    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------
    45   Marketing                        active    Et1
    
    switch(config-vlan-45)#
  • To change a VLAN’s state, use the state command in VLAN configuration mode.
    These commands suspend VLAN 45. VLAN traffic is blocked on all switch ports.
    switch(config)#vlan 45
    switch(config-vlan-45)#state suspend
    switch(config-vlan-45)#show vlan 45
    
    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- ------
    45   Marketing                        suspended
    
    switch(config-vlan-45)#
  • These commands activate VLAN 45.
    switch(config)#vlan 45
    switch(config-vlan-45)#state active
    switch(config-vlan-45)#show vlan 45
    
    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- ------
    45   Marketing                        active    Et1
    
    switch(config-vlan-45)#

VLAN Policy

VLAN policy configuration determines how the switch handles a packet that it receives with an unknown destination MAC address on a VLAN. The mac address forwarding command provides three options to configure a VLAN policy:
  • Flood the Layer 2 miss packets on the VLAN
  • Drop the Layer 2 miss packets
  • Log the Layer 2 miss packets to the CPU (while still flooding them on the VLAN)

The default behavior is to flood the L2 miss packets on all ports of the VLAN.

VLAN policy configuration is supported on the Arista 7010, 7050 (excluding 7050SX3-48YC12, 7050CX3-32S, 7050QX2-32S, 7050SX2-72Q, 7050SX2-128, 7050TX2-128), 7060, 7250, and the 7300 series platforms.

VLAN policy is not supported in the following cases:
  • STP, LLDP, and LACP packets
  • VLAN policy configurations on VXLAN-enabled VLAN
  • If IGMP snooping is configured on a VLAN and the multicast miss action is set to drop, then all multicast packets received on that VLAN are dropped.

Examples
  • These commands create a VLAN 333 and then set the unicast policy to ‘drop’ and the multicast policy to ‘log’ for the specific VLAN 333.
    switch(config)#vlan 333
    switch(config-vlan-333)#mac address forwarding unicast miss action drop
    switch(config-vlan-333)#mac address forwarding multicast miss action log
  • This command displays the VLAN policy that was defined when VLAN 333 was created.
    switch(config)#show vlan 333 mac address forwarding
    
    VLAN  UcMissAction  McMissAction
    ----  ------------  ------------
     333  flood         flood
  • These commands display the VLAN policy type that was defined when VLAN 333 was configured with the ‘drop’ unicast policy and the ‘log’ multicast policy.
    switch(config)#show vlan 333 mac address forwarding
    
    VLAN  UcMissAction  McMissAction
    ----  ------------  ------------
     333  drop          log
    
    switch(config)#show vlan mac address forwarding
    
    VLAN  UcMissAction  McMissAction
    ----  ------------  ------------
       1  flood         flood
     333  drop          log

Configuring VLAN Switching

The following sections describe the configuration of VLAN ports.

Access Ports

Access ports carry traffic for one VLAN, as designated by a switchport access vlan command. Access ports associate untagged frames with the access VLAN. Tagged frames received by the interface are dropped unless they are tagged with the access VLAN.

To configure an interface group as an access port, use the switchport mode command.

Examples
  • These commands configure interface Ethernet 1 as an access port.
    switch(config)#interface ethernet 1
    switch(config-if-Et1)#switchport mode access
    switch(config-if-Et1)#
  • To specify the port’s access VLAN, use the switchport access vlan command.
    These commands configure VLAN 15 as the access VLAN for interface Ethernet 5.
    switch(config)#interface ethernet 5
    switch(config-if-Et5)#switchport access vlan 15
    switch(config-if-Et5)#
  • These commands configure interface Ethernet 1 through 3 as access ports that process untagged frames as VLAN 5 traffic.
    switch(config)#interface Ethernet 1-3
    switch(config-if-Et1-3)#switchport mode access
    switch(config-if-Et1-3)#switchport access vlan 5
    switch(config-if-Et1-3)#show interfaces ethernet 1-3 vlans
    Port       Untagged Tagged
    Et1        None     23,25
    Et2        18       -
    Et3        None     14
    switch(config-if-Et1-3)#

Trunk Ports

Trunk ports carry traffic for multiple VLANs. Messages use tagged frames to specify the VLAN for which trunk ports process traffic.
  • The vlan trunk list specifies the VLANs for which the port handles tagged frames. The port drops any packets tagged for VLANs not in the VLAN list.
  • The native vlan is the VLAN where the port switches untagged frames.

To configure an interface group as a trunk port, use the switchport mode command.

Example

These commands configure interface Ethernet 8 as a trunk port.
switch(config)#interface ethernet 8
switch(config-if-Et8)#switchport mode trunk
switch(config-if-Et8)#

By default all VLANs are permitted on a port configured with ‘switchport mode trunk’. To limit the port’s VLAN trunk list, use the switchport trunk allowed vlan command. Only VLANs in the allowed list will be permitted.

Examples
  • These commands configure VLAN 15, 20, 21, 22, 40, and 75 as the explicitly permitted VLAN trunk list for ethernet interface 12-16.
    switch(config)#interface ethernet 12-16
    switch(config-if-Et12-16)#switchport trunk allowed vlan 15,20-22,40,75
    switch(config-if-Et12-16)#
  • These commands explicitly permit VLAN 100 through 120 to the VLAN trunk list for interface ethernet 14.
    switch(config)#interface ethernet 14
    switch(config-if-Et14)#switchport trunk allowed vlan add 100-120
    switch(config-if-Et14)#
  • To specify the port’s native VLAN, use the switchport trunk native vlan command.
    These commands configure VLAN 12 as the trunk native VLAN for interface Ethernet 10.
    switch(config)#interface ethernet 10
    switch(config-if-Et10)#switchport trunk native vlan 12
    switch(config-if-Et10)#
  • By default, ports send native VLAN traffic with untagged frames. The switchport trunk native vlan command can also configure the port to send native VLAN traffic with tagged frames.
    These commands configure interface ethernet 10 to send native VLAN traffic as tagged.
    switch(config)#interface ethernet 10
    switch(config-if-Et10)#switchport trunk native vlan tag
    switch(config-if-Et10)#
  • These commands configure interface Ethernet 12 as a trunk with VLAN 15 as the native VLAN. The port’s trunk list includes all VLANs except 201-300.
    switch(config)#interface ethernet 12
    switch(config-if-Et12)#switchport mode trunk
    switch(config-if-Et12)#switchport trunk native vlan 15
    switch(config-if-Et12)#switchport trunk allowed vlan except 201-300
    switch(config-if-Et12)#
  • Assume that all ports on the switch are configured with switchport mode trunk similar to Ethernet 1 and 2 shown below:
    !
    interface ethernet 1
        switchport mode trunk
    !
    interface ethernet 2
        switchport mode trunk
    !
  • Further assume that VLAN 30 is not configured as part of a trunk group.
    switch#show vlan
    VLAN  Name                             Status    Ports
    ----- -------------------------------- --------- ----------
    1     default                          active    Et1, Et2
    30    vlan30                           active    Et1, Et2
  • Now configure VLAN 30 as part of trunk group 30:

    switch(config)#vlan 30
    switch(config-vlan-30)#trunk group 30
  • This updates the VLAN membership for VLAN 30.
    switch#show vlan
    VLAN  Name                             Status    Ports
    ----- -------------------------------- --------- -----------
    1     default                          active    Et1, Et2
    30    vlan30                           active
    Note: VLAN 30 is no longer on Et1 or Et2, i.e., it has been ‘pruned’ due to the trunk group command in the VLAN configuration.
  • To permit VLAN 30 on Et1, you need to associate the interface with the trunk group as follows:
    switch(config-if-Et1)#switchport trunk group 30
    
    Et1 is now included in the VLAN 30 port list.
    
    switch#show vlan
    VLAN  Name                             Status    Ports
    ----- -------------------------------- --------- ----------
    1     default                          active    Et1, Et2
    30    vlan30                           active    Et1
  • The trunk group command is not additive to the allowed VLAN command.
    interface ethernet 1
            switchport mode trunk
            switchport trunk allowed vlan 10
            switchport trunk group trunk30
    
    VLAN 30 will not be permitted on the interface as it is not listed in the allowed VLAN list.
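
Added example (not Arista code): the trunk group pruning and allowed VLAN list rules from this section, applied to a configuration to compute which VLANs each trunk port actually carries. The configuration text is constructed from the commands shown above, with VLAN 10 added; the parser handles only those commands and its function names are hypothetical.

```python
ALL_VLANS = frozenset(range(1, 4095))  # valid VLAN numbers, 1-4094

# Constructed configuration following the walk-through in this section.
SAMPLE_CONFIG = """\
vlan 10
!
vlan 30
   trunk group 30
!
interface Ethernet1
   switchport mode trunk
   switchport trunk group 30
!
interface Ethernet2
   switchport mode trunk
!
interface Ethernet3
   switchport mode trunk
   switchport trunk allowed vlan 10
   switchport trunk group 30
"""


def parse_vlan_list(spec):
    """Expand a list such as '15,20-22,40,75' into a set of VLAN numbers."""
    vlans = set()
    for part in spec.split(","):
        low, _, high = part.partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def parse_config(text):
    """Return (vlans, ports): {vlan: trunk groups} and {interface: settings}."""
    vlans = {1: set()}  # VLAN 1 exists by default
    ports = {}
    cur_vlans, cur_port = [], None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0] == "!":
            continue
        if not raw[0].isspace():  # an unindented line opens a new stanza
            cur_vlans, cur_port = [], None
            if words[0] == "vlan":
                cur_vlans = [vlans.setdefault(v, set())
                             for v in parse_vlan_list(words[1])]
            elif words[0] == "interface":
                # A trunk permits all VLANs until an allowed list is set.
                cur_port = ports.setdefault(" ".join(words[1:]), {
                    "trunk": False, "allowed": set(ALL_VLANS), "groups": set()})
            continue
        if words[:2] == ["trunk", "group"]:
            for groups in cur_vlans:
                groups.add(words[2])
        elif cur_port is None:
            continue
        elif words[:2] == ["switchport", "mode"]:
            cur_port["trunk"] = words[2] == "trunk"
        elif words[:3] == ["switchport", "trunk", "group"]:
            cur_port["groups"].add(words[3])
        elif words[:4] == ["switchport", "trunk", "allowed", "vlan"]:
            if words[4] == "add":
                cur_port["allowed"] |= parse_vlan_list(words[5])
            elif words[4] == "except":
                cur_port["allowed"] = set(ALL_VLANS) - parse_vlan_list(words[5])
            else:
                cur_port["allowed"] = parse_vlan_list(words[4])
    return vlans, ports


def carried_vlans(port, vlans):
    """A VLAN is carried only if it is in the allowed list AND it either
    belongs to no trunk group or shares a trunk group with the port."""
    return {v for v, groups in vlans.items()
            if v in port["allowed"] and (not groups or groups & port["groups"])}


def audit(text):
    """Return {trunk interface: sorted list of VLANs it carries}."""
    vlans, ports = parse_config(text)
    return {name: sorted(carried_vlans(p, vlans))
            for name, p in ports.items() if p["trunk"]}


def unrestricted_trunks(text):
    """Trunk ports still using the default list that permits all VLANs."""
    _, ports = parse_config(text)
    return sorted(n for n, p in ports.items()
                  if p["trunk"] and p["allowed"] == ALL_VLANS)


if __name__ == "__main__":
    for name, carried in audit(SAMPLE_CONFIG).items():
        print(name, carried)
    print("no allowed list:", unrestricted_trunks(SAMPLE_CONFIG))
```

Ethernet3 shows the non-additive case: it is a member of trunk group 30 but carries only VLAN 10, because VLAN 30 is absent from its allowed list.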

Dot1q Tunnel Ports

Dot1q (802.1Q) is a tunneling protocol that encapsulates traffic from multiple customer (c-tag) VLANs in an additional single outer service provider (s-tag) VLAN for transit across a larger network structure that includes traffic from all customers. Tunneling eliminates the requirement that the service provider configure every VLAN from multiple customers, avoiding overlapping address space issues.

Tunneling preserves the inner VLANs through the tunneled network; these inner VLANs are ignored by intermediate devices that make forwarding decisions based only on the outermost VLAN tag (S-Tag).

A dot1q-tunnel port sits at the edge of the tunneled network. Unlike regular access ports, a dot1q-tunnel port does not drop traffic that arrives with 802.1Q tags in place; it ignores existing 802.1Q information and associates arriving traffic (with or without 802.1Q headers) with a new tunnel VLAN ID.

Packets arriving at a tunnel port are encapsulated with an additional 802.1Q tag that can be trunked between multiple devices like any traditional VLAN. When exiting a dot1q-tunnel port, the S-Tag is removed to revert the customer traffic to its original tagged or untagged state.

To configure an interface group as a dot1q tunnel port, use the switchport mode command.

Example

These commands configure interface ethernet 12 as a dot1q tunnel port.
switch(config)# interface ethernet 12
switch(config-if-Et12)# switchport mode dot1q-tunnel
switch(config-if-Et12)#

To specify the dot1q-tunnel port’s access VLAN, use the switchport access vlan command. The port then handles all inbound traffic as untagged VLAN traffic.

Example

These commands configure VLAN 60 as the access VLAN for interface Ethernet 12.
switch(config)#interface ethernet 12
switch(config-if-Et12)#switchport access vlan 60
switch(config-if-Et12)#

TPID Configuration

The default tag protocol identifier (TPID, also called dot1q ethertype) on all switch ports is 0x8100. To configure a different TPID on a port, use the switchport dot1q ethertype command. This feature is available only on 7280E and 7500E platforms.

Note: If dot1q tunneling is enabled on the interface, a TPID configured on the interface becomes irrelevant.

Example

In this provider bridging example, interface ethernet 1 is the user network interface and interface ethernet 2 is the network-to-network interface. These commands configure dot1q tunneling on interface ethernet 1 and set the TPID of interface ethernet 2 to 0x9100.
switch(config)#interface ethernet 1
switch(config-if-Et1)#switchport mode dot1q-tunnel
switch(config-if-Et1)#interface ethernet 2
switch(config-if-Et2)#switchport mode trunk
switch(config-if-Et2)#switchport dot1q ethertype 0x9100
switch(config-if-Et2)#

In the above configuration, packets from Et1 to Et2 will undergo dot1q-tunneling (stacking of an additional dot1q tag), with an outer TPID of 0x9100 at egress, while packets with outer TPID 0x9100 going from Et2 to Et1 will have the outer tag removed at egress.

Layer 2 802.1Q Encapsulation

Layer 2 traffic encapsulation is enabled on the configuration mode interface for a specified VLAN through the l2-protocol encapsulation dot1q vlan command.

Example

These commands enable traffic encapsulation for VLAN 200 traffic passing through interface ethernet 5/2.
switch(config)#interface ethernet 5/2
switch(config-if-Et5/2)#l2-protocol encapsulation dot1q vlan 200

Port VLAN Scaling on DCS-7160

Port VLAN scaling allows the user to configure a subset of ports in the scale mode. In interface configuration mode, the switchport vlan forwarding command forwards packets between the ports belonging to a VLAN. The Port-VLAN table stores the configuration for each port/VLAN combination. The scaling configuration is applicable on a per-port basis and supports a maximum of 128 ports.

Note: The configuration is applicable to trunk ports only.

Example
  • These commands enable VLAN scaling on interface Ethernet 2.
    switch#config terminal
    switch(config)#interface Ethernet 2
    switch(config-if-Et2)#switchport vlan forwarding accept all
  • These commands disable VLAN scaling on a port.
    switch#config
    switch(config)#interface Ethernet 2
    switch(config-if-Et2)#no switchport vlan forwarding accept all

Creating and Configuring VLAN Interfaces

The interface vlan command places the switch in VLAN-interface configuration mode for modifying an SVI. An SVI provides a management address point and Layer 3 processing for packets from all VLAN ports.

Example

This command enters VLAN-interface configuration mode for VLAN 12. The command also creates the VLAN 12 interface if it was not previously created.
switch#config t
switch(config)#interface vlan 12
switch(config-if-Vl12)#

Allocating Internal VLANs

The vlan internal order command specifies the VLANs that the switch allocates as internal VLANs when configuring routed ports and the order of their allocation. By default, the switch allocates VLANs in ascending order. The default allocation range is between VLAN 1006 and VLAN 4094.

The no switchport command converts an Ethernet or port channel interface into a routed port, disabling Layer 2 switching for the interface.

Examples
  • This command configures the switch to allocate internal VLANs in ascending order starting with 1006.
    switch(config)#vlan internal order ascending
    switch(config)#
  • This command configures the switch to allocate internal VLANs in descending order starting with 4094.
    switch(config)#vlan internal order descending
    switch(config)#
  • This command configures the switch to allocate internal VLANs in descending order from 4094 through 4000.
    switch(config)#vlan internal order descending range 4000 4094
    switch(config)#

Private VLAN Configuration

On DCS-7280R, DCS-7280R2, DCS-7500R, DCS-7500R2, DCS-7020R

  • On systems with algomatch hardware, the access-list mechanism must explicitly be set to TCAM using the following command. Skip this step on systems without algomatch hardware.
    switch(config)#hardware access-list mechanism tcam
  • To enable the private VLAN feature, you must also enable the forwarding-ID feature.
    switch(config)#platform sand l2 forwarding-id sharing

On All Platforms

  • Any regular VLAN can act as a primary without any extra configuration. The only requirement is that the VLAN must be active. Use the following commands to configure a VLAN as active or inactive:
    switch(config)#vlan 100
    switch(config)#no vlan 100
    switch(config)#default vlan 100
  • Configure VLANs as secondary inside the VLAN configuration mode. The configuration specifies the type of secondary VLAN (isolated or community) and its primary VLAN:
    switch(config)#vlan 20
    switch(config-vlan-20)#private-vlan isolated primary vlan 10
    switch(config)#vlan 30
    switch(config-vlan-30)#private-vlan community primary vlan 10
    Figure 1. Support for Private VLAN
  • Interfaces are assigned to primary or secondary VLANs in the same way as regular VLANs. This works with both access and trunk ports. The following shows the standard switchport command configuring an access interface to the secondary VLAN configured before:
    switch(config)#interface Ethernet 1/1
    switch(config-if-Et1/1)#switchport access vlan 20
  • Trunk ports forward any traffic within the allowed VLANs configured on the interface, whether they are primary or secondary VLANs. To configure trunk ports to translate traffic from primary VLAN to secondary (this maps to the lowest secondary VLAN if multiple are allowed) configure the following on the trunk port:
    switch(config)#interface Ethernet 1/1
    switch(config-if-Et1/1)#switchport trunk private-vlan secondary

Steps to Unconfigure

On all Platforms

  • To unconfigure a private VLAN, use the following command. This reverts the VLAN back to a regular VLAN. At this point, the broadcast domain for this VLAN adjusts and all hosts start to be learned in the regular VLAN, as opposed to the primary VLAN. The MAC table entries previously learned on the primary VLAN are not used anymore for forwarding.
    switch(config-vlan-20)#no private-vlan
  • To restore trunk port behavior to allow traffic on all primary and secondary VLANs:
    switch(config)#interface Ethernet1/1
    switch(config-if-Et1/1)#no switchport trunk private-vlan secondary

On DCS-7280R, DCS-7280R2, DCS-7500R, DCS-7500R2, DCS-7020R

To unconfigure forwarding-id sharing:
switch(config)#no platform sand l2 forwarding-id sharing
Note: This configuration needs the device to be rebooted to take effect.

Configuring VLAN Translation

VLAN translation changes the VLAN ID of specified packets entering or leaving a port. The following sections describe the configuration of VLAN translation.

Per-port VLAN Translation on Switched Ports

The switchport vlan translation command allows translation of the VLAN tag of traffic entering or exiting a switched port.

To use VLAN translation on a switched port, the port must be configured as a trunk port using the switchport mode command.

Examples
  • This command configures interface ethernet 5 as a trunk port.

    switch(config)#interface ethernet 5
    switch(config-if-Et5)#switchport mode trunk
    switch(config-if-Et5)#
  • By default, the translation is bidirectional: packets ingressing an interface through VLAN A are internally mapped to VLAN B; VLAN B packets egressing the same interface are mapped to VLAN A.
    • These commands map interface ethernet 5 traffic with dot1q tag 50 to bridging VLAN 60.
      switch(config)#interface ethernet 5
      switch(config-if-Et5)#switchport vlan translation 50 60
      switch(config-if-Et5)#
    • These commands provide multiple 1:1 VLAN mappings under an interface.
      switch(config)#interface ethernet 5
      switch(config-if-Et5)#switchport vlan translation 50 60
      switch(config-if-Et5)#switchport vlan translation 61 71
      switch(config-if-Et5)#switchport vlan translation 62 72
      switch(config-if-Et5)#
    • These commands translate only incoming packets.
      switch(config)#interface ethernet 5
      switch(config-if-Et5)#switchport vlan translation in 50 60
      switch(config-if-Et5)#
    • These commands translate only egress packets.
      switch(config)#interface ethernet 5
      switch(config-if-Et5)#switchport vlan translation out 60 50
      switch(config-if-Et5)#

Per-port VLAN Translation on Routed Ports

On routed ports, the encapsulation dot1q vlan command (permitted only on routed ports) configures the VLAN on the interface to act as the native VLAN. This command will map packets ingressing with the specified VLAN ID to the internal VLAN ID of the routed port. All traffic egressing out of the routed port will be tagged with the VLAN ID specified in the command.

Example

These commands translate between vlan 50 and the internal VLAN for interface ethernet 5 (a routed port).

switch(config)#interface ethernet 5
switch(config-if-Et5)#no switchport
switch(config-if-Et5)#encapsulation dot1q vlan 50
switch(config-if-Et5)#

Double VLAN Translation

Double VLAN translation creates mappings between an inner and outer VLAN ID pair of a double-tagged packet and a single bridging VLAN. On ingress, specified double-tagged packets are mapped to the bridging VLAN, and on egress packets with the ID of the bridging VLAN are double tagged as specified. By default, the translation is bidirectional, but it can be applied only on ingress or egress.

Example

These commands cause packets entering interface ethernet 3/1 with an outer VLAN ID of 1000 and an inner VLAN ID of 100 to be processed in bridging VLAN 200.
switch(config)#interface ethernet 3/1
switch(config-if-Et3/1)#switchport vlan translation in 1000 inner 100 200
switch(config-if-Et3/1)#
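
The single-tag and double-tag translation commands above, modelled as a lookup table (an added example, not Arista code). It reads the command forms shown in the examples and reports which bridging VLAN a tagged frame lands in, which tags a bridging VLAN leaves with, and which bridging VLANs are fed by more than one ingress rule. Assumptions: the direction-less double-tag form uses the same argument order as the `in` form, one bridging VLAN egresses with one tag set, and the class, function and sample names are hypothetical.

```python
import re
from collections import defaultdict

# switchport vlan translation [in|out] <a> [inner <i>] <b>
_CMD = re.compile(
    r"^switchport vlan translation(?: (?P<dir>in|out))?"
    r" (?P<a>\d+)(?: inner (?P<inner>\d+))? (?P<b>\d+)$"
)


def _vlan(text):
    vid = int(text)
    if not 1 <= vid <= 4094:
        raise ValueError(f"VLAN ID out of range: {vid}")
    return vid


class TranslationTable:
    """Translation state of one trunk port (hypothetical model)."""

    def __init__(self):
        self.ingress = {}  # wire tags (outer,) or (outer, inner) -> bridging VLAN
        self.egress = {}   # bridging VLAN -> wire tags written on egress

    def add(self, command):
        m = _CMD.match(" ".join(command.split()))
        if not m:
            raise ValueError(f"unrecognised command: {command!r}")
        a, b = _vlan(m["a"]), _vlan(m["b"])
        inner = _vlan(m["inner"]) if m["inner"] else None
        if m["dir"] == "out":
            if inner is not None:
                raise ValueError("double-tag 'out' form is not shown on the page")
            self._set_egress(a, (b,))        # out: <bridging VLAN> <wire tag>
            return
        tags = (a,) if inner is None else (a, inner)
        if self.ingress.get(tags, b) != b:
            raise ValueError(f"tags {tags} already map to VLAN {self.ingress[tags]}")
        if m["dir"] is None:                 # default: bidirectional
            self._set_egress(b, tags)
        self.ingress[tags] = b               # <wire tag(s)> <bridging VLAN>

    def _set_egress(self, vlan, tags):
        # Model rule (assumption): one bridging VLAN leaves with one tag set.
        if self.egress.get(vlan, tags) != tags:
            raise ValueError(f"VLAN {vlan} already egresses as {self.egress[vlan]}")
        self.egress[vlan] = tags

    def ingress_vlan(self, outer, inner=None):
        """Bridging VLAN for a frame with these tags; None if no rule matches
        exactly (what the switch does then is outside this model)."""
        return self.ingress.get((outer,) if inner is None else (outer, inner))

    def egress_tags(self, vlan):
        """Tags written on egress for a bridging VLAN, or None if untranslated."""
        return self.egress.get(vlan)

    def shared_bridging_vlans(self):
        """Bridging VLANs fed by more than one ingress rule: traffic that was
        separate on the wire shares one broadcast domain inside the switch."""
        by_vlan = defaultdict(list)
        for tags, vlan in self.ingress.items():
            by_vlan[vlan].append(tags)
        return {v: sorted(t) for v, t in by_vlan.items() if len(t) > 1}


def build(commands):
    table = TranslationTable()
    for command in commands:
        table.add(command)
    return table


# Constructed sample using the command forms from the examples above.
ET5 = [
    "switchport vlan translation 50 60",
    "switchport vlan translation in 61 71",
    "switchport vlan translation out 72 62",
    "switchport vlan translation in 1000 inner 100 200",
    "switchport vlan translation in 1001 inner 100 200",
]

if __name__ == "__main__":
    t = build(ET5)
    print("tag 50 ingress ->", t.ingress_vlan(50))
    print("VLAN 60 egress ->", t.egress_tags(60))
    print("shared bridging VLANs:", t.shared_bridging_vlans())
```
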

VLAN Configuration Commands

vlan internal order

The vlan internal order command specifies the range that the switch can allocate as internal VLANs when configuring routed ports and the order of their allocation. By default, the switch allocates VLANs in ascending order from VLAN 1006 to VLAN 4094.

The no vlan internal order and default vlan internal order commands revert the policy to its default.

Command Mode

Global Configuration

Command Syntax

vlan internal order DIRECTION [RANGE_VLAN]

no vlan internal order

default vlan internal order

Parameters
  • DIRECTION     VLAN allocation number direction. Options include:
    • ascending     allocates internal VLANs from lower VLAN bound to upper VLAN bound.
    • descending     allocates internal VLANs from upper VLAN bound to lower VLAN bound.
  • RANGE_VLAN     allocation range. Options include:
    • no parameter     1006 (lower bound) to 4094 (upper bound).
    • range, lower, upper    specifies lower bound (lower) and upper bound (upper).
Examples
  • This command configures the switch to allocate internal VLANs from 3000 through 3999.
    switch(config)#vlan internal order ascending range 3000 3999
    switch(config)#
  • This command configures the switch to allocate internal VLANs from 4094 down through 1006.
    switch(config)#vlan internal order descending
    switch(config)#
  • This command configures the switch to allocate internal VLANs from 4094 down through 4000.
    switch(config)#vlan internal order descending range 4000 4094
    switch(config)#
  • This command reverts the allocation policy to its default (ascending, between 1006 and 4094).
    switch(config)#no vlan internal order
    switch(config)#

vlan

The vlan command places the switch in VLAN configuration mode to configure a set of virtual LANs. The command creates the specified VLANs if they do not exist prior to issuing the command. A VLAN that is in use as an internal VLAN may not be created or configured. The switch rejects any vlan command that specifies an internal VLAN ID.

The default vlan and no vlan commands remove the VLAN statements from running-config for the specified VLANs.

The exit command returns the switch to global configuration mode.

Command Mode

Global Configuration

Command Syntax

vlan vlan_range

no vlan vlan_range

default vlan vlan_range

Parameters

vlan_range     VLAN list.

Formats include a name, number, number range, or comma-delimited list of numbers and ranges.

Commands Available in VLAN Configuration Mode

Guidelines

In MLAG configurations, VLANs operate as follows:
  • The VLAN must be configured identically on both MLAG peer switches.
  • The port-specific bridging configuration originates on the switch where the port is physically located. This configuration includes the switchport access VLAN, switchport mode (trunk or access), trunk-allowed VLANs, the trunk native VLAN, and the switchport trunk groups.

Example

This command creates VLAN 49 and enters VLAN configuration mode for the new VLAN:

switch(config)#vlan 49
switch(config-vlan-49)#

autostate

When autostate is enabled, the VLAN interface will be up when:
  • the corresponding VLAN exists and is in the active state.
  • one or more Layer 2 ports in the VLAN are up and in spanning-tree forwarding state.
  • the VLAN interface exists and is not in a shutdown state.
Autostate is enabled by default. When autostate is disabled, the VLAN interface is forced to be active.
  • The no autostate command disables autostate on the configuration mode interface. The no autostate command is stored to running-config.
  • The autostate command enables the autostate function on the configuration mode VLAN SVI by removing the corresponding no autostate statement from running-config.
  • The default autostate command restores the autostate default state of enabled by removing the corresponding no autostate statement from running-config.

Command Mode

Interface-VLAN Configuration

Command Syntax

autostate

no autostate

default autostate

Guidelines

Autostate should be disabled on SVIs configured as an MLAG local interface.

Examples
  • These commands disable autostate on VLAN 100.
    switch(config)#interface vlan 100
    switch(config-if-Vl100)#no autostate
    switch(config-if-Vl100)#
  • These commands enable autostate on VLAN 100.
    switch(config)#interface vlan 100
    switch(config-if-Vl100)#autostate
    switch(config-if-Vl100)#

encapsulation dot1q vlan

Routed Port VLAN Translation

In the configuration mode for an Ethernet or port channel interface, the encapsulation dot1q vlan command translates packets with a dot1q header to the internal VLAN for a routed port. The VLAN in the incoming packets is mapped to the internal VLAN of the routed port, and packets egressing the routed port are encapsulated with a dot1q header for the specified VLAN. For egress packets, no priority information is added to the dot1q header and the priority from the incoming encapsulation will be retained.

Subinterface VLAN Assignment

When used in the configuration mode for an Ethernet or port channel subinterface, however, the encapsulation dot1q vlan command assigns a dot1q tag to the subinterface. Traffic ingressing on the parent interface with that dot1q tag will then be sent to the configured subinterface. See Subinterfaces and Subinterface Configuration for details.

The no encapsulation dot1q vlan and default encapsulation dot1q vlan commands restore the default VLAN to the configuration mode interface by removing the corresponding encapsulation dot1q vlan command from running-config.

Command Mode

Interface-Ethernet Configuration

Interface-port-channel Configuration

Subinterface-Ethernet Configuration

Subinterface-port-channel Configuration

Command Syntax

encapsulation dot1q vlan vlan_id

no encapsulation dot1q vlan

default encapsulation dot1q vlan

Parameters

vlan_id For VLAN translation, the ID of the external VLAN to be translated; for subinterface configuration, the VLAN of the subinterface. Values range from 1 to 4094.

Examples
  • These commands translate between vlan 50 and the internal VLAN for interface ethernet 5 (a routed port).
    switch(config)#interface ethernet 5
    switch(config-if-Et5)#no switchport
    switch(config-if-Et5)#encapsulation dot1q vlan 50
    switch(config-if-Et5)#
  • These commands assign packets ingressing on interface ethernet 1/1 with VLAN ID 100 to subinterface ethernet 1/1.1.
    switch(config)#interface ethernet1/1.1
    switch(config-if-Et1/1.1)#no switchport
    switch(config-if-Et1/1.1)#encapsulation dot1q vlan 100
    switch(config-if-Et1/1.1)#

interface vlan

The interface vlan command places the switch in VLAN-interface configuration mode for modifying parameters of the Switch Virtual Interface (SVI). An SVI provides Layer 3 processing for packets from all ports associated with the VLAN. There is no physical interface for the VLAN.

When entering configuration mode to modify existing SVIs, the command can specify multiple interfaces. The command creates an SVI if the specified interface does not exist prior to issuing the command. When creating an SVI, the command can only specify a single interface.

The no interface vlan command deletes the specified SVI interfaces from running-config. The default interface vlan commands remove all configuration statements for the specified SVI interfaces from running-config without deleting the interfaces.

Command Mode

Global Configuration

Command Syntax

interface vlan v_range

no interface vlan v_range

default interface vlan v_range

Parameter

v_range     VLAN interfaces (number, range, or comma-delimited list of numbers and ranges). VLAN number ranges from 1 to 4094.

Restrictions

Internal VLANs: A VLAN interface cannot be created or configured for internal VLAN IDs. The switch rejects any interface vlan command that specifies an internal VLAN ID.

Example

This example creates an SVI for VLAN 12:

switch#config
switch(config)#interface vlan 12
switch(config-if-Vl12)#

l2-protocol encapsulation dot1q vlan

The l2-protocol encapsulation dot1q vlan command enables Layer 2 802.1Q traffic encapsulation on the configuration mode interface for a specified VLAN. The default VLAN for all interfaces is VLAN 1.

The no l2-protocol encapsulation dot1q vlan and default l2-protocol encapsulation dot1q vlan commands disable the specified encapsulation on the configuration mode interface by removing the corresponding l2-protocol encapsulation dot1q vlan command from running-config.

Command Mode

Interface-Ethernet Configuration

Interface-Port-channel Configuration

Command Syntax

l2-protocol encapsulation dot1q vlan vlan_id

no l2-protocol encapsulation dot1q vlan

default l2-protocol encapsulation dot1q vlan

Parameters

vlan_id  the ID of the native VLAN. Values range from 1 to 4094.

Example

These commands enable 802.1Q encapsulation of traffic on vlan 200.

switch(config)#interface ethernet 5/2
switch(config-if-Et5/2)#l2-protocol encapsulation dot1q vlan 200
switch(config-if-Et5/2)#show active
interface Ethernet5/2
   l2-protocol encapsulation dot1q vlan 200
switch(config-if-Et5/2)#

mac address forwarding

The mac address forwarding command configures the VLAN policy that the switch applies when it receives a packet with an unknown destination MAC address on a VLAN. The command provides three options to configure a VLAN policy:
  • Flood the Layer 2 miss packets on the VLAN
  • Drop the Layer 2 miss packets
  • Log the Layer 2 miss packets to the CPU (while still flooding them on the VLAN)

The default state is to flood the L2 miss packets on all ports of the VLAN.

The show vlan command displays information about the VLAN policy that is being configured.

The no form and the default form of the command remove the previously configured VLAN policy on the VLAN.

Command Mode

VLAN Configuration

Command Syntax

mac address forwarding [unicast | multicast] miss action [drop | flood | log]

no mac address forwarding [unicast | multicast] miss action [drop | flood | log]

default mac address forwarding [unicast | multicast] miss action [drop | flood | log]

Parameters
  • unicast     the unicast type of transmission.
  • multicast     the multicast type of transmission.
  • drop     the selected packets are dropped.
  • flood     the selected packets are flooded in the specific VLAN.
  • log     the selected packets are sent to the CPU for logging.

Guidelines

VLAN policy configuration is supported on the Arista 7010, 7050 (excluding 7050SX3-48YC12, 7050CX3-32S, 7050QX2-32S, 7050SX2-72Q, 7050SX2-128, 7050TX2-128), 7060, 7250, and the 7300 series platforms.

VLAN policy is not supported in the following cases:
  • STP, LLDP, and LACP packets
  • VLAN policy configurations on VXLAN-enabled VLAN
  • On a VLAN where IGMP snooping is configured and the multicast miss action is set to drop, all multicast packets received on that VLAN are dropped.
Examples
  • These commands create a VLAN 333 and then set the unicast policy to drop and the multicast policy to log for the specific VLAN 333.
    switch(config)#vlan 333
    switch(config-vlan-333)#mac address forwarding unicast miss action drop
    switch(config-vlan-333)#mac address forwarding multicast miss action log
  • This command displays the VLAN policy defined for VLAN 333 when it is created.
    switch(config)#show vlan 333 mac address forwarding
    
    VLAN  UcMissAction  McMissAction
    ----  ------------  ------------
     333  flood         flood
  • These commands display the VLAN policy after VLAN 333 is configured with the drop unicast policy and the log multicast policy.
    switch(config)#show vlan 333 mac address forwarding
    
    VLAN  UcMissAction  McMissAction
    ----  ------------  ------------
     333  drop          log
    
    switch(config)#show vlan mac address forwarding
    
    VLAN  UcMissAction  McMissAction
    ----  ------------  ------------
       1  flood         flood
     333  drop          log
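
An audit of the miss-action table shown above (an added example, not Arista code): it parses the show vlan mac address forwarding output, lists the VLANs whose Layer 2 miss traffic still reaches every port, and compares the result with an intended policy. The intended policy, VLAN 400 and all function names are constructed for the illustration.

```python
import re

# One data row of "show vlan [N] mac address forwarding".
_ROW = re.compile(r"^\s*(\d+)\s+(drop|flood|log)\s+(drop|flood|log)\s*$")
KINDS = ("unicast", "multicast")


def parse_miss_actions(show_output):
    """Return {vlan: {"unicast": action, "multicast": action}}."""
    table = {}
    for line in show_output.splitlines():
        m = _ROW.match(line)
        if m:
            table[int(m[1])] = {"unicast": m[2], "multicast": m[3]}
    return table


def still_flooding(table):
    """(vlan, kind) pairs whose L2-miss packets are flooded on the VLAN.

    Per the option list above, log sends misses to the CPU while still
    flooding them, so it counts as flooding here.
    """
    return [(v, k) for v in sorted(table) for k in KINDS
            if table[v][k] in ("flood", "log")]


def drift(table, intended):
    """Compare parsed state with intended {vlan: {kind: action}}.

    Returns (vlan, kind, current, wanted); current is None when the VLAN
    does not appear in the show output at all.
    """
    findings = []
    for vlan in sorted(intended):
        have = table.get(vlan)
        for kind in KINDS:
            want = intended[vlan][kind]
            got = have[kind] if have else None
            if got != want:
                findings.append((vlan, kind, got, want))
    return findings


def remediation(findings):
    """CLI lines that close the drift, using only the syntax documented above."""
    lines, current = [], None
    for vlan, kind, got, want in findings:
        if got is None:
            continue  # VLAN not reported: investigate rather than push config
        if vlan != current:
            lines.append(f"vlan {vlan}")
            current = vlan
        lines.append(f"   mac address forwarding {kind} miss action {want}")
    return lines


# Output copied from the example above.
SHOW_OUTPUT = """\
switch(config)#show vlan mac address forwarding

VLAN  UcMissAction  McMissAction
----  ------------  ------------
   1  flood         flood
 333  drop          log
"""

# Constructed intended policy for the illustration.
INTENDED = {
    1: {"unicast": "flood", "multicast": "flood"},
    333: {"unicast": "drop", "multicast": "drop"},
    400: {"unicast": "drop", "multicast": "flood"},
}

if __name__ == "__main__":
    state = parse_miss_actions(SHOW_OUTPUT)
    print("still flooding:", still_flooding(state))
    for finding in drift(state, INTENDED):
        print("drift:", finding)
    print("\n".join(remediation(drift(state, INTENDED))))
```

Before applying a multicast drop action, check the IGMP snooping guideline above: with snooping configured, every multicast packet received on that VLAN is dropped.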

name (VLAN configuration mode)

The name command configures the VLAN name. The name can have up to 32 characters. The default name for VLAN 1 is default. The default name for all other VLANs is VLANxxxx, where xxxx is the VLAN number; for example, the default name for VLAN 55 is VLAN0055. The show vlan command displays the VLAN name.

The name command accepts all characters except the space.

The no name and default name commands restore the default name by removing the name command from running-config.

Command Mode

VLAN Configuration

Command Syntax

name label_text

no name

default name

Parameters

label_text     character string assigned to name attribute. Maximum length is 32 characters. The space character is not permitted in the name string.

Example

These commands assign corporate_100 as the name for VLAN 25, then display the VLAN name.

switch(config)#vlan 25
switch(config-vlan-25)#name corporate_100
switch(config-vlan-25)#show vlan 25
VLAN  Name                             Status    Ports
----- -------------------------------- --------- ---------
25    corporate_100                    active

switch(config-vlan-25)#

pvlan mapping

The pvlan mapping command maps a switch virtual interface (SVI) available in the primary VLAN to the secondary VLAN or VLANs in the VLAN configuration mode. The show pvlan mapping interfaces command displays the list of mapped VLANs.

The no pvlan mapping and default pvlan mapping commands restore the default state of the private VLAN mapping.

Command Mode

VLAN Configuration

Command Syntax

pvlan mapping {add | remove | vlan ID}

no pvlan mapping {add | remove | vlan ID}

default pvlan mapping {add | remove | vlan ID}

Parameters
  • add     adding VLANs to the PVLAN mapping of the current VLAN interface.
  • remove     removing VLANs from the PVLAN mapping of the current VLAN interface.
  • vlan ID     The secondary VLAN IDs of the private VLAN mapping. The IDs range from 1 to 4094.

Related Commands

show pvlan mapping interfaces

Example

These commands assign a secondary VLAN ID of 50 to the primary VLAN.

switch(config)#vlan 25
switch(config-vlan-25)#pvlan mapping 50
switch(config-vlan-25)#

show dot1q-tunnel

The show dot1q-tunnel command displays the ports that are configured in dot1q-tunnel switching mode. The switchport mode command configures the switching mode for the configuration mode interface.

Command Mode

EXEC

Command Syntax

show dot1q-tunnel [INTERFACE]

Parameters

INTERFACE     Interface type and numbers. Options include:
  • no parameter     Display information for all interfaces.
  • ethernet e_range     Ethernet interface range specified by e_range.
  • loopback l_range     Loopback interface specified by l_range.
  • management m_range     Management interface range specified by m_range.
  • port-channel p_range     Port-Channel Interface range specified by p_range.
  • vlan v_range     VLAN interface range specified by v_range.
  • vxlan vx_range     VXLAN interface range specified by vx_range.

    Valid range formats include number, number range, or comma-delimited list of numbers and ranges.

Example

This command displays the ports that are configured in dot1q-tunnel switching mode.

switch>show dot1q-tunnel
dot1q-tunnel mode LAN Port (s)
------------------------------
Po4
Po21
Po22
switch>

show interfaces switchport backup-link

The show interfaces switchport backup-link command displays interfaces that are configured as switchport backup pairs and the operational status of each interface. For each pair, the command displays the names, roles, status, and VLAN traffic of each interface.

Command Mode

EXEC

Command Syntax

show interfaces [INTERFACE] switchport backup-link

show interfaces switchport backup-link [module {Fabric f_num | Linecard lc_num | Supervisor svr_num | Switchcard | 1-2 | 3-6}]

Parameters
  • INTERFACE     Interface type and numbers. Options include:
    • no parameter     Display information for all interfaces.
    • ethernet e_range     Ethernet interface range specified by e_range.
    • loopback l_range     Loopback interface specified by l_range.
    • management m_range     Management interface range specified by m_range.
    • port-channel p_range     Port-Channel Interface range specified by p_range.
    • vlan v_range     VLAN interface range specified by v_range.

      Valid e_range, l_range, m_range, p_range, and v_range formats include number, number range, or comma-delimited list of numbers and ranges.

  • module     Displays interfaces of the specified module. Options include:
    • Fabric f_num     Displays interfaces of the specified fabric module. Value ranges from 1 to 6.
    • Linecard lc_num     Displays interfaces of the specified linecard module. Value ranges from 3 to 6.
    • Supervisor svr_num     Displays interfaces of the specified supervisor module. Accepted values are 1 and 2.
    • Switchcard     Displays interfaces of switchcard modules.
    • 1-2     Displays interfaces of the specified supervisor module.
    • 3-6     Displays interfaces of the specified linecard module.
Display Values
  • State     Operational status of the interface. Values include:
    • Up     Spanning tree mode is backup, interface status is up.
    • Down      Spanning tree mode is backup, interface status is down.
    • Inactive Configuration     The spanning tree mode is not backup.
  • Forwarding vlans      VLANs forwarded by the interface. Depends on interface operation status and prefer option specified by the switchport backup command.
Examples
  • This command displays the configured switchport primary-backup pairs.
    switch>show interfaces switchport backup-link
    Switch backup interface pair: Ethernet3/17, Ethernet3/8
    Primary Interface: Ethernet3/17     State:  Inactive Configuration
    Backup Interface:  Ethernet3/8      State:  Inactive Configuration
    Preemption delay: 0 milliseconds
    Mac move burst size: 0
    Mac move burst interval: 20 milliseconds
    Mac move destination: ff:ff:ff:ff:ff:ff
  • This command displays interfaces of the module for linecard 4.
    switch(config)#show int switchport backup-link module Linecard 4
    Switch backup interface pair: Ethernet4/19/1, Ethernet4/19/2
    Primary Interface: Ethernet4/19/1   State:  Inactive Configuration
    Backup Interface:  Ethernet4/19/2   State:  Inactive Configuration
    Preemption delay: 0 milliseconds
    Mac move burst size: 0
    Mac move burst interval: 20 milliseconds
    Mac move destination: ff:ff:ff:ff:ff:ff

show interfaces switchport vlan mapping

The show interfaces switchport vlan mapping command displays, per interface, the mapping information of the configured VLANs.

Command Mode

EXEC

Command Syntax

show interfaces switchport vlan mapping

Examples
  • This command displays mapping information of the configured VLAN IDs.
    switch#show interfaces switchport vlan mapping
    --------------
    Ethernet3
                                       Direction   Direction
    Original Vlan  New Vlan  Status    Configured  Active
    -------------- --------- --------- ----------- -----------
    10             100       Active    In/Out      In/Out
    11             200       Active    In          In
    300            12        Active    Out         Out
  • This command displays dual tag mapping information of the configured VLAN IDs.
    switch(config)#show interfaces switchport vlan mapping
    --------------
    Ethernet3/1
                                                        Direction     Direction
    Outer Tag     Inner Tag     VLAN ID     Status      Configured    Active        Dot1qTunnel
    -----------   -----------   ---------   ---------   -----------   -----------   -----------
    1000          100           200         active      In/Out        In/Out        -
    1001          101           201         active      In            In            -
    1002          102           202         active      Out           Out           -
  • This command displays dual tag mapping information of the configured VLAN IDs.
    switch(config)#show interfaces switchport vlan mapping
    --------------
    Ethernet1/1
                                                       Direction     Direction 
    Outer Tag    Inner Tag     VLAN ID     Status      Configured    Active         
    ----------- -----------   ---------   ---------   -----------   ----------- 
    70            -             300         Active      In/Out        In/Out             
    10            50            100         Active      In/Out        In/Out            
    20            60            100         Active      In            In                
    30            40            200         Active      Out           Out                

show interfaces switchport

The show interfaces switchport command displays the switching configuration and operational status of the specified ports.

Command Mode

EXEC

Command Syntax

show interfaces [INTERFACE] switchport

Parameters

INTERFACE     Interface type and numbers. Options include:
  • no parameter     Display the switching status for all interfaces.
  • ethernet e_range     Ethernet interface range specified by e_range.
  • loopback l_range     Loopback interface specified by l_range.
  • management m_range     Management interface range specified by m_range.
  • port-channel p_range     Port-Channel Interface range specified by p_range.
  • vlan v_range     VLAN interface range specified by v_range.

    Valid e_range, l_range, m_range, p_range, and v_range formats include number, number range, or comma-delimited list of numbers and ranges.

Examples
  • This command displays the switching status for all interfaces.
    switch(config)#show interface switchport
    Default switchport mode: access
    
    Name: Et5/1
    Switchport: Enabled
    Administrative Mode: static access
    Operational Mode: static access
    MAC Address Learning: enabled
    Access Mode VLAN: 1 (default)
    Trunking Native Mode VLAN: 1 (default)
    Administrative Native VLAN tagging: disabled
    Trunking VLANs Enabled: ALL
    Static Trunk Groups: 
    Dynamic Trunk Groups: 
    
    Name: Et5/2
    Switchport: Enabled
    Administrative Mode: static access
    Operational Mode: static access
    MAC Address Learning: enabled
    Access Mode VLAN: 1 (default)
    Trunking Native Mode VLAN: 1 (default)
    Administrative Native VLAN tagging: disabled
    Trunking VLANs Enabled: ALL
    Static Trunk Groups: 
    Dynamic Trunk Groups: 
    
    [...]
    
    switch(config)#
  • This command displays the switching status of port channel interfaces 21 and 22.
    switch>show interface port-channel 21-22 switchport
    Name: Po21
    Switchport: Enabled
    Administrative Mode: tunnel
    Operational Mode: tunnel
    Access Mode VLAN: 1 (inactive)
    Trunking Native Mode VLAN: 100 (VLAN0100)
    Administrative Native VLAN tagging: disabled
    Trunking VLANs Enabled: ALL
    Trunk Groups: foo
    
    Name: Po22
    Switchport: Enabled
    Administrative Mode: tunnel
    Operational Mode: tunnel
    Access Mode VLAN: 1 (inactive)
    Trunking Native Mode VLAN: 1 (inactive)
    Administrative Native VLAN tagging: disabled
    Trunking VLANs Enabled: ALL
    Trunk Groups:
    
    switch>
  • This command displays the configured status of VLAN scaling for the interface ethernet 2/1 port.
    switch#show interface Ethernet 2/1 switchport 
    Name: Ethernet 2/1
    Switchport: Enabled
    Administrative Mode: trunk
    Operational Mode: trunk
    MAC Address Learning: enabled
    Dot1q ethertype/TPID: 0x8100 (active)
    Dot1q VLAN Tag: Allowed
    Access Mode VLAN: 1 (default)
    Trunking Native Mode VLAN: 1 (default)
    Administrative Native VLAN tagging: disabled
    Trunking VLANs Enabled: ALL
    Static Trunk Groups: 
    Dynamic Trunk Groups: 
    Source interface filtering: enabled
    VLAN forwarding mode: allConfiguredVlans
    
    switch>

show interfaces trunk

The show interfaces trunk command displays configuration and status information for interfaces configured in switchport trunk mode.

Command Mode

EXEC

Command Syntax

show interfaces [INTERFACE] trunk

Parameters

INTERFACE     Interface type and numbers. Options include:
  • no parameter     Display information for all interfaces.
  • ethernet e_range     Ethernet interface range specified by e_range.
  • management m_range     Management interface range specified by m_range.
  • port-channel p_range     Port-Channel Interface range specified by p_range.

    Valid e_range, m_range, and p_range formats include number, number range, or comma-delimited list of numbers and ranges.

Example

This command displays the trunk status for all interfaces configured in switchport trunk mode.

switch>show interfaces trunk
Port            Mode            Status          Native vlan
Po1             trunk           trunking        1
Po2             trunk           trunking        1

Port            Vlans allowed
Po1             1-15
Po2             16-30

Port            Vlans allowed and active in management domain
Po1             1-10
Po2             21-30


Port            Vlans in spanning tree forwarding state
Po1             1-10
Po2             21-30

switch>

show interfaces vlans

The show interfaces vlans command displays a table that lists the VLANs that are carried by the specified interfaces. Interfaces that do not carry VLANs are not listed in the table. The table lists the untagged (native or access) and tagged VLANs for each interface.

Command Mode

EXEC

Command Syntax

show interfaces [INT_NAME] vlans

Parameters

INT_NAME     Interface type and number. Values include:
  • ethernet e_num     Ethernet interface specified by e_num.
  • management m_num     Management interface specified by m_num.
  • port-channel p_num     Port-Channel Interface specified by p_num.

Example

This command displays the VLANs carried by all L2 ports.
switch>show interfaces vlans
Port       Untagged Tagged
Et9        3910     -
Et11       3912     -
Et16       500      -
Et17       3908     -
Et18       3908     -
Po1        1        101-102,500,721,3000,
Po2        101      -
Po4        3902     -
Po5        3903     -
Po6        3992     -
Po7        661      -
Po8        3911     -

show pvlan mapping interfaces

The show pvlan mapping interfaces command displays information about the private VLAN mapping interfaces.

Command Mode

EXEC

Command Syntax

show pvlan mapping interfaces

Example

This command displays information about the private VLAN mapping interfaces.
switch(config)#int vlan 50
switch(config-if-Vl50)#pvlan mapping 70
switch(config-if-Vl50)#show pvlan mapping interfaces 
Interface    Secondary Vlans
---------    ---------------        
Vlan50       70 

show vlan brief count

The show vlan brief count command displays the number of VLANs that are configured on the switch.

Command Mode

EXEC

Command Syntax

show vlan brief count

Example

This command displays the number of VLANs on the switch.
switch>show vlan brief count
Number of existing VLANs           : 18

switch>

show vlan dynamic

The show vlan dynamic command displays the source and quantity of dynamic VLANs on the switch. Dynamic VLANs support VM Tracer monitoring sessions.

Command Mode

EXEC

Command Syntax

show vlan dynamic

Example

This command displays the source and quantity of dynamic VLANs on the switch.
switch>show vlan dynamic
Dynamic VLAN source       VLANS
vmtracer-poc              88
switch>

show vlan internal allocation policy

The show vlan internal allocation policy command displays the method the switch uses to allocate VLANs to routed ports. The vlan internal order command configures the allocation method.

The allocation method consists of two configurable components:
  • range: the list of VLANs that are allocated to routed ports.
  • direction: the direction by which VLANs are allocated (ascending or descending).

Command Mode

EXEC

Command Syntax

show vlan internal allocation policy

Example

This command displays the internal allocation policy.
switch>show vlan internal allocation policy
Internal VLAN Allocation Policy: ascending
Internal VLAN Allocation Range: 1006-4094
switch>

show vlan internal usage

The show vlan internal usage command shows the VLANs that are allocated as internal VLANs for routed ports.

A routed port is an Ethernet or port channel interface that is configured as a layer 3 interface. Routed ports do not bridge frames and are not members of any VLANs. Routed ports can have IP addresses assigned to them and packets are routed directly to and from the port.

When an interface is configured as a routed port, the switch allocates an SVI with a previously unused VLAN ID. The switch prohibits the configuration of VLANs with numbers corresponding to internal VLAN interfaces allocated to a routed port. VLAN interfaces corresponding to SVIs allocated to a routed port cannot be configured by VLAN interface configuration mode commands.

Command Mode

EXEC

Command Syntax

show vlan internal usage

Example

This command displays the VLANs that are allocated to routed ports.
switch>show vlan internal usage
1006  Ethernet3
1007  Ethernet4
switch>
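
A planning check built on the two show vlan internal outputs above (an added example, not Arista code): it parses the allocation policy and current usage, marks planned VLAN IDs that the switch would reject or that sit inside the internal allocation range, and predicts which IDs the next routed ports would take. The prediction assumes the switch walks the range in the configured direction and skips IDs already in use; the planned VLAN lists and function names are constructed.

```python
import re
from itertools import islice


def parse_policy(text):
    """(direction, low, high) from 'show vlan internal allocation policy'."""
    d = re.search(r"Allocation Policy:\s*(ascending|descending)", text)
    r = re.search(r"Allocation Range:\s*(\d+)-(\d+)", text)
    if not (d and r):
        raise ValueError("allocation policy output not recognised")
    return d[1], int(r[1]), int(r[2])


def parse_usage(text):
    """{internal VLAN: routed port} from 'show vlan internal usage'."""
    usage = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\d+)\s+(\S+)\s*$", line)
        if m:
            usage[int(m[1])] = m[2]
    return usage


def classify(planned, policy, usage):
    """Label each planned VLAN ID against the internal VLAN state."""
    _, low, high = policy
    result = {}
    for vlan in planned:
        if vlan in usage:
            # The switch rejects vlan / interface vlan for an internal VLAN ID.
            result[vlan] = f"rejected: internal VLAN of {usage[vlan]}"
        elif low <= vlan <= high:
            # Free today, but a new routed port may claim it first.
            result[vlan] = "inside internal allocation range"
        else:
            result[vlan] = "clear"
    return result


def predict_next(policy, usage, configured, count):
    """IDs the next `count` routed ports would receive (assumed walk order)."""
    direction, low, high = policy
    if direction == "ascending":
        ids = range(low, high + 1)
    else:
        ids = range(high, low - 1, -1)
    taken = set(usage) | set(configured)
    return list(islice((v for v in ids if v not in taken), count))


# Outputs copied from the examples above.
POLICY_OUTPUT = """\
switch>show vlan internal allocation policy
Internal VLAN Allocation Policy: ascending
Internal VLAN Allocation Range: 1006-4094
switch>
"""
USAGE_OUTPUT = """\
switch>show vlan internal usage
1006  Ethernet3
1007  Ethernet4
switch>
"""

if __name__ == "__main__":
    policy = parse_policy(POLICY_OUTPUT)
    usage = parse_usage(USAGE_OUTPUT)
    # Constructed plan: VLANs someone intends to create on this switch.
    for vlan, verdict in classify([12, 1006, 1008], policy, usage).items():
        print(vlan, verdict)
    print("next internal IDs:", predict_next(policy, usage, {1008}, 2))
```
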

show vlan trunk group

The show vlan trunk group command displays the trunk group membership of the specified VLANs.

Command Mode

EXEC

Command Syntax

show vlan [VLAN_LIST] trunk group

Parameters

VLAN_LIST      VLAN list. Options include:
  • no parameter      all VLANs.
  • v_range     VLANs specified by v_range.
  • id v_range     VLANs specified by v_range.
  • name v_name     VLANs specified by the VLAN name v_name.
Display Values
  • VLAN      VLAN ID.
  • Trunk Groups      Trunk groups associated with the listed VLANs.

Example

This command displays the trunk group membership of all configured VLANs.
switch>show vlan trunk group
VLAN     Trunk Groups
----     -------------------------------------
5
10       first_group
12
40       second_group
100      third_group
101      middle_group
102
200

switch>

show vlan

The show vlan command displays the VLAN ID, name, status, and member ports of all configured VLANs. The command only displays active ports by default; by specifying configured-ports, the command displays all ports that are members of a configured VLAN regardless of their activity status, including Ethernet ports that are members of a port channel.

Command Mode

EXEC

Command Syntax

show vlan [VLAN_LIST] [PORT_ACTIVITY]

Parameters
  • VLAN_LIST      List of VLANs displayed by command. Options include:
    • no parameter      all VLANs.
    • v_range     VLANs specified by v_range.
    • id v_range     VLANs specified by v_range.
    • name v_name     VLANs specified by the VLAN name v_name.

      v_range formats include number, number range, or comma-delimited list of numbers and ranges.

  • PORT_ACTIVITY      Ports listed in table. Options include:
    • no parameter      table displays only active ports (same as active-configuration option).
    • active-configuration      table displays only active ports.
    • configured-ports      table displays all configured ports.

Display Values
  • VLAN     The VLAN ID.
  • Name     The name of the VLAN.
  • Status     The status of the VLAN.
  • Ports     The ports that are members of the VLAN.

Examples
  • This command displays status and ports of VLANs 1-1000.
    switch>show vlan 1-1000
    VLAN  Name                     Status    Ports
    ----- ------------------------ --------- --------------
    1     default                  active    Po1
    184   fet.arka                 active    Cpu, Po1, Po2
    262   mgq.net                  active    PPo2, Po1
    512   sant.test                active    Cpu, Et16, Po1
    821   ipv6.net                 active    Cpu, Po1, Po7
    
    switch>
  • This command displays the list of all the member interfaces under each SVI.
    switch#show vlan
    VLAN  Name                     Status    Ports
    ----- ------------------------ --------- ----------------
    1     default                  active
    2148  VLAN2148                 active    Cpu, Et1, Et26
    2700  VLAN2700                 active    Cpu, Et18

state

The state command configures the VLAN transmission state of the configuration mode VLAN.
  • Active state: Ports forward VLAN traffic.
  • Suspend state: Ports block VLAN traffic.

The default transmission status is active.

The no state command restores the default VLAN transmission state to the configuration mode VLAN by removing the corresponding state command from running-config.

Command Mode

VLAN Configuration

Command Syntax

state OPERATION_STATE

no state

default state

Parameters

OPERATION_STATE      VLAN transmission state. Options include:
  • active     VLAN traffic is forwarded.
  • suspend      VLAN traffic is blocked.

Example

These commands suspend VLAN traffic on VLANs 100-102.
switch(config)#vlan 100-102
switch(config-vlan-100-102)#state suspend
switch(config-vlan-100-102)#

switchport access vlan

The switchport access vlan command specifies the access VLAN of the configuration mode interface. Ethernet or port channel interfaces that are in access mode are members of only the access VLAN. Untagged frames that the interface receives are associated with the access VLAN. Frames tagged with the access VLAN are also associated with the access VLAN. The interface drops all other tagged frames that it receives. By default, VLAN 1 is the access VLAN of all Ethernet and port channel interfaces.

An interface's access VLAN is effective only when the interface is in access mode or dot1q-tunnel mode, as specified by the switchport mode command. Interfaces in dot1q-tunnel mode handle inbound traffic as untagged traffic and associate all traffic with the access VLAN. Interfaces configured in switchport trunk mode retain existing switchport access commands but ignore them.

The no switchport access vlan and default switchport access vlan commands restore VLAN 1 as the access VLAN of the configuration mode interface by removing the corresponding switchport access vlan statement from running-config.

Command Mode

Interface-Ethernet Configuration

Interface-Port-channel Configuration

Command Syntax

switchport access vlan v_num

no switchport access vlan

default switchport access vlan

Parameters

v_num     number of access VLAN. Value ranges from 1 to 4094. Default is 1.

Example

These commands assign VLAN 100 as the access VLAN to interface ethernet 5.

switch(config)#interface ethernet 5
switch(config-if-Et5)#switchport access vlan 100
switch(config-if-Et5)#

switchport dot1q ethertype

The switchport dot1q ethertype command configures the tag protocol identifier (TPID, also known as the dot1q ethertype) of the configuration mode interface. By default, all switch ports use the standard TPID of 0x8100.

The no switchport dot1q ethertype and default switchport dot1q ethertype commands restore the TPID to 0x8100 by removing the corresponding switchport dot1q ethertype statement from running-config.

Command Mode

Interface-Ethernet Configuration

Command Syntax

switchport dot1q ethertype ethertype

no switchport dot1q ethertype

default switchport dot1q ethertype

Parameters

ethertype     ethertype number (TPID). Value ranges from 0x600 (1536) through 0xFFFF (65535), and can be entered in decimal or hexadecimal notation. Value is stored and displayed in hexadecimal form; the default value is 0x8100.

Example

These commands configure 0x9100 as the TPID of interface ethernet 5.

switch(config)#interface ethernet 5
switch(config-if-Et5)#switchport dot1q ethertype 0x9100
switch(config-if-Et5)#

switchport mode

The switchport mode command specifies the switching mode of the configuration mode interface. The switch supports five switching modes: access, trunk, dot1q-tunnel, tap, and tool.
  • Access switching mode: The interface is a member of one VLAN, called the access VLAN, as specified by the switchport access vlan command. Tagged frames received on the interface are dropped unless they are tagged with the access VLAN. Frames transmitted from the interface are always untagged.
  • Trunk switching mode: The interface may be a member of multiple VLANs, as configured by the switchport trunk allowed vlan command. Untagged traffic is associated with the interface's native VLAN, as configured with the switchport trunk native vlan command.
  • Dot1q-tunnel switching mode: The interface treats all inbound packets as untagged traffic and handles them as traffic of its access VLAN, as specified by the switchport access vlan command.
  • Tap mode: The interface operates as a tap port. Tap ports receive traffic for replication on one or more tool ports. The interface may be a member of multiple VLANs, as configured by the switchport tap allowed vlan command. Untagged traffic is associated with the interface's native VLAN, as configured with the switchport tap native vlan command.

    Tap ports are in STP forwarding state and prohibit egress traffic. MAC learning, control plane interaction and traps for inbound traffic are disabled.

  • Tool mode: The interface operates as a tool port. Tool ports replicate traffic received by tap ports. The interface may be a member of multiple VLANs, as configured by the switchport tool allowed vlan command. MAC learning, control plane interaction and traps for inbound traffic are disabled.

    Tool ports are in STP forwarding state and prohibit ingress traffic that uses port settings.

The status of switchport configured ports depends on the switch’s tap aggregation mode (which can be viewed by using the mode command):
  • tap aggregation mode enabled: tap and tool ports are enabled. Switching ports are errdisabled.
  • tap aggregation mode disabled: tap and tool ports are errdisabled. Switching ports are enabled.

The no switchport mode and default switchport mode commands return the configuration mode interface to its default setting as an access port by deleting the corresponding switchport mode command from running-config.

Command Mode

Interface-Ethernet Configuration

Interface-Port-channel Configuration

Command Syntax

switchport mode MODE_TYPE

no switchport mode

default switchport mode

Parameters

MODE_TYPE     switching mode of the configuration mode interfaces. Options include:
  • access     access switching mode.
  • dot1q-tunnel     dot1q-tunnel switching mode.
  • tap     tap switching mode.
  • tool     tool switching mode.
  • trunk     trunk switching mode.

Restrictions

Dot1q-tunnel switching mode is not available on Petra platform switches.

Tap aggregation (tap and tool modes) is available on FM6000 and Arad platform switches.

Example

These commands configure interface ethernet 4 as a trunk port.
switch(config)#interface ethernet 4
switch(config-if-Et4)#switchport mode trunk
switch(config-if-Et4)#

switchport trunk allowed vlan

The switchport trunk allowed vlan command creates or modifies the list of VLANs for which the configuration mode interface, in trunk mode, handles tagged traffic. By default, interfaces handle tagged traffic for all VLANs. Command settings persist in running-config without taking effect when the switch is in tap aggregation mode or the interface is not in trunk mode.

The no switchport trunk allowed vlan and default switchport trunk allowed vlan commands restore the trunk mode default allowed VLAN setting of all by removing the corresponding switchport trunk allowed vlan statement from running-config.

Command Mode

Interface-Ethernet Configuration

Interface-Port-channel Configuration

Command Syntax

switchport trunk allowed vlan EDIT_ACTION

no switchport trunk allowed vlan

default switchport trunk allowed vlan

Parameters

EDIT_ACTION     modifications to the VLAN list.
  • v_range     Creates VLAN list from v_range.
  • add v_range     Adds specified VLANs to current list.
  • all     VLAN list contains all VLANs.
  • except v_range     VLAN list contains all VLANs except those specified.
  • none     VLAN list is empty (no VLANs).
  • remove v_range     Removes specified VLANs from current list.

    Valid v_range formats include number, range, or comma-delimited list of numbers and ranges.

Example

These commands create the trunk mode allowed VLAN list of 6-10 for interface ethernet 14, then verify the VLAN list.
switch(config)#interface ethernet 14
switch(config-if-Et14)#switchport trunk allowed vlan 6-10
switch(config-if-Et14)#show interfaces ethernet 14 switchport
Name: Et14
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Access Mode VLAN: 1 (inactive)
Trunking Native Mode VLAN: 1 (inactive)
Administrative Native VLAN tagging: disabled
Trunking VLANs Enabled: 6-10
Trunk Groups:

switch(config-if-Et14)#

switchport trunk group

The switchport trunk group command assigns the configuration mode interface to the specified trunk group. Trunk group ports handle traffic of the VLANs assigned to the group.

The no switchport trunk group and default switchport trunk group commands remove the configuration mode interface from the specified trunk group by deleting the corresponding statement from running-config. If the command does not specify a trunk group, the interface is removed from all trunk groups to which it is assigned.

Note: On platforms which support the use of port channels as mirror destinations, a port channel which is being used as a mirror destination must not be assigned to an MLAG.

Command Mode

Interface-Ethernet Configuration

Interface-Port-channel Configuration

Command Syntax

switchport trunk group [group_name]

no switchport trunk group [group_name]

default switchport trunk group [group_name]

Parameters

group_name    trunk group name.

Example

These commands assign port channel 4 to trunk group fe-1.
switch(config)#interface port-channel 4
switch(config-if-Po4)#switchport trunk group fe-1
switch(config-if-Po4)#

switchport trunk native vlan

The switchport trunk native vlan command specifies the trunk mode native VLAN for the configuration mode interface. Interfaces in trunk mode associate untagged frames with the native VLAN. Trunk mode interfaces can also be configured to drop untagged frames. The default native VLAN for all interfaces is VLAN 1.

The no switchport trunk native vlan and default switchport trunk native vlan commands restore VLAN 1 as the trunk mode native VLAN to the configuration mode interface by removing the corresponding switchport trunk native vlan command from running-config.

Command Mode

Interface-Ethernet Configuration

Interface-Port-channel Configuration

Command Syntax

switchport trunk native vlan VLAN_ID

no switchport trunk native vlan

default switchport trunk native vlan

Parameters
  • VLAN_ID     the ID of the native VLAN. Options include:
    • v_num     VLAN number. Value ranges from 1 to 4094.
    • tag     interface drops all untagged frames.

Example

These commands configure VLAN 100 as the native VLAN for port channel 21.
switch(config)#interface port-channel 21
switch(config-if-Po21)#switchport trunk native vlan 100
switch(config-if-Po21)#
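
The defaults documented above (access mode, access VLAN 1, all VLANs allowed on a trunk, native VLAN 1) stay in effect whenever the matching statement is absent from running-config. The following added example, which is not part of the Arista documentation, reports the interfaces that still rely on them; the running-config excerpt, its indented stanza layout and the function names are constructed for illustration.

```python
import re

# Defaults stated in this chapter for switched ports.
DEFAULTS = {"mode": "access", "access": "1", "allowed": "all", "native": "1"}

# Constructed running-config excerpt (not taken from a real switch).
SAMPLE_CONFIG = """\
interface Ethernet4
   switchport mode trunk
interface Ethernet5
   switchport access vlan 100
interface Ethernet7
interface Ethernet14
   switchport mode trunk
   switchport trunk allowed vlan 6-10
   switchport trunk native vlan tag
interface Port-Channel21
   switchport access vlan 30
   switchport mode trunk
   switchport trunk allowed vlan 100-102
   switchport trunk native vlan 100
"""

PATTERNS = {
    "mode": re.compile(r"switchport mode (\S+)$"),
    "access": re.compile(r"switchport access vlan (\d+)$"),
    "allowed": re.compile(r"switchport trunk allowed vlan (.+)$"),
    "native": re.compile(r"switchport trunk native vlan (\S+)$"),
}

def parse_interfaces(config):
    """Return {interface: effective settings}, with defaults filled in."""
    ports, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = ports.setdefault(line.split(None, 1)[1], dict(DEFAULTS))
        elif current is not None and line[:1].isspace():
            for key, pattern in PATTERNS.items():
                match = pattern.match(line.strip())
                if match:
                    current[key] = match.group(1)
        else:
            current = None              # any unindented line ends the stanza
    return ports

def audit(config):
    """Return sorted (interface, finding) pairs for settings left at default."""
    findings = []
    for name, port in parse_interfaces(config).items():
        if port["mode"] == "trunk":
            if port["allowed"] == "all":
                findings.append((name, "trunk carries all VLANs"))
            if port["native"] == "1":
                findings.append((name, "untagged frames join VLAN 1"))
            if port["access"] != "1":
                findings.append((name, "access VLAN statement is ignored"))
        elif port["mode"] == "access" and port["access"] == "1":
            findings.append((name, "access port in VLAN 1"))
    return sorted(findings)
```

A trunk configured with native vlan tag produces no native VLAN finding, because the interface then drops untagged frames instead of placing them in VLAN 1.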

switchport vlan forwarding

The switchport vlan forwarding command forwards packets between the ports belonging to a VLAN on the configuration mode interface. The scaling configuration applies on a per-port basis. On the 7160 platform, the hardware uses a Port-VLAN table to store the configuration for each port/VLAN combination and supports a maximum of 128 ports.

Note: The configuration is applicable to trunk ports only.

Command Mode

Interface-Ethernet Configuration

Command Syntax

switchport vlan forwarding accept | all

Parameters
  • accept     accepts packets for VLAN.
  • all      all VLANs.

Example

These commands accept and forward packets for all VLANs on interface ethernet 2.
switch(config)#interface ethernet 2
switch(config-if-Et2)#switchport vlan forwarding accept all
switch(config-if-Et2)#

switchport vlan translation

The switchport vlan translation command allows you to map packets from one VLAN to another using VLAN translation. This is carried out on packets having a dot1q header (tagged frames) only. The translation rewrites the VLAN ID (VID) field in dot1q headers on packets passing through a switched port without changing any other fields.

By default, the translation is bidirectional. The packets ingressing an interface through VLAN A are internally mapped to VLAN B; VLAN B packets egressing the same interface are mapped to VLAN A.

To use VLAN translation on a switched port, the port must be configured as a trunk port using the switchport mode command.

VLAN translation on routed ports is accomplished through the encapsulation dot1q vlan command.

The no switchport vlan translation and default switchport vlan translation commands remove VLAN mapping by removing the switchport vlan translation command from running-config.

Command Mode

Interface-Ethernet Configuration

Interface-Port-channel Configuration

Command Syntax

switchport vlan translation [DIRECTION] incoming_vlanid new_vlanid

no switchport vlan translation incoming_vlanid new_vlanid

no switchport vlan translation DIRECTION incoming_vlanid

default switchport vlan translation incoming_vlanid new_vlanid

default switchport vlan translation DIRECTION incoming_vlanid

Parameters
  • DIRECTION     direction of traffic to be translated.
    • no parameter     translates the specified VLAN IDs for transmitted and received traffic.
    • in     translates the specified VLAN IDs for received traffic only.
    • out     translates the specified VLAN IDs for transmitted traffic only.
  • incoming_vlanid     The VLAN ID to be translated. Value ranges from 1 to 4094.
  • new_vlanid     The new VLAN ID or bridging VLAN ID that will be used internally. Value ranges from 1 to 4094.

Example
  • These commands translate only incoming packets, changing the VLAN ID to 2008 in the dot1q header of packets ingressing on VLAN 201.
    switch(config)#interface ethernet 5
    switch(config-if-Et5)#switchport vlan translation in 201 2008 
    switch(config-if-Et5)#
  • These commands configure multiple VLAN mappings on interface ethernet 5.
    switch(config)#interface ethernet 5
    switch(config-if-Et5)#switchport vlan translation 50 60
    switch(config-if-Et5)#switchport vlan translation 61 71
    switch(config-if-Et5)#switchport vlan translation 62 72
    switch(config-if-Et5)#
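
The VID rewrite described above, modelled on raw frame bytes as an added example (not Arista code). TranslatingPort, make_frame and read_tag are hypothetical helpers and the frames are constructed; two points are modelling assumptions: the first ID given with out is the one rewritten on transmit, and a tag whose TPID differs from the port's is not treated as a dot1q header.

```python
import struct

TPID_DEFAULT = 0x8100   # standard TPID, the default on all switch ports

def make_frame(vid, pcp=0, dei=0, tpid=TPID_DEFAULT, payload=b"\x08\x00demo"):
    """Build a constructed Ethernet frame carrying one dot1q tag."""
    dst, src = b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02"
    tci = (pcp << 13) | (dei << 12) | vid   # PCP(3 bits) DEI(1) VID(12)
    return dst + src + struct.pack("!HH", tpid, tci) + payload

def read_tag(frame, tpid=TPID_DEFAULT):
    """Return (pcp, dei, vid), or None when no tag with this TPID is present."""
    if len(frame) < 16 or struct.unpack("!H", frame[12:14])[0] != tpid:
        return None
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci >> 13, (tci >> 12) & 1, tci & 0x0FFF

class TranslatingPort:
    """Model of one trunk port's VLAN translation table (hypothetical)."""

    def __init__(self, tpid=TPID_DEFAULT):
        self.tpid, self.ingress, self.egress = tpid, {}, {}

    def add(self, incoming, new, direction=None):
        """direction is None (both ways), 'in' or 'out', as in the syntax."""
        if direction not in (None, "in", "out"):
            raise ValueError("direction must be None, 'in' or 'out'")
        for vid in (incoming, new):
            if not 1 <= vid <= 4094:
                raise ValueError("VLAN ID out of range 1-4094")
        if direction in (None, "in"):
            self.ingress[incoming] = new
        if direction is None:
            self.egress[new] = incoming     # reverse half of the default map
        elif direction == "out":
            self.egress[incoming] = new     # assumption, see lead-in

    def _rewrite(self, frame, table):
        tag = read_tag(frame, self.tpid)
        if tag is None or tag[2] not in table:
            return frame                    # untagged or unmapped: unchanged
        pcp, dei, vid = tag
        tci = (pcp << 13) | (dei << 12) | table[vid]   # only the VID changes
        return frame[:14] + struct.pack("!H", tci) + frame[16:]

    def receive(self, frame):
        return self._rewrite(frame, self.ingress)

    def transmit(self, frame):
        return self._rewrite(frame, self.egress)
```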

trunk group

The trunk group command assigns the configuration mode VLAN to a specified trunk group.

A trunk group is the set of physical interfaces that comprise the trunk and the collection of VLANs whose traffic is carried on the trunk. The traffic of a VLAN that belongs to one or more trunk groups is carried only on ports that are members of trunk groups to which the VLAN belongs. Switchport commands specify the physical interfaces that carry trunk group traffic.

The no trunk group and default trunk group commands remove the configuration mode VLAN from the specified trunk group by removing the corresponding trunk group statement from running-config. If a trunk group is not specified, the commands remove the configuration mode VLAN from all trunk groups.

Command Mode

VLAN Configuration

Command Syntax

trunk group [name]

no trunk group [name]

default trunk group [name]

Parameters

name     a name representing the trunk group.

Example

These commands assign VLAN 49 to the trunk group mlagpeer:
switch(config)#vlan 49
switch(config-vlan-49)#trunk group mlagpeer
switch(config-vlan-49)#
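
The pruning rule above can be checked from command output. This added example (not part of the Arista documentation) parses the show vlan trunk group output shown earlier in this chapter and lists which ports carry each trunk group VLAN; the port membership table and function names are constructed, and treating commas or spaces as separators between several group names is an assumption.

```python
# Output copied from the show vlan trunk group example in this chapter.
SHOW_VLAN_TRUNK_GROUP = """\
VLAN     Trunk Groups
----     -------------------------------------
5
10       first_group
12
40       second_group
100      third_group
101      middle_group
102
200
"""

# Constructed port membership, as switchport trunk group would assign it.
PORT_GROUPS = {
    "Po4": {"first_group", "third_group"},
    "Et7": {"second_group"},
    "Et9": set(),                       # trunk port in no trunk group
}

def parse_trunk_groups(text):
    """Return {vlan_id: set of trunk group names} from the command output."""
    vlans = {}
    for line in text.splitlines():
        fields = line.replace(",", " ").split()
        if fields and fields[0].isdigit():      # skips header, rule, prompts
            vlans[int(fields[0])] = set(fields[1:])
    return vlans

def carrying_ports(vlan_groups, port_groups, vlan):
    """Ports that carry a trunk group VLAN; None if the VLAN is in no group."""
    groups = vlan_groups[vlan]
    if not groups:
        return None                     # trunk groups place no restriction
    return sorted(p for p, g in port_groups.items() if g & groups)

def unreachable_vlans(vlan_groups, port_groups):
    """VLANs whose trunk groups have no member port to carry them."""
    return sorted(v for v in vlan_groups
                  if carrying_ports(vlan_groups, port_groups, v) == [])
```

With the constructed membership, VLAN 101 is reported as unreachable because no port belongs to middle_group.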