Virtual LANs (VLANs)

This chapter describes Arista’s Virtual LANs (VLANs) implementation and MAC address tables.

sections in this chapter include:

VLAN Introduction
VLAN Conceptual Overview
VLAN Configuration Procedures
VLAN Configuration commands

VLAN Introduction

Arista switches support industry standard 802.1q VLANs. Arista eos provides tools to manage and extend VLANs throughout the data center network.

VLAN Conceptual Overview

VLAN Definition

A Virtual Local Area Network (VLAN) allows a group of devices to communicate as if they were in the same network regardless of their physical location. VLANs are Layer 2 structures based on the 802.1Q standard.

These parameters are associated with a VLAN:

VLAN number (1-4094): VLAN numbers uniquely identify the VLAN within a network. VLAN 1 exists by default; all other VLANs only exist after configuring.
VLAN name (optional): The VLAN name is a text string that describes the VLAN.
VLAN state (active or suspended): The state specifies the VLAN transmission status within the switch. In the suspended state, VLAN traffic is blocked on all switch ports. The default state is active.

VLANs define Layer 2 broadcast domains in a Layer 2 network, in which each device can receive broadcast frames sent by any other within the domain. Switches accommodating multiple broadcast domains serve as multi-port bridges where each broadcast domain is a distinct virtual bridge. Traffic does not pass directly between different VLANs within a switch or between two switches.

VLAN Switching

Ethernet and port channel interfaces are configured as switched ports by default. Switched ports are configurable as members of one or more VLANs. Switched ports ignore all IP-level configuration commands, including IP address assignments.

VLAN Trunking and Trunk Groups

Trunking extends multiple VLANs beyond the switch through a common interface or port channel.

A trunk group is the set of physical interfaces that comprise the trunk and the collection of VLANs whose traffic is carried on the trunk. The traffic of a VLAN that belongs to one or more trunk groups is carried only on ports that are members of trunk groups to which the VLAN belongs, i.e., VLANs configured in a trunk group are pruned of all ports that are not associated with the trunk group. See the Trunk Ports example section for further details.

Note: Be cautious when using allowed VLAN lists or trunk groups to ensure that the VLAN topology is consistent with any Layer-2 control protocol topology, or unpredictable results can occur.

VLAN traffic is carried through Ethernet or LAG ports. A port’s switchport mode defines the number of VLANs for which the port can carry traffic.

Access ports carry traffic for one VLAN – the access VLAN. Access ports associate untagged frames with the access VLAN. Access ports drop tagged frames that are not tagged with the access VLAN.
Trunk ports carry traffic for multiple VLANs. Tag frames specify the VLAN for which trunk ports process packets.

Q-in-Q Trunking

A Q-in-Q network is a multi-tier layer 2 VLAN network. A typical Q-in-Q network is composed of a service provider network (tier 1) where each node connects to a customer network (tier 2).

802.1ad is a networking standard that supports Q-in-Q networks by allowing multiple 802.1Q tags in an Ethernet frame.

Each interface in a customer network is assigned to a customer-VLAN (c-VLAN). Packets in c-VLANs contain 802.1q tags that switch traffic within the network. c-VLANs access the service provider VLAN (s-VLAN) through a provider switch. Customer switch ports connect to an s-VLAN through provider switch edge ports, which are configured as dot1q ports and operate as follows:

Inbound traffic (from customer switches): adds an s-VLAN tag, then forwards packets to the provider network.
Outbound traffic (to customer switches): removes the s-VLAN tag, then forwards packets to the customer network.

Tag Protocol Identifier (TPID) Configurable Ethertypes

By default, VLAN-tagged packets carry a Tag Protocol Identifier (TPID) of 0x8100. On some Arista platforms, however, the TPID of a switchport can be modified in accordance with IEEE 802.1ad to allow for the use of 802.1q TPIDs other than 0x8100. Well known and standard tags include the following:

0x8100 - Specifies the customer VLAN.
0x88a8 - Specifies the service VLAN tag used in provider bridging.
0x9100 - Specifies the service VLAN tag also used in provider bridging, but not a common configuration.

Other non-standard TPID values may also be configured for interoperability with legacy equipment or non-standard systems. Values range from 0x600 (1536) through 0xFFFF (65535).

Non-default TPID values are most commonly used for provider bridging on a network-to-network interface.

VLAN Routing

Each VLAN can be associated with a Switch Virtual Interface (SVI), also called a VLAN interface. The VLAN interface functions in a routed network (Layer 3) with an assigned IP subnet address. Connecting different VLANs requires Layer 3 networking.

VLAN Interfaces

A Switched Virtual Interface (SVI) connects to the VLAN segment on the switch to provide Layer 3 processing for packets from the VLAN. An SVI can be activated only after it is connected to a VLAN. SVIs are typically configured for a VLAN to a default gateway for a subnet to facilitate traffic routing with other subnets.

In a Layer 3 network, each VLAN SVI is associated with an IP subnet, with all stations in the subnet members of the VLAN. Traffic between different VLANs is routed when IP routing is enabled.

Internal VLANs

A routed port is an Ethernet or port channel interface that functions as a Layer 3 interface. Routed ports do not bridge frames nor switch VLAN traffic. Routed ports have IP addresses assigned to them and packets are routed directly to and from the port.

The switch allocates an internal VLAN for an interface when it is configured as a routed port. The internal VLAN is assigned a previously unused VLAN ID. The switch prohibits the subsequent configuration of VLANs and VLAN interfaces with IDs corresponding to allocated internal VLANs.

Support for Private VLAN

Private VLAN is a feature that segregates a regular VLAN broadcast domain while maintaining all ports in the same IP subnet. There are three types of VLAN within a private VLAN:

Primary VLAN: Ports in the primary VLAN can send and or receive traffic from ports in all the corresponding PVLANs. There is only one primary VLAN in a private VLAN.
Community VLAN: This is a secondary VLAN. Hosts in a community VLAN forward traffic to each other as well as ports in the primary VLAN. There are multiple community VLANs in a private VLAN.
Isolated VLAN: This is a secondary VLAN. Hosts in an isolated VLAN only forward traffic to ports in the primary VLAN. Hosts within an isolated VLAN can not communicate with each other using bridging. There are multiple isolated VLANs in a private VLAN.

Limitations

On DCS-7280R, DCS-7280R2, DCS-7500R, DCS-7500R2, DCS-7020R

Private VLAN and Algomatch features are mutually exclusive. Disable algomatch with the hardware access-list mechanism tcam command . Note that this requires a reload of the system to take effect.
L2 and L3 multicast traffic is not supported.

On All Platforms except 7300X3, CCS-720XP, DCS-7050X3

Private VLAN and IPv4/IPv6 uRPF features are mutually exclusive.

On All Platforms

Tunnel termination on PVLAN ports is not supported.
Ingress IPv4/IPv6 RACLs on the primary VLAN are not honored for packets ingressing through ports in secondary VLANs.
Only isolated private VLAN trunks and normal trunk ports are supported. It allows trunk ports to forward and receive traffic for all primary and or secondary VLANs. An isolated trunk translates traffic coming in on a primary VLANto the lowest valued secondary VLAN on the trunk port.
Private VLAN is not supported on L2 subinterfaces.
Hardware accelerated Sflow is not supported on Private VLAN ports.
VLAN Mapping and or Translation is not supported with Private VLAN.

Show commands

Use the show vlan private-vlan command to display the primary and secondary defined VLANs:

switch# show vlan private-vlan
Primary Secondary Type         Ports
------- --------- ----------- ------------------------
100      101      community    Et1, Et6
100      102      isolated     Et1, Et7, Et8
200      201      community    Et10, Et9

Use the show vlan 100,101,102,200,201 command to diplay which interfaces are member of which VLANs:

# show vlan 100,101,102,200,201
VLAN  Name          Status    Ports
----- ------------- --------- -------------------------------
100   VLAN0100      active    Et1, Et6+, Et7+, Et8+
101   VLAN0101      active    Et1+, Et6
102   VLAN0102      active    Et1+, Et7, Et8
200   VLAN0200      active    Et10
201   VLAN0201      active    Et10+, Et9

+ indicates a private VLAN promoted port

Promoted ports are displayed to indicate they are part of the same broadcast domain as the indicated VLAN. Interfaces in a primary VLAN are included in the display of all its associated secondary VLANs. Interfaces in secondary VLANs are included in the display of both its primary VLAN and its own domain.

On DCS-7280R, DCS-7280R2, DCS-7500R, DCS-7500R2, DCS-7020R

Use the show platform sand pvlan interfaces command to display the status of the interfaces to configure a private VLAN.

switch# show platform sand pvlan interfaces
Interface          Secondary      Primary     State
                        VLAN         VLAN
-----------------  ----------  ----------  ---------
Ethernet6                 101         100    enabled
Ethernet7                 102         100    enabled
Ethernet8                 102         100    enabled
Po1                       102         100    enabled
Ethernet9                 201         200     failed
Po2                       202         200     failed

In this output, the Secondary VLAN column indicates the VLAN which is configured on the interface. The Primary VLAN column indicates the primary VLAN to which the secondary VLAN belongs to. The State field has three possible values - enabled, failed, configured. The enabled state indicates that the private VLAN is configured and enabled on that interface. The failed state indicates that the private VLAN configuration has failed for that interface The configured state indicates that private VLAN is configured on that interface but has not taken effect. When port channels are configured in a private VLAN, it is enabled only if entries for all the member interfaces are successfully programmed in the hardware. If the hardware entries for any one of the member interfaces fails, the entries for other member interfaces are also removed from the hardware and the state is marked as failed.

VLAN Translation

VLAN translation allows you to map packets from one VLAN to another. This can be carried out only on packets having a dot1q header (tagged frames). The translation rewrites the Vlan ID field (VID) in dot1q headers on packets passing through a switched port without changing any other fields.

VLAN translation also supports the ability to translate packets with a dot1q header to the internal VLAN for a routed port. The VLAN in the incoming packets is mapped to the internal VLAN of the routed port and packets egressing the routed port are encapsulated with a dot1q header for the specified VLAN. For egress packets, no priority information is added to the dot1q header and the priority from the incoming encapsulation will be retained.

When configuring the VLAN translation mode, consider the following:

VLAN translation is only supported for tagged packets.
BPDUs from STP, LLDP and other protocols are not affected by this mapping.
VLAN translation is not applicable for access ports.
Untagged packets entering the switch on the trunk native VLAN are not mapped.
TPID and VLAN priority does not get re-written during the translation.

VLAN Configuration Procedures

These sections describe basic VLAN configuration tasks.

Creating and Configuring VLANs
Configuring VLAN Switching
Creating and Configuring VLAN Interfaces
Allocating Internal VLANs
Configuring Private VLANs
Configuring VLAN Translation
Configuring VLAN Counters

Creating and Configuring VLANs

The CLI provides two methods of creating VLANs.

Explicitly through the vlan command.
Implicitly through the switchport access vlan command.

The switchport access vlan command generates a warning message when it creates a VLAN.

To create a VLAN, use the vlan command in global configuration mode. Valid VLAN numbers range between 1 and 4094. To create multiple VLANs, specify a range of VLAN numbers.

To edit an existing VLAN, enter the vlan command with the number of the existing VLAN.

Examples

This command creates VLAN 45 and enters VLAN configuration mode for the new VLAN.
```
switch(config)# vlan 45
switch(config-vlan-45)#
```

Use the name (VLAN configuration mode) command to assign a name to a VLAN.

These commands assign the name Marketing to VLAN 45.

switch(config)# vlan 45
switch(config-vlan-45)# name Marketing
switch(config-vlan-45)# show vlan 45

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------
45   Marketing                        active    Et1

switch(config-vlan-45)#

To change the state of a VLAN, use the state command in VLAN configuration mode.

These commands suspend VLAN 45. VLAN traffic is blocked on all switch ports.

switch(config)# vlan 45
switch(config-vlan-45)# state suspend
switch(config-vlan-45)# show vlan 45

VLAN Name                             Status    Ports
---- -------------------------------- --------- ------
45   Marketing                        suspended

switch(config-vlan-45)#

These commands activate VLAN 45.

switch(config)# vlan 45 
switch(config-vlan-45)# state active
switch(config-vlan-45)# show vlan 45

VLAN Name                             Status    Ports
---- -------------------------------- --------- ------
45   Marketing                        active    Et1

switch(config-vlan-45)#

VLAN Policy

The VLAN policy configuration command enables a switch to configure a VLAN policy when it receives a packet with unknown destination MAC address on a VLAN. The mac address forwarding command provides three options to configure a VLAN policy:

Flood the Layer 2 miss packets on the VLAN
Drop the Layer 2 miss packets
Log the Layer 2 miss packets to the CPU (while still flooding them on the VLAN)

The default behavior is to flood the L2 miss packets on all ports of the VLAN.

VLAN policy configuration is supported on the Arista 7010, 7050 (excluding 7050SX3-48YC12, 7050CX3-32S, 7050QX2-32S, 7050SX2-72Q, 7050SX2-128, 7050TX2-128), 7060, 7250, and the 7300 series platforms.

VLAN policy is not supported in the following cases:

STP, LLDP, and LACP packets
VLAN policy configurations on VXLAN-enabled VLAN
On a VLAN if IGMP snooping is configured with Multicast miss action is set to drop, then all multicast packets received on that VLAN are dropped.

Examples

These commands create a vlan 333 and then set the unicast policy to ‘drop’ and the multicast policy to ‘log’ for the specific vlan 333.

switch(config)# vlan 333
switch(config-vlan-333)# mac address forwarding unicast miss action drop
switch(config-vlan-333)# mac address forwarding multicast miss action log

These commands display the VLAN policy that was defined when vlan 333 is created.

switch(config)# show vlan 333 mac address forwarding

VLAN  UcMissAction  McMissAction
----  ------------  ------------
 333  flood         flood

These commands display the VLAN policy type that was defined when vlan 333 is configured with the ‘drop’ unicast policy and the ‘log’ multicast policy.

switch(config)# show vlan 333 mac address forwarding

VLAN  UcMissAction  McMissAction
----  ------------  ------------
 333  drop          log

switch(config)# show vlan mac address forwarding
 
VLAN  UcMissAction  McMissAction
----  ------------  ------------
   1  flood         flood
 333  drop          log

Configuring VLAN Switching

The following describe the configuration of VLAN ports.

Access Ports

Access ports carry traffic for one VLAN, as designated by a switchport access vlan command. Access ports associate untagged frames with the access VLAN. Tagged frames received by the interface are dropped unless they are tagged with the access VLAN.

To configure an interface group as an access port, use the switchport mode command.

Examples

These commands configure interface ethernet 1 as an access port.

switch(config)# interface ethernet 1
switch(config-if-Et1)# switchport mode access
switch(config-if-Et1)#

To specify the port’s access VLAN, use the switchport access vlan command.
These commands configure vlan 15 as the access VLAN for interface ethernet 5.
```
switch(config)# interface ethernet 5
switch(config-if-Et5)# switchport access vlan 15
switch(config-if-Et5)#
```

These commands configure interface Ethernet 1 through 3 as access ports that process untagged frames as vlan 5 traffic.

switch(config)# interface Ethernet 1-3
switch(config-if-Et1-3)# switchport mode access
switch(config-if-Et1-3)# switchport access vlan 5
switch(config-if-Et1-3)# show interfaces ethernet 1-3 vlans
Port       Untagged Tagged
Et1        None     23,25
Et2        18       -
Et3        None     14
switch(config-if-Et1-3)#

Dot1q Tunnel Ports

Dot1q (802.1Q) is a tunneling protocol that encapsulates traffic from multiple customer (c-tag) VLANs in an additional single outer service provider (s-tag) VLAN for transit across a larger network structure that includes traffic from all customers. Tunneling eliminates the service provider requirement that every VLAN be configured from multiple customers, avoiding overlapping address space issues.

Tunneling preserves the inner VLANs through the tunneled network; these inner VLANs are ignored by intermediate devices that make forwarding decisions based only on the outermost VLAN tag (S-Tag)

A dot1q-tunnel port sits at the edge of the tunneled network. Unlike regular access ports, a dot1q-tunnel port does not drop traffic that arrives with 802.1Q tags in place; it ignores existing 802.1Q information and associates arriving traffic (with or without 802.1Q headers) with a new tunnel VLAN ID.

Packets arriving at a tunnel port are encapsulated with an additional 802.1Q tag that can be trunked between multiple devices like any traditional VLAN. When exiting a dot1-tunnel port, the S-Tag is removed to revert the customer traffic to its original tagged or untagged state.

To configure an interface group as a dot1q tunnel port, use the switchport mode command.

Example

These commands configure interface ethernet 12 as a dot1q tunnel port.

switch(config)# interface ethernet 12
switch(config-if-Et12)# switchport mode dot1q-tunnel
switch(config-if-Et12)#

To specify the dot1q-tunnel port’s access VLAN, use the switchport access vlan command. The port then handles all inbound traffic as untagged VLAN traffic.

Example

These commands configure vlan 60 as the access VLAN for interface ethernet 12.

switch(config)# interface ethernet 12
switch(config-if-Et12)# switchport access vlan 60
switch(config-if-Et12)#

TPID Configuration

The default Tag Protocol IDentifier (TPID, also called dot1q ethertype) on all switch ports is 0x8100. To configure a different TPID on a port, use the switchport dot1q ethertype command. This feature is available only on 7280E and 7500E platforms.

Note: If dot1q tunneling is enabled on the interface, a TPID configured on the interface becomes irrelevant.

Example

In this provider bridging example, interface ethernet 1 is the user network interface and interface ethernet 2 is the network-to-network interface. These commands configure dot1q tunneling on interface ethernet 1 and set the TPID of interface ethernet 2 to 0x9100.

switch(config)# interface ethernet 1
switch(config-if-Et1)# switchport mode dot1q-tunnel
switch(config-if-Et1)# interface ethernet 2
switch(config-if-Et2)# switchport mode trunk
switch(config-if-Et2)# switchport dot1q ethertype 0x9100
switch(config-if-Et2)#

In the above configuration, packets from Et1 to Et2 will undergo dot1q-tunneling (stacking of an additional dot1q tag), with an outer TPID of 0x9100 at egress, while packets with outer TPID 0x9100 going from Et2 to Et1 will have the outer tag removed at egress.

Layer 2 802.1Q Encapsulation

Layer 2 traffic encapsulation is enabled on the configuration mode interface for a specified VLAN through l2-protocol encapsulation dot1q vlan.

Example

These commands enable traffic encapsulation for vlan 200 traffic passing through interface ethernet 5/2.

switch(config)# interface ethernet 5/2
switch(config-if-Et5/2)# l2-protocol encapsulation dot1q vlan 200

Port VLAN Scaling on DCS-7160

Port VLAN scaling allows the user to configure a subset of ports in the scale mode. The switchport vlan forwarding command forwards packets between the ports belonging to VLAN in the interface configuration mode. Port-VLAN table is used for storing the configuration on a per port/VLAN combination. The scaling configuration is applicable on a per-port basis and supports a maximum of 128 ports.

Note: The configuration is applicable to trunk ports only.

Example

This command enables VLAN scaling on a port with an interface ethernet 2.

switch# config terminal
switch(config)# interface ethernet 2
switch(config-if-Et2)# switchport vlan forwarding accept all

This command disables VLAN scaling on a port.

switch# config
switch(config)# interface ethernet 2
switch(config-if-Et2)# no switchport vlan forwarding accept all

Creating and Configuring VLAN Interfaces

The interface vlan command places the switch in VLAN-interface configuration mode for modifying an SVI. An SVI provides a management address point and Layer 3 processing for packets from all VLAN ports.

Example

This command enters VLAN-interface configuration mode for vlan 12. The command also creates vlan 12 interface if it was not previously created.

switch# config t
switch(config)# interface vlan 12
switch(config-if-Vl12)#

Allocating Internal VLANs

The vlan internal order command specifies the VLANs that the switch allocates as internal VLANs when configuring routed ports and the order of their allocation. By default, the switch allocates VLANs in ascending order. The default allocation range is between VLAN 1006 and VLAN 4094.

The no switchport command converts an Ethernet or port channel interface into a routed port, disabling Layer 2 switching for the interface.

Examples

This command configures the switch to allocate internal VLANs in ascending order starting with 1006.
```
switch(config)# vlan internal order ascending
switch(config)#
```
This command configures the switch to allocate internal VLANs in descending order starting with 4094.
```
switch(config)# vlan internal order descending
switch(config)#
```
This command configures the switch to allocate internal VLANs in descending order from 4094 through 4000.
```
switch(config)# vlan internal order descending range 4000 4094
switch(config)#
```

Configuring Private VLANs

Configuring Private VLANs on Platforms with Algomatch Hardware

The following platforms contain algomatch hardware-based systems:

DCS-7280R
DCS-7280R2
DCS-7500R2
DCS-7020

On systems with algomatch hardware, the access-list mechanism must explicitly be set to TCAM using the following command.

switch(config)# hardware access-list mechanism tcam

To enable the private VLAN feature, you must also enable the forwarding-ID feature.

switch(config)# platform sand l2 forwarding-id sharing

Configuring TCAMs for Private VLANs

Support for private VLANs on the following platforms:

DCS-7280R3
DCS-7500R3
DCS-7800R3

Use the following commands to add private VLANs to these platforms:

switch(config)# hardware tcam
switch(config-tcam)# system profile private-vlan

switch(config)# hardware tcam
switch(config-tcam)# profile pvlanprofile copy default
switch(config-tcam-profile-pvlanprofile)# feature private-vlan
switch(config-tcam-feature-private-vlan)# system profile pvlanprofile

Configuring Private VLANs On All Platforms

Any regular VLAN can act as a primary without any extra configuration, and requires an active VLAN. Use the following command to configure a VLAN as active or inactive:
```
switch(config)# vlan 100
```
```
switch(config)# no vlan 100
```
```
switch(config)# default vlan 100
```
Configure VLANs as secondary inside the VLAN configuration mode. Use the configuration to specify the primary VLAN as isolated and the type of secondary VLAN:
```
switch(config)# vlan 20
switch(config-vlan-20)# private-vlan isolated primary vlan 10
switch(config)# vlan 30
switch(config-vlan-30)# private-vlan community primary vlan 10
```
Figure 1. Support for Private VLANs
eos assigns interfaces to primary or secondary VLANs in the same manner as regular VLANs. It works with both access and trunk ports. Use the following switchport command to configure an access interface to the secondary VLAN:
```
switch(config)# interface ethernet 1/1
switch(config-if-Et1/1)# switchport access vlan 20
```
Trunk ports forward any traffic within the allowed VLANs configured on the interface whether primary or secondary VLANs. To configure secondary trunk ports to translate traffic from the primary VLAN to the lowest numbered secondary VLAN, use the following commands on the switch:
```
switch(config)# interface ethernet 1/1
switch(config-if-Et1/1)# switchport trunk private-vlan secondary
```

Adding Promiscuous Trunk Ports

Promiscuous trunk ports translate traffic from the primary VLAN to the lowest numbered secondary VLAN. Use the following commands for a primary VLAN, VLAN10, with an isolated VLAN, VLAN20, and a community VLAN, VLAN30, on Ethernet interface, Et16/1, and create a promiscuous port:

switch(config)# int Et16/1
switch(config-if-Et16/1)#switchport mode trunk
switch(config-if-Et16/1)#switchport trunk allowed vlan 10,20,30
switch(config-if-Et16/1)#switchport vlan translation out 20,30 10

Removing a Private VLAN

The no private-vlan command reverts the VLAN back to a regular VLAN. At this point, the broadcast domain for this VLAN adjusts and all hosts start learning from the regular VLAN, as opposed to the primary VLAN. The switch no longer uses the MAC table entries learned previouslyon the primary VLAN for forwarding. To remove a private VLAN, use the following command.
```
switch(config-vlan-20)# no private-vlan
```
To restore trunk port behavior to allow traffic on all primary and secondary VLANs, use the following commands:
```
switch(config)# interface ethernet1/1
switch(config-if-Et1/1)# no switchport trunk private-vlan secondary
```

Removing Private VLANs from Platforms with Algomatch Hardware

The following platforms contain algomatch hardware-based systems:

DCS-7280R
DCS-7280R2
DCS-7500R2
DCS-7020

To remove forwarding-id sharing from the configuration, use the following command:

switch(config)# no platform sand l2 forwarding-id sharing
Note: This configuration needs the device to be rebooted to take effect.

Disabling Private VLANs on TCAMs

Support for private VLANs on the following platforms:

DCS-7280R3
DCS-7500R3
DCS-7800R3

Disable the private VLAN on the TCAM profile of the switch using the following command:

switch(config)# hardware tcam
switch(config-tcam)# no system profile private-vlan

switch(config)# hardware tcam
switch(config-tcam)# profile pvlanprofile
smv418(config-tcam-profile-pvlanprofile)# no system profile pvlanprofile

Configuring VLAN Translation

VLAN translation changes the VLAN ID of specified packets entering or leaving a port. The following sections describe the configuration of VLAN translation.

Per-port VLAN Translation on Switched Ports

The switchport vlan translation command allows translation of the VLAN tag of traffic entering or exiting a switched port.

To use VLAN translation on a switched port, the port must be configured as a trunk port using the switchport mode command.

Examples

This command configures interface ethernet 5 as a trunk port.

switch(config)# interface ethernet 5
switch(config-if-Et5)# switchport mode trunk
switch(config-if-Et5)#

By default, the translation is bidirectional: packets ingressing an interface through vlan A are internally mapped to vlan B; vlan B packets egressing the same interface are mapped to vlan A.

These commands map interface ethernet 5 traffic with dot1q tag 50 to bridging vlan 60.

switch(config)# interface ethernet 5
switch(config-if-Et5)# switchport vlan translation 50 60
switch(config-if-Et5)#

These commands provides multiple 1:1 VLAN mappings under an interface.

switch(config)# interface ethernet 5
switch(config-if-Et5)# switchport vlan translation 50 60
switch(config-if-Et5)# switchport vlan translation 61 71
switch(config-if-Et5)# switchport vlan translation 62 72
switch(config-if-Et5)#

These commands translate only incoming packets.

switch(config)# interface ethernet 5
switch(config-if-Et5)# switchport vlan translation in 50 60
switch(config-if-Et5)#

These commands translate only egress packets.

switch(config)# interface ethernet 5
switch(config-if-Et5)# switchport vlan translation out 60 50
switch(config-if-Et5)#

Dropping VLAN Translations

Dropping Mismatched VLAN Translations on a Routed Port

On routed ports, the encapsulation dot1q vlan command, permitted only on routed ports, configures the VLAN on the interface to act as the native VLAN. This command maps packets ingressing with the specified VLAN ID to the internal VLAN ID of the routed port. All traffic egressing out of the routed port tagged with the VLAN ID specified in the command.

Example

These commands translate between vlan 50 and the internal VLAN for interface ethernet 5 (a routed port).

switch(config)# interface ethernet 5
switch(config-if-Et5)# no switchport
switch(config-if-Et5)#encapsulation dot1q vlan 50
switch(config-if-Et5)#

Dropping Unmatched VLAN Translations on an Interface

Configure an Ethernet interface to drop unmatched VLAN translation packets from ingress and egress ports.

Example

Use the following commands to drop invalid VLAN translations from Ethernet1:

switch(config)# interface Ethernet1
switch(config-if-Et2)# switchport vlan translation out required
switch(config-if-Et2)# switchport vlan translation in required

Double VLAN Translation

Double VLAN translation creates mappings between an inner and outer VLAN ID pair of a double-tagged packet and a single bridging VLAN. On ingress, specified double-tagged packets are mapped to the bridging VLAN, and on egress packets with the ID of the bridging VLAN are double tagged as specified. By default, the translation is bidirectional, but it can be applied only on ingress or egress.

Example

These commands causes packets entering interface ethernet 3/1 with an outer VLAN ID of 1000 and an inner VLAN ID of 100 to be processed in bridging vlan 200.

switch(config)# interface ethernet 3/1
switch(config-if-Et3/1)# switchport vlan translation in 1000 inner 100 200
switch(config-if-Et3/1)#

Configuring VLAN Counters

Add VLAN ingress and egress counters that provide the ability to count packets and bytes ingressing or egressing a bridge domain for a VLAN.

Note: Only R Series platforms support this configuration.

Use the following commands to add VLAN ingress and egress counters to the switch:

switch(config)# hardware counter feature vlan in
switch(config)# hardware counter feature vlan out

To display the configuration, use the show hardware counter.

switch(config)# show hardware counter feature
Feature         Direction  Counter Resource (Engine) Status   Detail
--------------- ---------- ------------------------- -------- ------------------------------
Queue           out        Jericho2C+: 16            up       Not user-configurable.
VLAN            out        Jericho2C+: 2             up
VLAN            in         Jericho2C+: 1             up
VOQ             in         Jericho2C+: 0, 8          up       Not user-configurable.

Verify the counter status using the show vlan counters command.

switch# show vlan counters
Vlan                 InOctets          InPkts
Vlan1                       0               0
Vlan100                   186               2
Vlan200                     0               0
Vlan300                    64               1
       
       
Vlan                OutOctets         OutPkts
Vlan1                       0               0
Vlan100                     0               0
Vlan200                   114               1
Vlan300                    70               1

To clear the counter status, use the following command:

switch(config)# clear vlan counters
switch(config)# show vlan counters
            
Vlan                 InOctets          InPkts
Vlan1                       0               0
Vlan100                     0               0
Vlan200                     0               0
Vlan300                     0               0
            
            
Vlan                OutOctets         OutPkts
Vlan1                       0               0
Vlan100                     0               0
Vlan200                     0               0
Vlan300                     0               0

VLAN Configuration commands

autostate

When autostate is enabled, the VLAN interface will be up when:

the corresponding VLAN exists and is in the active state.
one or more Layer 2 ports in the VLAN are up and in spanning-tree forwarding state.
the VLAN interface exists and is not in a shutdown state.

Autostate is enabled by default. When autostate is disabled, the VLAN interface is forced to be active.

The no autostate command disables autostate on the configuration mode interface. The no autostate command is stored to running-config.
The autostate command enables the autostate function on the configuration mode VLAN SVI by removing the corresponding no autostate statement from running-config.
The default autostate command restores the autostate default state of enabled by removing the corresponding no autostate statement from running-config.

Command Mode

Interface-VLAN Configuration

Command Syntax

autostate

no autostate

default autostate

Guidelines

Autostate should be disabled on SVIs configured as an mlag local interface.

Examples

These commands disable autostate on vlan 100.

switch(config)# interface vlan 100
switch(config-if-Vl100)# no autostate
switch(config-if-Vl100)#

These commands enable autostate on vlan 100.

switch(config)# interface vlan 100
switch(config-if-Vl100)# autostate
switch(config-if-Vl100)#

encapsulation dot1q vlan

Routed Port VLAN Translation

In the configuration mode for an Ethernet or port channel interface, the encapsulation dot1q vlan translates packets with a dot1q header to the internal VLAN for a routed port. The VLAN in the incoming packets is mapped to the internal VLAN of the routed port, and packets egressing the routed port are encapsulated with a dot1q header for the specified VLAN. For egress packets, no priority information is added to the dot1q header and the priority from the incoming encapsulation will be retained.

Subinterface VLAN Assignment

When used in the configuration mode for an Ethernet or port channel subinterface, however, the encapsulation dot1q vlan command assigns a dot1q tag to the subinterface. Traffic ingressing on the parent interface with that dot1q tag will then be sent to the configured subinterface. See Subinterfaces and Subinterface Configuration for details.

The no encapsulation dot1q vlan and default encapsulation dot1q vlan commands restore the default VLAN to the configuration mode interface by removing the corresponding encapsulation dot1q vlan command from running-config.

Command Mode

Interface-Ethernet Configuration

Interface-port-channel Configuration

Subinterface-Ethernet Configuration

Subinterface-port-channel Configuration

Command Syntax

encapsulation dot1q vlan vlan_id

no encapsulation dot1q vlan

default encapsulation dot1q vlan

Parameter

vlan_id For VLAN translation, the ID of the external VLAN to be translated; for subinterface configuration, the VLAN of the subinterface. Values range from 1 to 4094.

Examples

These commands translate between vlan 50 and the internal VLAN for interface ethernet 5 (a routed port).

switch(config)# interface ethernet 5
switch(config-if-Et5)# no switchport
switch(config-if-Et5)# encapsulation dot1q vlan 50
switch(config-if-Et5)#

These commands assign packets ingressing on interface ethernet 1/1 with vlan ID 100 to subinterface ethernet 1/1.1.

switch(config)# interface ethernet1/1.1
switch(config-if-Et1/1.1)# no switchport
switch(config-if-Et1/1.1)# encapsulation dot1q vlan 100
switch(config-if-Et1/1.1)#

interface vlan

The interface vlan command places the switch in VLAN-interface configuration mode for modifying parameters of the Switch Virtual Interface (SVI). An SVI provides Layer 3 processing for packets from all ports associated with the VLAN. There is no physical interface for the VLAN.

When entering configuration mode to modify existing SVIs, the command can specify multiple interfaces. The command creates an SVI if the specified interface does not exist prior to issuing the command. When creating an SVI, the command can only specify a single interface.

The no interface vlan command deletes the specified SVI interfaces from running-config. The default interface vlan commands remove all configuration statements for the specified SVI interfaces from running-config without deleting the interfaces.

Command Mode

Global Configuration

Command Syntax

interface vlan v_range

no interface vlan v_range

default interface vlan v_range

Parameter

v_range VLAN interfaces (number, range, or comma-delimited list of numbers and ranges). VLAN number ranges from 1 to 4094.

Restrictions

Internal VLANs: A VLAN interface cannot be created or configured for internal VLAN IDs. The switch rejects any interface vlan command that specifies an internal VLAN ID.

Example

This example creates an SVI for vlan 12:

switch# config
switch(config)# interface vlan 12
switch(config-if-Vl12)#

l2-protocol encapsulation dot1q vlan

The l2-protocol encapsulation dot1q vlan command enables Layer 2 802.1Q traffic encapsulation on the configuration mode interface for a specified VLAN. The default VLAN for all interfaces is VLAN 1.

The no l2-protocol encapsulation dot1q vlan and default l2-protocol encapsulation dot1q vlan commands disable the specified encapsulation on the configuration mode interface by removing the corresponding l2-protocol encapsulation dot1q vlan command from running-config.

Command Mode

Interface-Ethernet Configuration

Interface-Port-channel Configuration

Command Syntax

l2-protocol encapsulation dot1q vlan vlan_id

no l2-protocol encapsulation dot1q vlan

default l2-protocol encapsulation dot1q vlan

Parameter

vlan_id the ID of the native VLAN. Values range from 1 to 4094.

Example

These commands enable 802.1Q encapsulation of traffic on vlan 200.

switch(config)# interface ethernet 5/2
switch(config-if-Et5/2)# l2-protocol encapsulation dot1q vlan 200
switch(config-if-Et5/2)# show active
interface Ethernet5/2
   l2-protocol encapsulation dot1q vlan 200
switch(config-if-Et5/2)#

mac address forwarding

The mac address forwarding command enables a switch to configure a VLAN policy when it receives a packet with an unknown destination MAC address on a VLAN. The command provides three options to configure a VLAN policy:

Flood the Layer 2 miss packets on the VLAN
Drop the Layer 2 miss packets
Log the Layer 2 miss packets to the CPU (while still flooding them on the VLAN)

The default state behavior floods the L2 miss packets on all ports of the VLAN.

The show vlan command displays information about the configured VLAN policy.

The no form and the default form of the command removes the previously configured VLAN policy on the VLAN.

Command Mode

VLAN Configuration

Command Syntax

mac address forwarding [unicast | multicast] miss action [drop | flood | log]

no mac address forwarding [unicast | multicast] miss action [drop | flood | log]

default mac address forwarding [unicast | multicast] miss action [drop | flood | log]

Parameters

unicast - Specify the unicast type of transmission.
multicast - Specify the multicast type of transmission.
drop - Specify the selected packets to drop.
flood - Specify the selected packets to flood in the specific VLAN.
log - Specify the selected packets to send to the CPU for logging purpose.

Guidelines

eos does not support VLAN policy in the following cases:

STP, LLDP, and LACP packets
VLAN policy configurations on VXLAN-enabled VLAN
On a VLAN if IGMP snooping with Multicast miss action set to drop, then drops all multicast packets received on that VLAN.

Examples

These commands create a vlan 333 and then set the unicast policy to drop and the multicast policy to log for the specific vlan 333.

switch(config)# vlan 333
switch(config-vlan-333)# mac address forwarding unicast miss action drop
switch(config-vlan-333)# mac address forwarding multicast miss action log

These commands display the VLAN policy defined when creating vlan 333.

switch(config)# show vlan 333 mac address forwarding

VLAN  UcMissAction  McMissAction
----  ------------  ------------
 333  flood         flood

These commands display the VLAN policy type defined when configuring vlan 333 with the drop unicast policy and the log multicast policy.

switch(config)# show vlan 333 mac address forwarding

VLAN  UcMissAction  McMissAction
----  ------------  ------------
 333  drop          log

switch(config)#show vlan mac address forwarding

VLAN  UcMissAction  McMissAction
----  ------------  ------------
   1  flood         flood
 333  drop          log

name (VLAN configuration mode)

The name command configures the VLAN name. The name can have up to 32 characters. The default name for VLAN 1 is default. The default name for all other VLANs is VLANxxxx, where xxxx is the VLAN number. The default name for vlan 55 is VLAN0055. The show vlan command displays the VLAN name.

The name command accepts all characters except the space.

The no name and default name commands restore the default name by removing the name command from running-config.

Command Mode

VLAN Configuration

Command Syntax

name label_text

no name

default name

Parameter

label_text character string assigned to name attribute. Maximum length is 32 characters. The space character is not permitted in the name string.

Example

These commands assign corporate_100 as the name for vlan 25, then displays the VLAN name.

switch(config)# vlan 25
switch(config-vlan-25)# name corporate_100
switch(config-vlan-25)# show vlan 25
VLAN  Name                             Status    Ports
----- -------------------------------- --------- ---------
25    corporate_100                    active

switch(config-vlan-25)#

pvlan mapping

The pvlan mapping command maps a Switch Virtual Interface (SVI) available in the primary VLAN to the secondary VLAN or VLANs in the VLAN configuration mode. The show pvlan mapping interfaces command displays the list of mapped VLANs.

The no pvlan mapping and default pvlan mapping commands restore the default state of the private VLAN mapping.

Command Mode

VLAN Configuration

Command Syntax

pvlan mapping {add | remove | vlan ID}

no pvlan mapping {add | remove | vlan ID}

default pvlan mapping {add | remove | vlan ID}

Parameters

add adding VLANs to the PVLAN mapping of the current VLAN interface.
remove removing VLANs from the PVLAN mapping of the current VLAN interface.
vlan ID The secondary VLAN IDs of the private VLAN mapping. The IDs range from 1 to 4094.

Related commands

show pvlan mapping interfaces

Example

These commands assign a secondary VLAN ID of 50 to the primary VLAN.

switch(config)# vlan 25
switch(config-vlan-25)# pvlan mapping 50
switch(config-vlan-25)#

show dot1q-tunnel

The show dot1q-tunnel command displays the ports that are configured in dot1q-tunnel switching mode. The switchport mode command configures the switching mode for the configuration mode interface.

Command Mode

EXEC

Command Syntax

show dot1q-tunnel [INTERFACE]

Parameters

INTERFACE Interface type and numbers. Options include:

no parameter Display information for all interfaces.
ethernet e_range Ethernet interface range specified by e_range.
loopback l_range Loopback interface specified by l_range.
management m_range Management interface range specified by m_range.
port-channel p_range Port-Channel Interface range specified by p_range.
vlan v_range VLAN interface range specified by v_range.
VXLAN vx_range VXLAN interface range specified by vx_range.
Valid range formats include number, number range, or comma-delimited list of numbers and ranges.

Example

This command displays the ports that are configured in dot1q-tunnel switching mode.

switch> show dot1q-tunnel
dot1q-tunnel mode LAN Port (s)
------------------------------
Po4
Po21
Po22
switch>

show interfaces switchport backup-link

The show interfaces switchport backup-link command displays interfaces that are configured as switchport backup pairs and the operational status of each interface. For each pair, the command displays the names, roles, status, and VLAN traffic of each interface.

Command Mode

EXEC

Command Syntax

show interfaces [INTERFACE] switchport backup-link

show interfaces switchport backup-link [module {Fabric f_num | Linecard lc_num | Supervisor svr_num | Switchcard | 1-2 | 3-6 }]

Parameters

INTERFACE Interface type and numbers. Options include:
- no parameter Display information for all interfaces.
- ethernet e_range Ethernet interface range specified by e_range.
- loopback l_range Loopback interface specified by l_range.
- management m_range Management interface range specified by m_range.
- port-channel p_range Port-Channel Interface range specified by p_range.
- vlan v_range VLAN interface range specified by v_range.
  Valid e_range, l_range, m_range, p_range, and v_range formats include number, number range, or comma-delimited list of numbers and ranges.
module Displays interfaces of the specified module. Options include:
- Fabric f_num Displays interfaces of the specified fabric module. Value ranges from 1 to 6.
- Linecard lc_num Displays interfaces of the specified linecard module. Value ranges from 3 to 6.
- Supervisor svr_num Displays interfaces of the specified supervisor module. Accepted values are 1 and 2.
- Switchcard Displays interfaces of switchcard modules.
- 1-2 Displays interfaces of the specified supervisor module.
- 3-6 Displays interfaces of the specified linecard module.

Display Values

State Operational status of the interface. Values include:
- Up Spanning tree mode is backup, interface status is up.
- Down Spanning tree mode is backup, interface status is down.
- Inactive Configuration The spanning tree mode is not backup.
Forwarding vlans VLANs forwarded by the interface. Depends on interface operation status and prefer option specified by the switchport backup command.

Examples

This command displays the configured switchport primary-backup pairs.

switch> show interfaces switchport backup-link
Switch backup interface pair: Ethernet3/17, Ethernet3/8
Primary Interface: Ethernet3/17     State:  Inactive Configuration
Backup Interface:  Ethernet3/8      State:  Inactive Configuration
Preemption delay: 0 milliseconds
Mac move burst size: 0
Mac move burst interval: 20 milliseconds
Mac move destination: ff:ff:ff:ff:ff:ff

This command displays interfaces of the module for linecard 4.

switch(config)# show int switchport backup-link module Linecard 4
Switch backup interface pair: Ethernet4/19/1, Ethernet4/19/2
Primary Interface: Ethernet4/19/1   State:  Inactive Configuration
Backup Interface:  Ethernet4/19/2   State:  Inactive Configuration
Preemption delay: 0 milliseconds
Mac move burst size: 0
Mac move burst interval: 20 milliseconds
Mac move destination: ff:ff:ff:ff:ff:ff

show interfaces switchport vlan mapping

The show interfaces switchport vlan mapping command displays mapping information of the configured VLANs in an interface mode.

Command Mode

EXEC

Command Syntax

show interfaces switchport vlan mapping

Examples

This command displays mapping information of the configured VLAN IDs.

switch# show interfaces switchport vlan mapping
--------------
Ethernet3
                                   Direction   Direction
Original Vlan  New Vlan  Status    Configured  Active
-------------- --------- --------- ----------- -----------
10             100       Active    In/Out      In/Out
11             200       Active    In          In
300            12        Active    Out         Out

This command displays dual tag mapping information of the configured VLAN IDs.

switch(config)# show interfaces switchport vlan mapping
--------------
Ethernet3/1
Direction     Direction
Outer Tag     Inner Tag     VLAN ID     Status      Configured    Active Dot1  qTunnel
-----------   -----------   ---------   ---------   -----------   -----------  -----------
1000          100           200         active        In/Out        In/Out      -

1001          101           201         active        In            In          -

1002          102           202         active        Out           Out          -

This command displays dual tag mapping information of the configured VLAN IDs.

switch(config)# show interfaces switchport vlan mapping
--------------
Ethernet1/1
                                                   Direction     Direction 
Outer Tag    Inner Tag     VLAN ID     Status      Configured    Active         
----------- -----------   ---------   ---------   -----------   ----------- 
70            -             300         Active      In/Out        In/Out             
10            50            100         Active      In/Out        In/Out            
20            60            100         Active      In            In                
30            40            200         Active      Out           Out

show interfaces switchport

The show interfaces switchport command displays the switching configuration and operational status of the specified ports.

Command Mode

EXEC

Command Syntax

show interfaces [INTERFACE] switchport

Parameters

INTERFACE Interface type and numbers. Options include:

no parameter Display the switching status for all interfaces.
ethernet e_range Ethernet interface range specified by e_range.
loopback l_range Loopback interface specified by l_range.
management m_range Management interface range specified by m_range.
port-channel p_range Port-Channel Interface range specified by p_range.
vlan v_range VLAN interface range specified by v_range.
Valid e_range, l_range, m_range, p_range, and v_range formats include number, number range, or comma-delimited list of numbers and ranges.

Examples

This command displays the switching status for all interfaces.

switch(config)# show interface switchport
Default switchport mode: access

Name: Et5/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
MAC Address Learning: enabled
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: disabled
Trunking VLANs Enabled: ALL
Static Trunk Groups: 
Dynamic Trunk Groups: 

Name: Et5/2
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
MAC Address Learning: enabled
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: disabled
Trunking VLANs Enabled: ALL
Static Trunk Groups: 
Dynamic Trunk Groups: 

[...]

switch(config)#

This command displays the switching status of port channel interfaces 21 and 22.

switch> show interface port-channel 21-22 switchport
Name: Po21
Switchport: Enabled
Administrative Mode: tunnel
Operational Mode: tunnel
Access Mode VLAN: 1 (inactive)
Trunking Native Mode VLAN: 100 (VLAN0100)
Administrative Native VLAN tagging: disabled
Trunking VLANs Enabled: ALL
Trunk Groups: foo

Name: Po22
Switchport: Enabled
Administrative Mode: tunnel
Operational Mode: tunnel
Access Mode VLAN: 1 (inactive)
Trunking Native Mode VLAN: 1 (inactive)
Administrative Native VLAN tagging: disabled
Trunking VLANs Enabled: ALL
Trunk Groups:

switch>

This command displays the configured status of VLAN scaling for the interface ethernet 2/1 port.

switch# show interface Ethernet 2/1 switchport 
Name: Ethernet 2/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
MAC Address Learning: enabled
Dot1q ethertype/TPID: 0x8100 (active)
Dot1q VLAN Tag: Allowed
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: disabled
Trunking VLANs Enabled: ALL
Static Trunk Groups: 
Dynamic Trunk Groups: 
Source interface filtering: enabled
VLAN forwarding mode: allConfiguredVlans

switch>

show interfaces trunk

The show interfaces trunk command displays configuration and status information for interfaces configured in switchport trunk mode.

Command Mode

EXEC

Command Syntax

show interfaces [INTERFACE] trunk

Parameters

INTERFACE Interface type and numbers. Options include:

no parameter Display information for all interfaces.
ethernet e_range Ethernet interface range specified by e_range.
management m_range Management interface range specified by m_range.
port-channel p_range Port-Channel Interface range specified by p_range.
Valid e_range, m_range, and p_range formats include number, number range, or comma-delimited list of numbers and ranges.

Example

This command displays the trunk status for all interfaces configured in switchport trunk mode.

switch> show interfaces trunk
Port            Mode            Status          Native vlan
Po1             trunk           trunking        1
Po2             trunk           trunking        1

Port            Vlans allowed
Po1             1-15
Po2             16-30

Port            Vlans allowed and active in management domain
Po1             1-10
Po2             21-30


Port            Vlans in spanning tree forwarding state
Po1             1-10
Po2             21-30

switch>

show interfaces vlans

The show interfaces vlans command displays a table that lists the VLANs that are carried by the specified interfaces. Interfaces that do not carry VLANs are not listed in the table. The table lists the untagged (native or access) and tagged VLANs for each interface.

Command Mode

EXEC

Command Syntax

show interfaces [INT_NAME] vlans

Parameters

INT_NAME Interface type and number. Values include:

ethernet e_num Ethernet interface specified by e_num.
management m_num Management interface specified by m_num.
port-channel p_num Port-Channel Interface specified by p_num.

Example

This command displays the VLANs carried by all L2 ports.

switch> show interfaces vlans
Port       Untagged Tagged
Et9        3910     -
Et11       3912     -
Et16       500      -
Et17       3908     -
Et18       3908     -
Po1        1        101-102,500,721,3000,
Po2        101      -
Po4        3902     -
Po5        3903     -
Po6        3992     -
Po7        661      -
Po8        3911     -

show pvlan mapping interfaces

The show pvlan mapping interfaces command displays information about the private VLAN mapping interfaces.

Command Mode

EXEC

Command Syntax

show pvlan mapping interfaces

Example

This command displays information about the private VLAN mapping interfaces.

switch(config)# int vlan 50
switch(config-if-Vl50)# pvlan mapping 70
switch(config-if-Vl50)# show pvlan mapping interfaces 
Interface    Secondary Vlans
---------    ---------------        
Vlan50       70

show vlan

The show vlan command displays the VLAN ID, name, status, and member ports of all configured VLANs. The command only displays active ports by default; by specifying configured-ports, the command displays all ports that are members of a configured VLAN regardless of their activity status, including Ethernet ports that are members of a port channel.

Command Mode

EXEC

Command Syntax

show vlan [VLAN_LIST] [PORT_ACTIVITY]

Parameters

VLAN_LIST List of VLANs displayed by command. Options include:
- no parameter all VLANs.
- v_range VLANs specified by v_range.
- id v_range VLANs specified by v_range.
- name v_name VLANs specified by the VLAN name v_name.
  v_range formats include number, number range, or comma-delimited list of numbers and ranges.
PORT_ACTIVITY Ports listed in table. Options include:
- no parameter table displays only active ports (same as active-configuration option).
- active-configuration table displays only active ports.
- configured-ports table displays all configured ports.

Display Values

VLAN The VLAN ID.
Name The name of the VLAN.
Status The status of the VLAN.
Ports The ports that are members of the VLAN.

Examples

This command displays status and ports of VLANs 1-1000.

switch> show vlan 1-1000
VLAN  Name                     Status    Ports
----- ------------------------ --------- --------------
1     default                  active    Po1
184   fet.arka                 active    Cpu, Po1, Po2
262   mgq.net                  active    PPo2, Po1
512   sant.test                active    Cpu, Et16, Po1
821   ipv6.net                 active    Cpu, Po1, Po7

switch>

This command displays the list of all the member interfaces under each SVI.

switch# show vlan
VLAN  Name                     Status    Ports
----- ------------------------ --------- ----------------
1     default                  active
2148  VLAN2148                 active    Cpu, Et1, Et26
2700  VLAN2700                 active    Cpu, Et18

show vlan brief count

The show vlan brief count command displays the number of VLANs that are configured on the switch.

Command Mode

EXEC

Command Syntax

show vlan brief count

Example

This command displays the number of VLANs on the switch.

switch> show vlan brief count
Number of existing VLANs           : 18

switch>

show vlan counters

Displays information about configured ingress and egress VLAN counters on the switch.

Configuration Mode

EXEC

Command Syntax

show vlan counters

Example

Use the following command to display VLAN counters configured on the switch:

switch# show vlan counters
Vlan                 InOctets          InPkts
Vlan1                       0               0
Vlan100                   186               2
Vlan200                     0               0
Vlan300                    64               1
                
                
Vlan                OutOctets         OutPkts
Vlan1                       0               0
Vlan100                     0               0
Vlan200                   114               1
Vlan300                    70               1

show vlan dynamic

The show vlan dynamic command displays the source and quantity of dynamic VLANs on the switch. Dynamic VLANs support VM Tracer monitoring sessions.

Command Mode

EXEC

Command Syntax

show vlan dynamic

Example

This command displays the source and quantity of dynamic VLANs on the switch.

switch> show vlan dynamic
Dynamic VLAN source       VLANS
vmtracer-poc              88
switch>

show vlan internal allocation policy

The show vlan internal allocation policy command displays the method the switch uses to allocate VLANs to routed ports. The vlan internal order command configures the allocation method.

The allocation method consists of two configurable components:

range: the list of VLANs that are allocated to routed ports.
direction: the direction by which VLANs are allocated (ascending or descending).

Command Mode

EXEC

Command Syntax

show vlan internal allocation policy

Example

This command displays the internal allocation policy.

switch> show vlan internal allocation policy
Internal VLAN Allocation Policy: ascending
Internal VLAN Allocation Range: 1006-4094
switch>

show vlan internal usage

The show vlan internal usage command shows the VLANs that are allocated as internal VLANs for routed ports.

A routed port is an Ethernet or port channel interface that is configured as a layer 3 interface. Routed ports do not bridge frames and are not members of any VLANs. Routed ports can have IP addresses assigned to them and packets are routed directly to and from the port.

When an interface is configured as a routed port, the switch allocates an SVI with a previously unused VLAN ID. The switch prohibits the configuration of VLANs with numbers corresponding to internal VLAN interfaces allocated to a routed port. VLAN interfaces corresponding to SVIs allocated to a routed port cannot be configured by VLAN interface configuration mode commands.

Command Mode

EXEC

Command Syntax

show vlan internal usage

Example

This command displays the VLANs that are allocated to routed ports.

switch> show vlan internal usage
1006  Ethernet3
1007  Ethernet4
switch>

show vlan trunk group

The show vlan trunk group command displays the trunk group membership of the specified VLANs.

Command Mode

EXEC

Command Syntax

show vlan [ VLAN_LIST ] trunk group

Parameters

VLAN_LIST VLAN list. Options include:

no parameter all VLANs.
v_range VLANs specified by v_range.
id v_range VLANs specified by v_range.
name v_name VLANs specified by the VLAN name v_name.

Display Values

VLAN VLAN ID.
Trunk Groups Trunk groups associated with the listed VLANs.

Example

This command displays the trunk group membership of all configured VLANs.

switch> show vlan trunk group
VLAN     Trunk Groups
----     -------------------------------------
5
10       first_group
12
40       second_group
100      third_group
101      middle_group
102
200

switch>

state

The state command configures the VLAN transmission state of the configuration mode VLAN.

Active state: Ports forward VLAN traffic.
Suspend state: Ports block VLAN traffic.

The default transmission status is active.

The no state command restores the default VLAN transmission state to the configuration mode VLAN by removing the corresponding state command from running-config.

Command Mode

VLAN Configuration

Command Syntax

state OPERATION_STATE

no state

default state

Parameters

OPERATION_STATE VLAN transmission state. Options include:

active VLAN traffic is forwarded.
suspend VLAN traffic is blocked.

Example

These commands suspend VLAN traffic on VLANs 100-102.

switch(config)# vlan 100-102
switch(config-vlan-100-102)# state suspend
switch(config-vlan-100-102)#

switchport access vlan

The switchport access vlan command specifies the access VLAN of the configuration mode interface. Ethernet or port channel interfaces that are in access mode are members of only the access VLAN. Untagged frames that the interface receives are associated with the access VLAN. Frames tagged with the access VLAN are also associated with the access VLAN. The interface drops all other tagged frames that it receives. By default, VLAN 1 is the access VLAN of all Ethernet and port channel interfaces.

An interface's access mode is effective only when the interface is in access mode or dot1q-tunnel mode, as specified by the switchport mode command. Interfaces in dot1q-tunnel mode handle inbound traffic as untagged traffic and associate all traffic with the access VLAN. Interfaces configured to switchport trunk mode maintain and ignore existing switchport access commands.

The no switchport access vlan and default switchport access vlan commands restore VLAN 1 as the access VLAN of the configuration mode interface by removing the corresponding switchport access vlan statement from running-config.

Command Mode

Interface-Ethernet Configuration

Interface-Port-channel Configuration

Command Syntax

switchport access vlan v_num

no switchport access vlan

default switchport access vlan

Parameter

v_num number of access VLAN. Value ranges from 1 to 4094. Default is 1.

Example

These commands assign VLAN 100 as the access VLAN to interface ethernet 5.

switch(config)# interface ethernet 5
switch(config-if-Et5)# switchport access vlan 100
switch(config-if-Et5)#

switchport dot1q ethertype

The switchport dot1q ethertype command configures the tag protocol identifier (TPID, also known as a dot1q ethertype), of the configuration mode interface. By default, all switch ports use the standard TPID of 0x8100.

The no switchport dot1q ethertype and default switchport dot1q ethertype commands restore the TPID to 0x8100 by removing the corresponding switchport dot1q ethertype statement from running-config.

Command Mode

Interface-Ethernet Configuration

Command Syntax

switchport dot1q ethertype ethertype

no switchport dot1q ethertype

default switchport dot1q ethertype

Parameter

ethertype ethertype number (TPID). Value ranges from 0x600 (1536) through 0xFFFF (65535), and can be entered in decimal or hexadecimal notation. Value is stored and displayed in hexadecimal form; the default value is 0x8100.

Example

These commands configure 0x9100 as the TPID of interface ethernet 5.

switch(config)# interface ethernet 5
switch(config-if-Et5)# switchport dot1q ethertype 0x9100
switch(config-if-Et5)#

switchport mode

The switchport mode command specifies the switching mode of the configuration mode interface. The switch supports five switching modes: access, trunk, dot1q-tunnel, tap, and tool.

Access switching mode: The interface is a member of one VLAN, called the access VLAN, as specified by the switchport access vlan command. Tagged frames received on the interface are dropped unless they are tagged with the access VLAN. Frames transmitted from the interface are always untagged.
Trunk switching mode: The interface may be a member of multiple VLANs, as configured by the switchport trunk allowed vlan command. Untagged traffic is associated with the interface's native VLAN, as configured with the switchport trunk native vlan command.
Dot1q-tunnel switching mode: The interface treats all inbound packets as untagged traffic and handles them as traffic of its access VLAN, as specified by the switchport access vlan command.
Tap mode: The interface operates as a tap port. Tap ports receive traffic for replication on one or more tool ports.The interface may be a member of multiple VLANs, as configured by the switchport tap allowed vlan command. Untagged traffic is associated with the interface's native VLAN, as configured with the switchport tap native vlan command.

Tap ports are in STP forwarding state and prohibit egress traffic. MAC learning, control plane interaction and traps for inbound traffic are disabled.

Tool mode: The interface operates as a tool port. Tool ports replicate traffic received by tap ports. The interface may be a member of multiple VLANs, as configured by the switchport tool allowed vlan command. MAC learning, control plane interaction and traps for inbound traffic are disabled.

Tool ports are in STP forwarding state and prohibit ingress traffic that uses port settings.

The status of switchport configured ports depends on the switch’s tap aggregation mode (which can be viewed by using the mode command):

tap aggregation mode enabled: tap and tool ports are enabled. Switching ports are errdisabled.
tap aggregation mode disabled: tap and tool ports are errdisabled. Switching ports are enabled.

The no switchport mode and default switchport mode commands return the configuration mode interface to its default setting as an access port by deleting the corresponding switchport mode command from running-config.

Command Mode

Interface-Ethernet Configuration

Interface-Port-channel Configuration

Command Syntax

switchport mode MODE_TYPE

no switchport mode

default switchport mode

Parameters

MODE_TYPE switching mode of the configuration mode interfaces. Options include:

access access switching mode.
dot1q-tunnel dot1q-tunnel switching mode.
tap tap switching mode.
tool tool switching mode.
trunk trunk switching mode.

Restrictions

Dot1q-tunnel switching mode is not available on Petra platform switches.

Tap aggregation (tap and tool modes) is available on FM6000 and Arad platform switches.

Example

These commands configure interface ethernet 4 as a trunk port.

switch(config)# interface ethernet 4
switch(config-if-Et4)# switchport mode trunk
switch(config-if-Et4)#

switchport trunk allowed vlan

The switchport trunk allowed vlan command creates or modifies the list of VLANs for which the configuration mode interface, in trunk mode, handles tagged traffic. By default, interfaces handle tagged traffic for all VLANs. Command settings persist in running-config without taking effect when the switch is in tap aggregation mode or the interface is not in trunk mode.

The no switchport trunk allowed vlan and default switchport trunk allowed vlan commands restore the trunk mode default allowed VLAN setting of all by removing the corresponding switchport trunk allowed vlan statement from running-config.

Command Mode

Interface-Ethernet Configuration

Interface-Port-channel Configuration

Command Syntax

switchport trunk allowed vlan EDIT_ACTION

no switchport trunk allowed vlan

default switchport trunk allowed vlan

Parameters

EDIT_ACTION modifications to the VLAN list.

v_range Creates VLAN list from v_range.
add v_range Adds specified VLANs to current list.
all VLAN list contains all VLANs.
except v_range VLAN list contains all VLANs except those specified.
none VLAN list is empty (no VLANs).
remove v_range Removes specified VLANs from current list.
Valid v_range formats include number, range, or comma-delimited list of numbers and ranges.

Example

These commands create the trunk mode allowed VLAN list of 6-10 for interface ethernet 14, then verifies the VLAN list.

switch(config)# interface ethernet 14
switch(config-if-Et14)# switchport trunk allowed vlan 6-10
switch(config-if-Et14)# show interfaces ethernet 14 switchport
Name: Et14
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Access Mode VLAN: 1 (inactive)
Trunking Native Mode VLAN: 1 (inactive)
Administrative Native VLAN tagging: disabled
Trunking VLANs Enabled: 6-10
Trunk Groups:

switch(config-if-Et14)#

switchport trunk group

The switchport trunk group command assigns the configuration mode interface to the specified trunk group. Trunk group ports handle traffic of the VLANs assigned to the group.

The no switchport trunk group and default switchport trunk group commands remove the configuration mode interface from the specified trunk group by deleting the corresponding statement from running-config. If the command does not specify a trunk group, the interface is removed from all trunk groups to which it is assigned.

Note: On platforms which support the use of port channels as mirror destinations, a port channel which is being used as a mirror destination must not be assigned to an mlag.

Command Mode

Interface-Ethernet Configuration

Interface-Port-channel Configuration

Command Syntax

switchport trunk group [ group_name ]

no switchport trunk group [ group_name ]

default switchport trunk group [ group_name ]

Parameter

group_name trunk group name.

Example

These commands assign port channel 4 to trunk group fe-1.

switch(config)# interface port-channel 4
switch(config-if-Po4)# switchport trunk group fe-1
switch(config-if-Po4)#

switchport trunk native vlan

The switchport trunk native vlan command specifies the trunk mode native VLAN for the configuration mode interface. Interfaces in trunk mode associate untagged frames with the native VLAN. Trunk mode interfaces can also be configured to drop untagged frames. The default native VLAN for all interfaces is VLAN 1.

The no switchport trunk native vlan and default switchport trunk native vlan commands restore vlan 1 as the trunk mode native VLAN to the configuration mode interface by removing the corresponding switchport trunk native vlan command from running-config.

Command Mode

Interface-Ethernet Configuration

Interface-Port-channel Configuration

Command Syntax

switchport trunk native vlan VLAN_ID

no switchport trunk native vlan

default switchport trunk native vlan

Parameters

VLAN_ID the ID of the native VLAN. Options include:
- v_num VLAN number. Value ranges from 1 to 4094.
- tag interface drops all untagged frames.

Example

These commands configure vlan 100 as the native VLAN for port channel 21.

switch(config)# interface port-channel 21
switch(config-if-Po21)# switchport trunk native vlan 100
switch(config-if-Po21)#

switchport vlan forwarding

The switchport vlan forwarding command forwards packets between the ports belonging to VLAN in the interface configuration mode. The scaling configuration is applicable on a per-port basis. In the 7160 platform, the hardware uses a Port-VLAN table for storing the configuration on a per port/VLAN combination and supports a maximum of 128 ports.

Note: The configuration is applicable to trunk ports only.

Command Mode

Interface-Ethernet Configuration

Command Syntax

switchport vlan forwarding [ accept | all ]

Parameters

accept accepts packets for VLAN.
all all VLANs.

Example

This command forwards and accepts all the packets of VLAN of interface ethernet 2.

switch(config)# interface ethernet 2
switch(config-if-Et2)# switchport vlan forwarding accept all
switch(config-if-Et2)#

switchport vlan translation

The switchport vlan translation command allows you to map packets from one VLAN to another using VLAN translation. This is carried out on packets having a dot1q header (tagged frames) only. The translation rewrites the VLAN ID (VID) field in dot1q headers on packets passing through a switched port without changing any other fields.

By default, the translation is bidirectional. The packets ingressing an interface through vlan A are internally mapped to vlan B; vlan B packets egressing the same interface are mapped to vlan A.

To use VLAN translation on a switched port, the port must be configured as a trunk port using the switchport mode command.

VLAN translation on routed ports is accomplished through the encapsulation dot1q vlan command.

The no switchport vlan translation and default switchport vlan translation commands remove VLAN mapping by removing the switchport vlan translation command from running-config.

Command Mode

Interface-Ethernet Configuration

Interface-Port-channel Configuration

Command Syntax

switchport vlan translation [DIRECTION] incoming_vlanid new_vlanid

no switchport vlan translation incoming_vlanid new_vlanid

no switchport vlan translation DIRECTION incoming_vlanid

default switchport vlan translation incoming_vlanid new_vlanid

default switchport vlan translation DIRECTION incoming_vlanid

Parameters

DIRECTION direction of traffic to be translated.
- no parameter translates the specified VLAN IDs for transmitted and received traffic.
- in translates the specified VLAN IDs for received traffic only.
- out translates the specified VLAN IDs for transmitted traffic only.
- incoming_vlanid Enter the VLAN ID to be translated. Value ranges from 1 to 4094.
new_vlanid The new VLAN ID or bridging VLAN ID that will be used internally. Value ranges from 1 to 4094.

Example

These commands translate only incoming packets, changing the VLAN ID to 2008 in the dot1q header of packets ingressing on vlan 201.

switch(config)# interface ethernet 5
switch(config-if-Et5)# switchport vlan translation in 201 2008 
switch(config-if-Et5)#

These commands translate multiple VLAN mappings on an interface ethernet 5.

switch(config)# interface ethernet 5
switch(config-if-Et5)# switchport vlan translation 50 60
switch(config-if-Et5)# switchport vlan translation 61 71
switch(config-if-Et5)# switchport vlan translation 62 72
switch(config-if-Et5)#

switchport vlan translation required

On routed ports, the switchport vlan translation required command (permitted only on routed ports) configures the VLAN on the interface to act as the native VLAN.

Command Mode

Interface-Ethernet Configuration

Command Syntax

switchport vlan translation [in | out] required

Parameters

in - Ingress packets without a matching VLAN drop from the port.
out - Egress packets without a matching VLAN drop from the port.

Examples

The following command places the switch in switchport configuration mode and sets the requirement that egress VLAN translations must match or drop from the port.
```
switch(config)# interface Ethernet1
switch(config-if-Et1)# switchport vlan translation out required
```
The following command places the switch in switchport configuration mode and sets the requirement that ingress VLAN translations must match or drop from the port.
```
switch(config)# interface Ethernet1
switch(config-if-Et1)# switchport vlan translation in required
```

trunk group

The trunk group command assigns the configuration mode VLAN to a specified trunk group.

A trunk group is the set of physical interfaces that comprise the trunk and the collection of VLANs whose traffic is carried on the trunk. The traffic of a VLAN that belongs to one or more trunk groups is carried only on ports that are members of trunk groups to which the VLAN belongs. Switchport commands specify the physical interfaces that carry trunk group traffic.

The no trunk group and default trunk group commands remove the configuration mode VLAN from the specified trunk group by removing the corresponding trunk group statement from running-config. If a trunk group is not specified, the commands remove the configuration mode VLAN from all trunk groups.

Command Mode

VLAN Configuration

Command Syntax

trunk group [name]

no trunk group [name]

default trunk group [name]

Parameter

name a name representing the trunk group.

Example

These commands assigns vlan 49 to the trunk group mlagpeer:

switch(config)# vlan 49
switch(config-vlan-49)# trunk group mlagpeer
switch(config-vlan-49)#

vlan

The vlan command places the switch in VLAN configuration mode to configure a set of virtual LANs. The command creates the specified VLANs if they do not exist prior to issuing the command. A VLAN in use as an internal VLAN may not be created or configured. The switch rejects any vlan command that specifies an internal VLAN ID.

The default vlan and no vlan commands removes the VLAN statements from running-config for the specified VLANs.

The exit command returns the switch to global configuration mode.

Command Mode

Global Configuration

Command Syntax

vlan vlan_range

no vlan vlan_range

default vlan vlan_range

Parameter

vlan_range VLAN list.

Formats include a name, number, number range, or comma-delimited list of numbers and ranges.

commands Available in VLAN Configuration Mode

name (VLAN configuration mode)
state
trunk group

Guidelines

In mlag configurations, VLANs operate as follows:

The VLAN must be configured identically on both mlag peer switches.
The port-specific bridging configuration originates on the switch where the port is physically located. This configuration includes the switchport access VLAN, switchport mode (trunk or access), trunk-allowed VLANs, the trunk native VLAN, and the switchport trunk groups.

Example

This command creates vlan 49 and enters VLAN configuration mode for the new VLAN:

switch(config)# vlan 49
switch(config-vlan-49)#

vlan internal order

The vlan internal order command specifies the range that the switch can allocate as internal VLANs when configuring routed ports and the order of their allocation. By default, the switch allocates VLANs in ascending order from VLAN 1006 to VLAN 4094.

The no vlan internal order and default vlan internal order commands revert the policy to its default.

Command Mode

Global Configuration

Command Syntax

vlan internal order DIRECTION [RANGE_VLAN]

no vlan internal order

default vlan internal order

Parameters

DIRECTION VLAN allocation number direction. Options include:
- ascending allocates internal VLANs from lower VLAN bound to upper VLAN bound.
- descending allocates internal VLAN from upper VLAN bound to lower VLAN bound.
RANGE_VLAN allocation range. Options include:
- no parameter 1006 (lower bound) to 4094 (upper bound).
- range, lower, upper specifies lower bound (lower) and upper bound (upper).

Examples

This command configures the switch to allocate internal VLANS from 3000 through 3999.
```
switch(config)# vlan internal order ascending range 3000 3999
switch(config)#
```
This command configures the switch to allocate internal VLANS from 4094 through 1006.
```
switch(config)# vlan internal order descending
switch(config)#
```
This command configures the switch to allocate internal VLANS from 4094 down through 4000.
```
switch(config)# vlan internal order descending range 4000 4094
switch(config)#
```
This command reverts the allocation policy to its default (ascending, between 1006 and 4094).
```
switch(config)# no vlan internal order
switch(config)#
```

EOS 4.34.1F User Manual

Virtual LANs (VLANs)

VLAN Introduction

VLAN Conceptual Overview

VLAN Definition

VLAN Switching

VLAN Trunking and Trunk Groups

Q-in-Q Trunking

Tag Protocol Identifier (TPID) Configurable Ethertypes

VLAN Routing

VLAN Interfaces

Internal VLANs

Support for Private VLAN

Limitations

On DCS-7280R, DCS-7280R2, DCS-7500R, DCS-7500R2, DCS-7020R

On All Platforms except 7300X3, CCS-720XP, DCS-7050X3

On All Platforms

Show commands

On DCS-7280R, DCS-7280R2, DCS-7500R, DCS-7500R2, DCS-7020R

VLAN Translation

VLAN Configuration Procedures

Creating and Configuring VLANs

VLAN Policy

Configuring VLAN Switching

Access Ports

Dot1q Tunnel Ports

TPID Configuration

Layer 2 802.1Q Encapsulation

Port VLAN Scaling on DCS-7160

Creating and Configuring VLAN Interfaces

Allocating Internal VLANs

Configuring Private VLANs

Configuring Private VLANs on Platforms with Algomatch Hardware

Configuring TCAMs for Private VLANs

Configuring Private VLANs On All Platforms

Adding Promiscuous Trunk Ports

Removing a Private VLAN

Removing Private VLANs from Platforms with Algomatch Hardware

Disabling Private VLANs on TCAMs

Configuring VLAN Translation

Per-port VLAN Translation on Switched Ports

Dropping VLAN Translations

Dropping Mismatched VLAN Translations on a Routed Port

Dropping Unmatched VLAN Translations on an Interface

Double VLAN Translation

Configuring VLAN Counters

VLAN Configuration commands

Global VLAN Configuration commands

VLAN Configuration Mode commands

Layer 2 Interface (Ethernet and Port Channel) Configuration commands

VLAN Interface Configuration Mode commands

Show commands

autostate

encapsulation dot1q vlan

interface vlan

l2-protocol encapsulation dot1q vlan

mac address forwarding

name (VLAN configuration mode)

pvlan mapping

show dot1q-tunnel

show interfaces switchport backup-link

show interfaces switchport vlan mapping

show interfaces switchport

show interfaces trunk

show interfaces vlans

show pvlan mapping interfaces

show vlan

show vlan brief count

show vlan counters

show vlan dynamic

show vlan internal allocation policy

show vlan internal usage

show vlan trunk group

state

switchport access vlan

switchport dot1q ethertype

switchport mode

switchport trunk allowed vlan

switchport trunk group

switchport trunk native vlan