CHAPTER 5

Configuring Virtual LANs

This chapter provides examples for configuring VLANs.

This chapter contains the following topics:


VLAN Configuration Example

Each VLAN in a network has an associated VLAN ID, which appears in the IEEE 802.1Q tag in the Layer 2 header of packets transmitted on a VLAN. An end station may omit the tag, or the VLAN portion of the tag, in which case the first switch port to receive the packet may either reject it or insert a tag using its default VLAN ID. A given port may handle traffic for more than one VLAN, but it can only support one default VLAN ID.

Two features let you define packet filters that the switch uses as the matching criteria to determine if a particular packet belongs to a particular VLAN.

The Private Edge VLAN feature lets you set protection between ports located on the switch. This means that a protected port cannot forward traffic to another protected port on the same switch.

The feature does not provide protection between ports located on different switches.

The diagram in this section shows a switch with four ports configured to handle the traffic for two VLANs. Port 0/2 handles traffic for both VLANs, while port 0/1 is a member of VLAN 2 only, and ports 0/3 and 0/4 are members of VLAN 3 only. The script following the diagram shows the commands you would use to configure the switch as shown in the diagram.

 

FIGURE 5-1 VLAN Example Network Diagram



CLI Examples

The following examples show how to create VLANs, assign ports to the VLANs, and assign a VLAN as the default VLAN to a port.

Example 1: Create Two VLANs

Use the following commands to create two VLANs and to assign the VLAN IDs while leaving the names blank.


CODE EXAMPLE 5-1 Creating Two VLANs
(DTI SWITCH) #vlan database
(DTI SWITCH) (Vlan)#vlan 2
(DTI SWITCH) (Vlan)#vlan 3
(DTI SWITCH) (Vlan)#exit

Example 2: Assign Ports to VLAN2

This sequence shows how to assign ports to VLAN 2, to specify that frames are always transmitted tagged from all member ports, and to specify that untagged frames are rejected on receipt.


CODE EXAMPLE 5-2 Assigning Ports to VLAN2
(DTI SWITCH) #config
(DTI SWITCH) (Config)#interface 0/1
(DTI SWITCH) (Interface 0/1)#vlan participation include 2
(DTI SWITCH) (Interface 0/1)#vlan acceptframe vlanonly
(DTI SWITCH) (Interface 0/1)#exit
(DTI SWITCH) (Config)#interface 0/2
(DTI SWITCH) (Interface 0/2)#vlan participation include 2
(DTI SWITCH) (Interface 0/2)#vlan acceptframe vlanonly
(DTI SWITCH) (Interface 0/2)#exit
(DTI SWITCH) (Config)#exit
 
(DTI SWITCH) #config
(DTI SWITCH) (Config)#vlan port tagging all 2
(DTI SWITCH) (Config)#exit

Example 3: Assign Ports to VLAN3

This example shows how to assign the ports that will belong to VLAN 3, and to specify that untagged frames will be accepted on port 0/4.

Note that port 0/2 belongs to both VLANs and that port 0/1 can never belong to VLAN 3.


CODE EXAMPLE 5-3 Assigning Ports to VLAN3
(DTI SWITCH) #config
(DTI SWITCH) (Config)#interface 0/2
(DTI SWITCH) (Interface 0/2)#vlan participation include 3
(DTI SWITCH) (Interface 0/2)#exit
(DTI SWITCH) (Config)#interface 0/3
(DTI SWITCH) (Interface 0/3)#vlan participation include 3
(DTI SWITCH) (Interface 0/3)#exit
(DTI SWITCH) (Config)#interface 0/4
(DTI SWITCH) (Interface 0/4)#vlan participation include 3
(DTI SWITCH) (Interface 0/4)#exit
(DTI SWITCH) (Config)#
(DTI SWITCH) (Config)#exit
(DTI SWITCH) #config
(DTI SWITCH) (Config)#interface 0/4
(DTI SWITCH) (Interface 0/4)#vlan acceptframe all
(DTI SWITCH) (Interface 0/4)#exit
(DTI SWITCH) (Config)#exit

Example 4: Assign VLAN3 as the Default VLAN

This example shows how to assign VLAN 3 as the default VLAN for port 0/2.


CODE EXAMPLE 5-4 Assigning VLAN3 as Default
(DTI SWITCH) #config
(DTI SWITCH) (Config)#interface 0/2
(DTI SWITCH) (Interface 0/2)#vlan pvid 3
(DTI SWITCH) (Interface 0/2)#exit
(DTI SWITCH) (Config)#exit
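
The ingress behaviour that Code Examples 5-1 through 5-4 configure can be checked by replaying their commands into a small model; the Python below is an added example, not part of the original manual or the switch software. The function names, the default PVID of 1, the default acceptframe setting of all, and the membership check on tagged frames are assumptions, since the page does not state the switch's defaults.

```python
import re

# Commands from Code Examples 5-1 through 5-4, prompts stripped.
SESSION = """vlan database; vlan 2; vlan 3; exit
config; interface 0/1; vlan participation include 2; vlan acceptframe vlanonly; exit
interface 0/2; vlan participation include 2; vlan acceptframe vlanonly; exit; exit
config; vlan port tagging all 2; exit
config; interface 0/2; vlan participation include 3; exit
interface 0/3; vlan participation include 3; exit
interface 0/4; vlan participation include 3; exit; exit
config; interface 0/4; vlan acceptframe all; exit; exit
config; interface 0/2; vlan pvid 3; exit; exit"""

def new_port():
    # Assumed factory defaults (not stated on the page): PVID 1, accept all frames.
    return {"vlans": set(), "accept": "all", "pvid": 1}

def parse(session):
    """Replay the session and return {port: settings}."""
    ports, current = {}, None
    for cmd in re.split(r"[;\n]", session):
        cmd = cmd.strip()
        if m := re.fullmatch(r"interface (\d+/\d+)", cmd):
            current = m.group(1)
            ports.setdefault(current, new_port())
        elif cmd == "exit":
            current = None
        elif current and (m := re.fullmatch(r"vlan participation include (\d+)", cmd)):
            ports[current]["vlans"].add(int(m.group(1)))
        elif current and (m := re.fullmatch(r"vlan acceptframe (vlanonly|all)", cmd)):
            ports[current]["accept"] = m.group(1)
        elif current and (m := re.fullmatch(r"vlan pvid (\d+)", cmd)):
            ports[current]["pvid"] = int(m.group(1))
    return ports

def classify(port, tag=None):
    """VLAN an ingress frame lands in, or None if the port rejects it."""
    if tag is not None:
        # Assumption: tagged frames are filtered on port membership.
        return tag if tag in port["vlans"] else None
    return None if port["accept"] == "vlanonly" else port["pvid"]

def audit(ports):
    """Ports where an untagged frame lands in a VLAN the port was never added to."""
    return sorted(p for p, s in ports.items()
                  if classify(s) is not None and classify(s) not in s["vlans"])

if __name__ == "__main__":
    ports = parse(SESSION)
    for name in sorted(ports):
        print(name, ports[name], "untagged ->", classify(ports[name]))
    print("review:", audit(ports))
```

Under those assumed defaults the model reports ports 0/3 and 0/4: both accept untagged frames but classify them into VLAN 1 rather than VLAN 3, while the PVID of 3 on port 0/2 is never applied because that port rejects untagged frames.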

Example 5: Assign IP Addresses to VLAN 2


CODE EXAMPLE 5-5 Assigning IP Addresses to VLAN2
(DTI SWITCH) #vlan database
(DTI SWITCH) (Vlan)#vlan association subnet 192.168.10.10 255.255.255.0 2
(DTI SWITCH) (Vlan)#exit
(DTI SWITCH) #show vlan association subnet

IP Address         IP Mask            VLAN ID
----------------   ----------------   -------
192.168.10.10      255.255.255.0      2
(DTI SWITCH) #


Web Interface

Use the following screens to perform the same configurations described in the previous sections, but using the Web interface instead of the CLI:


Private Edge VLANs

Use the Private Edge VLAN feature to prevent ports on the switch from forwarding traffic to each other even if they are on the same VLAN.

You can also configure groups of protected ports, but unprotected ports are independent and cannot be added to a group. Each group’s configuration consists of a name and a mask of ports. A port can belong to only one set of protected ports, but an unprotected port can be added to a group as a protected port.

The group name is configurable by the network administrator.

Use the switchport protected command to designate a port as protected. Use the show switchport protected command to display a listing of the protected ports.

CLI Example

Example 1: Switchport Protected


CODE EXAMPLE 5-6 Protecting the Switchport
(DTI SWITCH) #config
(DTI SWITCH) (Config)#interface 0/1
(DTI SWITCH) (Interface 0/1)#switchport protected ?
<cr> Press Enter to execute the command.
(DTI SWITCH) (Interface 0/1)#switchport protected

Example 2: Show Switchport Protected


(DTI SWITCH) #show switchport protected 0/1