VLAN Membership

A virtual LAN (VLAN) is an administratively defined broadcast domain logically segmented by function, team, or application that enhances performance by limiting traffic to stations in the same VLAN; traffic to other VLANs is blocked. By default, a switch is configured with a single VLAN that contains only static-access ports. With the VLAN Membership window, you can:

Note: You cannot use this window to assign ATM ports to VLANs; see the Catalyst 2900 Series ATM Modules Install and Configure Guide for CLI instructions.

Assigning Static-Access Ports to VLANs

By default, all ports are static-access ports assigned to VLAN 1. If you change the VLAN ID, use VLAN IDs in the range of 1 to 1001. Four VLAN IDs are reserved, 1002 to 1005.

Static access ports cannot be assigned to multiple VLANs, so if you plan to move a port connection from one switch to another, configure the port for dynamic VLAN membership or as a trunk port to avoid reconfiguring it.

On Catalyst 2912MF, 2924M, and 3500 XL series switches, you can configure up to 250 port-based VLANs and up to 64 instances of the Spanning-Tree Protocol (see STP Membership). On other Catalyst 2900, 1900, and 2820 switches, you can create up to 64 port-based VLANs.

Note: Before you assign ports to a VLAN, you must first create the VLAN (select VLAN > VTP Management) and decide whether to use VLAN Trunking Protocol (see VTP Management for details).

To assign static-access ports to a different VLAN:

  1. Select the Assign VLANs tab from the VLAN Membership page.
  2. Select one or more ports in the port table to assign to the new VLAN.
    To select multiple ports, hold down the Ctrl key and click on individual ports; or hold down the Shift key and select the first and last ports in a range.
  3. Click Modify to display the Group VLAN Assignment dialog box.
  4. Select Static Access from the Mode drop-down list.
    Remember that static-access ports can belong to only one VLAN.
  5. To assign the ports that you selected to a different VLAN, enter the VLAN ID.
    Valid entries range from 1 to 1001.
    Note: If you change the VLAN ID on a port in an EtherChannel port group, the ID for all ports in the group also changes.
  6. Click OK to put your changes in effect and close the Group VLAN Assignment dialog.
    The ports in the new VLAN are displayed on the Assign VLANs tab.
  7. Click OK to close the VLAN Membership window.

Assigning Dynamic-Access Ports to VLANs

Dynamic-access ports function as the VLAN Query Protocol (VQP) client that queries the VLAN Membership Policy Server (VMPS). Assign dynamic-access ports to only one VLAN and connect them only to end stations. Be sure to configure the network so that STP does not put the dynamic-access port into an STP blocking state (see Spanning-Tree Protocol for details).

You must configure the VMPS server before you configure dynamic ports (see VMPS Configuration for details).

You cannot configure dynamic-access ports as:

Caution: To avoid loss of connectivity, do not connect dynamic-access ports to switches or routers running bridging protocols.

To assign a dynamic-access port to a VLAN:

Note: Be sure the VMPS server is configured before you start this procedure (see VMPS Configuration for details).

  1. Select the Assign VLANs tab from the VLAN Membership page.
  2. On the Assign VLANs tab, select a port to assign to the VLAN.
  3. Click Modify to display the Group VLAN Assignment dialog box.
  4. Select Dynamic Access from the Mode drop-down list.
    Because the VMPS assigns VLAN numbers to dynamic-access ports, the VLAN ID field in this dialog changes to read-only.
  5. Click OK to put your changes in effect and close the Group VLAN Assignment dialog box.
    The dynamic-access port is displayed on the Assign VLANs tab.
  6. Click OK to close the VLAN Membership window.

Assigning Multi-VLAN Ports to VLANs

A multi-VLAN port can belong to more than one VLAN, which creates overlapping VLANs. Only ports connected to routers or servers should be defined as multi-VLAN ports. When the multi-VLAN port is connected to a router, all traffic is forwarded within the boundaries of the VLANs, but the two (or more) VLANs establish connectivity through the router.

A multi-VLAN port functions normally in all its VLANs. For example, when an unknown MAC address is received on a multi-VLAN port, it is learned by all VLANs in which the port is a member. Multi-VLAN ports also respond to the STP messages generated by the different instance of STP in each VLAN. Because the multi-VLAN port is a member of more than one VLAN, flooded traffic received from the multi-VLAN port is forwarded to ports in all VLANs assigned to the multi-VLAN port, unless the VLAN is pruned (see Configuring Trunk Ports).

Caution: To avoid loss of connectivity, do not connect multi-VLAN ports to hubs or switches.

To assign a multi-VLAN port to a VLAN:

  1. Select the Assign VLANs tab from the VLAN Membership page.
  2. On the Assign VLANs tab, select a port to serve as the multi-VLAN port.
  3. Click Modify to display the Group VLAN Assignment dialog box.
  4. Select Multi-VLAN from the Mode drop-down list.
  5. In the VLAN ID field, enter the VLANs in which this port will be a member.
    Valid entries range from 1 to 1001. To enter multiple VLAN IDs, enter a comma between ID numbers or enter a hyphen (-) between ID numbers to specify a VLAN range.
  6. Click OK to put your changes in effect and close the Group VLAN Assignment dialog box.
    The multi-VLAN port is displayed on the Assign VLANs tab.
  7. Click OK to close the VLAN Membership window.
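
The rules in the static-access and multi-VLAN procedures above (one VLAN per static-access port, IDs from 1 to 1001, commas and hyphens in the VLAN ID field, 1002 to 1005 reserved) can be checked on a planned assignment before it is entered in the dialog. The following Python is an added example, not Cisco code; the mode labels, port names and sample plan are constructed, and accepting spaces around commas and hyphens is an assumption.

```python
import re

VLAN_MIN, VLAN_MAX = 1, 1001      # assignable range stated on this page
RESERVED = range(1002, 1006)      # 1002-1005 are reserved

def parse_vlan_ids(text):
    """Expand a VLAN ID field such as '2,10-12' into a sorted list of IDs."""
    ids = set()
    for item in (part.strip() for part in text.split(",")):
        m = re.fullmatch(r"(\d+)(?:\s*-\s*(\d+))?", item)
        if not m:
            raise ValueError(f"malformed entry: {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if lo > hi:
            raise ValueError(f"descending range: {item!r}")
        for vid in (lo, hi):      # if both ends are valid, so is the span
            if vid in RESERVED:
                raise ValueError(f"VLAN {vid} is reserved")
            if not VLAN_MIN <= vid <= VLAN_MAX:
                raise ValueError(f"VLAN {vid} outside {VLAN_MIN}-{VLAN_MAX}")
        ids.update(range(lo, hi + 1))
    return sorted(ids)

def check_assignment(mode, vlan_field):
    """Return a list of problems for one planned port assignment."""
    try:
        ids = parse_vlan_ids(vlan_field)
    except ValueError as exc:
        return [str(exc)]
    if mode == "static-access" and len(ids) != 1:
        return ["static-access port must belong to exactly one VLAN"]
    return []

# Constructed plan: (port label, mode label, VLAN ID field). All hypothetical.
PLAN = [
    ("Fa0/1", "static-access", "10"),
    ("Fa0/2", "static-access", "10,20"),
    ("Fa0/3", "multi-vlan", "10-12, 20"),
    ("Fa0/4", "multi-vlan", "1000-1003"),
]

def audit(plan):
    return {port: check_assignment(mode, field) for port, mode, field in plan}

if __name__ == "__main__":
    for port, problems in audit(PLAN).items():
        print(port, "OK" if not problems else "; ".join(problems))
```
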

Displaying Port Members

To display port members of a VLAN:

  1. Select the Display Port Members tab on the VLAN Membership window.
    This tab shows the ID and name of each VLAN and the VLAN status.
  2. Select a VLAN and click Highlight Port Members on Device.
    All ports that belong to the VLAN are highlighted. (You might need to move the window to see the displayed ports.)

Configuring a Trunk Port

A trunk is a point-to-point link between two switches or between switches and routers. Trunks carry the traffic of multiple VLANs and extend VLANs from one switch to another.

You can configure two types of trunk ports: ISL and IEEE 802.1Q. On ISL trunk ports, the switch encapsulates all received and transmitted packets with an ISL header, and it filters native frames received from an ISL trunk port. On an 802.1Q trunk port, the switch receives both untagged traffic and traffic containing 802.1Q tags.

Follow these guidelines when configuring a trunk port:

To configure a trunk port:

  1. Select the Assign VLANs tab on the VLAN Membership window.
  2. On the Assign VLANs tab, select the port to serve as the trunk port.
  3. Click Modify to display the Group VLAN Assignment dialog box.
  4. Select ISL or 802.1Q from the VLAN Mode drop-down list.
    Because the port is automatically assigned to all active VLANs in the VTP domain, the Assigned VLANs field becomes read-only. To restrict VLAN membership for this port, see Specifying Allowed VLANs.
    Note: If you configured an 802.1Q trunk, see Special 802.1Q Trunk Considerations.
  5. Click OK to create the trunk and close the Group VLAN Assignment dialog box.
    The trunk port is displayed on the Assign VLANs tab.
    Note: If this switch is in a VTP domain, see Disabling Pruning for changes you might need to make on the new trunk.
  6. Click OK to close the VLAN Membership window.

Special 802.1Q Trunk Considerations

The Per VLAN Spanning Tree+ (PVST+) protocol is automatically enabled on 802.1Q trunks. This protocol ensures interoperability between Cisco devices that implement one spanning-tree instance per VLAN (PVST) and devices that implement one spanning tree for all VLANs in the network (specified in the IEEE 802.1 standard). By default, the switch forwards untagged traffic with the native VLAN configured for the port.

Disabling STP on the native VLAN of an 802.1Q trunk or disabling STP on any VLAN in the network can cause STP loops. Cisco recommends that you leave STP enabled on the native VLAN of an 802.1Q trunk, or disable STP on every VLAN in the network (see Spanning Tree Protocol).
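
How an 802.1Q trunk port tells tagged from untagged traffic, and which VLAN an untagged frame lands in, can be seen by parsing the Ethernet header directly. The following Python is an added example, not Cisco code; it goes beyond the page by also handling the IEEE 802.1Q priority-tagged (VID 0) and reserved (VID 4095) cases, and the frames and the `build_frame` helper are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that marks an 802.1Q tag

def classify_frame(frame: bytes, native_vlan: int):
    """Return (vlan_id, kind) for a frame received on an 802.1Q trunk port."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return native_vlan, "untagged"          # falls into the native VLAN
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    vid = tci & 0x0FFF                          # low 12 bits of the tag
    if vid == 0:
        return native_vlan, "priority-tagged"   # tag carries priority only
    if vid == 0x0FFF:
        raise ValueError("VID 4095 is reserved")
    return vid, "tagged"

def build_frame(vid=None, pcp=0):
    """Constructed sample frame; hypothetical helper for this example."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("020000000001")         # locally administered MAC
    body = struct.pack("!H", 0x0800) + bytes(46)
    if vid is None:
        return dst + src + body
    return dst + src + struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid) + body

if __name__ == "__main__":
    for label, frame in [("untagged", build_frame()),
                         ("VLAN 20", build_frame(20)),
                         ("priority only", build_frame(0, pcp=5))]:
        print(label, "->", classify_frame(frame, native_vlan=1))
```
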

Specifying Allowed VLANs

Trunk ports are automatically assigned to all VLANs in the VTP domain where the switch is a member. To restrict the VLAN membership for a trunk port:

  1. Select the Trunk Configuration tab on the VLAN Membership window.
  2. Select the VLAN on which you want to restrict VLAN traffic.
  3. Click Modify to display the Group VLAN Assignment dialog box.
  4. In the Allowed VLAN List section, enter the IDs of VLANs for which the port will forward traffic.
  5. Click OK to put your change in effect and close the Group VLAN Assignment dialog box.
    The Trunk Configuration tab contains only the VLANs you specified in the Allowed VLANs List (reserved VLANs also appear in this list).
  6. Click OK to close the VLAN Membership window.

Disabling Pruning

VLAN information is advertised to network devices by means of the VLAN Trunk Protocol (VTP). To save network bandwidth, VTP uses pruning to protect VLANs from unnecessary traffic. If you create a new trunk on a switch that belongs to a VTP domain where pruning is in effect, pruning is automatically enabled. If the trunk is created in a VTP domain where pruning is not in effect, pruning is disabled.

All VLANs are placed on a Pruning Eligibility list so pruning will occur if it is in effect. However, in some network configurations, pruning will block VLAN traffic to ports that need it. Pruning should not occur in these VLANs. To disable pruning on a VLAN, you must remove the VLAN from the Pruning Eligibility list.

To remove a VLAN from the Pruning Eligibility list:

  1. Select the Trunk Configuration tab on the VLAN Membership window.
  2. Select the VLAN to be removed from the Pruning Eligibility list.
  3. Click Modify to display the Group VLAN Assignment dialog box.
  4. In the VLAN Pruning Eligibility list, enter the VLAN number in the VLAN ID field.
  5. Click OK to put your change in effect and close the Group VLAN Assignment dialog box.
    The VLAN is removed from the VLAN Pruning Eligibility column of the Trunk Configuration tab.
  6. Click OK to close the VLAN Membership window.