Catalyst 3550 Multilayer Switch Command Reference, 12.1(20)EA2
Catalyst 3550 Switch Cisco IOS Commands - t through w

Table Of Contents

traceroute mac

traceroute mac ip

trust

udld

udld port

udld reset

vlan (global configuration)

vlan (VLAN configuration)

vlan access-map

vlan database

vlan dot1q tag native

vlan filter

vmps reconfirm (privileged EXEC)

vmps reconfirm (global configuration)

vmps retry

vmps server

vtp (global configuration)

vtp (privileged EXEC)

vtp (VLAN configuration)

wrr-queue bandwidth

wrr-queue cos-map

wrr-queue dscp-map

wrr-queue min-reserve

wrr-queue queue-limit

wrr-queue random-detect max-threshold

wrr-queue threshold



traceroute mac

Use the traceroute mac privileged EXEC command to display the Layer 2 path taken by the packets from the specified source MAC address to the specified destination MAC address.

traceroute mac [interface interface-id] {source-mac-address} [interface interface-id] {destination-mac-address} [vlan vlan-id] [detail]

Syntax Description

interface interface-id

(Optional) Specify an interface on the source or destination switch.

source-mac-address

Specify the MAC address of the source switch in hexadecimal format.

destination-mac-address

Specify the MAC address of the destination switch in hexadecimal format.

vlan vlan-id

(Optional) Specify the VLAN on which to trace the Layer 2 path that the packets take from the source switch to the destination switch. The range is 1 to 4094.

detail

(Optional) Specify that detailed information appears.


Defaults

There is no default.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(12c)EA1

This command was introduced.


Usage Guidelines

For Layer 2 traceroute to function properly, Cisco Discovery Protocol (CDP) must be enabled on all the switches in the network. Do not disable CDP.

When the switch detects a device in the Layer 2 path that does not support Layer 2 traceroute, the switch continues to send Layer 2 trace queries and lets them time out.

The maximum number of hops identified in the path is ten.

Layer 2 traceroute supports only unicast traffic. If you specify a multicast source or destination MAC address, the physical path is not identified, and an error message appears.

The traceroute mac command output shows the Layer 2 path when the specified source and destination addresses belong to the same VLAN. If you specify source and destination addresses that belong to different VLANs, the Layer 2 path is not identified, and an error message appears.

If the source or destination MAC address belongs to multiple VLANs, you must specify the VLAN to which both the source and destination MAC addresses belong. If the VLAN is not specified, the path is not identified, and an error message appears.

The Layer 2 traceroute feature is not supported when multiple devices are attached to one port through hubs (for example, multiple CDP neighbors are detected on a port). When more than one CDP neighbor is detected on a port, the Layer 2 path is not identified, and an error message appears.

This feature is not supported in Token Ring VLANs.

Examples

This example shows how to display the Layer 2 path by specifying the source and destination MAC addresses:

Switch# traceroute mac 0000.0201.0601 0000.0201.0201

Source 0000.0201.0601 found on con6[WS-C2950G-24-EI] (2.2.6.6)
con6 (2.2.6.6) :Fa0/1 => Fa0/3
con5                 (2.2.5.5        )  :    Fa0/3 => Gi0/1
con1                 (2.2.1.1        )  :    Gi0/1 => Gi0/2
con2                 (2.2.2.2        )  :    Gi0/2 => Fa0/1
Destination 0000.0201.0201 found on con2[WS-C3550-24] (2.2.2.2)
Layer 2 trace completed

This example shows how to display the Layer 2 path by using the detail keyword:

Switch# traceroute mac 0000.0201.0601 0000.0201.0201 detail
Source 0000.0201.0601 found on con6[WS-C2950G-24-EI] (2.2.6.6)
con6 / WS-C2950G-24-EI / 2.2.6.6 :
        Fa0/1 [auto, auto] => Fa0/3 [auto, auto]
con5 / WS-C2950G-24-EI / 2.2.5.5 :
        Fa0/3 [auto, auto] => Gi0/1 [auto, auto]
con1 / WS-C3550-12G / 2.2.1.1 :
        Gi0/1 [auto, auto] => Gi0/2 [auto, auto]
con2 / WS-C3550-24 / 2.2.2.2 :
        Gi0/2 [auto, auto] => Fa0/1 [auto, auto]
Destination 0000.0201.0201 found on con2[WS-C3550-24] (2.2.2.2)
Layer 2 trace completed.

This example shows how to display the Layer 2 path by specifying the interfaces on the source and destination switches:

Switch# traceroute mac interface fastethernet0/1 0000.0201.0601 interface fastethernet0/3 0000.0201.0201
Source 0000.0201.0601 found on con6[WS-C2950G-24-EI] (2.2.6.6)
con6 (2.2.6.6) :Fa0/1 => Fa0/3
con5                 (2.2.5.5        )  :    Fa0/3 => Gi0/1
con1                 (2.2.1.1        )  :    Gi0/1 => Gi0/2
con2                 (2.2.2.2        )  :    Gi0/2 => Fa0/1
Destination 0000.0201.0201 found on con2[WS-C3550-24] (2.2.2.2)
Layer 2 trace completed

This example shows the Layer 2 path when the switch is not connected to the source switch:

Switch# traceroute mac 0000.0201.0501 0000.0201.0201 detail
Source not directly connected, tracing source .....
Source 0000.0201.0501 found on con5[WS-C2950G-24-EI] (2.2.5.5)
con5 / WS-C2950G-24-EI / 2.2.5.5 :
        Fa0/1 [auto, auto] => Gi0/1 [auto, auto]
con1 / WS-C3550-12G / 2.2.1.1 :
        Gi0/1 [auto, auto] => Gi0/2 [auto, auto]
con2 / WS-C3550-24 / 2.2.2.2 :
        Gi0/2 [auto, auto] => Fa0/1 [auto, auto]
Destination 0000.0201.0201 found on con2[WS-C3550-24] (2.2.2.2)
Layer 2 trace completed.

This example shows the Layer 2 path when the switch cannot find the destination port for the source MAC address:

Switch# traceroute mac 0000.0011.1111 0000.0201.0201
Error:Source Mac address not found. 
Layer2 trace aborted.

This example shows the Layer 2 path when the source and destination devices are in different VLANs:

Switch# traceroute mac 0000.0201.0601 0000.0301.0201
Error:Source and destination macs are on different vlans. 
Layer2 trace aborted.

This example shows the Layer 2 path when the destination MAC address is a multicast address:

Switch# traceroute mac 0000.0201.0601 0100.0201.0201
Invalid destination mac address

This example shows the Layer 2 path when source and destination switches belong to multiple VLANs:

Switch# traceroute mac 0000.0201.0601 0000.0201.0201
Error:Mac found on multiple vlans.
Layer2 trace aborted.
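
The output formats shown in the examples above can be turned into structured data, for instance when a MAC address seen in an alert has to be traced to the switch ports at each end of its Layer 2 path. The following parser is an added example, not Cisco code; the function and class names are assumptions, and the two sample transcripts are copied from the examples on this page.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

MAX_HOPS = 10  # "The maximum number of hops identified in the path is ten."

ENDPOINT = re.compile(
    r"^(Source|Destination)\s+([0-9A-Fa-f.]+)\s+found on\s+([^\s\[]+)"
    r"(?:\[([^\]]+)\])?(?:\s*\(\s*([\d.]+)\s*\))?\s*$")
# Brief hop:      con5   (2.2.5.5   )  :    Fa0/3 => Gi0/1
BRIEF_HOP = re.compile(r"^([^\s(]+)\s*\(\s*([\d.]+)\s*\)\s*:\s*(\S+)\s*=>\s*(\S+)$")
# Detail header:  con5 / WS-C2950G-24-EI / 2.2.5.5 :
DETAIL_HDR = re.compile(r"^(\S+)\s*/\s*(\S+)\s*/\s*([\d.]+)\s*:$")
# Detail ports:   Fa0/3 [auto, auto] => Gi0/1 [auto, auto]
DETAIL_PORTS = re.compile(r"^(\S+)\s*\[[^\]]*\]\s*=>\s*(\S+)\s*\[[^\]]*\]$")
FAILURE = re.compile(r"^(Error:|Invalid |Arp failed)")

@dataclass
class Endpoint:
    mac: str
    device: str
    model: Optional[str]
    ip: Optional[str]

@dataclass
class Hop:
    device: str
    model: Optional[str]
    ip: str
    ingress: str
    egress: str

@dataclass
class L2Trace:
    source: Optional[Endpoint] = None
    destination: Optional[Endpoint] = None
    hops: List[Hop] = field(default_factory=list)
    completed: bool = False
    error: Optional[str] = None

def is_multicast_mac(mac: str) -> bool:
    """Pre-check: Layer 2 traceroute supports unicast addresses only."""
    digits = re.sub(r"[.:-]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bool(int(digits[:2], 16) & 1)  # group bit of the first octet

def parse_l2_trace(text: str) -> L2Trace:
    """Parse brief or detail output of traceroute mac / traceroute mac ip."""
    trace, pending = L2Trace(), None  # pending: detail header awaiting ports
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Switch#"):
            continue
        if m := ENDPOINT.match(line):
            ep = Endpoint(m.group(2).lower(), m.group(3), m.group(4), m.group(5))
            if m.group(1) == "Source":
                trace.source = ep
            else:
                trace.destination = ep
        elif m := BRIEF_HOP.match(line):
            trace.hops.append(Hop(m.group(1), None, m.group(2), m.group(3), m.group(4)))
        elif m := DETAIL_HDR.match(line):
            pending = m.groups()
        elif (m := DETAIL_PORTS.match(line)) and pending:
            trace.hops.append(Hop(pending[0], pending[1], pending[2], m.group(1), m.group(2)))
            pending = None
        elif FAILURE.match(line):
            trace.error = line
        elif line.startswith("Layer 2 trace completed"):
            trace.completed = True
    return trace

def edge_ports(trace: L2Trace):
    """(device, ingress) of the first hop and (device, egress) of the last hop."""
    if not trace.completed or not trace.hops:
        return None
    first, last = trace.hops[0], trace.hops[-1]
    return (first.device, first.ingress), (last.device, last.egress)

def hop_limit_reached(trace: L2Trace) -> bool:
    """True when the hop count is at the documented maximum."""
    return len(trace.hops) >= MAX_HOPS

# Transcripts copied from the examples on this page.
SAMPLE_OK = """Switch# traceroute mac 0000.0201.0601 0000.0201.0201

Source 0000.0201.0601 found on con6[WS-C2950G-24-EI] (2.2.6.6)
con6 (2.2.6.6) :Fa0/1 => Fa0/3
con5                 (2.2.5.5        )  :    Fa0/3 => Gi0/1
con1                 (2.2.1.1        )  :    Gi0/1 => Gi0/2
con2                 (2.2.2.2        )  :    Gi0/2 => Fa0/1
Destination 0000.0201.0201 found on con2[WS-C3550-24] (2.2.2.2)
Layer 2 trace completed
"""
SAMPLE_ABORT = """Switch# traceroute mac 0000.0201.0601 0000.0301.0201
Error:Source and destination macs are on different vlans. 
Layer2 trace aborted.
"""

if __name__ == "__main__":
    print(edge_ports(parse_l2_trace(SAMPLE_OK)))
    print(parse_l2_trace(SAMPLE_ABORT).error)
```
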

Related Commands

Command
Description

traceroute mac ip

Displays the Layer 2 path taken by the packets from the specified source IP address or hostname to the specified destination IP address or hostname.


traceroute mac ip

Use the traceroute mac ip privileged EXEC command to display the Layer 2 path taken by the packets from the specified source IP address or hostname to the specified destination IP address or hostname.

traceroute mac ip {source-ip-address | source-hostname} {destination-ip-address | destination-hostname} [detail]

Syntax Description

source-ip-address

Specify the IP address of the source switch as a 32-bit quantity in dotted-decimal format.

destination-ip-address

Specify the IP address of the destination switch as a 32-bit quantity in dotted-decimal format.

source-hostname

Specify the IP hostname of the source switch.

destination-hostname

Specify the IP hostname of the destination switch.

detail

(Optional) Specify that detailed information appears.


Defaults

There is no default.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(12c)EA1

This command was introduced.


Usage Guidelines

For Layer 2 traceroute to function properly, Cisco Discovery Protocol (CDP) must be enabled on all the switches in the network. Do not disable CDP.

When the switch detects a device in the Layer 2 path that does not support Layer 2 traceroute, the switch continues to send Layer 2 trace queries and lets them time out.

The maximum number of hops identified in the path is ten.

The traceroute mac ip command output shows the Layer 2 path when the specified source and destination IP addresses are in the same subnet. When you specify the IP addresses, the switch uses Address Resolution Protocol (ARP) to associate the IP addresses with the corresponding MAC addresses and the VLAN IDs.

If an ARP entry exists for the specified IP address, the switch uses the associated MAC address and identifies the physical path.

If an ARP entry does not exist, the switch sends an ARP query and tries to resolve the IP address. The IP addresses must be in the same subnet. If the IP address is not resolved, the path is not identified, and an error message appears.

The Layer 2 traceroute feature is not supported when multiple devices are attached to one port through hubs (for example, multiple CDP neighbors are detected on a port). When more than one CDP neighbor is detected on a port, the Layer 2 path is not identified, and an error message appears.

This feature is not supported in Token Ring VLANs.

Examples

This example shows how to display the Layer 2 path by specifying the source and destination IP addresses and by using the detail keyword:

Switch# traceroute mac ip 2.2.66.66 2.2.22.22 detail
Translating IP to mac ..... 
2.2.66.66 => 0000.0201.0601
2.2.22.22 => 0000.0201.0201

Source 0000.0201.0601 found on con6[WS-C2950G-24-EI] (2.2.6.6)
con6 / WS-C2950G-24-EI / 2.2.6.6 :
        Fa0/1 [auto, auto] => Fa0/3 [auto, auto]
con5 / WS-C2950G-24-EI / 2.2.5.5 :
        Fa0/3 [auto, auto] => Gi0/1 [auto, auto]
con1 / WS-C3550-12G / 2.2.1.1 :
        Gi0/1 [auto, auto] => Gi0/2 [auto, auto]
con2 / WS-C3550-24 / 2.2.2.2 :
        Gi0/2 [auto, auto] => Fa0/1 [auto, auto]
Destination 0000.0201.0201 found on con2[WS-C3550-24] (2.2.2.2)
Layer 2 trace completed.

This example shows how to display the Layer 2 path by specifying the source and destination hostnames:

Switch# traceroute mac ip con6 con2
Translating IP to mac ..... 
2.2.66.66 => 0000.0201.0601
2.2.22.22 => 0000.0201.0201

Source 0000.0201.0601 found on con6
con6 (2.2.6.6) :Fa0/1 => Fa0/3
con5                 (2.2.5.5        )  :    Fa0/3 => Gi0/1
con1                 (2.2.1.1        )  :    Gi0/1 => Gi0/2
con2                 (2.2.2.2        )  :    Gi0/2 => Fa0/1
Destination 0000.0201.0201 found on con2
Layer 2 trace completed

This example shows the Layer 2 path when ARP cannot associate the source IP address with the corresponding MAC address:

Switch# traceroute mac ip 2.2.66.66 2.2.77.77
Arp failed for destination 2.2.77.77.
Layer2 trace aborted.

Related Commands

Command
Description

traceroute mac

Displays the Layer 2 path taken by the packets from the specified source MAC address to the specified destination MAC address.


trust

Use the trust policy-map class configuration command to define a trust state for traffic classified by the class or the class-map command. Use the no form of this command to return to the default setting.

trust [cos | dscp | ip-precedence]

no trust [cos | dscp | ip-precedence]

Syntax Description

cos

(Optional) Classify ingress packets by using the packet class of service (CoS) values. For untagged packets, the port default CoS value is used.

dscp

(Optional) Classify ingress packets by using the packet Differentiated Services Code Point (DSCP) values (most significant 6 bits of 8-bit service-type field). For non-IP packets, the packet CoS value is used if the packet is tagged. If the packet is untagged, the default port CoS value is used to map CoS to DSCP.

ip-precedence

(Optional) Classify ingress packets by using the packet IP-precedence values (most significant 3 bits of 8-bit service-type field). For non-IP packets, the packet CoS value is used if the packet is tagged. If the packet is untagged, the port default CoS value is used to map CoS to DSCP.


Defaults

The action is not trusted. If no keyword is specified when the command is entered, the default is dscp.

Command Modes

Policy-map class configuration

Command History

Release
Modification

12.1(4)EA1

This command was introduced.


Usage Guidelines

Use this command to distinguish the quality of service (QoS) trust behavior for certain traffic from others. For example, incoming traffic with certain DSCP values can be trusted. You can configure a class map to match and trust the DSCP values in the incoming traffic.

Trust values set with this command supersede trust values set on specific interfaces with the mls qos trust interface configuration command.

The trust command is mutually exclusive with the set policy-map class configuration command within the same policy map.

You cannot use the service-policy interface configuration command to attach policy maps that contain these elements to an egress interface:

set or trust policy-map class configuration commands. Instead, you can use the police policy-map class configuration command to mark down (reduce) the DSCP value at the egress interface.

Access control list (ACL) classification.

Per-port per-VLAN classification.

The only match criterion in a policy map that can be attached to an egress interface is the match ip dscp dscp-list class-map configuration command.

If you specify trust cos, QoS derives the internal DSCP value by using the received or default port CoS value and the CoS-to-DSCP map.

If you specify trust dscp, QoS derives the internal DSCP value by using the DSCP value from the ingress packet. For non-IP packets that are tagged, QoS derives the internal DSCP value by using the received CoS value; for non-IP packets that are untagged, QoS derives the internal DSCP value by using the default port CoS value. In either case, the internal DSCP value is derived from the CoS-to-DSCP map.

If you specify trust ip-precedence, QoS derives the internal DSCP value by using the IP precedence value from the ingress packet and the IP-precedence-to-DSCP map. For non-IP packets that are tagged, QoS derives the internal DSCP value by using the received CoS value; for non-IP packets that are untagged, QoS derives the internal DSCP value by using the default port CoS value. In either case, the internal DSCP value is derived from the CoS-to-DSCP map.
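
The three derivation rules above decide which field of an ingress frame ends up setting the internal DSCP value, and therefore whether the attached device or the port configuration controls it. The following model is an added example, not Cisco code; the function names are assumptions, and the contents of the two maps are assumed (index times 8) because both maps are configurable on the switch.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed map contents (index * 8). Both maps are configurable on the switch;
# replace them with the values from the device being reviewed.
COS_TO_DSCP = [0, 8, 16, 24, 32, 40, 48, 56]
IPPREC_TO_DSCP = [0, 8, 16, 24, 32, 40, 48, 56]

TRUST_MODES = ("cos", "dscp", "ip-precedence")


@dataclass
class Frame:
    tos: Optional[int] = None  # 8-bit service-type field; None for a non-IP frame
    cos: Optional[int] = None  # CoS value from the tag (0-7); None if untagged


def internal_dscp(trust: Optional[str], frame: Frame, port_default_cos: int = 0,
                  cos_map: List[int] = COS_TO_DSCP,
                  prec_map: List[int] = IPPREC_TO_DSCP) -> Tuple[int, str]:
    """Return (internal DSCP, name of the field it was derived from)."""
    trust = trust or "dscp"  # `trust` with no keyword defaults to dscp
    if trust not in TRUST_MODES:
        raise ValueError(f"unknown trust keyword: {trust!r}")
    if frame.tos is not None and not 0 <= frame.tos <= 0xFF:
        raise ValueError("service-type field must fit in 8 bits")
    for cos in (frame.cos, port_default_cos):
        if cos is not None and not 0 <= cos <= 7:
            raise ValueError("CoS must be 0-7")

    # CoS path: always for `trust cos`; for the other keywords only when the
    # frame is non-IP. Tagged frames use the received CoS, untagged frames
    # use the port default CoS. Either way the CoS-to-DSCP map applies.
    if trust == "cos" or frame.tos is None:
        if frame.cos is not None:
            return cos_map[frame.cos], "received CoS"
        return cos_map[port_default_cos], "port default CoS"

    if trust == "dscp":
        # Most significant 6 bits of the service-type field.
        return frame.tos >> 2, "packet DSCP"

    # trust ip-precedence: most significant 3 bits, then the
    # IP-precedence-to-DSCP map.
    return prec_map[frame.tos >> 5], "packet IP precedence"


def sender_controlled(trust: Optional[str], frame: Frame) -> bool:
    """True when a field carried in the frame itself sets the internal DSCP."""
    return internal_dscp(trust, frame)[1] != "port default CoS"


def trust_table(frame: Frame, port_default_cos: int = 0):
    """Internal DSCP and its source for each trust keyword, for one frame."""
    return {mode: internal_dscp(mode, frame, port_default_cos)
            for mode in TRUST_MODES}


if __name__ == "__main__":
    # Constructed sample frames: tagged IP, untagged IP, untagged non-IP.
    for f in (Frame(tos=0xB8, cos=5), Frame(tos=0xB8), Frame()):
        print(f, trust_table(f, port_default_cos=3))
```
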

To return to policy-map configuration mode, use the exit command. To return to privileged EXEC mode, use the end command.

Examples

This example shows how to define a port trust state to trust incoming DSCP values for traffic classified with class1:

Switch(config)# policy-map policy1
Switch(config-pmap)# class class1
Switch(config-pmap-c)# trust dscp
Switch(config-pmap-c)# police 1000000 20000 exceed-action policed-dscp-transmit
Switch(config-pmap-c)# exit

You can verify your settings by entering the show policy-map privileged EXEC command.

Related Commands

Command
Description

class

Defines a traffic classification for the policy to act on.

police

Defines a policer for classified traffic.

policy-map

Creates or modifies a policy map that can be attached to multiple interfaces to specify a service policy.

show policy-map

Displays QoS policy maps.


udld

Use the udld global configuration command to enable aggressive or normal mode in the UniDirectional Link Detection (UDLD) and to set the configurable message timer time. Use the no form of this command to disable aggressive or normal mode UDLD on all fiber-optic ports.

udld {aggressive | enable | message time message-timer-interval}

no udld {aggressive | enable | message}

Syntax Description

aggressive

Enable UDLD in aggressive mode on all fiber-optic interfaces.

enable

Enable UDLD in normal mode on all fiber-optic interfaces.

message time message-timer-interval

Configure the period of time between UDLD probe messages on ports that are in the advertisement phase and are determined to be bidirectional. The range is 7 to 90 seconds.


Defaults

UDLD is disabled on all fiber-optic interfaces.

The message timer is set at 60 seconds.

Command Modes

Global configuration

Command History

Release
Modification

12.1(4)EA1

This command was introduced.


Usage Guidelines

UDLD supports two modes of operation: normal (the default) and aggressive. In normal mode, UDLD detects unidirectional links due to misconnected interfaces on fiber-optic connections. In aggressive mode, UDLD also detects unidirectional links due to one-way traffic on fiber-optic and twisted-pair links and due to misconnected interfaces on fiber-optic links. For information about normal and aggressive modes, refer to the "Understanding UDLD" section in the software configuration guide for this release.

If you change the message time between probe packets, you are making a trade-off between the detection speed and the CPU load. By decreasing the time, you can make the detection-response faster but increase the load on the CPU.

This command affects fiber-optic interfaces only. Use the udld interface configuration command to enable UDLD on other interface types.

You can use these commands to reset an interface shut down by UDLD:

The udld reset privileged EXEC command to reset all interfaces shut down by UDLD

The shutdown and no shutdown interface configuration commands

The no udld enable global configuration command followed by the udld {aggressive | enable} global configuration command to re-enable UDLD globally

The udld port disable interface configuration command followed by the udld port or udld port aggressive interface configuration command to re-enable UDLD on the specified interface

The errdisable recovery cause udld and errdisable recovery interval interval global configuration commands to automatically recover from the UDLD error-disabled state

Examples

This example shows how to enable UDLD on all fiber-optic interfaces:

Switch(config)# udld enable

You can verify your setting by entering the show udld privileged EXEC command.

Related Commands

Command
Description

show udld

Displays UDLD administrative and operational status for all ports or the specified port.

udld port

Enables UDLD on an individual interface or prevents a fiber-optic interface from being enabled by the udld global configuration command.

udld reset

Resets all interfaces shut down by UDLD and permits traffic to again pass through.


udld port

Use the udld port interface configuration command to enable the UniDirectional Link Detection (UDLD) on an individual interface or prevent a fiber-optic interface from being enabled by the udld global configuration command. Use the no form of this command to return to the udld global configuration command setting or to disable UDLD if entered for a nonfiber-optic port.

udld port [aggressive]

no udld port [aggressive]

Syntax Description

aggressive

(Optional) Enable UDLD in aggressive mode on the specified interface.


Defaults

On fiber-optic interfaces, UDLD is not enabled, not in aggressive mode, and not disabled. For this reason, fiber-optic interfaces enable UDLD according to the state of the udld enable or udld aggressive global configuration command.

On nonfiber-optic interfaces, UDLD is disabled.

Command Modes

Interface configuration

Command History

Release
Modification

12.1(4)EA1

This command was introduced.

12.1(14)EA1

The port keyword was added. The enable keyword was removed.

12.1(20)EA2

The disable keyword was removed.


Usage Guidelines

A UDLD-capable port cannot detect a unidirectional link if it is connected to a UDLD-incapable port of another switch.

UDLD supports two modes of operation: normal (the default) and aggressive. In normal mode, UDLD detects unidirectional links due to misconnected interfaces on fiber-optic connections. In aggressive mode, UDLD also detects unidirectional links due to one-way traffic on fiber-optic and twisted-pair links and due to misconnected interfaces on fiber-optic links. For information about normal and aggressive modes, refer to the "Configuring UDLD" chapter in the software configuration guide for this release.

To enable UDLD in normal mode, use the udld port interface configuration command. To enable UDLD in aggressive mode, use the udld port aggressive interface configuration command.

Use the no udld port command on fiber-optic ports to return control of UDLD to the udld enable global configuration command or to disable UDLD on nonfiber-optic ports.

Use the udld port aggressive command on fiber-optic ports to override the setting of the udld enable or udld aggressive global configuration command. Use the no form on fiber-optic ports to remove this setting and to return control of UDLD enabling to the udld global configuration command or to disable UDLD on nonfiber-optic ports.

If the switch software detects a Gigabit Interface Converter (GBIC) module change and the port changes from fiber optic to nonfiber optic or vice versa, all configurations are maintained.

You can use these commands to reset an interface shut down by UDLD:

The udld reset privileged EXEC command to reset all interfaces shut down by UDLD

The shutdown and no shutdown interface configuration commands

The no udld enable global configuration command followed by the udld {aggressive | enable} global configuration command to re-enable UDLD globally

The no udld port interface configuration command followed by the udld port or udld port aggressive interface configuration command to re-enable UDLD on the specified interface

The errdisable recovery cause udld and errdisable recovery interval interval global configuration commands to automatically recover from the UDLD error-disabled state

Examples

This example shows how to enable UDLD on an interface:

Switch(config)# interface gigabitethernet0/1
Switch(config-if)# udld port 

This example shows how to disable UDLD on a fiber-optic interface despite the setting of the udld global configuration command:

Switch(config)# interface gigabitethernet0/1
Switch(config-if)# no udld port

You can verify your settings by entering the show running-config or the show udld interface privileged EXEC command.

Related Commands

Command
Description

show running-config

Displays the running configuration on the switch. For syntax information, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1 > Cisco IOS File Management Commands > Configuration File Commands.

show udld

Displays UDLD administrative and operational status for all ports or the specified port.

udld

Enables aggressive or normal mode in UDLD or sets the configurable message timer time.

udld reset

Resets all interfaces shut down by UDLD and permits traffic to again pass through.


udld reset

Use the udld reset privileged EXEC command to reset all interfaces shut down by the UniDirectional Link Detection (UDLD) and permit traffic to begin passing through them again (though other features, such as spanning tree, Port Aggregation Protocol (PAgP), and Dynamic Trunking Protocol (DTP) still have their normal effects, if enabled).

udld reset

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(4)EA1

This command was introduced.


Usage Guidelines

If the interface configuration is still enabled for UDLD, these ports begin to run UDLD again and might shut down for the same reason if the problem has not been corrected.

Examples

This example shows how to reset all interfaces disabled by UDLD:

Switch# udld reset
1 ports shutdown by UDLD were reset.

You can verify your setting by entering the show udld privileged EXEC command.

Related Commands

Command
Description

show running-config

Displays the running configuration on the switch. For syntax information, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1 > Cisco IOS File Management Commands > Configuration File Commands.

show udld

Displays UDLD administrative and operational status for all ports or the specified port.

udld

Enables aggressive or normal mode in UDLD or sets the configurable message timer time.

udld port

Enables UDLD on an individual interface or prevents a fiber-optic interface from being enabled by the udld global configuration command.


vlan (global configuration)

Use the vlan global configuration command to add a VLAN and enter the config-vlan mode. Use the no form of this command to delete the VLAN.

vlan vlan-id

no vlan vlan-id

Syntax Description

vlan-id

ID of the VLAN to be added and configured. The range is 1 to 4094; do not enter leading zeros. You can enter a single VLAN ID, a series of VLAN IDs separated by commas, or a range of VLAN IDs separated by hyphens.


Defaults

This command has no default settings.

Command Modes

Global configuration

Command History

Release
Modification

12.1(9)EA1

This command was introduced.

12.1(11)EA1

The remote-span configuration command was added.


Usage Guidelines

You must use the vlan vlan-id global configuration command to add extended-range VLANs (VLAN IDs 1006 to 4094). Before configuring VLANs in the extended range, you must use the vtp transparent global configuration or VLAN configuration command to put the switch in VTP transparent mode. Extended-range VLANs are not learned by VTP and are not added to the VLAN database, but when VTP mode is transparent, VTP mode and domain name and all VLAN configurations are saved in the running configuration, and you can save them in the switch startup configuration file by entering the copy running-config startup-config privileged EXEC command.

When you save the VLAN and VTP configurations in the startup configuration file and reboot the switch, the configuration is determined in these ways:

If both the VLAN database and the configuration file show the VTP mode as transparent and the VTP domain names match, the VLAN database is ignored. The VTP and VLAN configurations in the startup configuration file are used. The VLAN database revision number remains unchanged in the VLAN database.

If the VTP mode is server, or if the startup VTP mode or domain names do not match the VLAN database, the VTP mode and the VLAN configuration for the first 1005 VLANs use the VLAN database information.

If the image on the switch or the configuration file is earlier than Cisco IOS Release 12.1(9)EA1, the switch reboots with information in the VLAN database.

Configuration information for normal-range VLANs (VLAN IDs 1 to 1005) is always saved in the VLAN database.

If you try to create an extended-range VLAN when the switch is not in VTP transparent mode, the VLAN is rejected, and you receive an error message.

If you enter an invalid VLAN ID, you receive an error message and do not enter config-vlan mode.

Entering the vlan command with a VLAN ID enables config-vlan mode. When you enter the VLAN ID of an existing VLAN, you do not create a new VLAN, but you can modify VLAN parameters for that VLAN. The specified VLANs are added or modified when you exit the config-vlan mode. Only the shutdown command (for VLANs 1 to 1005) takes effect immediately.

These configuration commands are available in config-vlan mode. The no form of each command returns the characteristic to its default state.


Note Although all commands are visible, the only config-vlan command supported on extended-range VLANs is mtu mtu-size. For extended-range VLANs, all other characteristics must remain at the default state.


are are-number: defines the maximum number of all-routes explorer (ARE) hops for this VLAN. This keyword applies only to TrCRF VLANs. The range is 0 to 13. The default is 7. If no value is entered, 0 is assumed to be the maximum.

backupcrf: specifies the backup CRF mode. This keyword applies only to TrCRF VLANs.

enable backup CRF mode for this VLAN.

disable backup CRF mode for this VLAN (the default).

bridge {bridge-number | type}: specifies the logical distributed source-routing bridge, the bridge that interconnects all logical rings having this VLAN as a parent VLAN in FDDI-NET, Token Ring-NET, and TrBRF VLANs. The range is 0 to 15. The default bridge number is 0 (no source-routing bridge) for FDDI-NET, TrBRF, and Token Ring-NET VLANs. The type keyword applies only to TrCRF VLANs and is one of these:

srb (source-route bridging)

srt (source-route transparent) bridging VLAN

exit: applies changes, increments the VLAN database revision number (VLANs 1 to 1005 only), and exits config-vlan mode.

media: defines the VLAN media type. See Table 2-29 for valid commands and syntax for different media types.


Note The switch supports only Ethernet ports. You configure only FDDI and Token Ring media-specific characteristics for VLAN Trunking Protocol (VTP) global advertisements to other switches. These VLANs are locally suspended.


ethernet is Ethernet media type (the default).

fddi is FDDI media type.

fd-net is FDDI network entity title (NET) media type.

tokenring is Token Ring media type if the VTP v2 mode is disabled, or TrCRF if the VTP version 2 (v2) mode is enabled.

tr-net is Token Ring network entity title (NET) media type if the VTP v2 mode is disabled or TrBRF media type if the VTP v2 mode is enabled.

mtu mtu-size: specifies the maximum transmission unit (MTU) (packet size in bytes). The range is 1500 to 18190. The default is 1500 bytes.

name vlan-name: names the VLAN with an ASCII string from 1 to 32 characters that must be unique within the administrative domain. The default is VLANxxxx where xxxx represents four numeric digits (including leading zeros) equal to the VLAN ID number.

no: negates a command or returns it to the default setting.

parent parent-vlan-id: specifies the parent VLAN of an existing FDDI, Token Ring, or TrCRF VLAN. This parameter identifies the TrBRF to which a TrCRF belongs and is required when defining a TrCRF. The range is 0 to 1005. The default parent VLAN ID is 0 (no parent VLAN) for FDDI and Token Ring VLANs. For both Token Ring and TrCRF VLANs, the parent VLAN ID must already exist in the database and be associated with a Token Ring-NET or TrBRF VLAN.


Note Though visible in the command-line interface, the private-vlan command is not supported.


remote-span: adds the Remote SPAN (RSPAN) feature to the VLAN. When the RSPAN feature is added to an existing VLAN, the VLAN is first deleted and is then recreated with the RSPAN feature. Any access ports are deactivated until the RSPAN feature is removed. The new RSPAN VLAN is propagated by VTP for VLAN-IDs that are lower than 1024. Learning is disabled on the VLAN. Only Layer 2 switch protocols will be processed by the CPU. Broadcast packets, multicast packets and unicast packets addressed directly to the switch will be flooded on the VLAN but will not be forwarded to the CPU.

ring ring-number: defines the logical ring for an FDDI, Token Ring, or TrCRF VLAN. The range is 1 to 4095. The default for Token Ring VLANs is 0. For FDDI VLANs, there is no default.

said said-value: specifies the security association identifier (SAID) as documented in IEEE 802.10. The range is 1 to 4294967294 and must be unique within the administrative domain. The default value is 100000 plus the VLAN ID number.

shutdown: shuts down VLAN switching on the VLAN. This command takes effect immediately. Other commands take effect when you exit config-vlan mode.

state: specifies the VLAN state:

active means the VLAN is operational (the default).

suspend means the VLAN is suspended. Suspended VLANs do not pass packets.

ste ste-number: defines the maximum number of spanning-tree explorer (STE) hops. This keyword applies only to TrCRF VLANs. The range is 0 to 13. The default is 7.

stp type: defines the spanning-tree type for FDDI-NET, Token Ring-NET, or TrBRF VLANs. For FDDI-NET VLANs, the default STP type is ieee. For Token Ring-NET VLANs, the default STP type is ibm. For FDDI and Token Ring VLANs, the default is no type specified.

ieee for IEEE Ethernet STP running source-route transparent (SRT) bridging.

ibm for IBM STP running source-route bridging (SRB).

auto for STP running a combination of source-route transparent bridging (IEEE) and source-route bridging (IBM).

tb-vlan1 tb-vlan1-id and tb-vlan2 tb-vlan2-id: specify the first and second VLAN to which this VLAN is translationally bridged. Translational VLANs translate FDDI or Token Ring to Ethernet, for example. The range is 0 to 1005. If no value is specified, 0 (no translational bridging) is assumed.

Table 2-29 Valid Commands and Syntax for Different Media Types 

Media Type
Valid Syntax

Ethernet

name vlan-name, media ethernet, state {suspend | active}, said said-value, mtu mtu-size, remote-span, tb-vlan1 tb-vlan1-id, tb-vlan2 tb-vlan2-id

FDDI

name vlan-name, media fddi, state {suspend | active}, said said-value, mtu mtu-size, ring ring-number, parent parent-vlan-id, tb-vlan1 tb-vlan1-id, tb-vlan2 tb-vlan2-id

FDDI-NET

name vlan-name, media fd-net, state {suspend | active}, said said-value, mtu mtu-size, bridge bridge-number, stp type {ieee | ibm | auto}, tb-vlan1 tb-vlan1-id, tb-vlan2 tb-vlan2-id

If VTP v2 mode is disabled, do not set the stp type to auto.

Token Ring

VTP v1 mode is enabled.

name vlan-name, media tokenring, state {suspend | active}, said said-value, mtu mtu-size, ring ring-number, parent parent-vlan-id, tb-vlan1 tb-vlan1-id, tb-vlan2 tb-vlan2-id

Token Ring concentrator relay function (TrCRF)

VTP v2 mode is enabled.

name vlan-name, media tokenring, state {suspend | active}, said said-value, mtu mtu-size, ring ring-number, parent parent-vlan-id, bridge type {srb | srt}, are are-number, ste ste-number, backupcrf {enable | disable}, tb-vlan1 tb-vlan1-id, tb-vlan2 tb-vlan2-id

Token Ring-NET

VTP v1 mode is enabled.

name vlan-name, media tr-net, state {suspend | active}, said said-value, mtu mtu-size, bridge bridge-number, stp type {ieee | ibm}, tb-vlan1 tb-vlan1-id, tb-vlan2 tb-vlan2-id

Token Ring bridge relay function (TrBRF)

VTP v2 mode is enabled.

name vlan-name, media tr-net, state {suspend | active}, said said-value, mtu mtu-size, bridge bridge-number, stp type {ieee | ibm | auto}, tb-vlan1 tb-vlan1-id, tb-vlan2 tb-vlan2-id


Table 2-30 describes the rules for configuring VLANs.

Table 2-30 VLAN Configuration Rules 

Configuration
Rule

VTP v2 mode is enabled, and you are configuring a TrCRF VLAN media type.

Specify a parent VLAN ID of a TrBRF that already exists in the database.

Specify a ring number. Do not leave this field blank.

Specify unique ring numbers when TrCRF VLANs have the same parent VLAN ID. Only one backup concentrator relay function (CRF) can be enabled.

VTP v2 mode is enabled, and you are configuring VLANs other than TrCRF media type.

Do not specify a backup CRF.

VTP v2 mode is enabled, and you are configuring a TrBRF VLAN media type.

Specify a bridge number. Do not leave this field blank.

VTP v1 mode is enabled.

No VLAN can have an STP type set to auto.

This rule applies to Ethernet, FDDI, FDDI-NET, Token Ring, and Token Ring-NET VLANs.

Add a VLAN that requires translational bridging (values are not set to zero).

The translational bridging VLAN IDs that are used must already exist in the database.

The translational bridging VLAN IDs that a configuration points to must also contain a pointer to the original VLAN in one of the translational bridging parameters (for example, Ethernet points to FDDI, and FDDI points to Ethernet).

The translational bridging VLAN IDs that a configuration points to must be different media types than the original VLAN (for example, Ethernet can point to Token Ring).

If both translational bridging VLAN IDs are configured, these VLANs must be different media types (for example, Ethernet can point to FDDI and Token Ring).


Examples

This example shows how to add an Ethernet VLAN with default media characteristics. The default includes a vlan-name of VLANxxxx, where xxxx represents four numeric digits (including leading zeros) equal to the VLAN ID number. The default media option is ethernet; the state option is active. The default said-value variable is 100000 plus the VLAN ID; the mtu-size variable is 1500; the stp-type option is ieee. When you enter the exit config-vlan configuration command, the VLAN is added if it did not already exist; otherwise, this command does nothing.

This example shows how to create a new VLAN with all default characteristics and enter config-vlan mode:

Switch(config)# vlan 200
Switch(config-vlan)# exit
Switch(config)#

This example shows how to create a new extended-range VLAN with all the default characteristics, to enter config-vlan mode, and to save the new VLAN in the switch startup configuration file:

Switch(config)# vtp mode transparent
Switch(config)# vlan 2000
Switch(config-vlan)# end
Switch# copy running-config startup-config

You can verify your setting by entering the show vlan privileged EXEC command.

Related Commands

Command
Description

show running-config vlan

Displays all or a range of VLAN-related configurations on the switch.

show vlan

Displays the parameters for all configured VLANs or one VLAN (if the VLAN ID or name is specified) in the administrative domain.

vlan (VLAN configuration)

Configures normal-range VLANs in the VLAN database.


vlan (VLAN configuration)

Use the vlan VLAN configuration command to configure VLAN characteristics for a normal-range VLAN (VLAN IDs 1 to 1005) in the VLAN database. You access VLAN configuration mode by entering the vlan database privileged EXEC command. Use the no form of this command without additional parameters to delete a VLAN. Use the no form with parameters to change its configured characteristics.

vlan vlan-id [are are-number] [backupcrf {enable | disable}] [bridge bridge-number |
type {srb | srt}] [media {ethernet | fddi | fd-net | tokenring | tr-net}] [mtu mtu-size]
[name vlan-name] [parent parent-vlan-id] [ring ring-number] [said said-value]
[state {suspend | active}] [ste ste-number] [stp type {ieee | ibm | auto}]
[tb-vlan1 tb-vlan1-id] [tb-vlan2 tb-vlan2-id]

no vlan vlan-id [are are-number] [backupcrf {enable | disable}] [bridge bridge-number |
type {srb | srt}] [media {ethernet | fddi | fd-net | tokenring | tr-net}] [mtu mtu-size]
[name vlan-name] [parent parent-vlan-id] [ring ring-number] [said said-value]
[state {suspend | active}] [ste ste-number] [stp type {ieee | ibm | auto}]
[tb-vlan1 tb-vlan1-id] [tb-vlan2 tb-vlan2-id]

Extended-range VLANs (with VLAN IDs from 1006 to 4094) cannot be added or modified by using these commands. To add extended-range VLANs, use the vlan (global configuration) command to enter config-vlan mode.


Note The switch supports only Ethernet ports. You configure only FDDI and Token Ring media-specific characteristics for VLAN Trunking Protocol (VTP) global advertisements to other switches. These VLANs are locally suspended.


Syntax Description

vlan-id

ID of the configured VLAN. The range is 1 to 1005 and must be unique within the administrative domain. Do not enter leading zeros.

are are-number

(Optional) Specify the maximum number of all-routes explorer (ARE) hops for this VLAN. This keyword applies only to TrCRF VLANs. The range is 0 to 13. If no value is entered, 0 is assumed to be the maximum.

backupcrf {enable | disable}

(Optional) Specify the backup CRF mode. This keyword applies only to TrCRF VLANs.

enable backup CRF mode for this VLAN.

disable backup CRF mode for this VLAN.

bridge bridge-number |
type {srb | srt}

(Optional) Specify the logical distributed source-routing bridge, the bridge that interconnects all logical rings having this VLAN as a parent VLAN in FDDI-NET, Token Ring-NET, and TrBRF VLANs.

The range is 0 to 15.

The type keyword applies only to TrCRF VLANs and is one of these:

srb (source-route bridging)

srt (source-route transparent) bridging VLAN

media {ethernet | fddi | fd-net | tokenring | tr-net}

(Optional) Specify the VLAN media type. Table 2-31 lists the valid syntax for each media type.

ethernet is Ethernet media type (the default).

fddi is FDDI media type.

fd-net is FDDI network entity title (NET) media type.

tokenring is Token Ring media type if the VTP v2 mode is disabled, or TrCRF if the VTP v2 mode is enabled.

tr-net is Token Ring network entity title (NET) media type if the VTP v2 mode is disabled or TrBRF media type if the VTP v2 mode is enabled.

mtu mtu-size

(Optional) Specify the maximum transmission unit (MTU) (packet size in bytes). The range is 1500 to 18190.

name vlan-name

(Optional) Specify the VLAN name, an ASCII string from 1 to 32 characters that must be unique within the administrative domain.

parent parent-vlan-id

(Optional) Specify the parent VLAN of an existing FDDI, Token Ring, or TrCRF VLAN. This parameter identifies the TrBRF to which a TrCRF belongs and is required when defining a TrCRF. The range is 0 to 1005.

ring ring-number

(Optional) Specify the logical ring for an FDDI, Token Ring, or TrCRF VLAN. The range is 1 to 4095.

said said-value

(Optional) Enter the security association identifier (SAID) as documented in IEEE 802.10. The range is 1 to 4294967294 and must be unique within the administrative domain.

state {suspend | active}

(Optional) Specify the VLAN state:

If active, the VLAN is operational.

If suspend, the VLAN is suspended. Suspended VLANs do not pass packets.

ste ste-number

(Optional) Specify the maximum number of spanning-tree explorer (STE) hops. This keyword applies only to TrCRF VLANs. The range is 0 to 13.

stp type {ieee | ibm | auto}

(Optional) Specify the spanning-tree type for FDDI-NET, Token Ring-NET, or TrBRF VLAN.

ieee for IEEE Ethernet STP running source-route transparent (SRT) bridging.

ibm for IBM STP running source-route bridging (SRB).

auto for STP running a combination of source-route transparent bridging (IEEE) and source-route bridging (IBM).

tb-vlan1 tb-vlan1-id and tb-vlan2 tb-vlan2-id

(Optional) Specify the first and second VLAN to which this VLAN is translationally bridged. Translational VLANs translate FDDI or Token Ring to Ethernet, for example. The range is 0 to 1005. Zero is assumed if no value is specified.


Table 2-31 shows the valid syntax options for different media types.

Table 2-31 Valid Syntax for Different Media Types 

Media Type
Valid Syntax

Ethernet

vlan vlan-id [name vlan-name] media ethernet [state {suspend | active}]
[said said-value] [mtu mtu-size] [tb-vlan1 tb-vlan1-id] [tb-vlan2 tb-vlan2-id]

FDDI

vlan vlan-id [name vlan-name] media fddi [state {suspend | active}]
[said said-value] [mtu mtu-size] [ring ring-number] [parent parent-vlan-id] [tb-vlan1 tb-vlan1-id] [tb-vlan2 tb-vlan2-id]

FDDI-NET

vlan vlan-id [name vlan-name] media fd-net [state {suspend | active}]
[said said-value] [mtu mtu-size] [bridge bridge-number]
[stp type {ieee | ibm | auto}] [tb-vlan1 tb-vlan1-id] [tb-vlan2 tb-vlan2-id]

If VTP v2 mode is disabled, do not set the stp type to auto.

Token Ring

VTP v1 mode is enabled.

vlan vlan-id [name vlan-name] media tokenring [state {suspend | active}]
[said said-value] [mtu mtu-size] [ring ring-number] [parent parent-vlan-id]
[tb-vlan1 tb-vlan1-id] [tb-vlan2 tb-vlan2-id]

Token Ring concentrator relay function (TrCRF)

VTP v2 mode is enabled.

vlan vlan-id [name vlan-name] media tokenring [state {suspend | active}]
[said said-value] [mtu mtu-size] [ring ring-number] [parent parent-vlan-id]
[bridge type {srb | srt}] [are are-number] [ste ste-number]
[backupcrf {enable | disable}] [tb-vlan1 tb-vlan1-id] [tb-vlan2 tb-vlan2-id]

Token Ring-NET

VTP v1 mode is enabled.

vlan vlan-id [name vlan-name] media tr-net [state {suspend | active}]
[said said-value] [mtu mtu-size] [bridge bridge-number]
[stp type {ieee | ibm}] [tb-vlan1 tb-vlan1-id] [tb-vlan2 tb-vlan2-id]

Token Ring bridge relay function (TrBRF)

VTP v2 mode is enabled.

vlan vlan-id [name vlan-name] media tr-net [state {suspend | active}]
[said said-value] [mtu mtu-size] [bridge bridge-number]
[stp type {ieee | ibm | auto}] [tb-vlan1 tb-vlan1-id] [tb-vlan2 tb-vlan2-id]


Table 2-32 describes the rules for configuring VLANs.

Table 2-32 VLAN Configuration Rules 

Configuration
Rule

VTP v2 mode is enabled, and you are configuring a TrCRF VLAN media type.

Specify a parent VLAN ID of a TrBRF that already exists in the database.

Specify a ring number. Do not leave this field blank.

Specify unique ring numbers when TrCRF VLANs have the same parent VLAN ID. Only one backup concentrator relay function (CRF) can be enabled.

VTP v2 mode is enabled, and you are configuring VLANs other than TrCRF media type.

Do not specify a backup CRF.

VTP v2 mode is enabled, and you are configuring a TrBRF VLAN media type.

Specify a bridge number. Do not leave this field blank.

VTP v1 mode is enabled.

No VLAN can have an STP type set to auto.

This rule applies to Ethernet, FDDI, FDDI-NET, Token Ring, and Token Ring-NET VLANs.

Add a VLAN that requires translational bridging (values are not set to zero).

The translational bridging VLAN IDs that are used must already exist in the database.

The translational bridging VLAN IDs that a configuration points to must also contain a pointer to the original VLAN in one of the translational bridging parameters (for example, Ethernet points to FDDI, and FDDI points to Ethernet).

The translational bridging VLAN IDs that a configuration points to must be different media types than the original VLAN (for example, Ethernet can point to Token Ring).

If both translational bridging VLAN IDs are configured, these VLANs must be different media types (for example, Ethernet can point to FDDI and Token Ring).
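The translational-bridging, TrCRF parent and ring, TrBRF bridge, and STP-type rules in Table 2-32 can be checked against a planned VLAN database before it is entered on a switch. The Python script below is an added example, not Cisco code; the dictionary layout, the check_vlan_rules name, and the sample VLANs are assumptions made for illustration.

```python
# Added example (not Cisco code); dict layout and function name are assumptions.
def check_vlan_rules(vlans, vtp_v2):
    """Return (vlan_id, message) findings in VLAN-ID order; empty list means the plan passes."""
    findings = []
    rings_seen = {}  # (parent, ring) -> first TrCRF VLAN that claimed it
    for vid, v in sorted(vlans.items()):
        media = v.get("media", "ethernet")
        is_trcrf = vtp_v2 and media == "tokenring"
        is_trbrf = vtp_v2 and media == "tr-net"
        if not vtp_v2 and v.get("stp") == "auto":
            findings.append((vid, "stp type auto is not allowed in VTP v1 mode"))
        if vtp_v2 and not is_trcrf and v.get("backupcrf") == "enable":
            findings.append((vid, "backup CRF set on a non-TrCRF VLAN"))
        if is_trbrf and v.get("bridge") is None:
            findings.append((vid, "TrBRF needs a bridge number"))
        if is_trcrf:
            parent = vlans.get(v.get("parent"))
            if parent is None or parent.get("media") != "tr-net":
                findings.append((vid, "parent must be an existing TrBRF"))
            if v.get("ring") is None:
                findings.append((vid, "TrCRF needs a ring number"))
            else:
                key = (v.get("parent"), v["ring"])
                if key in rings_seen:
                    findings.append((vid, f"ring {v['ring']} already used by VLAN {rings_seen[key]}"))
                rings_seen.setdefault(key, vid)
        tb_ids = [t for t in (v.get("tb1", 0), v.get("tb2", 0)) if t]  # 0 = not bridged
        tb_media = []
        for t in tb_ids:
            peer = vlans.get(t)
            if peer is None:
                findings.append((vid, f"tb-vlan {t} is not in the database"))
                continue
            tb_media.append(peer.get("media", "ethernet"))
            if vid not in (peer.get("tb1", 0), peer.get("tb2", 0)):
                findings.append((vid, f"tb-vlan {t} does not point back"))
            if tb_media[-1] == media:
                findings.append((vid, f"tb-vlan {t} has the same media type"))
        if len(tb_media) == 2 and tb_media[0] == tb_media[1]:
            findings.append((vid, "tb-vlan1 and tb-vlan2 have the same media type"))
    return findings

# Constructed sample plan (not from the page), evaluated with VTP v2 enabled.
SAMPLE = {
    10: {"media": "ethernet", "tb1": 20, "tb2": 30},
    20: {"media": "fddi", "ring": 5, "tb1": 10},
    30: {"media": "fddi", "ring": 6},                        # no pointer back to 10
    100: {"media": "tr-net", "bridge": 1},                   # TrBRF
    101: {"media": "tokenring", "parent": 100, "ring": 7},   # TrCRF
    102: {"media": "tokenring", "parent": 100, "ring": 7},   # duplicate ring
}

if __name__ == "__main__":
    print(*(f"VLAN {v}: {m}" for v, m in check_vlan_rules(SAMPLE, True)), sep="\n")
```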


Defaults

The ARE value is 7.

Backup CRF is disabled.

The bridge number is 0 (no source-routing bridge) for FDDI-NET, TrBRF, and Token Ring-NET VLANs.

The media type is ethernet.

The default mtu size is 1500 bytes.

The vlan-name variable is VLANxxxx, where xxxx represents four numeric digits (including leading zeros) equal to the VLAN ID number.

The parent VLAN ID is 0 (no parent VLAN) for FDDI and Token Ring VLANs. For TrCRF VLANs, you must specify a parent VLAN ID. For both Token Ring and TrCRF VLANs, the parent VLAN ID must already exist in the database and be associated with a Token Ring-NET or TrBRF VLAN.

The ring number for Token Ring VLANs is 0. For FDDI VLANs, there is no default.

The said value is 100000 plus the VLAN ID.

The state is active.

The STE value is 7.

The STP type is ieee for FDDI-NET and ibm for Token Ring-NET VLANs. For FDDI and Token Ring VLANs, the default is no type specified.

The tb-vlan1-id and tb-vlan2-id variables are zero (no translational bridging).

Command Modes

VLAN configuration

Command History

Release
Modification

12.1(4)EA1

This command was introduced.

12.1(13)EA1

The value for vlan-id variable was changed.


Usage Guidelines

You can only use this command mode for configuring normal-range VLANs, that is, VLAN IDs 1 to 1005.


Note To configure extended-range VLANs (VLAN IDs 1006 to 4094), use the vlan global configuration command.


VLAN configuration is always saved in the VLAN database. If VTP mode is transparent, it is also saved in the switch running configuration file, along with the VTP mode and domain name. You can then save it in the switch startup configuration file by using the copy running-config startup-config privileged EXEC command.

When you save VLAN and VTP configuration in the startup configuration file and reboot the switch, the configuration is determined in these ways:

If both the VLAN database and the configuration file show the VTP mode as transparent and the VTP domain names match, the VLAN database is ignored. The VTP and VLAN configurations in the startup configuration file are used. The VLAN database revision number remains unchanged in the VLAN database.

If the VTP mode is server, or if the startup VTP mode or domain names do not match the VLAN database, the VTP mode and the VLAN configuration for the first 1005 VLANs use VLAN database information.

If the image on the switch or the configuration file is earlier than Cisco IOS Release 12.1(9)EA1, the switch reboots with information in the VLAN database.

The following are the results of using the no vlan commands:

When the no vlan vlan-id form is used, the VLAN is deleted. Deleting VLANs automatically resets to zero any other parent VLANs and translational bridging parameters that refer to the deleted VLAN.