Usage Guidelines

This command affects fiber interfaces only. Use the udld port command in interface configuration mode to enable UDLD on other interface types.

If you enable the aggressive mode, after all the neighbors of a port age out either in the advertisement phase or in the detection phase, UDLD restarts the linkup sequence to resynchronize with any potentially out-of-sync neighbor and shuts down the port if the message train from the link is still undetermined.

Usage Guidelines

This command is used only on Ethernet ports.

Use the udld port and udld port aggressive commands on fiber ports to override the setting of the global udld (enable or aggressive ) command. Use the no form of the udld port command on fiber ports to remove this setting and return the control of the UDLD-enabling task to the global udld command or to disable UDLD in case of the nonfiber ports.

If you enable the aggressive mode, after all the neighbors of a port age out either in the advertisement phase or in the detection phase, UDLD restarts the linkup sequence to resynchronize with any potentially out-of-sync neighbor and shuts down the port if the message train from the link is still undetermined.

If the port changes from fiber to nonfiber or vice versa, all the configurations are maintained because the platform software detects a change of module or a Gigabit Interface Converter (GBIC) change.

Usage Guidelines

If you do not enable UDLD recovery, the interface stays in the error-disabled state until UDLD is reset. If you enable UDLD recovery, the interface is brought out of the error-disabled state and allowed to retry the unidirectional link detection process again.

Usage Guidelines

If the interface configuration is enabled for UDLD, the ports will begin to run UDLD again and may be error disabled if the reason for error disabling is not corrected.

Usage Guidelines

VLAN 1 parameters are factory configured and cannot be changed.

VLAN 1 and VLANs 1002-1005 are default VLANs. Default VLANs are created automatically and cannot be configured or deleted by users.

The specified VLAN is added or modified in the VLAN database when you exit config-VLAN submode.

When you enter the vlan vlan-id command, a new VLAN is created with all default parameters in a temporary buffer and causes the CLI to enter config-VLAN submode. If the vlan-id that you entered matches an existing VLAN, any configuration commands you enter in config-VLAN submode will apply to the existing VLAN. You will not create a new VLAN.

If you define a range of configured VLANS, you are not allowed to set the vlan-name argument in config-VLAN submode.

You can enter the vlan-range argument using a comma (,), a dash (-), and the number.

VLAN IDs in the range from 1006 to 4094 are considered “extended VLAN IDs.” Beginning in Cisco IOS Release 12.4(15)T, you can configure extended VLAN IDs on the following routers:

• Cisco 800 series routers, including models 851, 857, 871, 876, 877, 878

• Cisco 1700 series routers, including models 1711, 1712, 1751, 1751V, 1760

• Cisco 1800 series routers, including models 1801, 1802, 1803, 1811, 1812, 1841

• Cisco 2600 series routers, including models 2610XM, 2611XM, 2620XM, 2621XM, 2650XM, 2651XM, 2691

• Cisco 2800 series routers, including models 2801, 2811, 2821, 2851

• Cisco 3600 series routers, including models 3620, 3640, 3640A, 3660

• Cisco 3700 series routers, including models 3725, 3745

• Cisco 3800 series routers, including models 3825, 3845

The reduced MAC address feature is required to support 4000 VLANs. Cisco IOS Release 12.1(14)E1 and later releases support chassis with 64 or 1024 MAC addresses. For chassis with 64 MAC addresses, Spanning Tree Protocol (STP) uses the extended system ID (which is the VLAN ID) plus a MAC address to make the bridge ID unique for each VLAN. (Without the reduced MAC address support, 4096 VLANs would require 4096 MAC addresses on the switch.)

If you configure extended VLANs, you must also enable the spanning-tree extended system-ID feature.

The legacy vlan database mode does not support extended VLAN configuration.

See the vlan(config-VLAN) command for information on the commands that are available under config-VLAN submode.

Usage Guidelines

This command was replaced by the vlan (config-VLAN) command but is kept for backward compatibility.

This command is not supported in Cisco 7600 series routers that are configured with a Supervisor Engine 720.

This command, which is similar to the VLAN 1 parameters, are configured at the factory and cannot be changed.

Extended-range VLANs are not supported in VLAN configuration mode.

When you define vlan-name , the name must be unique within the administrative domain.

The security association ID (SAID) is documented in 802.10. When the no form is used, the VLAN’s SAID is returned to the default value.

When you define the said -value , the name must be unique within the administrative domain.

The bridge -number argument is used only for Token Ring-net and FDDI-net VLANs and is ignored in other types of VLANs. When the no form is used, the VLAN’s source-routing bridge number returns to the default value.

The parent VLAN resets to the default if the parent VLAN is deleted or the media keyword changes the VLAN type or the VLAN type of the parent VLAN.

The tb-vlan1 and tb-vlan2 keywords are used to configure translational bridge VLANs of a specified type and are not allowed in other types of VLANs. Translational bridge VLANs must differ in type from the affected VLAN; if two VLANs are specified, the two must be different VLAN types.

A translational bridge VLAN resets to the default if the translational bridge VLAN is deleted or the media keyword changes the VLAN type or the VLAN type of the corresponding translational bridge VLAN.

Usage Guidelines

Due to the rate-limiting function for redirected packets, VACL-logging counters may not be accurate.

Only denied IP packets are logged.

When the log-table size is full, the logging packets from the new flows are dropped by the software.

The packets that exceed the maximum redirect VACL-logging packet rate limit are dropped by the hardware.

A logging message is displayed if the flow threshold is reached before the 5-minute interval.

If you do not configure the maximum log-table size, maximum packet rate, or threshold, or if you enter the no form of the commands, the default values are assumed.

Usage Guidelines

If you enter the sequence number of an existing map sequence, you enter VLAN access-map mode.

If you do not specify a sequence number, a number is automatically assigned. You can enter one match clause and one action clause per map sequence.

If you enter the novlanaccess-mapname [seq-number ] command without entering a sequence number, the whole map is removed.

Once you enter VLAN access-map mode, the following commands are available:

• action -- Specifies the packet action clause; see the action command section.

• default -- Sets a command to its defaults.

• end -- Exits from configuration mode.

• exit -- Exits from VLAN access-map configuration mode.

• match -- Specifies the match clause; see the match command section.

• no -- Negates a command or sets its defaults.

Usage Guidelines

Note	If you are running in RPR+ mode on a Cisco 7600 series router or Catalyst 6500 series switch, do not configure a VLAN in VLAN-database mode. Performance problems might occur during configuration synchronization between the active and standby supervisor engines.

Once you are in VLAN configuration mode, you can access the VLAN database editing buffer manipulation commands, including:

• abort --Exits themode without applying the changes.

• apply --Applies current changes and increases the release number.

• exit --Applies changes, increases the release number, and exit mode.

• no --Negates a command or sets its defaults; valid values are vlan and vtp .

• reset --Abandons current changes and rereads the current database.

• show --Displays database information.

• vlan --Accesses subcommands to add, delete, or modify values associated with a single VLAN. For information about the vlan subcommands, see the vlan (VLAN) command.

• vtp --Accesses subcommands to perform Virtual Trunking Protocol (VTP) administrative functions. For information about the vtp subcommands, see the vtpclient command.

Usage Guidelines

The vlandot1qtagnative command configures the switch to tag native-VLAN traffic and admit only 802.1Q-tagged frames on 802.1Q trunks, dropping any untagged traffic, including untagged traffic in the native VLAN.

Follow these configuration guidelines when configuring Layer 2-protocol tunneling:

• On all the service-provider edge switches, you must enable spanning-tree bridge protocol data unit (BPDU) filtering on the 802.1Q-tunnel ports by entering the spanning-treebpdufilter enable command.

• Ensure that at least one VLAN is available for native-VLAN tagging. If you use all the available VLANs and then enter the vlandot1qtagnative command, native-VLAN tagging is not enabled.

• On all the service-provider core switches, enter the vlandot1qtagnative command to tag native-VLAN egress traffic and drop untagged native-VLAN ingress traffic.

• On all the customer switches, either enable or disable native-VLAN tagging on each switch.

Note	If you enable dot1q tagging on one switch and disable it on another switch, all traffic is dropped; you must identically configure dot1q tagging on each switch.

Usage Guidelines

When configuring an action clause in a VLAN access map, note the following:

• You can apply the VLAN access map to one or more VLANs or WAN interfaces.

• The vlan-list argument can be a single VLAN ID, a list of VLAN IDs, or VLAN ID ranges (vlan-id -vlan-id ). Multiple entries are separated by a hyphen (-) or a comma (,).

• If you delete a WAN interface that has a VLAN access control list (VACL) applied, the VACL configuration on the interface is also removed.

• You can apply only one VLAN access map to each VLAN or WAN interface.

• VACLs that are applied to VLANs are active only for VLANs with a Layer 3-VLAN interface configured. VACLs that are applied to VLANs without a Layer 3-VLAN interface are inactive. Applying a VLAN access map to a VLAN without a Layer 3-VLAN interface creates an administratively down Layer 3-VLAN interface to support the VLAN access map. If creation of the Layer 3-VLAN interface fails, the VACL is inactive.

When entering the no form of this command, the vlan-list argument is optional (but the keyword vlan-list is required). If you do not enter the vlan-list argument, the VACL is removed from all VLANs where the map-name argument is applied.

When entering the no form of this command for WAN interfaces, the interface argument is optional (but the interface keyword is required). If you do not enter the interface argument, the VACL is removed from interfaces where the map-name is applied.

The vlanfilter map-name interface command accepts only ATM, POS, or serial interface types. If your Cisco 7600 series router is not configured with any of these interface types, the interface interfaceinterface-number keyword and argument are not provided.

The interface-number format can be mod /port or slot /port-adapter /port ; it can include a subinterface or channel-group descriptor.

Usage Guidelines

You can configure internal VLAN allocation to be from 1006 and up or from 4094 and down.

Internal VLANs and user-configured VLANs share the 1006 to 4094 VLAN spaces. A “first come, first served” policy is used in allocating these spaces.

You must perform a system reboot before the vlaninternalallocationpolicy command changes can take effect.

During system bootup, internal VLANs that are required for features in the startup-config file are allocated first. The user-configured VLANs in the startup-config file are configured next. If you configure a VLAN that conflicts with an existing internal VLAN, the VLAN that you configured is put into a nonoperational status until the internal VLAN is freed and becomes available.

After you enter the writemem command and the system reloads, the reconfigured allocation is used by the port manager.

Usage Guidelines

VLAN 1 parameters are factory configured and cannot be changed.

You can map up to eight VLANs. You can map only one 802.1Q VLAN to an ISL VLAN. For example, if 802.1Q VLAN 800 has been automatically mapped to ISL VLAN 800, do not manually map any other 802.1Q VLANs to ISL VLAN 800.

You cannot overwrite existing 802.1Q-VLAN mapping. If the 802.1Q-VLAN number already exists, the command is terminated. You must first clear that mapping.

If the table is full, the command is terminated with an error message indicating that the table is full.

Usage Guidelines

When you enable the VLAN port provisioning, you must specify the VLAN name in order to change a port from one VLAN to another.

When VLAN port provisioning is enabled, you can still create new VLANs, but you cannot add ports to the VLAN without specifying both the VLAN number and the VLAN name. The feature does not affect assigning ports to VLANs using other features such as Simple Network Management Protocol (SNMP), dynamic VLANs, and 802.1X.

Usage Guidelines

Note	The vtppruning , vtppassword , and vtpversion commands are also available in privileged EXEC mode. We recommend that you use these commands in global configuration mode only; do not use these commands in privileged EXEC mode.

Extended-range VLANs are not supported by VTP version 1 and version 2. Extended range VLANs are supported in VTP version 3.

When you define the domain-name value , the dom ain name is case sensitive and can be from 1 to 32 characters.

The filename and interface-name values are ASCII strings from 1 to 255 characters.

You must configure a password on each network device in the management domain when the switch is in secure mode.

Caution

If you configure VTP in secure mode, the management domain does not function properly if you do not assign a management domain password to each network device in the domain.

A VTP version 2-capable network device can operate in the same VTP domain as a network device running VTP version 1 if VTP version 2 is disabled on the VTP version 2-capable network device (VTP version 2 is disabled by default).

Do not enable VTP version 2 on a network device unless all of the network devices in the same VTP domain are version 2-capable. When you enable VTP version 2 on a network device, all of the version 2-capable network devices in the domain enable VTP version 2.

In a Token Ring environment, you must enable VTP version 2 for VLAN switching to function properly.

Enabling or disabling VTP pruning on a VTP server enables or disables VTP pruning for the entire management domain.

Configuring VLANs as pruning eligible or pruning ineligible on an applicable device affects pruning eligibility for those VLANs on that switch only; it does not affect pruning eligibility on all network devices in the VTP domain.

The vtppassword , vtppruning , and vtpversion commands are not placed in startup memory but are included in the VTP transparent-mode startup configuration file.

Extended-range VLANs are not supported by VTP.

You can configure the pruning keyword in VTP-server mode; the version keyword is configurable in VTP-server mode or VTP transparent mode.

The password- value argument is an ASCII string from 8 to 64 characters identifying the administrative domain for the device.

VTP pruning causes information about each pruning-eligible VLAN to be removed from VTP updates if there are no stations belonging to that VLAN.

All applicable devices in a VTP domain must run the same version of VTP. VTP version 1 and VTP version 2 do not operate on applicable devices in the same VTP domain.

If all applicable devices in a domain are VTP version 2-capable, you need only to enable VTP version 2 on one applicable devices; the version number is then propagated to the other version 2-capable applicable devices in the VTP domain.

If you toggle the version 2 mode, certain default VLAN parameters are modified.

If you enter the vtpmodeoff command, it sets the device to off. If you enter the novtpmodeoff command, it resets the device to the VTP server mode.

Catalyst 6500 Series Switch

VTP version 3 supports all the features in version 1 and version 2. VTP version 3 also supports the following features not supported in version 1 and version 2:

• Enhanced authentication--In VTP version 3, you can configure the authentication password to be hidden using the vtppassword command. When you configure the authentication password to be hidden, it does not appear in plain text in the configuration. Instead, the secret associated with the password is saved in hexadecimal format in the running configuration. The password- string argument is an ASCII string from 8 to 64 characters identifying the administrative domain for the device. The following syntax is available:

password password-string [hidden | secret ]

password password-string --Specifies the administrative domain password.

hidden --(Optional) Configures the password with a secret key saved in hexadecimal format in the running configuration.

secret --(Optional) Allows the password secret key to be directly configured in hexadecimal format.

The hidden keyword for the VTP password is supported only in VTP version 3. If converting to VTP version 2 from VTP version 3, you must remove the hidden keyword prior to the conversion.

• Support for extended-range VLAN database propagation--VTP version 1 and version 2 support VLANs 1 to 1000 only. In VTP version 3, the entire VLAN range is supported (VLANs 1 to 4096). The pruning of VLANs still applies to VLANs 1 to 1000 only. Extended-range VLANs are supported in VTP version 3 only. If converting from VTP version 3 to VTP version 2, VLANs in the range 1006 to 4094 are removed from VTP control.

• Support for propagation of any database in a domain--In VTP version 1 and version 2, a VTP server is used to backup the database to the NVRAM and allows you to change the database information. In VTP version 3, there is a VTP-primary server and a VTP-secondary server. A primary server allows you to alter the database information, and the database updates sent out are honored by all the devices in the system. A secondary server can only back up the updated VTP configuration received from the primary server in the NVRAMs. The status of the primary and secondary servers is a runtime status and is not configurable.

By default, all devices come up as secondary servers. You can enter the vtpprimary privileged EXEC mode command to specify a primary server. The following syntax is available:

vtp primary [vlan | mst ] [force

vlan --(Optional) Specifies this device as the primary server for the VTP VLAN feature.

mst-- (Optional) Specifies this device as the primary server for the VTP MST feature.

force-- (Optional) Forces this device to become the primary server.

The primary-server status is needed only when database changes have to be performed and is obtained when the administrator issues a takeover message in the domain. The primary-server status is lost when you reload, switch over, or the domain parameters change. The secondary servers back up the configuration and continue to propagate the database. You can have a working VTP domain without any primary servers.

In VTP version 3, there is no longer a restriction to propagate only VLAN database information. You can use VTP version 3 to propagate any database information across the VTP domain. A separate instance of the protocol is running for each application that uses VTP.

• CLI to turn off/on VTP on a per-trunk basis--You can disable VTP on a per-trunk basis using the novtp command in interface configuration mode . When you disable VTP on the trunking port, all the VTP instances for that port are disabled. You will not be provided with the option of setting VTP to OFF for the MST database and ON for the VLAN database. You can enable VTP on a per-trunk basis using the vtp command in interface configuration mode .

VTP on a global basis--When you set VTP mode to OFF globally, this applies to all the trunking ports in the system. Unlike the per-port configuration, you can specify the OFF option on a per-VTP instance basis. For example, the system could be configured as VTP-server for the VLAN database and as VTP-off for the MST database. In this case, VLAN databases are propagated by VTP, MST updates are sent out on the trunk ports in the system, and the MST updates received by the system are discarded.

Usage Guidelines

The VTP enable value is applied only when a port becomes a switched port and is in trunk mode.

Usage Guidelines

If the receiving switch is in client mode, the client switch changes its configuration to duplicate the configuration of the server. If you have switches in client mode, be sure to make all VTP or VLAN configuration changes on a switch in server mode.

The vtpserver command is the functional equivalent of novtpclient command except that it does not return an error if the device is not in client mode.

Usage Guidelines

When you define the domain name argument, the domain name is case-sensitive.

Until a domain name is set, the device is in the no-management-domain state. In this state, the device does not transmit any VLAN Trunking Protocol (VTP) advertisements regardless of changes to local VLAN configuration. The device leaves the no-management-domain state upon receiving the first VTP summary packet on any port that is currently trunking or when it receives a domain name configured by the vtpdomain command. If the device receives its domain from a summary packet, it resets its configuration revision number to 0.

When the device leaves the no-management-domain state, it can never be configured to reenter it, except by the cleaning of NVRAM and the reloading of the device.

Usage Guidelines

The value of the passwordvalue argument is an ASCII string from 1 to 32 characters.

Usage Guidelines

If you make a change to the VTP or VLAN configuration on a switch in server mode, that change is propagated to all the switches in the same VTP domain.

VTP can be set to either server or client mode only when dynamic VLAN creation is disabled.

If the receiving switch is in server mode, the configuration is not changed.

The vtpserver command is the functional equivalent of the novtpclient command, except that it does not return an error if the device is not in client mode.

Usage Guidelines

Thevtptransparent command disables VTP from the domain but does not remove the domain from the switch.

If the receiving switch is in transparent mode, the configuration is not changed. Switches in transparent mode do not participate in VTP. If you make VTP or VLAN configuration changes on a switch in transparent mode, the changes are not propagated to the other switches in the network.

The vtpserver command is similar to the novtptransparent command, except that it does not return an error if the device is not in transparent mode.

Usage Guidelines

All switches in a VTP domain must run the same version of VTP. VTP version 1 and VTP version 2 do not operate on switches in the same VTP domain.

If all switches in a domain are VTP version 2-capable, you must enable VTP version 2 only on one switch; the version number is then propagated to the other version 2-capable switches in the VTP domain.

If you toggle the version 2 mode, parameters of certain default VLANs are modified.