VLAN Commands

clear vtp counters

To clear the VLAN Trunking Protocol (VTP) and pruning counters, use the clear vtp counters command in privileged EXEC mode.

clear vtp counters

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Examples

This example shows how to clear the VTP counters:

Device> enable
Device# clear vtp counters

You can verify that information was deleted by entering the show vtp counters privileged EXEC command.

debug sw-vlan

To enable debugging of VLAN manager activities, use the debug sw-vlan command in privileged EXEC mode. To disable debugging, use the no form of this command.

debug sw-vlan {badpmcookies | cfg-vlan {bootup | cli} | events | ifs | mapping | notification | packets | redundancy | registries | vtp}

no debug sw-vlan {badpmcookies | cfg-vlan {bootup | cli} | events | ifs | mapping | notification | packets | redundancy | registries | vtp}

Syntax Description

badpmcookies

Displays debug messages for VLAN manager incidents of bad port manager cookies.

cfg-vlan

Displays VLAN configuration debug messages.

bootup

Displays messages when the switch is booting up.

cli

Displays messages when the command-line interface (CLI) is in VLAN configuration mode.

events

Displays debug messages for VLAN manager events.

ifs

Displays debug messages for the VLAN manager IOS file system (IFS). See debug sw-vlan ifs for more information.

mapping

Displays debug messages for VLAN mapping.

notification

Displays debug messages for VLAN manager notifications. See debug sw-vlan notification for more information.

packets

Displays debug messages for packet handling and encapsulation processes.

redundancy

Displays debug messages for VTP VLAN redundancy.

registries

Displays debug messages for VLAN manager registries.

vtp

Displays debug messages for the VLAN Trunking Protocol (VTP) code. See debug sw-vlan vtp for more information.

Command Default

Debugging is disabled.

Command Modes

Privileged EXEC

Command History

Release Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

The undebug sw-vlan command is the same as the no debug sw-vlan command.

Examples

This example shows how to display debug messages for VLAN manager events:

Device> enable 
Device# debug sw-vlan events

debug sw-vlan ifs

To enable debugging of the VLAN manager IOS file system (IFS) error tests, use the debug sw-vlan ifs command in privileged EXEC mode. To disable debugging, use the no form of this command.

debug sw-vlan ifs {open {read | write} | read {1 | 2 | 3 | 4} | write}

no debug sw-vlan ifs {open {read | write} | read {1 | 2 | 3 | 4} | write}

Syntax Description

open read

Displays VLAN manager IFS file-read operation debug messages.

open write

Displays VLAN manager IFS file-write operation debug messages.

read

Displays file-read operation debug messages for the specified error test (1, 2, 3, or 4).

write

Displays file-write operation debug messages.

Command Default

Debugging is disabled.

Command Modes

Privileged EXEC

Command History

Release Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

The undebug sw-vlan ifs command is the same as the no debug sw-vlan ifs command.

When selecting the file read operation, Operation 1 reads the file header, which contains the header verification word and the file version number. Operation 2 reads the main body of the file, which contains most of the domain and VLAN information. Operation 3 reads type length version (TLV) descriptor structures. Operation 4 reads TLV data.

Examples

This example shows how to display file-write operation debug messages:

Device> enable
Device# debug sw-vlan ifs write

debug sw-vlan notification

To enable debugging of VLAN manager notifications, use the debug sw-vlan notification command in privileged EXEC mode. To disable debugging, use the no form of this command.

debug sw-vlan notification {accfwdchange | allowedvlancfgchange | fwdchange | linkchange | modechange | pruningcfgchange | statechange}

no debug sw-vlan notification {accfwdchange | allowedvlancfgchange | fwdchange | linkchange | modechange | pruningcfgchange | statechange}

Syntax Description

accfwdchange

Displays debug messages for VLAN manager notification of aggregated access interface spanning-tree forward changes.

allowedvlancfgchange

Displays debug messages for VLAN manager notification of changes to the allowed VLAN configuration.

fwdchange

Displays debug messages for VLAN manager notification of spanning-tree forwarding changes.

linkchange

Displays debug messages for VLAN manager notification of interface link-state changes.

modechange

Displays debug messages for VLAN manager notification of interface mode changes.

pruningcfgchange

Displays debug messages for VLAN manager notification of changes to the pruning configuration.

statechange

Displays debug messages for VLAN manager notification of interface state changes.

Command Default

Debugging is disabled.

Command Modes

Privileged EXEC

Command History

Release Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

The undebug sw-vlan notification command is the same as the no debug sw-vlan notification command.

Examples

This example shows how to display debug messages for VLAN manager notification of interface mode changes:

Device> enable
Device# debug sw-vlan notification modechange

debug sw-vlan vtp

To enable debugging of the VLAN Trunking Protocol (VTP) code, use the debug sw-vlan vtp command in privileged EXEC mode. To disable debugging, use the no form of this command.

debug sw-vlan vtp {events | packets | pruning [packets | xmit] | redundancy | xmit}

no debug sw-vlan vtp {events | packets | pruning | redundancy | xmit}

Syntax Description

events

Displays debug messages for general-purpose logic flow and detailed VTP messages generated by the VTP_LOG_RUNTIME macro in the VTP code.

packets

Displays debug messages for the contents of all incoming VTP packets that have been passed into the VTP code from the Cisco IOS VTP platform-dependent layer, except for pruning packets.

pruning

Displays debug messages generated by the pruning segment of the VTP code.

packets

(Optional) Displays debug messages for the contents of all incoming VTP pruning packets that have been passed into the VTP code from the Cisco IOS VTP platform-dependent layer.

xmit

(Optional) Displays debug messages for the contents of all outgoing VTP packets that the VTP code requests the Cisco IOS VTP platform-dependent layer to send.

redundancy

Displays debug messages for VTP redundancy.

xmit

Displays debug messages for the contents of all outgoing VTP packets that the VTP code requests the Cisco IOS VTP platform-dependent layer to send, except for pruning packets.

Command Default

Debugging is disabled.

Command Modes

Privileged EXEC

Command History

Release Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

The undebug sw-vlan vtp command is the same as the no debug sw-vlan vtp command.

If no additional parameters are entered after the pruning keyword, VTP pruning debugging messages appear. They are generated by the VTP_PRUNING_LOG_NOTICE, VTP_PRUNING_LOG_INFO, VTP_PRUNING_LOG_DEBUG, VTP_PRUNING_LOG_ALERT, and VTP_PRUNING_LOG_WARNING macros in the VTP pruning code.

Examples

This example shows how to display debug messages for VTP redundancy:

Device> enable
Device# debug sw-vlan vtp redundancy

dot1q vlan native

To assign the native VLAN ID of a physical interface trunking 802.1Q VLAN traffic, use the dot1q vlan native command in interface configuration mode. To remove the VLAN ID assignment, use the no form of this command.

dot1q vlan vlan-id [native]

no dot1q vlan vlan-id [native]

Syntax Description

vlan-id

Trunk interface ID. The range is from 1 to 4000.

native

Specifies the native VLAN associated with the 802.1Q trunk interface.

Command Default

No default behavior or values

Command Modes

Interface configuration (config-if)

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes proper task IDs. If you suspect that user group assignment is preventing you from using a command, contact your AAA administrator.

The dot1q vlan native command defines the default, or native VLAN, associated with an 802.1Q trunk interface. The native VLAN of a trunk interface is the VLAN to which all the untagged VLAN packets are logically assigned.


Note


The native VLAN cannot be configured on a subinterface of the trunk interface. The native VLAN must be configured with the same value at both ends of the link, or traffic can be lost or sent to the wrong VLAN.


Examples

The following example shows how to configure the native VLAN of a GigabitEthernet 1/0/33 trunk interface as 1. Packets received on this interface that are untagged, or that have an 802.1Q tag with VLAN ID 1, are received on the main interface. Packets sent from the main interface are transmitted without an 802.1Q tag.

Device> enable
Device# configure terminal
Device(config)# interface GigabitEthernet 1/0/33.201
Device(config-subif)# dot1q vlan 1 native

interface (VLAN)

To create a VLAN subinterface, use the interface command in global configuration mode. To delete a subinterface, use the no form of this command.

interface {type switch/slot/port.subinterface}

no interface {type switch/slot/port.subinterface}

Syntax Description

type

Type of interface to be configured.

switch/slot/port.subinterface

Physical interfaces or virtual interfaces followed by the subinterface path ID.

Command Default

No default behavior or values

Command Modes

Global configuration

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.

To configure a large number of subinterfaces, we recommend entering all configuration data before you commit the interface command.

To change an interface from Layer 2 to Layer 3 mode and back, you must delete the interface first and then re-configure it in the appropriate mode.

Examples

This example shows how to configure subinterfaces on Layer 3 interfaces:

Device> enable
Device# configure terminal
Device(config)# interface HundredGigabitEthernet 1/0/33.201
Device(config-subif)# encapsulation dot1q 33 native

private-vlan

To configure private VLANs and to configure the association between private VLAN primary and secondary VLANs, use the private-vlan VLAN configuration command on the switch stack or on a standalone switch. Use the no form of this command to return the VLAN to normal VLAN configuration.

private-vlan {association [add | remove] secondary-vlan-list | community | isolated | primary}

no private-vlan {association | community | isolated | primary}

Syntax Description

association

Creates an association between the primary VLAN and a secondary VLAN.

add

Associates a secondary VLAN to a primary VLAN.

remove

Clears the association between a secondary VLAN and a primary VLAN.

secondary-vlan-list

One or more secondary VLANs to be associated with a primary VLAN in a private VLAN.

community

Designates the VLAN as a community VLAN.

isolated

Designates the VLAN as an isolated VLAN.

primary

Designates the VLAN as a primary VLAN.

Command Default

The default is to have no private VLANs configured.

Command Modes

VLAN configuration

Command History

Release Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

Before configuring private VLANs, you must disable VTP (VTP mode transparent). After you configure a private VLAN, you should not change the VTP mode to client or server.

VTP does not propagate private VLAN configurations. You must manually configure private VLANs on all switches in the Layer 2 network to merge their Layer 2 databases and to prevent flooding of private VLAN traffic.

You cannot include VLAN 1 or VLANs 1002 to 1005 in the private VLAN configuration. Extended VLANs (VLAN IDs 1006 to 4094) can be configured in private VLANs.

You can associate a secondary (isolated or community) VLAN with only one primary VLAN. A primary VLAN can have one isolated VLAN and multiple community VLANs associated with it.

  • A secondary VLAN cannot be configured as a primary VLAN.

  • The secondary-vlan-list cannot contain spaces. It can contain multiple comma-separated items. Each item can be a single private VLAN ID or a hyphenated range of private VLAN IDs. The list can contain one isolated VLAN and multiple community VLANs.

  • If you delete either the primary or secondary VLANs, the ports associated with the VLAN become inactive.

A community VLAN carries traffic among community ports and from community ports to the promiscuous ports on the corresponding primary VLAN.

An isolated VLAN is used by isolated ports to communicate with promiscuous ports. It does not carry traffic to other community ports or isolated ports with the same primary VLAN domain.

A primary VLAN is the VLAN that carries traffic from a gateway to customer end stations on private ports.

Configure Layer 3 VLAN interfaces (SVIs) only for primary VLANs. You cannot configure Layer 3 VLAN interfaces for secondary VLANs. SVIs for secondary VLANs are inactive while the VLAN is configured as a secondary VLAN.

The private-vlan commands do not take effect until you exit from VLAN configuration mode.

Do not configure private VLAN ports as EtherChannels. While a port is part of the private VLAN configuration, any EtherChannel configuration for it is inactive.

Do not configure a private VLAN as a Remote Switched Port Analyzer (RSPAN) VLAN.

Do not configure a private VLAN as a voice VLAN.

Do not configure fallback bridging on switches with private VLANs.

Although a private VLAN contains more than one VLAN, only one STP instance runs for the entire private VLAN. When a secondary VLAN is associated with the primary VLAN, the STP parameters of the primary VLAN are propagated to the secondary VLAN.

For more information about private VLAN interaction with other features, see the software configuration guide for this release.

Examples

This example shows how to configure VLAN 20 as a primary VLAN, VLAN 501 as an isolated VLAN, and VLANs 502 and 503 as community VLANs, and to associate them in a private VLAN:

# configure terminal
(config)# vlan 20
(config-vlan)# private-vlan primary
(config-vlan)# exit
(config)# vlan 501
(config-vlan)# private-vlan isolated
(config-vlan)# exit
(config)# vlan 502
(config-vlan)# private-vlan community
(config-vlan)# exit
(config)# vlan 503
(config-vlan)# private-vlan community
(config-vlan)# exit
(config)# vlan 20
(config-vlan)# private-vlan association 501-503
(config-vlan)# end

You can verify your setting by entering the show vlan private-vlan or show interfaces status privileged EXEC command.

private-vlan mapping

To create a mapping between the primary and the secondary VLANs so that both VLANs share the same primary VLAN switched virtual interface (SVI), use the private-vlan mapping interface configuration command on a switch virtual interface (SVI). Use the no form of this command to remove private VLAN mappings from the SVI.

private-vlan mapping [add | remove] secondary-vlan-list

no private-vlan mapping

Syntax Description

add

(Optional) Maps the secondary VLAN to the primary VLAN SVI.

remove

(Optional) Removes the mapping between the secondary VLAN and the primary VLAN SVI.

secondary-vlan-list

One or more secondary VLANs to be mapped to the primary VLAN SVI.

Command Default

No private VLAN SVI mapping is configured.

Command Modes

Interface configuration

Command History

Release Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

The device must be in VTP transparent mode when you configure private VLANs.

The SVI of the primary VLAN is created at Layer 3.

Configure Layer 3 VLAN interfaces (SVIs) only for primary VLANs. You cannot configure Layer 3 VLAN interfaces for secondary VLANs. SVIs for secondary VLANs are inactive while the VLAN is configured as a secondary VLAN.

The secondary-vlan-list argument cannot contain spaces. It can contain multiple comma-separated items. Each item can be a single private VLAN ID or a hyphenated range of private VLAN IDs. The list can contain one isolated VLAN and multiple community VLANs.

Traffic that is received on the secondary VLAN is routed by the SVI of the primary VLAN.

A secondary VLAN can be mapped to only one primary SVI. If you configure the primary VLAN as a secondary VLAN, all SVIs specified in this command are brought down.

If you configure a mapping between two VLANs that do not have a valid Layer 2 private VLAN association, the mapping configuration does not take effect.

Examples

This example shows how to map the interface of VLAN 20 to the SVI of VLAN 18:

Device# configure terminal
Device(config)# interface vlan 18
Device(config-if)# private-vlan mapping 20
Device(config-if)# end

This example shows how to permit routing of secondary VLAN traffic from secondary VLANs 303 to 305 and 307 through VLAN 20 SVI:

Device# configure terminal
Device(config)# interface vlan 20
Device(config-if)# private-vlan mapping 303-305,307
Device(config-if)# end

You can verify your settings by entering the show interfaces private-vlan mapping privileged EXEC command.
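
The rules that the private-vlan and private-vlan mapping usage guidelines give for VLAN IDs, associations, and the secondary-vlan-list format can be checked before a change is pushed. The following is an added example, not Cisco code; the function names and the plan dictionaries are assumptions made for illustration.

```python
# Added example: checks a private-VLAN plan against the usage guidelines above.
RESERVED = {1, 1002, 1003, 1004, 1005}  # excluded from private VLANs per this page
MAX_VLAN = 4094                          # extended VLANs 1006-4094 are allowed


def parse_secondary_vlan_list(text):
    """Expand a secondary-vlan-list such as '303-305,307' into sorted VLAN IDs."""
    if not text or any(ch.isspace() for ch in text):
        raise ValueError("secondary-vlan-list cannot be empty or contain spaces")
    ids = set()
    for item in text.split(","):
        first, dash, last = item.partition("-")
        if not first.isdigit() or (dash and not last.isdigit()):
            raise ValueError(f"invalid item {item!r}")
        low = int(first)
        high = int(last) if dash else low
        # Bounds are checked before expanding so a huge range cannot exhaust memory.
        if not 1 <= low <= high <= MAX_VLAN:
            raise ValueError(f"bad VLAN ID or range {item!r}")
        ids.update(range(low, high + 1))
    return sorted(ids)


def validate_plan(vlan_types, associations):
    """Return a list of rule violations (empty when the plan is consistent).

    vlan_types:   {vlan_id: 'primary' | 'isolated' | 'community'}
    associations: {primary_vlan_id: secondary-vlan-list string}
    """
    problems = []
    for vid in vlan_types:
        if vid in RESERVED or not 1 <= vid <= MAX_VLAN:
            problems.append(f"VLAN {vid}: not allowed in a private VLAN configuration")
    owner = {}  # secondary VLAN -> the primary VLAN it is already associated with
    for primary, text in associations.items():
        if vlan_types.get(primary) != "primary":
            problems.append(f"VLAN {primary}: association on a VLAN that is not primary")
        try:
            secondaries = parse_secondary_vlan_list(text)
        except ValueError as exc:
            problems.append(f"VLAN {primary}: {exc}")
            continue
        isolated = [s for s in secondaries if vlan_types.get(s) == "isolated"]
        if len(isolated) > 1:
            problems.append(f"VLAN {primary}: more than one isolated VLAN {isolated}")
        for sec in secondaries:
            if vlan_types.get(sec) not in ("isolated", "community"):
                problems.append(f"VLAN {sec}: not defined as isolated or community")
            if owner.setdefault(sec, primary) != primary:
                problems.append(
                    f"VLAN {sec}: associated with primaries {owner[sec]} and {primary}")
    return problems


# The plan from the private-vlan example on this page.
PAGE_TYPES = {20: "primary", 501: "isolated", 502: "community", 503: "community"}
PAGE_ASSOC = {20: "501-503"}

# Constructed plan that breaks three of the stated rules.
BAD_TYPES = {20: "primary", 30: "primary", 501: "isolated", 502: "isolated",
             1002: "community"}
BAD_ASSOC = {20: "501-502", 30: "501"}

if __name__ == "__main__":
    print(validate_plan(PAGE_TYPES, PAGE_ASSOC))
    for problem in validate_plan(BAD_TYPES, BAD_ASSOC):
        print(problem)
```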

show interfaces private-vlan mapping

To display private VLAN mapping information for the VLAN switch virtual interfaces (SVIs), use the show interfaces private-vlan mapping command in user EXEC or privileged EXEC mode.

show interfaces [interface-id] private-vlan mapping

Syntax Description

interface-id

(Optional) ID of the interface for which to display private VLAN mapping information.

Command Default

None

Command Modes

User EXEC

Privileged EXEC

Command History

Release Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Examples

This example shows how to display the information about the private VLAN mapping:

Device# show interfaces private-vlan mapping
Interface Secondary VLAN Type
--------- -------------- -----------------
vlan2     301            community
vlan3     302            community

show vlan

To display the parameters for all configured VLANs or one VLAN (if the VLAN ID or name is specified) on the switch, use the show vlan command in user EXEC mode.

show vlan [brief | dot1q tag native | group | id vlan-id | mtu | name vlan-name | private-vlan [type] | remote-span | summary]

Syntax Description

brief

(Optional) Displays one line for each VLAN with the VLAN name, status, and its ports.

dot1q tag native

(Optional) Displays the IEEE 802.1Q native VLAN tagging status.

group

(Optional) Displays information about VLAN groups.

id vlan-id

(Optional) Displays information about a single VLAN identified by the VLAN ID number. For vlan-id, the range is 1 to 4094.

mtu

(Optional) Displays a list of VLANs and the minimum and maximum transmission unit (MTU) sizes configured on ports in the VLAN.

name vlan-name

(Optional) Displays information about a single VLAN identified by the VLAN name. The VLAN name is an ASCII string from 1 to 32 characters.

private-vlan

(Optional) Displays information about configured private VLANs, including primary and secondary VLAN IDs, type (community, isolated, or primary) and ports belonging to the private VLAN. This keyword is only supported if your switch is running the IP services feature set.

type

(Optional) Displays only private VLAN ID and type.

remote-span

(Optional) Displays information about Remote SPAN (RSPAN) VLANs.

summary

(Optional) Displays VLAN summary information.


Note


The ifindex keyword is not supported, even though it is visible in the command-line help string.


Command Modes

User EXEC

Command History

Release Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

In the show vlan mtu command output, the MTU_Mismatch column shows whether all the ports in the VLAN have the same MTU. When yes appears in the column, the VLAN has ports with different MTUs, and packets that are switched from a port with a larger MTU to a port with a smaller MTU might be dropped. If the VLAN does not have an SVI, a hyphen (-) appears in the SVI_MTU column. If the MTU_Mismatch column displays yes, the names of the ports with the MinMTU and the MaxMTU appear.

If you try to associate a private VLAN secondary VLAN with a primary VLAN before you define the secondary VLAN, the secondary VLAN is not included in the show vlan private-vlan command output.

In the show vlan private-vlan type command output, a type displayed as normal means a VLAN that has a private VLAN association but is not part of the private VLAN. For example, if you define and associate two VLANs as primary and secondary VLANs and then delete the secondary VLAN configuration without removing the association from the primary VLAN, the VLAN that was the secondary VLAN is shown as normal in the display. In the show vlan private-vlan output, the primary and secondary VLAN pair is shown as nonoperational.

Examples

This is an example of output from the show vlan command. See the table that follows for descriptions of the fields in the display.

Device> show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/2, Gi1/0/3, Gi1/0/4
                                                Gi1/0/5, Gi1/0/6, Gi1/0/7
                                                Gi1/0/8, Gi1/0/9, Gi1/0/10
                                                Gi1/0/11, Gi1/0/12, Gi1/0/13
                                                Gi1/0/14, Gi1/0/15, Gi1/0/16
                                                Gi1/0/17, Gi1/0/18, Gi1/0/19
                                                Gi1/0/20, Gi1/0/21, Gi1/0/22
                                                Gi1/0/23, Gi1/0/24, Gi1/0/25
                                                Gi1/0/26, Gi1/0/27, Gi1/0/28
                                                Gi1/0/29, Gi1/0/30, Gi1/0/31
                                                Gi1/0/32, Gi1/0/33, Gi1/0/34
                                                Gi1/0/35, Gi1/0/36, Gi1/0/37
                                                Gi1/0/38, Gi1/0/39, Gi1/0/40
                                                Gi1/0/41, Gi1/0/42, Gi1/0/43
                                                Gi1/0/44, Gi1/0/45, Gi1/0/46
                                                Gi1/0/47, Gi1/0/48
2    VLAN0002                         active
40   vlan-40                          active
300  VLAN0300                         active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
2    enet  100002     1500  -      -      -        -    -        0      0
40   enet  100040     1500  -      -      -        -    -        0      0
300  enet  100300     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0
2000 enet  102000     1500  -      -      -        -    -        0      0
3000 enet  103000     1500  -      -      -        -    -        0      0

Remote SPAN VLANs
------------------------------------------------------------------------------
2000,3000

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

Table 1. show vlan Command Output Fields

Field

Description

VLAN

VLAN number.

Name

Name, if configured, of the VLAN.

Status

Status of the VLAN (active or suspend).

Ports

Ports that belong to the VLAN.

Type

Media type of the VLAN.

SAID

Security association ID value for the VLAN.

MTU

Maximum transmission unit size for the VLAN.

Parent

Parent VLAN, if one exists.

RingNo

Ring number for the VLAN, if applicable.

BridgeNo

Bridge number for the VLAN, if applicable.

Stp

Spanning Tree Protocol type used on the VLAN.

BrdgMode

Bridging mode for this VLAN—possible values are source-route bridging (SRB) and source-route transparent (SRT); the default is SRB.

Trans1

Translation bridge 1.

Trans2

Translation bridge 2.

Remote SPAN VLANs

Identifies any RSPAN VLANs that have been configured.

Primary/Secondary/Type/Ports

Includes any private VLANs that have been configured, including the primary VLAN ID, the secondary VLAN ID, the type of secondary VLAN (community or isolated), and the ports that belong to it.

This is an example of output from the show vlan dot1q tag native command:

Device> enable
Device# show vlan dot1q tag native
dot1q native vlan tagging is disabled

This is an example of output from the show vlan private-vlan command:

Device> show vlan private-vlan
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
10      501       isolated          Gi3/0/3
10      502       community         Gi2/0/11
10      503       non-operational   -
20      25        isolated          Gi1/0/13, Gi1/0/20, Gi1/0/22, Gi1/0/1, Gi2/0/13, Gi2/0/22, Gi3/0/13, Gi3/0/14, Gi3/0/20, Gi3/0/1
20      30        community         Gi1/0/13, Gi1/0/20, Gi1/0/21, Gi1/0/1, Gi2/0/13, Gi2/0/20, Gi3/0/14, Gi3/0/20, Gi3/0/21, Gi3/0/1
20      35        community         Gi1/0/13, Gi1/0/20, Gi1/0/23, Gi1/0/33, Gi1/0/1, Gi2/0/13, Gi3/0/14, Gi3/0/20, Gi3/0/23, Gi3/0/33, Gi3/0/1
20      55        non-operational
2000    2500      isolated          Gi1/0/5, Gi1/0/10, Gi2/0/5, Gi2/0/10, Gi2/0/15

This is an example of output from the show vlan private-vlan type command:

Device> show vlan private-vlan type
Vlan Type
---- -----------------
10   primary
501  isolated
502  community
503  normal
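
The usage guidelines explain that a secondary VLAN whose configuration was deleted while its association stayed on the primary shows as normal in show vlan private-vlan type and as a nonoperational pair in show vlan private-vlan. The following added example (not Cisco code) correlates the two outputs to report such pairs; the function names are assumptions, and the sample text is trimmed from the two outputs above and treated here as coming from one device.

```python
import re

# Added example: correlate 'show vlan private-vlan' with 'show vlan private-vlan type'.
PAIR_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+([A-Za-z-]+)\s*(.*)$")
TYPE_RE = re.compile(r"^\s*(\d+)\s+([A-Za-z-]+)\s*$")

REASON_DELETED = "secondary VLAN configuration deleted, association left on the primary"
REASON_UNKNOWN = "cause not visible in these outputs"


def parse_pairs(output):
    """Parse primary/secondary rows; header and separator lines do not match."""
    pairs = []
    for line in output.splitlines():
        m = PAIR_RE.match(line)
        if not m:
            continue
        ports = [p for p in re.split(r"[,\s]+", m.group(4)) if p and p != "-"]
        pairs.append({
            "primary": int(m.group(1)),
            "secondary": int(m.group(2)),
            # The output prints 'non-operational'; the prose says 'nonoperational'.
            "type": m.group(3).lower().replace("-", ""),
            "ports": ports,
        })
    return pairs


def parse_types(output):
    """Parse 'Vlan Type' rows into {vlan_id: type}."""
    types = {}
    for line in output.splitlines():
        m = TYPE_RE.match(line)
        if m:
            types[int(m.group(1))] = m.group(2).lower()
    return types


def audit(pair_output, type_output):
    """Return (primary, secondary, reason) for every nonoperational pair."""
    types = parse_types(type_output)
    findings = []
    for pair in parse_pairs(pair_output):
        if pair["type"] != "nonoperational":
            continue
        sec = pair["secondary"]
        reason = REASON_DELETED if types.get(sec) == "normal" else REASON_UNKNOWN
        findings.append((pair["primary"], sec, reason))
    return findings


# Sample text trimmed from the outputs shown on this page.
PAIRS = """
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
10      501       isolated          Gi3/0/3
10      502       community         Gi2/0/11
10      503       non-operational   -
20      55        non-operational
"""

TYPES = """
Vlan Type
---- -----------------
10   primary
501  isolated
502  community
503  normal
"""

if __name__ == "__main__":
    for finding in audit(PAIRS, TYPES):
        print(finding)
```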

This is an example of output from the show vlan summary command:

Device> show vlan summary
Number of existing VLANs               : 45
 Number of existing VTP VLANs          : 45
 Number of existing extended VLANS     : 0

This is an example of output from the show vlan id command:

Device# show vlan id 2
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
2    VLAN0200                         active    Gi1/0/7, Gi1/0/8
2    VLAN0200                         active    Gi2/0/1, Gi2/0/2

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
2    enet  100002     1500  -      -      -        -    -        0      0

Remote SPAN VLANs
------------------------------------------------------------------------------
Disabled

show vtp

To display general information about the VLAN Trunking Protocol (VTP) management domain, status, and counters, use the show vtp command in EXEC mode.

show vtp {counters | devices [conflicts] | interface [interface-id] | password | status}

Syntax Description

counters

Displays the VTP statistics for the device.

devices

Displays information about all VTP version 3 devices in the domain. This keyword applies only if the device is not running VTP version 3.

conflicts

(Optional) Displays information about VTP version 3 devices that have conflicting primary servers. This command is ignored when the device is in VTP transparent or VTP off mode.

interface

Displays VTP status and configuration for all interfaces or the specified interface.

interface-id

(Optional) Interface for which to display VTP status and configuration. This can be a physical interface or a port channel.

password

Displays whether the VTP password is configured or not (available in privileged EXEC mode only).

status

Displays general information about the VTP management domain status.

Command Modes

User EXEC

Privileged EXEC

Command History

Release Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Cisco IOS XE Gibraltar 16.12.4

The show vtp password command output now displays whether the password is or is not configured.

Examples

This is an example of output from the show vtp devices command. A Yes in the Conflict column indicates that the responding server is in conflict with the local server for the feature; that is, when two devices in the same domain do not have the same primary server for a database.

Device> enable
Device# show vtp devices
Retrieving information from the VTP domain. Waiting for 5 seconds.
VTP Database Conf Device ID      Primary Server Revision   System Name
             lict
------------ ---- -------------- -------------- ---------- ----------------------
VLAN         Yes  00b0.8e50.d000 000c.0412.6300 12354      main.cisco.com
MST          No   00b0.8e50.d000 0004.AB45.6000 24         main.cisco.com
VLAN         Yes  000c.0412.6300=000c.0412.6300 67         qwerty.cisco.com

This is an example of output from the show vtp counters command. The table that follows describes each field in the display.

Device> show vtp counters
VTP statistics:
Summary advertisements received    : 0
Subset advertisements received     : 0
Request advertisements received    : 0
Summary advertisements transmitted : 0
Subset advertisements transmitted  : 0
Request advertisements transmitted : 0
Number of config revision errors   : 0
Number of config digest errors     : 0
Number of V1 summary errors        : 0

VTP pruning statistics:

Trunk            Join Transmitted Join Received    Summary advts received from
                                                   non-pruning-capable device
---------------- ---------------- ---------------- ---------------------------
Gi1/0/47              0               0                0
Gi1/0/48              0               0                0
Gi2/0/1               0               0                0
Gi3/0/2               0               0                0

Table 2. show vtp counters Field Descriptions

Field

Description

Summary advertisements received

Number of summary advertisements received by this device on its trunk ports. Summary advertisements contain the management domain name, the configuration revision number, the update timestamp and identity, the authentication checksum, and the number of subset advertisements to follow.

Subset advertisements received

Number of subset advertisements received by this device on its trunk ports. Subset advertisements contain all the information for one or more VLANs.

Request advertisements received

Number of advertisement requests received by this device on its trunk ports. Advertisement requests normally request information on all VLANs. They can also request information on a subset of VLANs.

Summary advertisements transmitted

Number of summary advertisements sent by this device on its trunk ports. Summary advertisements contain the management domain name, the configuration revision number, the update timestamp and identity, the authentication checksum, and the number of subset advertisements to follow.

Subset advertisements transmitted

Number of subset advertisements sent by this device on its trunk ports. Subset advertisements contain all the information for one or more VLANs.

Request advertisements transmitted

Number of advertisement requests sent by this device on its trunk ports. Advertisement requests normally request information on all VLANs. They can also request information on a subset of VLANs.

Number of configuration revision errors

Number of revision errors.

Whenever you define a new VLAN, delete an existing one, suspend or resume an existing VLAN, or modify the parameters on an existing VLAN, the configuration revision number of the device increments.

Revision errors increment whenever the device receives an advertisement whose revision number matches the revision number of the device, but the MD5 digest values do not match. This error means that the VTP password in the two devices is different or that the devices have different configurations.

These errors indicate that the device is filtering incoming advertisements, which causes the VTP database to become unsynchronized across the network.

Number of configuration digest errors

Number of MD5 digest errors.

Digest errors increment whenever the MD5 digest in the summary packet and the MD5 digest of the received advertisement calculated by the device do not match. This error usually means that the VTP password in the two devices is different. To solve this problem, make sure the VTP password on all devices is the same.

These errors indicate that the device is filtering incoming advertisements, which causes the VTP database to become unsynchronized across the network.

Number of V1 summary errors

Number of Version 1 errors.

Version 1 summary errors increment whenever a device in VTP V2 mode receives a VTP Version 1 frame. These errors indicate that at least one neighboring device is either running VTP Version 1 or VTP Version 2 with V2-mode disabled. To solve this problem, change the configuration of the devices in VTP V2-mode to disabled.

Join Transmitted

Number of VTP pruning messages sent on the trunk.

Join Received

Number of VTP pruning messages received on the trunk.

Summary Advts Received from non-pruning-capable device

Number of VTP summary messages received on the trunk from devices that do not support pruning.
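The triage that these field descriptions imply, as an added example (not Cisco code and not part of the original reference): a Python parser for show vtp counters output that reports which error counters are non-zero, or have grown since a saved baseline, and which trunks hear summaries from non-pruning-capable devices. The sample output and its non-zero values are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in the layout shown above; the non-zero values are invented.
SAMPLE = """\
VTP statistics:
Summary advertisements received    : 412
Subset advertisements received     : 9
Request advertisements received    : 0
Summary advertisements transmitted : 398
Subset advertisements transmitted  : 4
Request advertisements transmitted : 2
Number of config revision errors   : 0
Number of config digest errors     : 7
Number of V1 summary errors        : 3

VTP pruning statistics:

Trunk            Join Transmitted Join Received    Summary advts received from
                                                   non-pruning-capable device
---------------- ---------------- ---------------- ---------------------------
Gi1/0/47              120             118              0
Gi1/0/48              0               0                5
"""

# Meaning of each error counter, condensed from the field descriptions.
ERROR_MEANING = {
    "Number of config revision errors":
        "revision numbers match but MD5 digests differ: the VTP password "
        "or the configuration differs between the two devices",
    "Number of config digest errors":
        "digest in the summary packet differs from the digest computed "
        "locally: the VTP password usually differs",
    "Number of V1 summary errors":
        "a VTP Version 1 frame arrived while this device is in V2 mode",
}

COUNTER_RE = re.compile(r"^([A-Za-z0-9 ]+?)\s*:\s*(\d+)\s*$")
TRUNK_RE = re.compile(r"^(\S+\d)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_vtp_counters(text):
    """Return (global counters, per-trunk pruning counters) as dicts."""
    counters, trunks = {}, {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
            continue
        m = TRUNK_RE.match(line)
        if m:
            trunks[m.group(1)] = {
                "join_tx": int(m.group(2)),
                "join_rx": int(m.group(3)),
                "summary_from_non_pruning": int(m.group(4)),
            }
    return counters, trunks


def error_findings(counters, baseline=None):
    """List (field, increase, meaning) for error counters above the baseline.

    Counters accumulate until "clear vtp counters" is entered, so comparing
    against an earlier snapshot shows whether errors are still occurring.
    """
    baseline = baseline or {}
    findings = []
    for field, meaning in ERROR_MEANING.items():
        grew = counters.get(field, 0) - baseline.get(field, 0)
        if grew > 0:
            findings.append((field, grew, meaning))
    return findings


def non_pruning_trunks(trunks):
    """Trunks that received summaries from devices without pruning support."""
    return sorted(t for t, c in trunks.items()
                  if c["summary_from_non_pruning"] > 0)


if __name__ == "__main__":
    counters, trunks = parse_vtp_counters(SAMPLE)
    for field, grew, meaning in error_findings(counters):
        print(f"{field}: +{grew} ({meaning})")
    print("non-pruning-capable neighbors on:", non_pruning_trunks(trunks))
```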

This is an example of output from the show vtp status command. The table that follows describes each field in the display.

Device> show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 1
VTP Domain Name                 :
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : 2037.06ce.3580
Configuration last modified by 192.168.1.1 at 10-10-12 04:34:02
Local updater ID is 192.168.1.1 on interface LIIN0 (first layer3 interface found
)

Feature VLAN:
--------------
VTP Operating Mode                : Server
Maximum VLANs supported locally   : 1005
Number of existing VLANs          : 7
Configuration Revision            : 2
MD5 digest                        : 0xA0 0xA1 0xFE 0x4E 0x7E 0x5D 0x97 0x41
                                    0x89 0xB9 0x9B 0x70 0x03 0x61 0xE9 0x27

Table 3. show vtp status Field Descriptions

Field

Description

VTP Version capable

Displays the VTP versions that are capable of operating on the device.

VTP Version running

Displays the VTP version operating on the device. By default, the device implements Version 1 but can be set to Version 2.

VTP Domain Name

Name that identifies the administrative domain for the device.

VTP Pruning Mode

Displays whether pruning is enabled or disabled. Enabling pruning on a VTP server enables pruning for the entire management domain. Pruning restricts flooded traffic to those trunk links that the traffic must use to access the appropriate network devices.

VTP Traps Generation

Displays whether VTP traps are sent to a network management station.

Device ID

Displays the MAC address of the local device.

Configuration last modified

Displays the date and time of the last configuration modification. Displays the IP address of the device that caused the configuration change to the database.

VTP Operating Mode

Displays the VTP operating mode, which can be server, client, or transparent.

Server—A device in VTP server mode is enabled for VTP and sends advertisements. You can configure VLANs on it. The device guarantees that it can recover all the VLAN information in the current VTP database from NVRAM after reboot. By default, every device is a VTP server.

Note

The device automatically changes from VTP server mode to VTP client mode if it detects a failure while writing the configuration to NVRAM and cannot return to server mode until the NVRAM is functioning.

Client—A device in VTP client mode is enabled for VTP, can send advertisements, but does not have enough nonvolatile storage to store VLAN configurations. You cannot configure VLANs on it. When a VTP client starts up, it does not send VTP advertisements until it receives advertisements to initialize its VLAN database.

Transparent—A device in VTP transparent mode is disabled for VTP, does not send or learn from advertisements sent by other devices, and cannot affect VLAN configurations on other devices in the network. The device receives VTP advertisements and forwards them on all trunk ports except the one on which the advertisement was received.

Maximum VLANs Supported Locally

Maximum number of VLANs supported locally.

Number of Existing VLANs

Number of existing VLANs.

Configuration Revision

Current configuration revision number on this device.

MD5 Digest

A 16-byte checksum of the VTP configuration.

switchport mode private-vlan

To configure an interface as either a host private-VLAN port or a promiscuous private-VLAN port, use the switchport mode private-vlan command in interface configuration mode. To reset the mode to the appropriate default for the device, use the no form of this command.

switchport mode private-vlan {host | promiscuous}

no switchport mode private-vlan

Syntax Description

host

Configures the interface as a private-VLAN host port. Host ports belong to private-VLAN secondary VLANs and are either community ports or isolated ports, depending on the VLAN to which they belong.

promiscuous

Configures the interface as a private-VLAN promiscuous port. Promiscuous ports are members of private-VLAN primary VLANs.

Command Default

None

Command Modes

Interface configuration

Command History

Release Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

A private-VLAN host or promiscuous port cannot be a Switched Port Analyzer (SPAN) destination port. If you configure a SPAN destination port as a private-VLAN host or promiscuous port, the port becomes inactive.

Do not configure private VLAN on ports with these other features:

  • Dynamic-access port VLAN membership

  • Dynamic Trunking Protocol (DTP)

  • Port Aggregation Protocol (PAgP)

  • Link Aggregation Control Protocol (LACP)

  • Multicast VLAN Registration (MVR)

  • Voice VLAN

While a port is part of the private-VLAN configuration, any EtherChannel configuration for it is inactive.

A private-VLAN port cannot be a secure port and should not be configured as a protected port.

For more information about private-VLAN interaction with other features, see the software configuration guide for this release.

We strongly recommend that you enable spanning tree Port Fast and bridge-protocol-data-unit (BPDU) guard on isolated and community host ports to prevent STP loops due to misconfigurations and to speed up STP convergence.

If you configure a port as a private-VLAN host port and you do not configure a valid private-VLAN association by using the switchport private-vlan host-association command, the interface becomes inactive.

If you configure a port as a private-VLAN promiscuous port and you do not configure a valid private-VLAN mapping by using the switchport private-vlan mapping command, the interface becomes inactive.

Examples

This example shows how to configure an interface as a private-VLAN host port and associate it to primary VLAN 20. The interface is a member of secondary isolated VLAN 501 and primary VLAN 20.

Device(config)# interface gigabitethernet2/0/1
Device(config-if)# switchport mode private-vlan host
Device(config-if)# switchport private-vlan host-association 20 501
Device(config-if)# end

This example shows how to configure an interface as a private-VLAN promiscuous port and map it to a private VLAN. The interface is a member of primary VLAN 20 and secondary VLANs 501 to 503 are mapped to it.

Device(config)# interface gigabitethernet2/0/1
Device(config-if)# switchport mode private-vlan promiscuous
Device(config-if)# switchport private-vlan mapping 20 501-503
Device(config-if)# end
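An added example, not part of the original reference: a Python audit of a saved configuration against the usage guidelines above. It reports private-VLAN ports that lack the host association or mapping that keeps them active, ports that combine private VLAN with a feature the guidelines exclude, and host ports without Port Fast and BPDU guard. The configuration excerpt is constructed, the function names are hypothetical, and recognizing each feature by its interface-level command line is an assumption of this example.

```python
# Constructed running-config excerpt; interfaces and VLAN IDs are sample values.
SAMPLE_CONFIG = """\
interface GigabitEthernet2/0/1
 switchport mode private-vlan host
 switchport private-vlan host-association 20 501
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet2/0/2
 switchport mode private-vlan host
 switchport voice vlan 110
!
interface GigabitEthernet2/0/3
 switchport mode private-vlan promiscuous
 switchport port-security
!
interface GigabitEthernet2/0/4
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 20 501-503
!
interface GigabitEthernet2/0/5
 switchport mode access
 switchport access vlan 30
!
"""

MODE = "switchport mode private-vlan "

# Command each role needs so that the interface does not become inactive.
REQUIRED = {
    "host": ("switchport private-vlan host-association ", "missing host-association"),
    "promiscuous": ("switchport private-vlan mapping ", "missing mapping"),
}

# Features the guidelines say not to combine with private VLAN, keyed by the
# interface command that enables them (assumed mapping, not from the page).
CONFLICTS = {
    "switchport voice vlan": "voice VLAN",
    "switchport port-security": "secure port",
    "switchport protected": "protected port",
    "channel-group": "EtherChannel (PAgP/LACP)",
}


def interface_blocks(config):
    """Map each interface name to its indented configuration lines."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # "!" or a global command ends the block
    return blocks


def audit_private_vlan(config):
    """Return {interface: [findings]} for every private-VLAN port."""
    report = {}
    for name, lines in interface_blocks(config).items():
        role = next((l[len(MODE):] for l in lines if l.startswith(MODE)), None)
        if role not in REQUIRED:
            continue  # not a private-VLAN host or promiscuous port
        findings = []
        prefix, message = REQUIRED[role]
        if not any(l.startswith(prefix) for l in lines):
            findings.append(message)
        for command, feature in CONFLICTS.items():
            if any(l.startswith(command) for l in lines):
                findings.append(f"conflict: {feature}")
        if role == "host":
            # Interface-level settings only; global spanning-tree defaults
            # are not visible inside an interface block.
            if not any(l.startswith("spanning-tree portfast")
                       and not l.endswith("disable") for l in lines):
                findings.append("missing Port Fast")
            if "spanning-tree bpduguard enable" not in lines:
                findings.append("missing BPDU guard")
        report[name] = findings
    return report


if __name__ == "__main__":
    for port, findings in audit_private_vlan(SAMPLE_CONFIG).items():
        print(port, "->", findings or "ok")
```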

switchport priority extend

To set a port priority for the incoming untagged frames or the priority of frames received by the IP phone connected to the specified port, use the switchport priority extend command in interface configuration mode. To return to the default setting, use the no form of this command.

switchport priority extend {cos value | trust}

no switchport priority extend

Syntax Description

cos value

Sets the IP phone port to override the IEEE 802.1p priority received from the PC or the attached device with the specified class of service (CoS) value. The range is 0 to 7. Seven is the highest priority. The default is 0.

trust

Sets the IP phone port to trust the IEEE 802.1p priority received from the PC or the attached device.

Command Default

The default port priority is set to a CoS value of 0 for untagged frames received on the port.

Command Modes

Interface configuration

Command History

Release Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

When voice VLAN is enabled, you can configure the device to send the Cisco Discovery Protocol (CDP) packets to instruct the IP phone how to send data packets from the device attached to the access port on the Cisco IP Phone. You must enable CDP on the device port connected to the Cisco IP Phone to send the configuration to the Cisco IP Phone. (CDP is enabled by default globally and on all device interfaces.)

You should configure voice VLAN on the device access ports.

Examples

This example shows how to configure the IP phone connected to the specified port to trust the received IEEE 802.1p priority:

Device> enable
Device# configure terminal
Device(config)# interface gigabitethernet1/0/2
Device(config-if)# switchport priority extend trust

You can verify your settings by entering the show interfaces interface-id switchport privileged EXEC command.

switchport trunk

To set the trunk characteristics when the interface is in trunking mode, use the switchport trunk command in interface configuration mode. To reset a trunking characteristic to the default, use the no form of this command.

switchport trunk {allowed vlan vlan-list | native vlan vlan-id | pruning vlan vlan-list}

no switchport trunk {allowed vlan | native vlan | pruning vlan}

Syntax Description

allowed vlan vlan-list

Sets the list of allowed VLANs that can receive and send traffic on this interface in tagged format when in trunking mode. See the Usage Guidelines for the vlan-list choices.

native vlan vlan-id

Sets the native VLAN for sending and receiving untagged traffic when the interface is in IEEE 802.1Q trunking mode. The range is 1 to 4094.

pruning vlan vlan-list

Sets the list of VLANs that are eligible for VTP pruning when in trunking mode. See the Usage Guidelines for the vlan-list choices.

Command Default

VLAN 1 is the default native VLAN ID on the port.

The default for all VLAN lists is to include all VLANs.

Command Modes

Interface configuration

Command History

Release Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

The vlan-list format is all | none | [add | remove | except] vlan-atom [,vlan-atom...]:

  • all specifies all VLANs from 1 to 4094. This is the default. This keyword is not allowed on commands that do not permit all VLANs in the list to be set at the same time.

  • none specifies an empty list. This keyword is not allowed on commands that require certain VLANs to be set or at least one VLAN to be set.

  • add adds the defined list of VLANs to those currently set instead of replacing the list. Valid IDs are from 1 to 1005; extended-range VLANs (VLAN IDs greater than 1005) are valid in some cases.


    Note


    You can add extended-range VLANs to the allowed VLAN list, but not to the pruning-eligible VLAN list.


    Separate nonconsecutive VLAN IDs with a comma; use a hyphen to designate a range of IDs.

  • remove removes the defined list of VLANs from those currently set instead of replacing the list. Valid IDs are from 1 to 1005; extended-range VLAN IDs are valid in some cases.


    Note


    You can remove extended-range VLANs from the allowed VLAN list, but you cannot remove them from the pruning-eligible list.


  • except lists the VLANs that should be calculated by inverting the defined list of VLANs. (VLANs are added except the ones specified.) Valid IDs are from 1 to 1005. Separate nonconsecutive VLAN IDs with a comma; use a hyphen to designate a range of IDs.

  • vlan-atom is either a single VLAN number from 1 to 4094 or a continuous range of VLANs described by two VLAN numbers, the lesser one first, separated by a hyphen.
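The vlan-list grammar above, as an added example that is not part of the original reference: a Python evaluator that applies a vlan-list to a trunk's current allowed-VLAN set, so the effective list after a sequence of switchport trunk allowed vlan commands can be checked before it is pushed to a device. It models the allowed list only; treating except as an inversion over VLANs 1 to 4094 is an assumption, and the function names are hypothetical.

```python
import re

ALL_VLANS = frozenset(range(1, 4095))   # "all" means VLANs 1 to 4094
ATOM_RE = re.compile(r"(\d+)(?:-(\d+))?", re.ASCII)


def parse_atoms(spec):
    """Expand 'vlan-atom[,vlan-atom...]' into a set of VLAN IDs."""
    vlans = set()
    for atom in spec.split(","):
        m = ATOM_RE.fullmatch(atom)
        if not m:
            raise ValueError(f"bad vlan-atom: {atom!r}")
        first = int(m.group(1))
        last = int(m.group(2)) if m.group(2) else first
        # A range lists the lesser VLAN first; IDs run from 1 to 4094.
        if not 1 <= first <= last <= 4094:
            raise ValueError(f"vlan-atom out of range or reversed: {atom!r}")
        vlans.update(range(first, last + 1))
    return vlans


def apply_vlan_list(current, vlan_list):
    """Return the allowed-VLAN set after applying one vlan-list argument."""
    words = vlan_list.split()
    if not words:
        raise ValueError("empty vlan-list")
    keyword = words[0]
    if keyword in ("all", "none"):
        if len(words) != 1:
            raise ValueError(f"{keyword} takes no vlan-atom")
        return set(ALL_VLANS) if keyword == "all" else set()
    if keyword in ("add", "remove", "except"):
        if len(words) != 2:
            raise ValueError(f"{keyword} needs exactly one vlan-atom list")
        atoms = parse_atoms(words[1])
        if keyword == "add":
            return set(current) | atoms      # extend instead of replacing
        if keyword == "remove":
            return set(current) - atoms      # shrink instead of replacing
        return set(ALL_VLANS) - atoms        # except: everything but these
    if len(words) != 1:
        raise ValueError(f"unexpected keyword: {keyword!r}")
    return parse_atoms(keyword)              # bare list replaces the set


def compact(vlans):
    """Render a VLAN set the way the CLI lists it, for example '1-2,5-6,10'."""
    if not vlans:
        return "none"
    ordered = sorted(vlans)
    runs, start, prev = [], ordered[0], ordered[0]
    for vlan in ordered[1:]:
        if vlan != prev + 1:
            runs.append((start, prev))
            start = vlan
        prev = vlan
    runs.append((start, prev))
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in runs)


if __name__ == "__main__":
    allowed = set(ALL_VLANS)                 # default: every VLAN is allowed
    for step in ("10,20", "add 1,2,5,6", "remove 1", "except 3,10-15"):
        allowed = apply_vlan_list(allowed, step)
        print(f"allowed vlan {step:<16} -> {compact(allowed)}")
```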

Native VLANs:

  • All untagged traffic received on an IEEE 802.1Q trunk port is forwarded with the native VLAN configured for the port.

  • If a packet has a VLAN ID that is the same as the sending-port native VLAN ID, the packet is sent without a tag; otherwise, the switch sends the packet with a tag.

  • The no form of the native vlan command resets the native mode VLAN to the appropriate default VLAN for the device.

Allowed VLAN:

  • To reduce the risk of spanning-tree loops or storms, you can disable VLAN 1 on any individual VLAN trunk port by removing VLAN 1 from the allowed list. When you remove VLAN 1 from a trunk port, the interface continues to send and receive management traffic, for example, Cisco Discovery Protocol (CDP), Port Aggregation Protocol (PAgP), Link Aggregation Control Protocol (LACP), Dynamic Trunking Protocol (DTP), and VLAN Trunking Protocol (VTP) in VLAN 1.

  • The no form of the allowed vlan command resets the list to the default list, which allows all VLANs.

Trunk pruning:

  • The pruning-eligible list applies only to trunk ports.

  • Each trunk port has its own eligibility list.

  • If you do not want a VLAN to be pruned, remove it from the pruning-eligible list. VLANs that are pruning-ineligible receive flooded traffic.

  • VLAN 1, VLANs 1002 to 1005, and extended-range VLANs (VLANs 1006 to 4094) cannot be pruned.

Examples

This example shows how to configure VLAN 3 as the default for the port to send all untagged traffic:

Device> enable
Device# configure terminal
Device(config)# interface gigabitethernet1/0/2
Device(config-if)# switchport trunk native vlan 3

This example shows how to add VLANs 1, 2, 5, and 6 to the allowed list:

Device> enable
Device# configure terminal
Device(config)# interface gigabitethernet1/0/2
Device(config-if)# switchport trunk allowed vlan add 1,2,5,6

This example shows how to remove VLANs 3 and 10 to 15 from the pruning-eligible list:

Device> enable
Device# configure terminal
Device(config)# interface gigabitethernet1/0/2
Device(config-if)# switchport trunk pruning vlan remove 3,10-15

You can verify your settings by entering the show interfaces interface-id switchport privileged EXEC command.

vlan

To add a VLAN and to enter the VLAN configuration mode, use the vlan command in global configuration mode. To delete the VLAN, use the no form of this command.

vlan vlan-id

no vlan vlan-id

Syntax Description

vlan-id

ID of the VLAN to be added and configured. The range is 1 to 4094. You can enter a single VLAN ID, a series of VLAN IDs separated by commas, or a range of VLAN IDs separated by hyphens.

Command Default

None

Command Modes

Global configuration

Command History

Release Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

You can use the vlan vlan-id global configuration command to add normal-range VLANs (VLAN IDs 1 to 1005) or extended-range VLANs (VLAN IDs 1006 to 4094). Configuration information for normal-range VLANs is always saved in the VLAN database, and you can display this information by entering the show vlan privileged EXEC command. If the VTP mode is transparent, VLAN configuration information for normal-range VLANs is also saved in the running configuration file. VLAN IDs in the extended range are not saved in the VLAN database, but they are stored in the switch running configuration file, and you can save the configuration in the startup configuration file.

VTP version 3 supports propagation of extended-range VLANs. VTP versions 1 and 2 propagate only VLANs 1 to 1005.

When you save the VLAN and VTP configurations in the startup configuration file and reboot the device, the configuration is selected as follows:

  • If the VTP mode is transparent in the startup configuration and the VLAN database and the VTP domain name from the VLAN database matches that in the startup configuration file, the VLAN database is ignored (cleared), and the VTP and VLAN configurations in the startup configuration file are used. The VLAN database revision number remains unchanged in the VLAN database.

  • If the VTP mode or domain name in the startup configuration does not match the VLAN database, the domain name and VTP mode and configuration for VLAN IDs 1 to 1005 use the VLAN database information.

If you enter an invalid VLAN ID, you receive an error message and do not enter VLAN configuration mode.

Entering the vlan command with a VLAN ID enables VLAN configuration mode. When you enter the VLAN ID of an existing VLAN, you do not create a new VLAN, but you can modify VLAN parameters for that VLAN. The specified VLANs are added or modified when you exit the VLAN configuration mode. Only the shutdown command (for VLANs 1 to 1005) takes effect immediately.


Note


Although all commands are visible, the only VLAN configuration command that is supported on extended-range VLANs is remote-span. For extended-range VLANs, all other characteristics must remain at the default state.

These configuration commands are available in VLAN configuration mode. The no form of each command returns the characteristic to its default state:

  • are are-number —Defines the maximum number of all-routes explorer (ARE) hops for this VLAN. This keyword applies only to TrCRF VLANs. The range is 0 to 13. The default is 7. If no value is entered, 0 is assumed to be the maximum.

  • backupcrf —Specifies the backup CRF mode. This keyword applies only to TrCRF VLANs.

    • enable —Enables backup CRF mode for this VLAN.

    • disable —Disables backup CRF mode for this VLAN (the default).

  • bridge {bridge-number | type} —Specifies the logical distributed source-routing bridge, the bridge that interconnects all logical rings that have this VLAN as a parent VLAN in FDDI-NET, Token Ring-NET, and TrBRF VLANs. The range is 0 to 15. The default bridge number is 0 (no source-routing bridge) for FDDI-NET, TrBRF, and Token Ring-NET VLANs. The type keyword applies only to TrCRF VLANs and is one of these:

    • srb —Source-route bridging

    • srt —Source-route transparent bridging VLAN

  • exit —Applies changes, increments the VLAN database revision number (VLANs 1 to 1005 only), and exits VLAN configuration mode.

  • media —Defines the VLAN media type and is one of these:


    Note


    The device supports only Ethernet ports. You configure only FDDI and Token Ring media-specific characteristics for VLAN Trunking Protocol (VTP) global advertisements to other devices. These VLANs are locally suspended.

    • ethernet —Ethernet media type (the default).

    • fd-net —FDDI network entity title (NET) media type.

    • fddi —FDDI media type.

    • tokenring —Token Ring media type if the VTP v2 mode is disabled, or TrCRF if the VTP Version 2 (v2) mode is enabled.

    • tr-net —Token Ring network entity title (NET) media type if the VTP v2 mode is disabled or TrBRF media type if the VTP v2 mode is enabled.

    See the table that follows for valid commands and syntax for different media types.

  • name vlan-name —Names the VLAN with an ASCII string from 1 to 32 characters that must be unique within the administrative domain. The default is VLANxxxx where xxxx represents four numeric digits (including leading zeros) equal to the VLAN ID number.

  • no —Negates a command or returns it to the default setting.

  • parent parent-vlan-id —Specifies the parent VLAN of an existing FDDI, Token Ring, or TrCRF VLAN. This parameter identifies the TrBRF to which a TrCRF belongs and is required when defining a TrCRF. The range is 0 to 1005. The default parent VLAN ID is 0 (no parent VLAN) for FDDI and Token Ring VLANs. For both Token Ring and TrCRF VLANs, the parent VLAN ID must already exist in the database and be associated with a Token Ring-NET or TrBRF VLAN.

  • remote-span —Configures the VLAN as a Remote SPAN (RSPAN) VLAN. When the RSPAN feature is added to an existing VLAN, the VLAN is first deleted and is then recreated with the RSPAN feature. Any access ports are deactivated until the RSPAN feature is removed. If VTP is enabled, the new RSPAN VLAN is propagated by VTP for VLAN IDs that are lower than 1024. Learning is disabled on the VLAN.

  • ring ring-number —Defines the logical ring for an FDDI, Token Ring, or TrCRF VLAN. The range is 1 to 4095. The default for Token Ring VLANs is 0. For FDDI VLANs, there is no default.

  • said said-value —Specifies the security association identifier (SAID) as documented in IEEE 802.10. The range is 1 to 4294967294, and the number must be unique within the administrative domain. The default value is 100000 plus the VLAN ID number.

  • shutdown —Shuts down VLAN switching on the VLAN. This command takes effect immediately. Other commands take effect when you exit VLAN configuration mode.

  • state —Specifies the VLAN state:

    • active means the VLAN is operational (the default).

    • suspend means the VLAN is suspended. Suspended VLANs do not pass packets.

  • ste ste-number —Defines the maximum number of spanning-tree explorer (STE) hops. This keyword applies only to TrCRF VLANs. The range is 0 to 13. The default is 7.

  • stp type —Defines the spanning-tree type for FDDI-NET, Token Ring-NET, or TrBRF VLANs. For FDDI-NET VLANs, the default STP type is ieee. For Token Ring-NET VLANs, the default STP type is ibm. For FDDI and Token Ring VLANs, the default is no type specified.

    • ieee —IEEE Ethernet STP running source-route transparent (SRT) bridging.

    • ibm —IBM STP running source-route bridging (SRB).

    • auto —STP running a combination of source-route transparent bridging (IEEE) and source-route bridging (IBM).

  • tb-vlan1 tb-vlan1-id and tb-vlan2 tb-vlan2-id —Specifies the first and second VLAN to which this VLAN is translationally bridged. Translational VLANs translate FDDI or Token Ring to Ethernet, for example. The range is 0 to 1005. If no value is specified, 0 (no translational bridging) is assumed.

Table 4. Valid Commands and Syntax for Different Media Types

Media Type

Valid Syntax

Ethernet

name vlan-name, media ethernet, state {suspend | active}, said said-value, remote-span, tb-vlan1 tb-vlan1-id, tb-vlan2 tb-vlan2-id

FDDI

name vlan-name, media fddi, state {suspend | active}, said said-value, ring ring-number, parent parent-vlan-id, tb-vlan1 tb-vlan1-id, tb-vlan2 tb-vlan2-id

FDDI-NET

name vlan-name, media fd-net, state {suspend | active}, said said-value, bridge bridge-number, stp type {ieee | ibm | auto}, tb-vlan1 tb-vlan1-id, tb-vlan2 tb-vlan2-id

If VTP v2 mode is disabled, do not set the stp type to auto.

Token Ring

VTP v1 mode is enabled.

name vlan-name, media tokenring, state {suspend | active}, said said-value, ring ring-number, parent parent-vlan-id, tb-vlan1 tb-vlan1-id, tb-vlan2 tb-vlan2-id

Token Ring concentrator relay function (TrCRF)

VTP v2 mode is enabled.

name vlan-name, media tokenring, state {suspend | active}, said said-value, ring ring-number, parent parent-vlan-id, bridge type {srb | srt}, are are-number, ste ste-number, backupcrf {enable | disable}, tb-vlan1 tb-vlan1-id, tb-vlan2 tb-vlan2-id

Token Ring-NET

VTP v1 mode is enabled.

name vlan-name, media tr-net, state {suspend | active}, said said-value, bridge bridge-number, stp type {ieee | ibm}, tb-vlan1 tb-vlan1-id, tb-vlan2 tb-vlan2-id

Token Ring bridge relay function (TrBRF)

VTP v2 mode is enabled.

name vlan-name, media tr-net, state {suspend | active}, said said-value, bridge bridge-number, stp type {ieee | ibm | auto}, tb-vlan1 tb-vlan1-id, tb-vlan2 tb-vlan2-id

The following table describes the rules for configuring VLANs:

Table 5. VLAN Configuration Rules

Configuration

Rule

VTP v2 mode is enabled, and you are configuring a TrCRF VLAN media type.

Specify a parent VLAN ID of a TrBRF that already exists in the database.

Specify a ring number. Do not leave this field blank.

Specify unique ring numbers when TrCRF VLANs have the same parent VLAN ID. Only one backup concentrator relay function (CRF) can be enabled.

VTP v2 mode is enabled, and you are configuring VLANs other than TrCRF media type.

Do not specify a backup CRF.

VTP v2 mode is enabled, and you are configuring a TrBRF VLAN media type.

Specify a bridge number. Do not leave this field blank.

VTP v1 mode is enabled.

No VLAN can have an STP type set to auto.

This rule applies to Ethernet, FDDI, FDDI-NET, Token Ring, and Token Ring-NET VLANs.

Add a VLAN that requires translational bridging (values are not set to zero).

The translational bridging VLAN IDs that are used must already exist in the database.

The translational bridging VLAN IDs that a configuration points to must also contain a pointer to the original VLAN in one of the translational bridging parameters (for example, Ethernet points to FDDI, and FDDI points to Ethernet).

The translational bridging VLAN IDs that a configuration points to must be different media types than the original VLAN (for example, Ethernet can point to Token Ring).

If both translational bridging VLAN IDs are configured, these VLANs must be different media types (for example, Ethernet can point to FDDI and Token Ring).

Examples

This example shows how to add an Ethernet VLAN with default media characteristics. The default includes a vlan-name of VLAN xxxx, where xxxx represents four numeric digits (including leading zeros) equal to the VLAN ID number. The default media is ethernet; the state is active. The default said-value is 100000 plus the VLAN ID; the mtu-size variable is 1500; the stp-type is ieee. When you enter the exit VLAN configuration command, the VLAN is added if it did not already exist; otherwise, this command does nothing.

This example shows how to create a new VLAN with all default characteristics and enter VLAN configuration mode:

Device(config)# vlan 200
Device(config-vlan)# exit
Device(config)#

This example shows how to create a new extended-range VLAN with all the default characteristics, to enter VLAN configuration mode, and to save the new VLAN in the startup configuration file:

Device(config)# vlan 2000
Device(config-vlan)# end
Device# copy running-config startup-config

You can verify your setting by entering the show vlan privileged EXEC command.

vlan dot1q tag native

To enable tagging of native VLAN frames on all IEEE 802.1Q trunk ports, use the vlan dot1q tag native command in global configuration mode. To return to the default setting, use the no form of this command.

vlan dot1q tag native

no vlan dot1q tag native

Syntax Description

This command has no arguments or keywords.

Command Default

The IEEE 802.1Q native VLAN tagging is disabled.

Command Modes

Global configuration

Command History

Release Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

When enabled, native VLAN packets going out of all IEEE 802.1Q trunk ports are tagged.

When disabled, native VLAN packets going out of all IEEE 802.1Q trunk ports are not tagged.

For more information about IEEE 802.1Q tunneling, see the software configuration guide for this release.

Examples

This example shows how to enable IEEE 802.1Q tagging on native VLAN frames:

Device# configure terminal
Device(config)# vlan dot1q tag native
Device(config)# end

You can verify your settings by entering the show vlan dot1q tag native privileged EXEC command.

vtp (global configuration)

To set or modify the VLAN Trunking Protocol (VTP) configuration characteristics, use the vtp command in global configuration mode. To remove the settings or to return to the default settings, use the no form of this command.

vtp {domain domain-name | file filename | interface interface-name [only] | mode {client | off | server | transparent} [mst | unknown | vlan] | password password [hidden | secret] | pruning | version number}

no vtp {file | interface | mode [client | off | server | transparent] [mst | unknown | vlan] | password | pruning | version}

Syntax Description

domain domain-name

Specifies the VTP domain name, an ASCII string from 1 to 32 characters that identifies the VTP administrative domain for the device. The domain name is case sensitive.

file filename

Specifies the Cisco IOS file system file where the VTP VLAN configuration is stored.

interface interface-name

Specifies the name of the interface providing the VTP ID updated for this device.

only

(Optional) Uses only the IP address of this interface as the VTP IP updater.

mode

Specifies the VTP device mode as client, server, or transparent.

client

Places the device in VTP client mode. A device in VTP client mode is enabled for VTP, and can send advertisements, but does not have enough nonvolatile storage to store VLAN configurations. You cannot configure VLANs on a VTP client. VLANs are configured on another device in the domain that is in server mode. When a VTP client starts up, it does not send VTP advertisements until it receives advertisements to initialize its VLAN database.

off

Places the device in VTP off mode. A device in VTP off mode functions the same as a VTP transparent device except that it does not forward VTP advertisements on trunk ports.

server

Places the device in VTP server mode. A device in VTP server mode is enabled for VTP and sends advertisements. You can configure VLANs on the device. The device can recover all the VLAN information in the current VTP database from nonvolatile storage after reboot.

transparent

Places the device in VTP transparent mode. A device in VTP transparent mode is disabled for VTP, does not send advertisements or learn from advertisements sent by other devices, and cannot affect VLAN configurations on other devices in the network. The device receives VTP advertisements and forwards them on all trunk ports except the one on which the advertisement was received.

When VTP mode is transparent, the mode and domain name are saved in the device running configuration file, and you can save them in the device startup configuration file by entering the copy running-config startup-config privileged EXEC command.

mst

(Optional) Sets the mode for the multiple spanning tree (MST) VTP database (only VTP Version 3).

unknown

(Optional) Sets the mode for unknown VTP databases (only VTP Version 3).

vlan

(Optional) Sets the mode for VLAN VTP databases. This is the default (only VTP Version 3).

password password

Sets the administrative domain password for the generation of the 16-byte secret value used in MD5 digest calculation to be sent in VTP advertisements and to validate received VTP advertisements. The password can be an ASCII string from 1 to 32 characters. The password is case sensitive.

hidden

(Optional) Specifies that the key generated from the password string is saved in the VLAN database file. When the hidden keyword is not specified, the password string is saved in clear text. When the hidden password is entered, you need to reenter the password to issue a command in the domain. This keyword is supported only in VTP Version 3.

secret

(Optional) Allows the user to directly configure the password secret key (only VTP Version 3).

pruning

Enables VTP pruning on the device.

version number

Sets the VTP Version to Version 1, Version 2, or Version 3.

Command Default

The default filename is flash:vlan.dat.

The default mode is server mode and the default database is VLAN.

In VTP Version 3, for the MST database, the default mode is transparent.

No domain name or password is defined.

No password is configured.

Pruning is disabled.

The default version is Version 1.

Command Modes

Global configuration

Command History

Release Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

When you save VTP mode, domain name, and VLAN configurations in the device startup configuration file and reboot the device, the VTP and VLAN configurations are selected by these conditions:

  • If the VTP mode is transparent in both the startup configuration and the VLAN database, and the VTP domain name from the VLAN database matches that in the startup configuration file, the VLAN database is ignored (cleared), and the VTP and VLAN configurations in the startup configuration file are used. The VLAN database revision number remains unchanged in the VLAN database.

  • If the VTP mode or domain name in the startup configuration does not match the VLAN database, the domain name and VTP mode and configuration for VLAN IDs 1 to 1005 use the VLAN database information.

The vtp file filename command cannot be used to load a new database; it only renames the file in which the existing database is stored.

Follow these guidelines when configuring a VTP domain name:

  • The device is in the no-management-domain state until you configure a domain name. While in the no-management-domain state, the device does not send any VTP advertisements even if changes occur to the local VLAN configuration. The device leaves the no-management-domain state after it receives the first VTP summary packet on any port that is trunking or after you configure a domain name by using the vtp domain command. If the device receives its domain from a summary packet, it resets its configuration revision number to 0. After the device leaves the no-management-domain state, it cannot be configured to reenter it until you clear the NVRAM and reload the software.

  • Domain names are case-sensitive.

  • After you configure a domain name, it cannot be removed. You can only reassign it to a different domain.

Follow these guidelines when setting VTP mode:

  • The no vtp mode command returns the device to VTP server mode.

  • The vtp mode server command is the same as no vtp mode except that it does not return an error if the device is not in client or transparent mode.

  • If the receiving device is in client mode, the client device changes its configuration to duplicate the configuration of the server. If you have devices in client mode, be sure to make all VTP or VLAN configuration changes on a device in server mode, as it has a higher VTP configuration revision number. If the receiving device is in transparent mode, the device configuration is not changed.

  • A device in transparent mode does not participate in VTP. If you make VTP or VLAN configuration changes on a device in transparent mode, the changes are not propagated to other devices in the network.

  • If you change the VTP or VLAN configuration on a device that is in server mode, that change is propagated to all the devices in the same VTP domain.

  • The vtp mode transparent command disables VTP from the domain but does not remove the domain from the device.

  • In VTP Versions 1 and 2, the VTP mode must be transparent for VTP and VLAN information to be saved in the running configuration file.

  • With VTP Versions 1 and 2, you cannot change the VTP mode to client or server if extended-range VLANs are configured on the switch. Changing the VTP mode is allowed with extended VLANs in VTP Version 3.

  • The VTP mode must be transparent for you to add extended-range VLANs or for VTP and VLAN information to be saved in the running configuration file.

  • VTP can be set to either server or client mode only when dynamic VLAN creation is disabled.

  • The vtp mode off command sets the device to off. The no vtp mode off command resets the device to the VTP server mode.

Follow these guidelines when setting a VTP password:

  • Passwords are case sensitive. Passwords should match on all devices in the same domain.

  • When you use the no vtp password form of the command, the device returns to the no-password state.

  • The hidden and secret keywords are supported only in VTP Version 3. If you convert from VTP Version 2 to VTP Version 3, you must remove the hidden or secret keyword before the conversion.

Follow these guidelines when setting VTP pruning:

  • VTP pruning removes information about each pruning-eligible VLAN from VTP updates if there are no stations belonging to that VLAN.

  • If you enable pruning on the VTP server, it is enabled for the entire management domain for VLAN IDs 1 to 1005.

  • Only VLANs in the pruning-eligible list can be pruned.

  • Pruning is supported with VTP Version 1 and Version 2.

Follow these guidelines when setting the VTP version:

  • Toggling the Version 2 (v2) mode state modifies parameters of certain default VLANs.

  • Each VTP device automatically detects the capabilities of all the other VTP devices. To use Version 2, all VTP devices in the network must support Version 2; otherwise, you must configure them to operate in VTP Version 1 mode.

  • If all devices in a domain are VTP Version 2-capable, you only need to configure Version 2 on one device; the version number is then propagated to the other Version-2 capable devices in the VTP domain.

  • If you are using VTP in a Token Ring environment, VTP Version 2 must be enabled.

  • If you are configuring a Token Ring bridge relay function (TrBRF) or Token Ring concentrator relay function (TrCRF) VLAN media type, you must use Version 2.

  • If you are configuring a Token Ring or Token Ring-NET VLAN media type, you must use Version 1.

  • In VTP Version 3, all database VTP information is propagated across the VTP domain, not only VLAN database information.

  • Two VTP Version 3 regions can only communicate over a VTP Version 1 or VTP Version 2 region in transparent mode.

You cannot save password, pruning, and version configurations in the device configuration file.

Examples

This example shows how to rename the filename for VTP configuration storage to vtpfilename:

Device(config)# vtp file vtpfilename

This example shows how to clear the device storage filename:

Device(config)# no vtp file vtpconfig
Clearing device storage filename.

This example shows how to specify the name of the interface providing the VTP updater ID for this device:

Device(config)# vtp interface gigabitethernet

This example shows how to set the administrative domain for the device:

Device(config)# vtp domain OurDomainName

This example shows how to place the device in VTP transparent mode:

Device(config)# vtp mode transparent

This example shows how to configure the VTP domain password:

Device(config)# vtp password ThisIsOurDomainsPassword

This example shows how to enable pruning in the VLAN database:

Device(config)# vtp pruning
Pruning switched ON

This example shows how to enable Version 2 mode in the VLAN database:

Device(config)# vtp version 2

You can verify your settings by entering the show vtp status privileged EXEC command.

vtp (interface configuration)

To enable the VLAN Trunking Protocol (VTP) on a per-port basis, use the vtp command in interface configuration mode. To disable VTP on the interface, use the no form of this command.

vtp

no vtp

Syntax Description

This command has no arguments or keywords.

Command Modes

Interface configuration

Command History

Release Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

Enter this command only on interfaces that are in trunking mode.

Examples

This example shows how to enable VTP on an interface:

Device> enable
Device(config-if)# vtp

This example shows how to disable VTP on an interface:

Device(config-if)# no vtp
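
The following session is an added example, not part of the original command reference. It combines the password, version, mode, and per-port guidelines above: a clear-text domain password beside a VTP Version 3 hidden password, followed by the settings for a device and a trunk port that should stay out of VTP. The domain name and password are the sample values used in the examples above, and <trunk-interface> is a placeholder.

```cisco
! Constructed example. Domain name and password reuse the sample values
! from the examples above; <trunk-interface> is a placeholder.

! --- Weaker: domain password without the hidden keyword ---
! Without hidden, the password string is saved in clear text.
! The hidden and secret keywords are not available before VTP Version 3.
Device(config)# vtp domain OurDomainName
Device(config)# vtp password ThisIsOurDomainsPassword

! --- Stronger: VTP Version 3 with a hidden password ---
! Set the version first, because hidden is supported only in Version 3.
! With hidden, the key generated from the password is what is saved in
! the VLAN database file, not the password string itself.
Device(config)# vtp domain OurDomainName
Device(config)# vtp version 3
Device(config)# vtp password ThisIsOurDomainsPassword hidden

! --- Device that should neither send nor learn VTP ---
! A transparent device still forwards received advertisements on its
! trunk ports; a device in off mode behaves the same except that it
! does not forward them.
Device(config)# vtp mode off

! --- Trunk port that should not run VTP ---
! The interface-level command applies only to ports in trunking mode.
Device(config)# interface <trunk-interface>
Device(config-if)# no vtp
Device(config-if)# end

! Verify the resulting version, mode, and domain.
Device# show vtp status
```

Because password, pruning, and version settings are not saved in the device configuration file, confirm them with show vtp status rather than by reviewing the running configuration.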

vtp primary

To configure a device as the VLAN Trunking Protocol (VTP) primary server, use the vtp primary command in privileged EXEC mode.

vtp primary [mst | vlan] [force]

Syntax Description

mst

(Optional) Configures the device as the primary VTP server for the multiple spanning tree (MST) feature.

vlan

(Optional) Configures the device as the primary VTP server for VLANs.

force

(Optional) Configures the device to not check for conflicting devices when configuring the primary server.

Command Default

The device is a VTP secondary server.

Command Modes

Privileged EXEC

Command History

Release Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

A VTP primary server updates the database information and sends updates that are honored by all devices in the system. A VTP secondary server can only back up the updated VTP configurations received from the primary server to NVRAM.

By default, all devices come up as secondary servers. Primary server status is needed only for database updates when the administrator issues a takeover message in the domain. You can have a working VTP domain without any primary servers.

Primary server status is lost if the device reloads or domain parameters change.


Note

This command is supported only when the device is running VTP Version 3.


Examples

This example shows how to configure the device as the primary VTP server for VLANs:

Device> enable
Device# vtp primary vlan
Setting device to VTP TRANSPARENT mode.

You can verify your settings by entering the show vtp status privileged EXEC command.