VLAN Membership

With the VLAN Membership page, you can:

• Display the current VLAN configuration.
• Assign ports for static-access VLAN membership.
• Assign ports for multi-VLAN membership.
• Assign ports for dynamic VLAN membership (Enterprise Edition Software only).
• Assign ports as VLAN trunks (Enterprise Edition Software only).

A virtual LAN (VLAN) is an administratively defined broadcast domain logically segmented by function, team, or application. Stations only receive traffic sent by other stations in the same VLAN. A VLAN enhances performance by limiting traffic; it allows the transmission of traffic among member stations and blocks traffic from other stations in other VLANs.

You can configure up to 64 port-based VLANs with IDs from 1 to 1001 and up to 64 instances of the Spanning-Tree Protocol.

Note: On the Catalyst 2912MF, 2924M, and 3500 XL series switches, you can configure up to 250 port-based VLANs.

You can assign a static-access port to a single VLAN only; you can assign a multi-VLAN port to multiple VLANs.

With Enterprise Edition Software, you can also configure a port for dynamic VLAN membership or as a trunk port. Dynamic VLAN assignment is especially useful in administering large networks because you can move a connection from a port on one switch to a port on another switch in the network without reconfiguring the port. Dynamic-access ports can be in only one VLAN and should be connected only to end stations; connecting them to routers or switches can cause a loss of connectivity.

Note: Using the ATM module's command-line interface, you map the LAN emulation (LANE) client to a VLAN or bind one or more permanent virtual connections (PVCs) to a VLAN. The VLAN ID is then displayed in the Assigned VLANs column of the VLAN Membership page. In standard edition software, an ATM port can be a static-access port only. In Enterprise Edition Software, an ATM port can be a trunk port only.

A trunk is a point-to-point link between two switches or between a switch and a router. Trunks carry the traffic of multiple VLANs; each packet traveling on a trunk is tagged with a VLAN ID to indicate its destination. Trunks allow you to extend VLANs from one switch to another.

Displaying the Current VLAN Configuration

The Port, Mode, and the Assigned VLANs columns indicate whether the port is a static-access port or a multi-VLAN port, and the VLAN assignment of the port. You can assign a static-access port to only one VLAN. You can assign a multi-VLAN port to multiple VLANs to create an overlapping VLAN.

Note: With Enterprise Edition Software, the Mode column indicates whether the port is also a dynamic-access or trunk port. The word "Unassigned" in the Assigned VLANs column indicates that the dynamic-access port has not yet been assigned to a VLAN. The Configure Trunk button in the Trunk Configuration column allows you to further configure the trunk port.

Assigning Ports for Static-Access VLAN Membership

A simple port-based VLAN consists of a static-access port assigned to a single VLAN. By default, all ports are static-access ports assigned to VLAN 1.

To assign a port for static-access VLAN membership (to a VLAN other than 1):

1. In the Mode drop-down list, verify that Static Access is selected.
   For ATM ports, this field is read only and displays "Static Access" in the standard edition software.
2. In the Assigned VLANs field, highlight the current VLAN ID and then enter the new ID (from 1 to 1001) to which you want the port assigned.
   For ATM ports, this field is read only and displays the VLAN ID previously configured on the module. For more information, see the installation guide that shipped with the ATM module.
3. Click Apply.
4. In the Assigned VLANs field, verify that the port is assigned to the new VLAN ID and no longer assigned to VLAN 1.
   Note: If you change the VLAN ID on a port that belongs to a port group, the ID for all the ports in that group are also changed.

Assigning Ports for Multi-VLAN Membership

A multi-VLAN port belongs to more than one VLAN. Only ports connected to routers or servers should be defined as multi-VLAN ports. By connecting the multi-VLAN port to a router, all traffic is forwarded within the boundaries of the VLANs, but the two (or more) VLANs establish connectivity through the router.

A multi-VLAN port functions normally in all its VLANs. For example, when an unknown MAC address is received on a multi-VLAN port, it is learned by all the port VLANs. Multi-VLAN ports also respond to the STP messages generated by different instances of STP in each VLAN. Because the multi-VLAN port is a member of more than one VLAN, flooded traffic received from the multi-VLAN port is forwarded to ports in all VLANs assigned to the multi-VLAN port.

Caution: To avoid loss of connectivity, do not connect multi-VLAN ports to hubs or switches. Connect multi-VLAN ports to routers or servers.

To assign ports for multi-VLAN membership:

1. From the Mode drop-down list, select Multi-VLAN on each port that belongs to more than one VLAN.
   Note: You cannot concurrently configure multi-VLAN ports and trunk ports on the same switch. You cannot configure a multi-VLAN port as a secure port or a monitor port. You cannot configure an ATM port as a multi-VLAN port.
2. In the Assigned VLANs field, enter the new VLAN IDs (from 1 to 1001) separated by commas (with no spaces) or hyphens for a range of IDs.
3. Click Apply.
4. In the Assigned VLANs field, verify that the ports are assigned to the new VLAN IDs.
   Note: If you change the VLAN ID on a port that belongs to a port group, the ID for all the ports in that group is also changed.

To remove a VLAN from a multi-VLAN port:

1. Highlight the ID in the Assigned VLANs field.
2. Press Delete on your keyboard.
3. Click Apply.
   In the Assigned VLANs field, verify that the VLAN is no longer assigned to the port.

Assigning Ports for Dynamic VLAN Membership

With Enterprise Edition Software, you can assign ports for dynamic VLAN membership. This switch functions as the VLAN Query Protocol (VQP) client capable of querying a VLAN Membership Policy Server (VMPS) such as the Catalyst 5000 switch. Make sure you configure the server before configuring a client port as dynamic.

Note: A dynamic-access port can be in only one VLAN and should only be connected to end stations; connecting it to routers (running bridging protocols) or switches can cause a loss of connectivity. Make sure to configure the network so that STP does not put the dynamic-access port into an STP blocking state.

You cannot configure dynamic-access ports as:

• The source or destination port in a static address entry.
• A network port (dynamic-access ports can be assigned to a VLAN in which one of the other ports is a network port).
• A port group (dynamic-access ports cannot be grouped with any other port including other dynamic-access ports)
• A secure port
• A port with a secure address
• A monitor port

To assign a port for dynamic VLAN membership:

1. Set up the VLAN Membership Policy Server before assigning the port.
   From the menu bar, select VLAN > VMPS Configuration.
   Click Help on this page for configuration information.
2. From the Mode drop-down list, select Dynamic Access.
   Note: The Assigned VLANs column is a read-only field. By default, a dynamic-access port belongs to no VLAN.
3. Click Apply.
   The port receives its VLAN ID from the server.

Assigning Ports as VLAN Trunks

With Enterprise Edition Software, you can assign ports as VLAN trunks. A trunk is a point-to-point link between two switches or between switches and routers. Trunks carry the traffic of multiple VLANs and allow you to extend VLANs from one switch to another.

Note: You cannot configure a trunk port as a secure port or a monitor port. However, a static-access port can monitor a VLAN on a trunk port. The VLAN monitored is the one associated with the static-access port. If you configure a trunk port as a network port, the trunk port becomes the network port for all the VLANs associated with the port.

To assign a port as a VLAN trunk:

1. From the Mode drop-down list, select ISL Trunk or 802.1Q Trunk.
   Note: For ATM ports, this field is read only and displays "ATM Trunk" in the Enterprise Edition Software.
   With ISL, the switch encapsulates all received and transmitted packets with an ISL header. The switch filters native frames received from an ISL trunk port.
   With the IEEE 802.1Q tagging format, the switch supports simultaneous tagged and untagged traffic on a port.
   Note: You cannot concurrently configure multi-VLAN ports and trunk ports on the same switch. You cannot configure one end of the trunk as an 802.1Q trunk and the other end as an ISL or nontrunk port. However, you can configure one port as an ISL trunk and another port on the same switch as a 802.1Q trunk.
2. Click Apply.
3. Ignore the Assigned VLANs field.
   For ATM ports, this field is read only and displays the VLAN ID previously configured on the module. For more information, see the installation guide that shipped with the ATM module.
4. In the Trunk Configuration column, click Configure Trunk.
   The Port Trunk Configuration pop-up page displays so that you can further control the VLAN membership of a trunk port by modifying the allowed list. Click Help on the pop-up page for configuration information.