Configure Inter VLAN Routing with Catalyst Switches

Introduction

This document describes how to configure Inter VLAN routing with Cisco Catalyst series switches.

Prerequisites

Requirements

Ensure that you meet these requirements before you attempt this configuration:

Knowledge of how to create VLANs

For more information, refer to Create Ethernet VLANs on Catalyst Switches.

Knowledge of how to create Trunk links

Components Used

The information in this document is based on these software and hardware versions:

Catalyst 3850 that runs Cisco IOS® XE Software Release 16.12.7

Catalyst 4500 that runs Cisco IOS® Software Release 03.09.00E

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Related Products

This configuration can also be used with these hardware and software versions:

Any Catalyst 3k/9k switch and later

Any Catalyst switch model, used as the access layer switch

Background Information

This document provides a sample configuration for Inter VLAN routing with a Catalyst 3850 series switch in a typical network scenario. The document uses two Catalyst 4500 series switches as Layer 2 (L2) switches that connect directly to the Catalyst 3850. The Catalyst 3850 configuration also has a default route for all traffic that goes to the Internet, with the next hop pointing to a Cisco router. You can substitute the Internet Gateway with a firewall or another router model.

Note: The configuration from the Internet Gateway router is not relevant, so this document does not cover the configuration.

In a switched network, VLANs separate devices into different collision domains and Layer 3 (L3) subnets. Devices within a VLAN can communicate with each other without the need for routing. Devices in separate VLANs require a routing device to communicate with each other.

L2-only switches require an L3 routing device to provide communication between VLANs. The device is either external to the switch or in another module on the same chassis. A new breed of switches incorporates routing capability within the switch. An example is the 3850. The switch receives a packet, determines that the packet belongs to another VLAN, and sends the packet to the appropriate port on the destination VLAN.

A typical network design segments the network based on the group or function to which the device belongs. For example, the engineering VLAN only has devices that relate to the engineering department, and the finance VLAN only has devices that relate to finance. If you enable routing, the devices in each VLAN can talk to one another without the need for all the devices to be in the same broadcast domain. Such a VLAN design also has an additional benefit. The design allows the administrator to restrict communication between VLANs with use of access lists. For example, you can use access lists to restrict the engineering VLAN from access to devices on the finance VLAN.

For more information, refer to How To Configure Inter VLAN Routing On Layer 3 Switches, which demonstrates how to configure Inter VLAN routing on a Catalyst 3550 series switch.

In this section, you are presented with the information to configure the features described in this document.

Note: Use the Cisco Support Tools to find more information on the commands used here. Only registered Cisco users have access to tools like this and other internal information.

Network Diagram

This document uses this network setup:

In this diagram, a small sample network with the Catalyst 3850 provides Inter VLAN routing between the various segments. The Catalyst 3850 switch can act as an L2 device when IP routing is disabled. In order to make the switch function as an L3 device and provide Inter VLAN routing, make sure that ip routing is enabled globally.

These are the three VLANs defined by the user:

VLAN 2 — User-VLAN

VLAN 3 — Server-VLAN

VLAN 10 — Mgmt-VLAN

The default gateway configured on each server and host device must be the IP address of the corresponding VLAN interface on the 3850. For example, for Servers, the default gateway is 10.1.3.1. The access layer switches, which are the Catalyst 4500, are trunked to the Catalyst 3850 switch.

The default route for the Catalyst 3850 points to the Cisco router, and this is used to route traffic destined for the Internet. Therefore, traffic for which the 3850 does not have a route in the routing table is forwarded to the Cisco router for additional processing.

Practical Tips

Ensure that the native VLAN for an 802.1Q trunk is the same on both ends of the trunk link. If the native VLAN on one end of the trunk is different than the native VLAN on the other end, the traffic of the native VLANs on both sides cannot be transmitted correctly on the trunk. This failure to transmit correctly can imply some connectivity issues in your network.

Separate the management VLAN from the User or Server VLAN, as in this diagram. The management VLAN is different from the user or server VLAN. With this separation, any broadcast/packet storm that occurs in the user or server VLAN does not affect the management of switches.

Do not use VLAN 1 for management. All ports in Catalyst switches default to VLAN 1, and any devices that connect to ports that are not configured are in VLAN 1. The use of VLAN 1 for management can cause potential issues for the management of switches.

Use a Layer 3 (routed) port to connect to the default gateway port. In this example, you can easily replace a Cisco router with a firewall that connects to the Internet gateway router.

This example configures a static default route on the 3850 towards the Cisco router to reach the Internet. This setup is best if there is only one route to the Internet. Make sure to configure static routes, preferably summarized, on the gateway router for subnets that can be reached by the Catalyst 3850. This step is very important because this configuration does not use routing protocols.

If you have two Catalyst 3850 switches in your network, you can dually connect the access layer switches to the 3850 switches, and then run Hot Standby Router Protocol (HSRP) between the switches to provide redundancy in the network.

If you need additional bandwidth for the uplink ports, you can configure EtherChannels. The EtherChannel also provides link redundancy in the case of a link failure.

Configurations

This document uses these configurations:

Catalyst 3850 

Catalyst 4500-A 

Catalyst 4500-B 

Note: For this example, VLAN Trunk Protocol (VTP) was set to off on all the switches. This switch uses the next commands to set VTP as off and to create the three VLANs that the user defined from global configuration mode:

SW_3850(config)# vtp mode off
Setting device to VTP Off mode for VLANS.
SW_3850(config)# vlan 2
SW_3850(config-vlan)# name User_VLAN
SW_3850(config-vlan)# exit
SW_3850(config)# vlan 3
SW_3850(config-vlan)# name Server_VLAN
SW_3850(config-vlan)# exit
SW_3850(config)# vlan 10
SW_3850(config-vlan)# name Mgmt_VLAN
SW_3850(config-vlan)# exit
SW_3850(config)# end

This section provides information you can use to confirm your configuration works properly.

Note: The Cisco CLI Analyzer Tool can help troubleshoot and check the overall health of your Cisco-supported software with this smart SSH client that uses integrated TAC tools and knowledge.

Note: For details on CLI commands, see the Command Reference Guides for the specific switching platform.

Note: Only registered Cisco users have access to tools like this and other internal information.

Catalyst 3850

show vtp status

SW_3850# show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 1
VTP Domain Name                 :
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : bc67.1c5d.3800
Configuration last modified by 10.0.0.10 at 0-0-00 00:00:00

Feature VLAN:
--------------
VTP Operating Mode                : Off
Maximum VLANs supported locally   : 1005
Number of existing VLANs          : 8
Configuration Revision            : 0
MD5 digest                        : 0x7E 0xC3 0x8D 0x91 0xC8 0x53 0x42 0x14
                                    0x79 0xA2 0xDF 0xE9 0xC0 0x06 0x1D 0x7D

show interfaces trunk 

SW_3850# show interfaces trunk

Port        Mode             Encapsulation  Status        Native vlan
Gi1/0/3     on               802.1q         trunking      1
Gi1/0/5     on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi1/0/3     1-4094
Gi1/0/5     1-4094

Port        Vlans allowed and active in management domain
Gi1/0/3     1-3,10
Gi1/0/5     1-3,10

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/3     1-3,10
Gi1/0/5     1,3,10

show ip route 

SW_3850# show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
       n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       H - NHRP, G - NHRP registered, g - NHRP registration summary
       o - ODR, P - periodic downloaded static route, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 10.100.100.2 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.100.100.2
      10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
C        10.1.2.0/24 is directly connected, Vlan2
L        10.1.2.1/32 is directly connected, Vlan2
C        10.1.3.0/24 is directly connected, Vlan3
L        10.1.3.1/32 is directly connected, Vlan3
C        10.1.10.0/24 is directly connected, Vlan10
L        10.1.10.1/32 is directly connected, Vlan10
C        10.100.100.0/24 is directly connected, GigabitEthernet1/0/2
L        10.100.100.1/32 is directly connected, GigabitEthernet1/0/2

Catalyst 4500-A

Switch-A# show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 2
VTP Domain Name                 : cisco.com
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : 6400.f13e.dc40
Configuration last modified by 10.1.10.2 at 0-0-00 00:00:00

Feature VLAN:
--------------
VTP Operating Mode                : Off
Maximum VLANs supported locally   : 1005
Number of existing VLANs          : 32
Configuration Revision            : 0
MD5 digest                        : 0x0B 0x61 0x4F 0x9B 0xCD 0x1B 0x37 0x55
                                    0xAB 0x0C 0xC1 0x4B 0xF8 0xDE 0x33 0xB3

Switch-A# show interfaces trunk

Port        Mode             Encapsulation  Status        Native vlan
Gi1/3       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi1/3       1-4094

Port        Vlans allowed and active in management domain
Gi1/3       1,3,10

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/3       1,3,10

Catalyst 4500-B

Switch-B# show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 1
VTP Domain Name                 :
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : 6c20.5606.3540
Configuration last modified by 10.1.10.3 at 11-15-22 10:42:29

Feature VLAN:
--------------
VTP Operating Mode                : Off
Maximum VLANs supported locally   : 1005
Number of existing VLANs          : 7
Configuration Revision            : 0
MD5 digest                        : 0xEC 0xB4 0x8D 0x46 0x94 0x95 0xE0 0x8F
                                    0xEE 0x1E 0xC7 0x9F 0x26 0x88 0x49 0x9F

show interfaces trunk

Switch-B# show interfaces trunk

Port        Mode             Encapsulation  Status        Native vlan
Gi1/1       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi1/1       1-4094

Port        Vlans allowed and active in management domain
Gi1/1       1-2,10

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/1       1-2,10

Troubleshoot

Use this section to troubleshoot your configuration.

Troubleshoot Procedure

Use these instructions:

1. If you are not able to ping devices within the same VLAN, check the VLAN assignment of the source and destination ports to make sure that the source and destination are in the same VLAN.

   In order to check the VLAN assignment, issue the show interface status command for Cisco IOS Software.

   If the source and destination are not in the same switch, make sure that you have configured the trunks properly. In order to check the configuration, issue the show interfaces trunk command.

   Also, check that the native VLAN matches on either side of the trunk link. Make sure that the subnet mask matches between the source and destination devices.

2. If you are not able to ping devices in different VLANs, make sure that you can ping the respective default gateway. (See Step 1.)

   Also, make sure that the default gateway of the device points to the correct VLAN interface IP address. Ensure that the subnet mask matches.

3. If you are not able to reach the Internet, make sure that the default route on the 3850 points to the correct IP address, and that the subnet address matches the Internet Gateway router.

   In order to check, issue the show ip interface interface-id command. Make sure that the Internet Gateway router has routes to the Internet and the internal networks.

Related Information

  • Create Ethernet VLANs on Catalyst Switches
  • Cisco Technical Support & Downloads

Revision History

TAC Authored

Contributed by Cisco Engineers

  • Julio Jimenez Project Manager

Configuring VLANs on Cisco Switches

We have previously written about VLANs and what they can do as a concept. This article will focus on configuring VLANs on Cisco switches.

We will look at each command necessary to configure the topology below. If this topology looks familiar, it is because you saw it in the article which described how VLANs operated on a conceptual level.

We will first look at what goes into configuring the access ports in the topology above, followed by what goes into configuring the trunk ports. Then we will look at some verification and show commands to validate what is configured. Finally, we will look at the default configuration for a switch port, so we know our starting point when we are applying the commands we discuss.

Contents: Configuring VLANs on Cisco Switches

  • Creating the VLAN in the VLAN Database
  • Assigning the Switchport to a VLAN
  • Native VLAN
  • Allowed VLAN List
  • show vlan brief
  • show interfaces trunk
  • show interfaces switchport
  • show interfaces status
  • show spanning-tree
  • Dynamic Trunking Protocol
  • Default Access Port Settings
  • Default Trunk Port Settings

Access Ports

An access port is a switch port that is a member of only one VLAN. There are two parts to configuring an access port: creating the VLAN in the switch’s VLAN Database and assigning the switch port to a VLAN.

Before a switch will accept or forward traffic for a VLAN, the VLAN must exist in the switch’s VLAN Database. Adding a VLAN to the VLAN database requires only one command:

From this point, you can also optionally name the VLAN. While not explicitly necessary for traffic to flow, it is best practice to provide a name for each VLAN. This will make the VLAN easier to identify.

To name a VLAN, simply use the name command directly after creating it.

For VLAN 20, we will create and name the VLAN on SwitchX:

Now that the VLAN is in the VLAN database, we can configure a switch port to be an access port for a particular VLAN. There are two commands within the interface configuration mode for this step:

The switchport mode access command sets the port as an access port, and the switchport access vlan <#> command designates the port as a member of VLAN 10.

Some versions of Cisco switches automatically create the VLAN in the VLAN Database when you assign an access port to a VLAN:

However, it is not recommended that you depend on this. Some switches will do it, some will not. Some switches will not create the VLAN and also not report any errors, leaving you confused as to why traffic might not be flowing. Moreover, this creates the VLAN with a generic name – the name for VLAN 30 above defaults to VLAN0030, which is not very helpful.

As such, we always recommend creating and naming a VLAN before assigning it anywhere. If you happen to forget to name it first, you can always update the name of a VLAN in that database after the fact:

In summary, the two steps to configure an access port:

  • Create and optionally (but ideally) name the VLAN
  • Set a switch port as an access port and designate it as a member of a VLAN

Both steps will also need to be accomplished for each VLAN and switch port on SwitchY. First we will create and name each VLAN:

Then we will set Eth0/2 and Eth0/3 as access ports in VLANs 10 and 30, respectively:

The commands above created the following configuration in the running-configuration for each switch:

Trunk Ports

As discussed before, a trunk port is a switch port that is carrying more than one VLAN.

Traffic traversing a trunk port is still in the form of 1s and 0s. To designate which 1s and 0s belong to which VLANs, a VLAN Tag is added to all traffic leaving a trunk port. The 802.1q standard specifies the ubiquitous format for the VLAN tag.

Creating a trunk port involves only one command:

Just like switchport mode access set the port as an access port, switchport mode trunk will set the port as a trunk port.

Some switches support more than one method for adding the VLAN tag. Namely, some switches support the antiquated ISL method of VLAN tagging. Before these switches allow you to set a port as a trunk port, they force you to set a tagging method, also called an encapsulation method:

For these switches, you simply use the switchport trunk encapsulation dot1q command before setting the switchport as a trunk port:

We will also configure Eth2/1 and Eth2/2 on SwitchX as trunk ports:

This is all you need to create a trunk port. With the configuration above, the switch will forward traffic from all VLANs in the VLAN Database out the configured trunk port.

That being said, there are some additional helpful settings you can apply to a trunk port to modify the default behavior. We will discuss two of them in the sections that follow.

The Native VLAN is the one VLAN on a trunk port which is allowed to remain untagged. By default, this is set to VLAN 1, but this can be changed by an administrator.

To set the Native VLAN, you use this command:

After setting this command, any time SwitchX is sending traffic on VLAN 2 out the trunk port Eth1/1, it will do so without adding a VLAN tag. Moreover, anytime SwitchX receives untagged traffic on trunk port Eth1/1, SwitchX will assign that traffic to VLAN 2.

An important point to remember: both switches on either end of the same trunk must have the same Native VLAN. Otherwise, you easily run the risk of a host in one VLAN being able to communicate with a host in another VLAN.

Therefore, we will set the same Native VLAN on SwitchY:

We will also set another VLAN as the Native VLAN for Eth2/1 and Eth2/2 ports, facing Router1 and Router2, respectively. This is to show that the Native VLAN configuration is a per-interface configuration, not a per-device configuration. But keep in mind, in most deployments the Native VLAN is typically consistent across all ports.

By default, when an interface is set as a trunk port, traffic from all the VLANs in the VLAN database is forwarded out that switch port.

There are times, however, where it is wise to limit which VLAN’s traffic is traversing a particular trunk. This can be done by applying what is known as an Allowed VLAN list. An Allowed VLAN list allows the administrator to manually select which VLANs are traversing a trunk port.

Take a look at the illustration. Notice that the trunk port to Router1 is only processing traffic for VLAN 10 and 20, but if the trunk port is left to its default behavior, SwitchX will be forwarding traffic to Router1 from VLANs 10, 20, and 30. The VLAN 30 traffic will simply be dropped by Router1, but it does needlessly add congestion to the link.

To solve this, we will add an Allowed VLAN list to Eth2/1 on SwitchX to restrict which VLANs are traversing the trunk port:

This will limit the VLANs which are traversing the trunk port to Router1 to only the VLANs which actually need to be on that link.

The trunk port to Router2 can also be limited to only carry traffic for VLAN 20 and 30. Below is another way of applying an Allowed VLAN list which shows how to add VLANs to the list after initially creating it:

Notice the important keyword add in the second command above. This instructs the switch to add VLAN 30 traffic to whatever VLANs are already allowed on the link.

Had the keyword add been omitted, the switch would have replaced the current Allowed VLAN List (which was allowing just VLAN 20) with the new one (which was allowing just VLAN 30). If Router1 was the gateway for the traffic in VLAN 20, all that traffic would now be dropped – creating a decidedly poor experience for the users in that VLAN.

As such, it is very important to either apply the full list of VLANs in one command (as in the first example), or to use the add keyword to add VLANs to the current allowed VLAN list.

You also have the option of using the remove keyword to remove individual VLANs from the allowed VLAN list.

In fact, the remove keyword provides one more way to apply an allowed VLAN list to a trunk port. Take a look at the link between SwitchX and SwitchY. Notice VLAN 20 does not need to be traversing that link.

Rather than simply adding an Allowed VLAN list with VLANs 10 and 30, you can also simply remove VLAN 20 from the default configuration. We’ll show you how it works with the trunk port between the switches (Eth1/1):

This automatically applies an Allowed VLAN list for every VLAN except VLAN 20:

Since the default trunk port behavior was to allow all VLANs, removing VLAN 20 caused the switch to apply an Allowed VLAN list which included every VLAN (1 – 4094), except VLAN 20.

That said, this is typically not the way you would apply a new Allowed VLAN list to an interface – the remove keyword is more often used to remove individual VLANs from an already added Allowed VLAN list. We will remove the Allowed VLAN list on Eth1/1, and leave that port configured as a default trunk port – allowing traffic for all VLANs to traverse the trunk:

Show Commands

The commands above explain the steps for configuring VLANs on Cisco Switches. The output at the end of each section displayed the way the configuration appears in the running-configuration. However, the running-configuration will only show how a device is configured – it will not show how a device operates.

This is an important distinction – a talented network engineer needs to not only know how to configure VLANs, but also how to validate their operation as well. To that end, we will discuss five show commands that can be used to verify a device’s operation – how it is actually handling traffic.

The show vlan brief command provides two main pieces of information:

  • The VLANs which exist in the switch’s VLAN Database
  • The access ports configured in each VLAN

Here is the output from both of our switches:

For both switches, the command displays VLANs 1, 10, 20, and 30. These are the only VLANs that were created in the VLAN database. Should the switch receive traffic tagged for a VLAN other than these, that traffic will be discarded.

For each VLAN, the VLAN’s name is also provided. Notice VLANs 10, 20, and 30 are named RED, ORANGE, and BLUE, respectively.

Also notice VLAN 1 exists and is named default, despite us not explicitly creating it. This is because VLAN 1 is the default configuration that every switch port starts out in. The switch will not allow you to delete VLAN 1 or change its name.

The Status column reflects whether the VLAN is active on the switch. A VLAN can become inactive for two reasons. The first is explicitly using the shutdown command within the VLAN configuration mode. The second is a VLAN existing in the database, but having no access ports or trunk ports utilizing that VLAN.

On the far right of the output, under the Ports column, you get a list of each access port in each VLAN. We configured SwitchX’s Eth0/0 interface in VLAN 10, and the output reflects that. Also notice the port Eth1/1 is nowhere to be found. This is because Eth1/1 was configured as a trunk port, and will not be visible in the output of show vlan brief.

If show vlan brief is the go-to command to show you information about access ports on a switch, then show interfaces trunk is the go-to command to show you information about trunk ports on a switch.

There are four sections to the output of this command. To the untrained eye, it might appear like some of the information is duplicate – but this is not the case.

The first section of the output lists each interface which is operationally behaving like a trunk port. This will make more sense a little later in the article when we discuss a mechanism that lets a switch port automatically determine whether it should be a trunk port. In the case above, we explicitly configured ports Eth1/1, Eth2/1, and Eth2/2 on SwitchX and port Eth1/1 on SwitchY as trunk ports.

The first section also lists what method of Encapsulation is in use (i.e., what method of VLAN tagging), as well as the VLAN configured as the Native VLAN for each trunk.

The second section, labeled Vlans allowed on trunk, is a reflection of which VLANs have made it through any configured Allowed VLAN lists on each trunk port. On SwitchX, we created two Allowed VLAN lists, one allowing VLAN 10 and 20 on Eth2/1, and another allowing VLANs 20 and 30 on Eth2/2. Interface Eth1/1 did not have any VLANs restricted, so therefore all possible VLANs are listed as allowed on the trunk port – VLAN IDs can only be 1 – 4094.

The third section, labeled Vlans allowed and active in management domain, is a combination of the section before it (Vlans allowed on trunk) and the VLANs which are created in the VLAN database (i.e., visible in show vlan brief). Despite all VLANs being allowed on Eth1/1 (as indicated by the 1-4094 in the second section), only VLANs 1, 10, 20, and 30 exist in the VLAN database.

The fourth section, labeled Vlans in spanning tree forwarding state and not pruned, is a combination of the last two sections and the ports the Spanning Tree Protocol deems as safe to forward traffic.

The Spanning Tree Protocol (STP) exists to ensure the L2 domain does not contain any loops. If any are detected, those ports are disabled. In our topology, there are no loops, so the output of the fourth section looks identical to the output of the third section because STP did not disable any ports. STP is a fascinating protocol, but its operation is outside the scope of this article – it will be the subject of a future article.
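The four sections described above, and the Native VLAN and Allowed VLAN list checks from earlier, can be run automatically over captured show interfaces trunk output. The following is an added example, not code from either article: the sample text is the Catalyst 3850 and 4500-A output shown earlier on this page, and treating Gi1/0/5 and Gi1/3 as the two ends of one trunk is an assumption made for illustration.

```python
# Added example: audit 'show interfaces trunk' output for the trunk settings
# discussed on this page. Sample outputs are copied from the page; pairing
# Gi1/0/5 (SW_3850) with Gi1/3 (Switch-A) as one link is an assumption.

CORE = """\
SW_3850# show interfaces trunk
Port        Mode             Encapsulation  Status        Native vlan
Gi1/0/3     on               802.1q         trunking      1
Gi1/0/5     on               802.1q         trunking      1
Port        Vlans allowed on trunk
Gi1/0/3     1-4094
Gi1/0/5     1-4094
Port        Vlans allowed and active in management domain
Gi1/0/3     1-3,10
Gi1/0/5     1-3,10
Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/3     1-3,10
Gi1/0/5     1,3,10
"""

ACCESS_A = """\
Switch-A# show interfaces trunk
Port        Mode             Encapsulation  Status        Native vlan
Gi1/3       on               802.1q         trunking      1
Port        Vlans allowed on trunk
Gi1/3       1-4094
Port        Vlans allowed and active in management domain
Gi1/3       1,3,10
Port        Vlans in spanning tree forwarding state and not pruned
Gi1/3       1,3,10
"""

# Section header text -> key used in the parsed result.
SECTIONS = {
    "Vlans allowed on trunk": "allowed",
    "Vlans allowed and active in management domain": "active",
    "Vlans in spanning tree forwarding state and not pruned": "forwarding",
}
ALL_VLANS = set(range(1, 4095))  # 1-4094: what a trunk allows by default


def expand(spec):
    """Turn a VLAN list such as '1-3,10' into {1, 2, 3, 10}."""
    vlans = set()
    for part in spec.split(","):
        if not part or part == "none":
            continue
        low, _, high = part.partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def parse_trunks(text):
    """Parse the four sections into {port: {native, allowed, active, ...}}."""
    ports, section = {}, None
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].endswith("#"):  # blank line or CLI prompt
            continue
        if fields[0] == "Port":  # a section header line
            section = SECTIONS.get(" ".join(fields[1:]), "summary")
            continue
        port = ports.setdefault(fields[0], {})
        if section == "summary":
            port.update(mode=fields[1], encapsulation=fields[2],
                        status=fields[3], native=int(fields[4]))
        elif section:
            port[section] = expand("".join(fields[1:]))
    return ports


def audit_port(port):
    """Findings that can be made from one end of the trunk alone."""
    findings = []
    if port["native"] == 1:
        findings.append("native VLAN is the default VLAN 1")
    if port["allowed"] == ALL_VLANS:
        findings.append("no Allowed VLAN list (1-4094 permitted)")
    return findings


def compare_ends(local, remote):
    """Compare both ends of one link; also suggest a minimal allowed list."""
    findings = []
    if local["native"] != remote["native"]:
        findings.append(
            f"native VLAN mismatch: {local['native']} vs {remote['native']}")
    one_sided = sorted(local["active"] ^ remote["active"])
    if one_sided:
        findings.append("VLANs active on one end only: "
                        + ",".join(map(str, one_sided)))
    common = sorted(local["active"] & remote["active"])
    return findings, ",".join(map(str, common))


if __name__ == "__main__":
    core, access = parse_trunks(CORE), parse_trunks(ACCESS_A)
    for name, port in core.items():
        print(name, audit_port(port))
    findings, allowed = compare_ends(core["Gi1/0/5"], access["Gi1/3"])
    print("Gi1/0/5 <-> Gi1/3:", findings)
    print("VLANs needed on this link:", allowed)
```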

The show interfaces switchport command can give you an overwhelming amount of information. Using the command by itself shows you 26 pieces of information for each interface on your switch (or more, depending on the code version you are using).

Rather than try to sift through all that, you can specify a particular interface to get those same 26 pieces of information for just the desired interface using the command show interfaces <intf> switchport.

For the sake of brevity and relevance, the output below has been trimmed to just show the lines which relate to something discussed in this article. There is an example of the full output of this command later in this article.

The description of each line in the output above is in the table that follows.

Typically, the show interfaces status command is associated with seeing whether devices are plugged into a switchport or not (connected vs notconnect in the Status column). However, this command can also reveal some information about the VLAN configuration of a switchport.

Namely, if you see a number in the VLAN column, then the switchport is an access port in the provided VLAN. And if you see the word trunk, then the switchport is configured as a trunk port.

The show spanning-tree command is obviously mostly associated with verifying the Spanning Tree Protocol, but it can also provide useful VLAN configuration information.

Earlier we talked about show vlan brief, which provides information about interfaces configured as access ports. We also talked about show interfaces trunk, which provides information about interfaces configured as trunk ports. The show spanning-tree vlan <VLAN-ID#> command provides information on both access ports and trunk ports.

Specifically, you can use this command to see every switchport a VLAN is exiting.

We configured SwitchX with one access port in VLAN 10 (Eth0/0), and two trunk ports which are permitting VLAN 10 (Eth1/1 and Eth2/1). Looking at the output of the show spanning-tree vlan 10 command on SwitchX, we can see all three of the ports that VLAN 10 traffic is egressing.

You won’t easily be able to determine whether the port is configured as an access port or a trunk port. But you will be able to easily determine which other devices a VLAN’s traffic is going to by comparing the output of show spanning-tree to show cdp neighbors:

We can see that VLAN 10 on SwitchX is going to Router1 and SwitchY, as well as a third device (which we know is Host A, who isn’t participating in CDP). VLAN 20 on SwitchY is only going to SwitchX. Using these two commands in conjunction with each other is a great way to trace the L2 path through a network between two devices.

Default Switchport Setting

Finally, before configuring VLANs with the commands discussed in this article, it is important to know the starting point for each interface.

Nearly all Cisco features come with a certain default configuration. These exist and are in place so that the device can perform (maybe with limited features, but nonetheless) without any configuration required.

Knowing the default configuration is crucial to be an effective engineer because if you know how something works innately, you know exactly what needs to change to get it to work the way you want it to. To that end, we will spend some time discussing the default switch port configuration applied to Cisco switches.

First, here is the output of show interfaces switchport for an unmodified interface. There are three items we must discuss from the output below:

The first items we will discuss from the default switch port configuration above have to do with the Dynamic Trunking Protocol, or DTP. Take a look at these lines from the output above:

As discussed before, the two modes correlate to the configured mode (administrative) and the negotiated mode (operational). The distinction exists as a result of the Dynamic Trunking Protocol (DTP).

Cisco created DTP to further the idea of ‘plug and play’ switches. They created a protocol where if two switches were linked to each other, they could automatically determine whether their interlink should be a trunk port or an access port. It works based upon four modes an interface can be set to:

  • switchport mode dynamic desirable – actively attempt to negotiate trunk
  • switchport mode dynamic auto – passively attempt to negotiate trunk
  • switchport mode trunk – statically set as trunk
  • switchport mode access – statically set as access

The configuration of both sides of the link will determine whether the link will negotiate as a trunk port or an access port. The table below lists every possible combination.

The issue with DTP is it provides a means for the other side of a link to modify the behavior of your side of the link. When you control both sides this might not seem like a terrible feature, but if you are ever in a situation where you only control your device, DTP gives too much power to the other side.

As such, it is often recommended to avoid DTP automatically determining the trunk status and instead manually set a port as trunk or access using the commands we discussed earlier in this article (switchport mode trunk or switchport mode access).

Even with the switch port mode statically set, however, your switch will still send DTP frames. This is how the other side knows how your side is configured. Again, if you own both sides the risk is negligible, but if you might not control the other side, then this is undesirable.

You can disable the sending of DTP frames by also adding this command to the interface configuration: switchport nonegotiate. This will disable the periodic sending of DTP frames to advertise the switch port mode of the local switch.

You can view whether a switch port has negotiation disabled in the output of the command above. The specific line which indicates it is the following:

To summarize, the default DTP behavior of an unmodified interface is:

  • switchport mode dynamic auto
  • negotiation of DTP enabled

This means the link will automatically become a trunk if the other side is configured with switchport mode dynamic desirable, or if the other side is configured with switchport mode trunk and switchport nonegotiate is not applied.

From the output above, the following line correlates to the access port configuration:

Whether a switch port is statically set (or negotiated) as an access port or not, this attribute exists and is configurable via the switchport access vlan <#> command. Of course, it doesn’t affect the behavior of the switchport unless the switchport becomes an access port.

A potential use case is if you are transitioning a port from a trunk port to an access port, you can “preset” the access-port VLAN so that once you apply the switchport mode access command, it is already in the appropriate VLAN.

In any case, notice the default configuration has every switchport in VLAN 1.

A switch is a device which facilitates communication within networks. You can take a Cisco switch and simply connect two hosts and everything will “just work”. It will do so because all the ports start in VLAN 1, so there is no L2 segregation between the switch ports in the switch’s default configuration. This lines up with Cisco’s goal of making their switches “plug and play”.

Lastly, the following lines in the output above correlate to the trunk port configuration:

We discussed DTP earlier, but we did not mention that DTP also negotiates the encapsulation method.

Administrative Trunking Encapsulation indicates whether DTP will determine the encapsulation method or whether it is statically set via the switchport trunk encapsulation command.

Operational Trunking Encapsulation indicates the chosen or configured encapsulation method. If the port becomes a trunk port, there are only two options for this attribute: the ubiquitous 802.1q and the archaic ISL. On an access port, this line will display native (as above), indicating no VLAN tag will be added to traffic leaving this switch port.

Trunking Native Mode VLAN indicates the Native VLAN on the port. Once again, this setting will only take place if the port becomes a trunk port. This setting can be modified with the switchport trunk native vlan <#> command.

Trunking VLANs Enabled reflects the Allowed VLAN list applied to the port. ALL indicates no VLANs have been restricted from the trunk, and therefore every VLAN in the VLAN database will traverse down the trunk. As with the other trunk configurations, this has no effect if the port is in access mode.
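The fields walked through above can be checked mechanically. The following is an added example, not part of the original article: a small Python auditor that parses show interfaces switchport output and flags the defaults discussed here (dynamic DTP mode, DTP frames still being sent, access VLAN 1, unrestricted trunk VLAN list). The sample output is constructed, and the finding labels are hypothetical names chosen for this example.

```python
import re

# Constructed sample in the layout of `show interfaces switchport`; it was not
# captured from a real device. Et0/1 is an untouched default port, Et0/2 a
# static access port in VLAN 10, Et0/3 a static trunk that still runs DTP.
SAMPLE = """\
Name: Et0/1
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL

Name: Et0/2
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 10 (VLAN0010)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL

Name: Et0/3
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: 20,30
"""

# Hypothetical finding labels mapped to the commands discussed in the article.
REMEDIATION = {
    "DTP_DYNAMIC": "switchport mode access | switchport mode trunk",
    "DTP_FRAMES_SENT": "switchport nonegotiate",
    "ACCESS_VLAN_1": "switchport access vlan <#>",
    "TRUNK_ALL_VLANS": "switchport trunk allowed vlan <list>",
}


def parse_switchport(text):
    """Split the output into one {field: value} dict per interface."""
    ports, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank line or a line without a field name
        key, value = key.strip(), value.strip()
        if key == "Name":
            current = {"Name": value}
            ports.append(current)
        elif current is not None:
            current[key] = value
    return ports


def vlan_id(value):
    """Return the leading VLAN number of a value such as '1 (default)'."""
    match = re.match(r"\d+", value)
    return int(match.group()) if match else None


def audit_port(port):
    """Return the list of finding labels for one parsed interface."""
    findings = []
    admin = port.get("Administrative Mode", "").lower()
    oper = port.get("Operational Mode", "").lower()
    negotiating = port.get("Negotiation of Trunking", "").lower() == "on"
    may_trunk = admin.startswith("dynamic") or "trunk" in admin

    if admin.startswith("dynamic"):
        findings.append("DTP_DYNAMIC")      # the far side decides trunk vs access
    elif negotiating:
        findings.append("DTP_FRAMES_SENT")  # static mode, but still advertised
    if "access" in oper and vlan_id(port.get("Access Mode VLAN", "")) == 1:
        findings.append("ACCESS_VLAN_1")    # left in the shared default VLAN
    if may_trunk and port.get("Trunking VLANs Enabled", "").upper() == "ALL":
        findings.append("TRUNK_ALL_VLANS")  # every VLAN would cross the trunk
    return findings


def audit(text):
    """Map each interface name to its findings."""
    return {p["Name"]: audit_port(p) for p in parse_switchport(text)}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        for label in findings:
            print(f"{name}: {label} -> {REMEDIATION[label]}")
```
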

Configuring VLANs — Summary

This article is meant to follow the article discussing VLANs as a concept. The focus of this article was to understand the different configuration and verification commands that exist to modify or validate how a switch is behaving with regard to its VLANs.

As with all written guides, practice is key. We encourage you to build out the topology above in a lab or emulator (GNS3 / Packet-Tracer) and to practice configuring VLANs using the commands described above.

If you want an additional challenge, build out the topology in the VLAN Challenge from the other article. Note, you will need to disable CDP and DTP on most of your interfaces to avoid warnings.

If you are able to successfully build out that topology (as well as answer the two challenge questions in the previous article), then you can rest assured knowing you have mastered the concept of Configuring VLANs on Cisco switches.


The Post was Awesome!!

Hi, very helpful this post. I have a question, what software use to drar the network diagrams?.

I meant “draw”

Hi Cesar, glad you enjoyed the post. I draw and animate everything in PowerPoint (don’t laugh! ;p). If I need clipart, I grab them from openclipart.org.

Thanks for this great article, I have shared it on Facebook.

Thanks for the share! I’m glad you liked the article!

Yes wonderful article. I have shared on FB as well! One question if you could be so kind to provide some insight. When you issue Switchport Trunk Allowed VLAN 20, 30 on an interface is the native VLAN automatically applied (say it’s still default VLAN 1) or do you need to also add it to the allowed list in order for the trunk to pass I tagged traffic?

Hi Brandon,

Good Question. It is best to think of the Native VLAN and the Allowed VLAN List as two independent functions.

The Native VLAN configuration determines which VLAN traverses a Trunk link without a VLAN Tag. The Allowed VLAN List determines which VLANs are allowed to traverse a trunk.

If the Allowed VLAN List is only allowing VLAN 20 and 30, then only those VLANs can traverse the trunk. If the Native VLAN happens to be 10, then it will not be allowed across the trunk.

Hope this helps!

Nice article. Guess the routers may confuse some people as they are not to work like that without any L3 redundancy.

Thanks so much for this great article! It really clarifies vlans in the Cisco world. Although I’ve worked with vlans, I’ve not worked with Cisco switches in years. Do you really have to add access ports one at a time? Is there a command to add a group of ports? Example using another vendor on a VoIP vlan: #conf vlan VoIP add ports 1:1-48 tagged Is there a similar command for Cisco switches? If not, it seems that adding access ports would be tedious on a switch stack.

Hi Dav1917. You have the option of using the interface range to apply commands to multiple interfaces at the same time. Here is an example of configuring multiple Access ports at once.

Thank you, Ed! That is awesome – and a relief.

Mate article is amazing and so so helpful thank you. One thing – above the ‘show interfaces status’ heading, you’ve repeated the quick intro paragraph, probs should be deleted. It’s like –

intro paragraph incorrectly placed ‘show interfaces status’ heading repeated intro paragraph but correctly placed

Thanks again, it will be you I thank in my CCNA acceptance speech!

Hi Rozak. Yikes, no clue how that slipped through, but good catch! I’ve fixed it. Thanks!

Glad you enjoyed the article and I’m looking forward to your CCNA acceptance speech =)

Hi, great tutorial! Somehow I can’t get “Switch(config-if)# switchport trunk encapsulation dot1q” this command done in my switch, I just got 2 choices which are access/native after I typed “Switch(config-if)# switchport trunk”, it doesn’t link to “encapsulation dot1q”, any thought?

Switches that do not support ISL do not require designating the use of 802.1q.

If the switchport trunk encapsulation dot1q command is not applying, it is likely your switch only supports 802.1q.

This is great. Can I get a copy of the same in my email?

Hello Ed Harmoush

I have the following query: what will happen if the frame comes to an access port, and what will happen if the same frame comes to a trunk port?

e.g. will the access port retag the frame with the number of the VLAN that has been assigned to it (for example vlan access 10), or will it drop the packet?

Informative article, exactly what I was looking for.

It helped me a great deal, thank you very much.

In the description of the Show interface Trunk cmd, Vlan 1 is not showing in the allowed VLANs as well as in the VLANs active in management domain section for the ports Et2/1 and 2/2. Reason?

Hi Jaseer. Because VLAN 1 was not added to the Allowed VLAN List:

https://www.practicalnetworking.net/stand-alone/configuring-vlans/#trunk_allowed_vlans

Hello Ed Harmoush,

Thank you for this wonderful article and great explanation. One thing – Under the heading “Show interfaces switchport” there is a table which describes each line of output. In the last row, “Notice SwitchX’s trunk port was limited to just VLANs 20 and 30, and this is reflected in the output above.” I think that’s not SwitchX’s trunk port, that’s SwitchY’s trunk port. Thank you.

Good catch! Thank you. I fixed it. =)

Great post! Very helpful. Good job.

I found this article to be very informative, thank you for this. I see it’s a couple years old already, yet still relevant.

Informative thread. Thanks for sharing…


Cisco Catalyst SD-WAN Systems and Interfaces Configuration Guide, Cisco IOS XE Catalyst SD-WAN Release 17.x


Chapter: Layer 2 VPN

  • Information About Layer 2 VPN Support Within the Cisco Catalyst SD-WAN Overlay Network
  • Supported Platforms for Layer 2 VPN
  • Restrictions for Layer 2 VPN
  • Configure an L2VPN on a Cisco IOS XE Catalyst SD-WAN Device Using CLI Template or CLI Add-On Feature Template
  • Configure Point-to-Point Layer 2 VPN Using CLI Template or CLI Add-On Feature Template
  • Configure Point-to-Multipoint Layer 2 VPN Using CLI Template or CLI Add-On Feature Template
  • Configure Layer 2 VPN Switchport
  • Advanced Layer 2 Configuration
  • Verify a Layer 2 VPN Using CLI
  • Monitor Configured Layer 2 VPN Using CLI

The Cisco Catalyst SD-WAN solution provides Layer 3 services with security, segmentation, and scalability across the overlay network. Considering the importance of Layer 2 (L2) connectivity, particularly for legacy systems and non-IP applications, Layer 2 services are supported within the Cisco Catalyst SD-WAN overlay network. L2VPN support enables using legacy applications that require Layer 2 connectivity in the Cisco Catalyst SD-WAN fabric.

Starting from Cisco IOS XE Catalyst SD-WAN Release 17.14.1a, the following L2VPN features are supported:

Point-to-point L2VPN Service (P2P)

Point-to-Multipoint L2VPN Service (P2MP)

Single homing

Flood and Learn in WAN and LAN

Ingress replication for Broadcast, Unknown-unicast and Multicast (BUM)

Full mesh topology only

Network Topology for Layer 2 Connections


This illustration shows three sites and shows P2P (green line) and P2MP (red lines) connections between edge routers at the sites.

Point-to-Point (P2P): Connects sites 500 and 502 with a dedicated Layer 2 VPN. The L2VPN between the two sites allows Host 1 and Host 2 to interact.

Point-to-Multipoint (P2MP): Connects sites 500, 502, and 503 with Layer 2 VPN. Host 1 communicates with both Host 2 and Host 3 across a Layer 2 multipoint network.

Minimum software releases: Cisco IOS XE Catalyst SD-WAN Release 17.14.1a

All Cisco IOS XE Catalyst SD-WAN devices.

Minimum software releases: Cisco IOS XE Catalyst SD-WAN Release 17.14.1a and Cisco Catalyst SD-WAN Control Components Release 20.14.1

Hub-and-spoke topology is currently not supported for L2VPN.

Minimum supported releases: Cisco IOS XE Catalyst SD-WAN Release 17.14.1a and Cisco Catalyst SD-WAN Control Components Release 20.14.1

This section provides CLI configurations to configure L2VPN on a Cisco IOS XE Catalyst SD-WAN device.

Before You Begin

When configuring a device to support L2VPN services, we recommend using a single CLI add-on template for all the required configuration commands. The tasks are described separately, but you can combine the configuration commands into one template.

To configure L2VPN on an edge device, configure an instance, a bridge-domain, and an interface. Add the configuration pieces, as shown in the following configuration, into your CLI add-on feature template or CLI template.

Configure an L2VPN Instance, Bridge-Domain, and Interfaces

Configure an L2VPN instance for P2P and P2MP connections.

The instance ID is a unique identifier for each L2VPN connection, and must not overlap or be shared with any L3 VRFs in the Cisco Catalyst SD-WAN fabric. For example, you cannot use L2VPN instance 10 and vrf definition 10.

Configure a bridge-domain.

If you have not configured rewrite under service instance, dot1q must be the same at all sites participating in the Layer 2 network. For more information on configuring rewrite, see Advanced Layer 2 Configuration.

For more information about the preceding commands, see Cisco IOS XE SD-WAN Qualified Command Reference.

Minimum supported releases: Cisco Catalyst SD-WAN Manager Release 20.14.1, Cisco IOS XE Catalyst SD-WAN Release 17.14.1a

For more information about using CLI templates, see CLI Add-On Feature Templates and CLI Templates.

By default, CLI templates execute commands in global config mode.

You can use one L2VPN instance ID for one or more bridge domains. To identify a particular bridge-domain, use the Virtual Circuit (VC) ID. This ID is the identifier of the virtual circuit between the Cisco IOS XE Catalyst SD-WAN devices. It must be the same at both ends of the circuit.

To create a P2P pseudowire, the L2VPN instance ID and VC ID must be the same on different Cisco IOS XE Catalyst SD-WAN devices.

Remote-site-id is only supported for P2P configuration.

The difference between P2P and P2MP is that, in P2MP there are no target sites.

This section provides the CLI configuration to configure P2P L2VPN services between two sites (sites A and B) on the Cisco Catalyst SD-WAN overlay network.

Configure an Edge Router at Site A

Site A uses an edge router and connects the Ethernet interface to the L2 network that bridges to Site B.

  • Define the L2VPN instance for point-to-point service:
      l2vpn sdwan instance instance-id point-to-point

Configure the Ethernet interface:

  • Define the bridge domain and associate it with the interface and L2VPN instance:
      bridge-domain bridge-id
       member vlan-name service-instance instance-id
       member sdwan instance instance-id remote-site remote-site-id vc-id virtual-circuit-id single homing

Configure an Edge Router at Site B

Site B uses an edge router and Switchport Ethernet interface.

  • Define the VLAN for the L2VPN:
      vlan vlan-id
       name L2vpn
  • Configure the VLAN interface:
      interface interface-name
       service instance instance-id ethernet
        encapsulation dot1q vlan-id
       no shutdown
  • Configure the Ethernet interface as an access port for VLAN:
      interface interface-name
       switchport access vlan vlan-id
  • Define the bridge-domain for Site B and associate it with the VLAN and L2VPN instance:
      bridge-domain bridge-id
       member vlan-name service-instance instance-id
       member sdwan instance instance-id remote-site remote-site-id vc-id virtual-circuit-id single homing

Site 500 is using a Cisco Catalyst 8000V Edge Software, where GigabitEthernet5 is connected to the Layer 2 network that bridges to Site 502.

Use Switchport GigabitEthernet 0/1/7 at Site 502 with a Cisco ISR1100-8P.

After configuring the point-to-point L2VPN service on both sites, you can integrate these configuration blocks into your CLI Template or CLI Add-On Feature Template. This template can then be used to deploy the configuration across the relevant devices in the Cisco Catalyst SD-WAN fabric. Verify the connectivity and functionality of the L2VPN service following the deployment to confirm that the bridge between Site 500 and Site 502 is operational.

One L2VPN instance ID can be used by one or more bridge domains. VC ID is used to identify a particular bridge-domain.

L2VPN instance ID and VC ID must be the same on different edge devices.
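The consistency rules stated above (instance ID not shared with an L3 VRF, matching instance ID and VC ID at both ends of a P2P circuit, remote-site only on P2P) can be checked before a template is deployed. The following Python check is an added example, not Cisco code: it reads the command forms as they are written on this page, the site IDs 500 and 502 come from the page, and the instance and VC numbers, the template text and the finding labels are constructed for illustration.

```python
import re


def site_template(instance, remote_site, vc_id, extra=""):
    """Build a constructed P2P template using the command forms from this page."""
    return f"""\
{extra}
l2vpn sdwan instance {instance} point-to-point
interface GigabitEthernet5
 service instance {instance} ethernet
  encapsulation dot1q {instance}
 no shutdown
bridge-domain {instance}
 member GigabitEthernet5 service-instance {instance}
 member sdwan instance {instance} remote-site {remote_site} vc-id {vc_id} single homing
"""


# Constructed fabrics keyed by site ID. BAD reuses 100 as a VRF and has a
# VC ID that differs between the two ends.
GOOD = {500: site_template(100, 502, 100), 502: site_template(100, 500, 100)}
BAD = {500: site_template(100, 502, 100, extra="vrf definition 100"),
       502: site_template(100, 500, 101)}


def parse_template(text):
    """Extract L2VPN instances, VRF names and sdwan bridge-domain members."""
    cfg = {"instances": {}, "vrfs": set(), "members": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"l2vpn sdwan instance (\d+) (point-to-point|multipoint)$", line):
            cfg["instances"][int(m[1])] = m[2]
        elif m := re.match(r"vrf definition (\S+)$", line):
            cfg["vrfs"].add(m[1])
        # A hyphenated "sdwan-instance" spelling is also accepted (assumption).
        elif m := re.match(
                r"member sdwan[ -]instance (\d+)(?: remote-site (\d+))? vc-id (\d+)", line):
            cfg["members"].append({"instance": int(m[1]),
                                   "remote": int(m[2]) if m[2] else None,
                                   "vc": int(m[3])})
    return cfg


def check_fabric(sites):
    """Return (site, label, instance) findings for a {site_id: template} dict."""
    parsed = {sid: parse_template(text) for sid, text in sites.items()}
    all_vrfs = set().union(*(cfg["vrfs"] for cfg in parsed.values()))
    findings = []
    for sid, cfg in sorted(parsed.items()):
        for inst in sorted(cfg["instances"]):
            if str(inst) in all_vrfs:  # ID shared with an L3 VRF in the fabric
                findings.append((sid, "INSTANCE_VRF_OVERLAP", inst))
        for mem in cfg["members"]:
            kind = cfg["instances"].get(mem["instance"])
            if kind is None:
                findings.append((sid, "UNDEFINED_INSTANCE", mem["instance"]))
            elif kind == "multipoint" and mem["remote"] is not None:
                findings.append((sid, "REMOTE_SITE_ON_P2MP", mem["instance"]))
            elif kind == "point-to-point":
                peer = parsed.get(mem["remote"])
                # The far end must point back with the same instance and VC ID.
                matched = peer is not None and any(
                    p["instance"] == mem["instance"] and p["vc"] == mem["vc"]
                    and p["remote"] == sid for p in peer["members"])
                if not matched:
                    findings.append((sid, "P2P_PEER_MISMATCH", mem["instance"]))
    return findings


if __name__ == "__main__":
    for name, fabric in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_fabric(fabric) or "consistent")
```
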

The following section provides steps for configuring P2MP L2VPN over the Cisco Catalyst SD-WAN overlay, connecting a local Layer 2 network at site A to multiple remote sites (B and C). Site A uses a Gigabit Ethernet interface to connect to the Layer 2 network for bridging.

Configure an Edge Router at Sites A, B, and C

Site A is using an edge router, where an Ethernet interface is connected to the Layer 2 network that bridges to Site B and Site C.

  • Define the L2VPN instance for the multipoint service on the data center router:
      l2vpn sdwan instance instance-id multipoint

Configure the Ethernet interface on the data center router:

  • Define the bridge-domain on the data center router and associate it with the interface and L2VPN instance:
      bridge-domain bridge-id
       member vlan-name service-instance instance-id
       member sdwan instance instance-id remote-site remote-site-id vc-id virtual-circuit-id single homing

Configuration for an Edge Router at Site B

  • Define the L2VPN instance for multipoint service on the branch router:
      l2vpn sdwan instance instance-id multipoint
  • Define the VLAN for the L2VPN on the branch router:
      vlan vlan-id
       name L2vpn
  • Configure the VLAN interface on the branch router:
      interface interface-name
       service instance instance-id ethernet
        encapsulation dot1q vlan-id
       no shutdown
  • Configure the Ethernet interface on the branch router as an access port for VLAN:
      interface interface-name
       switchport access vlan vlan-id
  • Define the bridge-domain on the branch router and associate it with the VLAN and L2VPN instance:
      bridge-domain bridge-id
       member vlan-name service-instance instance-id
       member sdwan instance instance-id remote-site remote-site-id vc-id virtual-circuit-id single homing

Configuration for an Edge Router at Branch Router C

Repeat the same steps as for branch router B, substituting the specific interface used on router C. In this example, we have used the Ethernet interface.

This section provides an example configuration for P2MP L2VPN service within the Cisco Catalyst SD-WAN overlay network, connecting a local Layer 2 network at site 500 to multiple remote sites (502 and 503). Site 500 uses GigabitEthernet6 interface to connect to the L2 network for bridging.

Verify the connectivity and functionality of the P2MP L2VPN service and ensure that all sites are correctly bridged.

Site 500 is using a Cisco Catalyst 8000V edge router, where GigabitEthernet6 is connected to the Layer 2 network that bridges to site 502 and site 503.

Configuration for the branch router 502:

Configure Branch Router 503:

Repeat the same steps as for branch router 502, substituting the specific interface used on router 503. In this example, we have used the GigabitEthernet 0/1/6 interface.

Minimum supported releases: Cisco IOS XE Catalyst SD-WAN Release 17.14.1a, Cisco Catalyst SD-WAN Control Components Release 20.14.1

If your device has embedded switchports such as Cisco ISR1121-8P or similar and you want to use one of them for the L2VPN services, then you need to configure a VLAN interface first and then assign that VLAN to your switchport as described in this section.

To support a Layer 2 switchport, configure a service instance in the VLAN interface. In the VLAN interface, a packet always has the dot1q tag even when the Layer 2 switchport is configured with switchport mode access. Therefore, the dot1q tag is mandatory in the service instance of the VLAN interface.

The following section provides steps to configure a Layer 2 switchport for P2MP (applicable for devices with embedded switchports). You can also configure a Layer 2 switchport for P2P by updating the L2VPN instance command.

Configure an Edge Router at Sites A, B, and C

Site A is using an edge router, where the Ethernet interface is connected to the Layer 2 network that bridges to Site B and Site C.

  • Define the L2VPN instance for multipoint service on the branch routers:
      l2vpn sdwan instance instance-id multipoint
  • Define the VLAN for the L2VPN on the branch routers:
      vlan vlan-id
       name L2vpn

Configure the Ethernet interface on the routers:

  • Set the switch port access VLAN and switchport mode to access to accept traffic only from the specified VLAN:
      switchport access Vlan vlan-id
      switchport mode access
  • Configure the VLAN interface on the router and disable the IP address assignment:
      interface interface-name
       no ip address
       service instance instance-id ethernet
        encapsulation dot1q vlan-id

For advanced Layer 2 configuration options such as 802.1Q tunneling (Q-in-Q), or rewrite, you need to configure Ethernet Virtual Connections (EVCs) on edge routers (Cisco ASR 1000 Series). EVC is a Layer 2 platform-independent bridging architecture that supports Ethernet services. For more information about configuring an EVC, see Configuring Ethernet Virtual Connections on a Cisco Router.

Show L2VPN Status

The following command shows the details of a specific local instance.

The following command shows the remote peer information, system ip, color, status, and so on.

Show L2VPN Information in OMP on a Cisco IOS XE Catalyst SD-WAN Device

The following command shows Layer 2 routes learned through OMP from all VPNs across the Cisco Catalyst SD-WAN fabric.

The following command shows specific L2-routes learned in that VPN ID tied to the L2 instance on the Cisco IOS XE Catalyst SD-WAN devices.

The following command shows the specific L2-route or path learned in the specific VPN and virtual circuit.

The following is a sample output from the show omp l2-routes command displaying Layer 2 routes learned through OMP from all VPNs across the Cisco Catalyst SD-WAN fabric.

Show L2VPN Information in OMP on a Cisco Catalyst SD-WAN Controller

The following command shows specific L2-routes learned in that VPN ID tied to the L2 instance on the Cisco SD-WAN Controllers.

The following is a sample output from the show omp l2-routes command displaying Layer 2 routes learned through OMP for Cisco Catalyst SD-WAN Controllers.

Show Bridge-Domain Information

The following is a sample output from the show platform software sdwan ftmd bridge-domain command that displays information related to bridge domains within the context of Forwarding Table Management Daemon (FTMD).

Show Cisco Catalyst SD-WAN Flood List Information and Packet Counters in Data Plane

Show packet counters in data plane.

The following is a sample output from the show l2vpn sdwan all command. The following examples show the configuration and status information for L2VPN instances within a Cisco Catalyst SD-WAN overlay network. The output includes details for both point-to-point (P2P) and point-to-multipoint (P2MP) topologies.

The following is a sample output from the show l2vpn sdwan instance instance-id vc-id vc-id peers command. The following examples show information about a specific Cisco Catalyst SD-WAN L2VPN instance (instance 200) and its associated virtual circuit (vc-id 200), including details about its peer connections.


Sample configuration of Windows virtual machine VLAN Tagging (VGT Mode) in ESX

Article ID: 324529

  • 802.1Q VLAN trunking driver is required inside the virtual machine
  • 64bit Windows guest operating system automatically loads the 802.1q E1000 driver
  • 32bit guest Operating Systems require manual configuration of the VMX file to point to the E1000 driver
  • Physical switch is set to trunk mode by using VLAN ID 4095
  • Windows: Only 64-bit Windows ships with the E1000 Drivers

Configuration of VirtualSwitch (vSwitch)

To set a standard vSwitch portgroup to trunk mode:

  • Edit host networking via the Virtual infrastructure Client.
  • Navigate to Host > Configuration > Networking > vSwitch > Properties .
  • Click Ports > Portgroup > Edit .
  • Click the General tab.
  • Set the VLAN ID to 4095. A VLAN ID of 4095 represents all trunked VLANs.

To set a distributed vSwitch portgroup to trunk mode:

  • Navigate to Home > Inventory > Networking .
  • Right-click on the dvPortGroup and select Edit Settings .
  • Within that dvPortGroup, go to Policies > VLAN .
  • Set VLAN type to VLAN Trunking and specify a range of VLANs or a list of VLANs to be passed to the virtual machines connected to this portgroup. Note: To improve security, virtual Distributed Switches allow you to specify a range or selection of VLANs to trunk rather than allowing all VLANs via VLAN 4095.

Configuration of Windows TCP/IP

  • Download the e1000 NIC drivers from the Intel website into the 32-bit Windows virtual machine. Note: The preceding link was correct as of September 15, 2015. If you find the link is broken, provide feedback and a VMware employee will update the link.  
  • Power off the virtual machine.
  • Configure the virtual machine to use the e1000 virtual NIC. Enter a new line (or replace the existing virtual NIC) in the .vmx file of the virtual machine:
      Ethernet<n>.virtualDev = "e1000"
    Replace <n> with the number of the Ethernet adapter. For example, the entry for the first Ethernet adapter, which has number 0, is:
      Ethernet0.virtualDev = "e1000"
  • Power on the virtual machine.
  • Configure the e1000 network connection.


  • Download ProWinx64 from Intel, located here: Network Adapter Driver for Windows. Note: Intel has moved some drivers to historical status. If the above link does not have the correct driver, see this link for specific driver versions: http://www.intel.com/support/network/sb/CS-023752.htm?wapkw=e1g6032e Note: The preceding link was correct as of September 15, 2015. If you find the link is broken, provide feedback and a VMware employee will update the link.
  • Run this command to extract the downloaded Intel drivers to the temp folder:
      Prowinx64.exe /s /e /f "C:\temp"
    If 7zip is installed, run this as an alternate command in Windows PowerShell:
      Get-ChildItem "*.exe" | foreach { C:\Windows\System32\7z.exe e -y $_.fullname }
  • Right-click the network adapter and click Update Driver Software .
  • Click Browse my computer for driver software .
  • Click Let me pick from a list of device drivers on my computer .
  • Click Have Disk .
  • Click Browse .
  • Browse to C:\temp\pro1000\winx64\ndis61\e1g6032e.inf .
  • Click Next to install the driver.
  • Repeat Steps 2-8 for each network adapter you have for the virtual machine.
  • After all the adapters are updated, run the Intel setup program. You should now be able to install the advanced network services software with VLANs.
  • You can also find the instructions in the manual/readme file for the driver.
  • The Intel driver download contains ProWin64.exe . This is not a separate install.
  • This process applies to the vmxnet3 driver as well. However, to have multiple VLANs you need to use multiple vmxnet3 NICs.


  10. Cisco Content Hub

    VLAN Assignment by Name. This feature provides the ability for the RADIUS server to assign an 802.1x client to a VLAN identified by name. This module describes how to configure wireless VLANs on a Cisco 800, 1800, 2800, or 3800 series integrated services router (ISR), hereafter referred to as an access point (AP).

  11. Show Vlan Brief Command on CISCO Router/Switch

    Command. Show Vlan Brief. Use. Shows a basic summary of the VLAN information on the switch. Syntax. Switch#show vlan brief. Example. Here is the show vlan brief output for SW3. SW3#show vlan brief VLAN Name Status Ports —- ——————————- ——— ——————————- 1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4 Fa0/5, Fa0/6, Fa0/7, Fa0/8 Fa0/9, Fa0/10, Fa0/11 ...

  12. Cisco Catalyst SD-WAN Systems and Interfaces Configuration Guide, Cisco

    Cisco Catalyst SD-WAN Systems and Interfaces Configuration Guide, Cisco IOS XE Catalyst SD-WAN Release 17.x . Bias-Free Language. Bias-Free Language. The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on ...

  13. Sample configuration of Windows virtual machine VLAN ...

    Set the VLAN ID to 4095. A VLAN ID of 4095 represents all trunked VLANs. Click OK. To set a distributed vSwitch portgroup to trunk mode: Edit host networking via the Virtual infrastructure Client. Navigate to Home > Inventory > Networking. Right-click on the dvPortGroup and select Edit Settings. Within that dvPortGroup, go to Policies > VLAN.