Skip to content
AsterNOS
Ask AI

VLAN Configuration

show vlan summary

Section titled “show vlan summary”

[Command]

show vlan summary

[Purpose]

Display VLAN summary information

[View]

System view

[Use Cases]

sonic# show vlan summary
+-----------+----------------+-----------+----------------+---------------------+
| VLAN ID   | IP Address     | Ports     | Port Tagging   | DHCP Helper Address |
+===========+================+===========+================+=====================+
| 1000      | 192.168.0.1/21 | Ethernet0 | untagged       | 192.0.0.1           |
|           |                | Ethernet1 | untagged       | 192.0.0.2           |
|           |                | Ethernet2 | untagged       | 192.0.0.3           |
|           |                | Ethernet3 | untagged       | 192.0.0.4           |
+-----------+----------------+-----------+----------------+---------------------+

Description of the

ItemDescription
VLAN IDVLAN ID
IP addressIP address for SVI interface
PortsVLAN member interface
Port TaggingVLAN member interface properties
DHCP Helper AddressIf the device has DHCP relay enabled and this VLAN is added as a downlink interface to a DHCP instance, then this section displays the DHCP Server IP address for that instance.

show vlan vid

Section titled “show vlan vid”

[Command]

show vlan vid vlan_id

show vlan all

[Purpose]

Display VLAN specific information

[View]

System view

[Use Cases]

sonic# show vlan vid 300
VLAN ID: 300
Route interface:
Name: VLAN 300
Tagged ports:
Untagged ports:
  Ethernet1
MAC-learning: enable

show vlan mac-trigger

Section titled “show vlan mac-trigger”

[Command]

show vlan mac-trigger [ vlan_id ]

[Purpose]

Show all VLAN mac-trigger details

[View]

System view

[Use Cases]

sonic# show vlan mac-trigger
+----------+----------+
| VLANID   | STATUS   |
+==========+==========+
| 10       | enabled |
+----------+----------+
sonic# show vlan mac-trigger vlan-id 10
+----------+----------+
| VLANID   | STATUS   |
+==========+==========+
| 10       | enabled  |
+----------+----------+

show counters vlan

Section titled “show counters vlan”

[Command] show counters vlan

[Purpose] Show statistics based on VLAN

[View] System View

[Use Cases]

Terminal window
sonic# show counters vlan
  IFACE    RX_OK     RX_PPS    TX_OK    TX_PPS
-------  -------  ---------  -------  --------
  Vlan9    71601  7159.69/s        0    0.00/s

show vlan bum action

Section titled “show vlan bum action”

[Command] show vlan bum action

[Purpose] Show BUM configuration based on VLAN

[View] System View

[Use Cases]

Terminal window
sonic# show vlan bum action
VLAN ID    Broadcast    Unknown-uni    Unre-multi
---------  -----------  -------------  ------------
Vlan10     flood        drop           flood
Vlan20     drop         flood          drop
Vlan500    flood        flood          flood

show vlan pool

Section titled “show vlan pool”

[Command] show vlan pool

[Purpose] Show VLAN pool configuration

[View] System View

[Use Cases]

Terminal window
sonic# show vlan pool
Pool Name    Assignment    VLAN IDs
-----------  ------------  ----------
a            even          10-15
b            hash          16-20

vlan

Section titled “vlan”

[Command]

vlan vlan_id

no vlan vlan_id

[Purpose]

Create VLAN

[Parameter]

ParameterDescription
vlan-idvid(1-4094)

[View]

System configuration view

[Use Cases]

sonic# configure terminal
sonic(config)# vlan 300
sonic(config-vlan-300)# show this
!
vlan 300

vlan pool

Section titled “vlan pool”

[Command]

vlan pool* name*****no vlan pool* name*

[Purpose]

Create a VLAN Pool for use in dynamic VLAN authorization scenarios with Dot1x.

[Parameter]

ParameterDescription
namePool name by string

[View]

System Configuration View

[Usage Scenario]

In a Dot1x authenticated wired network, after authentication succeeds, the authentication server authorizes a VLAN by returning a pool_name to the switch. The switch then dynamically selects a VLAN from the VLAN Pool according to an algorithm and adds it as an access VLAN to the terminal’s physical port.

[Comment]

If a VLAN exists in a VLAN Pool, you must first remove it from the VLAN Pool before deleting it in the system view; otherwise, deletion will fail. Similarly, before binding a VLAN to a VLAN Pool, you must first create the VLAN in the system view. When Dot1x authorizes a VLAN, the switch resolves the authorized VLAN in the order of VLAN Name → VLAN Pool → VLAN ID, and then binds it to the physical interface.

[Use Cases]

sonic# configure terminal
sonic(config)# vlan pool aaa
sonic(config-vlan-pool-aaa)# vlan 10-20,30-40

assignment pool {even|hash}

Section titled “assignment pool {even|hash}”

[Command]

assignment {even|hash} no assignment {even|hash}

[Purpose]

Configure the dynamic VLAN allocation algorithm within the VLAN Pool.

[Parameter]

ParameterDescription
evenAllocate VLANs in round-robin mode (default method)
hashAllocate VLANs based on hash calculation using the terminal’s MAC address

[View]

VLAN View

[Comment]

When using round-robin allocation, if members are added to or removed from the VLAN Pool, the allocation restarts from the beginning, but previously assigned VLANs remain unaffected. When using hash-based allocation, if members are added to or removed from the VLAN Pool, previously assigned VLANs are affected, and terminals will be re-assigned a VLAN via hash calculation upon re-authentication.

[Use Cases]

sonic# configure terminal
sonic(config)# vlan pool aaa
sonic(config-vlan-pool-aaa)# assignment hash

name

Section titled “name”

[Command]

name* string*no name[Purpose] Configure the VLAN name for use in dynamic VLAN authorization scenarios with Dot1x.[Parameter]|Parameter|Description | | ------------------ | ------------------- | | *string * | VLAN name by string |

[View]

VLAN View

[Usage Scenario]

In a Dot1x authenticated wired network, after authentication succeeds, the authentication server authorizes a VLAN by returning a string (name) to the switch. The switch then adds the corresponding VLAN as an access VLAN to the terminal’s physical port based on this name.

[Comment]

When Dot1x authorizes a VLAN, the switch resolves the authorized VLAN in the order of VLAN Name → VLAN Pool → VLAN ID and then binds it to the physical interface.

[Use Cases]

sonic# configure terminal
sonic(config)# vlan 10
sonic(config-vlan-10)# name test

switchport {trunk|access} vlan

Section titled “switchport {trunk|access} vlan”

[Command]

switchport {trunk|access} vlan vlan_id

[Purpose]

Add interface to VLAN

[Parameter]

ParameterDescription
trunkAdd interface to VLAN with trunk mode
accessAdd interface to VLAN with access mode

[View]

Interface view

[Usage Scenario] Frames sent by user hosts are untagged, and frames received by the interface from the peer device may be tagged. Therefore, the device should be configured with different modes when adding interfaces to VLANs, depending on the actual use case.

[Notes]

Access Mode: An interface can only be added to one VLAN in access mode. When an interface is added to a VLAN in access mode, as an incoming interface, it can receive frames without VLAN tags or with VLAN IDs equal to the access value. As an outgoing interface, it compares the VLAN tag carried by the frame with the access value. If they are equal, it strips the VLAN tag from the frame; if they are not equal, it takes no action. Trunk Mode: An interface can be added to multiple VLANs in trunk mode, indicating that it allows traffic to pass through without modifying the VLAN tag on the frame. A physical interface can be added to different VLANs in both access and trunk modes.

[Use Cases]

sonic(config)# interface ethernet 1
sonic(config-if-1)# switchport access vlan 10

vlan-group

Section titled “vlan-group”

[Command]

vlan-group vlan_id - vlan_id

[Purpose]

Bulk create VLANs and enter VLAN configuration view

[Parameter]

ParameterDescription
vlan_id - vlan_idSpecify the VLAN range

[View]

System configuration view

[Usage Scenario]

When there is a need to configure a large number of VLANs with similar properties, this command allows entering the VLAN creation process and VLAN configuration view for modifying the configuration of these VLANs.

[Use Cases]

sonic(config)# vlan-group 10-20,30,40

broadcast {flood|drop}

Section titled “broadcast {flood|drop}”

[Command]

broadcast {flood|drop}

[Purpose]

Configure broadcast function handling

[Parameter]

ParameterDescription
floodBroadcast packets within a VLAN
dropDrop broadcast packets

[View]

VLAN view

[Usage Scenario]

Broadcast forwarding is a method of sending a data packet to all devices within the same VLAN. It can be used for sending ARP requests, DHCP requests, and similar functions. In a VLAN, whether broadcast packets are forwarded can be configured on the switch.

[Use Cases]

sonic# configure terminal
sonic(config)# vlan 40
sonic(config-vlan-40)# broadcast drop

unknown-uni {flood|drop}

Section titled “unknown-uni {flood|drop}”

[Command]

unknown-uni {flood|drop}

[Purpose]

Configure the processing of unknown unicast packets

[Parameter]

ParameterDescription
floodBroadcast packets within a VLAN
dropDrop unknown unicast packets

[View]

VLAN view

[Usage Scenario]

Unknown unicast refers to unicast data packets for which the switch cannot determine the VLAN in which the destination MAC address resides. If a VLAN needs to receive unknown unicast data, it can be configured in unknown unicast forwarding mode. If a VLAN does not need to forward unknown unicast data packets within it, it can be configured in discard mode.

[Use Cases]

sonic# configure terminal
sonic(config)# vlan 40
sonic(config-vlan-40)# unknown-uni drop

unre-multi {flood|drop}

Section titled “unre-multi {flood|drop}”

[Command]

unre-multi {flood|drop}

[Purpose]

Configure the processing of unknown multicast packets

[Parameter]

ParameterDescription
floodBroadcast packets within a VLAN
dropDrop unknown multicast packets

[View]

VLAN view

[Usage Scenario]

Multicast is a method of sending packets to a group of devices in the same VLAN. It is used for multimedia streaming, routing protocols, and more. In a VLAN, multicast forwarding can be achieved by configuring the switch’s IGMP snooping feature. However, if you want to prevent the forwarding of unknown multicast within that VLAN, you can use the “drop” parameter for implementation.

[Use Cases]

sonic# configure terminal
sonic(config)# vlan 40
sonic(config-vlan-40)# unre-multi drop

mac-trigger enable

Section titled “mac-trigger enable”

[Command]

mac-trigger enable

no mac-trigger enable

[Purpose]

Enable the vlan mac-trigger function

[View]

VLAN view

[Usage Scenario]

This function is used in the fast migration scenario. The first packet sent by a terminal when migrating to a new device may not be an ARP/ND packet and cannot trigger the ARP/ND learning function. After enabling this command, when the MAC address of the terminal does not exist in the MAC address table on the device, the device can trigger mac-trigger to learn the neighbor table entry when it receives an IP packet from the terminal to complete the online operation of the terminal. Usually used in combination with DHCP Snooping and other features to ensure security.

[Use Cases]

sonic# configure terminal
sonic(config)# vlan 40
sonic(config-vlan-40)# mac-trigger enable

batch-vlan-group

Section titled “batch-vlan-group”

[Command]

batch-vlan-group group_id

no batch-vlan-group group_id

[Purpose]

Configure the batch VLAN feature

[View]

System configuration view

[Usage Scenario]

When you need to create multiple VLANs and add interfaces in bulk, use the batch-vlan-group command to enter the batch VLAN view, which simplifies the configuration process.

[Notes]

VLANs created through batch-vlan can only be used for Layer 2 functionality. If you need to create an interface VLAN for Layer 3 operations, please still use the VLAN command to create the VLAN.

[Use Cases]

sonic# configure terminal
sonic(config)# batch-vlan-group 1
sonic(config-batch-vlan-group-1)#

switchport trunk ethernet

Section titled “switchport trunk ethernet”

[Command]

switchport trunk ethernet interface_name

no switchport trunk ethernet interface_name

[Purpose]

In the batch VLAN view, add interfaces in bulk

[View]

Batch-VLAN view

[Use Cases]

sonic# configure terminal
sonic(config)# batch-vlan-group 1
sonic(config-batch-vlan-group-1)# switchport trunk ethernet 8,10-52

vlan-ids

Section titled “vlan-ids”

[Command]

vlan-ids vlan_id

no vlan-ids vlan_id

[Purpose]

In the batch VLAN view, add vlan in bulk

[View]

Batch-VLAN view

[Notes]

Regular VLANs and Batch VLANs are mutually exclusive. To create VLANs or interface VLANs in the normal way, you need to remove the desired VLANs from the Batch VLAN.

[Use Cases]

sonic# configure terminal
sonic(config)# batch-vlan-group 1
sonic(config-batch-vlan-group-1)# switchport trunk ethernet 8,10-52
sonic(config-batch-vlan-group-1)# vlan-ids 1-1024

arp-trap enable

Section titled “arp-trap enable”

[Command]

arp-trap enable

no arp-trap enable

[Purpose]

Configure the ARP packets under this VLAN to only be sent to the CPU

[View]

VLAN view

[Use Cases]

sonic(config-vlan-1000)# arp-trap enable

isolate enable

Section titled “isolate enable”

[Command] isolate enable no isolate enable

[Purpose] Configure port-level Layer 2 isolation within the VLAN. Data packets incoming from service ports in this VLAN can only be forwarded through the VXLAN tunnel interface; data packets incoming from the VXLAN tunnel are forwarded normally by table lookup within the VLAN.

[View] VLAN view

[Use Cases]

Terminal window
sonic(config)# vlan 10
sonic(config-vlan-10)# isolate enable