What is Dynamic VLAN Assignment?

Written by Sean Blanton on May 24, 2021


When it comes to the modern enterprise, few things are more important than network and identity security. With bad actors lurking around every corner (and sometimes inside the organization itself), maintaining a strong, secure network and keeping credentials safe is of utmost importance to the IT admin. IT admins employ several network-securing tools and techniques today, especially during the global pandemic, but one that has been a foundational approach for many years is dynamic VLAN assignment. Since IT admins are dramatically stepping up the security of their IT environments, some are asking: what is dynamic VLAN assignment and how can it help secure the network?

Network Security with Dynamic VLAN Assignment

The simple answer is that dynamic VLAN assignment (or VLAN steering, as it is sometimes called) is a technique that builds on the core strategy of controlling network access. VLAN assignments build on the use of RADIUS to control access to the network.

Via RADIUS integration, a WiFi access point (WAP) requires not only an SSID and passphrase but also the user's own credentials to access the network. The WAP passes those credentials to the RADIUS server, which checks them against the directory service; the RADIUS server then replies to the WAP that the user is authenticated and tells it which VLAN the user is assigned to.

IT admins configure the system to identify which users and/or groups are assigned to which VLAN. Those VLANs can be set up on the WiFi network for any number of reasons including security and compliance. By segmenting users and authenticating them with their unique credentials, IT admins can increase security significantly. This approach helps separate out critical areas of the network, and can be especially helpful in compliance situations where, for example, the cardholder data environment (CDE) can be separated from the rest of the network making PCI Compliance far easier.
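The reply described above carries the VLAN in the standard RADIUS tunnel attributes (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=<VLAN ID>, as specified in RFC 3580). The following Python is an added example, not JumpCloud's or any vendor's code: it encodes those attributes as a server would and parses them as an access point must, honouring the assignment only when all three are present and consistent.

```python
# RADIUS attribute numbers and enumerations from RFC 2868 and RFC 3580.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_IEEE802 = 6    # Tunnel-Medium-Type value meaning "IEEE-802"
TUNNEL_ATTRS = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)


def _avp(attr_type, payload):
    """Encode one RADIUS attribute-value pair: type (1 byte), length (1 byte), value."""
    if len(payload) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, 2 + len(payload)]) + payload


def encode_vlan_attrs(vlan_id, tag=1):
    """Build the three tunnel attributes a RADIUS server places in an
    Access-Accept to steer the authenticated user onto VLAN `vlan_id`.
    Tunnel attributes carry a 1-byte tag (1..31) in front of the value so the
    access point can group the attributes that describe one tunnel."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    if not 1 <= tag <= 0x1F:
        raise ValueError("tag must be 1..31")
    t = bytes([tag])
    # Integer-valued tunnel attributes are tag + 3-byte big-endian value.
    return (_avp(TUNNEL_TYPE, t + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + _avp(TUNNEL_MEDIUM_TYPE, t + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
            + _avp(TUNNEL_PRIVATE_GROUP_ID, t + str(vlan_id).encode("ascii")))


def _iter_avps(data):
    """Walk a byte string of attribute-value pairs, rejecting malformed lengths."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        yield attr_type, data[pos + 2:pos + length]
        pos += length


def _split_tag(value):
    """Return (tag, body). A first byte above 0x1F is data, not a tag (tag 0)."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def assigned_vlan(attrs):
    """Return the VLAN ID an access point should apply from the attributes of
    an Access-Accept, or None when no complete, consistent VLAN tunnel is
    present. Only a tunnel whose type is VLAN and whose medium is IEEE-802 is
    honoured; partial or mismatched attribute sets are ignored, not guessed."""
    tunnels = {}  # tag -> {attribute number: value body}
    for attr_type, value in _iter_avps(attrs):
        if attr_type in TUNNEL_ATTRS:
            tag, body = _split_tag(value)
            tunnels.setdefault(tag, {})[attr_type] = body
    for _tag, t in sorted(tunnels.items()):
        if len(t) != 3:
            continue
        if int.from_bytes(t[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN:
            continue
        if int.from_bytes(t[TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_IEEE802:
            continue
        group = t[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
        if group.isdigit() and 1 <= int(group) <= 4094:
            return int(group)
    return None
```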

Challenges with Dynamic VLAN Assignments

The challenge with this approach is the overhead for IT admins. Traditionally, implementing dynamic VLAN assignments required a great deal of infrastructure, configuration, and administration. For starters, IT organizations would need to set up their own FreeRADIUS server and connect that instance to the wireless access points and the identity provider (IdP), often Microsoft® Active Directory®.

In many networks, the IT group would also need to configure endpoints with supplicants so that they could talk to the RADIUS server over the proper protocols. All of this ended up being a significant disincentive for IT admins, and that is why many WiFi networks are secured simply with an SSID and passphrase.

With the introduction of modern cloud RADIUS solutions, however, IT admins can virtually outsource the entire process for RADIUS authentication to WiFi and dynamic VLAN assignments. This Cloud RADIUS offering doesn't focus on RADIUS only, but also acts as the identity management source of truth that can replace an on-prem Active Directory instance. It is available from the JumpCloud Directory Platform.

Cloud RADIUS and More

JumpCloud Directory Platform is everything a directory service was, and reimagines it for the cloud era. This includes endpoint management, identity and access management, single sign-on, multi-factor authentication, and network authentication tools such as Cloud RADIUS. Relatively new to the JumpCloud Suite is dynamic VLAN assignment functionality, so network administrators can better authorize their users' access to crucial network resources. This feature just adds one more log to the bright flame of this cloud directory.

Interested in dynamic VLAN assignment and the rest of what the platform has to offer? Contact us, or check out our knowledge base to learn more.


Sean Blanton is the Director of Content at JumpCloud and has spent the past decade in the wide world of security, networking and IT and Infosec administration. When not at work Sean enjoys spending time with his young kids and geeking out on table top games.


VLAN Configuration Guide, Cisco IOS XE Everest 16.6.x (Catalyst 9300 Switches)


Chapter: Configuring VLAN Trunks

This chapter covers:

  • Finding Feature Information
  • Prerequisites for VLAN Trunks
  • Restrictions for VLAN Trunks
  • Trunking Overview
  • Trunking Modes
  • Layer 2 Interface Modes
  • Allowed VLANs on a Trunk
  • Network Load Sharing Using STP Priorities
  • Network Load Sharing Using STP Path Cost
  • Feature Interactions
  • Configuring a Trunk Port (CLI)
  • Defining the Allowed VLANs on a Trunk (CLI)
  • Changing the Pruning-Eligible List (CLI)
  • Configuring the Native VLAN for Untagged Traffic (CLI)
  • Configuring Load Sharing Using STP Port Priorities (CLI)
  • Configuring Load Sharing Using STP Path Cost (CLI)
  • Where to Go Next
  • Additional References
  • Feature History and Information for VLAN Trunks

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

The IEEE 802.1Q trunks impose these limitations on the trunking strategy for a network:

In a network of Cisco devices connected through IEEE 802.1Q trunks, the devices maintain one spanning-tree instance for each VLAN allowed on the trunks. Non-Cisco devices might support one spanning-tree instance for all VLANs.

When you connect a Cisco device to a non-Cisco device through an IEEE 802.1Q trunk, the Cisco device combines the spanning-tree instance of the VLAN of the trunk with the spanning-tree instance of the non-Cisco IEEE 802.1Q device. However, spanning-tree information for each VLAN is maintained by Cisco devices separated by a cloud of non-Cisco IEEE 802.1Q devices. The non-Cisco IEEE 802.1Q cloud separating the Cisco devices is treated as a single trunk link between the devices.

Make sure the native VLAN for an IEEE 802.1Q trunk is the same on both ends of the trunk link. If the native VLAN on one end of the trunk is different from the native VLAN on the other end, spanning-tree loops might result.

Disabling spanning tree on the native VLAN of an IEEE 802.1Q trunk without disabling spanning tree on every VLAN in the network can potentially cause spanning-tree loops. We recommend that you leave spanning tree enabled on the native VLAN of an IEEE 802.1Q trunk or disable spanning tree on every VLAN in the network. Make sure your network is loop-free before disabling spanning tree.

A trunk port cannot be a secure port.

Trunk ports can be grouped into EtherChannel port groups, but all trunks in the group must have the same configuration. When a group is first created, all ports follow the parameters set for the first port to be added to the group. If you change the configuration of one of these parameters, the device propagates the setting that you entered to all ports in the group:

  • Allowed-VLAN list.
  • STP port priority for each VLAN.
  • STP Port Fast setting.
  • Trunk status: if one port in a port group ceases to be a trunk, all ports cease to be trunks.

If you try to enable IEEE 802.1x on a trunk port, an error message appears, and IEEE 802.1x is not enabled. If you try to change the mode of an IEEE 802.1x-enabled port to trunk, the port mode is not changed.

A port in dynamic mode can negotiate with its neighbor to become a trunk port. If you try to enable IEEE 802.1x on a dynamic port, an error message appears, and IEEE 802.1x is not enabled. If you try to change the mode of an IEEE 802.1x-enabled port to dynamic, the port mode is not changed.

Dynamic Trunking Protocol (DTP) is not supported on tunnel ports.

The device does not support Layer 3 trunks; you cannot configure subinterfaces or use the encapsulation keyword on Layer 3 interfaces. The device does support Layer 2 trunks and Layer 3 VLAN interfaces, which provide equivalent capabilities.

Information About VLAN Trunks

A trunk is a point-to-point link between one or more Ethernet device interfaces and another networking device such as a router or a device. Ethernet trunks carry the traffic of multiple VLANs over a single link, and you can extend the VLANs across an entire network.

The following trunking encapsulations are available on all Ethernet interfaces:

  • IEEE 802.1Q: industry-standard trunking encapsulation.

Ethernet trunk interfaces support different trunking modes. You can set an interface as trunking or nontrunking or to negotiate trunking with the neighboring interface. To autonegotiate trunking, the interfaces must be in the same VTP domain.

Trunk negotiation is managed by the Dynamic Trunking Protocol (DTP), which is a Point-to-Point Protocol (PPP). However, some internetworking devices might forward DTP frames improperly, which could cause misconfigurations.

Table 1. Layer 2 Interface Modes (Mode: Function)

  • switchport mode access: Puts the interface (access port) into permanent nontrunking mode and negotiates to convert the link into a nontrunk link. The interface becomes a nontrunk interface regardless of whether or not the neighboring interface is a trunk interface.
  • switchport mode dynamic auto: Makes the interface able to convert the link to a trunk link. The interface becomes a trunk interface if the neighboring interface is set to trunk or desirable mode. The default switchport mode for all Ethernet interfaces is dynamic auto.
  • switchport mode dynamic desirable: Makes the interface actively attempt to convert the link to a trunk link. The interface becomes a trunk interface if the neighboring interface is set to trunk, desirable, or auto mode.
  • switchport mode trunk: Puts the interface into permanent trunking mode and negotiates to convert the neighboring link into a trunk link. The interface becomes a trunk interface even if the neighboring interface is not a trunk interface.
  • switchport nonegotiate: Prevents the interface from generating DTP frames. You can use this command only when the interface switchport mode is access or trunk. You must manually configure the neighboring interface as a trunk interface to establish a trunk link.
  • switchport mode private-vlan: Configures the private VLAN mode.

By default, a trunk port sends traffic to and receives traffic from all VLANs. All VLAN IDs, 1 to 4094, are allowed on each trunk. However, you can remove VLANs from the allowed list, preventing traffic from those VLANs from passing over the trunk.

To reduce the risk of spanning-tree loops or storms, you can disable VLAN 1 on any individual VLAN trunk port by removing VLAN 1 from the allowed list. When you remove VLAN 1 from a trunk port, the interface continues to send and receive management traffic, for example, Cisco Discovery Protocol (CDP), Port Aggregation Protocol (PAgP), Link Aggregation Control Protocol (LACP), DTP, and VTP in VLAN 1.

If a trunk port with VLAN 1 disabled is converted to a nontrunk port, it is added to the access VLAN. If the access VLAN is set to 1, the port will be added to VLAN 1, regardless of the switchport trunk allowed setting. The same is true for any VLAN that has been disabled on the port.

A trunk port can become a member of a VLAN if the VLAN is enabled, if VTP knows of the VLAN, and if the VLAN is in the allowed list for the port. When VTP detects a newly enabled VLAN and the VLAN is in the allowed list for a trunk port, the trunk port automatically becomes a member of the enabled VLAN. When VTP detects a new VLAN and the VLAN is not in the allowed list for a trunk port, the trunk port does not become a member of the new VLAN.

Load Sharing on Trunk Ports

Load sharing divides the bandwidth supplied by parallel trunks connecting devices. To avoid loops, STP normally blocks all but one parallel link between devices. Using load sharing, you divide the traffic between the links according to which VLAN the traffic belongs.

You configure load sharing on trunk ports by using STP port priorities or STP path costs. For load sharing using STP port priorities, both load-sharing links must be connected to the same device. For load sharing using STP path costs, each load-sharing link can be connected to the same device or to two different devices.

When two ports on the same device form a loop, the device uses the STP port priority to decide which port is enabled and which port is in a blocking state. You can set the priorities on a parallel trunk port so that the port carries all the traffic for a given VLAN. The trunk port with the higher priority (lower values) for a VLAN is forwarding traffic for that VLAN. The trunk port with the lower priority (higher values) for the same VLAN remains in a blocking state for that VLAN. One trunk port sends or receives all traffic for the VLAN.

You can configure parallel trunks to share VLAN traffic by setting different path costs on a trunk and associating the path costs with different sets of VLANs, blocking different ports for different VLANs. The VLANs keep the traffic separate and maintain redundancy in the event of a lost link.
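The following Python is an added example, not part of the Cisco guide, of the per-VLAN choice described above: a simplified model in which, for parallel trunks into one device, the port with the lowest path cost for a VLAN forwards that VLAN, with ties going to the lowest port priority and then the lowest port number. The default cost of 19 and the interface names are constructed assumptions.

```python
DEFAULT_PORT_PRIORITY = 128  # per-VLAN port priority default (0..240 in steps of 16)
DEFAULT_PATH_COST = 19       # assumed default cost of a 100 Mb/s link (IEEE short method)


def forwarding_port(ports, vlan):
    """Among parallel trunk ports to the same neighbour, return the one STP
    leaves forwarding for `vlan`. `ports` maps a port name to
    {"number": n, "cost": {vlan: cost}, "priority": {vlan: priority}}; missing
    per-VLAN entries use the defaults. A lower path cost wins first, then a
    lower port priority value, then a lower port number. Every other port is
    blocking for that VLAN. This is a simplified model of the guide's rule,
    not an implementation of the full STP port-role algorithm."""
    def rank(name):
        p = ports[name]
        return (p.get("cost", {}).get(vlan, DEFAULT_PATH_COST),
                p.get("priority", {}).get(vlan, DEFAULT_PORT_PRIORITY),
                p["number"])
    return min(ports, key=rank)


def forwarding_map(ports, vlans):
    """Map each port name to the sorted list of VLANs it forwards."""
    result = {name: [] for name in ports}
    for vlan in vlans:
        result[forwarding_port(ports, vlan)].append(vlan)
    return {name: sorted(vl) for name, vl in result.items()}


def idle_ports(ports, vlans):
    """Ports that forward no VLAN at all. Such a link gives redundancy only;
    if this list is non-empty the configuration is not load sharing."""
    return sorted(name for name, vl in forwarding_map(ports, vlans).items() if not vl)


# Constructed sample: two trunks from Device A to Device B, with the path cost
# raised to 30 on a different VLAN set per trunk, as in the procedure below.
VLANS = [2, 3, 4, 8, 9, 10]
SHARED = {
    "Gi1/0/1": {"number": 1, "cost": {2: 30, 3: 30, 4: 30}},
    "Gi1/0/2": {"number": 2, "cost": {8: 30, 9: 30, 10: 30}},
}
# Same two trunks with no per-VLAN tuning: STP blocks one of them entirely.
UNSHARED = {
    "Gi1/0/1": {"number": 1},
    "Gi1/0/2": {"number": 2},
}


def priority_variant():
    """The same split achieved with per-VLAN port priorities instead of path
    cost (a lower value is a higher priority)."""
    return {
        "Gi1/0/1": {"number": 1, "priority": {8: 16, 9: 16, 10: 16}},
        "Gi1/0/2": {"number": 2, "priority": {2: 16, 3: 16, 4: 16}},
    }
```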

Trunking interacts with other features in these ways:

How to Configure VLAN Trunks

To avoid trunking misconfigurations, configure interfaces connected to devices that do not support DTP to not forward DTP frames, that is, to turn off DTP.

If you do not intend to trunk across those links, use the switchport mode access interface configuration command to disable trunking.

To enable trunking to a device that does not support DTP, use the switchport mode trunk and switchport nonegotiate interface configuration commands to cause the interface to become a trunk but to not generate DTP frames.

Configuring an Ethernet Interface as a Trunk Port

Because trunk ports send and receive VTP advertisements, to use VTP you must ensure that at least one trunk port is configured on the device and that this trunk port is connected to the trunk port of a second device. Otherwise, the device cannot receive any VTP advertisements.

Before you begin

By default, an interface is in Layer 2 mode. The default mode for Layer 2 interfaces is switchport mode dynamic auto . If the neighboring interface supports trunking and is configured to allow trunking, the link is a Layer 2 trunk or, if the interface is in Layer 3 mode, it becomes a Layer 2 trunk when you enter the switchport interface configuration command.

Command or Action / Purpose

  1. Device> enable
  2. Device# configure terminal
  3. Device(config)# interface
  4. Device(config-if)# switchport mode {dynamic {auto | desirable} | trunk}
     dynamic auto—Sets the interface to a trunk link if the neighboring interface is set to trunk or desirable mode. This is the default.
     dynamic desirable—Sets the interface to a trunk link if the neighboring interface is set to trunk, desirable, or auto mode.
     trunk—Sets the interface in permanent trunking mode and negotiates to convert the link to a trunk link even if the neighboring interface is not a trunk interface.
  5. Device(config-if)# switchport access vlan
  6. Device(config-if)# switchport trunk native vlan
  7. Device(config)# end
  8. Device# show interfaces switchport
     and the fields of the display.
  9. Device# show interfaces trunk
  10. Device# copy running-config startup-config

VLAN 1 is the default VLAN on all trunk ports in all Cisco devices, and it has previously been a requirement that VLAN 1 always be enabled on every trunk link. You can use the VLAN 1 minimization feature to disable VLAN 1 on any individual VLAN trunk link so that no user traffic (including spanning-tree advertisements) is sent or received on VLAN 1.

Command or Action / Purpose

  1. Device> enable
  2. Device# configure terminal
  3. Device(config)# interface
  4. Device(config-if)# switchport mode trunk
  5. Device(config-if)# switchport trunk allowed vlan { | add | all | except | none | remove}
     The parameter is either a single VLAN number from 1 to 4094 or a range of VLANs described by two VLAN numbers, the lower one first, separated by a hyphen. Do not enter any spaces between comma-separated VLAN parameters or in hyphen-specified ranges.
     All VLANs are allowed by default.
  6. Device(config)# end
  7. Device# show interfaces switchport
     field of the display.
  8. Device# copy running-config startup-config

The pruning-eligible list applies only to trunk ports. Each trunk port has its own eligibility list. VTP pruning must be enabled for this procedure to take effect.

Command or Action / Purpose

  1. Device> enable
  2. Device# configure terminal
  3. Device(config)# interface
  4. switchport trunk pruning vlan {add | except | none | remove} [, [, [,,,]]
     For explanations about using the add, except, none, and remove keywords, see the command reference for this release.
     Separate non-consecutive VLAN IDs with a comma and no spaces; use a hyphen to designate a range of IDs. Valid IDs are 2 to 1001. Extended-range VLANs (VLAN IDs 1006 to 4094) cannot be pruned.
     VLANs that are pruning-ineligible receive flooded traffic.
     The default list of VLANs allowed to be pruned contains VLANs 2 to 1001.
  5. Device(config)# end
  6. Device# show interfaces switchport
     field of the display.
  7. Device# copy running-config startup-config
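An added Python example (not Cisco's code) covering the allowed-VLAN list syntax in "Defining the Allowed VLANs on a Trunk" above and the pruning-eligible range in "Changing the Pruning-Eligible List": it parses a VLAN list the way the guide specifies, applies the add/remove/except/all/none forms to a trunk's allowed set, and rejects pruning lists that include VLAN 1 or extended-range VLANs. The keyword "set" below is this model's name for the bare vlan-list form, not a CLI keyword.

```python
import re

VLAN_MIN, VLAN_MAX = 1, 4094
PRUNE_MIN, PRUNE_MAX = 2, 1001   # pruning-eligible IDs; 1006-4094 are never pruned
ALL_VLANS = frozenset(range(VLAN_MIN, VLAN_MAX + 1))
_ITEM = re.compile(r"^(\d+)(?:-(\d+))?$")


def parse_vlan_list(text):
    """Parse a VLAN list written the way the guide requires ('10,20,30-35':
    commas between items, a hyphen for a range with the lower ID first, no
    spaces anywhere) into a set of VLAN IDs. Anything else raises ValueError."""
    if not text or text != text.strip() or " " in text:
        raise ValueError("VLAN list must be non-empty and contain no spaces")
    vlans = set()
    for item in text.split(","):
        m = _ITEM.match(item)
        if not m:
            raise ValueError(f"bad VLAN list item {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if lo > hi:
            raise ValueError(f"range {item!r} must give the lower VLAN first")
        if lo < VLAN_MIN or hi > VLAN_MAX:
            raise ValueError(f"{item!r} is outside 1-4094")
        vlans.update(range(lo, hi + 1))
    return vlans


def is_valid_vlan_list(text):
    try:
        parse_vlan_list(text)
        return True
    except ValueError:
        return False


def apply_allowed_vlan(current, keyword, vlan_list=None):
    """Apply one 'switchport trunk allowed vlan' form to the current allowed
    set and return the new set. `keyword` is 'set' (a bare list replaces the
    whole allowed set), 'add', 'remove', 'except' (all VLANs except the
    listed ones), 'all' or 'none'."""
    if keyword == "all":
        return set(ALL_VLANS)
    if keyword == "none":
        return set()
    vlans = parse_vlan_list(vlan_list)
    if keyword == "set":
        return vlans
    if keyword == "add":
        return set(current) | vlans
    if keyword == "remove":
        return set(current) - vlans
    if keyword == "except":
        # Note: 'except' starts from all VLANs, so it puts VLAN 1 back if an
        # earlier 'remove 1' had minimized it.
        return set(ALL_VLANS) - vlans
    raise ValueError(f"unknown keyword {keyword!r}")


def pruning_list(text):
    """Parse a 'switchport trunk pruning vlan' list and reject IDs the device
    cannot prune: VLAN 1 and everything above 1001, including the extended range."""
    vlans = parse_vlan_list(text)
    bad = sorted(v for v in vlans if not PRUNE_MIN <= v <= PRUNE_MAX)
    if bad:
        raise ValueError(f"VLAN(s) {bad[:5]} cannot be pruned; valid IDs are 2-1001")
    return vlans


def is_valid_pruning_list(text):
    try:
        pruning_list(text)
        return True
    except ValueError:
        return False


def vlan1_minimized(allowed):
    """True once VLAN 1 has been removed from the trunk's allowed list (the
    VLAN 1 minimization the guide describes for reducing loop and storm risk)."""
    return 1 not in allowed
```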

A trunk port configured with IEEE 802.1Q tagging can receive both tagged and untagged traffic. By default, the device forwards untagged traffic in the native VLAN configured for the port. The native VLAN is VLAN 1 by default.

The native VLAN can be assigned any VLAN ID.

If a packet has a VLAN ID that is the same as the outgoing port native VLAN ID, the packet is sent untagged; otherwise, the device sends the packet with a tag.
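To make the native VLAN rule concrete, the following Python is an added example (not from the guide): it builds the frame a trunk transmits for a given VLAN, classifies it as the far end would, and lists which VLANs' traffic lands in the wrong VLAN when the two ends of a trunk disagree on the native VLAN, the mismatch the restrictions section warns about. The MAC addresses are constructed sample values.

```python
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Constructed sample MAC addresses for the frames built below.
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")


def egress_frame(vlan_id, native_vlan, payload=b"", pcp=0):
    """Build the frame a trunk port transmits for traffic that belongs to
    `vlan_id`: untagged when vlan_id equals the port's native VLAN, otherwise
    with an 802.1Q tag (TPID 0x8100 followed by the 16-bit TCI = PCP, DEI,
    VID) inserted between the source MAC and the EtherType."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    header = DST + SRC
    if vlan_id == native_vlan:
        return header + struct.pack("!H", ETHERTYPE_IPV4) + payload
    tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)   # DEI bit left clear
    return header + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ETHERTYPE_IPV4) + payload


def ingress_vlan(frame, native_vlan):
    """Classify a frame received on a trunk port: a tagged frame belongs to the
    VID in its tag, an untagged (or priority-tagged, VID 0) frame to the
    receiving port's native VLAN."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_8021Q:
        return native_vlan
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack("!H", frame[14:16])
    vid = tci & 0x0FFF
    return vid if vid else native_vlan


def native_vlan_mismatch(local_native, remote_native, vlans_carried):
    """Return {sent_vlan: vlan_seen_at_far_end} for every VLAN whose frames
    land in a different VLAN on the far side because the two trunk ends
    disagree on the native VLAN. Empty when the native VLANs match. Call it
    once per direction to see both sides of the mismatch."""
    leaked = {}
    for vlan in vlans_carried:
        frame = egress_frame(vlan, local_native)
        seen = ingress_vlan(frame, remote_native)
        if seen != vlan:
            leaked[vlan] = seen
    return leaked
```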

Command or Action / Purpose

  1. Device> enable
  2. Device# configure terminal
  3. Device(config)# interface
  4. Device(config-if)# switchport trunk native vlan
     For , the range is 1 to 4094.
  5. Device(config-if)# end
  6. Device# show interfaces switchport
     field.
  7. Device# copy running-config startup-config

Configuring Trunk Ports for Load Sharing

If your device is a member of a device stack, you must use the spanning-tree [vlan vlan-id] cost cost interface configuration command instead of the spanning-tree [vlan vlan-id] port-priority priority interface configuration command to select an interface to put in the forwarding state. Assign lower cost values to interfaces that you want selected first and higher cost values to interfaces that you want selected last.

These steps describe how to configure a network with load sharing using STP port priorities.

Command or Action / Purpose

  1. Device> enable
  2. Device# configure terminal (on Device A)
  3. Device(config)# vtp domain
     The domain name can be 1 to 32 characters.
  4. Device(config)# vtp mode server
     Configures Device A as the VTP server.
  5. Device(config)# end
  6. Device# show vtp status (on Device A and Device B)
     In the display, check the and the fields.
  7. Device# show vlan (on Device A)
  8. Device# configure terminal
  9. Device(config)# interface
  10. Device(config-if)# switchport mode trunk
  11. Device(config-if)# end
  12. Device# show interfaces switchport
  13. Repeat the above steps on Device A for a second port in the device or device stack.
  14. Repeat the above steps on Device B to configure the trunk ports that connect to the trunk ports configured on Device A.
  15. Device# show vlan (on Device B). This command verifies that Device B has learned the VLAN configuration.
  16. Device# configure terminal (on Device A)
  17. Device(config)# interface
  18. Device(config-if)# spanning-tree vlan port-priority
  19. Device(config-if)# exit
  20. Device(config)# interface
  21. Device(config-if)# spanning-tree vlan port-priority
  22. Device(config-if)# end
  23. Device# show running-config
  24. Device# copy running-config startup-config

These steps describe how to configure a network with load sharing using STP path costs.

Command or Action / Purpose

  1. Device> enable
  2. Device# configure terminal (on Device A)
  3. Device(config)# interface
  4. Device(config-if)# switchport mode trunk
  5. Device(config-if)# exit
  6. Repeat Steps 2 through 4 on a second interface in Device A or in Device A stack.
  7. Device(config)# end
  8. Device# show running-config
  9. Device# show vlan
     Device A receives the VTP information from the other devices. This command verifies that Device A has learned the VLAN configuration.
  10. Device# configure terminal
  11. Device(config)# interface
  12. Device(config-if)# spanning-tree vlan cost
  13. Device(config-if)# end
  14. Repeat Steps 9 through 13 on the other configured trunk interface on Device A, and set the spanning-tree path cost to 30 for VLANs 8, 9, and 10.
  15. Device(config)# exit
  16. Device# show running-config
  17. Device# copy running-config startup-config

After configuring VLAN trunks, you can configure the following:

  • Voice VLANs
  • Private VLANs

Related Documents

Related Topic / Document Title

  • For complete syntax and usage information for the commands used in this chapter.

Error Message Decoder

Description / Link

  • To help you research and resolve system error messages in this release, use the Error Message Decoder tool.

Standards and RFCs

Standard/RFC / Title

  • RFC 1573: Evolution of the Interfaces Group of MIB-II
  • RFC 1757: Remote Network Monitoring Management
  • RFC 2021: SNMPv2 Management Information Base for the Transmission Control Protocol using SMIv2

MIBs

MIB / MIBs Link

  • All the supported MIBs for this release.
  • To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

Technical Assistance

Description / Link

  • The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.
  • To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.
  • Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

Feature History and Information for VLAN Trunks

Release / Modification

  • Cisco IOS XE Everest 16.5.1a: This command was introduced.

