VLAN and VE pre-provisioning

The VLAN without ports feature creates the VLAN and puts it in INUSE mode as soon as you configure the VLAN. This allows applications to configure any feature under the VLAN even before ports are added to it.

Some features need to change VLAN control settings in the hardware when they are configured. Because the VLAN is present even before ports are added to it, the VLAN control settings can be programmed at the time you configure the feature under the VLAN. You can retain the software configuration and the hardware VLAN control settings even after removing all the ports from the VLAN.

You can remove all the ports from a port-based VLAN without losing the rest of the VLAN configuration. However, you cannot configure an IP address on a virtual routing interface unless the VLAN contains ports. If the VLAN has a virtual routing interface, the virtual routing interface IP address is deleted when the ports associated with the interface are deleted. The rest of the VLAN configuration is retained. Ports cannot be moved from or moved to a private VLAN.

The following limitations apply:

  • In MRP, ring-interface configuration is not allowed when ports are not part of the VLAN. Ring-interface configuration is lost when all ports are removed from the VLAN.
  • Enabling UDLD for tagged ports requires the port to be part of the VLAN. Removing all ports from the VLAN is not allowed when UDLD is enabled on tagged ports.
  • Port-based IGMP and MLD are not supported.
  • In MCT, you can configure keep-alive and session VLANs under the cluster configuration without having any ports in the VLAN. However, ICL configuration requires ports in the session VLAN.
  • Once an MCT cluster is deployed, you are not allowed to remove ports from either the session or keep-alive VLANs. You must un-deploy the cluster if there is any change of ports in the session or keep-alive VLANs.
  • You are allowed to remove all ports from an MCT-VLAN, but you must deploy the client again after adding ports back to the MCT-VLAN.

Sample configuration

The following is a sample configuration for creating a VLAN without ports.
device(config)#vlan 500
device(config-vlan-500)#int ve 500
device(config-vif-500)#ip address 3.3.3.3/8
device(config-vif-500)#sh run vlan 500
vlan 500 by port
 router-interface ve 500
!
device(config-vif-500)#sh run int ve 500
interface ve 500
 ip address 3.3.3.3 255.0.0.0
Note: When there are no ports in a VLAN that has a VE interface configured, the interface status is shown as DOWN.
device(config-vif-34)#show int ve 34
ve34 is down, line protocol is down
When an active port is added to the related VLAN, the VE interface status is shown as UP.
device(config-vlan-34)#show int ve 34
ve34 is up, line protocol is up 

Pre-provisioning ACL on a VE

Support for a VE without ports in the VLAN allows you to configure an ACL on the VE interface. Because the VE is attached to a VLAN without ports, an ACL applied on the VE is not realized in hardware.

With the VLAN without ports feature, both the VLAN and the VE (if configured) are active and valid even without ports. Hence any security or ACL feature can be configured on the VE or under the VLAN and is stored in the software data structure, without the configuration being realized in TCAM.

When the first port is added to the VLAN, the hardware must be programmed for that port if anything was applied on the VE or under the VLAN before the port was added. Similarly, when the last port is deleted from the VLAN, the ACL configuration that was earlier applied on the VE or under the VLAN should be retained in the software data structure, because nothing is applied in hardware when there is no port in the VLAN.

The VLAN without ports feature allows CLI commands that take physical or LAG ports with no membership in the VLAN as a parameter. The following is an example of the capability.
device(config)#show run vlan 1000
vlan 1000 by port
router-interface ve 1000
!
device(config-vlan-1000)#source-guard en
enable   Config IP Source-Guard
spx-2(config-vlan-1000)#source-guard enable 

device(config)#show run vlan 1000
vlan 1000 by port
 source-guard enable
 router-interface ve 1000
!
spx-2(config)#int ve 1000
spx-2(config-vif-1000)#ip acc 100 in
spx-2(config-vif-1000)#ex
spx-2(config)#show run int ve 1000
interface ve 1000
 ip access-group 100 in
!
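The following audit sketch is an added example, not part of the original documentation or the vendor's tooling. It reads running-config text in the layout shown above and reports which VLANs carry a pre-provisioned ACL or source-guard setting that exists only in software (no member ports yet), and which VLANs already have ports and a VE but no inbound ACL on that VE. The `untagged ethe` member-port line, the finding labels, and the rule that a VE with live ports should have an inbound ACL are assumptions made for this example.

```python
import re
# Constructed sample; the "untagged ethe" port line is an assumed format.
SAMPLE = """\
vlan 500 by port
 untagged ethe 1/1/5
 router-interface ve 500
!
vlan 1000 by port
 source-guard enable
 router-interface ve 1000
!
interface ve 500
 ip address 3.3.3.3 255.0.0.0
!
interface ve 1000
 ip access-group 100 in
!
"""

def parse(config):
    """Return (vlans, ves) dictionaries keyed by VLAN / VE number."""
    vlans, ves, cur = {}, {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.fullmatch(r"vlan (\d+)( .*)?", line):
            cur = vlans.setdefault(int(m[1]), {"ports": False, "ve": None, "sg": False})
        elif m := re.fullmatch(r"interface ve (\d+)", line):
            cur = ves.setdefault(int(m[1]), {"acl_in": None})
        elif line == "!" or cur is None:
            cur = None
        elif "ports" in cur:  # inside a vlan stanza
            cur["ports"] |= bool(re.match(r"(un)?tagged ", line))
            cur["sg"] |= line == "source-guard enable"
            if m := re.fullmatch(r"router-interface ve (\d+)", line):
                cur["ve"] = int(m[1])
        elif m := re.fullmatch(r"ip access-group (\S+) in", line):
            cur["acl_in"] = m[1]  # inside an interface ve stanza
    return vlans, ves

def audit(config):
    """Classify each VLAN by whether its policy is realized in hardware."""
    vlans, ves = parse(config)
    report = {}
    for vid, v in sorted(vlans.items()):
        acl = ves.get(v["ve"], {}).get("acl_in")
        if not v["ports"]:  # no member ports: nothing programmed in TCAM
            report[vid] = "software-only" if (acl or v["sg"]) else "empty"
        else:  # ports present: VE traffic is live
            report[vid] = "ok" if (acl or v["ve"] is None) else "ve-without-acl"
    return report
```

Running `audit(SAMPLE)` marks VLAN 1000 as `software-only` and VLAN 500 as `ve-without-acl`.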