
VLAN

VLAN (Virtual Local Area Network) configuration enables logical network segmentation by creating isolated broadcast domains within a single physical infrastructure. It supports advanced features including private VLANs for additional security isolation, EVPN integration for overlay networking, and VXLAN Network Identifier (VNI) mapping for network virtualization. VLAN management includes access control through VLAN access maps, traffic filtering, grouping for simplified management, and integration with spanning tree protocols and remote SPAN for monitoring. VLAN configuration is fundamental for network design, enabling multi-tenancy, security segmentation, broadcast domain control, and scalable network architecture in enterprise and data center environments.

| Name | Type | Constraint | Mandatory | Default Value |
|------|------|------------|-----------|---------------|
| vlan | Class | [vlan] | No | |

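| Name | Type | Constraint | Mandatory | Default Value |
|------|------|------------|-----------|---------------|
| access_maps | List | [access_maps] | No | |
| vlans | List | [vlans] | No | |
| filters | List | [filters] | No | |
| groups | List | [groups] | No | |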

access_maps (iosxe.devices.configuration.vlan)

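| Name | Type | Constraint | Mandatory | Default Value |
|------|------|------------|-----------|---------------|
| name | String | | Yes | |
| sequence | Integer | min: 0, max: 65535 | Yes | |
| match_ipv6_addresses | List | String | No | |
| match_ipv4_addresses | List | String | No | |
| action | Choice | forward, drop | No | |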

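vlans (iosxe.devices.configuration.vlan)

| Name | Type | Constraint | Mandatory | Default Value |
|------|------|------------|-----------|---------------|
| id | Integer | min: 1, max: 4094 | Yes | |
| vni | Integer | min: 4096, max: 16777215 | No | |
| access_vfi | String | | No | |
| evpn_instance | Integer | min: 1, max: 65535 | No | |
| evpn_instance_vni | Integer | min: 4096, max: 16777215 | No | |
| remote_span | Boolean | true, false | No | |
| private_vlan_primary | Boolean | true, false | No | |
| private_vlan_association | String | | No | |
| private_vlan_community | Boolean | true, false | No | |
| private_vlan_isolated | Boolean | true, false | No | |
| name | String | | No | |
| shutdown | Boolean | true, false | No | |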

filters (iosxe.devices.configuration.vlan)

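| Name | Type | Constraint | Mandatory | Default Value |
|------|------|------------|-----------|---------------|
| name | String | | Yes | |
| vlan_lists | List | Integer | No | |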

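groups (iosxe.devices.configuration.vlan)

| Name | Type | Constraint | Mandatory | Default Value |
|------|------|------------|-----------|---------------|
| name | String | | Yes | |
| vlan_lists | List | Integer | No | |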

By segmenting a physical network into multiple logical broadcast domains, VLANs enhance security, improve performance, and simplify network management.

Key Components:

  • VLAN ID (id): The unique identifier for the VLAN.

  • VLAN Name (name): A descriptive name for the VLAN.

  • Shutdown State (shutdown): Indicates whether the VLAN is administratively shut down.

  • Private VLAN Type (private_vlan_primary, private_vlan_community, private_vlan_isolated): Specifies the VLAN’s role in private VLAN configuration.

  • Private VLAN Association (private_vlan_association): Associates primary VLANs with community or isolated VLANs.

  • EVPN Instance and VNI (evpn_instance, evpn_instance_vni): Integrates VLANs with EVPN overlays and VXLAN Network Identifiers.

  • VXLAN Network Identifier (vni): Maps VLANs to VXLAN overlays for network virtualization.

  • Access Maps (access_maps): Defines VLAN access control lists for traffic filtering.

  • Filters (filters): Applies VLAN filters for traffic management.

  • Groups (groups): Groups VLANs for simplified management.

  • Remote SPAN (remote_span): Enables remote SPAN for VLAN traffic monitoring.

Key Parameters Briefly Explained:

  • id: Sets the VLAN identifier.
  • name: Assigns a name to the VLAN.
  • shutdown: Shuts down or enables the VLAN.
  • private_vlan_primary, private_vlan_community, private_vlan_isolated: Configure private VLAN roles.
  • private_vlan_association: Associates VLANs in private VLAN setups.
  • evpn_instance, evpn_instance_vni: Integrate VLANs with EVPN overlays.
  • vni: Maps VLANs to VXLAN overlays.
  • access_maps: Defines VLAN ACLs.
  • filters: Applies VLAN filters.
  • groups: Groups VLANs for management.
  • remote_span: Enables remote SPAN monitoring.

You can use these VLAN parameters to define and manage logical network segments on your device. Customize VLAN IDs, names, private VLAN settings, and access control policies to fit your network’s segmentation, security, and operational needs. Adjusting these parameters lets you tailor traffic isolation and management for various network services and user groups.

The following configuration shows how to set up VLANs on a Cisco IOS-XE device, including basic VLAN creation, naming, private VLANs, EVPN integration, VXLAN VNI mapping, access maps, filters, and groups for robust network segmentation.

```
vlan 10
 name Data
!
vlan 20
 name Voice
!
vlan 31
 evpn instance 1
 vni 4098
!
vlan 32
 vni 5000
!
vlan 51
 private-vlan community
!
vlan 52
 private-vlan isolated
!
vlan 53
 private-vlan primary
 private-vlan association 51,52
!
vlan 56
 remote-span
!
vlan access-map test_map1 10
 action drop
 match ip address 10
!
vlan access-map test_map2 20
 action forward
 match ip address v4acl1
!
vlan filter map1 vlan-list 101,201,301,401
!
vlan group test_group1 vlan-list 101,201,301,401
```

The following YAML code sets up VLANs on an IOS-XE device, defining various VLANs with their IDs, names, shutdown states, private VLAN configurations, and EVPN/VXLAN parameters. It also includes examples of VLAN access maps, filters, and groups.

```yaml
iosxe:
  devices:
    - name: Device1
      configuration:
        vlan:
          vlans:
            - id: 31
              name: vlan_31
              evpn_instance: 1
              evpn_instance_vni: 4098
              shutdown: false
            - id: 32
              vni: 5000
              shutdown: false
            - id: 33
              vni: 5001
              shutdown: false
            - id: 34
              access_vfi: test
              shutdown: false
            - id: 51
              private_vlan_community: true
              shutdown: false
            - id: 52
              private_vlan_isolated: true
              shutdown: false
            - id: 53
              private_vlan_primary: true
              shutdown: false
            - id: 54
              # quoted: private_vlan_association is a String in the vlans table
              private_vlan_association: '55'
              shutdown: false
            - id: 55
              shutdown: false
            - id: 56
              remote_span: true
              shutdown: false
          access_maps:
            - name: test_map1
              sequence: 10
              action: drop
              match_ipv4_addresses: ['10', '20']
            - name: test_map2
              sequence: 20
              action: forward
              match_ipv4_addresses: [v4acl1, v4acl2]
            - name: v6_test_map1
              sequence: 30
              action: drop
              match_ipv6_addresses: [v6acl1, v6acl2]
            - name: v6_test_map2
              sequence: 40
              action: forward
              match_ipv6_addresses: [v6acl3]
          filters:
            # the filters table defines the mandatory key as `name`
            - name: map1
              vlan_lists: [101, 201, 301, 401]
            - name: map2
              vlan_lists: [101]
          groups:
            - name: test_group1
              vlan_lists: [101, 201, 301, 401]
            - name: test_group2
              vlan_lists: [101]
```
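
A pre-deployment lint for the `vlan` block, added here as an illustration and not part of the Network-as-Code tooling: it checks the numeric ranges and `action` choices from the tables above and cross-checks private VLAN roles, so a segmentation mistake is caught before it reaches a device. The function names, the comma/range syntax accepted for `private_vlan_association`, and the rules that only a primary VLAN carries an association and that its secondaries must be community or isolated VLANs are assumptions drawn from the Key Components description; the sample input is constructed.

```python
# Added example (not the project's own code): lint a `vlan` block, given as the
# dict a YAML loader would return, against the constraints tabled above.
RANGES = {"id": (1, 4094), "vni": (4096, 16777215),
          "evpn_instance": (1, 65535), "evpn_instance_vni": (4096, 16777215)}
ROLES = ("private_vlan_primary", "private_vlan_community", "private_vlan_isolated")

def parse_ids(spec):
    """Expand '51,52' or '60-62' into VLAN IDs (list syntax is an assumption)."""
    ids = []
    for part in str(spec).split(","):
        lo, _, hi = part.strip().partition("-")
        ids.extend(range(int(lo), int(hi or lo) + 1))
    return ids

def lint_vlan(cfg):
    findings, roles = [], {}
    for v in cfg.get("vlans", []):
        vid = v.get("id")  # mandatory: a missing id fails the range check
        for key, (lo, hi) in RANGES.items():
            if (key == "id" or key in v) and not (
                    isinstance(v.get(key), int) and lo <= v[key] <= hi):
                findings.append(f"vlan {vid}: {key}={v.get(key)!r} outside {lo}..{hi}")
        set_roles = [r for r in ROLES if v.get(r)]
        if len(set_roles) > 1:
            findings.append(f"vlan {vid}: more than one private VLAN role")
        roles[vid] = set_roles[0] if set_roles else None
    for v in cfg.get("vlans", []):  # second pass: needs every VLAN's role
        if "private_vlan_association" not in v:
            continue
        vid = v.get("id")
        if roles.get(vid) != ROLES[0]:
            findings.append(f"vlan {vid}: association set on a non-primary VLAN")
        for sec in parse_ids(v["private_vlan_association"]):
            if roles.get(sec) not in ROLES[1:]:
                findings.append(f"vlan {vid}: secondary {sec} is not community/isolated")
    for m in cfg.get("access_maps", []):
        seq = m.get("sequence")
        if not (isinstance(seq, int) and 0 <= seq <= 65535):
            findings.append(f"access_map {m.get('name')}: sequence {seq!r} invalid")
        if "action" in m and m["action"] not in ("forward", "drop"):
            findings.append(f"access_map {m.get('name')}: action {m['action']!r} invalid")
    return findings

SAMPLE = {"vlans": [  # constructed input, not from the page
    {"id": 51, "private_vlan_community": True},
    {"id": 53, "private_vlan_primary": True, "private_vlan_association": "51,52"},
    {"id": 60, "vni": 100}],
    "access_maps": [{"name": "m1", "sequence": 10, "action": "permit"}]}
```

Calling `lint_vlan(SAMPLE)` reports the out-of-range `vni`, the undefined secondary VLAN 52, and the unsupported `action` value.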