Have you ever seen this command as part of the default configuration of a switch?

vlan internal allocation policy ascending

Let me give you a rundown of what it’s all about …

Switches automatically assign themselves virtual local area network (VLAN) numbers for internal usage.

Funnily enough, these are called ‘internal VLANs’.

Behind the scenes, switches do some sneaky things using internal VLANs.

For example, when you convert a Layer 2 switch port into a Layer 3 routed port, the switch really just puts the port into access mode on an automatically generated VLAN. An IP address is then assigned to that VLAN’s switched virtual interface (SVI).

The switch can then route traffic between SVIs as you’d expect when using a regular SVI. This helps to explain why you can’t configure sub-interfaces on a switch. Layer 3 ports essentially run as access ports and send untagged frames.

If you now tried to use this internal VLAN yourself, the switch would reject your command and throw up an error. To free up this VLAN, the Layer 3 port would need to be shut down.

So that’s what internal VLANs are, but how are they chosen?

They’re always chosen from the extended VLAN range (1006–4095) in a next-available fashion. Depending on the switch model and configuration, allocation either starts at the low VLAN numbers and works its way up, or starts at the high VLAN numbers and works its way down.

Now, without me telling you, I bet you can guess what these commands do:

vlan internal allocation policy ascending
vlan internal allocation policy descending

To check the allocated VLANs, just run the show vlan internal usage command.

SW1#show run interface fastethernet 0/3
interface FastEthernet0/3
 no switchport                        <<<<<<<< Converted to an L3 port
 ip address 1.1.1.1 255.255.255.0     <<<<<<<< IP address assigned

SW1#show vlan internal usage
VLAN Usage
1006 FastEthernet0/3                  <<<<<<<< Internal VLAN assigned

My recommendation for playing it safe

If you use the extended VLAN numbers, make sure that you’re aware of the allocation policy in use.

This needs to be checked across all platforms as they use different methods for allocation: ascending or descending. If possible, change the policy to descending and stick to the lower VLAN numbers.
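One way to run that check, as an added example that is not part of the original post: a Python script that reads the allocation policy from a running configuration, parses `show vlan internal usage` output, and reports which extended-range VLANs you plan to create already collide with an internal VLAN or sit in the path of the next allocations. The function names, the `headroom` parameter and the sample text are assumptions made for illustration (the sample is constructed, with the 1006 line mirroring the output above), and the range is the one stated in this article.

```python
import re

EXT_RANGE = (1006, 4095)  # extended VLAN range as stated in the article

# Constructed sample input; the 1006 line mirrors the article's output.
SAMPLE_CONFIG = "hostname SW1\nvlan internal allocation policy ascending\n"
SAMPLE_USAGE = """VLAN Usage
---- --------------------
1006 FastEthernet0/3
1007 GigabitEthernet0/1
"""

def parse_policy(running_config):
    """Return 'ascending' or 'descending', or None if the line is absent."""
    m = re.search(r"^vlan internal allocation policy (ascending|descending)\s*$",
                  running_config, re.MULTILINE)
    return m.group(1) if m else None

def parse_internal_usage(output):
    """Map internal VLAN ID -> owning interface from the show command output."""
    usage = {}
    for line in output.splitlines():
        m = re.match(r"\s*(\d{4})\s+(\S+)", line)
        if m:
            usage[int(m.group(1))] = m.group(2)
    return usage

def audit(policy, usage, planned, headroom=10):
    """Return (collisions, at_risk) for VLANs you plan to create.

    collisions: planned IDs the switch already holds as internal VLANs.
    at_risk: planned IDs among the next `headroom` free IDs in the
             direction the policy allocates from.
    """
    if policy not in ("ascending", "descending"):
        raise ValueError("allocation policy not found; check the platform default")
    lo, hi = EXT_RANGE
    order = range(lo, hi + 1) if policy == "ascending" else range(hi, lo - 1, -1)
    upcoming = [v for v in order if v not in usage][:headroom]
    collisions = sorted(v for v in planned if v in usage)
    at_risk = sorted(v for v in planned if v in upcoming)
    return collisions, at_risk

if __name__ == "__main__":
    policy = parse_policy(SAMPLE_CONFIG)
    usage = parse_internal_usage(SAMPLE_USAGE)
    print(policy, audit(policy, usage, planned=[1006, 1010, 2000], headroom=5))
```

Feed it the saved output from each platform in turn; a missing policy line raises an error rather than guessing that platform's default.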