VLAN

A Virtual LAN (VLAN) is a logical switched LAN formed by segmenting physical Local Area Networks (LANs).

Segmenting a switched LAN into one or more VLANs provides the following advantages:

  • Broadcast and multicast floods are confined to the VLAN in which they originate, so they do not consume bandwidth on the rest of the LAN.

  • Layer 2 reachability is limited to the VLAN: an end station can talk directly only to stations in its own VLAN, and every other VLAN is reachable only through a router, where access policy can be enforced.

  • Management is improved by logically grouping ports across multiple switches.

VLANs work in the same way as physical LANs. Packets from the end stations of a VLAN are switched only to other end stations or network devices inside that VLAN.

Figure 1. VLANs on a Switched LAN

To reach devices in another VLAN, packets must be routed from one VLAN to the other. SONiC switches support such inter-VLAN routing; it is enabled by creating a Layer 3 VLAN interface for each VLAN whose traffic must be routed.

VLAN Numbers

SONiC supports VLAN identifiers 1–4094 for user-created VLANs.

VLAN Defaults

There is no default VLAN configuration in SONiC switches.

Creating VLANs

Follow the steps below to create VLANs in SONiC.

  1. config vlan add <vid>
     Create a VLAN.
       • vid: A VLAN number in the range of 1–4094.

  2. show vlan config
     Display the configured VLANs and their member ports.

  3. show vlan brief
     Display each VLAN with its IP address, member ports and their tagging mode, proxy ARP state and DHCP helper addresses.

  4. sudo config save -y
     Optional: Save the running configuration so that it becomes part of the startup configuration.

The following example shows how to create a VLAN.

admin@sonic:~$ sudo config vlan add 100

admin@sonic:~$ show vlan config
Name     VID    Member    Mode
-------  -----  --------  ------
Vlan100  100

admin@sonic:~$ show vlan brief
+-----------+--------------+---------+----------------+-------------+-----------------------+
|   VLAN ID | IP Address   | Ports   | Port Tagging   | Proxy ARP   | DHCP Helper Address   |
+===========+==============+=========+================+=============+=======================+
|       100 |              |         |                | disabled    |                       |
+-----------+--------------+---------+----------------+-------------+-----------------------+

Removing VLANs

Follow the steps below to remove VLANs from SONiC.

  1. config vlan del <vid>
     Remove a VLAN.
       • vid: A VLAN number in the range of 1–4094.

  2. show vlan config
     Display the configured VLANs and their member ports.

  3. show vlan brief
     Display each VLAN with its IP address, member ports and their tagging mode, proxy ARP state and DHCP helper addresses.

  4. sudo config save -y
     Optional: Save the running configuration so that it becomes part of the startup configuration.

The following example shows how to remove a VLAN.

admin@sonic:~$ sudo config vlan del 100

admin@sonic:~$ show vlan config
Name    VID    Member    Mode
------  -----  --------  ------

admin@sonic:~$ show vlan brief
+-----------+--------------+---------+----------------+-------------+-----------------------+
|   VLAN ID | IP Address   | Ports   | Port Tagging   | Proxy ARP   | DHCP Helper Address   |
+===========+==============+=========+================+=============+=======================+
+-----------+--------------+---------+----------------+-------------+-----------------------+

Port-Based VLANs

Port-based VLANs are the simplest and most common type of VLAN.

In a port-based VLAN deployment, switch ports are associated with one or more VLANs as member ports.

Which VLAN traffic a port carries, and whether that traffic is tagged, is determined by the port's membership mode in each VLAN. In most cases, ports are associated with VLANs either as "untagged (access)" members or as "tagged (trunk)" members.

Note: Port Channel interfaces can also be configured as VLAN member ports.

Figure 2. Port-based VLANs

Untagged (Access) Ports

Access ports carry the traffic of only one VLAN. Any switch port can be configured as an access port. In most cases, switch ports connected to end stations (computers or servers) that carry only one kind of traffic are configured as access ports.

When a switch port is configured as an access port for a VLAN, the port is added as an untagged member of that VLAN and the Port VLAN Identifier (PVID) of the port is set to that VLAN. A port can be an untagged member of only one VLAN.

The switch strips the VLAN tag header from all packets sent out on an access port, which is why access ports are also called untagged ports.

When a packet is received on an access port, the switch identifies its VLAN from the packet's VLAN tag header. If the received packet carries no VLAN identifier (it is untagged or priority-tagged), the port's PVID is used as its VLAN.

Follow the steps below to add a member port to a VLAN as an untagged port.

  1. config vlan member add [-u | --untagged] <vlan_id> <member_portname>
     Add an untagged member port to an existing VLAN by using the option -u or --untagged.
       • vlan_id: An existing VLAN number.
       • member_portname: The name of a physical port or port channel that is not configured as a router (Layer 3) interface.

  2. show vlan config
     Display the configured VLANs and their member ports.

  3. show vlan brief
     Display each VLAN with its IP address, member ports and their tagging mode, proxy ARP state and DHCP helper addresses.

  4. sudo config save -y
     Optional: Save the running configuration so that it becomes part of the startup configuration.

The following example shows how to add an untagged port to a VLAN.

admin@sonic:~$ sudo config vlan member add -u 100 Ethernet48

admin@sonic:~$ show vlan config
Name     VID    Member      Mode
-------  -----  ----------  --------
Vlan100  100    Ethernet48  untagged
Vlan200  200

admin@sonic:~$ show vlan brief
+-----------+--------------+------------+----------------+-------------+-----------------------+
|   VLAN ID | IP Address   | Ports      | Port Tagging   | Proxy ARP   | DHCP Helper Address   |
+===========+==============+============+================+=============+=======================+
|       100 |              | Ethernet48 | untagged       | disabled    |                       |
+-----------+--------------+------------+----------------+-------------+-----------------------+
|       200 |              |            |                | disabled    |                       |
+-----------+--------------+------------+----------------+-------------+-----------------------+

Tagged (Trunk) Ports

Tagged (trunk) ports carry the traffic of one or more VLANs. Any switch port can be configured as a trunk port. In most cases, the ports that connect switches to each other are configured as trunk ports to carry multi-VLAN traffic between the switches. Ports connected to end stations (computers or servers) that use multiple VLANs are also configured as trunk ports.

The switch keeps the VLAN tag header on all packets sent out of a trunk port for a VLAN in which the port is a tagged member. When a packet is received on a trunk port, the switch identifies its VLAN from the packet's VLAN tag header. If the received packet is untagged or priority-tagged, the port's PVID determines its VLAN. A port that is only a tagged member of its VLANs has no PVID (in the `bridge vlan` output of the configuration example later on this page, Ethernet4 lists VLANs 20 and 30 without the PVID flag), so untagged frames received on it are not placed into any of its VLANs; the port gets a PVID only when it is also added as an untagged member of some VLAN. Choose that VLAN with care on a switch-to-switch trunk: every untagged frame the neighbouring device sends is silently placed into it, and the classic double-tagging VLAN-hopping technique depends on a trunk whose untagged VLAN is the same VLAN that end stations use as their access VLAN. A VLAN that serves no end stations is the safe choice for a trunk's untagged VLAN.
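The following Python model, added here as an example and not taken from SONiC or any other project, walks through the ingress classification and egress tag handling described for access and trunk ports above. It uses port names and memberships from this page's examples (Ethernet48 untagged in VLAN 100, Ethernet52 tagged in VLAN 100, Ethernet4 tagged in VLANs 20 and 30, Ethernet1 untagged in VLAN 10); the function names, the `flood` helper and the rule that a port without a PVID drops untagged frames are the example's own, the last following the Linux bridge behaviour behind the `bridge vlan` output shown later on this page. Python is used because SONiC's CLI tooling is Python and the model runs without a switch.

```python
# Added example (not SONiC code): how an 802.1Q bridge port classifies frames
# on ingress and handles the tag on egress, following the access/trunk rules
# described on this page.  Port names and memberships come from the page's
# examples; the frame-handling logic is standard 802.1Q behaviour.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class BridgePort:
    name: str
    tagged: Set[int] = field(default_factory=set)  # VLANs carried with the tag kept
    untagged: Optional[int] = None                 # the one VLAN carried untagged

    @property
    def pvid(self) -> Optional[int]:
        # In SONiC the untagged membership also sets the PVID; a port that is
        # only a tagged member of its VLANs has no PVID at all (assumption drawn
        # from the `bridge vlan` output on this page).
        return self.untagged

    def members(self) -> Set[int]:
        return self.tagged | ({self.untagged} if self.untagged is not None else set())


def classify_ingress(port: BridgePort, tag_vid: Optional[int]) -> Optional[int]:
    """VLAN assigned to a frame received on `port`, or None if the frame is dropped.

    tag_vid is None for an untagged frame, 0 for a priority-tagged frame
    (802.1Q tag present but VID 0), otherwise the VID carried in the tag.
    """
    if tag_vid is None or tag_vid == 0:
        # Untagged and priority-tagged frames take the PVID; no PVID -> dropped.
        return port.pvid
    # Ingress filtering: a tagged frame is accepted only for a VLAN the port is in.
    return tag_vid if tag_vid in port.members() else None


def egress_tagging(port: BridgePort, vid: int) -> Optional[str]:
    """How a frame in VLAN `vid` leaves `port`: 'untagged' (tag stripped),
    'tagged' (tag kept), or None when the port is not a member of `vid`."""
    if vid == port.untagged:
        return "untagged"
    if vid in port.tagged:
        return "tagged"
    return None


def flood(ports: List[BridgePort], ingress: BridgePort, tag_vid: Optional[int]) -> Dict[str, str]:
    """Ports that receive a broadcast (or unknown-unicast) frame that arrived on
    `ingress`, with the tagging applied on each.  A broadcast never leaves the
    VLAN it was classified into, which is the containment property of a VLAN."""
    vid = classify_ingress(ingress, tag_vid)
    if vid is None:
        return {}
    out: Dict[str, str] = {}
    for p in ports:
        if p is ingress:
            continue
        how = egress_tagging(p, vid)
        if how is not None:
            out[p.name] = how
    return out


# Memberships taken from this page's examples.
PORTS = [
    BridgePort("Ethernet48", untagged=100),       # access port in VLAN 100
    BridgePort("Ethernet52", tagged={100}),       # trunk carrying VLAN 100 tagged
    BridgePort("Ethernet4", tagged={20, 30}),     # storage trunk, no PVID
    BridgePort("Ethernet1", untagged=10),         # access port in VLAN 10
]
BY_NAME = {p.name: p for p in PORTS}

if __name__ == "__main__":
    for name, tag in [("Ethernet48", None), ("Ethernet48", 200), ("Ethernet52", None), ("Ethernet4", 20)]:
        print(f"{name} frame tag={tag}: vlan={classify_ingress(BY_NAME[name], tag)}")
    print("broadcast from Ethernet48 reaches:", flood(PORTS, BY_NAME["Ethernet48"], None))
```

Two cases are worth noticing in the output: an untagged frame on Ethernet52 is dropped because a tagged-only port has no PVID, and a frame tagged 200 on Ethernet48 is dropped by ingress filtering even though the port is up and VLAN 200 exists on the switch.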

Follow the steps below to add a member port to a VLAN as a tagged port.

  1. config vlan member add <vlan_id> <member_portname>
     Add a tagged member port to an existing VLAN.
       • vlan_id: An existing VLAN number.
       • member_portname: The name of a physical port or port channel that is not configured as a router (Layer 3) interface.

  2. show vlan config
     Display the configured VLANs and their member ports.

  3. show vlan brief
     Display each VLAN with its IP address, member ports and their tagging mode, proxy ARP state and DHCP helper addresses.

  4. sudo config save -y
     Optional: Save the running configuration so that it becomes part of the startup configuration.

The following example shows how to add a tagged port to a VLAN.

admin@sonic:~$ sudo config vlan member add 100 Ethernet52

admin@sonic:~$ show vlan config
Name     VID    Member      Mode
-------  -----  ----------  --------
Vlan100  100    Ethernet48  untagged
Vlan100  100    Ethernet52  tagged
Vlan200  200

admin@sonic:~$ show vlan brief
+-----------+--------------+------------+----------------+-------------+-----------------------+
|   VLAN ID | IP Address   | Ports      | Port Tagging   | Proxy ARP   | DHCP Helper Address   |
+===========+==============+============+================+=============+=======================+
|       100 |              | Ethernet48 | untagged       | disabled    |                       |
|           |              | Ethernet52 | tagged         |             |                       |
+-----------+--------------+------------+----------------+-------------+-----------------------+
|       200 |              |            |                | disabled    |                       |
+-----------+--------------+------------+----------------+-------------+-----------------------+

Important: A VLAN member must not be a router (Layer 3) interface. If an interface that has been configured as a router interface is added as a VLAN member, the command is rejected with the following error (shown here for Ethernet52 configured as a router interface):

admin@sonic:~$ sudo config vlan member add 100 Ethernet52
Usage: config vlan member add [OPTIONS] <vid> port
Try "config vlan member add -h" for help.

Error: Ethernet52 is a L3 interface!
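Before running the add-member procedures above on a production switch, a practitioner would want the rules they depend on checked in one place. The following Python pre-flight check is an added example, not sonic-utilities code: it applies the rules stated on this page (VID in 1–4094, one untagged VLAN per port, no router interface as a member), plus one rule SONiC enforces that the page does not mention (a physical port already bundled in a port channel cannot be added on its own; the wording of that message is the example's own, while the L3 message matches the one shown above), and emits the `config` commands for a plan that passes. The sets of router interfaces and port-channel members are constructed inputs that on a real switch would come from CONFIG_DB; `validate_plan` and `EXAMPLE_PLAN` (built from the VLAN Configuration Example later on this page) are this example's names.

```python
# Added example (not sonic-utilities code): a pre-flight check that applies the
# VLAN membership rules from this page before any `config vlan` command runs.
# Rules: VID within 1-4094, one untagged VLAN per port, no router (Layer 3)
# interface as a member.  The port-channel-member rule is SONiC behaviour that
# this page does not state; its message text below is the example's own.
from typing import Dict, List, Set, Tuple

Plan = List[Tuple[int, str, bool]]   # (vid, interface, untagged?)


def validate_plan(plan: Plan,
                  router_ifaces: Set[str],
                  portchannel_members: Set[str],
                  existing_vlans: Set[int] = frozenset()) -> Tuple[List[str], List[str]]:
    """Return (commands, errors).  commands is empty when any error is found,
    so a plan is applied as a whole or not at all."""
    errors: List[str] = []
    untagged_of: Dict[str, int] = {}
    for vid, iface, untagged in plan:
        if not 1 <= vid <= 4094:
            errors.append(f"VLAN {vid}: VID must be in 1-4094")
        if iface in router_ifaces:
            errors.append(f"{iface} is a L3 interface!")   # the error SONiC itself prints
        if iface in portchannel_members:
            errors.append(f"{iface} is a port-channel member; add the PortChannel instead")
        if untagged:
            prev = untagged_of.setdefault(iface, vid)
            if prev != vid:
                errors.append(f"{iface} is already untagged in VLAN {prev}; only one untagged VLAN per port")
    if errors:
        return [], errors
    cmds: List[str] = []
    for vid in sorted({v for v, _, _ in plan} - set(existing_vlans)):
        cmds.append(f"config vlan add {vid}")
    for vid, iface, untagged in plan:
        cmds.append(f"config vlan member add {'-u ' if untagged else ''}{vid} {iface}")
    return cmds, []


# Constructed from the "VLAN Configuration Example" on this page.
EXAMPLE_PLAN: Plan = [
    (10, "Ethernet1", True), (10, "Ethernet2", True), (10, "Ethernet3", True),
    (20, "Ethernet4", False), (30, "Ethernet4", False),
    (10, "Ethernet5", False), (20, "Ethernet5", False), (30, "Ethernet5", False),
    (10, "Ethernet6", False), (20, "Ethernet6", False), (30, "Ethernet6", False),
    (10, "Ethernet7", False), (20, "Ethernet7", False), (30, "Ethernet7", False),
    (10, "PortChannel0004", False),
]
ROUTER_IFACES = {"Ethernet52"}                       # constructed: the L3 port rejected above
PORTCHANNEL_MEMBERS = {"Ethernet48", "Ethernet49"}   # constructed: bundled into PortChannel0004

if __name__ == "__main__":
    cmds, errs = validate_plan(EXAMPLE_PLAN, ROUTER_IFACES, PORTCHANNEL_MEMBERS)
    print("\n".join(cmds) if not errs else "\n".join("ERROR: " + e for e in errs))
```

The commands are emitted with `-u` before the VLAN number, matching the synopsis in the step table above; the `config` CLI accepts the option in either position. Pipe the output through `sudo sh` only after reading it.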

Remove Port from VLAN

Follow the steps below to remove an untagged or tagged member port from a VLAN.

  1. config vlan member del <vlan_id> <member_portname>
     Remove a member port from a VLAN.
       • vlan_id: An existing VLAN number.
       • member_portname: The name of the physical port or port channel that is currently a member of the VLAN.

  2. show vlan config
     Display the configured VLANs and their member ports.

  3. show vlan brief
     Display each VLAN with its IP address, member ports and their tagging mode, proxy ARP state and DHCP helper addresses.

  4. sudo config save -y
     Optional: Save the running configuration so that it becomes part of the startup configuration.

The following examples show how to delete an untagged or tagged member port from a VLAN.

Remove interface Ethernet48 (the untagged member) from VLAN 100:

admin@sonic:~$ sudo config vlan member del 100 Ethernet48

admin@sonic:~$ show vlan config
Name     VID    Member      Mode
-------  -----  ----------  --------
Vlan100  100    Ethernet52  tagged
Vlan200  200

admin@sonic:~$ show vlan brief
+-----------+--------------+------------+----------------+-------------+-----------------------+
|   VLAN ID | IP Address   | Ports      | Port Tagging   | Proxy ARP   | DHCP Helper Address   |
+===========+==============+============+================+=============+=======================+
|       100 |              | Ethernet52 | tagged         | disabled    |                       |
+-----------+--------------+------------+----------------+-------------+-----------------------+
|       200 |              |            |                | disabled    |                       |
+-----------+--------------+------------+----------------+-------------+-----------------------+

Remove interface Ethernet52 (the tagged member) from VLAN 100:

admin@sonic:~$ sudo config vlan member del 100 Ethernet52

admin@sonic:~$ show vlan config
Name     VID    Member    Mode
-------  -----  --------  ------
Vlan100  100
Vlan200  200

admin@sonic:~$ show vlan brief
+-----------+--------------+---------+----------------+-------------+-----------------------+
|   VLAN ID | IP Address   | Ports   | Port Tagging   | Proxy ARP   | DHCP Helper Address   |
+===========+==============+=========+================+=============+=======================+
|       100 |              |         |                | disabled    |                       |
+-----------+--------------+---------+----------------+-------------+-----------------------+
|       200 |              |         |                | disabled    |                       |
+-----------+--------------+---------+----------------+-------------+-----------------------+

VLAN Configuration Example

Configure the following requirements on SONiC as shown in the figure below.

  • Ports Ethernet1–Ethernet3 are untagged (access) ports in VLAN 10.

  • Port Ethernet4 is a tagged (trunk) port connected to storage; it carries VLANs 20 and 30.

  • Ports Ethernet5–Ethernet7 are tagged (trunk) ports connected to servers; they carry VLANs 10, 20 and 30.

  • Ports Ethernet48 and Ethernet49 are members of port channel PortChannel0004, a tagged (trunk) port channel that carries VLAN 10 to other switches.

Figure 3. VLAN Configuration Example

  • Configure VLANs 10, 20, and 30:

    admin@sonic:~$ sudo config vlan add 10
    admin@sonic:~$ sudo config vlan add 20
    admin@sonic:~$ sudo config vlan add 30

  • Configure Ethernet1–Ethernet3 as untagged ports in VLAN 10:

    admin@sonic:~$ sudo config vlan member add -u 10 Ethernet1
    admin@sonic:~$ sudo config vlan member add -u 10 Ethernet2
    admin@sonic:~$ sudo config vlan member add -u 10 Ethernet3

  • Configure Ethernet4 as a tagged port in VLANs 20 and 30:

    admin@sonic:~$ sudo config vlan member add 20 Ethernet4
    admin@sonic:~$ sudo config vlan member add 30 Ethernet4

  • Configure Ethernet5–Ethernet7 as tagged ports in VLANs 10, 20, and 30:

    admin@sonic:~$ sudo config vlan member add 10 Ethernet5
    admin@sonic:~$ sudo config vlan member add 20 Ethernet5
    admin@sonic:~$ sudo config vlan member add 30 Ethernet5
    admin@sonic:~$ sudo config vlan member add 10 Ethernet6
    admin@sonic:~$ sudo config vlan member add 20 Ethernet6
    admin@sonic:~$ sudo config vlan member add 30 Ethernet6
    admin@sonic:~$ sudo config vlan member add 10 Ethernet7
    admin@sonic:~$ sudo config vlan member add 20 Ethernet7
    admin@sonic:~$ sudo config vlan member add 30 Ethernet7

  • Configure Ethernet48 and Ethernet49 as members of port channel PortChannel0004 and configure the port channel as a tagged port in VLAN 10 (interface names are case-sensitive, so the port channel must be written as PortChannel0004):

    admin@sonic:~$ sudo config portchannel add PortChannel0004
    admin@sonic:~$ sudo config portchannel member add PortChannel0004 Ethernet48
    admin@sonic:~$ sudo config portchannel member add PortChannel0004 Ethernet49
    admin@sonic:~$ sudo config vlan member add 10 PortChannel0004

  • Verify the result:

    admin@sonic:~$ show vlan config
    Name     VID    Member           Mode
    -------  -----  ---------------  --------
    Vlan10   10     Ethernet1        untagged
    Vlan10   10     Ethernet2        untagged
    Vlan10   10     Ethernet3        untagged
    Vlan10   10     Ethernet5        tagged
    Vlan10   10     Ethernet6        tagged
    Vlan10   10     Ethernet7        tagged
    Vlan10   10     PortChannel0004  tagged
    Vlan20   20     Ethernet4        tagged
    Vlan20   20     Ethernet5        tagged
    Vlan20   20     Ethernet6        tagged
    Vlan20   20     Ethernet7        tagged
    Vlan30   30     Ethernet4        tagged
    Vlan30   30     Ethernet5        tagged
    Vlan30   30     Ethernet6        tagged
    Vlan30   30     Ethernet7        tagged
    Vlan100  100
    Vlan200  200

    admin@sonic:~$ show vlan brief
    +-----------+--------------+-----------------+----------------+-------------+-----------------------+
    |   VLAN ID | IP Address   | Ports           | Port Tagging   | Proxy ARP   | DHCP Helper Address   |
    +===========+==============+=================+================+=============+=======================+
    |        10 |              | Ethernet1       | untagged       | disabled    |                       |
    |           |              | Ethernet2       | untagged       |             |                       |
    |           |              | Ethernet3       | untagged       |             |                       |
    |           |              | Ethernet5       | tagged         |             |                       |
    |           |              | Ethernet6       | tagged         |             |                       |
    |           |              | Ethernet7       | tagged         |             |                       |
    |           |              | PortChannel0004 | tagged         |             |                       |
    +-----------+--------------+-----------------+----------------+-------------+-----------------------+
    |        20 |              | Ethernet4       | tagged         | disabled    |                       |
    |           |              | Ethernet5       | tagged         |             |                       |
    |           |              | Ethernet6       | tagged         |             |                       |
    |           |              | Ethernet7       | tagged         |             |                       |
    +-----------+--------------+-----------------+----------------+-------------+-----------------------+
    |        30 |              | Ethernet4       | tagged         | disabled    |                       |
    |           |              | Ethernet5       | tagged         |             |                       |
    |           |              | Ethernet6       | tagged         |             |                       |
    |           |              | Ethernet7       | tagged         |             |                       |
    +-----------+--------------+-----------------+----------------+-------------+-----------------------+
    |       100 |              |                 |                | disabled    |                       |
    +-----------+--------------+-----------------+----------------+-------------+-----------------------+
    |       200 |              |                 |                | disabled    |                       |
    +-----------+--------------+-----------------+----------------+-------------+-----------------------+

    admin@sonic:~$ sudo bridge vlan
    port              vlan ids
    docker0           1 PVID Egress Untagged
    Bridge            10
                      20
                      30
                      100
                      200
    dummy             1 PVID Egress Untagged
    Ethernet1         10 PVID Egress Untagged
    Ethernet2         10 PVID Egress Untagged
    Ethernet3         10 PVID Egress Untagged
    Ethernet4         20
                      30
    Ethernet5         10
                      20
                      30
    Ethernet6         10
                      20
                      30
    Ethernet7         10
                      20
                      30
    PortChannel0004   10

    In this output, docker0, dummy and Bridge are kernel-side members of the Linux bridge, not front-panel ports, and their VLAN 1 entry is the Linux bridge default rather than a VLAN configured in SONiC. A port listed with a bare VID, such as Ethernet4, is a tagged member of that VLAN; PVID Egress Untagged marks the port's untagged membership and the VLAN into which untagged frames received on that port are placed.
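The `bridge vlan` output above is the Linux-bridge view of what the `config` commands produced, and it is the place to confirm the result and to spot the PVID situation noted under tagged ports. The following Python audit is an added example, not SONiC code: `parse_bridge_vlan` reads that output (including VID ranges and the whitespace-indented continuation lines), `port_vlans` reduces it to an untagged/tagged membership per front-panel port, `check_against_plan` compares it with the intended membership, and `shared_pvid_uplinks` reports switch-to-switch trunks whose PVID is also the access VLAN of end-station ports. `BRIDGE_VLAN_SAMPLE` is constructed to match the output above, `EXPECTED` is built from the requirements of this configuration example, and `KERNEL_ONLY` (the docker0, dummy and Bridge entries, which are not switch ports) is the example's own assumption.

```python
# Added example (not SONiC code): parse `bridge vlan` output as shown on this
# page, rebuild each front-panel port's VLAN membership, compare it with the
# intended plan, and flag trunks whose PVID is also an access VLAN.
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed to match the `bridge vlan` output of the configuration example.
BRIDGE_VLAN_SAMPLE = """\
port              vlan ids
docker0           1 PVID Egress Untagged
Bridge            10
                  20
                  30
                  100
                  200
dummy             1 PVID Egress Untagged
Ethernet1         10 PVID Egress Untagged
Ethernet2         10 PVID Egress Untagged
Ethernet3         10 PVID Egress Untagged
Ethernet4         20
                  30
Ethernet5         10
                  20
                  30
Ethernet6         10
                  20
                  30
Ethernet7         10
                  20
                  30
PortChannel0004   10
"""

KERNEL_ONLY = {"Bridge", "docker0", "dummy"}          # assumption: Linux-bridge members that are not switch ports
_ENTRY = re.compile(r"(\d+)(?:-(\d+))?\s*(.*)")         # "10", "10-12", "1 PVID Egress Untagged"

Membership = Tuple[Optional[int], Set[int]]              # (untagged VLAN / PVID, tagged VLANs)


def parse_bridge_vlan(text: str) -> Dict[str, Dict[int, Set[str]]]:
    """-> {port: {vid: set(flags)}}.  A port line starts in column 0; its extra
    VLANs follow on whitespace-indented lines.  VID ranges are expanded."""
    ports: Dict[str, Dict[int, Set[str]]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip():
            continue                                      # blank separator lines (older iproute2)
        if not raw[0].isspace():
            parts = raw.split(None, 1)
            if parts[0] == "port":
                continue                                  # column header
            current, rest = parts[0], (parts[1] if len(parts) > 1 else "")
            ports.setdefault(current, {})
        else:
            rest = raw.strip()
        if not rest:
            continue
        m = _ENTRY.fullmatch(rest.strip())
        if m is None or current is None:
            raise ValueError(f"cannot parse line: {raw!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        flags = set(m.group(3).split())
        for vid in range(lo, hi + 1):
            ports[current][vid] = flags
    return ports


def port_vlans(parsed: Dict[str, Dict[int, Set[str]]]) -> Dict[str, Membership]:
    """Membership per front-panel port: the 'PVID Egress Untagged' VLAN vs tagged VLANs."""
    out: Dict[str, Membership] = {}
    for port, vids in parsed.items():
        if port in KERNEL_ONLY:
            continue
        pvid = next((v for v, f in vids.items() if "PVID" in f), None)
        tagged = {v for v, f in vids.items() if "Untagged" not in f}
        out[port] = (pvid, tagged)
    return out


def check_against_plan(parsed, plan: Dict[str, Membership]) -> List[str]:
    """Ports whose observed membership differs from the intended plan."""
    actual = port_vlans(parsed)
    return [f"{p}: expected {plan.get(p)}, found {actual.get(p)}"
            for p in sorted(set(plan) | set(actual)) if plan.get(p) != actual.get(p)]


def shared_pvid_uplinks(parsed, uplinks: Set[str]) -> List[Tuple[str, int, List[str]]]:
    """Uplinks (switch-to-switch trunks) whose PVID is also the untagged VLAN of an
    end-station port.  Untagged frames from the neighbour land in that VLAN, which
    is the precondition for double-tagging VLAN hopping."""
    actual = port_vlans(parsed)
    findings = []
    for up in sorted(uplinks):
        pvid = actual.get(up, (None, set()))[0]
        if pvid is None:
            continue
        edge = sorted(p for p, (pv, _) in actual.items() if p not in uplinks and pv == pvid)
        if edge:
            findings.append((up, pvid, edge))
    return findings


# Intended result of the configuration example, as (untagged VLAN, tagged VLANs).
EXPECTED: Dict[str, Membership] = {
    "Ethernet1": (10, set()), "Ethernet2": (10, set()), "Ethernet3": (10, set()),
    "Ethernet4": (None, {20, 30}),
    "Ethernet5": (None, {10, 20, 30}), "Ethernet6": (None, {10, 20, 30}), "Ethernet7": (None, {10, 20, 30}),
    "PortChannel0004": (None, {10}),
}

if __name__ == "__main__":
    parsed = parse_bridge_vlan(BRIDGE_VLAN_SAMPLE)
    print("mismatches:", check_against_plan(parsed, EXPECTED))
    print("uplinks sharing a PVID with access ports:", shared_pvid_uplinks(parsed, {"PortChannel0004"}))
```

On the output above both checks come back empty: the membership matches the plan, and PortChannel0004 has no PVID. Had the port channel been made an untagged member of VLAN 10 as well, `shared_pvid_uplinks` would report it together with Ethernet1–Ethernet3, the access ports that share that VLAN.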