Tagging Virtual IP Pools with VLANs

  • Updated on Jan 31, 2026
  • Published on Jan 27, 2026
  • 4 minute(s) read
Prev Next

VLAN tagging enables you to control which virtual IPs are exposed to which VLANs on your network. VLAN tagging is per virtual IP pool.

To implement VLAN tagging on the cluster, do all of the following:

Create VLAN Tagged Virtual IP Pools

For each VLAN, create a virtual IP pool for the virtual IPs that you want to expose to that VLAN and tag it with the VLAN.Managing Virtual IP (VIP) Pools

Configure Uplinks on Client Data Network in Hybrid Mode

Make sure the uplink interfaces on the client data network's switches are configured in hybrid mode (or trunk mode if you only need to allow tagged traffic through).

Configure the Cluster's Data Switches to Allow the VLANs

This configuration must be done on each switch in every switch pair in the cluster.

The configuration can be done during cluster installation if the VLANs are already known. Otherwise, it can be done any time after installation.

Configuring VLANs on Switches at Installation Stage

When you run the switch_conf.py script on each data switch, include the --external-vlans EXTERNAL_VLANS parameter and specify the VLANs as a comma separated list. This must be done on every data switch. It will activate the VLANs on the switches and configure the uplink interfaces on the switches to allow the VLAN tagged traffic through.

Configuring VLANs on Switches During Cluster Operation

The VLANs need to be activated on all data switches in the cluster.

In addition to activating the VLANs, on the data switches that connect directly to the client data network, which is all data switches in a single switch pair deployment and only the 'spine' switches in a spine-leaf topology with more than one switch pair, the uplink interfaces need to be configured to allow the VLAN-tagged traffic through. The uplink interfaces are MLAG interfaces. There is usually one MLAG per pair of data switches, although sometimes there may be two MLAGs.

As with all configuration of Mellanox switch pairs, both switches in each switch pair must be configured identically and this is the responsibility of the user.

On every data switch:

  1. Connect to the switch CLI: Open an SSH connection to admin@SWITCH_IP (where SWITCH_IP is the IP of the switch) and then enter the password for the admin user when prompted. The default password is admin.

  2. Run enable to enter Enable mode and then run configure terminal to move into Config mode.

  3. Run vlan VLAN once for each VLAN to create the VLANs.

  4. For spine switches only: Run interface mlag-port-channel 1 switchport mode hybrid to configure the MLAG interface in hybrid mode. If there is another MLAG on the switch pair, run this also for the second MLAG interface: interface mlag-port-channel 2 switchport mode hybrid.

  5. For spine switches only: Run interface mlag-port-channel 1 switchport hybrid allowed-vlan VLAN per VLAN to allow each VLAN on the MLAG interface. Also run this command for the other MLAG interface if there is a second one on the switch pair.

  6. Run configuration write twice to save the configuration.

For example, to create and allow VLAN 99 if you have one MLAG per switch pair, run these commands on the spine switches...

switch > enable
switch # configure terminal
switch (config) # vlan 99
switch (config) # interface mlag-port-channel 1 switchport mode hybrid
switch (config) # interface mlag-port-channel 1 switchport hybrid allowed-vlan 99
switch (config) # conf write
switch (config) # conf write

...and these commands on any leaf switches if applicable:

switch > enable
switch # configure terminal
switch (config) # vlan 99
switch (config) # conf write
switch (config) # conf write

To create and allow VLAN 99 if you have two MLAGs on the switch pair, run these commands on the spine switches...

switch > enable
switch # configure terminal
switch (config) # vlan 99
switch (config) # interface mlag-port-channel 1 switchport mode hybrid
switch (config) # interface mlag-port-channel 1 switchport hybrid allowed-vlan 99
switch (config) # interface mlag-port-channel 2 switchport mode hybrid
switch (config) # interface mlag-port-channel 2 switchport hybrid allowed-vlan 99
switch (config) # conf write
switch (config) # conf write

...and these commands on any leaf switches if applicable:

switch > enable
switch # configure terminal
switch (config) # vlan 99
switch (config) # conf write
switch (config) # conf write

To create two VLANs (99 and 100) if you have one MLAG on the switch pair, run these commands on the spine switches...

switch > enable
switch # configure terminal
switch (config) # vlan 99
switch (config) # vlan 100
switch (config) # interface mlag-port-channel 1 switchport mode hybrid
switch (config) # interface mlag-port-channel 1 switchport hybrid allowed-vlan 99
switch (config) # interface mlag-port-channel 1 switchport hybrid allowed-vlan 100
switch (config) # conf write
switch (config) # conf write

...and these commands on any leaf switches if applicable:

switch > enable
switch # configure terminal
switch (config) # vlan 99
switch (config) # vlan 100
switch (config) # conf write
switch (config) # conf write
Related articles