---
title: VLAN Management
tags: Cisco IOS, networking, manual, reference, router, switch, technical
---

<header>
<h6><abbr title="Virtual Local Area Network">VLAN</abbr> Management</h6>

> [toc]

</header>

---

Virtual Local Area Networks (VLANs) provide segmentation and organizational flexibility in a switched network, and allow an administrator to segment networks based on factors such as function, team, or application, without regard for the physical location of the users or devices. A group of devices within a VLAN **communicate as if each device was attached to the same cable**.

VLANs are based on logical connections, instead of physical connections; any switch port can belong to a VLAN. However, **each switch port can be assigned to only one VLAN** (except for a port connected to an IP phone or to another switch).

Unicast, broadcast, and multicast packets are forwarded and flooded only to end devices within the VLAN where the packets are sourced. **Packets initiated within a VLAN that are destined for devices outside of the VLAN must be forwarded through a device that supports routing.**

Multiple IP subnets can exist on a switched network without the use of multiple VLANs. However, the devices will then be in the same Layer 2 broadcast domain. This means that any Layer 2 broadcast, such as an ARP request, will be received by all devices on the switched network, even by those not intended to receive it. Therefore, **VLANs improve network performance** by separating large broadcast domains into smaller ones.

The standard Ethernet frame header does not contain information about the VLAN to which the frame belongs. Therefore, when Ethernet frames are placed on a trunk, information about the VLANs to which they belong must be added. This process, called **tagging**, is accomplished by using the IEEE 802.1Q header, specified in the IEEE 802.1Q standard. **The 802.1Q header includes a 4-byte tag** inserted within the original Ethernet frame header, **specifying the VLAN** to which the frame belongs.

# Types of VLAN

## Default

The default VLAN on a Cisco switch is VLAN 1. Therefore, all switch ports are on VLAN 1 unless a port is explicitly configured to be on another VLAN. By default, all Layer 2 control traffic is associated with VLAN 1.

Important facts to remember about VLAN 1 include the following:

* All ports are assigned to VLAN 1 by default.
* The native VLAN is VLAN 1 by default.
* The management VLAN is VLAN 1 by default.
* VLAN 1 cannot be renamed or deleted.

## Data

Data VLANs are VLANs configured to separate user-generated traffic. They are also referred to as **user VLANs** because they **separate the network into groups of users or devices**. A modern network might have many data VLANs depending on organizational requirements.

:::info
Voice and network management traffic should not be permitted on data VLANs.
:::

## Native

User traffic from a VLAN must be tagged with its VLAN ID when it is sent to another switch. Trunk ports are used between switches to support the transmission of tagged traffic. A switch may also have to send untagged traffic across a trunk link. For example, control traffic sent on the native VLAN should not be tagged. The 802.1Q trunk port places untagged traffic on the native VLAN.

:::success
It is a best practice to configure the native VLAN as an unused VLAN, distinct from VLAN 1 and other VLANs.
:::

## Management

A management VLAN is a data VLAN configured specifically for **network management traffic including SSH, Telnet, HTTPS, HTTP, and SNMP**. By default, VLAN 1 is configured as the management VLAN on a Layer 2 switch. Management frames sent between switches are an example of traffic that is typically **untagged**.

## Voice

A separate VLAN is needed to support Voice over IP (VoIP). VoIP traffic requires the following:

* Assured bandwidth to ensure voice quality
* Transmission priority over other types of network traffic
* Ability to be routed around congested areas on the network
* Delay of less than 150 ms across the network

# VLAN Configuration

When VLANs are implemented on a switch, the transmission of unicast, multicast, and broadcast traffic from a host in a particular VLAN is restricted to the devices that are in that VLAN. A VLAN is the equivalent of an IP network (or subnet). VLANs are configured on the switch, whereas IP addressing is configured on the device.

```pug
S1# configure terminal
S1(config)# vlan 100,102,105-107
S1(config-vlan)# name student
S1(config-vlan)# exit
S1(config)#
S1(config)# interface range fa 0/6 - 8, gig 1/1 - 2
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 20
% Access VLAN does not exist. Creating vlan 20
```

:::info
Naming each VLAN is considered a best practice in switch configuration.
:::

:::danger
**The network administrator must configure the other devices on the VLAN to be in the same subnet.**
:::

## VLAN Ranges

Different Cisco Catalyst switches support various numbers of VLANs. For example, the Catalyst 2960 and 3650 Series switches support over 4,000 VLANs. Normal range VLANs on these switches are numbered 1 to 1,005 and extended range VLANs are numbered 1,006 to 4,094.

### Normal Range VLANs

The following are characteristics of normal range VLANs:

* They are used in all small- and medium-sized business and enterprise networks.
* They are identified by a VLAN ID between 1 and 1005.
* IDs 1002 through 1005 are reserved for legacy network technologies (i.e., Token Ring and Fiber Distributed Data Interface).
* IDs 1 and 1002 to 1005 are automatically created and cannot be removed.
* Configurations are stored in the switch flash memory in a VLAN database file called vlan.dat.
* When configured, VLAN Trunking Protocol (VTP) helps synchronize the VLAN database between switches.

### Extended Range VLANs

The following are characteristics of extended range VLANs:

* They are used by service providers to service multiple customers and by global enterprises large enough to need extended range VLAN IDs.
* They are identified by a VLAN ID between 1006 and 4094.
* Configurations are saved, by default, in the running configuration.
* They support fewer VLAN features than normal range VLANs.
* VTP transparent mode must be configured to support extended range VLANs.

:::info
4096 is the upper boundary for the number of VLANs available on Catalyst switches, because there are 12 bits in the VLAN ID field of the IEEE 802.1Q header.
:::

## VLAN Management Interface

```pug
S1(config)# vlan 99
S1(config-vlan)# name Management
S1(config-vlan)# interface vlan 99
S1(config-if)# ip add 192.168.99.2 255.255.255.0
S1(config-if)# no shut
S1(config-if)# exit
S1(config)# ip default-gateway 192.168.99.1
```

## Voice-over-IP (VoIP)

A **separate voice VLAN is required** to support VoIP. This enables **quality of service** (QoS) and **security policies** to be applied to voice traffic.

A Cisco IP phone connects directly to a switch port. An IP host can connect to the IP phone to gain network connectivity as well. The access port connected to the Cisco IP phone can be configured to use two separate VLANs. One VLAN is for voice traffic and the other is a data VLAN to support the host traffic. The link between the switch and the IP phone simulates a trunk link to carry both voice VLAN traffic and data VLAN traffic.

:::info
:speaking_head_in_silhouette:&ensp;The connected switch sends CDP packets instructing the attached IP phone to send voice traffic in **one of three ways**. The method used varies based on the type of traffic:

1. **Voice VLAN** traffic must be tagged with an appropriate Layer 2 class of service (CoS) priority value.
2. **Access VLAN** traffic can also be tagged with a Layer 2 CoS priority value.
3. **Access VLAN** traffic is not tagged (no Layer 2 CoS priority value).
:::

```pug
S1(config)# vlan 150
S1(config-vlan)# name VOICE
S1(config-vlan)# interface fa0/10
S1(config-if)# switchport mode access
S1(config-if)# mls qos trust cos
S1(config-if)# switchport voice vlan 150
S1(config-if)# end
```

Voice traffic must be labeled as trusted as soon as it enters the network. Use the `mls qos trust` interface configuration command to set the trusted state of an interface, and to indicate which fields of the packet are used to classify traffic.

```pug
Switch(config-if)# mls qos trust [cos | device cisco-phone | dscp | ip-precedence]
```

## Deleting VLANs

The <code><b>no vlan</b> <i>vlan-id</i></code> global configuration mode command is used to remove a VLAN from the switch vlan.dat file.

:::danger
Before deleting a VLAN, reassign all member ports to a different VLAN first. Any ports that are not moved to an active VLAN are unable to communicate with other hosts after the VLAN is deleted and until they are assigned to an active VLAN.
:::

The entire vlan.dat file can be deleted using the **`delete flash:vlan.dat`** privileged EXEC mode command. The abbreviated command version (**`delete vlan.dat`**) can be used if the vlan.dat file has not been moved from its default location. After issuing this command and reloading the switch, any previously configured VLANs are no longer present.

# Port Configuration – Negotiated Interface Modes

VLANs are associated with and configured on individual switch ports. **Devices attached to those ports have no concept of VLANs**. However, these devices are configured with IP addressing and are members of a specific IP network. When a switch receives a frame on a port configured in access mode and assigned a VLAN, the switch inserts a VLAN tag in the frame header, recalculates the Frame Check Sequence (FCS), and sends the tagged frame out of a trunk port.
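The tag insertion just described, together with the 12-bit VLAN ID limit from the VLAN Ranges section and the native VLAN handling covered under Trunk Ports below, can be worked through in code. The following Python example is added here and is not part of this guide or of any Cisco software: it builds an untagged Ethernet II frame, inserts a 4-byte 802.1Q tag after the source MAC, recomputes the FCS with CRC-32, parses the tag back out, and models which VLAN a trunk port assigns to an incoming frame. The MAC addresses, payload and VLAN numbers are constructed sample values.

```python
import struct
import zlib

TPID_8021Q = 0x8100        # EtherType value that announces an 802.1Q tag
VID_BITS = 12              # the VLAN ID field is 12 bits wide, hence 4096 values
VID_MASK = (1 << VID_BITS) - 1

# Constructed sample frame fields (not taken from the page): made-up MAC
# addresses and a zero-filled payload of the 46-byte Ethernet minimum.
DST_MAC = bytes.fromhex("001122aabb01")
SRC_MAC = bytes.fromhex("001122aabb02")
ETHERTYPE_IPV4 = 0x0800
SAMPLE_PAYLOAD = bytes(46)


def fcs(frame_body: bytes) -> bytes:
    """Ethernet FCS: CRC-32 over everything from the destination MAC to the
    end of the payload, transmitted least-significant byte first."""
    return struct.pack("<I", zlib.crc32(frame_body) & 0xFFFFFFFF)


def build_untagged(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Plain Ethernet II frame: the header carries no VLAN information."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + fcs(body)


def insert_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """What an access port does before forwarding out a trunk: insert the
    4-byte tag (TPID + TCI) after the source MAC and recompute the FCS."""
    if not 0 <= vid <= VID_MASK:
        raise ValueError(f"VLAN ID {vid} does not fit in {VID_BITS} bits")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP is 3 bits, DEI is 1 bit")
    body, old_fcs = frame[:-4], frame[-4:]
    if fcs(body) != old_fcs:
        raise ValueError("refusing to tag a frame whose FCS is already wrong")
    tci = (pcp << 13) | (dei << 12) | vid
    tagged_body = body[:12] + struct.pack("!HH", TPID_8021Q, tci) + body[12:]
    return tagged_body + fcs(tagged_body)   # the old FCS no longer covers these bytes


def parse_tag(frame: bytes):
    """Return (vid, pcp, dei) for a tagged frame, or None if it is untagged."""
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        return None
    (tci,) = struct.unpack("!H", frame[14:16])
    return (tci & VID_MASK, tci >> 13, (tci >> 12) & 1)


def trunk_ingress_vlan(frame: bytes, native_vlan: int):
    """VLAN a Cisco 802.1Q trunk port assigns to an arriving frame, or None
    when the frame is dropped: untagged frames land on the native VLAN, and
    a frame that arrives tagged with the native VLAN ID is discarded."""
    tag = parse_tag(frame)
    if tag is None:
        return native_vlan
    vid = tag[0]
    return None if vid == native_vlan else vid


if __name__ == "__main__":
    plain = build_untagged(DST_MAC, SRC_MAC, ETHERTYPE_IPV4, SAMPLE_PAYLOAD)
    tagged = insert_tag(plain, vid=20, pcp=5)
    print("untagged:", parse_tag(plain), "tagged:", parse_tag(tagged))
    print("lengths:", len(plain), len(tagged))
    print("trunk with native 99 ->", trunk_ingress_vlan(plain, 99), trunk_ingress_vlan(tagged, 99))
```

Note that the tag sits between the source MAC and the original EtherType, so everything after byte 12 shifts by four bytes and the FCS must be recomputed; a switch that forwarded the old FCS would emit a corrupt frame.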
After creating a VLAN, the next step is to assign ports to the VLAN. An access port can belong to only **one data VLAN** at a time. The following example displays the syntax for defining a port to be an access port and assigning it to a VLAN.

```pug
S1(config)# interface fa0/1
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 20
% Access VLAN does not exist. Creating vlan 20
```

:::success
The **`switchport mode access`** command is optional, but strongly recommended as a security best practice. Access mode indicates that the port belongs to a single VLAN and will not negotiate to become a trunk link.
:::

The configuration options available to the **`switchport mode`** interface configuration command are as follows:

```pug
Switch(config-if)# switchport mode { access | dynamic { auto | desirable } | trunk }
```

| Option | Description |
| ------ | ----------- |
| <div class='mono'>**access**</div> | <ul><li>Puts the interface (access port) into permanent nontrunking mode and negotiates to convert the link into a nontrunk link.</li><li>The interface becomes a nontrunk interface, regardless of whether the neighboring interface is a trunk interface.</li></ul> |
| <div class='mono'>**dynamic auto**</div> | <ul><li>Makes the interface able to convert the link to a trunk link.</li><li>The interface becomes a trunk interface if the neighboring interface is set to trunk or desirable mode.</li><li>The default switchport mode for all Ethernet interfaces is dynamic auto.</li></ul> |
| <div class='mono'>**dynamic desirable**</div> | <ul><li>Makes the interface actively attempt to convert the link to a trunk link.</li><li>The interface becomes a trunk interface if the neighboring interface is set to trunk, desirable, or dynamic auto mode.</li></ul> |
| <div class='mono'>**trunk**</div> | <ul><li>Puts the interface into permanent trunking mode and negotiates to convert the neighboring link into a trunk link.</li><li>The interface becomes a trunk interface even if the neighboring interface is not a trunk interface.</li></ul> |

## Change VLAN Port Membership

There are a number of ways to change VLAN port membership. If the switch access port has been incorrectly assigned to a VLAN, then simply re-enter the <code><b>switchport access vlan</b> <i>vlan-id</i></code> interface configuration command with the correct VLAN ID. The **`switchport access vlan`** command forces the creation of a VLAN if it does not already exist on the switch.

```pug
S1(config)# vlan 150
S1(config-vlan)# name VOICE
S1(config-vlan)# interface fa0/10
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 20
! % Access VLAN does not exist. Creating vlan 20
S1(config-if)# mls qos trust cos
S1(config-if)# switchport voice vlan 150
S1(config-if)# end
```

To change the membership of a port back to the default VLAN 1, use the **`no switchport access vlan`** interface configuration mode command as shown.

# Trunk Ports

A trunk is a **point-to-point link** between two network devices that **carries more than one VLAN**. This enables devices connected to different switches but in the same VLAN to **communicate without going through a router**. Cisco supports IEEE 802.1Q for coordinating trunks on Fast Ethernet, Gigabit Ethernet, and 10-Gigabit Ethernet interfaces.

If an 802.1Q trunk port receives a **tagged frame with the native VLAN ID**, it **drops the frame**. Devices from other vendors that support tagged frames on the native VLAN include IP phones, servers, routers, and non-Cisco switches.

When a Cisco switch trunk port receives **untagged frames** (which are unusual in a well-designed network), it **forwards those frames to the native VLAN**. If there are **no devices associated with the native VLAN** (which is not unusual) and there are **no other trunk ports** (which is not unusual), then **the frame is dropped**.
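The port-mode and trunk guidance in this guide (set `switchport mode access` explicitly, move the native VLAN off VLAN 1, restrict the allowed VLANs, and disable DTP with `switchport nonegotiate`) is easy to check mechanically. The following Python script is an added example, not part of this page or of any Cisco tool: it parses a constructed running-config excerpt into interface stanzas and reports, per switchport, which of those settings is missing. The interface names, VLAN numbers and finding codes are assumptions made for the example.

```python
# Constructed sample running-config excerpt (not from a real device); the
# interface names and VLAN numbers follow the examples used in this guide.
SAMPLE_CONFIG = """\
!
interface FastEthernet0/1
 description Trunk to S2 (hardened)
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20,30,99
 switchport nonegotiate
!
interface FastEthernet0/2
 description Trunk to S3 (left at defaults)
 switchport mode trunk
!
interface FastEthernet0/6
 description PC1 (switchport mode never set)
 switchport access vlan 20
!
interface FastEthernet0/10
 description IP phone with PC behind it
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 150
!
interface Vlan99
 ip address 192.168.99.2 255.255.255.0
!
"""


def parse_interfaces(config: str) -> dict:
    """Group the indented lines of each 'interface ...' stanza by interface name."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None          # '!' or any unindented line ends the stanza
    return stanzas


def audit_switchports(config: str) -> dict:
    """Return {interface: [finding codes]} for every physical switchport.
    An empty list means the port matches the guidance on this page."""
    report = {}
    for name, cmds in parse_interfaces(config).items():
        if name.lower().startswith("vlan"):
            continue                # SVIs have no switchport mode to check
        findings = []
        mode = next((c.split()[2] for c in cmds if c.startswith("switchport mode ")), None)
        if mode is None or mode == "dynamic":
            # The IOS default is dynamic auto: a neighbour set to desirable or
            # trunk turns this port into a trunk through DTP.
            findings.append("DTP_NEGOTIABLE_MODE")
        elif mode == "trunk":
            if "switchport nonegotiate" not in cmds:
                findings.append("DTP_FRAMES_ON_TRUNK")
            native = next((c.split()[-1] for c in cmds
                           if c.startswith("switchport trunk native vlan ")), "1")
            if native == "1":
                findings.append("NATIVE_VLAN_1")
            if not any(c.startswith("switchport trunk allowed vlan ") for c in cmds):
                findings.append("TRUNK_ALLOWS_ALL_VLANS")
        report[name] = findings
    return report


if __name__ == "__main__":
    for iface, codes in audit_switchports(SAMPLE_CONFIG).items():
        print(f"{iface}: {', '.join(codes) if codes else 'ok'}")
```

With the sample above, FastEthernet0/1 and FastEthernet0/10 come back clean, FastEthernet0/2 is flagged three times (DTP still active, native VLAN 1, all VLANs allowed) and FastEthernet0/6 is flagged because no `switchport mode` was ever set, so it sits in the default dynamic auto mode. Feeding the script the output of `show running-config` from a real switch works the same way, since it only relies on the stanza layout IOS uses.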
## Trunk Configuration

<ol class='step-list'>
<li>Configure the interface as a trunk.</li>

```pug
S1(config)# interface fastEthernet 0/1
S1(config-if)# switchport mode trunk
S1(config-if)# switchport nonegotiate
```

<li>Configure both ends of a trunk link with the same native VLAN.</li>

```pug
S1(config-if)# switchport trunk native vlan 99
```

<li>Restrict the interface to only allow relevant VLANs (e.g. 10, 20, 30, and 99).</li>

```pug
S1(config-if)# switchport trunk allowed vlan 10,20,30,99
```

</ol>

:::info
When configuring an 802.1Q trunk port, a default Port VLAN ID (PVID) is assigned the value of the native VLAN ID. All untagged traffic coming in or out of the 802.1Q port is forwarded based on the PVID value.
:::

## Reset the Trunk to the Default State

Use the **`no switchport trunk allowed vlan`** and **`no switchport trunk native vlan`** commands to remove the allowed VLANs and reset the native VLAN of the trunk. When it is reset to the default state, the trunk allows all VLANs and uses VLAN 1 as the native VLAN.

## Dynamic Trunking Protocol

Some Cisco switches have a proprietary protocol that lets them automatically **negotiate trunking** with a neighboring device. This protocol is called Dynamic Trunking Protocol (DTP). Ethernet trunk interfaces support different trunking modes. An interface can be set to **trunking** or **nontrunking**, or to **negotiate trunking** with the neighbor interface. Trunk negotiation is managed by DTP, which operates on a **point-to-point basis** only, between network devices.

:::warning
Some internetworking devices might forward DTP frames improperly, which can cause misconfigurations. To avoid this, turn off DTP on Cisco switch interfaces that are connected to devices that do not support DTP.
:::

To enable trunking from a Cisco switch to a device that does not support DTP, use the **`switchport mode trunk`** and **`switchport nonegotiate`** interface configuration mode commands. This causes the interface to become a trunk, but it will not generate DTP frames.

If the ports connecting two switches are configured to ignore all DTP advertisements with the **`switchport mode trunk`** and **`switchport nonegotiate`** commands, the ports will stay in trunk port mode. If the connecting ports are set to dynamic auto, they will not negotiate a trunk and will stay in the access mode state, creating an inactive trunk link.

When configuring a port to be in trunk mode, use the **`switchport mode trunk`** command. Then there is no ambiguity about which state the trunk is in; it is always on.

# Inter-VLAN Routing

VLANs are used to segment switched Layer 2 networks for a variety of reasons. Regardless of the reason, **hosts in one VLAN cannot communicate with hosts in another VLAN** unless there is a router or a Layer 3 switch to provide routing services. Inter-VLAN routing is **the process of forwarding network traffic from one VLAN to another**.

There are three inter-VLAN routing options:

* **Legacy Inter-VLAN routing** - This is a legacy solution. It does not scale well.
* **Router-on-a-Stick** - This is an acceptable solution for a small to medium-sized network.
* **Layer 3 switch using switched virtual interfaces (SVIs)** - This is the most scalable solution for medium to large organizations.

## Legacy Inter-VLAN Routing

The first inter-VLAN routing solution relied on using a router with multiple Ethernet interfaces. Each router interface was connected to a switch port in a different VLAN. The router interfaces served as the default gateways to the local hosts on the VLAN subnet.

![](https://i.imgur.com/wnnZ92P.png)

In this example, the MAC address table of switch S1 is populated as follows:

| Port | MAC Address | VLAN |
| ----- | ------------- |:----:|
| F0/1 | R1 G0/0/0 MAC | 10 |
| F0/11 | PC1 MAC | 10 |
| F0/12 | R1 G0/0/1 MAC | 20 |
| F0/24 | PC2 MAC | 20 |

Legacy inter-VLAN routing using physical interfaces works, but it has a significant limitation. It is not reasonably scalable because routers have a limited number of physical interfaces. Requiring one physical router interface per VLAN quickly exhausts the physical interface capacity of a router.

:::info
This method of inter-VLAN routing is no longer implemented in switched networks.
:::

## Router-on-a-Stick Scenario

The ‘router-on-a-stick’ inter-VLAN routing method overcomes the limitation of the legacy inter-VLAN routing method. It **only requires one physical Ethernet interface** to route traffic between multiple VLANs on a network.

Specifically, the router interface is configured using **subinterfaces** to **identify routable VLANs**. The configured subinterfaces are **software-based virtual interfaces**. Each is associated with a single physical Ethernet interface. Each subinterface is **independently configured** with an **IP address** and **VLAN assignment**. This facilitates logical routing. If the exit interface is configured as an 802.1Q subinterface, the data frames are **VLAN-tagged** with the new VLAN and **sent back out** the physical interface.

:::warning
The router-on-a-stick method of inter-VLAN routing cannot scale beyond 50 VLANs.
:::

Virtual subinterfaces are defined by entering the interface configuration command <code><b>interface</b> <i>interface-id</i><b>.</b><i>vlan-id</i></code> and are then configured like a standard VLAN port.

**Configure physical interface G0/1 as a Router-on-a-Stick:** (assume VLANs 10, 20, and 99 are already configured)

```pug
R1(config)# interface G0/1.10
R1(config-subif)# description Default Gateway for VLAN 10
R1(config-subif)# encapsulation dot1Q 10
R1(config-subif)# ip add 192.168.10.1 255.255.255.0
R1(config-subif)# exit
R1(config)#
R1(config)# interface G0/1.20
R1(config-subif)# description Default Gateway for VLAN 20
R1(config-subif)# encapsulation dot1Q 20
R1(config-subif)# ip add 192.168.20.1 255.255.255.0
R1(config-subif)# exit
R1(config)#
R1(config)# interface G0/1.99
R1(config-subif)# description Default Gateway for Native VLAN 99
R1(config-subif)# encapsulation dot1Q 99 native
R1(config-subif)# ip add 192.168.99.1 255.255.255.0
R1(config-subif)# exit
R1(config)#
R1(config)# interface G0/1
R1(config-if)# description Trunk link to S1
R1(config-if)# no shut
R1(config-if)# end
R1#
```

## Layer 3 Switch (SVI Routing)

The modern method of performing inter-VLAN routing is to use Layer 3 switches and switched virtual interfaces (SVI). An SVI is a virtual interface that is configured on a Layer 3 switch, as shown in the figure.

:::info
A Layer 3 switch is also called a **multilayer switch** as it operates at **both Layer 2 and Layer 3**.
:::

Although virtual, the SVI performs the same functions for the VLAN as a router interface would. Specifically, it provides Layer 3 processing for packets that are sent to or from all switch ports associated with that VLAN.

The following are advantages of using Layer 3 switches for inter-VLAN routing:

* They are much faster than router-on-a-stick because everything is hardware switched and routed.
* There is no need for external links from the switch to the router for routing.
* They are not limited to one link because Layer 2 EtherChannels can be used as trunk links between the switches to increase bandwidth.
* Latency is much lower because data does not need to leave the switch in order to be routed to a different network.
* They are more commonly deployed in a campus LAN than routers.

The only disadvantage is that Layer 3 switches are more expensive.

## Layer 3 Switch – SVI Configuration

Inter-VLAN SVIs are created the same way that the management VLAN interface is configured. The SVI is created for a VLAN that exists on the switch.

<ol class='step-list'>
<li><b>Create VLANs 10 and 20.</b></li>

```pug
D1(config)# vlan 10
D1(config-vlan)# name LAN10
D1(config-vlan)# vlan 20
D1(config-vlan)# name LAN20
D1(config-vlan)# exit
D1(config)#
```

<li><b>Configure the SVI for VLANs 10 and 20. The IP addresses that are configured will serve as the default gateways to the hosts in the respective VLANs.</b></li>

```pug
D1(config)# interface vlan 10
D1(config-if)# description Default Gateway SVI for 192.168.10.0/24
D1(config-if)# ip add 192.168.10.1 255.255.255.0
D1(config-if)# no shut
D1(config-if)# int vlan 20
D1(config-if)# description Default Gateway SVI for 192.168.20.0/24
D1(config-if)# ip add 192.168.20.1 255.255.255.0
D1(config-if)# no shut
D1(config-if)# exit
D1(config)#
```

<li><b>Configure the access ports connecting to the hosts and assign them to their respective VLANs.</b></li>

```pug
D1(config)# interface GigabitEthernet1/0/6
D1(config-if)# description Access port to PC1
D1(config-if)# switchport mode access
D1(config-if)# switchport access vlan 10
D1(config-if)# interface GigabitEthernet1/0/18
D1(config-if)# description Access port to PC2
D1(config-if)# switchport mode access
D1(config-if)# switchport access vlan 20
D1(config-if)# exit
D1(config)#
```

<li><b>Enable IPv4 routing with the ip routing global configuration command to allow traffic to be exchanged between VLANs 10 and 20.</b></li>

```pug
D1(config)# ip routing
D1(config)#
```

</ol>

## Layer 3 Switch Port Routing

<ol class='step-list'>
<li><b>Configure G1/0/1 to be a routed port, assign it an IPv4 address, and enable it.</b></li>

```pug
D1(config)# interface GigabitEthernet1/0/1
D1(config-if)# description routed Port Link to R1
D1(config-if)# no switchport
D1(config-if)# ip address 10.10.10.2 255.255.255.0
D1(config-if)# no shut
D1(config-if)# exit
D1(config)#
```

<li><b>Ensure IPv4 routing is enabled with the ip routing global configuration command.</b></li>

```pug
D1(config)# ip routing
D1(config)#
```

<li><b>Configure the OSPF routing protocol to advertise the VLAN 10 and VLAN 20 networks, along with the network that is connected to an adjacent WAN router.</b></li>

```pug
D1(config)# router ospf 10
D1(config-router)# network 192.168.10.0 0.0.0.255 area 0
D1(config-router)# network 192.168.20.0 0.0.0.255 area 0
D1(config-router)# network 10.10.10.0 0.0.0.3 area 0
D1(config-router)# end
D1#
```

</ol>

:::warning
**OSPF** configuration is beyond the scope of this guide.
:::

## Troubleshooting

| Issue Type | How to Fix | How to Verify |
| ---------- | ---------- | ------------- |
| **Missing VLANs** | <div style="min-width: 300px"><ul><li>Create (or re-create) the VLAN if it does not exist.</li><li>Ensure the host port is assigned to the correct VLAN.</li></ul></div> | <div class="code">`show vlan [brief]`<br><code>show interface <i>interface-id</i> switchport</code><br>`ping`</div> |
| **Switch Trunk Port Issues** | <ul><li>Ensure trunks are configured correctly.</li><li>Ensure the port is a trunk port and enabled.</li></ul> | <div class="code">`show interfaces trunk`<br><code>show running-config interface <i>interface-id</i></code></div> |
| **Switch Access Port Issues** | <ul><li>Assign the correct VLAN to the access port.</li><li>Ensure the port is an access port and enabled.</li><li>Check whether the host is configured in the wrong subnet.</li></ul> | <div class="code"><code>show interface <i>interface-id</i> switchport</code><br><code>show running-config \| include interface <i>interface-id</i></code><br>`ipconfig`</div> |
| **Router Configuration Issues** | <ul><li>Router subinterface IPv4 address is incorrectly configured.</li><li>Router subinterface is assigned to the wrong VLAN ID.</li></ul> | <div class="code">`show ip interface brief`<br>`show interfaces \| include Gig\|Fa\|802.1Q`<br><code>show running-config interface <i>interface-id</i></code></div> |

# Private VLANs

VLANs are configured as broadcast domains. However, in some situations, it may be useful to break this rule and allow only the minimum required L2 connectivity within the VLAN. Private VLANs (PVLAN) provide Layer 2 isolation between ports within the same broadcast domain.

There are three types of PVLAN ports:

* **Promiscuous** - A promiscuous port can **talk to everyone**. It can communicate with all interfaces, including the isolated and community ports within a PVLAN.
* **Isolated** - An isolated port has complete **Layer 2 separation** from all other ports within the same PVLAN, except for **promiscuous** ports.
* **Community** - Community ports can talk to other community ports (within the PVLAN) and promiscuous ports (regardless of which PVLAN).

:::info
PVLANs are used mainly in service provider co-location sites. Another typical application can be found in hotels, where each room would be connected on its own isolated port.
:::

## PVLAN Edge

Some applications require that no traffic be forwarded at Layer 2 between ports on the same switch, so that one neighbor cannot see the traffic generated by another neighbor. In such an environment, the use of the **PVLAN Edge** feature ensures that there is no exchange of unicast, broadcast, or multicast traffic between PVLAN **edge ports** on the switch. The PVLAN Edge feature is also called **Protected Ports**.

A **protected port** does not forward any **data traffic**, such as unicast, multicast, or broadcast, to any other port that is also a protected port; only **control traffic is forwarded**, because these packets are processed by the CPU and forwarded in software. Instead, all data traffic being passed between protected ports must be forwarded through a Layer 3 device. However, forwarding behavior between a protected port and a non-protected port proceeds as usual.

:::warning
The PVLAN edge protection applies only to the ports that are local to a switch: there is no isolation provided between two protected ports located on different switches.
:::

To configure the PVLAN Edge feature, enter the **`switchport protected`** interface configuration mode command. The PVLAN Edge feature can be configured on a physical interface or an EtherChannel group. When the PVLAN Edge feature is enabled for a port channel, it is enabled for all ports in the port-channel group.