Configuring VLANs on Cisco Switches

We have previously written about VLANs as a concept and what they can do. This article focuses on configuring VLANs on Cisco switches.

We will look at each command necessary to configure the topology below. If this topology looks familiar, it is because you saw it in the article which described how VLANs operated on a conceptual level.


We will first look at what goes into configuring the access ports in the topology above, followed by what goes into configuring the trunk ports. Then we will look at some verification and show commands to validate what is configured. Finally, we will look at the default configuration for a switch port, so we know our starting point when we are applying the commands we discuss.

Contents: Configuring VLANs on Cisco Switches

  • Creating the VLAN in the VLAN Database
  • Assigning the Switchport to a VLAN
  • Native VLAN
  • Allowed VLAN List
  • show vlan brief
  • show interfaces trunk
  • show interfaces switchport
  • show interfaces status
  • show spanning-tree
  • Dynamic Trunking Protocol
  • Default Access Port Settings
  • Default Trunk Port Settings

Access Ports

An access port is a switch port that is a member of only one VLAN. There are two parts to configuring an access port: creating the VLAN in the switch's VLAN Database and assigning the switch port to that VLAN.

Creating the VLAN in the VLAN Database

Before a switch will accept or forward traffic for a VLAN, the VLAN must exist in the switch's VLAN Database. Adding a VLAN to the VLAN database requires only one command, vlan <#>, entered from global configuration mode. It places you in VLAN configuration mode for that VLAN.

From there, you can optionally name the VLAN. While not strictly necessary for traffic to flow, it is best practice to give each VLAN a name, which makes it far easier to identify in show output later.

To name a VLAN, use the name <name> command directly after creating it.

For VLAN 20, we create and name the VLAN on SwitchX in exactly this way.

Assigning the Switchport to a VLAN

Now that the VLAN is in the VLAN database, we can configure a switch port to be an access port for a particular VLAN. There are two commands within interface configuration mode for this step: switchport mode access sets the port as an access port, and switchport access vlan <#> makes the port a member of the given VLAN (VLAN 10 for SwitchX's Eth0/0 in our topology).

Some Cisco switches automatically create the VLAN in the VLAN Database when you assign an access port to a VLAN that does not yet exist.

However, do not depend on this. Some switches will do it, some will not, and some will neither create the VLAN nor report an error, leaving you puzzled as to why traffic is not flowing. Moreover, an auto-created VLAN gets a generic name: VLAN 30 created this way is named VLAN0030, which is not very helpful.

As such, we always recommend creating and naming a VLAN before assigning it anywhere. If you forget to name it first, you can always enter VLAN configuration mode for it again and update the name after the fact.

In summary, the two steps to configure an access port:

  • Create and optionally (but ideally) name the VLAN
  • Set a switch port as an access port and designate it as a member of a VLAN

Both steps also need to be completed for each VLAN and switch port on SwitchY. First we create and name each VLAN (10, 20 and 30), then we set Eth0/2 and Eth0/3 as access ports in VLANs 10 and 30, respectively.

Each of these commands is reflected in the running-configuration of the switch: a vlan <#> and name <name> stanza per VLAN (on platforms that keep the VLAN database in the running-configuration), and, under each interface, the switchport access vlan and switchport mode access lines.
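The complete access-port configuration for both switches, written out here as an added example (the page's own snippet did not survive, so this is a reconstruction, not the author's original listing). The VLAN names RED, ORANGE and BLUE and the port-to-VLAN mapping follow the text; the one assumption is that SwitchX's Eth0/1 is the VLAN 20 host port, which the page does not state.

```cisco
! SwitchX: create and name the VLANs first, then assign the access ports.
SwitchX# configure terminal
SwitchX(config)# vlan 10
SwitchX(config-vlan)# name RED
SwitchX(config-vlan)# exit
SwitchX(config)# vlan 20
SwitchX(config-vlan)# name ORANGE
SwitchX(config-vlan)# exit
!
SwitchX(config)# interface Ethernet0/0
SwitchX(config-if)# switchport mode access
SwitchX(config-if)# switchport access vlan 10
SwitchX(config-if)# exit
! Assumption: Eth0/1 is the VLAN 20 host port (the page does not say which VLAN it uses).
SwitchX(config)# interface Ethernet0/1
SwitchX(config-if)# switchport mode access
SwitchX(config-if)# switchport access vlan 20
SwitchX(config-if)# exit
!
! If VLAN 30 was auto-created with the generic name VLAN0030 when a port was
! assigned to it, re-enter VLAN configuration mode and name it after the fact.
SwitchX(config)# vlan 30
SwitchX(config-vlan)# name BLUE
SwitchX(config-vlan)# end

! SwitchY: the same two steps. You can move straight from one VLAN to the next
! without leaving VLAN configuration mode.
SwitchY# configure terminal
SwitchY(config)# vlan 10
SwitchY(config-vlan)# name RED
SwitchY(config-vlan)# vlan 20
SwitchY(config-vlan)# name ORANGE
SwitchY(config-vlan)# vlan 30
SwitchY(config-vlan)# name BLUE
SwitchY(config-vlan)# exit
SwitchY(config)# interface Ethernet0/2
SwitchY(config-if)# switchport mode access
SwitchY(config-if)# switchport access vlan 10
SwitchY(config-if)# interface Ethernet0/3
SwitchY(config-if)# switchport mode access
SwitchY(config-if)# switchport access vlan 30
SwitchY(config-if)# end

! What the interface part looks like in the running-configuration afterwards
! (IOS writes the access VLAN line before the mode line):
!   interface Ethernet0/2
!    switchport access vlan 10
!    switchport mode access
!
! Verification. On Catalyst platforms in VTP server or client mode the VLAN
! database is stored in vlan.dat rather than the running-configuration, so
! confirm the VLANs exist with show vlan brief, not show running-config.
SwitchY# show vlan brief
SwitchY# show running-config interface Ethernet0/2
```

Creating the VLAN before assigning ports to it is what makes the final show vlan brief output self-explanatory: every VLAN ID comes with a meaningful name rather than a VLAN00xx placeholder.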

Trunk Ports

As discussed before, a trunk port is a switch port that carries more than one VLAN.

Traffic traversing a trunk port is still in the form of 1s and 0s. To designate which 1s and 0s belong to which VLAN, a VLAN tag is added to every frame leaving a trunk port (the one exception, the Native VLAN, is covered below). The 802.1Q standard specifies the ubiquitous format for the VLAN tag.

Creating a trunk port involves only one command: switchport mode trunk. Just as switchport mode access set the port as an access port, switchport mode trunk sets the port as a trunk port.

Some switches support more than one method for adding the VLAN tag; namely, some still support Cisco's antiquated ISL method of tagging. Before these switches allow you to set a port as a trunk port, they require you to choose a tagging method, also called an encapsulation method, with the switchport trunk encapsulation dot1q command entered before setting the switchport to trunk mode. Switches that only support 802.1Q do not have this command at all.

We configure Eth1/1 on both switches (the link between them) as well as Eth2/1 and Eth2/2 on SwitchX (facing Router1 and Router2) as trunk ports.

This is all you need to create a trunk port. With this configuration, the switch will forward traffic from all VLANs in the VLAN Database out the configured trunk port.

That being said, there are some additional helpful settings you can apply to a trunk port to modify the default behavior. We will discuss two of them in the sections that follow.

Native VLAN

The Native VLAN is the one VLAN on a trunk port which is allowed to remain untagged. By default, this is VLAN 1, but an administrator can change it.

To set the Native VLAN, you use the switchport trunk native vlan <#> command in interface configuration mode.

After setting this on Eth1/1, any time SwitchX sends traffic on VLAN 2 out trunk port Eth1/1, it does so without adding a VLAN tag. Conversely, any time SwitchX receives untagged traffic on trunk port Eth1/1, it assigns that traffic to VLAN 2.

An important point to remember: both switches on either end of the same trunk must agree on the Native VLAN. If they do not, a frame sent untagged from one side is placed into a different VLAN by the other side, and a host in one VLAN ends up able to reach hosts in another. Cisco switches log a %CDP-4-NATIVE_VLAN_MISMATCH warning when CDP detects this, but do not rely on the log alone; verify the Native vlan column of show interfaces trunk on both ends.

Therefore, we set the same Native VLAN on SwitchY's Eth1/1.

We also set a different VLAN as the Native VLAN on Eth2/1 and Eth2/2, facing Router1 and Router2 respectively. This is to show that the Native VLAN is a per-interface setting, not a per-device one. Keep in mind, though, that in most deployments the Native VLAN is kept consistent across all trunks, and whatever you choose, the router subinterface on the far end must be configured to match.
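The trunk and Native VLAN configuration for the topology, written out as an added example rather than the page's own listing: it sets the four trunk ports named in the text and moves the Native VLAN on the SwitchX-to-SwitchY link to VLAN 2 on both ends. The page does not say which VLAN it used as the Native VLAN on Eth2/1 and Eth2/2, so those two ports are left at the default here.

```cisco
! SwitchX: trunks on Eth1/1 (to SwitchY), Eth2/1 (to Router1), Eth2/2 (to Router2)
SwitchX# configure terminal
SwitchX(config)# interface Ethernet1/1
! switchport trunk encapsulation dot1q is only needed (and only exists) on
! platforms that also support ISL. On those, "switchport mode trunk" entered
! first is rejected with an error similar to:
!   Command rejected: An interface whose trunk encapsulation is "Auto"
!   can not be configured to "trunk" mode.
SwitchX(config-if)# switchport trunk encapsulation dot1q
SwitchX(config-if)# switchport mode trunk
! VLAN 2 travels this trunk untagged; untagged frames received are put in VLAN 2.
SwitchX(config-if)# switchport trunk native vlan 2
SwitchX(config-if)# interface Ethernet2/1
SwitchX(config-if)# switchport trunk encapsulation dot1q
SwitchX(config-if)# switchport mode trunk
SwitchX(config-if)# interface Ethernet2/2
SwitchX(config-if)# switchport trunk encapsulation dot1q
SwitchX(config-if)# switchport mode trunk
SwitchX(config-if)# end

! SwitchY: the far end of the Eth1/1 trunk must use the same Native VLAN,
! otherwise untagged frames from one side land in a different VLAN on the other.
SwitchY# configure terminal
SwitchY(config)# interface Ethernet1/1
SwitchY(config-if)# switchport trunk encapsulation dot1q
SwitchY(config-if)# switchport mode trunk
SwitchY(config-if)# switchport trunk native vlan 2
SwitchY(config-if)# end

! Verify on both ends: the Mode column should read "on" (statically configured)
! and the Native vlan column must show 2 on both switches.
SwitchX# show interfaces Ethernet1/1 trunk
SwitchY# show interfaces Ethernet1/1 trunk
```

Running the verification on both switches, not just one, is the point: a Native VLAN mismatch is only visible by comparing the two ends.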

Allowed VLAN List

By default, when an interface is set as a trunk port, traffic from all the VLANs in the VLAN database is forwarded out that switch port.

There are times, however, when it is wise to limit which VLANs' traffic traverses a particular trunk. This is done by applying what is known as an Allowed VLAN list, which lets the administrator select exactly which VLANs may traverse a trunk port.

Take a look at the illustration. Notice that the trunk port to Router1 only needs to process traffic for VLANs 10 and 20, but if the trunk port is left at its default behavior, SwitchX will forward traffic to Router1 from VLANs 10, 20, and 30. The VLAN 30 traffic will simply be dropped by Router1, but it needlessly adds load to the link. Beyond congestion, the allowed list is also a containment control: a VLAN that is not allowed on a trunk cannot be reached through that link even if the device on the far end is misconfigured or compromised.

To solve this, we add an Allowed VLAN list to Eth2/1 on SwitchX with the switchport trunk allowed vlan <list> command, restricting the VLANs traversing the trunk to Router1 to only those which actually need to be on that link.

The trunk port to Router2 can likewise be limited to carry only VLANs 20 and 30. Another way of applying an Allowed VLAN list is to create it with one VLAN and then add VLANs to it afterwards.

The important keyword in that second step is add. It instructs the switch to add VLAN 30 to whatever VLANs are already allowed on the link.

Had the keyword add been omitted, the switch would have replaced the current Allowed VLAN list (which was allowing just VLAN 20) with the new one (allowing just VLAN 30). If Router2 was the gateway for VLAN 20, all of that traffic would now be dropped, creating a decidedly poor experience for the users in that VLAN. The switch does not warn you about this; the only symptom is an outage.

As such, it is very important to either apply the full list of VLANs in one command (as in the first example), or to use the add keyword to extend the current allowed VLAN list.

You also have the option of using the remove keyword to take individual VLANs off the allowed VLAN list.

In fact, the remove keyword provides one more way to apply an allowed VLAN list to a trunk port. Take a look at the link between SwitchX and SwitchY. Notice VLAN 20 does not need to traverse that link.

Rather than applying an Allowed VLAN list with VLANs 10 and 30, you can simply remove VLAN 20 from the default configuration. We show how it works on the trunk port between the switches (Eth1/1).

Since the default trunk port behavior was to allow all VLANs, removing VLAN 20 causes the switch to apply an Allowed VLAN list which includes every VLAN (1 to 4094) except VLAN 20, displayed as 1-19,21-4094.

That said, this is typically not the way you would apply a new Allowed VLAN list to an interface; the remove keyword is more often used to take individual VLANs off an already applied list. We remove the Allowed VLAN list on Eth1/1 again (switchport trunk allowed vlan all) and leave that port configured as a default trunk port, allowing traffic for all VLANs to traverse the trunk.
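The Allowed VLAN list commands for the three SwitchX trunks, as an added example that follows the sequence in the text (not the page's original listing). It shows the full-list form, the add form, the replace-without-add mistake for contrast, and the remove form together with the command that returns Eth1/1 to the default.

```cisco
SwitchX# configure terminal
! Eth2/1 to Router1 needs only VLANs 10 and 20: apply the full list in one command.
SwitchX(config)# interface Ethernet2/1
SwitchX(config-if)# switchport trunk allowed vlan 10,20
!
! Eth2/2 to Router2 needs VLANs 20 and 30. Start with 20, then extend the list.
SwitchX(config-if)# interface Ethernet2/2
SwitchX(config-if)# switchport trunk allowed vlan 20
SwitchX(config-if)# switchport trunk allowed vlan add 30
!
! WRONG, shown for contrast only: without "add" the list is replaced, VLAN 20 is
! silently cut off this trunk, and the switch prints no warning.
!   switchport trunk allowed vlan 30        -> list becomes 30 only
!
! Individual VLANs can be taken off an existing list the same way:
!   switchport trunk allowed vlan remove 30
!
! Eth1/1 to SwitchY: removing VLAN 20 from the default "all" list produces
! 1-19,21-4094.
SwitchX(config-if)# interface Ethernet1/1
SwitchX(config-if)# switchport trunk allowed vlan remove 20
! Return Eth1/1 to the default trunk behaviour (every VLAN allowed).
! "no switchport trunk allowed vlan" has the same effect.
SwitchX(config-if)# switchport trunk allowed vlan all
SwitchX(config-if)# end

! Check the "Vlans allowed on trunk" column: 10,20 for Et2/1, 20,30 for Et2/2
! and 1-4094 for Et1/1. The Native VLAN is not exempt from this list: if the
! Native VLAN is not in it, untagged frames on that trunk are dropped too.
SwitchX# show interfaces trunk
```

Reading the list back with show interfaces trunk after every change is the habit that catches an accidental replacement before users do.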

Show Commands

The commands above explain the steps for configuring VLANs on Cisco switches. The output at the end of each section displayed the way the configuration appears in the running-configuration. However, the running-configuration only shows how a device is configured; it does not show how a device operates.

This is an important distinction – a talented network engineer needs to not only know how to configure VLANs, but also how to validate their operation as well. To that end, we will discuss five show commands that can be used to verify a device’s operation – how it is actually handling traffic.

show vlan brief

The show vlan brief command provides two main pieces of information:

  • The VLANs which exist in the switch’s VLAN Database
  • The access ports configured in each VLAN

Running it on both of our switches gives the following picture.

For both switches, the command displays VLANs 1, 10, 20, and 30. These are the only VLANs that were created in the VLAN database. Should the switch receive traffic tagged for a VLAN other than these, that traffic will be discarded.

For each VLAN, the VLAN’s name is also provided. Notice VLANs 10, 20, and 30 are named RED , ORANGE , and BLUE , respectively.

Also notice VLAN 1 exists and is named default , despite us not explicitly creating it. This is because VLAN 1 is the default configuration that every switch port starts out in. The switch will not allow you to delete VLAN 1 or change its name.

The Status column reflects whether the VLAN is active on the switch. A VLAN shows as something other than active for two reasons. The first is the shutdown command within VLAN configuration mode (reported as act/lshut). The second is state suspend in the same configuration mode (reported as suspended). Note that a VLAN which exists in the database but has no access or trunk port using it is still reported as active; port membership affects whether an SVI for that VLAN comes up, not the VLAN's own status.

On the far right of output, under the Ports column, you get a list of each access port in each VLAN. We configured SwitchX’s Eth0/0 interface in VLAN 10, and the output reflects that. Also notice the port Eth1/1 is nowhere to be found. This is because Eth1/1 was configured as a trunk port, and will not be visible in the output of show vlan brief .

show interfaces trunk

If show vlan brief is the go-to command for information about access ports on a switch, then show interfaces trunk is the go-to command for information about trunk ports on a switch.

There are four sections to the output of this command. To the untrained eye, it might appear like some of the information is duplicate – but this is not the case.

The first section of the output lists each interface which is operationally behaving like a trunk port. This will make more sense a little later in the article when we discuss a mechanism that lets a switch port automatically determine whether it should be a trunk port. In the case above, we explicitly configured ports Eth1/1, Eth2/1, and Eth2/2 on SwitchX and port Eth1/1 on SwitchY as trunk ports.

The first section also lists what method of Encapsulation is in use (i.e., what method of VLAN tagging ), as well as the VLAN configured as the Native VLAN for each trunk.

The second section, labeled Vlans allowed on trunk, reflects which VLANs have made it through any configured Allowed VLAN lists on each trunk port. On SwitchX, we created two Allowed VLAN lists, one allowing VLANs 10 and 20 on Eth2/1, and another allowing VLANs 20 and 30 on Eth2/2. Interface Eth1/1 did not have any VLANs restricted, so all possible VLANs are listed as allowed on that trunk port (VLAN IDs can only be 1 to 4094).

The third section, labeled Vlans allowed and active in management domain , is a combination of the section before it ( Vlans allowed on trunk ) and the VLANs which are created in the VLAN database (i.e., visible in show vlan brief ). Despite all VLANs being allowed on Eth1/1 (as indicated by the 1-4094 in the second section), only VLANs 1, 10, 20, and 30 exist in the VLAN database.

The fourth section, labeled Vlans in spanning tree forwarding state and not pruned , is a combination of the last two sections and the ports the Spanning Tree Protocol deems as safe to forward traffic.

The Spanning Tree Protocol (STP) exists to ensure the L2 domain does not contain any loops. Where a redundant path is detected, STP puts one of the ports involved into a blocking state so that it does not forward traffic. In our topology there are no loops, so the output of the fourth section looks identical to the output of the third section: STP did not block any ports. STP is a fascinating protocol, but its operation is outside the scope of this article and will be the subject of a future one.

show interfaces switchport

The show interfaces switchport command can give you an overwhelming amount of information. Using the command by itself shows you 26 pieces of information for each interface on your switch (or more, depending on the code version you are using).

Rather than try to sift through all that, you can specify a particular interface to get those same 26 pieces of information for just the desired interface using the command show interfaces <intf> switchport .

For the sake of brevity and relevance, the output below has been trimmed to just the lines which relate to something discussed in this article. There is an example of the full output of this command later in this article.

The description of each line in the trimmed output follows.

  • Switchport: Enabled if the port is functioning as a L2 port; Disabled if the port is functioning as a L3 port (after no switchport).
  • Administrative Mode and Operational Mode: how the switchport is configured and how it is actually operating. In our case, we configured ports as access ports and trunk ports, and both lines reflect that. But as alluded to before, there is a protocol called DTP which allows switchports to negotiate becoming a trunk port automatically. With DTP involved, you might have a particular Administrative mode set while the Operational mode reflects whether the switchport is actually acting as a trunk or an access port. This will make more sense when we get into the specifics of DTP below.
  • Administrative Trunking Encapsulation and Operational Trunking Encapsulation: DTP not only negotiates trunk status, it also negotiates the encapsulation method. These two lines show what encapsulation method is configured (Administrative) and what encapsulation method is actually in use or was negotiated (Operational).
  • Negotiation of Trunking: whether the switchport participates in DTP. Again, this will make more sense below when we elaborate on DTP.
  • Access Mode VLAN: the VLAN membership if the port is configured or negotiated as an access port. Note that even our trunk port (SwitchY's Eth2/2) has an entry for this attribute, but it has no effect until the interface becomes an access port.
  • Trunking Native Mode VLAN: the Native VLAN setting for the port. Again, even an access port has an entry for this setting (see SwitchX's Eth0/1), but it only takes effect if the interface is configured or negotiated as a trunk port.
  • Trunking VLANs Enabled: the VLANs permitted via an Allowed VLAN list. Notice SwitchX's trunk port was limited to just VLANs 20 and 30, and this is reflected in the output above.

show interfaces status

Typically, the show interfaces status command is used to see whether devices are plugged into a switchport or not (connected vs. notconnect in the Status column). However, this command can also reveal some information about the VLAN configuration of a switchport.

Namely, if you see a number in the VLAN column, then the switchport is an access Port in the provided VLAN. And if you see the word trunk , then the switchport is configured as a trunk port.

show spanning-tree

The show spanning-tree command is mostly associated with verifying the Spanning Tree Protocol, but it can also provide useful VLAN configuration information.

Earlier we talked about show vlan brief , which provides information about interfaces configured as access ports. We also talked about show interfaces trunk , which provides information about interfaces configured as trunk ports. The show spanning-tree vlan <VLAN-ID#> command provides information on both access ports and trunk ports.

Specifically, you can use this command to see every switchport a VLAN is exiting.

We configured SwitchX with one access port in VLAN 10 (Eth0/0), and two trunk ports which are permitting VLAN 10 (Eth1/1 and Eth2/1). Looking at the output of the show spanning-tree vlan 10 command on SwitchX, we can see all three of the ports that VLAN 10 traffic is egressing.

You won't easily be able to tell from this output whether a port is configured as an access port or a trunk port. But you can easily determine which other devices a VLAN's traffic is going to by comparing the output of show spanning-tree with that of show cdp neighbors.

We can see that VLAN 10 on SwitchX is going to Router1 and SwitchY, as well as a third device (which we know is Host A, who isn’t participating in CDP). VLAN 20 on SwitchY is only going to SwitchX. Using these two commands in conjunction with each other is a great way to trace the L2 path through a network between two devices.

Default Switchport Setting

Finally, before configuring VLANs with the commands discussed in this article, it is important to know the starting point for each interface.

Nearly all Cisco features come with a certain default configuration. These exist and are in place so that the device can perform (maybe with limited features, but nonetheless) without any configuration required.

Knowing the default configuration is crucial to be an effective engineer because if you know how something works innately, you know exactly what needs to change to get it to work the way you want it to. To that end, we will spend some time discussing the default switch port configuration applied to Cisco switches.

First, consider the output of show interfaces switchport for an unmodified interface. There are three groups of items to discuss from that output: the DTP-related lines, the access-port line, and the trunk-port lines.

Dynamic Trunking Protocol

The first items we discuss from the default switch port configuration have to do with the Dynamic Trunking Protocol, or DTP. The relevant lines of the output are Administrative Mode, Operational Mode and Negotiation of Trunking.

As discussed before, the two modes correlate to the configured mode (administrative) and the negotiated mode (operational). The distinction exists as a result of DTP.

Cisco created DTP to further the idea of ‘plug and play’ switches. They created a protocol where if two switches were linked to each other, they could automatically determine whether their interlink should be a trunk port or an access port. It works based upon four modes an interface can be set to:

  • switchport mode dynamic desirable – actively attempt to negotiate trunk
  • switchport mode dynamic auto – passively attempt to negotiate trunk
  • switchport mode trunk – statically set as trunk
  • switchport mode access – statically set as access

The configuration of both sides of the link determines whether the link negotiates as a trunk port or an access port. The table below lists every possible combination.

One side of link    | Other side of link  | Result
Dynamic Desirable   | Dynamic Desirable   | Trunk
Dynamic Desirable   | Dynamic Auto        | Trunk
Dynamic Desirable   | Static Trunk        | Trunk
Dynamic Desirable   | Static Access       | Access
Dynamic Auto        | Dynamic Auto        | Access
Dynamic Auto        | Static Trunk        | Trunk
Dynamic Auto        | Static Access       | Access
Static Trunk        | Static Trunk        | Trunk
Static Trunk        | Static Access       | Misconfiguration
Static Access       | Static Access       | Access

The issue with DTP is that it lets the other side of a link change the behavior of your side. When you control both sides this might not seem like a terrible feature, but if you only control your device, DTP gives the far end too much power: anything plugged into a port left in dynamic auto or dynamic desirable can send DTP frames claiming to be a switch, negotiate itself a trunk, and from then on receive and inject tagged traffic for every VLAN allowed on that port. This is the switch-spoofing form of VLAN hopping, and the default port settings discussed below are exactly what make it possible.

As such, it is often recommended to avoid DTP automatically determining the trunk status and instead manually set a port as trunk or access using the commands we discussed earlier in this article ( switchport mode trunk or switchport mode access ).

Even with the switch port mode statically set, however, your switch will still send DTP frames. This is how the other side knows how your side is configured. Again, if you own both sides the risk is negligible, but if you might not control the other side, then this is undesirable.

You can disable the sending of DTP frames by also adding to the interface configuration this command: switchport nonegotiate . This will disable the periodic sending of DTP frames to advertise the switch port mode of the local switch.

You can see whether a switch port has negotiation disabled in the output of show interfaces switchport. The specific line is Negotiation of Trunking, which reads On by default and Off once switchport nonegotiate is applied.

To summarize, the default DTP behavior of an unmodified interface is:

  • switchport mode dynamic auto
  • negotiation of DTP enabled

Which means the link will automatically become a trunk if the other side is configured with switchport mode dynamic desirable or if the other side is configured with switchport mode trunk and switchport nonegotiate is not applied.
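An added example, not from the page's own listing, that puts the DTP advice above into configuration: the weak default is shown in a comment beside a hardened trunk port and a hardened access port on SwitchX, each with DTP frames silenced, followed by the show command lines that confirm it. Interface names and VLANs follow the article's topology.

```cisco
! Weak default (nothing configured): "switchport mode dynamic auto" with
! Negotiation of Trunking: On. Whatever is plugged in can send DTP frames
! claiming "desirable" or "trunk" and turn this port into a trunk.
!
! Hardened trunk: static trunk mode, DTP off, allowed list limited to the
! VLANs the link actually carries.
SwitchX# configure terminal
SwitchX(config)# interface Ethernet2/1
SwitchX(config-if)# switchport trunk encapsulation dot1q
SwitchX(config-if)# switchport mode trunk
SwitchX(config-if)# switchport nonegotiate
SwitchX(config-if)# switchport trunk allowed vlan 10,20
!
! Hardened access port: static access mode and DTP off. Without nonegotiate
! the switch still sends DTP frames even though the mode is fixed; with it,
! a host on Eth0/0 gets no DTP at all and cannot negotiate anything.
SwitchX(config-if)# interface Ethernet0/0
SwitchX(config-if)# switchport mode access
SwitchX(config-if)# switchport access vlan 10
SwitchX(config-if)# switchport nonegotiate
SwitchX(config-if)# end

! Verify. Administrative Mode must read "trunk" or "static access" (never
! "dynamic auto" or "dynamic desirable"), Operational Mode must match it, and
! Negotiation of Trunking must read "Off".
SwitchX# show interfaces Ethernet2/1 switchport | include Mode|Negotiation
SwitchX# show interfaces Ethernet0/0 switchport | include Mode|Negotiation
```

The include filter keeps only the four lines that matter for this check, which makes it practical to repeat across every port on a switch when auditing for ports that were never hardened.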

Default Access Port Settings

From the default output, the line that correlates to the access port configuration is Access Mode VLAN, which reads 1 (default) on an unmodified interface.

Whether a switch port is statically set (or negotiated) as an access port or not, this attribute exists and is configurable via the switchport access vlan <#> command. Of course, it doesn’t affect the behavior of the switchport unless the switchport becomes an access port.

A potential use case is if you are transitioning a port from a trunk port to an access port, you can “preset” the access-port VLAN so that once you apply the switchport mode access command, it is already in the appropriate VLAN.

In any case, notice the default configuration has every switchport in VLAN 1.

A switch is a device which facilitates communication within networks. You can take a Cisco switch, simply connect two hosts, and everything will "just work". It does so because all the ports start in VLAN 1, so there is no L2 segregation between switch ports in a switch's default configuration. This lines up with Cisco's goal of making their switches "plug and play".

Default Trunk Port Settings

Lastly, the following lines in the default output correlate to the trunk port configuration: Administrative Trunking Encapsulation, Operational Trunking Encapsulation, Trunking Native Mode VLAN and Trunking VLANs Enabled.

We discussed DTP earlier, but we did not mention that DTP also negotiates the encapsulation method.

Administrative Trunking Encapsulation indicates whether DTP will determine the encapsulation method or whether it is statically set via the switchport trunk encapsulation command.

Operational Trunking Encapsulation indicates the chosen or configured encapsulation method. If the port becomes a trunk port, there are only two options for this attribute: the ubiquitous 802.1Q and the archaic ISL. On an access port, this line displays native (as above), indicating no VLAN tag will be added to traffic leaving this switch port.

Trunking Native Mode VLAN indicates the Native VLAN on the port. Once again, this setting will only take place if the port becomes a trunk port. This setting can be modified with the switchport trunk native vlan <#> command.

Trunking VLANs Enabled reflects the Allowed VLAN list applied to the port. ALL indicates no VLANs have been restricted from the trunk, and therefore every VLAN in the VLAN database will traverse down the trunk. As with the other trunk configurations, this has no effect if the port is in access mode.

Configuring VLANs — Summary

This article is meant to follow the article discussing VLANs as a concept. The focus of this article was to understand the different configuration and verification commands that exist to modify or validate how a switch is behaving in regards to its VLANs.

As with all written guides, practice is key. We encourage you to build out the topology above in a lab or emulator (GNS3 / Packet-Tracer) and to practice configuring VLANs using the commands described above.

If you want an additional challenge, build out the topology in the VLAN Challenge from the other article. Note, you will need to disable CDP and DTP on most of your interfaces to avoid warnings.

If you are able to successfully build out that topology (as well as answer the two challenge questions in the previous article), then you can rest assured knowing you have mastered the concept of Configuring VLANs on Cisco switches.


The Post was Awesome!!

Hi, very helpful this post. I have a question, what software use to drar the network diagrams?.

I meant “draw”

Hi Cesar, glad you enjoyed the post. I draw and animate everything in PowerPoint (don’t laugh! ;p). If I need clipart, I grab them from openclipart.org.

Thanks for this great article, I have shared it on Facebook.

Thanks for the share! I’m glad you liked the article!

Yes, wonderful article. I have shared on FB as well! One question, if you could be so kind as to provide some insight. When you issue switchport trunk allowed vlan 20,30 on an interface, is the native VLAN automatically applied (say it's still default VLAN 1), or do you need to also add it to the allowed list in order for the trunk to pass untagged traffic?

Hi Brandon,

Good Question. It is best to think of the Native VLAN and the Allowed VLAN List as two independent functions.

The Native VLAN configuration determines which VLAN traverses a Trunk link without a VLAN Tag. The Allowed VLAN List determines which VLANs are allowed to traverse a trunk.

If the Allowed VLAN List is only allowing VLANs 20 and 30, then only those VLANs can traverse the trunk. If the Native VLAN happens to be 10, then it will not be allowed across the trunk.

Hope this helps!

Nice article. I guess the routers may confuse some people, as they would not work like that without any L3 redundancy.

Thanks so much for this great article! It really clarifies VLANs in the Cisco world. Although I've worked with VLANs, I've not worked with Cisco switches in years. Do you really have to add access ports one at a time? Is there a command to add a group of ports? Example using another vendor on a VoIP VLAN: #conf vlan VoIP add ports 1:1-48 tagged. Is there a similar command for Cisco switches? If not, it seems that adding access ports would be tedious on a switch stack.

Hi Dav1917. You have the option of using the interface range to apply commands to multiple interfaces at the same time. Here is an example of configuring multiple Access ports at once.
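An added example of the interface range approach mentioned in the reply above (not the author's original snippet, which did not survive). The port numbers and the 48-port stack member are hypothetical and do not correspond to the article's topology.

```cisco
! Hypothetical 48-port stack member: put the first 24 ports into VLAN 10 at once.
! The spaces around "-" and "," are part of the interface range syntax.
Switch# configure terminal
Switch(config)# interface range GigabitEthernet1/0/1 - 24
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 10
Switch(config-if-range)# switchport nonegotiate
Switch(config-if-range)# exit
!
! Non-contiguous ports can be combined in one range with commas.
Switch(config)# interface range GigabitEthernet1/0/25 - 30 , GigabitEthernet1/0/40 - 48
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 30
Switch(config-if-range)# switchport nonegotiate
Switch(config-if-range)# exit
!
! A range you reuse often can be given a name with a macro and recalled later.
Switch(config)# define interface-range VOIP_PORTS GigabitEthernet1/0/1 - 24
Switch(config)# interface range macro VOIP_PORTS
Switch(config-if-range)# end

! Every port in the range now shows the same VLAN in the VLAN column.
Switch# show interfaces status
```

Every command typed at the (config-if-range) prompt is applied to each member of the range, so the same hardening settings used for a single port apply across the whole block in one pass.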

Thank you, Ed! That is awesome – and a relief.

Mate article is amazing and so so helpful thank you. One thing – above the ‘show interfaces status’ heading, you’ve repeated the quick intro paragraph, probs should be deleted. It’s like –

intro paragraph incorrectly placed ‘show interfaces status’ heading repeated intro paragraph but correctly placed

Thanks again, it will be you I thank in my CCNA acceptance speech!

Hi Rozak. Yikes, no clue how that slipped through, but good catch! I’ve fixed it. Thanks!

Glad you enjoyed the article and I’m looking forward to your CCNA acceptance speech =)

Hi, great tutorial! Somehow I can't get the "Switch(config-if)# switchport trunk encapsulation dot1q" command to work on my switch. I only get two choices, access/native, after I type "Switch(config-if)# switchport trunk"; it doesn't offer "encapsulation dot1q". Any thoughts?

Switches that do not support ISL do not require designating the use of 802.1q.

If the switchport trunk encapsulation dot1q command is not applying, it is likely your switch only supports 802.1q.

This is great. Can i get a copy of the same in my email.

Hello Ed Harmoush

I have the following query: what happens if a frame arrives at an access port, and what happens if the same frame arrives at a trunk port?

E.g. does the access port retag the frame with the VLAN number that has been assigned to it (for example, vlan access 10), or does it drop the packet?

Informative article, exactly what I was looking for.

It helped me a lot, thank you very much.

In the description of the show interfaces trunk command, VLAN 1 is not showing in the allowed VLANs, nor in the VLANs active in management domain section, for ports Et2/1 and Et2/2. Reason?

Hi Jaseer. Because VLAN 1 was not added to the Allowed VLAN List:

https://www.practicalnetworking.net/stand-alone/configuring-vlans/#trunk_allowed_vlans

Hello Ed Harmoush,

Thank you for this wonderful article and great explanation. One thing – Under the heading “Show interfaces switchport” there is a table which describe each line of output. In the last row “ Notice SwitchX’s trunk port was limited to just VLANs 20 and 30, and this is reflected in the output above. ” I think that’s not SwitchX’ trunk port that’s SwitchY’s trunk port. Thank you.

Good catch! Thank you. I fixed it. =)

Great post! Very helpful. Good job.

I found this article to be very informative, thank you for this. I see it’s a couple years old already, yet still relevant.

Informative thread. Thanks for sharing…


VLAN Port Assignment and VLAN Port Types


In this lesson, we focus on some of the key topics of VLANs: how to assign ports to a VLAN, VLAN port types, and VLAN tagging.


Static and Dynamic VLAN Assignments

VLANs can be assigned statically or dynamically. Static configuration is more common, but dynamic assignment is also used.

Static VLAN assignment is what its name suggests: you assign each port to its VLAN by hand.

Dynamic VLAN assignment can be done with a VLAN Membership Policy Server (VMPS), which needs a database mapping MAC addresses to VLANs. Here, we use static assignment, like most network engineers.


VLAN Port Types

There are two types of port used with VLANs: access ports and trunk ports.

Access ports are ports that are members of a single VLAN. Host devices are connected to them. This is also the default Cisco switch port type.

Trunk ports are ports that are members of more than one VLAN, or of all VLANs. These ports are used between switches. To span VLANs across more than one switch, some ports are needed to carry VLAN information between the switches; these are the trunk ports. You could also carry each VLAN over its own dedicated link without using any trunk port, but this is inefficient and uncommon.


VLAN Frame Tagging

When frames for multiple VLANs are carried across more than one switch, frame tagging is required, because the switch at the other end has to know which VLAN each frame belongs to. Tagging is applied only to frames going out of a trunk port. It is not used on access ports, and since an access port belongs to a single VLAN, no tag is needed there.
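As an added example (not part of the original lesson), the following Python builds and decodes the 4-byte IEEE 802.1Q tag that a trunk port inserts after the source MAC address, and distinguishes untagged frames (what an access port sends) from VLAN-tagged frames and from priority-tagged frames with VLAN ID 0, the case the Cisco voice-VLAN chapter further down this page calls dot1p. The MAC addresses and payload are constructed sample values.

```python
"""Build and decode IEEE 802.1Q VLAN tags.

Added example (not from the original lesson). An access port sends and receives
untagged frames; a trunk port inserts a 4-byte 802.1Q tag after the source MAC
so the switch at the far end knows which VLAN the frame belongs to. A
priority-tagged frame (Cisco 'dot1p') carries VLAN ID 0: it claims no VLAN
membership and only its 3-bit CoS/PCP field is meaningful.
"""
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def build_tag(vlan_id: int, cos: int = 0, dei: int = 0) -> bytes:
    """Return the 4-byte tag: TPID (16 bits) | PCP (3) | DEI (1) | VID (12)."""
    if not 0 <= vlan_id <= 4095:
        raise ValueError("VLAN ID must be 0..4095")
    if not 0 <= cos <= 7:
        raise ValueError("CoS/PCP must be 0..7")
    tci = (cos << 13) | ((dei & 1) << 12) | vlan_id
    return struct.pack("!HH", TPID_8021Q, tci)


def tag_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
              vlan_id: int, cos: int = 0) -> bytes:
    """Insert an 802.1Q tag between the source MAC and the original EtherType."""
    return dst + src + build_tag(vlan_id, cos) + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Decode an Ethernet frame and classify it as untagged, priority-tagged or VLAN-tagged."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "vlan_id": None, "cos": None, "kind": "untagged"}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[14:16])[0]
        info["cos"] = tci >> 13
        info["vlan_id"] = tci & 0x0FFF
        # VID 0 means priority-tagged: no VLAN membership, only the CoS applies
        info["kind"] = "priority-tagged" if info["vlan_id"] == 0 else "vlan-tagged"
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


# Constructed sample values: two made-up MAC addresses and a 4-byte IPv4 stub payload
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
PAYLOAD = b"\x00\x01\x02\x03"
UNTAGGED = DST + SRC + struct.pack("!H", 0x0800) + PAYLOAD

if __name__ == "__main__":
    print(parse_frame(tag_frame(DST, SRC, 0x0800, PAYLOAD, vlan_id=20, cos=5)))
    print(parse_frame(tag_frame(DST, SRC, 0x0800, PAYLOAD, vlan_id=0, cos=5)))
    print(parse_frame(UNTAGGED))
```

Running the script shows the same frame three ways: tagged for VLAN 20 with CoS 5 (what a trunk carries), priority-tagged with VID 0 (CoS only, no VLAN membership), and untagged (what an access port carries). The parser rejects short frames rather than reading past the buffer, which matters when the input is untrusted capture data.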



How to configure and assign a Cisco switch access port to a VLAN

Access ports in switches are normally used to connect end devices such as workstations and printers. An access port belongs to only a single VLAN and does not add any identifying mark (tag) to the Ethernet frames. When configuring an access port, you also define which VLAN the port belongs to.

To configure and assign a switch access port to a VLAN, open a console connection to the switch and run the following IOS commands from interface configuration mode.

Assign VLAN to Port

I am a Cisco novice, now that we have got that out of the way I need your help.

I need to assign a VLAN to a port on my layer 2 switch.

I have a port that has the configuration that I need but I need to copy that to 2 other ports.

I can log into my switch but from there I am lost. I would appreciate your help; I am sure that for someone who knows this, it is a doddle.

So far I have learned I could use two commands: ‘show vlan’, which will list all of my VLANs and which interfaces are assigned to them.

And I read on a website interface switchport access vlan #

I have never used CLI before so please talk to me as such.

interface fast 0/10 (where 0/10 is the FastEthernet port you want to configure)

switchport mode access

switchport access vlan 10 (where 10 is the VLAN you want to assign)

duplex auto

Repeat for the other ports. There is a lot more to it than that, but that should get you started, assuming your VLANs were built properly.

How do I write this config to memory and do I need to go to elevated mode?

This is great btw.

Yes… you need to be in enable mode; the prompt will look like this:

Then when you are done you just do a “write mem” or “copy run start”. Then you should occasionally copy the configs to a TFTP server, so if the switch catches fire you can just drop your existing config on a new switch and be rolling as fast as possible. It can be done with Spiceworks, though I have not done that quite yet.

This is exactly what I need, thank you very much. I'm running out the door to go see Gravity, but I will try this on Monday.


http://community.spiceworks.com/how_to/show/1709-set-up-spiceworks-configuration-backup-with-cisco-ios-via-ssh

gain access to the switch

enter enable mode

command “enable”

provide password if required

enter configuration terminal

Enter the interface that needs the vlan assigned

SW1(config)#interface fastethernet 0/0 (for example)

Now you are in line config mode; enter the switchport access vlan (vlan number) command:

SW(config-if)#switchport access vlan (vlan number)

Something that may make your life much easier is Cisco's Network Assistant; it's a GUI-style interface for switches… makes life a little easier for novices.

The CNA and CCP are both decent enough, but the Command Line is sooo much easier and faster.

I agree with TCOB but I would add a couple of things. In an office network where hosts are less likely to change, I would configure speed and duplex settings manually. In an environment where the host devices frequently change then speed and duplex on auto are fine.

I would also add spanning-tree portfast. So the complete config for adding an interface to a VLAN looks like this, assuming we are starting from user mode:

========================================================================

switch>enable

switch#conf t

switch(config)#int fa 0/x (or int gig 0/x for a Gigabit switch) where x is the port number.

switch(config-if)#switchport mode access

switch(config-if)#switchport access vlan x (where x is the number of the VLAN)

switch(config-if)#spanning-tree portfast (you will get a 2 paragraph, 5 line warning about portfast at this point. Don’t worry about it)

switch(config-if)#speed 100 (for a 10/100 switch; speed 1000 for a gigabit switch)

switch(config-if)#duplex full

switch(config-if)#end

switch#copy run start (or wr if you like)

=========================================================================

If you make a mistake and want to set the interface back to its default settings and try again, you can do this:

switch(config)#default int fa 0/x (or int gig 0/x for a Gigabit switch)

Or you can simply overwrite the commands by going back into the interface and re-doing the command line that is wrong. You do NOT have to redo all the commands, just the one that’s wrong. And let me tell you, typos will drive you mad, so be careful and make sure you verify your commands every so often.

I can’t add much to the good advice above, but I would re-emphasize mark9586’s point to watch for typos. They were my biggest source of pain while studying for the CCNA.

Thanks everyone, this was ideal; got in there and got it nailed within an hour. I feel like I learned a lot and enjoyed the experience.


VLAN Configuration Guide, Cisco IOS XE 17.15.x (Catalyst 9600 Switches)



Chapter: Configuring Voice VLANs

Contents: Prerequisites for Voice VLANs, Restrictions for Voice VLANs, Voice VLANs, Cisco IP Phone Voice Traffic, Cisco IP Phone Data Traffic, Voice VLAN Configuration Guidelines, Configuring Cisco IP Phone Voice Traffic, Configuring the Priority of Incoming Data Frames, Monitoring Voice VLAN, Where to Go Next, Additional References, Feature History for Voice VLAN.

Prerequisites for Voice VLANs

The following are the prerequisites for voice VLANs:

Voice VLAN configuration is only supported on device access ports; voice VLAN configuration is not supported on trunk ports.

Before you enable voice VLAN, enable QoS on the device by entering the trust device cisco-phone interface configuration command. If you use the auto QoS feature, these settings are automatically configured.

You must enable CDP on the device port connected to the Cisco IP Phone to send the configuration to the phone. (CDP is globally enabled by default on all device interfaces.)

You cannot configure static secure MAC addresses in the voice VLAN.

Information About Voice VLAN

The following sections provide information about Voice VLAN:

The voice VLAN feature enables access ports to carry IP voice traffic from an IP phone. When the device is connected to a Cisco 7960 IP Phone, the phone sends voice traffic with Layer 3 IP precedence and Layer 2 class of service (CoS) values, which are both set to 5 by default. Because the sound quality of an IP phone call can deteriorate if the data is unevenly sent, the device supports quality of service (QoS) based on IEEE 802.1p CoS. QoS uses classification and scheduling to send network traffic from the device in a predictable manner.

The Cisco 7960 IP Phone is a configurable device, and you can configure it to forward traffic with an IEEE 802.1p priority. You can configure the device to trust or override the traffic priority assigned by a Cisco IP Phone.

You can configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone. You can configure access ports on the device to send Cisco Discovery Protocol (CDP) packets that instruct an attached phone to send voice traffic to the device in any of these ways:

In the voice VLAN tagged with a Layer 2 CoS priority value

In the access VLAN tagged with a Layer 2 CoS priority value

In the access VLAN, untagged (no Layer 2 CoS priority value)

The device can also process tagged data traffic (traffic in IEEE 802.1Q or IEEE 802.1p frame types) from the device attached to the access port on the Cisco IP Phone. You can configure Layer 2 access ports on the device to send CDP packets that instruct the attached phone to configure the phone access port in one of these modes:

In trusted mode, all traffic received through the access port on the Cisco IP Phone passes through the phone unchanged.

In untrusted mode, all traffic in IEEE 802.1Q or IEEE 802.1p frames received through the access port on the Cisco IP Phone receive a configured Layer 2 CoS value. The default Layer 2 CoS value is 0. Untrusted mode is the default.

Because a Cisco 7960 IP Phone also supports a connection to a PC or other device, a port connecting the device to a Cisco IP Phone can carry mixed traffic. You can configure a port to decide how the Cisco IP Phone carries voice traffic and data traffic.

The voice VLAN should be present and active on the device for the IP phone to correctly communicate on the voice VLAN. Use the show vlan privileged EXEC command to see if the VLAN is present (listed in the display). If the VLAN is not listed, create the voice VLAN.

The Power over Ethernet (PoE) devices are capable of automatically providing power to Cisco pre-standard and IEEE 802.3af-compliant powered devices if they are not being powered by an AC power source.

The Port Fast feature is automatically enabled when voice VLAN is configured. When you disable voice VLAN, the Port Fast feature is not automatically disabled.

If the Cisco IP Phone and a device attached to the phone are in the same VLAN, they must be in the same IP subnet. These conditions indicate that they are in the same VLAN:

They both use IEEE 802.1p or untagged frames.

The Cisco IP Phone uses IEEE 802.1p frames, and the device uses untagged frames.

The Cisco IP Phone uses untagged frames, and the device uses IEEE 802.1p frames.

The Cisco IP Phone uses IEEE 802.1Q frames, and the voice VLAN is the same as the access VLAN.

The Cisco IP Phone and a device attached to the phone cannot communicate if they are in the same VLAN and subnet but use different frame types because traffic in the same subnet is not routed (routing would eliminate the frame type difference).

Voice VLAN ports can also be these port types:

Dynamic access port.

IEEE 802.1x authenticated port.

Protected port.

A source or destination port for a SPAN or RSPAN session.

Secure port.

How to Configure Voice VLANs

The following sections provide information about configuring Voice VLANs:

Configuring Cisco IP Phone Voice Traffic

You can configure a port connected to the Cisco IP Phone to send CDP packets to the phone to configure the way in which the phone sends voice traffic. The phone can carry voice traffic in IEEE 802.1Q frames for a specified voice VLAN with a Layer 2 CoS value. It can use IEEE 802.1p priority tagging to give voice traffic a higher priority and forward all voice traffic through the native (access) VLAN. The Cisco IP Phone can also send untagged voice traffic or use its own configuration to send voice traffic in the access VLAN. In all configurations, the voice traffic carries a Layer 3 IP precedence value (the default is 5).

  Command or Action  Purpose

configure terminal
  Enters global configuration mode.

interface interface-id
  Specifies the interface connected to the Cisco IP Phone, and enters interface configuration mode.

trust device cisco-phone
  Configures the interface to trust the QoS values sent by a Cisco IP Phone (see the prerequisites above).

switchport voice vlan {vlan-id | dot1p | none | untagged}
  Configures how the Cisco IP Phone carries voice traffic:
  vlan-id: Configures the phone to forward all voice traffic through the specified VLAN. By default, the Cisco IP Phone forwards the voice traffic with an IEEE 802.1Q priority of 5. Valid VLAN IDs are 1 to 4094.
  dot1p: Configures the device to accept voice and data IEEE 802.1p priority frames tagged with VLAN ID 0 (the native VLAN). By default, the device drops all voice and data traffic tagged with VLAN 0. If configured for 802.1p, the Cisco IP Phone forwards the traffic with an IEEE 802.1p priority of 5.
  none: Allows the phone to use its own configuration to send untagged voice traffic.
  untagged: Configures the phone to send untagged voice traffic.

end
  Returns to privileged EXEC mode.

Use one of the following: show interfaces interface-id switchport, or show running-config interface interface-id
  Verifies your voice VLAN entries.

copy running-config startup-config
  (Optional) Saves your entries in the configuration file.

Configuring the Priority of Incoming Data Frames

You can connect a PC or other data device to a Cisco IP Phone port. To process tagged data traffic (in IEEE 802.1Q or IEEE 802.1p frames), you can configure the device to send CDP packets to instruct the phone how to send data packets from the device attached to the access port on the Cisco IP Phone. The PC can generate packets with an assigned CoS value. You can configure the phone to not change (trust) or to override (not trust) the priority of frames arriving on the phone port from connected devices.

Follow these steps to set the priority of data traffic received from the non-voice port on the Cisco IP Phone:

  Command or Action  Purpose

enable
  Enables privileged EXEC mode. Enter your password if prompted.

configure terminal
  Enters global configuration mode.

interface interface-id
  Specifies the interface connected to the Cisco IP Phone, and enters interface configuration mode.

switchport priority extend {cos value | trust}
  Sets the priority of data traffic received from the Cisco IP Phone access port:
  cos value: Configures the phone to override the priority received from the PC or the attached device with the specified CoS value. The value is a number from 0 to 7, with 7 as the highest priority. The default priority is cos 0.
  trust: Configures the phone access port to trust the priority received from the PC or the attached device.

end
  Returns to privileged EXEC mode.

show interfaces interface-id switchport
  Verifies your entries.

copy running-config startup-config
  (Optional) Saves your entries in the configuration file.

Monitoring Voice VLAN

To display voice VLAN configuration for an interface, use the show interfaces interface-id switchport privileged EXEC command.

Where to Go Next

After configuring voice VLANs, you can configure the following:

  • VLAN Trunking

Related Documents

Related Topic Document Title

For complete syntax and usage information for the commands used in this chapter.

Standards and RFCs

Standard/RFC  Title
RFC 1573  Evolution of the Interfaces Group of MIB-II
RFC 1757  Remote Network Monitoring Management
RFC 2021  SNMPv2 Management Information Base for the Transmission Control Protocol using SMIv2

Feature History for Voice VLAN

This table provides release and related information for features explained in this module. These features are available on all releases subsequent to the one they were introduced in, unless noted otherwise.

Release  Feature  Feature Information
Cisco IOS XE Gibraltar 16.11.1  Voice VLAN  The voice VLAN feature enables access ports to carry IP voice traffic from an IP phone. You can configure a port connected to the Cisco IP Phone to send CDP packets to the phone to configure the way in which the phone sends voice traffic. The phone can carry voice traffic in IEEE 802.1Q frames for a specified voice VLAN with a Layer 2 CoS value.
Cisco IOS XE Cupertino 17.7.1  Voice VLAN  Support for this feature was introduced on Cisco Catalyst 9600 Series Supervisor 2 Module (C9600X-SUP-2).

Use Cisco Feature Navigator to find information about platform and software image support. To access Cisco Feature Navigator, go to https://cfnng.cisco.com/ .


3.4.6 Lab – Configure VLANs and Trunking (Answers)


Addressing Table

Device Interface IP Address Subnet Mask
S1 VLAN 1 192.168.1.11 255.255.255.0
S2 VLAN 1 192.168.1.12 255.255.255.0
PC-A NIC 192.168.10.3 255.255.255.0
PC-B NIC 192.168.10.4 255.255.255.0

  • Part 1: Build the Network and Configure Basic Device Settings
  • Part 2: Create VLANs and Assign Switch Ports
  • Part 3: Maintain VLAN Port Assignments and the VLAN Database
  • Part 4: Configure an 802.1Q Trunk between the Switches
  • Part 5: Delete the VLAN Database

Background / Scenario

Modern switches use virtual local-area networks (VLANs) to improve network performance by separating large Layer 2 broadcast domains into smaller ones. VLANs can also be used as a security measure by controlling which hosts can communicate. In general, VLANs make it easier to design a network to support the goals of an organization.

VLAN trunks are used to span VLANs across multiple devices. Trunks allow the traffic from multiple VLANS to travel over a single link, while keeping the VLAN identification and segmentation intact.

In this lab, you will create VLANs on both switches in the topology, assign VLANs to switch access ports, verify that VLANs are working as expected, and then create a VLAN trunk between the two switches to allow hosts in the same VLAN to communicate through the trunk, regardless of which switch the host is actually attached to.

Note: The switches used with CCNA hands-on labs are Cisco Catalyst 2960s with Cisco IOS Release 15.2(2) (lanbasek9 image). Other routers, switches, and Cisco IOS versions can be used. Depending on the model and Cisco IOS version, the commands available and the output produced might vary from what is shown in the labs. Refer to the Router Interface Summary Table at the end of the lab for the correct interface identifiers.

Note: Ensure that the routers and switches have been erased and have no startup configurations. If you are unsure contact your instructor.

Instructor Note: Refer to the Instructor Lab Manual for the procedures to initialize and reload devices.

Required Resources

  • 2 Switches (Cisco 2960 with Cisco IOS Release 15.2(2) lanbasek9 image or comparable)
  • 2 PCs (Windows with a terminal emulation program, such as Tera Term)
  • Console cables to configure the Cisco IOS devices via the console ports
  • Ethernet cables as shown in the topology

Instructions

Part 1: Build the Network and Configure Basic Device Settings

In Part 1, you will set up the network topology and configure basic settings on the PC hosts and switches.

Step 1: Cable the network as shown in the topology.

Attach the devices as shown in the topology diagram, and cable as necessary.

Step 2: Configure basic settings for each switch.

a. Console into the switch and enable privileged EXEC mode.

b. Enter configuration mode.

c. Assign a device name to the switch.

d. Disable DNS lookup to prevent the router from attempting to translate incorrectly entered commands as though they were host names.

e. Assign class as the privileged EXEC encrypted password.

f. Assign cisco as the console password and enable login.

g. Assign cisco as the vty password and enable login.

h. Encrypt the plaintext passwords.

i. Create a banner that warns anyone accessing the device that unauthorized access is prohibited.

j. Configure the IP address listed in the Addressing Table for VLAN 1 on the switch.

k. Shut down all interfaces that will not be used.

l. Set the clock on the switch.

m. Save the running configuration to the startup configuration file.

Step 3: Configure PC hosts.

Refer to the Addressing Table for PC host address information.

Step 4: Test connectivity.

Verify that the PC hosts can ping one another.

Note: It may be necessary to disable the PCs' firewall to ping between PCs.

Can PC-A ping PC-B? Yes

Can PC-A ping S1? No

Can PC-B ping S2? No

Can S1 ping S2? Yes

If you answered no to any of the above questions, why were the pings unsuccessful? Pings were unsuccessful when trying to ping a device on a different subnet. For those pings to be successful, a default gateway must exist to route traffic from one subnet to another.

Part 2: Create VLANs and Assign Switch Ports

In Part 2, you will create Management, Operations, Parking_Lot, and Native VLANs on both switches. You will then assign the VLANs to the appropriate interface. The show vlan command is used to verify your configuration settings.

Step 1: Create VLANs on the switches.

a. Create the VLANs on S1.

b. Create the same VLANs on S2.

c. Issue the show vlan brief command to view the list of VLANs on S1.

What is the default VLAN? VLAN 1

What ports are assigned to the default VLAN? All switch ports are assigned to VLAN 1 by default.

Step 2: Assign VLANs to the correct switch interfaces.

a. Assign VLANs to the interfaces on S1.

1) Assign PC-A to the Operations VLAN.

2) Move the switch IP address to VLAN 99.

b. Issue the show vlan brief command and verify that the VLANs are assigned to the correct interfaces.

c. Issue the show ip interface brief command.

What is the status of VLAN 99? Explain. The status of VLAN 99 is up/down, up because the VLAN exists in the database but down because the VLAN has not been assigned to an active port yet.

d. Assign PC-B to the Operations VLAN on S2.

e. Remove the IP address for VLAN 1 on S2.

f. Configure an IP address for VLAN 99 on S2 according to the Addressing Table.

g. Use the show vlan brief command to verify that the VLANs are assigned to the correct interfaces.

Is S1 able to ping S2? Explain. No. The IP addresses for the switches now reside in VLAN 99. VLAN 99 traffic will not be sent over interface F0/1.

Is PC-A able to ping PC-B? Explain. No. Interface F0/1 is not assigned to VLAN 10, so VLAN 10 traffic will not be sent over it.

Part 3: Maintain VLAN Port Assignments and the VLAN Database

In Part 3, you will change VLAN assignments to ports and remove VLANs from the VLAN database.

Step 1: Assign a VLAN to multiple interfaces.

a. On S1, assign interfaces F0/11 – 24 to VLAN 99.

b. Issue the show vlan brief command to verify VLAN assignments.

c. Reassign F0/11 and F0/21 to VLAN 10.

d. Verify that VLAN assignments are correct.

Step 2: Remove a VLAN assignment from an interface.

a. Use the no switchport access vlan command to remove the VLAN 99 assignment to F0/24.

b. Verify that the VLAN change was made.

Which VLAN is F0/24 now associated with? VLAN 1, the default VLAN.

Step 3: Remove a VLAN ID from the VLAN database.

a. Add VLAN 30 to interface F0/24 without issuing the global VLAN command.

Note: Current switch technology no longer requires that the vlan command be issued to add a VLAN to the database. By assigning an unknown VLAN to a port, the VLAN will be created and added to the VLAN database.

b. Verify that the new VLAN is displayed in the VLAN table.

What is the default name of VLAN 30? VLAN0030

c. Use the no vlan 30 command to remove VLAN 30 from the VLAN database.

d. Issue the show vlan brief command. F0/24 was assigned to VLAN 30.

After deleting VLAN 30 from the VLAN database, what VLAN is port F0/24 assigned to? What happens to the traffic destined to the host attached to F0/24?

When you delete a VLAN, any ports assigned to that VLAN become inactive. So port F0/24 is still associated with VLAN 30. However, VLAN 30 is now inactive because it does not exist in the VLAN database. Additionally, the port will not transfer any traffic.

e. Issue the no switchport access vlan command on interface F0/24.

f. Issue the show vlan brief command to determine the VLAN assignment for F0/24.

To which VLAN is F0/24 assigned? The default VLAN, VLAN 1

Note: Before removing a VLAN from the database, it is recommended that you reassign all the ports assigned to that VLAN.

Why should you reassign a port to another VLAN before removing the VLAN from the VLAN database? The interfaces assigned to a VLAN that is then removed from the VLAN database become inactive and are unavailable for use until they are reassigned to another VLAN. This can be a tricky thing to troubleshoot, as trunked interfaces do not show up in the port list either (Part 4 contains more information about trunked interfaces).

Part 4: Configure an 802.1Q Trunk Between the Switches

In Part 4, you will configure interface F0/1 to use the Dynamic Trunking Protocol (DTP) to negotiate the trunk mode. After this has been accomplished and verified, you will configure F0/1 statically as a trunk with the switchport mode trunk command. Be aware that a statically configured trunk still generates DTP frames toward its neighbor; only the switchport nonegotiate command stops a port from sending DTP, so add it when you want DTP fully disabled.

Step 1: Use DTP to initiate trunking on F0/1.

The default DTP mode of a 2960 switch port is dynamic auto. This allows the interface to convert the link to a trunk if the neighboring interface is set to trunk or dynamic desirable mode.

a. Set F0/1 on S1 to negotiate trunk mode (dynamic desirable).

You should also receive link status messages on S2.

b. Issue the show vlan brief command on S1 and S2. Interface F0/1 is no longer assigned to VLAN 1. Trunked interfaces are not listed in the VLAN table.

c. Issue the show interfaces trunk command to view trunked interfaces. Notice that the mode on S1 is set to desirable, and the mode on S2 is set to auto.

Note: By default, all VLANs are allowed on a trunk. The switchport trunk allowed vlan command lets you restrict which VLANs may traverse the trunk. For this lab, keep the default setting, which allows all VLANs to traverse F0/1.

d. Verify that VLAN traffic is traveling over trunk interface F0/1 by pinging between the devices.

If any of the pings failed, explain why. The switch management interfaces are in VLAN 99 and the PCs are in VLAN 10; pings within a VLAN cross the trunk successfully, but without a Layer 3 device the pings between VLANs fail.

Step 2: Manually configure trunk interface F0/1.

The switchport mode trunk command is used to manually configure a port as a trunk. This command should be issued on both ends of the link.

a. Change the switchport mode on interface F0/1 to force trunking. Make sure to do this on both switches.

b. Issue the show interfaces trunk command to view the trunk mode. Notice that the mode changed from desirable to on.

c. Modify the trunk configuration on both switches by changing the native VLAN from VLAN 1 to VLAN 1000.

d. Issue the show interfaces trunk command to view the trunk. Notice the Native VLAN information is updated.

Why might you want to manually configure an interface to trunk mode instead of using DTP? Not all equipment uses DTP. Using the switchport mode trunk command ensures that the port will become a trunk no matter what type of equipment is connected to the other end of the link.

Why might you want to change the native VLAN on a trunk? Using VLAN 1, the default VLAN, as the native VLAN is a security risk. The control protocols exchanged between switches (STP, DTP, VTP, PAgP) travel untagged in the native VLAN, and with default settings every access port is also in VLAN 1, so a host on any unconfigured port shares a VLAN with that untagged control traffic. Moving the native VLAN to an otherwise unused VLAN such as 1000, and keeping every access port out of it, separates user traffic from the untagged trunk traffic; an access port that sits in the native VLAN is also what makes double-tagged VLAN-hopping frames possible.

Part 5: Delete the VLAN Database

In Part 5, you will delete the VLAN database from the switch. It is necessary to do this when initializing a switch back to its default settings.

Step 1: Determine if the VLAN database exists.

Issue the show flash command to determine if a vlan.dat file exists in flash.

Note: If there is a vlan.dat file located in flash, then the VLAN database does not contain its default settings.

Step 2: Delete the VLAN database.

a. Issue the delete vlan.dat command to delete the vlan.dat file from flash and reset the VLAN database back to its default settings. You will be prompted twice to confirm that you want to delete the vlan.dat file. Press Enter both times.

b. Issue the show flash command to verify that the vlan.dat file has been deleted.

To initialize a switch back to its default settings, what other commands are needed? To get a switch back to its default settings, the erase startup-config and reload commands need to be issued in addition to the delete vlan.dat command. Erasing the startup configuration alone does not remove the VLANs, because the VLAN database is kept in the vlan.dat file in flash rather than in the startup configuration.

Reflection Questions

1. What is needed to allow hosts on VLAN 10 to communicate to hosts on VLAN 99? Answers will vary, but inter-VLAN routing requires a Layer 3 device to route traffic between the VLANs.

2. What are some primary benefits that an organization can receive through effective use of VLANs? Answers will vary, but VLAN benefits include: better security, cost savings (efficient use of bandwidth and uplinks), higher performance (smaller broadcast domains), broadcast storm mitigation, improved IT staff efficiency, simpler project and application management.

Device Configs – Final

Download Packet Tracer (.pka) file: 3.4.6 lab - configure vlans and trunking - physical mode.

guest

It still doesn't work.

Jim Ras

The download does not work. Why?

The Cisco switch must not have the default VLAN assigned to any host-facing switch ports.

Finding ID: V-220642
Version: CISC-L2-000220
Rule ID: SV-220642r991849_rule
IA Controls: none listed
Severity: Medium
Description
In a VLAN-based network, switches use the default VLAN (i.e., VLAN 1) for in-band management and to communicate with other networking devices using Spanning-Tree Protocol (STP), Dynamic Trunking Protocol (DTP), VLAN Trunking Protocol (VTP), and Port Aggregation Protocol (PAgP) - all untagged traffic. As a consequence, the default VLAN may unwisely span the entire network if not appropriately pruned. If its scope is large enough, the risk of compromise can increase significantly.
STIG Date: 2024-06-06
Check Text (C-22357r507972_chk)
Review the switch configurations and verify that no access switch ports have been assigned membership to the default VLAN (i.e., VLAN 1). VLAN assignments can be verified via the show vlan command:

SW1#show vlan

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active
10 User VLAN active Gi0/3, Gi1/0, Gi1/1, Gi1/2
Gi1/3, Gi2/1
20 Management VLAN active Gi0/2
999 VLAN0999 active Gi2/0

If access switch ports are assigned to the default VLAN, this is a finding.
Fix Text (F-22346r507973_fix)
Remove the assignment of the default VLAN from all access switch ports.
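The inactive-VLAN trap from Part 3 Step 3, the native VLAN and DTP points from Part 4 Step 2, and this STIG check all come down to reading two outputs side by side: the running configuration and show vlan brief. The script below is an added example, not part of the lab, the STIG or any Cisco tool, that audits both offline for those conditions. The switch configurations and show vlan brief text inside it are constructed to mirror the lab topology rather than captured from real switches; the use of VLAN 999 as a parking VLAN for an unused port and of switchport nonegotiate on the trunk are this example's own hardening choices, not lab steps.

```python
"""Offline audit for the VLAN pitfalls this page discusses: access ports left on
VLAN 1 (STIG V-220642), ports assigned to a VLAN no longer in the VLAN database
(Part 3 Step 3), and trunks on native VLAN 1 or still speaking DTP (Part 4).
Added example; the switch outputs below are constructed, not captured."""
import re

INTERFACE_RE = re.compile(r"^interface (\S+)", re.M)
VLAN_ROW_RE = re.compile(r"^(\d+)\s+\S.*?\s+(?:active|act/lshut|suspended)\b", re.M)


def _int_setting(pattern, body, default):
    found = re.search(pattern, body, re.M)
    return int(found.group(1)) if found else default


def parse_interfaces(running_config):
    """Map interface name -> switchport settings, applying the Catalyst defaults
    (access VLAN 1, native VLAN 1, DTP enabled) where nothing is configured."""
    ports = {}
    for block in running_config.split("!\n"):
        m = INTERFACE_RE.search(block)
        if not m:
            continue
        body = block[m.end():]
        ports[m.group(1)] = {
            "trunk": bool(re.search(r"^ switchport mode trunk$", body, re.M)),
            "access_vlan": _int_setting(r"^ switchport access vlan (\d+)$", body, 1),
            "native_vlan": _int_setting(r"^ switchport trunk native vlan (\d+)$", body, 1),
            "nonegotiate": bool(re.search(r"^ switchport nonegotiate$", body, re.M)),
        }
    return ports


def parse_vlan_table(show_vlan_brief):
    """VLAN IDs that exist in the VLAN database, read from 'show vlan brief'."""
    return {int(v) for v in VLAN_ROW_RE.findall(show_vlan_brief)}


def audit(running_config, show_vlan_brief):
    """Sorted list of findings; an empty list means none of the pitfalls apply."""
    vlans = parse_vlan_table(show_vlan_brief)
    findings = []
    for name, p in sorted(parse_interfaces(running_config).items()):
        if p["trunk"]:
            if p["native_vlan"] == 1:
                findings.append(f"{name}: trunk uses default VLAN 1 as its native VLAN")
            if not p["nonegotiate"]:
                findings.append(f"{name}: 'switchport mode trunk' alone keeps DTP "
                                "running; add 'switchport nonegotiate'")
        else:  # explicit access port, or default dynamic auto acting as one
            vid = p["access_vlan"]
            if vid == 1:
                findings.append(f"{name}: access port on default VLAN 1 (STIG V-220642)")
            elif vid not in vlans:
                findings.append(f"{name}: VLAN {vid} is not in the VLAN database; "
                                "the port is inactive and forwards nothing")
    return findings


# Constructed S1 excerpt: VLAN 30 deleted while Fa0/24 still points at it,
# Fa0/7 left on VLAN 1, trunk forced on with native VLAN and DTP untouched.
BEFORE_CONFIG = """\
interface FastEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/7
 switchport mode access
!
interface FastEthernet0/24
 switchport access vlan 30
 switchport mode access
!
"""
BEFORE_VLANS = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/2, Fa0/3, Fa0/4, Fa0/7
10   Student                          active
99   Management                       active
"""
# Same switch after Part 4 Step 2 plus remediation. VLAN 999 as a parking VLAN
# for the unused port and 'switchport nonegotiate' are assumptions, not lab steps.
AFTER_CONFIG = """\
interface FastEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 1000
 switchport nonegotiate
!
interface FastEthernet0/7
 switchport access vlan 999
 switchport mode access
 shutdown
!
interface FastEthernet0/24
 switchport access vlan 10
 switchport mode access
!
"""
AFTER_VLANS = (BEFORE_VLANS.replace(", Fa0/7", "")
               + "999  Parking                          active    Fa0/7\n")
```

Paste the text of show running-config and show vlan brief from a switch into the two arguments of audit(). On the constructed before snapshot it returns four findings: the trunk on native VLAN 1, DTP still enabled on that trunk, Fa0/7 on VLAN 1, and Fa0/24 pointing at the deleted VLAN 30; the after snapshot returns none. The script only recognizes the handful of switchport commands it searches for, ignores everything else in the configuration, and audits only interfaces that appear in the configuration text it is given.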
