
Configuring VLANs on Cisco Switches


    We have previously written about VLANs and what they can do as a concept. This article focuses on configuring VLANs on Cisco switches.

    We will look at each command necessary to configure the topology below. If this topology looks familiar, it is because you saw it in the article which described how VLANs operated on a conceptual level.

    [Figure: topology diagram for this article (SwitchX, SwitchY, Router1, Router2 and the hosts in VLANs 10, 20 and 30)]

    We will first look at what goes into configuring the access ports in the topology above, followed by what goes into configuring the trunk ports. Then we will look at some verification and show commands to validate what is configured. Finally, we will look at the default configuration for a switch port, so we know our starting point when we are applying the commands we discuss.


    Access Ports

    An access port is a switch port that is a member of only one VLAN. There are two parts to configuring an access port: creating the VLAN in the switch’s VLAN Database and assigning the switch port to a VLAN.

    Creating the VLAN in the VLAN Database

    Before a switch will accept or forward traffic for a VLAN, the VLAN must exist in the switch’s VLAN Database. Adding a VLAN to the VLAN database requires only one command:

    SwitchX(config)# vlan 10
    

    From this point, you can also optionally name the VLAN. While not explicitly necessary for traffic to flow, it is best practice to provide a name for each VLAN. This will make the VLAN easier to identify.

    To name a VLAN, use the name command directly after creating it.

    SwitchX(config-vlan)# name RED
    

    For VLAN 20, we will create and name the VLAN on SwitchX:

    SwitchX(config)# vlan 20
    SwitchX(config-vlan)# name ORANGE
    

    Note that a VLAN only has to be added to the database once. If a VLAN already exists in the VLAN database, it is not necessary to re-create it – you can jump directly to the next step. Later in this article we will look at some show commands used to determine if a VLAN has already been created.

     

    Assigning the Switchport to a VLAN

    Now that the VLAN is in the VLAN database, we can configure a switch port to be an access port for a particular VLAN. There are two commands within the interface configuration mode for this step:

    SwitchX(config)# interface Ethernet 0/0
    SwitchX(config-if)# switchport mode access
    SwitchX(config-if)# switchport access vlan 10
    

    The switchport mode access command sets the port as an access port, and the switchport access vlan <#> command designates the port as a member of VLAN 10.

    Some Cisco switch platforms and software versions automatically create the VLAN in the VLAN Database when you assign an access port to a VLAN:

    SwitchX(config)# interface Ethernet 0/1
    SwitchX(config-if)# switchport mode access	
    SwitchX(config-if)# switchport access vlan 30
    % Access VLAN does not exist. Creating vlan 30
    

    However, it is not recommended that you depend on this. Some switches will do it, some will not. Some switches will not create the VLAN and also not report any errors, leaving you confused as to why traffic might not be flowing. Moreover, this creates the VLAN with a generic name – the name for VLAN 30 above defaults to VLAN0030, which is not very helpful.

    As such, we always recommend creating and naming a VLAN before assigning it anywhere. If you forget to name it first, you can always update the name of a VLAN in the database after the fact:

    SwitchX(config)# vlan 30	
    SwitchX(config-vlan)# name BLUE
    

    In summary, the two steps to configure an access port:

    • Create and optionally (but ideally) name the VLAN
    • Set a switch port as an access port and designate it as a member of a VLAN

    Both steps will also need to be accomplished for each VLAN and switch port on SwitchY. First we will create and name each VLAN:

    SwitchY(config)# vlan 10
    SwitchY(config-vlan)# name RED
    SwitchY(config-vlan)# exit
    SwitchY(config)# vlan 20
    SwitchY(config-vlan)# name ORANGE
    SwitchY(config-vlan)# exit
    SwitchY(config)# vlan 30
    SwitchY(config-vlan)# name BLUE
    SwitchY(config-vlan)# exit
    

    Then we will set Eth0/2 and Eth0/3 as access ports in VLANs 10 and 30, respectively:

    SwitchY(config)# interface Ethernet 0/2	
    SwitchY(config-if)# switchport mode access
    SwitchY(config-if)# switchport access vlan 10
    SwitchY(config-if)# exit
    SwitchY(config)# interface Ethernet 0/3
    SwitchY(config-if)# switchport mode access
    SwitchY(config-if)# switchport access vlan 30
    SwitchY(config-if)# exit
    

     

    The commands above created the following configuration in the running-configuration for each switch:

    SwitchX# show running-config
    ...	
    vlan 10
     name RED
    !
    vlan 20
     name ORANGE
    !
    vlan 30
     name BLUE
    ...
    interface Ethernet0/0
     switchport access vlan 10
     switchport mode access
    !
    interface Ethernet0/1
     switchport access vlan 30
     switchport mode access
    ...
    
    

    SwitchY# show running-config
    ...
    vlan 10
     name RED
    !
    vlan 20
     name ORANGE
    !
    vlan 30
     name BLUE
    ...
    interface Ethernet0/2
     switchport access vlan 10
     switchport mode access
    !
    interface Ethernet0/3
     switchport access vlan 30
     switchport mode access
    ...
    
    

    Note, if you are following along with this configuration guide in your own lab, you may not see the creation and naming of the VLANs appear in the running configuration. This is because the default VTP mode stores VLAN database information in a separate file (vlan.dat) rather than in the running-configuration. To force the configuration to appear in your running-configuration, use the command vtp mode transparent. Beyond that, VTP’s operation is outside the scope of this article.
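    As an added example (not from the original article), here is a small Python audit that reads running-config text like the output above and applies the advice from this section: every access port must reference a VLAN that exists in the VLAN database, and that VLAN should carry an administrator-assigned name rather than none or an auto-generated VLANxxxx one. It assumes vtp mode transparent so the vlan stanzas are present, and handles only the single-VLAN "vlan N" stanza form shown here. The sample configuration is constructed: SwitchX's config plus two hypothetical ports, Ethernet0/2 in an unnamed VLAN 40 and Ethernet0/3 in a VLAN 50 that was never created.

```python
import re

# Constructed sample (not real device output): SwitchX's running-config from the
# article, plus two hypothetical ports. Ethernet0/2 sits in VLAN 40, which exists
# but was never named; Ethernet0/3 sits in VLAN 50, which was never created.
# Assumes 'vtp mode transparent' so the vlan stanzas appear in the running-config.
SWITCHX_RUNNING_CONFIG = """\
vlan 10
 name RED
!
vlan 20
 name ORANGE
!
vlan 30
 name BLUE
!
vlan 40
!
interface Ethernet0/0
 switchport access vlan 10
 switchport mode access
!
interface Ethernet0/1
 switchport access vlan 30
 switchport mode access
!
interface Ethernet0/2
 switchport access vlan 40
 switchport mode access
!
interface Ethernet0/3
 switchport access vlan 50
 switchport mode access
!
"""

# Name IOS assigns when it creates a VLAN on its own: VLAN followed by four digits.
AUTO_NAME = re.compile(r"^VLAN\d{4}$")


def parse_running_config(text):
    """Return (vlan_db, access_ports) from running-config text.

    vlan_db maps VLAN ID -> configured name (None if the stanza has no 'name' line).
    access_ports maps interface -> access VLAN for every port in
    'switchport mode access' (VLAN 1 if no 'switchport access vlan' line).
    Only the single-VLAN 'vlan N' stanza form shown in the article is handled.
    """
    vlan_db, mode, access_vlan = {}, {}, {}
    current_vlan = current_if = None
    for raw in text.splitlines():
        if not raw.startswith(" "):
            # Any unindented line starts a new stanza (or is the '!' separator).
            current_vlan = current_if = None
            m = re.match(r"^vlan (\d+)$", raw)
            if m:
                current_vlan = int(m.group(1))
                vlan_db[current_vlan] = None
            m = re.match(r"^interface (\S+)$", raw)
            if m:
                current_if = m.group(1)
            continue
        line = raw.strip()
        if current_vlan is not None:
            m = re.match(r"^name (.+)$", line)
            if m:
                vlan_db[current_vlan] = m.group(1)
        elif current_if is not None:
            m = re.match(r"^switchport access vlan (\d+)$", line)
            if m:
                access_vlan[current_if] = int(m.group(1))
            m = re.match(r"^switchport mode (\S+)$", line)
            if m:
                mode[current_if] = m.group(1)
    access_ports = {intf: access_vlan.get(intf, 1)
                    for intf, m in mode.items() if m == "access"}
    return vlan_db, access_ports


def audit_access_ports(vlan_db, access_ports):
    """Return (interface, vlan_id, problem) tuples, sorted by interface name."""
    findings = []
    for intf, vid in sorted(access_ports.items()):
        if vid not in vlan_db:
            findings.append((intf, vid, "VLAN not in VLAN database; traffic will not flow"))
        else:
            name = vlan_db[vid]
            if name is None or AUTO_NAME.match(name):
                findings.append((intf, vid, f"VLAN has no useful name ({name or 'none'}); name it"))
    return findings


if __name__ == "__main__":
    db, ports = parse_running_config(SWITCHX_RUNNING_CONFIG)
    for intf, vid, problem in audit_access_ports(db, ports):
        print(f"{intf}: access VLAN {vid}: {problem}")
```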

     

    Trunk Ports

    As discussed before, a trunk port is a switch port that is carrying more than one VLAN.

    Traffic traversing a trunk port is still in the form of 1s and 0s. To designate which 1s and 0s belong to which VLANs, a VLAN Tag is added to all traffic leaving a trunk port. The 802.1q standard specifies the ubiquitous format for the VLAN tag.

    Creating a trunk port involves only one command:

    SwitchY(config)# interface Ethernet1/1
    SwitchY(config-if)# switchport mode trunk
    

    Just like switchport mode access set the port as an access port, switchport mode trunk will set the port as a trunk port.

    Some switches support more than one method for adding the VLAN tag. Namely, some switches support the antiquated ISL method of VLAN tagging. Before these switches allow you to set a port as a trunk port, they force you to set a tagging method, also called an encapsulation method:

    SwitchX(config)# interface Ethernet1/1
    SwitchX(config-if)# switchport mode trunk
    Command rejected: An interface whose trunk encapsulation is "Auto" can not be configured to "trunk" mode.
    

    For these switches, you simply use the switchport trunk encapsulation dot1q command before setting the switchport as a trunk port:

    SwitchX(config)# interface Ethernet1/1
    SwitchX(config-if)# switchport trunk encapsulation dot1q
    SwitchX(config-if)# switchport mode trunk
    

    We will also configure Eth2/1 and Eth2/2 on SwitchX as trunk ports:

    SwitchX(config)# interface Ethernet 2/1
    SwitchX(config-if)# switchport trunk encapsulation dot1q
    SwitchX(config-if)# switchport mode trunk
    SwitchX(config-if)# exit
    SwitchX(config)# interface Ethernet 2/2
    SwitchX(config-if)# switchport trunk encapsulation dot1q
    SwitchX(config-if)# switchport mode trunk
    SwitchX(config-if)# exit
    

    This is all you need to create a trunk port. With the configuration above, the switch will forward traffic from all VLANs in the VLAN Database out the configured trunk port.

    That being said, there are some additional helpful settings you can apply to a trunk port to modify the default behavior. We will discuss two of them in the sections that follow.

    Native VLAN

    The Native VLAN is the one VLAN on a trunk port which is allowed to remain untagged. By default, this is set to VLAN 1, but this can be changed by an administrator.

    To set the Native VLAN, you use this command:

    SwitchX(config)# interface Ethernet 1/1
    SwitchX(config-if)# switchport trunk native vlan 2
    

    After setting this command, any time SwitchX is sending traffic on VLAN 2 out the trunk port Eth1/1, it will do so without adding a VLAN tag. Moreover, anytime SwitchX receives untagged traffic on trunk port Eth1/1, SwitchX will assign that traffic to VLAN 2.

    An important point to remember: both switches on either end of the same trunk must have the same Native VLAN. Otherwise, frames one switch sends untagged (its Native VLAN) are assigned to a different VLAN by the switch on the other end, and you easily run the risk of a host in one VLAN being able to communicate with a host in another VLAN.

    Therefore, we will set the same Native VLAN on SwitchY:

    SwitchY(config)# interface Ethernet 1/1
    SwitchY(config-if)# switchport trunk native vlan 2
    

    We will also set another VLAN as the Native VLAN for Eth2/1 and Eth2/2 ports, facing Router1 and Router2, respectively. This is to show that the Native VLAN configuration is a per-interface configuration, not a per-device configuration. But keep in mind, in most deployments the Native VLAN is typically consistent across all ports.

    SwitchX(config)# interface Ethernet 2/1
    SwitchX(config-if)# switchport trunk native vlan 3
    SwitchX(config-if)# exit
    SwitchX(config)# interface Ethernet 2/2
    SwitchX(config-if)# switchport trunk native vlan 3
    SwitchX(config-if)# exit
    

    Allowed VLAN List

    By default, when an interface is set as a trunk port, traffic from all the VLANs in the VLAN database is forwarded out that switch port.

    There are times, however, where it is wise to limit which VLANs’ traffic traverses a particular trunk. This can be done by applying what is known as an Allowed VLAN list, which lets the administrator manually select which VLANs are carried on a trunk port.

    Take a look at the illustration. Notice that the trunk port to Router1 is only processing traffic for VLAN 10 and 20, but if the trunk port is left to its default behavior, SwitchX will be forwarding traffic to Router1 from VLANs 10, 20, and 30. The VLAN 30 traffic will simply be dropped by Router1, but it does needlessly add congestion to the link.

    To solve this, we will add an Allowed VLAN list to Eth2/1 on SwitchX to restrict which VLANs are traversing the trunk port:

    SwitchX(config)# interface Ethernet 2/1
    SwitchX(config-if)# switchport trunk allowed vlan 10,20
    

    This will limit the VLANs which are traversing the trunk port to Router1 to only the VLANs which actually need to be on that link.

    The trunk port to Router2 can also be limited to only carry traffic for VLAN 20 and 30. Below is another way of applying an Allowed VLAN list which shows how to add VLANs to the list after initially creating it:

    SwitchX(config)# interface Ethernet 2/2
    SwitchX(config-if)# switchport trunk allowed vlan 20
    SwitchX(config-if)# switchport trunk allowed vlan add 30
    

    Notice the important keyword add in the second command above. This instructs the switch to add VLAN 30 traffic to whatever VLANs are already allowed on the link.

    Had the keyword add been omitted, the switch would have replaced the current Allowed VLAN List (which was allowing just VLAN 20) with the new one (allowing just VLAN 30). If Router1 was the gateway for the traffic in VLAN 20, all that traffic would now be dropped – creating a decidedly poor experience for the users in that VLAN.

    As such, it is very important either to apply the full list of VLANs in one command (as in the first example), or to use the add keyword to add VLANs to the current allowed VLAN list.

    You also have the option of using the remove keyword to remove individual VLANs from the allowed VLAN list.

    In fact, the remove keyword provides one more way to apply an allowed VLAN list to a trunk port. Take a look at the link between SwitchX and SwitchY. Notice VLAN 20 does not need to be traversing that link.

    Rather than simply adding an Allowed VLAN list with VLANs 10 and 30, you can also simply remove VLAN 20 from the default configuration. We’ll show you how it works with the trunk port between the switches (Eth1/1):

    SwitchX(config)# interface Ethernet1/1
    SwitchX(config-if)# switchport trunk allowed vlan remove 20
    

    This automatically applies an Allowed VLAN list for every VLAN except VLAN 20:

    SwitchX# show running-config interface Ethernet 1/1
    interface Ethernet1/1
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 2
     switchport trunk allowed vlan 1-19,21-4094
     switchport mode trunk
    end 
    

    Since the default trunk port behavior was to allow all VLANs, removing VLAN 20 caused the switch to apply an Allowed VLAN list which included every VLAN (1 – 4094), except VLAN 20.

    That said, this is typically not the way you would apply a new Allowed VLAN list to an interface – the remove keyword is more often used to remove individual VLANs from an already added Allowed VLAN list. We will remove the Allowed VLAN list on Eth1/1, and leave that port configured as a default trunk port – allowing traffic for all VLANs to traverse the trunk:

    SwitchX(config)# interface Ethernet1/1
    SwitchX(config-if)# no switchport trunk allowed vlan
    

     

    The commands above created the following configuration in the running-configuration for each switch:

    SwitchX# show running-config
    ...
    interface Ethernet1/1
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 2
     switchport mode trunk
    !
    interface Ethernet2/1
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 3
     switchport trunk allowed vlan 10,20
     switchport mode trunk
    !
    interface Ethernet2/2
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 3
     switchport trunk allowed vlan 20,30
     switchport mode trunk
    !
    ...
    

    SwitchY# show running-config
    ...
    interface Ethernet1/1
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 2
     switchport mode trunk
    !
    ...
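
    The Allowed VLAN list semantics described in this section (a bare list replaces the current list, add and remove adjust it, and the no form restores the default of all VLANs) are easy to get wrong from memory. As an added example that is not part of the original article, the Python model below applies those command forms to a trunk port and renders the resulting running-config line in the compact range notation IOS uses, reproducing the 1-19,21-4094 result above and the "forgot the add keyword" pitfall. It models only the forms used in this article; the all, none and except keywords that IOS also accepts are left out.

```python
import re

VLAN_MIN, VLAN_MAX = 1, 4094            # the full 802.1Q VLAN ID range
ALL_VLANS = frozenset(range(VLAN_MIN, VLAN_MAX + 1))


def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '10,20' or '1-19,21-4094' into a set."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not VLAN_MIN <= lo <= hi <= VLAN_MAX:
            raise ValueError(f"invalid VLAN range: {part}")
        vlans.update(range(lo, hi + 1))
    return vlans


def format_vlan_list(vlans):
    """Render a set of VLAN IDs the way IOS prints it, e.g. '1-19,21-4094'."""
    ids = sorted(vlans)
    if not ids:
        return "none"
    ranges, start, prev = [], ids[0], ids[0]
    for v in ids[1:]:
        if v != prev + 1:               # gap: close the current run
            ranges.append((start, prev))
            start = v
        prev = v
    ranges.append((start, prev))
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in ranges)


class TrunkPort:
    """Allowed VLAN list of one trunk interface, driven by the CLI lines used here."""

    def __init__(self):
        self.allowed = set(ALL_VLANS)   # default trunk: every VLAN allowed

    def configure(self, command):
        """Apply one 'switchport trunk allowed vlan ...' line or its 'no' form."""
        m = re.match(r"^(no )?switchport trunk allowed vlan(?: (.+))?$", command.strip())
        if not m:
            raise ValueError(f"unsupported command: {command!r}")
        if m.group(1):                   # 'no ...' returns the port to the default
            self.allowed = set(ALL_VLANS)
            return
        if not m.group(2):
            raise ValueError("VLAN list required")
        keyword, _, rest = m.group(2).partition(" ")
        if keyword == "add":             # add to whatever is already allowed
            self.allowed |= parse_vlan_list(rest)
        elif keyword == "remove":        # take away from whatever is already allowed
            self.allowed -= parse_vlan_list(rest)
        else:
            # No keyword: the new list REPLACES the existing one. This is the
            # pitfall described above: '... allowed vlan 30' entered after
            # '... allowed vlan 20' leaves only VLAN 30 on the trunk.
            self.allowed = parse_vlan_list(m.group(2))

    def running_config_line(self):
        """The line shown under the interface in show running-config, or None at the default."""
        if self.allowed == ALL_VLANS:
            return None
        return f"switchport trunk allowed vlan {format_vlan_list(self.allowed)}"


if __name__ == "__main__":
    eth1_1 = TrunkPort()
    eth1_1.configure("switchport trunk allowed vlan remove 20")
    print(eth1_1.running_config_line())   # 1-19,21-4094, as in the article
    eth2_2 = TrunkPort()
    eth2_2.configure("switchport trunk allowed vlan 20")
    eth2_2.configure("switchport trunk allowed vlan 30")   # 'add' forgotten
    print(eth2_2.running_config_line())   # only VLAN 30 survives
```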
    

     

    Show Commands

    The commands above explain the steps for configuring VLANs on Cisco switches. The output at the end of each section displayed the way the configuration appears in the running-configuration. However, the running-configuration only shows how a device is configured – it does not show how a device operates.

    This is an important distinction – a talented network engineer needs to not only know how to configure VLANs, but also how to validate their operation as well. To that end, we will discuss five show commands that can be used to verify a device’s operation – how it is actually handling traffic.

    show vlan brief

    The show vlan brief command provides two main pieces of information:

    • The VLANs which exist in the switch’s VLAN Database
    • The access ports configured in each VLAN

    Here is the output from both of our switches:

    SwitchX# show vlan brief
    
    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1    default                          active    Et0/2, Et0/3, Et1/0, Et1/2
                                                    Et1/3, Et2/0, Et2/3, Et3/0
                                                    Et3/1, Et3/2, Et3/3
    10   RED                              active    Et0/0
    20   ORANGE                           active
    30   BLUE                             active    Et0/1
    

    SwitchY# show vlan brief
    
    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1    default                          active    Et0/0, Et0/1, Et1/0, Et1/2
                                                    Et1/3, Et2/0, Et2/1, Et2/2
                                                    Et2/3, Et3/0, Et3/1, Et3/2
                                                    Et3/3
    10   RED                              active    Et0/2
    20   ORANGE                           active
    30   BLUE                             active    Et0/3
    

    For both switches, the command displays VLANs 1, 10, 20, and 30. These are the only VLANs that were created in the VLAN database. Should the switch receive traffic tagged for a VLAN other than these, that traffic will be discarded.

    For each VLAN, the VLAN’s name is also provided. Notice VLANs 10, 20, and 30 are named RED, ORANGE, and BLUE, respectively.

    Also notice VLAN 1 exists and is named default, despite us not explicitly creating it. This is because VLAN 1 is the default configuration that every switch port starts out in. The switch will not allow you to delete VLAN 1 or change its name.

    The Status column reflects whether the VLAN is active on the switch. A VLAN can become inactive for two reasons. The first is explicitly using the shutdown command within the VLAN configuration mode. The second is a VLAN existing in the database, but having no access ports or trunk ports utilizing that VLAN.

    On the far right of output, under the Ports column, you get a list of each access port in each VLAN. We configured SwitchX’s Eth0/0 interface in VLAN 10, and the output reflects that. Also notice the port Eth1/1 is nowhere to be found. This is because Eth1/1 was configured as a trunk port, and will not be visible in the output of show vlan brief.

    show interfaces trunk

    If show vlan brief is the go-to command to show you information about access ports on a switch, then show interfaces trunk is the go-to command to show you information about trunk ports on a switch.

    There are four sections to the output of this command. To the untrained eye, it might appear like some of the information is duplicate – but this is not the case.

    SwitchX# show interfaces trunk
    
    Port        Mode             Encapsulation  Status        Native vlan
    Et1/1       on               802.1q         trunking      2
    Et2/1       on               802.1q         trunking      3
    Et2/2       on               802.1q         trunking      3
    
    Port        Vlans allowed on trunk
    Et1/1       1-4094
    Et2/1       10,20
    Et2/2       20,30
    
    Port        Vlans allowed and active in management domain
    Et1/1       1,10,20,30
    Et2/1       10,20
    Et2/2       20,30
    
    Port        Vlans in spanning tree forwarding state and not pruned
    Et1/1       1,10,20,30
    Et2/1       10,20
    Et2/2       20,30
    
    

    SwitchY# show interfaces trunk
    
    Port        Mode             Encapsulation  Status        Native vlan
    Et1/1       on               802.1q         trunking      2
    
    Port        Vlans allowed on trunk
    Et1/1       1-4094
    
    Port        Vlans allowed and active in management domain
    Et1/1       1,10,20,30
    
    Port        Vlans in spanning tree forwarding state and not pruned
    Et1/1       1,10,20,30
    
    

    The first section of the output lists each interface which is operationally behaving like a trunk port. This will make more sense a little later in the article when we discuss a mechanism that lets a switch port automatically determine whether it should be a trunk port. In the case above, we explicitly configured ports Eth1/1, Eth2/1, and Eth2/2 on SwitchX and port Eth1/1 on SwitchY as trunk ports.

    The first section also lists what method of Encapsulation is in use (i.e., what method of VLAN tagging), as well as the VLAN configured as the Native VLAN for each trunk.

    The second section, labeled Vlans allowed on trunk, is a reflection of which VLANs have made it through any configured Allowed VLAN lists on each trunk port. On SwitchX, we created two Allowed VLAN lists, one allowing VLANs 10 and 20 on Eth2/1, and another allowing VLANs 20 and 30 on Eth2/2. Interface Eth1/1 did not have any VLANs restricted, so all possible VLANs are listed as allowed on the trunk port – VLAN IDs can only be 1 – 4094.

    The third section, labeled Vlans allowed and active in management domain, is a combination of the section before it (Vlans allowed on trunk) and the VLANs which are created in the VLAN database (i.e., visible in show vlan brief). Despite all VLANs being allowed on Eth1/1 (as indicated by the 1-4094 in the second section), only VLANs 1, 10, 20, and 30 exist in the VLAN database.

    The fourth section, labeled Vlans in spanning tree forwarding state and not pruned, is a combination of the last two sections and the ports the Spanning Tree Protocol deems as safe to forward traffic.

    The Spanning Tree Protocol (STP) exists to ensure the L2 domain does not contain any loops. If any are detected, those ports are disabled. In our topology, there are no loops, so the output of the fourth section looks identical to the output of the third section because STP did not disable any ports. STP is a fascinating protocol, but its operation is outside the scope of this article – it will be the subject of a future article.
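    Two points from this article are worth checking mechanically: the Native VLAN must match on both ends of a trunk (Native VLAN section), and the first two sections of show interfaces trunk are where the Native VLAN and allowed list of every trunking port can be read. As an added example that is not from the original article, the Python below parses those two sections from both switches' output and compares each end of a link. The captures are constructed from the output above, plus a second SwitchY capture in which switchport trunk native vlan 2 was never applied; the link pairing is the SwitchX Eth1/1 to SwitchY Eth1/1 trunk from the topology.

```python
# Constructed samples (not real captures): the first two sections of
# 'show interfaces trunk' from SwitchX and SwitchY as shown in this article.
SWITCHX_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Et1/1       on               802.1q         trunking      2
Et2/1       on               802.1q         trunking      3
Et2/2       on               802.1q         trunking      3

Port        Vlans allowed on trunk
Et1/1       1-4094
Et2/1       10,20
Et2/2       20,30
"""

SWITCHY_TRUNK_OK = """\
Port        Mode             Encapsulation  Status        Native vlan
Et1/1       on               802.1q         trunking      2

Port        Vlans allowed on trunk
Et1/1       1-4094
"""

# Hypothetical SwitchY capture where 'switchport trunk native vlan 2' was never
# entered, so Et1/1 is still on the default Native VLAN 1.
SWITCHY_TRUNK_FORGOTTEN = """\
Port        Mode             Encapsulation  Status        Native vlan
Et1/1       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Et1/1       1-4094
"""

# Which trunk faces which (the SwitchX <-> SwitchY link from the topology).
LINKS = [(("SwitchX", "Et1/1"), ("SwitchY", "Et1/1"))]


def parse_show_interfaces_trunk(text):
    """Return {port: {mode, encap, status, native, allowed}} from the command output.

    Only the first section (one line per trunking port) and the 'Vlans allowed
    on trunk' section are read; the 'active' and 'forwarding' sections are
    operational state derived from them and are skipped.
    """
    trunks, section = {}, None
    for line in text.splitlines():
        if line.startswith("Port"):          # a 'Port ...' header opens each section
            if "Native vlan" in line:
                section = "summary"
            elif "Vlans allowed on trunk" in line:
                section = "allowed"
            else:
                section = None
            continue
        fields = line.split()
        if not fields:
            continue
        port = fields[0]
        if section == "summary" and len(fields) == 5:
            trunks[port] = {"mode": fields[1], "encap": fields[2],
                            "status": fields[3], "native": int(fields[4]),
                            "allowed": None}
        elif section == "allowed" and port in trunks:
            trunks[port]["allowed"] = fields[1]
    return trunks


def check_trunk_links(captures, links):
    """captures: {switch_name: parsed trunk table}. Return a list of finding strings.

    Each link is checked end against end: both ports must be trunking, use the
    same encapsulation, agree on the Native VLAN (a mismatch lets untagged frames
    cross between two different VLANs) and carry the same allowed-VLAN list.
    """
    findings = []
    for (sw_a, port_a), (sw_b, port_b) in links:
        label = f"{sw_a} {port_a} <-> {sw_b} {port_b}"
        a, b = captures[sw_a].get(port_a), captures[sw_b].get(port_b)
        if a is None or b is None:
            findings.append(f"{label}: one end is not trunking")
            continue
        if a["encap"] != b["encap"]:
            findings.append(f"{label}: encapsulation mismatch ({a['encap']} vs {b['encap']})")
        if a["native"] != b["native"]:
            findings.append(f"{label}: native VLAN mismatch ({a['native']} vs {b['native']}); "
                            f"untagged frames from VLAN {a['native']} land in VLAN {b['native']}")
        if a["allowed"] != b["allowed"]:
            findings.append(f"{label}: allowed VLAN lists differ ({a['allowed']} vs {b['allowed']})")
    return findings


if __name__ == "__main__":
    x = parse_show_interfaces_trunk(SWITCHX_TRUNK)
    for y_text in (SWITCHY_TRUNK_OK, SWITCHY_TRUNK_FORGOTTEN):
        y = parse_show_interfaces_trunk(y_text)
        print(check_trunk_links({"SwitchX": x, "SwitchY": y}, LINKS) or ["all trunk links consistent"])
```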

    show interfaces switchport

    The show interfaces switchport command can give you an overwhelming amount of information. Using the command by itself shows you 26 pieces of information for each interface on your switch (or more, depending on the code version you are using).

    Rather than try to sift through all that, you can specify a particular interface to get those same 26 pieces of information for just the desired interface using the command show interfaces <intf> switchport.

    For the sake of brevity and relevance, the output below has been trimmed to just show the lines which relate to something discussed in this article. There is an example of the full output of this command later in this article.

    SwitchX# show interfaces Ethernet 0/1 switchport
    Switchport: Enabled
    Administrative Mode: static access
    Operational Mode: static access
    Administrative Trunking Encapsulation: negotiate
    Operational Trunking Encapsulation: native
    Negotiation of Trunking: Off
    Access Mode VLAN: 30 (BLUE)
    Trunking Native Mode VLAN: 1 (default)
    Trunking VLANs Enabled: ALL
    

    SwitchY# show interfaces Ethernet 2/2 switchport
    Switchport: Enabled
    Administrative Mode: trunk
    Operational Mode: trunk
    Administrative Trunking Encapsulation: dot1q
    Operational Trunking Encapsulation: dot1q
    Negotiation of Trunking: On	
    Access Mode VLAN: 1 (default)
    Trunking Native Mode VLAN: 3 (Inactive)
    Trunking VLANs Enabled: 20,30

    The description of each line in the output above follows.

    • Switchport: Enabled if the port is functioning as an L2 port; Disabled if the port is functioning as an L3 port.
    • Administrative Mode and Operational Mode: these two tell you how the switchport is configured and how the switchport is operating. In our case, we configured ports as access ports and trunk ports, and that is reflected above. But as alluded to before, there is a protocol called DTP which allows switchports to automatically negotiate becoming a trunk port. With DTP, you might have a particular Administrative mode set while the Operational mode reflects whether the switchport is actually acting as a trunk or access port. This will make more sense when we get into the specifics of DTP below.
    • Administrative Trunking Encapsulation and Operational Trunking Encapsulation: DTP not only negotiates trunk status, it also negotiates the encapsulation method. These two lines show you what encapsulation method is configured (Administrative) and what encapsulation method is negotiated (Operational).
    • Negotiation of Trunking: indicates the switchport’s participation in DTP. Again, this will make more sense below when we elaborate on DTP.
    • Access Mode VLAN: displays the VLAN membership if the port is configured or negotiated as an access port. Note that even our trunk port (SwitchY’s Eth 2/2) has an entry for this attribute, but it has no effect until the interface becomes an access port.
    • Trunking Native Mode VLAN: displays the Native VLAN setting for the port. Again, even an access port will have an entry for this setting (see SwitchX’s Eth0/1), but it will only have an effect if the interface is configured or negotiated as a trunk port.
    • Trunking VLANs Enabled: a reflection of the VLANs permitted via an Allowed VLAN list. Notice SwitchX’s trunk port was limited to just VLANs 20 and 30, and this is reflected in the output above.

    show interfaces status

    Typically, the show interfaces status command is associated with seeing whether devices are plugged into a switchport or not (connected vs notconnect in the Status column). However, this command can also reveal some information about the VLAN configuration of a switchport.

    Namely, if you see a number in the VLAN column, then the switchport is an access port in the listed VLAN. And if you see the word trunk, then the switchport is configured as a trunk port.

    SwitchX#   show interfaces status
    
    Port      Name               Status       Vlan       Duplex  Speed Type
    Et0/0                        connected    10           auto   auto unknown
    Et0/1                        connected    30           auto   auto unknown
    Et1/1                        connected    trunk        auto   auto unknown
    Et2/1                        connected    trunk        auto   auto unknown
    Et2/2                        connected    trunk        auto   auto unknown
    

    SwitchY# show interfaces status
    	
    Port      Name               Status       Vlan       Duplex  Speed Type
    Et0/2                        connected    10           auto   auto unknown
    Et0/3                        connected    30           auto   auto unknown
    Et1/1                        connected    trunk        auto   auto unknown
    

    Note, the output of the command show interfaces status above has been trimmed to focus on just the interfaces that were configured in this article.

     

    show spanning-tree

    The show spanning-tree command is most often associated with verifying the Spanning Tree Protocol, but it can also provide useful VLAN configuration information.

    Earlier we talked about show vlan brief, which provides information about interfaces configured as access ports. We also talked about show interfaces trunk, which provides information about interfaces configured as trunk ports. The show spanning-tree vlan <VLAN-ID#> command provides information on both access ports and trunk ports.

    Specifically, you can use this command to see every switchport a VLAN is exiting.

    SwitchX# show spanning-tree vlan 10
    
    Interface           Role Sts Cost      Prio.Nbr Type
    ------------------- ---- --- --------- -------- --------------------------------
    Et0/0               Desg FWD 100       128.1    Shr
    Et1/1               Desg FWD 100       128.6    Shr
    Et2/1               Desg FWD 100       128.10   Shr
    
    SwitchX# show spanning-tree vlan 20
    
    Interface           Role Sts Cost      Prio.Nbr Type
    ------------------- ---- --- --------- -------- --------------------------------
    Et1/1               Desg FWD 100       128.6    Shr
    Et2/1               Desg FWD 100       128.10   Shr
    Et2/2               Desg FWD 100       128.11   Shr
    
    SwitchX# show spanning-tree vlan 30
    
    Interface           Role Sts Cost      Prio.Nbr Type
    ------------------- ---- --- --------- -------- --------------------------------
    Et0/1               Desg FWD 100       128.2    Shr
    Et1/1               Desg FWD 100       128.6    Shr
    Et2/2               Desg FWD 100       128.11   Shr
    

    SwitchY# show spanning-tree vlan 10	
    
    Interface           Role Sts Cost      Prio.Nbr Type
    ------------------- ---- --- --------- -------- --------------------------------
    Et0/2               Desg FWD 100       128.3    Shr
    Et1/1               Root FWD 100       128.6    Shr
    
    SwitchY# show spanning-tree vlan 20
    
    Interface           Role Sts Cost      Prio.Nbr Type
    ------------------- ---- --- --------- -------- --------------------------------
    Et1/1               Root FWD 100       128.6    Shr
    
    
    SwitchY# show spanning-tree vlan 30
    
    Interface           Role Sts Cost      Prio.Nbr Type
    ------------------- ---- --- --------- -------- --------------------------------
    Et0/3               Desg FWD 100       128.4    Shr
    Et1/1               Root FWD 100       128.6    Shr
    

    We configured SwitchX with one access port in VLAN 10 (Eth0/0), and two trunk ports which are permitting VLAN 10 (Eth1/1 and Eth2/1). Looking at the output of the show spanning-tree vlan 10 command on SwitchX, we can see all three of the ports that VLAN 10 traffic is egressing.

    You won’t easily be able to determine whether the port is configured as an access port or a trunk port. But you will easily be able to determine which other devices a VLAN’s traffic is going to by comparing the output of show spanning-tree with that of show cdp neighbors:

    SwitchX# show cdp neighbors
    Capability Codes: R - Router, B - Source Route Bridge, S - Switch, I - IGMP
    	
    Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
    router2          Eth 2/2           172              R B   Linux Uni Eth 0/2
    router1          Eth 2/1           131              R B   Linux Uni Eth 0/1
    SwitchY          Eth 1/1           169             R S I  Linux Uni Eth 1/1
    

    SwitchY# show cdp neighbors	
    Capability Codes: R - Router, B - Source Route Bridge, S - Switch, I - IGMP
    
    Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
    SwitchX          Eth 1/1           143             R S I  Linux Uni Eth 1/1
    

    We can see that VLAN 10 on SwitchX is going to Router1 and SwitchY, as well as a third device (which we know is Host A, which isn’t participating in CDP). VLAN 20 on SwitchY is only going to SwitchX. Using these two commands in conjunction with each other is a great way to trace the L2 path through a network between two devices.

    Note, the output of the command show spanning-tree vlan <#> above has been trimmed to focus on just the features discussed in this article.

     

    Default Switchport Setting

    Finally, before configuring VLANs with the commands discussed in this article, it is important to know the starting point for each interface.

    Nearly all Cisco features come with a certain default configuration. These exist and are in place so that the device can perform (maybe with limited features, but nonetheless) without any configuration required.

    Knowing the default configuration is crucial to being an effective engineer: if you know how something behaves out of the box, you know exactly what needs to change to get it to work the way you want it to. To that end, we will spend some time discussing the default switch port configuration applied to Cisco switches.

    First, here is the output of show interfaces switchport for an unmodified interface. There are three items we must discuss from the output below:

    SwitchX# show interfaces eth0/2 switchport
    Name: Et0/2
    Switchport: Enabled
    Administrative Mode: dynamic auto
    Operational Mode: down
    Administrative Trunking Encapsulation: negotiate
    Operational Trunking Encapsulation: native
    Negotiation of Trunking: On
    Access Mode VLAN: 1 (default)
    Trunking Native Mode VLAN: 1 (default)
    Administrative Native VLAN tagging: enabled
    Voice VLAN: none
    Administrative private-vlan host-association: none
    Administrative private-vlan mapping: none
    Administrative private-vlan trunk native VLAN: none
    Administrative private-vlan trunk Native VLAN tagging: enabled
    Administrative private-vlan trunk encapsulation: dot1q
    Administrative private-vlan trunk normal VLANs: none
    Administrative private-vlan trunk associations: none
    Administrative private-vlan trunk mappings: none
    Operational private-vlan: none
    Trunking VLANs Enabled: ALL
    Pruning VLANs Enabled: 2-1001
    Capture Mode Disabled
    Capture VLANs Allowed: ALL
    
    Appliance trust: none
    

    Dynamic Trunking Protocol

    The first items we will discuss from the default switch port configuration above have to do with the Dynamic Trunking Protocol, or DTP. Take a look at these lines from the output above:

    Administrative Mode: dynamic auto
    Operational Mode: down

    As discussed before, the two modes correlate to the configured mode (administrative) and the negotiated mode (operational). The distinction exists as a result of the Dynamic Trunking Protocol (DTP).

    Cisco created DTP to further the idea of ‘plug and play’ switches. They created a protocol where if two switches were linked to each other, they could automatically determine whether their interlink should be a trunk port or an access port. It works based upon four modes an interface can be set to:

    • switchport mode dynamic desirable – actively attempt to negotiate trunk
    • switchport mode dynamic auto – passively attempt to negotiate trunk
    • switchport mode trunk – statically set as trunk
    • switchport mode access – statically set as access

    The configuration of both sides of the link determines whether the link will negotiate as a trunk port or an access port. The table below lists every possible combination.

    One side of Link    | Other side of Link  | Result
    --------------------+---------------------+------------------
    Dynamic Desirable   | Dynamic Desirable   | Trunk
    Dynamic Desirable   | Dynamic Auto        | Trunk
    Dynamic Desirable   | Static Trunk        | Trunk
    Dynamic Desirable   | Static Access       | Access
    Dynamic Auto        | Dynamic Auto        | Access
    Dynamic Auto        | Static Trunk        | Trunk
    Dynamic Auto        | Static Access       | Access
    Static Trunk        | Static Trunk        | Trunk
    Static Trunk        | Static Access       | Misconfiguration
    Static Access       | Static Access       | Access

    The issue with DTP is it provides a means for the other side of a link to modify the behavior of your side of the link. When you control both sides this might not seem like a terrible feature, but if you are ever in a situation where you only control your device, DTP gives too much power to the other side.

    As such, it is often recommended to avoid DTP automatically determining the trunk status and instead manually set a port as trunk or access using the commands we discussed earlier in this article (switchport mode trunk or switchport mode access).

    Even with the switch port mode statically set, however, your switch will still send DTP frames. This is how the other side knows how your side is configured. Again, if you own both sides the risk is negligible, but if you might not control the other side, then this is undesirable.

    You can disable the sending of DTP frames by also adding to the interface configuration this command: switchport nonegotiate. This will disable the periodic sending of DTP frames to advertise the switch port mode of the local switch.

    You can view whether a switch port has negotiation disabled in the output of the command above. The specific line which indicates it is the following:

    Negotiation of Trunking: On

    To summarize, the default DTP behavior of an unmodified interface is:

    • switchport mode dynamic auto
    • negotiation of DTP enabled

    This means the link will automatically become a trunk if the other side is configured with switchport mode dynamic desirable, or if the other side is configured with switchport mode trunk and switchport nonegotiate is not applied.

    Default Access Port Settings

    From the output above, the following line correlates to the access port configuration:

    Access Mode VLAN: 1 (default)

    Whether a switch port is statically set (or negotiated) as an access port or not, this attribute exists and is configurable via the switchport access vlan <#> command. Of course, it doesn’t affect the behavior of the switchport unless the switchport becomes an access port.

    A potential use case is if you are transitioning a port from a trunk port to an access port, you can “preset” the access-port VLAN so that once you apply the switchport mode access command, it is already in the appropriate VLAN.

    In any case, notice the default configuration has every switchport in VLAN 1.

    A switch is a device which facilitates communication within networks. You can take a Cisco switch and simply connect two hosts and everything will “just work”. It works because all the ports start in VLAN 1, so there is no L2 segregation between the switch ports in the switch’s default configuration. This lines up with Cisco’s goal of making their switches “plug and play”.

    Default Trunk Port Settings

    Lastly, the following lines in the output above correlate to the trunk port configuration:

    Administrative Trunking Encapsulation: negotiate
    Operational Trunking Encapsulation: native
    ...
    Trunking Native Mode VLAN: 1 (default)
    ...
    Trunking VLANs Enabled: ALL
    

    We discussed DTP earlier, but we did not mention that DTP also negotiates the encapsulation method.

    Administrative Trunking Encapsulation indicates whether DTP will determine the encapsulation method or whether it is statically set via the switchport trunk encapsulation command.

    Operational Trunking Encapsulation indicates the chosen or configured encapsulation method. If the port becomes a trunk port, there are only two options for this attribute: the ubiquitous 802.1q and the archaic ISL. On an access port, this line will display native (as above), indicating no VLAN tag will be added to traffic leaving this switch port.

    Trunking Native Mode VLAN indicates the Native VLAN on the port. Once again, this setting will only take place if the port becomes a trunk port. This setting can be modified with the switchport trunk native vlan <#> command.

    Trunking VLANs Enabled reflects the Allowed VLAN list applied to the port. ALL indicates no VLANs have been restricted from the trunk, and therefore every VLAN in the VLAN database will traverse down the trunk. As with the other trunk configurations, this has no effect if the port is in access mode.
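The DTP discussion and the default trunk settings above describe exactly what to look for when auditing a switch: ports still in dynamic mode, ports still sending DTP frames, and trunks that carry every VLAN. The script below is an added example (not part of the original article or any Cisco tool) that parses the show interfaces switchport output format shown above and flags those conditions; the two interfaces in SAMPLE_OUTPUT are constructed sample data.

```python
# Constructed sample in the format of "show interfaces switchport" (two
# interfaces: an unmodified port, then a statically configured trunk).
SAMPLE_OUTPUT = """\
Name: Et0/2
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: down
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL

Name: Et1/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: 20,30
"""

def parse_switchport(text):
    """Return {interface name: {field: value}} from show interfaces switchport output."""
    ports, current = {}, None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank line, or a line without a field (e.g. "Capture Mode Disabled")
        key, value = key.strip(), value.strip()
        if key == "Name":
            current = ports.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return ports

def audit_port(name, attrs):
    """Flag the settings this article warns about: DTP left in control, and open trunks."""
    findings = []
    mode = attrs.get("Administrative Mode", "")
    if mode.startswith("dynamic"):
        findings.append(f"{name}: mode '{mode}' lets the far side negotiate trunk/access")
    if attrs.get("Negotiation of Trunking", "").lower() == "on":
        findings.append(f"{name}: DTP frames still sent (missing switchport nonegotiate)")
    if mode == "trunk" and attrs.get("Trunking VLANs Enabled") == "ALL":
        findings.append(f"{name}: trunk carries every VLAN in the database (no allowed list)")
    return findings

def audit(text):
    return {n: audit_port(n, a) for n, a in parse_switchport(text).items()}
```

Feed it the full output of show interfaces switchport and any interface that returns an empty list already has its mode set statically, DTP silenced, and (for trunks) an allowed VLAN list applied.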


    Configuring VLANs — Summary

    This article is meant to follow the article discussing VLANs as a concept. The focus of this article was to understand the different configuration and verification commands that exist to modify or validate how a switch behaves with regard to its VLANs.

    As with all written guides, practice is key. We encourage you to build out the topology above in a lab or emulator (GNS3 / Packet-Tracer) and to practice configuring VLANs using the commands described above.

    If you want an additional challenge, build out the topology in the VLAN Challenge from the other article. Note, you will need to disable CDP and DTP on most of your interfaces to avoid warnings.

    If you are able to successfully build out that topology (as well as answer the two challenge questions in the previous article), then you can rest assured knowing you have mastered the concept of Configuring VLANs on Cisco switches.

    This article explains the knowledge necessary for these CCNA exam objectives:
    • 2.1 Configure and verify VLANs (normal range) spanning multiple switches
      • 2.1.a Access ports (data and voice)
      • 2.1.b Default VLAN
      • 2.1.c Connectivity
    • 2.2 Configure and verify interswitch connectivity
      • 2.2.a Trunk ports
      • 2.2.b 802.1Q
      • 2.2.c Native VLAN


    The Post was Awesome!!

    Hi, very helpful this post. I have a question, what software use to drar the network diagrams?.

    I meant “draw”

    Thanks for this great article, I have shared it on Facebook.

    Yes wonderful article. I have shared on FB as well! One question if you could be so kind to provide some insight. When you issue Switchport Trunk Allowed VLAN 20, 30 on an interface is the native VLAN automatically applied (say it’s still default VLAN 1) or do you need to also add it to the allowed list in order for the trunk to pass I tagged traffic?

    untagged*

    Nice article. Guess the routers may confuse some people as they are not to work like that without any L3 redundancy.

    Thanks so much for this great article! It really clarifies vlans in the Cisco world. Although I’ve worked with vlans, I’ve not worked with Cisco switches in years. Do you really have to add access ports one at a time? Is there a command to add a group of ports? Example using another vendor on a VoIP vlan:
    #conf vlan VoIP add ports 1:1-48 tagged
    Is there a similar command for Cisco switches? If not, it seems that adding access ports would be tedious on a switch stack.

    Thank you, Ed! That is awesome – and a relief.

    Mate article is amazing and so so helpful thank you. One thing – above the ‘show interfaces status’ heading, you’ve repeated the quick intro paragraph, probs should be deleted. It’s like –

    intro paragraph incorrectly placed
    ‘show interfaces status’ heading
    repeated intro paragraph but correctly placed

    Thanks again, it will be you I thank in my CCNA acceptance speech!

    Hi, great tutorial! Somehow I can’t get “Switch(config-if)# switchport trunk encapsulation dot1q” done in my switch. I just got 2 choices, which are access/native, after I typed “Switch(config-if)# switchport trunk”; it doesn’t link to “encapsulation dot1q”. Any thought?

    This is great. Can I get a copy of the same in my email?

    Hello Ed Harmoush

    I have the following query: what will happen if the frame comes to an access port, and what will happen if the same frame comes to a trunk port?

    e.g. the access port will retag the frame with the number of the VLAN that has been assigned to it (for example vlan access 10), or will it drop the packet?

    Informative article, exactly what I was looking for.

    It helped me a lot, thank you very much.

    In the description of the show interface trunk cmd, Vlan 1 is not showing in the allowed vlan as well as in the Vlan active in management domain section for the ports Et2/1 and 2/2. Reason?

    Hello Ed Harmoush,

    Thank you for this wonderful article and great explanation. One thing – Under the heading “Show interfaces switchport” there is a table which describe each line of output. In the last row “Notice SwitchX’s trunk port was limited to just VLANs 20 and 30, and this is reflected in the output above.” I think that’s not SwitchX’ trunk port that’s SwitchY’s trunk port. Thank you.

    Great post

    Great post! Very helpful. Good job.

    I found this article to be very informative, thank you for this. I see it’s a couple years old already, yet still relevant.

    Informative thread. Thanks for sharing…