We’ve before written about VLANs and what they can do as a concept. This article will focus on configuring VLANs on Cisco switches.
We will look at each command necessary to configure the topology below. If this topology looks familiar, it is because you saw it in the article which described how VLANs operated on a conceptual level.
We will first look at what goes into configuring the access ports in the topology above, followed by what goes into configuring the trunk ports. Then we will look at some verification and show
commands to validate what is configured. Finally, we will look at the default configuration for a switch port, so we know our starting point when we are applying the commands we discuss.
Contents: Configuring VLANs on Cisco Switches
Access Ports
An access port is a switch port that is a member of only one VLAN. There are two parts to configuring an access port: creating the VLAN in the switch’s VLAN Database and assigning the switch port to a VLAN.
Creating the VLAN in the VLAN Database
Before a switch will accept or forward traffic for a VLAN, the VLAN must exist in the switch’s VLAN Database. Adding a VLAN to the VLAN database requires only one command:
SwitchX(config)# vlan 10
From this point, you can also optionally name the VLAN. While not explicitly necessary for traffic to flow, it is best practice to provide a name for each VLAN. This will make the VLAN easier to identify.
To name a VLAN, simply use the name
; command directly after creating it.
SwitchX(config-vlan)# name RED
For VLAN 20, we will create and name the VLAN on SwitchX:
SwitchX(config)# vlan 20 SwitchX(config-vlan)# name ORANGE
show
commands used to determine if a VLAN has already been created.
Assigning the Switchport to a VLAN
Now that the VLAN is in the VLAN database, we can configure a switch port to be an access port for a particular VLAN. There are two commands within the interface configuration mode for this step:
SwitchX(config)# interface Ethernet 0/0 SwitchX(config-if)# switchport mode access SwitchX(config-if)# switchport access vlan 10
The switchport mode access
command sets the port as an access port, and the switchport access vlan <#>
command designates the port as a member of VLAN 10.
Some versions of Cisco switches automatically create the VLAN in the VLAN Database when you assign an access port to a VLAN:
SwitchX(config)# interface Ethernet 0/1 SwitchX(config-if)# switchport mode access SwitchX(config-if)# switchport access vlan 30 % Access VLAN does not exist. Creating vlan 30
However, it is not recommended that you depend on this. Some switches will do it, some will not. Some switches will not create the VLAN and also not report any errors, leaving you confused as to why traffic might not be flowing. Moreover, this creates the VLAN with a generic name – the name for VLAN 30 above defaults to VLAN0030
, which is not very helpful.
As such, we always recommend to create and name a VLAN before assigning it anywhere. If you happen to forget to name it first, you can always update the name of a VLAN in that database after the fact:
SwitchX(config)# vlan 30 SwitchX(config-vlan)# name BLUE
In summary, the two steps to configure an access port:
- Create and optionally (but ideally) name the VLAN
- Set a switch port as an access port and designate it as a member of a VLAN
Both steps will also need to be accomplished for each VLAN and switch port on SwitchY. First we will create and name each VLAN:
SwitchY(config)# vlan 10 SwitchY(config-vlan)# name RED SwitchY(config-vlan)# exit SwitchY(config)# vlan 20 SwitchY(config-vlan)# name ORANGE SwitchY(config-vlan)# exit SwitchY(config)# vlan 30 SwitchY(config-vlan)# name BLUE SwitchY(config-vlan)# exit
Then we will set Eth0/2 and Eth0/3 as access ports in VLANs 10 and 30, respectively:
SwitchY(config)# interface Ethernet 0/2 SwitchY(config-if)# switchport mode access SwitchY(config-if)# switchport access vlan 10 SwitchY(config-if)# exit SwitchY(config)# interface Ethernet 0/3 SwitchY(config-if)# switchport mode access SwitchY(config-if)# switchport access vlan 30 SwitchY(config-if)# exit
The commands above created the following configuration in the running-configuration
for each switch:
SwitchX# show running-config ... vlan 10 name RED ! vlan 20 name ORANGE ! vlan 30 name BLUE ... interface Ethernet0/0 switchport access vlan 10 switchport mode access ! interface Ethernet0/1 switchport access vlan 30 switchport mode access ...
SwitchY# show running-config ... vlan 10 name RED ! vlan 20 name ORANGE ! vlan 30 name BLUE ... interface Ethernet0/2 switchport access vlan 10 switchport mode access ! interface Ethernet0/3 switchport access vlan 30 switchport mode access ...
vlan.dat
). To force the configuration to appear in your running-configuration
, use the command vtp mode transparent
. Beyond that, VTP’s operation is outside the scope of this article.
Trunk Ports
As discussed before, a trunk port is a switch port that is carrying more than one VLAN.
Traffic traversing a trunk port is still in the form of 1
s and 0
s. To designate which 1
s and 0
s belong to which VLANs, a VLAN Tag is added to all traffic leaving a trunk port. The 802.1q standard specifies the ubiquitous format for the VLAN tag.
Creating a trunk port involves only one command:
SwitchY(config)# interface Ethernet1/1 SwitchY(config-if)# switchport mode trunk
Just like switchport mode access
set the port as an access port, switchport mode trunk
will set the port as a trunk port.
Some switches support more than one method for adding the VLAN tag. Namely, some switches support the antiquated ISL method of VLAN tagging. Before these switches allow you to set a port as a trunk port, they force you to set a tagging method, also called an encapsulation method:
SwitchX(config)# interface Ethernet1/1 SwitchX(config-if)# switchport mode trunk Command rejected: An interface whose trunk encapsulation is "Auto" can not be configured to "trunk" mode.
For these switches, you simply use the switchport trunk encapsulation dot1q
command before setting the switchport as a trunk port:
SwitchX(config)# interface Ethernet1/1 SwitchX(config-if)# switchport trunk encapsulation dot1q SwitchX(config-if)# switchport mode trunk
We will also configure Eth2/1 and Eth2/2 on SwitchX as trunk ports:
SwitchX(config)# interface Ethernet 2/1 SwitchX(config-if)# switchport trunk encapsulation dot1q SwitchX(config-if)# switchport mode trunk SwitchX(config-if)# exit SwitchX(config)# interface Ethernet 2/2 SwitchX(config-if)# switchport trunk encapsulation dot1q SwitchX(config-if)# switchport mode trunk SwitchX(config-if)# exit
This is all you need to create a trunk port. With the configuration above, the switch will forward traffic from all VLANs in the VLAN Database out the configured trunk port.
That being said, there are some additional helpful settings you can apply to a trunk port to modify the default behavior. We will discuss two of them in the sections that follow.
Native VLAN
The Native VLAN is the one VLAN on a trunk port which is allowed to remain untagged. By default, this is set to VLAN 1, but this can be changed by an administrator.
To set the Native VLAN, you use this command:
SwitchX(config)# interface Ethernet 1/1 SwitchX(config-if)# switchport trunk native vlan 2
After setting this command, any time SwitchX is sending traffic on VLAN 2 out the trunk port Eth1/1, it will do so without adding a VLAN tag. Moreover, anytime SwitchX receives untagged traffic on trunk port Eth1/1, SwitchX will assign that traffic to VLAN 2.
An important point to remember: both switches on either end of the same trunk must have the same Native VLAN. Otherwise, you easily run the risk of a host in one VLAN being able to communicate with a host in another VLAN.
Therefore, we will set the same Native VLAN on SwitchY:
SwitchY(config)# interface Ethernet 1/1 SwitchY(config-if)# switchport trunk native vlan 2
We will also set another VLAN as the Native VLAN for Eth2/1 and Eth2/2 ports, facing Router1 and Router2, respectively. This is to show that the Native VLAN configuration is a per-interface configuration, not a per-device configuration. But keep in mind, in most deployments the Native VLAN is typically consistent across all ports.
SwitchX(config)# interface Ethernet 2/1 SwitchX(config-if)# switchport trunk native vlan 3 SwitchX(config-if)# exit SwitchX(config)# interface Ethernet 2/2 SwitchX(config-if)# switchport trunk native vlan 3 SwitchX(config-if)# exit
Allowed VLAN List
By default, when an interface is set as a trunk port, traffic from all the VLANs in the VLAN database is forwarded out that switch port.
There are times, however, where it is wise to limit which VLAN’s traffic is traversing a particular trunk. This can be done by applying what is known as an Allowed VLAN list. An Allowed VLAN list allows the administrator to manually select which VLANs are traversing a trunk port.
Take a look at the illustration. Notice that the trunk port to Router1 is only processing traffic for VLAN 10 and 20, but if the trunk port is left to its default behavior, SwitchX will be forwarding traffic to Router1 from VLANs 10, 20, and 30. The VLAN 30 traffic will simply be dropped by Router1, but it does needlessly add congestion to the link.
To solve this, we will add an Allowed VLAN list to Eth2/1 on SwitchX to restrict which VLANs are traversing the trunk port:
SwitchX(config)# interface Ethernet 2/1 SwitchX(config-if)# switchport trunk allowed vlan 10,20
This will limit the VLANs which are traversing the trunk port to Router1 to only the VLANs which actually need to be on that link.
The trunk port to Router2 can also be limited to only carry traffic for VLAN 20 and 30. Below is another way of applying an Allowed VLAN list which shows how to add VLANs to the list after initially creating it:
SwitchX(config)# interface Ethernet 2/2 SwitchX(config-if)# switchport trunk allowed vlan 20 SwitchX(config-if)# switchport trunk allowed vlan add 30
Notice the important keyword add
in the second command above. This instructs the switch to add VLAN 30 traffic to whatever VLANs are already allowed on the link.
Had the keyword add
been omitted, the switch will have replaced the current Allowed VLAN List (which was allowing just VLAN 20) with the new one (which was allowing just VLAN 30). If Router1 was the gateway for the traffic in VLAN 20, all that traffic would now be dropped – creating a decidedly poor experience for the users in that VLAN.
As such, it is very important to either apply the full list of VLANs in one command (as in the first example), or to use the add
command to add VLANs to the current allowed VLAN list.
You also have the option of using the remove
keyword to remove individual VLANs from the allowed VLAN list.
In fact, the remove
keyword provides one more way to apply an allowed VLAN list to a trunk port. Take a look at the link between SwitchX and SwitchY. Notice VLAN 20 does not need to be traversing that link.
Rather than simply adding an Allowed VLAN list with VLANs 10 and 30, you can also simply remove VLAN 20 from the default configuration. We’ll show you how it works with the trunk port between the switches (Eth1/1):
SwitchX(config)# interface Ethernet1/1 SwitchX(config-if)# switchport trunk allowed vlan remove 20
This automatically applies an Allowed VLAN list for every VLAN except VLAN 20:
SwitchX# show running-config interface Ethernet 1/1 interface Ethernet1/1 switchport trunk encapsulation dot1q switchport trunk native vlan 2 switchport trunk allowed vlan 1-19,21-4094 switchport mode trunk end
Since the default trunk port behavior was to allow all VLANs, removing VLAN 20 caused the switch to apply an Allowed VLAN list which included every VLAN (1 – 4094), except VLAN 20.
That said, this is typically not the way you would apply a new Allowed VLAN list to an interface – the remove
keyword is more often used to remove individual VLANs from an already added Allowed VLAN list. We will remove the Allowed VLAN list on Eth1/1, and leave that port configured as a default trunk port – allowing traffic for all VLANs to traverse the trunk:
SwitchX(config)# interface Ethernet1/1 SwitchX(config-if)# no switchport trunk allowed vlan
The commands above created the following configuration in the running-configuration
for each switch:
SwitchX# show running-config ... interface Ethernet1/1 switchport trunk encapsulation dot1q switchport trunk native vlan 2 switchport mode trunk ! interface Ethernet2/1 switchport trunk encapsulation dot1q switchport trunk native vlan 3 switchport trunk allowed vlan 10,20 switchport mode trunk ! interface Ethernet2/2 switchport trunk encapsulation dot1q switchport trunk native vlan 3 switchport trunk allowed vlan 20,30 switchport mode trunk ! ...
SwitchY# show running-config ... interface Ethernet1/1 switchport trunk encapsulation dot1q switchport trunk native vlan 2 switchport mode trunk ! ...
Show Commands
The commands above explain the steps for configuring VLANs on Cisco Switches. The output at the end of each section displayed the way the configurations appears in the running-configuration
. However, the running-configuration
will only show how a device is configured – it will not show how a device operates.
This is an important distinction – a talented network engineer needs to not only know how to configure VLANs, but also how to validate their operation as well. To that end, we will discuss five show
commands that can be used to verify a device’s operation – how it is actually handling traffic.
- show vlan brief
- show interfaces trunk
- show interfaces switchport
- show interfaces status
- show spanning-tree
show vlan brief
The show vlan brief
command provides two main pieces of information:
- The VLANs which exist in the switch’s VLAN Database
- The access ports configured in each VLAN
Here is what the output from both our switches:
SwitchX# show vlan brief VLAN Name Status Ports ---- -------------------------------- --------- ------------------------------- 1 default active Et0/2, Et0/3, Et1/0, Et1/2 Et1/3, Et2/0, Et2/3, Et3/0 Et3/1, Et3/2, Et3/3 10 RED active Et0/0 20 ORANGE active 30 BLUE active Et0/1
SwitchY# show vlan brief VLAN Name Status Ports ---- -------------------------------- --------- ------------------------------- 1 default active Et0/0, Et0/1, Et1/0, Et1/2 Et1/3, Et2/0, Et2/1, Et2/2 Et2/3, Et3/0, Et3/1, Et3/2 Et3/3 10 RED active Et0/2 20 ORANGE active 30 BLUE active Et0/3
For both switches, the command displays VLANs 1, 10, 20, and 30. These are the only VLANs that were created in the VLAN database. Should the switch receive traffic tagged for a VLAN other than these, that traffic will be discarded.
For each VLAN, the VLAN’s name is also provided. Notice VLANs 10, 20, and 30 are named RED
, ORANGE
, and BLUE
, respectively.
Also notice VLAN 1 exists and is named default
, despite us not explicitly creating it. This is because VLAN 1 is the default configuration that every switch port starts out in. The switch will not allow you to delete VLAN 1 or change its name.
The Status
column reflects whether the VLAN is active on the switch. A VLAN can become inactive for two reasons. The first is explicitly using the shutdown
command within the VLAN configuration mode. The second is a VLAN existing in the database, but having no access ports or trunk ports utilizing that VLAN.
On the far right of output, under the Ports
column, you get a list of each access port in each VLAN. We configured SwitchX’s Eth0/0 interface in VLAN 10, and the output reflects that. Also notice the port Eth1/1 is nowhere to be found. This is because Eth1/1 was configured as a trunk port, and will not be visible in the output of show vlan brief
.
show interfaces trunk
If show vlan brief
is the go-to command to show you information about access ports on a switch, then show interfaces trunk
is the go-to command to show you information about trunk ports on a switch.
There are four sections to the output of this command. To the untrained eye, it might appear like some of the information is duplicate – but this is not the case.
SwitchX# show interfaces trunk Port Mode Encapsulation Status Native vlan Et1/1 on 802.1q trunking 2 Et2/1 on 802.1q trunking 3 Et2/2 on 802.1q trunking 3 Port Vlans allowed on trunk Et1/1 1-4094 Et2/1 10,20 Et2/2 20,30 Port Vlans allowed and active in management domain Et1/1 1,10,20,30 Et2/1 10,20 Et2/2 20,30 Port Vlans in spanning tree forwarding state and not pruned Et1/1 1,10,20,30 Et2/1 10,20 Et2/2 20,30
SwitchY# show interfaces trunk Port Mode Encapsulation Status Native vlan Et1/1 on 802.1q trunking 2 Port Vlans allowed on trunk Et1/1 1-4094 Port Vlans allowed and active in management domain Et1/1 1,10,20,30 Port Vlans in spanning tree forwarding state and not pruned Et1/1 1,10,20,30
The first section of the output lists each interface which is operationally behaving like a trunk port. This will make more sense a little later in the article when we discuss a mechanism that lets a switch port automatically determine whether it should be a trunk port. In the case above, we explicitly configured ports Eth1/1, Eth2/1, and Eth2/2 on SwitchX and port Eth1/1 on SwitchY as trunk ports.
The first section also lists what method of Encapsulation is in use (i.e., what method of VLAN tagging), as well as the VLAN configured as the Native VLAN for each trunk.
The second section, labeled Vlans allowed on trunk
, is a reflection of which VLANs have made it through any configured Allowed VLAN lists on each trunk port. On SwitchX, we created two Allowed VLAN lists, one allowing VLAN 10 and 20 on Eth2/1, and another allowing VLANs 20 and 30 on Eth2/2. Interface Eth1/1 did not have any VLANs restricted, so therefore all possible VLANs are listed as allowed on the trunk port – VLANs IDs can only be 1 – 4094.
The third section, labeled Vlans allowed and active in management domain
, is a combination of the section before it (Vlans allowed on trunk
) and the VLANs which are created in the VLAN database (i.e., visible in show vlan brief
). Despite all VLANs being allowed on Eth1/1 (as indicated by the 1-4094 in the second section), only VLANs 1, 10, 20, and 30 exist in the VLAN database.
The fourth section, labeled Vlans in spanning tree forwarding state and not pruned
, is a combination of the last two sections and the ports the Spanning Tree Protocol deems as safe to forward traffic.
The Spanning Tree Protocol (STP) exists to ensure the L2 domain does not contain any loops. If any are detected, those ports are disabled. In our topology, there are no loops, so the output of the fourth section looks identical to the output of the third section because STP did not disable any ports. STP is a fascinating protocol, but its operation is outside the scope of this article – it will be the subject of a future article.
show interfaces switchport
The show interfaces switchport
command can give you an overwhelming amount of information. Using the command by itself shows you 26 pieces of information for each interface on your switch (or more, depending on the code version you are using).
Rather than try to sift through all that, you can specify a particular interface to get those same 26 pieces of information for just the desired interface using the command show interfaces <intf> switchport
.
For the sake of brevity and relevance, the output below has been trimmed to just show the lines which relate to something discussed in this article. There is an example of the full output of this command later in this article.
SwitchX# show interfaces Ethernet 0/1 switchport Switchport: Enabled Administrative Mode: static access Operational Mode: static access Administrative Trunking Encapsulation: negotiate Operational Trunking Encapsulation: native Negotiation of Trunking: Off Access Mode VLAN: 30 (BLUE) Trunking Native Mode VLAN: 1 (default) Trunking VLANs Enabled: ALL
SwitchY# show interfaces Ethernet 2/2 switchport Switchport: Enabled Administrative Mode: trunk Operational Mode: trunk Administrative Trunking Encapsulation: dot1q Operational Trunking Encapsulation: dot1q Negotiation of Trunking: On Access Mode VLAN: 1 (default) Trunking Native Mode VLAN: 3 (Inactive) Trunking VLANs Enabled: 20,30
The description of each line in the output above is in the table that follows.
Line(s) | Description |
Switchport |
Enabled if the port is functioning as a L2 port. Disabled if the port is functioning as a L3 port. |
Administrative Mode and Operational Mode |
These two tell you how the switchport is configured and how the switchport is operating. In our case, we configured ports as access Ports and trunk Ports and they are reflected above. But as alluded to before, there is a protocol called DTP which allows switchports to automatically negotiate becoming a trunk port. In DTP’s case, you might have a particular Administrative mode set and the Operational mode will reflect whether the switchport is actually acting as a trunk or access port. This will make more sense when we get into the specifics of DTP below. |
Administrative Trunking Encapsulation and Operational Trunking Encapsulation |
DTP not only negotiates trunk status, it also negotiates encapsulation method. These two commands show you what encapsulation method is configured (Administrative) and what encapsulation method is negotiated (Operational). |
Negotiation of Trunking |
This indicates the switchport’s participation in DTP. Again, it will again make more sense below when we elaborate on DTP. |
Access Mode VLAN |
This displays the VLAN membership if the port is configured or negotiated as an access port. Note that even our trunk port (SwitchY’s Eth 2/2) has an entry for this attribute, but it doesn’t have an effect until the interface becomes an access port. |
Trunking Native VLAN |
This displays the Native VLAN setting for the port. Again, even an access port will have an entry for this setting (see SwitchX’s Eth0/1), but it will only have an effect if the interface is configured or negotiated as a trunk port. |
Trunking VLANs Enabled |
This is a reflection of the VLANs permitted via an Allowed VLAN list. Notice SwitchX’s trunk port was limited to just VLANs 20 and 30, and this is reflected in the output above. |
show interfaces status
Typically, the show interfaces status
command is associated with seeing whether devices are plugged into a switchport or not (connected
vs notconnect
in the Status
column). However, this command can also reveal some information about the VLAN configuration of a switchport.
Namely, if you see a number in the VLAN column, then the switchport is an access Port in the provided VLAN. And if you see the word trunk
, then the switchport is configured as a trunk port.
SwitchX# show interfaces status Port Name Status Vlan Duplex Speed Type Et0/0 connected 10 auto auto unknown Et0/1 connected 30 auto auto unknown Et1/1 connected trunk auto auto unknown Et2/1 connected trunk auto auto unknown Et2/2 connected trunk auto auto unknown
SwitchY# show interfaces status Port Name Status Vlan Duplex Speed Type Et0/2 connected 10 auto auto unknown Et0/3 connected 30 auto auto unknown Et1/1 connected trunk auto auto unknown
show interfaces status
above has been trimmed to focus on just the interfaces that were configured in this article.
show spanning-tree
The show spanning-tree
command is obviously mostly associated with verifying the Spanning Tree Protocol, but it can also provide useful VLAN configuration information.
Earlier we talked about show vlan brief
, which provides information about interfaces configured as access ports. We also talked about show interfaces trunk
, which provides information about interfaces configured as trunk ports. The show spanning-tree vlan <VLAN-ID#>
command provides information on both access ports and trunk ports.
Specifically, you can use this command to see every switchport a VLAN is exiting.
SwitchX# show spanning-tree vlan 10 Interface Role Sts Cost Prio.Nbr Type ------------------- ---- --- --------- -------- -------------------------------- Et0/0 Desg FWD 100 128.1 Shr Et1/1 Desg FWD 100 128.6 Shr Et2/1 Desg FWD 100 128.10 Shr SwitchX# show spanning-tree vlan 20 Interface Role Sts Cost Prio.Nbr Type ------------------- ---- --- --------- -------- -------------------------------- Et1/1 Desg FWD 100 128.6 Shr Et2/1 Desg FWD 100 128.10 Shr Et2/2 Desg FWD 100 128.11 Shr SwitchX# show spanning-tree vlan 30 Interface Role Sts Cost Prio.Nbr Type ------------------- ---- --- --------- -------- -------------------------------- Et0/1 Desg FWD 100 128.2 Shr Et1/1 Desg FWD 100 128.6 Shr Et2/2 Desg FWD 100 128.11 Shr
SwitchY# show spanning-tree vlan 10 Interface Role Sts Cost Prio.Nbr Type ------------------- ---- --- --------- -------- -------------------------------- Et0/2 Desg FWD 100 128.3 Shr Et1/1 Root FWD 100 128.6 Shr SwitchY# show spanning-tree vlan 20 Interface Role Sts Cost Prio.Nbr Type ------------------- ---- --- --------- -------- -------------------------------- Et1/1 Root FWD 100 128.6 Shr SwitchY# show spanning-tree vlan 30 Interface Role Sts Cost Prio.Nbr Type ------------------- ---- --- --------- -------- -------------------------------- Et0/3 Desg FWD 100 128.4 Shr Et1/1 Root FWD 100 128.6 Shr
We configured SwitchX with one access port in VLAN 10 (Eth0/0), and two trunk ports which are permitting VLAN 10 (Eth1/1 and Eth2/1). Looking at the output of the show spanning-tree vlan 10
command on SwitchX, we can see all three of the ports that VLAN 10 traffic is egressing.
You won’t easily be able to determine whether the port is configured as an access port or a trunk port. But you will be able to easily determine to what other devices a VLAN’s traffic is going to by comparing the output of show spanning-tree
to show cdp neighbors
:
SwitchX# show cdp neighbors Capability Codes: R - Router, B - Source Route Bridge, S - Switch, I - IGMP Device ID Local Intrfce Holdtme Capability Platform Port ID router2 Eth 2/2 172 R B Linux Uni Eth 0/2 router1 Eth 2/1 131 R B Linux Uni Eth 0/1 SwitchY Eth 1/1 169 R S I Linux Uni Eth 1/1
SwitchY# show cdp neighbors Capability Codes: R - Router, B - Source Route Bridge, S - Switch, I - IGMP Device ID Local Intrfce Holdtme Capability Platform Port ID SwitchX Eth 1/1 143 R S I Linux Uni Eth 1/1
We can see that VLAN 10 on SwitchX is going to Router1 and SwitchY, as well as a third device (which we know is Host A, who isn’t participating in CDP). VLAN 20 on SwitchY is only going to SwitchX. Using these two commands in conjunction with each other is a great way to trace the L2 path through a network between two devices.
show spanning-tree vlan <#>
above has been trimmed to focus on just the features discussed in this article.
Default Switchport Setting
Finally, before configuring VLANs with the commands discussed in this article, it is important to know the starting point for each interface.
Nearly all Cisco features come with a certain default configuration. These exist and are in place so that the device can perform (maybe with limited features, but nonetheless) without any configuration required.
Knowing the default configuration is crucial to be an effective engineer because if you know how something works innately, you know exactly what needs to change to get it to work the way you want it to. To that end, we will spend some time discussing the default switch port configuration applied to Cisco switches.
First, here is the output of show interfaces switchport
for an unmodified interface. There are three items we must discuss from the output below:
SwitchX# show interfaces eth0/2 switchport Name: Et0/2 Switchport: Enabled Administrative Mode: dynamic auto Operational Mode: down Administrative Trunking Encapsulation: negotiate Operational Trunking Encapsulation: native Negotiation of Trunking: On Access Mode VLAN: 1 (default) Trunking Native Mode VLAN: 1 (default) Administrative Native VLAN tagging: enabled Voice VLAN: none Administrative private-vlan host-association: none Administrative private-vlan mapping: none Administrative private-vlan trunk native VLAN: none Administrative private-vlan trunk Native VLAN tagging: enabled Administrative private-vlan trunk encapsulation: dot1q Administrative private-vlan trunk normal VLANs: none Administrative private-vlan trunk associations: none Administrative private-vlan trunk mappings: none Operational private-vlan: none Trunking VLANs Enabled: ALL Pruning VLANs Enabled: 2-1001 Capture Mode Disabled Capture VLANs Allowed: ALL Appliance trust: none
Dynamic Trunking Protocol
The first items we will discuss from the default switch port configuration above have to do with the Dynamic Trunking Protocol, or DTP. Take a look at these lines from the output above:
Administrative Mode: dynamic auto Operational Mode: down
As discussed before, the two modes correlate to the configured mode (administrative
) and the negotiated mode (operational
). The distinction exists as a result of the Dynamic Trunking Protocol (DTP).
Cisco created DTP to further the idea of ‘plug and play’ switches. They created a protocol where if two switches were linked to each other, they could automatically determine whether their interlink should be a trunk port or an access port. It works based upon four modes an interface can be set to:
switchport mode dynamic desirable
– actively attempt to negotiate trunkswitchport mode dynamic auto
– passively attempt to negotiate trunkswitchport mode trunk
– statically set as trunkswitchport mode access
– statically set as access
The configuration of both sides of the link will determine whether the link will negotiate as a trunk port or an access port. The table below lists every possible combination
One side of Link | Other side of Link | Result |
---|---|---|
Dynamic Desirable | Dynamic Desirable | Trunk |
Dynamic Desirable | Dynamic Auto | Trunk |
Dynamic Desirable | Static Trunk | Trunk |
Dynamic Desirable | Static Access | Access |
Dynamic Auto | Dynamic Auto | Access |
Dynamic Auto | Static Trunk | Trunk |
Dynamic Auto | Static Access | Access |
Static Trunk | Static Trunk | Trunk |
Static Trunk | Static Access | Misconfiguration |
Static Access | Static Access | Access |
The issue with DTP is it provides a means for the other side of a link to modify the behavior of your side of the link. When you control both sides this might not seem like a terrible feature, but if you are ever in a situation where you only control your device, DTP gives too much power to the other side.
As such, it is often recommended to avoid DTP automatically determining the trunk status and instead manually set a port as trunk or access using the commands we discussed earlier in this article (switchport mode trunk
or switchport mode access
).
Even with the switch port mode statically set, however, your switch will still send DTP frames. This is how the other side knows how your side is configured. Again, if you own both sides the risk is negligible, but if you might not control the other side, then this is undesirable.
You can disable the sending of DTP frames by also adding to the interface configuration this command: switchport nonegotiate
. This will disable the periodic sending of DTP frames to advertise the switch port mode of the local switch.
You can view whether a switch port has negotiation disabled in the output of the command above. The specific line which indicates it is the following:
Negotiation of Trunking: On
To summarize, the default DTP behavior of an unmodified interface is:
- switchport mode dynamic auto
- negotiation of DTP enabled
Which means the link will automatically become a trunk if the other side is configured with switchport mode dynamic desirable
or if the other side is configured with switchport mode trunk
and switchport nonegotiate
is not applied.
Default Access Port Settings
From the output above, the following line correlates to the access port configuration:
Access Mode VLAN: 1 (default)
Whether a switch port is statically set (or negotiated) as an access port or not, this attribute exists and is configurable via the switchport access vlan <#>
command. Of course, it doesn’t affect the behavior of the switchport unless the switchport becomes an access port.
A potential use case is if you are transitioning a port from a trunk port to an access port, you can “preset” the access-port VLAN so that once you apply the switchport mode access command, it is already in the appropriate VLAN.
In any case, notice the default configuration has every switchport in VLAN 1.
A switch is a device which facilitates communication within networks. You can take a Cisco switch and simply connect two hosts and everything will “just work”. It will do so because all the ports start in VLAN 1, so that there is no L2 segregation between the switch ports on switch’s default configuration. This lines up with Cisco’s goal of making their switches “plug and play”.
Default Trunk Port Settings
Lastly, the following lines in the output above correlate to the trunk port configuration:
Administrative Trunking Encapsulation: negotiate Operational Trunking Encapsulation: native ... Trunking Native Mode VLAN: 1 (default) ... Trunking VLANs Enabled: ALL
We discussed DTP earlier, but we did not mention that DTP also negotiates the encapsulation method.
Administrative Trunking Encapsulation
indicates whether DTP will determine the encapsulation method or whether it is statically set via the switchport trunk encapsulation
command.
Operational Trunking Encapsulation
indicates the chosen or configured encapsulation method. If the port becomes a trunk port, there are only two options for this attribute: the ubiquitous 802.1q and the archaic ISL. On an access port, this line will display native
(as above), indicating no VLAN tag will be added to traffic leaving this switch port.
Trunking Native Mode VLAN
indicates the Native VLAN on the port. Once again, this setting will only take place if the port becomes a trunk port. This setting can be modified with the switchport trunk native vlan <#>
command.
Trunking VLANs Enabled
reflects the Allowed VLAN list applied to the port. ALL
indicates no VLANs have been restricted from the trunk, and therefore every VLAN in the VLAN database will traverse down the trunk. As with the other trunk configurations, this has no effect if the port is in access mode.
Configuring VLANs — Summary
This article is meant to follow the article discussing VLANs as a concept. The focus of this article was to understand the different configuration and verification commands that exist to modify or validate how a switch is behaving in regards to its VLANs.
As with all written guides, practice is key. We encourage you to build out the topology above in a lab or emulator (GNS3 / Packet-Tracer) and to practice configuring VLANs using the commands described above.
If you want an additional challenge, build out the topology in the VLAN Challenge from the other article. Note, you will need to disable CDP and DTP on most of your interfaces to avoid warnings.
If you are able to successfully build out that topology (as well as answer the two challenge questions in the previous article), then you can rest assured knowing you have mastered the concept of Configuring VLANs on Cisco switches.
Configuring VLANs on Cisco Switches – Contents:
- 2.1 Configure and verify VLANs (normal range) spanning multiple switches
- 2.1.a Access ports (data and voice)
- 2.1.b Default VLAN
- 2.1.c Connectivity
- 2.2 Configure and verify interswitch connectivity
- 2.2.a Trunk ports
- 2.2.b 802.1Q
- 2.2.c Native VLAN
The Post was Awesome!!
Hi, very helpful this post. I have a question, what software use to drar the network diagrams?.
I meant “draw”
Hi Cesar, glad you enjoyed the post. I draw and animate everything in PowerPoint (don’t laugh! ;p). If I need clipart, I grab them from openclipart.org.
Thanks for this great article, I have shared it on Facebook.
Thanks for the share! I’m glad you liked the article!
Yes wonderful article. I have shared on FB as well! One question if you could be so kind to provide some insight. When you issue Switchport Trunk Allowed VLAN 20, 30 on an interface is the native VLAN automatically applied (say it’s still default VLAN 1) or do you need to also add it to the allowed list in order for the trunk to pass I tagged traffic?
untagged*
Hi Brandon,
Good Question. It is best to think of the Native VLAN and the Allowed VLAN List as two independent functions.
The Native VLAN configuration determines which VLAN traverses a Trunk link without a VLAN Tag. The Allowed VLAN List determines which VLANs are allowed to traverse a trunk.
If the Allowed VLAN List is only allowing VLAN 20 and 30, then only those VLANs can traverse the trunk. The Native VLAN happens to be 10, then it will not be allowed across the trunk.
Hope this helps!
Nice article. Guess the routers may confuse some peoples as they are not to work like that without any L3 redundancy.
Thanks so much for this great article! It really clarifies vlans in the Cisco world. Although I’ve worked with vlans, I’ve not worked with Cisco switches in years. Do you really have to add access ports one at a time? Is there a command to add a group of ports? Example using another vendor on a VoIP vlan:
#conf vlan VoIP add ports 1:1-48 tagged
Is there a similar command for Cisco switches? If not, it seems that adding access ports would be tedious on a switch stack.
Hi Dav1917. You have the option of using the
interface range
to apply commands to multiple interfaces at the same time. Here is an example of configuring multiple Access ports at once.Thank you, Ed! That is awesome – and a relief.
Mate article is amazing and so so helpful thank you. One thing – above the ‘show interfaces status’ heading, you’ve repeated the quick intro paragraph, probs should be deleted. It’s like –
intro paragraph incorrectly placed
‘show interfaces status’ heading
repeated intro paragraph but correctly placed
Thanks again, it will be you I thank in my CCNA acceptance speech!
Hi Rozak. Yikes, no clue how that slipped through, but good catch! I’ve fixed it. Thanks!
Glad you enjoyed the article and I’m looking forward to your CCNA acceptance speech =)
Hi, great tutorial! somehow I can`t get “Switch(config-if)# switchport trunk encapsulation dot1q” this command done in my switch, I just got 2 choices which are access/native after I typed “Switch(config-if)# switchport trunk”, it doesn`t link to “encapsulation dot1q”, any thought?
Switches that do not support ISL do not require designating the use of 802.1q.
If the
switchport trunk encapsulation dot1q
command is not applying, it is likely your switch only supports 802.1q.This is great. Can i get a copy of the same in my email.
Hello Ed Harmoush
i have the following query what will be happened if the frame came to an access port and what will be happened if the same frame came to trunk port?
e.g.the access port it will retag the frame with the number on vlan that has assign it (for example vlan access 10) or it drop the packet ?
Informative article, exactly whhat I was looking for.
me sirvió muchismo muchas gracias.
De nada =)
in the description of Show interface Trunk cmd ,Vlan 1 is not showing in the allowed vlan as well as in the Vlan active in managment domain section for the port
Et2/1 and 2/2, Reason?
Hi Jaseer. Because VLAN 1 was not added to the Allowed VLAN List:
https://www.practicalnetworking.net/stand-alone/configuring-vlans/#trunk_allowed_vlans
Hello Ed Harmoush,
Thank you for this wonderful article and great explanation. One thing – Under the heading “Show interfaces switchport” there is a table which describe each line of output. In the last row “Notice SwitchX’s trunk port was limited to just VLANs 20 and 30, and this is reflected in the output above.” I think that’s not SwitchX’ trunk port that’s SwitchY’s trunk port. Thank you.
Good catch! Thank you. I fixed it. =)
Great post
Great post! Very helpful. Good job.
I found this article to be very informative, thank you for this. I see it’s a couple years old already, yet still relevant.
Informative thread. Thanks for sharing…