VLAN configuration process

First, let’s review the overall configuration flow. By default, VLAN1 is present on the switch. All ports are in a specific DTP mode, depending on the model of the Catalyst; on the Catalyst 3560/3750, the mode is Dynamic auto. Therefore, when no Catalyst switch is connected, all ports will act as access ports. When operating as an access port, the VLAN membership is VLAN1.

From here, you can create a new VLAN or change the DTP mode as needed to make it work as an access port/trunk port. For access ports, determine the VLAN membership, and for trunk ports, specify the trunk encapsulation protocol, etc.

By default, VLANs 1002 through 1005 are also present. Since these are not VLANs for Ethernet, you usually do not need to consider them.

The following is the configuration flow for VLANs on Catalyst switches.

  1. Create VLANs
    By default, VLAN1 is present. Create additional VLANs as needed.
  2. Switchport Configuration
    Change the DTP mode to act as an access port or trunk port.
    For access ports, configure VLAN membership.
    For trunk ports, configure the trunk protocol, the VLANs allowed on the trunk, and the native VLAN.

Create VLANs

To create new VLANs on the switch, use the following command in global configuration mode.

Create VLANs

(config)#vlan <vlan-id>
(config-vlan)#name <vlan-name>

<vlan-id> : VLAN ID
<vlan-name> :VLAN name

The VLAN name is optional. If omitted, the default name is “VLANx” (x: 4-digit VLAN number). There are two types of VLAN ID: standard VLAN IDs and extended VLAN IDs.

  • standard VLAN ID
    • 1 to 1005
    • 1002 to 1005 are reserved for Token Ring or FDDI
  • extended VLAN ID
    • 1006 to 4094
    • To create a VLAN with an extended VLAN ID, you need to be in VTP transparent mode.
    • VLANs with extended VLAN ID will not be advertised in VTP and will not be synchronized with other switches.
    • VLANs with extended VLAN ID are not stored in the VLAN database.

Deleting VLANs

To delete VLANs, you can use the no command.

Deleting VLANs

(config)#no vlan <vlan-id>

Note that if you delete a VLAN, the access ports assigned to that VLAN become inactive and are no longer usable.
Older Catalyst switches configure VLANs in VLAN database mode instead of global configuration mode:
#vlan database
(vlan)#vlan <vlan-id> name <vlan-name>

Switchport Configuration

The DTP mode is configured in interface configuration mode with the following command.

DTP mode configuration

(config-if)#switchport mode {dynamic {auto | desirable} | trunk |access}

Configure the DTP mode appropriately to operate as an access port or trunk port.

Access port

To make a port on the switch a static access port and set its VLAN membership, configure it in interface configuration mode as follows.

Access port configuration

(config-if)#switchport mode access
(config-if)#switchport access vlan <vlan-id>

<vlan-id> : VLAN ID to be assigned

If you want to use a static access port, it is also better to disable DTP on it.

Disable DTP

(config-if)#switchport nonegotiate

Trunk port

To configure a port on the switch as a static trunk port, configure it as follows.

Trunk port configuration

(config-if)#switchport trunk encapsulation {dot1q | isl}
(config-if)#switchport mode trunk

If you want to use a static trunk port, it is likewise better to disable DTP on it.
The switchport trunk encapsulation command is required only on switches that support both the IEEE802.1Q and ISL trunk protocols.

By default, a trunk port is connected to all VLANs inside the switch. If necessary, you can limit the VLANs carried on the trunk port with the following command.

allowed VLAN configuration

(config-if)#switchport trunk allowed vlan [add | all | except | remove] <vlan-list>

<vlan-list> : List of VLAN IDs to be allowed on the trunk

For IEEE802.1Q trunks, also specify the native VLAN. To do so, configure it in interface configuration mode as follows.

Native VLAN configuration

(config-if)#switchport trunk native vlan <vlan-id>

<vlan-id> : VLAN ID of the native VLAN

In addition, the following global configuration command makes the switch add a VLAN tag to Ethernet frames of the native VLAN as well.

Native VLAN tagging

(config)#vlan dot1q tag native
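The configuration flow above (create VLANs, then fix each port as an access or trunk port) is easiest to check on an actual running-config. The following Python script is an added example and not code from the original article: it parses a constructed running-config excerpt written in the IOS syntax shown above into a small per-port model, then reports the points the article makes (extended VLAN IDs need VTP transparent mode, an access VLAN that does not exist leaves the port inactive, static access and trunk ports should have DTP disabled with switchport nonegotiate, a trunk left at the default carries every VLAN). The sample configuration, the Port class and the function names are assumptions of this example.

```python
"""Audit a Catalyst running-config against the VLAN setup flow described above.
Added example, not code from the original article: SAMPLE_CONFIG is a constructed
running-config excerpt in IOS syntax, and the checks encode the article's points
(extended VLAN IDs, missing access VLAN, DTP left enabled, trunk allowing all)."""
import re
from dataclasses import dataclass

# Constructed sample, not captured from a real switch.
SAMPLE_CONFIG = """\
vtp mode server
!
vlan 2
 name SALES
!
vlan 1500
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 2
 switchport nonegotiate
!
interface FastEthernet0/3
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2
 switchport trunk allowed vlan 1,2
 switchport mode trunk
!
interface FastEthernet0/4
 switchport mode trunk
!
interface FastEthernet0/5
 switchport access vlan 3
!
"""
# VLANs present on an unconfigured switch (as listed by show vlan brief).
DEFAULT_VLANS = {1: "default", 1002: "fddi-default", 1003: "token-ring-default",
                 1004: "fddinet-default", 1005: "trnet-default"}


@dataclass
class Port:
    name: str
    mode: str = "dynamic auto"   # Catalyst 3560/3750 default DTP mode
    access_vlan: int = 1
    native_vlan: int = 1
    allowed: str = "all"
    nonegotiate: bool = False


def parse_config(text):
    """Return (vtp_mode, {vlan_id: name}, {ifname: Port}) from running-config text."""
    vtp_mode = "server"          # IOS default when no 'vtp mode' line is present
    vlans, ports = dict(DEFAULT_VLANS), {}
    section = None               # int inside a 'vlan N' block, Port inside an interface
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            section = None
            continue
        if line.startswith("vtp mode "):
            vtp_mode = line.split()[2]
        elif m := re.fullmatch(r"vlan (\d+)", line):
            section = int(m.group(1))
            vlans.setdefault(section, f"VLAN{section:04d}")   # default name VLANxxxx
        elif m := re.fullmatch(r"interface (\S+)", line):
            section = ports.setdefault(m.group(1), Port(m.group(1)))
        elif isinstance(section, int) and (m := re.fullmatch(r"name (\S+)", line)):
            vlans[section] = m.group(1)
        elif isinstance(section, Port):
            apply_switchport(section, line)
    return vtp_mode, vlans, ports


def apply_switchport(port, line):
    """Fill one 'switchport ...' interface line into the Port model."""
    if m := re.fullmatch(r"switchport mode (dynamic auto|dynamic desirable|trunk|access)", line):
        port.mode = m.group(1)
    elif m := re.fullmatch(r"switchport access vlan (\d+)", line):
        port.access_vlan = int(m.group(1))
    elif m := re.fullmatch(r"switchport trunk native vlan (\d+)", line):
        port.native_vlan = int(m.group(1))
    elif m := re.fullmatch(r"switchport trunk allowed vlan (\S+)", line):
        port.allowed = m.group(1)
    elif line == "switchport nonegotiate":
        port.nonegotiate = True


def audit(text):
    """Return [(object, finding)] for the points the article makes."""
    vtp_mode, vlans, ports = parse_config(text)
    findings = []
    for vid in vlans:
        if vid > 1005 and vtp_mode != "transparent":   # extended range 1006-4094
            findings.append((f"vlan {vid}", "extended VLAN ID requires VTP transparent mode"))
    for name, p in ports.items():
        if p.mode.startswith("dynamic"):
            findings.append((name, f"DTP mode '{p.mode}': access/trunk role is negotiated, not fixed"))
        elif not p.nonegotiate:
            findings.append((name, f"static {p.mode} port without 'switchport nonegotiate'"))
        if p.mode != "trunk" and p.access_vlan not in vlans:
            findings.append((name, f"access VLAN {p.access_vlan} does not exist; port would be inactive"))
        if p.mode == "trunk" and p.allowed == "all":
            findings.append((name, "trunk carries every VLAN (default); restrict with 'switchport trunk allowed vlan'"))
    return findings
```

Running audit(SAMPLE_CONFIG) reports VLAN 1500 (extended ID while VTP is in server mode), Fa0/3 and Fa0/4 (static trunks with DTP still enabled), Fa0/4 again (allowed list left at the default) and Fa0/5 (still dynamic auto, and its access VLAN 3 was never created); Fa0/2, configured exactly as the access port section above recommends, produces no finding. Unknown lines such as switchport trunk encapsulation are ignored, so the script can be pointed at the output of show running-config as-is.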

Verify the VLAN and switchport configuration

The following table lists the commands for verifying the VLAN and access port and trunk port configurations.

Table Major commands for VLAN verification

Command                                   Information
#show vlan brief                          VLANs that exist on the switch and the access ports of each VLAN
#show interface trunk                     Summary information for the trunk ports on the switch
#show interface {interface} switchport    Switch port details, including whether the port operates as an access port or a trunk port

Example of VLAN and switchport configuration

The following figure models the internal structure of a Catalyst switch in its default state, assuming a Catalyst 2970 series switch.

Fig. Default VLAN and Port Correspondence

Configure the following on the Catalyst switch in the default state.

  • Create VLAN2
  • Make Fa0/2 the access port for VLAN2
  • Make Fa0/3 a trunk port for IEEE802.1Q

Create VLAN2

First, create VLAN2.

vlan 2

This configuration will create VLAN2 inside the switch. You can name the VLAN for clarity if you want.

Make Fa0/2 the access port for VLAN2

Then, to make Fa0/2 the access port for VLAN2, use the following commands.

interface FastEthernet0/2
 switchport mode access
 switchport access vlan 2

This configuration connects Fa0/2 to VLAN2.

Make Fa0/3 a trunk port for IEEE802.1Q

To make Fa0/3 a trunk port for IEEE802.1Q, configure it as follows.

interface FastEthernet0/3
 switchport mode trunk

Fa0/3 is then connected to both VLAN1 and VLAN2, and frames can be forwarded with the identification information of each VLAN added. The Catalyst 2970 series supports only IEEE802.1Q, so the switchport trunk encapsulation command is not required.

With the configuration so far, the internal connections of the Catalyst switch are shown in the following figure.

Fig. Configuration example of VLAN and switchport

Looking at the internal connections in this way, it is easy to see why Fa0/1, the access port for VLAN1, and Fa0/2, the access port for VLAN2, cannot communicate directly with each other. This is because although they are ports on the same switch, Fa0/1 and Fa0/2 are not connected inside the switch.

In order to allow ports of different VLANs to communicate with each other, it is necessary to use a Layer 3 switch or router to perform inter-VLAN routing.

Sample output of verification command

Let’s look at the output of the verification commands for the above configuration.

show vlan brief

First, use the show vlan brief command to verify the VLANs and access ports inside the switch.

Switch#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/4, Fa0/5, Fa0/6
                                                Fa0/7, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gi0/1, Gi0/2
2    VLAN0002                         active    Fa0/2
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

You can see that VLAN2 exists and Fa0/2 is its access port.

Note that Fa0/3 is not listed under the default VLAN1: because it is configured as a trunk port, it does not appear in the show vlan brief output at all.

show interface trunk

To verify the trunk ports, use the show interface trunk command. It shows summary information for all trunk ports on the switch. The output for the configuration example is shown below.

Switch#show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/3       on           802.1q         trunking      1

Port      Vlans allowed on trunk
Fa0/3       1-4094

Port        Vlans allowed and active in management domain
Fa0/3       1-2

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/3       1-2

You can see the trunk protocol configured on Fa0/3 and the VLANs carried on the trunk port. Each item in the command output has the following meaning.

  • Vlans allowed on trunk
    Reflects the switchport trunk allowed vlan configuration. The default is all VLANs, 1-4094.
  • Vlans allowed and active in management domain
    Of the allowed VLANs, those that actually exist and are active on the switch.
  • Vlans in spanning tree forwarding state and not pruned
    The VLAN IDs that are actually forwarded on the trunk port after the spanning tree calculation and VTP pruning. To verify which VLANs are forwarded on the trunk port, look at this part.

show interface switchport

To verify the detailed switch port information, use the show interface switchport command. The output for Fa0/2 and Fa0/3 is as follows.

Switch#show interfaces fa 0/2 switchport
Name: Fa0/2
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 2 (VLAN0002)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
-- omitted --

Switch#show interfaces fa 0/3 switchport
Name: Fa0/3
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
-- omitted --
Trunking VLANs Enabled: ALL
-- omitted --

Besides the access port or trunk port information, this output shows the state of various Layer 2 functions. The exact items vary by Catalyst model and IOS version; the main ones are explained below.

  • Administrative Mode
    Indicates the configured DTP mode.
  • Operational Mode
    Indicates whether the port is actually operating as a trunk port or as an access port.
  • Administrative Trunking Encapsulation
    Indicates the trunk protocol configuration.
  • Operational Trunking Encapsulation
    Indicates the trunk protocol that is actually being used.
  • Negotiation of Trunking
    Indicates whether negotiation by DTP is enabled.
  • Access Mode VLAN
    Indicates the VLAN ID for VLAN membership when that port becomes an access port.
  • Trunking Native Mode VLAN
    Indicates the VLAN number of the native VLAN for 1Q trunks. The native VLAN is meaningful only for IEEE802.1Q trunks.
  • Voice VLAN
    Indicates the VLAN ID of the Voice VLAN to which the IP Phone is connected.
  • Trunking VLANs Enabled
    Indicates the VLAN IDs allowed by the switchport trunk allowed vlan command. The default is 1-4094 (all).
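The two verification outputs above, show interfaces trunk and show interfaces {interface} switchport, are what an operator reviews to confirm that a trunk carries only the intended VLANs and that a static port is no longer negotiating DTP. The following Python script is an added example and not code from the original article: it parses both outputs (the four per-port tables of show interfaces trunk, expanding VLAN ranges such as 1-4094 or 30-35, and the "Key: Value" lines of show interfaces switchport) and reports trunks left at the default allowed list, allowed VLANs that do not exist, the native VLAN left at 1, and static ports whose "Negotiation of Trunking" is still On. The two output texts are constructed samples in the same layout as the article's output, with a second trunk Gi0/1 added for contrast; the function names are assumptions of this example.

```python
"""Parse 'show interfaces trunk' and 'show interfaces <if> switchport' output
and check it against the article's recommendations. Added example, not code from
the original article: both texts are constructed samples in the same layout as
the article's output; they are not captures from a real switch."""
import re

SHOW_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Fa0/3       on           802.1q         trunking      1
Gi0/1       on           802.1q         trunking      99

Port        Vlans allowed on trunk
Fa0/3       1-4094
Gi0/1       10,20,30-35

Port        Vlans allowed and active in management domain
Fa0/3       1-2
Gi0/1       10,20,30

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/3       1-2
Gi0/1       10,20,30
"""

SHOW_SWITCHPORT = """\
Name: Fa0/3
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Trunking VLANs Enabled: ALL
"""

# The three per-port tables after the first one, keyed by their header text.
SECTIONS = {"Vlans allowed on trunk": "allowed",
            "Vlans allowed and active in management domain": "active",
            "Vlans in spanning tree forwarding state and not pruned": "forwarding"}


def expand_vlan_list(spec):
    """'10,20,30-35' -> {10, 20, 30, 31, 32, 33, 34, 35}; 'ALL' means 1-4094."""
    if spec.strip().upper() == "ALL":
        spec = "1-4094"
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_show_trunk(text):
    """Return {port: {mode, encapsulation, status, native, allowed, active, forwarding}}."""
    ports, key = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("Port"):
            key = SECTIONS.get(line.split(None, 1)[1].strip())   # None = first table
            continue
        fields = line.split()
        p = ports.setdefault(fields[0], {})
        if key is None:
            p.update(mode=fields[1], encapsulation=fields[2],
                     status=fields[3], native=int(fields[4]))
        else:
            p[key] = expand_vlan_list(fields[1])
    return ports


def parse_show_switchport(text):
    """Return {'Name': 'Fa0/3', 'Administrative Mode': 'trunk', ...} for one port."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            info[key.strip()] = value.strip()
    return info


def check_trunks(trunk_text, switchport_texts):
    """Return [(port, finding)] from both outputs."""
    findings = []
    for port, t in parse_show_trunk(trunk_text).items():
        if len(t["allowed"]) == 4094:
            findings.append((port, "allowed list is the default 1-4094; narrow it with 'switchport trunk allowed vlan'"))
        elif t["allowed"] - t["active"]:
            findings.append((port, f"allowed but not active (VLAN does not exist): {sorted(t['allowed'] - t['active'])}"))
        if t["native"] == 1:
            findings.append((port, "native VLAN left at the default (1)"))
    for sp in map(parse_show_switchport, switchport_texts):
        static = sp.get("Administrative Mode") in ("static access", "trunk")
        if static and sp.get("Negotiation of Trunking") == "On":
            findings.append((sp["Name"], "static port still negotiating DTP; 'switchport nonegotiate' turns it off"))
    return findings
```

check_trunks(SHOW_TRUNK, [SHOW_SWITCHPORT]) reports Fa0/3 three times (default allowed list, native VLAN 1, DTP negotiation still On even though the mode is a static trunk, exactly as in the article's output) and Gi0/1 once, because VLANs 31-35 are allowed on it but are not active in the management domain. Feeding it the output of several show interfaces {interface} switchport commands, one text per port, checks every static port in one pass.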