Overview

This section details the configuration and verification commands for VLANs on Cisco IOS.When creating a VLAN, the key is to imagine the association between the VLAN and the port inside the Layer 2 switch.

Figure: Key Points for Configuration of VLANs
Figure: Key Points for Configuration of VLANs

VLAN Configuration Process

First, let’s review the overall configuration flow. The following is the configuration flow for VLANs on Catalyst switches.

Create VLANs

By default, VLAN1 is present. Create additional VLANs as needed. A VLAN is a virtual Layer 2 switch that is created by configuration inside the Layer 2 switch.

STEP
1

Configure Switchport

Assign ports to the created VLANs, i.e., virtual Layer 2 switches. An access port is a port that is assigned to only one VLAN. Trunk ports are ports that are assigned to multiple VLANs.

STEP
2

By default, VLAN1 is present on the switch. All ports are in a specific DTP mode, depending on the model of the Catalyst; on the Catalyst 3560/3750, the mode is Dynamic auto. Therefore, when no Catalyst switch is connected, all ports will act as access ports. When operating as an access port, the VLAN membership is VLAN1.

From here, you can create a new VLAN or change the DTP mode as needed to make it work as an access port/trunk port. For access ports, determine the VLAN membership, and for trunk ports, specify the trunk encapsulation protocol, etc.

By default, VLANs 1002 through 1005 are also present. Since these are not VLANs for Ethernet, you usually do not need to consider them.

Related articl

Please refer to the following articles for more information about access ports and trunk ports.

N-Study
Access port : Port assigned to only one VLAN
https://www.n-study.com/en/vlan-detail/accessport
There are two types of ports on a switch: access ports and trunk ports, depending on how the ports and VLANs are assigned. This section explains access ports in detail.
N-Study
Trunk port : Port assigned to multiple VLANs
https://www.n-study.com/en/vlan-detail/trunkport
A trunk port is a port that can be assigned to multiple VLANs. When you want to create VLANs across switches, it is efficient to use trunk ports to connect between switches.

Create VLANs

To create new VLANs on the switch, use the following command in global configuration mode.

Create VLANs

(config)#vlan <vlan-id>
(config-vlan)#name <vlan-name>

<vlan-id> : VLAN ID
<vlan-name> :VLAN Name

The VLAN name configuration is optional. If omitted, the default name is “VLANxxxx” (xxxx: 4-digit VLAN number string).There are two types of VLAN ID: standard VLAN ID and extended VLAN ID.

  • standard VLAN ID
    • 1 to 1005
    • 1002 to 1005 are reserved for Token Ring or FDDI
  • extended VLAN ID
    • 1006~4094
    • To create a VLAN with an extended VLAN ID, you need to be in VTP transparent mode.
    • VLANs with extended VLAN ID will not be advertised in VTP and will not be synchronized with other switches.
    • VLANs with extended VLAN ID are not stored in the VLAN database.

Multiple VLANs can also be created in a batch. Multiple VLANs with consecutive VLAN numbers can be created in a batch by using “-” (hyphen). Multiple VLANs with non-consecutive VLAN numbers separated by “,” (comma) can be created in a batch. For example, to create VLAN 5 and VLAN 10 from VLAN 2 in one batch, enter the following command.

Example of batch creation of multiple VLANs

vlan 2-5,10

Deleting VLANs

Since VLANs are created by configuration, they can of course be deleted; to delete a VLAN, simply follow Cisco’s command delete format and enter the command with a “no”.

Deleting VLANs

(config)#no vlan <vlan-id>

<vlan-id> : 削除したいVLAN番号

You can also delete multiple VLANs at once by using “- (hyphen)” or “, (comma)”. Note that deleting a VLAN will disable the access port for that VLAN.

Related article

The following article explains in detail what to do when deleting a VLAN.

N-Study
Notes on deleting VLANs
https://www.n-study.com/en/vlan-detail/notes-on-deleting-vlans
Even if a VLAN is deleted, the configuration of the ports assigned to that VLAN will remain.This section explains the precautions to be taken when deleting a VLAN.

Switchport Configuration

DTP mode can be configured in interface configuration mode with the following command. This means assigning ports to virtual Layer 2 switch.

DTP mode configuration

(config)#interface <interface-name>
(config-if)#switchport mode {dynamic {auto | desirable} | trunk |access}

<interface-name> : interface name

Configure the DTP mode appropriately to operate as an access port or trunk port. Most configurations will be static access ports/trunk ports rather than setting the DTP mode to dynamic auto/desirable and dynamically determining the access port/trunk port.

Related article

The following article explains DTP mode in detail.

N-Study
Cisco DTP
https://www.n-study.com/en/vlan-detail/cisco-dtp
Cisco Catalyst switches can automatically determine the trunk port/access port according to the opposite port with DTP (Dynamic Trunking Protocol).

Access port

To make a port on the switch a static access port and determine its VLAN membership, configure it in interface configuration mode as follows

Access port configuration

(config)#interface <interface-name>
(config-if)#switchport mode access
(config-if)#switchport access vlan <vlan-id>

<interface-name> : interface name
<vlan-id> : VLAN ID to be assigned

If you want to use a static access port, it is better to disable DTP.

Disable DTP

(config-if)#switchport nonegotiate

Trunk port

To configure a port on the switch as a static trunk port, configure it as follows.

Trunk port configuration

(config)#interface <interface-name>
(config-if)#switchport trunk encapsulation {dot1q | isl}
(config-if)#switchport mode trunk

<interface-name> : interface name

The switchport trunk encapsulation command is required only when both 1Q and ISL trunk protocols are supported. Also, it is still better to disable DTP when static trunk ports are used.

The trunk port is connected to all VLANs inside the switch by default. If necessary, you can limit the VLANs that are connected to the trunk port. The command to do so is as follows

allowed vlan

(config-if)#switchport trunk allowed vlan [add | all | except | remove] <vlan-list>

<vlan-list> : List of VLAN IDs allowed on the trunk

Also, for IEEE802.1Q trunks, specify the native VLAN. To specify the native VLAN, configure it in interface configuration mode as follows

Native VLAN

(config-if)#switchport trunk native vlan <vlan-id>

<vlan-id> : VLAN ID of the native VLAN

In addition, the following command adds a VLAN tag to the Ethernet frame of the native VLAN.

Native VLAN tagging

(config)#vlan dot1q tag native

Related article

Native VLANs are explained in the following article.

N-Study
Native VLAN
https://www.n-study.com/en/vlan-detail/native-vlan
Ethernet frames with native VLANs do not have a VLAN tag added when they are forwarded over the trunk. This section explains how native VLANs work.

Verify the VLAN and switchport configuration.

The following table lists the commands for verifying the VLAN and access port and trunk port configurations.

show commandsDisplay Contents
#show vlan [brief]Displays the VLANs present on the switch and the access ports assigned to each VLAN.
#show interface trunkDisplays summary information for trunk ports on the switch.
#show interface <interface-name> switchportDisplays detailed switch port (access port/trunk port) status.
Table: Key show commands for VLANs and switch ports

Example of VLAN and switchport configuration

The following figure models the internal structure of a Catalyst switch in its default state, assuming a Catalyst 2970 series switch.

Figure: Default VLAN and Port Correspondence
Figure: Default VLAN and Port Correspondence

Configure the following on the Catalyst switch in the default state.

  • Create VLAN2
  • Make Fa0/2 the access port for VLAN2
  • Make Fa0/3 a trunk port for IEEE802.11Q

Create VLAN2

First, create VLAN2.

Create VLAN2

vlan 2

This configuration creates a virtual VLAN 2 switch inside the switch. You can name the VLAN for clarity if you want.

Make Fa0/2 the access port for VLAN2

Then, assign ports to the virtual switch of VLAN2 that you created. To make Fa0/2 the access port for VLAN2, use the following command.

Fa0/2 VLAN2 access port configuration

interface FastEthernet0/2
 switchport mode access
 switchport access vlan 2

This configuration will connect Fa0/2 and VLAN2.

Make Fa0/3 a trunk port for IEEE802.11Q

To make Fa0/3 a trunk port for IEEE802.1Q, configure as follows.

Fa0/3 Trunk port configuration

interface FastEthernet0/3
 switchport mode trunk

Then Fa0/3 will be connected to both VLAN1 and VLAN2, and the frame can be forwarded with the identification information of each VLAN added.The Catalyst 2970 series supports only IEEE802.1Q. switchport trunk The encapsulation command is not required.

With the configuration so far, the internal connections of the Catalyst switch are shown in the following figure.

Figure: Configuration example of VLAN and switchport
Figure: Configuration example of VLAN and switchport

Looking at the internal connections in this way, it is easy to see why Fa0/1, the access port for VLAN1, and Fa0/2, the access port for VLAN2, cannot communicate directly with each other. This is because although they are ports on the same switch, Fa0/1 and Fa0/2 are not connected inside the switch.

In order to allow ports of different VLANs to communicate with each other, it is necessary to use a Layer 3 switch or router to perform inter-VLAN routing.

Related article

See also the following article regarding inter-VLAN routing.

N-Study
Inter VLAN routing overview
https://www.n-study.com/en/vlan-detail/intervlanrouting-overview
When Layer 2 switches divide a network by VLANs, communication between VLANs becomes impossible, and inter-VLAN routing is used to interconnect VLANs and enable communication between them.

Sample output of verification command

Let’s look at the actual verification command for the above configuration.

show vlan brief

First, use the show vlan brief command to verify the VLANs and access ports inside the switch.

show vlan brief

Switch#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/4, Fa0/5, Fa0/6
                                                Fa0/7, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gi0/1, Gi0/2
2    VLAN0002                         active    Fa0/2
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

You can see that VLAN2 exists and Fa0/2 is its access port.

Note that Fa0/3 is not included as an access port in the default VLAN1; Fa0/3 will not appear in the show vlan brief because it is configured as a trunk port.

show interface trunk

To verify the trunk ports, use the show interface trunk command. With this command, you can verify the summary information of all trunk ports on the switch. The sample output in the configuration example is shown below.

show interface trunk

Switch#show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/3       on           802.1q         trunking      1

Port      Vlans allowed on trunk
Fa0/3       1-4094

Port        Vlans allowed and active in management domain
Fa0/3       1-2

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/3       1-2

You can see the trunk protocol of Fa0/3 configured on the trunk port and the VLAN information to be forwarded on the trunk port. Each item in the command output represents the following information.

  • Vlans allowed on trunk
    The contents of the switchport trunk allowed vlan command will be reflected. The default is all VLANs from 1-4094.
  • Vlans allowed and active in management domain
    Of the allowed VLANs, the active VLANs that are actually connected to the trunk port will be displayed.
  • Vlans in spanning tree forwarding state and not pruned
    The VLAN IDs that are actually forwarded from the trunk port, based on the spanning tree calculation and VTP pruning, is displayed. To verify the VLANs that will be forwarded from the trunk port, look at this part

show interface switchport

Also, to verify the detailed information as a switch port, use the show interface switchport command. show interface switchport command for Fa0/2 and Fa0/3 is as follows

show interface switchport

Switch#show interfaces fa 0/2 switchport
Name: Fa0/2
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 2 (VLAN0002)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
-- omitted --

Switch#show interfaces fa 0/3 switchport
Name: Fa0/3
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
-- omitted --
Trunking VLANs Enabled: ALL
-- omitted --

In addition to the information as an access port or trunk port, you can verify various Layer 2 level functions, which are displayed differently depending on the Catalyst switch model and IOS version, but the main items are explained below.

  • Administrative Mode
    Indicates the configured DTP mode.
  • Operational Mode
    Indicates whether the port is actually operating as a trunk port or as an access port.
  • Administrative Trunking Encapsulation
    Indicates the trunk protocol configuration.
  • Operational Trunking Encapsulation
    Indicates the trunk protocol that is actually being used.
  • Negotiation of Trunking
    Indicates whether negotiation by DTP is enabled.
  • Access Mode VLAN
    Indicates the VLAN ID for VLAN membership when that port becomes an access port.
  • Trunking Native Mode VLAN
    Indicates the VLAN number of the native VLAN for 1Q trunks. The native VLAN is meaningful only for IEEE802.1Q trunks.
  • Voice VLAN
    Indicates the VLAN ID of the Voice VLAN to which the IP Phone is connected.
  • Trunking VLANs Enabled
    Indicates the VLAN IDs allowed by the switchport trunk allowed vlan command. The default is 1-4904 (all).

まとめ

Points

  1. When configuring VLANs, it is important to imagine the association between VLANs and ports inside the Layer 2 switch.
  2. Flow of VLAN configuration
    1. Creating VLANs
    2. Assigning ports to the created VLANs

VLAN(Virtual LAN)