August 16, 2019

Master VLAN Configuration in Cisco Switches – Updated 2025

Master VLAN Configuration in Cisco Switches – Updated 2025

//

Virtual Local Area Networks (VLANs) are a fundamental concept in network engineering, allowing network administrators to segment a physical network into multiple logical networks. This segmentation enhances security, optimizes traffic flow, and simplifies network management. For CCNA and CCNP students, mastering VLAN configuration on Cisco switches is critical, as it forms the backbone of many enterprise network designs.

In this article, we’ll explore how to configure, verify, and manage VLANs on Cisco switches using Cisco IOS commands. We’ll cover normal and extended-range VLANs, port assignments, verification techniques, and best practices to ensure a robust network setup. Whether you’re preparing for your CCNA/CCNP exams or managing real-world networks, this guide provides practical, step-by-step instructions to enhance your skills.

Step-by-Step Guide to Configuring VLANs on Cisco Switches

Follow these steps to configure VLANs and assign ports on a Cisco switch (e.g., Sw-2). This example creates VLANs 10, 20, 30, 40, and 50–60, and assigns ports to VLAN 10 and VLAN 20.

Diagram showing a network setup with two switches, Sw-1 and Sw-2, connected via a trunk link. Sw-1 connects to PCs 1, 2, and 3 in VLAN-20 and VLAN-10, while Sw-2 connects to PCs 4, 5, and 6 in VLAN-20. A table from the "show vlan brief" command displays VLAN details: VLAN 1 (default) is active on ports Fa0/13 to Fa0/24 and Gig0/1 to Gig0/2; VLAN 10 (IT_Department) is active on ports Fa0/1 to Fa0/7; VLAN 20 (Admin_Department) is active on ports Fa0/8 to Fa0/12; and VLANs 1002 to 1005 (fddi-default, token-ring-default, fddinet-default, trnet-default) are active with no specific ports listed.

Enter Global Configuration Mode

Sw-2> enable
Sw-2# configure terminal

Create VLANs Individually or in a Range

Sw-2(config)# vlan 10
Sw-2(config-vlan)# name SALES
Sw-2(config-vlan)# exit
Sw-2(config)# vlan 20
Sw-2(config-vlan)# name ENGINEERING
Sw-2(config-vlan)# exit
Sw-2(config)# vlan 30,40
Sw-2(config-vlan)# name MANAGEMENT
Sw-2(config-vlan)# exit
Sw-2(config)# vlan 50-60
Sw-2(config-vlan)# name GUEST
Sw-2(config-vlan)# exit

Assign Ports to VLANs

Once the VLAN configuration is done, the next step is assigning ports to the VLAN. A port in access mode can belong to only one VLAN at a time. Only in one case, when the access port is connected to an IP phone, two VLANs are associated with this port, one for voice and one for data. The following is the syntax for defining a port as an access port and assigning it to a VLAN.


Configure FastEthernet 0/1 for VLAN 10 and FastEthernet 0/2–0/3 for VLAN 20.

Sw-2(config)# interface fastEthernet 0/1
Sw-2(config-if)# switchport mode access
Sw-2(config-if)# switchport access vlan 10
Sw-2(config-if)# exit
Sw-2(config)# interface range fastEthernet 0/2 – 3
Sw-2(config-if-range)# switchport mode access
Sw-2(config-if-range)# switchport access vlan 20
Sw-2(config-if-range)# exit

Save the Configuration

Sw-2(config)# exit
Sw-2# write memory

This configuration ensures VLANs are created, named, and assigned to the appropriate ports, with changes saved to the startup configuration.

Changing VLAN Port Membership

There are several ways to change the VLAN port association. The table below shows the syntax for changing a switch port membership to VLAN 1 with the no switchport access vlaninterface configuration mode command.

VLAN 10 has been assigned to interface Fa0/1. The no switchport access vlan command is entered for interface Fa0/1 in interface configuration mode, now check the output in the show vlan brief command that instantly follows as shown in the Figure.

VLAN 10 is still active, but there are no ports in it. The command show interfaces f0/1 switchport verifies that the access VLAN for the Fa0/1 interface has been reset to VLAN 1. First, removing a port from a VLAN is not required to change its membership. Now, we can assign these ports to any VLAN again.

Verifying VLAN Information

After configuring VLANs, use Cisco IOS show commands to validate the setup. Below are the key commands, their purposes, and example outputs:

show vlan brief

  • Purpose: Displays a summary of all VLANs, including VLAN ID, name, status, and assigned ports.
  • Example:
Screenshot of a Cisco switch CLI displaying the output of the show vlan brief command from device Sw-2#. The VLAN summary table includes VLAN IDs, names, statuses, and assigned ports: VLAN 1 (default): active, ports Fa0/4 and Fa0/5 VLAN 10 (SALES): active, port Fa0/1 VLAN 20 (ENGINEERING): active, ports Fa0/2 and Fa0/3 VLANs 30 and 40 (both named MANAGEMENT): active, no ports assigned VLAN 50 (GUEST): active, no ports assigned. This output is useful for verifying VLAN configuration and port assignments on the switch.

show vlan id

  • Purpose: Displays detailed information about a specific VLAN by ID.
  • Example:
CLI output from Cisco switch Sw-2# showing the result of the show vlan id 10 command. The display indicates VLAN ID 10 with the name "SALES", status "active", and one assigned port: FastEthernet 0/1 (Fa0/1). This output helps verify the operational state and port membership of a specific VLAN on the switch.

show vlan name

  • Purpose: Displays information about a VLAN by its name.
  • Example:
Terminal output from Cisco switch Sw-2# showing the result of the show vlan name SALES command. The screen displays VLAN ID 10, named SALES, with an "active" status and one port assigned: FastEthernet 0/1 (Fa0/1). This view helps confirm VLAN naming, activation state, and interface participation for targeted VLAN identification.

show interfaces switchport

  • Purpose: Verifies the VLAN assignment and mode of a specific port.
  • Example:
Cisco switch CLI output displaying the result of the show interfaces fastEthernet 0/1 switchport command on device Sw-2#. The output reveals details for interface Fa0/1: Switchport enabled Administrative mode: static access Operational mode: static access Access VLAN: 10 (SALES) This interface configuration confirms Fa0/1 is functioning as an access port assigned to VLAN 10, useful for validating switchport settings and VLAN associations.

show interfaces vlan

  • Purpose: Displays IP address and status information for a VLAN interface.
  • Example:
CLI output from Cisco switch Sw-2# showing the result of the show interfaces vlan 10 command. The screen confirms that VLAN 10 is up, and the line protocol is also up. The interface type is EtherSVI with MAC address 001b.0c12.3456. The assigned IP address for VLAN 10 is 192.168.10.1/24. This output is useful for verifying VLAN 10’s Layer 3 interface status and IP configuration.

Best Practice: Use the show vlan brief and show vlan summary for quick verification. For detailed port analysis, use show interfaces <interface-id> switchport.

Deleting VLAN

We can delete VLANs with the “no vlan vlan-idcommand in global configuration mode. For example, “ no vlan 10 “ in global configuration mode will delete VLAN 10 from the switch Sw-2 database. The ports of VLAN 10 are not members of any VLAN now. You can verify it with the “show vlan brief” command that VLAN 10 is no longer present in the vlan.dat file after using the no vlan 10 command.

Best practice before deleting a VLAN is reassigning all member ports to a different VLAN because any port that is not moved to an active VLAN is unable to communicate with other hosts after the deletion VLAN and until it is assigned to an active VLAN.

We can delete the entire vlan.dat file using the “delete flash:vlan.dat” command in privileged EXEC, which is abbreviated “delete vlan.dat.” We can also delete a vlan.dat file if it is stored in its default location.

After executing this command and restarting the switch, the formerly configured VLANs are no longer present. This places the switch into its factory default condition for VLAN configurations.

Troubleshooting VLAN Configuration Issues

Here are common VLAN configuration issues and their solutions:

VLAN Not Appearing in <show vlan brief>

  • Cause: The VLAN may not have been created, or no ports are assigned to it.
  • Solution: Verify VLAN creation with <show vlan brief>. If missing, create the VLAN using vlan <vlan-id> in global configuration mode. Ensure ports are assigned using switchport access vlan <vlan-id>.

Ports Not Communicating in the Same VLAN

  • Cause: Ports may be in the wrong VLAN or not in access mode.
  • Solution: Use show interfaces <interface-id> switchport command to verify the VLAN assignment and mode. Correct with switchport mode access and switchport access vlan <vlan-id>.

VLAN Configuration Lost After Reboot

  • Cause: The running configuration was not saved to the startup configuration.
  • Solution: Save changes with write memory or copy running-config startup-config after configuring VLANs.

Error: “Access VLAN does not exist. Creating VLAN”

  • Cause: The VLAN was not preconfigured before assigning a port.
  • Solution: This is expected behavior. Verify the VLAN with show vlan brief and ensure it’s correctly configured.

Sw-2# show vlan brief
Sw-2# show interfaces switchport
Sw-2# show running-config

VLAN Security Best Practices

Securing VLANs is critical to prevent unauthorized access and network attacks. Here are key practices:

Disable Unused Ports: Disable all unused switch ports to prevent unauthorized devices from connecting.

Sw-2(config)# interface range fastEthernet 0/4 - 24 Sw-2(config-if-range)# shutdown

Use VLAN 1 as a Black Hole: Assign unused ports to VLAN 1 and ensure VLAN 1 is not used for user traffic.

Sw-2(config)# interface range fastEthernet 0/4 - 24 Sw-2(config-if-range)# switchport access vlan 1

Implement Private VLANs (PVLANs). PVLANs restrict communication within a VLAN. For example, configure VLAN 10 as a primary VLAN with isolated secondary VLANs:

Sw-2(config)# vlan 10 Sw-2(config-vlan)# private-vlan primary Sw-2(config-vlan)# exit Sw-2(config)# vlan 11 Sw-2(config-vlan)# private-vlan isolated Sw-2(config-vlan)# exit

Verify Security Settings: Use show running-config and show vlan brief to ensure unused ports are disabled and assigned to VLAN 1.

Conclusion

Configuring VLANs on Cisco switches is an essential aspect of network management. Proper naming, port assignment, and verification of VLAN configurations are crucial steps. Regularly using show commands helps ensure the correct setup of VLANs, and caution should be exercised when deleting VLANs to avoid network disruptions. Following best practices and utilizing recommended commands contributes to a secure and well-organized network infrastructure.

FAQs

Introduction to VLAN ID Range – Exclusive Explanation (Updated 2025)

Introduction to VLAN ID Range – Exclusive Explanation (Updated 2025)

//

Cisco Catalyst switches support a VLAN ID Range from 1 to 4094, divided into normal (1-1005) and extended (1006-4094) ranges. The normal range suits small to enterprise networks, with VLANs 1002-1005 reserved for Token Ring and FDDI, and cannot be removed. Extended ranges, stored in the running-config, support service providers but offer fewer features and no VTP support.

VLAN ID Range: Screenshot of Cisco switch CLI output showing the 'show vlan' command results, displaying VLAN 1 as the default with active status and associated ports (Fa0/1 to Fa0/24, Gig0/1, Gig0/2), along with VLAN types (enet, fddi, trnet) and their MTU, SAID, and other configuration details.

Normal VLANs Range 

The usual range of VLAN IDs is between 1 and 1005. IDs 1002 through 1005 are reserved for Token Ring and FDDI VLANs. The automatically created VLANs (1, 1002, 1003, 1004, 1005) cannot be removed. VLAN database file (vlan.dat) stores VLAN configurations. The vlan.dat file is in the switch’s flash memory. The VTP (VLAN Trunking Protocol) helps manage VLAN configurations between switches. However, the VTP can only learn and store normal-range VLANs.

Extended VLAN ID Range

The extended VLAN range (1006-4094) supports service providers expanding to more customers. Configurations are stored in the running-config, not vlan.dat, and lack VTP synchronization due to its design for normal-range VLANs. Extended VLANs support basic functionality but exclude advanced features like VTP pruning.

Configuring VLAN ID Ranges on Cisco Switches

This section provides Cisco IOS commands to configure normal and extended VLANs on a Catalyst switch.

1. Configuring a Normal-Range VLAN

Switch> enable Switch# configure terminal Switch(config)# vlan 100 Switch(config-vlan)# name SALES Switch(config-vlan)# exit

2. Configuring an Extended-Range VLAN

Switch(config)# vlan 2000 Switch(config-vlan)# name GUEST Switch(config-vlan)# exit

3. Verifying VLAN Configuration

Switch# show vlan brief Switch# show running-config | include vlan

Note: Extended VLANs require manual configuration and are stored in the running-config, not vlan.dat.

Troubleshooting VLAN ID Range Issues

Resolve common VLAN range problems with these steps.

1. Missing VLAN in vlan.dat

Symptoms: Normal VLAN is not active.

Solution: Recreate the VLAN and save the config:

Switch# vlan 100

Switch# copy running-config startup-config

2. Extended VLAN Not Persisting

Symptoms: Extended VLAN is lost after reboot.

Solution: Ensure it’s in running-config:

Switch# show running-config | include vlan

3. VTP Sync Failure

Symptoms: VLANs not propagating.

Solution: Verify VTP mode and domain:

Switch# show vtp status

Conclusion

Understanding VLAN ID ranges is essential for effectively managing and optimizing network infrastructure. Cisco Catalyst switches offer a flexible range of VLAN support, catering to the diverse needs of organizations. Whether utilizing the Normal VLAN range for smaller networks or leveraging the Extended-Range VLANs for larger enterprises, proper VLAN configuration enhances network performance, security, and overall efficiency. As technology evolves, staying informed about VLAN capabilities ensures that networks remain adaptable to the dynamic requirements of modern businesses.