HomeCCNAMaster VLAN Configuration in Cisco Switches – Updated 2025
Design 373778919

Master VLAN Configuration in Cisco Switches – Updated 2025

August 16, 2019
Asad Ijaz
7 min read
CCNA

Virtual Local Area Networks (VLANs) are a fundamental concept in network engineering, allowing network administrators to segment a physical network into multiple logical networks. This segmentation enhances security, optimizes traffic flow, and simplifies network management. For CCNA and CCNP students, mastering VLAN configuration on Cisco switches is critical, as it forms the backbone of many enterprise network designs.

Table of Contents

In this article, we’ll explore how to configure, verify, and manage VLANs on Cisco switches using Cisco IOS commands. We’ll cover normal and extended-range VLANs, port assignments, verification techniques, and best practices to ensure a robust network setup. Whether you’re preparing for your CCNA/CCNP exams or managing real-world networks, this guide provides practical, step-by-step instructions to enhance your skills.

Step-by-Step Guide to Configuring VLANs on Cisco Switches

Follow these steps to configure VLANs and assign ports on a Cisco switch (e.g., Sw-2). This example creates VLANs 10, 20, 30, 40, and 50–60, and assigns ports to VLAN 10 and VLAN 20.

Diagram showing a network setup with two switches, Sw-1 and Sw-2, connected via a trunk link. Sw-1 connects to PCs 1, 2, and 3 in VLAN-20 and VLAN-10, while Sw-2 connects to PCs 4, 5, and 6 in VLAN-20. A table from the "show vlan brief" command displays VLAN details: VLAN 1 (default) is active on ports Fa0/13 to Fa0/24 and Gig0/1 to Gig0/2; VLAN 10 (IT_Department) is active on ports Fa0/1 to Fa0/7; VLAN 20 (Admin_Department) is active on ports Fa0/8 to Fa0/12; and VLANs 1002 to 1005 (fddi-default, token-ring-default, fddinet-default, trnet-default) are active with no specific ports listed.
Master VLAN Configuration in Cisco Switches - Updated 2025 8

Enter Global Configuration Mode

Sw-2> enable
Sw-2# configure terminal

Create VLANs Individually or in a Range

Sw-2(config)# vlan 10
Sw-2(config-vlan)# name SALES
Sw-2(config-vlan)# exit
Sw-2(config)# vlan 20
Sw-2(config-vlan)# name ENGINEERING
Sw-2(config-vlan)# exit
Sw-2(config)# vlan 30,40
Sw-2(config-vlan)# name MANAGEMENT
Sw-2(config-vlan)# exit
Sw-2(config)# vlan 50-60
Sw-2(config-vlan)# name GUEST
Sw-2(config-vlan)# exit

Assign Ports to VLANs

Once the VLAN configuration is done, the next step is assigning ports to the VLAN. A port in access mode can belong to only one VLAN at a time. Only in one case, when the access port is connected to an IP phone, two VLANs are associated with this port, one for voice and one for data. The following is the syntax for defining a port as an access port and assigning it to a VLAN.


Configure FastEthernet 0/1 for VLAN 10 and FastEthernet 0/2–0/3 for VLAN 20.

Sw-2(config)# interface fastEthernet 0/1
Sw-2(config-if)# switchport mode access
Sw-2(config-if)# switchport access vlan 10
Sw-2(config-if)# exit
Sw-2(config)# interface range fastEthernet 0/2 – 3
Sw-2(config-if-range)# switchport mode access
Sw-2(config-if-range)# switchport access vlan 20
Sw-2(config-if-range)# exit

Save the Configuration

Sw-2(config)# exit
Sw-2# write memory

This configuration ensures VLANs are created, named, and assigned to the appropriate ports, with changes saved to the startup configuration.

Changing VLAN Port Membership

There are several ways to change the VLAN port association. The table below shows the syntax for changing a switch port membership to VLAN 1 with the no switchport access vlaninterface configuration mode command.

VLAN 10 has been assigned to interface Fa0/1. The no switchport access vlan command is entered for interface Fa0/1 in interface configuration mode, now check the output in the show vlan brief command that instantly follows as shown in the Figure.

VLAN 10 is still active, but there are no ports in it. The command show interfaces f0/1 switchport verifies that the access VLAN for the Fa0/1 interface has been reset to VLAN 1. First, removing a port from a VLAN is not required to change its membership. Now, we can assign these ports to any VLAN again.

Verifying VLAN Information

After configuring VLANs, use Cisco IOS show commands to validate the setup. Below are the key commands, their purposes, and example outputs:

show vlan brief

  • Purpose: Displays a summary of all VLANs, including VLAN ID, name, status, and assigned ports.
  • Example:
Screenshot of a Cisco switch CLI displaying the output of the show vlan brief command from device Sw-2#. The VLAN summary table includes VLAN IDs, names, statuses, and assigned ports: VLAN 1 (default): active, ports Fa0/4 and Fa0/5 VLAN 10 (SALES): active, port Fa0/1 VLAN 20 (ENGINEERING): active, ports Fa0/2 and Fa0/3 VLANs 30 and 40 (both named MANAGEMENT): active, no ports assigned VLAN 50 (GUEST): active, no ports assigned. This output is useful for verifying VLAN configuration and port assignments on the switch.
Master VLAN Configuration in Cisco Switches - Updated 2025 9

show vlan id

  • Purpose: Displays detailed information about a specific VLAN by ID.
  • Example:
CLI output from Cisco switch Sw-2# showing the result of the show vlan id 10 command. The display indicates VLAN ID 10 with the name "SALES", status "active", and one assigned port: FastEthernet 0/1 (Fa0/1). This output helps verify the operational state and port membership of a specific VLAN on the switch.
Master VLAN Configuration in Cisco Switches - Updated 2025 10

show vlan name

  • Purpose: Displays information about a VLAN by its name.
  • Example:
Terminal output from Cisco switch Sw-2# showing the result of the show vlan name SALES command. The screen displays VLAN ID 10, named SALES, with an "active" status and one port assigned: FastEthernet 0/1 (Fa0/1). This view helps confirm VLAN naming, activation state, and interface participation for targeted VLAN identification.
Master VLAN Configuration in Cisco Switches - Updated 2025 11

show interfaces switchport

  • Purpose: Verifies the VLAN assignment and mode of a specific port.
  • Example:
Cisco switch CLI output displaying the result of the show interfaces fastEthernet 0/1 switchport command on device Sw-2#. The output reveals details for interface Fa0/1: Switchport enabled Administrative mode: static access Operational mode: static access Access VLAN: 10 (SALES) This interface configuration confirms Fa0/1 is functioning as an access port assigned to VLAN 10, useful for validating switchport settings and VLAN associations.
Master VLAN Configuration in Cisco Switches - Updated 2025 12

show interfaces vlan

  • Purpose: Displays IP address and status information for a VLAN interface.
  • Example:
CLI output from Cisco switch Sw-2# showing the result of the show interfaces vlan 10 command. The screen confirms that VLAN 10 is up, and the line protocol is also up. The interface type is EtherSVI with MAC address 001b.0c12.3456. The assigned IP address for VLAN 10 is 192.168.10.1/24. This output is useful for verifying VLAN 10’s Layer 3 interface status and IP configuration.
Master VLAN Configuration in Cisco Switches - Updated 2025 13

Best Practice: Use the show vlan brief and show vlan summary for quick verification. For detailed port analysis, use show interfaces <interface-id> switchport.

Deleting VLAN

We can delete VLANs with the “no vlan vlan-idcommand in global configuration mode. For example, “ no vlan 10 “ in global configuration mode will delete VLAN 10 from the switch Sw-2 database. The ports of VLAN 10 are not members of any VLAN now. You can verify it with the “show vlan brief” command that VLAN 10 is no longer present in the vlan.dat file after using the no vlan 10 command.

Best practice before deleting a VLAN is reassigning all member ports to a different VLAN because any port that is not moved to an active VLAN is unable to communicate with other hosts after the deletion VLAN and until it is assigned to an active VLAN.

We can delete the entire vlan.dat file using the “delete flash:vlan.dat” command in privileged EXEC, which is abbreviated “delete vlan.dat.” We can also delete a vlan.dat file if it is stored in its default location.

After executing this command and restarting the switch, the formerly configured VLANs are no longer present. This places the switch into its factory default condition for VLAN configurations.

Troubleshooting VLAN Configuration Issues

Here are common VLAN configuration issues and their solutions:

VLAN Not Appearing in <show vlan brief>

  • Cause: The VLAN may not have been created, or no ports are assigned to it.
  • Solution: Verify VLAN creation with <show vlan brief>. If missing, create the VLAN using vlan <vlan-id> in global configuration mode. Ensure ports are assigned using switchport access vlan <vlan-id>.

Ports Not Communicating in the Same VLAN

  • Cause: Ports may be in the wrong VLAN or not in access mode.
  • Solution: Use show interfaces <interface-id> switchport command to verify the VLAN assignment and mode. Correct with switchport mode access and switchport access vlan <vlan-id>.

VLAN Configuration Lost After Reboot

  • Cause: The running configuration was not saved to the startup configuration.
  • Solution: Save changes with write memory or copy running-config startup-config after configuring VLANs.

Error: “Access VLAN does not exist. Creating VLAN”

  • Cause: The VLAN was not preconfigured before assigning a port.
  • Solution: This is expected behavior. Verify the VLAN with show vlan brief and ensure it’s correctly configured.

Sw-2# show vlan brief
Sw-2# show interfaces switchport
Sw-2# show running-config

VLAN Security Best Practices

Securing VLANs is critical to prevent unauthorized access and network attacks. Here are key practices:

Disable Unused Ports: Disable all unused switch ports to prevent unauthorized devices from connecting.

Sw-2(config)# interface range fastEthernet 0/4 - 24 Sw-2(config-if-range)# shutdown

Use VLAN 1 as a Black Hole: Assign unused ports to VLAN 1 and ensure VLAN 1 is not used for user traffic.

Sw-2(config)# interface range fastEthernet 0/4 - 24 Sw-2(config-if-range)# switchport access vlan 1

Implement Private VLANs (PVLANs). PVLANs restrict communication within a VLAN. For example, configure VLAN 10 as a primary VLAN with isolated secondary VLANs:

Sw-2(config)# vlan 10 Sw-2(config-vlan)# private-vlan primary Sw-2(config-vlan)# exit Sw-2(config)# vlan 11 Sw-2(config-vlan)# private-vlan isolated Sw-2(config-vlan)# exit

Verify Security Settings: Use show running-config and show vlan brief to ensure unused ports are disabled and assigned to VLAN 1.

Conclusion

Configuring VLANs on Cisco switches is an essential aspect of network management. Proper naming, port assignment, and verification of VLAN configurations are crucial steps. Regularly using show commands helps ensure the correct setup of VLANs, and caution should be exercised when deleting VLANs to avoid network disruptions. Following best practices and utilizing recommended commands contributes to a secure and well-organized network infrastructure.

FAQs

  • What is the difference between normal-range and extended-range VLANs?

    Normal-range VLANs (1–1005) are stored in the vlan.dat file in flash memory and don’t require saving the running configuration. Extended-range VLANs (1006–4094) are stored in the running configuration and require write memory to persist after a reboot.

  • How do I verify VLAN assignments on a Cisco switch?

    Use show vlan brief to see all VLANs and their assigned ports, or show interfaces <interface-id> switchport to check a specific port’s VLAN and mode.

  • What happens if I delete a VLAN without reassigning its ports?

    Ports in the deleted VLAN lose connectivity until reassigned to an active VLAN. Always reassign ports (e.g., to VLAN 1) before deleting a VLAN.

  • Can an access port belong to multiple VLANs?

    No, an access port can belong to only one VLAN at a time, except when connected to an IP phone, which uses one VLAN for voice and one for data.

  • How do I reset a switch’s VLAN configuration to factory defaults?

    Use delete flash:vlan.dat in privileged EXEC mode and restart the switch. This removes all VLANs, reverting ports to VLAN 1.

Avatar of Asad Ijaz

Asad Ijaz

NetworkUstad's lead networking architect with CCIE certification. Specializes in CCNA exam preparation and enterprise network design. Authored 2,800+ technical guides on Cisco systems, BGP routing, and network security protocols since 2018. Picture this: I'm not just someone who writes about tech; I'm a certified expert in the field. I proudly hold the titles of Cisco Certified Network Professional (CCNP) and Cisco Certified Network Associate (CCNA). So, when I talk about networking, I'm not just whistling in the dark; I know my stuff! My website is like a treasure trove of knowledge. You'll find a plethora of articles and tutorials covering a wide range of topics related to networking and cybersecurity. It's not just a website; it's a learning hub for anyone who's eager to dive into the world of bits, bytes, and secure connections. And here's a fun fact: I'm not a lone wolf in this journey. I'm a proud member and Editor of Team NetworkUstad. Together, we're on a mission to empower people with the knowledge they need to navigate the digital landscape safely and effectively. So, if you're ready to embark on a tech-savvy adventure, stick around with me, Asad Ijaz Khattak. We're going to unravel the mysteries of technology, one article at a time!"

Related Articles

OSI Model

OSI Model, including its 7 Layer Introduction

April 27, 2025
Hand pointing to a "Search" button next to "ICMPv6 NS and RA Messages" text, representing a guide to Neighbor Solicitation and Router Advertisement in IPv6 networks.

ICMPv6 NS and RA Messages: Boost Your CCNA Skills With This Details Guide and Interactive Simulator!

July 13, 2019
Network diagram illustration Host Default Gateway and Routing Table

Host Default Gateway and Routing Table Self-Assessment Quiz Test

March 7, 2025
HDLC frame type

HDLC Encapsulation Protocol

April 18, 2020
Network diagram showing Router1 configured with a default static route via FastEthernet0/1 to Router2, including 'ip route' command and 'show ip route' output with 'S*' entry.

How to configure Default Route

August 26, 2019

Introduction to “Router EIGRP” Command

January 4, 2020
Diagram illustrating the structure and function of a MAC address

Understanding MAC Addresses: Structure, Importance, and How to Find Them in 2025

June 4, 2019
Wireless Home Router

What is Wireless Access Points

November 19, 2019
Hand pointing to IPv6 diagram with OUI, Device ID, FFFE, and Interface ID elements on a screen.

EUI-64 Process and Randomly Generated IPv6- Easy to understand Guide

July 12, 2019