VLAN Configuration in Cisco Switches

In the previous article, we discussed normal-range and extended-range VLANs. Normal-range VLAN configuration is stored in the vlan.dat file in the switch's flash memory. Because the VLAN database is written to flash as soon as a VLAN is created, it does not depend on the copy running-config startup-config (or write) command to survive a reload.

However, other settings are usually configured on a Cisco switch at the same time VLANs are created, so it is still best to save the running configuration to the startup configuration. The syntax below adds a VLAN to a Cisco switch and gives it a name. Naming each VLAN is a best practice in VLAN configuration, because the name documents the VLAN's purpose.

Switch(config)# vlan <vlan-id>

Switch(config-vlan)# name <vlan-name>

The figure below illustrates a topology in which Sw-1 has already been configured with VLANs 10 and 20. We can check this with the show vlan brief command in privileged EXEC mode, which displays the contents of the vlan.dat file. Now we create the same VLANs, including VLAN 10 and VLAN 20, on Sw-2.


VLANs can be created one at a time, as a comma-separated list of VLAN IDs, or as a range written with a hyphen. The following commands create VLANs 10, 20, 30, 40 and 50 through 60:

Sw-2(config)# vlan 10,20,30,40

Sw-2(config)# vlan 50-60

Assigning Ports to VLAN

Once the VLANs exist, the next step is assigning ports to them. A port in access mode can belong to only one VLAN at a time. The one exception is an access port connected to an IP phone: such a port carries two VLANs, one for voice and one for data. The syntax for defining a port as an access port and assigning it to a VLAN is:

Switch(config)# interface <interface-id>

Switch(config-if)# switchport mode access

Switch(config-if)# switchport access vlan <vlan-id>

The switchport mode access command is optional, but it is strongly recommended for security: it statically sets the interface to access mode and stops it from negotiating a trunk through DTP, which is what an attacker relies on for switch-spoofing VLAN hopping. The interface range command lets us apply the same commands to several interfaces at once.

In the figure below, VLAN 10 is assigned to port Fa0/1 of the switch, so PC4 becomes a member of VLAN 10. VLAN 20 is assigned to Fa0/2 and Fa0/3, so PC5 and PC6 are members of VLAN 20. The show vlan brief command displays the result from the vlan.dat file.

If the VLAN does not exist yet, the switchport access vlan command forces its creation on the switch. For example, VLAN 100 does not appear in the output of show vlan brief. If switchport access vlan 100 is entered on an interface without any prior VLAN configuration, the switch displays the following:

% Access VLAN does not exist. Creating vlan 100

The new VLAN now appears in the show vlan brief output, that is, in the vlan.dat file.
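The complete build-out of Sw-2, as an added example that is not part of the original article: it creates and names the VLANs, pins the data ports to their VLANs as static access ports, and handles the IP-phone case with a voice VLAN. The VLAN names, the IP-phone port Fa0/4, voice VLAN 50 and the port numbering are assumptions for illustration.

```cisco
! Added example (not from the original article). Assumed: VLAN names,
! IP phone on Fa0/4, voice VLAN 50, Catalyst IOS with ports Fa0/1-Fa0/4.
Sw-2# configure terminal
!
! Create and name the VLANs (written to flash:vlan.dat immediately).
Sw-2(config)# vlan 10
Sw-2(config-vlan)# name Students
Sw-2(config-vlan)# exit
Sw-2(config)# vlan 20
Sw-2(config-vlan)# name Faculty
Sw-2(config-vlan)# exit
Sw-2(config)# vlan 50
Sw-2(config-vlan)# name Voice
Sw-2(config-vlan)# exit
!
! Data ports: static access mode (no DTP trunk negotiation), one VLAN each.
Sw-2(config)# interface fastEthernet 0/1
Sw-2(config-if)# switchport mode access
Sw-2(config-if)# switchport access vlan 10
Sw-2(config-if)# exit
Sw-2(config)# interface range fastEthernet 0/2 - 3
Sw-2(config-if-range)# switchport mode access
Sw-2(config-if-range)# switchport access vlan 20
Sw-2(config-if-range)# exit
!
! IP-phone port: one data VLAN plus one voice VLAN on the same access port.
Sw-2(config)# interface fastEthernet 0/4
Sw-2(config-if)# switchport mode access
Sw-2(config-if)# switchport access vlan 10
Sw-2(config-if)# switchport voice vlan 50
Sw-2(config-if)# end
!
! Verify, then save. vlan.dat is already on flash; the interface commands
! live in running-config and are lost on reload unless saved.
Sw-2# show vlan brief
Sw-2# show interfaces fastEthernet 0/4 switchport
Sw-2# copy running-config startup-config
```

In the show interfaces fastEthernet 0/4 switchport output, confirm that Administrative Mode reads static access and Negotiation of Trunking reads Off; if either still shows dynamic, the switchport mode access command did not take effect on that port.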

Changing VLAN Port Membership

There are several ways to change a port's VLAN membership. The no switchport access vlan interface configuration command returns the port to VLAN 1.

In the example, interface Fa0/1 belongs to VLAN 10. After no switchport access vlan is entered on Fa0/1 in interface configuration mode, the show vlan brief output that immediately follows shows the change, as in the figure below.

The show vlan brief command shows one line for every VLAN, with its name, status and member ports, so it gives the VLAN membership of every access port at a glance.


VLAN 10 is still active, but it no longer has any ports. The show interfaces f0/1 switchport command verifies that the access VLAN of Fa0/1 has been reset to VLAN 1. Note that a port does not have to be removed from its VLAN before it is moved to another one: a new switchport access vlan command simply replaces the previous membership, so these ports can be assigned to any VLAN again directly.

Verifying VLAN Information  

After configuring or changing VLANs, validate the result with the Cisco IOS show commands. The syntax is:

  • show vlan [brief | id vlan-id | name vlan-name | summary]
    • brief – displays one line for every VLAN with its name, status and ports.
    • id vlan-id – displays information about the VLAN with the given VLAN ID.
    • name vlan-name – displays information about the VLAN with the given name.
    • summary – displays a count of the configured VLANs.
  • show interfaces [interface-id | vlan vlan-id | switchport]
    • interface-id – a valid interface ID, including module and port number, or a port channel (the port-channel range is 1 to 6).
    • vlan vlan-id – displays information about the VLAN interface (SVI) with the given VLAN ID; valid VLAN IDs are 1 to 4094.
    • switchport – displays a switch port's administrative and operational status, including whether it is blocked and which port-protection settings are in effect.

Now we use the show vlan command with different parameters. The output of show vlan name IT (IT being the VLAN name used in this example) is more detailed and harder to read than show vlan brief; the figure below illustrates it. Its fields will be discussed in the coming articles.

The recommended commands for day-to-day VLAN verification are show vlan brief and show vlan summary; the latter displays the count of configured VLANs. We can also use show interfaces with different parameters, such as show interfaces fastEthernet 0/1 switchport.

This displays all switchport information for FastEthernet 0/1 (mode, access VLAN, voice VLAN, trunking state). Entering show interfaces switchport without an interface displays the same information for every switch port. The show interfaces vlan <vlan-id> command displays the VLAN interface (SVI) information, including the IP address configured on that VLAN interface.

Deleting VLAN

We can delete a VLAN with the no vlan vlan-id command in global configuration mode. For example, no vlan 10 in global configuration mode deletes VLAN 10 from the Sw-2 VLAN database. Ports that were assigned to VLAN 10 keep their switchport access vlan 10 configuration, but because that VLAN no longer exists they are in an inactive VLAN and cannot forward traffic. You can verify with show vlan brief that VLAN 10 is no longer present in the vlan.dat file after the no vlan 10 command.

The best practice before deleting a VLAN is therefore to reassign all member ports to a different, active VLAN first: any port that is not moved is unable to communicate with other hosts after the VLAN is deleted, until it is assigned to an active VLAN or the VLAN is recreated.
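The safe retirement of a VLAN, as an added example that is not from the original article; it also illustrates the point from the previous section that a port's membership is changed simply by assigning the new VLAN. It assumes VLAN 10 on Sw-2 has exactly two member ports, Fa0/1 and Fa0/4, and that VLAN 20 already exists as their new home.

```cisco
! Added example (not from the original article). Assumed: Fa0/1 and Fa0/4
! are the only VLAN 10 members on Sw-2 and VLAN 20 is active.
!
! 0. Record who is in VLAN 10 before touching anything.
Sw-2# show vlan brief
Sw-2# configure terminal
!
! 1. Move every member port first. The new access VLAN replaces the old
!    one, so no "no switchport access vlan" step is needed.
Sw-2(config)# interface range fastEthernet 0/1 , fastEthernet 0/4
Sw-2(config-if-range)# switchport access vlan 20
Sw-2(config-if-range)# exit
!
! 2. Only now remove the VLAN from the database (flash:vlan.dat).
Sw-2(config)# no vlan 10
Sw-2(config)# end
!
! 3. Confirm VLAN 10 is gone and that no port still points at it.
Sw-2# show vlan brief
Sw-2# show interfaces fastEthernet 0/1 switchport
!
! A port that was NOT moved keeps "switchport access vlan 10" in its
! running-config and reports "Access Mode VLAN: 10 (Inactive)" in the
! switchport output; it passes no traffic until VLAN 10 is recreated or
! the port is assigned to an active VLAN.
Sw-2# show running-config interface fastEthernet 0/1
!
! 4. Persist the interface changes; the VLAN deletion is already in flash.
Sw-2# copy running-config startup-config
```

The order matters: deleting first and reassigning afterwards leaves the hosts on those ports cut off for the whole interval, and a port forgotten in step 1 is only visible later through the "(Inactive)" marker in show interfaces switchport, not in show vlan brief, which no longer lists VLAN 10 at all.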

We can delete the entire vlan.dat file with the delete flash:vlan.dat command in privileged EXEC mode. As long as the file is in its default location in flash, this can be abbreviated to delete vlan.dat.

After executing this command and reloading the switch, the previously configured VLANs are no longer present, which returns the switch to its factory default condition for VLAN configuration. The interface-level switchport access vlan commands are not touched by this: they remain in the running and startup configuration and must be removed separately (or the startup configuration erased) if a full reset is intended.

Conclusion

Configuring VLANs on Cisco switches is an essential aspect of network management. Proper naming, port assignment, and verification of VLAN configurations are crucial steps. Regularly using show commands helps ensure the correct setup of VLANs, and caution should be exercised when deleting VLANs to avoid network disruptions. Following best practices and utilizing recommended commands contribute to a secure and well-organized network infrastructure.

FAQs

  • Why is naming each VLAN considered a best practice in VLAN configuration?
    Naming each VLAN provides clarity and documentation for network administrators, making it easier to identify the purpose or function of a specific VLAN.
  • Can VLANs be created on a Cisco switch individually and in a range?
    Yes, VLANs can be created on a Cisco switch individually by specifying VLAN IDs or using hyphens to set them in a range. For example, the command vlan 10, 20, 30, 40 creates VLANs 10, 20, 30, and 40, while vlan 50-60 creates VLANs 50 through 60.
  • What is the purpose of the ‘switchport mode access’ command in VLAN configuration?
    The switchport mode access command is optional but recommended for security. It permanently sets the switch interface to access mode, ensuring the port can only belong to one VLAN. This command helps prevent unauthorized VLAN hopping.
  • How can I assign ports to a VLAN after VLAN configuration?
    Ports can be assigned to a VLAN by entering the interface configuration mode and using the switchport access vlan [VLAN ID] command. This associates the specified VLAN with the port.
  • What happens if a VLAN does not exist when assigning it to a port?
    If the VLAN does not exist, the switchport access vlan [VLAN ID] command forces the creation of the VLAN on the switch. For example, if VLAN 100 does not exist, entering the command will create VLAN 100.
  • How can I verify VLAN information on a Cisco switch?
    VLAN information can be verified using the show vlan command with various parameters, such as brief, id [VLAN ID], name [VLAN Name], or summary. The show interfaces command can also display information about switch ports and VLAN assignments.
  • What is the recommended command for VLAN verification?
    The recommended commands for VLAN verification are show vlan brief and show vlan summary. These commands provide a concise overview of all configured VLANs.
  • How can I delete a VLAN on a Cisco switch?
    To delete a VLAN, use the no vlan [VLAN ID] command in global configuration mode. Before deleting a VLAN, it’s advisable to reassign member ports to a different VLAN to ensure uninterrupted communication.

  • Is it possible to delete the entire vlan.dat file on a Cisco switch?
    The delete flash:vlan.dat command in privileged EXEC mode deletes the entire vlan.dat file. This action, followed by a switch reload, restores the switch to its factory default condition for VLAN configuration.