VLAN Configuration CCNA

Summary

In this topic, you configure a switch port to be assigned to a VLAN based on requirements.

Note: This topic is part of Module 3 of the Cisco CCNA 2 course. To follow the course in order, go to the CCNA 2 section.

VLAN Ranges on Catalyst Switches

Creating VLANs, like most other aspects of networking, is a matter of entering the appropriate commands. This topic details how to configure and verify different types of VLANs.

Different Cisco Catalyst switches support various numbers of VLANs. The number of supported VLANs is large enough to accommodate the needs of most organizations. For example, the Catalyst 2960 and 3650 Series switches support over 4,000 VLANs. Normal range VLANs on these switches are numbered 1 to 1,005 and extended range VLANs are numbered 1,006 to 4,094. The figure illustrates the default VLANs on a Catalyst 2960 switch running Cisco IOS Release 15.x.

Switch# show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gi0/1, Gi0/2
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

Normal Range VLANs

The following are characteristics of normal range VLANs:

  • They are used in all small- and medium-sized business and enterprise networks.
  • They are identified by a VLAN ID between 1 and 1005.
  • IDs 1002 through 1005 are reserved for legacy network technologies (i.e., Token Ring and Fiber Distributed Data Interface).
  • IDs 1 and 1002 to 1005 are automatically created and cannot be removed.
  • Configurations are stored in the switch flash memory in a VLAN database file called vlan.dat.
  • When configured, VLAN Trunking Protocol (VTP) helps synchronize the VLAN database between switches.

Extended Range VLANs

The following are characteristics of extended range VLANs:

  • They are used by service providers to service multiple customers and by global enterprises large enough to need extended range VLAN IDs.
  • They are identified by a VLAN ID between 1006 and 4094.
  • Configurations are saved, by default, in the running configuration.
  • They support fewer VLAN features than normal range VLANs.
  • VTP transparent mode is required to support extended range VLANs.

Note: 4096 is the upper boundary for the number of VLANs available on Catalyst switches, because there are 12 bits in the VLAN ID field of the IEEE 802.1Q header.

VLAN Creation Commands

When configuring normal range VLANs, the configuration details are stored in flash memory on the switch in a file called vlan.dat. Flash memory is persistent and does not require the copy running-config startup-config command. However, because other details are often configured on a Cisco switch at the same time that VLANs are created, it is good practice to save running configuration changes to the startup configuration.

The table displays the Cisco IOS command syntax used to add a VLAN to a switch and give it a name. Naming each VLAN is considered a best practice in switch configuration.

Task                                          IOS Command
Enter global configuration mode.              Switch# configure terminal
Create a VLAN with a valid ID number.         Switch(config)# vlan vlan-id
Specify a unique name to identify the VLAN.   Switch(config-vlan)# name vlan-name
Return to the privileged EXEC mode.           Switch(config-vlan)# end

VLAN Creation Example

In the topology, the student computer (PC2) has not been associated with a VLAN yet, but it does have an IP address of 172.17.20.22, which belongs to VLAN 20.

The example shows how the student VLAN (VLAN 20) is configured on switch S1.

S1# configure terminal
S1(config)# vlan 20
S1(config-vlan)# name student
S1(config-vlan)# end

Note: In addition to entering a single VLAN ID, a series of VLAN IDs can be entered separated by commas, or a range of VLAN IDs separated by hyphens using the vlan vlan-id command. For example, entering the vlan 100,102,105-107 global configuration command would create VLANs 100, 102, 105, 106, and 107.
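
The list syntax from the note above, combined with the ID ranges described earlier in this topic, as an added Python example (not part of the original course text). It expands a vlan-id list and groups the IDs so that default, reserved and extended range IDs stand out before the command is entered; the function names are illustrative.

```python
import re

RESERVED = range(1002, 1006)      # legacy FDDI / Token Ring IDs listed on this page
ELEMENT = re.compile(r"(\d+)(?:-(\d+))?", re.ASCII)

def expand_vlan_list(spec):
    """Expand a list such as '100,102,105-107' into sorted, unique VLAN IDs."""
    ids = set()
    for part in spec.split(","):
        m = ELEMENT.fullmatch(part.strip())
        if not m:
            raise ValueError(f"not a VLAN ID or range: {part!r}")
        start = int(m.group(1))
        end = int(m.group(2)) if m.group(2) else start
        if start > end:
            # Choice made by this helper: treat a descending range as a typo.
            raise ValueError(f"descending range: {part!r}")
        if start < 1 or end > 4094:
            raise ValueError(f"outside 1-4094: {part!r}")
        ids.update(range(start, end + 1))
    return sorted(ids)

def classify(vlan_id):
    """Map one VLAN ID to the range it falls in, as described on this page."""
    if vlan_id == 1:
        return "default"          # created automatically, cannot be removed
    if vlan_id in RESERVED:
        return "reserved"         # created automatically, cannot be removed
    if vlan_id <= 1005:
        return "normal"           # stored in vlan.dat
    return "extended"             # needs VTP transparent mode

def plan(spec):
    """Group the requested IDs by range for review before the change."""
    groups = {"normal": [], "extended": [], "reserved": [], "default": []}
    for vlan_id in expand_vlan_list(spec):
        groups[classify(vlan_id)].append(vlan_id)
    return groups

if __name__ == "__main__":
    # Constructed request mixing all four classes.
    for group, ids in plan("1,20,100,102,105-107,1002,1006").items():
        print(f"{group:9} {ids}")
```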

VLAN Port Assignment Commands

After creating a VLAN, the next step is to assign ports to the VLAN.

The table displays the syntax for defining a port to be an access port and assigning it to a VLAN. The switchport mode access command is optional, but strongly recommended as a security best practice. With this command, the interface changes to permanent access mode.

Task                                   IOS Command
Enter global configuration mode.       Switch# configure terminal
Enter interface configuration mode.    Switch(config)# interface interface-id
Set the port to access mode.           Switch(config-if)# switchport mode access
Assign the port to a VLAN.             Switch(config-if)# switchport access vlan vlan-id
Return to the privileged EXEC mode.    Switch(config-if)# end

Note: Use the interface range command to simultaneously configure multiple interfaces.

VLAN Port Assignment Example

In the figure, port F0/6 on switch S1 is configured as an access port and assigned to VLAN 20. Any device connected to that port will be associated with VLAN 20. Therefore, in our example, PC2 is in VLAN 20.

The example shows the configuration for S1 to assign F0/6 to VLAN 20.

S1# configure terminal
S1(config)# interface fa0/6
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 20
S1(config-if)# end

VLANs are configured on the switch port and not on the end device. PC2 is configured with an IPv4 address and subnet mask that is associated with the VLAN, which is configured on the switch port. In this example, it is VLAN 20. When VLAN 20 is configured on other switches, the network administrator must configure the other student computers to be in the same subnet as PC2 (172.17.20.0/24).

Data and Voice VLANs

An access port can belong to only one data VLAN at a time. However, a port can also be associated with a voice VLAN. For example, a port connected to an IP phone and an end device would be associated with two VLANs: one for voice and one for data.

Consider the topology in the figure. PC5 is connected to the Cisco IP phone, which in turn is connected to the FastEthernet 0/18 interface on S3. To implement this configuration, a data VLAN and a voice VLAN are created.

Data and Voice VLAN Example

Use the switchport voice vlan vlan-id interface configuration command to assign a voice VLAN to a port.

LANs supporting voice traffic typically also have quality of service (QoS) enabled. Voice traffic must be labeled as trusted as soon as it enters the network. Use the mls qos trust [cos | device cisco-phone | dscp | ip-precedence] interface configuration command to set the trusted state of an interface, and to indicate which fields of the packet are used to classify traffic.

The configuration in the example creates the two VLANs (i.e., VLAN 20 and VLAN 150) and then assigns the F0/18 interface of S3 as a switchport in VLAN 20. It also assigns voice traffic to VLAN 150 and enables QoS classification based on the class of service (CoS) assigned by the IP phone.

S3(config)# vlan 20
S3(config-vlan)# name student
S3(config-vlan)# vlan 150
S3(config-vlan)# name VOICE
S3(config-vlan)# exit
S3(config)# interface fa0/18
S3(config-if)# switchport mode access
S3(config-if)# switchport access vlan 20
S3(config-if)# mls qos trust cos
S3(config-if)# switchport voice vlan 150
S3(config-if)# end
S3#

Note: The implementation of QoS is beyond the scope of this course.

The switchport access vlan command forces the creation of a VLAN if it does not already exist on the switch. For example, VLAN 30 is not present in the show vlan brief output of the switch. If the switchport access vlan 30 command is entered on any interface with no previous configuration, then the switch displays the following:

% Access VLAN does not exist. Creating vlan 30

Verify VLAN Information

After a VLAN is configured, VLAN configurations can be validated using Cisco IOS show commands.

The show vlan command displays a list of all configured VLANs. The show vlan command can also be used with options. The complete syntax is show vlan [brief | id vlan-id | name vlan-name | summary].

The table describes the show vlan command options.

Task                                                                                                           Command Option
Display VLAN name, status, and its ports, one VLAN per line.                                                   brief
Display information about the identified VLAN ID number. For vlan-id, the range is 1 to 4094.                  id vlan-id
Display information about the identified VLAN name. The vlan-name is an ASCII string from 1 to 32 characters.  name vlan-name
Display VLAN summary information.                                                                              summary

The show vlan summary command displays the count of all configured VLANs.

S1# show vlan summary
Number of existing VLANs              : 7
Number of existing VTP VLANs          : 7
Number of existing extended VLANS     : 0

Other useful commands are show interfaces interface-id switchport and show interfaces vlan vlan-id. For example, the show interfaces fa0/18 switchport command can be used to confirm that the FastEthernet 0/18 port has been correctly assigned to data and voice VLANs.

S1# show interfaces fa0/18 switchport
Name: Fa0/18
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 20 (student) 
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: 150
Administrative private-vlan host-association: none
(Output omitted)
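
The verification above can be automated. The following added Python example (not part of the original course text) parses show interfaces switchport output and checks that the port is forced to access mode and carries the intended data and voice VLANs. PAGE_OUTPUT is copied from this page; UNCONFIGURED is a constructed sample of a port left at defaults, and the function names are illustrative.

```python
import re

PAGE_OUTPUT = """\
Name: Fa0/18
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 20 (student)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: 150
Administrative private-vlan host-association: none
"""

# Constructed sample: a port that never received "switchport mode access".
UNCONFIGURED = """\
Name: Fa0/5
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: down
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Voice VLAN: none
"""

def parse_switchport(text):
    """Turn 'Key: value' lines into a dict; lines without a colon are skipped."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def vlan_id(value):
    """'20 (student)' -> 20, '150' -> 150, 'none' or missing -> None."""
    m = re.match(r"\d+", value or "")
    return int(m.group()) if m else None

def check_port(text, data_vlan, voice_vlan=None):
    """Return a list of findings; an empty list means the port matches the intent."""
    f = parse_switchport(text)
    findings = []
    if f.get("Administrative Mode") != "static access":
        findings.append("mode: not static access (switchport mode access not applied)")
    if f.get("Negotiation of Trunking") != "Off":
        findings.append("negotiation: trunk negotiation is not Off")
    access = vlan_id(f.get("Access Mode VLAN"))
    if access != data_vlan:
        findings.append(f"access-vlan: expected {data_vlan}, found {access}")
    voice = vlan_id(f.get("Voice VLAN"))
    if voice != voice_vlan:
        findings.append(f"voice-vlan: expected {voice_vlan}, found {voice}")
    return findings

if __name__ == "__main__":
    print(check_port(PAGE_OUTPUT, data_vlan=20, voice_vlan=150))
    print(check_port(UNCONFIGURED, data_vlan=20, voice_vlan=150))
```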

Change VLAN Port Membership

There are a number of ways to change VLAN port membership.

If the switch access port has been incorrectly assigned to a VLAN, then simply re-enter the switchport access vlan vlan-id interface configuration command with the correct VLAN ID. For instance, assume Fa0/18 was incorrectly configured to be on the default VLAN 1 instead of VLAN 20. To change the port to VLAN 20, simply enter switchport access vlan 20.

To change the membership of a port back to the default VLAN 1, use the no switchport access vlan interface configuration mode command as shown.

In the example output, Fa0/18 is configured to be on the default VLAN 1, as confirmed by the show vlan brief command.

S1(config)# interface fa0/18
S1(config-if)# no switchport access vlan
S1(config-if)# end
S1#
S1# show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gi0/1, Gi0/2
20   student                          active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

Notice that VLAN 20 is still active, even though no ports are assigned to it.

The show interfaces f0/18 switchport output can also be used to verify that the access VLAN for interface F0/18 has been reset to VLAN 1 as shown in the output.

S1# show interfaces fa0/18 switchport
Name: Fa0/18
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)

Delete VLANs

The no vlan vlan-id global configuration mode command is used to remove a VLAN from the switch vlan.dat file.

Caution: Before deleting a VLAN, reassign all member ports to a different VLAN first. Any ports that are not moved to an active VLAN are unable to communicate with other hosts after the VLAN is deleted and until they are assigned to an active VLAN.
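
The caution above can be turned into a pre-change check. The following added Python example (not part of the original course text) parses show vlan brief output, including the continuation lines of the Ports column, and reports which ports must be reassigned before no vlan vlan-id is entered; it also lists active VLANs that have no ports, like VLAN 20 in the earlier output. SAMPLE is abridged from this page's output, the function names are illustrative, and the parser assumes VLAN names without spaces.

```python
import re

# Abridged from the show vlan brief output on this page.
SAMPLE = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
20   student                          active    Fa0/11, Fa0/18
150  VOICE                            active    Fa0/18
1002 fddi-default                     act/unsup
"""

ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s*(.*)$")   # id, name, status, ports
CONT = re.compile(r"^\s*[A-Za-z]+\d+/")               # wrapped Ports column
PROTECTED = {1, 1002, 1003, 1004, 1005}               # cannot be removed

def _ports(field):
    return [p.strip() for p in field.split(",") if p.strip()]

def parse_vlan_brief(text):
    """Return {vlan_id: {'name', 'status', 'ports'}} from show vlan brief text."""
    vlans, current = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            current = int(m.group(1))
            vlans[current] = {"name": m.group(2), "status": m.group(3),
                              "ports": _ports(m.group(4))}
        elif current is not None and CONT.match(line):
            vlans[current]["ports"] += _ports(line)
    return vlans

def delete_precheck(vlans, vid):
    """Return (ok, reason, ports_to_move) for a planned 'no vlan <vid>'."""
    if vid in PROTECTED:
        return False, "default VLAN, cannot be removed", []
    if vid not in vlans:
        return False, "VLAN not present on the switch", []
    ports = vlans[vid]["ports"]
    if ports:
        return False, "reassign member ports first", ports
    return True, "no member ports", []

def unused_vlans(vlans):
    """Active, removable VLANs that currently have no ports assigned."""
    return sorted(v for v, d in vlans.items()
                  if v not in PROTECTED and d["status"] == "active" and not d["ports"])

if __name__ == "__main__":
    table = parse_vlan_brief(SAMPLE)
    print(delete_precheck(table, 20))
    print(unused_vlans(table))
```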

The entire vlan.dat file can be deleted using the delete flash:vlan.dat privileged EXEC mode command. The abbreviated command version (delete vlan.dat) can be used if the vlan.dat file has not been moved from its default location. After issuing this command and reloading the switch, any previously configured VLANs are no longer present. This effectively places the switch into its factory default condition with regard to VLAN configurations.

Note: To restore a Catalyst switch to its factory default condition, unplug all cables except the console and power cable from the switch. Then enter the erase startup-config privileged EXEC mode command followed by the delete vlan.dat command.

Syntax Checker – VLAN Configuration

In this Syntax Checker activity, you will implement and verify a VLAN configuration for switch interfaces based on the specified requirements.

Complete the following steps to create a data VLAN:

  • Enter global configuration mode.
  • Create VLAN 20.
  • Name the VLAN student.
  • Return to privileged EXEC mode.

S1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
S1(config)#vlan 20
S1(config-vlan)#name student
S1(config-vlan)#end
*Mar 31, 08:55:14.5555: %SYS-5-CONFIG_I: Configured from console by console

Display the brief VLAN information.

S1#show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gi0/1, Gi0/2
20   student                          active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

Complete the following steps to create a voice VLAN:

  • Enter global configuration mode.
  • Create VLAN 150.
  • Name the VLAN VOICE.
  • Return to global configuration mode.

S1#configure terminal
S1(config)#vlan 150
S1(config-vlan)#name VOICE
S1(config-vlan)#exit

Complete the following steps to assign the data and voice VLANs to a port:

  • Enter interface configuration mode. Use fa0/18 as the interface designation.
  • Configure the port as an access port.
  • Assign the data VLAN 20 to the port.
  • Enable QoS settings with the mls qos trust cos command.
  • Assign the voice VLAN 150 to the port.
  • Return to privileged EXEC mode.

S1(config)#interface fa0/18
S1(config-if)#switchport mode access
S1(config-if)#switchport access vlan 20
S1(config-if)#mls qos trust cos
S1(config-if)#switchport voice vlan 150
S1(config-if)#end

Display the brief VLAN information.

S1#show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/19, Fa0/20, Fa0/21
                                                Fa0/22, Fa0/23, Fa0/24, Gi0/1
                                                Gi0/2
20   student                          active    Fa0/18
150  VOICE                            active    Fa0/18
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

Complete the following steps to remove the data VLAN assignment from a port and verify the change:

  • Enter global configuration mode.
  • Enter interface configuration mode. Use fa0/18 as the interface designation.
  • Remove the data VLAN from the port.
  • Use the do form of the command to display brief VLAN information.

S1#configure terminal
S1(config)#interface fa0/18
S1(config-if)#no switchport access vlan
S1(config-if)#do show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gi0/1, Gi0/2
20   student                          active
150  VOICE                            active    Fa0/18
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

Complete the following steps to assign VLAN 20 to another interface.

  • Enter interface configuration mode. Use fa0/11 as the interface designation.
  • Assign VLAN 20 to the port.
  • Return to privileged EXEC mode.

S1(config-if)#interface fa0/11
S1(config-if)#switchport mode access
S1(config-if)#switchport access vlan 20
S1(config-if)#end

Display the brief VLAN information.

S1#show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/12, Fa0/13
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gig0/1, Gig0/2
20   student                          active    Fa0/11, Fa0/18
150  VOICE                            active    Fa0/18
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

Display the VLAN information specifically for the student VLAN.

S1#show vlan name student
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
20   student                          active    Fa0/11, Fa0/18
VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
20   enet  100020     1500  -      -      -        -    -        0      0

Display summary information for VLANs.

S1#show vlan summary
Number of existing VLANs : 7 
Number of existing VTP VLANs : 7 
Number of existing extended VLANS : 0

Display the interface information for VLAN 20.

S1#show interfaces vlan 20
Vlan20 is up, line protocol is up 
  Hardware is CPU Interface, address is 0007.ec74.61d3 (bia 0007.ec74.61d3) 
  MTU 1500 bytes, BW 100000 Kbit, DLY 1000000 usec, 
     reliability 255/255, txload 1/255, rxload 1/255 
  Encapsulation ARPA, loopback not set 
  ARP type: ARPA, ARP Timeout 04:00:00 
  Last input 21:40:21, output never, output hang never 
  Last clearing of "show interface" counters never 
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 
  Queueing strategy: fifo 
  Output queue: 0/40 (size/max) 
  5 minute input rate 0 bits/sec, 0 packets/sec 
  5 minute output rate 0 bits/sec, 0 packets/sec 
     1682 packets input, 530955 bytes, 0 no buffer 
     Received 0 broadcasts (0 IP multicast) 
     0 runts, 0 giants, 0 throttles 
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored 
     563859 packets output, 0 bytes, 0 underruns 
     0 output errors, 23 interface resets 
     0 output buffer failures, 0 output buffers swapped out

Display the switchport information. Use fa0/11 for the interface designation.

S1#show interface fa0/11 switchport
Name: Fa0/11 
Switchport: Enabled 
Administrative Mode: static access 
Operational Mode: down 
Administrative Trunking Encapsulation: dot1q 
Operational Trunking Encapsulation: native 
Negotiation of Trunking: Off 
Access Mode VLAN: 20 (Students) 
Trunking Native Mode VLAN: 1 (default) 
Voice VLAN: none
(output omitted)

Packet Tracer – VLAN Configuration

In this Packet Tracer activity, you will perform the following:

  • Verify the Default VLAN Configuration
  • Configure VLANs
  • Assign VLANs to Ports
