VLAN Configuration
Summary
This topic explains how to configure a switch port to be assigned to a VLAN based on requirements.
VLAN Ranges on Catalyst Switches
Creating VLANs, like most other aspects of networking, is a matter of entering the appropriate commands. This topic details how to configure and verify different types of VLANs.
Different Cisco Catalyst switches support various numbers of VLANs. The number of supported VLANs is large enough to accommodate the needs of most organizations. For example, the Catalyst 2960 and 3650 Series switches support over 4,000 VLANs. Normal range VLANs on these switches are numbered 1 to 1,005 and extended range VLANs are numbered 1,006 to 4,094. The figure illustrates the default VLANs on a Catalyst 2960 switch running Cisco IOS Release 15.x.
```
Switch# show vlan brief
VLAN Name              Status  Ports
---- ----------------- ------- --------------------
1    default           active  Fa0/1, Fa0/2, Fa0/3, Fa0/4
                               Fa0/5, Fa0/6, Fa0/7, Fa0/8
                               Fa0/9, Fa0/10, Fa0/11, Fa0/12
                               Fa0/13, Fa0/14, Fa0/15, Fa0/16
                               Fa0/17, Fa0/18, Fa0/19, Fa0/20
                               Fa0/21, Fa0/22, Fa0/23, Fa0/24
                               Gi0/1, Gi0/2
1002 fddi-default      act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default   act/unsup
1005 trnet-default     act/unsup
```
Normal Range VLANs
The following are characteristics of normal range VLANs:
- They are used in all small- and medium-sized business and enterprise networks.
- They are identified by a VLAN ID between 1 and 1005.
- IDs 1002 through 1005 are reserved for legacy network technologies (i.e., Token Ring and Fiber Distributed Data Interface).
- IDs 1 and 1002 to 1005 are automatically created and cannot be removed.
- Configurations are stored in the switch flash memory in a VLAN database file called vlan.dat.
- When configured, VLAN Trunking Protocol (VTP) helps synchronize the VLAN database between switches.
Extended Range VLANs
The following are characteristics of extended range VLANs:
- They are used by service providers to service multiple customers and by global enterprises large enough to need extended range VLAN IDs.
- They are identified by a VLAN ID between 1006 and 4094.
- Configurations are saved, by default, in the running configuration.
- They support fewer VLAN features than normal range VLANs.
- They require VTP transparent mode configuration.
VLAN Creation Commands
When configuring normal range VLANs, the configuration details are stored in flash memory on the switch in a file called vlan.dat. Flash memory is persistent and does not require the copy running-config startup-config command. However, because other details are often configured on a Cisco switch at the same time that VLANs are created, it is good practice to save running configuration changes to the startup configuration.
The table displays the Cisco IOS command syntax used to add a VLAN to a switch and give it a name. Naming each VLAN is considered a best practice in switch configuration.
Task | IOS Command |
---|---|
Enter global configuration mode. | Switch# configure terminal |
Create a VLAN with a valid ID number. | Switch(config)# vlan vlan-id |
Specify a unique name to identify the VLAN. | Switch(config-vlan)# name vlan-name |
Return to the privileged EXEC mode. | Switch(config-vlan)# end |
VLAN Creation Example
In the topology, the student computer (PC2) has not been associated with a VLAN yet, but it does have an IP address of 172.17.20.22, which belongs to VLAN 20.
The example shows how the student VLAN (VLAN 20) is configured on switch S1.
```
S1# configure terminal
S1(config)# vlan 20
S1(config-vlan)# name student
S1(config-vlan)# end
```
VLAN Port Assignment Commands
After creating a VLAN, the next step is to assign ports to the VLAN.
The table displays the syntax for defining a port to be an access port and assigning it to a VLAN. The switchport mode access command is optional, but strongly recommended as a security best practice. With this command, the interface changes to permanent access mode.
Task | IOS Command |
---|---|
Enter global configuration mode. | Switch# configure terminal |
Enter interface configuration mode. | Switch(config)# interface interface-id |
Set the port to access mode. | Switch(config-if)# switchport mode access |
Assign the port to a VLAN. | Switch(config-if)# switchport access vlan vlan-id |
Return to the privileged EXEC mode. | Switch(config-if)# end |
VLAN Port Assignment Example
In the figure, port F0/6 on switch S1 is configured as an access port and assigned to VLAN 20. Any device connected to that port will be associated with VLAN 20. Therefore, in our example, PC2 is in VLAN 20.
The example shows the configuration for S1 to assign F0/6 to VLAN 20.
```
S1# configure terminal
S1(config)# interface fa0/6
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 20
S1(config-if)# end
```
VLANs are configured on the switch port and not on the end device. PC2 is configured with an IPv4 address and subnet mask that is associated with the VLAN, which is configured on the switch port. In this example, it is VLAN 20. When VLAN 20 is configured on other switches, the network administrator must configure the other student computers to be in the same subnet as PC2 (172.17.20.0/24).
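Because switchport mode access is optional, it is easy to end up with ports that carry a VLAN assignment but were never pinned to permanent access mode, or that were never moved out of the default VLAN. The following is an added example (not part of the original course material) that audits interface stanzas from a running configuration for both conditions. The sample configuration is constructed, the function names are hypothetical, and treating VLAN 1 membership as a finding is this example's own policy assumption.

```python
import re

# Constructed running-config excerpt for illustration (not from a real switch).
SAMPLE_CONFIG = """\
interface FastEthernet0/6
 switchport access vlan 20
 switchport mode access
!
interface FastEthernet0/7
 switchport access vlan 20
!
interface FastEthernet0/8
 switchport mode access
!
interface FastEthernet0/18
 switchport access vlan 20
 switchport mode access
 switchport voice vlan 150
!
interface GigabitEthernet0/1
 switchport mode trunk
"""

ACCESS_VLAN = re.compile(r"switchport access vlan (\d+)")

def parse_interfaces(config_text):
    """Map each interface name to the list of sub-commands in its stanza."""
    interfaces, current = {}, None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command closes the stanza
    return interfaces

def audit_access_ports(config_text):
    """Return (interface, finding) pairs for ports that need attention."""
    findings = []
    for name, cmds in parse_interfaces(config_text).items():
        if "switchport mode trunk" in cmds or "shutdown" in cmds:
            continue  # trunks and disabled ports are out of scope here
        if "switchport mode access" not in cmds:
            findings.append((name, "not set to permanent access mode"))
        matches = [ACCESS_VLAN.fullmatch(c) for c in cmds]
        vlan = next((int(m.group(1)) for m in matches if m), 1)
        if vlan == 1:  # policy assumption: ports should not stay in VLAN 1
            findings.append((name, "still in default VLAN 1"))
    return findings

if __name__ == "__main__":
    for port, issue in audit_access_ports(SAMPLE_CONFIG):
        print(f"{port}: {issue}")
```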
Data and Voice VLANs
An access port can belong to only one data VLAN at a time. However, a port can also be associated with a voice VLAN. For example, a port connected to an IP phone and an end device would be associated with two VLANs: one for voice and one for data.
Consider the topology in the figure. PC5 is connected to the Cisco IP phone, which in turn is connected to the FastEthernet 0/18 interface on S3. To implement this configuration, a data VLAN and a voice VLAN are created.
Data and Voice VLAN Example
Use the switchport voice vlan vlan-id interface configuration command to assign a voice VLAN to a port.
LANs supporting voice traffic typically also have quality of service (QoS) enabled. Voice traffic must be labeled as trusted as soon as it enters the network. Use the mls qos trust [cos | device cisco-phone | dscp | ip-precedence] interface configuration command to set the trusted state of an interface, and to indicate which fields of the packet are used to classify traffic.
The configuration in the example creates the two VLANs (i.e., VLAN 20 and VLAN 150) and then assigns the F0/18 interface of S3 as a switchport in VLAN 20. It also assigns voice traffic to VLAN 150 and enables QoS classification based on the class of service (CoS) assigned by the IP phone.
```
S3(config)# vlan 20
S3(config-vlan)# name student
S3(config-vlan)# vlan 150
S3(config-vlan)# name VOICE
S3(config-vlan)# exit
S3(config)# interface fa0/18
S3(config-if)# switchport mode access
S3(config-if)# switchport access vlan 20
S3(config-if)# mls qos trust cos
S3(config-if)# switchport voice vlan 150
S3(config-if)# end
S3#
```
The switchport access vlan command forces the creation of a VLAN if it does not already exist on the switch. For example, VLAN 30 is not present in the show vlan brief output of the switch. If the switchport access vlan 30 command is entered on any interface with no previous configuration, then the switch displays the following:
% Access VLAN does not exist. Creating vlan 30
Verify VLAN Information
After a VLAN is configured, VLAN configurations can be validated using Cisco IOS show commands.
The show vlan command displays a list of all configured VLANs. The show vlan command can also be used with options. The complete syntax is show vlan [brief | id vlan-id | name vlan-name | summary].
The table describes the show vlan command options.
Task | Command Option |
---|---|
Display VLAN name, status, and its ports one VLAN per line. | brief |
Display information about the identified VLAN ID number. For vlan-id, the range is 1 to 4094. | id vlan-id |
Display information about the identified VLAN name. The vlan-name is an ASCII string from 1 to 32 characters. | name vlan-name |
Display VLAN summary information. | summary |
The show vlan summary command displays the count of all configured VLANs.
```
S1# show vlan summary
Number of existing VLANs              : 7
Number of existing VTP VLANs          : 7
Number of existing extended VLANS     : 0
```
Other useful commands are the show interfaces interface-id switchport and the show interfaces vlan vlan-id commands. For example, the show interfaces fa0/18 switchport command can be used to confirm that the FastEthernet 0/18 port has been correctly assigned to data and voice VLANs.
```
S1# show interfaces fa0/18 switchport
Name: Fa0/18
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 20 (student)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: 150
Administrative private-vlan host-association: none
(Output omitted)
```
Change VLAN Port Membership
There are a number of ways to change VLAN port membership.
If the switch access port has been incorrectly assigned to a VLAN, then simply re-enter the switchport access vlan vlan-id interface configuration command with the correct VLAN ID. For instance, assume Fa0/18 was incorrectly configured to be on the default VLAN 1 instead of VLAN 20. To change the port to VLAN 20, simply enter switchport access vlan 20.
To change the membership of a port back to the default VLAN 1, use the no switchport access vlan interface configuration mode command as shown.
In the example output, Fa0/18 is configured to be on the default VLAN 1, as confirmed by the show vlan brief command.
```
S1(config)# interface fa0/18
S1(config-if)# no switchport access vlan
S1(config-if)# end
S1#
S1# show vlan brief
VLAN Name               Status    Ports
---- ------------------ --------- -------------------------------
1    default            active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                  Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                  Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                  Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                  Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                  Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                  Gi0/1, Gi0/2
20   student            active
1002 fddi-default       act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default    act/unsup
1005 trnet-default      act/unsup
```
Notice that VLAN 20 is still active, even though no ports are assigned to it.
The show interfaces f0/18 switchport output can also be used to verify that the access VLAN for interface F0/18 has been reset to VLAN 1 as shown in the output.
```
S1# show interfaces fa0/18 switchport
Name: Fa0/18
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
```
Delete VLANs
The no vlan vlan-id global configuration mode command is used to remove a VLAN from the switch vlan.dat file.
Caution: Before deleting a VLAN, reassign all member ports to a different VLAN first. Any ports that are not moved to an active VLAN are unable to communicate with other hosts after the VLAN is deleted and until they are assigned to an active VLAN.
The entire vlan.dat file can be deleted using the delete flash:vlan.dat privileged EXEC mode command. The abbreviated command version (delete vlan.dat) can be used if the vlan.dat file has not been moved from its default location. After issuing this command and reloading the switch, any previously configured VLANs are no longer present. This effectively places the switch into its factory default condition with regard to VLAN configurations.
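The caution above can be turned into a pre-change check. The following added example (not part of the original course material) parses show vlan brief output, including the wrapped port lines, and lists the ports that must be reassigned before a VLAN is deleted; it also refuses the IDs that the page says cannot be removed. The sample output is constructed and the function names are hypothetical.

```python
import re

# Constructed sample, laid out like the show vlan brief output on this page.
SAMPLE_OUTPUT = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
20   student                          active    Fa0/11, Fa0/18
150  VOICE                            active    Fa0/18
1002 fddi-default                     act/unsup
"""

ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_vlan_brief(output):
    """Return {vlan_id: {"name", "status", "ports"}}, joining wrapped port lines."""
    vlans, current = {}, None
    for line in output.splitlines():
        row = ROW.match(line)
        if row:
            current = int(row.group(1))
            vlans[current] = {"name": row.group(2), "status": row.group(3), "ports": []}
            port_text = row.group(4)
        elif current is not None and line[:1].isspace():
            port_text = line  # continuation line: ports only
        else:
            continue  # header, separator, or blank line
        vlans[current]["ports"] += [p for p in re.split(r"[,\s]+", port_text) if p]
    return vlans

def ports_to_reassign(output, vlan_id):
    """List the ports to move to another VLAN before running 'no vlan <vlan_id>'."""
    if vlan_id == 1 or 1002 <= vlan_id <= 1005:
        raise ValueError(f"VLAN {vlan_id} is created automatically and cannot be removed")
    vlans = parse_vlan_brief(output)
    if vlan_id not in vlans:
        raise KeyError(f"VLAN {vlan_id} is not in the show vlan brief output")
    return vlans[vlan_id]["ports"]

if __name__ == "__main__":
    print("Reassign before deleting VLAN 20:", ports_to_reassign(SAMPLE_OUTPUT, 20))
```

An empty list means no port would be stranded by the deletion.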
Syntax Checker – VLAN Configuration
In this Syntax Checker activity, you will implement and verify a VLAN configuration for switch interfaces based on the specified requirements.
Complete the following steps to create a data VLAN:
- Enter global configuration mode.
- Create VLAN 20.
- Name the VLAN student.
- Return to privileged EXEC mode.
```
S1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
S1(config)#vlan 20
S1(config-vlan)#name student
S1(config-vlan)#end
*Mar 31, 08:55:14.5555: %SYS-5-CONFIG_I: Configured from console by console
```
Display the brief VLAN information.
```
S1#show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gi0/1, Gi0/2
20   student                          active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
```
Complete the following steps to create a voice VLAN:
- Enter global configuration mode.
- Create VLAN 150.
- Name the VLAN VOICE.
- Return to global configuration mode.
```
S1#configure terminal
S1(config)#vlan 150
S1(config-vlan)#name VOICE
S1(config-vlan)#exit
```
Complete the following steps to assign the data and voice VLANs to a port:
- Enter interface configuration mode. Use fa0/18 as the interface designation.
- Configure the port as an access port.
- Assign the data VLAN 20 to the port.
- Enable QoS settings with the mls qos trust cos command.
- Assign the voice VLAN 150 to the port.
- Return to privileged EXEC mode.
```
S1(config)#interface fa0/18
S1(config-if)#switchport mode access
S1(config-if)#switchport access vlan 20
S1(config-if)#mls qos trust cos
S1(config-if)#switchport voice vlan 150
S1(config-if)#end
```
Display the brief VLAN information.
```
S1#show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/19, Fa0/20, Fa0/21
                                                Fa0/22, Fa0/23, Fa0/24, Gi0/1
                                                Gi0/2
20   student                          active    Fa0/18
150  VOICE                            active    Fa0/18
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
```
Complete the following steps to remove the data VLAN assignment from a port and verify the change:
- Enter global configuration mode.
- Enter interface configuration mode. Use fa0/18 as the interface designation.
- Remove the data VLAN from the port.
- Use the do form of the command to display brief VLAN information.
```
S1#configure terminal
S1(config)#interface fa0/18
S1(config-if)#no switchport access vlan
S1(config-if)#do show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gi0/1, Gi0/2
20   student                          active
150  VOICE                            active    Fa0/18
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
```
Complete the following steps to assign VLAN 20 to another interface.
- Enter interface configuration mode. Use fa0/11 as the interface designation.
- Assign VLAN 20 to the port.
- Return to privileged EXEC mode.
```
S1(config-if)#interface fa0/11
S1(config-if)#switchport mode access
S1(config-if)#switchport access vlan 20
S1(config-if)#end
```
Display the brief VLAN information.
```
S1#show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/12, Fa0/13
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gig0/1, Gig0/2
20   student                          active    Fa0/11, Fa0/18
150  VOICE                            active    Fa0/18
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
```
Display the VLAN information specifically for the student VLAN.
```
S1#show vlan name student
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
20   student                          active    Fa0/11, Fa0/18

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
20   enet  100020     1500  -      -      -        -    -        0      0
```
Display summary information for VLANs.
```
S1#show vlan summary
Number of existing VLANs              : 7
Number of existing VTP VLANs          : 7
Number of existing extended VLANS     : 0
```
Display the interface information for VLAN 20.
```
S1#show interfaces vlan 20
Vlan20 is up, line protocol is up
  Hardware is CPU Interface, address is 0007.ec74.61d3 (bia 0007.ec74.61d3)
  MTU 1500 bytes, BW 100000 Kbit, DLY 1000000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 21:40:21, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     1682 packets input, 530955 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicast)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     563859 packets output, 0 bytes, 0 underruns
     0 output errors, 23 interface resets
     0 output buffer failures, 0 output buffers swapped out
```
Display the switchport information. Use fa0/11 for the interface designation.
```
S1#show interface fa0/11 switchport
Name: Fa0/11
Switchport: Enabled
Administrative Mode: static access
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 20 (Students)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
(output omitted)
```
Packet Tracer – VLAN Configuration
In this Packet Tracer activity, you will perform the following:
- Verify the Default VLAN Configuration
- Configure VLANs
- Assign VLANs to Ports