2.1 VLANs — Configuration and Verification
Key Takeaways
- A VLAN (Virtual LAN) is a logical broadcast domain that can span multiple switches.
- Access ports carry traffic for a single VLAN; trunk ports carry traffic for multiple VLANs.
- VLAN 1 is the default VLAN on all Cisco switches—all ports are in VLAN 1 unless reassigned.
- Normal-range VLANs (1-1005) are stored in vlan.dat; extended-range VLANs (1006-4094) require VTP transparent mode (or VTP version 3).
- VLANs improve security by segmenting traffic—hosts in different VLANs cannot communicate without a Layer 3 device.
A VLAN (Virtual Local Area Network) is a logical grouping of switch ports that creates a separate broadcast domain. VLANs allow you to segment a physical network into multiple logical networks without requiring separate physical switches.
Why Use VLANs?
| Benefit | Explanation |
|---|---|
| Security | Sensitive traffic (e.g., management, finance) stays isolated |
| Broadcast control | Broadcasts are contained within the VLAN, reducing unnecessary traffic |
| Flexibility | Users can be grouped logically regardless of physical location |
| Performance | Smaller broadcast domains = less broadcast overhead |
| Simplified management | Move users between VLANs by reassigning switch ports |
VLAN Ranges
| Range | VLANs | Description |
|---|---|---|
| Normal range | 1-1005 | Standard VLANs, stored in vlan.dat |
| Extended range | 1006-4094 | Requires VTP transparent mode or VTP v3 |
| Reserved | 1002-1005 | FDDI and Token Ring (cannot be deleted) |
| Default | 1 | All ports belong to VLAN 1 by default |
| Native | 1 (default) | Untagged traffic on trunk links |
Access Ports
An access port belongs to a single VLAN and carries traffic for that VLAN only. Endpoints (PCs, printers, phones) connect to access ports.
Configuring an Access Port
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Configuring Multiple Ports at Once
Switch(config)# interface range GigabitEthernet0/1 - 12
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 10
Creating VLANs
Switch(config)# vlan 10
Switch(config-vlan)# name SALES
Switch(config-vlan)# exit
Switch(config)# vlan 20
Switch(config-vlan)# name ENGINEERING
Switch(config-vlan)# exit
Switch(config)# vlan 30
Switch(config-vlan)# name MANAGEMENT
Switch(config-vlan)# exit
Verification Commands
Switch# show vlan brief ! Shows all VLANs and port assignments
Switch# show vlan id 10 ! Shows details for VLAN 10
Switch# show interfaces GigabitEthernet0/1 switchport ! Shows port VLAN assignment
Switch# show mac address-table vlan 10 ! Shows MAC table for VLAN 10
Sample "show vlan brief" Output
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/13-24
10   SALES                            active    Gi0/1-4
20   ENGINEERING                      active    Gi0/5-8
30   MANAGEMENT                       active    Gi0/9-12
Default VLAN Behavior
- All ports are in VLAN 1 by default
- VLAN 1 cannot be deleted or renamed
- It is a security best practice to move all user ports out of VLAN 1
- The default native VLAN for trunks is also VLAN 1
On the Exam: If a question asks "Which VLAN do all switch ports belong to by default?" the answer is always VLAN 1. Questions may also test whether you know that VLAN 1 cannot be deleted.
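As an added check that is not part of this guide, the script below parses "show vlan brief" output in the layout shown in the sample above and lists the ports still sitting in VLAN 1, the condition the best practice above says to fix. The sample output is constructed, and the function names are assumptions of this example, not IOS commands.

```python
import re

# Constructed sample in the layout of "show vlan brief"; IOS wraps long port
# lists onto indented continuation lines and prints ranges or comma lists.
SAMPLE = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/13, Gi0/14, Gi0/15, Gi0/16
                                                Gi0/17, Gi0/18
10   SALES                            active    Gi0/1, Gi0/2, Gi0/3, Gi0/4
20   ENGINEERING                      active    Gi0/5, Gi0/6, Gi0/7, Gi0/8
30   MANAGEMENT                       active    Gi0/9-12
1002 fddi-default                     act/unsup
"""

ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s*(.*)$")
PORT_RANGE = re.compile(r"^([A-Za-z]+\d+/)(\d+)-(\d+)$")

def expand_ports(field):
    """Turn 'Gi0/1, Gi0/2' or 'Gi0/9-12' into a list of interface names."""
    ports = []
    for token in [t.strip() for t in field.split(",") if t.strip()]:
        m = PORT_RANGE.match(token)
        if m:  # range such as Gi0/9-12 -> Gi0/9, Gi0/10, Gi0/11, Gi0/12
            prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
            ports.extend(f"{prefix}{n}" for n in range(lo, hi + 1))
        else:
            ports.append(token)
    return ports

def parse_vlan_brief(text):
    """Return {vlan_id: {"name": str, "status": str, "ports": [...]}}."""
    vlans, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("VLAN", "----")):
            continue  # blank or header line
        if line[0].isspace():  # continuation of the previous VLAN's port list
            if current is not None:
                vlans[current]["ports"] += expand_ports(line)
            continue
        m = ROW.match(line)
        if not m:
            continue
        current = int(m.group(1))
        vlans[current] = {"name": m.group(2), "status": m.group(3),
                          "ports": expand_ports(m.group(4))}
    return vlans

def ports_in_vlan1(vlans):
    """Ports still in the default VLAN; these should be moved to a user VLAN."""
    return vlans.get(1, {"ports": []})["ports"]
```

Run it over saved output from each switch and treat a non-empty result as a finding to remediate with "switchport access vlan".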
Voice VLAN
The voice VLAN feature allows a switch port to carry traffic for both a data VLAN and a voice VLAN simultaneously. This is used when an IP phone and a PC share the same switch port.
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10 ! Data VLAN
Switch(config-if)# switchport voice vlan 50 ! Voice VLAN
The IP phone receives voice traffic on VLAN 50 (tagged with 802.1Q) and passes data traffic from the connected PC on VLAN 10 (untagged).
Review Questions
- What is the default VLAN on a Cisco switch, and can it be deleted?
- Which command assigns a switch port to VLAN 20?
- What is the normal range for VLAN IDs on a Cisco switch?