2.1 VLANs — Configuration and Verification
Key Takeaways
- A VLAN (Virtual Local Area Network) is a logical broadcast domain that can span multiple switches, segmenting one physical switch into many isolated Layer 2 networks.
- Access ports carry untagged traffic for exactly one VLAN; trunk ports carry tagged traffic for many VLANs.
- VLAN 1 is the default and cannot be deleted or renamed; every port starts in VLAN 1 until reassigned.
- Normal-range VLANs (1-1005) live in flash:vlan.dat; extended-range VLANs (1006-4094) require VTP transparent mode or VTP version 3.
- Hosts in different VLANs are different broadcast domains and different IP subnets, so they cannot talk without a Layer 3 device.
What a VLAN Actually Is
A VLAN (Virtual Local Area Network) is a logically separate broadcast domain created in switch software. Without VLANs, every port on a switch shares one broadcast domain, so a broadcast (such as an ARP request) floods to every device. A VLAN partitions that single domain into many, so a broadcast in VLAN 10 never reaches a port in VLAN 20. On the CCNA 200-301 v1.1 exam, expect the rule that a VLAN equals one broadcast domain and, by design, one IPv4 subnet.
VLANs deliver three benefits the exam tests directly: segmentation (separate Sales, Engineering, and VoIP traffic), security (a compromised host in VLAN 30 cannot ARP-spoof a host in VLAN 10), and flexibility (a user keeps the same VLAN regardless of which physical switch port they plug into). Devices in different VLANs require a router or Layer 3 switch to communicate, covered in section 2.8.
VLAN Ranges and Where They Live
Cisco divides VLAN IDs into two ranges. Memorize the exact numbers; the exam asks them as fill-in-blank.
| Range | IDs | Storage | Notes |
|---|---|---|---|
| Normal | 1-1005 | flash:vlan.dat | Propagated by VTP; 1002-1005 reserved for legacy FDDI/Token Ring |
| Extended | 1006-4094 | running-config | Requires VTP transparent mode or VTP v3 |
VLAN 1 and 1002-1005 cannot be deleted. VLAN 1 is the default native VLAN on trunks and the default management VLAN (interface vlan 1); every access port belongs to it until you reassign it. A common trap: erasing the startup-config does not remove normal-range VLANs, because they live in vlan.dat rather than in the configuration. To fully wipe VLAN data you must delete flash:vlan.dat and reload (pair it with erase startup-config if you also want the port assignments gone).
Configuring an Access Port
Two steps create a VLAN and assign a port. Creating the VLAN in config mode is optional because assigning a port to a non-existent VLAN auto-creates it, but defining a name is best practice:
Switch(config)# vlan 20
Switch(config-vlan)# name SALES
Switch(config-vlan)# exit
Switch(config)# interface gi0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 20
Both commands matter on the exam: switchport mode access hard-codes the port as an access port (disabling DTP negotiation), and switchport access vlan 20 places it in VLAN 20. Either one alone leaves the port in a state the exam will ask about. If you skip the VLAN-creation step, IOS prints "% Access VLAN does not exist. Creating vlan 20" and builds it for you.
Voice VLAN trap: an IP phone with a PC behind it uses one access (data) VLAN plus one voice VLAN on the same port: switchport voice vlan 150. This is the one sanctioned case of two VLANs on an access port — the phone tags voice frames, the PC sends untagged data frames.
Verification Commands
These commands appear constantly in exam simlets. Know what each reveals:
- show vlan brief - lists every VLAN and the access ports assigned to it. Trunk ports do not appear here.
- show vlan id 20 - details for one VLAN, including its ports and type.
- show interfaces gi0/1 switchport - shows administrative/operational mode, the access VLAN, the native VLAN, and the voice VLAN for one port.
- show mac address-table vlan 20 - confirms learned MACs in a VLAN.
If a port is missing from show vlan brief, it is likely a trunk or is err-disabled. A frequent troubleshooting scenario: a PC cannot reach its gateway, and show interfaces switchport reveals the port is in VLAN 1 instead of the intended VLAN 20 — someone forgot switchport access vlan 20. Always confirm the Access Mode VLAN line matches the host's subnet.
VLAN Design and the Same-Subnet Rule
A durable mental model for the exam: one VLAN equals one IPv4 subnet equals one broadcast domain. If you put hosts 10.0.10.5 and 10.0.20.5 into the same VLAN, they will broadcast to each other but cannot communicate at Layer 3 because their addresses are in different subnets — and conversely, two hosts in the same subnet but different VLANs cannot reach each other without a router. Many simlet failures trace back to a host configured with an IP that does not match the subnet of the VLAN its switch port lives in.
Whenever a single host "can't reach anything," check both its VLAN assignment and that its IP/mask/gateway align with that VLAN's subnet.
Data, Voice, and Management VLANs
Real designs separate traffic types into distinct VLANs for security and quality of service. A typical layout uses a data VLAN for PCs, a voice VLAN for IP phones, a native VLAN (an unused ID) for untagged trunk traffic, and a management VLAN for switch SVIs, SSH, and SNMP. Keeping management off VLAN 1 is a security best practice because VLAN 1 carries control traffic (CDP, DTP, VTP, STP BPDUs) and is the default everywhere, making it a predictable target.
A common hardening recipe: move all access ports off VLAN 1, set an unused native VLAN, and assign management to its own VLAN with an access list restricting who can reach the SVI.
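To check a switch against the hardening recipe above and the troubleshooting points from the verification section, an added example (not from the original page) that parses show interfaces switchport output port by port and flags access ports left in VLAN 1, access VLANs that differ from an intended plan, ports still negotiating via DTP, and trunks whose native VLAN is still 1. The show output is constructed to resemble IOS formatting, trimmed to the fields the audit reads; the intended-VLAN plan is an assumption.

```python
"""
Audit 'show interfaces switchport' output for VLAN misconfigurations.
Added example; the show output and the intended-VLAN plan are
constructed, not captured from a real switch.
"""
import re

# Constructed sample: four ports, fields trimmed to those the audit uses.
SHOW_SWITCHPORT = """\
Name: Gi0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Negotiation of Trunking: Off
Access Mode VLAN: 20 (SALES)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: 150 (VOICE)

Name: Gi0/2
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none

Name: Gi0/3
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Negotiation of Trunking: On
Access Mode VLAN: 20 (SALES)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none

Name: Gi0/24
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
"""

# Assumed intended access-VLAN plan (constructed): port name -> VLAN ID.
INTENDED_ACCESS_VLAN = {"Gi0/1": 20, "Gi0/2": 20, "Gi0/3": 20}

FIELD = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.+)$", re.M)


def parse_switchport(text):
    """Split the output into one dict of 'key: value' fields per 'Name:' block."""
    ports = []
    for block in re.split(r"\n(?=Name: )", text.strip()):
        fields = {m["key"].strip(): m["value"].strip() for m in FIELD.finditer(block)}
        if "Name" in fields:
            ports.append(fields)
    return ports


def vlan_id(value):
    """'20 (SALES)' -> 20; IOS prints the ID first and the name in parentheses."""
    return int(value.split()[0])


def audit(text, intended=INTENDED_ACCESS_VLAN):
    """Return {port: [finding, ...]} for every port with at least one problem."""
    findings = {}
    for p in parse_switchport(text):
        name, issues = p["Name"], []
        admin, oper = p["Administrative Mode"], p["Operational Mode"]
        access = vlan_id(p["Access Mode VLAN"])
        native = vlan_id(p["Trunking Native Mode VLAN"])

        # 'switchport access vlan' without 'switchport mode access' leaves the
        # port in a dynamic mode; a peer speaking DTP can turn it into a trunk.
        if admin.startswith("dynamic") or p["Negotiation of Trunking"] == "On":
            issues.append("DTP negotiation is on; set a static mode and switchport nonegotiate")

        if oper == "static access":
            if access == 1:
                issues.append("access port still in VLAN 1")
            want = intended.get(name)
            if want is not None and access != want:
                issues.append(f"access VLAN is {access}, intended {want}")
        elif oper == "trunk":
            # Trunks never appear in 'show vlan brief'; this is where to catch them.
            if native == 1:
                issues.append("trunk native VLAN is 1; move it to an unused VLAN")

        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for port, issues in audit(SHOW_SWITCHPORT).items():
        print(port, "->", "; ".join(issues))
```

Gi0/1 is the correctly configured data-plus-voice port and produces no findings; Gi0/2 is the "forgot switchport access vlan 20" case from the verification section, Gi0/3 has the access VLAN but is still negotiating, and Gi0/24 is a trunk carrying untagged traffic on VLAN 1 with DTP on.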
Common VLAN Exam Traps
Watch for these recurring trick points. First, deleting a VLAN does not move its member ports back to VLAN 1: they become inactive and stop forwarding until reassigned, which silently isolates those hosts. Second, the switchport access vlan command alone does not make a port an access port; without switchport mode access, the port stays in a dynamic mode and may still negotiate a trunk via DTP. Third, extended-range VLANs (1006-4094) behave differently by VTP version: with VTP version 1 or 2 they can only be created in transparent mode and are kept in the running-config rather than vlan.dat, so attempting to create VLAN 2000 in VTP server mode fails; VTP version 3 can create and propagate them from server mode.
Fourth, the reserved VLANs 1002-1005 always appear in show vlan brief and cannot be removed, so do not be alarmed to see them. Finally, remember that show vlan brief never lists trunk ports, so a "missing" port there is frequently just a trunk doing its job.
Review Questions
- What is the default VLAN on a Cisco switch, and can it be deleted?
- Which command assigns a switch port to VLAN 20 as an access port?
- Where are normal-range VLANs (1-1005) stored on a Cisco switch?