How to Configure VLANs on Cisco Switches
Create VLANs, configure access and trunk ports, enable inter-VLAN routing — with IOS commands
VLANs are fundamental to every enterprise network design and one of the most heavily tested topics on CCNA. This guide covers VLAN configuration from scratch — creating VLANs, assigning ports, configuring trunks, and enabling inter-VLAN routing using a router-on-a-stick or Layer 3 switch.
Create VLANs in the VLAN database
VLANs must be created on the switch before they can be assigned to ports. The VLAN database stores VLAN information in vlan.dat in flash, separately from the running-config, so VLANs survive an 'erase startup-config' unless vlan.dat is deleted as well.
SW1(config)# vlan 10
SW1(config-vlan)# name SALES
SW1(config-vlan)# exit
SW1(config)# vlan 20
SW1(config-vlan)# name IT
SW1(config-vlan)# exit
SW1(config)# vlan 30
SW1(config-vlan)# name MANAGEMENT
SW1(config-vlan)# exit
! Verify
SW1# show vlan brief
Always name your VLANs. 'VLAN0010' is meaningless in a troubleshooting session — 'SALES' is immediately clear. VLAN names only exist on the local switch; they are not propagated by 802.1Q trunking.
Configure access ports
Access ports carry traffic for a single VLAN and connect to end hosts (PCs, printers, servers). The host does not know it is on a VLAN.
SW1(config)# interface GigabitEthernet0/1
SW1(config-if)# switchport mode access
SW1(config-if)# switchport access vlan 10
SW1(config-if)# spanning-tree portfast
SW1(config-if)# no shutdown
! Verify
SW1# show interfaces GigabitEthernet0/1 switchport
! Look for: Administrative Mode: static access
! Operational Mode: static access
! Access Mode VLAN: 10 (SALES)
'spanning-tree portfast' on access ports lets them enter the forwarding state immediately instead of waiting through the STP listening and learning states (15s + 15s delay). Never enable portfast on ports connected to other switches, and pair it with BPDU Guard so the port is err-disabled if a BPDU ever arrives on it.
Configure trunk ports
Trunk ports carry traffic for multiple VLANs between switches, and between a switch and a router-on-a-stick. They use 802.1Q tagging to identify which VLAN each frame belongs to.
SW1(config)# interface GigabitEthernet0/24
! Only needed on platforms that support ISL as well as 802.1Q (e.g., Catalyst 3560/3750);
! 802.1Q-only switches such as the 2960 do not accept this command
SW1(config-if)# switchport trunk encapsulation dot1q
SW1(config-if)# switchport mode trunk
! Set the native VLAN explicitly (the default is VLAN 1)
SW1(config-if)# switchport trunk native vlan 99
SW1(config-if)# switchport trunk allowed vlan 10,20,30
! Verify
SW1# show interfaces GigabitEthernet0/24 trunk
! Check: VLANs allowed and active in management domain
VLAN 1 is the default native VLAN on all Cisco switches. Best practice: change the native VLAN to an unused VLAN (e.g., VLAN 99) to prevent VLAN hopping attacks. Ensure both ends of a trunk agree on the native VLAN — a native VLAN mismatch causes CDP warnings and potential traffic leakage. Note that with the allowed list above, VLAN 99 is not carried across this trunk at all; if the native VLAN is meant to carry traffic, it must also exist in the VLAN database and be included in the allowed list.
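The native VLAN behaviour described above, as an added example that is not part of the original page: a Python model of two 802.1Q trunk ports that builds the actual tagged and untagged Ethernet frames (TPID 0x8100 followed by a 12-bit VLAN ID) and then sends traffic across a matched trunk and across a trunk whose far end was left at the defaults. It goes beyond the text by also showing allowed-list pruning. The MAC addresses and payload are constructed and the port names are hypothetical.

```python
"""Byte-level model of how an 802.1Q trunk tags frames and treats the native VLAN.
Added example, not from the original page; MACs and payload below are constructed."""
import struct
from dataclasses import dataclass
from typing import Optional, Set

TPID_8021Q = 0x8100                      # EtherType that announces a VLAN tag
ETYPE_IPV4 = 0x0800
DST = bytes.fromhex("001122334455")      # constructed destination MAC
SRC = bytes.fromhex("66778899aabb")      # constructed source MAC
PAYLOAD = b"\x45" + b"\x00" * 19         # constructed dummy IPv4 header


@dataclass
class TrunkPort:
    """One end of an 802.1Q trunk, as set with 'switchport trunk native vlan'
    and 'switchport trunk allowed vlan'. Hypothetical names are used in demo()."""
    name: str
    native_vlan: int = 1                        # Cisco default when not set explicitly
    allowed_vlans: Optional[Set[int]] = None    # None = all VLANs allowed (the default)

    def allows(self, vlan: int) -> bool:
        return self.allowed_vlans is None or vlan in self.allowed_vlans

    def transmit(self, vlan: int) -> Optional[bytes]:
        """Frame placed on the wire for traffic from 'vlan'; None if the VLAN is pruned."""
        if not self.allows(vlan):
            return None
        if vlan == self.native_vlan:
            # Native VLAN traffic leaves the trunk untagged
            return DST + SRC + struct.pack("!H", ETYPE_IPV4) + PAYLOAD
        tci = vlan & 0x0FFF                     # PCP=0, DEI=0, 12-bit VID
        return (DST + SRC + struct.pack("!HH", TPID_8021Q, tci)
                + struct.pack("!H", ETYPE_IPV4) + PAYLOAD)

    def receive(self, frame: bytes) -> Optional[int]:
        """VLAN this port assigns to an incoming frame; None if it is dropped."""
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if ethertype == TPID_8021Q:
            vlan = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        else:
            vlan = self.native_vlan             # untagged frames land in the receiver's native VLAN
        return vlan if self.allows(vlan) else None


def cross_trunk(sender: TrunkPort, receiver: TrunkPort, vlan: int) -> Optional[int]:
    """VLAN the receiving switch ends up using for traffic the sender put in 'vlan'."""
    frame = sender.transmit(vlan)
    return None if frame is None else receiver.receive(frame)


def demo() -> dict:
    sw1 = TrunkPort("SW1 Gi0/24", native_vlan=99, allowed_vlans={10, 20, 30, 99})
    sw2 = TrunkPort("SW2 Gi0/24", native_vlan=99, allowed_vlans={10, 20, 30, 99})
    sw2_defaults = TrunkPort("SW2 Gi0/24 (left at defaults)")   # native 1, all allowed
    return {
        "tagged_ok": cross_trunk(sw1, sw2, 10),          # tagged VID 10 -> VLAN 10
        "native_ok": cross_trunk(sw1, sw2, 99),          # untagged -> peer native 99
        "pruned": cross_trunk(sw1, sw2, 40),             # not in allowed list -> None
        "mismatch_leak": cross_trunk(sw1, sw2_defaults, 99),  # untagged -> peer native 1
    }


if __name__ == "__main__":
    for case, vlan in demo().items():
        print(f"{case}: {vlan}")
```

The last case is the mismatch the text warns about: SW1 sends VLAN 99 untagged because 99 is its native VLAN, and a peer still on the default native VLAN 1 has no way to tell, so the frame is forwarded inside VLAN 1.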
Disable DTP and prevent unauthorised trunking
Dynamic Trunking Protocol (DTP) allows switches to auto-negotiate trunking. This is a security risk on access ports — disable it explicitly.
! On all access ports — disable DTP
SW1(config)# interface range GigabitEthernet0/1-20
SW1(config-if-range)# switchport mode access
SW1(config-if-range)# switchport nonegotiate
! On trunk ports between switches — also disable DTP after manually configuring trunk
SW1(config)# interface GigabitEthernet0/24
SW1(config-if)# switchport mode trunk
SW1(config-if)# switchport nonegotiate
'switchport nonegotiate' disables DTP frame generation on the port. Without it, a malicious device can send DTP frames and negotiate a trunk, potentially gaining access to all VLANs — a VLAN hopping attack.
Configure inter-VLAN routing (router-on-a-stick)
Devices in different VLANs cannot communicate directly — traffic must be routed. Router-on-a-stick uses subinterfaces on a single router interface to route between VLANs.
! On the router — create subinterfaces
R1(config)# interface GigabitEthernet0/0.10
R1(config-subif)# encapsulation dot1Q 10
R1(config-subif)# ip address 192.168.10.1 255.255.255.0
R1(config)# interface GigabitEthernet0/0.20
R1(config-subif)# encapsulation dot1Q 20
R1(config-subif)# ip address 192.168.20.1 255.255.255.0
! Native VLAN subinterface — the 'native' keyword means this subinterface receives untagged frames
R1(config)# interface GigabitEthernet0/0.99
R1(config-subif)# encapsulation dot1Q 99 native
R1(config-subif)# ip address 192.168.99.1 255.255.255.0
! Enable the physical interface
R1(config)# interface GigabitEthernet0/0
R1(config-if)# no shutdown
The subinterface number (e.g., .10) doesn't have to match the VLAN number, but making them match is best practice and avoids confusion. The 'encapsulation dot1Q' command is what maps the subinterface to the VLAN.
Verify VLAN operation
Use these show commands to confirm VLANs are configured correctly and traffic is flowing as expected.
! Check VLAN database
SW1# show vlan brief
! Check trunk port status
SW1# show interfaces trunk
! Check which VLANs are allowed on a specific trunk
SW1# show interfaces GigabitEthernet0/24 trunk
! Check MAC address table per VLAN
SW1# show mac address-table vlan 10
! Check VLAN membership per interface
SW1# show interfaces GigabitEthernet0/1 switchport
Key tips
Always verify trunk ports with 'show interfaces trunk' — the 'VLANs allowed and active in management domain' column shows which VLANs are actually passing traffic.
Native VLAN mismatch is a common exam scenario — it causes CDP warning messages, and because native VLAN frames cross the trunk untagged, a frame sent in one switch's native VLAN is placed into the other switch's (different) native VLAN on arrival.
Ports in VLAN 1 are active by default on all Cisco switches. Best practice: assign all unused ports to a dedicated 'dead' VLAN (e.g., VLAN 999) and shut them down.
If inter-VLAN routing fails, check that the VLAN ID in the router subinterface's 'encapsulation dot1Q' command matches the VLAN configured on the switch, and that the switch port connected to the router is configured as a trunk that allows that VLAN.
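A defender's check that covers the trunk, DTP and key-tips sections together, added here as an example that is not part of the original page: a Python script that parses the interface stanzas of a 'show running-config' and flags ports that miss the hardening steps above (native VLAN left at 1, no allowed-VLAN list, DTP still enabled, PortFast on a trunk, unused ports active or shut down in VLAN 1). The sample config is constructed, and the interface descriptions in it are hypothetical.

```python
"""Audit a Cisco IOS running-config for the VLAN hardening points in this guide.
Added example, not from the original page; SAMPLE_CONFIG is constructed."""
from typing import Dict, List, Tuple

# Constructed sample running-config with one correctly hardened port of each
# kind and several ports that miss one or more of the steps above.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet0/1
 description SALES-PC
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
!
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
 switchport access vlan 999
 switchport mode access
 shutdown
!
interface GigabitEthernet0/23
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate
!
interface Vlan30
 ip address 192.168.30.2 255.255.255.0
!
"""

SWITCHPORT_PREFIXES = ("gigabitethernet", "fastethernet", "tengigabitethernet")


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [indented config lines]} for every 'interface' stanza."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None            # '!' or another top-level command ends the stanza
    return stanzas


def audit_interface(name: str, lines: List[str]) -> List[str]:
    """Findings for one physical switchport; SVIs and other logical interfaces are skipped."""
    if not name.lower().startswith(SWITCHPORT_PREFIXES):
        return []
    has = lambda prefix: any(l.startswith(prefix) for l in lines)
    findings: List[str] = []
    mode_line = next((l for l in lines if l.startswith("switchport mode ")), None)
    mode = mode_line.split()[2] if mode_line else None     # None = dynamic auto/desirable default
    native = next((int(l.split()[-1]) for l in lines
                   if l.startswith("switchport trunk native vlan ")), 1)
    in_vlan1 = mode != "trunk" and not has("switchport access vlan ")

    if has("shutdown"):
        if in_vlan1:
            findings.append("shut down but still in VLAN 1; move it to an unused 'dead' VLAN")
        return findings
    if mode is None or mode.startswith("dynamic"):
        findings.append("no static switchport mode: DTP can negotiate this port into a trunk")
    elif not has("switchport nonegotiate"):
        findings.append("DTP frames still sent: add 'switchport nonegotiate'")
    if mode == "trunk":
        if native == 1:
            findings.append("native VLAN is 1 (default); set an unused native VLAN")
        if not has("switchport trunk allowed vlan "):
            findings.append("all VLANs allowed on trunk; restrict with 'switchport trunk allowed vlan'")
        if has("spanning-tree portfast"):
            findings.append("PortFast enabled on a trunk port")
    elif in_vlan1:
        findings.append("active port in VLAN 1; assign a VLAN or shut it down")
    return findings


def audit_config(config: str) -> List[Tuple[str, str]]:
    """(interface, finding) pairs for the whole config, in config order."""
    return [(name, f) for name, lines in parse_interfaces(config).items()
            for f in audit_interface(name, lines)]


if __name__ == "__main__":
    for iface, finding in audit_config(SAMPLE_CONFIG):
        print(f"{iface}: {finding}")
```

Run it against the output of 'show running-config' saved to a file; only Gi0/2, Gi0/3 and Gi0/23 in the sample produce findings, and Gi0/23 collects all four trunk-related ones at once.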
Frequently asked questions
What is the difference between an access port and a trunk port?
An access port belongs to a single VLAN and sends untagged frames. It connects to end hosts. A trunk port carries multiple VLANs simultaneously using 802.1Q tags to identify which VLAN each frame belongs to. It connects switches to each other or to a router.
What is the native VLAN?
The native VLAN is the VLAN whose frames are sent untagged across a trunk. Both ends of a trunk must agree on the native VLAN. Mismatches cause traffic to be received on the wrong VLAN. Best practice: change the native VLAN from VLAN 1 to an unused VLAN.
Can I use a Layer 3 switch instead of a router for inter-VLAN routing?
Yes — and it performs better. On a Layer 3 switch, create an SVI (switched virtual interface) with 'interface vlan 10' and assign an IP address. Enable IP routing with 'ip routing'. SVIs route at hardware speed; router-on-a-stick routes in software.