VLANs (Virtual Local Area Networks) are the foundation of network segmentation in modern enterprise environments. By logically grouping devices into separate broadcast domains, VLANs improve security, reduce congestion, and simplify network management. 802.1Q trunking extends this capability across switches by tagging Ethernet frames with VLAN identifiers, allowing multiple VLANs to traverse a single physical link. This guide walks through the complete process of creating VLANs, configuring access and trunk ports, and verifying operations on Cisco IOS switches. Whether you are preparing for the CCNA or ENCOR certification, these hands-on skills are essential for any network professional managing switched networks.
Create VLANs on the Switch
Begin by entering global configuration mode and creating the VLANs you need. Use the 'vlan' command followed by the VLAN ID, then assign a descriptive name. VLAN 1 is the default and should not be used for user traffic. Create separate VLANs for different departments or functions, such as Data, Voice, and Management.
Switch# configure terminal
Switch(config)# vlan 10
Switch(config-vlan)# name Data
Switch(config-vlan)# exit
Switch(config)# vlan 20
Switch(config-vlan)# name Voice
Switch(config-vlan)# exit
Switch(config)# vlan 100
Switch(config-vlan)# name Management
Switch(config-vlan)# end
Always use descriptive VLAN names to make troubleshooting easier. Avoid VLAN 1 and VLANs 1002-1005, which are reserved.
Do not delete VLAN 1. It is the default VLAN and cannot be removed, but it should not carry user traffic for security reasons.
Assign Access Ports to VLANs
Configure individual switch ports as access ports and assign them to the appropriate VLAN. Access ports carry traffic for a single VLAN and strip any VLAN tags. Use the 'switchport mode access' command followed by 'switchport access vlan' to assign the VLAN. Repeat this for each port connecting to end devices.
Switch(config)# interface gigabitEthernet 0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# exit
Switch(config)# interface gigabitEthernet 0/2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 20
Switch(config-if)# end
Use the 'interface range' command to configure multiple ports at once, e.g., 'interface range gigabitEthernet 0/1-24'.
Ensure the connected device is configured for the same VLAN. Mismatched VLANs will cause connectivity issues.
Configure 802.1Q Trunk Ports
Trunk ports carry traffic for multiple VLANs between switches. On Cisco switches, set the interface to trunk mode using 'switchport mode trunk'. By default, all VLANs are allowed on the trunk, but you should restrict this to only the necessary VLANs for security and performance. Use 'switchport trunk allowed vlan' to specify the VLAN list.
Switch(config)# interface gigabitEthernet 0/24
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk native vlan 99
Switch(config-if)# switchport trunk allowed vlan 10,20,100
Switch(config-if)# end
Set a native VLAN other than VLAN 1 (e.g., VLAN 99) to avoid security risks. The native VLAN is the VLAN into which untagged frames arriving on the trunk are placed, and its frames leave the trunk without a tag.
Both ends of a trunk must have matching native VLANs and allowed VLAN lists. Mismatches can cause VLAN leaks or connectivity loss.
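The tagging behaviour described in this section and in the introduction, as an added example that is not part of the original guide: a minimal 802.1Q encoder/decoder in Python that models what a trunk does on egress (tag every VLAN except the native one), how a trunk classifies frames on ingress (untagged frames land in the native VLAN) and what an access port strips before delivering a frame. The frame bytes and MAC addresses are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value announcing that an 802.1Q tag follows

def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag after the dst/src MAC pair (what a trunk does on egress)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    tci = ((pcp & 0x7) << 13) | vid  # TCI = PCP (3 bits) | DEI (1 bit, 0) | VID (12 bits)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def vlan_of(frame: bytes):
    """Return (pcp, vid) if the frame carries an 802.1Q tag, or None if it is untagged."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci >> 13, tci & 0x0FFF
    return None

def strip_tag(frame: bytes) -> bytes:
    """Remove the tag (what an access port does before handing the frame to the end device)."""
    return frame[:12] + frame[16:] if vlan_of(frame) else frame

def trunk_egress(frame: bytes, vid: int, native_vlan: int) -> bytes:
    """Frames of the native VLAN leave the trunk untagged; every other VLAN is tagged."""
    return frame if vid == native_vlan else tag_frame(frame, vid)

def trunk_ingress(frame: bytes, native_vlan: int) -> int:
    """Classify a frame arriving on a trunk: tagged -> its VID, untagged -> the native VLAN."""
    tag = vlan_of(frame)
    return tag[1] if tag else native_vlan

# Constructed sample frame: broadcast dst MAC, made-up src MAC, EtherType IPv4, 4 payload bytes.
UNTAGGED = bytes.fromhex("ffffffffffff" "0200c0a80a0a" "0800") + b"\xde\xad\xbe\xef"

if __name__ == "__main__":
    on_wire = trunk_egress(UNTAGGED, 10, native_vlan=99)
    print("VLAN 10 across the trunk:", vlan_of(on_wire), "-> classified as", trunk_ingress(on_wire, 99))
    print("native VLAN 99 across the trunk:", vlan_of(trunk_egress(UNTAGGED, 99, 99)),
          "-> classified as", trunk_ingress(UNTAGGED, 99))
```

Because the native VLAN travels untagged, an untagged frame injected on a trunk is classified into whatever the native VLAN is, which is why both ends must agree on it and why it should not be VLAN 1.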
Verify VLAN and Trunk Configuration
Use show commands to verify your configuration. 'show vlan brief' displays all VLANs and their assigned ports. 'show interfaces trunk' shows trunk ports, allowed VLANs, and native VLAN. 'show interfaces status' provides a quick overview of port modes and VLAN assignments. These verification steps are critical for troubleshooting.
Switch# show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/3, Gi0/4, Gi0/5
10   Data                             active    Gi0/1
20   Voice                            active    Gi0/2
100  Management                       active
Switch# show interfaces trunk
Port        Mode             Encapsulation  Status        Native vlan
Gi0/24      on               802.1q         trunking      99

Port        Vlans allowed on trunk
Gi0/24      10,20,100
Use 'show running-config interface [interface]' to see the exact configuration applied to a specific port.
If a trunk port shows 'not-trunking', check that both sides are configured correctly and the cable is functional.
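As an added example that is not part of the original guide: a small Python checker that parses 'show interfaces trunk' output captured from both ends of a trunk and reports the conditions the notes above warn about (native VLAN mismatch, differing allowed lists, native VLAN still 1, VLAN 1 allowed on the trunk, a port that is not trunking). The two sample outputs are constructed: SW_A copies the page's example output, SW_B is a far end left at factory defaults.

```python
def expand_vlans(spec: str) -> set:
    """Expand an IOS VLAN list such as '10,20,100' or '1-4094' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        if part.lower() == "all":
            return set(range(1, 4095))
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_show_trunk(text: str) -> dict:
    """Parse 'show interfaces trunk' output into {port: {mode, status, native, allowed}}."""
    trunks, section = {}, ""
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0] == "Port":        # a column header announces the next section
            section = line
        elif "Native vlan" in section and len(fields) == 5:
            port, mode, _encap, status, native = fields
            trunks[port] = {"mode": mode, "status": status, "native": int(native), "allowed": set()}
        elif "allowed on trunk" in section and len(fields) == 2 and fields[0] in trunks:
            trunks[fields[0]]["allowed"] = expand_vlans(fields[1])
    return trunks

def audit_trunk(local: dict, remote: dict) -> list:
    """Compare one trunk as seen from both ends; an empty list means consistent and hardened."""
    findings = []
    if local["native"] != remote["native"]:
        findings.append(f"native VLAN mismatch: {local['native']} vs {remote['native']}")
    if local["allowed"] != remote["allowed"]:
        findings.append("allowed VLAN lists differ")
    for side, t in (("local", local), ("remote", remote)):
        findings += [f"{side}: {msg}" for hit, msg in (
            (t["native"] == 1, "native VLAN is still 1"),
            (1 in t["allowed"], "VLAN 1 is allowed on the trunk"),
            (t["status"] != "trunking", f"port is {t['status']}")) if hit]
    return findings

# Constructed outputs: SW_A mirrors the page's example; SW_B is the far end left at defaults.
SW_A = ("Port        Mode             Encapsulation  Status        Native vlan\n"
        "Gi0/24      on               802.1q         trunking      99\n\n"
        "Port        Vlans allowed on trunk\nGi0/24      10,20,100\n")
SW_B = ("Port        Mode             Encapsulation  Status        Native vlan\n"
        "Gi0/1       on               802.1q         trunking      1\n\n"
        "Port        Vlans allowed on trunk\nGi0/1       1-4094\n")

if __name__ == "__main__":
    for finding in audit_trunk(parse_show_trunk(SW_A)["Gi0/24"], parse_show_trunk(SW_B)["Gi0/1"]):
        print("FINDING:", finding)
```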
Configure Inter-VLAN Routing (Router-on-a-Stick)
To route traffic between VLANs, configure subinterfaces on a router connected to the trunk. Each subinterface corresponds to a VLAN and uses 802.1Q encapsulation. Assign an IP address from the respective VLAN subnet. This is known as Router-on-a-Stick and is a common CCNA lab scenario.
Router(config)# interface gigabitEthernet 0/0.10
Router(config-subif)# encapsulation dot1Q 10
Router(config-subif)# ip address 192.168.10.1 255.255.255.0
Router(config-subif)# exit
Router(config)# interface gigabitEthernet 0/0.20
Router(config-subif)# encapsulation dot1Q 20
Router(config-subif)# ip address 192.168.20.1 255.255.255.0
Router(config-subif)# exit
Router(config)# interface gigabitEthernet 0/0.100
Router(config-subif)# encapsulation dot1Q 100
Router(config-subif)# ip address 192.168.100.1 255.255.255.0
Router(config-subif)# end
Ensure the router's physical interface is up with 'no shutdown'. The subinterface number does not have to match the VLAN ID, but it is best practice to match them.
Do not assign an IP address to the physical interface when using subinterfaces. The physical interface must be in the 'no shutdown' state but carry no IP address of its own.
Test and Validate Connectivity
Use ping and traceroute to verify connectivity between devices in different VLANs. From a PC in VLAN 10, ping the router subinterface for VLAN 10, then try pinging a device in VLAN 20. If inter-VLAN routing is configured correctly, the ping should succeed. Use 'debug ip icmp' on the router to see packet flow if needed.
PC1> ping 192.168.10.1
Reply from 192.168.10.1: bytes=32 time<1ms TTL=255
PC1> ping 192.168.20.10
Reply from 192.168.20.10: bytes=32 time=2ms TTL=127
Router# debug ip icmp
ICMP packet debugging is on
*Mar 1 00:05:23.123: ICMP: echo reply sent, src 192.168.10.1, dst 192.168.10.10
Always verify the default gateway on end devices matches the router subinterface IP for that VLAN.
If pings fail, check ACLs on the router, verify VLANs are active, and ensure trunk ports are not in errdisable state.
Key tips
Use the 'switchport trunk allowed vlan remove' command to prune unnecessary VLANs from a trunk, reducing broadcast traffic and improving security.
Always configure a dedicated management VLAN (e.g., VLAN 99) and restrict SSH/HTTPS access to only that VLAN using a VTY access-class.
Enable Rapid PVST+ (Per-VLAN Spanning Tree) for faster convergence: 'spanning-tree mode rapid-pvst' on all switches.
Document your VLAN numbering scheme and keep a consistent standard across the network. For example, use VLAN 10-19 for Data, 20-29 for Voice, 100-109 for Management.
Use 'show mac address-table' to verify which MAC addresses are learned on which VLANs and ports, helping to identify misconfigurations.
In production, always configure 'switchport port-security' on access ports to limit the number of MAC addresses and prevent unauthorized devices.
Frequently asked questions
What is the difference between an access port and a trunk port?
An access port belongs to a single VLAN and carries untagged traffic for that VLAN. It is used to connect end devices like PCs and printers. A trunk port carries traffic for multiple VLANs by tagging frames with 802.1Q headers. Trunks are used to connect switches, routers, and servers that need to handle multiple VLANs.
Why should I change the native VLAN from the default VLAN 1?
VLAN 1 is the default VLAN and is often targeted in attacks like VLAN hopping. By changing the native VLAN to an unused VLAN (e.g., VLAN 999) and pruning VLAN 1 from trunks, you reduce the attack surface. Additionally, using a dedicated native VLAN makes it easier to identify untagged traffic.
Can I use the same VLAN ID on different switches?
Yes. VLAN IDs are significant only to the switch on which they are configured, but they should be kept consistent across switches that share the same broadcast domain. For example, VLAN 10 on Switch A and VLAN 10 on Switch B form one Layer 2 network if the trunk between them carries VLAN 10. Consistency simplifies management and troubleshooting.
What does 'switchport mode dynamic desirable' do?
This command enables Dynamic Trunking Protocol (DTP) on the port, allowing it to actively negotiate trunking with the connected device. If the other side is set to 'dynamic desirable' or 'trunk', the link becomes a trunk. For security, it is recommended to use 'switchport mode access' or 'switchport mode trunk' with 'switchport nonegotiate' to disable DTP.
How do I troubleshoot a trunk that is not working?
First, verify physical connectivity with 'show interfaces status'. Check that both ends are configured as trunk with matching native VLAN and allowed VLAN lists. Use 'show interfaces trunk' to see the trunk state. Look for errdisable state with 'show interfaces status err-disabled'. Also check for CDP/LLDP neighbor mismatches and spanning-tree blocking.