VLANs are the backbone of network segmentation in modern enterprise networks. Without VLANs, every device on a switch is in one flat broadcast domain, wasting bandwidth and compromising security. For the CCNA 200-301 exam, objective 2.1 requires you to configure, verify, and troubleshoot VLANs on Cisco switches. Mastering VLAN creation and assignment is not just an exam requirement—it's the first step toward building scalable, secure networks.
Imagine a large apartment building with a single lobby (the switch). Without VLANs, every apartment (device) can hear every conversation in the lobby—a chaotic, insecure free-for-all. Now, the building manager installs separate locked doors on each floor (VLANs). Each floor has its own hallway (broadcast domain), and residents can only access their own floor. The manager creates a list: Floor 1 is for residents (VLAN 10), Floor 2 for offices (VLAN 20), Floor 3 for the gym (VLAN 30). Each apartment's door is labeled with its floor number (access port assigned to a VLAN). When a resident enters the lobby, the manager checks the list and directs them to their floor (switch forwards frames only within the same VLAN). If a resident from Floor 1 tries to go to Floor 3, they're stopped at the stairwell door (no inter-VLAN routing without a router). The manager also has a special elevator (trunk port) that can carry people from multiple floors, but only if they have a special badge (802.1Q tag) showing their floor. This way, the building is organized, secure, and efficient—exactly how VLANs work on a switch.
What is a VLAN?
A VLAN (Virtual Local Area Network) is a logical grouping of devices within a switched network, regardless of physical location. Devices in the same VLAN behave as if they are on the same physical segment, sharing a single broadcast domain. VLANs improve network performance by reducing broadcast traffic and enhance security by isolating sensitive traffic.
Why VLANs Exist
In a flat switched network, all devices belong to one broadcast domain. A broadcast from one device reaches every other device, wasting bandwidth and CPU cycles. VLANs segment the network into multiple broadcast domains. For example, separating voice traffic (VLAN 10), data traffic (VLAN 20), and management traffic (VLAN 99) prevents a broadcast storm in the data VLAN from affecting voice calls.
How VLANs Work at the Frame Level
When a switch receives an Ethernet frame, it examines the destination MAC address and forwards the frame only to ports in the same VLAN. The switch maintains a MAC address table that includes VLAN information. For frames traveling between switches, VLAN tagging is used. IEEE 802.1Q inserts a 4-byte tag into the Ethernet frame header, containing the VLAN ID (12 bits, allowing 4094 VLANs). The tag is removed before the frame exits an access port.
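To make the tag insertion and removal concrete, here is an added Python model (written for this page, not code from the page or from Cisco IOS) of the 4-byte 802.1Q tag and of how a trunk port leaves its native VLAN untagged; it goes slightly beyond this paragraph by showing why mismatched native VLANs on the two ends of a trunk, covered later on the page, misclassify frames. The MAC addresses and payload are constructed sample data.

```python
import struct

TPID = 0x8100  # EtherType value that marks an 802.1Q tag

def build_frame(dst_mac, src_mac, ethertype, payload):
    """Untagged Ethernet II frame: the form seen on an access port."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload

def tag_frame(frame, vid, pcp=0):
    """Insert the 4-byte 802.1Q tag after the source MAC (trunk egress)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    tci = (pcp << 13) | vid  # 3-bit priority, 1-bit DEI (0), 12-bit VLAN ID
    return frame[:12] + struct.pack("!HH", TPID, tci) + frame[12:]

def classify(frame, native_vid):
    """Trunk ingress: return (vid, untagged_frame). A tagged frame goes to the
    VLAN in its tag and the tag is stripped; an untagged frame is placed in the
    receiving port's native VLAN, which is why mismatched natives leak frames."""
    if frame[12:14] == struct.pack("!H", TPID):
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, frame[:12] + frame[16:]
    return native_vid, frame

def trunk_egress(frame, vid, native_vid):
    """Trunk egress: the native VLAN leaves untagged, every other VLAN tagged."""
    return frame if vid == native_vid else tag_frame(frame, vid)

def vlan_after_trunk(frame, vid, native_tx, native_rx):
    """VLAN the far switch assigns to a frame from `vid` sent over a trunk whose
    two ends use native VLANs native_tx (sender) and native_rx (receiver)."""
    return classify(trunk_egress(frame, vid, native_tx), native_rx)[0]

# Constructed sample frame (MACs and payload are made up for the demo).
SAMPLE = build_frame(bytes.fromhex("ffffffffffff"), bytes.fromhex("0200deadbeef"),
                     0x0806, b"\x00" * 28)

if __name__ == "__main__":
    print("untagged length:", len(SAMPLE), "tagged length:", len(tag_frame(SAMPLE, 10)))
    print("VLAN 10 over matched trunk ->", vlan_after_trunk(SAMPLE, 10, 99, 99))    # 10
    print("VLAN 99 over mismatched trunk (99 vs 1) ->", vlan_after_trunk(SAMPLE, 99, 99, 1))  # 1
```

The last call is the native VLAN mismatch case: the sender leaves VLAN 99 frames untagged, and the receiver, whose native VLAN is still 1, files them into VLAN 1.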
VLAN Ranges and Defaults
Normal range VLANs: 1–1005. VLANs 1, 1002–1005 are reserved (default VLANs for Token Ring and FDDI). VLAN 1 is the default VLAN for all ports.
Extended range VLANs: 1006–4094. These are not saved in the VLAN database file (vlan.dat) by default and require VTP transparent mode or no VTP.
Default VLAN: All ports are in VLAN 1 by default. It is recommended to change the native VLAN (used for untagged traffic on trunks) to an unused VLAN for security.
IOS CLI Configuration
To create a VLAN, use the vlan command in global configuration mode:
```
Switch(config)# vlan 10
Switch(config-vlan)# name Sales
Switch(config-vlan)# exit
```
To assign a port to a VLAN, enter interface configuration mode and set the switchport mode to access, then assign the VLAN:
```
Switch(config)# interface fastEthernet 0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# exit
```
To verify VLAN configuration:
```
Switch# show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/2, Fa0/3, ..., Fa0/24
10   Sales                            active    Fa0/1
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
```
Interaction with Trunking
Trunk ports carry traffic for multiple VLANs between switches. They use 802.1Q tagging. The native VLAN (default VLAN 1) is untagged on the trunk. To configure a trunk:
```
Switch(config)# interface gigabitEthernet 0/1
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk native vlan 99
```
Verification:
```
Switch# show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      99

Port        Vlans allowed on trunk
Gi0/1       1-4094

Port        Vlans allowed and active in management domain
Gi0/1       1,10,20,99
```
VLAN Trunking Protocol (VTP)
VTP is a Cisco proprietary protocol that distributes VLAN information across switches. For CCNA, VTP is often tested in the context of troubleshooting. VTP has three modes: server, client, and transparent. In transparent mode, the switch does not participate in VTP but forwards VTP advertisements. It is recommended to disable VTP or use transparent mode to prevent accidental VLAN deletions.
Security Considerations
Never use VLAN 1 for user traffic; change the native VLAN on trunks to an unused VLAN.
Disable unused ports and place them in a black-hole VLAN (unused VLAN).
Use private VLANs (beyond CCNA scope) for further isolation.
Common Pitfalls
Forgetting to set the port to access mode before assigning a VLAN.
Creating a VLAN but not assigning any ports to it—the VLAN exists but is unused.
Mismatched native VLANs on trunk links causing frames to be misclassified.
Create VLANs in Global Config
Enter global configuration mode and create the VLANs you need. Use the `vlan` command followed by the VLAN ID. Optionally, assign a name for clarity. For example: `vlan 10`, then `name Sales`. Repeat for each VLAN. VLANs 1 and 1002-1005 are reserved. For the exam, you'll typically create VLANs in the normal range (2-1001).
Assign Access Ports to VLANs
Enter interface configuration mode for each port that connects to end devices (PCs, printers). Set the port to access mode with `switchport mode access` and assign the VLAN with `switchport access vlan <vlan-id>`. For example: `interface fastEthernet 0/1`, then `switchport mode access`, then `switchport access vlan 10`. This ensures the port only carries traffic for that VLAN.
Configure Trunk Ports Between Switches
On interfaces connecting switches, configure trunking to carry multiple VLANs. Enter interface configuration mode, set the port to trunk with `switchport mode trunk`. Optionally, set the native VLAN to an unused VLAN (e.g., `switchport trunk native vlan 999`). Verify with `show interfaces trunk`. Trunk ports use 802.1Q tagging by default on modern switches.
Verify VLAN Configuration
Use `show vlan brief` to see all VLANs and which ports are assigned to them. Use `show interfaces status` to see the VLAN assigned to each port. For trunk ports, use `show interfaces trunk` to verify allowed VLANs and native VLAN. These commands are essential for troubleshooting.
Test Connectivity Within VLAN
Ping between devices in the same VLAN to verify they can communicate. If pings fail, check that ports are in the correct VLAN, that the VLAN exists, and that trunk links are properly configured. Use `show mac address-table` to see MAC addresses learned on each VLAN.
Troubleshoot VLAN Issues
Common issues: VLAN not created, port not in access mode, wrong VLAN assigned, trunk not passing VLAN, native VLAN mismatch. Use `show vlan` to confirm VLAN exists, `show running-config interface` to check port configuration, and `show interfaces trunk` to verify trunk status. A native VLAN mismatch will cause the trunk to not form (errdisable state).
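The verification and troubleshooting steps above can be automated against saved command output. The following is an added Python checker (written for this page, not a Cisco tool or code from the page) that parses `show interfaces trunk` and `show vlan brief` text in the layout shown earlier and flags three pitfalls the page names: ports left in VLAN 1, a trunk whose native VLAN is still 1, and a native VLAN mismatch between the two ends of a link. The two switches' outputs are constructed samples.

```python
import re

# Constructed sample output (not captured from a real switch), in the layout shown above.
SW1_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      99
"""
SW2_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      1
"""
SW1_VLAN = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/2, Fa0/3, Fa0/4
10   Sales                            active    Fa0/1
99   Mgmt                             active
"""

def parse_trunk_native(text):
    """Map each trunking port to its native VLAN (first table of the output)."""
    natives = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+\S+\s+802\.1q\s+trunking\s+(\d+)\s*$", line)
        if m:
            natives[m.group(1)] = int(m.group(2))
    return natives

def parse_vlan_ports(text):
    """Map each VLAN ID to the access ports `show vlan brief` lists for it."""
    ports = {}
    for line in text.splitlines():
        m = re.match(r"^(\d+)\s+\S+\s+(?:active|act/unsup)\s*(.*)$", line)
        if m:
            ports[int(m.group(1))] = [p for p in re.split(r",\s*", m.group(2)) if p]
    return ports

def audit(vlan_brief, local_trunk, remote_trunk, link):
    """Return finding strings for: ports in VLAN 1, native VLAN 1 on either end of
    `link` (local_port, remote_port), and a native VLAN mismatch across the link."""
    findings = []
    in_vlan1 = parse_vlan_ports(vlan_brief).get(1, [])
    if in_vlan1:
        findings.append("ports still in VLAN 1: " + ", ".join(in_vlan1))
    local, remote = parse_trunk_native(local_trunk), parse_trunk_native(remote_trunk)
    lp, rp = link
    for side, natives, port in (("local", local, lp), ("remote", remote, rp)):
        if natives.get(port) == 1:
            findings.append(f"{side} {port}: native VLAN is 1")
    if lp in local and rp in remote and local[lp] != remote[rp]:
        findings.append(f"native VLAN mismatch: local {lp}={local[lp]}, remote {rp}={remote[rp]}")
    return findings
```

Running `audit(SW1_VLAN, SW1_TRUNK, SW2_TRUNK, ("Gi0/1", "Gi0/1"))` on the samples reports the VLAN 1 ports, the remote trunk's native VLAN 1, and the 99-versus-1 mismatch.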
In a typical enterprise network, VLANs are used to separate traffic by department, function, or security level. For example, a university might have VLAN 10 for faculty, VLAN 20 for students, VLAN 30 for administration, and VLAN 99 for management. Each building has access switches that connect end devices. Trunk links carry all VLANs between access switches and distribution switches. A network engineer would create VLANs on the distribution switches (often using VTP transparent mode to avoid propagation issues). Access ports are configured with the appropriate VLAN based on the user's role. For security, the native VLAN on trunks is changed from 1 to an unused VLAN (e.g., 999) to prevent VLAN hopping attacks. Unused ports are placed in a dead-end VLAN (e.g., VLAN 999) and shut down. When scaling, a network engineer must plan VLAN IDs to avoid overlap and ensure consistency across the network. Misconfiguration—like assigning a port to the wrong VLAN—can cause users to lose access to resources or inadvertently gain access to sensitive data. In one real scenario, a misconfigured trunk with native VLAN mismatch caused intermittent connectivity issues that took hours to diagnose because the trunk appeared up but dropped packets for the native VLAN.
For CCNA 200-301 objective 2.1, you must be able to configure, verify, and troubleshoot VLANs. The exam focuses on: (1) Creating VLANs and assigning access ports, (2) Configuring trunk ports with 802.1Q, (3) Understanding the default VLAN (VLAN 1) and native VLAN, (4) Verifying with show vlan brief, show interfaces trunk, and show interfaces switchport.

Common wrong answers: (1) Thinking that switchport access vlan automatically sets the port to access mode; it doesn't, you must use switchport mode access first. (2) Believing that VLAN 1 can be deleted; it cannot. (3) Assuming that trunk ports use ISL by default; modern switches use 802.1Q. (4) Forgetting that the native VLAN is untagged and must match on both ends of a trunk.

Trap: A question might show a switch with a trunk configured but the native VLAN mismatched; the trunk will still show up/up but will not pass traffic for the native VLAN.

Decision rule: When a PC cannot communicate with another PC in the same VLAN, check if the ports are in the correct VLAN and if the VLAN exists. If across switches, check trunk configuration and allowed VLAN list.
VLANs create separate broadcast domains at Layer 2.
Normal VLAN range: 1-1005; VLAN 1 is default and cannot be deleted.
Use `switchport mode access` and `switchport access vlan X` to assign a port to a VLAN.
Trunk ports use 802.1Q tagging; native VLAN is untagged and must match on both ends.
Verify VLANs with `show vlan brief` and trunks with `show interfaces trunk`.
Change native VLAN on trunks to an unused VLAN for security.
VTP is not required; use transparent mode to avoid accidental VLAN deletions.
These come up on the exam all the time. Here's how to tell them apart.
Access Port
Belongs to a single VLAN.
Does not tag frames; frames are sent untagged.
Used to connect end devices (PCs, printers).
Configuration: switchport mode access, switchport access vlan X.
Verification: show vlan brief shows port in one VLAN.
Trunk Port
Carries multiple VLANs.
Tags frames with 802.1Q header (except native VLAN).
Used to connect switches, routers, or servers.
Configuration: switchport mode trunk, optionally switchport trunk native vlan X.
Verification: show interfaces trunk shows allowed VLANs.
Mistake
You can create VLANs by just assigning a port to a VLAN that doesn't exist.
Correct
The VLAN must be created first using the `vlan` command in global config. Assigning a port to a non-existent VLAN will cause the port to be inactive until the VLAN is created.
Candidates often think the VLAN is auto-created when assigned to a port, but it's not.
Mistake
`switchport access vlan 10` automatically sets the port to access mode.
Correct
You must explicitly set `switchport mode access` before or after assigning the VLAN. The access vlan command alone does not change the port mode.
The command 'switchport access vlan' seems to imply the port is an access port, but the mode must be set separately.
Mistake
VLAN 1 can be deleted or renamed.
Correct
VLAN 1 is the default VLAN and cannot be deleted. It can be renamed, but it's not recommended to use it for user traffic.
Some candidates think all VLANs are equal, but VLAN 1 is special.
Mistake
Trunk ports carry all VLANs by default; you don't need to configure allowed VLANs.
Correct
By default, trunk ports allow all VLANs (1-4094). However, you can restrict allowed VLANs with `switchport trunk allowed vlan` for security or traffic engineering.
Candidates may think trunk ports only carry the native VLAN or need explicit configuration for each VLAN.
Enter global configuration mode with `configure terminal`. Then type `vlan <vlan-id>` (e.g., `vlan 10`). Optionally, give it a name with `name <name>`. Exit with `end` or `exit`. The VLAN is now created but not assigned to any ports. Verify with `show vlan brief`.
An access port belongs to a single VLAN and sends frames untagged. It is used to connect end devices. A trunk port carries multiple VLANs and tags frames with 802.1Q (except the native VLAN). It is used to connect switches or routers. On the CCNA exam, know that access ports are configured with `switchport mode access` and trunk ports with `switchport mode trunk`.
The native VLAN is the VLAN that carries untagged traffic on a trunk port. By default, it is VLAN 1. For security, it should be changed to an unused VLAN to prevent VLAN hopping attacks. Both ends of a trunk must have the same native VLAN; otherwise, traffic for the native VLAN will be misdirected.
Technically, you can issue the `switchport access vlan 10` command even if VLAN 10 does not exist. However, the port will be in an inactive state until VLAN 10 is created. The switch will not dynamically create the VLAN. Always create the VLAN first.
Use `show interfaces <interface> switchport` to see the operational mode and access VLAN. For a quick overview, `show vlan brief` shows all ports in each VLAN. `show running-config interface <interface>` also shows the configuration.
VLAN Trunking Protocol (VTP) is a Cisco proprietary protocol that distributes VLAN information across switches. It can be useful in large networks but can also cause accidental VLAN deletions if a switch with a higher revision number is added. For CCNA, it's recommended to use VTP transparent mode or disable VTP to avoid issues.
Possible reasons: the VLAN is not allowed on the trunk (check `show interfaces trunk`), a native VLAN mismatch, the trunk port is not in trunking mode (also visible in `show interfaces trunk`), or the destination device is in a different VLAN. Also verify that the VLAN exists on both switches.