Skip to content

 Home
 Series
 Classes
 About

Configuring VLANs on Cisco

Switches

Configuring VLANs on Cisco

Switches
We’ve before written about VLANs and what they can do as a concept. This article will focus
on configuring VLANs on Cisco switches.

We will look at each command necessary to configure the topology below. If this topology looks
familiar, it is because you saw it in the article which described how VLANs operated on a
conceptual level.
 We will first look at what goes into configuring the access ports in the topology above, followed
by what goes into configuring the trunk ports. Then we will look at some verification
and show commands to validate what is configured. Finally, we will look at the default
configuration for a switch port, so we know our starting point when we are applying the
commands we discuss.

Contents: Configuring VLANs on Cisco

Switches
 Access Ports
o Creating the VLAN in the VLAN Database
o Assigning the Switchport to a VLAN
 Trunk Ports
o Native VLAN
o Allowed VLAN List
 Show Commands
o show vlan brief
o show interfaces trunk
o show interfaces switchport
o show interfaces status
o show spanning-tree
 Default Switchport Setting
o Dynamic Trunking Protocol
o Default Access Port Settings
o Default Trunk Port Settings
 Summary

Access Ports
An access port is a switch port that is a member of only one VLAN. There are two parts to
configuring an access port: creating the VLAN in the switch’s VLAN Database and assigning the
switch port to a VLAN.

Creating the VLAN in the VLAN Database

Before a switch will accept or forward traffic for a VLAN, the VLAN must exist in the switch’s
VLAN Database. Adding a VLAN to the VLAN database requires only one command:

SwitchX(config)# vlan 10

From this point, you can also optionally name the VLAN. While not explicitly necessary for
traffic to flow, it is best practice to provide a name for each VLAN. This will make the VLAN
easier to identify.

To name a VLAN, simply use the name; command directly after creating it.

SwitchX(config-vlan)# name RED

For VLAN 20, we will create and name the VLAN on SwitchX:

SwitchX(config)# vlan 20
SwitchX(config-vlan)# name ORANGE

Note that a VLAN only has to be added to the database once. If a VLAN already exists in the VLAN
database, it is not necessary to re-create it – you can jump directly to the next step. Later in this
article we will look at some show commands used to determine if a VLAN has already been created.
 Assigning the Switchport to a VLAN
Now that the VLAN is in the VLAN database, we can configure a switch port to be an access
port for a particular VLAN. There are two commands within the interface configuration mode
for this step:

SwitchX(config)# interface Ethernet 0/0

SwitchX(config-if)# switchport mode access
SwitchX(config-if)# switchport access vlan 10

The switchport mode access command sets the port as an access port, and the switchport
access vlan <#> command designates the port as a member of VLAN 10.

Some versions of Cisco switches automatically create the VLAN in the VLAN Database when
you assign an access port to a VLAN:

SwitchX(config)# interface Ethernet 0/1

SwitchX(config-if)# switchport mode access
SwitchX(config-if)# switchport access vlan 30
% Access VLAN does not exist. Creating vlan 30

However, it is not recommended that you depend on this. Some switches will do it, some will
not. Some switches will not create the VLAN and also not report any errors, leaving you
confused as to why traffic might not be flowing. Moreover, this creates the VLAN with a generic
name – the name for VLAN 30 above defaults to VLAN0030, which is not very helpful.

As such, we always recommend to create and name a VLAN before assigning it anywhere. If
you happen to forget to name it first, you can always update the name of a VLAN in that
database after the fact:

SwitchX(config)# vlan 30
SwitchX(config-vlan)# name BLUE

In summary, the two steps to configure an access port:

 Create and optionally (but ideally) name the VLAN
 Set a switch port as an access port and designate it as a member of a VLAN
Both steps will also need to be accomplished for each VLAN and switch port on SwitchY. First
we will create and name each VLAN:

SwitchY(config)# vlan 10
SwitchY(config-vlan)# name RED
SwitchY(config-vlan)# exit
SwitchY(config)# vlan 20
SwitchY(config-vlan)# name ORANGE
SwitchY(config-vlan)# exit
SwitchY(config)# vlan 30
SwitchY(config-vlan)# name BLUE
SwitchY(config-vlan)# exit

Then we will set Eth0/2 and Eth0/3 as access ports in VLANs 10 and 30, respectively:

SwitchY(config)# interface Ethernet 0/2

SwitchY(config-if)# switchport mode access
SwitchY(config-if)# switchport access vlan 10
SwitchY(config-if)# exit
SwitchY(config)# interface Ethernet 0/3
SwitchY(config-if)# switchport mode access
SwitchY(config-if)# switchport access vlan 30
SwitchY(config-if)# exit

The commands above created the following configuration in the running-configuration for
each switch:

SwitchXSwitchY

SwitchX# show running-config

...
vlan 10
name RED
!
vlan 20
name ORANGE
!
vlan 30
name BLUE
...
interface Ethernet0/0
switchport access vlan 10
switchport mode access
!
interface Ethernet0/1
switchport access vlan 30
switchport mode access
...

Note, if you are following along with this configuration guide in your own lab, you may not see the
creation and naming of the VLANs appear in the running configuration. This is because the default
VTP mode causes VLAN database information to appear in another file ([Link]). To force the
configuration to appear in your running-configuration, use the command vtp mode
transparent. Beyond that, VTP’s operation is outside the scope of this article.

Trunk Ports
As discussed before, a trunk port is a switch port that is carrying more than one VLAN.

Traffic traversing a trunk port is still in the form of 1s and 0s. To designate which 1s and 0s
belong to which VLANs, a VLAN Tag is added to all traffic leaving a trunk port. The 802.1q
standard specifies the ubiquitous format for the VLAN tag.

Creating a trunk port involves only one command:

SwitchY(config)# interface Ethernet1/1

SwitchY(config-if)# switchport mode trunk

Just like switchport mode access set the port as an access port, switchport mode trunk will
set the port as a trunk port.
 Some switches support more than one method for adding the VLAN tag. Namely, some switches
support the antiquated ISL method of VLAN tagging. Before these switches allow you to set a
port as a trunk port, they force you to set a tagging method, also called an encapsulation method:

SwitchX(config)# interface Ethernet1/1

SwitchX(config-if)# switchport mode trunk
Command rejected: An interface whose trunk encapsulation is "Auto" can not be configured
to "trunk" mode.

For these switches, you simply use the switchport trunk encapsulation
dot1q command before setting the switchport as a trunk port:

SwitchX(config)# interface Ethernet1/1

SwitchX(config-if)# switchport trunk encapsulation dot1q
SwitchX(config-if)# switchport mode trunk

We will also configure Eth2/1 and Eth2/2 on SwitchX as trunk ports:

SwitchX(config)# interface Ethernet 2/1

SwitchX(config-if)# switchport trunk encapsulation dot1q
SwitchX(config-if)# switchport mode trunk
SwitchX(config-if)# exit
SwitchX(config)# interface Ethernet 2/2
SwitchX(config-if)# switchport trunk encapsulation dot1q
SwitchX(config-if)# switchport mode trunk
SwitchX(config-if)# exit

This is all you need to create a trunk port. With the configuration above, the switch will forward
traffic from all VLANs in the VLAN Database out the configured trunk port.

That being said, there are some additional helpful settings you can apply to a trunk port to
modify the default behavior. We will discuss two of them in the sections that follow.

Native VLAN
 The Native VLAN is the one VLAN on a trunk port which is allowed to remain untagged. By
default, this is set to VLAN 1, but this can be changed by an administrator.

To set the Native VLAN, you use this command:

SwitchX(config)# interface Ethernet 1/1

SwitchX(config-if)# switchport trunk native vlan 2

After setting this command, any time SwitchX is sending traffic on VLAN 2 out the trunk port
Eth1/1, it will do so without adding a VLAN tag. Moreover, anytime SwitchX receives untagged
traffic on trunk port Eth1/1, SwitchX will assign that traffic to VLAN 2.

An important point to remember: both switches on either end of the same trunk must have the
same Native VLAN. Otherwise, you easily run the risk of a host in one VLAN being able to
communicate with a host in another VLAN.

Therefore, we will set the same Native VLAN on SwitchY:

SwitchY(config)# interface Ethernet 1/1

SwitchY(config-if)# switchport trunk native vlan 2

We will also set another VLAN as the Native VLAN for Eth2/1 and Eth2/2 ports, facing Router1
and Router2, respectively. This is to show that the Native VLAN configuration is a per-
interface configuration, not a per-device configuration. But keep in mind, in most deployments
the Native VLAN is typically consistent across all ports.

SwitchX(config)# interface Ethernet 2/1

SwitchX(config-if)# switchport trunk native vlan 3
SwitchX(config-if)# exit
SwitchX(config)# interface Ethernet 2/2
SwitchX(config-if)# switchport trunk native vlan 3
SwitchX(config-if)# exit
 Allowed VLAN List
By default, when an interface is set as a trunk port, traffic from all the VLANs in the VLAN
database is forwarded out that switch port.

There are times, however, where it is wise to limit which VLAN’s traffic is traversing a
particular trunk. This can be done by applying what is known as an Allowed VLAN list. An
Allowed VLAN list allows the administrator to manually select which VLANs are
traversing a trunk port.

Take a look at the illustration. Notice that the trunk port to Router1 is only processing traffic for
VLAN 10 and 20, but if the trunk port is left to its default behavior, SwitchX will be forwarding
traffic to Router1 from VLANs 10, 20, and 30. The VLAN 30 traffic will simply be dropped by
Router1, but it does needlessly add congestion to the link.

To solve this, we will add an Allowed VLAN list to Eth2/1 on SwitchX to restrict which VLANs
are traversing the trunk port:

SwitchX(config)# interface Ethernet 2/1

SwitchX(config-if)# switchport trunk allowed vlan 10,20

This will limit the VLANs which are traversing the trunk port to Router1 to only the VLANs
which actually need to be on that link.

The trunk port to Router2 can also be limited to only carry traffic for VLAN 20 and 30. Below is
another way of applying an Allowed VLAN list which shows how to add VLANs to the list after
initially creating it:

SwitchX(config)# interface Ethernet 2/2

SwitchX(config-if)# switchport trunk allowed vlan 20
SwitchX(config-if)# switchport trunk allowed vlan add 30

Notice the important keyword add in the second command above. This instructs the switch
to add VLAN 30 traffic to whatever VLANs are already allowed on the link.

Had the keyword add been omitted, the switch will have replaced the current Allowed VLAN
List (which was allowing just VLAN 20) with the new one (which was allowing just VLAN 30).
 If Router1 was the gateway for the traffic in VLAN 20, all that traffic would now be dropped –
creating a decidedly poor experience for the users in that VLAN.

As such, it is very important to either apply the full list of VLANs in one command (as in the
first example), or to use the add command to add VLANs to the current allowed VLAN list.

You also have the option of using the remove keyword to remove individual VLANs from the
allowed VLAN list.

In fact, the remove keyword provides one more way to apply an allowed VLAN list to a trunk
port. Take a look at the link between SwitchX and SwitchY. Notice VLAN 20 does not need to
be traversing that link.

Rather than simply adding an Allowed VLAN list with VLANs 10 and 30, you can also
simply remove VLAN 20 from the default configuration. We’ll show you how it works with the
trunk port between the switches (Eth1/1):

SwitchX(config)# interface Ethernet1/1

SwitchX(config-if)# switchport trunk allowed vlan remove 20

This automatically applies an Allowed VLAN list for every VLAN except VLAN 20:

SwitchX# show running-config interface Ethernet 1/1

interface Ethernet1/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport trunk allowed vlan 1-19,21-4094
switchport mode trunk
end

Since the default trunk port behavior was to allow all VLANs, removing VLAN 20 caused the
switch to apply an Allowed VLAN list which included every VLAN (1 – 4094), except VLAN
20.

That said, this is typically not the way you would apply a new Allowed VLAN list to an interface
– the remove keyword is more often used to remove individual VLANs from an already added
Allowed VLAN list. We will remove the Allowed VLAN list on Eth1/1, and leave that port
configured as a default trunk port – allowing traffic for all VLANs to traverse the trunk:
SwitchX(config)# interface Ethernet1/1
SwitchX(config-if)# no switchport trunk allowed vlan

The commands above created the following configuration in the running-configuration for
each switch:

SwitchXSwitchY

SwitchX# show running-config

...
interface Ethernet1/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport mode trunk
!
interface Ethernet2/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 3
switchport trunk allowed vlan 10,20
switchport mode trunk
!
interface Ethernet2/2
switchport trunk encapsulation dot1q
switchport trunk native vlan 3
switchport trunk allowed vlan 20,30
switchport mode trunk
!
...

Show Commands
The commands above explain the steps for configuring VLANs on Cisco Switches. The output at
the end of each section displayed the way the configurations appears in the running-
 configuration. However, the running-configuration will only show how a device
is configured – it will not show how a device operates.

This is an important distinction – a talented network engineer needs to not only know how to
configure VLANs, but also how to validate their operation as well. To that end, we will discuss
five show commands that can be used to verify a device’s operation – how it is actually handling
traffic.

 show vlan brief

 show interfaces trunk
 show interfaces switchport
 show interfaces status
 show spanning-tree

show vlan brief

The show vlan brief command provides two main pieces of information:

 The VLANs which exist in the switch’s VLAN Database

 The access ports configured in each VLAN
Here is what the output from both our switches:

SwitchXSwitchY

SwitchX# show vlan brief

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------
1 default active Et0/2, Et0/3, Et1/0, Et1/2
Et1/3, Et2/0, Et2/3, Et3/0
Et3/1, Et3/2, Et3/3
10 RED active Et0/0
20 ORANGE active
30 BLUE active Et0/1

For both switches, the command displays VLANs 1, 10, 20, and 30. These are the only VLANs
that were created in the VLAN database. Should the switch receive traffic tagged for a VLAN
other than these, that traffic will be discarded.

For each VLAN, the VLAN’s name is also provided. Notice VLANs 10, 20, and 30 are
named RED, ORANGE, and BLUE, respectively.
 Also notice VLAN 1 exists and is named default, despite us not explicitly creating it. This is
because VLAN 1 is the default configuration that every switch port starts out in. The switch will
not allow you to delete VLAN 1 or change its name.

The Status column reflects whether the VLAN is active on the switch. A VLAN can become
inactive for two reasons. The first is explicitly using the shutdown command within the VLAN
configuration mode. The second is a VLAN existing in the database, but having no access ports
or trunk ports utilizing that VLAN.

On the far right of output, under the Ports column, you get a list of each access port in each
VLAN. We configured SwitchX’s Eth0/0 interface in VLAN 10, and the output reflects that.
Also notice the port Eth1/1 is nowhere to be found. This is because Eth1/1 was configured as a
trunk port, and will not be visible in the output of show vlan brief.

show interfaces trunk

If show vlan brief is the go-to command to show you information about access ports on a
switch, then show interfaces trunk is the go-to command to show you information
about trunk ports on a switch.

There are four sections to the output of this command. To the untrained eye, it might appear like
some of the information is duplicate – but this is not the case.

SwitchXSwitchY

SwitchX# show interfaces trunk

Port Mode Encapsulation Status Native vlan

Et1/1 on 802.1q trunking 2
Et2/1 on 802.1q trunking 3
Et2/2 on 802.1q trunking 3

Port Vlans allowed on trunk

Et1/1 1-4094
Et2/1 10,20
Et2/2 20,30

Port Vlans allowed and active in management domain

Et1/1 1,10,20,30
Et2/1 10,20
Et2/2 20,30

Port Vlans in spanning tree forwarding state and not pruned

Et1/1 1,10,20,30
Et2/1 10,20
Et2/2 20,30

The first section of the output lists each interface which is operationally behaving like a trunk
port. This will make more sense a little later in the article when we discuss a mechanism that lets
a switch port automatically determine whether it should be a trunk port. In the case above, we
explicitly configured ports Eth1/1, Eth2/1, and Eth2/2 on SwitchX and port Eth1/1 on SwitchY
as trunk ports.

The first section also lists what method of Encapsulation is in use (i.e., what method of VLAN
tagging), as well as the VLAN configured as the Native VLAN for each trunk.

The second section, labeled Vlans allowed on trunk, is a reflection of which VLANs have
made it through any configured Allowed VLAN lists on each trunk port. On SwitchX, we
created two Allowed VLAN lists, one allowing VLAN 10 and 20 on Eth2/1, and another
allowing VLANs 20 and 30 on Eth2/2. Interface Eth1/1 did not have any VLANs restricted, so
therefore all possible VLANs are listed as allowed on the trunk port – VLANs IDs can only be 1
– 4094.

The third section, labeled Vlans allowed and active in management domain, is a
combination of the section before it (Vlans allowed on trunk) and the VLANs which are
created in the VLAN database (i.e., visible in show vlan brief). Despite all VLANs being
allowed on Eth1/1 (as indicated by the 1-4094 in the second section), only VLANs 1, 10, 20, and
30 exist in the VLAN database.

The fourth section, labeled Vlans in spanning tree forwarding state and not pruned,
is a combination of the last two sections and the ports the Spanning Tree Protocol deems as safe
to forward traffic.

The Spanning Tree Protocol (STP) exists to ensure the L2 domain does not contain any loops. If
any are detected, those ports are disabled. In our topology, there are no loops, so the output of the
fourth section looks identical to the output of the third section because STP did not disable any
ports. STP is a fascinating protocol, but its operation is outside the scope of this article – it will
be the subject of a future article.

show interfaces switchport

The show interfaces switchport command can give you an overwhelming amount of
information. Using the command by itself shows you 26 pieces of information for each interface
on your switch (or more, depending on the code version you are using).
 Rather than try to sift through all that, you can specify a particular interface to get those same 26
pieces of information for just the desired interface using the command show
interfaces <intf> switchport.

For the sake of brevity and relevance, the output below has been trimmed to just show the lines
which relate to something discussed in this article. There is an example of the full output of this
command later in this article.

SwitchX Eth0/1SwitchY Eth2/2

SwitchX# show interfaces Ethernet 0/1 switchport

Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 30 (BLUE)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL

The description of each line in the output above is in the table that follows.

Line(s) Description

Switchport
Enabled if the port is functioning as a L2 port. Disabled if the port is
functioning as a L3 port.

These two tell you how the switchport is configured and how the switc
operating. In our case, we configured ports as access Ports and trunk P
they are reflected above. But as alluded to before, there is a protocol ca
Administrative Mode and Operational which allows switchports to automatically negotiate becoming a trunk
Mode DTP’s case, you might have a particular Administrative mode set and t
Operational mode will reflect whether the switchport is actually acting
trunk or access port. This will make more sense when we get into the s
of DTP below.

Administrative Trunking DTP not only negotiates trunk status, it also negotiates encapsulation m
Encapsulation and Operational These two commands show you what encapsulation method is configu
Trunking Encapsulation (Administrative) and what encapsulation method is negotiated (Operati
 Negotiation of Trunking
This indicates the switchport’s participation in DTP. Again, it will agai
more sense below when we elaborate on DTP.

This displays the VLAN membership if the port is configured or negot

Access Mode VLAN
an access port. Note that even our trunk port (SwitchY’s Eth 2/2) has a
for this attribute, but it doesn’t have an effect until the interface becom
access port.

This displays the Native VLAN setting for the port. Again, even an acc
Trunking Native VLAN will have an entry for this setting (see SwitchX’s Eth0/1), but it will on
an effect if the interface is configured or negotiated as a trunk port.

This is a reflection of the VLANs permitted via an Allowed VLAN list

Trunking VLANs Enabled SwitchX’s trunk port was limited to just VLANs 20 and 30, and this is
in the output above.

show interfaces status

Typically, the show interfaces status command is associated with seeing whether devices
are plugged into a switchport or not (connected vs notconnect in the Status column).
However, this command can also reveal some information about the VLAN configuration of a
switchport.

Namely, if you see a number in the VLAN column, then the switchport is an access Port in the
provided VLAN. And if you see the word trunk, then the switchport is configured as a trunk
port.

SwitchXSwitchY

SwitchX# show interfaces status

Port Name Status Vlan Duplex Speed Type

Et0/0 connected 10 auto auto unknown
Et0/1 connected 30 auto auto unknown
Et1/1 connected trunk auto auto unknown
Et2/1 connected trunk auto auto unknown
Et2/2 connected trunk auto auto unknown

Note, the output of the command show interfaces status above has been trimmed to focus on
just the interfaces that were configured in this article.
 show spanning-tree
The show spanning-tree command is obviously mostly associated with verifying the Spanning
Tree Protocol, but it can also provide useful VLAN configuration information.

Earlier we talked about show vlan brief, which provides information about interfaces
configured as access ports. We also talked about show interfaces trunk, which provides
information about interfaces configured as trunk ports. The show spanning-tree vlan <VLAN-
ID#> command provides information on both access ports and trunk ports.

Specifically, you can use this command to see every switchport a VLAN is exiting.

SwitchXSwitchY

SwitchX# show spanning-tree vlan 10

Interface Role Sts Cost [Link] Type

------------------- ---- --- --------- -------- --------------------------------
Et0/0 Desg FWD 100 128.1 Shr
Et1/1 Desg FWD 100 128.6 Shr
Et2/1 Desg FWD 100 128.10 Shr

SwitchX# show spanning-tree vlan 20

Interface Role Sts Cost [Link] Type

------------------- ---- --- --------- -------- --------------------------------
Et1/1 Desg FWD 100 128.6 Shr
Et2/1 Desg FWD 100 128.10 Shr
Et2/2 Desg FWD 100 128.11 Shr

SwitchX# show spanning-tree vlan 30

Interface Role Sts Cost [Link] Type

------------------- ---- --- --------- -------- --------------------------------
Et0/1 Desg FWD 100 128.2 Shr
Et1/1 Desg FWD 100 128.6 Shr
Et2/2 Desg FWD 100 128.11 Shr
 We configured SwitchX with one access port in VLAN 10 (Eth0/0), and two trunk ports which
are permitting VLAN 10 (Eth1/1 and Eth2/1). Looking at the output of the show spanning-
tree vlan 10 command on SwitchX, we can see all three of the ports that VLAN 10 traffic is
egressing.

You won’t easily be able to determine whether the port is configured as an access port or a trunk
port. But you will be able to easily determine to what other devices a VLAN’s traffic is going to
by comparing the output of show spanning-tree to show cdp neighbors:

SwitchXSwitchY

SwitchX# show cdp neighbors

Capability Codes: R - Router, B - Source Route Bridge, S - Switch, I - IGMP

Device ID Local Intrfce Holdtme Capability Platform Port ID

router2 Eth 2/2 172 R B Linux Uni Eth 0/2
router1 Eth 2/1 131 R B Linux Uni Eth 0/1
SwitchY Eth 1/1 169 R S I Linux Uni Eth 1/1

We can see that VLAN 10 on SwitchX is going to Router1 and SwitchY, as well as a third
device (which we know is Host A, who isn’t participating in CDP). VLAN 20 on SwitchY is
only going to SwitchX. Using these two commands in conjunction with each other is a great way
to trace the L2 path through a network between two devices.

Note, the output of the command show spanning-tree vlan <#> above has been trimmed to
focus on just the features discussed in this article.

Default Switchport Setting

Finally, before configuring VLANs with the commands discussed in this article, it is important to
know the starting point for each interface.

Nearly all Cisco features come with a certain default configuration. These exist and are in place
so that the device can perform (maybe with limited features, but nonetheless) without any
configuration required.

Knowing the default configuration is crucial to be an effective engineer because if you know
how something works innately, you know exactly what needs to change to get it to work the way
you want it to. To that end, we will spend some time discussing the default switch port
configuration applied to Cisco switches.
 First, here is the output of show interfaces switchport for an unmodified interface. There
are three items we must discuss from the output below:

SwitchX# show interfaces eth0/2 switchport

Name: Et0/2
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Appliance trust: none

Dynamic Trunking Protocol

The first items we will discuss from the default switch port configuration above have to do with
the Dynamic Trunking Protocol, or DTP. Take a look at these lines from the output above:

Administrative Mode: dynamic auto

Operational Mode: down
 As discussed before, the two modes correlate to the configured mode (administrative) and
the negotiated mode (operational). The distinction exists as a result of the Dynamic Trunking
Protocol (DTP).

Cisco created DTP to further the idea of ‘plug and play’ switches. They created a protocol where
if two switches were linked to each other, they could automatically determine whether their
interlink should be a trunk port or an access port. It works based upon four modes an interface
can be set to:

 switchport mode dynamic desirable – actively attempt to negotiate trunk

 switchport mode dynamic auto – passively attempt to negotiate trunk
 switchport mode trunk – statically set as trunk
 switchport mode access – statically set as access
The configuration of both sides of the link will determine whether the link will negotiate as a
trunk port or an access port. The table below lists every possible combination

One side of Link Other side of Link Result

Dynamic Desirable Dynamic Desirable Trunk

Dynamic Desirable Dynamic Auto Trunk

Dynamic Desirable Static Trunk Trunk

Dynamic Desirable Static Access Access

Dynamic Auto Dynamic Auto Access

Dynamic Auto Static Trunk Trunk

Dynamic Auto Static Access Access

Static Trunk Static Trunk Trunk

Static Trunk Static Access Misconfiguration

Static Access Static Access Access

 The issue with DTP is it provides a means for the other side of a link to modify the behavior
of your side of the link. When you control both sides this might not seem like a terrible feature,
but if you are ever in a situation where you only control your device, DTP gives too much power
to the other side.

As such, it is often recommended to avoid DTP automatically determining the trunk status and
instead manually set a port as trunk or access using the commands we discussed earlier in this
article (switchport mode trunk or switchport mode access).

Even with the switch port mode statically set, however, your switch will still send DTP frames.
This is how the other side knows how your side is configured. Again, if you own both sides the
risk is negligible, but if you might not control the other side, then this is undesirable.

You can disable the sending of DTP frames by also adding to the interface configuration this
command: switchport nonegotiate. This will disable the periodic sending of DTP frames to
advertise the switch port mode of the local switch.

You can view whether a switch port has negotiation disabled in the output of the command
above. The specific line which indicates it is the following:

Negotiation of Trunking: On

To summarize, the default DTP behavior of an unmodified interface is:

 switchport mode dynamic auto

 negotiation of DTP enabled
Which means the link will automatically become a trunk if the other side is configured
with switchport mode dynamic desirable or if the other side is configured with switchport
mode trunk and switchport nonegotiate is not applied.

Default Access Port Settings

From the output above, the following line correlates to the access port configuration:

Access Mode VLAN: 1 (default)

 Whether a switch port is statically set (or negotiated) as an access port or not, this attribute exists
and is configurable via the switchport access vlan <#> command. Of course, it doesn’t
affect the behavior of the switchport unless the switchport becomes an access port.

A potential use case is if you are transitioning a port from a trunk port to an access port, you can
“preset” the access-port VLAN so that once you apply the switchport mode access command, it
is already in the appropriate VLAN.

In any case, notice the default configuration has every switchport in VLAN 1.

A switch is a device which facilitates communication within networks. You can take a Cisco
switch and simply connect two hosts and everything will “just work”. It will do so because all
the ports start in VLAN 1, so that there is no L2 segregation between the switch ports on
switch’s default configuration. This lines up with Cisco’s goal of making their switches “plug
and play”.

Default Trunk Port Settings

Lastly, the following lines in the output above correlate to the trunk port configuration:

Administrative Trunking Encapsulation: negotiate

Operational Trunking Encapsulation: native
...
Trunking Native Mode VLAN: 1 (default)
...
Trunking VLANs Enabled: ALL

We discussed DTP earlier, but we did not mention that DTP also negotiates the encapsulation
method.

Administrative Trunking Encapsulation indicates whether DTP will determine the

encapsulation method or whether it is statically set via the switchport trunk
encapsulation command.

Operational Trunking Encapsulation indicates the chosen or configured encapsulation

method. If the port becomes a trunk port, there are only two options for this attribute: the
ubiquitous 802.1q and the archaic ISL. On an access port, this line will display native (as
above), indicating no VLAN tag will be added to traffic leaving this switch port.
 Trunking Native Mode VLAN indicates the Native VLAN on the port. Once again, this setting
will only take place if the port becomes a trunk port. This setting can be modified with
the switchport trunk native vlan <#> command.

Trunking VLANs Enabled reflects the Allowed VLAN list applied to the port. ALL indicates no
VLANs have been restricted from the trunk, and therefore every VLAN in the VLAN database
will traverse down the trunk. As with the other trunk configurations, this has no effect if the port
is in access mode.

Configuring VLANs — Summary

This article is meant to follow the article discussing VLANs as a concept. The focus of this
article was to understand the different configuration and verification commands that exist to
modify or validate how a switch is behaving in regards to its VLANs.

As with all written guides, practice is key. We encourage you to build out the topology above in
a lab or emulator (GNS3 / Packet-Tracer) and to practice configuring VLANs using the
commands described above.

If you want an additional challenge, build out the topology in the VLAN Challenge from the
other article. Note, you will need to disable CDP and DTP on most of your interfaces to avoid
warnings.

If you are able to successfully build out that topology (as well as answer the two challenge
questions in the previous article), then you can rest assured knowing you have mastered the
concept of Configuring VLANs on Cisco switches.

Configuring VLANs on Cisco Switches – Contents:

 Access Ports
o Creating the VLAN in the VLAN Database
o Assigning the Switchport to a VLAN
 Trunk Ports
o Native VLAN
o Allowed VLAN List
 Show Commands
o show vlan brief
o show interfaces trunk
o show interfaces switchport
o show interfaces status
o show spanning-tree
 Default Switchport Setting
o Dynamic Trunking Protocol
o Default Access Port Settings
o Default Trunk Port Settings
 Summary
 This article explains the knowledge necessary for these CCNA exam objectives:

 2.1 Configure and verify VLANs (normal range) spanning multiple switches
o 2.1.a Access ports (data and voice)
o 2.1.b Default VLAN
o 2.1.c Connectivity
 2.2 Configure and verify interswitch connectivity
o 2.2.a Trunk ports
o 2.2.b 802.1Q
o 2.2.c Native VLAN

Related Posts:
VLANs - the simplest explanation

VLANs -- Index

What is the Native VLAN?

Voice VLAN - Auxiliary VLAN

Tags:CCNAVLANSCISCO
4.4
Article Rating

Subscribe

{}
30 COMMENTS
Oldest
Arjunkrishna
7 years ago
The Post was Awesome!!
7
Reply

Cesar
7 years ago
Hi, very helpful this post. I have a question, what software use to drar the network diagrams?.
0
Reply
Cesar
Reply to Cesar
7 years ago
I meant “draw”
0
Reply
Ed Harmoush
Author
Reply to Cesar
7 years ago
Hi Cesar, glad you enjoyed the post. I draw and animate everything in PowerPoint (don’t laugh! ;p). If I need
clipart, I grab them from [Link].
1
Reply

[Link]
7 years ago
Thanks for this great article, I have shared it on Facebook.
0
Reply
Ed Harmoush
Author
Reply to [Link]
7 years ago
Thanks for the share! I’m glad you liked the article!
0
Reply

Brandon
7 years ago
Yes wonderful article. I have shared on FB as well! One question if you could be so kind to provide
some insight. When you issue Switchport Trunk Allowed VLAN 20, 30 on an interface is the native
VLAN automatically applied (say it’s still default VLAN 1) or do you need to also add it to the
allowed list in order for the trunk to pass I tagged traffic?
1
Reply
Brandon
Reply to Brandon
7 years ago
untagged*
0
Reply
Ed Harmoush
Author
Reply to Brandon
7 years ago
Hi Brandon,
Good Question. It is best to think of the Native VLAN and the Allowed VLAN List as two independent
functions.
The Native VLAN configuration determines which VLAN traverses a Trunk link without a VLAN Tag.
The Allowed VLAN List determines which VLANs are allowed to traverse a trunk.
If the Allowed VLAN List is only allowing VLAN 20 and 30, then only those VLANs can traverse the trunk.
The Native VLAN happens to be 10, then it will not be allowed across the trunk.
Hope this helps!
2
Reply

Jimmy
6 years ago
Nice article. Guess the routers may confuse some peoples as they are not to work like that without
any L3 redundancy.
0
Reply

dav1917
6 years ago
Thanks so much for this great article! It really clarifies vlans in the Cisco world. Although I’ve
worked with vlans, I’ve not worked with Cisco switches in years. Do you really have to add access
ports one at a time? Is there a command to add a group of ports? Example using another vendor on a
VoIP vlan:
#conf vlan VoIP add ports 1:1-48 tagged
Is there a similar command for Cisco switches? If not, it seems that adding access ports would be
tedious on a switch stack.
0
Reply
Ed Harmoush
Author
Reply to dav1917
6 years ago
Hi Dav1917. You have the option of using the interface range to apply commands to multiple interfaces
at the same time. Here is an example of configuring multiple Access ports at once.
0
Reply
dav1917
Reply to Ed Harmoush
6 years ago
Thank you, Ed! That is awesome – and a relief.
0
Reply

Rozak
6 years ago
Mate article is amazing and so so helpful thank you. One thing – above the ‘show interfaces status’
heading, you’ve repeated the quick intro paragraph, probs should be deleted. It’s like –
intro paragraph incorrectly placed
‘show interfaces status’ heading
repeated intro paragraph but correctly placed
Thanks again, it will be you I thank in my CCNA acceptance speech!
0
Reply
Ed Harmoush
Author
Reply to Rozak
6 years ago
Hi Rozak. Yikes, no clue how that slipped through, but good catch! I’ve fixed it. Thanks!
Glad you enjoyed the article and I’m looking forward to your CCNA acceptance speech =)
0
Reply
wayne
6 years ago
Hi, great tutorial! somehow I can`t get “Switch(config-if)# switchport trunk encapsulation dot1q”
this command done in my switch, I just got 2 choices which are access/native after I typed
“Switch(config-if)# switchport trunk”, it doesn`t link to “encapsulation dot1q”, any thought?
0
Reply
Ed Harmoush
Author
Reply to wayne
6 years ago
Switches that do not support ISL do not require designating the use of 802.1q.
If the switchport trunk encapsulation dot1q command is not applying, it is likely your switch
only supports 802.1q.
1
Reply

PATRICK
6 years ago
This is great. Can i get a copy of the same in my email.
0
Reply

Jim
6 years ago
Hello Ed Harmoush
i have the following query what will be happened if the frame came to an access port and what will
be happened if the same frame came to trunk port?
[Link] access port it will retag the frame with the number on vlan that has assign it (for example vlan
access 10) or it drop the packet ?
0
Reply

feshop 2018
6 years ago
Informative article, exactly whhat I was looking for.
0
Reply

Liuis
5 years ago
me sirvió muchismo muchas gracias.
0
Reply
Ed Harmoush
Author
Reply to Liuis
5 years ago
De nada =)
0
Reply

Jaseer K K
4 years ago
in the description of Show interface Trunk cmd ,Vlan 1 is not showing in the allowed vlan as well as
in the Vlan active in managment domain section for the port
Et2/1 and 2/2, Reason?
0
Reply
Ed Harmoush
Author
Reply to Jaseer K K
4 years ago
Hi Jaseer. Because VLAN 1 was not added to the Allowed VLAN List:
[Link]
0
Reply

Afsal Adathi Abdul Khader

2 years ago
Hello Ed Harmoush,
Thank you for this wonderful article and great explanation. One thing – Under the heading “Show
interfaces switchport” there is a table which describe each line of output. In the last row “Notice
SwitchX’s trunk port was limited to just VLANs 20 and 30, and this is reflected in the output above.”
I think that’s not SwitchX’ trunk port that’s SwitchY’s trunk port. Thank you.
0
Reply
Ed Harmoush
Author
Reply to Afsal Adathi Abdul Khader
2 years ago
Good catch! Thank you. I fixed it. =)
1
Reply

KlajdiSS
2 years ago
Great post
0
Reply

RJ.S
2 years ago
Great post! Very helpful. Good job.
0
Reply

Ataiva
1 year ago
I found this article to be very informative, thank you for this. I see it’s a couple years old already, yet
still relevant.
 0
Reply

Jerry
1 year ago
Informative thread. Thanks for sharing…
0
Reply

Most read articles this week:

 Understanding Ethernet Wiring714 views
 Virtual Local Area Networks (VLANs)677 views
 CCNA — Index539 views
 Configuring VLANs on Cisco Switches456 views
 Packet Traveling363 views
 Practical TLS
The most thorough SSL and TLS course

Want to learn Networking?

Watch this free video series.

Want to learn Subnetting?

Watch the best Subnetting training videos ever recorded. Then practice Subnetting
at: [Link]
Your E-Mail:

Your Name:

Subscribe

acl arp ASA BGP CCNA CCNP cisco Cryptography eigrp Encryption hashing nat networki
ng openssl ospf routingsubnetting TLS vlans VPN

Thank you for making this possible =)

Copyright © Practical Networking .net 2015 - 2024