Configuring Virtual Local Area Networks (VLANs)

It may come as a surprise to you, but configuring VLANs is actually pretty easy. Figuring out which users you want in each VLAN is not; it's extremely time-consuming. But once you've decided on the number of VLANs you want to create and established which users belong to each one, it's time to bring your first VLAN into the world.

To configure VLANs on a Cisco Catalyst switch, use the global configuration vlan command. In the following example, we create three VLANs on the S1 switch for three different departments. Again, remember that VLAN 1 is the native and administrative VLAN by default:

S1#config t
S1(config)#vlan ?
WORD      ISL VLAN IDs 1-4094
internal  Internal VLAN
S1(config)#vlan 2
S1(config-vlan)#name sales
S1(config-vlan)#vlan 3
S1(config-vlan)#name Marketing
S1(config-vlan)#vlan 4
S1(config-vlan)#name Accounting
S1(config-vlan)#^Z
S1#

From the preceding output, you can see that the command accepts VLAN IDs from 2 to 4094. That is only mostly true. As we said, normal-range VLANs go only up to 1005, and you can't use, change, rename, or delete VLANs 1 and 1002 through 1005 because they're reserved. VLANs 1006 through 4094 are called extended-range VLANs: a switch in VTP server or client mode (VTP version 1 or 2) refuses to create them, and in VTP transparent mode they are kept in the running configuration rather than in the VLAN database (VTP version 3 lifts this restriction). You won't see these VLAN numbers used too often in production. Here's what happens when I try to create VLAN 4000 on S1 while the switch is in VTP server mode (the default VTP mode):

S1#config t
S1(config)#vlan 4000
S1(config-vlan)#^Z
% Failed to create VLANs 4000
Extended VLAN(s) not allowed in current VTP mode.
% Failed to commit extended VLAN(s) changes.

After you create the VLANs you want, verify your configuration with the show vlan command (sh vlan for short). Notice that, by default, every port on the switch is in VLAN 1; to move a port, you go to that interface and tell it which VLAN to belong to, which we'll do shortly:

S1#sh vlan
VLAN Name           Status           Ports
---------------------------------------------------------------
1    default        active           Fa0/3, Fa0/4, Fa0/5, Fa0/6
2    sales          active
3    Marketing      active
4    Accounting     active
[output cut]

This may seem repetitive, but it's important, and I want you to remember it: you can't change, delete, or rename VLAN 1 because it's the default VLAN, and that's that. It's the native VLAN of all switches by default, and this course material recommends using it as your administrative VLAN, though hardening guides generally prefer a dedicated management VLAN and a native VLAN that carries no user traffic. Basically, any frame that arrives on a trunk without a VLAN tag is placed in the native VLAN.

In the full S1 output (cut above), ports Fa0/3 through Fa0/8 and the Gi0/1 uplink are all in VLAN 1, but where are ports 1 and 2? Remember the earlier VLAN identification article, where those two ports were configured as trunks and bundled into an EtherChannel. A trunk port doesn't show up under any VLAN in the VLAN database; use the show interfaces trunk command to see your trunked ports.

Now that the VLANs exist, we can assign switch ports to specific ones. Each port can be a member of only one VLAN, with the exception of voice access ports, which carry a data VLAN and a voice VLAN. With the trunking we went over earlier, you can make a port available to traffic from all VLANs. We'll cover that in a future article in our CCNA course section.

Assigning Switch Ports to VLANs

You configure a port to belong to a VLAN by assigning a membership mode that specifies the kind of traffic the port carries and the number of VLANs it can belong to. You make a port an access port in a specific VLAN with the interface-level switchport commands. You can also configure multiple ports at the same time with the interface range command, which is covered in the Introduction to Routing and Routing Protocols article.

Remember that you can configure either static or dynamic memberships on a port. Here, we are only going to cover the static flavor. In the following example, we'll assign interface Fa0/3 to VLAN 3. This is the connection from the S1 switch to the Host A device:

S1#config t
S1(config)#int fa0/3
S1(config-if)#switchport ?
access         Set access mode characteristics of the interface
backup         Set backup for the interface
block          Disable forwarding of unknown uni/multi cast addresses
host           Set port host
mode           Set trunking mode of the interface
nonegotiate    Device will not engage in negotiation protocol on this interface
port-security  Security related command
priority       Set appliance 802.1p priority
protected      Configure an interface to be a protected port
trunk          Set trunking characteristics of the interface
voice          Voice appliance attributes

Well, now what do we have here? There's some new stuff in the preceding output. Some of these commands we have already covered, but no worries: the access, mode, nonegotiate, trunk, and voice commands are covered in this article and the ones that follow.

Let’s start with setting an access port on S1, which is probably the most widely used type of port on production switches that has VLANs configured:

S1(config-if)#switchport mode ?
access   Set trunking mode to ACCESS unconditionally
dynamic  Set trunking mode to dynamically negotiate access or trunk mode
trunk    Set trunking mode to TRUNK unconditionally
S1(config-if)#switchport mode access
S1(config-if)#switchport access vlan 3

By starting with the switchport mode access command, you're telling the switch that this is a dedicated layer 2 access port that will never be negotiated into a trunk. You then assign the VLAN with the switchport access vlan command. Remember, you can configure many ports at once with the interface range command. The dynamic and trunk options relate to trunking and are covered next.

That’s it. Well, sort of. If you plugged devices into each VLAN port, they can only talk to other devices in the same VLAN. We want to enable inter-VLAN communication and we’re going to do that, but first, you need to learn a bit more about trunking.

Configuring Trunk Ports

The 2960 switch only runs the IEEE 802.1Q encapsulation method. To configure trunking on a Fast Ethernet port, use the interface command switchport mode trunk. It's a tad different on the 3560 switch.

The following switch output shows interface fa0/8 being set to trunk:

S1#config t
S1(config)#int fa0/8
S1(config-if)#switchport mode trunk

The following list describes the different options available when configuring a switch interface:

  • switchport mode access: We discussed this in the VLAN Identification Methods article, but this puts the interface (access port) into permanent non-trunking mode and negotiates to convert the link into a non-trunk link. The interface becomes a non-trunk interface regardless of whether the neighboring interface is a trunk interface. The port is a dedicated layer 2 access port.
  • switchport mode dynamic auto: This mode lets the interface convert the link to a trunk link. The interface becomes a trunk if the neighboring interface is set to trunk or desirable mode. This is the default switchport mode for all Ethernet interfaces on current Cisco switches, which means an unconfigured port will become a trunk if whatever is plugged into it speaks DTP.
  • switchport mode dynamic desirable: This one makes the interface actively attempt to convert the link to a trunk link. The interface becomes a trunk if the neighboring interface is set to trunk, desirable, or auto mode. This used to be the default on some older switches, but not any longer; the default is dynamic auto now.
  • switchport mode trunk: Puts the interface into permanent trunking mode and negotiates to convert the neighboring link into a trunk link. The interface becomes a trunk interface even if the neighboring interface isn't a trunk interface.
  • switchport nonegotiate: Prevents the interface from generating DTP frames. You can use this command only when the interface's switchport mode is access or trunk. You must manually configure the neighboring interface as a trunk interface to establish a trunk link. Since the static access and trunk modes above still send DTP frames, pairing them with switchport nonegotiate is the usual way to make sure a port can't be talked into trunking by whatever is plugged into it.

To disable trunking on an interface, use the switchport mode access command, which sets the port back to a dedicated layer 2 access port.

Trunking with the Cisco Catalyst 3560 switch

Okay, let's take a look at one more switch, the Cisco Catalyst 3560. The configuration is pretty much the same as it is for a 2960, with the exception that the 3560 can provide layer 3 services and the 2960 can't. Plus, the 3560 can run both the ISL and the IEEE 802.1Q trunking encapsulation methods; the 2960 can only run 802.1Q. With all this in mind, let's take a quick look at the VLAN encapsulation difference on the 3560 switch.

The 3560 has the switchport trunk encapsulation command, which the 2960 switch doesn't:

Core(config-if)#switchport trunk encapsulation ?
dot1q      Interface uses only 802.1q trunking encapsulation when trunking
isl        Interface uses only ISL trunking encapsulation when trunking
negotiate  Device will negotiate trunking encapsulation with peer on interface
Core(config-if)#switchport trunk encapsulation dot1q
Core(config-if)#switchport mode trunk

As you can see, we've got the option to use either the IEEE 802.1Q (dot1q) encapsulation or the ISL encapsulation on the 3560 switch. After you set the encapsulation, you still have to set the interface mode to trunk. Honestly, it's pretty rare that you'd continue to use the ISL encapsulation method; Cisco is moving away from ISL, and its newer routers don't even support it.

Defining the Allowed VLANs on a Trunk

As I have mentioned, trunk ports send and receive traffic for all VLANs by default, and a frame that arrives on a trunk without a tag is placed in the native VLAN. This applies to the extended-range VLANs as well.

But we can remove VLANs from the allowed list to prevent traffic from certain VLANs from traversing a trunked link. Here’s how you’d do that:

S1#config t         
S1(config)#int fa0/1       
S1(config-if)#switchport trunk allowed vlan ?   
WORD          VLAN IDs of the allowed VLANs when this port is in trunking mode           
add           add VLANs to the current list     
all           all VLANs             
except        all VLANs except the following                       
none          no VLANs            
remove        remove VLANs from the current list                
S1(config-if)#switchport trunk allowed vlan remove ?  
WORD  VLAN IDs of disallowed VLANs when this port is in trunking mode  
S1(config-if)#switchport trunk allowed vlan remove 4

The preceding command removed VLAN 4 from the allowed list on the S1 port f0/1 trunk, so the trunk now drops all traffic sent or received for VLAN 4. You can try to remove VLAN 1 from a trunk link, but the link will still send and receive management traffic such as CDP, PAgP, LACP, DTP, and VTP on it, so what's the point?

To remove a range of VLANs, just use the hyphen:

S1(config-if)#switchport trunk allowed vlan remove 4-8

If by chance someone has removed some VLANs from a trunk link and you want to set the trunk back to default, just use this command:

S1(config-if)#switchport trunk allowed vlan all

Or this command to accomplish the same thing:

S1(config-if)#no switchport trunk allowed vlan
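As an added example (not part of the original article and not Cisco's code), here is a small Python model of how the allowed-VLAN commands above change a trunk's list. It follows the IOS keyword semantics shown in the help output (a bare list replaces the list; add, remove, except, all and none modify it), starts from the default of all VLANs 1 through 4094, and treats no switchport trunk allowed vlan as a reset to that default. The command session it replays is constructed for the example, and format_vlan_list collapses the result into the range notation you see in show interfaces trunk and in the running config.

```python
# Added example: a model of the "switchport trunk allowed vlan" forms on
# Cisco IOS. The 1-4094 range and the keywords come from the CLI help
# output; the replayed session below is constructed for the demonstration.

FULL_RANGE = frozenset(range(1, 4095))


def parse_vlan_list(spec: str) -> set[int]:
    """Parse an IOS VLAN list such as '1-3,9-4094' or '4' into a set of IDs."""
    vlans: set[int] = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
        else:
            lo = hi = int(part)
        if not (1 <= lo <= hi <= 4094):
            raise ValueError(f"VLAN ID out of range: {part}")
        vlans.update(range(lo, hi + 1))
    return vlans


def format_vlan_list(vlans) -> str:
    """Render a set of VLAN IDs the way IOS prints them, e.g. '1-3,9-4094'."""
    ids = sorted(vlans)
    if not ids:
        return "none"
    ranges = []
    start = prev = ids[0]
    for v in ids[1:]:
        if v == prev + 1:
            prev = v
            continue
        ranges.append(f"{start}-{prev}" if start != prev else f"{start}")
        start = prev = v
    ranges.append(f"{start}-{prev}" if start != prev else f"{start}")
    return ",".join(ranges)


def apply_allowed_vlan(current, command: str):
    """Apply one allowed-vlan command line to the current allowed set.

    'no switchport trunk allowed vlan' and 'switchport trunk allowed vlan all'
    both restore the default of every VLAN, as the article states.
    """
    words = command.split()
    if words[:1] == ["no"]:
        return set(FULL_RANGE)
    if words[:4] != ["switchport", "trunk", "allowed", "vlan"]:
        raise ValueError(f"not an allowed-vlan command: {command!r}")
    args = words[4:]
    if not args:
        raise ValueError("missing VLAN list or keyword")
    keyword, rest = args[0], " ".join(args[1:])
    if keyword == "all":
        return set(FULL_RANGE)
    if keyword == "none":
        return set()
    if keyword == "add":
        return set(current) | parse_vlan_list(rest)
    if keyword == "remove":
        return set(current) - parse_vlan_list(rest)
    if keyword == "except":
        return set(FULL_RANGE) - parse_vlan_list(rest)
    # A bare VLAN list replaces the whole allowed list.
    return parse_vlan_list(" ".join(args))


def run_session(commands: list[str]) -> str:
    """Start from the default (all VLANs) and apply the commands in order."""
    allowed = set(FULL_RANGE)
    for cmd in commands:
        allowed = apply_allowed_vlan(allowed, cmd)
    return format_vlan_list(allowed)


if __name__ == "__main__":
    # Constructed session mirroring the two remove commands used on S1 fa0/1.
    session = [
        "switchport trunk allowed vlan remove 4",
        "switchport trunk allowed vlan remove 4-8",
    ]
    print(run_session(session))
```

Running it prints 1-3,9-4094, the same allowed list that appears under the trunk's running configuration later in this article; feeding it a remove 1 line would drop VLAN 1 from the data list, which is exactly the case where the control traffic listed above still flows.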

Next, we'll look at changing the native VLAN of a trunk and then at configuring VLAN pruning, before we start routing between VLANs.

Changing or Modifying the Trunk Native VLAN

You really don't want to change the trunk port native VLAN from VLAN 1 without planning for it, but you can, and it is a common hardening step: because untagged frames on a trunk land in the native VLAN, moving the native VLAN to an otherwise unused VLAN keeps a host's untagged or double-tagged frames out of a VLAN that carries real traffic. Whatever you choose must match on both ends of the trunk. To change the native VLAN, use the following command:

S1#config t         
S1(config)#int f0/1           
S1(config-if)#switchport trunk ?
allowed  Set allowed VLAN characteristics when interface is in trunking mode
native   Set trunking native characteristics when interface is in trunking mode
pruning  Set pruning VLAN characteristics when interface is in trunking mode
S1(config-if)#switchport trunk native ?
vlan  Set native VLAN when interface is in trunking mode
S1(config-if)#switchport trunk native vlan ?
<1-4094>  VLAN ID of the native VLAN when this port is in trunking mode
S1(config-if)#switchport trunk native vlan 40
S1(config-if)#^Z

So we've changed the native VLAN on our trunk link to 40, and by using the show running-config command we can see the configuration under the trunk link:

!
interface FastEthernet0/1
 switchport trunk native vlan 40
 switchport trunk allowed vlan 1-3,9-4094
 switchport trunk pruning vlan 3,4
!

Hold on there, partner! You didn't think it would be this easy and would just start working, did you? Sure you didn't. Here's the rub: if the switches on both ends of a trunk don't have the same native VLAN configured, we'll start to receive this error:

19:23:29: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/1 (40), with Core FastEthernet0/7 (1)
19:24:29: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/1 (40), with Core FastEthernet0/7 (1)

S1's side of the trunk now uses VLAN 40 as the native VLAN while Core's FastEthernet0/7 still uses the default VLAN 1, and CDP notices. Just remember that both ends of a trunk must use the same native VLAN or you'll have some serious problems: frames sent untagged from one side land in a different VLAN on the other, so traffic leaks between VLANs, and spanning tree blocks the port for the mismatched VLANs. The fix is to set the same native VLAN on Core's FastEthernet0/7.
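Pulling the trunk-mode list from Configuring Trunk Ports and the native VLAN mismatch above together, here is an added Python audit (not code from this article or from Cisco) that reads running-config text offline. It parses each interface block, reports ports still in the default dynamic auto DTP state, trunks configured without switchport nonegotiate, and trunks whose native VLAN is still VLAN 1, and then compares the native VLAN at both ends of each cabled trunk, which is the condition behind the CDP NATIVE_VLAN_MISMATCH message. The S1 and Core config excerpts and the link map are constructed for the example; in practice you would pull the configs from the switches and build the link map from CDP or LLDP neighbor tables.

```python
# Added example: an offline audit of Cisco IOS running-config text for the
# trunking pitfalls discussed in this article. The two configs and the link
# map are constructed for the demonstration.
import re
from dataclasses import dataclass


@dataclass
class Port:
    name: str
    mode: str = "dynamic auto"  # IOS default when no "switchport mode" is set
    native_vlan: int = 1        # IOS default native VLAN
    nonegotiate: bool = False   # True once "switchport nonegotiate" is seen


def parse_interfaces(config: str) -> dict[str, Port]:
    """Collect the switchport settings from each 'interface ...' block."""
    ports: dict[str, Port] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = Port(name=line.split(None, 1)[1])
            ports[current.name] = current
        elif line == "!":
            current = None  # end of the interface block
        elif current is None:
            continue
        elif line.startswith("switchport mode "):
            current.mode = line[len("switchport mode "):]
        elif m := re.fullmatch(r"switchport trunk native vlan (\d+)", line):
            current.native_vlan = int(m.group(1))
        elif line == "switchport nonegotiate":
            current.nonegotiate = True
    return ports


def audit_ports(switch: str, ports: dict[str, Port]) -> list[str]:
    """Per-switch findings: DTP still negotiating, trunks still sending DTP,
    and trunks whose native VLAN is the default VLAN 1."""
    findings = []
    for p in ports.values():
        if p.mode.startswith("dynamic"):
            findings.append(f"{switch} {p.name}: DTP negotiation enabled ({p.mode}); "
                            "set switchport mode access or trunk")
        elif p.mode == "trunk" and not p.nonegotiate:
            findings.append(f"{switch} {p.name}: trunk without switchport nonegotiate; "
                            "DTP frames still sent")
        if p.mode == "trunk" and p.native_vlan == 1:
            findings.append(f"{switch} {p.name}: native VLAN is the default VLAN 1")
    return findings


def check_native_vlan(configs: dict[str, dict[str, Port]], links) -> list[str]:
    """Compare the native VLAN at both ends of each trunk link; a difference is
    what the CDP NATIVE_VLAN_MISMATCH message reports."""
    mismatches = []
    for (sw_a, if_a), (sw_b, if_b) in links:
        a, b = configs[sw_a][if_a], configs[sw_b][if_b]
        if a.native_vlan != b.native_vlan:
            mismatches.append(f"Native VLAN mismatch: {sw_a} {if_a} ({a.native_vlan}) "
                              f"<-> {sw_b} {if_b} ({b.native_vlan})")
    return mismatches


# Constructed running-config excerpts for S1 and Core.
S1_CONFIG = """\
!
interface FastEthernet0/1
 switchport trunk native vlan 40
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 3
!
interface FastEthernet0/8
 switchport mode trunk
!
interface FastEthernet0/9
!
"""

CORE_CONFIG = """\
!
interface FastEthernet0/7
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
"""

# Constructed link map; in practice take this from CDP/LLDP neighbor tables.
LINKS = [(("S1", "FastEthernet0/1"), ("Core", "FastEthernet0/7"))]


def run_audit(raw_configs: dict[str, str], links) -> dict[str, list[str]]:
    """Parse every config, audit each switch, then check the trunk links."""
    parsed = {name: parse_interfaces(text) for name, text in raw_configs.items()}
    report = {name: audit_ports(name, ports) for name, ports in parsed.items()}
    report["links"] = check_native_vlan(parsed, links)
    return report


if __name__ == "__main__":
    for section, lines in run_audit({"S1": S1_CONFIG, "Core": CORE_CONFIG}, LINKS).items():
        print(section)
        for line in lines:
            print("  " + line)
```

On the constructed input, S1's Fa0/1 is clean (static trunk, nonegotiate, native VLAN 40), Fa0/8 is flagged twice (no nonegotiate, native VLAN 1), Fa0/9 is flagged for sitting in dynamic auto, and the link check reports the same S1 Fa0/1 (40) versus Core Fa0/7 (1) mismatch that CDP logged above.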