Configuring VLANs on

Cisco Switches
AUGUST 10, 2016 by ed harmoush leave a comment

We’ve before written about VLANs and what they can do as a concept. This
article will focus on configuring VLANs on Cisco switches.

We will look at each command necessary to configure the topology below. If this
topology looks familiar, it is because you saw it in the article which described
how VLANs operated on a conceptual level.

We will first look at what goes into configuring the access ports in the topology
below, followed by what goes into configuring the trunk ports. Then we will look
at some verification and show commands to validate what is configured. Finally,
we will look at the default configuration for a switch port, so we know our
starting point when we are applying the commands we discuss.

Access Ports
An access port is a switch port that is a member of only one VLAN. There are
two parts to configuring an access port: creating the VLAN in the switch’s VLAN
Database and assigning the switch port to a VLAN.

Creating the VLAN in the VLAN Database

Before a switch will accept or forward traffic for a VLAN, the VLAN must exist in
the switch’s VLAN Database. Adding a VLAN to the VLAN database requires only
one command:

SwitchX(config)# vlan 10

From this point, you can also optionally name the VLAN. While not explicitly
necessary for traffic to flow, it is best practice to provide a name for each VLAN.
This will make the VLAN easier to identify.

To name a VLAN, simply use the name; command directly after creating it.

SwitchX(config-vlan)# name RED

For VLAN 20, we will create and name the VLAN on SwitchX:

SwitchX(config)# vlan 20
SwitchX(config-vlan)# name ORANGE

Note that a VLAN only has to be added to the database once. If a VLAN already exists in
the VLAN database, it is not necessary to re-create it – you can jump directly to the next
step. Later in this article we will look at some show commands used to determine if a
VLAN has already been created.

Assigning the Switchport to a VLAN

Now that the VLAN is in the VLAN database, we can configure a switch port to be
an access port for a particular VLAN. There are two commands within the
interface configuration mode for this step:
SwitchX(config)# interface Ethernet 0/0
SwitchX(config-if)# switchport mode access
SwitchX(config-if)# switchport access vlan 10

The switchport mode access command sets the port as an access port, and
the switchport access vlan <#>command designates the port as a member of
VLAN 10.

Some versions of Cisco switches automatically create the VLAN in the VLAN
Database when you assign an access port to a VLAN:

SwitchX(config)# interface Ethernet 0/1

SwitchX(config-if)# switchport mode access
SwitchX(config-if)# switchport access vlan 30
% Access VLAN does not exist. Creating vlan 30

However, it is not recommended that you depend on this. Some switches will do
it, some will not. Some switches will not create the VLAN and also not report any
errors, leaving you confused as to why traffic might not be flowing. Moreover,
this creates the VLAN with a generic name – the name for VLAN 30 above
defaults to VLAN0030, which is not very helpful.

As such, we always recommend to create and name a VLAN before assigning it

anywhere. If you happen to forget to name it first, you can always update the
name of a VLAN in that database after the fact:

SwitchX(config)# vlan 30
SwitchX(config-vlan)# name BLUE

In summary, the two steps to configure an access port:

 Create and optionally (but ideally) name the VLAN

 Set a switch port as an access port and designate it as a member of a VLAN
Both steps will also need to be accomplished for each VLAN and switch port on
SwitchY. First we will create and name each VLAN:
SwitchY(config)# vlan 10
SwitchY(config-vlan)# name RED
SwitchY(config-vlan)# exit
SwitchY(config)# vlan 20
SwitchY(config-vlan)# name ORANGE
SwitchY(config-vlan)# exit
SwitchY(config)# vlan 30
SwitchY(config-vlan)# name BLUE
SwitchY(config-vlan)# exit

Then we will set Eth0/2 and Eth0/3 as access ports in VLANs 10 and 30,
respectively:

SwitchY(config)# interface Ethernet 0/2

SwitchY(config-if)# switchport mode access
SwitchY(config-if)# switchport access vlan 10
SwitchY(config-if)# exit
SwitchY(config)# interface Ethernet 0/3
SwitchY(config-if)# switchport mode access
SwitchY(config-if)# switchport access vlan 30
SwitchY(config-if)# exit

The commands above created the following configuration in the running-

configuration for each switch:

SwitchXSwitchY

SwitchX# show running-config

...
vlan 10
name RED
!
vlan 20
name ORANGE
!
vlan 30
name BLUE
...
interface Ethernet0/0
 switchport access vlan 10
switchport mode access
!
interface Ethernet0/1
switchport access vlan 30
switchport mode access
...

Note, if you are following along with this configuration guide in your own lab, you may
not see the creation and naming of the VLANs appear in the running configuration. This
is because the default VTP mode causes VLAN database information to appear in
another file (vlan.dat). To force the configuration to appear in your running-
configuration, use the command vtp mode transparent. Beyond that, VTP’s operation
is outside the scope of this article.

Trunk Ports
As discussed before, a trunk port is a switch port that is carrying more than one
VLAN.

Traffic traversing a trunk port is still in the form of 1s and 0s. To designate
which 1s and 0s belong to which VLANs, a VLAN Tag is added to all traffic leaving
a trunk port. The 802.1q standard specifies the ubiquitous format for the VLAN
tag.

Creating a trunk port involves only one command:

SwitchY(config)# interface Ethernet1/1

SwitchY(config-if)# switchport mode trunk

Just like switchport mode access set the port as an access port, switchport
mode trunk will set the port as a trunk port.

Some switches support more than one method for adding the VLAN tag. Namely,
some switches support the antiquated ISL method of VLAN tagging. Before these
switches allow you to set a port as a trunk port, they force you to set a tagging
method, also called an encapsulation method:
SwitchX(config)# interface Ethernet1/1
SwitchX(config-if)# switchport mode trunk
Command rejected: An interface whose trunk encapsulation is "Auto" can not be
configured to "trunk" mode.

For these switches, you simply use the switchport trunk encapsulation
dot1q command before setting the switchport as a trunk port:

SwitchX(config)# interface Ethernet1/1

SwitchX(config-if)# switchport trunk encapsulation dot1q
SwitchX(config-if)# switchport mode trunk

We will also configure Eth2/1 and Eth2/2 on SwitchX as trunk ports:

SwitchX(config)# interface Ethernet 2/1

SwitchX(config-if)# switchport trunk encapsulation dot1q
SwitchX(config-if)# switchport mode trunk
SwitchX(config-if)# exit
SwitchX(config)# interface Ethernet 2/2
SwitchX(config-if)# switchport trunk encapsulation dot1q
SwitchX(config-if)# switchport mode trunk
SwitchX(config-if)# exit

This is all you need to create a trunk port. With the configuration above, the
switch will forward traffic from all VLANs in the VLAN Database out the
configured trunk port.

That being said, there are some additional helpful settings you can apply to a
trunk port to modify the default behavior. We will discuss two of them in the
sections that follow.

Native VLAN
The Native VLAN is the one VLAN on a trunk port which is allowed to remain
untagged. By default, this is set to VLAN 1, but this can be changed by an
administrator.
To set the Native VLAN, you use this command:

SwitchX(config)# interface Ethernet 1/1

SwitchX(config-if)# switchport trunk native vlan 2

After setting this command, any time SwitchX is sending traffic on VLAN 2 out
the trunk port Eth1/1, it will do so without adding a VLAN tag. Moreover, anytime
SwitchX receives untagged traffic on trunk port Eth1/1, SwitchX will assign that
traffic to VLAN 2.

An important point to remember: both switches on either end of the same trunk
must have the same Native VLAN. Otherwise, you easily run the risk of a host in
one VLAN being able to communicate with a host in another VLAN.

Therefore, we will set the same Native VLAN on SwitchY:

SwitchY(config)# interface Ethernet 1/1

SwitchY(config-if)# switchport trunk native vlan 2

We will also set another VLAN as the Native VLAN for Eth2/1 and Eth2/2 ports,
facing Router1 and Router2, respectively. This is to show that the Native VLAN
configuration is a per-interface configuration, not a per-deviceconfiguration. But
keep in mind, in most deployments the Native VLAN is typically consistent
across all ports.

SwitchX(config)# interface Ethernet 2/1

SwitchX(config-if)# switchport trunk native vlan 3
SwitchX(config-if)# exit
SwitchX(config)# interface Ethernet 2/2
SwitchX(config-if)# switchport trunk native vlan 3
SwitchX(config-if)# exit

Allowed VLAN List

By default, when an interface is set as a trunk port, traffic from all the VLANs in
the VLAN database is forwarded out that switch port.
There are times, however, where it is wise to limit which VLAN’s traffic is
traversing a particular trunk. This can be done by applying what is known as
an Allowed VLAN list. An Allowed VLAN list allows the administrator to
manually select which VLANs are traversing a trunk port.

Take a look at the illustration. Notice that the trunk port to Router1 is only
processing traffic for VLAN 10 and 20, but if the trunk port is left to its default
behavior, SwitchX will be forwarding traffic to Router1 from VLANs 10,
20, and 30. The VLAN 30 traffic will simply be dropped by Router1, but it does
needlessly add congestion to the link.

To solve this, we will add an Allowed VLAN list to Eth2/1 on SwitchX to restrict
which VLANs are traversing the trunk port:

SwitchX(config)# interface Ethernet 2/1

SwitchX(config-if)# switchport trunk allowed vlan 10,20

This will limit the VLANs which are traversing the trunk port to Router1 to only
the VLANs which actually need to be on that link.

The trunk port to Router2 can also be limited to only carry traffic for VLAN 20
and 30. Below is another way of applying an Allowed VLAN list which shows how
to add VLANs to the list after initially creating it:

SwitchX(config)# interface Ethernet 2/2

SwitchX(config-if)# switchport trunk allowed vlan 20
SwitchX(config-if)# switchport trunk allowed vlan add 30

Notice the important keyword add in the second command above. This instructs
the switch to add VLAN 30 traffic to whatever VLANs are already allowed on the
link.

Had the keyword add been omitted, the switch will have replaced the current
Allowed VLAN List (which was allowing just VLAN 20) with the new one (which
was allowing just VLAN 30). If Router1 was the gateway for the traffic in VLAN
20, all that traffic would now be dropped – creating a decidedly poor experience
for the users in that VLAN.
As such, it is very important to either apply the full list of VLANs in one
command (as in the first example), or to use the add command to add VLANs to
the current allowed VLAN list.

You also have the option of using the remove keyword to remove individual
VLANs from the allowed VLAN list.

In fact, the remove keyword provides one more way to apply an allowed VLAN list
to a trunk port. Take a look at the link between SwitchX and SwitchY. Notice
VLAN 20 does not need to be traversing that link.

Rather than simply adding an Allowed VLAN list with VLANs 10 and 30, you can
also simply remove VLAN 20 from the default configuration. We’ll show you how
it works with the trunk port between the switches (Eth1/1):

SwitchX(config)# interface Ethernet1/1

SwitchX(config-if)# switchport trunk allowed vlan remove 20

This automatically applies an Allowed VLAN list for every VLAN except VLAN 20:

SwitchX# show running-config interface Ethernet 1/1

interface Ethernet1/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport trunk allowed vlan 1-19,21-4094
switchport mode trunk
end

Since the default trunk port behavior was to allow all VLANs, removing VLAN 20
caused the switch to apply an Allowed VLAN list which included every VLAN (1 –
4094), except VLAN 20.

That said, this is typically not the way you would apply a new Allowed VLAN list
to an interface – the removekeyword is more often used to remove individual
VLANs from an already added Allowed VLAN list. We will remove the Allowed
VLAN list on Eth1/1, and leave that port configured as a default trunk port –
allowing traffic for all VLANs to traverse the trunk:

SwitchX(config)# interface Ethernet1/1

SwitchX(config-if)# no switchport trunk allowed vlan

The commands above created the following configuration in the running-

configuration for each switch:

SwitchXSwitchY

SwitchX# show running-config

...
interface Ethernet1/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport mode trunk
!
interface Ethernet2/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 3
switchport trunk allowed vlan 10,20
switchport mode trunk
!
interface Ethernet2/2
switchport trunk encapsulation dot1q
switchport trunk native vlan 3
switchport trunk allowed vlan 20,30
switchport mode trunk
!
...

Show Commands
The commands above explain the steps for configuring VLANs on Cisco
Switches. The output at the end of each section displayed the way the
configurations appears in the running-configuration. However, the running-
configuration will only show how a device is configured – it will not show how a
device operates.
This is an important distinction – a talented network engineer needs to not only
know how to configure VLANs, but also how to validate their operation as well.
To that end, we will discuss five show commands that can be used to verify a
device’s operation – how it is actually handling traffic.

 show vlan brief

 show interfaces trunk
 show interfaces switchport
 show interfaces status
 show spanning-tree

show vlan brief

The show vlan brief command provides two main pieces of information:

 The VLANs which exist in the switch’s VLAN Database

 The access ports configured in each VLAN
Here is what the output from both our switches:

SwitchXSwitchY

SwitchX# show vlan brief

VLAN Name Status Ports

---- -------------------------------- ---------
-------------------------------
1 default active Et0/2, Et0/3, Et1/0, Et1/2
Et1/3, Et2/0, Et2/3, Et3/0
Et3/1, Et3/2, Et3/3
10 RED active Et0/0
20 ORANGE active
30 BLUE active Et0/1

For both switches, the command displays VLANs 1, 10, 20, and 30. These are
the only VLANs that were created in the VLAN database. Should the switch
receive traffic tagged for a VLAN other than these, that traffic will be discarded.

For each VLAN, the VLAN’s name is also provided. Notice VLANs 10, 20, and 30
are named RED, ORANGE, and BLUE, respectively.

Also notice VLAN 1 exists and is named default, despite us not explicitly
creating it. This is because VLAN 1 is the default configuration that every switch
port starts out in. The switch will not allow you to delete VLAN 1 or change its
name.

The Status column reflects whether the VLAN is active on the switch. A VLAN can
become inactive for two reasons. The first is explicitly using
the shutdown command within the VLAN configuration mode. The second is a
VLAN existing in the database, but having no access ports or trunk ports utilizing
that VLAN.

On the far right of output, under the Ports column, you get a list of
each access port in each VLAN. We configured SwitchX’s Eth0/0 interface in
VLAN 10, and the output reflects that. Also notice the port Eth1/1 is nowhere to
be found. This is because Eth1/1 was configured as a trunk port, and will not be
visible in the output of show vlan brief.

show interfaces trunk

If show vlan brief is the go-to command to show you information
about access ports on a switch, then show interfaces trunk is the go-to
command to show you information about trunk ports on a switch.

There are four sections to the output of this command. To the untrained eye, it
might appear like some of the information is duplicate – but this is not the case.

SwitchXSwitchY

SwitchX# show interfaces trunk

Port Mode Encapsulation Status Native vlan

Et1/1 on 802.1q trunking 2
Et2/1 on 802.1q trunking 3
Et2/2 on 802.1q trunking 3

Port Vlans allowed on trunk

Et1/1 1-4094
Et2/1 10,20
Et2/2 20,30

Port Vlans allowed and active in management domain

Et1/1 1,10,20,30
Et2/1 10,20
Et2/2 20,30
Port Vlans in spanning tree forwarding state and not pruned
Et1/1 1,10,20,30
Et2/1 10,20
Et2/2 20,30

The first section of the output lists each interface which is operationally
behaving like a trunk port. This will make more sense a little later in the article
when we discuss a mechanism that lets a switch port automatically determine
whether it should be a trunk port. In the case above, we explicitly configured
ports Eth1/1, Eth2/1, and Eth2/2 on SwitchX and port Eth1/1 on SwitchY as trunk
ports.

The first section also lists what method of Encapsulation is in use (i.e., what
method of VLAN tagging), as well as the VLAN configured as the Native VLAN for
each trunk.

The second section, labeled Vlans allowed on trunk, is a reflection of which

VLANs have made it through any configured Allowed VLAN lists on each trunk
port. On SwitchX, we created two Allowed VLAN lists, one allowing VLAN 10 and
20 on Eth2/1, and another allowing VLANs 20 and 30 on Eth2/2. Interface Eth1/1
did not have any VLANs restricted, so therefore all possible VLANs are listed as
allowed on the trunk port – VLANs IDs can only be 1 – 4094.

The third section, labeled Vlans allowed and active in management domain, is a
combination of the section before it (Vlans allowed on trunk) and the VLANs
which are created in the VLAN database (i.e., visible in show vlan brief). Despite
all VLANs being allowed on Eth1/1 (as indicated by the 1-4094 in the second
section), only VLANs 1, 10, 20, and 30 exist in the VLAN database.

The fourth section, labeled Vlans in spanning tree forwarding state and not
pruned, is a combination of the last two sections and the ports the Spanning Tree
Protocol deems as safe to forward traffic.

The Spanning Tree Protocol (STP) exists to ensure the L2 domain does not
contain any loops. If any are detected, those ports are disabled. In our topology,
there are no loops, so the output of the fourth section looks identical to the
output of the third section because STP did not disable any ports. STP is a
fascinating protocol, but its operation is outside the scope of this article – it will
be the subject of a future article.

show interfaces switchport

The show interfaces switchport command can give you an overwhelming
amount of information. Using the command by itself shows you 26 pieces of
information for each interface on your switch (or more, depending on the code
version you are using).

Rather than try to sift through all that, you can specify a particular interface to
get those same 26 pieces of information for just the desired interface using the
command show interfaces <intf> switchport.

For the sake of brevity and relevance, the output below has been trimmed to
just show the lines which relate to something discussed in this article. There is
an example of the full output of this command later in this article.

SwitchX Eth0/1SwitchY Eth2/2

SwitchX# show interfaces Ethernet 0/1 switchport

Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 30 (BLUE)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL

The description of each line in the output above is in the table that follows.

Line(s) Description
Switchport
Enabled if the port is functioning as a L2 port. Disabled if the po
port.
These two tell you how the switchport is configured and how the
operating. In our case, we configured ports as access Ports and t
reflected above. But as alluded to before, there is a protocol calle
Administrative Mode and Operational switchports to automatically negotiate becoming a trunk port. In
Mode
have a particular Administrative mode set and the Operational m
the switchport is actually acting as a trunk or access port. This w
when we get into the specifics of DTP below.
Administrative Trunking DTP not only negotiates trunk status, it also negotiates encapsul
Encapsulationand Operational Trunking two commands show you what encapsulation method is configu
Encapsulation and what encapsulation method is negotiated (Operational).
Negotiation of Trunking This indicates the switchport’s participation in DTP. Again, it w
 sense below when we elaborate on DTP.
This displays the VLAN membership if the port is configured or
Access Mode VLAN port. Note that even our trunk port (SwitchY’s Eth 2/2) has an en
but it doesn’t have an effect until the interface becomes an acces
This displays the Native VLAN setting for the port. Again, even
Trunking Native VLAN have an entry for this setting (see SwitchX’s Eth0/1), but it will
the interface is configured or negotiated as a trunk port.
This is a reflection of the VLANs permitted via an Allowed VLA
Trunking VLANs Enabled SwitchX’s trunk port was limited to just VLANs 20 and 30, and
output above.
Typically, the show interfaces status command is associated with seeing
whether devices are plugged into a switchport or not (connected vs notconnect
in the Status column). However, this command can also reveal some information
about the VLAN configuration of a switchport.

Namely, if you see a number in the VLAN column, then the switchport is an
access Port in the provided VLAN. And if you see the word trunk, then the
switchport is configured as a trunk port.

show interfaces status

Typically, the show interfaces status command is associated with seeing
whether devices are plugged into a switchport or not ( connected vs notconnect in
the Status column). However, this command can also reveal some information
about the VLAN configuration of a switchport.

Namely, if you see a number in the VLAN column, then the switchport is an
access Port in the provided VLAN. And if you see the word trunk, then the
switchport is configured as a trunk port.

SwitchXSwitchY

SwitchX# show interfaces status

Port Name Status Vlan Duplex Speed Type

Et0/0 connected 10 auto auto unknown
Et0/1 connected 30 auto auto unknown
Et1/1 connected trunk auto auto unknown
Et2/1 connected trunk auto auto unknown
Et2/2 connected trunk auto auto unknown
Note, the output of the command show interfaces status above has been trimmed to
focus on just the interfaces that were configured in this article.

show spanning-tree
The show spanning-tree command is obviously mostly associated with verifying
the Spanning Tree Protocol, but it can also provide useful VLAN configuration
information.

Earlier we talked about show vlan brief, which provides information about
interfaces configured as access ports. We also talked about show interfaces
trunk, which provides information about interfaces configured as trunk ports.
The show spanning-tree vlan <VLAN-ID#> command provides information
on both access ports and trunk ports.

Specifically, you can use this command to see every switchport a VLAN is
exiting.

SwitchXSwitchY

SwitchX# show spanning-tree vlan 10

Interface Role Sts Cost Prio.Nbr Type

------------------- ---- --- --------- --------
--------------------------------
Et0/0 Desg FWD 100 128.1 Shr
Et1/1 Desg FWD 100 128.6 Shr
Et2/1 Desg FWD 100 128.10 Shr

SwitchX# show spanning-tree vlan 20

Interface Role Sts Cost Prio.Nbr Type

------------------- ---- --- --------- --------
--------------------------------
Et1/1 Desg FWD 100 128.6 Shr
Et2/1 Desg FWD 100 128.10 Shr
Et2/2 Desg FWD 100 128.11 Shr

SwitchX# show spanning-tree vlan 30

Interface Role Sts Cost Prio.Nbr Type

------------------- ---- --- --------- --------
--------------------------------
Et0/1 Desg FWD 100 128.2 Shr
Et1/1 Desg FWD 100 128.6 Shr
Et2/2 Desg FWD 100 128.11 Shr

We configured SwitchX with one access port in VLAN 10 (Eth0/0), and two trunk
ports which are permitting VLAN 10 (Eth1/1 and Eth2/1). Looking at the output
of the show spanning-tree vlan 10 command on SwitchX, we can see all three of
the ports that VLAN 10 traffic is egressing.

You won’t easily be able to determine whether the port is configured as an

access port or a trunk port. But you will be able to easily determine to what
other devices a VLAN’s traffic is going to by comparing the output of show
spanning-tree to show cdp neighbors:

SwitchXSwitchY

SwitchX# show cdp neighbors

Capability Codes: R - Router, B - Source Route Bridge, S - Switch, I - IGMP

Device ID Local Intrfce Holdtme Capability Platform Port ID

router2 Eth 2/2 172 R B Linux Uni Eth 0/2
router1 Eth 2/1 131 R B Linux Uni Eth 0/1
SwitchY Eth 1/1 169 R S I Linux Uni Eth 1/1

We can see that VLAN 10 on SwitchX is going to Router1 and SwitchY, as well as
a third device (which we know is Host A, who isn’t participating in CDP). VLAN 20
on SwitchY is only going to SwitchX. Using these two commands in conjunction
with each other is a great way to trace the L2 path through a network between
two devices.

Note, the output of the command show spanning-tree vlan <#> above has been
trimmed to focus on just the features discussed in this article.

Default Switchport Setting

Finally, before configuring VLANs with the commands discussed in this article, it
is important to know the starting point for each interface.
Nearly all Cisco features come with a certain default configuration. These exist
and are in place so that the device can perform (maybe with limited features,
but nonetheless) without any configuration required.

Knowing the default configuration is crucial to be an effective engineer because

if you know how something works innately, you know exactly what needs to
change to get it to work the way you want it to. To that end, we will spend some
time discussing the default switch port configuration applied to Cisco switches.

First, here is the output of show interfaces switchport for an unmodified

interface. There are three items we must discuss from the output below:

SwitchX# show interfaces eth0/2 switchport

Name: Et0/2
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Appliance trust: none

Dynamic Trunking Protocol

The first items we will discuss have to do with the Dynamic Trunking Protocol, or
DTP. Take a look at these lines from the output above:

Administrative Mode: dynamic auto

Operational Mode: down

As discussed before, the two modes correlate to the configured mode

(administrative) and the negotiated mode (operational). The distinction exists as
a result of the Dynamic Trunking Protocol (DTP).

Cisco created DTP to further the idea of ‘plug and play’ switches. They created a
protocol where if two switches were linked to each other, they could
automatically determine whether their interlink should be a trunk port or an
access port. It works based upon four modes an interface can be set to:

 switchport mode dynamic desirable – actively attempt to negotiate trunk

 switchport mode dynamic auto – passively attempt to negotiate trunk
 switchport mode trunk – statically set as trunk
 switchport mode access – statically set as access
The configuration of both sides of the link will determine whether the link will
negotiate as a trunk port or an access port. The table below lists every possible
combination

One side of Link Other side of Link

Dynamic Desirable Dynamic Desirable Trunk
Dynamic Desirable Dynamic Auto Trunk
Dynamic Desirable Static Trunk Trunk
Dynamic Desirable Static Access Access
Dynamic Auto Dynamic Auto Access
Dynamic Auto Static Trunk Trunk
Dynamic Auto Static Access Access
Static Trunk Static Trunk Trunk
Static Trunk Static Access Misconfiguration
Static Access Static Access Access
The issue with DTP is it provides a means for the other side of a link to modify
the behavior of your side of the link. When you control both sides this might not
seem like a terrible feature, but if you are ever in a situation where you only
control your device, DTP gives too much power to the other side.

As such, it is often recommended to avoid DTP automatically determining the

trunk status and instead manually set a port as trunk or access using the
commands we discussed earlier in this article ( switchport mode
trunk or switchport mode access).

Even with the switch port mode statically set, however, your switch will still send
DTP frames. This is how the otherside knows how your side is configured. Again,
if you own both sides the risk is negligible, but if you might not control the other
side, then this is undesirable.

You can disable the sending of DTP frames by also adding to the interface
configuration this command: switchport nonegotiate. This will disable the
periodic sending of DTP frames to advertise the switch port mode of the local
switch.

You can view whether a switch port has negotiation disabled in the output of the
command above. The specific line which indicates it is the following:

Negotiation of Trunking: On

To summarize, the default DTP behavior of an unmodified interface is:

 switchport mode dynamic auto

 negotiation of DTP enabled
Which means the link will automatically become a trunk if the other side is
configured with switchport mode dynamic desirable or if the other side is
configured with switchport mode trunk and switchport nonegotiate is notapplied.

Default Access Port Settings

From the output above, the following line correlates to the access port
configuration:

Access Mode VLAN: 1 (default)

Whether a switch port is statically set (or negotiated) as an access port or not,
this attribute exists and is configurable via the switchport access
vlan <#> command. Of course, it doesn’t affect the behavior of the switchport
unless the switchport becomes an access port.
A potential use case is if you are transitioning a port from a trunk port to an
access port, you can “preset” the access-port VLAN so that once you apply the
switchport mode access command, it is already in the appropriate VLAN.

In any case, notice the default configuration has every switchport in VLAN 1.

A switch is a device which facilitates communication within networks. You can

take a Cisco switch and simply connect two hosts and everything will “just
work”. It will do so because all the ports start in VLAN 1, so that there is no L2
segregation between the switch ports on switch’s default configuration. This
lines up with Cisco’s goal of making their switches “plug and play”.

Default Trunk Port Settings

Lastly, the following lines in the output above correlate to the trunk port
configuration:

Administrative Trunking Encapsulation: negotiate

Operational Trunking Encapsulation: native
...
Trunking Native Mode VLAN: 1 (default)
...
Trunking VLANs Enabled: ALL

We discussed DTP earlier, but we did not mention that DTP also negotiates the
encapsulation method.

Administrative Trunking Encapsulation indicates whether DTP will determine the

encapsulation method or whether it is statically set via the switchport trunk
encapsulation command.

Operational Trunking Encapsulation indicates the chosen or configured

encapsulation method. If the port becomes a trunk port, there are only two
options for this attribute: the ubiquitous 802.1q and the archaic ISL. On an
access port, this line will display native (as above), indicating no VLAN tag will
be added to traffic leaving this switch port.

Trunking Native Mode VLAN indicates the Native VLAN on the port. Once again,
this setting will only take place if the port becomes a trunk port. This setting can
be modified with the switchport trunk native vlan <#> command.
Trunking VLANs Enabled reflects the Allowed VLAN list applied to the
port. ALL indicates no VLANs have been restricted from the trunk, and therefore
every VLAN in the VLAN database will traverse down the trunk. As with the other
trunk configurations, this has no effect if the port is in access mode.

Configuring VLANs — Summary

This article is meant to follow the article discussing VLANs as a concept. The
focus of this article was to understand the different configuration and
verification commands that exist to modify or validate how a switch is behaving
in regards to its VLANs.

As with all written guides, practice is key. We encourage you to build out the
topology above in a lab or emulator (GNS3 / Packet-Tracer) and to practice
configuring VLANs using the commands described above.

If you want an additional challenge, build out the topology in the VLAN
Challenge from the other article. Note, you will need to disable CDP and DTP on
most of your interfaces to avoid warnings.

If you are able to successfully build out that topology (as well as answer the two
challenge questions in the previous article), then you can rest assured knowing
you have mastered the concept of Configuring VLANs on Cisco switches.