Computer NetworksVLANs

Virtual LANs (VLANs)

LevelIntermediate

Duration75 mins

TopicVLANs

3 / 5

VLAN Implementation

From Concept to Configuration

Understanding VLAN concepts and benefits is essential, but network engineers are ultimately measured by their ability to implement these concepts in functioning networks. VLAN implementation involves configuring switch ports, creating and managing VLANs, establishing trunk links, and following best practices that ensure reliable, secure operation.

This page bridges theory and practice. We will examine every aspect of VLAN implementation, from the fundamental distinction between access and trunk ports to advanced configuration patterns used in enterprise environments. While examples use Cisco IOS syntax (the de facto industry standard for illustration), the concepts apply universally across vendor platforms.

Note on Vendor Neutrality: Every major switch vendor (Cisco, Juniper, Arista, HPE, Dell, etc.) implements VLANs according to IEEE 802.1Q. While CLI syntax differs, the underlying concepts—access ports, trunk ports, native VLANs, VLAN databases—are universal. Understanding these concepts enables you to work with any platform.

What You Will Learn

By the end of this page, you will understand how to configure access and trunk ports, create and manage VLANs, configure trunk links with appropriate VLAN pruning, and apply enterprise best practices for VLAN deployment. You'll be equipped to implement VLAN designs in production networks.

Switch Port Modes

The foundation of VLAN implementation is understanding switch port modes. Every switch port must operate in one of several modes that determine how it handles VLAN-tagged traffic.

Access Mode:

An access port belongs to exactly one VLAN and carries traffic for that VLAN only. Access ports are used for end devices—workstations, printers, servers, IP phones, etc.

Characteristics:

Assigned to a single VLAN (the access VLAN)
Receives and transmits frames untagged
End devices don't need VLAN awareness
Simplest configuration—one command sets the VLAN

Configuration Example (Cisco IOS):

interface GigabitEthernet0/1
  description Engineering Workstation
  switchport mode access
  switchport access vlan 30

This configuration:

Explicitly sets the port to access mode
Assigns the port to VLAN 30
All ingress traffic is placed in VLAN 30
All egress traffic for VLAN 30 exits this port untagged

Why Explicit Mode Matters

Always explicitly configure 'switchport mode access' on access ports. Without this, ports may use DTP (Dynamic Trunking Protocol) to negotiate, potentially becoming trunks if connected to another switch. DTP negotiation is a security risk—attackers can trigger trunk mode to access all VLANs.

Trunk Mode:

A trunk port carries traffic for multiple VLANs simultaneously. Trunks connect switches to other switches, routers, or servers that need access to multiple VLANs.

Characteristics:

Carries traffic for multiple VLANs (or all VLANs)
Traffic is tagged with 802.1Q VLAN headers (except native VLAN)
Both ends of a trunk must be VLAN-aware
Requires trunk link configuration on both connected devices

Configuration Example (Cisco IOS):

interface GigabitEthernet0/24
  description Trunk to Distribution Switch
  switchport mode trunk
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 10,20,30,40,100
  switchport trunk native vlan 999

This configuration:

Sets the port to trunk mode
Specifies 802.1Q encapsulation (ISL is obsolete but may be available)
Explicitly allows only VLANs 10, 20, 30, 40, and 100
Changes the native VLAN to 999 (security best practice)

Access vs. Trunk Port Comparison
Characteristic	Access Port	Trunk Port
VLAN Membership	Single VLAN	Multiple VLANs (configurable)
Frame Tagging	Untagged (always)	Tagged (except native VLAN)
Connected Devices	End devices (PCs, printers)	Switches, routers, virtualized servers
Configuration Complexity	Simple (one VLAN)	More complex (allowed VLANs, native VLAN)
Security Considerations	Simpler to secure	Requires careful allowed VLAN configuration
Typical Use Case	User-facing ports	Interconnection/uplink ports

Dynamic/Negotiation Modes (DTP):

Cisco switches support Dynamic Trunking Protocol (DTP) for automatic trunk negotiation:

dynamic auto: Passively waits for the other end to propose trunking; becomes trunk if asked
dynamic desirable: Actively attempts to negotiate a trunk link

Security Warning: DTP is convenient but dangerous. An attacker can connect a device that sends DTP frames, causing your switch port to become a trunk and exposing all VLANs. Best practice: Disable DTP on all access ports.

interface GigabitEthernet0/1
  switchport mode access
  switchport nonegotiate  ! Disables DTP

On trunk ports, also consider switchport nonegotiate to prevent DTP frames:

interface GigabitEthernet0/24
  switchport mode trunk
  switchport nonegotiate  ! Prevents DTP attacks

Voice VLAN Mode (Special Case):

For IP phones with attached computers, access ports can participate in two VLANs:

interface GigabitEthernet0/1
  description IP Phone + Workstation
  switchport mode access
  switchport access vlan 30          ! Data VLAN for PC
  switchport voice vlan 100          ! Voice VLAN for phone

The phone tags its traffic with VLAN 100 (using 802.1Q); the PC's traffic is untagged and placed in VLAN 30. This isn't true trunking—the switch handles this specially.

Creating and Managing VLANs

Before ports can be assigned to VLANs, the VLANs must exist in the switch's VLAN database. VLAN creation is straightforward but requires understanding several configuration aspects.

VLAN Database Location:

On Cisco switches, VLAN information is stored in two locations depending on VTP mode:

VTP Server/Client modes: VLAN database stored in vlan.dat (flash memory); survives configuration erases
VTP Transparent mode: VLANs stored in running-config/startup-config; more controlled behavior

Creating VLANs (Global Configuration Mode):

Switch# configure terminal
Switch(config)# vlan 10
Switch(config-vlan)# name MANAGEMENT
Switch(config-vlan)# vlan 20
Switch(config-vlan)# name SERVERS
Switch(config-vlan)# vlan 30
Switch(config-vlan)# name ENGINEERING
Switch(config-vlan)# vlan 40
Switch(config-vlan)# name FINANCE
Switch(config-vlan)# vlan 100
Switch(config-vlan)# name VOICE
Switch(config-vlan)# vlan 999
Switch(config-vlan)# name PARKING_NATIVE
Switch(config-vlan)# exit

Each VLAN gets an ID (1-4094) and optionally a descriptive name. Names should be consistent across all switches for clarity.

VLAN Must Exist Before Use

If you assign a port to a VLAN that doesn't exist, the port goes into an inactive state (some platforms) or the assignment fails. Always create VLANs before assigning ports. On Cisco, some platforms auto-create VLANs; others require explicit creation.

Viewing VLAN Configuration:

Switch# show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/2, Gi0/3, Gi0/4
10   MANAGEMENT                       active    
20   SERVERS                          active    Gi0/5, Gi0/6
30   ENGINEERING                      active    Gi0/7, Gi0/8, Gi0/9, Gi0/10
40   FINANCE                          active    Gi0/11, Gi0/12
100  VOICE                            active    
999  PARKING_NATIVE                   active

This output shows:

VLAN ID and name
Status (active/suspended)
Access ports assigned to each VLAN (trunks not shown here)

Extended VLAN Range (1006-4094):

VLANs 1006-4094 require VTP transparent mode on Cisco switches. These extended-range VLANs:

Store in running-config, not vlan.dat
Do not propagate via VTP
Provide more VLAN capacity for large deployments

Switch(config)# vtp mode transparent  ! Required for extended VLANs
Switch(config)# vlan 2000
Switch(config-vlan)# name GUEST_WIRELESS

VLAN Deletion:

Switch(config)# no vlan 50  ! Deletes VLAN 50

Caution: Deleting a VLAN with ports assigned results in those ports becoming inactive until reassigned.

VLAN Configuration Commands Summary
Task	Command	Mode
Create VLAN	vlan <vlan-id>	Global config
Name VLAN	name <name>	VLAN config
Delete VLAN	no vlan <vlan-id>	Global config
View VLANs	show vlan [brief]	Privileged exec
View VLAN summary	show vlan summary	Privileged exec
View specific VLAN	show vlan id <vlan-id>	Privileged exec
View VLAN on trunk	show interfaces trunk	Privileged exec

Trunk Link Configuration

Trunk links are the arteries of VLAN infrastructure, carrying VLAN-aware traffic between switches. Proper trunk configuration is critical for network operation and security.

Basic Trunk Configuration:

interface GigabitEthernet0/24
  description Uplink to Distribution-1
  switchport trunk encapsulation dot1q     ! May be required on older hardware
  switchport mode trunk
  switchport trunk native vlan 999
  switchport trunk allowed vlan 10,20,30,40,100

Trunk Configuration Elements:

1. Encapsulation:

dot1q — IEEE 802.1Q (standard, universal)
isl — Cisco proprietary Inter-Switch Link (legacy, avoid)
negotiate — Let DTP decide (not recommended)

On modern switches, dot1q is often the only option and may not require explicit configuration.

2. Mode:

trunk — Force trunk mode (recommended)
dynamic desirable — Negotiate, prefer trunk
dynamic auto — Negotiate, become trunk if asked

Always use explicit trunk mode for predictable behavior.

3. Native VLAN: The native VLAN is transmitted untagged on the trunk. Critical considerations:

Native VLAN Best Practices

•Never use VLAN 1 as native VLAN—it's a well-known attack target
•Match both ends — native VLAN mismatch causes traffic to jump VLANs incorrectly
•Use an unused VLAN — e.g., VLAN 999 with no assigned ports ("parking" VLAN)
•Some recommend tagging native — Cisco: vlan dot1q tag native globally
•Monitor for mismatch warnings — CDP/LLDP can detect native VLAN mismatch

4. Allowed VLANs:

By default, trunks allow all VLANs (1-4094). This is rarely desirable:

! Default (not recommended)
switchport trunk allowed vlan all

! Explicit list (recommended)
switchport trunk allowed vlan 10,20,30,40,100

! Add VLAN to existing allowed list
switchport trunk allowed vlan add 50

! Remove VLAN from allowed list
switchport trunk allowed vlan remove 50

! Allow except specific VLANs
switchport trunk allowed vlan except 1,1002-1005

Why prune VLANs?

Security: Limits VLAN scope if trunk is compromised
Bandwidth: Prevents unnecessary broadcast flooding
Stability: Contains STP domains
Compliance: Audit trails show intentional VLAN scope

Verifying Trunk Status:

Switch# show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Gi0/24      on           802.1q         trunking      999

Port        Vlans allowed on trunk
Gi0/24      10,20,30,40,100

Port        Vlans allowed and active in management domain
Gi0/24      10,20,30,40,100

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/24      10,20,30,40,100

This output confirms:

Port is trunking with 802.1Q
Native VLAN is 999
Only specified VLANs are allowed
VLANs are active and forwarding

Layer 3 EtherChannel Trunks

For high-bandwidth switch interconnects, combine trunk ports into EtherChannel (port channel). This bundles multiple physical links into one logical trunk, providing increased bandwidth and redundancy. Configure EtherChannel first, then apply trunk configuration to the port-channel interface.

Port Assignment Strategies

How ports are assigned to VLANs significantly impacts manageability, security, and flexibility. Several strategies exist, each with trade-offs.

1. Static (Port-Based) Assignment:

Administrator explicitly configures each port's VLAN. This is the most common approach.

Advantages:

Simple to understand and document
Predictable behavior
No additional infrastructure required
Works with any end device

Disadvantages:

Requires manual changes when users move
No identity-based assignment
Scale challenges in large environments

Best for: Small to medium networks, server ports, infrastructure devices

2. Dynamic VLAN Assignment with 802.1X:

VLAN is assigned during 802.1X authentication based on user identity.

! AAA server returns RADIUS attributes including VLAN
Tunnel-Type = VLAN
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-ID = 30

Advantages:

Location-independent identity
Automatic VLAN assignment
Supports hot desking
Enhanced security (authentication required)

Disadvantages:

Requires 802.1X infrastructure (RADIUS server)
Device must support 802.1X
More complex troubleshooting
Fallback needed for non-802.1X devices

Best for: Large enterprises, healthcare, education, anywhere identity-based access is required

VLAN Assignment Methods Comparison
Method	Decision Basis	Flexibility	Security	Complexity
Static	Physical port	Low	Moderate	Low
802.1X Dynamic	User authentication	High	High	High
MAC Auth Bypass	Device MAC address	Medium	Medium	Medium
VMPS (Legacy)	MAC in database	Medium	Low	High
Protocol-Based	Layer 3 protocol	Low	Low	Medium

3. MAC Authentication Bypass (MAB):

For devices that cannot perform 802.1X (printers, cameras, IoT), the switch uses the device's MAC address to authenticate against RADIUS.

interface GigabitEthernet0/5
  description Network Printer
  switchport mode access
  authentication host-mode single-host
  mab
  dot1x pae authenticator

The RADIUS server has the printer's MAC address registered and returns the appropriate VLAN.

4. Quarantine VLAN Strategy:

For networks using 802.1X or NAC (Network Access Control):

Auth-fail VLAN: Device fails authentication → limited/remediation network
Guest VLAN: No 802.1X client detected → guest access
Voice VLAN: IP phones get voice VLAN regardless of data VLAN

interface GigabitEthernet0/1
  switchport mode access
  switchport access vlan 30
  authentication event fail action authorize vlan 950  ! Quarantine
  authentication event no-response action authorize vlan 100  ! Guest
  dot1x pae authenticator

Port Templates and Ranges:

For consistency, apply configurations to port ranges:

interface range GigabitEthernet0/1 - 12
  description User Access Ports
  switchport mode access
  switchport access vlan 30
  spanning-tree portfast
  spanning-tree bpduguard enable
  switchport nonegotiate

This ensures all user-facing ports have identical, secure configuration.

Unused Port Security

Unused ports should be disabled or assigned to a 'parking' VLAN (e.g., VLAN 999) with no routing. This prevents unauthorized devices from gaining network access through unmonitored ports.

VLAN Trunking Protocol (VTP)

VLAN Trunking Protocol (VTP) is a Cisco proprietary protocol that propagates VLAN database information across switches in a VTP domain. While useful, VTP has significant risks that require careful consideration.

VTP Operation:

VTP allows VLAN configuration to be managed centrally:

Add/modify/delete VLANs on a VTP Server
VTP Server increments its revision number
VTP advertisements propagate to VTP Clients
Clients update their VLAN databases to match

VTP Modes:

VTP Modes
Mode	Create/Delete VLANs	Forward VTP Ads	Learn from VTP	Revision Number
Server	Yes	Yes	Yes	Increments
Client	No	Yes	Yes	Syncs from server
Transparent	Yes (local only)	Yes (passes through)	No	Ignores
Off (VTPv3)	Yes (local only)	No	No	N/A

VTP Configuration (Server Mode):

Switch(config)# vtp domain ENTERPRISE
Switch(config)# vtp password SecureVTP123!
Switch(config)# vtp mode server
Switch(config)# vtp version 2

VTP Configuration (Client Mode):

Switch(config)# vtp domain ENTERPRISE
Switch(config)# vtp password SecureVTP123!
Switch(config)# vtp mode client

Verifying VTP:

Switch# show vtp status
VTP Version                     : 2
Configuration Revision          : 156
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 12
VTP Operating Mode              : Server
VTP Domain Name                 : ENTERPRISE
VTP Pruning Mode                : Disabled

VTP Disaster Scenario

The infamous 'VTP bomb': A switch with the same VTP domain name but a higher revision number—perhaps from a lab or previous deployment—joins the network. It 'wins' the revision comparison and its VLAN database (which may be empty or incorrect) overwrites all production switches. All ports assigned to deleted VLANs become inactive. Network-wide outage results.

VTP Risk Mitigation:

Use VTP Transparent mode on all switches — Most modern best practices recommend this. Manage VLANs per-switch or via automation.
Use VTP version 3 — Provides domain-wide primary server concept, password hiding, and extended VLAN support.
VTP Password — Always set; prevents unauthorized VTP participation.
Reset revision number before adding switches:
- Change VTP mode to Transparent, then back to Client
- Or: Change VTP domain to something else, then back to correct domain
Consider disabling VTP entirely — Many enterprises now use automation (Ansible, Netconf) for VLAN consistency.

VTP Pruning:

VTP Pruning automatically restricts broadcast traffic on trunk links to only VLANs with active ports:

Switch(config)# vtp pruning

If Switch B has no ports in VLAN 30, pruning prevents VLAN 30 broadcasts from being sent to Switch B over the trunk. This saves bandwidth but adds complexity.

Implementation Best Practices

Enterprise VLAN implementations follow established best practices that balance functionality, security, and manageability.

Planning Phase:

VLAN Planning Checklist

•Document organizational requirements — What groups need segmentation? What are the security/compliance drivers?
•Design VLAN numbering scheme — Consistent pattern (e.g., 10-99 for infrastructure, 100-199 for users, etc.)
•Map VLANs to IP subnets — One VLAN = one subnet is standard; document the mapping
•Plan VLAN scope — Which VLANs span which switches? Use trunk pruning to limit scope
•Define naming convention — Short, consistent, meaningful names (max 32 chars on Cisco)
•Plan inter-VLAN routing — Layer 3 switch with SVIs? Router-on-a-stick? External router/firewall?
•Document trunk topology — Which links are trunks? What VLANs are allowed on each?

Security Hardening:

! === Switch Hardening Template ===

! 1. Disable unused ports, assign to parking VLAN
interface range GigabitEthernet0/13 - 48
  switchport mode access
  switchport access vlan 999
  shutdown

! 2. Disable DTP on all ports
interface range GigabitEthernet0/1 - 48
  switchport nonegotiate

! 3. Configure access ports properly
interface range GigabitEthernet0/1 - 12
  switchport mode access
  spanning-tree portfast
  spanning-tree bpduguard enable

! 4. Secure trunk configuration
interface GigabitEthernet0/24
  switchport mode trunk
  switchport trunk native vlan 999
  switchport trunk allowed vlan 10,20,30,40,100
  switchport nonegotiate

! 5. Do not use VLAN 1 for anything
! Move management to dedicated VLAN
interface Vlan10
  description Management VLAN
  ip address 10.10.10.1 255.255.255.0

Operational Practices:

Operational Best Practices

•Test VLAN changes in maintenance windows — VLAN misconfigurations can cause widespread outages
•Verify trunk status after changes — Use show interfaces trunk to confirm expected behavior
•Monitor native VLAN mismatch warnings — CDP/LLDP detect mismatches; investigate immediately
•Document all VLAN changes — Change management records should include VLAN modifications
•Regularly audit VLAN assignments — Identify ports in wrong VLANs, unused VLANs, etc.
•Keep VLAN databases consistent — Use automation or VTP (carefully) to prevent drift
•Test inter-VLAN routing policies — Verify ACLs work as intended; test from multiple VLANs

Configuration Templates

Develop standardized configuration templates for access ports, voice ports, trunk ports, and unused ports. Apply these consistently via automation or scripted deployment. Templates reduce human error and ensure security baselines are met on every port.

Implementation Summary

VLAN implementation transforms conceptual designs into functioning network segmentation. Success requires understanding port modes, proper configuration of VLANs and trunks, and adherence to security best practices.

Key Implementation Points

•Access ports belong to one VLAN; end devices send/receive untagged traffic
•Trunk ports carry multiple VLANs using 802.1Q tags; connect switches and VLAN-aware devices
•Create VLANs before assigning ports; use consistent naming conventions
•Prune unnecessary VLANs from trunks; don't allow 'all' by default
•Change native VLAN from 1; use a 'parking' VLAN with no active ports
•Disable DTP on access ports; explicit mode configuration is more secure
•Use VTP carefully or not at all; transparent mode or automation is often safer
•Secure unused ports; shutdown and assign to parking VLAN

Implementation Skills Acquired

You now understand how to implement VLANs in production environments—from basic port configuration to enterprise best practices. The next page explores the 802.1Q protocol in depth, explaining exactly how VLAN tags are structured and processed.

3 / 5

Loading learning content...

Computer NetworksVLANs

Virtual LANs (VLANs)

LevelIntermediate

Duration75 mins

TopicVLANs

3 / 5

VLAN Implementation

From Concept to Configuration

What You Will Learn

Switch Port Modes

The foundation of VLAN implementation is understanding switch port modes. Every switch port must operate in one of several modes that determine how it handles VLAN-tagged traffic.

Access Mode:

An access port belongs to exactly one VLAN and carries traffic for that VLAN only. Access ports are used for end devices—workstations, printers, servers, IP phones, etc.

Characteristics:

Assigned to a single VLAN (the access VLAN)
Receives and transmits frames untagged
End devices don't need VLAN awareness
Simplest configuration—one command sets the VLAN

Configuration Example (Cisco IOS):

interface GigabitEthernet0/1
  description Engineering Workstation
  switchport mode access
  switchport access vlan 30

This configuration:

Explicitly sets the port to access mode
Assigns the port to VLAN 30
All ingress traffic is placed in VLAN 30
All egress traffic for VLAN 30 exits this port untagged

Why Explicit Mode Matters

Trunk Mode:

A trunk port carries traffic for multiple VLANs simultaneously. Trunks connect switches to other switches, routers, or servers that need access to multiple VLANs.

Characteristics:

Carries traffic for multiple VLANs (or all VLANs)
Traffic is tagged with 802.1Q VLAN headers (except native VLAN)
Both ends of a trunk must be VLAN-aware
Requires trunk link configuration on both connected devices

Configuration Example (Cisco IOS):

interface GigabitEthernet0/24
  description Trunk to Distribution Switch
  switchport mode trunk
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 10,20,30,40,100
  switchport trunk native vlan 999

This configuration:

Sets the port to trunk mode
Specifies 802.1Q encapsulation (ISL is obsolete but may be available)
Explicitly allows only VLANs 10, 20, 30, 40, and 100
Changes the native VLAN to 999 (security best practice)

Access vs. Trunk Port Comparison
Characteristic	Access Port	Trunk Port
VLAN Membership	Single VLAN	Multiple VLANs (configurable)
Frame Tagging	Untagged (always)	Tagged (except native VLAN)
Connected Devices	End devices (PCs, printers)	Switches, routers, virtualized servers
Configuration Complexity	Simple (one VLAN)	More complex (allowed VLANs, native VLAN)
Security Considerations	Simpler to secure	Requires careful allowed VLAN configuration
Typical Use Case	User-facing ports	Interconnection/uplink ports

Dynamic/Negotiation Modes (DTP):

Cisco switches support Dynamic Trunking Protocol (DTP) for automatic trunk negotiation:

dynamic auto: Passively waits for the other end to propose trunking; becomes trunk if asked
dynamic desirable: Actively attempts to negotiate a trunk link

interface GigabitEthernet0/1
  switchport mode access
  switchport nonegotiate  ! Disables DTP

On trunk ports, also consider switchport nonegotiate to prevent DTP frames:

interface GigabitEthernet0/24
  switchport mode trunk
  switchport nonegotiate  ! Prevents DTP attacks

Voice VLAN Mode (Special Case):

For IP phones with attached computers, access ports can participate in two VLANs:

interface GigabitEthernet0/1
  description IP Phone + Workstation
  switchport mode access
  switchport access vlan 30          ! Data VLAN for PC
  switchport voice vlan 100          ! Voice VLAN for phone

The phone tags its traffic with VLAN 100 (using 802.1Q); the PC's traffic is untagged and placed in VLAN 30. This isn't true trunking—the switch handles this specially.

Creating and Managing VLANs

Before ports can be assigned to VLANs, the VLANs must exist in the switch's VLAN database. VLAN creation is straightforward but requires understanding several configuration aspects.

VLAN Database Location:

On Cisco switches, VLAN information is stored in two locations depending on VTP mode:

VTP Server/Client modes: VLAN database stored in vlan.dat (flash memory); survives configuration erases
VTP Transparent mode: VLANs stored in running-config/startup-config; more controlled behavior

Creating VLANs (Global Configuration Mode):

Switch# configure terminal
Switch(config)# vlan 10
Switch(config-vlan)# name MANAGEMENT
Switch(config-vlan)# vlan 20
Switch(config-vlan)# name SERVERS
Switch(config-vlan)# vlan 30
Switch(config-vlan)# name ENGINEERING
Switch(config-vlan)# vlan 40
Switch(config-vlan)# name FINANCE
Switch(config-vlan)# vlan 100
Switch(config-vlan)# name VOICE
Switch(config-vlan)# vlan 999
Switch(config-vlan)# name PARKING_NATIVE
Switch(config-vlan)# exit

Each VLAN gets an ID (1-4094) and optionally a descriptive name. Names should be consistent across all switches for clarity.

VLAN Must Exist Before Use

Viewing VLAN Configuration:

Switch# show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/2, Gi0/3, Gi0/4
10   MANAGEMENT                       active    
20   SERVERS                          active    Gi0/5, Gi0/6
30   ENGINEERING                      active    Gi0/7, Gi0/8, Gi0/9, Gi0/10
40   FINANCE                          active    Gi0/11, Gi0/12
100  VOICE                            active    
999  PARKING_NATIVE                   active

This output shows:

VLAN ID and name
Status (active/suspended)
Access ports assigned to each VLAN (trunks not shown here)

Extended VLAN Range (1006-4094):

VLANs 1006-4094 require VTP transparent mode on Cisco switches. These extended-range VLANs:

Store in running-config, not vlan.dat
Do not propagate via VTP
Provide more VLAN capacity for large deployments

Switch(config)# vtp mode transparent  ! Required for extended VLANs
Switch(config)# vlan 2000
Switch(config-vlan)# name GUEST_WIRELESS

VLAN Deletion:

Switch(config)# no vlan 50  ! Deletes VLAN 50

Caution: Deleting a VLAN with ports assigned results in those ports becoming inactive until reassigned.

VLAN Configuration Commands Summary
Task	Command	Mode
Create VLAN	vlan <vlan-id>	Global config
Name VLAN	name <name>	VLAN config
Delete VLAN	no vlan <vlan-id>	Global config
View VLANs	show vlan [brief]	Privileged exec
View VLAN summary	show vlan summary	Privileged exec
View specific VLAN	show vlan id <vlan-id>	Privileged exec
View VLAN on trunk	show interfaces trunk	Privileged exec

Trunk Link Configuration

Trunk links are the arteries of VLAN infrastructure, carrying VLAN-aware traffic between switches. Proper trunk configuration is critical for network operation and security.

Basic Trunk Configuration:

interface GigabitEthernet0/24
  description Uplink to Distribution-1
  switchport trunk encapsulation dot1q     ! May be required on older hardware
  switchport mode trunk
  switchport trunk native vlan 999
  switchport trunk allowed vlan 10,20,30,40,100

Trunk Configuration Elements:

1. Encapsulation:

dot1q — IEEE 802.1Q (standard, universal)
isl — Cisco proprietary Inter-Switch Link (legacy, avoid)
negotiate — Let DTP decide (not recommended)

On modern switches, dot1q is often the only option and may not require explicit configuration.

2. Mode:

trunk — Force trunk mode (recommended)
dynamic desirable — Negotiate, prefer trunk
dynamic auto — Negotiate, become trunk if asked

Always use explicit trunk mode for predictable behavior.

3. Native VLAN: The native VLAN is transmitted untagged on the trunk. Critical considerations:

Native VLAN Best Practices

•Never use VLAN 1 as native VLAN—it's a well-known attack target
•Match both ends — native VLAN mismatch causes traffic to jump VLANs incorrectly
•Use an unused VLAN — e.g., VLAN 999 with no assigned ports ("parking" VLAN)
•Some recommend tagging native — Cisco: vlan dot1q tag native globally
•Monitor for mismatch warnings — CDP/LLDP can detect native VLAN mismatch

4. Allowed VLANs:

By default, trunks allow all VLANs (1-4094). This is rarely desirable:

! Default (not recommended)
switchport trunk allowed vlan all

! Explicit list (recommended)
switchport trunk allowed vlan 10,20,30,40,100

! Add VLAN to existing allowed list
switchport trunk allowed vlan add 50

! Remove VLAN from allowed list
switchport trunk allowed vlan remove 50

! Allow except specific VLANs
switchport trunk allowed vlan except 1,1002-1005

Why prune VLANs?

Security: Limits VLAN scope if trunk is compromised
Bandwidth: Prevents unnecessary broadcast flooding
Stability: Contains STP domains
Compliance: Audit trails show intentional VLAN scope

Verifying Trunk Status:

Switch# show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Gi0/24      on           802.1q         trunking      999

Port        Vlans allowed on trunk
Gi0/24      10,20,30,40,100

Port        Vlans allowed and active in management domain
Gi0/24      10,20,30,40,100

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/24      10,20,30,40,100

This output confirms:

Port is trunking with 802.1Q
Native VLAN is 999
Only specified VLANs are allowed
VLANs are active and forwarding

Layer 3 EtherChannel Trunks

Port Assignment Strategies

How ports are assigned to VLANs significantly impacts manageability, security, and flexibility. Several strategies exist, each with trade-offs.

1. Static (Port-Based) Assignment:

Administrator explicitly configures each port's VLAN. This is the most common approach.

Advantages:

Simple to understand and document
Predictable behavior
No additional infrastructure required
Works with any end device

Disadvantages:

Requires manual changes when users move
No identity-based assignment
Scale challenges in large environments

Best for: Small to medium networks, server ports, infrastructure devices

2. Dynamic VLAN Assignment with 802.1X:

VLAN is assigned during 802.1X authentication based on user identity.

! AAA server returns RADIUS attributes including VLAN
Tunnel-Type = VLAN
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-ID = 30

Advantages:

Location-independent identity
Automatic VLAN assignment
Supports hot desking
Enhanced security (authentication required)

Disadvantages:

Requires 802.1X infrastructure (RADIUS server)
Device must support 802.1X
More complex troubleshooting
Fallback needed for non-802.1X devices

Best for: Large enterprises, healthcare, education, anywhere identity-based access is required

VLAN Assignment Methods Comparison
Method	Decision Basis	Flexibility	Security	Complexity
Static	Physical port	Low	Moderate	Low
802.1X Dynamic	User authentication	High	High	High
MAC Auth Bypass	Device MAC address	Medium	Medium	Medium
VMPS (Legacy)	MAC in database	Medium	Low	High
Protocol-Based	Layer 3 protocol	Low	Low	Medium

3. MAC Authentication Bypass (MAB):

For devices that cannot perform 802.1X (printers, cameras, IoT), the switch uses the device's MAC address to authenticate against RADIUS.

interface GigabitEthernet0/5
  description Network Printer
  switchport mode access
  authentication host-mode single-host
  mab
  dot1x pae authenticator

The RADIUS server has the printer's MAC address registered and returns the appropriate VLAN.

4. Quarantine VLAN Strategy:

For networks using 802.1X or NAC (Network Access Control):

Auth-fail VLAN: Device fails authentication → limited/remediation network
Guest VLAN: No 802.1X client detected → guest access
Voice VLAN: IP phones get voice VLAN regardless of data VLAN

interface GigabitEthernet0/1
  switchport mode access
  switchport access vlan 30
  authentication event fail action authorize vlan 950  ! Quarantine
  authentication event no-response action authorize vlan 100  ! Guest
  dot1x pae authenticator

Port Templates and Ranges:

For consistency, apply configurations to port ranges:

interface range GigabitEthernet0/1 - 12
  description User Access Ports
  switchport mode access
  switchport access vlan 30
  spanning-tree portfast
  spanning-tree bpduguard enable
  switchport nonegotiate

This ensures all user-facing ports have identical, secure configuration.

Unused Port Security

Unused ports should be disabled or assigned to a 'parking' VLAN (e.g., VLAN 999) with no routing. This prevents unauthorized devices from gaining network access through unmonitored ports.

VLAN Trunking Protocol (VTP)

VTP Operation:

VTP allows VLAN configuration to be managed centrally:

Add/modify/delete VLANs on a VTP Server
VTP Server increments its revision number
VTP advertisements propagate to VTP Clients
Clients update their VLAN databases to match

VTP Modes:

VTP Modes
Mode	Create/Delete VLANs	Forward VTP Ads	Learn from VTP	Revision Number
Server	Yes	Yes	Yes	Increments
Client	No	Yes	Yes	Syncs from server
Transparent	Yes (local only)	Yes (passes through)	No	Ignores
Off (VTPv3)	Yes (local only)	No	No	N/A

VTP Configuration (Server Mode):

Switch(config)# vtp domain ENTERPRISE
Switch(config)# vtp password SecureVTP123!
Switch(config)# vtp mode server
Switch(config)# vtp version 2

VTP Configuration (Client Mode):

Switch(config)# vtp domain ENTERPRISE
Switch(config)# vtp password SecureVTP123!
Switch(config)# vtp mode client

Verifying VTP:

Switch# show vtp status
VTP Version                     : 2
Configuration Revision          : 156
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 12
VTP Operating Mode              : Server
VTP Domain Name                 : ENTERPRISE
VTP Pruning Mode                : Disabled

VTP Disaster Scenario

VTP Risk Mitigation:

Use VTP Transparent mode on all switches — Most modern best practices recommend this. Manage VLANs per-switch or via automation.
Use VTP version 3 — Provides domain-wide primary server concept, password hiding, and extended VLAN support.
VTP Password — Always set; prevents unauthorized VTP participation.
Reset revision number before adding switches:
- Change VTP mode to Transparent, then back to Client
- Or: Change VTP domain to something else, then back to correct domain
Consider disabling VTP entirely — Many enterprises now use automation (Ansible, Netconf) for VLAN consistency.

VTP Pruning:

VTP Pruning automatically restricts broadcast traffic on trunk links to only VLANs with active ports:

Switch(config)# vtp pruning

If Switch B has no ports in VLAN 30, pruning prevents VLAN 30 broadcasts from being sent to Switch B over the trunk. This saves bandwidth but adds complexity.

Implementation Best Practices

Enterprise VLAN implementations follow established best practices that balance functionality, security, and manageability.

Planning Phase:

VLAN Planning Checklist

•Document organizational requirements — What groups need segmentation? What are the security/compliance drivers?
•Design VLAN numbering scheme — Consistent pattern (e.g., 10-99 for infrastructure, 100-199 for users, etc.)
•Map VLANs to IP subnets — One VLAN = one subnet is standard; document the mapping
•Plan VLAN scope — Which VLANs span which switches? Use trunk pruning to limit scope
•Define naming convention — Short, consistent, meaningful names (max 32 chars on Cisco)
•Plan inter-VLAN routing — Layer 3 switch with SVIs? Router-on-a-stick? External router/firewall?
•Document trunk topology — Which links are trunks? What VLANs are allowed on each?

Security Hardening:

! === Switch Hardening Template ===

! 1. Disable unused ports, assign to parking VLAN
interface range GigabitEthernet0/13 - 48
  switchport mode access
  switchport access vlan 999
  shutdown

! 2. Disable DTP on all ports
interface range GigabitEthernet0/1 - 48
  switchport nonegotiate

! 3. Configure access ports properly
interface range GigabitEthernet0/1 - 12
  switchport mode access
  spanning-tree portfast
  spanning-tree bpduguard enable

! 4. Secure trunk configuration
interface GigabitEthernet0/24
  switchport mode trunk
  switchport trunk native vlan 999
  switchport trunk allowed vlan 10,20,30,40,100
  switchport nonegotiate

! 5. Do not use VLAN 1 for anything
! Move management to dedicated VLAN
interface Vlan10
  description Management VLAN
  ip address 10.10.10.1 255.255.255.0

Operational Practices:

Operational Best Practices

•Test VLAN changes in maintenance windows — VLAN misconfigurations can cause widespread outages
•Verify trunk status after changes — Use show interfaces trunk to confirm expected behavior
•Monitor native VLAN mismatch warnings — CDP/LLDP detect mismatches; investigate immediately
•Document all VLAN changes — Change management records should include VLAN modifications
•Regularly audit VLAN assignments — Identify ports in wrong VLANs, unused VLANs, etc.
•Keep VLAN databases consistent — Use automation or VTP (carefully) to prevent drift
•Test inter-VLAN routing policies — Verify ACLs work as intended; test from multiple VLANs

Configuration Templates

Implementation Summary

Key Implementation Points

•Access ports belong to one VLAN; end devices send/receive untagged traffic
•Trunk ports carry multiple VLANs using 802.1Q tags; connect switches and VLAN-aware devices
•Create VLANs before assigning ports; use consistent naming conventions
•Prune unnecessary VLANs from trunks; don't allow 'all' by default
•Change native VLAN from 1; use a 'parking' VLAN with no active ports
•Disable DTP on access ports; explicit mode configuration is more secure
•Use VTP carefully or not at all; transparent mode or automation is often safer
•Secure unused ports; shutdown and assign to parking VLAN

Implementation Skills Acquired

3 / 5