Cisco Switches: VLAN Support

Understanding key VLAN concepts is essential when working with Cisco switches, as VLANs help segment network traffic for improved security, performance, and manageability.

• VLAN (Virtual Local Area Network):
  A VLAN is a logical grouping of devices within a network, regardless of their physical location. VLANs segment the network into isolated broadcast domains, reducing traffic and improving security.
• Access Port:
  An access port is a switch port assigned to a single VLAN. It carries only untagged traffic and is typically used to connect end-user devices like desktops or printers.
• Trunk Port:
  A trunk port is a port that can carry traffic for multiple VLANs. It uses VLAN tagging (usually IEEE 802.1Q) to differentiate between VLANs. Trunks are often used to connect switches to other switches or to routers.
• VLAN Tagging:
  VLAN tagging adds a header to Ethernet frames that include the VLAN ID. This helps switches understand which VLAN the traffic belongs to when sent over a trunk link.
• Native VLAN:
  The native VLAN is the VLAN that carries untagged traffic on a trunk port. By default, Cisco switches use VLAN 1 as the native VLAN, but it is recommended to change it for security purposes.
• VLAN ID:
  Each VLAN is uniquely identified by a VLAN ID ranging from 1 to 4094. VLAN IDs 1–1005 are standard, and 1006–4094 are extended VLANs.
• Broadcast Domain:
  VLANs define the boundaries of a broadcast domain. Devices in the same VLAN can communicate directly with each other and share broadcast traffic.

This section provides a quick reference for essential VLAN configuration commands on Cisco switches, making it simple to set up, verify, and manage VLANs step by step.

1. Display Current VLANs:
   show vlan brief
   Use this command to quickly list all current VLANs and their associated ports.
2. Create a VLAN:
   vlan <VLAN_ID>
   Enter VLAN configuration mode for the specified VLAN ID.
3. Name the VLAN:
   name <VLAN_NAME>
   Assign a friendly name to the VLAN for easy identification.
4. Assign Interface to VLAN (Access Port):
   interface <INTERFACE_ID>
switchport mode access
switchport access vlan <VLAN_ID>
   Set the interface as an access port and assign it to a VLAN.
5. Configure Trunk Port:
   interface <INTERFACE_ID>
switchport mode trunk
switchport trunk allowed vlan <VLAN_LIST>
   Enable trunking and specify the list of VLANs allowed on the trunk.
6. Set Native VLAN on Trunk:
   switchport trunk native vlan <VLAN_ID>
   Assign the native VLAN for untagged traffic on this trunk.
7. Show Trunk Ports and Active VLANs:
   show interfaces trunk
   Display all trunk ports and their allowed and active VLANs.

Tip: Always verify your configuration with show commands to ensure that VLANs and trunking settings are correctly applied.

This section outlines the VLAN ID ranges supported on Cisco switches and explains the distinctions between normal, extended, and reserved VLANs. Understanding these ranges is crucial for proper network segmentation and switch configuration.

1. VLAN ID Structure:
   VLANs are identified by a unique VLAN ID, which is a number between 0 and 4095. However, not all IDs are available for user configuration.
   
   • VLAN 0: Reserved for system use (802.1Q priority tagging).
   • VLAN 1: Default VLAN for all switch ports out of the box—cannot be deleted[1][8].
   • VLANs 2–1001: Normal-range VLANs (user-configurable for most networks).
   • VLANs 1002–1005: Reserved for legacy technologies (FDDI/Token Ring)—automatically created and cannot be removed[1][8].
   • VLANs 1006–4094: Extended-range VLANs, used for larger and more complex network environments. These require specific configuration modes on most switches[1][2][6].
   • VLAN 4095: Reserved for system use, not available for configuration[1].
2. Normal vs. Extended VLANs:
   
   • Normal Range: 1–1005
     - Stored in the VLAN database (vlan.dat)
     - Supported by all VTP versions
     - Used in most business and enterprise networks
   • Extended Range: 1006–4094
     - Stored in the switch running configuration (not vlan.dat)
     - Requires VTP transparent mode for configuration in VTP v1/v2
     - Needed by VTP version 3 for propagation
3. Reserved VLANs:
   Specific ranges including VLANs 0, 1002–1005, and 4095 are reserved and cannot be used for regular network segmentation[1][10].

Tip: When creating VLANs for production environments, avoid using the default and reserved VLAN IDs. For larger-scale segmentation, use extended VLANs with proper configuration settings as required by your Cisco device model.

This section explains how Cisco switches handle VLANs by default, including the significance of VLAN 1, reserved VLANs, and best practices for configuring new environments.

1. Default VLAN Assignment:
   Out of the box, all switch ports on a Cisco device are assigned to VLAN 1. This means that, unless specified otherwise, devices connected to the switch are on the same broadcast domain, allowing immediate communication[2][11].
2. VLAN 1 Behavior and Limitations:
   - VLAN 1 is the default VLAN and cannot be deleted, suspended, or renamed.
   - Many internal management and control protocols (like CDP, VTP, DTP, STP) use VLAN 1 by default for their traffic[17][18]. - VLAN 1 is also the default native VLAN for trunk ports, meaning untagged traffic on a trunk is assigned to VLAN 1 unless you specify a different VLAN as native[1][5].
3. Changing Port VLANs:
   When you configure an access port to a different VLAN (e.g., VLAN 10), that port is no longer part of VLAN 1. Only unconfigured or default access ports remain in VLAN 1[2].
4. Reserved VLANs (1002–1005):
   VLANs 1002–1005 are reserved for legacy technologies (FDDI/Token Ring) and cannot be deleted or used for standard Ethernet traffic[10][13]. These VLANs always appear in the VLAN table even if they are not actively used in modern networks.
5. Best Practices:
   - Cisco recommends not using VLAN 1 for management or user traffic due to security risks. Since VLAN 1 is widely known as the default, keeping critical systems on it can expose the network to certain vulnerabilities like VLAN hopping attacks[3][9]. - Assign unused ports to an unused VLAN and shut them down for security. - Always standardize the native VLAN on trunk links and avoid relying on the default settings, especially in production environments[5].

Tip: For improved security and management, always move user and management devices to a different VLAN, configure the native VLAN consistently across trunk links, and avoid using the default VLAN for any critical services.

This section highlights frequently encountered VLAN problems on Cisco switches and offers practical, actionable troubleshooting steps to resolve them effectively.

1. VLAN Mismatch (Native VLAN Mismatch):
   A native VLAN mismatch occurs when trunk links between two switches have different native VLANs configured. This can lead to connectivity issues and error messages.
   Troubleshooting Steps:
   • Use show interfaces trunk to check native VLANs on both ends.
   • Configure the same native VLAN on both trunk ports using switchport trunk native vlan <VLAN_ID>[7][8][19].
2. Incorrect Port VLAN Assignment:
   Devices fail to communicate if connected to ports assigned to the wrong VLAN or if ports are not correctly set as access or trunk.
   Troubleshooting Steps:
   • Run show vlan to verify port assignments and VLAN status.
   • Use switchport access vlan <VLAN_ID> and switchport mode access to assign ports correctly[3][8].
3. Trunking Issues:
   Trunk links may not pass VLAN traffic if not configured properly or if allowed VLAN lists are incomplete.
   Troubleshooting Steps:
   • Check trunk port status and VLANs allowed with show interfaces trunk.
   • Ensure all necessary VLANs are allowed using switchport trunk allowed vlan <VLAN_LIST>.
4. VLAN Pruning and Spanning Tree Problems:
   VLANs not forwarding because they have been pruned from trunks or blocked by Spanning Tree Protocol.
   Troubleshooting Steps:
   • Confirm VLAN is not pruned unintentionally.
   • Use show spanning-tree vlan <VLAN_ID> to verify forwarding status[6].
5. Missing or Inactive VLANs:
   A VLAN shows as "down" if no ports are assigned or if the VLAN does not exist on the switch.
   Troubleshooting Steps:
   • Add the VLAN with vlan <VLAN_ID> if missing.
   • Assign at least one port to the VLAN to activate it[5][11].
6. VTP and VLAN Propagation Issues:
   VTP domain mismatches or misconfigurations can prevent VLANs from being learned or propagated.
   Troubleshooting Steps:
   • Ensure switches are in the same VTP domain and version.
   • Verify VTP mode and configuration with show vtp status[14].
7. Voice VLAN Misconfiguration:
   Phones and PCs not working as expected if the voice VLAN is missing or incorrectly set.
   Troubleshooting Steps:
   • Confirm voice VLAN with show run interface <INTERFACE_ID> and proper VLAN configuration for phone and data[6].

Tip: Begin troubleshooting by checking physical connectivity, then verify VLAN and trunk configurations. Many VLAN issues stem from simple misconfigurations that are easy to overlook!

This section highlights trusted Cisco resources and official documentation that are invaluable for configuring, troubleshooting, and deepening your understanding of VLANs on Cisco switches. Use these references to ensure your knowledge remains current and aligned with best practices.

1. Cisco Catalyst Switches: VLAN Configuration Guide:
   Step-by-step procedures for VLAN setup, trunking, verification, and best practices on Catalyst series switches.
   Ideal for beginners and experienced network engineers alike to get the most out of VLAN features.
2. Cisco Networking Academy: VLAN Implementation Module:
   Comprehensive learning module on VLAN concepts, configuration commands, security implications, and troubleshooting.
   Best for visual learners seeking guided tutorials and hands-on labs.
3. Cisco Official Command References:
   Detailed syntax and usage notes for all CLI commands, including examples related to VLAN management.
   Perfect for quick look-ups during deployment or troubleshooting sessions.
4. Cisco TechDocs: Best Practices for VLAN Security:
   Reviews the risks of default settings, native VLAN exploits, and offers actionable guidance for securing VLAN environments.
   Essential reading for network administrators focused on maintaining a secure architecture.
5. Cisco Community Forums and Support:
   A vibrant place to discuss real-world issues, ask questions, and review peer solutions on VLAN topics from other IT professionals.

Tip: Bookmark these resources so you can quickly access authoritative guides and answers for your VLAN deployments, troubleshooting, and design questions.