VLANs

VLAN creation, trunk port configuration, VTP modes, and voice VLAN assignment.

VLAN Creation and Naming

Create a VLAN and assign a descriptive name — names appear in show vlan brief

configure terminal
vlan 10
 name DATA
!
vlan 20
 name VOICE
!
vlan 99
 name NATIVE
!
vlan 100
 name MANAGEMENT
end

Verify VLAN database — shows VLAN ID, name, status, and assigned ports

show vlan brief

Access Ports

Configure an access port — single VLAN, no trunking negotiation

configure terminal
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
end

Configure access port with voice VLAN — phone tags voice traffic, PC uses access VLAN untagged

configure terminal
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 spanning-tree portfast
end

Trunk Ports

Configure a trunk port — 802.1Q encapsulation, specify allowed VLANs explicitly

configure terminal
interface GigabitEthernet1/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20,99,100
 switchport nonegotiate
end

Add or remove VLANs from an existing trunk — never overwrite the full allowed list accidentally

configure terminal
interface GigabitEthernet1/0/24
 switchport trunk allowed vlan add 30
 switchport trunk allowed vlan remove 20
end

Verify trunk status — shows mode, encapsulation, native VLAN, and allowed VLANs

show interfaces trunk
show interfaces GigabitEthernet1/0/24 trunk

Native VLAN

Set native VLAN on trunk — untagged traffic uses this VLAN; must match both sides

configure terminal
interface GigabitEthernet1/0/24
 switchport trunk native vlan 99
end

Native VLAN mismatch causes CDP warnings and traffic blackholing — verify both ends

show interfaces trunk | include Native
show cdp neighbors detail | include Native

DTP and Negotiation

Disable DTP — hardcode mode and disable negotiation; DTP is a security risk (VLAN hopping)

configure terminal
interface GigabitEthernet1/0/1
 switchport nonegotiate
end

Verify DTP is disabled

show dtp interface GigabitEthernet1/0/1

VTP Configuration

Set VTP to transparent mode — does not propagate VLAN changes; safest for production

configure terminal
vtp mode transparent
vtp domain LAB
end

VTP off mode (IOS-XE) — completely disables VTP

configure terminal
vtp mode off
end

Verify VTP status — confirm mode, domain, and revision number

show vtp status

VLAN Pruning

Enable VTP pruning — only effective in VTP server/client mode; restricts flooded traffic to trunks that need it

configure terminal
vtp pruning
end

Manual pruning via trunk allowed list — preferred over VTP pruning in transparent mode

configure terminal
interface GigabitEthernet1/0/24
 switchport trunk allowed vlan 10,20,99
end

Verification Summary

Key show commands for VLAN troubleshooting

show vlan brief
show interfaces trunk
show interfaces switchport
show vtp status
show dtp interface GigabitEthernet1/0/1