Introduction
VLANs (Virtual Local Area Networks) are essential for dividing a physical network into multiple logical networks, improving security, performance, and management. Think of a switch like a building: without VLANs, all tenants share the same hallways (broadcast domain); with VLANs, each floor is isolated. In 2026, with the rise of IoT and hybrid networks, mastering VLANs is crucial to avoid congestion and lateral attacks.
This intermediate tutorial takes you from basic configuration to advanced setups like 802.1Q trunks and VTP. We're using Cisco IOS on a Catalyst switch (e.g., 2960 via Packet Tracer or GNS3). By the end, you'll know how to implement a segmented network with 3 VLANs (VLAN 10: Prod, 20: Dev, 30: Guest), assign ports, and interconnect switches. Every step includes full commands you can verify. Estimated lab time: 30 minutes. Why it matters: Reduces broadcast domains from 100% to 33% and enhances security through isolation.
Prerequisites
- Emulated Cisco switch (Packet Tracer 8+, GNS3 with IOS 15.x) or physical (Catalyst 2960/3650).
- Basic networking knowledge: IP, Layer 2 switches.
- Console/Telnet/SSH access to the switch (serial cable or PuTTY).
- Cisco CLI basics (user/exec/config modes).
- 2 switches + 2 PCs for trunk testing (optional).
Basic Switch Configuration
enable
configure terminal
hostname SW1
enable secret cisco123
line console 0
password cisco
login
line vty 0 15
password cisco
login
service password-encryption
no ip domain-lookup
interface vlan 1
ip address 192.168.1.2 255.255.255.0
no shutdown
ip default-gateway 192.168.1.1
end
write memory
This initial setup defines a hostname, secures access (encrypted passwords), and configures the VLAN 1 management interface with an IP address and default gateway. It also prevents unnecessary DNS lookups. Pitfall: Forgetting 'write memory' loses the config on reboot; always verify with 'show running-config' afterward.
Creating and Naming VLANs
Before assigning ports, create the VLANs. We'll make 3: VLAN 10 (Prod, 192.168.10.0/24), VLAN 20 (Dev, 192.168.20.0/24), VLAN 30 (Guest, 192.168.30.0/24). Use names for readability. Verify with 'show vlan brief'.
Creating the VLANs
enable
configure terminal
vlan 10
name Production
vlan 20
name Development
vlan 30
name Guest
exit
end
show vlan brief
Creates 3 VLANs with descriptive names. VLAN 1 remains for management. The 'show vlan brief' command lists active VLANs and their assigned ports (none yet at this point). Pitfall: VLAN IDs above 4094 are invalid, and not every switch accepts the full range; stick to 1000 max for standard Catalysts.
Assigning Access Ports
Access ports connect to endpoints (PCs). Port names use the Fa0/x shorthand (Fa0/1 = FastEthernet0/1). Configure Fa0/1-5 for VLAN 10, Fa0/6-10 for VLAN 20, and Fa0/11-15 for VLAN 30. Access mode prevents these ports from negotiating into unauthorized trunks.
Configuring Access Ports
enable
configure terminal
interface range fa0/1 - 5
switchport mode access
switchport access vlan 10
spanning-tree portfast
interface range fa0/6 - 10
switchport mode access
switchport access vlan 20
spanning-tree portfast
interface range fa0/11 - 15
switchport mode access
switchport access vlan 30
spanning-tree portfast
end
show interfaces switchport
Assigns the ports to their VLANs in access mode and enables PortFast for quick convergence on PC-facing ports. 'show interfaces switchport' verifies the operational mode and VLAN of each port. Pitfall: Without PortFast, topology change notifications (TCNs) flood and slow things down; use it only on ports facing non-switch devices.
Configuring Trunk Ports
To interconnect switches, use 802.1Q trunks. Use port Fa0/24 as the link to SW2. Allow VLANs 10, 20 and 30 (native VLAN 1). Verify with 'show interfaces trunk'.
Configuring the Trunk Port
enable
configure terminal
interface fa0/24
! Needed on switches that support more than one trunk encapsulation (e.g., 3560);
! a Catalyst 2960 is 802.1Q-only and rejects this line, so skip it there
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 1
switchport trunk allowed vlan 10,20,30
switchport nonegotiate
end
show interfaces trunk
show interfaces fa0/24 switchport
Sets up an 802.1Q trunk, restricts the allowed VLANs for security, and disables DTP (nonegotiate). The verification commands show that the trunk is up and which VLANs are passing. Pitfall: A native VLAN mismatch causes drops; align it across all trunks.
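To make the tagging concrete, here is an added Python example (not from the original tutorial or from Cisco) that builds and parses 802.1Q-tagged and untagged Ethernet frames and models how the trunk above treats them: the tag's 12-bit VID selects the VLAN, an untagged frame (or a priority-tagged frame with VID 0) maps to the native VLAN, and only VLANs in the allowed list are carried. On Cisco trunks the allowed list also applies to user data on the native VLAN, so with 'allowed vlan 10,20,30' and native VLAN 1 an untagged frame is not forwarded. The MAC addresses and payload are constructed sample values.

```python
import struct
from typing import Optional

TPID_8021Q = 0x8100        # Tag Protocol Identifier that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# Constructed sample values (not real hosts): broadcast destination, a
# locally administered source MAC and a dummy payload.
DST_MAC = bytes.fromhex("ffffffffffff")
SRC_MAC = bytes.fromhex("020000000001")
PAYLOAD = b"\x00" * 46
PAGE_ALLOWED = {10, 20, 30}   # 'switchport trunk allowed vlan 10,20,30' from the tutorial


def build_frame(vid: Optional[int] = None, pcp: int = 0,
                dst: bytes = DST_MAC, src: bytes = SRC_MAC,
                ethertype: int = ETHERTYPE_IPV4, payload: bytes = PAYLOAD) -> bytes:
    """Return an Ethernet frame; vid=None gives an untagged frame, otherwise a
    4-byte 802.1Q tag (TPID + TCI) is inserted between source MAC and EtherType."""
    header = dst + src
    if vid is not None:
        tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)   # PCP(3) | DEI(1)=0 | VID(12)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes, native_vlan: int = 1) -> dict:
    """Decode the Ethernet header and, if present, the 802.1Q tag.

    The VLAN the frame belongs to is the tag's VID; an untagged frame, or a
    priority-tagged frame (VID 0), belongs to the trunk's native VLAN.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    tagged, pcp, dei, vlan, offset = False, 0, 0, native_vlan, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, dei, vid = tci >> 13, (tci >> 12) & 1, tci & 0x0FFF
        if vid == 0x0FFF:
            raise ValueError("VID 4095 is reserved")
        vlan = native_vlan if vid == 0 else vid
        tagged, offset = True, 18
    return {"dst": dst, "src": src, "tagged": tagged, "vlan": vlan, "pcp": pcp,
            "dei": dei, "ethertype": ethertype, "payload": frame[offset:]}


def trunk_decision(frame: bytes, allowed: set, native_vlan: int = 1) -> tuple:
    """Model the trunk's treatment of one ingress frame as (vlan, forwarded).
    The allowed list also governs user data on the native VLAN, so an
    untagged frame is only carried if the native VLAN is in the list."""
    vlan = parse_frame(frame, native_vlan)["vlan"]
    return vlan, vlan in allowed


if __name__ == "__main__":
    for label, f in [("tagged VID 10", build_frame(10)),
                     ("tagged VID 40", build_frame(40)),
                     ("untagged (native)", build_frame()),
                     ("priority-tagged VID 0, PCP 5", build_frame(0, pcp=5))]:
        vlan, fwd = trunk_decision(f, PAGE_ALLOWED, native_vlan=1)
        print(f"{label:30s} -> VLAN {vlan:<4d} {'forwarded' if fwd else 'dropped'}")
```

Running the script with the tutorial's trunk settings shows VID 10 forwarded, VID 40 dropped (not in the allowed list) and both the untagged and the VID 0 frame landing in VLAN 1 and dropped, which is exactly why the native VLAN must be the same at both ends of a trunk and why a management VLAN that is not in the allowed list cannot cross it.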
VTP Configuration for Propagation
VTP (VLAN Trunking Protocol) propagates the VLAN database to SW2. Use server mode on SW1 (where the VLANs are created) and client mode on SW2. Use the domain 'Learni' and set a password to protect the domain.
Enabling VTP
enable
configure terminal
vtp domain Learni
vtp mode server
vtp password learni123
vtp version 2
end
show vtp status
show vlan brief
Configures a VTP version 2 server with a domain and password. The VLANs will propagate over the trunks. 'show vtp status' confirms the setup. Pitfall: VTP pruning trims unneeded VLAN traffic on trunks automatically; use transparent mode if a switch should keep its own VLAN database.
Full Verification and Testing
Test with intra-VLAN pings (should succeed) and inter-VLAN pings (should fail without Layer 3 routing), and use CDP to confirm neighbors.
Verification Commands
show vlan brief
show interfaces switchport | include access|trunk
show interfaces trunk
show spanning-tree vlan 10
show cdp neighbors
ping 192.168.1.1
write memory
Checks VLANs, ports, trunks, STP, and neighbors. The ping tests management connectivity. Save the config. Pitfall: STP blocking drops pings; use 'show spanning-tree' for diagnostics.
Best Practices
- Restrict trunks: Use 'allowed vlan' to minimize attack surface.
- Native VLAN mismatch: Always align (e.g., VLAN 999 for unused).
- Use VTPv3: For MSTP/PVLAN support on modern switches.
- Port security: Limit MACs per port (switchport port-security maximum 2).
- Document: Name VLANs and back up configs with TFTP.
Common Errors to Avoid
- Forgetting 'switchport mode trunk': Port stays access, blocking VLANs.
- Assigning port to non-existent VLAN: Defaults to VLAN 1.
- DTP auto-negotiation: VLAN hopping risk; force 'nonegotiate'.
- No 'no shutdown' on SVI: No L3 routing without IP up.
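As an added example (not part of the original tutorial), the following Python script audits a saved running-config for the best practices and common errors listed above: trunks without 'switchport nonegotiate' or without an allowed-VLAN list, trunk settings on a port that was never set to 'switchport mode trunk', native VLAN values that differ between trunks, access ports whose VLAN is not defined on the switch, and access ports without port-security. The sample config is constructed in the style of this tutorial's SW1 and deliberately contains several of those mistakes; the parser handles only the 'vlan' and 'interface' sections the checks need.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed running-config excerpt in the style of this tutorial's SW1;
# it deliberately contains several mistakes from the lists above.
SAMPLE_CONFIG = """\
vlan 10
 name Production
vlan 20
 name Development
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
interface FastEthernet0/6
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security maximum 2
!
interface FastEthernet0/11
 switchport mode access
 switchport access vlan 30
!
interface FastEthernet0/22
 switchport trunk allowed vlan 10,20,30
!
interface FastEthernet0/23
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
!
interface FastEthernet0/24
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate
!
"""


def parse_config(text: str) -> Tuple[Set[int], Dict[str, List[str]]]:
    """Collect defined VLAN IDs and the commands under each interface.
    VLAN 1 always exists on a Catalyst, so it is seeded into the set."""
    vlans, interfaces = {1}, {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw.startswith(" "):              # indented line: belongs to the open section
            if current is not None:
                interfaces[current].append(raw.strip())
            continue
        current = None                       # any other top-level line closes the section
        m = re.fullmatch(r"vlan (\d+)", raw)
        if m:
            vlans.add(int(m.group(1)))
            continue
        m = re.fullmatch(r"interface (\S+)", raw)
        if m:
            current = m.group(1)
            interfaces[current] = []
    return vlans, interfaces


def _last_word(lines: List[str], prefix: str, default=None):
    """Value (last word) of the last command starting with prefix, or default."""
    values = [l.split()[-1] for l in lines if l.startswith(prefix)]
    return values[-1] if values else default


def audit(text: str) -> List[str]:
    """Return one finding per violated rule, in config order."""
    vlans, interfaces = parse_config(text)
    findings: List[str] = []
    native_by_trunk: Dict[str, int] = {}
    for name, lines in interfaces.items():
        mode = _last_word(lines, "switchport mode ")
        if mode == "trunk":
            if "switchport nonegotiate" not in lines:
                findings.append(f"{name}: trunk without 'switchport nonegotiate' (DTP still active)")
            if _last_word(lines, "switchport trunk allowed vlan ") is None:
                findings.append(f"{name}: trunk carries every VLAN; add 'switchport trunk allowed vlan'")
            native_by_trunk[name] = int(_last_word(lines, "switchport trunk native vlan ", "1"))
        elif mode == "access":
            vid = int(_last_word(lines, "switchport access vlan ", "1"))
            if vid not in vlans:
                findings.append(f"{name}: access VLAN {vid} is not defined on this switch")
            if "switchport port-security" not in lines:
                findings.append(f"{name}: access port without port-security")
        elif any(l.startswith("switchport trunk ") for l in lines):
            findings.append(f"{name}: trunk settings present but no 'switchport mode trunk'")
    if len(set(native_by_trunk.values())) > 1:
        detail = ", ".join(f"{k}={v}" for k, v in sorted(native_by_trunk.items()))
        findings.append(f"native VLAN differs across trunks: {detail}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of 'show running-config' saved to a file (replace SAMPLE_CONFIG with the file contents) after each lab step; a clean result is the list returned by audit() being empty. The checks are intentionally string-based so they also work on configs pulled by a TFTP backup, as recommended under Best Practices.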
Next Steps
- Packet Tracer lab: Download VLAN template.
- Official CCNA: Cisco Learning.
- Advanced: PVLANs, VXLAN for data centers.
- Pro training: Check our Learni courses on CCNP and SDN.