InfraRunBook

    Cisco Catalyst VLAN Configuration: Complete Run Book for Access, Trunk, and Inter-VLAN Routing

    Cisco
    Published: Feb 15, 2026
    Updated: Feb 15, 2026

    A production-ready run book for configuring VLANs on Cisco Catalyst switches, covering VLAN creation, access ports, 802.1Q trunks, native VLAN hardening, VTP, and inter-VLAN routing with SVIs and router-on-a-stick.


    Introduction

    VLANs (Virtual Local Area Networks) are the foundational building block of every modern campus and data-center network. On Cisco Catalyst switches running IOS or IOS-XE, VLANs let you segment broadcast domains, enforce security boundaries, and simplify traffic management — all on a single physical switch fabric.

    This run book walks you through every step of a production VLAN deployment: creating VLANs, configuring access and trunk ports, hardening native VLANs, tuning VTP, and enabling inter-VLAN routing with both SVIs and router-on-a-stick. Every command is real, every config is copy-paste ready, and every section includes verification steps.

    Platforms covered: Cisco Catalyst 2960-X/XR, 3560-X, 3650, 3850, 9200, 9300, 9500 (IOS 15.x and IOS-XE 16.x / 17.x).


    1. VLAN Fundamentals

    A VLAN is a Layer 2 broadcast domain identified by a 12-bit ID (1–4094). Frames within a VLAN are switched locally; frames between VLANs must be routed. Cisco Catalyst switches split that space into two ranges:

    • Normal range: 1–1005 — stored in vlan.dat on flash and propagated by VTP. IDs 1002–1005 are reserved for legacy FDDI and Token Ring and cannot be deleted.
    • Extended range: 1006–4094 — with VTP version 1 or 2 these are usable only when the switch is in VTP transparent (or off) mode, and they are then stored in the running-config rather than in vlan.dat. VTP version 3 propagates and stores extended-range VLANs like any other.

    VLAN 1 is the default VLAN for all ports, the default native VLAN on trunks, and carries CDP, VTP, PAgP, and DTP control traffic. Never use VLAN 1 for user data in production.


    2. Planning Your VLAN Scheme

    Before touching the CLI, document your VLANs. A sample enterprise scheme:

    VLAN ID  Name             Subnet           Purpose
    -------  ---------------  ---------------  -----------------------------------------
    10       MGMT             10.0.10.0/24     Switch & AP management
    100      PRODUCTION_DATA  10.0.100.0/24    End-user workstations
    200      VOICE            10.0.200.0/24    IP phones
    300      SERVERS          10.0.30.0/24     Server farm
    666      BLACKHOLE        (none, L2 only)  Native VLAN on trunks; suspended, no ports
    999      PARKING_LOT      (none, L2 only)  Disabled/quarantine ports

    The VLAN-ID-as-third-octet mnemonic only works up to 255: 10.0.300.0 is not a valid IPv4 address, so VLAN 300 uses 10.0.30.0/24 here. VLANs 666 and 999 carry no IP traffic and get no SVI.

    3. Creating VLANs

    3.1 Single VLAN Creation

    Switch# configure terminal
    Switch(config)# vlan 100
    Switch(config-vlan)# name PRODUCTION_DATA
    Switch(config-vlan)# exit
    Switch(config)# vlan 200
    Switch(config-vlan)# name VOICE
    Switch(config-vlan)# exit
    Switch(config)# vlan 300
    Switch(config-vlan)# name SERVERS
    Switch(config-vlan)# exit
    Switch(config)# vlan 10
    Switch(config-vlan)# name MGMT
    Switch(config-vlan)# exit
    Switch(config)# vlan 666
    Switch(config-vlan)# name BLACKHOLE
    Switch(config-vlan)# state suspend
    Switch(config-vlan)# exit
    Switch(config)# vlan 999
    Switch(config-vlan)# name PARKING_LOT
    Switch(config-vlan)# shutdown
    Switch(config-vlan)# exit

    3.2 Batch VLAN Creation

    The vlan command accepts a comma-separated list and ranges, so several VLANs can be created at once. This works on IOS 12.2 and later as well as on IOS-XE, not only on IOS-XE 16.x:

    Switch(config)# vlan 10,100,200,300,666,999
    Switch(config-vlan)# exit

    Note: In list mode the config-vlan sub-mode applies to every VLAN in the list, so per-VLAN names cannot be set there. Name them individually afterwards.

    3.3 Verification

    Switch# show vlan brief
    
    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- --------------------------------
    1    default                          active    Gi1/0/1, Gi1/0/2 ... (all ports)
    10   MGMT                             active
    100  PRODUCTION_DATA                  active
    200  VOICE                            active
    300  SERVERS                          active
    666  BLACKHOLE                        suspended
    999  PARKING_LOT                      act/lshut

    4. Access Port Configuration

    Access ports carry traffic for a single VLAN and connect to end devices (PCs, printers, servers). Always harden them.

    4.1 Basic Access Port

    Switch(config)# interface GigabitEthernet1/0/5
    Switch(config-if)# description >> PC-Finance-JSmith <<
    Switch(config-if)# switchport mode access
    Switch(config-if)# switchport access vlan 100
    Switch(config-if)# switchport nonegotiate
    Switch(config-if)# spanning-tree portfast
    Switch(config-if)# spanning-tree bpduguard enable
    Switch(config-if)# no shutdown
    Switch(config-if)# exit

    4.2 Access Port with Voice VLAN (IP Phone + PC)

    Switch(config)# interface GigabitEthernet1/0/10
    Switch(config-if)# description >> IP-Phone-Desk-4F-Room401 <<
    Switch(config-if)# switchport mode access
    Switch(config-if)# switchport access vlan 100
    Switch(config-if)# switchport voice vlan 200
    Switch(config-if)# switchport nonegotiate
    Switch(config-if)# spanning-tree portfast
    Switch(config-if)# spanning-tree bpduguard enable
    ! mls qos trust cos exists on MLS-QoS platforms (2960-X, 3560-X); 3650/3850/9200/9300 use MQC and do not have the command
    Switch(config-if)# mls qos trust cos
    Switch(config-if)# no shutdown
    Switch(config-if)# exit

    The switchport voice vlan 200 command makes the switch advertise the voice VLAN in CDP, so the phone tags its own frames with 802.1Q VLAN 200 and CoS 5 while the PC behind the phone stays untagged in VLAN 100. Treat the voice VLAN as untrusted: any device that imitates a phone's CDP advertisement can join VLAN 200, so pair voice ports with 802.1X/MAB or at least restrict VLAN 200 with SVI ACLs.

    4.3 Parking-Lot (Unused Ports)

    Switch(config)# interface range GigabitEthernet1/0/40 - 48
    Switch(config-if-range)# description >> UNUSED - PARKING LOT <<
    Switch(config-if-range)# switchport mode access
    Switch(config-if-range)# switchport access vlan 999
    Switch(config-if-range)# switchport nonegotiate
    Switch(config-if-range)# spanning-tree portfast
    Switch(config-if-range)# spanning-tree bpduguard enable
    Switch(config-if-range)# shutdown
    Switch(config-if-range)# exit

    4.4 Verification

    Switch# show interfaces GigabitEthernet1/0/10 switchport
    Name: Gi1/0/10
    Switchport: Enabled
    Administrative Mode: static access
    Operational Mode: static access
    Administrative Trunking Encapsulation: dot1q
    Negotiation of Trunking: Off
    Access Mode VLAN: 100 (PRODUCTION_DATA)
    Trunking Native Mode VLAN: 1 (default)
    Voice VLAN: 200 (VOICE)
    ...
    
    Switch# show vlan id 100
    
    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- --------------------------------
    100  PRODUCTION_DATA                  active    Gi1/0/5, Gi1/0/10

    5. Trunk Port Configuration

    Trunk ports carry multiple VLANs between switches, routers, and hypervisors using 802.1Q tagging.

    5.1 Standard Trunk Between Two Catalyst Switches

    ! ---- Switch-A (Gi1/0/49; Switch-A is the upstream switch, nearer the STP root) ----
    Switch-A(config)# interface GigabitEthernet1/0/49
    Switch-A(config-if)# description >> TRUNK to Switch-B Gi1/0/49 <<
    ! (omit the encapsulation command on platforms that support only 802.1Q, e.g. the 2960-X, which reject it)
    Switch-A(config-if)# switchport trunk encapsulation dot1q
    Switch-A(config-if)# switchport mode trunk
    Switch-A(config-if)# switchport trunk native vlan 666
    Switch-A(config-if)# switchport trunk allowed vlan 10,100,200,300
    Switch-A(config-if)# switchport nonegotiate
    Switch-A(config-if)# spanning-tree guard root
    Switch-A(config-if)# no shutdown
    Switch-A(config-if)# exit
    
    ! ---- Switch-B (Gi1/0/49 uplink toward Switch-A) ----
    Switch-B(config)# interface GigabitEthernet1/0/49
    Switch-B(config-if)# description >> TRUNK to Switch-A Gi1/0/49 <<
    Switch-B(config-if)# switchport trunk encapsulation dot1q
    Switch-B(config-if)# switchport mode trunk
    Switch-B(config-if)# switchport trunk native vlan 666
    Switch-B(config-if)# switchport trunk allowed vlan 10,100,200,300
    Switch-B(config-if)# switchport nonegotiate
    Switch-B(config-if)# no shutdown
    Switch-B(config-if)# exit

    Key hardening points:
    • switchport nonegotiate — disables DTP so the port never negotiates its mode; together with an explicit switchport mode it stops switch-spoofing VLAN hopping.
    • native vlan 666 — moves the native VLAN off VLAN 1 onto an unused, suspended VLAN that no access port uses, so an attacker's access VLAN can never equal the trunk's native VLAN (the precondition for double-tagging).
    • allowed vlan — explicit allow list. Only listed VLANs cross the trunk; 666 itself is deliberately not in the list, so untagged frames arriving on the trunk are dropped.
    • spanning-tree guard root — on Switch-A only, the side that faces away from the root bridge. Root guard on both ends of the same link puts it into root-inconsistent (blocking) state as soon as the root's superior BPDUs arrive.

    5.2 Adding a VLAN to an Existing Trunk

    Switch-A(config)# interface GigabitEthernet1/0/49
    Switch-A(config-if)# switchport trunk allowed vlan add 400

    Warning: Forgetting the add keyword replaces the entire allowed list with VLAN 400 only, cutting every other VLAN off the trunk, a common cause of production outages. Check show interfaces trunk immediately after the change.

    5.3 Removing a VLAN from a Trunk

    Switch-A(config-if)# switchport trunk allowed vlan remove 300

    5.4 Verification

    Switch# show interfaces trunk
    
    Port        Mode         Encapsulation  Status        Native vlan
    Gi1/0/49    on           802.1q         trunking      666
    
    Port        Vlans allowed on trunk
    Gi1/0/49    10,100,200,300
    
    Port        Vlans allowed and active in management domain
    Gi1/0/49    10,100,200,300
    
    Port        Vlans in spanning tree forwarding state and not pruned
    Gi1/0/49    10,100,200,300
    
    Switch# show interfaces GigabitEthernet1/0/49 switchport
    Name: Gi1/0/49
    Switchport: Enabled
    Administrative Mode: trunk
    Operational Mode: trunk
    Administrative Trunking Encapsulation: dot1q
    Negotiation of Trunking: Off
    Access Mode VLAN: 1 (default)
    Trunking Native Mode VLAN: 666 (BLACKHOLE)
    Administrative Native VLAN tagging: enabled
    Trunking VLANs Enabled: 10,100,200,300

    6. VTP (VLAN Trunking Protocol) Configuration

    VTP propagates the VLAN database across trunked switches in the same domain. The classic failure is a switch with a higher configuration revision (a lab unit or a replacement plugged into the network) overwriting the production VLAN database campus-wide, which deletes VLANs and takes every port in them down. In modern networks VTP transparent or off mode is recommended; per-trunk allowed-VLAN lists then replace VTP pruning.

    6.1 Setting VTP Transparent Mode (Recommended)

    Switch(config)# vtp mode transparent
    Setting device to VTP Transparent mode for VLANS.
    Switch(config)# vtp domain YOURCOMPANY
    Switch(config)# vtp password S3cur3VtpP@ss!
    Switch(config)# end
    Switch# show vtp status
    VTP Version capable             : 1 to 3
    VTP version running             : 1
    VTP Domain Name                 : YOURCOMPANY
    VTP Pruning Mode                : Disabled
    VTP Traps Generation            : Disabled
    Device ID                       : aabb.cc00.1100
    Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
    
    Feature VLAN:
    -----------
    VTP Operating Mode                : Transparent
    Maximum VLANs supported locally   : 4094
    Number of existing VLANs          : 10
    Configuration Revision            : 0

    6.2 Disabling VTP Entirely (requires VTP version 3 support: VTPv3-capable IOS 15.x and IOS-XE)

    Switch(config)# vtp mode off

    6.3 VTP Version 3 (When Central Management Is Needed)

    Switch(config)# vtp domain YOURCOMPANY
    Switch(config)# vtp version 3
    Switch(config)# vtp password S3cur3VtpP@ss! hidden
    Switch(config)# vtp mode server
    Switch(config)# end
    ! Promote this switch to primary server:
    Switch# vtp primary vlan
    This system is becoming primary server for feature vlan
    VTP Database Conf Switch ID       Primary Server  Revision  System Name
    ------------ ---- --------------- --------------- --------- -----------
    VLANDB       Yes  aabb.cc00.1100  aabb.cc00.1100  1         Switch
    Do you want to continue (y/n) [n]? y

    VTPv3 adds a primary-server concept: only the switch promoted with vtp primary vlan may change the VLAN database, so a switch with a higher revision joining the domain can no longer overwrite it. Two details matter in practice: the domain name must be set before vtp version 3 (the version cannot be raised while the domain is null), and the VTP password only authenticates advertisements with an MD5 digest; it does not encrypt them, and the hidden keyword merely stores it as a hash in the configuration.


    7. Inter-VLAN Routing

    Hosts in different VLANs need a Layer 3 device to communicate. Two approaches are common on Catalyst platforms.

    7.1 Method A: SVI (Switched Virtual Interface) on a Layer 3 Switch

    This is the preferred method for Catalyst 3650, 3850, 9300, and 9500 platforms.

    Switch(config)# ip routing
    
    Switch(config)# interface Vlan10
    Switch(config-if)# description >> MGMT Gateway <<
    Switch(config-if)# ip address 10.0.10.1 255.255.255.0
    Switch(config-if)# no shutdown
    Switch(config-if)# exit
    
    Switch(config)# interface Vlan100
    Switch(config-if)# description >> PRODUCTION_DATA Gateway <<
    Switch(config-if)# ip address 10.0.100.1 255.255.255.0
    Switch(config-if)# no shutdown
    Switch(config-if)# exit
    
    Switch(config)# interface Vlan200
    Switch(config-if)# description >> VOICE Gateway <<
    Switch(config-if)# ip address 10.0.200.1 255.255.255.0
    Switch(config-if)# no shutdown
    Switch(config-if)# exit
    
    Switch(config)# interface Vlan300
    Switch(config-if)# description >> SERVERS Gateway <<
    Switch(config-if)# ip address 10.0.30.1 255.255.255.0
    Switch(config-if)# no shutdown
    Switch(config-if)# exit

    Verification:

    Switch# show ip interface brief | include Vlan
    Vlan10                 10.0.10.1       YES manual up                    up
    Vlan100                10.0.100.1      YES manual up                    up
    Vlan200                10.0.200.1      YES manual up                    up
    Vlan300                10.0.30.1       YES manual up                    up
    
    Switch# show ip route connected
    C     10.0.10.0/24 is directly connected, Vlan10
    C     10.0.100.0/24 is directly connected, Vlan100
    C     10.0.200.0/24 is directly connected, Vlan200
    C     10.0.30.0/24 is directly connected, Vlan300
    
    Switch# ping 10.0.30.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.0.30.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5)

    Pinging an SVI from the switch itself only proves the interface is up. For an end-to-end test, ping a server in VLAN 300 from a workstation in VLAN 100, or from the switch with a sourced ping such as ping 10.0.30.10 source Vlan100 (10.0.30.10 standing for any host in the server VLAN).

    7.2 Method B: Router-on-a-Stick (External Router via Sub-interfaces)

    Use this when your switch is Layer 2 only (e.g., Catalyst 2960-X) and you have a Cisco ISR/ASR as the gateway.

    Switch side (L2 trunk to router):

    Switch(config)# interface GigabitEthernet1/0/1
    Switch(config-if)# description >> TRUNK to Router Gi0/0 <<
    ! (the 2960-X supports only 802.1Q, so 'switchport trunk encapsulation dot1q' does not exist there and is omitted)
    Switch(config-if)# switchport mode trunk
    Switch(config-if)# switchport trunk native vlan 666
    Switch(config-if)# switchport trunk allowed vlan 10,100,200,300
    Switch(config-if)# switchport nonegotiate
    Switch(config-if)# no shutdown
    Switch(config-if)# exit

    Router side (sub-interfaces):

    Router(config)# interface GigabitEthernet0/0
    Router(config-if)# no shutdown
    Router(config-if)# exit
    
    Router(config)# interface GigabitEthernet0/0.10
    Router(config-subif)# description >> MGMT VLAN 10 <<
    Router(config-subif)# encapsulation dot1Q 10
    Router(config-subif)# ip address 10.0.10.1 255.255.255.0
    Router(config-subif)# exit
    
    Router(config)# interface GigabitEthernet0/0.100
    Router(config-subif)# description >> PRODUCTION VLAN 100 <<
    Router(config-subif)# encapsulation dot1Q 100
    Router(config-subif)# ip address 10.0.100.1 255.255.255.0
    Router(config-subif)# exit
    
    Router(config)# interface GigabitEthernet0/0.200
    Router(config-subif)# description >> VOICE VLAN 200 <<
    Router(config-subif)# encapsulation dot1Q 200
    Router(config-subif)# ip address 10.0.200.1 255.255.255.0
    Router(config-subif)# exit
    
    Router(config)# interface GigabitEthernet0/0.300
    Router(config-subif)# description >> SERVERS VLAN 300 <<
    Router(config-subif)# encapsulation dot1Q 300
    Router(config-subif)# ip address 10.0.30.1 255.255.255.0
    Router(config-subif)# exit

    Verification on the router:

    Router# show ip interface brief | include GigabitEthernet0/0
    GigabitEthernet0/0          unassigned      YES unset  up                    up
    GigabitEthernet0/0.10       10.0.10.1       YES manual up                    up
    GigabitEthernet0/0.100      10.0.100.1      YES manual up                    up
    GigabitEthernet0/0.200      10.0.200.1      YES manual up                    up
    GigabitEthernet0/0.300      10.0.30.1       YES manual up                    up

    8. VLAN Security Hardening Checklist

    Apply these practices on every Catalyst deployment:

    1. Change the native VLAN on all trunks to an unused VLAN (e.g., 666) and keep it out of the allowed list. Never send user traffic on the native VLAN.
    2. Disable DTP with switchport nonegotiate on every port, both access and trunk, after setting the mode explicitly.
    3. Use an explicit allowed list on every trunk (switchport trunk allowed vlan ...); never leave the default of all VLANs.
    4. Shut down unused ports and assign them to a parking-lot VLAN.
    5. Enable BPDU Guard on all access ports to block rogue switches; put Root Guard only on ports facing downstream switches, never on the uplink toward the root bridge.
    6. Use VTP transparent or off mode unless you have a very strong reason for server/client; if you do, use VTPv3 with a primary server.
    7. Enable DHCP Snooping on user VLANs (covered in a future article).
    8. Enable Dynamic ARP Inspection (DAI) on user VLANs; it relies on the DHCP Snooping binding table.
    9. Apply ACLs on SVIs to restrict inter-VLAN traffic where needed.
    10. Tag the native VLAN on trunks (where supported):

    Switch(config)# vlan dot1q tag native

    This command makes the switch tag native-VLAN frames on every 802.1Q trunk, so a double-tagged frame keeps its outer tag and the inner tag is never exposed to the next switch. It is global and must be enabled on both ends of every trunk: a peer that still sends native-VLAN frames untagged will have them dropped. Not every Catalyst model accepts it; check with show vlan dot1q tag native.
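    The checklist above is easy to verify by hand on one switch and tedious on fifty. The following auditor is an added example, not part of the original run book and not a Cisco tool: it parses running-config text and reports, per switchport, which of the checklist items above it violates (native VLAN 1, user traffic on the native VLAN, no allowed list, DTP left on, access ports in VLAN 1 or without BPDU Guard, allowed VLANs missing from the local database). SAMPLE_CONFIG is constructed for the example; the IOS defaults it assumes (no native vlan line means VLAN 1, no allowed vlan line means 1-4094, no access vlan line means VLAN 1, no switchport mode line means DTP dynamic mode) are stated in the docstring.

```python
"""Audit Cisco IOS/IOS-XE running-config text against the VLAN hardening checklist.
Added example (not from the run book or Cisco); SAMPLE_CONFIG is constructed. Assumed
IOS defaults: no 'native vlan' line means VLAN 1, no 'allowed vlan' line means 1-4094,
no 'access vlan' line means VLAN 1, no 'switchport mode' line means DTP dynamic mode."""
from __future__ import annotations
import re

def parse_vlan_list(spec: str) -> set[int]:
    """Expand an IOS VLAN list such as '10,100,200-210' ('all' and 'none' too)."""
    spec = spec.strip().lower()
    if spec == "all":
        return set(range(1, 4095))
    vlans: set[int] = set()
    for part in filter(None, spec.replace("none", "").split(",")):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_config(text: str) -> tuple[list[str], dict[str, list[str]]]:
    # Returns (top-level lines, {interface name: its indented stanza lines}).
    top, stanzas, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None                       # '!' closes a stanza
        elif raw[0] in " \t":
            if current is not None:
                stanzas[current].append(raw.strip())
        elif (m := re.match(r"interface\s+(\S+)\s*$", raw)):
            current = m.group(1)
            stanzas[current] = []
        else:
            current = None
            top.append(raw.strip())
    return top, stanzas

def arg(lines: list[str], prefix: str) -> str | None:
    # Text after PREFIX on the first stanza line that starts with it, else None.
    return next((l[len(prefix):].strip() for l in lines if l.startswith(prefix + " ")), None)

def audit(text: str) -> dict[str, list[str]]:
    """Map each non-compliant switchport to the checklist items it violates."""
    top, stanzas = parse_config(text)
    tag_native = "vlan dot1q tag native" in top
    defined = {1}                                # VLANs in the local database
    for line in top:
        if (m := re.match(r"vlan\s+([\d,\- ]+)$", line)):
            defined |= parse_vlan_list(m.group(1))
    ports = {n: l for n, l in stanzas.items()    # skip SVIs and routed ports
             if not n.lower().startswith("vlan") and "no switchport" not in l}
    access_vlans = {int(arg(l, "switchport access vlan") or 1)
                    for l in ports.values() if arg(l, "switchport mode") == "access"}
    report: dict[str, list[str]] = {}
    for name, l in ports.items():
        f: list[str] = []
        mode = arg(l, "switchport mode")
        if mode == "trunk":
            native = int(arg(l, "switchport trunk native vlan") or 1)
            allowed = arg(l, "switchport trunk allowed vlan")
            if native == 1:
                f.append("trunk uses native VLAN 1")
            if native in access_vlans and not tag_native:
                f.append(f"native VLAN {native} also carries user traffic, untagged")
            if allowed is None:
                f.append("no allowed-VLAN list (all 1-4094 cross the trunk)")
            elif (missing := parse_vlan_list(allowed) - defined):
                f.append(f"allowed VLANs missing from local database: {sorted(missing)}")
        elif mode == "access":
            if int(arg(l, "switchport access vlan") or 1) == 1:
                f.append("access port left in VLAN 1")
            if "spanning-tree bpduguard enable" not in l:
                f.append("BPDU Guard not enabled")
        else:
            f.append("switchport mode is not access or trunk (DTP dynamic mode)")
        if mode in ("trunk", "access") and "switchport nonegotiate" not in l:
            f.append("DTP not disabled (missing switchport nonegotiate)")
        if f:
            report[name] = f
    return report

SAMPLE_CONFIG = """\
vlan 10,100,200,300,666
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 100
 switchport nonegotiate
 spanning-tree bpduguard enable
interface GigabitEthernet1/0/2
 switchport mode access
interface GigabitEthernet1/0/48
 switchport mode trunk
interface GigabitEthernet1/0/49
 switchport mode trunk
 switchport trunk native vlan 666
 switchport trunk allowed vlan 10,100,200,300
 switchport nonegotiate
interface GigabitEthernet1/0/50
 switchport trunk encapsulation dot1q
"""

if __name__ == "__main__":
    for name, items in audit(SAMPLE_CONFIG).items():
        print(name + ":\n  " + "\n  ".join(items))
```

    Feed it the output of show running-config and the two hardened ports (Gi1/0/1 and Gi1/0/49) come back clean, while the factory-default access port, the bare trunk and the port left in DTP dynamic mode are each listed with the specific items they miss. The "native VLAN also carries user traffic" check is the one that catches the double-tagging precondition, which is why the native VLAN should be one that no access port ever uses.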


    9. Restricting Inter-VLAN Traffic with SVI ACLs

    Example: Allow PRODUCTION (VLAN 100) to reach SERVERS (VLAN 300, 10.0.30.0/24) on HTTP/HTTPS and SSH only, plus ICMP echo. Deny everything else between them. The ACL is applied inbound on Vlan100, which on an SVI means packets sent by VLAN 100 hosts toward the switch's gateway, so it governs what workstations may initiate. Return traffic from the servers enters on Vlan300 and is not touched.

    Switch(config)# ip access-list extended ACL_PROD_TO_SERVERS
    Switch(config-ext-nacl)# permit tcp 10.0.100.0 0.0.0.255 10.0.30.0 0.0.0.255 eq 80
    Switch(config-ext-nacl)# permit tcp 10.0.100.0 0.0.0.255 10.0.30.0 0.0.0.255 e	q 443
    Switch(config-ext-nacl)# permit tcp 10.0.100.0 0.0.0.255 10.0.30.0 0.0.0.255 eq 22
    Switch(config-ext-nacl)# permit icmp 10.0.100.0 0.0.0.255 10.0.30.0 0.0.0.255 echo
    Switch(config-ext-nacl)# permit icmp 10.0.100.0 0.0.0.255 10.0.30.0 0.0.0.255 echo-reply
    Switch(config-ext-nacl)# deny   ip 10.0.100.0 0.0.0.255 10.0.30.0 0.0.0.255 log
    Switch(config-ext-nacl)# permit ip any any
    Switch(config-ext-nacl)# exit
    
    Switch(config)# interface Vlan100
    Switch(config-if)# ip access-group ACL_PROD_TO_SERVERS in
    Switch(config-if)# end
    Switch# show ip access-lists ACL_PROD_TO_SERVERS
    Extended IP access list ACL_PROD_TO_SERVERS
        10 permit tcp 10.0.100.0 0.0.0.255 10.0.30.0 0.0.0.255 eq www (1523 matches)
        20 permit tcp 10.0.100.0 0.0.0.255 10.0.30.0 0.0.0.255 eq 443 (842 matches)
        30 permit tcp 10.0.100.0 0.0.0.255 10.0.30.0 0.0.0.255 eq 22 (37 matches)
        40 permit icmp 10.0.100.0 0.0.0.255 10.0.30.0 0.0.0.255 echo
        50 permit icmp 10.0.100.0 0.0.0.255 10.0.30.0 0.0.0.255 echo-reply
        60 deny ip 10.0.100.0 0.0.0.255 10.0.30.0 0.0.0.255 log (12 matches)
        70 permit ip any any (45821 matches)

    Two caveats. First, the trailing permit ip any any keeps VLAN 100 open to every other destination, including the MGMT subnet 10.0.10.0/24; if workstations must not reach switch and AP management, add an explicit deny for 10.0.10.0/24 ahead of the final permit, and remember the implicit deny at the end of every ACL if you drop that permit altogether. Second, the log keyword on hardware-switched Catalyst platforms punts matching packets to the CPU; IOS rate-limits ACL logging, but keep it on deny entries that should rarely match rather than on busy permits.
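    To see exactly which entry a given flow hits, including the catch-all that still admits workstations to the MGMT subnet, the following evaluator reproduces IOS extended-ACL semantics in Python: Cisco wildcard masks, first matching entry wins, implicit deny after the last line. It is an added example, not part of the original run book and not Cisco code. ACL_PROD_TO_SERVERS is the ACL above; ACL_HARDENED is an illustrative variant (my addition, not the article's) that adds an explicit deny toward 10.0.10.0/24 before the final permit. The flows and the workstation address 10.0.100.25 are constructed. Only the syntax the article uses is parsed: any, host, address plus wildcard, eq <port> on tcp/udp, ICMP type names, and a trailing log (which never affects matching).

```python
"""Evaluate flows against a Cisco IOS extended ACL: first matching entry wins and
an implicit deny follows the last line. Added example, not from the run book or
Cisco. ACL_PROD_TO_SERVERS is the article's ACL; ACL_HARDENED is an illustrative
variant adding an explicit deny toward MGMT. Flows are constructed. Parsed syntax
is limited to what the article uses: any / host / address+wildcard, 'eq <port>'
on tcp/udp, ICMP type names and a trailing 'log' (which never affects matching)."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"www": 80, "telnet": 23, "domain": 53}   # names IOS prints for ports
ICMP_TYPES = {"echo": 8, "echo-reply": 0}

def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def addr_matches(spec: tuple[int, int], addr: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'do not care', so compare under ~mask."""
    base, wildcard = spec
    return (base ^ to_int(addr)) & (~wildcard & 0xFFFFFFFF) == 0

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                          # "tcp", "udp" or "icmp"
    dport: int | None = None
    icmp_type: int | None = None

@dataclass(frozen=True)
class Rule:
    seq: int
    action: str
    proto: str                          # "ip" matches every protocol
    src: tuple[int, int]                # (address, wildcard)
    dst: tuple[int, int]
    dport: int | None = None
    icmp_type: int | None = None

    def matches(self, f: Flow) -> bool:
        return (self.proto in ("ip", f.proto)
                and addr_matches(self.src, f.src) and addr_matches(self.dst, f.dst)
                and (self.dport is None or self.dport == f.dport)
                and (self.icmp_type is None or self.icmp_type == f.icmp_type))

def parse_addr(toks: list[str], i: int) -> tuple[tuple[int, int], int]:
    """Parse 'any' | 'host A' | 'A WILDCARD' at toks[i]; return (spec, next index)."""
    if toks[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if toks[i] == "host":
        return (to_int(toks[i + 1]), 0), i + 2
    return (to_int(toks[i]), to_int(toks[i + 1])), i + 2

def parse_acl(text: str) -> list[Rule]:
    """Turn ACE lines into Rules numbered 10, 20, ... as IOS does."""
    rules: list[Rule] = []
    for line in text.strip().splitlines():
        toks = line.split()
        if not toks or toks[0].startswith("!"):
            continue
        action, proto = toks[0], toks[1]
        src, i = parse_addr(toks, 2)
        dst, i = parse_addr(toks, i)
        dport = icmp_type = None
        if proto in ("tcp", "udp") and i < len(toks) and toks[i] == "eq":
            dport = PORT_NAMES.get(toks[i + 1]) or int(toks[i + 1])
        elif proto == "icmp" and i < len(toks) and toks[i] in ICMP_TYPES:
            icmp_type = ICMP_TYPES[toks[i]]
        rules.append(Rule(10 * (len(rules) + 1), action, proto, src, dst, dport, icmp_type))
    return rules

def evaluate(acl: list[Rule], flow: Flow) -> tuple[str, int | None]:
    """(action, sequence) of the first matching ACE; ('deny', None) is the implicit deny."""
    for rule in acl:
        if rule.matches(flow):
            return rule.action, rule.seq
    return "deny", None

ACL_PROD_TO_SERVERS = """
permit tcp 10.0.100.0 0.0.0.255 10.0.30.0 0.0.0.255 eq 80
permit tcp 10.0.100.0 0.0.0.255 10.0.30.0 0.0.0.255 eq 443
permit tcp 10.0.100.0 0.0.0.255 10.0.30.0 0.0.0.255 eq 22
permit icmp 10.0.100.0 0.0.0.255 10.0.30.0 0.0.0.255 echo
permit icmp 10.0.100.0 0.0.0.255 10.0.30.0 0.0.0.255 echo-reply
deny   ip 10.0.100.0 0.0.0.255 10.0.30.0 0.0.0.255 log
permit ip any any
"""
# Illustrative hardening: deny the MGMT subnet explicitly before the catch-all permit.
ACL_HARDENED = ACL_PROD_TO_SERVERS.replace(
    "permit ip any any", "deny   ip 10.0.100.0 0.0.0.255 10.0.10.0 0.0.0.255 log\npermit ip any any")

if __name__ == "__main__":
    pc = "10.0.100.25"                  # constructed workstation in VLAN 100
    for label, text in (("article ACL", ACL_PROD_TO_SERVERS), ("hardened ACL", ACL_HARDENED)):
        acl = parse_acl(text)
        print(label, "HTTPS->server", evaluate(acl, Flow(pc, "10.0.30.10", "tcp", 443)),
              "RDP->server", evaluate(acl, Flow(pc, "10.0.30.10", "tcp", 3389)),
              "SSH->MGMT", evaluate(acl, Flow(pc, "10.0.10.1", "tcp", 22)))
```

    With the article's ACL, SSH from a workstation to the switch's MGMT address matches entry 70 (permit ip any any); with the hardened variant the same flow stops at the new deny. Sequence numbers follow IOS's 10, 20, 30 convention, so the tuple returned by evaluate lines up with the show ip access-lists output above.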

    10. Saving and Backing Up Configuration

    Switch# copy running-config startup-config
    Destination filename [startup-config]?
    Building configuration...
    [OK]
    
    ! Backup to TFTP
    Switch# copy running-config tftp://10.0.10.50/backups/switch-a-2026-02-15.cfg
    Address or name of remote host [10.0.10.50]?
    Destination filename [backups/switch-a-2026-02-15.cfg]?
    !!
    Successful

    TFTP is cleartext and unauthenticated, and the file it carries contains the VTP password and any local credentials. Use it only on the management VLAN toward a server that accepts writes from the switches alone, and prefer SCP or SFTP (copy running-config scp://...) for production backups.

    11. Troubleshooting Quick Reference

    Symptom                                    Check Command                     Likely Cause
    -----------------------------------------  --------------------------------  -------------------------------------------------------------------------
    Port not forwarding, shown as (Inactive)   show interfaces x switchport      Assigned VLAN does not exist in this switch's VLAN database
    Port still in VLAN 1                       show vlan brief                   switchport access vlan was never applied (wrong interface or range)
    Trunk shows "not-trunking"                 show interfaces trunk             Encapsulation mismatch, or switchport nonegotiate on one side with dynamic auto on the other
    Native VLAN mismatch syslog                show interfaces trunk             Different native VLANs on each end of the trunk
    SVI is up/down                             show ip interface brief           No active port in that VLAN, or the VLAN is shutdown/suspended
    No inter-VLAN connectivity                 show ip route                     ip routing not enabled on the L3 switch
    VTP revision number too high               show vtp status                   A client/server-mode switch with a higher revision overwrote the VLAN database

    12. Complete Configuration Example

    Here is a consolidated, production-ready configuration snippet for a Catalyst 9300 distribution switch:

    ! =============================================
    ! Catalyst 9300 - Distribution Switch
    ! Hostname: DIST-SW-01
    ! =============================================
    hostname DIST-SW-01
    !
    vtp mode off
    !
    vlan dot1q tag native
    !
    vlan 10
     name MGMT
    vlan 100
     name PRODUCTION_DATA
    vlan 200
     name VOICE
    vlan 300
     name SERVERS
    vlan 666
     name BLACKHOLE
     state suspend
    vlan 999
     name PARKING_LOT
     shutdown
    !
    ip routing
    !
    ! ACL defined before the SVI that references it, so the paste order is safe
    ip access-list extended ACL_PROD_TO_SERVERS
     permit tcp 10.0.100.0 0.0.0.255 10.0.30.0 0.0.0.255 eq 80
     permit tcp 10.0.100.0 0.0.0.255 10.0.30.0 0.0.0.255 eq 443
     permit tcp 10.0.100.0 0.0.0.255 10.0.30.0 0.0.0.255 eq 22
     permit icmp 10.0.100.0 0.0.0.255 10.0.30.0 0.0.0.255 echo
     permit icmp 10.0.100.0 0.0.0.255 10.0.30.0 0.0.0.255 echo-reply
     deny   ip 10.0.100.0 0.0.0.255 10.0.30.0 0.0.0.255 log
     permit ip any any
    !
    interface Vlan10
     description >> MGMT Gateway <<
     ip address 10.0.10.1 255.255.255.0
     no shutdown
    !
    interface Vlan100
     description >> PRODUCTION Gateway <<
     ip address 10.0.100.1 255.255.255.0
     ip access-group ACL_PROD_TO_SERVERS in
     no shutdown
    !
    interface Vlan200
     description >> VOICE Gateway <<
     ip address 10.0.200.1 255.255.255.0
     no shutdown
    !
    interface Vlan300
     description >> SERVERS Gateway <<
     ip address 10.0.30.1 255.255.255.0
     no shutdown
    !
    ! --- Uplink to Core (faces the STP root: no root guard here) ---
    interface TenGigabitEthernet1/1/1
     description >> TRUNK to CORE-SW-01 Te1/1/1 <<
     switchport trunk encapsulation dot1q
     switchport mode trunk
     switchport trunk native vlan 666
     switchport trunk allowed vlan 10,100,200,300
     switchport nonegotiate
     no shutdown
    !
    ! --- Downlinks to Access Switches (root guard stops a rogue root below) ---
    interface GigabitEthernet1/0/1
     description >> TRUNK to ACC-SW-01 Gi1/0/49 <<
     switchport trunk encapsulation dot1q
     switchport mode trunk
     switchport trunk native vlan 666
     switchport trunk allowed vlan 10,100,200,300
     switchport nonegotiate
     spanning-tree guard root
     no shutdown
    !
    ! --- Unused Ports ---
    interface range GigabitEthernet1/0/40 - 48
     description >> UNUSED - PARKING LOT <<
     switchport mode access
     switchport access vlan 999
     switchport nonegotiate
     spanning-tree portfast
     spanning-tree bpduguard enable
     shutdown
    !
    end

    Frequently Asked Questions

    Q1: What is the maximum number of VLANs on a Cisco Catalyst switch?

    Cisco Catalyst switches support VLAN IDs 1–4094 per the 802.1Q standard (12-bit VLAN ID field; 0 and 4095 are reserved by the standard itself). VLANs 1002–1005 are reserved for legacy Token Ring and FDDI, VLAN 1 is the default VLAN, and some platforms borrow a few extended-range IDs for internal use on routed ports (show vlan internal usage). Practically that leaves about 4,090 usable IDs, but the number of active VLANs a platform supports in hardware varies (for example 255 or 1,005 on older access switches, 4,094 on the 3850 and 9000 series), so check the data sheet and the SDM template for your model.

    Q2: How do I change the native VLAN on a trunk, and why should I?

    Use switchport trunk native vlan 666 on both ends of the trunk. The native VLAN is the one whose frames cross the trunk untagged. In a double-tagging attack the attacker sits on an access port whose VLAN equals the trunk's native VLAN (VLAN 1 by default) and sends a frame with VLAN 1 as the outer tag and the target VLAN as the inner tag: the first switch strips the outer tag because native-VLAN traffic leaves the trunk untagged, and the second switch reads the now-exposed inner tag and delivers the frame into the target VLAN. Moving the native VLAN to an unused, suspended VLAN that no access port uses removes that precondition, and enabling vlan dot1q tag native globally (on both ends) means the outer tag is never stripped, which closes the vector even where the precondition exists.
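    The mechanism described in this answer and in the hardening points of Section 5.1, as an added example that is not part of the original run book and not Cisco code: a pure-Python model that builds real 802.1Q frame bytes and pushes a double-tagged frame through a simplified two-switch forwarding path (attacker's access port, trunk egress on the first switch, trunk ingress on the second). The model's assumptions are modelled, not measured on hardware: an access port accepts a frame tagged with its own VLAN ID and strips that tag (the textbook premise of the attack), and a trunk with vlan dot1q tag native drops untagged data frames. MAC addresses and payload are constructed sample values.

```python
"""Model the 802.1Q double-tagging (VLAN hopping) attack and its two mitigations.
Added example, not from the run book or Cisco. Modelled (not measured) assumptions:
an access port accepts a frame tagged with its own VLAN ID and strips that tag (the
textbook premise of the attack); a trunk with native tagging enabled drops untagged
data frames. MAC addresses and payload are constructed sample values."""
from __future__ import annotations
import struct
from dataclasses import dataclass

TPID = 0x8100                                   # 802.1Q tag protocol identifier
ATTACKER_MAC = bytes.fromhex("02aa00000001")    # constructed, locally administered
TARGET_MAC = bytes.fromhex("02bb00000002")

def build_frame(dst: bytes, src: bytes, vids: list[int], ethertype: int = 0x0800,
                payload: bytes = b"") -> bytes:
    """Ethernet frame with one 802.1Q tag per VID, outermost first (PCP/DEI = 0)."""
    tags = b"".join(struct.pack("!HH", TPID, vid & 0x0FFF) for vid in vids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload

def outer_tag(frame: bytes) -> int | None:
    """VID of the outermost 802.1Q tag, or None if the frame is untagged."""
    if struct.unpack("!H", frame[12:14])[0] == TPID:
        return struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return None

def pop_tag(frame: bytes) -> bytes:
    return frame[:12] + frame[16:]

def push_tag(frame: bytes, vid: int) -> bytes:
    return frame[:12] + struct.pack("!HH", TPID, vid) + frame[12:]

@dataclass(frozen=True)
class Trunk:
    native: int
    allowed: frozenset[int]
    tag_native: bool = False                    # 'vlan dot1q tag native'

def access_ingress(frame: bytes, access_vlan: int) -> tuple[int, bytes] | None:
    """Classify a frame arriving on an access port; None means dropped."""
    vid = outer_tag(frame)
    if vid is None:
        return access_vlan, frame
    return (access_vlan, pop_tag(frame)) if vid == access_vlan else None

def trunk_egress(vlan: int, frame: bytes, trunk: Trunk) -> bytes | None:
    """Frame as it appears on the wire leaving the trunk; None means not sent."""
    if vlan not in trunk.allowed:
        return None
    if vlan == trunk.native and not trunk.tag_native:
        return frame                            # native VLAN leaves untagged: the weak spot
    return push_tag(frame, vlan)

def trunk_ingress(frame: bytes, trunk: Trunk) -> tuple[int, bytes] | None:
    """Classify a frame arriving on the peer switch's trunk; None means dropped."""
    vid = outer_tag(frame)
    if vid is None:
        if trunk.tag_native:
            return None                         # untagged data frames dropped when native is tagged
        vid = trunk.native
        return (vid, frame) if vid in trunk.allowed else None
    return (vid, pop_tag(frame)) if vid in trunk.allowed else None

def hop(attacker_vlan: int, target_vlan: int, trunk: Trunk) -> int | None:
    """VLAN in which the attacker's double-tagged frame lands on the far switch."""
    frame = build_frame(TARGET_MAC, ATTACKER_MAC, [attacker_vlan, target_vlan],
                        payload=b"constructed payload")
    arrived = access_ingress(frame, attacker_vlan)
    if arrived is None:
        return None
    wire = trunk_egress(*arrived, trunk)
    if wire is None:
        return None
    landed = trunk_ingress(wire, trunk)
    return landed[0] if landed else None

ALL_VLANS = frozenset(range(1, 4095))
WEAK = Trunk(native=1, allowed=ALL_VLANS)                        # factory defaults
HARDENED = Trunk(native=666, allowed=frozenset({10, 100, 200, 300}))
TAGGED = Trunk(native=1, allowed=ALL_VLANS, tag_native=True)

if __name__ == "__main__":
    print("default trunk, attacker in VLAN 1 ->", hop(1, 300, WEAK))        # 300: hopped
    print("native 666, attacker in VLAN 100  ->", hop(100, 300, HARDENED))  # 100: stays put
    print("native 666, attacker in VLAN 1    ->", hop(1, 300, HARDENED))    # None: dropped
    print("tag native, attacker in VLAN 1    ->", hop(1, 300, TAGGED))      # 1: stays put
```

    The three outcomes map onto the hardening points: with factory defaults the frame lands in VLAN 300 because the first switch removed the outer tag; with the native VLAN moved to 666 the attacker's own VLAN is tagged on egress (or, for VLAN 1, not allowed at all), so the inner tag is never exposed; with native tagging on, the outer tag survives and the far switch files the frame under VLAN 1. Running hop from a non-native VLAN on the weak trunk also shows that the attack only works from the native VLAN.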

    Q3: What is the difference between switchport mode access and switchport mode trunk?

    An access port belongs to exactly one VLAN and sends/receives untagged frames (except for the voice VLAN). A trunk port carries traffic for multiple VLANs using 802.1Q tags. Access ports connect to endpoints; trunk ports connect to other switches, routers, firewalls, or hypervisor vSwitches.

    Q4: Why does my port end up in VLAN 1 even though I assigned it to VLAN 100?

    Usually it does not. When the VLAN you assign is missing from this switch's VLAN database, IOS in VTP server or transparent mode creates it on the spot (% Access VLAN does not exist. Creating vlan 100); in VTP client mode the port instead becomes inactive and forwards nothing, shown as Access Mode VLAN: 100 (Inactive) in show interfaces GigabitEthernet1/0/5 switchport. The same happens to every port in a VLAN that gets deleted. A port that is genuinely still in VLAN 1 never received the switchport access vlan 100 command, typically because it was typed on the wrong interface or interface range. Verify with show vlan brief and show interfaces ... switchport, create the VLAN with vlan 100 in global config, and on VTP client switches make sure the VTP server has VLAN 100 and the trunk between them allows it.

    Q5: What does "switchport nonegotiate" do, and should I always use it?

    switchport nonegotiate disables Dynamic Trunking Protocol (DTP) frames on the interface. With DTP left on (the default dynamic auto or dynamic desirable modes), a host that speaks DTP can negotiate the port into a trunk and reach every VLAN allowed on it. Use switchport nonegotiate on every port, both access and trunk, in a production network, after setting the mode explicitly with switchport mode access or switchport mode trunk (IOS rejects nonegotiate on a port still in dynamic mode).

    Q6: How do I enable inter-VLAN routing on a Catalyst 2960-X that is Layer 2 only?

    The Catalyst 2960-X does not support Layer 3 routing between VLANs. You must use the router-on-a-stick method: configure a trunk from the 2960-X to a router (ISR, ASR, or firewall), then create sub-interfaces with 802.1Q encapsulation on the router — one per VLAN. The router performs inter-VLAN routing. See Section 7.2 of this article for the full configuration.

    Q7: What is VTP pruning and should I enable it?

    VTP pruning prevents a trunk from flooding broadcast, multicast, and unknown unicast traffic for VLANs that have no active ports on the remote switch, which reduces unnecessary bandwidth usage. Enable it with vtp pruning on the VTP server. If you are using VTP transparent or off mode (recommended), pruning is irrelevant because you control the VLANs on each trunk manually with switchport trunk allowed vlan.

    Q8: What happens if native VLAN IDs don't match on the two ends of a trunk?

    CDP reports it with %CDP-4-NATIVE_VLAN_MISMATCH, and PVST+/Rapid-PVST+ detects it from the BPDUs as well (%SPANTREE-2-RECV_PVID_ERR), putting the port into a PVID-inconsistent blocking state for the affected VLANs until the mismatch is fixed. While it persists, frames sent untagged by one side are assigned to the other side's native VLAN, so traffic leaks between two VLANs. Always ensure both ends of a trunk have the same native VLAN configuration.

    Q9: How do I verify which VLAN a specific port is in?

    Use show interfaces GigabitEthernet1/0/5 switchport for detailed information, or show vlan brief to see all ports grouped by VLAN. For trunks, show interfaces trunk displays allowed and active VLANs. You can also use show mac address-table interface GigabitEthernet1/0/5 to see the MAC addresses learned on that port and their associated VLANs.

    Q10: Can I assign the same IP subnet to the same VLAN across multiple Layer 3 switches?

    Yes, but only one switch should be the active gateway for that subnet. Use HSRP (Hot Standby Router Protocol) or VRRP to share a virtual IP between two L3 switches for redundancy. For example, Switch-A has 10.0.100.2/24, Switch-B has 10.0.100.3/24, and the HSRP virtual IP is 10.0.100.1/24. Clients point their default gateway to 10.0.100.1. This is covered in depth in our upcoming HSRP/VRRP run book.
