VLAN Configuration on Cisco IOS Switch

When you first connect to a Cisco switch, almost everything lives in VLAN 1. That works for a tiny lab, but in any real network you need to separate traffic for security, performance, and organization. In this lesson, we’ll show the exact process of creating a new VLAN and moving ports into it—classic layer 2 segmentation you’ll see on the CCNA exam and in every production network.

Default State – Everything in VLAN 1

Right after boot or reset, run this command:

SW1# show vlan

You’ll see output similar to this (ports abbreviated for clarity):

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/22
                                                ... (most FastEthernet ports)
                                                Fa0/23, Fa0/24, Gi0/1, Gi0/2
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup 
1004 fddinet-default                  act/unsup 
1005 trnet-default                    act/unsup

Key points:

  • All user ports start in VLAN 1 (“default”).
  • VLANs 1002–1005 are legacy (FDDI, Token Ring, etc.) and marked unsupported on modern switches.
  • Every connected device shares the same broadcast domain—broadcasts and unknown unicasts flood everywhere.

Step 1: Create the New VLAN

Enter global configuration mode and create VLAN 50, giving it a descriptive name (optional but recommended):

SW1# configure terminal
SW1(config)# vlan 50
SW1(config-vlan)# name Computers
SW1(config-vlan)# exit

Immediately run show vlan again:

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                ... (most ports remain)
50   Computers                        active

VLAN 50 now exists and is active, even though no ports are assigned yet. Why active immediately? The VLAN is written to the vlan.dat file in flash and the switch considers it usable the instant it’s created (assuming the switch is in VTP server mode, which is the default, or in transparent mode).

Step 2: Assign Ports to the New VLAN

Move FastEthernet0/1 and FastEthernet0/2 into VLAN 50. Always set the mode to access first:

SW1(config)# interface fa0/1
SW1(config-if)# switchport mode access
SW1(config-if)# switchport access vlan 50
SW1(config-if)# exit

SW1(config)# interface fa0/2
SW1(config-if)# switchport mode access
SW1(config-if)# switchport access vlan 50
SW1(config-if)# exit

  • switchport mode access locks the port as an access port (no trunking, no DTP negotiation).
  • switchport access vlan 50 assigns untagged frames on that port to VLAN 50.

Verify with show vlan:

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3, Fa0/4, Fa0/5, Fa0/6
                                                Fa0/7, Fa0/8, Fa0/9, Fa0/10
                                                ... (remaining ports)
50   Computers                        active    Fa0/1, Fa0/2

Now Fa0/1 and Fa0/2 are exclusively in VLAN 50. A device connected to Fa0/1 can only communicate at layer 2 with other devices in VLAN 50. Broadcasts stay contained—no more flooding the entire switch.
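To check this result against intent across many ports, the following Python code (an added example, not part of the original lesson) parses show vlan output in the layout above and reports every port whose VLAN differs from an intended mapping. The function names, the sample output and the INTENDED mapping are constructed for illustration; a port reported with None is not listed by show vlan at all, which on IOS is what a port operating as a trunk looks like.

```python
import re

# Constructed sample in the "show vlan" layout shown above (not captured from a device).
# Fa0/2 is deliberately absent: IOS omits ports that are operating as trunks.
SAMPLE = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3, Fa0/4, Fa0/5, Fa0/6
                                                Fa0/7, Fa0/8, Gi0/1, Gi0/2
50   Computers                        active    Fa0/1
1002 fddi-default                     act/unsup

VLAN Type  SAID       MTU
1    enet  100001     1500
"""

ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s*(.*)$")  # id, name (no spaces), status, ports

def parse_show_vlan(text):
    """Map VLAN id -> list of member ports, reading only the first table."""
    vlans, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            if vlans:
                break            # blank line ends the first table
            continue
        m = ROW.match(line)
        if m:
            current = int(m.group(1))
            vlans[current] = []
            ports = m.group(4)
        elif current is not None and line[0].isspace():
            ports = line         # wrapped port list under the Ports column
        else:
            continue             # header and dashed separator
        vlans[current] += [p.strip() for p in ports.split(",") if p.strip()]
    return vlans

def audit(vlans, intended):
    """Return (port, intended_vlan, actual_vlan) per mismatch; None = not listed."""
    actual = {port: vid for vid, ports in vlans.items() for port in ports}
    return [(port, want, actual.get(port))
            for port, want in sorted(intended.items())
            if actual.get(port) != want]

INTENDED = {"Fa0/1": 50, "Fa0/2": 50, "Fa0/3": 50}  # hypothetical design intent
if __name__ == "__main__":
    print(audit(parse_show_vlan(SAMPLE), INTENDED))
```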

Why This Matters in Real Networks

Devices on Fa0/1 and Fa0/2 are now in their own broadcast domain. This is the foundation for:

  • Departmental separation (accounting vs. engineering)
  • Reducing broadcast traffic
  • Improving security (layer 2 isolation before ACLs or firewalls)
  • Easier troubleshooting (you know exactly which ports belong where)

Changes take effect instantly—no reload needed. Save your work afterward:

SW1# write memory

Quick Reference – Commands Used

  • Create VLAN: vlan 50 → name Computers
  • Assign port: switchport mode access → switchport access vlan 50
  • Verify: show vlan or show vlan brief
  • Detailed port status: show interfaces switchport

For deeper port details (recommended for troubleshooting):

SW1# show interfaces fa0/1 switchport

Common Misunderstandings to Avoid

  • Creating the VLAN does not automatically move ports—you must assign them manually.
  • Skipping switchport mode access can allow DTP to negotiate a trunk (especially on older IOS versions or non-default settings).
  • VLAN names are cosmetic—only the number matters to the switch.
  • VLAN 1 cannot be deleted and should not be used for user data in production.
  • No connectivity between VLANs without a layer 3 device (router or layer 3 switch) configured for inter-VLAN routing.
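Two of the points above (a port without switchport mode access, and access ports left in VLAN 1) can be checked from a saved configuration. The following Python code is an added example, not part of the original lesson; the configuration excerpt is constructed, and the function names and finding strings are hypothetical. It assumes that a port with no switchport access vlan line is in VLAN 1, and it skips ports explicitly configured as trunks.

```python
# Constructed running-config excerpt (not taken from a real device).
CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 50
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 50
!
interface FastEthernet0/3
 switchport mode access
!
interface GigabitEthernet0/1
 switchport mode trunk
!
"""

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from running-config text."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            stanzas[current] = []
        elif current and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None       # "!" or any global command ends the stanza
    return stanzas

def audit_access_ports(config):
    """Flag ports that are not pinned to access mode or that sit in VLAN 1."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode trunk" in cmds:
            continue             # explicitly configured trunks are out of scope
        if "switchport mode access" not in cmds:
            findings.append((name, "no 'switchport mode access'; DTP may negotiate a trunk"))
        # No explicit access VLAN line means the port is in VLAN 1.
        vlan = next((c.split()[-1] for c in cmds
                     if c.startswith("switchport access vlan ")), "1")
        if vlan == "1":
            findings.append((name, "access port left in VLAN 1"))
    return findings

if __name__ == "__main__":
    for name, issue in audit_access_ports(CONFIG):
        print(f"{name}: {issue}")
```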

Master these exact steps and outputs and you’ll handle VLAN configuration confidently on the exam and in the field.
