Learn how to create VLANs, assign access ports, and verify your VLAN configuration on Cisco Catalyst 9000 series switches using IOS XE 17.x.
Creating VLANs on Cisco Catalyst switches is the foundation of logical network segmentation, allowing you to isolate traffic, improve security, and optimize bandwidth allocation across your infrastructure. Whether you're building a new campus network or expanding an existing one, understanding how to create VLANs and assign ports is essential for every network engineer.
Understanding VLAN Creation on Catalyst
When you create a VLAN on a Catalyst switch, the configuration is stored in two places: the running-configuration (RAM) and the vlan.dat file (NVRAM). For standard-range VLANs (1-1005), the VLAN is automatically synchronized with vlan.dat during a reload. Understanding this behavior prevents accidental VLAN loss.
Creating VLANs in Global Configuration Mode
The standard method for creating VLANs on Catalyst 9000 series switches uses global configuration mode:
CORE-SW1# configure terminal
CORE-SW1(config)# vlan 10
CORE-SW1(config-vlan)# name Users
CORE-SW1(config-vlan)# exit
CORE-SW1(config)# vlan 20
CORE-SW1(config-vlan)# name Servers
CORE-SW1(config-vlan)# exit
CORE-SW1(config)# vlan 30
CORE-SW1(config-vlan)# name Mgmt
CORE-SW1(config-vlan)# exit
CORE-SW1(config)# vlan 40
CORE-SW1(config-vlan)# name Voice
CORE-SW1(config-vlan)# exit
CORE-SW1(config)# vlan 50
CORE-SW1(config-vlan)# name Guest
CORE-SW1(config-vlan)# exit
CORE-SW1(config)# vlan 99
CORE-SW1(config-vlan)# name Native
CORE-SW1(config-vlan)# exit
CORE-SW1(config)# vlan 999
CORE-SW1(config-vlan)# name Parking
CORE-SW1(config-vlan)# exit
CORE-SW1(config)# end
CORE-SW1# write memory
Each vlan command enters VLAN configuration mode where you can assign a descriptive name. The name helps administrators quickly identify the VLAN's purpose in show command output and network documentation. Without a name, VLANs appear as "VLAN####" in displays.
Assigning Access Ports to VLANs
After creating VLANs, assign physical ports to them using switchport commands. On an access port, all traffic on that port belongs to a single VLAN:
CORE-SW1(config)# interface GigabitEthernet 1/0/1
CORE-SW1(config-if)# switchport mode access
CORE-SW1(config-if)# switchport access vlan 10
CORE-SW1(config-if)# description Users-Access-Port-1
CORE-SW1(config-if)# no shutdown
CORE-SW1(config-if)# exit
CORE-SW1(config)# interface GigabitEthernet 1/0/2
CORE-SW1(config-if)# switchport mode access
CORE-SW1(config-if)# switchport access vlan 20
CORE-SW1(config-if)# description Servers-Access-Port-1
CORE-SW1(config-if)# no shutdown
CORE-SW1(config-if)# exit
The switchport mode access command configures the port in access mode (Layer 2 only, no trunking). The switchport access vlan command assigns the VLAN ID to that port. All frames transmitted on this port will be tagged with VLAN 10 internally; untagged frames received on the port are assumed to belong to VLAN 10.
Complete VLAN Configuration for ACC-SW1
Here's the full configuration for an access switch with all standard lab VLANs and port assignments:
ACC-SW1# configure terminal
ACC-SW1(config)# vlan 10
ACC-SW1(config-vlan)# name Users
ACC-SW1(config-vlan)# exit
ACC-SW1(config)# vlan 20
ACC-SW1(config-vlan)# name Servers
ACC-SW1(config-vlan)# exit
ACC-SW1(config)# vlan 30
ACC-SW1(config-vlan)# name Mgmt
ACC-SW1(config-vlan)# exit
ACC-SW1(config)# vlan 40
ACC-SW1(config-vlan)# name Voice
ACC-SW1(config-vlan)# exit
ACC-SW1(config)# vlan 50
ACC-SW1(config-vlan)# name Guest
ACC-SW1(config-vlan)# exit
ACC-SW1(config)# vlan 99
ACC-SW1(config-vlan)# name Native
ACC-SW1(config-vlan)# exit
ACC-SW1(config)# vlan 999
ACC-SW1(config-vlan)# name Parking
ACC-SW1(config-vlan)# exit
! Configure User ports
ACC-SW1(config)# interface range GigabitEthernet 1/0/1-10
ACC-SW1(config-if-range)# switchport mode access
ACC-SW1(config-if-range)# switchport access vlan 10
ACC-SW1(config-if-range)# description Users-Access-Ports
ACC-SW1(config-if-range)# no shutdown
ACC-SW1(config-if-range)# exit
! Configure Server ports
ACC-SW1(config)# interface range GigabitEthernet 1/0/11-14
ACC-SW1(config-if-range)# switchport mode access
ACC-SW1(config-if-range)# switchport access vlan 20
ACC-SW1(config-if-range)# description Servers-Access-Ports
ACC-SW1(config-if-range)# no shutdown
ACC-SW1(config-if-range)# exit
! Configure Management port
ACC-SW1(config)# interface GigabitEthernet 1/0/15
ACC-SW1(config-if)# switchport mode access
ACC-SW1(config-if)# switchport access vlan 30
ACC-SW1(config-if)# description Mgmt-Access-Port
ACC-SW1(config-if)# no shutdown
ACC-SW1(config-if)# exit
! Configure Voice ports
ACC-SW1(config)# interface range GigabitEthernet 1/0/16-18
ACC-SW1(config-if-range)# switchport mode access
ACC-SW1(config-if-range)# switchport access vlan 40
ACC-SW1(config-if-range)# description Voice-Access-Ports
ACC-SW1(config-if-range)# no shutdown
ACC-SW1(config-if-range)# exit
! Configure Guest ports
ACC-SW1(config)# interface range GigabitEthernet 1/0/19-21
ACC-SW1(config-if-range)# switchport mode access
ACC-SW1(config-if-range)# switchport access vlan 50
ACC-SW1(config-if-range)# description Guest-Access-Ports
ACC-SW1(config-if-range)# no shutdown
ACC-SW1(config-if-range)# exit
! Configure Parking (unused ports)
ACC-SW1(config)# interface range GigabitEthernet 1/0/22
ACC-SW1(config-if-range)# switchport mode access
ACC-SW1(config-if-range)# switchport access vlan 999
ACC-SW1(config-if-range)# description Parking-Port
ACC-SW1(config-if-range)# shutdown
ACC-SW1(config-if-range)# exit
ACC-SW1(config)# end
ACC-SW1# write memory
Verifying VLAN Configuration
After configuring VLANs and ports, verify the configuration using show commands. The show vlan brief command displays all VLANs and their assigned ports:
ACC-SW1# show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi1/0/23,Gi1/0/24
10 Users active Gi1/0/1,Gi1/0/2,Gi1/0/3,Gi1/0/4
Gi1/0/5,Gi1/0/6,Gi1/0/7,Gi1/0/8
Gi1/0/9,Gi1/0/10
20 Servers active Gi1/0/11,Gi1/0/12,Gi1/0/13,Gi1/0/14
30 Mgmt active Gi1/0/15
40 Voice active Gi1/0/16,Gi1/0/17,Gi1/0/18
50 Guest active Gi1/0/19,Gi1/0/20,Gi1/0/21
99 Native active
999 Parking active Gi1/0/22
The show interfaces switchport command shows detailed switchport configuration for individual ports or ranges:
ACC-SW1# show interfaces GigabitEthernet 1/0/1 switchport
Name: Gi1/0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 10 (Users)
Trunking Native Mode VLAN: 1 (default)
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Operational private-vlan: none
Trunking VLANs Enabled: All
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture Session ID - Common Session ID: 0
Protected Port: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
To view multiple ports at once, use the show interfaces command with a range:
ACC-SW1# show interfaces GigabitEthernet 1/0/1-10 switchport | include Name|Access Mode VLAN
Name: Gi1/0/1
Access Mode VLAN: 10 (Users)
Name: Gi1/0/2
Access Mode VLAN: 10 (Users)
Name: Gi1/0/3
Access Mode VLAN: 10 (Users)
Name: Gi1/0/4
Access Mode VLAN: 10 (Users)
Name: Gi1/0/5
Access Mode VLAN: 10 (Users)
Name: Gi1/0/6
Access Mode VLAN: 10 (Users)
Name: Gi1/0/7
Access Mode VLAN: 10 (Users)
Name: Gi1/0/8
Access Mode VLAN: 10 (Users)
Name: Gi1/0/9
Access Mode VLAN: 10 (Users)
Name: Gi1/0/10
Access Mode VLAN: 10 (Users)
Verification and Troubleshooting
Symptom: Hosts cannot ping each other on the same VLAN
Cause: Ports may not be assigned to the same VLAN, or one port is administratively down.
Fix: Verify port assignments with show vlan brief, check port status with show interfaces status, and confirm both ports are enabled (no shutdown).
ACC-SW1# show interfaces status | include Users|Gi1/0/1
Interface Name Status Vlan Duplex Speed Type
Gi1/0/1 Users-Access-Port-1 connected 10 a-full a-100 10/100/1000BaseTX
Gi1/0/2 Users-Access-Port-2 connected 10 a-full a-100 10/100/1000BaseTX
If a port shows "notconnect," the issue may be a cable problem or the connected device is down. Use show interfaces GigabitEthernet 1/0/1 to check physical status.
Symptom: VLAN configuration disappears after reload
Cause: VLANs 1-1005 are stored in vlan.dat, but if vlan.dat is deleted or corrupted, only VLAN 1 survives a reload.
Fix: Verify vlan.dat exists with show flash: or dir flash:. If missing, reconfigure VLANs and execute write memory to rebuild vlan.dat. For extended-range VLANs (1006-4094), always include them in running-config via vlan database or config mode, then copy running-config to startup-config.
ACC-SW1# show flash: | include vlan.dat
32 -rw- 786432 Mar 28 2026 17:42:31 +00:00 vlan.dat
Symptom: Wrong VLAN assigned to a port
Cause: Port assignment commands were entered incorrectly or overwritten by a misconfiguration script.
Fix: Re-enter the correct VLAN assignment for the port. The switchport access vlan command automatically replaces the previous assignment.
ACC-SW1(config)# interface GigabitEthernet 1/0/5
ACC-SW1(config-if)# switchport access vlan 20
ACC-SW1(config-if)# end
ACC-SW1# show interfaces GigabitEthernet 1/0/5 switchport | include Access Mode VLAN
Access Mode VLAN: 20 (Servers)
Key Takeaways
- Create VLANs in global configuration mode using
vlan <id>and assign a descriptive name for easy identification - Assign access ports using
switchport mode accessfollowed byswitchport access vlan <id> - Verify VLAN configuration with
show vlan briefto see all VLANs and their port members - Standard-range VLANs (1-1005) are automatically saved to vlan.dat; always execute
write memoryafter configuration changes - Use interface ranges (e.g.,
interface range Gi1/0/1-10) to efficiently configure multiple ports with the same VLAN assignment