Creating VLANs on Cisco Catalyst switches is the foundation of logical network segmentation, allowing you to isolate traffic, improve security, and optimize bandwidth allocation across your infrastructure. Whether you're building a new campus network or expanding an existing one, understanding how to create VLANs and assign ports is essential for every network engineer.
Understanding VLAN Creation on Catalyst
When you create a VLAN on a Catalyst switch, the configuration is stored in two places: the running-configuration (RAM) and the vlan.dat file (NVRAM). For standard-range VLANs (1-1005), the VLAN is automatically synchronized with vlan.dat during a reload. Understanding this behavior prevents accidental VLAN loss.
Creating VLANs in Global Configuration Mode
The standard method for creating VLANs on Catalyst 9000 series switches uses global configuration mode:
CORE-SW1# configure terminal
CORE-SW1(config)# vlan 10
CORE-SW1(config-vlan)# name Users
CORE-SW1(config-vlan)# exit
CORE-SW1(config)# vlan 20
CORE-SW1(config-vlan)# name Servers
CORE-SW1(config-vlan)# exit
CORE-SW1(config)# vlan 30
CORE-SW1(config-vlan)# name Mgmt
CORE-SW1(config-vlan)# exit
CORE-SW1(config)# vlan 40
CORE-SW1(config-vlan)# name Voice
CORE-SW1(config-vlan)# exit
CORE-SW1(config)# vlan 50
CORE-SW1(config-vlan)# name Guest
CORE-SW1(config-vlan)# exit
CORE-SW1(config)# vlan 99
CORE-SW1(config-vlan)# name Native
CORE-SW1(config-vlan)# exit
CORE-SW1(config)# vlan 999
CORE-SW1(config-vlan)# name Parking
CORE-SW1(config-vlan)# exit
CORE-SW1(config)# end
CORE-SW1# write memory
Each vlan command enters VLAN configuration mode where you can assign a descriptive name. The name helps administrators quickly identify the VLAN's purpose in show command output and network documentation. Without a name, VLANs appear as "VLAN####" in displays.
Assigning Access Ports to VLANs
After creating VLANs, assign physical ports to them using switchport commands. On an access port, all traffic on that port belongs to a single VLAN:
CORE-SW1(config)# interface GigabitEthernet 1/0/1
CORE-SW1(config-if)# switchport mode access
CORE-SW1(config-if)# switchport access vlan 10
CORE-SW1(config-if)# description Users-Access-Port-1
CORE-SW1(config-if)# no shutdown
CORE-SW1(config-if)# exit
CORE-SW1(config)# interface GigabitEthernet 1/0/2
CORE-SW1(config-if)# switchport mode access
CORE-SW1(config-if)# switchport access vlan 20
CORE-SW1(config-if)# description Servers-Access-Port-1
CORE-SW1(config-if)# no shutdown
CORE-SW1(config-if)# exit
The switchport mode access command configures the port in access mode (Layer 2 only, no trunking). The switchport access vlan command assigns the VLAN ID to that port. All frames transmitted on this port will be tagged with VLAN 10 internally; untagged frames received on the port are assumed to belong to VLAN 10.
Complete VLAN Configuration for ACC-SW1
Here's the full configuration for an access switch with all standard lab VLANs and port assignments:
ACC-SW1# configure terminal
ACC-SW1(config)# vlan 10
ACC-SW1(config-vlan)# name Users
ACC-SW1(config-vlan)# exit
ACC-SW1(config)# vlan 20
ACC-SW1(config-vlan)# name Servers
ACC-SW1(config-vlan)# exit
ACC-SW1(config)# vlan 30
ACC-SW1(config-vlan)# name Mgmt
ACC-SW1(config-vlan)# exit
ACC-SW1(config)# vlan 40
ACC-SW1(config-vlan)# name Voice
ACC-SW1(config-vlan)# exit
ACC-SW1(config)# vlan 50
ACC-SW1(config-vlan)# name Guest
ACC-SW1(config-vlan)# exit
ACC-SW1(config)# vlan 99
ACC-SW1(config-vlan)# name Native
ACC-SW1(config-vlan)# exit
ACC-SW1(config)# vlan 999
ACC-SW1(config-vlan)# name Parking
ACC-SW1(config-vlan)# exit
! Configure User ports
ACC-SW1(config)# interface range GigabitEthernet 1/0/1-10
ACC-SW1(config-if-range)# switchport mode access
ACC-SW1(config-if-range)# switchport access vlan 10
ACC-SW1(config-if-range)# description Users-Access-Ports
ACC-SW1(config-if-range)# no shutdown
ACC-SW1(config-if-range)# exit
! Configure Server ports
ACC-SW1(config)# interface range GigabitEthernet 1/0/11-14
ACC-SW1(config-if-range)# switchport mode access
ACC-SW1(config-if-range)# switchport access vlan 20
ACC-SW1(config-if-range)# description Servers-Access-Ports
ACC-SW1(config-if-range)# no shutdown
ACC-SW1(config-if-range)# exit
! Configure Management port
ACC-SW1(config)# interface GigabitEthernet 1/0/15
ACC-SW1(config-if)# switchport mode access
ACC-SW1(config-if)# switchport access vlan 30
ACC-SW1(config-if)# description Mgmt-Access-Port
ACC-SW1(config-if)# no shutdown
ACC-SW1(config-if)# exit
! Configure Voice ports
ACC-SW1(config)# interface range GigabitEthernet 1/0/16-18
ACC-SW1(config-if-range)# switchport mode access
ACC-SW1(config-if-range)# switchport access vlan 40
ACC-SW1(config-if-range)# description Voice-Access-Ports
ACC-SW1(config-if-range)# no shutdown
ACC-SW1(config-if-range)# exit
! Configure Guest ports
ACC-SW1(config)# interface range GigabitEthernet 1/0/19-21
ACC-SW1(config-if-range)# switchport mode access
ACC-SW1(config-if-range)# switchport access vlan 50
ACC-SW1(config-if-range)# description Guest-Access-Ports
ACC-SW1(config-if-range)# no shutdown
ACC-SW1(config-if-range)# exit
! Configure Parking (unused ports)
ACC-SW1(config)# interface range GigabitEthernet 1/0/22
ACC-SW1(config-if-range)# switchport mode access
ACC-SW1(config-if-range)# switchport access vlan 999
ACC-SW1(config-if-range)# description Parking-Port
ACC-SW1(config-if-range)# shutdown
ACC-SW1(config-if-range)# exit
ACC-SW1(config)# end
ACC-SW1# write memory
Verifying VLAN Configuration
After configuring VLANs and ports, verify the configuration using show commands. The show vlan brief command displays all VLANs and their assigned ports:
ACC-SW1# show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi1/0/23,Gi1/0/24
10 Users active Gi1/0/1,Gi1/0/2,Gi1/0/3,Gi1/0/4
Gi1/0/5,Gi1/0/6,Gi1/0/7,Gi1/0/8
Gi1/0/9,Gi1/0/10
20 Servers active Gi1/0/11,Gi1/0/12,Gi1/0/13,Gi1/0/14
30 Mgmt active Gi1/0/15
40 Voice active Gi1/0/16,Gi1/0/17,Gi1/0/18
50 Guest active Gi1/0/19,Gi1/0/20,Gi1/0/21
99 Native active
999 Parking active Gi1/0/22
The show interfaces switchport command shows detailed switchport configuration for individual ports or ranges:
ACC-SW1# show interfaces GigabitEthernet 1/0/1 switchport
Name: Gi1/0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 10 (Users)
Trunking Native Mode VLAN: 1 (default)
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Operational private-vlan: none
Trunking VLANs Enabled: All
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture Session ID - Common Session ID: 0
Protected Port: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
To view multiple ports at once, use the show interfaces command with a range:
ACC-SW1# show interfaces GigabitEthernet 1/0/1-10 switchport | include Name|Access Mode VLAN
Name: Gi1/0/1
Access Mode VLAN: 10 (Users)
Name: Gi1/0/2
Access Mode VLAN: 10 (Users)
Name: Gi1/0/3
Access Mode VLAN: 10 (Users)
Name: Gi1/0/4
Access Mode VLAN: 10 (Users)
Name: Gi1/0/5
Access Mode VLAN: 10 (Users)
Name: Gi1/0/6
Access Mode VLAN: 10 (Users)
Name: Gi1/0/7
Access Mode VLAN: 10 (Users)
Name: Gi1/0/8
Access Mode VLAN: 10 (Users)
Name: Gi1/0/9
Access Mode VLAN: 10 (Users)
Name: Gi1/0/10
Access Mode VLAN: 10 (Users)
Verification and Troubleshooting
Symptom: Hosts cannot ping each other on the same VLAN
Cause: Ports may not be assigned to the same VLAN, or one port is administratively down.
Fix: Verify port assignments with show vlan brief, check port status with show interfaces status, and confirm both ports are enabled (no shutdown).
ACC-SW1# show interfaces status | include Users|Gi1/0/1
Interface Name Status Vlan Duplex Speed Type
Gi1/0/1 Users-Access-Port-1 connected 10 a-full a-100 10/100/1000BaseTX
Gi1/0/2 Users-Access-Port-2 connected 10 a-full a-100 10/100/1000BaseTX
If a port shows "notconnect," the issue may be a cable problem or the connected device is down. Use show interfaces GigabitEthernet 1/0/1 to check physical status.
Symptom: VLAN configuration disappears after reload
Cause: VLANs 1-1005 are stored in vlan.dat, but if vlan.dat is deleted or corrupted, only VLAN 1 survives a reload.
Fix: Verify vlan.dat exists with show flash: or dir flash:. If missing, reconfigure VLANs and execute write memory to rebuild vlan.dat. For extended-range VLANs (1006-4094), always include them in running-config via vlan database or config mode, then copy running-config to startup-config.
ACC-SW1# show flash: | include vlan.dat
32 -rw- 786432 Mar 28 2026 17:42:31 +00:00 vlan.dat
Symptom: Wrong VLAN assigned to a port
Cause: Port assignment commands were entered incorrectly or overwritten by a misconfiguration script.
Fix: Re-enter the correct VLAN assignment for the port. The switchport access vlan command automatically replaces the previous assignment.
ACC-SW1(config)# interface GigabitEthernet 1/0/5
ACC-SW1(config-if)# switchport access vlan 20
ACC-SW1(config-if)# end
ACC-SW1# show interfaces GigabitEthernet 1/0/5 switchport | include Access Mode VLAN
Access Mode VLAN: 20 (Servers)
Key Takeaways
- Create VLANs in global configuration mode using
vlan <id>and assign a descriptive name for easy identification - Assign access ports using
switchport mode accessfollowed byswitchport access vlan <id> - Verify VLAN configuration with
show vlan briefto see all VLANs and their port members - Standard-range VLANs (1-1005) are automatically saved to vlan.dat; always execute
write memoryafter configuration changes - Use interface ranges (e.g.,
interface range Gi1/0/1-10) to efficiently configure multiple ports with the same VLAN assignment
