Virtual LAN (VLAN)

VLAN Creation

When you create a VLAN, it gets added to either:

the VLAN database (vlan.dat in bootflash)
or the running-config (for extended VLANs)

Normal VLANs (1–1005)

Stored in vlan.dat
Not saved in running-config
Persist through reload if vlan.dat is present

Extended VLANs (1006–4094)

Stored in running-config
Saved to NVRAM on write mem
Used for internal VLANs, routed ports, etc.

(config)# vlan 10

What Happens Internally?

When a VLAN is created, the switch instantiates:

A [[Spanning Tree Protocol (STP)]] instance.
An entry in the [[MAC Address Table]].

You can verify with:

show spanning-tree vlan 10
show mac address-table vlan 10

Access vs Trunk Ports

Access Ports

interface FastEthernet1/0/2
  switchport mode access
  switchport access vlan 30

Forwards only VLAN 30
Drops all tagged traffic (except [[CDP & LLDP]])
Can use voice VLAN if configured

Trunk Ports

interface GigabitEthernet1/0/24
  switchport trunk encapsulation dot1q
  switchport mode trunk
  switchport trunk native vlan 99
  switchport trunk allowed vlan 1-50

Carries multiple VLANs
Tags all VLANs except the native VLAN (in this case, 99)
- When untagged traffic is received on a trunk port, it is considered to be a part of the native VLAN (defaults to 1).
Ideal for switch uplinks and routed links

Tune trunks with the following:

interface GigabitEthernet1/0/24
  switchport trunk allowed vlan allowed 1-50
  switchport trunk allowed vlan remove 1-5
  switchport trunk allowed vlan add 1-5

Internal VLANs

If you apply no switchport on a Layer 2 interface, the switch allocates an internal VLAN behind the scenes. This is required to bind Layer 3 interfaces to the switching backend.

interface Ethernet1/1
  no switchport

This allocates a VLAN from the extended range (1006–4094).

By default, internal VLANs are assigned in ascending order starting at 1006, but you can reverse it:

vlan internal allocation policy descending

Verify with:

show running-config | include internal
show vlan internal usage

VLAN Usage
---- --------------------
1006 GigabitEthernet0/0
4094 GigabitEthernet0/1

Note: In this example, descending mode was applied after some internal VLANs were already allocated, which is why you see both high and low VLANs being used.

Voice VLANs

Voice VLANs help IP phones (like Cisco VoIP phones) get placed into the correct VLAN using CDP advertisements. These phones often have built-in switches, allowing a PC to daisy-chain through them.

There are multiple ways to design this, depending on how voice and data traffic should behave.

Option 1: Voice and Data on Same VLAN

interface FastEthernet1/0/1
  switchport mode access
  switchport access vlan 10

Everything (PC + phone) goes on VLAN 10 — no voice isolation or QoS differentiation.

Option 2: Separate Voice and Data VLANs

interface FastEthernet1/0/1
  switchport mode access
  switchport access vlan 10
  switchport voice vlan 20

PC is untagged on VLAN 10
Phone tags voice frames as VLAN 20

Clean separation, better for QoS and security.

Option 3: Same VLAN, But QoS via Dot1p

Let’s say you want PC and phone on the same VLAN but still prioritize voice traffic.

interface FastEthernet1/0/1
  switchport mode access
  switchport access vlan 10
  switchport voice vlan dot1p

In this case:

PC sends untagged frames on VLAN 10
Phone sends tagged frames with VLAN ID 0, but with CoS = 5
Switch reclassifies VLAN 0 → VLAN 10 internally, but preserves QoS

Commands Reference

Action	Command
Create VLAN	`vlan [ID]`
Assign VLAN to Access Port	`switchport access vlan [ID]`
Enable Voice VLAN	`switchport voice vlan [ID]`
Enable Dot1p Voice	`switchport voice vlan dot1p`
Set Internal VLAN Allocation Order	`vlan internal allocation policy [ascending\|descending]`
Make Port Routed	`no switchport`
Show Internal VLAN Usage	`show vlan internal usage`
Show VLAN Config	`show vlan brief`