This tutorial explains how to create and assign VLAN, VLAN Membership (Static and Dynamic), Router on Stick and Spanning Tree Protocol (STP) in detail with practical examples in packet tracer. Learn how to create and manage VLAN in Cisco switch step by step.
Create a practice lab in packet tracer as shown in following figure or download pre-created practice lab from second part of this tutorial.
Configuration on the switch is to have the management of the switch controlled through VLAN 1. However, a best practice for basic switch configuration is to change the management VLAN to a VLAN other than VLAN 1. The implications and reasoning behind this action are explained in the next chapter. For management purposes, we will use VLAN 99. Implement VLANs Configuration on a Cisco Switch is easy with this tutorial. Learn how to create and name VLANs, then associate them to end devices.
This is the last part of our article 'VLAN, VTP, DTP, STP and Router on Stick Explained with Examples'. You can read other parts of this article here:-
This is the first part of this article. In this part we explained basic concepts of VLAN such as What VLAN is, Advantage of VLAN, VLAN membership Static and Dynamic, VLAN Connections; Access link and trunk links, trunk tagging and how VLAN add additional layer of security with examples.
This is the second part of this article. In this part we explained how to create a practice lab in Packet Tracer. You can create practice lab by following the instruction or alternatively download pre created lab. This lab will we used to demonstrate the configuration part of VLAN, VTP, DTP, STP and router on stick.
This the third part of this article. In this part we explained VTP mode with examples including VTP Server mode, VTP Client mode and VTP transparent mode. Later we configured VTP protocol in our practice lab.
This the fourth part of this article. In this part we explained access link, trunk link, VLAN tagging process, VLAN tagging protocol ISL and 802.1Q, Dynamic trunking protocol and DTP mode with examples. Later in this part we configured trunking in our practice lab.
Creating VLAN
In practice lab network Office1 Switch is configured as VTP Server. Office2 and Office3 switches are configured as VTP clients. We only need to create VLANs in VTP Server. VTP Server will propagate this information to all VTP clients automatically.
vlan vlan number command is used to create the VLAN.
Office 1 Switch
Assigning VLAN Membership
VLAN can be assigned statically or dynamically. CCNA exam only includes static method; therefore we will also use static method to assign VLAN membership. switchport access vlan [vlan number ] command is used to assign VLAN to the interface. Following commands will assign VLANs to the interfaces.
Office 1 Switch
Basic Switch Configuration Steps
Office 2 Switch
Office 3 Switch
We have successfully assigned VLAN membership. It's time to test our configuration. To test this configuration, we will use ping command. ping command is used to test connectivity between two devices. As per our configuration, devices from same VLAN can communicate. Devices from different VLANs must not be able to communicate with each other without router.
Testing VLAN configuration
Access PC's command prompt to test VLAN configuration. Double click PC-PT and click Command Prompt
We have two VLAN configurations VLAN 10 and VLAN 20. Let's test VLAN 10 first. In VLAN 10 we have three PCs with IP addresses 10.0.0.2, 10.0.0.3 and 10.0.0.4. These PCs must be able to communicate with each other's. At this point PCs from VLAN 10 should not be allowed to access PCs from VLAN 20. VLAN 20 also has three PCs 20.0.0.2, 20.0.0.3 and 20.0.0.4.
We have successfully implemented VLAN 10 now test VLAN 20.
Same as VLAN 10, PCs from VLAN 20 must be able to communicate with other PCs of same VLAN while they should not be able to access VLAN 10.
Congratulations we have successfully achieved one more mile stones of this article.
Configure Router on Stick
Typically routers are configured to receive data on one physical interface and forward that data from another physical interface based on its configuration. Each VLAN has a layer 3 address that should be configured as default gateway address on all its devices. In our scenario we reserved IP address 10.0.0.1 for VLAN 10 and 20.0.0.1 for VLAN 20.
With default configuration we need two physical interfaces on router to make this intra VLAN communication. Due to price of router, it’s not a cost effective solution to use a physical interface of router for each VLAN. Usually a router has one or two Ethernet interface. For example if we have 50 VLANs, we would need nearly 25 routers in order to make intra VLANs communications. To deal with situation we use Router on Stick.
Router on Stick is router that supports trunk connection and has an ability to switch frames between the VLANs on this trunk connection. On this router, single physical interface is sufficient to make communication between our both VLANs.
Access command prompt of Router
To configure Router on Stick we have to access CLI prompt of Router. Click Router and Click CLI from menu items and Press Enter key to access the CLI
Run following commands in same sequence to configure Router on Stick
- In above configuration we broke up single physical interface [FastEthernet 0/0] into two logical interfaces, known as sub-interfaces. Router supports up to 1000 interfaces including both physical and logical.
- By default interface link works as access link. We need to change it into trunk link. encapsulation commands specify the trunk type and associate VLAN with sub-interface.
- In next step we assigned IP address to our sub-interface.
That's all configuration we need to switch VLANs. Now we can test different VLAN communications. To test intra VLANs communication open command prompt of PC and ping the PC of other VLAN.
PC [10.0.0.3] from VLAN 10 can now access PC [20.0.0.2] from VLAN 20.
Spanning Tree Protocol (STP)
STP is a layer 2 protocol, used for removing loops. For backup purpose we typically create backup links for important resources. In our scenario, all offices have backup links that create loops in topology. STP automatically removes layer 2 loops. STP multicasts frame that contain information about switch interfaces. These frames are called BPDU (Bridge Protocol Data Units). Switch use BPDUs to learn network topology. If it found any loop, it will automatically remove that. To remove loop, STP disables port or ports that are causing it.
How to configure VLAN VTP DTP cheat sheet
| Command | Descriptions |
| Switch(config)#vtp mode server | Configure Switch as VTP Server |
| Switch(config)#vtp mode client | Configure Switch as VTP Client |
| Switch(config)#vtp mode transparent | Configure Switch as VTP Transparent |
| Switch(config)#no vtp mode Configure | Switch to default VTP Server Mode |
| Switch(config)#vtp domain domain-name | Set VTP Domain name. |
| Switch(config)#vtp password password | Set VTP password. Password is case sensitive |
| Switch#show vtp status | Display VTP status including general information |
| Switch#show vtp counters | Show VTP counters of switch |
| Switch(config-if) #switchport mode trunk | Change interface mode in Trunk |
| Switch(config)#vlan 10 | Create VLAN and associate number ID 10 with it |
| Switch(config-vlan)#name Sales | Assign name to VLAN |
| Switch(config-vlan)#exit | Return in Global configuration mode from VLAN configuration mode |
| Switch(config)#interface fastethernet 0/1 | Enter in interface configuration mode |
| Switch(config-if)#switchport mode access | Set interface link type to access link |
| Switch(config-if)#switchport access vlan 10 | Assign this interface to VLAN 10 |
| Switch#show vlan | Displays VLAN information |
| Switch#show vlan brief | Displays VLAN information in short |
| Switch#show vlan id 10 | Displays information VLAN ID 10 only |
| Switch#show vlan name sales | Displays information about VLAN named sales only |
| Switch(config)#interface fastethernet 0/8 | Enter in Interface configuration mode |
| Switch(config-if)#no switchport access vlan 10 | Removes interface from VLAN 10 and reassigns it to the default VLAN - VLAN 1 |
| Switch(config-if)#exit | Move back to Global configuration mode |
| Switch(config)#no vlan 10 | Delete VLAN 10 from VLAN database |
| Switch#copy running-config startup-config | Saves the running configuration in NVRAM |
Use this configured topology for cross check if you are not getting the same output after following all steps.
That's all for this article. I hope you have enjoyed this tutorial.
This tutorial explains basic switch configuration commands in detail with examples. Configuration and commands explained in this tutorial are essential commands to manage a Cisco switch effectively. Learn how to configure and manage a Cisco Switch step by step with this basic switch commands and configuration guide.
To explain basic switch configuration commands, I will use packet tracer network simulator software. You can use any network simulator software or can use a real Cisco switch to follow this guide. There is no difference in output as long as your selected software contains the commands explained in this tutorial.
Create a practice lab as shown in following figure or download this pre-created practice lab and load in packet tracer
If require, you can download the latest as well as earlier version of Packet Tracer from here. Download Packet Tracer
In this topology
- Two 2960 Series switches are used.
- Switch1 (Interfarce Gig1/1) is connected with Switch2 (Interface Gig1/1) via cross cable.
- Switch1 has two PCs connected on interfaces Eth0/1 and Eth0/2 via straight through cable.
- Same as switch1, Switch2 also has two PCs connected on its interfaces Eth0/1 and Eth0/2.
- IP address is configured on all PCs PC0 (192.168.1.1/24), PC1 (192.168.1.2/24), PC2 (192.168.1.3/24), PC3 (192.168.1.4/24).
Click Switch1 and click CLI menu item and press Enter Key
Navigating between different switch command modes
Cisco switches run on proprietary OS known as Cisco IOS. IOS is a group of commands used for monitoring, configuring and maintaining cisco devices. For security and easy administration, IOS commands are divided in the set of different command modes. Each command mode has its own set of commands. Which commands are available to use, depend upon the mode we are in.
Following table lists necessary commands to navigate between different IOS modes with examples.
| Mode | Purpose | Prompt | Command to enter | Command to exit |
| User EXEC | Allow you to connect with remote devices, perform basic tests, temporary change terminal setting and list system information | Router > | Default mode after booting. Login with password, if configured. | Use exit command |
| Privileged EXEC | Allow you to set operating parameters. It also includes high level testing and list commands like show, copy and debug. | Router # | Use enable command from user exec mode | Use exit command |
| Global Configuration | Contain commands those affect the entire system | Router(config)# | Use configure terminal command from privileged exec mode | Use exit command |
| Interface Configuration | Contain commands those modify the operation of an interface | Router(config-if)# | Use interface type number command from global configuration mode | Use exit command to return in global configuration mode |
| Sub-Interface Configuration | Configure or modify the virtual interface created from physical interface | Router(config-subif) | Use interface type sub interface number command from global configuration mode or interface configure mode | Use exit to return in previous mode. Use end command to return in privileged exec mode. |
| Setup | Used by router to create initial configuration, if running configuration is not present | Parameter[Parameter value]: | Router will automatically insert in this mode if running configuration is not present | Press CTRL+C to abort. Type Yes to save configuration, or No to exit without saving when asked in the end of setup. |
| ROMMON | If router automatically enter in this mode, then it indicates that it fails to locate a valid IOS image. Manual entrance in this mode Allow you to perform low-level diagnostics. | ROMMON> | Enter reload command from privileged exec mode. Press CTRL + C key combination during the first 60 seconds of booting process | Use exit command. |
How to get help on Cisco Switch command mode
Switch provides two types of context sensitive help, word help and command syntax help.
Word help
Word help is used to get a list of available commands that begin with a specific letter. For example if we know that our command begins with letter e, we can hit enter key after typing e? at command prompt. It will list all possible commands that begin with letter e.
We can list all available commands, if we don't know the initials of our command. For example to list all available commands at User exec mode, just type ? at command prompt and hit enter key.
Command syntax help
Command syntax help can be used to get the list of keyword, commands, or parameters that are available starting with the keywords that we had already entered. Enter ? (Question mark) after hitting Space key and prompt will return with the list of available command options. For example to know the parameters required by show ip command type show ip ? and prompt will return with all associate parameters. If prompt returns with <CR> only as an option, that means switch does not need any additional parameters to complete the command. You can execute the command in current condition.
How to set name on switch
Switch name can be set from global configuration mode. Use hostname [desired hostname] command to set name on switch.
How to set password on a Catalyst switch
Passwords are used to restrict physical access to switch. Cisco switch supports console line for local login and VTYs for remote login. All supported lines need be secure for User Exec mode. For example if you have secured VTYs line leaving console line unsecure, an intruder can take advantage of this situation in connecting with device. Once you are connected with device, all remaining authentication are same. No separate configuration is required for further modes.
Password can be set from their respective line mode. Enter in line mode from global configuration mode.
VTY term stand for virtual terminal such as telnet or SSH. Switch may support up to thousand VTYs lines. By default first five (0 - 4) lines are enabled. If we need more lines, we have to enable them manually. 2960 Series switch supports 16 lines. We can set a separate password for each line, for that we have to specify the number of line. In our example we set a common password for all lines.
Above method is good for small companies, where numbers of network administrators are very few. In above method we have to share password between all administrators. Switch supports both local and remote server authentication. Remote server authentication is a complex process and not included in any entry level exams. For this article I am also skipping remote server method. In local database authentication method switch allows us to set a separate password for each user. Two global configuration commands are used to set local user database.
Both commands do same job. Advantage of using secret option over password option is that in secret option password is stored in MD5 encryption format while in password option password is stored in plain text format.
Along with User Exec mode we can also secure Privilege Exec mode. Two commands are available for it.
Again as I mentioned earlier, password stored with secret command is encrypted while password stored with password command remains in plain text. You only need to use single command. If you would use both commands as I did, enable secret command would automatically replace the enable password command.
How to reset switch to factory defaults
During the practice several times we have to reset switch to factory defaults. Make sure you don't run following commands in production environment unless you understand their effect clearly. Following commands will erase all configurations. In production environment you should always takes backup before removing configurations. In LAB environment we can skip backup process.
How to set IP address in Switch
IP address is the address of device in network. Switch allows us to set IP address on interface level. IP address assigned on interface is used to manage that particular interface. To manage entire switch we have to assign IP address to VLAN1( Default VLAN of switch). We also have to set default gateway IP address from global configuration mode. In following example we would assign IP 172.16.10.2 255.255.255.0 to VLAN1 and set default gateway to 172.16.10.1.
How to set interface description
Switches have several interfaces. Adding description to interface is a good habit. It may help you in finding correct interface. In following example we would add description Development VLAN to interface FastEthernet 0/1.
How to clear mac address table
Switch stores MAC addresses in MAC address table. Gradually it could be full. Once it full, switch automatically starts removing old entries. You can also clear these tables manually from privileged exec mode. To delete all entries use following command
To delete only dynamic entries use
How to add static MAC address in CAM table
For security purpose sometime we have to add mac address in CAM table manually. To add static MAC address in CAM table use following command
In above command we entered an entry for static MAC address aaaa.aaaa.aaaa assigned to FastEnternet 0/1 with default VLAN1.
How to save running configuration in switch
Switch keeps all running configuration in RAM. All data from RAM is erased when we turned off the device. To save running configuration use following command
How to set duplex mode
Switch automatically adjust duplex mode depending upon remote device. We could change this mode with any of other supported mode. For example to force switch to use full duplex mode use
To use half duplex useshow version
show version command provides general information about device including its model number, type of interfaces, its software version, configuration settings, location of IOS and configuration files and available memories.
show mac-address-table
Switch stores MAC address of devices those are attached with its interfaces in CAM table. We can use show mac-address-table command to list all learned devices. Switch uses this table to make forward decision.
show flash
Switch stores IOS image file in flash memory. show flash command will list the content of flash memory. This command is useful to get information about IOS file and available memory space in flash.
show running-config
Configuration parameter values are created, stored, updated and deleted from running configuration. Running configuration is stored in RAM. We can use show running-config command to view the running configuration.
show startup-config
Any configuration stored in RAM is erased when devices is turned off. We can save running configuration in NVRAM. If we have saved running configuration in NVRAM, it would be automatically loaded back in RAM from NVRAM during the next boot. As switch load this configuration back in RAM in startup of device, at NVRAM it is known as startup-config.
show vlan
show vlan command will display the VLANs. For administrative purpose, switch automatically create VLAN 1 and assign all its interfaces to it. You can create custom VLANs from global configuration mode and then assign them to interfaces.
show interface
show interface command displays information about interfaces. Without argument it would list all interfaces. To get information about specific interface we need to pass its interface number as an argument. For example to view details about FastEthernet 0/1, use show interface fastethernet 0/1.
First line from output provides information about the status of interface.
The first up indicates the status of the physical layer, and the second up indicates to the status of the data link layer.
Possible interface status
- up and up :- Interface is operational.
- up and down :- Its data link layer problem.
- down and down :- Its physical layer problem.
- Administratively down and down :- Interface is disabled with shutdown command.
Possible values for physical layer status
- Up :- Switch is sensing physical layer signal.
- Down :- Switch is not sensing physical layer signal. Possible reasons could be cable is not connected, wrong cable type is used and remote end device is turned off.
- Administratively down :- Interface is disabled by using shutdown command.
Possible values for data link layer status
- Up :- The data link layer is operational.
- Down :- The data link layer is not operational. Possible reasons could be a disabled physical layer, missed keep alives on a serial link, no clocking or an incorrect encapsulation type.
show ip interface brief
show ip interface brief is a extremely useful command to get quick overview of all interfaces on switch. It lists their status including IP address and protocol.
Step By Step Cisco Switch Configuration Pdf
That’s all for this article.