Port configurations on Cisco Catalyst switches
Published on
13,611 Points
I see many questions here on Experts Exchange regarding switch port configurations and trunks. This article is meant for beginners in the subject to help to get basic knowledge about Virtual Local Area Network (VLAN) and port-configurations in Cisco Catalyst switches.
An Ethernet-frame (packet) can be either tagged or untagged. The default is untagged. When a frame is tagged, an extra 802.1q header is placed first in each frame, containing a VLAN id, a number normally between 1 and 2004. Each VLAN is a separate broadcast domain and should use different IP network addressing. As you probably know, a switch cannot pass traffic between different VLANs.
A switch port can be configured either as an access port or as a trunk. An access port sends and receives traffic to/from one single VLAN, untagged. This is the normal thing for connecting PCs and other non trunk-aware equipment into a switch. The default configuration for a switch port is to be configured as an access port in VLAN 1. It looks like this:
In case of connecting non trunk-aware equipment to another VLAN than default VLAN 1, this is specified with the switch port "access vlan" command which is now visible:
To configure a trunk, change the switch mode to trunk. The default is to carry all VLANs.
To filter which VLANs should be available on the trunk, add the "allowed vlan" command:
In case of reconfiguring a trunk port to an access port or vice versa there can be "unused" configuration lines left in the config. For example:
Do always first look in the port configuration if it is configured as an access port or a trunk port so that you know which of the other commands in the commands that are in use.
In case of a trunk port frames on all VLANs are sent as tagged, with the VLAN id attached to the frame. One exception for this is the "native VLAN". By default VLAN 1 is the native VLAN and is sent untagged. This can be changed with the "switch port trunk native vlan x" command. Obviously, though, there can only be one native VLAN configured on each port.
In the configuration above, frames from VLAN 1, 5, 7 and 9 are sent tagged with respective VLAN id while frames from VLAN 6 are sent without a tag.
An Ethernet-frame (packet) can be either tagged or untagged. The default is untagged. When a frame is tagged, an extra 802.1q header is placed first in each frame, containing a VLAN id, a number normally between 1 and 2004. Each VLAN is a separate broadcast domain and should use different IP network addressing. As you probably know, a switch cannot pass traffic between different VLANs.
A switch port can be configured either as an access port or as a trunk. An access port sends and receives traffic to/from one single VLAN, untagged. This is the normal thing for connecting PCs and other non trunk-aware equipment into a switch. The default configuration for a switch port is to be configured as an access port in VLAN 1. It looks like this:
Interface FastEthernet0/1
switchport mode access (default, invisible)
switchport access vlan 1 (default, invisible)
!
In case of connecting non trunk-aware equipment to another VLAN than default VLAN 1, this is specified with the switch port "access vlan" command which is now visible:
Interface FastEthernet0/1
switchport mode access (default, invisible)
switchport access vlan 2
!
To configure a trunk, change the switch mode to trunk. The default is to carry all VLANs.
Interface FastEthernet0/1
switchport mode trunk
switchport trunk allowed vlan 1-2004 (default, invisible)
!
To filter which VLANs should be available on the trunk, add the "allowed vlan" command:
Interface FastEthernet0/1
switchport mode trunk
switchport trunk allowed vlan 1,5-7,9
!
In case of reconfiguring a trunk port to an access port or vice versa there can be "unused" configuration lines left in the config. For example:
Interface FastEthernet0/1
switchport mode trunk
switchport trunk allowed vlan 1,5-7,9
switchport access vlan 2 (not in use since the port is in trunk mode)
!
Interface FastEthernet0/1
switchport mode access (default, invisible)
switchport trunk allowed vlan 1,5-7,9 (not in use since the port is configured as an access port)
!
Do always first look in the port configuration if it is configured as an access port or a trunk port so that you know which of the other commands in the commands that are in use.
In case of a trunk port frames on all VLANs are sent as tagged, with the VLAN id attached to the frame. One exception for this is the "native VLAN". By default VLAN 1 is the native VLAN and is sent untagged. This can be changed with the "switch port trunk native vlan x" command. Obviously, though, there can only be one native VLAN configured on each port.
Interface FastEthernet0/1
switchport mode trunk
switchport trunk allowed vlan 1,5-7,9
switchport trunk native vlan 6
!
In the configuration above, frames from VLAN 1, 5, 7 and 9 are sent tagged with respective VLAN id while frames from VLAN 6 are sent without a tag.
Ask questions about what you read
If you have a question about something within an article, you can receive help directly from the article author. Experts Exchange article authors are available to answer questions and further the discussion.