Assigning VLANs to Switch Ports (Cisco IOS)

After creating VLANs, the next critical step is to assign switch ports to those VLANs. Until a port is explicitly assigned, it remains in VLAN 1 by default — meaning all devices on an unconfigured switch share the same broadcast domain regardless of their department or role. This lab covers single-port assignment, bulk port assignment using interface range, adding interface descriptions, and configuring a Voice VLAN.

Make sure you have completed VLAN Creation and Management before starting this lab — the VLANs used here (10, 20, 30, 40, 100) must already exist on NetsTuts_SW1. If you need a refresher on why VLANs matter, see VLANs, VLAN Tagging and Access and Trunk Ports.

Access Ports vs Trunk Ports — Quick Review

Before assigning ports, it is important to understand the two types of switch port modes used in VLAN configurations:

Feature Access Port Trunk Port
Purpose Connects end devices (PCs, printers, IP phones) Connects switches together or switch to router
VLANs carried One VLAN only (data) + optional Voice VLAN Multiple VLANs simultaneously
VLAN tagging Untagged — the end device is unaware of the VLAN Tagged with 802.1Q headers (except native VLAN)
IOS command switchport mode access switchport mode trunk
Used in this lab ✅ Yes Covered in Trunk Port Configuration and Access and Trunk Ports
Why does mode matter? If you assign a VLAN to a port without setting switchport mode access first, the port may auto-negotiate to trunk mode (DTP — Dynamic Trunking Protocol) and behave unexpectedly. Always explicitly set the mode.

Lab Scenario & Port Plan

In this lab, NetsTuts_SW1 has the following VLANs already created (from the previous lab). We will assign ports to match this plan:

Port(s) VLAN Name Connected Device
Fa0/1 VLAN 10 VLAN0010 Single PC
Fa0/2 – Fa0/10 VLAN 20 VLAN0020 Multiple PCs (bulk assignment)
Fa0/11 VLAN 30 SALES SALES-PC-01 (with description)
Fa0/12 VLAN 40 (data) + VLAN 100 (voice) HR + Voice IP Phone with PC behind it

1. Assign a Single Port to a VLAN

Explanation

Access ports connect end devices such as PCs, printers, and servers. Each access port belongs to only one data VLAN. The connected device sends and receives untagged frames — it has no knowledge of the VLAN concept. The switch handles all VLAN tagging internally.

In this example, we assign FastEthernet0/1 to VLAN 10.

Configuring an Access Port for VLAN 10

NetsTuts_SW1>en
NetsTuts_SW1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
NetsTuts_SW1(config)#interface FastEthernet0/1
NetsTuts_SW1(config-if)#switchport mode access
NetsTuts_SW1(config-if)#switchport access vlan 10
NetsTuts_SW1(config-if)#end
NetsTuts_SW1#
%SYS-5-CONFIG_I: Configured from console by console
NetsTuts_SW1#wr
Building configuration...
[OK]
NetsTuts_SW1#
FastEthernet0/1 configured as an access port and assigned to VLAN 10.

Command Breakdown

Command What It Does Why It Matters
interface FastEthernet0/1 Enters interface configuration mode for port Fa0/1 All commands that follow apply only to this specific port
switchport mode access Explicitly sets the port to access mode Disables DTP negotiation and ensures the port carries only one VLAN — must be done before VLAN assignment
switchport access vlan 10 Assigns the port to VLAN 10 Any device connected to Fa0/1 becomes part of VLAN 10's broadcast domain

Verify with show running-config

NetsTuts_SW1#show running-config interface FastEthernet0/1
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
!

Verify with show vlan brief

NetsTuts_SW1#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/2, Fa0/3, Fa0/4, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/10, Fa0/11, Fa0/12, Fa0/13
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/20, Fa0/21
                                                Fa0/22, Fa0/23, Fa0/24, Gig0/1
                                                Gig0/2
10   VLAN0010                         active    Fa0/1
20   VLAN0020                         active
30   SALES                            active
40   HR                               active
50   IT                               active
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
NetsTuts_SW1#
Fa0/1 has moved from VLAN 1 to VLAN 10. VLANs 20, 30, 40, and 50 show no ports yet — they will be assigned in the following steps.

Remove a Port from a VLAN (Reset to Default)

To return a port to VLAN 1, remove the access VLAN assignment:

NetsTuts_SW1(config)#interface FastEthernet0/1
NetsTuts_SW1(config-if)#no switchport access vlan
NetsTuts_SW1(config-if)#end
no switchport access vlan removes the VLAN assignment and returns the port to VLAN 1.

2. Assign Multiple Ports to a VLAN (interface range)

Explanation

When multiple devices in the same department need to be on the same VLAN, configuring each port individually is inefficient and error-prone. The interface range command lets you apply the same configuration to a consecutive group of ports in a single step — saving time and ensuring consistency.

This example assigns FastEthernet0/2 through FastEthernet0/10 (9 ports) to VLAN 20 simultaneously.

Configuring a Range of Ports for VLAN 20

NetsTuts_SW1>en
NetsTuts_SW1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
NetsTuts_SW1(config)#interface range FastEthernet0/2 - 10
NetsTuts_SW1(config-if-range)#switchport mode access
NetsTuts_SW1(config-if-range)#switchport access vlan 20
NetsTuts_SW1(config-if-range)#end
NetsTuts_SW1#
%SYS-5-CONFIG_I: Configured from console by console
NetsTuts_SW1#wr
Building configuration...
[OK]
NetsTuts_SW1#
The prompt changes to (config-if-range)# confirming all commands apply to every port in the range simultaneously.
Syntax note: Spaces around the dash are required — FastEthernet0/2 - 10 works correctly. FastEthernet0/2-10 (no spaces) may be rejected on some IOS versions. You can also specify non-consecutive ports: interface range fa0/1, fa0/5, fa0/9.

Verify with show vlan brief

NetsTuts_SW1#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gig0/1, Gig0/2
10   VLAN0010                         active    Fa0/1
20   VLAN0020                         active    Fa0/2, Fa0/3, Fa0/4, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/10
30   SALES                            active
40   HR                               active
50   IT                               active
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
NetsTuts_SW1#
Nine ports (Fa0/2–Fa0/10) are now assigned to VLAN 20 with a single command sequence.

3. Assign VLAN with Port Description

Explanation

Adding an interface description is a professional best practice that improves documentation and significantly speeds up troubleshooting — especially in environments with dozens or hundreds of ports. A description like SALES-PC-01 immediately tells any engineer what is connected to that port without needing to trace a cable.

In this example, we assign FastEthernet0/11 to VLAN 30 (SALES) and add a descriptive label. 

NetsTuts_SW1>en
NetsTuts_SW1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
NetsTuts_SW1(config)#interface FastEthernet0/11
NetsTuts_SW1(config-if)#description SALES-PC-01
NetsTuts_SW1(config-if)#switchport mode access
NetsTuts_SW1(config-if)#switchport access vlan 30
NetsTuts_SW1(config-if)#end
NetsTuts_SW1#
%SYS-5-CONFIG_I: Configured from console by console
NetsTuts_SW1#wr
Building configuration...
[OK]
NetsTuts_SW1#
Description added before VLAN assignment — both appear in the running-config for this interface.

Verify with show running-config interface

NetsTuts_SW1#show running-config interface FastEthernet0/11
!
interface FastEthernet0/11
 description SALES-PC-01
 switchport access vlan 30
 switchport mode access
!
The description, VLAN assignment, and access mode are all confirmed in the interface config.

Verify with show interfaces FastEthernet0/11 switchport

NetsTuts_SW1#show interfaces FastEthernet0/11 switchport
Name: Fa0/11
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 30 (SALES)
Trunking Native Mode VLAN: 1 (default)
show interfaces switchport confirms the port is in static access mode and assigned to VLAN 30 (SALES). "Negotiation of Trunking: Off" confirms DTP is disabled.

4. Voice VLAN Configuration

Explanation

A Voice VLAN is used when an IP phone and a PC share the same physical switch port. This is the standard Cisco enterprise cabling model — one cable runs from the switch to the IP phone, and a second cable connects the PC to the pass-through port on the back of the phone.

The switch port carries two streams simultaneously:

  • Data VLAN (VLAN 40) — handles PC traffic, untagged
  • Voice VLAN (VLAN 100) — handles IP phone traffic, tagged with 802.1Q and given higher QoS priority (CoS 5)

This separation ensures voice quality is maintained even when the data network is congested. For a deeper explanation of QoS and voice traffic prioritization, see Voice VLAN and QoS Overview.

How It Works — Port Behavior

Traffic Type Source VLAN Tagging Priority
Data PC (via IP phone pass-through) VLAN 40 Untagged Normal (CoS 0)
Voice IP phone VLAN 100 Tagged (802.1Q) High (CoS 5)

Configuring Voice VLAN on FastEthernet0/12

NetsTuts_SW1>en
NetsTuts_SW1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
NetsTuts_SW1(config)#interface FastEthernet0/12
NetsTuts_SW1(config-if)#description HR-PHONE-01
NetsTuts_SW1(config-if)#switchport mode access
NetsTuts_SW1(config-if)#switchport access vlan 40
NetsTuts_SW1(config-if)#switchport voice vlan 100
NetsTuts_SW1(config-if)#end
NetsTuts_SW1#
%SYS-5-CONFIG_I: Configured from console by console
NetsTuts_SW1#wr
Building configuration...
[OK]
NetsTuts_SW1#
Fa0/12 now carries both data traffic (VLAN 40) for the PC and voice traffic (VLAN 100) for the IP phone over the same physical cable.

Verify with show running-config interface

NetsTuts_SW1#show running-config interface FastEthernet0/12
!
interface FastEthernet0/12
 description HR-PHONE-01
 switchport mode access
 switchport access vlan 40
 switchport voice vlan 100
!

Verify with show vlan brief

NetsTuts_SW1#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gig0/1, Gig0/2
10   VLAN0010                         active    Fa0/1
20   VLAN0020                         active    Fa0/2, Fa0/3, Fa0/4, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/10
30   SALES                            active    Fa0/11
40   HR                               active    Fa0/12
100  VLAN0100                         active    Fa0/12
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
NetsTuts_SW1#
Fa0/12 appears in both VLAN 40 and VLAN 100 — this is expected and correct for a voice VLAN configuration. VLAN 100 was automatically created when the switchport voice vlan 100 command was entered.
Auto VLAN creation: If VLAN 100 did not exist in the VLAN database before this command, Cisco IOS creates it automatically. Always verify with show vlan brief after configuration.

5. Full Lab Verification

After completing all four sections, here is the final show vlan brief output for NetsTuts_SW1 with all port assignments confirmed: 

NetsTuts_SW1#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gig0/1, Gig0/2
10   VLAN0010                         active    Fa0/1
20   VLAN0020                         active    Fa0/2, Fa0/3, Fa0/4, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/10
30   SALES                            active    Fa0/11
40   HR                               active    Fa0/12
50   IT                               active
100  VLAN0100                         active    Fa0/12
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
NetsTuts_SW1#
Complete port assignment summary. VLAN 50 (IT) has no ports yet — it is ready and waiting for devices to be connected and assigned.

Common Mistakes and Troubleshooting

Problem Symptom Cause Fix
VLAN assignment not working Port still shows in VLAN 1 after configuration switchport mode access was not entered before switchport access vlan Re-enter both commands in the correct order: mode first, then VLAN assignment
Device cannot communicate Ping fails between two ports in the same VLAN VLAN does not exist in the database — was never created Run show vlan brief and create the missing VLAN. See VLAN Creation Lab.
Port auto-negotiating to trunk Unexpected trunk shown in show interfaces switchport DTP negotiated a trunk because switchport mode access was not set Set switchport mode access and switchport nonegotiate to disable DTP. See Trunk Port Configuration.
Voice VLAN not working IP phone cannot register or poor call quality VLAN 100 not created, or CDP not running (phone uses CDP to learn voice VLAN) Verify VLAN 100 exists with show vlan brief; verify CDP is enabled with show cdp neighbors. See Voice VLAN Configuration.
Description not saving Description missing from running-config after reload Configuration not saved before reload Always run wr after making changes. Verify with show running-config.

Key Points & Exam Tips

  • All switch ports belong to VLAN 1 by default. Ports stay in VLAN 1 until explicitly reassigned. See VLANs for an overview of VLAN concepts.
  • Always set switchport mode access before switchport access vlan [id] — mode must be set first or the behavior is unpredictable.
  • An access port carries traffic for only one data VLAN. It can also have an optional Voice VLAN — but the data and voice VLANs must be different.
  • Use interface range to configure multiple consecutive ports simultaneously — it is both faster and more consistent than configuring ports one by one.
  • Always add a description to every interface in a production environment. It is a professional standard and makes troubleshooting significantly faster.
  • A port configured with switchport voice vlan will appear in two VLANs in show vlan brief output — this is correct, not an error.
  • The VLAN you assign a port to must already exist in the VLAN database — otherwise IOS may accept the command but the port will not function as expected. Verify with show vlan brief.
  • Use show interfaces [port] switchport for detailed per-port information including access mode VLAN, trunk status, and DTP negotiation state.
  • Use no switchport access vlan to return a port to VLAN 1 without removing the access mode setting.
  • Voice VLANs use CDP to communicate the voice VLAN ID to the IP phone — CDP must be enabled on the port for the phone to automatically configure itself.
  • For additional port security on access ports, consider Port Security and Sticky MAC to lock ports to specific devices.
Next Steps: Now that ports are assigned to VLANs, the logical next step is connecting multiple switches together using Trunk Port Configuration and Trunk Ports so VLANs can span across switches. For routing between VLANs on a single router, see Inter-VLAN Routing (Router-on-a-Stick) and Router-on-a-Stick. For Layer 3 switch routing, see Inter-VLAN Routing (Layer 3 Switch) and Layer 3 Switch Routing (SVI).

An engineer assigns switchport access vlan 10 to a port but forgets switchport mode access. What is the risk?

Correct answer is C. Without switchport mode access, DTP (Dynamic Trunking Protocol) can negotiate the port to trunk mode. The VLAN assignment may be accepted by IOS but the port could carry traffic for multiple VLANs instead of just VLAN 10. Always set the mode explicitly first. See Trunk Port Configuration for more on DTP behavior.

An engineer needs to assign ports Fa0/3 through Fa0/8 to VLAN 30 simultaneously. Which command enters the correct configuration mode?

Correct answer is B. interface range FastEthernet0/3 - 8 is the correct Cisco IOS syntax. Note the spaces around the dash — they are required on many IOS versions. The prompt changes to (config-if-range)# to confirm all commands apply to every port in the range.

After assigning Fa0/11 to VLAN 30 with a description of "SALES-PC-01", an engineer runs show running-config interface FastEthernet0/11. What should appear?

Correct answer is D. All three lines appear in the interface config when properly configured: the description, the access mode, and the VLAN assignment. If any are missing, the configuration is incomplete.

A port is configured with switchport access vlan 40 and switchport voice vlan 100. What will show vlan brief display for this port?

Correct answer is B. A port with both a data VLAN and a voice VLAN will appear in both VLANs in show vlan brief output. This is expected and correct — the port carries untagged data traffic on VLAN 40 and tagged voice traffic on VLAN 100 simultaneously.

An engineer assigns Fa0/5 to VLAN 50 but VLAN 50 was never created. What will show vlan brief show?

Correct answer is B. IOS accepts the command and assigns the port to VLAN 50, but if VLAN 50 does not exist in the VLAN database, the port will be inactive and cannot pass traffic. Always create the VLAN first with VLAN Creation and Management, then assign ports. Verify both with show vlan brief.

Why does an IP phone need CDP to be enabled on the switch port when a Voice VLAN is configured?

Correct answer is C. Cisco IP phones use CDP to discover the voice VLAN ID from the switch. Once the phone learns the voice VLAN, it automatically tags its traffic with that VLAN ID. Without CDP, the phone does not know which VLAN to use and falls back to untagged traffic on the data VLAN.

Which command provides the most detailed per-port information including access mode VLAN, trunk status, and whether DTP negotiation is active?

Correct answer is B. show interfaces [port] switchport provides detailed Layer 2 port information including administrative mode, operational mode, access VLAN, voice VLAN, native VLAN, and DTP negotiation status. show vlan brief gives a summary but does not show DTP or trunk details.

What is the difference between data traffic and voice traffic on a port configured with a Voice VLAN?

Correct answer is C. On a voice VLAN port, the PC sends untagged traffic which the switch assigns to the data VLAN (40). The IP phone sends 802.1Q tagged traffic marked with the voice VLAN (100) and CoS 5 priority. The switch handles both streams simultaneously on the same physical port.

An engineer wants to return Fa0/7 from VLAN 20 back to VLAN 1 without removing the access mode setting. Which command achieves this?

Correct answer is A. no switchport access vlan removes the VLAN assignment and returns the port to VLAN 1 while keeping the access mode setting intact. Option B also works technically, but option A is the cleaner way to reset it. Option D resets all interface settings to default, which may remove other configurations.

An engineer creates VLAN 30 on the switch but does not assign any ports to it. A device is connected to Fa0/11 which is still in VLAN 1. Can this device communicate with devices in VLAN 30?

Correct answer is D. VLANs are separate broadcast domains — a device in VLAN 1 cannot communicate with a device in VLAN 30 directly, even if both are on the same physical switch. Inter-VLAN routing requires either a router using router-on-a-stick or a Layer 3 switch. See also Router-on-a-Stick and Layer 3 Switch Routing (SVI).
Back to Home