VLAN Creation and Management

VLANs are a core switching concept used in almost every modern network. In this tutorial, you will learn how to create, name, verify, and delete VLANs using Cisco IOS commands on a Cisco switch, along with understanding where VLAN data is stored and how to clean up the VLAN database correctly.

Before starting this lab, make sure you have completed Basic Interface Configuration and are comfortable with the Cisco IOS mode hierarchy. A solid understanding of network types and LAN concepts will also help you follow the purpose of each step.

What is a VLAN?

A VLAN (Virtual Local Area Network) is a logical segmentation of a switch network that groups devices as if they were on the same physical LAN — regardless of their physical location or which switch port they are connected to. VLANs operate at Layer 2 of the OSI model and are identified by a VLAN ID (1–4094). For conceptual background see VLANs Overview and 802.1Q VLAN Tagging.

| Benefit | How VLANs Achieve It |
|---|---|
| Reduced broadcast traffic | Each VLAN is its own broadcast domain — broadcasts stay within the VLAN and do not flood the entire switch |
| Improved security | Devices in different VLANs cannot communicate directly — traffic must pass through a router or Layer 3 switch. Combine with DHCP Snooping for per-VLAN security enforcement |
| Better performance | Smaller broadcast domains mean less unnecessary traffic reaching every device |
| Simplified management | Users can be grouped by department (SALES, HR, IT) regardless of physical location or floor |
| Flexible design | VLANs can span multiple switches using trunk links |

Key concept: A VLAN is a broadcast domain. Without VLANs, every device on the switch receives every broadcast frame — in a large network, this wastes significant bandwidth. With VLANs, broadcasts are contained within each segment.

VLAN ID Ranges

| Range | Description | Usage |
|---|---|---|
| 1 | Default VLAN | All ports belong here by default. Cannot be deleted. |
| 2 – 1001 | Normal range VLANs | Available for administrator use. Stored in vlan.dat. |
| 1002 – 1005 | Legacy reserved VLANs | Reserved for FDDI and Token Ring. Cannot be deleted or modified. |
| 1006 – 4094 | Extended range VLANs | Used in large enterprise networks. Requires VTP transparent mode. |

1. Create VLANs

Explanation

By default, all switch ports belong to VLAN 1 (the default VLAN). To logically separate traffic, you must create new VLANs in the switch database. VLAN creation only adds the VLAN to the database — no ports are assigned during this step. Port assignment is covered in the Assigning VLANs to Switch Ports lab.

Creating VLAN 10 and VLAN 20

NetsTuts_SW1>en
NetsTuts_SW1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
NetsTuts_SW1(config)#vlan 10
NetsTuts_SW1(config-vlan)#exit
NetsTuts_SW1(config)#vlan 20
NetsTuts_SW1(config-vlan)#end
NetsTuts_SW1#
%SYS-5-CONFIG_I: Configured from console by console
NetsTuts_SW1#wr
Building configuration...
[OK]
NetsTuts_SW1#
  
Creating VLAN 10 and VLAN 20 using Global Configuration mode. The prompt changes to (config-vlan)# after entering each VLAN ID.
Shortcut: You do not need to exit between each VLAN. You can move directly from one VLAN to the next — IOS stays in VLAN configuration mode until you type exit or end. For example:
NetsTuts_SW1(config)#vlan 10
NetsTuts_SW1(config-vlan)#vlan 20
NetsTuts_SW1(config-vlan)#end
    

2. Verify VLAN Configuration

After creating VLANs, always verify using show vlan brief. This command shows all VLANs in the database, their names, status, and which ports (if any) are assigned to each. See Show VLAN for a full command reference.

NetsTuts_SW1#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gig0/1, Gig0/2
10   VLAN0010                         active
20   VLAN0020                         active
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
NetsTuts_SW1#
  
VLANs 10 and 20 are created and active. No ports are assigned yet — that is expected at this stage.

| Column | Meaning |
|---|---|
| VLAN | The VLAN ID number |
| Name | The VLAN name — VLAN0010 is the auto-generated default name (no custom name assigned yet) |
| Status | active = VLAN exists and is ready to use |
| Ports | Switch ports currently assigned to this VLAN. Blank = no ports assigned yet. |

3. Name VLANs

Explanation

Assigning descriptive names to VLANs is a professional best practice. Names make configurations self-documenting and are especially important in large enterprise networks where dozens of VLANs may exist. A VLAN with the name SALES is far easier to identify in show vlan brief output than one named VLAN0030.

Creating and Naming VLANs 30, 40, and 50 in One Session

NetsTuts_SW1>en
NetsTuts_SW1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
NetsTuts_SW1(config)#vlan 30
NetsTuts_SW1(config-vlan)#name SALES
NetsTuts_SW1(config-vlan)#vlan 40
NetsTuts_SW1(config-vlan)#name HR
NetsTuts_SW1(config-vlan)#vlan 50
NetsTuts_SW1(config-vlan)#name IT
NetsTuts_SW1(config-vlan)#end
NetsTuts_SW1#
%SYS-5-CONFIG_I: Configured from console by console
NetsTuts_SW1#wr
Building configuration...
[OK]
NetsTuts_SW1#
  
Creating and naming three VLANs in a single session. The name command must be issued while inside that VLAN's configuration mode (config-vlan).

4. Verify VLAN Names

Run show vlan brief again to confirm the names were applied correctly.

NetsTuts_SW1#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gig0/1, Gig0/2
30   SALES                            active
40   HR                               active
50   IT                               active
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
NetsTuts_SW1#
  
VLANs 30, 40, and 50 now show their custom names in the Name column. The Ports column is empty because no switch ports have been assigned yet.
Note: VLANs with no ports in the Ports column are active but unused. This is normal — ports are assigned separately. See Assigning VLANs to Switch Ports for the next step.

Understanding Legacy VLANs (1002–1005)

Every Cisco switch automatically creates VLANs 1002–1005 in the VLAN database. You will always see them in show vlan brief output. Here is what they are and why they exist:

| VLAN ID | Name | Original Purpose | Modern Status |
|---|---|---|---|
| 1002 | fddi-default | Reserved for FDDI (Fiber Distributed Data Interface) networks | Obsolete — legacy fiber networking technology |
| 1003 | token-ring-default | Reserved for Token Ring networks (IBM, popular in 1980s–1990s) | Obsolete — replaced by Ethernet |
| 1004 | fddinet-default | Reserved for FDDI-to-Ethernet translation bridges | Obsolete |
| 1005 | trnet-default | Reserved for Token Ring-to-Ethernet translation bridges | Obsolete |

Key rules for VLANs 1002–1005: You cannot delete, rename, or use these VLANs for your own network traffic. The status act/unsup (active/unsupported) means they exist but are not functional on modern Ethernet switches. Simply ignore them — they have no impact on your configuration.

5. Where Are VLANs Stored? (vlan.dat)

Explanation

VLAN information is stored in a separate database file called vlan.dat, located in the switch's flash memory. This is an important distinction to understand — especially during troubleshooting and factory resets. Flash memory also holds the IOS image — see IOS Upgrade via TFTP for how to manage flash contents.

| Storage Location | Contains | Cleared by erase startup-config? |
|---|---|---|
| running-config (RAM) | Active interface configs, ACLs, routing — but NOT VLANs | N/A — cleared on reload |
| startup-config (NVRAM) | Saved configuration loaded at boot — but NOT VLANs | Yes — erased |
| vlan.dat (Flash) | VLAN IDs and names | ❌ No — persists after erase startup-config and reload |

Critical exam point: Running erase startup-config and reloading will not remove VLANs. You must separately delete vlan.dat from flash memory to fully reset VLAN configuration.

Viewing Flash Memory Contents

Use dir flash: or show flash to see what is stored in flash:

NetsTuts_SW1#dir flash:
Directory of flash:/

    1  -rw-     4670455          <no date>  2960-lanbasek9-mz.150-2.SE4.bin
    2  -rw-         676          <no date>  vlan.dat

64016384 bytes total (59345253 bytes free)
NetsTuts_SW1#
  
Two files are stored in flash: the IOS operating system image (.bin) and the VLAN database (vlan.dat). Both commands — dir flash: and show flash — display the same information.

Flash Memory Output Explained

| Field | File 1 (IOS Image) | File 2 (VLAN Database) |
|---|---|---|
| Index | 1 | 2 |
| Permissions | -rw- (read/write) | -rw- (read/write) |
| File size | 4,670,455 bytes (~4.5 MB) | 676 bytes (very small — just VLAN IDs and names) |
| Filename | 2960-lanbasek9-mz.150-2.SE4.bin — the IOS OS image | vlan.dat — the VLAN database |
| Date | <no date> — normal on Catalyst 2960; no timestamp stored | <no date> — same reason |

Why <no date>? Older switches and certain IOS versions do not maintain file timestamps in flash. This is completely normal on the Catalyst 2960 platform and does not indicate any problem.

6. Delete VLANs

Method 1: Delete a Single VLAN

Use the no vlan command from Global Configuration mode to remove a specific VLAN from the database:

NetsTuts_SW1>en
NetsTuts_SW1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
NetsTuts_SW1(config)#no vlan 10
NetsTuts_SW1(config)#end
NetsTuts_SW1#wr
Building configuration...
[OK]
NetsTuts_SW1#
  
VLAN 10 is removed from the database immediately. Any ports previously assigned to VLAN 10 will become inactive until reassigned to another VLAN.
Important: Before deleting a VLAN, always reassign any ports that belong to it — otherwise those ports lose connectivity. Use show vlan brief first to check which ports are assigned to the VLAN you are about to delete.

Method 2: Delete All VLANs (Full Reset)

To completely wipe the VLAN database, delete the vlan.dat file from flash and reload the switch. This is typically done when repurposing or factory-resetting a switch.

NetsTuts_SW1#delete flash:vlan.dat
Delete filename [vlan.dat]?
Delete flash:/vlan.dat? [confirm]

NetsTuts_SW1#reload
System configuration has been modified. Save? [yes/no]:no
Proceed with reload? [confirm]
  
Deleting vlan.dat and reloading removes all custom VLANs. Answering no to "Save?" is critical — see explanation below.

Why You Must Answer "No" to Save?

| Your Answer | What Happens | Result |
|---|---|---|
| No | Switch reloads without saving running-config to startup-config | VLANs are gone — vlan.dat was already deleted and not recreated |
| Yes | Switch saves running-config first, which recreates vlan.dat | VLANs reappear after reload — your deletion is undone |

Complete VLAN Removal Checklist

For a thorough reset, follow this sequence:

  1. Check which ports are assigned to each VLAN: show vlan brief
  2. Reassign or note affected ports before removing VLANs
  3. Remove VLANs from running-config: no vlan [number] for each
  4. Save: write memory
  5. Delete the VLAN database: delete flash:vlan.dat
  6. Reload the switch: reload
  7. Answer no when prompted to save
  8. Verify after reload: show vlan brief
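
The port check in steps 1 and 2 (also advised before a single no vlan in Method 1) and the post-reload verification in step 8 can be scripted against captured show vlan brief output. The Python below is an added example, not part of the original lab; the sample output is constructed in the page's format (the port assignments for VLANs 30 and 40 are invented) and the function names are hypothetical.

```python
import re

# Constructed sample in the format of the page's "show vlan brief" output
# (port assignments for VLANs 30 and 40 are invented for this example).
SAMPLE = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Gig0/1, Gig0/2
20   VLAN0020                         active
30   SALES                            active    Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9
40   HR                               active    Fa0/10
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
"""

ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s*(.*)$")
BUILTIN = {1, 1002, 1003, 1004, 1005}  # default and legacy VLANs; cannot be deleted


def parse_vlan_brief(text):
    """Return {vlan_id: {"name", "status", "ports"}} from show vlan brief text."""
    vlans, current = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            current = int(m.group(1))
            vlans[current] = {"name": m.group(2), "status": m.group(3), "ports": []}
            rest = m.group(4)
        elif current is not None and line[:1].isspace() and line.strip():
            rest = line  # continuation line: more ports for the previous VLAN
        else:
            continue  # header, separator, prompt or blank line
        vlans[current]["ports"] += [p.strip() for p in rest.split(",") if p.strip()]
    return vlans


def stranded_ports(vlans, vlan_id):
    """Ports that would go inactive if `no vlan <vlan_id>` were entered now."""
    return vlans.get(vlan_id, {}).get("ports", [])


def custom_vlans(vlans):
    """VLAN IDs an administrator created; expected to be empty after a full reset."""
    return sorted(v for v in vlans if v not in BUILTIN)


def unnamed_vlans(vlans):
    """Custom VLANs still carrying the auto-generated VLANnnnn name."""
    return [v for v in custom_vlans(vlans) if vlans[v]["name"] == f"VLAN{v:04d}"]
```

A non-empty stranded_ports result means those ports need reassigning before the VLAN is deleted; a non-empty custom_vlans result after the reload means the VLAN database was not actually cleared.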

Key Points & Exam Tips

  • All switch ports belong to VLAN 1 by default. VLAN 1 cannot be deleted.
  • VLANs are stored in vlan.dat in flash memory — not in running-config or startup-config. erase startup-config does NOT remove VLANs.
  • The show vlan brief command is your primary verification tool — memorize its columns (VLAN ID, Name, Status, Ports).
  • A VLAN with no ports in the Ports column is active but has no traffic — ports must be assigned separately using access port configuration.
  • VLANs 1002–1005 are reserved legacy VLANs — they cannot be deleted, renamed, or used for your traffic. Ignore them.
  • To carry VLAN traffic between switches, a trunk link must be configured — see the Trunk Port Configuration lab. VLANs created on one switch are not automatically known by another switch unless VTP or manual creation is used.
  • To completely remove all VLANs: first use no vlan commands, then delete vlan.dat, reload, and answer no to the save prompt.
  • Each VLAN is its own broadcast domain. Inter-VLAN communication requires a router (router-on-a-stick) or a Layer 3 switch — see the Inter-VLAN Routing lab. STP runs per-VLAN in Cisco's PVST+ — see Spanning Tree Root Bridge.
  • Always name your VLANs — it is a professional best practice and makes large configurations significantly easier to read and troubleshoot.
  • Both dir flash: and show flash display flash memory contents including vlan.dat.
Next Steps: Now that your VLANs are created, continue with Assigning VLANs to Switch Ports to put ports into the correct VLANs. To allow VLAN traffic across multiple switches, see Trunk Port Configuration. For routing between VLANs, see Router-on-a-Stick and Inter-VLAN Routing (Layer 3 Switch). For DHCP per-VLAN, see DHCP Server Configuration. For Layer 2 security on VLAN access ports, see Port Security & Sticky MAC.

An engineer creates VLAN 50 on a switch. Which VLAN ID range is this in, and where will it be stored?

Correct answer is C. VLAN 50 falls in the normal range (2–1001). VLANs are stored in vlan.dat in flash memory — not in running-config or startup-config. This is why erase startup-config does not remove VLANs.

An engineer runs erase startup-config and reloads a switch to factory reset it. After reload, show vlan brief still shows VLANs 10, 20, and 30. Why?

Correct answer is C. erase startup-config only clears NVRAM (startup-config). The VLAN database in vlan.dat is stored separately in flash memory and survives this process. To remove VLANs, you must delete vlan.dat explicitly.

A network has 200 devices on a single switch with no VLANs. What is the impact on broadcast traffic compared to a properly segmented VLAN design?

Correct answer is B. Without VLANs, the entire switch is one broadcast domain — every broadcast frame (ARP requests, DHCP discoveries, etc.) is flooded to all 200 devices. VLANs divide this into smaller broadcast domains, dramatically reducing unnecessary traffic.

After running show vlan brief, VLAN 40 shows "active" but the Ports column is empty. What does this mean?

Correct answer is B. An empty Ports column simply means no access ports have been assigned to VLAN 40 yet. The VLAN is valid and ready to use — port assignment is a separate configuration step performed under each interface.

Why are VLANs 1002–1005 always present in show vlan brief output on a Cisco switch?

Correct answer is B. Cisco IOS automatically creates VLANs 1002–1005 on every switch for backward compatibility with older network technologies like FDDI and Token Ring — both of which are now obsolete. These VLANs cannot be deleted, renamed, or used for Ethernet traffic.

An engineer is in (config-vlan)# mode for VLAN 30. What is the correct command to name it "SALES"?

Correct answer is A. The name command is used in VLAN configuration mode (config-vlan) to assign a descriptive name. description is used on interfaces, not VLANs. vlan-name and set name are not valid IOS commands.

An engineer deletes vlan.dat and then answers "yes" when the switch asks "Save? [yes/no]:" before reloading. What will happen after the reload?

Correct answer is B. Answering "yes" saves the current running-config to startup-config, which includes the VLAN configuration — this recreates vlan.dat. The deletion is undone. You must answer no to preserve the deletion.

An engineer deletes VLAN 20 using no vlan 20 without first reassigning the ports. What happens to ports that were in VLAN 20?

Correct answer is C. When a VLAN is deleted, any ports assigned to it become inactive immediately — they do not automatically move to VLAN 1 or any other VLAN. Always check show vlan brief and reassign ports before deleting a VLAN.

What is the correct complete sequence to fully remove all custom VLANs from a switch?

Correct answer is A. The complete correct sequence is: (1) Remove VLANs from running-config with no vlan commands, (2) save with write memory, (3) delete vlan.dat from flash, (4) reload, (5) answer no to the save prompt. Skipping any step risks VLANs reappearing.

Two switches are connected. VLAN 30 is created on Switch A but not Switch B. A device in VLAN 30 on Switch A tries to reach a device on Switch B. What is needed for this to work?

Correct answer is B. For VLAN traffic to cross between switches, two things are required: (1) the VLAN must exist on both switches, and (2) the link between the switches must be configured as a trunk port so it can carry tagged VLAN traffic. See the Access and Trunk Port Configuration lab for details.