VLAN Configuration — IOS-XE

Cisco VLAN Configuration Generator

Generate complete VLAN configurations for Cisco Catalyst access switches. Trunk setup, DHCP snooping per VLAN, and BLACKHOLE VLAN for unused ports — all included.


VLAN configuration on Cisco IOS-XE

VLANs (Virtual Local Area Networks) segment your network at Layer 2, allowing different groups of devices — workstations, IP phones, servers, access points — to share the same physical switch while remaining logically isolated from each other. On an access switch, VLANs determine which broadcast domain each port belongs to and which traffic can flow between endpoints without routing.

Access ports carry traffic for a single VLAN and connect to end devices. Trunk ports carry traffic for multiple VLANs simultaneously using 802.1Q tagging and connect switches together or to the distribution layer. The native VLAN on a trunk is the one VLAN whose frames cross the trunk untagged. It should never be VLAN 1 and should not be assigned to any end device: a host that sits in the native VLAN can send double-tagged frames that the far switch forwards into another VLAN (VLAN hopping), so the native VLAN should contain nothing but the trunk itself.

VLAN naming matters for operational clarity and consistency. The convention used by netconfgen is all-uppercase, with hyphens between words in multi-word names: PRODUCTION, VOICE, MANAGEMENT. Consistent naming across your estate makes it immediately obvious what each VLAN is for when reading configs or troubleshooting.

IOS-XE VLAN configuration examples

Example 1 — Create VLANs
VLAN definitions (global configuration mode; the older vlan database exec mode is deprecated on IOS-XE)
vlan 10
 name PRODUCTION
vlan 20
 name VOICE
vlan 99
 name MANAGEMENT
vlan 999
 name BLACKHOLE
Example 2 — Access port
Access port configuration (in-service end-device port in VLAN 10)
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 ! portfast: forward immediately; bpduguard: err-disable the port if a switch is plugged in
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! an in-service access port stays up; only BLACKHOLE ports (VLAN 999) are shut down
 no shutdown
Example 3 — Trunk port
Trunk port configuration (C9300 uplink)
interface TwentyFiveGigE1/1/1
 switchport mode trunk
 ! static trunk: stop DTP from negotiating with the far end
 switchport nonegotiate
 ! the native VLAN must be one that no end device is placed in (see best practices below)
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20,99
 spanning-tree link-type point-to-point
 no shutdown

VLAN best practices for access switches

Never use VLAN 1 as native VLAN. VLAN 1 is the default native VLAN, it is the default access VLAN of every unconfigured port, and it cannot be deleted, so a device on an untouched port already shares the trunk's native VLAN. Use a dedicated native VLAN that is assigned to no end device and has no SVI. The examples above use 99 for this, and 99 is also named MANAGEMENT; if your management VLAN is routed, pick a separate, otherwise empty VLAN as the native VLAN instead. On IOS-XE you can additionally configure the global command vlan dot1q tag native so that native-VLAN frames are tagged on trunks as well, which removes the untagged path that double-tagging relies on.
Always name your VLANs in UPPERCASE. Consistent naming across all switches makes it immediately clear what each VLAN is for. PRODUCTION is unambiguous. vlan10 is not.
Use a BLACKHOLE VLAN 999 for all unused ports. Assign every inactive port to VLAN 999 as a static access port (switchport mode access, so DTP cannot turn it into a trunk) and shut it down. Give VLAN 999 no SVI and do not include it in any trunk's allowed list. Plugging a cable into an unused port should then reach nothing, even if someone later brings the port up by mistake.
Restrict trunk allowed VLANs explicitly. Never use switchport trunk allowed vlan all in production, and remember that a trunk with no allowed list at all carries every VLAN, which is the same thing. Enumerate only the VLANs that need to traverse each trunk link, including the native VLAN if its traffic must cross that link.
Scope DHCP snooping to the user VLANs. The global ip dhcp snooping command turns the feature on, but nothing is inspected until you list VLANs with ip dhcp snooping vlan; list the user VLANs (10 and 20 above) and leave the management and native VLANs out so their traffic is untouched. Mark the uplink trunk with ip dhcp snooping trust, otherwise the legitimate server's offers arriving from the distribution layer are dropped and clients stop getting addresses; rogue offers on untrusted access ports are then discarded. By default snooping also inserts option 82 into relayed requests; if your relay or server rejects those, add no ip dhcp snooping information option rather than turning snooping off.

Frequently Asked Questions

What is the native VLAN and why should I change it?
The native VLAN is the one VLAN whose frames cross a trunk untagged. By default it is VLAN 1, which is also the VLAN every unconfigured access port sits in, so any host on an untouched port already shares the trunk's native VLAN and can attempt VLAN hopping with double-tagged frames; VLAN 1 also carries switch control-plane protocols such as CDP and VTP. Always change it to a dedicated VLAN that is not used for any user traffic and is not routed anywhere.

How many VLANs does a Catalyst 9300 support?
The Catalyst 9300 supports VLAN IDs 1 to 4094, of which 1002 to 1005 are reserved for legacy FDDI and Token Ring use and VLAN 1 cannot be deleted. In practice, most enterprise deployments use 10 to 50 VLANs per site. The practical limit is set by your spanning-tree instance count and management complexity, not by the hardware.

Should I use VTP?
VTP (VLAN Trunking Protocol) synchronizes VLAN databases across switches automatically. Most network engineers today set switches to VTP transparent mode (or vtp mode off, where the IOS-XE release supports it) and manage VLANs manually or via automation. The risk of VTP is real: a switch that joins the domain with a higher configuration revision number, whether in server or client mode, overwrites the VLAN database of every switch in the domain within seconds, and every port in a VLAN that disappears goes dark.

Generate your VLAN configuration now

VLANs, trunk, DHCP snooping and BLACKHOLE — all configured automatically.
