show vlan – VLAN Configuration, Port Assignment, and Troubleshooting

1. What Is show vlan?

show vlan is the primary Cisco IOS switch command for inspecting the VLAN database. It displays every VLAN that exists on the switch — including its ID, name, operational status, and the list of access ports assigned to it. It is the essential starting point when troubleshooting Layer 2 connectivity between hosts on the same switch, or when auditing VLAN configuration after changes.

Understanding what show vlan does and does not show is a key exam distinction: it shows access port assignments but does not show trunk ports. A port configured as a trunk port carries multiple VLANs simultaneously and is not listed under any specific VLAN in this output — for trunk ports, use show interfaces trunk.

  What show vlan shows:              What show vlan does NOT show:
  ✓ All VLAN IDs in the database     ✗ Trunk ports (use show interfaces trunk)
  ✓ VLAN names                       ✗ IP addresses (use show interfaces vlan)
  ✓ VLAN operational status          ✗ MAC addresses per VLAN (use show mac address-table)
  ✓ Access port assignments          ✗ STP state per VLAN (use show spanning-tree)
  ✓ Extended range VLANs (1006–4094) ✗ VTP configuration (use show vtp status)
            

Related pages: VLANs | VLAN Overview | Trunking (802.1Q) | Access & Trunk Ports | PVST/STP | Spanning Tree | Router-on-a-Stick | Frame Forwarding | Switches | show interfaces | Layer 3 Switch Routing | VLAN Configuration Lab | Assigning VLANs to Ports Lab | Layer 2 Troubleshooting Lab

2. show vlan Output — Field by Field

The output from show vlan has two parts: the VLAN table at the top (ID, name, status, ports), and a lower section listing per-VLAN type, SAID, MTU, RSPAN and private-VLAN details that you will rarely need. The table is what you will read most frequently; show vlan brief prints only the table.

  Switch# show vlan

  VLAN Name                             Status    Ports
  ---- -------------------------------- --------- -------------------------------
  1    default                          active    Gi0/1, Gi0/2, Gi0/3
  10   SALES                            active    Gi0/4, Gi0/5
  20   ENGINEERING                      active    Gi0/6, Gi0/7
  100  MANAGEMENT                       active
  999  PARKING_LOT                      suspended
  1002 fddi-default                     act/unsup
  1003 trcrf-default                    act/unsup
  1004 fddinet-default                  act/unsup
  1005 trbrf-default                    act/unsup

  │    │                                │         │
  │    │                                │         └─ Ports: access ports assigned
  │    │                                │            to this VLAN. Trunk ports
  │    │                                │            DO NOT appear here.
  │    │                                └─ Status: operational state of the VLAN
  │    └─ Name: text label (up to 32 characters); default name is "VLANxxxx" (four digits, e.g. VLAN0010)
  └─ VLAN: numeric VLAN ID (1–4094)

  Key observations:
  VLAN 1      → default; all ports start here; cannot be deleted
  VLAN 100    → MANAGEMENT VLAN exists but has NO access ports listed;
                it is carried only on trunk ports (which never appear here),
                terminates on an SVI (interface vlan 100), or is unused on
                this switch
  VLAN 999    → suspended; NOT forwarding traffic for any device
  VLANs 1002–1005 → reserved legacy VLANs (FDDI, Token Ring);
                    act/unsup = active but unsupported; cannot be deleted
            
  Field    Description and key notes
  -------  ------------------------------------------------------------------
  VLAN     Numeric VLAN ID (1–4094). 1–1005 are normal range; 1006–4094
           are extended range and, with VTP v1/v2, can only be configured
           in VTP transparent or off mode.
  Name     Human-readable label, up to 32 characters. With no name
           configured, IOS uses VLANxxxx (e.g. VLAN0010 for VLAN 10);
           descriptive names are a best practice.
  Status   Operational state: active, suspended, or inactive. Only active
           VLANs forward traffic; a suspended VLAN is still in the database
           but forwards nothing, so devices assigned to it lose connectivity.
  Ports    Access ports on this switch assigned to the VLAN. Trunk ports are
           NEVER listed here, even when they carry the VLAN, so an empty
           Ports column does not mean the VLAN is idle: traffic may be
           flowing over trunk links or terminating on an SVI.

3. VLAN Status Values — What Each Means

  Status     Meaning / traffic forwarded? / common cause / fix
  ---------  ------------------------------------------------------------------
  active     The VLAN is operational and forwards frames for all assigned
             ports. Traffic forwarded: yes. This is the normal state after
             creation; nothing to fix.
  suspended  The VLAN exists in the database but has been administratively
             suspended; every port assigned to it loses connectivity.
             Traffic forwarded: no. Causes: an administrator ran
             state suspend under the VLAN, or (on a VTP client) the VTP
             server holds the VLAN in suspended state and propagated it,
             since a VLAN's state is part of the database VTP carries.
             Fix: Switch(config-vlan)# state active on the switch that owns
             the database (the VTP server, if VTP is in use).
  inactive   The VLAN exists but is not usable, typically because required
             hardware is not present. Traffic forwarded: no. Rare; seen on
             platform-specific VLANs when the associated module is not
             installed. Fix: install the hardware or remove the VLAN.
  act/unsup  Active but unsupported: the VLAN carries a legacy protocol
             (FDDI, Token Ring) that modern hardware does not support.
             Traffic forwarded: no (for the legacy protocol). VLANs
             1002–1005 always show this status and cannot be deleted or
             modified; ignore them.

Critical exam point: A suspended VLAN is still present in the VLAN database and still shows in show vlan output, but every device connected to a port in that VLAN loses all network connectivity until the VLAN is returned to the active state. This is one of the most impactful misconfigurations possible on a switch. Use ping to confirm the connectivity loss, show vlan id <n> to confirm the state, show vtp status to see whether this switch is a VTP client that received the state from a server, and show logging for recent configuration events.

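Reading the VLAN table by eye is fine for one switch; for an audit across many you want the same checks in code. The following Python script is an added example (not part of the original page and not Cisco software): it parses the table from show vlan / show vlan brief exactly as laid out in section 2, including a Ports column that wraps onto a continuation line, and then applies the checks sections 2 and 3 describe: ports still in VLAN 1, a suspended VLAN that still has ports assigned (those hosts have no connectivity), and VLANs left with the default VLANxxxx name. find_port answers the Scenario A question "which VLAN is Gi0/2 in?" and returns None for a trunk, because trunks are never listed. The sample output, port names and VLAN names are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of "show vlan brief" output (not captured from a real
# switch); it includes a wrapped Ports column, an unnamed VLAN, a suspended
# VLAN that still has a port assigned, and the reserved 1002-1005 VLANs.
SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/2, Gi0/3, Gi0/8, Gi0/9,
                                                Gi0/10
10   SALES                            active    Gi0/4, Gi0/5
20   ENGINEERING                      active    Gi0/6, Gi0/7
30   VLAN0030                         active    Gi0/12
100  MANAGEMENT                       active
999  PARKING_LOT                      suspended Gi0/11
1002 fddi-default                     act/unsup
1003 trcrf-default                    act/unsup
1004 fddinet-default                  act/unsup
1005 trbrf-default                    act/unsup
"""

ROW = re.compile(r"^(\d{1,4})\s+(\S+)\s+(\S+)\s*(.*)$")   # id, name, status, ports
PORT = re.compile(r"[A-Za-z]+\d+(?:/\d+)*")               # Gi0/1, Fa0/1, Gi1/0/1, Po1
RESERVED = range(1002, 1006)                              # FDDI / Token Ring VLANs


@dataclass
class Vlan:
    vid: int
    name: str
    status: str
    ports: list = field(default_factory=list)


def parse_show_vlan_brief(text):
    """Return {vlan_id: Vlan} from the VLAN table of show vlan / show vlan brief."""
    vlans, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("VLAN ", "----")):
            continue                                    # header, separator, blank
        m = ROW.match(line)
        if m:
            current = Vlan(int(m.group(1)), m.group(2), m.group(3),
                           PORT.findall(m.group(4)))
            vlans[current.vid] = current
        elif current is not None and line[0].isspace():
            current.ports.extend(PORT.findall(line))    # wrapped Ports column
    return vlans


def find_port(vlans, port):
    """VLAN ID whose Ports column lists `port`, or None (trunk ports are never listed)."""
    for v in vlans.values():
        if port in v.ports:
            return v.vid
    return None


def audit_vlans(vlans):
    """Findings a practitioner would raise from the VLAN table alone."""
    findings = []
    for v in vlans.values():
        if v.vid == 1 and v.ports:
            findings.append("VLAN 1 still has access ports: " + ", ".join(v.ports)
                            + " (move user ports to their VLAN, unused ports to the parking lot)")
        if v.status == "suspended" and v.ports:
            findings.append(f"VLAN {v.vid} ({v.name}) is suspended but ports are assigned: "
                            + ", ".join(v.ports) + " have no connectivity")
        if v.vid not in RESERVED and re.fullmatch(r"VLAN\d{4}", v.name):
            findings.append(f"VLAN {v.vid} still has the default name {v.name}")
    return findings


if __name__ == "__main__":
    table = parse_show_vlan_brief(SHOW_VLAN_BRIEF)
    print("Gi0/2 is in VLAN", find_port(table, "Gi0/2"))
    for finding in audit_vlans(table):
        print("FINDING:", finding)
```

Feed it the output of show vlan brief captured from a real switch (for example via a terminal log) and the same three findings are reported; an empty Ports column on its own is deliberately not a finding, because the VLAN may be carried on trunks or end on an SVI.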
4. VLAN Ranges — Normal, Extended, and Reserved

Not all VLAN IDs behave the same way. Understanding the three ranges is important for both configuration and troubleshooting. See VLAN Overview for the full architectural context.

  Range           IDs        Use / VTP propagation / where stored
  --------------  ---------  ----------------------------------------------
  Default         1          Default VLAN: all ports start here and it is
                             the default native VLAN on 802.1Q trunks;
                             cannot be deleted. VTP: propagated.
                             Stored in vlan.dat (always present).
  Normal range    2–1001     Standard VLANs for everyday segmentation.
                             VTP: propagated. Stored in flash:vlan.dat
                             (and in the running config in VTP
                             transparent mode).
  Reserved        1002–1005  Legacy FDDI and Token Ring VLANs; cannot be
                             deleted or assigned to ports; always shown as
                             act/unsup. VTP: propagated but not usable.
                             Permanent, not deletable.
  Extended range  1006–4094  Environments needing more than 1001 VLANs
                             (service providers, large data centres).
                             VTP: propagated only by VTP version 3; with
                             v1/v2 the switch must be in transparent or
                             off mode. Stored in the running config only
                             (not in vlan.dat) under VTP v1/v2.
  Important: VLAN 1 security considerations
  ─────────────────────────────────────────
  VLAN 1 is the default native VLAN on 802.1Q trunks — untagged frames
  on a trunk are assumed to belong to VLAN 1. This is a security risk:
  VLAN hopping attacks can exploit the untagged native VLAN to send
  frames into VLAN 1 without being a member of it.

  Best practice: change the native VLAN on all trunk links to an unused,
  non-routable VLAN (e.g., VLAN 999):
  Switch(config-if)# switchport trunk native vlan 999
  (match on both ends of every trunk)
            

5. Why Trunk Ports Are Not Listed in show vlan

This is the single most tested show vlan concept on the CCNA exam, and it causes real-world confusion constantly.

A trunk port carries multiple VLANs simultaneously, each frame tagged with its VLAN ID using 802.1Q. Because a trunk port does not belong to one VLAN the way an access port does, it is not assigned to any VLAN in the VLAN database. Therefore it does not appear in the Ports column of show vlan output for any VLAN.

  Scenario: Switch has Gi0/1 (access, VLAN 10) and Gi0/24 (trunk to another switch)

  Switch# show vlan brief

  VLAN Name         Status    Ports
  ---- ------------ --------- -------------------------
  1    default      active    (none — all moved to VLANs)
  10   SALES        active    Gi0/1            ← access port Gi0/1 IS listed here
  20   ENGINEERING  active    (none on this switch)

  Notice: Gi0/24 (trunk port) does NOT appear under VLAN 10, 20, or any VLAN.
  This does NOT mean Gi0/24 is ignoring VLAN 10 and 20 — it is actively
  carrying both! To see trunk port VLAN information:

  Switch# show interfaces GigabitEthernet0/24 trunk
  (or: show interfaces trunk)

  Port        Mode         Encapsulation  Status        Native vlan
  Gi0/24      desirable    802.1q         trunking      1

  Port        Vlans allowed on trunk
  Gi0/24      1-4094

  Port        Vlans allowed and active in management domain
  Gi0/24      1,10,20

  → VLAN 10 and 20 ARE active on trunk Gi0/24, even though show vlan
    does not list Gi0/24 in either VLAN's Ports column.
  → Mode "desirable" means this trunk was negotiated by DTP; a trunk
    configured statically with switchport mode trunk shows Mode "on".
    Native vlan 1 and allowed list 1-4094 are the defaults; sections 4
    and 11 explain why both should be changed.
            

See Access & Trunk Ports for the full trunk configuration reference, and Layer 2 Troubleshooting Lab for hands-on practice with this exact scenario.
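The four sections of show interfaces trunk are the other half of the picture, and in practice you compare them against the VLANs you expect to cross the link (the Scenario C check in section 10) and against the trunk hardening this page recommends. The Python script below is an added example, not part of the original page and not Cisco software: it parses all four sections, expands VLAN lists such as 1-4094 into sets, reports which required VLANs are missing from the "allowed and active" list, and flags a DTP-negotiated trunk, native VLAN 1, and an unrestricted allowed list. The sample output and port names are constructed; Gi0/23 is a hardened trunk and Gi0/24 reproduces the weak defaults shown above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of "show interfaces trunk" output (not captured from a
# real switch). Gi0/23 is hardened; Gi0/24 has DTP, native VLAN 1, all VLANs
# allowed, and VLAN 10 absent from the active list.
SHOW_INTERFACES_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi0/23      on           802.1q         trunking      999
Gi0/24      desirable    802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/23      10,20,30
Gi0/24      1-4094

Port        Vlans allowed and active in management domain
Gi0/23      10,20,30
Gi0/24      1,20,30

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/23      10,20,30
Gi0/24      1,20,30
"""


def expand_vlan_list(spec):
    """'1,10-12,20' -> {1, 10, 11, 12, 20}; 'none' -> empty set."""
    vids = set()
    for part in spec.split(","):
        part = part.strip()
        if not part or part == "none":
            continue
        lo, _, hi = part.partition("-")
        vids.update(range(int(lo), int(hi or lo) + 1))
    return vids


@dataclass
class Trunk:
    port: str
    mode: str = ""
    encapsulation: str = ""
    status: str = ""
    native_vlan: int = 0
    allowed: set = field(default_factory=set)
    active: set = field(default_factory=set)
    forwarding: set = field(default_factory=set)


# Each "Port ..." header line opens one of the four sections of the output.
SECTIONS = (
    ("native vlan", "summary"),
    ("allowed and active", "active"),
    ("allowed on trunk", "allowed"),
    ("forwarding state", "forwarding"),
)


def parse_show_interfaces_trunk(text):
    """Return {port: Trunk} from show interfaces trunk output."""
    trunks, section = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("Port"):
            header = line.lower()
            section = next((name for key, name in SECTIONS if key in header), None)
            continue
        fields = line.split()
        t = trunks.setdefault(fields[0], Trunk(fields[0]))
        if section == "summary":
            t.mode, t.encapsulation, t.status = fields[1], fields[2], fields[3]
            t.native_vlan = int(fields[4])
        elif section in ("allowed", "active", "forwarding"):
            setattr(t, section, expand_vlan_list(fields[1]))
    return trunks


def vlans_missing_on_trunk(trunk, required):
    """VLANs that should cross this trunk but are not allowed-and-active on it."""
    return sorted(set(required) - trunk.active)


def audit_trunk(trunk):
    """Hardening findings for one trunk: DTP, native VLAN 1, unrestricted allowed list."""
    findings = []
    if trunk.mode != "on":
        findings.append(f"{trunk.port}: trunk was negotiated by DTP (mode {trunk.mode}); "
                        "set switchport mode trunk and switchport nonegotiate")
    if trunk.native_vlan == 1:
        findings.append(f"{trunk.port}: native VLAN is 1; move it to an unused VLAN "
                        "(switchport trunk native vlan 999)")
    if len(trunk.allowed) == 4094:
        findings.append(f"{trunk.port}: all VLANs allowed; restrict with "
                        "switchport trunk allowed vlan <list>")
    return findings


if __name__ == "__main__":
    trunks = parse_show_interfaces_trunk(SHOW_INTERFACES_TRUNK)
    for t in trunks.values():
        print(t.port, "missing VLANs:", vlans_missing_on_trunk(t, {10, 20, 30}))
        for finding in audit_trunk(t):
            print("FINDING:", finding)
```

The "required" set is whatever you expect to span the link: on a real network, derive it from the VLANs that have access ports on both switches. A VLAN can be in the allowed list but absent from the active list when it does not exist locally or has been pruned, which is why the check uses the active list rather than the allowed one.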

6. Complete VLAN Verification Command Set

  Command / what it shows / when to use it
  --------------------------------------------------------------------------
  show vlan
    Shows: every VLAN in the database with ID, name, status and access
    port assignments (normal, extended and reserved VLANs), followed by a
    lower section with VLAN type, SAID, MTU, RSPAN and private-VLAN details.
    Use: first check when a VLAN is missing or a host cannot reach others
    in the same VLAN.
  show vlan brief
    Shows: the same VLAN table without the lower detail section.
    Use: quick overview of all VLANs and their access ports; the most
    commonly used variant in day-to-day operations.
  show vlan id <n>
    Shows: everything for one VLAN: status, ports and the detail fields.
    Use: investigating a single VLAN without the noise of the whole database.
  show interfaces trunk
    Shows: all trunk ports with mode, encapsulation, native VLAN, allowed
    VLANs, and VLANs allowed and active in the management domain.
    Use: hosts in the same VLAN on different switches cannot communicate;
    verify the VLAN is allowed and active on the trunk between them.
  show interfaces <int> switchport
    Shows: full switchport state for one port: administrative and
    operational mode (access/trunk), access VLAN, trunk VLANs, native
    VLAN, voice VLAN, DTP negotiation.
    Use: verifying a single port's VLAN assignment in detail; confirms
    whether the port is really access or trunk operationally.
  show interfaces switchport
    Shows: the same detail for every interface on the switch.
    Use: full VLAN audit of all ports; verbose but comprehensive.
  show spanning-tree vlan <n>
    Shows: STP topology for one VLAN: root bridge, port roles, port states.
    Use: the VLAN is active and the trunk is verified but traffic still does
    not flow; STP may be blocking a port.
  show vtp status
    Shows: VTP mode (server/client/transparent/off), domain name,
    configuration revision number, and number of VLANs.
    Use: VLANs disappearing unexpectedly, or a suspended VLAN whose state
    may have come from the VTP server.

show vlan vs show interfaces trunk — Side by Side

  show vlan brief:                  show interfaces trunk:
  ──────────────────────────────    ──────────────────────────────────────
  VLAN 10 → Gi0/1, Gi0/2           Gi0/24 trunking, native vlan 1
  (access ports only)               VLANs allowed: 1-4094
                                    VLANs active:  1,10,20,30
  Tells you: which access ports     Tells you: which VLANs cross which
  are in each VLAN on THIS switch   trunk links

  Need BOTH commands to get the complete picture of VLAN connectivity.
            

See Layer 2 Troubleshooting Lab for step-by-step practice using both commands together.

7. VLAN Configuration — Creating, Naming, and Assigning

Create a VLAN and Assign a Name

  ! Method 1: VLAN configuration mode from global config (most common):
  Switch(config)# vlan 10
  Switch(config-vlan)# name SALES
  Switch(config-vlan)# exit

  Switch(config)# vlan 20
  Switch(config-vlan)# name ENGINEERING
  Switch(config-vlan)# exit

  ! Method 2 — create multiple VLANs in one command:
  Switch(config)# vlan 10,20,30,40
  ! Creates all four VLANs; assign names separately

  ! Verify VLANs were created:
  Switch# show vlan brief
  VLAN Name         Status    Ports
  ---- ------------ --------- ------
  10   SALES        active
  20   ENGINEERING  active
  ! (No ports yet — no access ports have been assigned)
            

Assign an Access Port to a VLAN

  Switch(config)# interface GigabitEthernet0/5
  Switch(config-if)# description PC - John Smith
  Switch(config-if)# switchport mode access      ! must explicitly set access mode
  Switch(config-if)# switchport access vlan 10   ! assign to VLAN 10
  Switch(config-if)# switchport nonegotiate      ! disable DTP negotiation (security)
  Switch(config-if)# spanning-tree portfast      ! skip STP listening/learning for end hosts
  Switch(config-if)# no shutdown

  ! IMPORTANT: if VLAN 10 does not exist yet, current IOS releases create it
  ! automatically (with the default name VLAN0010) and print a message saying
  ! so. Where the switch cannot create VLANs (a VTP client, or older
  ! releases), the port is assigned to a VLAN that is not in the database:
  ! show vlan does not list it, show interfaces switchport reports
  ! "Access Mode VLAN: 10 (Inactive)", and the port forwards nothing.
  ! Always create the VLAN explicitly BEFORE assigning ports.

  ! Verify the assignment:
  Switch# show vlan brief
  10   SALES   active   Gi0/5    ← Gi0/5 now appears under VLAN 10 ✓

  Switch# show interfaces GigabitEthernet0/5 switchport
  Administrative Mode: static access
  Operational Mode: static access
  Access Mode VLAN: 10 (SALES)   ← confirms the port is in VLAN 10
            

See Assigning VLANs to Switch Ports Lab for hands-on practice with this configuration workflow.

Remove a Port from a VLAN (Return to VLAN 1)

  Switch(config)# interface GigabitEthernet0/5
  Switch(config-if)# no switchport access vlan
  ! Returns the port to VLAN 1 (default)

  ! Delete a VLAN from the database:
  Switch(config)# no vlan 10
  ! WARNING: deleting a VLAN while ports are still assigned to it leaves
  ! those ports pointing at a VLAN that no longer exists: show interfaces
  ! switchport reports the access VLAN as "(Inactive)" and the ports stop
  ! forwarding. Reassign the ports first, and on a VTP server remember that
  ! the deletion propagates to every client in the domain.
            

Configure a Trunk Port

  ! Port connecting to another switch or a router (router-on-a-stick):
  Switch(config)# interface GigabitEthernet0/24
  Switch(config-if)# switchport trunk encapsulation dot1q  ! on switches that need it
  Switch(config-if)# switchport mode trunk
  Switch(config-if)# switchport trunk allowed vlan 10,20,30
  Switch(config-if)# switchport trunk native vlan 999      ! security best practice
  Switch(config-if)# switchport nonegotiate                ! disable DTP

  ! Verify:
  Switch# show interfaces GigabitEthernet0/24 trunk
  ! Confirm trunk is active; VLANs 10,20,30 appear in "allowed and active" list
            

See: Trunk Configuration | Access & Trunk Ports | Router-on-a-Stick | show running-config (verify VLAN/trunk config) | VLAN Configuration Lab

8. show interfaces switchport — Reading the Output

show interfaces <int> switchport is the deepest single-port VLAN verification command. It shows both the administrative mode (what was configured) and the operational mode (what is actually running) — these can differ when DTP negotiation is involved.

  Switch# show interfaces GigabitEthernet0/5 switchport

  Name: Gi0/5
  Switchport: Enabled
  Administrative Mode: static access          ← configured as: access
  Operational Mode: static access             ← actually running as: access
  Administrative Trunking Encapsulation: dot1q
  Operational Trunking Encapsulation: native
  Negotiation of Trunking: Off                ← DTP disabled (nonegotiate)
  Access Mode VLAN: 10 (SALES)                ← assigned to VLAN 10, named SALES
  Trunking Native Mode VLAN: 1 (default)
  Administrative Native VLAN tagging: disabled
  Voice VLAN: none
  Trunking VLANs Enabled: ALL
  Pruning VLANs Enabled: 2-1001
  Capture Mode Disabled

  Key fields to check:
  Administrative Mode vs Operational Mode:
    static access and trunk are fixed: a port configured with
    switchport mode access never becomes a trunk, and switchport mode trunk
    never falls back to access. Only the dynamic modes are negotiated:
    If admin=dynamic desirable/auto but operational=static access → DTP did
    not form a trunk; the far end is probably access or dynamic auto.
    If admin=dynamic auto (the default on many platforms) but
    operational=trunk → the far end negotiated a trunk via DTP on a port
    you never configured as one; a host port that trunks is a security
    risk. Fix with switchport mode access plus switchport nonegotiate.

  Access Mode VLAN → confirms exactly which VLAN the port is in.
  Voice VLAN       → if an IP phone is connected, it will have a
                     separate voice VLAN entry here.
            

9. VTP and Its Effect on show vlan Output

VTP (VLAN Trunking Protocol) is a Cisco protocol that propagates VLAN database changes from a VTP Server switch to all VTP Client switches across trunk links. Understanding VTP is critical for interpreting show vlan output because VTP can add, remove, or suspend VLANs without any local configuration action.

  VTP modes and their effect on show vlan:

  ┌─────────────────┬──────────────────────────────────────────────────────┐
  │ VTP Server      │ Can create, modify, delete VLANs.                   │
  │                 │ Propagates VLAN database to all clients.             │
  │                 │ show vlan shows VLANs from local DB + received.     │
  ├─────────────────┼──────────────────────────────────────────────────────┤
  │ VTP Client      │ Cannot create or delete VLANs locally.              │
  │                 │ Receives VLAN database from the VTP server.         │
  │                 │ show vlan shows only what the server sent.           │
  ├─────────────────┼──────────────────────────────────────────────────────┤
  │ VTP Transparent │ Does not participate in VTP. Creates its own VLANs  │
  │                 │ locally and forwards VTP messages it receives.       │
  │                 │ show vlan shows only locally configured VLANs.      │
  ├─────────────────┼──────────────────────────────────────────────────────┤
  │ VTP Off         │ Same as Transparent but does not forward VTP msgs.  │
  └─────────────────┴──────────────────────────────────────────────────────┘

  The VTP danger scenario:
  A switch in the same VTP domain (server OR client mode; clients relay
  their database too) is connected with a HIGHER configuration revision
  number. Its (possibly empty) VLAN database overwrites the existing
  database on every server and client in the domain → ALL VLANs disappear
  and every access port in those VLANs goes inactive.

  Prevention:
  • Set new switches to VTP Transparent before connecting to the network
  • Verify: Switch# show vtp status (mode and Configuration Revision)
  • Reset the revision number to 0 before connecting: change the VTP
    domain name to a throwaway value and back (each change resets it), or
    set the mode to transparent and then back to the intended mode
  • Configure a VTP password on every switch in the domain
            

10. Step-by-Step Troubleshooting Scenarios

Scenario A — Host Cannot Reach Anyone (Same VLAN)

  PC1 (VLAN 10, 192.168.10.10) cannot ping PC2 (VLAN 10, 192.168.10.20).
  Both are connected to the same switch.

  Step 1: show vlan brief
  VLAN Name    Status    Ports
  10   SALES   active    Gi0/1       ← only PC1's port is listed
  20   ENG     active    Gi0/4, Gi0/5

  Diagnosis: PC2's port (Gi0/2) is NOT listed under VLAN 10.
  Gi0/2 is either: in VLAN 1 (default), in a different VLAN, or a trunk port.

  Step 2: show interfaces Gi0/2 switchport
  Access Mode VLAN: 1 (default)    ← PC2's port is in VLAN 1, not VLAN 10!

  Fix:
  Switch(config)# interface GigabitEthernet0/2
  Switch(config-if)# switchport mode access
  Switch(config-if)# switchport access vlan 10

  Verify: show vlan brief → Gi0/2 now appears under VLAN 10 ✓
  Confirm connectivity: ping 192.168.10.20 from PC1
            

Scenario B — VLAN Missing from show vlan

  Engineer expects VLAN 30 (SERVERS) to exist but it is not in show vlan output.

  Possible causes:
  1. VLAN 30 was never created → create it:
     Switch(config)# vlan 30
     Switch(config-vlan)# name SERVERS

  2. Switch is a VTP Client and the VTP Server never had VLAN 30 → create
     VLAN 30 on the VTP Server; it will propagate to all clients.
     Or change this switch to VTP Transparent if it needs its own VLANs.

  3. VLAN 30 exists but was deleted accidentally → check all switches in
     the path; recreate on VTP Server.

  4. show vlan does show VLAN 30 but it says "suspended":
     Switch(config)# vlan 30
     Switch(config-vlan)# state active    ! restore to active state
     On a VTP client the command is refused: the suspended state came
     from the VTP server, so fix it there and let it propagate.
     Investigate what caused the suspension (admin action, VTP server).
            

Scenario C — Cross-Switch VLAN Communication Failing

  PC1 (VLAN 10, SW1) cannot reach PC3 (VLAN 10, SW2). Same VLAN, different switches.

  Step 1: show vlan brief on both switches — VLAN 10 exists on both ✓

  Step 2: show interfaces trunk on SW1
  Port     Vlans allowed and active in management domain
  Gi0/24   1,20,30        ← VLAN 10 is NOT in this list!

  Diagnosis: VLAN 10 is not allowed on the trunk between SW1 and SW2.
  Fix:
  SW1(config)# interface GigabitEthernet0/24
  SW1(config-if)# switchport trunk allowed vlan add 10

  Verify:
  SW1# show interfaces trunk
  Gi0/24   1,10,20,30     ← VLAN 10 now present ✓

  Step 3 (if trunk looks correct): check show spanning-tree vlan 10
  If a port shows "BLK" (Blocking) or "LIS/LRN", STP is preventing
  forwarding — investigate STP topology for VLAN 10.
            

See Layer 2 Troubleshooting Lab for a full walkthrough of this cross-switch VLAN scenario including STP checks.

Scenario D — Port Moves to Access VLAN Not Yet Created

  Engineer assigns Gi0/8 to VLAN 50 before creating VLAN 50:
  Switch(config-if)# switchport access vlan 50
  % Access VLAN does not exist; creating vlan 50
  ! Current IOS releases auto-create the VLAN with the default name
  ! VLAN0050, and it then shows as "active" in show vlan. Give it a name:
  Switch(config)# vlan 50
  Switch(config-vlan)# name GUEST

  Where the switch cannot create VLANs (a VTP client, or older releases),
  the port is assigned but VLAN 50 never appears in show vlan:
  show interfaces Gi0/8 switchport reports "Access Mode VLAN: 50 (Inactive)"
  and the port forwards nothing until the VLAN is created (on the VTP
  server, if VTP is in use). Always verify after assignment.
            

See: STP/PVST | Spanning Tree | Trunking | show logging
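The per-port checks from section 8 (administrative versus operational mode, DTP still negotiating) and the "(Inactive)" access VLAN from Scenario D are both visible in show interfaces switchport, so one script can audit every port at once. The Python below is an added example, not part of the original page and not Cisco software: it parses the field: value blocks of show interfaces switchport (one block per Name: line), extracts the VLAN number and label from fields such as Access Mode VLAN, and flags a port left in a dynamic mode that DTP turned into a trunk, a port with DTP still enabled, and a port whose access VLAN is missing from the database. The sample output and port names are constructed: Gi0/5 is a correct access port, Gi0/8 was left at dynamic auto and negotiated a trunk, and Gi0/9 was assigned to VLAN 50 before that VLAN existed.

```python
import re

# Constructed sample of "show interfaces switchport" output (not captured
# from a real switch): a correct access port, a port left at the default
# dynamic auto that DTP turned into a trunk, and a port assigned to a VLAN
# that does not exist in the database.
SHOW_SWITCHPORT = """\
Name: Gi0/5
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 10 (SALES)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none

Name: Gi0/8
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none

Name: Gi0/9
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 50 (Inactive)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
"""

VLAN_FIELD = re.compile(r"^(\d+)\s*\((.*)\)$")   # "10 (SALES)" -> (10, "SALES")


def parse_show_interfaces_switchport(text):
    """Return {port_name: {field: value}} from show interfaces switchport output."""
    ports, current = {}, None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue                      # blank line, or a line without a field
        key, value = key.strip(), value.strip()
        if key == "Name":
            current = ports.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return ports


def vlan_field(info, key):
    """(vlan_id, label) for fields such as Access Mode VLAN or Trunking Native Mode VLAN."""
    m = VLAN_FIELD.match(info.get(key, ""))
    return (int(m.group(1)), m.group(2)) if m else (None, None)


def audit_port(name, info):
    """Findings: DTP-negotiated mode, DTP still enabled, access VLAN missing from the database."""
    findings = []
    admin = info.get("Administrative Mode", "")
    oper = info.get("Operational Mode", "")
    if admin.startswith("dynamic"):
        findings.append(f"{name}: mode is '{admin}' and DTP settled on '{oper}'; "
                        "configure switchport mode access or switchport mode trunk explicitly")
    if info.get("Negotiation of Trunking") == "On":
        findings.append(f"{name}: DTP is enabled; add switchport nonegotiate")
    vid, label = vlan_field(info, "Access Mode VLAN")
    if label == "Inactive":
        findings.append(f"{name}: access VLAN {vid} does not exist in the VLAN database; "
                        f"create it with 'vlan {vid}' (the port forwards nothing until then)")
    return findings


if __name__ == "__main__":
    ports = parse_show_interfaces_switchport(SHOW_SWITCHPORT)
    for name, info in ports.items():
        print(name, "access VLAN:", vlan_field(info, "Access Mode VLAN"))
        for finding in audit_port(name, info):
            print("FINDING:", finding)
```

Run it over the full show interfaces switchport output rather than one port at a time and the DTP finding on a port you believed was an access port is exactly the "admin=dynamic auto, operational=trunk" case from section 8; a port configured as static access never produces it.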

11. Best Practices for VLAN Management

  Best practice / why it matters / how to implement
  --------------------------------------------------------------------------
  Use descriptive VLAN names
    Why: a name like SALES is immediately meaningful in show vlan output;
    VLAN0010 requires consulting documentation every time.
    How: Switch(config-vlan)# name SALES
  Change the native VLAN from VLAN 1
    Why: VLAN 1 is the default native VLAN, so untagged frames land in
    VLAN 1; VLAN hopping attacks exploit this, and an unused native VLAN
    mitigates the risk.
    How: switchport trunk native vlan 999 (match both ends).
    See Access & Trunk Ports.
  Explicitly restrict trunk allowed VLANs
    Why: by default all VLANs (1–4094) are allowed on a trunk; restricting
    to the VLANs actually needed reduces the attack surface and cuts
    unnecessary BUM traffic.
    How: switchport trunk allowed vlan 10,20,30
  Keep VLAN IDs consistent across all switches
    Why: VLAN 10 on SW1 must be VLAN 10 on SW2 for traffic to flow across
    trunk links; a VLAN ID mismatch means hosts in "the same VLAN" on
    different switches cannot communicate.
    How: use VTP, or manually configure matching VLAN IDs and names on
    every switch in the path. Verify with show running-config.
  Set VTP mode to Transparent on non-server switches
    Why: prevents an accidental VTP update from overwriting the VLAN
    database when a new switch is connected.
    How: vtp mode transparent
  Create a dedicated "parking lot" VLAN for unused ports
    Why: moves unused ports out of VLAN 1 into a suspended or isolated
    VLAN, reducing the attack surface for rogue device connections.
    How: create vlan 999 named PARKING_LOT; assign all unused ports to it
    and shut them down.
  Verify with show vlan after every change
    Why: confirms the change took effect, catches typos in VLAN IDs, and
    verifies port assignments immediately.
    How: show vlan brief after every configuration step.

12. Exam Tips & Key Points

  • show vlan displays VLAN IDs, names, status, and access port assignments. Trunk ports are never listed — use show interfaces trunk for trunk port VLAN information.
  • A VLAN must exist in the database before it forwards traffic. If a port is assigned to a non-existent VLAN, the port will have no connectivity. Use ping to confirm.
  • The three VLAN status values: active (forwarding), suspended (present but not forwarding — devices lose connectivity), inactive (rare). A suspended VLAN is the most impactful possible silent failure on a switch.
  • VLAN 1 is the default — all ports start there; it cannot be deleted. VLANs 1002–1005 are reserved legacy VLANs; they cannot be deleted or assigned to ports.
  • Normal range VLANs: 1–1005. Extended range: 1006–4094 (requires VTP transparent or off mode in VTP v1/v2). See VLAN Overview.
  • Know all four verification commands and when to use each: show vlan brief (VLAN database + access ports), show interfaces trunk (trunk ports + VLAN allowed/active lists), show interfaces <int> switchport (one port — admin vs operational mode, access VLAN), show vtp status (VTP mode and revision).
  • The troubleshooting sequence for "host cannot communicate": (1) show vlan brief — does the VLAN exist and is the port in it? (2) show interfaces trunk — is the VLAN allowed on the trunk? (3) show spanning-tree vlan <n> — is STP blocking a port? Use ping to confirm each fix.
  • For inter-VLAN routing between VLANs, use router-on-a-stick or Layer 3 switch SVIs.
  • VTP danger: a new switch with a higher revision number connecting to the network can wipe all VLANs from client switches. Always set new switches to VTP Transparent before connecting. Check show logging for VTP event messages.
  • For management VLAN SSH access, configure an SVI (interface vlan X with an IP address) and use SSH on the VTY lines. Monitor with SNMP.

13. Summary Reference Table

  Topic                   Key detail
  ----------------------  ----------------------------------------------------
  Primary command         show vlan or show vlan brief
  What it shows           VLAN ID, name, status, and access port assignments
  What it does NOT show   Trunk ports (use show interfaces trunk)
  Default VLAN            VLAN 1; all ports start here; cannot be deleted
  Reserved VLANs          1002–1005 (FDDI/Token Ring); show as act/unsup;
                          cannot be deleted
  Extended range          1006–4094; requires VTP transparent/off in VTP v1/v2
  Create VLAN             vlan <id> then name <name>
  Assign access port      switchport mode access then switchport access vlan <id>
                          (see Access & Trunk Ports)
  VLAN "suspended" fix    vlan <id> / state active on the switch that owns the
                          database (the VTP server, if VTP is in use)
  Verify single port      show interfaces <int> switchport
  Verify trunk VLANs      show interfaces trunk
  VTP mode check          show vtp status
  STP blocking check      show spanning-tree vlan <n>
  Inter-VLAN routing      Router-on-a-Stick or Layer 3 switch SVIs

show vlan Quiz

1. What information does show vlan display, and what important information does it NOT show?

Correct answer is C. show vlan displays the VLAN database table with four columns: VLAN ID (numeric), Name (text label up to 32 characters), Status (active/suspended/inactive), and Ports (access ports assigned to this VLAN). The most critical limitation to understand — and the most commonly tested point on the CCNA exam — is that trunk ports are never listed in this output. A trunk port carries multiple VLANs simultaneously using 802.1Q tagging, so it is not a member of any single VLAN and does not appear in any VLAN's Ports column. To see which VLANs are active on trunk links, use show interfaces trunk. Combining show vlan brief with show interfaces trunk gives the complete VLAN picture on a switch.

2. A VLAN shows status "suspended" in show vlan output. What does this mean for connected devices, and what are the two most likely causes?

Correct answer is A. A suspended VLAN is one of the most impactful silent failures on a switch. The VLAN still exists in the database (it shows in show vlan), ports may still be assigned to it, but the VLAN forwards no frames: every device in the VLAN loses connectivity completely. Use ping to confirm the loss. The two most common causes: (1) an administrator ran Switch(config-vlan)# state suspend, intentionally (for example to park a VLAN) or by mistake; (2) the switch is a VTP client and received the suspended state from the VTP server, because a VLAN's active/suspended state is part of the database VTP propagates. To restore: Switch(config)# vlan <id> then Switch(config-vlan)# state active, run on the switch that owns the database (the VTP server, if VTP is in use). Check show vtp status to see which case applies and show logging for recent configuration events.

3. Which VLAN is the default VLAN on Cisco switches, what are its unique properties, and why should it not be used for regular user traffic?

Correct answer is D. VLAN 1 is the Cisco default VLAN with several unique properties: (1) every switch port is a member of VLAN 1 when the switch leaves the factory; (2) VLAN 1 cannot be deleted or renamed; (3) VLAN 1 is the default native VLAN on 802.1Q trunk links, so untagged frames arriving on a trunk are placed into VLAN 1; (4) CDP, VTP, DTP and the native VLAN's STP BPDUs are sent untagged, so by default they ride VLAN 1. Using VLAN 1 for regular user data traffic violates security best practice: management-plane traffic for the switch itself is mixed with user data, and VLAN hopping attacks target the native VLAN by sending double-tagged 802.1Q frames to bypass VLAN isolation. Best practice: move all user traffic to VLANs 10, 20, 30 etc., and change the trunk native VLAN to an unused, non-routable VLAN like 999. See VLAN Overview.

4. What does the "Ports" column in show vlan output show, and why would a VLAN have an empty Ports column even though hosts in that VLAN are communicating normally?

Correct answer is B. The Ports column in show vlan output lists only the access ports on this specific switch that are assigned to this VLAN. Trunk ports are never listed. This means a VLAN can appear with an empty Ports column in two completely normal scenarios: (1) The VLAN exists on this switch but all of its hosts are connected to other switches; traffic flows over trunk links to this switch and then across to the other switches — the trunk carries the VLAN but the trunk port does not appear in the Ports column; (2) The VLAN is a management or transit VLAN that has an SVI (Layer 3 interface) but no directly connected hosts on access ports. An empty Ports column by itself does not indicate a problem — always also run show interfaces trunk to see which trunk ports are carrying the VLAN.

5. A host on VLAN 10 of Switch 1 cannot reach a host on VLAN 10 of Switch 2. show vlan brief on both switches confirms VLAN 10 exists and the correct ports are assigned. What should be checked next?

Correct answer is C. Once show vlan brief confirms that VLAN 10 exists on both switches and the correct access ports are assigned, the next logical step in the troubleshooting sequence is to verify the trunk link between the two switches. show interfaces trunk on each switch reveals: whether the uplink port is actually in trunking state (not just configured for it); which VLANs are in the "allowed" list; and critically, which VLANs are in the "VLANs allowed and active in management domain" list — if VLAN 10 is absent from this final list, it is being pruned or was not added to the allowed list. This is the most common cause of cross-switch VLAN failures after the VLAN itself is confirmed to exist. The command show vlan trunk (option D) does not exist in Cisco IOS. See Layer 2 Troubleshooting Lab.

6. An engineer runs show vlan brief and does not see VLAN 50. A port has already been assigned to VLAN 50 with switchport access vlan 50. What are the correct next steps?

Correct answer is A. Assigning a port to a VLAN with switchport access vlan 50 before the VLAN exists in the database is a common configuration error. On current IOS releases the command succeeds and IOS auto-creates the VLAN with the default name VLAN0050; where the switch cannot create VLANs (a VTP client, or older releases), the port is assigned but VLAN 50 does not appear in show vlan, show interfaces switchport reports "Access Mode VLAN: 50 (Inactive)", and the port forwards nothing. In either case the VLAN should be created explicitly and named. The correct sequence is: (1) vlan 50 → (2) name SERVERS → (3) assign ports with switchport access vlan 50. Always create the VLAN first, then assign ports, and verify with show vlan brief after each step. Use ping to confirm connectivity. See Assigning VLANs to Switch Ports Lab.

7. Why might a VLAN show as "suspended" in show vlan, and what is the single-line IOS command to restore it to active state?

Correct answer is D. A VLAN enters the suspended state for two main reasons: (1) administrative action: an engineer ran Switch(config-vlan)# state suspend, intentionally or accidentally; (2) VTP: the switch is a VTP client and the VTP server holds the VLAN in suspended state, because a VLAN's active/suspended state is part of the database VTP propagates. A VLAN with no ports assigned does NOT become suspended; it remains active, and an empty Ports column only means no access ports on this switch are in it. The restoration command is Switch(config)# vlan <id> followed by Switch(config-vlan)# state active. On a VTP client the command is refused and the change must be made on the VTP server, from where it propagates; check show vtp status to see which switch that is. Check show logging for recent configuration events.

8. What is the purpose of a Management VLAN, why should it be separate from user VLANs, and what must be configured to allow SSH access to the switch on that VLAN?

Correct answer is B. A Management VLAN is a dedicated VLAN used for switch management traffic — SSH sessions, SNMP polling, Telnet (if still used), syslog, and NTP. Separating management traffic from user data VLANs is a fundamental security best practice: it means that a user workstation in VLAN 10 cannot reach the switch's management interface even if they know the IP — only devices in the Management VLAN can initiate management sessions. To enable SSH access on a specific management VLAN (e.g., VLAN 100): (1) Create the VLAN; (2) Create an SVI: interface vlan 100 / ip address 192.168.100.1 255.255.255.0 / no shutdown; (3) Configure SSH: ip domain-name / crypto key generate rsa / username / line vty 0 4 / login local / transport input ssh. The SVI is the Layer 3 gateway for the management VLAN on that switch.

9. An engineer needs to verify exactly which VLAN a specific port (Gi0/8) belongs to and confirm whether it is operating as an access or trunk port. Which command provides this and what fields should be checked?

Correct answer is C. show interfaces GigabitEthernet0/8 switchport is the definitive per-port VLAN verification command. Its output includes: Administrative Mode (what was configured: static access, trunk, dynamic desirable, dynamic auto); Operational Mode (what is actually running, which differs from the administrative mode only when a dynamic mode let DTP decide); Access Mode VLAN (the VLAN number and name the port uses when operating as an access port, or "(Inactive)" when that VLAN is not in the database); Voice VLAN (if an IP phone is connected); Negotiation of Trunking (whether DTP is running). The admin-vs-operational comparison is crucial: a port left at dynamic auto or dynamic desirable shows Operational Mode: trunk when the far end negotiated a trunk, so a port you meant for a host is no longer isolated. A port configured with switchport mode access never negotiates a trunk; fix a negotiated port with switchport mode access and switchport nonegotiate, and verify with show running-config.

10. In a multi-switch network, what is the most critical best practice for VLAN management, and what VTP-related risk must engineers guard against when adding a new switch?

Correct answer is A. For hosts in the same VLAN to communicate across multiple switches, every switch in the path must have the same VLAN ID. If SW1 has VLAN 10 and SW2 has no VLAN 10, traffic tagged as VLAN 10 arriving at SW2 over the trunk is not associated with any VLAN and is dropped. VLAN names also need to match for clarity and management, though technically only the ID affects forwarding. The critical VTP risk: VTP uses a configuration revision number to decide which switch has the most recent VLAN database. A newly connected switch in the same domain with a higher revision number (server or client mode) pushes its VLAN database to every other server and client, potentially overwriting all existing VLANs with its own (possibly empty) database and causing a complete network outage. Prevention: always set new switches to vtp mode transparent before connecting them to the production network, reset their revision counter to 0 by temporarily changing the VTP domain name (the counter resets on a domain name change), and use a VTP password. Verify with show vtp status, which reports mode, domain and revision number directly, and check show logging for VTP events.
