This is the second entry in the series. After configuring the basic settings on a Cisco switch in the previous post, it is now time to configure VLANs. When it comes to configuring VLANs on a Cisco switch, you don’t technically need to enable port security, but this is a recommendes step nonetheless.


Disclaimer: this series is not meant to be a replacement for your own testing or for the recommended documentation and training material. It just aims at offering a quick reference for some of the most important tasks you might have to engage with when preparing for the exam. For a comprehensive list of commands and related explanations, please use the official Cisco documentation.


Enabling port security

Port security can only be enabled on access interfaces. It doesn’t make sense to enable port security on trunks because you don’t really want to limit the number of allowed MAC addresses on a trunk which, by definition, allows frames to travel through VLANs. In addition to this, trunks between switches are considered trusted connections.

By default, on Cisco switches all interfaces are set to dynamic desirable (which means that they can be either an access port or a trunk port, but they would prefer to be trunks), a mode that does not allow you to configure port security, therefore you must manually set the port as an access port before being able to configure port security on it.

configure terminal
interface fastEthernet 0/1
switchport mode access
switchport port-security

switchport port-security is the command that effectively enables port security, so it should be left for last and all the configuration commands should be run before it.

Possible options:

  • switchport port-security maximum $number: only a maximum of $number devices are allowed at the time, no specific devices, so you can switch devices and the switch will not block any of them
  • switchport port-security violation < protect | restrict | shutdown >
  • switchport port-security mac-address $mac_address [ sticky ]

If you combine the maximum option with the sticky option, the switch will automatically learn the first n devices that connect to the port.

Finally, if a port goes in err-disabled state because of a port security violation, the way to bring it back up consists in running a shutdown followed by a no shutdown in interface configuration mode. Shutting down a port clears the port security violation that occurred.

Configuring VLANs

To configure VLANs, you need to configure both access ports and trunking ports.

Configuring access ports

configure terminal
interface $interface
switchport mode access
switchport access vlan $vlan number

Configuring trunk ports

switchport trunk encapsulation dot1q
switchport mode trunk

The switchport trunk encapsulation dot1q might not even be accepted on some switches because the protocol defaults to 802.1Q already.

Configure the VLANs that are allowed over a trunk

switchport trunk allowed vlan $options

Deleting a VLAN

To delete a VLAN (in switch configuration mode): no vlan $vlan_number or no interface vlan $vlan_number.