CCIE 400-101: Layer 2 Technologies - Access Ports, VLAN Database, Normal and Extended Range VLANs, Voice VLAN

Access Ports

  • An access port belongs to and carries the traffic of only one VLAN (unless it is configured as a voice VLAN port).  
  • Traffic is received and sent in native formats with no VLAN tagging.  
  • Traffic arriving on an access port is assumed to belong to the VLAN assigned to the port. 
  • If an access port receives an 802.1Q tagged packet, the packet is dropped, and the source MAC address is not learned.  
  • Two types of access ports: static and dynamic. 
  • Static access ports are manually assigned to a VLAN with the switchport access vlan <vlan-id> command. 
  • When a port is configured as dynamic, it receives VLAN information based on the MAC address of incoming packets. A centralized VLAN Membership Policy Server (VMPS) is used to handle the VLAN assignment. The VMPS contains a database of VLAN-to-MAC address mappings, which it then references to send the correct VLAN information to the switch.

VLAN Database

  • By default, VLAN information is saved into the vlan.dat file, which is stored in NVRAM. 
  • This means that even if the startup configuration is erased and the switch is reloaded, the VLANs are still there (as viewed with the show vlan brief command). 
  • VLANs have a variety of configurable parameters, including name, type, and state. 
  • Most commonly, VLANs are given an ID and a name. 


vlan 10
 name CCIE

  • VLANs can be configured either in global configuration mode (above) or VLAN database configuration mode.
  • The VLAN database mode is deprecated and does not support the creation of extended range VLANs.
  • In VTP Transparent mode, the VLANs will also be saved in the running/startup configuration.
  • The vtp file <name> command specifies the VLAN database file. 
  • During boot up, the switch compares the content in the vlan.dat file and the configuration in startup-config to determine if it should use the configuration in vlan.dat or startup-config. 
  • The VTP and VLAN configurations are selected by these conditions: 
    • If both the VLAN database and the configuration file show the VTP mode as transparent and the VTP domain names match, the VLAN database is ignored. The VTP and VLAN configurations in the startup configuration file are used. The VLAN database revision number remains unchanged in the VLAN database. 
    • If the startup VTP mode is server mode, or the startup VTP mode or domain names do not match the VLAN database, VTP mode and VLAN configuration for the first 1005 VLANs are selected by VLAN database information, such as the vlan.dat file. VLANs greater than 1005 are configured from the switch configuration file. 
  • If there is no vlan.dat file, or if the vlan.dat cannot be read, the switch boots with these characteristics:
    • VTP Mode: Server
    • VTP Domain: (no name / empty)
    • VLANs: 1, 1002-1005

Normal and Extended Range VLANs

  • Switches support 4096 VLANs in accordance with the IEEE 802.1Q standard. 
  • These VLANs are organized into two distinct ranges: normal range and extended range. 
  • There are also special purpose VLANs. 
  • VLANs 0 and 4095 are reserved for sytem use only. You cannot see or use these VLANs. 
  • VLAN 1 and VLANs 1002-1005 are default VLANs. Default VLANs are created automatically and cannot be configured or deleted by users. 
  • Extended range VLANs are not stored in the VLAN database.  
  • The switch must be in VTP transparent mode when you create extended range VLANs (except VTPv3). 
  • Before configuring extended-range VLANs, enter the show vlan internal usage privileged EXEC command to see which VLANs have been allocated as internal VLANs.  
  • If you configure a VLAN number that matches the number of an existing internal VLAN, an error message appears and the extended VLAN configuration is denied.  
  • VLANs in the extended range cannot be pruned. The VLAN range for the switchport trunk pruning vlan command remains 1-1005. 

Voice VLAN

  • The voice VLAN feature enables access ports to carry IP voice traffic from an IP phone.
  • You can configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone.
  • The interface supporting a voice VLAN is a mystical case between an access port and a trunk port. Cisco officially calls it a multi-VLAN access port.
  • Sometimes it is referred to as "special 802.1Q trunk" or "mini-trunk".
  • This "multi-VLAN access port" allows only two distinct VLANs (voice and data).
  • The data traffic is untagged.
  • The voice traffic is tagged.
  • The switch communicates the voice VLAN ID to the IP phone using CDP.
  • Voice VLAN support is enabled by adding a single command: switchport voice vlan <vlan-id>.


interface FastEthernet0/1
 switchport mode access
 switchport access vlan 100
 switchport voice vlan 200

sw1#sh int f0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access

Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Disabled
Access Mode VLAN: 100 (VLAN0100)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Trunking VLANs Active: 100
Priority for untagged frames: 0
Override vlan tag priority: FALSE
Voice VLAN: 200
Appliance trust: none


Managing vlan.dat in Cisco IOS
Extended VLAN ID
Good Explanation of the Voice VLAN