📘 CCNA 200-301 v1.1
2.1 Configure and verify VLANs (normal range) spanning multiple switches
2.1.b Default VLAN
1. What is a VLAN?
Before understanding the default VLAN, you must recall what a VLAN (Virtual Local Area Network) is.
- A VLAN logically separates a single physical switch network into multiple broadcast domains.
- Devices in different VLANs cannot communicate with each other unless a router or Layer 3 device is used.
- Each VLAN is identified by a VLAN ID (number between 1–4094).
So instead of having all devices in one big LAN, VLANs allow you to divide them for better security, management, and performance.
2. What is the Default VLAN?
When you take a new switch out of the box (factory default), it already has a default VLAN configured.
This is called VLAN 1.
Key points:
- VLAN 1 is the default VLAN on all Cisco switches.
- It is automatically created and cannot be deleted or renamed.
- All switch ports (interfaces) are assigned to VLAN 1 by default.
- Control-plane protocols such as CDP, VTP, DTP, and PAgP also use VLAN 1 by default.
- VLAN 1 is considered a “management VLAN” by default, because the switch’s management IP address (if configured) can be assigned to an interface in VLAN 1.
3. Behavior of the Default VLAN
Let’s look at how VLAN 1 behaves in a Cisco switch:
| Function | Behavior of VLAN 1 |
|---|---|
| Default VLAN for all ports | All access ports belong to VLAN 1 by default. |
| Trunking | All Cisco switches include VLAN 1 in the allowed VLANs on trunk ports by default. Control traffic always passes on VLAN 1. |
| Deletion / Modification | VLAN 1 cannot be deleted, suspended, or renamed. |
| IP address assignment | The management interface (like interface vlan 1) can be used to assign an IP address for remote management (Telnet, SSH, SNMP). |
| Control protocols | CDP, VTP, DTP, PAgP, and STP (for VLAN 1 instance) use VLAN 1 by default. |
4. Why VLAN 1 is Important
- It is the base VLAN used for all internal control and management protocols.
- It ensures connectivity between switches when no VLAN configuration is done yet.
- It helps in initial switch management — for example, when setting up switches for the first time before VLANs are configured.
5. Security Concerns with VLAN 1
Although VLAN 1 is useful, it is not recommended to use it for user or management traffic in production networks.
Reasons:
- It is well known and predictable, which makes it a target for attackers.
- Control plane protocols (CDP, VTP, etc.) already use VLAN 1, so mixing user data with it increases security risks.
- If an attacker connects to a port that’s in VLAN 1, they can see control traffic.
Best practice:
- Do not use VLAN 1 for user data or management traffic.
- Create a separate VLAN for management (e.g., VLAN 10 or VLAN 100).
- Restrict VLAN 1 on trunk ports so it doesn’t carry unnecessary traffic.
6. Default VLAN in Trunk Links
- When you configure trunk ports (using 802.1Q encapsulation), VLAN 1 is included by default in the allowed VLAN list.
- The native VLAN (VLAN 1 by default) is the VLAN whose frames are sent untagged across an 802.1Q trunk.
- Even if you change the native VLAN, VLAN 1 will still exist and continue to handle control traffic.
You can verify this using:
Switch# show interfaces trunk
You will see VLAN 1 listed under “Vlans allowed on trunk” unless manually removed.
7. Commands to View and Verify Default VLAN
You can use these commands to verify VLAN 1 and its configuration:
a) To view VLANs:
Switch# show vlan brief
Output example:
```
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
```
Here, VLAN 1 (default) has all ports assigned to it.
b) To check VLAN database:
Switch# show vlan id 1
This will show detailed information about VLAN 1.
c) To view management interface:
Switch# show ip interface brief
You may see:
```
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  192.168.1.10    YES manual up                    up
```
This shows VLAN 1 being used for switch management.
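As an added example (not part of these notes), a small Python audit that applies the best practices from section 5 to the two verification outputs above: it parses `show vlan brief` (including the indented continuation lines IOS uses for long port lists) and `show interfaces trunk`, then reports access ports still in VLAN 1 and trunks whose native VLAN is 1 or that still allow VLAN 1. Both sample outputs are constructed in the IOS layout, not captured from a real switch.

```python
import re
# Constructed "show vlan brief" sample (not captured from a real switch); IOS wraps long port lists onto indented lines.
SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4,
                                                Fa0/5, Fa0/6
1002 fddi-default                     act/unsup
"""
# Constructed "show interfaces trunk" sample: Gi0/1 is left at defaults, Gi0/2 follows the best practice.
SHOW_INTERFACES_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      1
Gi0/2       on               802.1q         trunking      999

Port        Vlans allowed on trunk
Gi0/1       1-4094
Gi0/2       10,20,999
"""
def parse_vlan_ports(text):
    """Map VLAN ID -> access ports listed under it, joining wrapped continuation lines."""
    vlans, current = {}, None
    for line in text.splitlines():
        if m := re.match(r"^(\d+)\s+\S+\s+\S+\s*(.*)$", line):  # row: id, name, status, ports
            current = int(m.group(1))
            vlans[current] = m.group(2).replace(",", " ").split()
        elif line.startswith(" ") and current is not None:       # wrapped remainder of the port list
            vlans[current] += line.replace(",", " ").split()
    return vlans

def parse_trunks(text):
    """Map trunk port -> {'native': id, 'allowed': set of ids} from show interfaces trunk."""
    trunks, section = {}, None
    for line in text.splitlines():
        if line.startswith("Port"):  # each sub-table opens with its own 'Port' header row
            section = "native" if "Native vlan" in line else "allowed" if "allowed on trunk" in line else None
        elif (fields := line.split()) and section == "native":
            trunks[fields[0]] = {"native": int(fields[-1]), "allowed": set()}
        elif fields and section == "allowed" and fields[0] in trunks:
            for lo, _, hi in (p.partition("-") for p in fields[1].split(",")):  # '1-4094' or '10,20,999'
                trunks[fields[0]]["allowed"].update(range(int(lo), int(hi or lo) + 1))
    return trunks

def audit_vlan1(vlan_text, trunk_text):
    """List the VLAN 1 exposures the notes warn about: items to review, not proof of a problem."""
    findings = [f"{p}: access port still in VLAN 1" for p in parse_vlan_ports(vlan_text).get(1, [])]
    for port, t in parse_trunks(trunk_text).items():
        findings += [f"{port}: native VLAN is still 1"] * (t["native"] == 1)
        findings += [f"{port}: VLAN 1 allowed on trunk"] * (1 in t["allowed"])
    return findings
```

Unused ports are normally left in VLAN 1, so the access-port findings are a review list rather than a fault; the trunk findings correspond directly to the best-practice items in section 5.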
8. Summary Table
| Feature | VLAN 1 (Default VLAN) |
|---|---|
| VLAN ID | 1 |
| Name | default |
| Default Status | Active |
| Assigned Ports | All switch ports by default |
| Deletable | ❌ No |
| Renamable | ❌ No |
| Used by | CDP, VTP, DTP, PAgP, STP |
| Default Native VLAN | Yes (on trunks, by default) |
| Best Practice | Do not use for user or management traffic |
9. Example Configuration (for understanding)
By default:
Switch# show vlan brief
```
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
```
If you create a new VLAN:
```
Switch(config)# vlan 10
Switch(config-vlan)# name Management
Switch(config-vlan)# exit
Switch(config)# interface fa0/1
Switch(config-if)# switchport access vlan 10
```
Now Fa0/1 is no longer in VLAN 1; it belongs to VLAN 10.
10. What You Must Remember for the Exam
✅ VLAN 1 is the default VLAN on Cisco switches.
✅ All ports belong to VLAN 1 until assigned to another VLAN.
✅ VLAN 1 cannot be deleted, renamed, or suspended.
✅ It carries management and control traffic by default.
✅ VLAN 1 is included in trunk links unless manually removed.
✅ Best practice — avoid using VLAN 1 for user or management data.
In summary:
VLAN 1 is the default and foundational VLAN on Cisco switches. It plays a critical role in switch communication and management. While it’s automatically active and necessary for control protocols, it should not be used for regular data traffic in modern networks for security and segmentation reasons.
