{{ summary.title }}
{{ summary.primary }}
{{ summary.line }}
{{ badge.label }}
Use this when you want interface-level proof beyond the explicit VLAN lists below.
Paste only public config snippets; secrets, keys, and management addresses are not needed.
Enter intended access, voice, SVI, or service VLANs to compare against trunk policy.
This is the policy list every checked trunk is expected to match.
Use an unused parking VLAN when that is your trunk standard.
VLAN
Leave blank only when you are checking allowed-list math without VLAN database evidence.
Include platform-reserved IDs plus local parking, quarantine, or fabric-internal VLANs.
Choose the interpretation that matches how your platform treats untagged trunk traffic.
Many environments remove VLAN 1 from data trunks; keep exceptions explicit.
VLAN Evidence Allowed coverage Declared state Verdict Action Copy
{{ row.vlan }} {{ row.evidence }} {{ row.coverage }} {{ row.declaredState }} {{ row.verdict }} {{ row.action }}
Interface Mode Allowed VLANs Native Target drift Verdict Copy
{{ row.name }} {{ row.mode }} {{ row.allowed }} {{ row.native }} {{ row.drift }} {{ row.verdict }}
Severity Scope Evidence Action Copy
{{ row.severityLabel }} {{ row.scope }} {{ row.evidence }} {{ row.action }}
No VLAN findings are active
The current evidence and VLAN policy do not produce warning or blocker rows.
Tags: Diagnostics, Networking, Sysadmin
Cisco Interface Config Generator Generate Cisco interface config for routed, access, or trunk ports, with VLAN validation, syntax profiles, command audit, and copy-ready CLI.
Switchport Config Generator Generate access or trunk switchport CLI for Cisco IOS, NX-OS, or Arista EOS with VLAN normalization, command notes, and paste-safety warnings.
VLAN Capacity Calculator Plan VLAN ID capacity from reserved and existing ranges, then check new segment demand, IPv4 subnet host fit, allocation order, and warnings.
dnsmasq DHCP Config Generator Generate a dnsmasq DHCP scope config with pool checks, router and DNS options, static reservations, PXE/TFTP lines, and audit exports.
Customize
Advanced
:

Most VLAN problems are not caused by one bad number. They appear when several places in the switching design tell different stories about the same VLAN. A port may use VLAN 120 for phones, a trunk may allow only VLANs 10 through 40, the VLAN database may omit VLAN 120, and the native VLAN may still be VLAN 1 on one side of the link. Each statement can look reasonable by itself, while the combined configuration drops traffic, leaks a default segment, or turns a planned change into a troubleshooting window.

A virtual LAN, or VLAN, is a logical Layer 2 segment identified by a numeric VLAN ID. Access ports usually place untagged endpoint traffic into one VLAN. Voice VLAN settings add a second VLAN for phones on the same edge port. A switched virtual interface, or SVI, gives a VLAN a Layer 3 gateway. Trunk ports carry multiple VLANs between switches, routers, hypervisors, firewalls, and wireless controllers. Native VLAN handling adds one more wrinkle because untagged traffic on an 802.1Q trunk is associated with a specific VLAN according to platform behavior and local standard.

Evidence type What it proves What it does not prove
Port assignment A VLAN is referenced by an access port, voice setting, or SVI. The VLAN exists everywhere it must be carried.
Trunk allowed list A trunk is permitted to carry a set of VLAN IDs. Each VLAN is active, used, safe, or allowed on the peer side.
VLAN database A VLAN ID is declared active or appears inactive/suspended locally. The VLAN reaches every required trunk or adjacent switch.
Native VLAN setting Untagged trunk traffic maps to a specific VLAN on that interface. The other end of the trunk uses the same native VLAN.

Change windows, site turnups, trunk pruning, and voice network moves all depend on this agreement. Missing a service VLAN from one uplink can break only a few floors, which makes the fault look like DHCP, call-control, or wireless trouble. Allowing a reserved VLAN can expose a quarantine, parking, or fabric-internal segment. Leaving VLAN 1 in the wrong place can conflict with a security standard even when no user is deliberately assigned to it.

Diagram showing VLAN consistency as agreement between used VLANs, trunk allowed policy, active VLAN database, native VLAN, and findings.
A useful VLAN review compares the VLANs in use, the trunks that carry them, the declared database state, and the native VLAN policy.

The common mistake is treating one list as the whole truth. An allowed list can include VLANs that should be blocked. A VLAN database can show an ID as active while one uplink omits it. A native VLAN can be configured locally and still fail because the peer trunk uses another value. A sound review asks whether each VLAN is used, carried, declared, allowed by policy, and safe to expose.

Text evidence can catch contradictions before a change is pushed, but it cannot replace live peer checks. VLAN consistency is a configuration review, not proof that spanning tree is healthy, the neighbor device agrees, DHCP is reachable, or user traffic is flowing.

How to Use This Tool:

Start with the evidence you trust, then describe the policy that evidence should match.

  1. Paste sanitized switch text into Switch VLAN evidence. Interface blocks, show interfaces trunk sections, show vlan brief rows, and simple vlan command lines can all contribute evidence.
  2. Add intended access, voice, SVI, or service VLANs in Used VLANs. IDs and ranges such as 10,20,30-40,120 are accepted.
  3. Set Expected trunk allowed VLANs to the policy every checked trunk should follow. Use IDs, ranges, all, or none when those match the intended standard.
  4. Enter Expected native VLAN, then fill Declared active VLANs and Reserved or blocked VLANs when you have database or policy evidence.
  5. Choose Native VLAN rule to match the platform or local convention, and set VLAN 1 policy to warn, block, or allow VLAN 1 exposure.
  6. If Review VLAN input appears, fix ignored tokens or VLAN IDs outside 1-4094 before using the findings.
  7. Review Findings Register for the action list, Consistency Ledger for per-VLAN detail, Interface Trunk Matrix for per-trunk drift, and VLAN Consistency Map for category counts.

The sample buttons are useful for learning the workflow: Mixed trunk sample shows drift and missing coverage, while Clean sample shows the expected shape of an aligned review.

Interpreting Results:

Blocker findings should stop or slow a change until the VLAN policy is corrected. They can appear when a used VLAN is missing from the expected trunk allowed list, appears in the reserved or blocked list, is inactive, or violates a blocking VLAN 1 policy. Warning findings usually call out native VLAN policy issues, undeclared VLAN evidence, or VLAN 1 exposure under a warn policy. Notice rows are lower-severity cues, such as extra allowed VLANs or missing trunk evidence.

A clean result means the pasted evidence and policy fields did not trigger the supported checks. It does not prove that peer trunks match, that every switch has the same VLAN database, or that traffic is passing. Use a clean ledger as a configuration-evidence checkpoint, then confirm neighbor trunks and live device state through normal operations.

Output cue Meaning Follow-up
target missing A used or native-related VLAN is absent from the expected allowed list. Add it to required trunks or remove the stale reference.
not found A used VLAN was not found in declared active evidence when declaration evidence exists. Paste complete VLAN database evidence, create the VLAN, or remove the reference.
Target drift A parsed trunk differs from the expected trunk policy. Fix the trunk or document an intentional exception.
Native policy The native VLAN handling does not match the selected rule. Confirm the trunk standard and align both ends of the link.

Technical Details:

IEEE 802.1Q tagging identifies VLAN membership on Ethernet frames so one trunk link can carry multiple Layer 2 segments. In ordinary switch configuration, the valid VLAN ID range checked here is 1-4094. Trunk policy decides which tagged VLANs are permitted, while native VLAN behavior decides how untagged trunk traffic is classified.

Consistency is a set comparison with a few policy rules layered on top. Used VLANs come from explicit user input and recognized access, voice, SVI, and native VLAN evidence. Allowed VLANs come from the expected trunk policy and parsed trunk statements. Declared active state comes from explicit database input plus recognized VLAN rows or VLAN declarations. Reserved or blocked IDs are treated as policy exceptions that should not be used or carried unless deliberately removed from the blocked list.

Rule Core:

Rule area Evidence used Finding behavior
Used VLAN coverage Explicit used list plus parsed access VLANs, voice VLANs, SVIs, and native VLAN references. A used VLAN absent from the expected allowed set becomes a Blocker, except for the native VLAN under separate-native mode.
Declared state Explicit declared VLANs, recognized show vlan brief rows, and vlan declarations. A used VLAN missing from declared evidence becomes a Warning when any declaration evidence exists. Suspended or inactive evidence becomes a Blocker.
Reserved or blocked IDs Policy list such as 1,1002-1005,4094, adjusted for the environment being reviewed. A used blocked VLAN becomes a Blocker. A parsed trunk that carries a blocked ID is also flagged.
Interface trunk drift Parsed trunk allowed lists and native VLAN values from interface blocks or trunk output. Missing target VLANs become Warning findings. Extra VLANs become Notice findings when the expected policy is not all.
VLAN 1 exposure Use or allowance of VLAN 1 in the submitted evidence and policy. The selected VLAN 1 policy reports exposure as Warning, Blocker, or accepted.

Input Bounds and List Semantics:

Input pattern Accepted meaning Important boundary
10,20,30-40 Individual IDs and inclusive ranges, separated by commas, spaces, or semicolons. Every numeric ID must fall within 1-4094.
all The full valid VLAN ID set in the expected allowed policy. Useful for permissive trunks, but it can hide extra-VLAN drift by design.
none An empty expected allowed set. Any used non-native VLAN becomes missing unless policy fields are changed.
Trunk add and remove evidence Recognized interface statements can modify the parsed allowed set for that trunk. Complex vendor syntax still needs human review when the parsed result looks incomplete.

Native VLAN Rules:

Mode Rule Typical use
Cisco-style native must be carried The expected native VLAN should appear in the allowed set. Use when the platform or local standard expects the native VLAN to remain available on trunks.
Native separate from tagged VLAN list The native VLAN should not appear in the tagged allowed set. Use when native traffic is treated as untagged-only and separate from tagged members.
Ignore native membership Native membership is not used for findings. Use only when native handling is outside the reviewed change.

The category chart counts clean used/native VLANs and findings for missing trunks, native policy, reserved IDs, inactive or undeclared state, and VLAN 1 exposure. It is a summary of the same rules, so a high bar in one category should be traced back to the exact rows in Findings Register and Consistency Ledger.

Accuracy Notes:

The checker reviews submitted text and policy fields. It does not log in to switches, poll neighbors, run packet tests, or verify that both ends of a trunk agree in real time.

  • Paste only the configuration or command output needed for the review. Full running configurations, credentials, keys, and management addresses are not needed.
  • Check the address bar before sharing a populated page. Current values may be kept in the browser URL for reload or sharing behavior.
  • Confirm vendor-specific trunk semantics, native VLAN handling, and platform-reserved VLANs against the devices being changed.
  • Use live commands or network monitoring to confirm forwarding state before approving a production change.

Advanced Tips:

  • Keep Used VLANs as the intended service list, not merely the VLANs already seen in pasted evidence. That catches stale trunks before the interface parser has enough context.
  • Use Expected trunk allowed VLANs as the policy baseline for every trunk in the review. Intentional exceptions should be documented separately so Interface Trunk Matrix drift stays meaningful.
  • Fill Declared active VLANs when database state matters. Leaving it blank avoids undeclared checks, while complete evidence lets inactive or missing VLANs surface as findings.
  • Adjust Reserved or blocked VLANs to match the platform and local standard before treating a reserved finding as a production blocker.
  • Change Native VLAN rule only after confirming how the devices handle untagged trunk traffic. The same native VLAN can be correct under one rule and a warning under another.
  • Raise VLAN 1 policy from warn to block when the review is enforcing a hard data-trunk standard, then trace any finding back to the exact ledger or trunk row.

Worked Examples:

Voice VLAN missing from the trunk

Evidence includes switchport voice vlan 120, and Used VLANs includes 120. If Expected trunk allowed VLANs is 10,20,30,40, Consistency Ledger marks VLAN 120 as target missing, and Findings Register reports a Blocker. The practical fix is to carry VLAN 120 on required trunks or remove the stale voice VLAN reference.

Native VLAN policy changes the warning

A site uses native VLAN 999. With Native VLAN rule set to Cisco-style native must be carried, the expected allowed list should include 999. If the same review changes to Native separate from tagged VLAN list, VLAN 999 appearing in the allowed list becomes a Warning instead.

No trunk evidence limits confidence

Suppose Used VLANs, Expected trunk allowed VLANs, and Declared active VLANs all include 10,20,30, but no trunk text is pasted. The ledger can still look clean, while Interface Trunk Matrix shows No trunk evidence and a notice-level action. The next step is to paste trunk evidence or verify the trunk on the device.

Invalid IDs stop the review from being trustworthy

If Reserved or blocked VLANs contains 0,4095, Review VLAN input reports that those tokens are outside VLAN 1-4094. Fix the list before acting on VLAN Consistency Map counts or exported rows.

FAQ:

What VLAN ID range is accepted?

The fields accept VLAN IDs from 1 through 4094. Values outside that range appear under Review VLAN input.

Can I enter VLAN ranges?

Yes. VLAN lists can include individual IDs and ranges such as 10,20,30-40. Expected trunk allowed VLANs also accepts all and none.

Why does the native VLAN rule have different modes?

Platforms and local standards do not always treat native VLAN membership the same way. Choose the mode that matches the trunk policy you are reviewing.

Why did VLAN 1 become a warning or blocker?

VLAN 1 policy controls that severity. If VLAN 1 is used or allowed and the policy is set to warn or block, the finding appears with that severity.

Does a clean result approve the network change?

No. It means the submitted evidence and policy lists did not trigger the supported checks. Confirm peer trunk configuration and live device state before approval.

Glossary:

VLAN
A logical Layer 2 segment identified by a VLAN ID.
Trunk
A switch link that carries multiple VLANs between devices.
Allowed VLAN list
The VLAN IDs a trunk is permitted to carry by policy or interface configuration.
Native VLAN
The VLAN associated with untagged traffic on a trunk according to platform behavior.
SVI
A switched virtual interface, often written as interface VlanX, that gives a VLAN a Layer 3 gateway.
Declared active VLAN
A VLAN ID shown or entered as present in the local VLAN database.
VLAN 1 exposure
Use or trunk allowance of VLAN 1 when local policy expects it to be warned or blocked.

References: