
Configure Cisco IOS VLANs, Trunks & SSH from the CLI

A hands-on Cisco IOS / IOS-XE walkthrough covering VLAN creation, access and 802.1Q trunk ports, secure SSH access with RSA keys, and saving your configuration — with the exact, verified CLI commands.

This guide gives you the exact Cisco IOS / IOS-XE command-line steps that SKYLINE engineers use when bringing a new Catalyst switch into service: creating VLANs, assigning access ports, building an 802.1Q trunk to a neighbouring switch, securing management access with SSH version 2, and saving the configuration so it survives a reboot. The commands below are standard across the Catalyst 1000, 9200 and 9300 families and most IOS-XE switches; minor differences are called out where they exist.

Before you start: you need console or existing access to the switch, an enable (privileged) password, and a plan for your VLAN IDs and IP addressing. Always take a backup of the current configuration before changing a production device.

1. Enter configuration mode

From the privileged EXEC prompt, enter global configuration mode:

Switch> enable
Switch# configure terminal
Switch(config)#

A best practice is to set a meaningful hostname first, because the SSH step later requires it:

Switch(config)# hostname SW-CORE-01
SW-CORE-01(config)#

2. Create VLANs and name them

Create each VLAN in global configuration mode and give it a descriptive name. Names make the network self-documenting:

SW-CORE-01(config)# vlan 10
SW-CORE-01(config-vlan)# name STAFF
SW-CORE-01(config-vlan)# exit
SW-CORE-01(config)# vlan 20
SW-CORE-01(config-vlan)# name VOICE
SW-CORE-01(config-vlan)# exit
SW-CORE-01(config)# vlan 30
SW-CORE-01(config-vlan)# name GUEST
SW-CORE-01(config-vlan)# exit
SW-CORE-01(config)# vlan 99
SW-CORE-01(config-vlan)# name MGMT
SW-CORE-01(config-vlan)# exit

Note: VLAN definitions are stored in a separate vlan.dat file in flash, not in the running or startup configuration. They survive a reboot independently, but a full configuration backup should always include this file.

3. Assign access ports to a VLAN

An access port carries a single VLAN to an end device such as a PC, IP phone or camera. Configure the interface to access mode and assign the VLAN:

SW-CORE-01(config)# interface GigabitEthernet1/0/5
SW-CORE-01(config-if)# switchport mode access
SW-CORE-01(config-if)# switchport access vlan 10
SW-CORE-01(config-if)# spanning-tree portfast
SW-CORE-01(config-if)# exit

To configure a range of ports at once, use the interface range form:

SW-CORE-01(config)# interface range GigabitEthernet1/0/1 - 24
SW-CORE-01(config-if-range)# switchport mode access
SW-CORE-01(config-if-range)# switchport access vlan 10
SW-CORE-01(config-if-range)# exit

For Cisco IP phones with a PC daisy-chained behind them, add a voice VLAN to the same port:

SW-CORE-01(config)# interface GigabitEthernet1/0/6
SW-CORE-01(config-if)# switchport mode access
SW-CORE-01(config-if)# switchport access vlan 10
SW-CORE-01(config-if)# switchport voice vlan 20
SW-CORE-01(config-if)# exit

4. Build an 802.1Q trunk between switches

A trunk carries multiple VLANs over a single link to another switch. On older platforms you must first set the trunk encapsulation to 802.1Q; Catalyst 9000 switches support only dot1q, so that step is unnecessary there. On platforms that do accept the command, including it is harmless.

SW-CORE-01(config)# interface GigabitEthernet1/0/48
SW-CORE-01(config-if)# switchport trunk encapsulation dot1q
SW-CORE-01(config-if)# switchport mode trunk
SW-CORE-01(config-if)# switchport trunk allowed vlan 10,20,30,99
SW-CORE-01(config-if)# switchport trunk native vlan 99
SW-CORE-01(config-if)# exit

Key points: switchport trunk allowed vlan explicitly limits which VLANs cross the link (a security best practice — the default is to allow all). To add or remove VLANs later without retyping the whole list, use the add and remove keywords:

SW-CORE-01(config-if)# switchport trunk allowed vlan add 40
SW-CORE-01(config-if)# switchport trunk allowed vlan remove 30

Setting the native VLAN to an unused, dedicated VLAN (here 99) rather than the default VLAN 1 helps protect against VLAN-hopping. Remember that VLANs 1 and 1002–1005 are reserved and cannot be removed from a trunk.

5. Secure management access with SSH version 2

Telnet sends credentials in clear text and should never be used. To enable SSH you first need a hostname (set above), an IP domain name, and RSA keys. The RSA keys cannot be generated without both a hostname and a domain name configured.

SW-CORE-01(config)# ip domain name example.local
SW-CORE-01(config)# crypto key generate rsa modulus 2048

The modulus can range from 360 to 4096 bits; 2048 is the recommended minimum for production. Generating the RSA key pair automatically enables the SSH server. Next, force SSH version 2 and create a local admin user:

SW-CORE-01(config)# ip ssh version 2
SW-CORE-01(config)# username netadmin privilege 15 secret StrongP@ss!
SW-CORE-01(config)# enable secret AnotherStrongP@ss!

Now apply SSH-only login to the VTY (remote access) lines and authenticate with the local user database:

SW-CORE-01(config)# line vty 0 15
SW-CORE-01(config-line)# transport input ssh
SW-CORE-01(config-line)# login local
SW-CORE-01(config-line)# exec-timeout 10 0
SW-CORE-01(config-line)# exit

Optionally tighten the SSH service further:

SW-CORE-01(config)# ip ssh time-out 60
SW-CORE-01(config)# ip ssh authentication-retries 3

Verify SSH is up:

SW-CORE-01# show ip ssh

6. Configure the management interface

Give the switch a reachable management IP on the dedicated MGMT VLAN (SVI), and set a default gateway if it is a Layer 2 switch:

SW-CORE-01(config)# interface vlan 99
SW-CORE-01(config-if)# ip address 192.168.99.10 255.255.255.0
SW-CORE-01(config-if)# no shutdown
SW-CORE-01(config-if)# exit
SW-CORE-01(config)# ip default-gateway 192.168.99.1

7. Verify your work

Before saving, confirm everything looks right:

SW-CORE-01# show vlan brief
SW-CORE-01# show interfaces trunk
SW-CORE-01# show interfaces status
SW-CORE-01# show running-config interface GigabitEthernet1/0/48
SW-CORE-01# show ip ssh

show vlan brief lists VLANs and their assigned ports; show interfaces trunk confirms which VLANs are actually trunking and which are the native VLAN.
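The show commands above are read by eye; on more than a handful of switches it is worth checking the saved configuration text mechanically against the hardening points in steps 3 to 5. The Python script below is an added example, not part of the original guide and not SKYLINE tooling: it parses plain show running-config text and reports trunks with no explicit allowed-VLAN list, trunks left on native VLAN 1 (or on a native VLAN that is also used as an access VLAN), ports given an access VLAN without switchport mode access, a missing ip ssh version 2, and VTY lines whose transport input is anything other than ssh. The embedded configuration is constructed for illustration; interfaces Gi1/0/7 and Gi1/0/47 and line vty 5 15 deliberately violate the guide.

```python
"""Audit Catalyst running-config text against this guide's hardening points.

Added example, not SKYLINE's own tooling. Input is the plain text of
`show running-config` (or a saved backup of it).
"""
from __future__ import annotations

import re

# Constructed sample (not captured from a real switch). Gi1/0/7, Gi1/0/47
# and vty 5 15 deliberately break the guide's recommendations.
SAMPLE_CONFIG = """\
hostname SW-CORE-01
ip domain name example.local
ip ssh version 2
!
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/7
 switchport access vlan 10
!
interface GigabitEthernet1/0/47
 switchport mode trunk
!
interface GigabitEthernet1/0/48
 switchport trunk allowed vlan 10,20,30,99
 switchport trunk native vlan 99
 switchport mode trunk
!
line vty 0 4
 transport input ssh
 login local
line vty 5 15
 transport input all
 login local
"""

ALL_VLANS = set(range(1, 4095))


def expand_vlan_list(spec: str) -> set[int]:
    """Expand an IOS VLAN list ('10,20-22,99', 'all', 'none') into a set of IDs."""
    if spec == "all":
        return set(ALL_VLANS)
    if spec == "none":
        return set()
    vlans: set[int] = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_blocks(config: str):
    """Split config text into global lines, interface blocks and vty line blocks."""
    global_lines: set[str] = set()
    interfaces: dict[str, list[str]] = {}
    vty: dict[str, list[str]] = {}
    current: list[str] | None = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None            # '!' separators close the open block
        elif raw.startswith(" "):
            if current is not None:   # indented lines belong to the open block
                current.append(raw.strip())
        elif m := re.match(r"interface (\S+)", raw):
            current = interfaces.setdefault(m.group(1), [])
        elif m := re.match(r"line (vty \d+ \d+)", raw):
            current = vty.setdefault(m.group(1), [])
        else:
            current = None
            global_lines.add(raw.strip())
    return global_lines, interfaces, vty


def _value(cfg: list[str], prefix: str) -> str | None:
    """Return the argument following `prefix` in a block, or None if absent."""
    return next((c[len(prefix):] for c in cfg if c.startswith(prefix)), None)


def audit(config: str) -> list[str]:
    """Return one finding per deviation from the guide's recommendations."""
    findings: list[str] = []
    global_lines, interfaces, vty = parse_blocks(config)
    if "ip ssh version 2" not in global_lines:
        findings.append("global: 'ip ssh version 2' is not set")

    # VLANs carried on access ports; a trunk's native VLAN should be none of them.
    access_vlans = {int(v) for cfg in interfaces.values()
                    if (v := _value(cfg, "switchport access vlan "))}

    for name, cfg in interfaces.items():
        if "switchport mode trunk" in cfg:
            allowed = _value(cfg, "switchport trunk allowed vlan ")
            if allowed is None or expand_vlan_list(allowed) == ALL_VLANS:
                findings.append(f"{name}: trunk carries all VLANs (no explicit allowed list)")
            native = int(_value(cfg, "switchport trunk native vlan ") or 1)  # IOS default is 1
            if native == 1:
                findings.append(f"{name}: trunk native VLAN is the default VLAN 1")
            elif native in access_vlans:
                findings.append(f"{name}: trunk native VLAN {native} is also an access VLAN")
        elif _value(cfg, "switchport access vlan ") and "switchport mode access" not in cfg:
            findings.append(f"{name}: access VLAN set but 'switchport mode access' is missing")

    for name, cfg in vty.items():
        transport = _value(cfg, "transport input ")
        if transport != "ssh":
            findings.append(f"line {name}: transport input is '{transport}', not 'ssh'")
        if "login local" not in cfg:
            findings.append(f"line {name}: 'login local' is missing")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against a file saved from show running-config by replacing SAMPLE_CONFIG with the file's contents; an empty findings list means every trunk has an explicit allowed list and a dedicated native VLAN, every access port is forced to access mode, SSHv2 is enforced and every VTY line accepts SSH only. Only the local-login form used in this guide is recognised; switches authenticating through AAA would need the vty check extended.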

8. Save the configuration

None of the above survives a power cycle until you copy the running configuration to the startup configuration:

SW-CORE-01# copy running-config startup-config

Press Enter to confirm the destination filename. You can also use the shorthand write memory (or simply wr) on most IOS versions. Take a fresh backup off-box at this point.

Need this done for you?

If you would rather have it designed, deployed and documented end-to-end, SKYLINE installs, configures and supports Cisco networks across Saudi Arabia. For the cloud-managed alternative, read Cisco Catalyst vs Meraki for Saudi enterprise networking, browse the networking category in our marketplace, or contact us on +966 50 993 9334.

SKYLINE Engineering

@skyline

The engineering team at SKYLINE Industrial Solutions. We publish field-tested guides drawn from real KSA and GCC deployments.
