Welcome to Network Architecture
Imagine you're designing a modern office building. You could put everyone in one giant room, but that would be chaos! Instead, you create separate rooms for different departments. VLANs are the network equivalent: they let you build virtual rooms in your network, even when everyone shares the same physical switch.
Chapter Goals: Master VLAN concepts, create and manage VLANs, configure access and trunk ports, understand VLAN tagging, and organize network traffic efficiently!
What Are VLANs? The Office Building Analogy
A VLAN (Virtual Local Area Network) creates logical separation within your physical network. Think of it as building invisible walls that organize traffic:
Without VLANs (One Big Room)
- Everyone together: All devices are in the same broadcast domain
- Security issues: Accounting sees HR's broadcast and ARP traffic, and any host can reach any other host directly with nothing in between to filter it
- Performance problems: Every broadcast interrupts every host
- Management nightmare: Can't organize by department
- Broadcast storms: A faulty NIC or a loop floods every device on the network
With VLANs (Separate Rooms)
- Logical separation: Each VLAN is its own broadcast domain
- Enhanced security: Hosts in different VLANs cannot reach each other at Layer 2; traffic between them must pass through a router or firewall, where it can be filtered
- Better performance: Broadcasts are contained within each VLAN
- Easy management: Organize by function or department
- Scalable design: Add rooms as needed
Memory Trick: VLAN = "Virtual Local Area Network" - virtual rooms built on top of one physical LAN!
VLAN Basics and Numbers
VLAN ID Range and Types
- Valid Range: 1-4094 usable VLAN IDs (the 12-bit VLAN ID field allows 4096 values; 0 and 4095 are reserved)
- Default VLAN: VLAN 1 - all switch ports start here, and it cannot be deleted
- Normal Range: VLANs 1-1005 - stored in the vlan.dat file in flash on the switch
- Extended Range: VLANs 1006-4094 - with VTP version 1 or 2 the switch must be in VTP transparent mode to create them (VTP version 3 can propagate them); they are stored in the running configuration rather than in vlan.dat
Special VLANs You Should Know
- VLAN 1 (Default): Management VLAN, native VLAN and default access VLAN on a factory-default switch; control traffic such as CDP, VTP and PAgP still travels over VLAN 1 on a trunk even if you remove it from the trunk's allowed list
- VLAN 1002-1005: Reserved for Token Ring and FDDI (legacy protocols); present on every switch and cannot be deleted
- Common Practice: Don't use VLAN 1 for user or management traffic - create dedicated VLANs
VLAN Naming Best Practices
Good VLAN Names:
VLAN 10 - Sales-Users
VLAN 20 - Engineering-Users
VLAN 30 - HR-Users
VLAN 40 - Guest-WiFi
VLAN 99 - Management
VLAN 100 - Servers
VLAN 200 - Printers
Pro Tip: Use consistent numbering schemes. Many organizations use 10, 20, 30 for users and higher numbers for infrastructure.
Access Ports vs Trunk Ports
Understanding port types is crucial for VLAN success. Think of ports as doorways in your office building:
Access Ports (Regular Doors)
- Purpose: Connect end devices (PCs, phones, printers)
- VLAN Assignment: Belongs to exactly one VLAN
- Frame Tagging: No tags - frames are untagged
- Device Knowledge: End device doesn't know about VLANs
- Configuration: Simple - just assign to a VLAN
- Analogy: Office door - you're in one room only
Trunk Ports (Bridges Between Buildings)
- Purpose: Connect switches to each other (and to routers, servers or access points that need to see several VLANs)
- VLAN Assignment: Carries multiple VLANs
- Frame Tagging: Adds VLAN tags to frames
- Device Knowledge: Both sides understand VLAN tags
- Configuration: More complex - define allowed VLANs
- Analogy: Bridge connecting multiple buildings
VLAN Tagging Process
Frame Journey: PC to Switch to Another Switch
1. PC sends a normal Ethernet frame to its access port (the PC needs no VLAN knowledge)
2. Switch receives the frame on the access port and marks it as belonging to the VLAN assigned to that port
3. Switch forwards the frame out a trunk port to another switch, inserting a 4-byte 802.1Q tag right after the source MAC address: 2 bytes of TPID (0x8100) followed by 2 bytes of TCI, whose low 12 bits carry the VLAN ID
4. Receiving switch examines the VLAN tag and forwards the frame only within that VLAN
5. If the destination is an access port, the switch removes the tag before forwarding, so the receiving PC again sees a plain Ethernet frame
One exception: frames belonging to the trunk's native VLAN cross the trunk untagged, and untagged frames arriving on a trunk are assigned to the native VLAN (see the Native VLAN Deep Dive).
VLAN Configuration Commands
Creating VLANs
Switch(config)# vlan 10
Switch(config-vlan)# name Sales-Users
Switch(config-vlan)# exit
Switch(config)# vlan 20
Switch(config-vlan)# name Engineering-Users
Switch(config-vlan)# exit
Switch(config)# vlan 30
Switch(config-vlan)# name HR-Users
Switch(config-vlan)# exit
Switch(config)# vlan 99
Switch(config-vlan)# name Management
Switch(config-vlan)# exit
Configuring Access Ports
Switch(config)# interface fastethernet 0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# description Sales-PC1
Switch(config-if)# exit
Switch(config)# interface range fastethernet 0/2 - 5
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 20
Switch(config-if-range)# description Engineering-Users
Switch(config-if-range)# exit
Setting switchport mode access explicitly matters: a port left in the factory-default dynamic auto mode can still be negotiated into a trunk by whatever is plugged into it (see the DTP section in the troubleshooting guide).
Configuring Trunk Ports
Switch(config)# interface gigabitethernet 0/1
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk allowed vlan 1,10,20,30,99
Switch(config-if)# switchport trunk native vlan 99
Switch(config-if)# description Trunk-to-Switch2
Switch(config-if)# exit
# Alternative: Allow all VLANs (be careful! every VLAN on the switch, including ones created later, then crosses this link)
Switch(config-if)# switchport trunk allowed vlan all
Two caveats: on platforms that also support ISL (for example the Catalyst 3560) you must enter switchport trunk encapsulation dot1q before switchport mode trunk is accepted, and switchport mode trunk on its own still leaves DTP running on the port, so add switchport nonegotiate on every trunk. This example uses the management VLAN 99 as the native VLAN for simplicity; the Native VLAN Deep Dive below explains why an unused VLAN is the safer choice.
Management VLAN Configuration
Switch(config)# interface vlan 99
Switch(config-if)# ip address 192.168.99.10 255.255.255.0
Switch(config-if)# description Management-Interface
Switch(config-if)# no shutdown
Switch(config-if)# exit
Switch(config)# ip default-gateway 192.168.99.1
The interface vlan 99 SVI only reaches up/up once VLAN 99 exists in the VLAN database and at least one port carrying VLAN 99 (an access port in it, or a trunk that allows it) is up; until then "show ip interface brief" shows it up/down and the switch is unreachable.
Security Best Practice: Always move management off VLAN 1 and use a dedicated management VLAN with restricted access (SSH rather than Telnet, and an access-class on the vty lines limiting who may connect).
Essential VLAN Show Commands
VLAN Information Commands
Switch# show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/6, Fa0/7, Fa0/8, Fa0/9
10   Sales-Users                      active    Fa0/1, Fa0/2
20   Engineering-Users                active    Fa0/3, Fa0/4, Fa0/5
99   Management                       active

Switch# show vlan id 10

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
10   Sales-Users                      active    Fa0/1, Fa0/2

Switch# show interfaces fastethernet 0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: access
Operational Mode: access
Access Mode VLAN: 10 (Sales-Users)
Trunk Port Verification
Switch# show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      99

Port        Vlans allowed on trunk
Gi0/1       1,10,20,30,99

Switch# show interfaces gigabitethernet 0/1 switchport
Name: Gi0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 99 (Management)
Trunking VLANs Enabled: 1,10,20,30,99
"Negotiation of Trunking: On" means the port is still sending DTP frames even though it is hard-coded as a trunk; after switchport nonegotiate this line reads Off, which is what you want to see on every trunk.
MAC Address Table by VLAN
Switch# show mac address-table vlan 10
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0050.56c0.0001    DYNAMIC     Fa0/1
  10    0050.56c0.0002    DYNAMIC     Fa0/2
Total Mac Addresses for this criterion: 2

Switch# show mac address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0050.56c0.0008    DYNAMIC     Fa0/8
  10    0050.56c0.0001    DYNAMIC     Fa0/1
  10    0050.56c0.0002    DYNAMIC     Fa0/2
  20    0050.56c0.0003    DYNAMIC     Fa0/3
  20    0050.56c0.0004    DYNAMIC     Fa0/4
Total Mac Addresses for this criterion: 5
Troubleshooting Tip: Always start with "show vlan brief" to get the big picture, then drill down with specific commands.
Native VLAN Deep Dive
The native VLAN is a special concept that often confuses beginners. Think of it as the "default room" on trunk connections:
What is Native VLAN?
- Definition: The one VLAN whose frames cross a trunk link untagged; untagged frames that arrive on a trunk are placed into the native VLAN
- Default Value: VLAN 1 (but should be changed for security)
- Both Sides Must Match: The native VLAN must be the same on both ends of a trunk, otherwise untagged frames leave one VLAN on one switch and land in a different VLAN on the other
- Security Risk: If an attacker's access port is in the same VLAN as the trunk's native VLAN, the attacker can send double-tagged frames (outer tag = native VLAN, inner tag = target VLAN); the first switch strips the outer tag as native traffic, and the next switch forwards the frame into the inner VLAN (VLAN hopping by double tagging)
Native VLAN Best Practices
What NOT to Do
- Leave the native VLAN as the default VLAN 1
- Use the native VLAN for user traffic (never put an access port in it)
- Forget to match the native VLAN on both sides
- Leave the native VLAN in the allowed VLAN list
Best Practices
- Change the native VLAN to an unused number (like 999) that no access port is assigned to, on every trunk
- Carry no user or management traffic in the native VLAN; it exists only so the trunk has somewhere to put untagged frames
- Document native VLAN assignments
- Remove the native VLAN from the allowed list when possible, or make the switch tag native VLAN frames too (the global command vlan dot1q tag native on Catalyst switches) so that nothing crosses the trunk untagged
Native VLAN Configuration Example
# Both switches need matching config
interface gigabitethernet 0/1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
Warning: A native VLAN mismatch between the two ends of a trunk causes serious connectivity and security issues: untagged frames from one VLAN on one side are delivered into a different VLAN on the other. Cisco switches report the mismatch through CDP (%CDP-4-NATIVE_VLAN_MISMATCH in the log) and spanning tree blocks the affected VLANs on that port, so check the log and "show spanning-tree" as well as "show interfaces trunk".
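To make the tagging walk-through above and the native VLAN risk concrete, here is an added Python model of 802.1Q tag handling. It is written for this page and is not switch code or code from the original chapter. It builds and parses tagged frames, then models three port behaviours under simplifying assumptions: an access port accepts untagged frames and frames tagged with its own VLAN and drops anything else; a trunk strips the tag from native-VLAN frames on egress unless native tagging is enabled; a trunk places untagged ingress frames into the native VLAN. MAC addresses and payloads are constructed, and MAC learning, STP and QoS are ignored.

```python
import struct

ETH_P_8021Q = 0x8100   # TPID that marks an 802.1Q tag
ETH_P_IP = 0x0800


def _mac(s):
    return bytes.fromhex(s.replace(':', '').replace('.', ''))


def build_frame(dst, src, payload, vlans=(), ethertype=ETH_P_IP):
    """Ethernet II frame; every ID in `vlans` becomes an 802.1Q tag, outermost first."""
    tags = b''.join(struct.pack('!HH', ETH_P_8021Q, vid & 0x0FFF) for vid in vlans)
    return _mac(dst) + _mac(src) + tags + struct.pack('!H', ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, [vlan ids outermost first], ethertype, payload)."""
    vlans, off = [], 12
    while struct.unpack('!H', frame[off:off + 2])[0] == ETH_P_8021Q:
        vlans.append(struct.unpack('!H', frame[off + 2:off + 4])[0] & 0x0FFF)  # low 12 bits of TCI
        off += 4
    return frame[:6], frame[6:12], vlans, struct.unpack('!H', frame[off:off + 2])[0], frame[off + 2:]


def push_tag(frame, vid):
    return frame[:12] + struct.pack('!HH', ETH_P_8021Q, vid) + frame[12:]


def pop_tag(frame):
    return frame[:12] + frame[16:]   # drop the outermost 4-byte tag


# --- simplified model of Catalyst port behaviour (assumption, not vendor code) ---

def access_ingress(frame, port_vlan):
    """Access port: untagged frames get the port's VLAN; a frame already tagged with
    that same VLAN is accepted as-is; any other tag is dropped (None)."""
    vlans = parse_frame(frame)[2]
    if not vlans:
        return push_tag(frame, port_vlan)
    return frame if vlans[0] == port_vlan else None


def trunk_egress(frame, native_vlan, allowed, tag_native=False):
    """Frame leaving a trunk: VLANs outside the allowed list are dropped; the native
    VLAN goes out untagged unless native tagging (vlan dot1q tag native) is on."""
    vlans = parse_frame(frame)[2]
    if not vlans or vlans[0] not in allowed:
        return None
    if vlans[0] == native_vlan and not tag_native:
        return pop_tag(frame)
    return frame


def trunk_ingress(frame, native_vlan, allowed):
    """Frame arriving on a trunk: untagged means native VLAN; then filter by allowed."""
    if not parse_frame(frame)[2]:
        frame = push_tag(frame, native_vlan)
    return frame if parse_frame(frame)[2][0] in allowed else None


def deliver_vlan(frame, access_vlan, native_vlan, allowed, tag_native=False):
    """PC on an access port of SW1 -> trunk -> SW2. Returns the VLAN the frame is
    delivered into on SW2, or None if some stage drops it."""
    for stage in (lambda f: access_ingress(f, access_vlan),
                  lambda f: trunk_egress(f, native_vlan, allowed, tag_native),
                  lambda f: trunk_ingress(f, native_vlan, allowed)):
        frame = stage(frame)
        if frame is None:
            return None
    return parse_frame(frame)[2][0]


# Constructed sample frames (addresses made up, not captured traffic)
ALLOWED = {1, 10, 20, 30}
NORMAL = build_frame('00:50:56:c0:00:02', '00:50:56:c0:00:01', b'hello')              # untagged PC frame
DOUBLE = build_frame('00:50:56:c0:00:03', '00:50:56:c0:00:01', b'hop', vlans=[1, 20])  # outer=native, inner=target

if __name__ == '__main__':
    print('PC in VLAN 10, normal frame  ->', deliver_vlan(NORMAL, 10, 1, ALLOWED))        # 10
    print('double tag, native 1 default ->', deliver_vlan(DOUBLE, 1, 1, ALLOWED))         # 20 (VLAN hop)
    print('double tag, native 999       ->', deliver_vlan(DOUBLE, 1, 999, ALLOWED))       # 1
    print('double tag, tag native       ->', deliver_vlan(DOUBLE, 1, 1, ALLOWED, True))   # 1
```

The second run is the double-tagging case: with the attacker's access VLAN equal to the trunk's native VLAN 1, the outer tag is stripped at trunk egress and the frame lands in VLAN 20 on the far switch. Moving the native VLAN to an unused 999, or tagging native traffic, keeps the frame in VLAN 1, which is exactly what the best-practice list above is for.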
Hands-On VLAN Labs
Lab 1: Basic VLAN Setup
- Topology Setup:
- Add two switches and four PCs in Packet Tracer
- Connect switches with trunk cable
- Connect two PCs to each switch
- Create VLANs on both switches:
- VLAN 10 (Sales) and VLAN 20 (Engineering)
- Give descriptive names to each VLAN
- Configure access ports:
- Assign PC1 and PC3 to VLAN 10
- Assign PC2 and PC4 to VLAN 20
- Test connectivity:
- PCs in same VLAN should communicate
- PCs in different VLANs should NOT communicate
Lab 2: Trunk Port Configuration
- Configure trunk ports:
- Set inter-switch link as trunk
- Allow specific VLANs only
- Configure native VLAN
- Verification:
- Use "show interfaces trunk" to verify
- Check VLAN database with "show vlan brief"
- Verify MAC address learning per VLAN
Lab 3: VLAN Troubleshooting Challenge
- Create broken scenarios:
- Wrong VLAN assignment on access port
- Missing VLAN on one switch
- Trunk not allowing required VLANs
- Native VLAN mismatch
- Practice troubleshooting:
- Use show commands to identify problems
- Fix configuration issues
- Verify solutions work correctly
Lab 4: Real-World Office Scenario
Scenario: Design VLANs for a company with:
- Sales department (10 users)
- Engineering team (15 users)
- HR department (5 users)
- Guest WiFi network
- Network management
- Shared printers and servers
Challenge: Plan VLAN numbers, create logical network design, configure switches, and test inter-VLAN isolation.
VLAN Troubleshooting Guide
Common VLAN Problems and Solutions
Problem: Device can't communicate
PC can't reach other devices even though cables look good
Check These:
- Verify VLAN assignment on access port
- Confirm VLAN exists on all switches
- Check trunk allows required VLANs
- Verify both devices in same VLAN
Problem: Trunk not working
VLANs not passing between switches correctly
Verify:
- Both ends configured as trunk
- Native VLAN matches on both sides
- Required VLANs in allowed list
- No DTP negotiation issues (two ports both left in dynamic auto never form a trunk; set both ends to switchport mode trunk explicitly)
Problem: Management access lost
Can't SSH or telnet to switch after VLAN changes
Check:
- Management VLAN IP configuration
- Default gateway setting
- VLAN interface is up/up (it stays up/down until the VLAN exists and one port carrying it is up)
- Management VLAN in trunk allowed list
VLAN Troubleshooting Command Sequence
Step 1: Get the big picture
show vlan brief
Step 2: Check specific port
show interfaces fa0/1 switchport
Step 3: Verify trunk status
show interfaces trunk
Step 4: Check MAC learning
show mac address-table vlan 10
Port Status Meanings for VLANs
- Access port listed under its VLAN in "show vlan brief": port assigned to the VLAN correctly
- Trunk with Status "trunking" in "show interfaces trunk": trunk working correctly
- Access Mode VLAN shown as "(Inactive)" in "show interfaces ... switchport": the port is assigned to a VLAN that does not exist on this switch, so it forwards nothing
- Native VLAN mismatch: not shown as a port status; look for %CDP-4-NATIVE_VLAN_MISMATCH in the log and for VLANs reported as inconsistent or blocked in "show spanning-tree"
- "administratively down" in "show interfaces": port disabled by the shutdown command
DTP (Dynamic Trunking Protocol)
- Purpose: Automatically negotiate trunk formation between switches
- Security Risk: The factory default on most Catalyst switches is switchport mode dynamic auto (dynamic desirable on older models), so a port that was never set to access mode will form a trunk with any device that sends DTP "desirable" frames; an attacker on such a port then receives every VLAN the trunk allows
- Best Practice: Set every user-facing port to switchport mode access, set every inter-switch link explicitly to switchport mode trunk, and disable DTP on trunks
- Disable Command: switchport nonegotiate on trunk interfaces ("show interfaces ... switchport" then reports "Negotiation of Trunking: Off")
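As an added example (not part of the original chapter and not a Cisco tool), the following Python audit reads two constructed running-config excerpts and reports the weak settings covered in the native VLAN, management VLAN and DTP sections, plus the Lab 3 trunk mismatches from the troubleshooting guide: native VLAN left at 1, DTP left active, VLAN 1 used for access or management, an allowed VLAN that is not defined on the switch, ports with no switchport mode (assumed to default to dynamic auto, as on most Catalyst models), and native or allowed-list mismatches between the two ends of a trunk. The config text is simplified running-config syntax constructed for this example; the defaults IOS does not print (native VLAN 1, all VLANs allowed, DTP on) are assumed in trunk_attrs, and "switchport trunk allowed vlan add/remove" forms are not handled because a saved running-config shows the collapsed list.

```python
import re

DEFAULT_VLANS = {1, 1002, 1003, 1004, 1005}  # always present on a Catalyst; cannot be deleted
ALL_VLANS = set(range(1, 4095))


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '1,10,20-22' (or 'all' / 'none') into a set of IDs."""
    spec = spec.strip().lower()
    if spec in ('all', 'none'):
        return set(ALL_VLANS) if spec == 'all' else set()
    vids = set()
    for part in spec.split(','):
        lo, _, hi = part.partition('-')
        vids.update(range(int(lo), int(hi or lo) + 1))
    return vids


def parse_config(text):
    """Split a running-config into {vlan_id: lines} and {interface_name: lines}."""
    vlans, ifaces, cur = {}, {}, None
    for line in text.splitlines():
        if m := re.match(r'^vlan (\d+)$', line):
            cur = vlans.setdefault(int(m.group(1)), [])
        elif m := re.match(r'^interface (\S+)$', line):
            cur = ifaces.setdefault(m.group(1), [])
        elif line.startswith(' ') and cur is not None:
            cur.append(line.strip())
        else:
            cur = None  # '!' or any other top-level line ends the current block
    return vlans, ifaces


def trunk_attrs(lines):
    """(native VLAN, explicit allowed set or None for 'all', nonegotiate flag) for a trunk.
    Settings IOS does not print are assumed to be the defaults: native 1, all VLANs, DTP on."""
    text = '\n'.join(lines)
    m = re.search(r'^switchport trunk native vlan (\d+)$', text, re.M)
    native = int(m.group(1)) if m else 1
    m = re.search(r'^switchport trunk allowed vlan (.+)$', text, re.M)
    allowed = expand_vlan_list(m.group(1)) if m else None
    return native, allowed, 'switchport nonegotiate' in lines


def audit_switch(text):
    """Return (interface, finding) pairs for the weak settings this chapter warns about."""
    vlans, ifaces = parse_config(text)
    defined = set(vlans) | DEFAULT_VLANS
    findings = []
    for name, lines in ifaces.items():
        if 'shutdown' in lines or 'no switchport' in lines:
            continue  # disabled and routed ports cannot be negotiated into a trunk
        if name.lower().startswith('vlan'):
            if name.lower() == 'vlan1' and any(l.startswith('ip address') for l in lines):
                findings.append((name, 'management SVI still on VLAN 1'))
        elif 'switchport mode trunk' in lines:
            native, allowed, nonegotiate = trunk_attrs(lines)
            if native == 1:
                findings.append((name, 'trunk native VLAN is the default VLAN 1'))
            if not nonegotiate:
                findings.append((name, 'DTP still active (no switchport nonegotiate)'))
            if allowed is None:
                findings.append((name, 'trunk allows all VLANs (no allowed list)'))
            else:
                if native in allowed:
                    findings.append((name, f'native VLAN {native} is in the allowed list'))
                for vid in sorted(allowed - defined):
                    findings.append((name, f'VLAN {vid} allowed on trunk but not defined on this switch'))
        elif 'switchport mode access' in lines:
            m = re.search(r'^switchport access vlan (\d+)$', '\n'.join(lines), re.M)
            if not m or m.group(1) == '1':
                findings.append((name, 'access port left in VLAN 1'))
        else:
            findings.append((name, 'no switchport mode set: default dynamic auto lets DTP form a trunk'))
    return findings


def check_trunk_pair(text_a, if_a, text_b, if_b):
    """Compare both ends of one trunk for the mismatches in the troubleshooting guide."""
    na, aa, _ = trunk_attrs(parse_config(text_a)[1][if_a])
    nb, ab, _ = trunk_attrs(parse_config(text_b)[1][if_b])
    aa, ab = (ALL_VLANS if aa is None else aa), (ALL_VLANS if ab is None else ab)
    issues = []
    if na != nb:
        issues.append(f'native VLAN mismatch: {na} on {if_a} vs {nb} on {if_b}')
    if aa != ab:
        issues.append(f'allowed VLANs differ: only {if_a} {sorted(aa - ab)}, only {if_b} {sorted(ab - aa)}')
    return issues


# Constructed sample configs (simplified syntax, not from a real switch); SW1 is the weak side.
SW1 = """vlan 10
 name Sales-Users
vlan 30
 name HR-Users
interface GigabitEthernet0/1
 switchport trunk allowed vlan 1,10,30
 switchport mode trunk
interface FastEthernet0/6
interface Vlan1
 ip address 192.168.1.10 255.255.255.0
"""
SW2 = """vlan 10
vlan 999
interface GigabitEthernet0/1
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,30
 switchport mode trunk
 switchport nonegotiate
"""
```

Running audit_switch(SW1) yields five findings (three on the trunk, the untouched FastEthernet0/6, and the VLAN 1 management SVI); audit_switch(SW2) yields only that VLAN 30 is allowed on the trunk but never created, the "missing VLAN on one switch" scenario from Lab 3; check_trunk_pair on the two GigabitEthernet0/1 ports reports the native VLAN mismatch (1 vs 999) and the differing allowed lists.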
VLAN Troubleshooting Decision Tree
Device can't communicate?
  -> Check VLAN assignment
     Same VLAN? -> Check physical layer
     Different VLANs? -> Need Layer 3 routing
Inter-switch communication fails?
  -> Check trunk configuration
  -> Verify VLAN exists on both switches
Management access lost?
  -> Check management VLAN IP and gateway
  -> Verify management VLAN in trunk allowed list
Chapter Summary
- VLAN Concept: Virtual LANs create logical broadcast domains
- Access Ports: Connect end devices to single VLANs
- Trunk Ports: Carry multiple VLANs between switches
- VLAN Tagging: 802.1Q standard adds VLAN information to frames
- Native VLAN: Untagged VLAN on trunk links (security concern)
- Configuration: Create VLANs, assign ports, configure trunks
- Verification: show vlan brief, show interfaces trunk
- Troubleshooting: VLAN mismatches, trunk configuration issues
VLAN Architecture Complete! You can now logically segment networks like a professional network architect. Ready for advanced topics?
VLAN Mastery Quiz
1. What's the difference between access and trunk ports? Access ports connect end devices to one VLAN; trunk ports carry multiple VLANs between switches
2. What is the native VLAN? The VLAN whose frames cross a trunk link untagged (default VLAN 1)
3. Why should you change the native VLAN from default? Security - VLAN 1 is also the default access VLAN, so an attacker on an unconfigured port already sits in the native VLAN and can attempt double-tagging VLAN hopping; a dedicated, unused native VLAN closes that path
4. What command shows all VLANs and their port assignments? show vlan brief
5. How do you assign a port to VLAN 20? switchport mode access then switchport access vlan 20
6. What happens if a VLAN doesn't exist when you assign a port to it? A switch in VTP server or transparent mode creates the VLAN automatically (with a default name such as VLAN0020); a VTP client cannot create VLANs, so the port stays inactive until the VLAN exists
7. What's the maximum number of VLANs possible? 4094 (VLAN IDs 1-4094, with 0 and 4095 reserved)
8. What command verifies trunk port configuration? show interfaces trunk or show interfaces [interface] switchport
Outstanding! You've mastered VLANs and can now build logical network rooms. Ready to prevent network loops?