VLAN Configuration Lab

1

Topology & VLAN Planning

Beginner

Scenario: You are configuring VLANs for a small office with 3 departments. Each department needs network isolation for security, but all departments must reach a central server.

VLAN Assignment Table

VLAN ID	Name	Ports	Subnet	Gateway
`10`	SALES	Fa0/1 - Fa0/8	192.168.10.0/24	192.168.10.1
`20`	ENGINEERING	Fa0/9 - Fa0/16	192.168.20.0/24	192.168.20.1
`30`	SERVERS	Fa0/17 - Fa0/24	192.168.30.0/24	192.168.30.1
`1`	default	None assigned	Management	-

Tasks

Review the VLAN assignment table above
Identify which ports belong to each VLAN
Understand why the trunk link connects to the router

Q: Why do we use separate VLANs for each department instead of one flat network?

2

Create VLANs on the Switch

Beginner

VLAN Creation Commands

Switch> enable Switch# configure terminal Switch(config)# hostname Core-Switch ! Create VLAN 10 for Sales Core-Switch(config)# vlan 10 Core-Switch(config-vlan)# name SALES Core-Switch(config-vlan)# exit ! Create VLAN 20 for Engineering Core-Switch(config)# vlan 20 Core-Switch(config-vlan)# name ENGINEERING Core-Switch(config-vlan)# exit ! Create VLAN 30 for Servers Core-Switch(config)# vlan 30 Core-Switch(config-vlan)# name SERVERS Core-Switch(config-vlan)# exit

Verify VLANs

Core-Switch# show vlan brief VLAN Name Status Ports ---- ---- ------ ----- 1 default active Fa0/1-24, Gi0/1 10 SALES active 20 ENGINEERING active 30 SERVERS active 1002 fddi-default act/unsup 1003 trcrf-default act/unsup 1004 fddinet-default act/unsup 1005 trbrf-default act/unsup

Key Insight: Creating a VLAN does not automatically assign ports to it. All ports start in VLAN 1 (default). You must explicitly assign each port to the correct VLAN.

Q: After creating VLANs, do any ports belong to VLAN 10 yet?

3

Assign Access Ports to VLANs

Intermediate

Port Assignment Commands

! Assign Fa0/1-8 to VLAN 10 (Sales) Core-Switch(config)# interface range FastEthernet0/1-8 Core-Switch(config-if-range)# switchport mode access Core-Switch(config-if-range)# switchport access vlan 10 Core-Switch(config-if-range)# exit ! Assign Fa0/9-16 to VLAN 20 (Engineering) Core-Switch(config)# interface range FastEthernet0/9-16 Core-Switch(config-if-range)# switchport mode access Core-Switch(config-if-range)# switchport access vlan 20 Core-Switch(config-if-range)# exit ! Assign Fa0/17-24 to VLAN 30 (Servers) Core-Switch(config)# interface range FastEthernet0/17-24 Core-Switch(config-if-range)# switchport mode access Core-Switch(config-if-range)# switchport access vlan 30 Core-Switch(config-if-range)# exit

Verify Port Assignments

Core-Switch# show vlan brief VLAN Name Status Ports ---- ---- ------ ----- 1 default active Gi0/1 10 SALES active Fa0/1-8 20 ENGINEERING active Fa0/9-16 30 SERVERS active Fa0/17-24

Why No Connectivity? VLANs create separate broadcast domains. For traffic to cross VLANs, you need a Layer 3 device (router or L3 switch) to route between them. This is called inter-VLAN routing.

Q1: What mode should access ports be set to?

Q2: Can a Sales PC on Fa0/1 (VLAN 10) ping an Engineering PC on Fa0/9 (VLAN 20) right now?

4

Configure Trunk Link

Intermediate

Key Concept: A trunk port carries traffic from multiple VLANs using 802.1Q tagging. Each frame is tagged with its VLAN ID so the receiving device knows which VLAN it belongs to.

Trunk Configuration (Switch Side)

! Configure Gi0/1 as a trunk to the router Core-Switch(config)# interface GigabitEthernet0/1 Core-Switch(config-if)# switchport mode trunk Core-Switch(config-if)# switchport trunk allowed vlan 10,20,30 Core-Switch(config-if)# switchport trunk native vlan 99 Core-Switch(config-if)# exit ! Create the native VLAN (security best practice) Core-Switch(config)# vlan 99 Core-Switch(config-vlan)# name NATIVE

Verify Trunk

Core-Switch# show interfaces trunk Port Mode Encapsulation Status Native vlan Gi0/1 on 802.1q trunking 99 Port Vlans allowed on trunk Gi0/1 10,20,30 Port Vlans allowed and active in management domain Gi0/1 10,20,30

Security Best Practice: Change the native VLAN from the default (VLAN 1) to an unused VLAN (like 99). This prevents VLAN hopping attacks where an attacker double-tags frames to escape their VLAN.

Q1: What encapsulation protocol tags VLAN frames on trunk links?

Q2: Why should the native VLAN NOT be VLAN 1?

5

Router-on-a-Stick (Inter-VLAN Routing)

Advanced

Key Concept: Router-on-a-stick uses a single physical interface with sub-interfaces, one per VLAN. Each sub-interface has its own IP address serving as the default gateway for that VLAN.

Router Sub-interface Configuration

Router> enable Router# configure terminal Router(config)# hostname GW-Router ! Enable the physical interface (no IP on it) GW-Router(config)# interface GigabitEthernet0/1 GW-Router(config-if)# no shutdown GW-Router(config-if)# exit ! Sub-interface for VLAN 10 (Sales) GW-Router(config)# interface GigabitEthernet0/1.10 GW-Router(config-subif)# encapsulation dot1Q 10 GW-Router(config-subif)# ip address 192.168.10.1 255.255.255.0 GW-Router(config-subif)# exit ! Sub-interface for VLAN 20 (Engineering) GW-Router(config)# interface GigabitEthernet0/1.20 GW-Router(config-subif)# encapsulation dot1Q 20 GW-Router(config-subif)# ip address 192.168.20.1 255.255.255.0 GW-Router(config-subif)# exit ! Sub-interface for VLAN 30 (Servers) GW-Router(config)# interface GigabitEthernet0/1.30 GW-Router(config-subif)# encapsulation dot1Q 30 GW-Router(config-subif)# ip address 192.168.30.1 255.255.255.0 GW-Router(config-subif)# exit

Q1: What command associates a sub-interface with a specific VLAN?

Q2: If a Sales PC (192.168.10.50) wants to reach a Server (192.168.30.10), what is the traffic path?

Q3: What IP address should Sales PCs use as their default gateway?

6

Verification & Troubleshooting

Advanced

Connectivity Tests

From	To	Expected	Why
Sales PC (VLAN 10)	Sales PC (VLAN 10)	Success	Same VLAN, switched locally
Sales PC (VLAN 10)	Engineering PC (VLAN 20)	Success	Inter-VLAN via router sub-interfaces
Sales PC (VLAN 10)	Server (VLAN 30)	Success	Inter-VLAN via router sub-interfaces
Sales PC (VLAN 10)	Gateway 192.168.10.1	Success	Router sub-interface Gi0/1.10

Troubleshooting Commands

! Check VLAN assignments Core-Switch# show vlan brief ! Check trunk status Core-Switch# show interfaces trunk ! Check specific port VLAN membership Core-Switch# show interfaces Fa0/1 switchport ! Check router sub-interfaces GW-Router# show ip interface brief ! Verify routing table GW-Router# show ip route

Troubleshooting Checklist: (1) VLANs created? (2) Ports assigned to correct VLANs? (3) Trunk link up and allowing correct VLANs? (4) Router sub-interfaces configured with correct encapsulation and IPs? (5) PCs have correct gateway addresses?

Q1: PCs in VLAN 10 cannot reach PCs in VLAN 20. Same-VLAN pings work. What should you check?

Q2: A PC on Fa0/5 cannot reach anything. show vlan brief shows it in VLAN 1 instead of VLAN 10. What command fixes this?

Q3: The trunk link shows "not-trunking" status. What is likely wrong?