Chapter 8: VLANs and Trunking
Learning Objectives
By the end of this chapter, you will be able to:
- Understand VLAN concepts and benefits
- Configure VLANs on different network operating systems
- Implement VLAN trunking protocols
- Configure inter-VLAN routing
- Troubleshoot VLAN-related issues
VLAN Fundamentals
What are VLANs?
Virtual Local Area Networks (VLANs) are logical network segments that allow you to group devices together regardless of their physical location. VLANs operate at Layer 2 and create separate broadcast domains within a single physical switch infrastructure.
Benefits of VLANs
- Broadcast Domain Segmentation: Reduces broadcast traffic
- Security: Isolates sensitive traffic
- Flexibility: Easy device grouping and moves
- Performance: Reduces network congestion
- Cost Efficiency: Eliminates need for separate physical switches
VLAN Types
Data VLANs
- Carry user-generated traffic
- Most common VLAN type
- Configured on access ports
Voice VLANs
- Dedicated to VoIP traffic
- Quality of Service (QoS) enabled
- Often configured alongside data VLANs
Management VLANs
- Used for switch management traffic
- Provides secure administrative access
- Typically VLAN 1 by default (should be changed)
Native VLANs
- Untagged traffic on trunk ports
- Default is VLAN 1
- Security best practice: change from default
Basic VLAN Configuration
Single Switch VLAN Lab
```yaml
# Basic VLAN configuration lab
name: basic-vlan-lab
prefix: vlan
topology:
  nodes:
    switch1:
      kind: cisco_iosxe
      image: cisco/catalyst:latest
      mgmt-ipv4: 172.20.20.10
      startup-config: |
        hostname VLAN-Switch
        !
        ! Create VLANs
        vlan 10
         name SALES
        !
        vlan 20
         name ENGINEERING
        !
        vlan 30
         name MANAGEMENT
        !
        vlan 99
         name NATIVE
        !
        ! Configure access ports
        interface range GigabitEthernet1/0/1-2
         switchport mode access
         switchport access vlan 10
         spanning-tree portfast
         no shutdown
        !
        interface range GigabitEthernet1/0/3-4
         switchport mode access
         switchport access vlan 20
         spanning-tree portfast
         no shutdown
        !
        interface GigabitEthernet1/0/5
         switchport mode access
         switchport access vlan 30
         spanning-tree portfast
         no shutdown
        !
        ! Management VLAN interface
        interface vlan 30
         ip address 192.168.30.10 255.255.255.0
         no shutdown
        !
        ip default-gateway 192.168.30.1
        !
    # Sales department PCs
    sales-pc1:
      kind: linux
      image: alpine:latest
      mgmt-ipv4: 172.20.20.11
      exec:
        - ip addr add 192.168.10.10/24 dev eth1
        - ip route add default via 192.168.10.1
    sales-pc2:
      kind: linux
      image: alpine:latest
      mgmt-ipv4: 172.20.20.12
      exec:
        - ip addr add 192.168.10.11/24 dev eth1
        - ip route add default via 192.168.10.1
    # Engineering department PCs
    eng-pc1:
      kind: linux
      image: alpine:latest
      mgmt-ipv4: 172.20.20.13
      exec:
        - ip addr add 192.168.20.10/24 dev eth1
        - ip route add default via 192.168.20.1
    eng-pc2:
      kind: linux
      image: alpine:latest
      mgmt-ipv4: 172.20.20.14
      exec:
        - ip addr add 192.168.20.11/24 dev eth1
        - ip route add default via 192.168.20.1
    # Management PC
    mgmt-pc:
      kind: linux
      image: alpine:latest
      mgmt-ipv4: 172.20.20.15
      exec:
        - ip addr add 192.168.30.20/24 dev eth1
        - ip route add default via 192.168.30.1
  links:
    # Sales VLAN connections
    - endpoints: ["switch1:eth1", "sales-pc1:eth1"]
    - endpoints: ["switch1:eth2", "sales-pc2:eth1"]
    # Engineering VLAN connections
    - endpoints: ["switch1:eth3", "eng-pc1:eth1"]
    - endpoints: ["switch1:eth4", "eng-pc2:eth1"]
    # Management VLAN connection
    - endpoints: ["switch1:eth5", "mgmt-pc:eth1"]
```

Testing VLAN Isolation
```bash
# Deploy the lab
containerlab deploy -t basic-vlan-lab.yml

# Test connectivity within the same VLAN (should work)
docker exec clab-vlan-sales-pc1 ping -c 3 192.168.10.11

# Test connectivity between different VLANs (should fail)
docker exec clab-vlan-sales-pc1 ping -c 3 192.168.20.10

# Check the VLAN configuration on the switch
docker exec -it clab-vlan-switch1 cli -c "show vlan brief"
```

VLAN Configuration Commands
Creating VLANs
```
# Cisco IOS/IOS-XE
configure terminal
vlan 10
 name SALES
 exit
vlan 20
 name ENGINEERING
 exit

# Alternative method (legacy VLAN database mode, not available on newer platforms)
vlan database
vlan 10 name SALES
vlan 20 name ENGINEERING
exit
```

Assigning Ports to VLANs
```
# Access port configuration
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 no shutdown

# Range configuration
interface range GigabitEthernet1/0/1-5
 switchport mode access
 switchport access vlan 10
```

VLAN Trunking
Trunk Port Fundamentals
Trunk ports carry traffic for multiple VLANs between switches. They use VLAN tagging to identify which VLAN each frame belongs to.
VLAN Tagging Protocols
IEEE 802.1Q (Dot1Q)
- Industry standard
- 4-byte tag inserted into the Ethernet frame
- Supports up to 4,094 VLANs
- Native VLAN concept for untagged traffic

ISL (Inter-Switch Link)
- Cisco proprietary (legacy)
- Encapsulates the entire frame
- 30-byte overhead
- Being phased out
802.1Q Frame Format
```
Original Frame:
| Dest MAC | Src MAC | EtherType | Data | FCS |

Tagged Frame:
| Dest MAC | Src MAC | 802.1Q Tag | EtherType | Data | FCS |

802.1Q Tag (4 bytes):
| TPID (2B) |            TCI (2B)            |
            | PCP (3b) | DEI (1b) | VID (12b) |
```

- TPID: Tag Protocol Identifier (0x8100)
- PCP: Priority Code Point (QoS)
- DEI: Drop Eligible Indicator
- VID: VLAN Identifier (1-4094)
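The tag layout above, decoded in code. This is an added example, not part of the chapter: it parses the TPID/PCP/DEI/VID fields of every 802.1Q tag in a frame and reports frames that carry more than one tag, which is what a sensor watching access-port traffic wants to alert on in the double-tagging scenario covered later in this chapter. It assumes the FCS has already been stripped, as most capture stacks do, and all frames are constructed test input.

```python
import struct

TPID_8021Q = 0x8100
TPID_8021AD = 0x88A8  # 802.1ad service tag; accepted here as an outer tag as well


def parse_vlan_tags(frame: bytes):
    """Return (dst, src, tags, ethertype, payload) for an Ethernet frame.

    tags lists every 802.1Q tag found, outermost first, as dicts with
    tpid/pcp/dei/vid. The FCS is assumed to be absent (constructed input).
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset, tags = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break  # real EtherType reached: no more tags
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        tags.append({
            "tpid": ethertype,
            "pcp": tci >> 13,          # 3-bit Priority Code Point
            "dei": (tci >> 12) & 0x1,  # 1-bit Drop Eligible Indicator
            "vid": tci & 0x0FFF,       # 12-bit VLAN Identifier
        })
        offset += 4
    return dst, src, tags, ethertype, frame[offset + 2:]


def build_test_frame(dst, src, vids, ethertype=0x0800, payload=b""):
    """Constructed test input: one 802.1Q tag per VID (outermost first), PCP/DEI zero."""
    hdr = dst + src
    for vid in vids:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def is_double_tagged(frame: bytes) -> bool:
    """True when a frame carries more than one VLAN tag. Seen on an access port
    (where hosts should send untagged frames) this is the double-tagging pattern
    and is worth an alert from a mirror-port sensor."""
    return len(parse_vlan_tags(frame)[2]) > 1
```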
Multi-Switch VLAN Lab
```yaml
# Multi-switch VLAN with trunking
name: multi-switch-vlan
prefix: trunk
topology:
  nodes:
    # Core switch
    core-sw:
      kind: cisco_iosxe
      image: cisco/catalyst:latest
      mgmt-ipv4: 172.20.20.10
      startup-config: |
        hostname Core-Switch
        !
        ! Create VLANs
        vlan 10
         name SALES
        !
        vlan 20
         name ENGINEERING
        !
        vlan 30
         name MANAGEMENT
        !
        vlan 99
         name NATIVE
        !
        ! Configure trunk ports: Gi1/0/1-2 face the access switches,
        ! Gi1/0/3 faces the router (see the links section below).
        ! Set the encapsulation before 'switchport mode trunk'.
        interface range GigabitEthernet1/0/1-3
         switchport trunk encapsulation dot1q
         switchport mode trunk
         switchport trunk native vlan 99
         switchport trunk allowed vlan 10,20,30,99
         no shutdown
        !
        ! Management interface (192.168.30.1 belongs to the router's VLAN 30 subinterface)
        interface vlan 30
         ip address 192.168.30.2 255.255.255.0
         no shutdown
        !
        ip default-gateway 192.168.30.1
        !
    # Access switch 1 (Sales)
    access-sw1:
      kind: cisco_iosxe
      image: cisco/catalyst:latest
      mgmt-ipv4: 172.20.20.11
      startup-config: |
        hostname Access-Switch-1
        !
        ! Create VLANs
        vlan 10
         name SALES
        !
        vlan 99
         name NATIVE
        !
        ! Trunk to core
        interface GigabitEthernet1/0/1
         switchport trunk encapsulation dot1q
         switchport mode trunk
         switchport trunk native vlan 99
         switchport trunk allowed vlan 10,99
         no shutdown
        !
        ! Access ports for sales
        interface range GigabitEthernet1/0/2-5
         switchport mode access
         switchport access vlan 10
         spanning-tree portfast
         no shutdown
        !
    # Access switch 2 (Engineering)
    access-sw2:
      kind: cisco_iosxe
      image: cisco/catalyst:latest
      mgmt-ipv4: 172.20.20.12
      startup-config: |
        hostname Access-Switch-2
        !
        ! Create VLANs
        vlan 20
         name ENGINEERING
        !
        vlan 99
         name NATIVE
        !
        ! Trunk to core
        interface GigabitEthernet1/0/1
         switchport trunk encapsulation dot1q
         switchport mode trunk
         switchport trunk native vlan 99
         switchport trunk allowed vlan 20,99
         no shutdown
        !
        ! Access ports for engineering
        interface range GigabitEthernet1/0/2-5
         switchport mode access
         switchport access vlan 20
         spanning-tree portfast
         no shutdown
        !
    # Router for inter-VLAN routing
    router1:
      kind: cisco_iosxe
      image: cisco/iosxe:latest
      mgmt-ipv4: 172.20.20.20
      startup-config: |
        hostname Inter-VLAN-Router
        !
        ! Configure trunk interface with subinterfaces
        interface GigabitEthernet0/0/0
         no ip address
         no shutdown
        !
        interface GigabitEthernet0/0/0.10
         description Sales-VLAN
         encapsulation dot1Q 10
         ip address 192.168.10.1 255.255.255.0
        !
        interface GigabitEthernet0/0/0.20
         description Engineering-VLAN
         encapsulation dot1Q 20
         ip address 192.168.20.1 255.255.255.0
        !
        interface GigabitEthernet0/0/0.30
         description Management-VLAN
         encapsulation dot1Q 30
         ip address 192.168.30.1 255.255.255.0
        !
    # End devices
    sales-pc1:
      kind: linux
      image: alpine:latest
      exec:
        - ip addr add 192.168.10.10/24 dev eth1
        - ip route add default via 192.168.10.1
    sales-pc2:
      kind: linux
      image: alpine:latest
      exec:
        - ip addr add 192.168.10.11/24 dev eth1
        - ip route add default via 192.168.10.1
    eng-pc1:
      kind: linux
      image: alpine:latest
      exec:
        - ip addr add 192.168.20.10/24 dev eth1
        - ip route add default via 192.168.20.1
    eng-pc2:
      kind: linux
      image: alpine:latest
      exec:
        - ip addr add 192.168.20.11/24 dev eth1
        - ip route add default via 192.168.20.1
  links:
    # Trunk connections
    - endpoints: ["core-sw:eth1", "access-sw1:eth1"]
    - endpoints: ["core-sw:eth2", "access-sw2:eth1"]
    - endpoints: ["core-sw:eth3", "router1:eth1"]
    # Access connections
    - endpoints: ["access-sw1:eth2", "sales-pc1:eth1"]
    - endpoints: ["access-sw1:eth3", "sales-pc2:eth1"]
    - endpoints: ["access-sw2:eth2", "eng-pc1:eth1"]
    - endpoints: ["access-sw2:eth3", "eng-pc2:eth1"]
```

Trunk Configuration Commands
Basic Trunk Configuration
```
# Configure trunk port
# On platforms that also support ISL, the encapsulation must be set before
# 'switchport mode trunk' or the mode command is rejected; platforms that only
# support 802.1Q do not have the encapsulation command at all.
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20,30
 no shutdown
```

Trunk Verification
```
# Show trunk status
show interfaces trunk
show interfaces GigabitEthernet1/0/1 trunk

# Show VLAN information
show vlan brief
show vlan id 10

# Show interface switchport status
show interfaces GigabitEthernet1/0/1 switchport
```

Dynamic Trunking Protocol (DTP)
DTP is a Cisco proprietary protocol that automatically negotiates trunking between switches.
DTP Modes
| Mode | Description | Behavior |
|---|---|---|
| trunk | Permanent trunk | Always trunk, sends DTP |
| access | Permanent access | Never trunk, ignores DTP |
| dynamic auto | Passive negotiation | Trunk if neighbor is trunk/desirable |
| dynamic desirable | Active negotiation | Actively tries to form trunk |
| nonegotiate | No DTP | Trunk without DTP negotiation |
```
# Configure DTP modes
interface GigabitEthernet1/0/1
 switchport mode dynamic desirable
interface GigabitEthernet1/0/2
 switchport mode dynamic auto

# Disable DTP (security best practice)
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport nonegotiate
```

Inter-VLAN Routing
Router-on-a-Stick
Traditional method using a single router interface with subinterfaces for each VLAN.
Subinterface Configuration
```
# Configure physical interface
interface GigabitEthernet0/0/0
 no ip address
 no shutdown

# Configure subinterfaces
interface GigabitEthernet0/0/0.10
 description Sales-VLAN
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
interface GigabitEthernet0/0/0.20
 description Engineering-VLAN
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
```

Switch Virtual Interfaces (SVIs)
Layer 3 switches can route between VLANs using SVIs.
```yaml
# Layer 3 switch inter-VLAN routing
startup-config: |
  ! Enable IP routing
  ip routing
  !
  ! Create VLANs
  vlan 10
   name SALES
  !
  vlan 20
   name ENGINEERING
  !
  ! Configure SVIs
  interface vlan 10
   ip address 192.168.10.1 255.255.255.0
   no shutdown
  !
  interface vlan 20
   ip address 192.168.20.1 255.255.255.0
   no shutdown
  !
  ! Configure access ports
  interface range GigabitEthernet1/0/1-10
   switchport mode access
   switchport access vlan 10
  !
  interface range GigabitEthernet1/0/11-20
   switchport mode access
   switchport access vlan 20
  !
```

VLAN Security
VLAN Hopping Attacks
Switch Spoofing Attack
An attacker configures a device to negotiate a trunk with the switch (via DTP) and thereby gains access to every VLAN carried on that trunk.
Prevention:
```
# Explicitly configure access ports
interface GigabitEthernet1/0/1
 switchport mode access
 switchport nonegotiate

# Disable unused ports
interface range GigabitEthernet1/0/20-24
 shutdown
 switchport mode access
 ! VLAN 999 is an unused (black-hole) VLAN
 switchport access vlan 999
```

Double Tagging Attack
An attacker sends frames carrying two 802.1Q tags; the first switch strips the outer tag when it matches the trunk's native VLAN and forwards the frame with the inner tag intact, so the frame is delivered into a different VLAN.
Prevention:
```
# Change native VLAN from default
interface GigabitEthernet1/0/1
 switchport trunk native vlan 999

# Use dedicated native VLAN
vlan 999
 name NATIVE_VLAN
```

VLAN Security Best Practices
- Change default native VLAN from VLAN 1
- Disable unused ports and assign to unused VLAN
- Use explicit trunk configuration (avoid DTP)
- Implement port security on access ports
- Separate management traffic into dedicated VLAN
- Regular VLAN audits and cleanup
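An audit script for the practices above, added here as an example and not part of the chapter: it parses a running-config excerpt into interface stanzas and flags ports that still negotiate DTP, trunks without `switchport nonegotiate`, and trunks left on native VLAN 1. It assumes IOS-style one-space indentation of interface sub-commands; the sample config is constructed.

```python
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
!
interface GigabitEthernet1/0/2
 switchport mode trunk
 switchport trunk native vlan 99
 switchport nonegotiate
!
interface GigabitEthernet1/0/3
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/24
 shutdown
 switchport access vlan 999
"""  # constructed running-config excerpt, not taken from a real device


def parse_interfaces(config):
    """Map each 'interface ...' stanza to its sub-commands (assumes IOS-style
    one-space indentation; any unindented line ends the current stanza)."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith("interface "):
            current = line[len("interface "):].strip()
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None
    return stanzas


def audit_vlan_security(config):
    """Return (interface, finding) pairs for the VLAN security practices listed above."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        if "shutdown" in cmds:
            continue  # disabled ports are covered by the unused-port practice
        mode = next((c.split()[2] for c in cmds if c.startswith("switchport mode ")), None)
        native = next((c.split()[-1] for c in cmds if c.startswith("switchport trunk native vlan ")), "1")
        nonegotiate = "switchport nonegotiate" in cmds
        if mode in (None, "dynamic"):
            findings.append((name, "DTP negotiation active: no explicit 'switchport mode access' or 'trunk'"))
        elif mode == "trunk":
            if not nonegotiate:
                findings.append((name, "trunk still sends DTP: add 'switchport nonegotiate'"))
            if native == "1":
                findings.append((name, "trunk uses default native VLAN 1"))
        elif mode == "access" and not nonegotiate:
            findings.append((name, "access port still sends DTP: add 'switchport nonegotiate'"))
    return findings
```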
```
# Security hardening example
! Change native VLAN
interface range GigabitEthernet1/0/1-2
 switchport trunk native vlan 999
 switchport nonegotiate
! Secure unused ports
interface range GigabitEthernet1/0/20-24
 shutdown
 switchport mode access
 switchport access vlan 999
! Port security on access ports (the port must be a static access port,
! not a dynamic one, or the port-security command is rejected)
interface range GigabitEthernet1/0/3-10
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
```

Voice VLANs
Voice VLANs provide dedicated bandwidth and QoS for VoIP traffic.
Voice VLAN Configuration
```
# Enable MLS QoS globally (required before 'mls qos trust' takes effect on an interface)
mls qos

# Configure voice VLAN
interface GigabitEthernet1/0/1
 switchport mode access
 ! Data VLAN
 switchport access vlan 10
 ! Voice VLAN
 switchport voice vlan 20
 spanning-tree portfast
 ! QoS for voice traffic: trust the CoS marking set by the phone
 mls qos trust cos
```

Voice VLAN Lab Example
```yaml
# Voice VLAN demonstration
startup-config: |
  ! Enable MLS QoS globally
  mls qos
  !
  ! Create VLANs
  vlan 10
   name DATA
  !
  vlan 20
   name VOICE
  !
  ! Configure voice-enabled port
  interface GigabitEthernet1/0/1
   switchport mode access
   switchport access vlan 10
   switchport voice vlan 20
   spanning-tree portfast
   mls qos trust cos
  !
```

Troubleshooting VLANs
Common VLAN Issues
VLAN Mismatch
Symptoms:
- Devices in the same VLAN cannot communicate
- Trunk not passing traffic for a specific VLAN

Diagnosis:
```
show vlan brief
show interfaces trunk
```

Resolution:
- Verify the VLAN exists on both switches
- Check the trunk allowed VLAN list
- Verify the VLAN is active

Native VLAN Mismatch
Symptoms:
- CDP/LLDP native VLAN mismatch messages
- Connectivity issues for untagged traffic

Diagnosis:
```
show interfaces GigabitEthernet1/0/1 trunk
show cdp neighbors detail
```

Resolution:
- Configure the same native VLAN on both ends
- Or use different native VLANs intentionally

Trunk Negotiation Issues
Symptoms:
- Trunk not forming
- DTP negotiation failures

Diagnosis:
```
show interfaces GigabitEthernet1/0/1 switchport
show dtp interface GigabitEthernet1/0/1
```

Resolution:
- Configure explicit trunk mode
- Disable DTP if not needed
- Check encapsulation compatibility

Diagnostic Commands
VLAN Verification
```
# VLAN information
show vlan brief
show vlan id 10
show vlan name SALES

# Interface VLAN assignment
show interfaces GigabitEthernet1/0/1 switchport
show interfaces status

# Trunk verification
show interfaces trunk
show interfaces GigabitEthernet1/0/1 trunk
```

Traffic Analysis
```
# MAC address table per VLAN
show mac address-table vlan 10
show mac address-table interface GigabitEthernet1/0/1

# Spanning tree per VLAN
show spanning-tree vlan 10
show spanning-tree interface GigabitEthernet1/0/1

# Interface counters
show interfaces GigabitEthernet1/0/1 counters
```

Advanced VLAN Features
Private VLANs
Private VLANs provide Layer 2 isolation within a VLAN.
Private VLAN Types
- Primary VLAN: Main VLAN containing all ports
- Isolated VLAN: Ports can only communicate with promiscuous ports
- Community VLAN: Ports can communicate with each other and promiscuous ports
- Promiscuous ports: Can communicate with all VLAN types
```
# Private VLAN configuration
vlan 100
 private-vlan primary
!
vlan 101
 private-vlan isolated
!
vlan 102
 private-vlan community
!
vlan 100
 private-vlan association 101,102
!
interface GigabitEthernet1/0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
interface GigabitEthernet1/0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
```

VLAN Access Control Lists
VACLs filter traffic within a VLAN, including traffic switched between two hosts in the same VLAN that never reaches a router.
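A model of how the switch evaluates the VLAN_FILTER access-map used in this section, added here as an example and not part of the chapter. In a VACL the ACL named in `match ip address` only classifies: a packet that hits a `permit` entry matches that access-map sequence and takes its `action`, a packet that hits a `deny` entry (or the implicit deny) does not match and falls through to the next sequence. The code compares the intended ACL (permit only the traffic to drop) with an inverted one that also ends in `permit ip any any`; packets and ACL entries are constructed.

```python
# ACL entries are (action, protocol, destination_port); None means "any port".
ACLS_AS_INTENDED = {
    "BLOCK_HTTP": [("permit", "tcp", 80)],  # implicit deny for everything else
}
ACLS_INVERTED = {
    "BLOCK_HTTP": [("deny", "tcp", 80), ("permit", "ip", None)],
}
# vlan access-map VLAN_FILTER 10 -> match ip address BLOCK_HTTP, action drop
# vlan access-map VLAN_FILTER 20 -> no match clause, action forward
ACCESS_MAP = [(10, "BLOCK_HTTP", "drop"), (20, None, "forward")]


def acl_result(acl, pkt):
    """First-match evaluation of an extended ACL; no match is the implicit deny."""
    for action, proto, dport in acl:
        if proto in ("ip", pkt["proto"]) and dport in (None, pkt["dport"]):
            return action
    return "deny"


def vacl_decision(access_map, acls, pkt):
    """Walk the access-map sequences in order. A 'permit' result from the
    referenced ACL means the packet matches that sequence and takes its action;
    a 'deny' result means it does not match and the next sequence is tried.
    A sequence with no match clause matches everything; a packet that matches
    no sequence is dropped."""
    for _seq, acl_name, action in access_map:
        if acl_name is None or acl_result(acls[acl_name], pkt) == "permit":
            return action
    return "drop"


HTTP = {"proto": "tcp", "dport": 80}  # constructed sample packets
SSH = {"proto": "tcp", "dport": 22}

if __name__ == "__main__":
    for label, acls in (("intended", ACLS_AS_INTENDED), ("inverted", ACLS_INVERTED)):
        print(label, "http ->", vacl_decision(ACCESS_MAP, acls, HTTP),
              "ssh ->", vacl_decision(ACCESS_MAP, acls, SSH))
```

With the inverted ACL the VACL forwards HTTP and drops everything else, the opposite of what the access-map name suggests.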
```
# Configure VACL
# The ACL only classifies: traffic that hits a 'permit' entry matches access-map
# sequence 10 and is dropped, everything else falls through to sequence 20.
ip access-list extended BLOCK_HTTP
 permit tcp any any eq 80
!
vlan access-map VLAN_FILTER 10
 match ip address BLOCK_HTTP
 action drop
!
vlan access-map VLAN_FILTER 20
 action forward
!
vlan filter VLAN_FILTER vlan-list 10
```

Performance Optimization
VLAN Performance Considerations
- VLAN Spanning: Minimize VLANs spanning multiple switches
- Trunk Utilization: Monitor trunk link utilization
- STP Optimization: Optimize spanning tree per VLAN
- Load Balancing: Distribute VLANs across trunk links
Monitoring and Optimization
```
# Monitor trunk utilization
show interfaces GigabitEthernet1/0/1 | include rate

# Check spanning tree load balancing
show spanning-tree vlan 10 | include Root

# VLAN statistics
show vlan counters
```

Summary
VLANs are fundamental to modern network design, providing segmentation, security, and flexibility. Understanding VLAN configuration, trunking protocols, and inter-VLAN routing is essential for network engineers. Proper VLAN design and security implementation help create scalable and secure network infrastructures.
Key concepts covered:
- VLAN fundamentals and benefits
- VLAN configuration and management
- Trunking protocols and configuration
- Inter-VLAN routing methods
- VLAN security considerations
- Troubleshooting methodologies
In the next chapter, we’ll explore Spanning Tree Protocol, which prevents loops in switched networks with redundant paths.
Review Questions
- What are the benefits of implementing VLANs in a network?
- How does 802.1Q tagging work in trunk links?
- What are the security risks associated with VLANs and how can they be mitigated?
- What’s the difference between router-on-a-stick and SVI inter-VLAN routing?
- How do you troubleshoot VLAN connectivity issues?
Hands-on Exercises
Exercise 1: Basic VLAN Implementation
- Deploy the basic VLAN lab topology
- Configure VLANs and assign ports
- Test VLAN isolation between different VLANs
- Verify VLAN configuration with show commands
Exercise 2: Multi-Switch VLAN with Trunking
- Implement the multi-switch VLAN topology
- Configure trunk links between switches
- Test VLAN connectivity across switches
- Implement inter-VLAN routing
Exercise 3: VLAN Security Hardening
- Implement VLAN security best practices
- Test and prevent VLAN hopping attacks
- Configure voice VLANs with QoS
- Document security improvements
Exercise 4: VLAN Troubleshooting
- Create various VLAN problems (misconfigurations, trunk issues)
- Practice diagnostic commands and procedures
- Develop systematic troubleshooting approaches
- Document solutions and prevention strategies