
Chapter 7 of 27

VLAN Foundations: Segmentation and Access Port Configuration

Transform a flat LAN into multiple isolated segments using VLANs so that you can control broadcast domains and enforce basic policy boundaries.

27 min read

From Flat LAN to VLANs: Why Segmentation Matters

The Problem with Flat LANs

A new switch starts as one big broadcast domain. Every broadcast is flooded out all ports in the same VLAN. In a small lab this is acceptable, but in a production network it creates noise, security risks, and management pain.

Canonical VLAN Definition

A Virtual Local Area Network (VLAN) is a logical subdivision of a Layer 2 network that groups devices into the same broadcast domain regardless of their physical location. This exact wording is key for CCNA.

Logical vs Physical

Users in marketing, finance, and engineering can plug into the same physical switch but be placed into different VLANs. Physically they share cabling; logically each VLAN is its own Layer 2 island.

Why Use VLANs?

VLANs shrink broadcast domains, create basic security boundaries, and let users move around while keeping their network membership. Traffic between VLANs must cross a router or multilayer switch.

VLANs, Broadcast Domains, and Layer 2 Segmentation

Broadcast Domains Refresher

A broadcast domain is the set of interfaces that receive a Layer 2 broadcast. With no VLANs, the whole switch is usually one broadcast domain, typically VLAN 1 on Cisco.

Layer 2 Segmentation

When you create VLANs and assign ports, each VLAN becomes its own broadcast domain. You are logically slicing one physical switch into multiple smaller switches, one per VLAN.

VLAN IDs and Ranges

Cisco uses VLAN IDs 1–4094. VLANs 1–1005 are normal-range, 1006–4094 are extended-range. VLAN 1 is the default VLAN and historically used by control-plane protocols.

VLANs and IP Subnets

Each VLAN should map to its own IPv4 and/or IPv6 subnet. For example, VLAN 10 uses 192.168.10.0/24 and 2001:db8:10::/64, while VLAN 20 uses different subnets and requires routing to communicate.

Access Ports and VLAN Membership

Access vs Trunk (High Level)

Switch ports can be access or trunk. Access ports connect end devices and carry a single data VLAN (plus optional voice VLAN). Trunks connect switches and carry multiple VLANs.

How Access Ports Handle VLANs

On an access port, incoming untagged frames are treated as belonging to the port's configured VLAN. The switch tracks that VLAN membership internally as it forwards the frame. Frames sent out an access port leave without an 802.1Q tag, so the host never sees the VLAN ID.

Static VLAN Assignment

For CCNA, focus on static access ports: `switchport mode access` and `switchport access vlan <id>`. Each access port belongs to exactly one data VLAN at a time.

Default VLAN Trap

If you do not set `switchport access vlan`, the port remains in VLAN 1. Many exam questions rely on this: new ports are in VLAN 1 unless you explicitly change them.

Building a Simple Three-VLAN Design

Scenario Overview

You have a 24-port access switch on one floor. Ports 1–8 are Finance, 9–16 Engineering, 17–20 IP phones with PCs, 21–24 are spare for future guests.

VLAN Plan

Define VLAN 10 for Finance, VLAN 20 for Engineering, VLAN 30 for Voice, and VLAN 99 for Management. Each VLAN becomes its own broadcast domain on the same physical switch.

Visualizing the Switch

Imagine the switch ports as a row of jacks: 1–8 colored blue (VLAN 10), 9–16 green (VLAN 20), 17–20 show IP phones (VLAN 30) with PCs behind them, 21–24 gray and unused.

Policy Possibilities

With this layout, you can later apply ACLs and QoS at Layer 3. Finance and Engineering can be isolated, and voice VLAN traffic can be prioritized without changing cabling.

Cisco CLI: Creating VLANs and Naming Them

Creating VLANs

Use global config: `configure terminal`, then `vlan <id>`. This creates or edits a VLAN entry in the switch’s VLAN database, such as `vlan 10`.

Naming VLANs

Inside VLAN config mode, use `name FINANCE` or similar. Meaningful names help you and others understand the design when using `show vlan brief`.

Verifying VLANs

`show vlan brief` lists VLAN IDs, names, and member access ports. `show vlan id 10` shows more detail for a specific VLAN, useful for troubleshooting.

Important Behaviors

VLANs are local to a switch unless managed by protocols like VTP. Deleting a VLAN with `no vlan 10` removes it and leaves its ports without a valid VLAN until reassigned.

Configuring Access Ports and a Voice VLAN (Step-by-Step)

This step walks through full CLI examples for configuring access ports, including data and voice VLANs, and shows how to verify them.

How Voice VLANs Work on Access Ports

Physical Layout with IP Phones

An IP phone plugs into the wall jack; the PC plugs into the phone. The switch port must support both, separating voice and data logically even though they share one cable.

Key Commands

Use `switchport mode access`, `switchport access vlan <data-vlan>` for the PC, and `switchport voice vlan <voice-vlan>` for the phone’s voice traffic on the same port.

Tagging Behavior

Phones tag voice frames with the voice VLAN ID using 802.1Q. PCs usually send untagged frames, which the switch places into the access (data) VLAN.

Exam Traps

Voice VLAN only works on access ports. If both `access vlan 20` and `voice vlan 30` are set, PC traffic is in VLAN 20 and voice traffic is in VLAN 30—do not mix them up.

Thought Exercise: Predict Connectivity with VLANs

Use this scenario to mentally practice how VLAN segmentation affects connectivity.

Scenario:

  • Switch S1 has VLANs 10 and 20 configured.
  • Ports:
      • Fa0/1: `switchport mode access`, `switchport access vlan 10` (PC-A)
      • Fa0/2: `switchport mode access`, `switchport access vlan 10` (PC-B)
      • Fa0/3: `switchport mode access`, `switchport access vlan 20` (PC-C)
      • Fa0/4: `switchport mode access` only, no `switchport access vlan` configured (PC-D)
  • All PCs get valid IPv4 addresses in their respective subnets and correct default gateways.

Questions to think through (answer in your head or notes):

  1. Which PCs can exchange Layer 2 frames directly (without routing)?
  2. If the switch has no Layer 3 interfaces configured (no SVIs, no routed ports), which PCs can successfully ping each other?
  3. What VLAN is PC-D in?
  4. If you later configure an SVI for VLAN 10 with an IP address and set it as the default gateway for PCs in VLAN 10, which devices can now ping that SVI?

Hints:

  • Remember that a VLAN is a broadcast domain.
  • Hosts in different VLANs cannot communicate without routing.
  • Default switch behavior uses VLAN 1 for unassigned access ports.

After you have your answers, compare them to the explanation in the next step’s quiz.
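To make the access-port rules from the previous sections and the thought exercise concrete, here is an added example in Python. It is not code from the chapter or from Cisco; it models a switch's access-port VLAN membership. It parses a constructed IOS-style configuration fragment for the four scenario ports plus an assumed fifth port, Fa0/5, configured with both `switchport access vlan 20` and `switchport voice vlan 30`, applies the default-VLAN rule (no `switchport access vlan` means VLAN 1), and derives the broadcast domains and which PCs can exchange frames without routing. The interface names, the PC-to-port mapping and the configuration text are all constructed for the example.

```python
"""Added example (not from the chapter): a small model of access-port VLAN
membership on a Cisco-style switch, used to work the thought exercise.

It parses a constructed running-config fragment, applies the default-VLAN
rule (no `switchport access vlan` means VLAN 1), and derives broadcast domains.
"""
import re
from collections import defaultdict

DEFAULT_VLAN = 1  # Cisco default: an access port with no access VLAN set sits in VLAN 1

# Constructed config fragment in the style of IOS `show running-config`.
# Fa0/1-Fa0/4 follow the thought exercise; Fa0/5 is an assumed extra port
# carrying both a data VLAN (PC) and a voice VLAN (IP phone).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 20
!
interface FastEthernet0/4
 switchport mode access
!
interface FastEthernet0/5
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 30
!
"""

# Constructed mapping of scenario hosts to their switch ports.
HOSTS = {
    "PC-A": "FastEthernet0/1",
    "PC-B": "FastEthernet0/2",
    "PC-C": "FastEthernet0/3",
    "PC-D": "FastEthernet0/4",
}


def parse_access_ports(config):
    """Return {interface: {"data": vlan, "voice": vlan or None}} for access ports.

    Interfaces without `switchport mode access` are left out, since access-VLAN
    and voice-VLAN assignment only apply to access ports.
    """
    ports = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        head = re.match(r"interface (\S+)$", line)
        if head:
            current = head.group(1)
            ports[current] = {"mode": None, "data": DEFAULT_VLAN, "voice": None}
            continue
        if current is None:
            continue
        if line == "switchport mode access":
            ports[current]["mode"] = "access"
        elif (m := re.match(r"switchport access vlan (\d+)$", line)):
            ports[current]["data"] = int(m.group(1))
        elif (m := re.match(r"switchport voice vlan (\d+)$", line)):
            ports[current]["voice"] = int(m.group(1))
    return {name: {"data": p["data"], "voice": p["voice"]}
            for name, p in ports.items() if p["mode"] == "access"}


def broadcast_domains(ports):
    """Group ports by VLAN; on one switch each VLAN is one broadcast domain."""
    domains = defaultdict(set)
    for name, p in ports.items():
        domains[p["data"]].add(name)
        if p["voice"] is not None:
            domains[p["voice"]].add(name)  # the phone's tagged frames join the voice VLAN
    return dict(domains)


def pc_data_vlan(ports, host):
    """Data VLAN that untagged frames from the PC behind `host`'s port land in."""
    return ports[HOSTS[host]]["data"]


def can_exchange_frames(ports, host_a, host_b):
    """True when two PCs share a data VLAN, i.e. reach each other without routing."""
    return pc_data_vlan(ports, host_a) == pc_data_vlan(ports, host_b)


if __name__ == "__main__":
    ports = parse_access_ports(SAMPLE_CONFIG)
    for vlan, members in sorted(broadcast_domains(ports).items()):
        print(f"VLAN {vlan}: {', '.join(sorted(members))}")
    for a, b in [("PC-A", "PC-B"), ("PC-A", "PC-C"), ("PC-A", "PC-D")]:
        print(f"{a} <-> {b} at Layer 2: {can_exchange_frames(ports, a, b)}")
    print("PC-D data VLAN:", pc_data_vlan(ports, "PC-D"))
```

Running the file prints the per-VLAN membership and the Layer 2 reachability between the scenario PCs; `can_exchange_frames` and `pc_data_vlan` give the results behind questions 1 and 3. The model deliberately ignores trunks and Layer 3, matching the scenario's switch with no SVIs.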

Quiz 1: VLAN Basics and Access Ports

Check your understanding of VLAN fundamentals and access port behavior.

On a new Cisco switch, you configure the following on interface Fa0/5:

    switchport mode access
    switchport access vlan 20

Which statement is TRUE?

  A. Fa0/5 will accept frames from all VLANs because it is an access port.
  B. Fa0/5 belongs to VLAN 20, and its frames will be in VLAN 20's broadcast domain only.
  C. Fa0/5 will belong to VLAN 1 until you also configure a voice VLAN.
  D. Fa0/5 becomes a routed port and will not participate in any VLAN.

Answer: B) Fa0/5 belongs to VLAN 20, and its frames will be in VLAN 20's broadcast domain only.

An access port carries traffic for a single data VLAN. With `switchport mode access` and `switchport access vlan 20`, Fa0/5 is an access port in VLAN 20. It participates only in VLAN 20's broadcast domain. Access ports do not accept frames from all VLANs (that is what trunks do). A voice VLAN is optional and does not change the data VLAN. Routed ports use `no switchport`, which is not present here.

Quiz 2: Troubleshooting VLAN Misconfigurations

Apply what you know to a common troubleshooting scenario.

PC-A is connected to switch S1 on Fa0/1. PC-B is on the same switch on Fa0/2. Both are in the same IPv4 subnet and have the same default gateway. You can ping from PC-A to the default gateway, but not to PC-B. On S1, you see:

    S1# show vlan brief
    VLAN Name      Status    Ports
    1    default   active    Fa0/2
    10   USERS     active    Fa0/1

What is the MOST likely cause?

  A. PC-B has the wrong default gateway configured.
  B. PC-A and PC-B are in different VLANs, so their traffic is in different broadcast domains.
  C. The switch does not support VLANs and is ignoring the configuration.
  D. The router default gateway interface is down.

Answer: B) PC-A and PC-B are in different VLANs, so their traffic is in different broadcast domains.

The `show vlan brief` output shows Fa0/1 in VLAN 10 and Fa0/2 in VLAN 1. Even though the PCs share an IP subnet, they are in different VLANs (different broadcast domains). PC-A can reach the default gateway via VLAN 10, but cannot reach PC-B because Layer 2 connectivity between VLAN 10 and VLAN 1 does not exist without routing. This mismatch between VLAN membership and IP subnetting is a classic VLAN misconfiguration.

Verifying VLAN and Access Port Configuration

Core Verification Commands

Key tools: `show vlan brief`, `show interfaces status`, `show interfaces <int> switchport`, and `show mac address-table dynamic`. These reveal VLAN and port details.

Using show vlan brief

`show vlan brief` shows VLAN IDs, names, and member access ports. If a VLAN has no ports assigned, hosts in that subnet will not have correct Layer 2 connectivity.

Per-Port Details

`show interfaces <int> switchport` displays the port’s mode, access VLAN, and voice VLAN. Use it to confirm that a port is really in the VLAN you think it is.

Spotting Mismatches

If a PC is in subnet 192.168.20.0/24 but the port’s VLAN is 1, there is a VLAN mismatch. Expect connectivity only to devices in VLAN 1, not to the 192.168.20.0/24 gateway.
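As an added example (not code from the chapter or from Cisco), the following Python parses `show vlan brief` output, including the wrapped Ports column that IOS prints when a VLAN has many members, and checks each host's port VLAN against a one-subnet-per-VLAN plan. The host names and the VLAN 1 versus VLAN 10 fault mirror Quiz 2; the output text, the VLAN plan and the host-to-port table are constructed for the example.

```python
"""Added example (not from the chapter): parse `show vlan brief` output and
flag ports whose VLAN does not match the host's IP subnet.

All input below is constructed: the show output, the VLAN-to-subnet plan and
the host addresses. The port names follow the chapter's quiz scenario.
"""
import ipaddress
import re

# Constructed `show vlan brief` output. VLAN 1's port list wraps onto a
# second, indented line as IOS does for long member lists.
SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/2, Fa0/4, Fa0/5, Fa0/6, Fa0/7
                                                Fa0/8
10   USERS                            active    Fa0/1
20   ENGINEERING                      active    Fa0/3
99   MGMT                             active
"""

# Constructed design: one IPv4 subnet per VLAN, the chapter's best practice.
VLAN_PLAN = {
    10: ipaddress.ip_network("192.168.10.0/24"),
    20: ipaddress.ip_network("192.168.20.0/24"),
}

# Constructed hosts: name -> (switch port, configured IPv4 address).
HOSTS = {
    "PC-A": ("Fa0/1", "192.168.10.11/24"),
    "PC-B": ("Fa0/2", "192.168.10.12/24"),  # port still in VLAN 1: the Quiz 2 fault
    "PC-C": ("Fa0/3", "192.168.20.13/24"),
}

# One table row: VLAN id, name, status, then the (possibly empty) port list.
ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_show_vlan_brief(text):
    """Return {port: vlan_id} from `show vlan brief`, handling wrapped port lines."""
    port_vlan = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("VLAN", "----")):
            continue  # header and separator lines
        m = ROW.match(line)
        if m:
            current = int(m.group(1))
            ports_field = m.group(4)
        elif line.startswith(" ") and current is not None:
            ports_field = line.strip()  # continuation of the previous VLAN's port list
        else:
            continue
        for port in filter(None, (p.strip() for p in ports_field.split(","))):
            port_vlan[port] = current
    return port_vlan


def expected_vlan(address, plan):
    """VLAN whose planned subnet contains `address`, or None if the address is unplanned."""
    ip = ipaddress.ip_interface(address).ip
    for vlan, net in plan.items():
        if ip in net:
            return vlan
    return None


def find_mismatches(port_vlan, hosts, plan):
    """List (host, port, actual_vlan, expected_vlan) for every port in the wrong VLAN.

    A port absent from the output reports actual_vlan=None, which also counts
    as a mismatch when the host's subnet maps to a planned VLAN.
    """
    problems = []
    for host, (port, address) in hosts.items():
        actual = port_vlan.get(port)
        expected = expected_vlan(address, plan)
        if actual != expected:
            problems.append((host, port, actual, expected))
    return problems


if __name__ == "__main__":
    pv = parse_show_vlan_brief(SHOW_VLAN_BRIEF)
    for host, port, actual, expected in find_mismatches(pv, HOSTS, VLAN_PLAN):
        print(f"{host} on {port}: port in VLAN {actual}, subnet expects VLAN {expected}")
```

Run against the constructed data this reports only PC-B, whose port sits in VLAN 1 while its 192.168.10.0/24 address belongs to VLAN 10, which is exactly the symptom in Quiz 2: the host reaches nothing in its own subnet except whatever else happens to be in VLAN 1. On a real switch you would feed the function the captured `show vlan brief` text and a host inventory instead of the constructed values.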

Key VLAN and Access Port Terms

Use these flashcards to reinforce core terminology and behaviors.

VLAN (canonical definition)
A Virtual Local Area Network (VLAN) is a logical subdivision of a Layer 2 network that groups devices into the same broadcast domain regardless of their physical location.
Broadcast domain
A set of interfaces that receive a Layer 2 broadcast frame. In a switched network with VLANs, each VLAN is a separate broadcast domain.
Access port
A switch port configured to carry traffic for a single data VLAN (plus optional voice VLAN). Frames are sent to the host untagged; the switch internally associates them with the configured VLAN.
Voice VLAN
A special VLAN configured on an access port (using `switchport voice vlan <id>`) used for IP phone traffic, usually tagged, while PC data on the same port uses the access VLAN.
Default VLAN on Cisco switches
VLAN 1. All switch ports are in VLAN 1 by default until explicitly assigned to another VLAN. Many control-plane protocols historically use VLAN 1.
Command: switchport mode access
Forces a switch interface into access mode, disabling dynamic negotiation and ensuring it carries a single data VLAN (plus optional voice VLAN).
Command: switchport access vlan 20
Assigns the interface’s data VLAN to VLAN 20. The port’s untagged frames are associated with VLAN 20’s broadcast domain.
Command: show vlan brief
Displays VLAN IDs, names, status, and which access ports are members of each VLAN. A primary tool for checking VLAN assignments.
Common VLAN misconfiguration
Port VLAN does not match the host’s IP subnet. Example: host in 192.168.10.0/24 but port still in VLAN 1, preventing proper Layer 2 connectivity to the 192.168.10.0/24 gateway.
Relationship between VLANs and IP subnets
Best practice is one IP subnet per VLAN. Different VLANs use different subnets and require Layer 3 routing to communicate.

Key Terms

VLAN
A Virtual Local Area Network (VLAN) is a logical subdivision of a Layer 2 network that groups devices into the same broadcast domain regardless of their physical location.
VLAN ID
A numeric identifier from 1 to 4094 that uniquely identifies a VLAN on a switch.
Voice VLAN
A VLAN dedicated to IP phone traffic on an access port, configured with `switchport voice vlan <id>` so voice and data share one physical link but stay logically separate.
Access port
A switch port that carries traffic for one data VLAN (and optionally one voice VLAN), sending frames to the host untagged.
Native VLAN
On 802.1Q trunks, the VLAN whose frames are sent untagged. On Cisco switches, VLAN 1 is the default native VLAN unless changed.
show vlan brief
Cisco IOS command that summarizes VLANs and their member access ports.
Broadcast domain
A collection of interfaces that receive a Layer 2 broadcast frame. Each VLAN defines one broadcast domain on a switch.
Normal-range VLANs
VLANs 1–1005 on Cisco switches, stored in the VLAN database file and widely supported.
Extended-range VLANs
VLANs 1006–4094 on Cisco switches, used in larger environments with specific configuration constraints depending on platform.
show interfaces switchport
Cisco IOS command that displays Layer 2 settings for an interface, including mode, access VLAN, and voice VLAN.
