SkarpSkarp

Chapter 9 of 29

VLAN Concepts and Configuration: Segmenting the Layer 2 Network

Transform a flat network into logical segments using VLANs so you can isolate traffic, improve security, and prepare for inter-VLAN routing scenarios.

27 min readen

VLANs in Context: Why We Segment Layer 2

From Flat to Segmented

A flat Layer 2 network has one big broadcast domain. That is simple, but broadcasts spread everywhere and different departments cannot be separated easily.

Canonical VLAN Definition

A Virtual Local Area Network (VLAN) is a logical subdivision of a Layer 2 network that groups devices into the same broadcast domain regardless of their physical location.

Campus Example

Finance on VLAN 10, Engineering on VLAN 20, and Guests on VLAN 30 can all plug into the same physical switches but remain separate broadcast domains.

Exam Relevance

For CCNA, VLANs are foundational: you must configure them, assign switch ports, and verify/troubleshoot using show commands and basic Cisco IOS syntax.

Broadcast Domains, VLAN IDs, and Native VLAN

Broadcast Domains

A broadcast domain is the set of devices that receive a Layer 2 broadcast. With VLANs, each VLAN is its own broadcast domain, isolated from others.

VLAN ID Ranges

Cisco uses VLAN IDs 1–4094. For CCNA, focus on normal range 1–1005. VLAN 1 is the default; other IDs are commonly assigned per department or function.

Native VLAN Concept

On 802.1Q trunks, the native VLAN is carried untagged; all other VLANs are tagged. Cisco defaults to VLAN 1 as native, but best practice is to change it.

Mental Model

Treat each VLAN ID as a label for a separate broadcast domain. VLAN 10 means “the broadcast domain 10” that switches will keep isolated from VLAN 20, 30, etc.

Access Ports vs Trunk Ports (and Where Voice VLAN Fits)

Access Ports

Access ports carry traffic for one data VLAN to end devices. Example: `switchport mode access` and `switchport access vlan 10` for a Finance PC.

Trunk Ports

Trunk ports carry multiple VLANs between switches or to routers. They tag frames with 802.1Q VLAN IDs and are set with `switchport mode trunk`.

Voice VLAN Concept

IP phones often share a port with a PC. You can put voice in VLAN 20 and data in VLAN 10 using `switchport voice vlan 20` on an access port.

Common Exam Trap

An access port with a voice VLAN is still an access port, not a trunk, even though it handles both data and voice VLANs on that single edge port.

Topology Walkthrough: Office with Data and Voice VLANs

Physical Topology

Imagine a floor switch with desks for Finance and Sales. Each desk has a PC and IP phone sharing a single switch port via the phone’s internal switch.

Logical VLAN Design

Finance PCs are in VLAN 10, Sales PCs in VLAN 20, and all IP phones in VLAN 30. Each VLAN maps to its own IPv4 subnet for routing.

Access Port Behavior

On Fa0/1, the phone tags voice frames with VLAN 30; the PC sends untagged frames, which the switch assigns to VLAN 10 as the access VLAN.

Trunk Uplinks

Trunk ports Gi0/1 and Gi0/2 carry VLANs 10, 20, and 30 using 802.1Q tags to reach routers or other switches for inter‑VLAN routing.

Core VLAN Configuration on a Cisco Switch

Step 1: Create VLANs

In global config: `vlan 10` `name FINANCE`, `vlan 20` `name SALES`, `vlan 30` `name VOICE`. Names are optional but help with troubleshooting.

Step 2: Access Ports

On Fa0/1 for a Finance PC: `interface fa0/1`, `switchport mode access`, `switchport access vlan 10`. Repeat with VLAN 20 for Sales ports.

Step 3: Trunk Port Basics

On Gi0/1 uplink: `interface gi0/1`, `switchport mode trunk`, and typically `switchport trunk allowed vlan 10,20,30` to restrict which VLANs cross.

Native VLAN on Trunks

Optionally set `switchport trunk native vlan 99` for a dedicated native VLAN, making sure both sides of the trunk agree on the same ID.

Hands-On: Sample VLAN and Voice VLAN Configuration

Study and mentally simulate this configuration. Try to visualize which devices end up in which VLANs.

```plaintext

! 1. Create VLANs

vlan 10

name FINANCE

vlan 20

name SALES

vlan 30

name VOICE

vlan 99

name NATIVE-MGMT

!

! 2. Finance desk ports (PC + IP phone)

interface range fastethernet0/1 - 10

switchport mode access

switchport access vlan 10

switchport voice vlan 30

spanning-tree portfast

!

! 3. Sales desk ports (PC + IP phone)

interface range fastethernet0/11 - 20

switchport mode access

switchport access vlan 20

switchport voice vlan 30

spanning-tree portfast

!

! 4. Uplink to distribution switch

interface gigabitethernet0/1

switchport trunk encapsulation dot1q ! may be omitted on newer switches

switchport mode trunk

switchport trunk native vlan 99

switchport trunk allowed vlan 10,20,30,99

spanning-tree portfast trunk ! only if directly to router, not to another switch

!

! 5. Management SVI (if used)

interface vlan 99

ip address 192.168.99.2 255.255.255.0

no shutdown

!

ip default-gateway 192.168.99.1

```

Questions to ask yourself:

  • Which VLAN carries the switch management IP?
  • Which VLAN IDs are allowed across the trunk?
  • What happens to untagged frames on Gi0/1?
  • Where will the Finance PC on Fa0/5 and its phone send their traffic?

Verifying VLANs: show vlan, show interfaces switchport, show interfaces trunk

show vlan brief

`show vlan brief` lists VLAN IDs, names, status, and which access ports are in each VLAN. It is your first check after creating and assigning VLANs.

show interfaces switchport

On a port like Fa0/1, this command shows admin/operational mode, access VLAN, and voice VLAN. Use it to confirm what each edge port is really doing.

show interfaces trunk

This command lists trunk ports, encapsulation, native VLAN, and allowed VLANs. If a VLAN is missing here, it will not cross that trunk.

Verification Mindset

Always compare your intended design with show outputs. Ask: Is the port in the right VLAN? Is the trunk carrying all needed VLANs with the correct native VLAN?

Quiz 1: Core VLAN Concepts

Test your understanding of VLAN basics and port types.

A PC in the Sales department is connected to switch port Fa0/12. The port is configured as `switchport mode access` and `switchport access vlan 20`. Which statement is TRUE?

  1. The PC can send and receive frames for multiple VLANs because access ports support tagging.
  2. The PC is in VLAN 20’s broadcast domain, and its frames are treated as belonging only to VLAN 20 on that switch.
  3. The port will automatically negotiate a trunk if the other side supports 802.1Q.
  4. The PC is in the same broadcast domain as VLANs 1 and 10 because they are on the same physical switch.
Show Answer

Answer: B) The PC is in VLAN 20’s broadcast domain, and its frames are treated as belonging only to VLAN 20 on that switch.

An access port belongs to exactly one data VLAN. With `switchport mode access` and `switchport access vlan 20`, untagged frames from the PC are classified into VLAN 20. Access ports do not negotiate trunks (that would require dynamic desirable/auto), and VLAN membership is per VLAN, not per switch.

Thought Exercise: Predicting VLAN Behavior

Work through this scenario mentally. Do not worry about typing commands; focus on reasoning.

Scenario

You have two switches, SW1 and SW2, connected by Gi0/1 on both sides.

On SW1:

  • VLAN 10 and VLAN 20 are created.
  • Fa0/1 is an access port in VLAN 10.
  • Fa0/2 is an access port in VLAN 20.
  • Gi0/1 is configured as a trunk with `switchport trunk allowed vlan 10,20`.

On SW2:

  • VLAN 10 and VLAN 20 are created.
  • Fa0/1 is an access port in VLAN 10.
  • Fa0/2 is an access port in VLAN 20.
  • Gi0/1 is configured as a trunk with `switchport trunk allowed vlan 10` (VLAN 20 is missing).

Questions to answer (mentally or on paper)

  1. Can the PC on SW1 Fa0/1 ping the PC on SW2 Fa0/1 (both in VLAN 10, same subnet), assuming correct IP settings and no ACLs?
  2. Can the PC on SW1 Fa0/2 ping the PC on SW2 Fa0/2 (both in VLAN 20, same subnet)?
  3. What would `show interfaces trunk` on SW2 tell you about VLAN 20?
  4. Which single configuration change on SW2 would fix the issue for VLAN 20?

Check yourself

  1. Yes, VLAN 10 is allowed on both sides, so VLAN 10’s broadcast domain spans both switches.
  2. No, VLAN 20 is not allowed on SW2’s trunk, so VLAN 20’s broadcast domain stops at SW1.
  3. It would show VLAN 10 as allowed and active, but VLAN 20 would not appear in the allowed list.
  4. Add VLAN 20 to the allowed list: `switchport trunk allowed vlan 10,20` on SW2 Gi0/1.

Quiz 2: Voice VLANs and Verification

Apply what you know about voice VLANs and show commands.

A port is configured as follows: interface fastethernet0/5 switchport mode access switchport access vlan 10 switchport voice vlan 30 Which `show` command and output pair BEST confirms that both the PC and IP phone on this port are in the intended VLANs?

  1. `show vlan brief` showing Fa0/5 listed under VLANs 10 and 30.
  2. `show interfaces fastethernet0/5 switchport` showing Access Mode VLAN: 10 and Voice VLAN: 30.
  3. `show interfaces trunk` showing Fa0/5 as a trunk carrying VLANs 10 and 30.
  4. `show running-config` showing only `switchport access vlan 10` under interface Fa0/5.
Show Answer

Answer: B) `show interfaces fastethernet0/5 switchport` showing Access Mode VLAN: 10 and Voice VLAN: 30.

`show interfaces fastethernet0/5 switchport` explicitly lists the access VLAN and voice VLAN for that interface. `show vlan brief` shows only the access VLAN membership, not the voice VLAN. Fa0/5 is not a trunk, and `show running-config` alone does not prove the operational VLANs.

Common VLAN Misconfigurations and Troubleshooting Flow

Wrong VLAN on Port

If a device cannot reach its peers, first confirm the port’s access VLAN with `show vlan brief` and `show interfaces switchport` for that specific interface.

VLAN Missing or Inactive

If devices on different switches cannot talk, ensure the VLAN is created and active on each switch using `show vlan brief` on both sides.

Trunk and Native Issues

Use `show interfaces trunk` to confirm the VLAN is allowed and that native VLANs match. Mismatches can cause leaks and protocol warnings.

Layered Troubleshooting

Work from edge to core: edge port config, local VLAN, trunks, remote port. Only after Layer 2 checks out should you investigate IP, default gateway, and ACLs.

Flashcards: Key VLAN Terms and Commands

Flip through these cards to reinforce core VLAN concepts and CLI syntax.

Define VLAN (use the canonical definition).
A Virtual Local Area Network (VLAN) is a logical subdivision of a Layer 2 network that groups devices into the same broadcast domain regardless of their physical location.
What is a broadcast domain in the context of VLANs?
A broadcast domain is the set of devices that receive a Layer 2 broadcast frame. Each VLAN forms its own separate broadcast domain on a switch or group of switches.
Command: Create VLAN 20 with name SALES.
From global config: `vlan 20` ` name SALES`
Command: Make Fa0/3 an access port in VLAN 10.
`interface fastethernet0/3` ` switchport mode access` ` switchport access vlan 10`
Command: Configure a voice VLAN 30 on access port Fa0/5 with data VLAN 10.
`interface fastethernet0/5` ` switchport mode access` ` switchport access vlan 10` ` switchport voice vlan 30`
Command: Configure Gi0/1 as a trunk allowing VLANs 10,20,30 with native VLAN 99.
`interface gigabitethernet0/1` ` switchport mode trunk` ` switchport trunk native vlan 99` ` switchport trunk allowed vlan 10,20,30,99`
Which command quickly shows which access ports belong to each VLAN?
`show vlan brief`
Which command shows the access VLAN and voice VLAN for a specific interface?
`show interfaces <interface-id> switchport`
Which command shows trunk interfaces, their native VLAN, and allowed VLAN list?
`show interfaces trunk`
What is the default VLAN and why is it often avoided for user traffic?
VLAN 1 is the default VLAN. It is often avoided for user traffic due to security best practices and to clearly separate management and user data.

Key Terms

VLAN
A Virtual Local Area Network (VLAN) is a logical subdivision of a Layer 2 network that groups devices into the same broadcast domain regardless of their physical location.
trunk port
A switch port that carries traffic for multiple VLANs using 802.1Q tags, typically between switches or between a switch and a router.
voice VLAN
A VLAN dedicated to IP voice traffic, configured on an access port so that an IP phone’s tagged voice frames are separated from the PC’s data VLAN.
access port
A switch port configured to carry traffic for a single data VLAN (plus optionally a separate voice VLAN) to endpoint devices.
native VLAN
On an 802.1Q trunk, the VLAN whose frames are sent untagged. All other VLANs are tagged.
default gateway
A default gateway is the IP address of a router interface on the local network segment that a host uses to send traffic destined for remote networks.
show vlan brief
Cisco IOS command that lists VLAN IDs, names, status, and access port membership.
broadcast domain
The set of devices that receive a Layer 2 broadcast frame. Each VLAN forms its own broadcast domain.
show interfaces trunk
Cisco IOS command that lists trunk interfaces, their encapsulation, native VLAN, and allowed/active VLANs.
show interfaces switchport
Cisco IOS command that displays Layer 2 characteristics of an interface, including mode (access/trunk), access VLAN, and voice VLAN.

Finished reading?

Test your understanding with a custom practice exam on this chapter.

Test yourself