19. Configuring VLANs

The document provides a comprehensive guide on creating VLANs and configuring VTP (VLAN Trunking Protocol) to manage VLANs across multiple switches. It outlines the advantages of VLANs, the process of assigning ports, and the configuration of InterVLAN routing for communication between different VLANs. Additionally, it details the steps for setting up trunk links, managing VLANs on Layer 3 switches, and verifying configurations.

Creating VLANs

Creating VLANs and VTP domains

• A VLAN is a technology used to partition a single layer 2 network
into multiple broadcast domains.
• This is done to restrict communication between devices that
share the same broadcast medium.
• However, these devices can communicate with one another
through a layer 3 device, such as a router.
• This is similar to connecting devices to different switches and
then connecting them all to a router to separate broadcast traffic.
• As more and more VLANs are created, it becomes tedious to
replicate the configuration across all switches, which is why
VTP (VLAN Trunking Protocol) was created.
Advantages of using VLANs
• Solve the broadcast problem
• Reduce the size of broadcast domains
• Allow us to add an additional layer of security
• Make device management easier
• Allow us to implement the logical grouping of
devices by function instead of location
• We'll first learn about creating a VLAN and assigning ports to it. VLAN 1 is created by
default on all switches, and all ports reside in it. This VLAN is called the
management VLAN.
• To create a VLAN, use the following command:
Sw1(config)#vlan 2
• The VLAN ID can be between 1 and 1001. The IDs 1002, 1003, 1004, and 1005 are
reserved. Once this command has been entered, you are taken to the VLAN
subconfiguration mode. This is the place where we can assign a name to the VLAN.
Sw1(config-vlan)#name finance
• Assigning a name to a VLAN is optional; by default, the name is VLAN0002. Next,
we will assign a few ports to this VLAN. To assign many ports to a single VLAN, the
range command can be used, which then selects multiple interfaces.
Sw1(config)#interface range f0/10-20
• To assign these ports to VLAN 2, use the following command:
Sw1(config-if-range)#switchport access vlan 2
Let's verify that the ports were indeed assigned to the correct VLAN.
Sw1#show vlan
Note that in the above example, some of the output has been omitted for
brevity.
We will now create a topology with three switches to demonstrate VTP. VTP has three
modes: server, client, and transparent.

• Server: This is the default mode of VTP; in this mode, switches are allowed to modify
their VLANs and send VTP advertisements.
• Client: In this mode, switches listen for VTP advertisements from other server switches.
Client switches aren't allowed to modify their VLAN database locally.
• Transparent: This mode works independently of other switches. In this mode, the
switch only forwards the VTP advertisements it receives and does not generate any,
nor does it modify its own VLANs based on the VTP advertisements.
The following topology will be used for demonstration:

In the first switch (VTP-Server), we will have four VLANs with different names. Then,
we will set all the switch-switch ports to trunking.
VTP-Server(config)#interface Fa0/1
VTP-Server(config-if)#switchport mode trunk
VTP-Transparent(config)#interface range Fa0/1-2
VTP-Transparent(config-if-range)#switchport mode trunk
VTP-Client(config)#interface Fa0/1
VTP-Client(config-if)#switchport mode trunk
• Since VTP is already in server mode, we will just change the VTP domain name and set a
password.
VTP-Server(config)#vtp domain My-Office
Changing VTP domain name from NULL to My-Office
VTP-Server(config)#vtp password s3cRet
Setting device VLAN database password to s3cRet

• Move on to the second switch (VTP-Transparent) and make it transparent.


VTP-Transparent(config)#vtp mode transparent

The final task is to move the third switch (VTP-Client) to client mode.
VTP-Client(config)#vtp mode client

You do not have to change the domain of this switch, as changing it to client will make it pick
up the domain name from the server. However, it is necessary to set the VTP password.
VTP-Client(config)#vtp password s3cRet

The configuration is done; now, use the show vlan command on the VTP-Client switch to see
the new VLANs. This example is only to demonstrate VTP. This topology won't allow normal
communication between VTP-Server and VTP-Client, as the switch in the middle (VTP-
Transparent) doesn't have any of the VLANs we configured.
InterVLAN routing with routers and layer 3 switches
• Although a VLAN is used to split the broadcast domain, it is
necessary to enable communication between two or more
VLANs at layer 3 using IP routing.
• This is called InterVLAN routing and can be configured using
both routers and layer 3 switches. This requires allocating a
different IP subnet for devices in each VLAN.
• We will configure InterVLAN routing by connecting the router
to a switch using a single link. All the traffic to other VLANs
passes through this link, to the router and back again through
this link. This method of configuration is also called
router-on-a-stick, as a single link to the router handles all traffic.
InterVLAN on a router
• We will use the following topology for
this setup:
As stated earlier, each VLAN will have IP addresses from different network ranges and
the router's interface will have three IP addresses—each belonging to a different network

After IP addresses have been assigned to all PCs, create the necessary VLANs on the
switch and assign the ports to them.
Sw1(config)#int range f0/2-3
Sw1(config-if-range)#switchport access vlan 10
Sw1(config-if-range)#int range f0/4-5
Sw1(config-if-range)#switchport access vlan 20
Sw1(config-if-range)#int range f0/6-7
Sw1(config-if-range)#switchport access vlan 30

Configure the switch port that connects to the router as a trunk link. More on this in the
Switch-to-switch trunk links section.
Sw1(config)#int f0/1
Sw1(config-if)#switchport mode trunk

Now, moving on to the router portion of the configuration, bring the interface up.
R1(config)#int f0/0
R1(config-if)#no shutdown
We will now create the subinterfaces. Each will have its own IP address in a different
network.
R1(config-if)#int f0/0.10
R1(config-subif)#encapsulation dot1Q 10
R1(config-subif)#ip address 10.10.0.1 255.255.255.0
R1(config-subif)#int f0/0.20
R1(config-subif)#encapsulation dot1Q 20
R1(config-subif)#ip address 10.20.0.1 255.255.255.0
R1(config-subif)#int f0/0.30
R1(config-subif)#encapsulation dot1Q 30
R1(config-subif)#ip address 10.30.0.1 255.255.255.0

Notice the encapsulation command here. It specifies the VLAN ID the subinterface will
handle.

That's it; now test the connectivity between hosts on different VLANs using simple PDUs
or a ping. The first packet will always time out, as it takes some time for ARP
(Address Resolution Protocol) to complete.
Try using tracert to see the path the packet takes.
InterVLAN on a layer 3 switch
• The only layer 3 switch present on
Packet Tracer is 3560-24PS. We will use
the same topology by replacing only the
router with the layer 3 switch, as shown
in the following screenshot:
Creation and configuration of VLANs is the same on the layer 2 switch, hence it won't be
repeated here. So, we'll move to the layer 3 switch straightaway.

Since the switch-switch link on the layer 2 switch was set to trunking mode with the
switchport mode trunk command, the same port on the layer 3 switch will also be in trunking
mode. This can be verified as follows:
MSw1#sh interface trunk

The trunking status indicates this.


We will configure what is called SVI (Switch Virtual Interface), which will act as layer 3
interfaces for each VLAN.
MSw1(config)#int vlan 10
MSw1(config-if)#ip add 10.10.0.1 255.255.255.0
MSw1(config-if)#int vlan 20
MSw1(config-if)#ip add 10.20.0.1 255.255.255.0
MSw1(config-if)#int vlan 30
MSw1(config-if)#ip add 10.30.0.1 255.255.255.0

These interfaces will stay down, as this layer 3 switch doesn't have VLANs 10, 20, and 30. So
we'll create them as follows:
MSw1(config)#vlan 10
MSw1(config-vlan)#vlan 20
MSw1(config-vlan)#vlan 30

As each command is entered, the associated SVI will come up. IP Routing has to be enabled.
MSw1(config)#ip routing

Use the simple PDU tool to test the connectivity


Switch-to-switch trunk links
• When two switches are connected together, there must be a
mechanism to identify the VLAN a frame belongs to.
• We aren't talking about the physical layer but about the data link
layer. When two switches are connected together, each one needs
to know which VLAN the traffic is destined for.
• This is where VLAN tagging comes in; when a frame moves
over a switch-to-switch link, the source switch tags the frame
with the VLAN ID, and this switch-to-switch link is known as a
trunk.
• Following is a screenshot of an inbound and an outbound PDU,
captured in simulation mode, when a PC in VLAN 10 pinged a
PC in VLAN 30:
Notice the TCI (Tag Control Information) field, which contains a hexadecimal
value; it denotes the VLAN ID. The inbound PDU has 0xa, meaning the frame's
source is in VLAN 10, and the outbound PDU has 0x1e, meaning its destination
is in VLAN 30.
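The tag described above, decoded in Python as an added example (not part of the original slides). It goes one step beyond the screenshot: the 16-bit TCI holds a 3-bit priority (PCP), a 1-bit DEI and the 12-bit VLAN ID, so the raw TCI equals the VLAN ID only while the priority bits are zero. The MAC addresses and frames are constructed samples, and the helper names are hypothetical.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def build_frame(dst, src, ethertype, payload=b"", tci=None):
    """Build a constructed Ethernet frame, tagged when tci is given."""
    header = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if tci is not None:
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload

def parse_dot1q(frame):
    """Return the tag fields of a frame; vid is None when it is untagged."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return {"tagged": False, "pcp": None, "dei": None, "vid": None,
                "ethertype": ethertype}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return {"tagged": True, "pcp": tci >> 13, "dei": (tci >> 12) & 1,
            "vid": tci & 0x0FFF, "ethertype": inner}

def effective_vlan(frame, native_vlan):
    """VLAN a trunk port places the frame in. Untagged frames and
    priority-tagged frames (VID 0) fall into the native VLAN."""
    vid = parse_dot1q(frame)["vid"]
    return native_vlan if vid in (None, 0) else vid

# Constructed samples; the MAC addresses are made up.
PC_A, PC_B = "00:00:5e:00:53:01", "00:00:5e:00:53:02"
INBOUND = build_frame(PC_B, PC_A, 0x0800, tci=0x000A)        # TCI 0xa  -> VLAN 10
OUTBOUND = build_frame(PC_B, PC_A, 0x0800, tci=0x001E)       # TCI 0x1e -> VLAN 30
VOICE = build_frame(PC_B, PC_A, 0x0800, tci=(5 << 13) | 60)  # CoS 5 on VLAN 60
UNTAGGED = build_frame(PC_B, PC_A, 0x0800)                   # no tag at all

if __name__ == "__main__":
    samples = [("inbound", INBOUND), ("outbound", OUTBOUND),
               ("voice", VOICE), ("untagged", UNTAGGED)]
    for name, frame in samples:
        print(name, parse_dot1q(frame), effective_vlan(frame, native_vlan=99))
```

The voice sample has a TCI of 0xa03c, yet its VLAN ID is still 60, which is why the lower 12 bits are masked out rather than reading the whole field.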
Analyzing broadcasts in the simulation mode
• The concept of a VLAN is to split the broadcast domain, so in this
section we will see how broadcasts are handled in a VLAN
environment using the simulation mode.
• Use the same InterVLAN topology we used previously. From
PC0, ping 255.255.255.255; this sets the destination MAC
address to FFFF.FFFF.FFFF, which is the layer 2 broadcast
address.
• Switch to the simulation mode and see what happens. The switch
receives an ICMP packet from PC0 and sends out two copies of
it: one to the router and another to PC1. If this network weren't
divided into VLANs, the ICMP packet would've been sent to each
and every PC connected to the switch.
Configuration
1- Create Vlan 10,20,30 on Switch 1
Switch(config)#vlan 10
Switch(config-vlan)#name student
Switch(config-vlan)#vlan 20
Switch(config-vlan)#name faculty
Switch(config-vlan)#vlan 30
Switch(config-vlan)#name guest
2- Repeat step 1 on S2 and S3
3- Configure trunk on S1 port 23 and 24
Switch(config)#interface range fa0/23 - 24
Switch(config-if-range)#switchport mode trunk
4- Configure port assignment on S2 for VLANs 10, 20 and 30 on ports 1-5, 6-10 and 11-15 respectively
Switch(config)#interface range fa0/1 - 5
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 10
Switch(config)#interface range fa0/6 - 10
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 20
Switch(config)#interface range fa0/11 - 15
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 30
5- Repeat step 4 on S3
6- Assign IP addresses to the hosts: for VLAN 10 use the 192.168.10.0 network, for VLAN 20 use
192.168.20.0, and for VLAN 30 use the 192.168.30.0 network
interface vlan 1
ip address 192.168.10.1 255.255.255.0
7- For Verification
I) Switch#show vlan brief
II) Switch#show interface trunk
III)Switch#show interfaces fa0/1 switchport
IV) Switch#show running-config
8- Change the native VLAN
First create VLAN 50 and name it native on all 3 switches as in step 1,
then change the native VLAN on each switch's trunk ports, for example on S1:
Switch(config)#interface range fa0/23 - 24
Switch(config-if-range)#switchport trunk native vlan 50
Repeat this step on the trunk ports of S2 and S3.
9- Allow all VLANs on the trunk except VLAN 30 on S2
Switch(config-if)#switchport trunk allowed vlan ?

Switch(config-if)#switchport trunk allowed vlan except 30


Then check the status of the trunk.
10- Create VLAN 60 named voice on switch 3 as in step 1,
then assign port 16 to the voice VLAN and to VLAN 10
Switch(config)#int fa0/16
! trust CoS markings so that voice traffic is prioritized
Switch(config-if)#mls qos trust cos
Switch(config-if)#switchport voice vlan 60
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 10
Then set an IP address from the 10 network on the PC and test communication with VLAN 10.
Configuring VLANs and Trunks

Learning Objectives
• View the default VLAN configuration.
• Configure VLANs.
• Assign VLANs to ports.
• Configure trunking.
Introduction
VLANs are helpful in the administration
of logical groups, allowing members of a
group to be easily moved, changed, or
added. This activity focuses on creating
and naming VLANs, assigning access
ports to specific VLANs, changing the
native VLAN, and configuring trunk
links.
Task 1: View the Default VLAN Configuration
Step 1. Verify the current running configuration on the switches.
On all three switches, enter user EXEC mode with the
password cisco. Then enter privileged EXEC mode with
the password class.
From privileged EXEC mode on all three switches,
issue the show running-config command to verify the
current running configuration. The basic configurations
are already set, but there are no VLAN assignments.
Step 2. Display the current VLANs.
On S1, issue the show vlan command. The only VLANs present are
the default ones. By default, all interfaces are assigned to VLAN 1.
Step 3. Verify connectivity between PCs on the same network.
Notice that each PC can ping the other PC that shares the same
network:
• PC1 can ping PC4
• PC2 can ping PC5
• PC3 can ping PC6
Pings to PCs in other networks fail.
What benefit will configuring VLANs provide to the current
configuration?
Task 2: Configure VLANs
Step 1. Create VLANs on S1.
The command vlan vlan-id creates a VLAN. Use the name vlan-name command to name a
VLAN.
On S1, create four VLANs using the vlan-ids and the names shown below:
S1(config)#vlan 10
S1(config-vlan)#name Faculty/Staff
S1(config-vlan)#vlan 20
S1(config-vlan)#name Students
S1(config-vlan)#vlan 30
S1(config-vlan)#name Guest(Default)
S1(config-vlan)#vlan 99
S1(config-vlan)#name Management&Native
Step 2. Verify the VLAN configuration.
After creating the VLANs, return to privileged EXEC and issue the show vlan brief command
to verify the creation of the new VLANs.
S1#show vlan brief
Step 3. Create the VLANs on S2 and S3.
On S2 and S3, use the same commands you used on S1 to create and name the VLANs.
Step 4. Verify the VLAN configuration.
Use the show vlan brief command to verify all VLANs are configured and named.
Step 5. Check results.
Your completion percentage should be 38%. If not, click Check Results to see which required
components are not yet completed.
Task 3: Assign VLANs to Ports
The range command greatly reduces the amount of repetitive commands you must enter when
configuring the same commands on multiple ports. However, Packet Tracer does not support the
range command. So only the active interfaces are graded for the switchport mode access command.
Step 1. Assign VLANs to the active ports on S2.
The switchport mode access command configures the interface as an access port. The switchport
access vlan vlan-id command assigns a VLAN to the port. An access port can only be assigned one
access VLAN. Enter the following commands on S2.
S2(config)#interface fastEthernet 0/6
S2(config-if)#switchport mode access
S2(config-if)#switchport access vlan 30
S2(config-if)#interface fastEthernet 0/11
S2(config-if)#switchport mode access
S2(config-if)#switchport access vlan 10
S2(config-if)#interface fastEthernet 0/18
S2(config-if)#switchport mode access
S2(config-if)#switchport access vlan 20
Step 2. Assign VLANs to the active ports on S3.
Assign VLANs to the active ports on S3. S3 uses the same VLAN access port assignments
that you configured on S2.
Step 3. Verify loss of connectivity.
Previously, PCs that shared the same network could ping each other successfully. Try
pinging between PC1 and PC4. Although the access ports are assigned to the appropriate
VLANs, the ping fails. Why?
Step 4. Check results.
Your completion percentage should be 75%. If not, click Check Results to see which
required components are not yet completed.
Task 4: Configure Trunking
Step 1. Configure S1 Fa0/1 and Fa0/3 for trunking and to use VLAN 99 as the native
VLAN.
S1(config)#interface FastEthernet 0/1
S1(config-if)#switchport mode trunk
S1(config-if)#switchport trunk native vlan 99
S1(config-if)#interface FastEthernet 0/3
S1(config-if)#switchport mode trunk
S1(config-if)#switchport trunk native vlan 99
The trunk port takes about a minute to become active again. You can switch between
Realtime and Simulation modes three or four times to quickly bring the port back up.
Then, the ports on S2 and S3 that connect to S1 become inactive. Again, switch between
Realtime and Simulation modes three or four times to quickly bring the ports back up.
Once the ports become active, you periodically receive the following syslog messages:
You configured the native VLAN on S1 to be VLAN 99. However, the native VLAN on S2 and S3
is set to the default VLAN 1.
Step 2. Verify connectivity between devices on the same VLAN.
Although there is currently a native VLAN mismatch, pings between PCs on the same VLAN are
now successful. Why?
Step 3. Verify trunking is enabled on S2 and configure VLAN 99 as the native VLAN.
Dynamic Trunking Protocol (DTP) has automatically enabled the Fast Ethernet 0/1 port on S2 for
trunking. Once you configured the mode to trunking on S1, DTP messages sent from S1 to S2
automatically informed S2 to move the state of Fa0/1 to trunking. This can be verified with the
following command on S2:
S2#show interface fastEthernet 0/1 switchport
Notice that the administrative mode is set to dynamic auto. This is the default state of all ports on
a Cisco IOS switch. However, DTP has negotiated trunking, so the operation mode is trunk,
resulting in a native VLAN mismatch.
As a best practice, configure the administrative mode of the trunking interface to be in trunk mode.
This ensures that the interface is statically configured as a trunk port and never negotiates a
different mode.
S2(config)#interface FastEthernet 0/1
S2(config-if)#switchport mode trunk
To correct the native VLAN mismatch, configure the trunking port with the switchport trunk
native vlan 99 command.
S2(config-if)#switchport trunk native vlan 99
Step 4. Verify trunking is enabled on S3 and configure VLAN 99 as the native VLAN.
DTP has also successfully negotiated a trunk between S1 and S3.
S3#show interfaces fastEthernet 0/3 switchport
Configure the administrative mode of the trunking interface to be in trunk mode, and
correct the native VLAN mismatch with the switchport trunk native vlan 99
command.
Step 5. Check results.
Your completion percentage should be 100%. If not, click Check Results to see
which required components are not yet completed.
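The two trunk checks this task walks through (trunk mode set statically instead of negotiated by DTP, and the same native VLAN on both ends of a link), written as an added Python audit that is not part of the original activity. The running-config excerpts are constructed to reflect the state after Step 1, and the pairing of link endpoints (S1 Fa0/1 to S2 Fa0/1, S1 Fa0/3 to S3 Fa0/3) is an assumption based on the ports named in the steps.

```python
import re

# Constructed running-config excerpts: state after Task 4 Step 1
# (S1 configured by hand, S2 and S3 still on their defaults).
CONFIGS = {
    "S1": """\
interface FastEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 99
!
interface FastEthernet0/3
 switchport mode trunk
 switchport trunk native vlan 99
!
""",
    "S2": "interface FastEthernet0/1\n!\n",
    "S3": "interface FastEthernet0/3\n!\n",
}
# Assumed inter-switch links: (switch, port, switch, port).
LINKS = [("S1", "FastEthernet0/1", "S2", "FastEthernet0/1"),
         ("S1", "FastEthernet0/3", "S3", "FastEthernet0/3")]

def parse_interfaces(config):
    """Map interface name -> administrative mode and native VLAN."""
    ports, cur = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            # Defaults named on the page: dynamic auto, native VLAN 1.
            cur = ports.setdefault(m.group(1),
                                   {"mode": "dynamic auto", "native": 1})
        elif not line.startswith(" "):
            cur = None  # "!" or another top-level section ends the block
        elif cur is not None:
            m = re.match(r" switchport mode (.+)", line)
            if m:
                cur["mode"] = m.group(1).strip()
            m = re.match(r" switchport trunk native vlan (\d+)", line)
            if m:
                cur["native"] = int(m.group(1))
    return ports

def audit(configs, links):
    """Return sorted findings for every inter-switch link."""
    parsed = {name: parse_interfaces(text) for name, text in configs.items()}
    findings = []
    for sw_a, if_a, sw_b, if_b in links:
        a, b = parsed[sw_a][if_a], parsed[sw_b][if_b]
        for sw, port, cfg in ((sw_a, if_a, a), (sw_b, if_b, b)):
            if cfg["mode"] != "trunk":
                findings.append(f"{sw} {port}: mode '{cfg['mode']}', "
                                "trunk not statically set")
        if a["native"] != b["native"]:
            findings.append(f"{sw_a} {if_a} native {a['native']} != "
                            f"{sw_b} {if_b} native {b['native']}")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(CONFIGS, LINKS):
        print(finding)
```

Against the constructed configs it reports four findings; once S2 and S3 carry the Step 3 and Step 4 commands, the list is empty.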
Configuring VLANs
Addressing Table

Objectives
Part 1: Verify the Default VLAN
Configuration
Part 2: Configure VLANs
Part 3: Assign VLANs to Ports
Background
VLANs are helpful in the administration of logical groups, allowing members of a group
to be easily moved, changed, or added. This activity focuses on creating and naming
VLANs, and assigning access ports to specific VLANs.
Part 1: View the Default VLAN Configuration
Step 1: Display the current VLANs.

On S1, issue the command that displays all VLANs configured. By default, all interfaces
are assigned to VLAN 1.

Step 2: Verify connectivity between PCs on the same network.


Notice that each PC can ping the other PC that shares the same network.
• PC1 can ping PC4
• PC2 can ping PC5
• PC3 can ping PC6

Pings to PCs in other networks fail.


What benefit will configuring VLANs provide to the current configuration?
Part 2: Configure VLANs
Step 1: Create and name VLANs on S1.

Create the following VLANs. Names are case-sensitive:


• VLAN 10: Faculty/Staff
• VLAN 20: Students
• VLAN 30: Guest(Default)
• VLAN 99: Management&Native
Step 2: Verify the VLAN configuration.

Which command will only display the VLAN name, status, and associated ports on a
switch?

Step 3: Create the VLANs on S2 and S3.


Using the same commands from Step 1, create and name the same VLANs on S2 and S3.
Step 4: Verify the VLAN configuration.

Part 3: Assign VLANs to Ports


Step 1: Assign VLANs to the active ports on S2.

Assign the VLANs to the following ports:


• VLAN 10: Fast Ethernet 0/11
• VLAN 20: Fast Ethernet 0/18
• VLAN 30: Fast Ethernet 0/6
Step 2: Assign VLANs to the active ports on S3.
S3 uses the same VLAN access port assignments as S2.
Step 3: Verify loss of connectivity.

Previously, PCs that shared the same network could ping each other successfully. Try pinging
between PC1 and PC4. Although the access ports are assigned to the appropriate VLANs,
were the pings successful? Why?
