VLAN Concepts and Configuration

In modern networking, simply connecting all devices to the same set of switches leads to inefficient and insecure networks. Virtual LANs (VLANs) solve this by allowing you to logically segment a physical network into multiple independent broadcast domains, improving performance, enhancing security, and simplifying management. For any network professional, especially those pursuing the CCNA certification, mastering VLANs is a foundational skill that forms the basis for more advanced switching and routing concepts.

Understanding VLAN Fundamentals

A Virtual LAN (VLAN) is a logical grouping of network devices that communicate as if they were on the same physical network segment, regardless of their actual physical location. The primary benefit is the segmentation of a broadcast domain, which is the network area where a broadcast frame is forwarded. In a flat network (a single VLAN), a broadcast from one device reaches all devices, consuming bandwidth and processing power on every endpoint. By creating multiple VLANs, you contain broadcast traffic within a smaller logical group, leading to better performance and security.

Each VLAN is essentially an independent logical switch within a single physical switch. Devices in one VLAN cannot communicate with devices in another VLAN without a router or Layer 3 switch to route traffic between them. This isolation is a powerful security tool; for instance, you can place guest devices in one VLAN and corporate finance servers in another, preventing unauthorized access. VLANs are identified by a number, with a valid range typically from 1 to 4094 on standard switches.

Configuring VLANs on Cisco Switches

VLAN configuration on Cisco switches is performed in Global Configuration mode. The first step is to create the VLAN itself. While you can create multiple VLANs at once, the recommended practice is to create them individually and assign a descriptive name.

Switch> enable
Switch# configure terminal
Switch(config)# vlan 10
Switch(config-vlan)# name ENGINEERING
Switch(config-vlan)# exit
Switch(config)# vlan 20
Switch(config-vlan)# name SALES

After creating the VLANs, you must assign switch ports to them. By default, all ports belong to VLAN 1. Access ports are used for connections to end devices like computers, printers, or access points. The configuration involves setting the port to access mode and then assigning it to a specific VLAN.

Switch(config)# interface gigabitethernet 0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# no shutdown

This commands sequence configures interface GigabitEthernet 0/1 as an access port and places it in VLAN 10 (ENGINEERING). Any device connected to this port will now be part of that VLAN's broadcast domain.

Trunking and the Native VLAN

While access ports handle traffic for a single VLAN, connections between switches or to a router must carry traffic for multiple VLANs. This is achieved using a trunk port. A trunk uses a process called tagging to identify which VLAN each frame belongs to by adding a small header (an 802.1Q tag) to the Ethernet frame. This allows the receiving switch to understand which VLAN the frame is destined for.

Configuring a trunk port is straightforward:

Switch(config)# interface gigabitethernet 0/24
Switch(config-if)# switchport mode trunk

A critical concept on trunk ports is the native VLAN. The native VLAN is the one VLAN on a trunk whose traffic is not tagged. By default, this is VLAN 1. This exists for compatibility with older devices that don't understand 802.1Q tags. It is a major security best practice to change the native VLAN to an unused VLAN number on all trunks.

Switch(config-if)# switchport trunk native vlan 999

Failing to change the native VLAN from the default can lead to security vulnerabilities like VLAN hopping attacks, where an attacker might attempt to send crafted traffic tagged with the native VLAN ID.

Specialized VLANs: Default and Voice VLAN

Cisco switches come with several pre-configured VLANs. The default VLAN is VLAN 1. All switch ports are in VLAN 1 initially, and it is used for default switch management traffic. It is considered a security best practice not to use VLAN 1 for user or device traffic and to avoid placing any access ports in it. Treat VLAN 1 as a management-only backbone.

Another specialized type is the voice VLAN, designed specifically for IP telephony deployments. It allows an access port to belong to two VLANs simultaneously: one for data (from a computer) and one for voice (from an IP phone). The switch uses Cisco Discovery Protocol (CDP) or Link Layer Discovery Protocol (LLDP) to inform the IP phone of its voice VLAN. This configuration provides quality of service (QoS) priority to voice traffic while keeping data traffic separate.

Switch(config)# interface gigabitethernet 0/5
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10   # Data VLAN
Switch(config-if)# switchport voice vlan 110   # Voice VLAN

Verifying and Troubleshooting VLAN Configuration

After configuration, verification is essential. Key commands include show vlan brief, which provides a concise overview of all VLANs and their assigned ports. The show interfaces trunk command is vital for verifying trunk status, the VLANs allowed across the trunk, and confirming the native VLAN setting.

For a detailed look at a specific interface's VLAN configuration, use show interfaces [interface-id] switchport. This command outputs a wealth of information, including the operational mode (access/trunk), access VLAN, voice VLAN, native VLAN, and the list of VLANs allowed on a trunk.

Common issues include a port being in the wrong mode (e.g., an access port when a trunk is needed), a mismatch in the allowed VLAN list or native VLAN on two ends of a trunk, and simple typos in the VLAN assignment. Always verify configurations from both ends of a link.

Common Pitfalls

1. Leaving the Native VLAN as Default: Using VLAN 1 as the native VLAN on trunks is a significant security risk. Attackers can potentially craft frames to hop VLANs. Correction: Always explicitly configure an unused VLAN (e.g., VLAN 999) as the native VLAN on both ends of every trunk link.

1. VLAN Mismatch on Trunk Ends: If the native VLAN is not identical on both sides of a trunk, or if the set of allowed VLANs is not aligned, it will cause Layer 2 issues. Traffic for the mismatched native VLAN will leak between VLANs. Correction: Use show interfaces trunk to verify consistency between connected switches and ensure configurations match.

1. Forgetting to Configure Both Ends of a Link: Configuring one switch port as a trunk is useless if the device on the other end is set to access mode or is not configured at all. Correction: Remember that network connectivity is a two-way street. Always configure the corresponding port on the neighboring switch appropriately—as a trunk to another switch or as an access port to an end device.

1. Using VLAN 1 for User Traffic: VLAN 1 is the default for control protocols. Placing user traffic here exposes it to unnecessary broadcast traffic and potential attacks targeting the management plane. Correction: Create new VLANs for all user, server, and device traffic. Use VLAN 1 only for its default switch management purposes, or better yet, move management to a dedicated VLAN.

Summary

• VLANs logically segment a physical network into multiple broadcast domains, improving performance, security, and manageability by containing broadcast traffic.
• Basic configuration involves creating VLANs in global configuration mode and assigning access ports to them using the switchport access vlan command.
• Trunk ports (using 802.1Q tagging) carry traffic for multiple VLANs between switches. The native VLAN on a trunk is untagged and must be set consistently on both ends to prevent security and connectivity problems.
• Special VLAN types include the default VLAN 1 (best reserved for management) and the voice VLAN, which allows an access port to support both a data device and an IP phone with QoS priority for voice.
• Consistent verification using commands like show vlan brief and show interfaces trunk is critical for successful implementation and troubleshooting.