🎯 Lab Objectives

  • Create and name VLANs on Cisco switches
  • Assign switch ports to VLANs as access ports
  • Configure trunk ports using 802.1Q encapsulation
  • Set native VLAN and allowed VLAN list on trunks
  • Enable inter-VLAN routing using Router-on-a-Stick
  • Configure SVIs on a Layer 3 switch for inter-VLAN routing

VLAN Theory

A VLAN (Virtual LAN) is a logical grouping of switch ports that forms its own broadcast domain. Devices in different VLANs cannot communicate at Layer 2; a router or Layer 3 switch is needed to route between them (inter-VLAN routing).

Trunks carry multiple VLANs between switches and to routers using 802.1Q tagging: a 4-byte tag inserted into the Ethernet header that identifies which VLAN each frame belongs to. Frames of the trunk's native VLAN are the exception and cross the trunk untagged.
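To make the tag format concrete, here is an added Python example (not part of the original lab) that parses the 802.1Q tags in a raw Ethernet frame and works out which VLAN a trunk port would assign to it, covering untagged frames (native VLAN), priority-tagged frames and stacked tags. The MAC addresses and frames it builds are constructed samples.

```python
import struct

TPID_8021Q = 0x8100    # standard 802.1Q customer tag
TPID_8021AD = 0x88A8   # 802.1ad service tag (outer tag of a stacked/QinQ frame)

def parse_vlan_tags(frame: bytes) -> dict:
    """Parse the Ethernet header and every VLAN tag stacked after the source MAC.

    Each 4-byte tag is TPID (2 bytes) + TCI (2 bytes); the TCI packs
    PCP (3 bits), DEI (1 bit) and the 12-bit VLAN ID. Tags are returned
    outermost first, with the EtherType and payload that follow the last tag.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    offset, tags = 12, []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame: EtherType missing")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break
        if offset + 4 > len(frame):
            raise ValueError("truncated frame: VLAN TCI missing")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({"tpid": ethertype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
    return {"dst": dst, "src": src, "tags": tags,
            "ethertype": ethertype, "payload": frame[offset + 2:]}

def vlan_on_trunk(frame: bytes, native_vlan: int) -> int:
    """VLAN a trunk port assigns to a received frame: untagged and
    priority-tagged (VID 0) frames belong to the native VLAN, which is why it
    must match on both ends; otherwise the outermost tag decides."""
    tags = parse_vlan_tags(frame)["tags"]
    if not tags or tags[0]["vid"] == 0:
        return native_vlan
    return tags[0]["vid"]

def build_frame(vids, ethertype=0x0800, payload=b"\x45" + b"\x00" * 19) -> bytes:
    """Constructed sample frame: locally administered MACs, one 802.1Q tag per
    VID in vids (outermost first), then the EtherType and a dummy payload."""
    frame = bytes.fromhex("0200000000aa") + bytes.fromhex("0200000000bb")
    for vid in vids:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload
```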

Step 1 — Create VLANs

# On Cisco switch
Switch> enable
Switch# configure terminal

# Create VLANs
vlan 10
 name SALES
vlan 20
 name IT
vlan 30
 name MANAGEMENT
vlan 99
 name NATIVE
vlan 999
 name UNUSED

# Verify VLANs were created
show vlan brief

Step 2 — Access Port Configuration

# Assign a single port to a VLAN (PC connection)
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 no shutdown

interface FastEthernet0/2
 switchport mode access
 switchport access vlan 20
 no shutdown

# Configure a range of ports at once
interface range FastEthernet0/3-10
 switchport mode access
 switchport access vlan 10
 no shutdown

Step 3 — Trunk Port Configuration

# Uplink to router or another switch (carries all VLANs)
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q   # only on switches that also support ISL; not accepted on access-layer models that are dot1q-only
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,99
 no shutdown

# Add a VLAN to existing trunk allowed list
 switchport trunk allowed vlan add 40

# Remove a VLAN from trunk
 switchport trunk allowed vlan remove 30

Step 4 — Native VLAN

⚠️ The native VLAN is carried untagged on a trunk, so it must be the same on both ends; a mismatch triggers a native VLAN mismatch warning from CDP and STP and can leak traffic between the two VLANs. Change the native VLAN away from VLAN 1 (the default) as a security best practice to prevent VLAN hopping.
# Set native VLAN to VLAN 99 (must match on both ends!)
interface GigabitEthernet0/1
 switchport trunk native vlan 99

# Verify trunk config
show interfaces trunk

# Shut down the VLAN 1 SVI so it is not used for management (VLAN 1 itself cannot be deleted)
interface vlan 1
 shutdown

Step 5 — Verify VLANs

# Show all VLANs and assigned ports
show vlan brief

# Show trunk ports
show interfaces trunk

# Show specific interface switchport config
show interfaces FastEthernet0/1 switchport

# Show MAC addresses learned in VLAN 10 (which ports carry hosts in that VLAN)
show mac address-table vlan 10

Step 6 — Router-on-a-Stick (Inter-VLAN Routing)

Router-on-a-Stick uses one physical router interface with one 802.1Q sub-interface per VLAN. The trunk carries all VLAN traffic to the router, which routes between the VLANs and sends the frames back over the same trunk.

# On the switch: trunk port toward router
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30

# On the router: sub-interfaces
interface GigabitEthernet0/0
 no ip address
 no shutdown

interface GigabitEthernet0/0.10
 encapsulation dot1q 10
 ip address 192.168.10.1 255.255.255.0

interface GigabitEthernet0/0.20
 encapsulation dot1q 20
 ip address 192.168.20.1 255.255.255.0

interface GigabitEthernet0/0.30
 encapsulation dot1q 30
 ip address 192.168.30.1 255.255.255.0

# Hosts in VLAN 10 use 192.168.10.1 as default gateway
# Hosts in VLAN 20 use 192.168.20.1 as default gateway

Step 7 — Layer 3 Switch (SVIs)

A Layer 3 switch has built-in routing. SVIs (Switched Virtual Interfaces) are virtual Layer 3 interfaces, one per VLAN, that serve as the VLANs' default gateways, so no external router is needed.

# Enable IP routing on L3 switch
ip routing

# Create SVI for each VLAN
interface vlan 10
 ip address 192.168.10.1 255.255.255.0
 no shutdown

interface vlan 20
 ip address 192.168.20.1 255.255.255.0
 no shutdown

interface vlan 30
 ip address 192.168.30.1 255.255.255.0
 no shutdown

# Verify SVIs
show ip interface brief | include Vlan

Step 8 — Voice VLANs

# Port with both data and voice VLAN (IP phone + PC); the voice VLAN must exist first
vlan 50
 name VOICE
interface FastEthernet0/5
 switchport mode access
 switchport access vlan 10      # data VLAN for PC (untagged)
 switchport voice vlan 50       # voice VLAN for IP phone (phone tags its own frames)
 spanning-tree portfast         # host-facing port: skip STP listening/learning

Step 9 — Security & Trunk Pruning

# VLAN Pruning — only allow needed VLANs on each trunk
# (reduces broadcast traffic on trunks and limits which VLANs a compromised link can reach)
interface GigabitEthernet0/1
 switchport trunk allowed vlan 10,20   # only what's needed

# Disable DTP (Dynamic Trunking Protocol) — prevent VLAN hopping via negotiated trunks
interface FastEthernet0/1
 switchport mode access
 switchport nonegotiate   # disable DTP

# Shutdown unused ports and assign to unused VLAN
interface range FastEthernet0/20-24
 switchport mode access
 switchport access vlan 999
 shutdown
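As an added example that is not part of the original lab, the following Python script checks a saved running-config for the hardening this step and Step 4 describe: ports left in the default DTP mode, trunks whose native VLAN is still 1 or that allow every VLAN, access ports in VLAN 1, and access ports without switchport nonegotiate. The configuration it audits is a constructed sample, not output from a real switch.

```python
import re
# Constructed sample running-config (not captured from a real device): ports
# hardened as in Steps 4 and 9 beside ports left at their switch defaults.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface FastEthernet0/2
 switchport access vlan 1
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,99
 switchport trunk native vlan 99
!
interface GigabitEthernet0/2
 switchport mode trunk
!
"""

def parse_interfaces(config: str) -> dict:
    """Map each 'interface X' stanza to its indented lines ('!' ends a stanza)."""
    return {name: [l.strip() for l in body.splitlines()] for name, body in
            re.findall(r"^interface (\S+)\n((?: .*\n)*)", config, re.M)}

def audit_vlan_hardening(config: str) -> dict:
    """Return {interface: [findings]} for the VLAN-hopping defences of Steps 4 and 9."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        def setting(prefix, default):  # argument of the first line with this prefix
            return next((l[len(prefix):] for l in lines if l.startswith(prefix)), default)
        issues, mode = [], setting("switchport mode ", "dynamic (default)")
        if mode not in ("access", "trunk"):
            issues.append(f"mode is {mode}: DTP can negotiate a trunk")
        if mode == "trunk":
            if setting("switchport trunk native vlan ", "1") == "1":
                issues.append("native VLAN is 1")
            if setting("switchport trunk allowed vlan ", None) is None:
                issues.append("trunk allows all VLANs")
        else:
            if setting("switchport access vlan ", "1") == "1":
                issues.append("access VLAN is 1")
            if mode == "access" and "switchport nonegotiate" not in lines:
                issues.append("DTP not disabled (switchport nonegotiate)")
        if issues:
            findings[name] = issues
    return findings
```

Feed it the text of show running-config saved to a file; interfaces that follow Steps 4 and 9 produce no entry.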

📋 VLAN Command Reference

Command                                  Purpose
vlan 10 / name SALES                     Create VLAN with name
switchport mode access                   Set port as access port
switchport access vlan 10                Assign port to VLAN 10
switchport mode trunk                    Set port as trunk
switchport trunk allowed vlan 10,20      Restrict allowed VLANs on trunk
switchport trunk native vlan 99          Set native VLAN
show vlan brief                          List all VLANs and ports
show interfaces trunk                    View trunk port details
ip routing                               Enable routing on L3 switch
interface vlan 10 / ip address           Create SVI
✅ Lab Complete! You can now design, configure, and secure VLAN infrastructure. Practice building a full switched network in Packet Tracer with multiple switches and VLANs.