Back to 2.0 Network Access

2.1 Virtual LANs (VLANs)

Logically segmenting physical switches to isolate broadcast domains. Master 802.1Q trunking, port assignments, and Layer 2 security best practices.

Core Explanations

What is a VLAN?

A VLAN logically segments a physical switch into multiple, isolated virtual switches. Devices in different VLANs cannot communicate with each other without a Layer 3 device routing the traffic. This isolates broadcast domains, improves security, and reduces unnecessary network traffic.

802.1Q & Trunking

When sending traffic across multiple switches, the switch inserts a 4-byte 802.1Q Tag into the Ethernet frame so the receiving switch knows which VLAN the packet belongs to. Untagged traffic on a trunk link falls into the 'Native VLAN' (defaults to VLAN 1).

IOS Command Reference

Creating & Naming a VLAN

SW1(config)# vlan 10
SW1(config-vlan)# name DMZ_SERVICES
SW1(config-vlan)# exit

Configuring a Trunk Port

SW1(config)# interface g0/24
! Required on older Layer 3 switches
SW1(config-if)# switchport trunk encapsulation dot1q
SW1(config-if)# switchport mode trunk
SW1(config-if)# switchport trunk allowed vlan 10,20,99

Assigning an Access Port (Connecting End Devices)

SW1(config)# interface g0/1
! Force the port into access mode (disables DTP)
SW1(config-if)# switchport mode access
! Assign the port to the specific VLAN
SW1(config-if)# switchport access vlan 10
! Security/Optimization best practice for PC/Server ports
SW1(config-if)# spanning-tree portfast

Enterprise Best Practices

Never Use VLAN 1

VLAN 1 is the default for all ports and management traffic. Hackers know this. Immediately move all active ports to custom VLANs and assign your management interface (SVI) to a dedicated management VLAN (e.g., VLAN 99).

Disable DTP

Never leave a switchport in 'dynamic auto' or 'dynamic desirable'. A malicious user can plug in a laptop running spoofing software to negotiate a trunk link and gain access to all VLANs. Always hardcode ports.

Park Unused Ports

Any physical port not currently patched to a device should be placed in an isolated 'black hole' VLAN (e.g., VLAN 999) and administratively shut down using the shutdown command.