What is a VLAN?
Logical segmentation of a physical switch
VLANs group switch ports into separate logical networks. Devices in different VLANs cannot communicate without a Layer 3 device — even on the same physical switch.
Benefits: Security isolation · Reduced broadcast domains · Traffic segmentation · Simplified management
10
Sales
Fa0/1–Fa0/8
20
HR
Fa0/9–Fa0/16
30
Eng
Fa0/17–22
99
Mgmt
SVI only
Default VLANVLAN 1 (all ports default)
Native VLANVLAN 1 — untagged on trunk
Voice VLANSeparate VLAN for IP phones
Max VLANs4096 (12-bit VLAN ID)
802.1Q Trunking
Carrying multiple VLANs over one link
A trunk port carries traffic for multiple VLANs by inserting a 4-byte 802.1Q tag into each Ethernet frame to identify its VLAN.
802.1Q Frame Structure
DST MAC
6B
SRC MAC
6B
802.1Q TAG ★
4B
EtherType
2B
Payload
46–1500B
FCS
4B
Tag contains: TPID (0x8100) + PCP (3b) + DEI (1b) + VLAN ID (12 bits → 0–4095)
Native VLAN framesSent UNTAGGED on trunk
All other VLAN framesSent TAGGED
DTP dynamic autoPassive — responds only
DTP dynamic desirableActive — initiates trunk
Security: Change native VLAN from VLAN 1 to prevent VLAN hopping attacks.
Inter-VLAN Routing Methods
Three ways to route between VLANs
METHOD 1 — Legacy
Separate Router Interfaces
One physical router port per VLAN. Doesn't scale — rarely used.
METHOD 2 — ROAS ★ Common in NetAcad labs
Router-on-a-Stick
One trunk link to router. Router subinterfaces per VLAN with
encapsulation dot1Q.METHOD 3 — Enterprise Best Practice
Layer 3 Switch + SVIs
Switch Virtual Interfaces per VLAN +
ip routing. Fastest, most scalable.STP & EtherChannel
Loop prevention and link aggregation
STP prevents Layer 2 broadcast storms in redundant topologies by blocking one or more paths. Elects a Root Bridge — lowest Bridge ID wins.
| Port Role | Description |
|---|---|
| Root Port | Best path to Root Bridge |
| Designated | Forwards frames on segment |
| Alternate | Blocked — standby path |
PortFastSkip Listening/Learning (access ports)
BPDU Guarderr-disable if BPDU received
PVST+STP per VLAN (Cisco default)
Rapid PVST+Fast convergence (~1–2s)
EtherChannel bundles 2–8 ports into one logical link. LACP (IEEE 802.3ad) or PAgP (Cisco). STP sees it as a single interface.
VLAN Knowledge Drills
Multiple choice questions on VLANs, trunking, STP, and EtherChannel.
0
Correct
0
Wrong
0
Streak 🔥
60s
QUESTION 1 · VLANS
Packet Tracer Labs
Step-by-step VLAN configuration walkthroughs.
VLAN Topology Diagrams
VLAN Cheatsheet
VTP — VLAN Trunking Protocol
Propagating VLAN databases across a switched network
VTP synchronises the VLAN database across switches in the same VTP domain. A Server creates/modifies VLANs and advertises them. Clients receive and apply updates but cannot make changes. Transparent mode ignores VTP but forwards advertisements.
| Mode | Create VLANs | Syncs DB | Forwards Ads | Saves to NVRAM |
|---|---|---|---|---|
| Server | Yes | Yes | Yes | Yes |
| Client | No | Yes | Yes | No |
| Transparent | Local only | No | Yes (v2) | Yes (local) |
VTP Danger: Adding a switch with a higher revision number can wipe all VLANs. Best practice: use Transparent mode or disable VTP entirely.
VTP Configuration
SW1(config)# vtp domain CORP
SW1(config)# vtp mode server
SW1(config)# vtp version 2
SW1(config)# vtp password Cisco123
SW1# show vtp status
DTP — Dynamic Trunking Protocol
Automatic trunk negotiation between Cisco switches
DTP negotiates whether a link becomes a trunk. Knowing which mode combinations form trunks is a direct exam question.
| Mode A \ Mode B | Auto | Desirable | Trunk |
|---|---|---|---|
| Dynamic Auto | Access | Trunk | Trunk |
| Dynamic Desirable | Trunk | Trunk | Trunk |
Best practice: Set trunks manually and use
switchport nonegotiate to disable DTP frames.Harden a Trunk Port
SW1(config-if)# switchport mode trunk
SW1(config-if)# switchport nonegotiate
SW1(config-if)# switchport trunk native vlan 999
SW1(config-if)# switchport trunk allowed vlan 10,20,30
Voice VLAN Configuration
Separating IP phone and PC traffic on one port
An IP phone daisy-chains to the switch port with the PC behind it. The port carries a data VLAN (untagged for PC) and a voice VLAN (802.1Q tagged, CoS 5 for phone) simultaneously.
Data VLANUntagged — for PC traffic
Voice VLANTagged with CoS 5 — learned via CDP
PortFastRequired — phone needs fast STP convergence
QoS trust
mls qos trust cos — trust phone CoS markingsVoice VLAN Config
SW1(config-if)# switchport mode access
SW1(config-if)# switchport access vlan 10
SW1(config-if)# switchport voice vlan 20
SW1(config-if)# spanning-tree portfast
SW1(config-if)# mls qos trust cos
STP Port States, Timers & Variants
802.1D vs 802.1w RSTP — convergence, roles, and timers
STP elects a Root Bridge (lowest Bridge ID = priority + MAC). Non-root switches elect a Root Port (best path to root) and each segment elects a Designated Port. All others block to prevent loops.
802.1D Port States
BlockingBPDUs only — no data, no MAC learning (20s)
ListeningElects roles — no data forwarding (15s)
LearningBuilds MAC table — no data yet (15s)
ForwardingNormal operation
DisabledAdmin shutdown
STP Timers
Hello2s — BPDU interval from root
Forward Delay15s — Listening and Learning phases
Max Age20s — BPDU expiry
Total convergence~50 seconds (802.1D)
Path Costs (802.1D)
10 GbpsCost = 2
1 GbpsCost = 4
100 MbpsCost = 19
10 MbpsCost = 100
| Feature | 802.1D STP | 802.1w RSTP | 802.1s MST |
|---|---|---|---|
| Convergence | ~50 seconds | Under 1 second | Under 1 second |
| Port states | 5 states | 3 (Discarding/Learning/Forwarding) | 3 (same as RSTP) |
| Additional roles | Root/Designated/Non-Desig | + Alternate + Backup | + Alternate + Backup |
| VLAN instances | 1 (CST) | 1 per VLAN (PVST+) | Multiple VLANs per instance |
| Cisco variant | PVST+ | Rapid PVST+ | MST |
Root Election & Verification
SW1(config)# spanning-tree vlan 10 priority 4096
SW1(config)# spanning-tree vlan 10 root primary ! macro
SW1# show spanning-tree vlan 10
SW1# show spanning-tree summary
EtherChannel — PAgP vs LACP Mode Matrix
Bundling physical links into one logical channel
EtherChannel bundles 2–8 links into a single logical port-channel. STP sees one link. PAgP is Cisco-proprietary. LACP (802.3ad) is the open IEEE standard — preferred for multi-vendor environments.
| Protocol | Mode A | Mode B | Forms Channel? |
|---|---|---|---|
| PAgP | Auto | Auto | No |
| PAgP | Auto | Desirable | Yes |
| PAgP | Desirable | Desirable | Yes |
| LACP | Passive | Passive | No |
| LACP | Passive | Active | Yes |
| LACP | Active | Active | Yes |
| Static | On | On | Yes (no negotiation) |
| Mismatch | On | Auto / Passive | No — never mix On with negotiating modes |
Requirements: All member interfaces must match — speed, duplex, VLAN assignments, trunk/access mode, and allowed VLANs.
EtherChannel Config (LACP)
SW1(config)# interface range Gi0/1 - 2
SW1(config-if-range)# switchport mode trunk
SW1(config-if-range)# channel-group 1 mode active
SW1(config)# interface port-channel 1
SW1(config-if)# switchport mode trunk
SW1(config-if)# switchport trunk allowed vlan 10,20,30
SW1# show etherchannel summary
VLAN & Trunk Configuration
# Create and name VLANs
S1(config)# vlan 10
S1(config-vlan)# name Sales
S1(config)# vlan 99
S1(config-vlan)# name Management
# Assign access port to VLAN
S1(config)# interface Fa0/6
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 10
# Configure 802.1Q trunk
S1(config)# interface Gi0/1
S1(config-if)# switchport mode trunk
S1(config-if)# switchport trunk native vlan 99
S1(config-if)# switchport trunk allowed vlan 10,20,99
# Verify
S1# show vlan brief
S1# show interfaces trunk
S1# show interfaces Gi0/1 switchport
ROAS & L3 Switch
# Router-on-a-Stick subinterfaces
R1(config)# interface G0/0/0.10
R1(config-subif)# encapsulation dot1Q 10
R1(config-subif)# ip address 192.168.10.1 255.255.255.0
R1(config)# interface G0/0/0.20
R1(config-subif)# encapsulation dot1Q 20
R1(config-subif)# ip address 192.168.20.1 255.255.255.0
R1(config)# interface G0/0/0
R1(config-if)# no shutdown
# L3 Switch SVIs
SW(config)# ip routing
SW(config)# interface vlan 10
SW(config-if)# ip address 192.168.10.1 255.255.255.0
SW(config-if)# no shutdown
STP Configuration
# Set root bridge (low priority wins)
S1(config)# spanning-tree vlan 1 priority 4096
S1(config)# spanning-tree vlan 1 root primary
# PortFast on access ports
S1(config-if)# spanning-tree portfast
S1(config-if)# spanning-tree bpduguard enable
# Enable Rapid PVST+
S1(config)# spanning-tree mode rapid-pvst
# Verify STP
S1# show spanning-tree
S1# show spanning-tree vlan 10
EtherChannel Configuration
# LACP EtherChannel (IEEE)
S1(config)# interface range Fa0/1-2
S1(config-if-range)# channel-group 1 mode active
# Neighbour uses: mode passive or active
# PAgP EtherChannel (Cisco)
S1(config-if-range)# channel-group 1 mode desirable
# Neighbour uses: mode auto or desirable
# Configure logical port-channel
S1(config)# interface port-channel 1
S1(config-if)# switchport mode trunk
# Verify
S1# show etherchannel summary
S1# show etherchannel port-channel
Topic Checklist
Track your progress through VLAN concepts.
0%
Complete