> VLAN 10 — STUDENTS........ ISOLATED ✓
> VLAN 100 — STAFF.......... ISOLATED ✓
> S1 Fa0/1 ←→ S2 Fa0/1..... TRUNK UP ✓
> PING PC1 → PC6............ SUCCESS ✓
> PING PC1 → PC3............ BLOCKED ✓
A switch by default puts every port in the same broadcast domain. Plug in 24 devices and they can all reach each other — ARP broadcasts, DHCP requests, everything floods everywhere. That works for a small flat network. The moment you need to separate different groups of users or devices, you need VLANs.
This article walks through what VLANs are, how access and trunk ports work, and finishes with a free Packet Tracer lab — two switches, six PCs, two VLANs. Build it, configure it, break it, understand it.
★ WHAT A VLAN ACTUALLY IS
A VLAN (Virtual Local Area Network) is a logical partition on a switch. Devices on VLAN 10 can reach each other. Devices on VLAN 100 can reach each other. But VLAN 10 and VLAN 100 cannot talk at Layer 2 — they're in completely separate broadcast domains even though they share the same physical hardware.
[ THE ONE SENTENCE VERSION ]
A VLAN makes one physical switch behave like multiple separate switches — each isolated from the others unless you explicitly route between them at Layer 3.
To communicate between VLANs you need a Layer 3 device. That's inter-VLAN routing — covered in the next lab. For now: VLANs isolate at Layer 2, routing connects them at Layer 3.
★ ACCESS PORTS VS TRUNK PORTS
ACCESS PORTS
An access port belongs to exactly one VLAN. The connected device doesn't know VLANs exist — it just sends and receives normal Ethernet frames. The switch tags traffic internally and strips the tag before delivering it. Transparent to the end device.
[ ACCESS PORT ]
✓ One VLAN only
✓ Connected device is VLAN-unaware
✓ Switch tags frames internally on ingress, strips on egress
✓ Use for: PCs, printers, access points, servers
Switch(config)# interface fastethernet 0/2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# spanning-tree portfast
TRUNK PORTS
A trunk port carries multiple VLANs on one link using 802.1Q tagging. A 4-byte tag is inserted into each Ethernet frame identifying its VLAN. The receiving device reads the tag and handles the frame accordingly. This is how two switches stay VLAN-aware across an uplink.
[ TRUNK PORT ]
✓ Multiple VLANs on one physical link
✓ 802.1Q tag identifies each frame's VLAN
✓ Native VLAN carries untagged traffic — change from default VLAN 1
✓ Use for: switch-to-switch links, switch-to-router uplinks
Switch(config)# interface fastethernet 0/1
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk allowed vlan 10,100
Switch(config-if)# switchport trunk native vlan 99
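To make the 4-byte 802.1Q tag concrete, the Python below (an added example, not part of the original lab) inserts the tag after the source MAC as a trunk would on egress, then parses and strips it as the receiving switch would. The MAC addresses and payload are constructed, the function names are illustrative, and the trunk model is simplified; native VLAN 99 and the allowed list 10,100 follow the trunk configuration above.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q-tagged frame

def tag_frame(frame, vlan_id, pcp=0):
    """Insert the 4-byte tag (TPID + TCI) between source MAC and EtherType."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1-4094; 0 and 4095 are reserved")
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    tci = (pcp & 0x7) << 13 | vlan_id  # 3-bit priority, DEI bit 0, 12-bit VLAN ID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def parse_frame(frame, native_vlan):
    """Classify a frame arriving on a trunk; return its VLAN and the untagged frame."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        # Untagged traffic on a trunk is placed in the native VLAN.
        return {"vlan": native_vlan, "tagged": False, "frame": frame}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    (tci,) = struct.unpack("!H", frame[14:16])
    return {"vlan": tci & 0x0FFF, "tagged": True, "frame": frame[:12] + frame[16:]}

def trunk_egress(frame, vlan_id, native_vlan, allowed):
    """Simplified trunk send: drop, send untagged (native), or send tagged."""
    if vlan_id not in allowed:
        return None
    return frame if vlan_id == native_vlan else tag_frame(frame, vlan_id)

# Constructed sample: dst MAC, src MAC, EtherType 0x0800, placeholder payload.
UNTAGGED = bytes.fromhex("020000000006" "020000000001" "0800") + b"constructed payload"

if __name__ == "__main__":
    on_wire = trunk_egress(UNTAGGED, 10, native_vlan=99, allowed={10, 100})
    print(on_wire[12:16].hex())
    print(parse_frame(on_wire, native_vlan=99)["vlan"])
```

With the lab's allowed list of 10,100, a frame from any other VLAN never reaches the wire, and an untagged frame arriving on the trunk is classified into VLAN 99, where no access port lives.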
[ ⚠ NATIVE VLAN ]
Default native VLAN is VLAN 1 — a known attack vector. Change it to an unused VLAN on both ends of every trunk. Mismatch between ends causes CDP warnings and potential traffic leakage.
★ IP ADDRESSING
| DEVICE | IP | MASK | VLAN | PORT |
|---|---|---|---|---|
| PC1 | 192.168.10.1 | /24 | 10 (Students) | S1 Fa0/2 |
| PC2 | 192.168.10.2 | /24 | 10 (Students) | S1 Fa0/3 |
| PC3 | 192.168.10.3 | /24 | 100 (Staff) | S1 Fa0/4 |
| PC4 | 192.168.10.4 | /24 | 100 (Staff) | S2 Fa0/2 |
| PC5 | 192.168.10.5 | /24 | 10 (Students) | S2 Fa0/3 |
| PC6 | 192.168.10.6 | /24 | 10 (Students) | S2 Fa0/4 |
★ SWITCH CONFIGURATION
STEP 1 — CREATE VLANS (BOTH SWITCHES)
Switch(config)# vlan 10
Switch(config-vlan)# name Students
Switch(config)# vlan 100
Switch(config-vlan)# name Staff
Switch(config)# vlan 99
Switch(config-vlan)# name Native_Unused
Switch# show vlan brief
STEP 2 — ACCESS PORTS ON S1
S1(config)# interface fastethernet 0/2
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 10
S1(config-if)# spanning-tree portfast
S1(config)# interface fastethernet 0/3
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 10
S1(config-if)# spanning-tree portfast
S1(config)# interface fastethernet 0/4
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 100
S1(config-if)# spanning-tree portfast
STEP 3 — ACCESS PORTS ON S2
S2(config)# interface fastethernet 0/2
S2(config-if)# switchport mode access
S2(config-if)# switchport access vlan 100
S2(config-if)# spanning-tree portfast
S2(config)# interface fastethernet 0/3
S2(config-if)# switchport mode access
S2(config-if)# switchport access vlan 100
S2(config-if)# spanning-tree portfast
S2(config)# interface fastethernet 0/4
S2(config-if)# switchport mode access
S2(config-if)# switchport access vlan 10
S2(config-if)# spanning-tree portfast
STEP 4 — TRUNK PORT (BOTH SWITCHES)
! Run on S1 AND S2
Switch(config)# interface fastethernet 0/1
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk allowed vlan 10,100
Switch(config-if)# switchport trunk native vlan 99
Switch# show interfaces trunk
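One way to check the Step 4 trunk settings on both ends, as an added example (not part of the original lab): the Python below reads running-config text from each switch and flags a native VLAN left at 1, a missing allowed list, and any mismatch between the two ends. The config excerpts are constructed and the function names are illustrative.

```python
import re

def expand(spec):
    """Turn an IOS VLAN list such as '10,100' or '10-12,100' into a set."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_trunks(config):
    """Return {interface: settings} for every port in trunk mode."""
    ports, port = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            # Defaults until a command overrides them: native 1, all VLANs allowed.
            port = ports[line.split(None, 1)[1]] = {"trunk": False, "native": 1, "allowed": None}
        elif port is None:
            continue
        elif line == "switchport mode trunk":
            port["trunk"] = True
        elif m := re.fullmatch(r"switchport trunk native vlan (\d+)", line):
            port["native"] = int(m.group(1))
        elif m := re.fullmatch(r"switchport trunk allowed vlan ([\d,-]+)", line):
            port["allowed"] = expand(m.group(1))
    return {name: p for name, p in ports.items() if p["trunk"]}

def audit_link(name_a, a, name_b, b):
    """Compare both ends of one trunk and return a list of findings."""
    findings = []
    for name, end in ((name_a, a), (name_b, b)):
        if end["native"] == 1:
            findings.append(f"{name}: native VLAN left at default VLAN 1")
        if end["allowed"] is None:
            findings.append(f"{name}: no allowed list, trunk carries every VLAN")
    if a["native"] != b["native"]:
        findings.append(f"native VLAN mismatch: {a['native']} vs {b['native']}")
    if a["allowed"] != b["allowed"]:
        findings.append("allowed VLAN lists differ between the two ends")
    return findings

# Constructed running-config excerpts: S1 matches Step 4; S2 is a drifted copy
# that is missing the native VLAN and allowed-list commands.
S1 = ("interface FastEthernet0/1\n switchport trunk native vlan 99\n"
      " switchport trunk allowed vlan 10,100\n switchport mode trunk\n"
      "interface FastEthernet0/2\n switchport access vlan 10\n switchport mode access\n")
S2 = "interface FastEthernet0/1\n switchport mode trunk\n"
```

Calling `audit_link("S1", parse_trunks(S1)["FastEthernet0/1"], "S2", parse_trunks(S2)["FastEthernet0/1"])` returns four findings for the drifted S2; two ends configured exactly as in Step 4 return an empty list.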
★ LAB TASKS
Download the lab file below. The topology is pre-built and PCs are pre-configured with IPs. The switches are unconfigured — that's your job. Complete the tasks in order then verify with the ping tests.
TASK 1
Create VLAN 10 and VLAN 100 on both S1 and S2. Name them Students and Staff.
TASK 2
On S1 — set Fa0/2 and Fa0/3 as access ports for VLAN 10. Set Fa0/4 as access port for VLAN 100. Enable portfast on all three.
TASK 3
On S2 — set Fa0/2 and Fa0/3 as access ports for VLAN 100. Set Fa0/4 as access port for VLAN 10. Enable portfast on all three.
TASK 4
Configure Fa0/1 on both switches as a trunk. Allow VLANs 10 and 100 only. Set native VLAN to 99 on both ends.
TASK 5 — PING TEST
From PC1, ping PC6. This should succeed — both are Students (VLAN 10) on different switches. Traffic crosses the trunk tagged as VLAN 10.
TASK 6 — PING TEST
From PC1, ping PC3. This should fail — PC1 is Students (VLAN 10), PC3 is Staff (VLAN 100). Layer 2 traffic cannot cross VLAN boundaries without a router.
BONUS — PORTFAST
Set portfast on all access ports. This skips the STP listening/learning states on ports connected to end devices — faster convergence, less waiting for pings to start working.
[ EXPECTED PING RESULTS ]
PC1 → PC2: SUCCESS (VLAN 10, same switch)
PC1 → PC5: SUCCESS (VLAN 10, across trunk)
PC1 → PC6: SUCCESS (VLAN 10, across trunk)
PC3 → PC4: SUCCESS (VLAN 100, across trunk)
PC1 → PC3: FAIL (VLAN 10 → VLAN 100)
PC1 → PC4: FAIL (VLAN 10 → VLAN 100)
PC5 → PC3: FAIL (VLAN 10 → VLAN 100)
PC6 → PC4: FAIL (VLAN 10 → VLAN 100)
⬇ FREE LAB — VLAN SEGMENTATION v1.0
Topology pre-built. PCs pre-configured.
Switches unconfigured — your job to build it.