
Lesson4 VLAN configuration

The document provides an overview of switching concepts and VLANs, detailing the functions and types of switches, including unmanaged and managed switches. It explains the importance of MAC address tables, VLAN configurations, and the benefits of using VLANs for network segmentation, security, and performance. Additionally, it includes practical steps for configuring VLANs on Cisco switches and highlights the advantages of VLANs in organizational settings.

Uploaded by

elistragis

Lesson 4 Switching Concepts & VLANs (Virtual LANs) configurations

o Switching Concepts
o MAC Address Table
o VLANs (Virtual LANs)
o Spanning Tree Protocol (STP)
o Link Aggregation and Redundancy Protocols


A switch

• A switch is a networking device that connects devices within a local area
network (LAN) and forwards data packets between them.
• It operates at the Data Link Layer (Layer 2) of the OSI model and uses MAC
addresses to determine where to send data. Switches are essential for creating
efficient and scalable networks.

Key Functions of a Switch

1. Forwarding Frames:

o A switch uses the MAC address table to forward frames to the correct
destination device.
o Example: If Device A sends a frame to Device B, the switch ensures the frame
reaches only Device B.

2. Learning MAC Addresses:

o A switch dynamically learns the MAC addresses of devices connected
to its ports and stores them in a MAC address table.
o Example: When Device A sends a frame, the switch records Device A's MAC
address and the port it is connected to.

3. Filtering Traffic:

o A switch forwards frames only to the port where the destination device
is located, reducing unnecessary traffic on other ports.
o Example: If Device A sends a frame to Device B, the switch does not forward
the frame to Device C.

4. Loop Prevention:

o Switches use protocols like Spanning Tree Protocol (STP) to prevent
network loops.
o Example: STP blocks redundant paths to avoid broadcast storms.

5. VLAN Support:

o Switches can segment a network into multiple Virtual LANs (VLANs),
improving security and performance.
o Example: Devices in the Sales VLAN cannot communicate directly with
devices in the IT VLAN unless a router is used.

Types of Switches
1. Unmanaged Switches:

o Basic switches with no configuration options.

o Example: Used in small home networks.


2. Managed Switches:

o Advanced switches that can be configured and monitored.

o Example: Used in enterprise networks for VLANs, QoS, and security.


3. Layer 2 Switches:

o Operate at the Data Link Layer (Layer 2) and use MAC addresses for
forwarding.
o Example: Most common type of switch.

4. Layer 3 Switches:

o Operate at both the Data Link Layer (Layer 2) and Network Layer
(Layer 3).

o Can perform routing functions in addition to switching.

o Example: Used in large networks to reduce the need for separate routers.

Example: Configuring a Cisco Switch

Step 1: Access the Switch

• Connect to the switch using a console cable or SSH.
• Enter global configuration mode:

Switch> enable
Switch# configure terminal

Step 2: Configure VLANs

• Create VLANs and assign ports:

Switch(config)# vlan 10
Switch(config-vlan)# name Sales
Switch(config-vlan)# exit
Switch(config)# interface FastEthernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10

Step 3: Enable Spanning Tree Protocol (STP)

• Enable STP to prevent loops:

Switch(config)# spanning-tree mode rapid-pvst

Step 4: Verify Configuration

• Check the MAC address table:

Switch# show mac address-table

• Check VLAN configuration:

Switch# show vlan brief

Advantages of Using Switches

1. Improved Performance:

o Switches reduce collisions and improve network efficiency by
forwarding frames only to the intended destination.

2. Scalability:

o Switches allow networks to grow by adding more devices without
degrading performance.

3. Security:

o VLANs and port security features enhance network security.

4. Flexibility:

o Managed switches provide advanced features like QoS, link
aggregation, and monitoring.

Why Use MAC Address?

• A MAC address is a unique number that is used to track a device in a
network. A MAC address provides a secure way to find senders or receivers in
the network and helps prevent unwanted network access.
• A MAC address is also used in Wi-Fi networks, such as at an airport, to
identify a specific device.

What is a MAC Address Table?

• The MAC address table is a database stored in a switch that maps MAC
addresses (Media Access Control addresses) to the physical ports on the
switch.
• Each entry in the table contains:

o A MAC address (the hardware address of a device).
o The port number where the device is connected.
o The VLAN (if applicable) to which the device belongs.

Viewing entries of the CAM table

To view the entries of the CAM table (another name for the MAC address table),
you can use the "show mac-address-table" command in privileged-exec mode.

This command displays the CAM table's entries. If you use this command just after
starting the switch, it displays a blank CAM table.

A switch adds a device's MAC address to the CAM table when it receives a frame
from that device on any of its ports.
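
The following Python model is an added example, not part of the original lesson. It shows a switch learning MAC addresses into a per-VLAN table and then forwarding, filtering or flooding frames, as described under Key Functions of a Switch and in this section; the port layout and MAC addresses are constructed.

```python
"""Added example: a model Layer 2 switch that learns, forwards, filters, floods."""
from dataclasses import dataclass, field

BROADCAST = "ffff.ffff.ffff"


@dataclass
class Switch:
    # port number -> access VLAN of that port (constructed sample layout)
    port_vlan: dict
    # (vlan, mac) -> port: the MAC address table, empty right after start-up
    mac_table: dict = field(default_factory=dict)

    def receive(self, in_port, src_mac, dst_mac):
        """Process one frame and return the sorted list of egress ports."""
        vlan = self.port_vlan[in_port]
        # Learning: record (or refresh) the sender's MAC against the ingress port.
        self.mac_table[(vlan, src_mac)] = in_port

        out_port = self.mac_table.get((vlan, dst_mac))
        if dst_mac != BROADCAST and out_port is not None:
            # Forwarding + filtering: a known unicast goes to exactly one port
            # and is never sent back out of the port it arrived on.
            return [] if out_port == in_port else [out_port]
        # Flooding: a broadcast or unknown unicast goes to every other port
        # in the same VLAN, never to ports in a different VLAN.
        return sorted(p for p, v in self.port_vlan.items()
                      if v == vlan and p != in_port)

    def show_mac_address_table(self):
        """Rows shaped like the table described above: (vlan, mac, port)."""
        return sorted((v, m, p) for (v, m), p in self.mac_table.items())


def demo():
    # Constructed layout: ports 1-3 in VLAN 10 (Sales), ports 4-5 in VLAN 20 (IT).
    sw = Switch(port_vlan={1: 10, 2: 10, 3: 10, 4: 20, 5: 20})
    a, b, d = "0000.1111.000a", "0000.1111.000b", "0000.1111.000d"
    results = {
        "table_at_boot": sw.show_mac_address_table(),
        # B is still unknown, so A's frame is flooded inside VLAN 10 only.
        "a_to_b_unknown": sw.receive(1, a, b),
        # B replies; A was learned on port 1, so only port 1 receives it.
        "b_to_a_known": sw.receive(2, b, a),
        # B is now known too: Device C on port 3 no longer sees A -> B.
        "a_to_b_known": sw.receive(1, a, b),
        # A broadcast from VLAN 20 never reaches the VLAN 10 ports.
        "d_broadcast": sw.receive(4, d, BROADCAST),
        # A VLAN 20 host addressing a VLAN 10 MAC: there is no (20, a) entry,
        # so the frame stays inside VLAN 20 and never reaches A.
        "d_to_a_cross_vlan": sw.receive(4, d, a),
    }
    results["table_after"] = sw.show_mac_address_table()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
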

Introduction to VLANs (Virtual Local Area Networks)


What is a VLAN?

A Virtual Local Area Network (VLAN) is a logical subgroup within a local area
network (LAN) that combines a collection of devices from different physical LAN
segments into a single broadcast domain. VLANs help in segmenting networks for
improved performance, security, and management.

Key Features of VLANs

• Logical Grouping: Devices can be grouped logically regardless of their
physical location.
• Broadcast Control: Reduces broadcast traffic by segmenting traffic between
VLANs.
• Enhanced Security: VLANs can isolate sensitive data and resources from
unauthorized access.
• Improved Performance: By reducing unnecessary traffic, VLANs enhance
overall network performance.

VLAN ranges:

• VLAN 0, 4095: These are reserved VLANs, which cannot be seen or used.
• VLAN 1: It is the default VLAN of switches. By default, all switch ports are in
this VLAN. This VLAN can't be deleted or edited but can be used.
• VLAN 2-1001: This is the normal VLAN range. We can create, edit and delete
these VLANs.
• VLAN 1002-1005: These are Cisco defaults for FDDI and Token Ring. These
VLANs can't be deleted.
• VLAN 1006-4094: This is the extended range of VLANs.

Here is an image that shows three VLANs thereby creating networks that
are logically defined:

Development of VLAN

• A LAN is also referred to as a broadcast domain. This simply means that
when a user broadcasts any information on his/her LAN, it is
sent to every user on the LAN.

o To prevent broadcasts from leaving a LAN, routers are used. This
method has a limitation.
o The time taken by routers to process incoming data is much higher compared
to that taken by a bridge or a switch.
o This led to the development of a Virtual Local Area Network as a
means of restricting a broadcast from leaving a LAN.

How VLANs Work

• Tagging Protocols: VLANs use tagging protocols like IEEE 802.1Q to identify
VLAN membership in Ethernet frames.
• Switch Configuration: VLANs are configured on network switches, allowing
devices to communicate within the same VLAN while remaining isolated
from others.
• Inter-VLAN Routing: To allow communication between different VLANs, a
router or a Layer 3 switch is used.
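
As an added example (not part of the original lesson), the following Python code reads the IEEE 802.1Q tag carried in an Ethernet frame and classifies the VLAN ID using the VLAN ranges listed earlier. The sample frames and the function names (parse_frame, build_frame, vlan_range) are constructed for this example.

```python
"""Added example: read the IEEE 802.1Q VLAN tag from a raw Ethernet frame."""
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q-tagged frame


def vlan_range(vid):
    """Classify a VLAN ID using the ranges listed in this lesson."""
    if not 0 <= vid <= 4095:
        raise ValueError(f"VLAN ID {vid} does not fit in 12 bits")
    if vid in (0, 4095):
        return "reserved"
    if vid == 1:
        return "default"
    if vid <= 1001:
        return "normal"
    if vid <= 1005:
        return "cisco-default"  # FDDI and Token Ring defaults
    return "extended"


def parse_frame(frame):
    """Return the addresses, VLAN tag fields (None if untagged) and EtherType."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "vid": None, "pcp": None, "dei": None, "range": None}
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        # Tag Control Information: 3-bit priority (PCP), 1-bit DEI and the
        # 12-bit VLAN ID, followed by the EtherType of the payload.
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info.update(pcp=tci >> 13, dei=(tci >> 12) & 1, vid=tci & 0x0FFF)
        info["range"] = vlan_range(info["vid"])
    info["ethertype"] = ethertype
    return info


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Build a sample frame; with vid set, insert the tag as a trunk port would."""
    header = bytes.fromhex(dst.replace(":", "") + src.replace(":", ""))
    if vid is not None:
        header += struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return header + struct.pack("!H", ethertype) + payload


# Constructed sample frames (addresses and payloads are made up).
TAGGED = build_frame("ff:ff:ff:ff:ff:ff", "00:00:11:11:22:22", 0x0806,
                     bytes(28), vid=10, pcp=5)
UNTAGGED = build_frame("00:00:11:11:33:33", "00:00:11:11:22:22", 0x0800,
                       bytes(20))

if __name__ == "__main__":
    for name, frame in (("tagged", TAGGED), ("untagged", UNTAGGED)):
        print(name, parse_frame(frame))
```
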

Benefits of VLANs

1. Flexibility: Easily move devices between VLANs without changing physical
connections.
2. Scalability: Simplifies the expansion of networks by adding new devices to
existing VLANs.
3. Management: Simplifies network management through logical organization,
making troubleshooting easier.
4. Policy Implementation: Allows for the application of security policies at the
VLAN level.

Common Use Cases

• Departmental Segmentation: Different departments (e.g., HR, Finance, IT)
can be segmented into their own VLANs for security and management.
• Guest Networks: Creating a separate VLAN for guest access to limit access to
the main network.
• Voice over IP (VoIP): Isolating VoIP traffic on its own VLAN to ensure quality of
service (QoS).

Port-Based VLANs

• Port-Based VLANs assign devices to VLANs based on the physical switch
port they are connected to.
• All devices connected to the same port belong to the same VLAN.

Functions

1. Segmentation:

o Devices on different ports are isolated into separate VLANs.
o Example: Ports 1-5 are assigned to VLAN 10 (Sales), and Ports 6-10 are
assigned to VLAN 20 (IT).

2. Simplified Management:

o VLAN membership is determined by the port configuration, making it
easy to manage.

3. Security:

o Devices in one VLAN cannot communicate with devices in another
VLAN unless a router is used.

Protocol-Based VLANs

Definition

• Protocol-Based VLANs assign devices to VLANs based on the network
protocol they are using (e.g., IP, IPX, AppleTalk).
• This is useful in networks where multiple protocols are used.

Functions

1. Traffic Segmentation:

o Segments traffic based on the protocol type.
o Example: IP traffic is assigned to VLAN 10, and IPX traffic is assigned
to VLAN 20.

2. Optimized Resource Utilization:

o Ensures that devices using the same protocol are grouped together,
improving efficiency.

3. Legacy Support:

o Supports legacy protocols that may still be in use.

MAC-Based VLANs

Definition

• MAC-Based VLANs assign devices to VLANs based on their MAC addresses.
• This allows devices to be assigned to VLANs dynamically, regardless of the
port they are connected to.

Functions

1. Dynamic VLAN Assignment:

o Devices are automatically assigned to VLANs based on their MAC
addresses.
o Example: A laptop with MAC address 0000.1111.2222 is always
assigned to VLAN 10, regardless of which port it is connected to.

2. Flexibility:

o Devices can move between ports while retaining their VLAN
membership.

3. Enhanced Security:

o Ensures that only authorized devices can join specific VLANs.

Configuring VLANs on switches

We will configure two VLANs in this network: VLAN-10 and VLAN-20. We will
use VLAN-10 for the network 10.0.0.0/8. We will use VLAN-20 for the network
20.0.0.0/8. We will keep one PC from each switch in a VLAN.

Access the first switch's CLI prompt. Enter global configuration mode and use
the vlan command to create a new VLAN. This command needs a VLAN number as
an argument. It checks the specified VLAN number for an existing VLAN before
creating a new VLAN. If it finds an existing VLAN having the specified number, it
does not create a new VLAN. It enters VLAN configuration mode for the existing
VLAN. If it does not find an existing VLAN having the specified number, it creates a
new VLAN and enters VLAN configuration mode for the new VLAN.

VLAN configuration mode allows us to configure additional options such
as name and RSPAN. In a basic configuration, we do not need to configure these
options. Use the exit command to exit VLAN configuration mode.

The following commands create VLAN-10.

Switch>enable
Switch#configure terminal
Switch(config)#vlan 10
Switch(config-vlan)#exit
Switch(config)#

The following commands create VLAN-20.

Switch(config)#vlan 20
Switch(config-vlan)#exit
Switch(config)#

Since all three switches have PCs in these VLANs, you need to run the above
commands on all switches.

After creating VLANs, we need to assign them to the switch ports. The switchport
access vlan command assigns a VLAN to the switch port. It accepts a VLAN
number as an argument. It runs in the interface configuration mode of the port. It
assigns the specified VLAN number to the port. The device connected to the port
becomes a member of the specified VLAN.

The following commands make the device connected to port-1 a member of VLAN-10.

Switch(config)#interface fastethernet 0/1
Switch(config-if)#switchport access vlan 10
Switch(config-if)#exit

The following commands make the device connected to port-2 a member of VLAN-20.

Switch(config)#interface fastethernet 0/2
Switch(config-if)#switchport access vlan 20
Switch(config-if)#exit
Switch(config)#

You need to run the above commands on all switches.

A switch port can work in two modes: access and trunk. In access mode, it works
with a single VLAN. In trunk mode, it works with multiple VLANs.

Access mode is the default mode on all switch ports. If you connect an end device to
a switch port, you do not need to change the default mode. But if you connect a
switch port to another switch port, you need to change the default mode to trunk
mode on both ports.

Change default mode to trunk mode on ports you used to connect switches. Use
the switchport mode trunk command to change the default mode. Run this command
in the interface configuration mode of the port.

The following commands change the default mode to trunk mode
on GigabitEthernet 0/1.

Switch(config)#interface gigabitEthernet 0/1
Switch(config-if)#switchport mode trunk
Switch(config-if)#exit

The following commands change the default mode to trunk mode
on GigabitEthernet 0/2.

Switch(config)#interface gigabitEthernet 0/2
Switch(config-if)#switchport mode trunk
Switch(config-if)#exit
Switch(config)#

Run the above commands on all switches.
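
Because the same commands have to be repeated on every switch, a port left unassigned or an inter-switch link left out of trunk mode is easy to miss. The following Python check is an added example, not part of the original lesson: it compares one switch's configuration text with the intended plan. The sample configuration, the plan and the function names are constructed, and the code assumes the configuration text contains the vlan entries as well as the interface stanzas.

```python
"""Added example: audit one switch's configuration against the VLAN plan."""
import re

# Constructed sample: VLAN 20 missing, Fa0/3 unassigned, Gi0/2 not a trunk.
SAMPLE_CONFIG = """\
vlan 10
interface FastEthernet0/1
 switchport access vlan 10
interface FastEthernet0/2
 switchport access vlan 20
interface FastEthernet0/3
interface GigabitEthernet0/1
 switchport mode trunk
interface GigabitEthernet0/2
"""
# Plan from the walkthrough: port 1 in VLAN-10, port 2 in VLAN-20, Gi0/1 and
# Gi0/2 connect the switches. Fa0/3 in VLAN-10 is an extra, assumed port.
ACCESS_PLAN = {"FastEthernet0/1": 10, "FastEthernet0/2": 20, "FastEthernet0/3": 10}
TRUNK_PORTS = ["GigabitEthernet0/1", "GigabitEthernet0/2"]


def norm(name):
    """Give 'fastethernet 0/1' and 'FastEthernet0/1' one spelling."""
    return name.replace(" ", "").lower()


def parse_config(text):
    """Return (created VLAN IDs, {interface: {'mode', 'vlan'}})."""
    vlans, ports, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"vlan (\d+)", line, re.I):
            vlans.add(int(m.group(1)))
            current = None  # a vlan line ends any interface stanza
        elif m := re.fullmatch(r"interface (.+)", line, re.I):
            current = ports.setdefault(norm(m.group(1)), {"mode": None, "vlan": None})
        elif current is not None:
            if m := re.fullmatch(r"switchport mode (access|trunk)", line, re.I):
                current["mode"] = m.group(1).lower()
            elif m := re.fullmatch(r"switchport access vlan (\d+)", line, re.I):
                current["vlan"] = int(m.group(1))
    return vlans, ports


def audit(text, access_plan, trunk_ports):
    """Compare the config with the plan and return sorted findings."""
    vlans, ports = parse_config(text)
    findings = []
    for port, want in access_plan.items():
        have = ports.get(norm(port), {"mode": None, "vlan": None})
        if have["mode"] == "trunk":
            findings.append(f"{port}: end-device port is in trunk mode")
        if have["vlan"] is None:
            findings.append(f"{port}: no access VLAN set, port stays in VLAN 1")
        elif have["vlan"] != want:
            findings.append(f"{port}: in VLAN {have['vlan']}, plan says {want}")
        if want not in vlans:
            findings.append(f"{port}: VLAN {want} has no vlan entry in this config")
    for port in trunk_ports:
        if ports.get(norm(port), {}).get("mode") != "trunk":
            findings.append(f"{port}: switch-to-switch port is not in trunk mode")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, ACCESS_PLAN, TRUNK_PORTS):
        print(finding)
```
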

Testing and verifying VLANs

To test and verify VLAN configuration, you can check connectivity between PCs in
the same VLAN.

Click the PC icon, click Desktop, and click Command prompt. Use
the ping command to test connectivity.

PC0 is a member of VLAN-10. As we can see in the above image, it has connectivity
with PC2 and PC4. PC2 and PC4 are other members of VLAN-10.

Similarly, you can also test connectivity between PC1, PC3, and PC5. These are
members of VLAN-20.

Reference Materials

Cisco Switch basic Configuration | Cisco Switch Configuration Step by Step (Nice
video for practical)
https://www.youtube.com/watch?v=7dXBN8a-X2U

Cisco Packet Tracer Tutorial: Basic VLAN Configuration and Trunking
https://www.youtube.com/watch?v=b2Mbd3YA3Z4&t=188s

Revision Example of VLAN Use:

Scenario: A company with three departments — HR, IT, and Sales. The network
administrator creates three VLANs to segregate traffic:

• VLAN 10 (HR): Only devices in the HR department can communicate with
each other. HR personnel can access sensitive payroll data without concern
about unauthorized access from other departments.
• VLAN 20 (IT): All IT equipment, like servers, switches, and network
management tools, reside in this VLAN. This ensures that only IT staff can
interact with critical network infrastructure.
• VLAN 30 (Sales): Sales staff are assigned to this VLAN, keeping their
activities separate from the HR and IT departments.

Benefits:

• Security: IT and HR cannot accidentally access each other's data because their
VLANs are isolated.
• Network Efficiency: Sales staff can communicate with one another without
causing congestion for HR or IT.
• Simplified Management: The network administrator can easily manage
policies for each department by targeting specific VLANs.

Conclusion:

VLANs provide network administrators with flexibility, security, and efficient
management of a network. By segmenting a network into smaller, logical units,
VLANs help optimize performance, reduce broadcast traffic, and secure sensitive
data. As organizations scale, VLANs become essential tools for maintaining a
structured and well-organized network environment.

You said:

VLAN configuration network question with case study

ChatGPT said:

VLAN Configuration Network Case Study

Case Study: XYZ Corporation Network Design

Background: XYZ Corporation has a large office building with four departments:

• HR (Human Resources)
• Finance
• Sales
• IT (Information Technology)

The company wants to implement a VLAN-based network design to improve
network performance, security, and manageability. The company has 3 floors in
their office building, each with a number of networked devices. Currently, all
employees are on the same physical network, but this causes issues like too much
broadcast traffic, security concerns, and inefficient network management.

Requirements:

1. Departmental Segmentation: Each department should have its own isolated
network to avoid unauthorized access between departments.
2. Security: The HR and Finance departments handle sensitive data and need
extra security. Only authorized personnel should access certain data.
3. Network Performance: Reduce unnecessary traffic between departments and
improve overall network efficiency.
4. Inter-VLAN Routing: The departments should be able to communicate with
each other when necessary (e.g., IT needs to access HR for specific tasks).

Network Design Plan:

1. VLANs for Departmental Segmentation:

o VLAN 10 (HR): This VLAN will contain all HR-related devices such as
computers, printers, and other devices used by HR employees.
o VLAN 20 (Finance): All devices used by the finance department will
be placed in this VLAN.
o VLAN 30 (Sales): Devices used by the sales team will be part of this
VLAN.
o VLAN 40 (IT): This VLAN will be dedicated to IT infrastructure,
servers, switches, and other networking equipment that IT personnel
use.

2. Physical Setup:

o Switches: There will be Layer 2 switches at each floor. The switches
will be VLAN-aware to isolate traffic based on VLAN IDs.
o Router (Layer 3 Switch): A Layer 3 switch will be used for routing
traffic between VLANs. This switch will perform Inter-VLAN
Routing.

3. Access Ports vs. Trunk Ports:

o Access Ports: The ports that are connected to devices like computers,
printers, or IP phones will be assigned to specific VLANs (HR, Finance,
Sales, IT). Each port will belong to a single VLAN.
o Trunk Ports: The ports that connect switches and routers will be
configured as trunk ports, allowing multiple VLAN traffic to pass
through using VLAN tags (IEEE 802.1Q tagging).

VLAN Configuration Steps:

Step 1: Create VLANs on Layer 2 Switches

On each Layer 2 switch, VLANs will be created to segment the network.

Switch(config)# vlan 10
Switch(config-vlan)# name HR
Switch(config)# vlan 20
Switch(config-vlan)# name Finance
Switch(config)# vlan 30
Switch(config-vlan)# name Sales
Switch(config)# vlan 40
Switch(config-vlan)# name IT

Step 2: Assign Ports to VLANs

After creating the VLANs, the corresponding ports
will be assigned to each VLAN. Let's assume each department is on a specific floor,
and all the devices in each department will be connected to the same VLAN on that
floor.

• HR devices will connect to ports 1-10.
• Finance devices will connect to ports 11-20.
• Sales devices will connect to ports 21-30.
• IT devices will connect to ports 31-40.

Switch(config)# interface range fa0/1 - 10
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 10
Switch(config)# interface range fa0/11 - 20
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 20
Switch(config)# interface range fa0/21 - 30
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 30
Switch(config)# interface range fa0/31 - 40
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 40

Step 3: Configure Trunk Ports for Switch-to-Switch Communication

Switches that
connect to other switches or routers should be configured as trunk ports to allow
traffic from multiple VLANs to traverse a single link.

Switch(config)# interface gig0/1
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk allowed vlan 10,20,30,40

Step 4: Inter-VLAN Routing (Router Configuration)

To allow devices in different
VLANs to communicate, a Layer 3 Switch or a router needs to be configured for
Inter-VLAN Routing. This can be done by creating subinterfaces for each VLAN.

Assuming the router interface connected to the Layer 3 switch is Gig0/1,
subinterfaces will be configured for each VLAN.

Router(config)# interface gig0/1.10
Router(config-if)# encapsulation dot1Q 10
Router(config-if)# ip address 192.168.10.1 255.255.255.0
Router(config)# interface gig0/1.20
Router(config-if)# encapsulation dot1Q 20
Router(config-if)# ip address 192.168.20.1 255.255.255.0
Router(config)# interface gig0/1.30
Router(config-if)# encapsulation dot1Q 30
Router(config-if)# ip address 192.168.30.1 255.255.255.0
Router(config)# interface gig0/1.40
Router(config-if)# encapsulation dot1Q 40
Router(config-if)# ip address 192.168.40.1 255.255.255.0

Step 5: Configure Routing

If you're using a router, enable routing between these
VLANs (subnetting is automatically handled by the router for each VLAN).

Router(config)# ip routing

Step 6: Verify VLAN Configuration

Once the configuration is complete, use the
following commands to verify that the VLANs are properly configured:

1. Check VLAN Configuration:

Switch# show vlan brief

2. Verify Trunk Ports:

Switch# show interfaces trunk

3. Check Routing on the Router:

Router# show ip route

Step 7: Test Connectivity

• Ensure devices in the same VLAN can communicate.
• Ensure devices in different VLANs can communicate through the router
(Inter-VLAN Routing).

Benefits of this VLAN Configuration:

1. Security: Sensitive departments (HR, Finance) are isolated from each other
and other departments (Sales, IT), reducing the risk of unauthorized access.
2. Network Efficiency: By isolating departments, unnecessary broadcast traffic
is minimized.
3. Simplified Management: Changes in the network can be done by adjusting
VLAN configurations rather than physically re-cabling devices.
4. Performance: Traffic in one VLAN does not interfere with traffic in another,
leading to reduced congestion.
