Lab 11 - VLAN Configuration & Inter-VLAN Routing

Lab Objective

To understand Virtual LAN (VLAN) concepts, configure VLANs on switches, and implement inter-VLAN routing using router-on-a-stick configuration.

1. Introduction to VLAN

Traditional LAN Issues

In a traditional LAN (Local Area Network), all computers are connected through hubs or repeaters. These devices create:

  • One big collision domain
  • One big broadcast domain

This means any broadcast message sent by one computer is received by every device in the network, and collisions can easily spread through the whole network.

What is a VLAN?

A Virtual Local Area Network (VLAN) is a logical grouping of computers into separate broadcast domains — not based on physical location, but on configuration.

This means:

  • Devices in the same VLAN can be in different rooms, floors, or buildings
  • VLANs divide a single switch into multiple virtual switches

Benefits of VLANs

Better Performance

Broadcast domains become smaller → less unnecessary traffic → faster network

Better Security

Only devices in the same VLAN can communicate without a router. Sensitive departments (e.g., HR or Finance) can be isolated.

Easy Management

When a user moves desks, you don't need to rewire anything — just change VLAN membership in software.

Flexibility

Users of the same function (e.g., Sales, Marketing) can belong to the same VLAN even if they are physically apart.

When do you need VLANs?

  • More than 200 devices are on the LAN
  • There is too much broadcast traffic
  • Users need security separation
  • Devices need to be in the same broadcast domain because they run the same applications (e.g., VoIP phones)

2. Types of VLAN Connections

1. Access Link (Access Port)

  • Connects VLAN-unaware devices (like PCs)
  • Frames are sent without VLAN tags
  • A port in access mode belongs to only ONE VLAN
  • Example: A PC connected on port Fa0/1 is in VLAN 10

2. Trunk Link (Trunk Port)

  • Connects VLAN-aware devices such as switches or routers
  • Used when multiple VLANs must pass through the same physical cable
  • Frames are sent with a VLAN tag so the receiving switch knows the VLAN number
  • A trunk carries traffic of all VLANs (unless restricted)

Native VLAN (802.1Q Concept)

  • Frames belonging to the native VLAN are sent without tags on trunk links
  • If an untagged frame is received on a trunk, the switch assumes it belongs to the native VLAN
  • Default native VLAN = VLAN 1
  • This feature exists to support old switches that cannot understand tags

3. Communication in VLANs

Same VLAN Communication

Devices in the same VLAN can communicate normally even if they are connected to different switches. Switches use trunk links between them and tag frames so VLAN identity is preserved.

Different VLANs Communication

Devices in different VLANs cannot communicate without a router. A router is needed for:

  • Filtering broadcast traffic
  • Security
  • Inter-VLAN routing (communication between different VLANs)

This routing is called Inter-VLAN Routing.

4. Configuring VLANs on a Switch

VLAN Configuration Commands

Command                      Description
enable                       Enter privileged mode
config terminal              Enter global configuration mode
vlan 10                      Create VLAN 10
name Sales                   Name the VLAN as "Sales"
interface fa0/1              Enter interface configuration mode
switchport mode access       Set port as access mode
switchport access vlan 10    Assign port to VLAN 10
switchport mode trunk        Set port as trunk mode

Complete VLAN Configuration Example

! Step 1 — Enter privileged mode
Switch> enable

! Step 2 — Enter global configuration
Switch# config terminal

! Step 3 — Create VLAN
Switch(config)# vlan 10
Switch(config-vlan)# name Sales
Switch(config-vlan)# exit

! Step 4 — Assign VLAN to a port (Access Port)
Switch(config)# interface fa0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# exit

! Step 5 — Configure Trunk Port
Switch(config)# interface fa0/24
Switch(config-if)# switchport mode trunk

5. Inter-VLAN Routing (Router-on-a-Stick)

Overview

To allow VLANs to talk to each other, we use a router. We create sub-interfaces on the router:

Example: the router's physical port fa0/0 is divided into:

  • fa0/0.10 → for VLAN 10
  • fa0/0.20 → for VLAN 20

Each sub-interface gets an IP address (the gateway for that VLAN) and an encapsulation setting (dot1q followed by the VLAN number).

Router Configuration Commands

! Enter the physical router interface and bring it up
! (router interfaces are shut down by default, and the sub-interfaces stay down with it)
Router(config)# interface fa0/0
Router(config-if)# no shutdown
Router(config-if)# exit

! Create sub-interface for VLAN 10
Router(config)# interface fa0/0.10
Router(config-subif)# encapsulation dot1q 10
Router(config-subif)# ip address 192.168.10.1 255.255.255.0
Router(config-subif)# exit

! Create sub-interface for VLAN 20
Router(config)# interface fa0/0.20
Router(config-subif)# encapsulation dot1q 20
Router(config-subif)# ip address 192.168.20.1 255.255.255.0

Explanation:
This setup allows inter-VLAN routing over a single cable, hence the name Router on a Stick.

6. Example Topology Implementation

Topology Setup

Components:

  • 4 PCs connected to a switch
  • The switch connected to a router
  • PCs divided into two VLANs:
    • VLAN 10 → PC0, PC1
    • VLAN 20 → PC2, PC3
  • Switch port Fa0/5 (to router) is a trunk

Step-by-Step Configuration

Step A — Create VLANs

vlan 10
name Dept10
vlan 20
name Dept20

Step B — Assign Switch Ports

! Fa0/1 and Fa0/2 → VLAN 10
interface range fa0/1 - 2
switchport mode access
switchport access vlan 10

! Fa0/3 and Fa0/4 → VLAN 20
interface range fa0/3 - 4
switchport mode access
switchport access vlan 20

! Fa0/5 → Trunk
interface fa0/5
switchport mode trunk

Step C — Assign IPs to PCs

PC     VLAN   IP Address      Gateway
PC0    10     192.168.10.2    192.168.10.1
PC1    10     192.168.10.3    192.168.10.1
PC2    20     192.168.20.2    192.168.20.1
PC3    20     192.168.20.3    192.168.20.1

Step D — Test Same VLAN Communication

  • PC0 can ping PC1 → Success (same VLAN)
  • PC0 cannot ping PC2 → Fail (expected, different VLANs), because VLAN 20 is a different broadcast domain

Step E — Configure Router for Inter-VLAN Routing

! Bring up the physical interface that carries the trunk
interface fa0/0
no shutdown

! Sub-interface for VLAN 10
interface fa0/0.10
encapsulation dot1q 10
ip address 192.168.10.1 255.255.255.0

! Sub-interface for VLAN 20
interface fa0/0.20
encapsulation dot1q 20
ip address 192.168.20.1 255.255.255.0

Step F — Test Inter-VLAN Communication

Ping from: PC1 (VLAN 10) → PC3 (VLAN 20)

Result: Now successful, because the router is routing between VLANs.
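
The Step B trunk on Fa0/5 keeps the defaults described in section 2: native VLAN 1 and every VLAN allowed. The following added check (not part of the original lab) audits a switch configuration for those two defaults; the hardened variant uses the standard IOS commands `switchport trunk native vlan` and `switchport trunk allowed vlan`, and VLAN 999 is an assumed unused VLAN ID.

```python
import re

# Constructed input: the Step B switch configuration from this lab.
LAB_CONFIG = """\
interface range fa0/1 - 2
 switchport mode access
 switchport access vlan 10
interface range fa0/3 - 4
 switchport mode access
 switchport access vlan 20
interface fa0/5
 switchport mode trunk
"""
# Constructed input: same trunk, restricted to the lab VLANs (999 = assumed unused VLAN).
HARDENED_TRUNK = """\
interface fa0/5
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
"""
RULES = [  # (pattern, setting name) for the switchport lines the audit tracks
    (re.compile(r"switchport mode (\S+)"), "mode"),
    (re.compile(r"switchport trunk native vlan (\d+)"), "native_vlan"),
    (re.compile(r"switchport trunk allowed vlan (\S+)"), "allowed"),
]

def parse_ports(config):
    """Return {interface: settings}; an unset native VLAN defaults to 1."""
    ports, current = {}, None
    for line in (raw.strip().lower() for raw in config.splitlines()):
        if line.startswith("interface "):
            name = line.split(None, 1)[1]
            current = ports.setdefault(
                name, {"mode": None, "native_vlan": "1", "allowed": None})
        elif current is not None:
            for pattern, key in RULES:
                if (match := pattern.fullmatch(line)):
                    current[key] = match.group(1)
    return ports

def audit(config):
    """List (interface, finding) pairs for trunks left at their defaults."""
    findings = []
    for name, port in parse_ports(config).items():
        if port["mode"] == "trunk" and port["native_vlan"] == "1":
            findings.append((name, "native VLAN is the default VLAN 1"))
        if port["mode"] == "trunk" and port["allowed"] is None:
            findings.append((name, "trunk carries all VLANs"))
    return findings
```

If the native VLAN is changed on the switch trunk, the router side of the link has to agree on it, so apply the hardened trunk settings to both ends before re-running the Step F ping.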

Final Summary

Key Concepts

  • VLAN divides a switch into multiple logical networks
  • Access ports connect PCs and carry untagged traffic
  • Trunk ports connect switches/routers and carry tagged traffic
  • Inter-VLAN communication requires a router
  • Router-on-a-stick uses sub-interfaces to route between VLANs
  • Devices in the same VLAN communicate freely
  • Devices in different VLANs need a router to communicate
