Configuring VLANs and dot1q Tagging on Cisco Switches
In the last tutorial, we discussed VLANs and the tagging process. Now, let’s understand how to configure VLANs and dot1q tagging with two examples. In the first example, we will cover basic VLAN configuration and the commands to map ports to a VLAN. In the second example, we will configure tagged or trunk ports using IEEE 802.1q tagging. These examples will provide you with practical knowledge and a better understanding of how to implement VLANs effectively in your network.
Table of Contents
VLAN Configuration Example 1 : Configuring VLANs and Port Mapping
Objective: In this example, you will create two separate VLANs on a Cisco switch. For each VLAN, two physical ports will be assigned, and PCs will be connected to these ports. The goal is to verify that devices within the same VLAN can communicate with each other, while communication between devices in different VLANs is restricted. This topology demonstrates how VLANs can reduce the unwanted traffic, ensuring network segmentation and security.
Topology:
Configuration Procedure:
- Add VLAN 10 and VLAN 20 to the VLAN database.
- Configure ports FE1/0 and FE1/1 as part of VLAN 10.
- Configure ports FE1/2 and FE1/3 as part of VLAN 20.
- Configure IP addresses on all PCs. Ensure that PC1 and PC2 are on one network, and PC3 and PC4 are on another.
- Verify connectivity by checking if PC1 can ping PC2 and if PC3 can ping PC4.
- Verify that traffic from VLAN 10 is not reaching VLAN 20.
Before you start, you can go through this link : How to Configure VLANs on a Cisco Switch if you’re not familiar with VLAN configuration.
Step 1. Add VLAN 10 and VLAN 20 to the VLAN database : The following commands will configure VLAN 10 and VLAN 20 with the names ‘testers’ and ‘developers,’ respectively.
Switch# vlan database
Switch(vlan)# vlan 10 name testers
Switch(vlan)# vlan 20 name developers
Switch(vlan)# exit
Switch#Steps 2 and 3. Configure ports FE1/0 and FE1/1 as part of VLAN 10 and configure ports FE1/2 and FE1/3 as part of VLAN 20 :To configure ports FastEthernet 1/0 and FastEthernet 1/1 together, we will use the “interface range” command, and the same command will be used for FE1/2 and FE1/3, as shown below:
Switch# configure terminal
Switch(config)# int range fastethernet 1/0 - 1
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 10
Switch(config-if-range)# no shutdown
Switch(config-if-range)# exit
Switch(config)# int range fastethernet 1/2 - 3
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 20
Switch(config-if-range)# no shutdown
Switch(config-if-range)# exit
Switch(config)# Step 4. Configure IP addresses on all PCs:
If you are using GNS3, on PC1 use the command “ip 10.1.1.1/8“, on PC2 use “ip 10.1.1.2/8“, on PC3 use “ip 20.1.1.1/8“, and on PC4 use “ip 20.1.1.2/8“.
Step 5. Verify Ping Connectivity between PCs:
In this topology, PC1 and PC2 are in the same network, so they should be able to ping each other. You can verify this by using the command “ping 10.1.1.2” on PC1. Similarly, PC3 and PC4 should be able to ping each other. Verify this by using the command “ping 20.1.1.2” on PC3. If the ping is not working, first cross-check the IP configuration on all the devices. Then, try using the shutdown and no shutdown commands on the switch interfaces to refresh them.
Step 6. Verify that traffic from VLAN 10 is not reaching VLAN 20:
1. Start a Wireshark capture on the link to PC3.
2. Ping from PC1 to 10.1.1.3.
3. While observing the Wireshark capture on PC3, you should not see any ARP request packets from PC1. This confirms that traffic from VLAN 10 is isolated and not being sent to VLAN 20
Explanation:
By starting a Wireshark capture on the link to PC3 and pinging from PC1 to an IP address (10.1.1.3) that does not exist in VLAN 10, PC1 will broadcast ARP requests to resolve the IP address to a MAC address. If VLANs are correctly configured, these ARP request packets from PC1 should not appear in the Wireshark capture on PC3, as PC3 belongs to VLAN 20. This confirms that traffic from a port in VLAN 10 does not go out to another VLAN.
Note: If you are using GNS3, switchports might not come up even after connecting cables. Verify the interface status with the “show ip interface brief” command to ensure the interfaces are “up.” If pings fail despite the interfaces being up, refresh the interfaces using the “shutdown” and “no shutdown” commands to resolve the issue.
Note: Check the VLAN configuration and port mappings using either the “show vlan brief” or “show vlan-switch brief” command.
VLAN Configuration Example 2 : Configuring Trunk or Tagged Ports
Switch ports are divided in to two types, Access (Untagged) ports and Trunk (Tagged) ports. An access port connects a switch to end devices like PCs, printers, and routers, whereas a trunk port connects a switch to another switch. To configure trunk ports, set the mode to trunk and configure the tagging protocol as dot1q or ISL. By default, configuring a port as a trunk allows all VLANs. You do not need to specify each VLAN explicitly unless you want to restrict the VLANs carried on the trunk.
Objective: Add one more switch to the existing topology with the same VLANs. Configure the ports between the switches as trunk ports and verify whether you can ping between the PCs on these switches.
Topology:
Configuration Procedure :
- Connect Switch2 to Switch1, and connect PC5 and PC6.
- Add VLAN 10 and VLAN 20 on Switch2.
- Configure the connecting ports on Switch1 and Switch2 as trunk ports.
- Configure the tagging protocol as Dot1Q.
- Configure IP addresses on PC5 and PC6.
- Verify whether PC1 can ping PC5 and PC3 can ping PC6.
Step 2. Add VLAN 10 and VLAN 20 on Switch2 :
Switch2# vlan database
Switch2(vlan)# vlan 10 name testers
Switch2(vlan)# vlan 20 name developers
Switch2(vlan)# exitSteps 3 and 4. Configure the connecting ports on Switch1 and Switch2 as trunk ports and Configure the tagging protocol as dot1q :
To configure trunk or tagged ports, you need to use two commands: “switchport mode trunk” and “switchport trunk encapsulation dot1q“. The first command configures the port as a trunk port, and the second command specifies the protocol used to carry VLAN information. In this case, we are using the IEEE 802.1q protocol, also known as dot1q.
Switch1(config)# interface fastethernet 1/4
Switch1(config-if)# switchport mode trunk
Switch1(config-if)# switchport trunk encapsulation dot1q
Switch1(config-if)# exit
Switch2(config)# interface fastethernet 1/0
Switch2(config-if)# switchport mode trunk
Switch2(config-if)# switchport trunk encapsulation dot1q
Switch2(config-if)# exitStep 5. Configure IP addresses on PC5 and PC6:
If you are using GNS3, On PC5 use the command “ip 10.1.1.3/8” and on PC6 use “ip 20.1.1.3/8”
Step 5. Verify Ping Connectivity Between PCs :
To check whether the trunk port configuration is working, you can ping from PC1 on Switch1 to PC5 on Switch2. Use the command “ping 10.1.1.3” on PC1, and the ping should be successful. Similarly, PC3 should be able to ping PC6. Use the command “ping 20.1.1.3” on PC3 to verify this.
Next >>> Understanding Inter-VLAN Communication Using Router on a Stick
Previous >>> What is a VLAN: Its Advantages and Configuration
Further reading : Cisco switch configurations
We’d love to hear your feedback and suggestions about this article. Feel free to reach out to us using the WhatsApp number below.
About The Author:
Sajith Achipra has been a trainer and testing consultant at Zframez Technologies since 2009. With 15+ years of experience, he specializes in networking, Python, development, and testing. He conducts online courses to help students and professionals enhance their skills. You can reach him on WhatsApp at +91 8884 884 844 for your training and testing requirements.