Implementing VLANs
How to implement a VLAN

To create or configure a VLAN and associate switch ports, follow these steps:

Step 1 Create the VLAN
Step 2 Verify the VLAN configuration
Step 3 Associate switch ports with the VLAN
Step 4 Verify the switch port configuration
Step 5 Test VLAN connectivity
Step 6 Implement switch and VLAN security measures

Figure has the steps, explained in greater detail:

1. Create or Configure a VLAN
Before assigning a switch port to a specific VLAN, the VLAN may need to be created. The example below shows the syntax for creating a VLAN using the IOS interface.

To create a VLAN or enter vlan configuration mode, use the vlan command:

Switch(config)# vlan vlan_id

2. Verify VLAN Configuration
Execute the show vlan command from privileged EXEC mode. It displays information about a particular VLAN. The fields in the show vlan command output are:

3. Associate Switch Ports with the VLAN
Switch ports that are to function at Layer 2 and carry traffic for a single VLAN are configured as access switch ports and are assigned an access VLAN.

To configure a Layer 2 switch port as an access port, use:

Switch(config-if)# switchport mode access

To assign the access port to a specific VLAN:

Switch(config-if)# switchport access vlan vlan_id

4. Verify Switch Port Configuration
The following commands are useful for verifying that a switch port is configured as intended:

show interface type slot/port switchport
show running-config interface type slot/port
show vlan

Example output of show running-config interface:

Switch#show running-config interface fastethernet 5/6
Building configuration...
!
Current configuration :33 bytes
interface FastEthernet 5/6
switchport access vlan 200
switchport mode access
end

5. Test VLAN Connectivity
After placing a device on the configured switch port, these steps will help verify if the device is connecting to the VLAN as intended:

Step 1 Ensure that the connected device has a correctly configured IP address and a subnet mask that places it on the same network as the default gateway.
Step 2 Ping the default gateway.
Step 3 If the ping to the default gateway is successful, the VLAN configuration and the IP address configuration have been verified.

6. Implement Switch and VLAN Security Measures

When implementing VLANs, there are a few measures that should be considered to secure the VLAN and the switch itself. The security policy of the organization will likely have more detailed recommendations, but these can provide a foundation. Security will be covered in more detail in the "Securing Your Multilayer Network to Minimize Service Loss and Data Theft" module.

  • Create a "parking-lot" VLAN with a VLAN ID other than VLAN1 and place all unused switch ports in this VLAN. This VLAN may provide the user with some minimal network connectivity. (Check on the security policy of your organization before implementing.)
  • Disable unused switch ports depending on the security policy of the organization.
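
One way to check the two measures above against a saved running configuration, as an added example that is not part of the original course material. The list of in-use ports, the parking-lot VLAN ID 999, the sample configuration and the function names are assumptions made for illustration.

```python
import re

# Constructed sample in the style of `show running-config` (not from a real switch).
SAMPLE_CONFIG = """\
interface FastEthernet5/5
 switchport access vlan 200
!
interface FastEthernet5/6
 switchport access vlan 999
 shutdown
!
interface FastEthernet5/7
 switchport mode access
!
interface FastEthernet5/8
 switchport access vlan 999
!
"""

def parse_interfaces(config):
    """Return {interface: {"vlan": int, "shutdown": bool}} from running-config text."""
    ports, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line[len("interface "):].replace(" ", "")
            # A port with no "switchport access vlan" line stays in the default VLAN 1.
            ports[current] = {"vlan": 1, "shutdown": False}
        elif line in ("!", "end"):
            current = None
        elif current is not None:
            m = re.fullmatch(r"switchport access vlan (\d+)", line)
            if m:
                ports[current]["vlan"] = int(m.group(1))
            elif line == "shutdown":
                ports[current]["shutdown"] = True
    return ports

def audit_unused_ports(config, in_use, parking_vlan, require_shutdown=True):
    """List (port, finding) pairs for unused ports that miss the step 6 measures."""
    if parking_vlan == 1:
        raise ValueError("parking-lot VLAN must have an ID other than VLAN 1")
    findings = []
    for port, cfg in parse_interfaces(config).items():
        if port in in_use:  # in_use is supplied by the operator (assumption)
            continue
        if cfg["vlan"] != parking_vlan:
            findings.append((port, f"in VLAN {cfg['vlan']}, expected parking-lot VLAN {parking_vlan}"))
        if require_shutdown and not cfg["shutdown"]:
            findings.append((port, "not shut down"))
    return findings
```

Set require_shutdown=False when the security policy of the organization allows unused ports to stay enabled in the parking-lot VLAN.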

Lab Activity

Lab Exercise: Catalyst 2950T and 3550 Series Static VLANS

Create and maintain VLANs on a Cisco Catalyst 2950T or 3550 series Ethernet switch using the command-line interface (CLI) mode.