To create or configure a VLAN and associate switch ports, follow these steps:
Step 1 Create the VLAN
Step 2 Verify the VLAN configuration
Step 3 Associate switch ports with the VLAN
Step 4 Verify the switch port configuration
Step 5 Test VLAN connectivity
Step 6 Implement switch and VLAN security measures
Figure has the steps, explained in greater detail:

1. Create or Configure a VLAN
Before assigning a switch port to a specific VLAN, the VLAN may need to be created. The example below shows the syntax for creating a VLAN using the IOS interface.
To create a VLAN or enter vlan configuration mode, use the vlan command:
Switch(config)# vlan vlan_id

2. Verify VLAN Configuration
Execute the show vlan command from privileged EXEC mode. It displays information about a particular VLAN.
The fields in the show vlan command output are:

3. Associate Switch Ports with the VLAN
Switch ports that are to function at Layer 2 and carry traffic for a single VLAN are configured as access switch ports and are assigned an access VLAN.
To configure a Layer 2 switch port as an access port, use:
Switch(config-if)# switchport mode access
To assign the access port to a specific VLAN:
Switch(config-if)# switchport access vlan vlan_id

4. Verify Switch Port Configuration
The following commands are useful for verifying that a switch port is configured as intended:
Building configuration...
!
Current configuration :33 bytes
interface FastEthernet 5/6
 switchport access vlan 200
 switchport mode access
end

5. Test VLAN Connectivity
After placing a device on the configured switch port, these steps will help verify that the device is connecting to the VLAN as intended:
Step 1 Ensure that the connected device has a correctly configured IP address and a subnet mask that places it on the same network as the default gateway.
Step 2 Ping the default gateway.
Step 3 If the ping to the default gateway is successful, the VLAN configuration and the IP address configuration have been verified.

6. Implement Switch and VLAN Security Measures
When implementing VLANs, there are a few measures that should be considered to secure the VLAN and the switch itself. The security policy of the organization will likely have more detailed recommendations, but these can provide a foundation. Security will be covered in more detail in the "Securing Your Multilayer Network to Minimize Service Loss and Data Theft" module.
Create a "parking-lot" VLAN with a VLAN ID other than VLAN1 and place all unused switch ports in this VLAN. This VLAN may provide the user with some minimal network connectivity. (Check on the security policy of your organization before implementing.)
Disable unused switch ports depending on the security policy of the organization.
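
One way to check a saved running configuration against the two measures above, as an added example that is not part of the original course text. It goes beyond the page by automating the check. The parking-lot VLAN ID 999, the sample interface stanzas and the operator-supplied set of in-use ports are all assumptions.

```python
import re

PARKING_VLAN = 999  # assumed parking-lot VLAN ID (hypothetical); must not be VLAN 1
# Constructed sample in running-config style; not taken from the page.
SAMPLE_CONFIG = """\
interface FastEthernet5/5
 switchport mode access
!
interface FastEthernet5/6
 switchport access vlan 200
 switchport mode access
!
interface FastEthernet5/7
 switchport access vlan 999
 shutdown
!
interface FastEthernet5/8
 switchport access vlan 999
"""


def parse_interfaces(config):
    """Map interface name -> {"vlan": int, "shutdown": bool}; VLAN 1 is the default."""
    ports, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = line.split(None, 1)[1].strip()
            current = ports.setdefault(name, {"vlan": 1, "shutdown": False})
        elif not line.startswith(" "):
            current = None  # "!" or a global command closes the interface stanza
        elif current is not None:
            m = re.fullmatch(r"switchport access vlan (\d+)", line.strip())
            if m:
                current["vlan"] = int(m.group(1))
            elif line.strip() == "shutdown":
                current["shutdown"] = True
    return ports


def audit(config, in_use, parking_vlan=PARKING_VLAN, require_shutdown=True):
    """Return (interface, finding) pairs for unused ports that miss the step 6 measures."""
    if parking_vlan == 1:
        raise ValueError("parking-lot VLAN must use an ID other than VLAN 1")
    findings = []
    unused = {n: p for n, p in parse_interfaces(config).items() if n not in in_use}
    for name, port in unused.items():
        if port["vlan"] != parking_vlan:
            findings.append((name, f"access VLAN {port['vlan']}, expected {parking_vlan}"))
        if require_shutdown and not port["shutdown"]:
            findings.append((name, "unused port is not shut down"))
    return findings
```

Set require_shutdown=False when the security policy lets parked ports stay enabled for minimal connectivity, so that only the VLAN placement is checked.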