A switch by default puts every port in the same broadcast domain. Plug in 24 devices and they can all reach each other — ARP broadcasts, DHCP requests, everything floods everywhere. That works for a small flat network. The moment you need to separate different groups of users or devices, you need VLANs.
This article walks through what VLANs are, how access and trunk ports work, and finishes with a free Packet Tracer lab — two switches, six PCs, two VLANs. Build it, configure it, break it, understand it.
★ WHAT A VLAN ACTUALLY IS
A VLAN (Virtual Local Area Network) is a logical partition on a switch. Devices on VLAN 10 can reach each other. Devices on VLAN 100 can reach each other. But VLAN 10 and VLAN 100 cannot talk at Layer 2 — they're in completely separate broadcast domains even though they share the same physical hardware.
[ THE ONE SENTENCE VERSION ]
A VLAN makes one physical switch behave like multiple separate switches — each isolated from the others unless you explicitly route between them at Layer 3.
To communicate between VLANs you need a Layer 3 device. That's inter-VLAN routing — covered in the next lab. For now: VLANs isolate at Layer 2, routing connects them at Layer 3.
★ ACCESS PORTS VS TRUNK PORTS
ACCESS PORTS
An access port belongs to exactly one VLAN. The connected device has no idea VLANs exist; it sends and receives ordinary untagged Ethernet frames. The switch assigns every frame that arrives on the port to that port's VLAN, and any frame it forwards out of the port leaves without a tag. Transparent to the end device.
[ ACCESS PORT ]
✓ One VLAN only
✓ Connected device is VLAN-unaware
✓ Switch tags frames internally on ingress, strips on egress
✓ Use for: PCs, printers, access points, servers
TRUNK PORTS
A trunk port carries multiple VLANs on one link using 802.1Q tagging. A 4-byte tag is inserted into each Ethernet frame after the source MAC address, identifying its VLAN; the receiving switch reads the tag, forwards the frame only within that VLAN, and removes the tag before the frame leaves an access port. The one exception is the native VLAN, whose frames cross the trunk untagged. This is how two switches stay VLAN-aware across an uplink.
[ TRUNK PORT ]
✓ Multiple VLANs on one physical link
✓ 802.1Q tag identifies each frame's VLAN
✓ Native VLAN carries untagged traffic — change from default VLAN 1
✓ Use for: switch-to-switch links, switch-to-router uplinks
[ ⚠ NATIVE VLAN ]
The default native VLAN is VLAN 1, which is also the VLAN every unconfigured port sits in. Untagged frames arriving on a trunk are accepted into the native VLAN, and that is what makes the default a known attack vector: a host on the native VLAN can send a double-tagged frame whose outer tag is stripped at the first trunk and whose inner tag then drops it into a VLAN it should never reach. Set the native VLAN to an unused VLAN (99 in this lab) on both ends of every trunk, and turn DTP off with switchport nonegotiate so the port never negotiates trunking with whatever gets plugged in. A native VLAN mismatch between the two ends is logged as a CDP warning, PVST+ may block the affected VLAN on the port, and any untagged frames that do pass land in a different VLAN on each side.
★ IP ADDRESSING
DEVICE   IP             MASK   VLAN             PORT
PC1      192.168.10.1   /24    10 (Students)    S1 Fa0/2
PC2      192.168.10.2   /24    10 (Students)    S1 Fa0/3
PC3      192.168.10.3   /24    100 (Staff)      S1 Fa0/4
PC4      192.168.10.4   /24    100 (Staff)      S2 Fa0/2
PC5      192.168.10.5   /24    10 (Students)    S2 Fa0/3
PC6      192.168.10.6   /24    10 (Students)    S2 Fa0/4
Fa0/1 on each switch is the link between S1 and S2 and becomes the trunk. All six PCs deliberately share the single subnet 192.168.10.0/24 even though they sit in two VLANs: that is what makes the cross-VLAN ping test fail purely at Layer 2, because the ARP request never reaches the other VLAN. In a real network with inter-VLAN routing, each VLAN gets its own subnet.
★ SWITCH CONFIGURATION
STEP 1 — CREATE VLANS (BOTH SWITCHES)
! Run on S1 AND S2. VLAN 99 exists only to serve as the trunk native VLAN; no access port is ever placed in it.
Switch# configure terminal
Switch(config)# vlan 10
Switch(config-vlan)# name Students
Switch(config-vlan)# exit
Switch(config)# vlan 100
Switch(config-vlan)# name Staff
Switch(config-vlan)# exit
Switch(config)# vlan 99
Switch(config-vlan)# name Native_Unused
Switch(config-vlan)# end
Switch# show vlan brief
STEP 2 — CONFIGURE THE TRUNK (BOTH SWITCHES)
! Run on S1 AND S2. Fa0/1 is the inter-switch link. Because 99 is not in the allowed list, the trunk carries no untagged traffic at all.
Switch# configure terminal
Switch(config)# interface fastethernet 0/1
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk allowed vlan 10,100
Switch(config-if)# switchport trunk native vlan 99
Switch(config-if)# end
Switch# show interfaces trunk
★ LAB TASKS
Download the lab file below. The topology is pre-built and PCs are pre-configured with IPs. The switches are unconfigured — that's your job. Complete the tasks in order then verify with the ping tests.
TASK 1 — Create VLAN 10 and VLAN 100 on both S1 and S2. Name them Students and Staff.
TASK 2 — On S1, set Fa0/2 and Fa0/3 as access ports in VLAN 10 and Fa0/4 as an access port in VLAN 100. Enable portfast on all three.
TASK 3 — On S2, set Fa0/2 as an access port in VLAN 100 and Fa0/3 and Fa0/4 as access ports in VLAN 10, matching the IP addressing table. Enable portfast on all three.
TASK 4 — Configure Fa0/1 on both switches as a trunk. Allow VLANs 10 and 100 only. Set the native VLAN to 99 on both ends.
TASK 5 — PING TEST: From PC1, ping PC6. This should succeed: both are Students (VLAN 10) on different switches, and the traffic crosses the trunk tagged as VLAN 10.
TASK 6 — PING TEST: From PC1, ping PC3. This should fail: PC1 is Students (VLAN 10) and PC3 is Staff (VLAN 100). PC1's ARP request for 192.168.10.3 is flooded only within VLAN 10, so it never reaches PC3 and the ping gets no reply. Layer 2 cannot cross a VLAN boundary without a router.
BONUS — PORTFAST: Portfast makes a port skip the STP listening and learning states and go straight to forwarding, so a PC gets a usable link immediately instead of waiting roughly 30 seconds; that is why Tasks 2 and 3 enable it on every access port. Enable it only on ports that face end devices, never on the trunk or on any port that could ever see another switch, because a switch plugged into a portfast port can form a loop before STP reacts.
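A complete configuration for both switches that carries out Tasks 1 to 4 in one pass, added here as a worked example rather than taken from the lab file. It assumes the hostnames S1 and S2 and the port-to-VLAN mapping from the IP addressing table; the switchport nonegotiate line is an added hardening step the tasks do not require, and the show commands at the end are the checks to run before the ping tests.

```cisco
! ---------- S1 ----------
Switch> enable
Switch# configure terminal
Switch(config)# hostname S1
! Task 1: VLANs 10 and 100 for users, 99 reserved for the trunk native VLAN
S1(config)# vlan 10
S1(config-vlan)# name Students
S1(config-vlan)# exit
S1(config)# vlan 100
S1(config-vlan)# name Staff
S1(config-vlan)# exit
S1(config)# vlan 99
S1(config-vlan)# name Native_Unused
S1(config-vlan)# exit
! Task 2: access ports. 'mode access' also stops the port from negotiating a trunk.
S1(config)# interface range fastethernet 0/2 - 3
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 10
S1(config-if-range)# spanning-tree portfast
S1(config-if-range)# exit
S1(config)# interface fastethernet 0/4
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 100
S1(config-if)# spanning-tree portfast
S1(config-if)# exit
! Task 4: trunk to S2. Explicit trunk, DTP off (added hardening), explicit allowed list, unused native VLAN.
S1(config)# interface fastethernet 0/1
S1(config-if)# switchport mode trunk
S1(config-if)# switchport nonegotiate
S1(config-if)# switchport trunk allowed vlan 10,100
S1(config-if)# switchport trunk native vlan 99
S1(config-if)# end
! Verification: VLAN membership, trunk state, and negotiation status of Fa0/1
S1# show vlan brief
S1# show interfaces trunk
S1# show interfaces fastethernet 0/1 switchport
S1# copy running-config startup-config

! ---------- S2 ----------
Switch> enable
Switch# configure terminal
Switch(config)# hostname S2
S2(config)# vlan 10
S2(config-vlan)# name Students
S2(config-vlan)# exit
S2(config)# vlan 100
S2(config-vlan)# name Staff
S2(config-vlan)# exit
S2(config)# vlan 99
S2(config-vlan)# name Native_Unused
S2(config-vlan)# exit
! Task 3: per the addressing table, PC4 (Staff) is on Fa0/2, PC5 and PC6 (Students) on Fa0/3 and Fa0/4
S2(config)# interface fastethernet 0/2
S2(config-if)# switchport mode access
S2(config-if)# switchport access vlan 100
S2(config-if)# spanning-tree portfast
S2(config-if)# exit
S2(config)# interface range fastethernet 0/3 - 4
S2(config-if-range)# switchport mode access
S2(config-if-range)# switchport access vlan 10
S2(config-if-range)# spanning-tree portfast
S2(config-if-range)# exit
! Task 4: the trunk settings must match S1 exactly, native VLAN included
S2(config)# interface fastethernet 0/1
S2(config-if)# switchport mode trunk
S2(config-if)# switchport nonegotiate
S2(config-if)# switchport trunk allowed vlan 10,100
S2(config-if)# switchport trunk native vlan 99
S2(config-if)# end
S2# show vlan brief
S2# show interfaces trunk
S2# show interfaces fastethernet 0/1 switchport
S2# copy running-config startup-config
```

In the output of show interfaces trunk on either switch, Fa0/1 should appear with mode "on", encapsulation 802.1q, native VLAN 99 and allowed VLANs 10,100; in show interfaces fastethernet 0/1 switchport, "Negotiation of Trunking" should read Off. If the trunk is missing from the list, check that both ends are configured before reading the ping results.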
Running this lab on real Cisco hardware instead of Packet Tracer? You'll need a USB-to-RJ45 console cable, since modern laptops have no serial port.