With multiple hosts and servers on layer 2 switches, there are several issues arises that should be dealt by network administrators. One major problem is its broadcast can flood to all ports resulting to the consumption of unnecessary bandwidth. And, security vulnerability, since all devices attached to layer 2 devices can forward and receive frames to and from every other devices on that same switch.

One solution for this is through configuration of VLAN or Virtual Local Area Network. According to Cisco, “A VLAN is a logical broadcast domain that can span multiple physical LAN segments. It allows an administrator to group together stations by logical function, by project teams, or by applications, without regard to physical location of the users.”

There are 2 ways to configure a VLAN

1. Static VLAN which requires administrator to interactively assign each switch port to a specific VLAN

2. Dynamic VLAN which requires VLAN management policy server (VMPS) to scan for a match address from the database and temporarily assign the port used by the device  to the appropriate VLAN.

Through VLAN, we can group packets according to its vlan id as it goes in and out to switches. We can configure this using manageable switches.

Watch for the complete VLAN configuration

You can follow by downloading the preconfigured packet tracer activity file in this exercise.

Steps to Configure Private VLAN

1. Create VLAN ID and VLAN NAME

(config)#vlan <vlan id>
(config-vlan)#name <vlan name>

Specify the appropriate VLAN id for the assigned VLAN. In this activity, VLAN 10 for students, 20 for Instructors and 30 for admins. Assign a name which makes VLAN ID identifiable such as Students, Instructors, Administrators.

2. Assign ports to VLAN

By default, all ports are assigned as members of VLAN 1. There are two ways to add ports to VLAN. We can add ports individually or adding ports in range.

Assigning ports individually to VLAN

(config)#interface fa#/#
(config-if)#switchport access vlan <vlan id>

Assigning port range to VLAN

(config)#interface range fa#/start_of_range - end_of_range
(config-if)#switchport access vlan <vlan id>

In this activity, we will assign port ranges to specific VLAN groups. Interface range fa0/1-9 specifies ports 1-9 to be assigned for VLAN 10. Switchport mode access specifies port access function. Switchport access vlan 10 specifies the range of ports to be a member of VLAN 10. Do this to all switches that has VLAN groups.

3. Configure VLAN trunk port

This is configuration is required for multiple vlan frames to travel using a single port or link. Trunk port is necessary to forward frames from one device going to another. In this activity, we will enable fa0/24 of 3 floor switches to act as truck port in order to receive and forward vlan frames to main switch. To configure port for trunking, interface fa0/24 where fa0/24 is the specific port for trunking. Issue the command switchport mode trunk, this will change the port mode to accept multiple vlan frames. Supply the command switchport trunk allowed vlan all to allow all vlans to communicate with each other. 

(config)#interface <interface id> 
(config-if)#switchport mode trunk 
(config)#switchport trunk native vlan <vlan id> 
(config-if)#switchport trunk allowed vlan add <vlan list>

specify all necessary commands and save your vlan configuration.

4. Verify VLAN settings

You can view the configuration and effectivity of the configuration using the command

show interfaces {interface id | vlan <vlan id> | switchport}