Archive for the 'Cisco Switches' Category



How to Configure VLANs on a Cisco Switch

Saturday 11 April 2009 @ 12:58 pm

This post deals with configuring Layer 2 VLANs on Cisco switches. Up to 4094 VLANs can be configured on Cisco Catalyst switches. By default, only VLAN 1 is configured on the switch, so if you connect hosts to an out-of-the-box switch, they all belong to the same Layer 2 broadcast domain.

The need to configure several Layer 2 VLANs on a switch arises from the need to segment an internal Local Area Network (LAN) into different IP subnetworks. If, for example, you want to separate the different departments of your enterprise into different IP subnetworks, then each department should belong to its own Layer 2 VLAN. For example, let’s assume the following scenario:

  • Accounting Department: IP Subnet 192.168.2.0/24 –> VLAN 2
  • Management Department: IP Subnet 192.168.3.0/24 –> VLAN 3
  • Engineering Department: IP Subnet 192.168.4.0/24 –> VLAN 4

Separating the internal LAN into different IP subnets (and thus different VLANs) allows network administrators to enforce traffic restrictions between departments where needed and to have better control of internal hosts.

VLAN assignment on a switch is configured on a per-interface basis. That is, each switch port interface is assigned individually to a Layer 2 VLAN. If you have more than one switch connected and you want the same VLANs to span all switches, then a Trunk Port must be configured between the switches. By default, the Trunk Port passes all VLANs between the switches. Let’s see the following network scenario to help us clarify some concepts.

On the LAN network above, we have three VLANs: VLAN 2, 3, and 4. VLAN 4 belongs to both SWITCH 1 and SWITCH 2, so we need a Trunk Port between the two switches in order for hosts in VLAN 4 on Switch 1 to be able to communicate with hosts in VLAN 4 on Switch 2.

The ports of the two switches shall be configured as follows:

SWITCH 1:
Fe0/1 – Fe0/2 –> VLAN 2 (Accounting)
Fe0/10 – Fe0/11 –> VLAN 4 (Engineering)
Fe0/24 –> Trunk Port

SWITCH 2:
Fe0/1 – Fe0/2 –> VLAN 3 (Management)
Fe0/10 – Fe0/11 –> VLAN 4 (Engineering)
Fe0/24 –> Trunk Port

Configuration:

Switch 1 Configuration:
!  Create VLANs 2 and 4 in the switch database
!  (use "exit" rather than "end" between steps to stay in configuration mode)
Switch1# configure terminal
Switch1(config)# vlan 2
Switch1(config-vlan)# name Accounting
Switch1(config-vlan)# exit

Switch1(config)# vlan 4
Switch1(config-vlan)# name Engineering
Switch1(config-vlan)# exit

!  Assign Ports Fe0/1 and Fe0/2 in VLAN 2
Switch1(config)# interface fastethernet0/1
Switch1(config-if)# switchport mode access
Switch1(config-if)# switchport access vlan 2
Switch1(config-if)# exit
Switch1(config)# interface fastethernet0/2
Switch1(config-if)# switchport mode access
Switch1(config-if)# switchport access vlan 2
Switch1(config-if)# exit

!  Assign Ports Fe0/10 and Fe0/11 in VLAN 4
Switch1(config)# interface fastethernet0/10
Switch1(config-if)# switchport mode access
Switch1(config-if)# switchport access vlan 4
Switch1(config-if)# exit
Switch1(config)# interface fastethernet0/11
Switch1(config-if)# switchport mode access
Switch1(config-if)# switchport access vlan 4
Switch1(config-if)# exit

!  Create Trunk Port Fe0/24
!  (on switches that support both ISL and 802.1Q, set the encapsulation before the trunk mode)
Switch1(config)# interface fastethernet0/24
Switch1(config-if)# switchport trunk encapsulation dot1q
Switch1(config-if)# switchport mode trunk
Switch1(config-if)# end

Switch 2 Configuration:
!  Create VLANs 3 and 4 in the switch database
!  (use "exit" rather than "end" between steps to stay in configuration mode)
Switch2# configure terminal
Switch2(config)# vlan 3
Switch2(config-vlan)# name Management
Switch2(config-vlan)# exit

Switch2(config)# vlan 4
Switch2(config-vlan)# name Engineering
Switch2(config-vlan)# exit

!  Assign Ports Fe0/1 and Fe0/2 in VLAN 3
Switch2(config)# interface fastethernet0/1
Switch2(config-if)# switchport mode access
Switch2(config-if)# switchport access vlan 3
Switch2(config-if)# exit
Switch2(config)# interface fastethernet0/2
Switch2(config-if)# switchport mode access
Switch2(config-if)# switchport access vlan 3
Switch2(config-if)# exit

!  Assign Ports Fe0/10 and Fe0/11 in VLAN 4
Switch2(config)# interface fastethernet0/10
Switch2(config-if)# switchport mode access
Switch2(config-if)# switchport access vlan 4
Switch2(config-if)# exit
Switch2(config)# interface fastethernet0/11
Switch2(config-if)# switchport mode access
Switch2(config-if)# switchport access vlan 4
Switch2(config-if)# exit

!  Create Trunk Port Fe0/24
!  (on switches that support both ISL and 802.1Q, set the encapsulation before the trunk mode)
Switch2(config)# interface fastethernet0/24
Switch2(config-if)# switchport trunk encapsulation dot1q
Switch2(config-if)# switchport mode trunk
Switch2(config-if)# end
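
The trunk configured above carries every VLAN, although only VLAN 4 needs to cross between the two switches. The following audit script is an added example, not part of the original post: it reads a saved running-config and lists ports that deserve a second look. The sample config is constructed from the Switch 1 scenario (Fa0/5 is a hypothetical unused port), and the function names are illustrative.

```python
import re

# Constructed sample: Switch 1 from the post in running-config form,
# plus one untouched port (Fa0/5) left at factory defaults.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 2
!
interface FastEthernet0/5
!
interface FastEthernet0/10
 switchport mode access
 switchport access vlan 4
!
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
"""

def parse_interfaces(config):
    """Return {interface: {'mode', 'access_vlan', 'allowed'}} from config text."""
    ports, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = ports.setdefault(
                m.group(1), {"mode": None, "access_vlan": 1, "allowed": None})
        elif current is None or not line.startswith(" "):
            current = None  # any unindented line ends the interface stanza
        elif m := re.match(r" switchport mode (\S+)", line):
            current["mode"] = m.group(1)
        elif m := re.match(r" switchport access vlan (\d+)", line):
            current["access_vlan"] = int(m.group(1))
        elif m := re.match(r" switchport trunk allowed vlan (\S+)", line):
            current["allowed"] = m.group(1)
    return ports

def audit(config):
    """List (interface, finding) pairs worth reviewing."""
    findings = []
    for name, p in parse_interfaces(config).items():
        if p["mode"] is None:
            findings.append((name, "no explicit switchport mode"))
        elif p["mode"] == "trunk" and p["allowed"] is None:
            findings.append((name, "trunk carries all VLANs (no allowed list)"))
        elif p["mode"] == "access" and p["access_vlan"] == 1:
            findings.append((name, "access port left in default VLAN 1"))
    return findings
```

Adding `switchport trunk allowed vlan 4` under Fe0/24 on both switches clears the trunk finding for this scenario.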




Cisco Switches with Power over Ethernet PoE

Thursday 16 October 2008 @ 1:39 pm

Cisco has been supporting the standardized 802.3af Power over Ethernet feature since 2004. Catalyst switches with PoE are available as 10/100 PoE or even 10/100/1000 PoE. The Power over Ethernet feature is an excellent option for deployments of Cisco IP Phones. Wireless access points and security cameras can also be powered by PoE switches. The technology uses the Cat5/Cat6 Ethernet cable to deliver power in addition to data, thus removing the need for power adaptors on the devices.

The following Cisco Models support PoE:

  • 2960
  • 3750
  • 3560
  • 4500
  • 6500



Configuring a Cisco Catalyst Switch SPAN mirroring port

Friday 15 August 2008 @ 1:52 am

For Network Engineers, the ability to mirror switch traffic and send it to a sniffer for analysis is an essential troubleshooting technique. All Cisco Catalyst switches support the Switched Port Analyzer (SPAN) feature, which copies traffic from specified switch source ports or VLANs and mirrors this traffic to a specified destination switch port (SPAN port). You can then connect a PC running a sniffer tool (like Wireshark) to the destination SPAN port to capture all mirrored traffic. The diagram below shows this:

To utilize the switch SPAN mirroring feature, configure the following on the Catalyst switch:

Configuration Example – Monitoring an entire VLAN traffic
c3750(config)#monitor session 1 source vlan 5
c3750(config)#monitor session 1 destination interface fastethernet 0/3

The configuration above will capture all traffic of VLAN 5 and send it to SPAN port fastethernet 0/3.

Configuration Example – Monitoring traffic from a specific interface
c3750(config)#monitor session 1 source interface fastethernet 0/1
c3750(config)#monitor session 1 destination interface fastethernet 0/2

The configuration above will capture all traffic from interface 0/1 and send it to SPAN port fastethernet 0/2.

Use the command show monitor session 1 to verify your configuration.




Cisco Router-on-a-stick with Switch

Thursday 14 August 2008 @ 10:29 am

In this post I will explain how to provide routing between two VLANs on a simple Layer 2 switch using a Cisco router with just one interface. This is also called Router-on-a-stick. This configuration is often asked about in CCNA exams, so I hope it will be helpful for people preparing for certification. Let's see the diagram below to get us started:

A Cisco Layer 2 switch carries two VLANs (VLAN 10 – RED and VLAN 20 – GREEN) with two hosts connected to them as shown on the diagram above. The first host belongs to Network 10.10.10.0/24 (VLAN 10) and the second one to 20.20.20.0/24 (VLAN 20). By default, if the switch is just a normal Layer 2 switch, the two hosts cannot communicate with each other because they belong to different VLANs and there is no routing. Thus, if we want to provide network connectivity between the two VLANs, we need to have a Layer 3 engine somewhere in the network. This can be accomplished either if the switch is Layer 3 or if there is a router in place. In our example we use a router to provide Layer 3 connectivity as shown in our diagram.

The router uses just a single interface connected to a trunk port on the switch. The router interface is divided into two subinterfaces, with each subinterface belonging to the appropriate VLAN. The switch port connected to the router must be a trunk in order to carry both VLANs towards the router port. Let's see the configuration below:

SWITCH CONFIGURATION
# conf t
!  Create the VLANs in global configuration mode
!  ("vlan database" is a privileged EXEC command, not a configuration-mode one)
(config)# vlan 10
(config-vlan)# name RED
(config-vlan)# exit
(config)# vlan 20
(config-vlan)# name GREEN
(config-vlan)# exit
(config)# interface FastEthernet1/0/1
(config-if)# description trunk-to-router-on-a-stick
(config-if)# switchport trunk encapsulation dot1q
(config-if)# switchport mode trunk
(config-if)# exit
(config)# interface FastEthernet1/0/2
(config-if)# description connection-to-RED-VLAN
(config-if)# switchport mode access
(config-if)# switchport access vlan 10
(config-if)# exit
(config)# interface FastEthernet1/0/3
(config-if)# description connection-to-GREEN-VLAN
(config-if)# switchport mode access
(config-if)# switchport access vlan 20
(config-if)# exit
(config)# exit
# copy run start

ROUTER CONFIGURATION
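# conf t
!  Bring up the physical interface (router interfaces are shut down by default)
(config)# interface fastethernet 0/0
(config-if)# no shutdown
(config-if)# exit
!  One subinterface per VLAN, tagged with that VLAN's 802.1Q ID
(config)# interface fastethernet 0/0.10
(config-subif)# encapsulation dot1q 10
(config-subif)# ip address 10.10.10.2 255.255.255.0
(config-subif)# exit
(config)# interface fastethernet 0/0.20
(config-subif)# encapsulation dot1q 20
(config-subif)# ip address 20.20.20.2 255.255.255.0
(config-subif)# exit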

Now, for the two hosts to communicate with each other, each must use the IP address of the corresponding router subinterface as its default gateway (e.g. for the host in VLAN 10 the gateway must be 10.10.10.2, and for the host in VLAN 20 the gateway must be 20.20.20.2).
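
A host with the wrong gateway, or with an address outside its VLAN's subnet, is the usual reason inter-VLAN routing appears broken in this setup. The check below is an added example, not part of the original post: it reads the router subinterfaces from a saved running-config and validates a host's settings against its VLAN. The host addresses used with it are constructed and the function names are illustrative.

```python
import ipaddress
import re

# Constructed sample: the router subinterfaces from the post, as they
# would appear in running-config form.
ROUTER_CONFIG = """\
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.10.10.2 255.255.255.0
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 20.20.20.2 255.255.255.0
!
"""

def vlan_gateways(config):
    """Map each 802.1Q VLAN tag to the subinterface's address and mask."""
    gateways, vlan = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            vlan = None  # new stanza: forget the previous tag
        elif m := re.match(r" encapsulation dot1q (\d+)", line, re.I):
            vlan = int(m.group(1))
        elif (m := re.match(r" ip address (\S+) (\S+)", line)) and vlan:
            gateways[vlan] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return gateways

def check_host(config, vlan, host_ip, host_gateway):
    """Return a list of problems with a host's settings (empty if it can route)."""
    gw = vlan_gateways(config).get(vlan)
    if gw is None:
        return [f"no router subinterface tagged for VLAN {vlan}"]
    problems = []
    if ipaddress.ip_address(host_ip) not in gw.network:
        problems.append(f"{host_ip} is outside {gw.network}")
    if ipaddress.ip_address(host_gateway) != gw.ip:
        problems.append(f"gateway should be {gw.ip}, not {host_gateway}")
    return problems
```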



