CCNA Lab 2: VLANs, Trunking, and Layer 2 Fundamentals

VLANs are the backbone of any switched network. A single misconfiguration can take down an entire segment.

What is a VLAN?

A VLAN (Virtual LAN) is a logical subgroup within a Layer 2 network. Devices in the same VLAN see each other’s broadcasts; devices in different VLANs do not. This segments broadcast domains without adding physical switches.

Creating VLANs

Static VLANs

vlan 10
 name DATA
 
vlan 20
 name VOICE
 
vlan 30
 name MANAGEMENT
 
vlan 99
 name NATIVE

VLAN 1 exists by default. Never use VLAN 1 for user traffic: it is the default management VLAN and a security risk.

Assign Ports to VLANs (Access Ports)

interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast

Portfast forces the port into forwarding state immediately, skipping STP listening/learning. Use it only on access ports connected to end devices, never on trunk ports.

Multiple Ports at Once

interface range GigabitEthernet0/1-24
 switchport mode access
 switchport access vlan 10

Trunk Ports

Trunks carry multiple VLANs between switches:

interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20,30,99

Native VLAN

The native VLAN carries untagged traffic on the trunk. Both ends must match:

switchport trunk native vlan 99

A native VLAN mismatch causes traffic to leak between VLANs; it is one of the most common and dangerous misconfigurations.

Allowed VLAN List

Restrict the trunk to only the VLANs you need:

switchport trunk allowed vlan 10,20,30,99

VTP (VLAN Trunking Protocol)

VTP propagates VLAN information across the network. It is useful in large environments but dangerous if misused.

vtp mode transparent

Best practice: set every switch to VTP transparent or disable VTP entirely. VTP server/client mode can wipe VLAN databases across your entire network if a switch with a higher revision number joins.

To reset VTP revision:

delete vlan.dat
reload

Verification Commands

show vlan brief
show vlan id 10
show interfaces trunk
show interfaces switchport
show interfaces status
show running-config | section interface

Common Pitfalls

Issue                          | Symptom                         | Fix
Native VLAN mismatch           | Traffic leaking between VLANs   | Match native VLAN on both trunk ends
Trunk allowed VLAN missing     | No connectivity across trunk    | Add VLAN to allowed list
Port not in correct VLAN       | Device can’t reach gateway      | Check switchport access vlan
VTP revision too high          | VLAN database wiped             | Set VTP transparent, delete vlan.dat
Missing switchport mode trunk  | Port stays in DTP dynamic mode  | Explicitly set mode trunk
STP blocking port              | No link but port is up          | Check STP topology, root bridge placement

STP: Spanning Tree Basics

STP prevents loops in redundant topologies:

spanning-tree vlan 1 root primary
spanning-tree vlan 10 root primary

Verify:

show spanning-tree
show spanning-tree root

Lab Scenario: Isolate a Problematic Port

When a switch port is flapping (up/down/up/down):

! On the switch: find the flapping interface, then administratively disable it
show log | include down
configure terminal
interface Gi0/5
 shutdown
 description DISABLED - flapping port
end
wr

Best Practices

  • Use VLAN numbering that makes sense: 10s for data, 20s for voice, 30s for management, 99x for native
  • Document every VLAN with a description in the config
  • Never extend VLANs across routed links; keep L3 at the distribution layer
  • Prune unused VLANs from trunks
  • Disable DTP: switchport nonegotiate
  • Set native VLAN to something other than VLAN 1
  • Use switchport port-security on access ports when needed
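As an added example, not part of the original lab, here is a Python audit of two switches' running-config excerpts against the trunk pitfalls and best practices listed above (native VLAN mismatch, VLAN 1 left as native, DTP not disabled, native VLAN pruned from the allowed list). The two configs, the interface name and the VLAN numbers are constructed for the example.

```python
import re
# Constructed running-config excerpts for both ends of one trunk; interface and VLAN numbers are illustrative.
SWITCH_A = """interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20,30,99
 switchport nonegotiate
"""
SWITCH_B = """interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk allowed vlan 10,20-22,30
"""
def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '10,20-22,99'; 'all' means unrestricted (None)."""
    if spec == "all":
        return None
    ranges = [part.partition("-") for part in spec.split(",")]
    return {v for lo, _, hi in ranges for v in range(int(lo), int(hi or lo) + 1)}

def parse_trunks(config):
    """Per-interface trunk settings from IOS defaults (native VLAN 1, DTP on); 'allowed vlan add/remove' forms are skipped."""
    trunks = {}
    for m in re.finditer(r"^interface (\S+)\n((?: .*\n?)*)", config, re.M):
        name, block = m.groups()
        native = re.search(r"switchport trunk native vlan (\d+)", block)
        allowed = re.search(r"switchport trunk allowed vlan ([\d,-]+|all)", block)
        trunks[name] = {
            "mode": "trunk" if "switchport mode trunk" in block else None,
            "native": int(native.group(1)) if native else 1,
            "allowed": parse_vlan_list(allowed.group(1)) if allowed else None,
            "nonegotiate": "switchport nonegotiate" in block,
        }
    return trunks

def audit_trunk(local, remote, iface):
    """Check both ends of a trunk for the pitfalls and best practices listed above."""
    ends = {"local": parse_trunks(local)[iface], "remote": parse_trunks(remote)[iface]}
    findings = []
    if ends["local"]["native"] != ends["remote"]["native"]:
        findings.append(f"native VLAN mismatch: {ends['local']['native']} vs {ends['remote']['native']}")
    for side, t in ends.items():
        checks = [
            (t["native"] == 1, "native VLAN is VLAN 1"),
            (t["mode"] != "trunk", "no explicit 'switchport mode trunk' (port left to DTP)"),
            (not t["nonegotiate"], "DTP not disabled (no 'switchport nonegotiate')"),
            (t["allowed"] is not None and t["native"] not in t["allowed"], f"native VLAN {t['native']} pruned from the allowed list"),
        ]
        findings += [f"{side}: {msg}" for bad, msg in checks if bad]
    return findings
```

Run against SWITCH_A and SWITCH_B the audit reports the native VLAN mismatch (99 vs 1) plus three findings on the remote side; run against two copies of SWITCH_A it reports nothing.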