VLANs and Trunking

# CHAPTER 7

VLANs and Trunking #

1. Introduction #

In Chapter 6, we learned a hard rule: a single switch is a single Broadcast Domain. If you plug the HR department and the Guest Wi-Fi into the same 48-port switch, they will hear each other's broadcast traffic. Worse, they will have direct Layer 2 access to each other, a massive security violation. In the past, companies solved this by buying two separate physical switches. Today, we solve this with software. We can digitally slice one physical switch into multiple virtual switches using Virtual Local Area Networks (VLANs). In this chapter, we will master the creation of VLANs, understand the difference between Access Ports and Trunk Ports, and decode the 802.1Q tagging protocol.

2. Learning Objectives #

By the end of this chapter, you will be able to:

• Define the purpose and security benefits of Virtual LANs (VLANs).

• Differentiate between a Switch Access Port and a Trunk Port.

• Explain how the 802.1Q protocol "tags" Ethernet frames.

• Understand the concept of the Native VLAN.

• Describe the architectural requirement for Inter-VLAN Routing.

3. Beginner-friendly Explanations #

The Virtual Glass Walls: Imagine an open-plan office (a physical switch). Everyone can hear everyone else shouting (Broadcast traffic). You want the Accounting team to have a private conversation. Instead of building a physical brick wall to separate them, you drop a soundproof glass partition around their desks (A VLAN).

• VLAN 10 (Accounting)

• VLAN 20 (Marketing)

People inside VLAN 10 can only hear other people in VLAN 10. They are mathematically isolated from VLAN 20, even though they are sitting in the same physical room.

4. Access Ports vs. Trunk Ports #

When you configure a Cisco switch, you must assign every physical port a specific role.

1. Access Ports:

• Used for End Devices (Laptops, Printers).

• The port belongs to exactly ONE VLAN.

• *Example:* You configure Port 5 as an Access Port on VLAN 10. The laptop plugged into Port 5 has no idea VLAN 10 exists. The switch handles the isolation invisibly.

2. Trunk Ports:

• Used to connect Switches to other Switches, or Switches to Routers.

• A Trunk port carries traffic for ALL VLANs simultaneously down a single physical cable.

• *Why?* If you have 5 VLANs spread across two different buildings, you do not want to run 5 separate fiber-optic cables between the buildings. You run one Trunk cable.

5. 802.1Q VLAN Tagging #

If a Trunk port carries traffic for both VLAN 10 and VLAN 20 down the same cable, how does the receiving switch know which packet belongs to which VLAN? It uses the 802.1Q Protocol. Before the Switch sends the frame down the Trunk cable, it literally rips open the Ethernet Frame and injects a tiny 4-byte "Tag" containing the VLAN ID (e.g., 10). When the receiving switch gets the frame, it reads the Tag, says *"Ah, this goes to VLAN 10,"* strips the Tag off, and forwards the frame to the correct Access Port.

6. The Native VLAN #

There is one exception on a Trunk link: The Native VLAN (Usually VLAN 1 by default). Traffic belonging to the Native VLAN is Untagged. It travels down the trunk cable without the 802.1Q tag injected into it. *Security Rule:* Hackers can exploit the default Native VLAN (VLAN 1) to jump between networks. Professional network engineers always change the Native VLAN to an unused "dead" number (like VLAN 999) and disable VLAN 1 entirely.

7. Diagrams/Visual Suggestions #

*Visual Concept: The Trunk Cable* Draw two Switches (Switch A and Switch B). On Switch A, draw a Red PC (VLAN 10) and a Blue PC (VLAN 20). Do the same on Switch B. Draw a single, thick cable connecting the two switches labeled "Trunk Port". Show a Red packet moving onto the Trunk cable, and draw a tiny sticky-note being attached to it labeled "Tag: 10". This visually explains how multiple networks share one physical wire.

8. Best Practices #

• One Subnet per VLAN: This is the golden rule of network architecture. Every VLAN must be paired with its own unique IP Subnet.

• VLAN 10 = 10.0.10.0 /24

• VLAN 20 = 10.0.20.0 /24

This keeps the logic perfectly organized and makes routing tables much easier to read.

9. Common Mistakes #

• Trunking Mismatches: A junior engineer connects Switch A to Switch B. They configure Port 1 on Switch A as a Trunk. But they forget to configure Port 1 on Switch B, leaving it as an Access port. The link completely breaks. Trunk ports must be manually configured on *both* sides of the cable to function properly.

10. Mini Project: Inter-VLAN Routing (Theory) #

If VLAN 10 is mathematically isolated from VLAN 20, how does the Accounting team send an email to the Marketing team? *A Switch cannot do it.* Layer 2 switches cannot move data between different subnets. You must use a Router. You run a Trunk cable from the Switch up to the Router. The Router receives the VLAN 10 packet, uses its Routing Table to find the 10.0.20.0 network, changes the tag to VLAN 20, and sends it back down to the switch. This architecture is famously called Router-on-a-Stick.

11. Practice Exercises #

1. 1. Differentiate between the function of an Access Port and a Trunk Port on a Cisco network switch.

1. 2. Explain the mechanical purpose of the IEEE 802.1Q standard. Why is tagging necessary on a Trunk link but not on an Access link?

12. MCQs with Answers #

13. Interview Questions #

• Q: Explain the security and performance benefits of segmenting a single 48-port switch into three distinct VLANs. What happens to broadcast traffic in this scenario?

• Q: Walk me through the concept of "Router-on-a-Stick." Why is a router (or Layer 3 switch) required to allow communication between two computers on different VLANs?

• Q: A trunk link is established between two switches, but management traffic is failing. You discover that Switch A has a Native VLAN of 1, and Switch B has a Native VLAN of 99. Explain why this configuration breaks the network.

14. FAQs #

Q: Can a single PC be in two VLANs at the same time? A: Standard end-user laptops only have one network card, so they plug into one Access Port and belong to one VLAN. However, servers in a datacenter often use special network cards that understand 802.1Q. You can plug a server into a Trunk port, and the server itself can interact with multiple VLANs simultaneously!

15. Summary #

In Chapter 7, we unlocked the software-defined power of Layer 2 switches. We utilized Virtual LANs (VLANs) to segment a single physical hardware device into multiple isolated broadcast domains, radically improving network security and performance. We defined the strict roles of switch interfaces: Access Ports for End Devices, and Trunk Ports for interconnecting infrastructure. Finally, we decoded the 802.1Q tagging protocol, proving how thousands of isolated networks can safely share a single physical fiber-optic cable.

16. Next Chapter Recommendation #

VLANs lock computers into isolated rooms. How do we open the doors between those rooms? We need to move up to Layer 3. Proceed to Chapter 8: Routing Fundamentals.