
How To Configure VLAN

Configuring Virtual Local Area Network using Packet Tracer

Uploaded by

Ryan Olaybal
Copyright
© © All Rights Reserved

HOW TO CONFIGURE VLAN AND INTERVLAN ROUTING IN PACKET TRACER
OBJECTIVES
• Define VLAN
• Discuss key terms and concepts under VLAN
• Create a VLAN using network simulator tool
What is a VLAN? (1 of 3)
A Virtual LAN (VLAN) is simply a logical
LAN, just as its name suggests. VLANs
have characteristics similar to those of
physical LANs, except that with VLANs you
can logically group hosts even if they are
physically located on separate LAN
segments.
What is a VLAN? (2 of 3)
We treat each VLAN as a separate subnet
or broadcast domain. For this reason, to
move packets from one VLAN to another,
we have to use a router or a layer 3 switch.
What is a VLAN? (3 of 3)
VLANs are configured on switches by
placing some interfaces into one broadcast
domain and some interfaces into another.
For this tutorial, we’ll configure 2 VLANs on
a switch. We’ll then proceed and configure
a router to enable communication between
the two VLANs.
Advantages of VLAN
• Solve broadcast problem
• Reduce the size of broadcast domains
• Allow us to add an additional layer of security
• Make device management easier
• Allow us to implement the logical grouping of
devices by function instead of location
Solve broadcast problem
When we connect devices to the switch ports, the switch
creates a separate collision domain for each port and a single
broadcast domain for all ports. The switch forwards a broadcast
frame out of all possible ports. In a large network with
hundreds of computers, this can create performance issues.
Of course, we could use routers to solve the broadcast
problem, but that would be a costly solution, since each
broadcast domain requires its own port on the router. The switch
has its own solution to the broadcast issue, known as the VLAN.
In practical environments we use VLANs instead of routers to
solve the broadcast issue.
Reduce the size of broadcast domains
VLANs increase the number of broadcast domains while
reducing their size. For example, we have a network of 100
devices. Without any VLAN implementation, we have a single
broadcast domain that contains 100 devices. We create 2
VLANs and assign 50 devices to each VLAN. Now we have
two broadcast domains with fifty devices in each. Thus
more VLANs means more broadcast domains with fewer
devices in each.
Allow us to add an additional layer of security
VLANs enhance network security. In a typical layer 2
network, all users can see all devices by default. Any user
can see network broadcasts and respond to them. Users can
access any network resource located on that specific
network. Users could join a workgroup just by attaching
their system to an existing switch. This could create real
trouble for security. Properly configured VLANs
give us total control over each port and its users. With
VLANs, you can keep users from gaining unwanted
access to resources. We can put the group of users
that needs a high level of security into its own VLAN so that
users outside that VLAN can’t communicate with them.
Make device management easier
Device management is easier with VLANs. Since VLANs
are a logical approach, a device can be located anywhere
in the switched network and still belong to the same
broadcast domain. We can move a user from one switch to
another switch in the same network while keeping their original
VLAN. For example, our company has a five-story building
and a single layer 2 network. In this scenario, VLANs
allow us to move users from one floor to another
while keeping their original VLAN ID. The only limitation
is that the device, when moved, must still be connected to
the same layer 2 network.
Allow us to implement the logical grouping of devices by function instead of location
VLANs allow us to group users by their function instead
of their geographic location. Switches maintain the
integrity of your VLANs. Users will see only what they are
supposed to see, regardless of what their physical locations
are.
To understand VLANs more clearly, let's take an example
• Our company has three offices.
• All offices are connected with back links.
• The company has three departments: Development,
Production and Administration.
• The Development department has six computers.
• The Production department has three computers.
• The Administration department also has three
computers.
• Each office has two PCs from the Development
department and one each from the Production and
Administration departments.
• The Administration and Production departments have
sensitive information and need to be separated
from the Development department.
• With the default configuration, all computers share
the same broadcast domain. The Development
department can access the Administration or
Production department resources.
• With VLANs we can create logical boundaries
over the physical network. Assume that we
created three VLANs for our network and
assigned them to the related computers.
• VLAN Admin for the Administration department
• VLAN Dev for the Development department
• VLAN Pro for the Production department
Physically we changed nothing, but logically we
grouped devices according to their function. These
groups [VLANs] need a router to communicate with
each other. Logically, our network looks like the
following diagram.
With the help of VLANs, we have separated our single
network into three small networks. These networks do
not share broadcasts with each other, which improves network
performance. VLANs also enhance security. Now the
Development department cannot access the
Administration and Production departments directly.
Different VLANs can communicate only via a router,
where we can configure a wide range of security options.
VLAN Membership
VLAN membership can be assigned to a device by
one of two methods
• Static
• Dynamic
Static
Assigning VLANs statically is the most common
and secure method. It is easy to set up and
supervise. In this method we manually assign
a VLAN to a switch port. VLANs configured in this way
are usually known as port-based VLANs.

The static method is also the most secure, as
any switch port that we have assigned to a VLAN
keeps this association unless we manually
change it. It works really well in a networking
environment where any user movement within the
network needs to be controlled.
Dynamic
In the dynamic method, VLANs are assigned to ports
automatically depending on the connected device.
In this method we have to configure one switch in the
network as a server. The server contains device-specific
information such as MAC address, IP address,
etc.
VLAN Connections
When configuring a VLAN on a port, we need
to know what type of connection the port has.

A switch supports two types of VLAN connection:
• Access link
• Trunk link
Access link
An access link is a connection where the
switch port is connected to a device that has a
standard Ethernet NIC. A standard NIC only
understands IEEE 802.3 or Ethernet II frames.
An access link can only be assigned to a
single VLAN. That means all devices connected to
this port will be in the same broadcast domain.
Trunk link
A trunk link is a connection where the
switch port is connected to a device that is
capable of understanding multiple VLANs. Usually
a trunk link is used to connect two
switches or a switch to a router. Remember that earlier in
this article I said that a VLAN can span anywhere in
the network; that is possible because of trunk
links. Trunking allows us to send or receive
VLAN information across the network. To support
trunking, the original Ethernet frame is modified to
carry VLAN information.
Access link and Trunk link
Now let’s try an example
Steps on How to create VLAN
1. In Cisco Packet Tracer, create the network topology as
shown below:
2. Create 2 VLANs on the switch: VLAN 10 and VLAN
20. You can give them custom names.

Note: to enter Switch# mode, just type enable and press Enter. Example:
Switch>enable (then press enter)
Switch#
3. Assign switch ports to the VLANs. Remember each
VLAN is viewed as a separate broadcast domain.

• Before you configure, keep in mind that switch
ports can be either access or trunk.
• An access port is assigned to a single VLAN. These
ports are configured for switch ports that connect to
devices with a normal network card, for example a PC in
a network.
• A trunk port, on the other hand, is a port that can be
connected to another switch or router. This port can carry
traffic of multiple VLANs.
• So in our case, we’ll configure switch interfaces fa0/1
through fa0/4 as access ports to connect to our PCs.
Here, interfaces fa0/1 and fa0/2 are assigned to VLAN
10 while interfaces fa0/3 and fa0/4 are assigned to
VLAN 20.
• Switch interface fa0/5 will be configured as a trunk port, as
it will be used to carry traffic between the two VLANs via
the router.
• Interface fa0/5 is configured as a trunk and will be used
for inter-VLAN communication.
4. Assign static IP addresses to the four PCs, which are
located in the separate VLANs. PC1 and PC2 fall in VLAN
10 while PC3 and PC4 fall in VLAN 20.
• It is now clear that we treat a VLAN just like a
physical LAN when assigning IP addresses.
• At this point, let’s test connectivity within VLANs
and between VLANs.
• To test communication between hosts in the same VLAN:
ping PC2 from PC1, both in VLAN 10. The ping test should be
successful.
To test connectivity between hosts in different VLANs:
• Ping PC3 in VLAN 20 from PC1 in VLAN 10. The ping here
will definitely fail. Why? Because inter-VLAN routing is
not yet enabled. You can see how we’ve used
VLANs to place the hosts into two logical networks, which
can be viewed as separate broadcast domains.
• Now, in order to allow the hosts in the two VLANs to
communicate, we need to do something extra, and you
can guess what: we’ll configure the router to permit
inter-VLAN communication. Let’s do that right away.
5. Configure inter-VLAN routing on the router
• We’ll configure the router so that it enables
communication between the two VLANs via a single
physical interface. How is this made possible? We’ll divide
the single physical interface on the router into logical
interfaces (sub-interfaces). Each sub-interface will then
serve as the default gateway for one of the VLANs. This
scenario is called router on a stick (R.O.A.S) and will
allow the VLANs to communicate through the single
physical interface.
• Worth noting: we can’t assign an IP address to the
router’s physical interface that we have subdivided
into logical sub-interfaces. We’ll instead assign IP
addresses to the sub-interfaces.
The router configurations:

As you can see from the above, the router's physical interface fa0/0 was subdivided into two
sub-interfaces (fa0/0.10 and fa0/0.20), which are then configured as trunk interfaces and given IP
addresses.
6. Test inter-VLAN connectivity.

• Here we’ll test connectivity between computers in
different VLANs. Don’t forget that it’s the router that
enables inter-VLAN routing.
• Ping PC3 in VLAN 20 from PC1 in VLAN 10. If
everything is configured correctly, the ping should
succeed.
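As an added example (not the configuration from the original slides), the commands below implement steps 2, 3 and 5 on a Catalyst 2960-style switch and a router in Packet Tracer. The VLAN and interface numbers are the ones used above; the VLAN names, the 192.168.10.0/24 and 192.168.20.0/24 subnets, and the restriction of the trunk to VLANs 10 and 20 are assumptions.

```cisco
! ===== Switch (steps 2 and 3) =====
enable
configure terminal
! Step 2: create the VLANs (names are constructed for this example)
vlan 10
 name VLAN10-USERS
vlan 20
 name VLAN20-USERS
exit
! Step 3: fa0/1-2 are access ports in VLAN 10, fa0/3-4 in VLAN 20
interface range fastEthernet 0/1 - 2
 switchport mode access
 switchport access vlan 10
interface range fastEthernet 0/3 - 4
 switchport mode access
 switchport access vlan 20
! fa0/5 is the trunk to the router; carrying only VLANs 10 and 20
! is an added restriction, not something the steps above require
interface fastEthernet 0/5
 switchport mode trunk
 switchport trunk allowed vlan 10,20
end
! Verify port membership and trunk state
show vlan brief
show interfaces trunk

! ===== Router (step 5, router on a stick) =====
enable
configure terminal
! The physical interface gets no IP address; it only has to be up
interface fastEthernet 0/0
 no ip address
 no shutdown
! One sub-interface per VLAN: tag it with the VLAN ID, then give it
! the address the PCs in that VLAN use as default gateway (assumed subnets)
interface fastEthernet 0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
interface fastEthernet 0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
end
show ip interface brief
```

With these assumed addresses, PC1 and PC2 use 192.168.10.1 as their default gateway and PC3 and PC4 use 192.168.20.1. Once the step 6 ping succeeds, the router forwards all traffic between VLAN 10 and VLAN 20, so any separation between the two then depends on access lists applied on the sub-interfaces.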
END
