Explained: VLANs and Trunking


Before the introduction of VLANs, in order to run multiple networks you needed separate hardware, while you ‘could’ just shove it all together this would decrease network stability and add a multitude of attack vectors.

One vector is the use of an Ethernet sniffer once network access is gained, allowing the capture of data from accounting, view employee records, or even read the CEOs email.


Expanding on the concepts of collision domains and broadcast domains lets get into VLANs (Virtual LANs). VLANs allow the use of the same set of physical hardware while maintaining multiple logical networks. Accounting, guest WiFi, netmon and netman, eCommerce, all to live on the same hardware but would be separated logically and perform as if they were on separate hardware.

There is one more concept you need to grasp in order for these virtual local area networks to communicate. The art of trunking. Good ol’ 802.1q or as the kids these days say. dot1q.



  • Increase security
  • Reduce hardware costs
  • Reduce broadcast domains


Let’s flesh this network out a bit. You will notice we have added a 1941 and labeled the Gig Eth interface on both the router and switch a trunk port.

VLAN tags are found in the L2 header right after the source address. If the network wants to communicate with the network the traffic must leave the switch go to the router and be sent back to the switch.

All inter-VLAN traffic must transact across the trunk port. The router is the gateway for all of these networks. All intra-VLAN traffic stays on the switch or switches, yes switch to switch trunk ports do exist! For now just understand the words coming out of my mouth.




Now that the base concepts have been sworn in, look for a post on how to configure a network as seen above with a few challenges for you to complete as well. I can’t have all the fun. While you wait check out my post on mac address tables out and complete those challenges.


Collision & Broadcast Domains


Let’s take a trip way back to a point in time when soldering your own ROM chip, vampire taps and thicknets were hip. A time when RadioShack was actually the place to be, at least for people like us.

Businesses ran coax cable for their Ethernet networks. 10Base2(thinnet) and 10Base5(thicknet). Computers would physically access these networks via vampire taps a device which would bite into the cable so bit transmission could occur.  To connect these runs of coax together a device called a hub was used. Hubs were for two things: One to aggregate the linear bus topology and turn the network into a star and Two, to repeat the signal clarity and strength of those 0’s and 1’s and then send them on their way.

A hub in the wild

Every message sent in one port of a hub is flooded out all the other ports which is why I relate this process to screaming.

You can see how electrically this is inherently chaos and leads to CSMA/CD firing off over and over. As a business grows there is a demand for technology thus, more devices are added to this single broadcast, single collision domain network which becomes unusable.

Imagine a small room with 90 yelling Donald Trumps, now laugh…and now cry because you couldn’t work in that environment, and YOU’RE FIRED! Now stop using your imagination, remember you have to go to work on Monday as I’ve crafted this amazing illustration for you.

Because the previous design was hell to support, the bridge was created which reduced the amount of broadcast and collision domains. Hubs are a purely physical layer 1 device, they are also quite dumb and have no built in logic. Bridges are a layer 2 device with logic built in allowing them to choose when and when not to send messages and when and where to send these messages. A bridge is smart enough to read the contents of a frame such as a source and destination MAC address. The memory is used to keep a short list of interfaces<>MACs. This is similar to how today’s switches work.

Below is a bridge in action, separating devices which in turn reduces the amount of collision domains but allows a single broadcast domain to remain. Each interface on a bridge is its own collision domain. In this scenario bridges were just invented and this bridge only has four ports so there is one free. Therefore each set of three devices are in a collision domain. If this bridge say had 12 ports, Each device would be on its own collision domain and 9 of 12 ports would be used.

Switches are what we use today and the line is being blurred here as well. Cisco no longer wants you to view a switch as a strictly layer 2 device. Each switch interface is its own collision domain and broadcast domains can be sliced and diced anyway you wish with the use of VLANs more to come on that in a separate post.


  • As technology progressed this device gained more ports
  • Example: An 8 port hub would connect 8 computers and create a LAN.
  • When the bits went into one port it would be broadcast throughout the other 7 ports
  • As you can see if many hubs were used in a LAN this would increase the potential for collisions especially if you were to network 50 to 100 devices together


  • I consider a repeater a basic signal extender but only for one device
  • A hub also performs the role of a repeater however it has multiple ports
 As demand grew and technology improved the Bridge was invented. This allowed the separation of collision domains and also the logical control of frames using processor/memory which was stored in the bridge. Previously as I said hubs/repeaters were dumb layer 1 devices and just screamed out on all the other ports whatever message came in. Creating a very noisy network.


  • Each interface on the bridge is now a separate collision domain
  • This fragments your LAN and helps reduce collisions while still allowing all devices to communicate.
  • Allows the logical control of data, using memory built into the bridge interface
  • Each port has a set of memory this allowed the bridge to store the bits in memory before forwarding the frame.
    • This is known as store and forward switching.
  • Bridging table
    • Short list of MACs and Interfaces
  • Each bridge was sold at a uniform speed. 10BaseT, FastEthernet. Interfaces could not be mixed and matched. Unlike today’s switches.


  • Higher Port Density, Multi-speed Ports: “Autosensing” 10BaseT, 100BaseT, 1000BaseT
  •  MAC Address-Table to keep record of devices. Ingress and Egress MAC<>Interface<>Frames.
  • Reduces collision domains to each interface
  • Custom control of broadcast domains with use of VLANs
  • Switches of today can look at Layer 3 IP Header and even route!

How To: Port Security


A Layer 2 security feature, defining allowed devices to forward frames. This is configured at a per port basis.


conf t
int fa0/1
switchport mode access
switchport port-security violation mode shutdown
switchport port-security mac-address sticky

With this configuration the first MAC that is learned on FastEthernet 0/1 is the one that is sticky. If you were to remove the device, add a hub and then reconnect the original ‘sticky’ device along with any other device the port would then go in to err-disable mode and shutdown. The security counter would then go up one, for one violation.


SW1# show run
interface FastEthernet0/1
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0001.6452.0BEC

SW1#show port-security int fa0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0


SW1#show int fa0/1
FastEthernet0/1 is down, line protocol is down (err-disabled)
Hardware is MV96340 , address is 0002.1765.2301 (bia 0002.1765.2301)
BW 100000 Kbit, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Half-duplex, 100Mb/s
input flow-control is off, output flow-control is off
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:08, output 00:00:05, output hang never
Last clearing of “show interface” counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue :0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
956 packets input, 193351 bytes, 0 no buffer
Received 956 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 watchdog, 0 multicast, 0 pause input
0 input packets with dribble condition detected
2357 packets output, 263570 bytes, 0 underruns
0 output errors, 0 collisions, 10 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out

SW1#show port-security int fa0/1
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : 0001.4205.2154:1
Security Violation Count : 1

SW1#show interfaces switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: All
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none


Fa0/1 is down and no traffic can pass, what do you do? First you must make a physical and/or logical network change depending on the design and need. Clearing the error and bringing up the port again would only result in it going down again if this is not fixed.

  • Investigate before allowing the device on your network
    • That’s right YOUR network, take pride in your work just don’t be a dick.
  • Why was a device added without telling the Networking Team?
    • Policy was not followed
    • Policy does not exist
  • Is this device safe?
    • Compromised
      • Like Hillary’s Emails?
      • Like Ashley Madison?
    • Did Jim add a dummy switch to his office
      • See Policy
    • Implemented by Systems/Tech Dept
      • Allow it

There is a business need for Jim to have more devices. So we will increase the number of sticky macs allowed on fa0/1. Then we will clear the err-disable and bring the port back online.

SW1(config-if)# switchport port-security maximum 2
This allows for two MACs to be learned on Fa0/1. Once a third MAC is learned the port would be shutdown.

There is also a business need for Jim’s workflow to not be interrupted. We will change the violation mode from shutdown to restrict.

SW1(config-if)# switchport port-security violation restrict
SW1#(config-if)#no shut

Switch#show port-security int fa0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 2
Configured MAC Addresses : 0
Sticky MAC Addresses : 2
Last Source Address:Vlan : 000C.85CA.8141:1
Security Violation Count : 15

SUCCESS! You saved the day, Jim can now edit Money.xlsb on X:/Jim/FY2015/


  • Restrict
    • Discards any frame that causes a violation and increases the Security Violation Count :
  •  Shutdown
    • Shutdown, place the port that experienced the violation into the err-disabled state. THIS IS THE DEFAULT MODE.
  • Protect
    • The violation mode of “Protect” simply silently discards any frame that causes a violation but does not increment the Security Violation Count :





In order to meet the deadline, we had to remove the shouting candidates from the room. This was done by summoning Trafaldor via IRC, he transcends time and space, and sent them to another dimension, for now… But never mind that! Please direct your attention to the diagram below.

Requirements: Create 5 sub interfaces on the router, Create 5 VLANs, Create a trunk between the router and switch, verify communications between all devices via ICMP.



Everyone who matters used that cheat. So now use it in real life! Go into the router and get rid of that pesky feature called domain lookup. Go into the switch and do the same.

conf t
no ip domain lookup

After that lets keep what your typing clear of logging messages so the console doesn’t look like this…sho%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to upw run

conf t
line vty 0 OR line con 0  *Note* depends how you are accessing the devices SSH OR Console, If you don’t know you can type show line and see what is being used, or you can ya know check layer 1…..
logging synchronous


Go into the router and turn on Gi0/1
conf t
int gi0/1
no shut
int gi0/1.1
encapsulation dot1q 1 native 
*Note* the native vlan receives no vlan tagging
ip address 
*Note* this assigns the sub-interface 1.1 to be the gateway address

Router interfaces are DOWN by default so you have to turn them on with no shut. Then we create logical sub interfaces starting with Gi0/1.1. Rinse and repeat for VLANs 2,3,5,7.

int gi0/1.2
encapsulation dot1q 2
ip address
int gi0/1.3
encapsulation dot1q 3
ip address
int gi0/1.5
encapsulation dot1q 5
ip address
int gi0/1.7
encapsulation dot1q 7
ip address

Verify proper sub-interface creation has occurred.

show run
interface GigabitEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address
interface GigabitEthernet0/1.2
 encapsulation dot1Q 2
 ip address
interface GigabitEthernet0/1.3
 encapsulation dot1Q 3
 ip address
interface GigabitEthernet0/1.5
 encapsulation dot1Q 5
 ip address
interface GigabitEthernet0/1.7
 encapsulation dot1Q 7
 ip address

show ip int brief
Interface IP-Address OK? Method Status Protocol 
GigabitEthernet0/0 unassigned YES unset administratively down down 
GigabitEthernet0/1 unassigned YES unset up up 
GigabitEthernet0/1.1 YES manual up up
GigabitEthernet0/1.2 YES manual up up
GigabitEthernet0/1.3 YES manual up up
GigabitEthernet0/1.5 YES manual up up
GigabitEthernet0/1.710.1.7.1 YES manual up up
Vlan1 unassigned YES unset administratively down down


Stand up, breathe and stretch, because we all sit too long without doing so. Now go into your switch and create the VLANs.

conf t
vlan 1
vlan 2
vlan 3
vlan 5
vlan 7
do show vlan

VLAN    Name    Status    Ports
---- -------------------------------- --------- 
1       default active   Fa0/1, Fa0/2, Fa0/3, Fa0/4
                         Fa0/5, Fa0/6, Fa0/7, Fa0/8
                         Fa0/9, Fa0/10, Fa0/11, Fa0/12
                         Fa0/13, Fa0/14, Fa0/15, Fa0/16
                         Fa0/17, Fa0/18, Fa0/19, Fa0/20
                         Fa0/21, Fa0/22, Fa0/23, Fa0/24
                         Gig0/1, Gig0/2
2       VLAN0002 active 
3       VLAN0003 active 
5       VLAN0005 active 
7       VLAN0007 active

Now go into each interface and assign the respective interface a VLAN.

conf t
int fa0/1
switchport mode access
int fa0/2
switchport mode access
switchport access vlan 2
int fa0/3
switchport mode access
switchport access vlan 3
int fa0/5
switchport mode access
switchport access vlan 5
int fa0/7
switchport mode access
switchport access vlan 7

Verification show run, notice that Int fa0/1 does not have switchport access vlan 1, that is because vlan 1 is currently set to the native vlan.

interface FastEthernet0/1
 switchport mode access
interface FastEthernet0/2
 switchport access vlan 2
 switchport mode access
interface FastEthernet0/3
 switchport access vlan 3
 switchport mode access
interface FastEthernet0/4
interface FastEthernet0/5
 switchport access vlan 5
 switchport mode access
interface FastEthernet0/6
interface FastEthernet0/7
 switchport access vlan 7
 switchport mode access

Go into gi0/1 on the switch as we just configured the routers trunk port thus far.

conf t
int gi0/1
switchport mode trunk
switchport trunk allowed vlan all

Now test icmp from host to host. Success!


I’m too young to die – stop VLAN 7 from communicating over the trunk port between the router and switch. Hint – experiment with switchport trunk allowed vlan command
Bronze – Add another host on a new vlan (#) is your choice and verify all hosts can communicate
Silver – Change the native vlan to 11 and verify all hosts can communicate
Gold – Daisy chain switches, add another switch to Gi0/2 and move 3 of the hosts to that switch verify all hosts can communicate
Platinum  – Poll better than Kanye for the 2020 presidential election BRO!