Live Virtual Machine Lab 7.2 Module 07 Configuring Switching Features

Live Virtual Machine Lab 7.2 Module 07 Configuring Switching Features

Mastering the configuration of switching features is the critical bridge between theoretical network knowledge and the practical skills needed to build efficient, secure, and resilient local area networks. On the flip side, this hands-on lab, Live Virtual Machine Lab 7. That said, 2 Module 07, moves beyond basic switch functionality to immerse you in the core advanced features that define modern network segmentation and reliability. You will learn to implement VLANs (Virtual Local Area Networks), configure trunking protocols to carry multiple VLANs across a single link, and understand the foundational mechanisms of Spanning Tree Protocol (STP) that prevent catastrophic network loops. This module transforms a collection of standalone switches into an intelligent, coordinated system, directly mirroring the tasks of a networking professional designing a campus or enterprise network.

Lab 7.2 Topology and Objectives

The virtual lab environment typically presents a topology of three Cisco switches (often labeled S1, S2, S3) connected in a triangular fashion. PCs or servers are connected to access ports on these switches, representing different departments or user groups. The primary objectives are clear: logically segment the network using VLANs, establish reliable trunk links between switches to allow inter-VLAN communication, and observe how STP automatically blocks redundant paths to eliminate broadcast storms. So you will use Cisco IOS command-line interface (CLI) commands to configure each feature, followed by rigorous verification using show commands to confirm your configurations are active and functioning as intended. Success in this lab demonstrates competency in the fundamental switching technologies that underpin nearly every Ethernet network deployed today.

Configuring VLANs: Creating Logical Network Segments

The first and most powerful step is creating VLANs. Also, a VLAN allows you to partition a single physical switch into multiple, isolated broadcast domains. To give you an idea, you can place all Finance department devices in VLAN 10 and all Engineering devices in VLAN 20, even if they are connected to the same physical switch. This enhances security, reduces unnecessary broadcast traffic, and improves overall performance Small thing, real impact..

1. Creating VLANs: You begin in global configuration mode. The command vlan <vlan-id> (e.g., vlan 10) creates a VLAN and places you into VLAN configuration mode. Here, you can optionally name the VLAN for clarity with the name <name> command (e.g., name Finance). Repeat this process for each required VLAN (e.g., VLAN 20 for Engineering, VLAN 99 for Management).
2. Assigning Access Ports: Next, you assign specific switch ports to the VLANs you created. These are access ports, which carry traffic for only a single VLAN. figure out to the interface configuration mode for the port (e.g., interface FastEthernet0/1). The critical command is switchport mode access, which explicitly sets the port as an access port. Then, assign it to your VLAN with switchport access vlan <vlan-id> (e.g., switchport access vlan 10). You must configure this on every port connecting to an end device like a PC.
3. Verification: Use the command show vlan brief on each switch. This is your primary verification tool. It displays all configured VLANs, their names, and which switch ports are assigned to each. You should see your named VLANs listed and the correct ports (like Fa0/1, Fa0/2) tagged under them. Ports not assigned to a VLAN will be in the default VLAN 1.

Configuring Trunk Links: The Network's Backbone

Access ports connect to devices. Here's the thing — Trunk ports connect switches to each other (or to routers). A trunk link carries traffic for all VLANs simultaneously, using a tagging protocol like IEEE 802.So naturally, 1Q to identify which frame belongs to which VLAN. Without trunking, inter-switch communication would be limited to the native VLAN only.

1. Identifying Trunk Ports: In your topology, the links between S1, S2, and S3 must be configured as trunks. Select the interface (e.g., interface FastEthernet0/24).
2. Setting Trunk Mode: The command switchport mode trunk is the most secure and recommended method. It forces the port into a permanent trunking state, negotiating with the connected device using DTP (Dynamic Trunking Protocol). Avoid switchport mode dynamic desirable or dynamic auto in production, as they can lead to unpredictable trunk formation if misconfigured on the other end.
3. Configuring the Native VLAN (Optional but Important): The native VLAN is the one not tagged on an

802.1Q trunk link. By default, switches use VLAN 1 for this purpose, but leaving it unchanged introduces a well-known attack vector. To harden your infrastructure, assign a dedicated, unused VLAN as the native VLAN using switchport trunk native vlan <vlan-id>. Crucially, this setting must match exactly on both ends of the trunk; a native VLAN mismatch will trigger spanning-tree inconsistencies, generate syslog errors, and silently drop untagged frames.

For tighter traffic control, restrict which VLANs are permitted across each trunk. Instead of allowing all VLANs by default, use switchport trunk allowed vlan <vlan-list> (e.g.Plus, , switchport trunk allowed vlan 10,20,99). This practice, often called VLAN pruning, contains broadcast domains to only the switches and segments that actually require them, further optimizing bandwidth and reducing lateral movement opportunities for attackers.

Verification and Troubleshooting After applying trunk configurations, validate the setup with show interfaces trunk. This command reveals the port’s operational status, encapsulation method, native VLAN assignment, and the exact list of allowed VLANs. Cross-reference this output with show vlan brief and show running-config interface <interface-id> to ensure end-to-end consistency. If devices in the same VLAN cannot communicate across switches, systematically check for native VLAN mismatches, overly restrictive allowed VLAN lists, or spanning-tree port states blocking traffic And that's really what it comes down to..

Final Best Practices

• Always disable DTP on access ports with switchport nonegotiate to prevent unauthorized or accidental trunk negotiation.
• Place all unused switch ports in a dedicated, administratively shut-down VLAN with no active services or routing.
• Maintain a centralized VLAN registry. Documenting VLAN IDs, purposes, associated subnets, and trunk paths prevents configuration drift and accelerates troubleshooting during outages or staff transitions.

Conclusion

Implementing VLANs and trunk links is a foundational practice that transforms a flat, broadcast-heavy network into a structured, secure, and highly scalable infrastructure. By methodically segmenting traffic, enforcing strict access and trunk policies, and rigorously verifying configurations, network administrators can eliminate unnecessary broadcast storms, isolate sensitive workloads, and dramatically simplify fault isolation. While the CLI commands themselves are straightforward, long-term operational success hinges on disciplined design, consistent security hardening, and meticulous documentation. As modern networks grow increasingly complex with IoT deployments, cloud integrations, and zero-trust initiatives, a solid Layer 2 architecture remains the critical bedrock that ensures reliable performance, enforceable security boundaries, and seamless adaptability for the future Simple as that..