Importing and Starting Your Lab Image

The following procedure walks you step-by-step through the process to get the lab imported and running. If you have experience using Cisco Modeling Labs, feel free to skip this step-by-step process. Just get your lab up and running and skip to the next section.

  1. Log in to your Cisco Modeling Labs server web interface and click the IMPORT button on the right side of the page.

Note: If you are using a reserved DevNet CML lab, you will need to stop any preconfigured lab topologies before importing and running the VLAN lab topology. This will free up all used lab resources, making them available for this new lab.

  1. Click the File(s) to import space or the paperclip icon in order to browse for the downloaded network topology file—VLAN-Trunking-Topology.yaml—that will be used for this lab.

  1. Click the IMPORT button to import the lab into the system. The Import Status window will appear, showing that the lab was successfully imported.

  1. Click GO TO LAB on the Import Status window to open the CML Workbench area and display the lab topology.

Note: If you are using the reserved DevNet CML lab, the lab topology may initially show objects, such as the dashed line borders, offset from the rest of the diagram. To resolve this issue, resize your browser window temporarily, then adjust back to your liking.

  1. To spin up the VLAN lab, click the SIMULATE button on the panel below the topology diagram, and then click the START LAB button.

Note: Be sure that you do not have any of the devices in the topology selected when starting the lab or you’ll only start the selected device.

  1. Wait for all nodes to get green check marks, indicating that they are up and running. This process can take 1 to 5 minutes, depending on the Cisco Modeling Labs server’s load.

What is Trunking

If you performed the tutorial on using VLANs to segment local User Groups on a switch, then you understand the purpose of using VLANs. On a local switch, the port configuration determines which VLAN an endpoint belongs to when connected to that port. The VLAN assignment determines which other endpoints it can communicate with on that same switch. The problem is that a typical network may have dozens (or more) of switches with attached endpoints that are members of the same User Group.

To enable communication between endpoints assigned to the same VLAN but attached to different network switches, we have to interconnect the switches in a manner that allows all VLAN endpoints to communicate.

There are different methods that can be used to achieve this configuration. One method is to use an interconnecting link for each VLAN to allow cross-communication between switches. This is not an issue if you have only a couple of VLANs. But if you have a lot of VLANs, the ports used to interconnect the VLANs between switches reduce the number of ports available to support endpoint connectivity.

An alternative and preferred method is using a single interconnecting link between switches and enabling a feature called trunking. Trunking allows traffic from different VLANs to traverse the same link. It differentiates the data frames by embedding a tag to identify to which VLAN the traffic belongs.

Review Switch VLAN Configuration

Before making any changes, you need to know how the current network environment is configured. Based on the information discovered, you can then take the necessary steps to configure the network to operate based on the topology design.

  1. Click switch SW1 in the lab topology to select it. The switch icon will turn blue, and the panel below the topology diagram will change to highlight topic areas for managing the switch.

  1. Click CONSOLE on the panel below the topology diagram, and then click OPEN CONSOLE.

  1. The console screen will display various messages as part of the switch bootup and configuration process. Click the displayed console screen and press the Enter/Return key several times until you see the switch prompt appear.

Note: If your console screen does nothing when you press the Enter/Return key, click the console screen several times and make sure the white cursor is blinking on the console screen. Then try again.

  1. From the prompt, access privileged EXEC mode by entering the enable command.

  1. Run the show vlan command and review SW1’s port and VLAN assignments.

Based on the current switch configuration, PC1 is connected to interface Gi0/0 and is a member of VLAN 1. PC3 is connected to interface Gi0/1 and is a member of VLAN 2. As such, these two PCs should not be able to talk to each other. You can validate this.

  1. Select PC1 in the topology diagram and access its command prompt, using the CONSOLE menu option and login credentials cisco and cisco.

  1. From the prompt, use the ping command to test connectivity between PC1 and PC3, using the address information from the chart below. The ping test should fail if VLAN segmentation is working properly.

Remember, we are testing for reachability across a switch. That means everything is about Layer 2 connectivity, even though we are pinging a Layer 3 IP address. Address Resolution Protocol (ARP) will resolve the Layer 3 address to its respective Layer 2 address.

Note: A ping on a Linux-based PC will be continuous. To stop the ping, use the Control + C key combination. You also have the option to specify how many pings to send. For instance, ping -c 4 192.168.2.1 would only send a count of four pings, then return the test results and bring you automatically back to the prompt.

If you continue to investigate the results of the previous show vlan command on SW1, you should also see that interface Gi1/1, which is used to interconnect SW1 with SW2, is a member of VLAN 1. If SW2 is running a configuration similar to SW1’s, which you can validate, you could assume that interface Gi1/1 of SW2 is also a member of VLAN 1. If the interfaces on both ends of the link are in the same VLAN, the link would be configured as a dedicated VLAN link. Based on this, PC1 and PC2 should be able to communicate with each other across this link, while PC3’s communication would be blocked to anyone.

Let’s validate this theory.

  1. Open the CONSOLE for SW2 and run the show vlan command. Review the configuration to confirm SW2’s port configuration.

As suspected, SW2’s Gi1/1 is a member of VLAN 1. Based on this, the single interconnecting link between the switches is a dedicated VLAN 1 link.

  1. Run a ping command from PC1’s console, testing reachability to PC2 and PC4, both of which are connected to SW2.

Note: When pinging from PC1 to PC2, you will see a response message displayed after each successful ping. However, for PC1 and PC4, there will be no response messages displayed because this communication is not permitted. If you are not using the ping -c option, allow the ping test to run a few seconds before stopping, using the Control + C key combination. Then, you can verify that packets were sent, but none were received.

The results confirm the present configuration on both switches. PC1 can communicate with PC2, but it can’t communicate with PC4.

  1. Click PC3 in the topology diagram and access its command prompt, using the CONSOLE menu option and login credentials cisco and cisco.

  2. Perform a similar ping test from PC3’s command prompt to PC2 and PC4.

Because PC3 is in VLAN 2, and the interconnecting link is for VLAN 1 endpoints only, PC3 can’t communicate with either PC connected to SW2. To resolve this issue, we would need to add a dedicated link for VLAN 2. Or, using the preferred method, we could configure the existing link as a trunk link, which would allow traffic from both VLANs to traverse the single connection.

To allow traffic from both VLANs to traverse the one link interconnecting SW1 and SW2, you need to convert the dedicated link to a trunk link.

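  1. From privileged EXEC mode on SW1, enter the following commands in order: configure terminal, interface GigabitEthernet 1/1, switchport trunk encapsulation dot1q, switchport mode trunk, and end. This will configure the link on SW1’s side to be a trunk link. Each command is explained below.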

The configure terminal command moves your prompt into global configuration mode, where you have access to additional commands not found in user EXEC mode.

The interface GigabitEthernet 1/1 command specifies the interface that you want to make changes to and moves you into subinterface configuration mode, where you can apply additional settings to that interface.

The switchport trunk encapsulation dot1q command tells the switch that the interface should use IEEE 802.1Q encapsulation on the frames. Most people simply refer to it as Dot1q; it’s one of the VLAN tagging protocols supported by Cisco switches. In other words, the switch will “tag” each frame with its respective VLAN number when the interface is configured as a trunk. This standard was created by the Institute of Electrical and Electronics Engineers (IEEE), so it is an open standard and can be used on non-Cisco switches as well.

The switchport mode trunk command tells the switch that the interface is a trunk link and to use it as such.

The final command, end, returns you back to the privileged EXEC mode prompt.
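To make the tagging concrete, the following added example (not part of the original tutorial) models what a trunk port does to a frame: it inserts the 4-byte 802.1Q tag on the way out, then reads and strips it on the way in. It also covers a case the text does not mention: by default the native VLAN (VLAN 1 on Cisco switches) crosses the trunk untagged. The MAC address and SW2's access-port assignments are assumptions made for illustration.

```python
import struct

TPID = 0x8100  # EtherType value that announces an 802.1Q tag

def trunk_send(frame: bytes, vlan: int, native_vlan: int = 1) -> bytes:
    """Frame as it leaves a trunk port: tagged unless it is in the native VLAN."""
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    if vlan == native_vlan:
        return frame                       # native VLAN crosses the trunk untagged
    tci = vlan                             # priority 0, DEI 0, 12-bit VLAN ID
    # The tag sits between the source MAC (bytes 6-11) and the original EtherType.
    return frame[:12] + struct.pack("!HH", TPID, tci) + frame[12:]

def trunk_receive(frame: bytes, native_vlan: int = 1) -> tuple[int, bytes]:
    """Return (vlan, untagged frame) for a frame arriving on a trunk port."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID:
        return native_vlan, frame          # untagged frames belong to the native VLAN
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF, frame[:12] + frame[16:]   # low 12 bits are the VLAN ID

def egress_ports(vlan: int, access_ports: dict[str, int]) -> list[str]:
    """Access ports in the frame's VLAN; no other port may receive it."""
    return sorted(port for port, v in access_ports.items() if v == vlan)

# Constructed sample: a broadcast ARP frame from a made-up MAC standing in for PC3.
PC3_FRAME = bytes.fromhex("ffffffffffff" "525400000003" "0806") + b"\x00" * 28
# Assumed SW2 access ports (the tutorial does not list them): PC2 in VLAN 1, PC4 in VLAN 2.
SW2_ACCESS = {"Gi0/0": 1, "Gi0/1": 2}

def demo() -> list[str]:
    on_wire = trunk_send(PC3_FRAME, vlan=2)    # SW1 Gi1/1 adds the VLAN 2 tag
    vlan, frame = trunk_receive(on_wire)       # SW2 Gi1/1 reads and strips it
    assert frame == PC3_FRAME                  # payload is unchanged end to end
    return egress_ports(vlan, SW2_ACCESS)

if __name__ == "__main__":
    print(demo())
```
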

  1. To validate that interface Gi1/1 is now performing trunk functionality, run the show interfaces trunk command on SW1 and review the results. The interface status is “trunking.” Both VLANs 1 and 2 are allowed to traverse the interface. Something else to note here is the mode, which is set to “on.”

SW1’s current operating mode—on—is a result of the switchport mode trunk command. Depending on the operating mode of the interfaces used to interconnect switches, they may or may not automatically form a trunk link when connected together.

  1. Access SW2’s console, then run the show interfaces trunk command and review the results.

As you can see, interface Gi1/1 is also enabled for trunking functionality, yet you did not perform any configuration changes on the switch to enable trunking. The difference on this switch is that the trunking mode is set to “auto” by default. This means that the switch interface is passively waiting for the remote side to send a message saying, “Let’s form a trunk.”

When you changed SW1’s Gi1/1 interface to trunk mode, SW1 automatically changed Gi1/1’s mode from “auto” to “on,” and the interface began sending the “Let’s form a trunk” message across the link to SW2.
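Because an interface in “auto” mode forms a trunk whenever the far end asks, it is useful to know which trunks exist only through negotiation. The following added example (not part of the original tutorial) parses show interfaces trunk output and lists those ports; the sample output is constructed and simplified to match what the tutorial describes for SW1 and SW2.

```python
# Constructed, simplified `show interfaces trunk` output for the lab's two switches.
TEMPLATE = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi1/1       {mode:<16} 802.1q         trunking      1

Port        Vlans allowed on trunk
Gi1/1       1-4094

Port        Vlans allowed and active in management domain
Gi1/1       1-2
"""
OUTPUTS = {"SW1": TEMPLATE.format(mode="on"), "SW2": TEMPLATE.format(mode="auto")}

def expand_vlans(spec: str) -> list[int]:
    """Turn '1-2' or '1,10-12' into a list of VLAN IDs; 'none' means empty."""
    vlans = []
    for part in ([] if spec == "none" else spec.split(",")):
        low, _, high = part.partition("-")
        vlans.extend(range(int(low), int(high or low) + 1))
    return vlans

def parse_trunks(output: str) -> dict[str, dict]:
    """Parse the per-port tables; each 'Port ...' header line starts a new table."""
    ports, table = {}, ""
    for line in output.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Port":
            table = " ".join(fields[1:])
        elif table.startswith("Mode") and len(fields) >= 5:
            ports.setdefault(fields[0], {}).update(
                mode=fields[1], status=fields[3], native_vlan=int(fields[4]))
        elif table.endswith("active in management domain") and len(fields) >= 2:
            ports.setdefault(fields[0], {})["active_vlans"] = expand_vlans(fields[1])
    return ports

def negotiated_trunks(outputs: dict[str, str]) -> list[str]:
    """List 'switch port' pairs that are trunking without a static 'on' mode."""
    found = []
    for switch, output in sorted(outputs.items()):
        for port, info in sorted(parse_trunks(output).items()):
            if info.get("status") == "trunking" and info.get("mode") != "on":
                found.append(f"{switch} {port} (mode {info['mode']})")
    return found

if __name__ == "__main__":
    print(negotiated_trunks(OUTPUTS))
```
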

Validate Trunking and VLAN Segmentation

With our new trunking configuration in place, it’s time to see if the VLANs are functioning the way that they should. PC1 should be able to communicate only with PC2, not with the PCs in VLAN 2. Following that same thought process, PC3 should be able to communicate only with PC4, not with the other two PCs.

  1. Access PC1’s console again.

  2. From the prompt, run the ping test again to all the other lab PCs. A ping between PC1 and PC2 should be successful. However, the ping tests between PC1 and PC3 or PC4 should fail.

  1. Access PC3’s command prompt and perform a ping test to all the other lab PCs. Because PC3 is in VLAN 2, it can’t communicate with PC1 or PC2, but it should be able to communicate with PC4 because both are in VLAN 2.

Congrats on completing this training tutorial! Please continue your learning through our community’s many other resources, helping folks get started on their CCNA journey.
