What You’ll Learn

What You’ll Need

Importing and Starting Your Lab Image

  1. Log in to your Cisco Modeling Labs server web interface and click the IMPORT button on the right side of the page.

Note: If you are using a reserved DevNet CML lab, you will need to stop any preconfigured lab topologies before importing and running the VLAN lab topology. This will free up used environment resources, ensuring that your lab runs smoothly.

  1. Click the File(s) to import paperclip icon and browse to the downloaded network topology file, VLAN-Segmented-User-Topology.yaml, that will be used for this lab.

  1. Click the IMPORT button to import the lab into the system. The Import Status window will appear, showing that the lab was successfully imported.

  1. Click GO TO LAB on the Import Status window to open the CML Workbench area and display the lab topology.

Note: If you are using the reserved DevNet CML lab, the lab topology may initially display objects, such as the dashed-line borders, offset from the rest of the diagram. To resolve this issue, resize your browser window temporarily, then adjust it back to your liking.

  1. To spin up the VLAN lab resources, click the SIMULATE button on the panel below the topology diagram, and then click the START LAB button.

Note: Be sure that you do not have any of the devices in the topology selected when starting the lab or you’ll only start the selected device.

  1. Wait for all nodes to get green check marks, indicating they are up and running. This process can take 1 to 5 minutes, depending on the Cisco Modeling Labs server’s load.

Validate Switch Default VLAN Configuration

VLANs segment a network on a per-port basis and can span across multiple switches. This allows network administrators to logically segment a switched network based on functions, project teams, or applications rather than on a physical or geographical basis.

By default, all switch port interfaces on a switch are configured as members of VLAN 1, the default VLAN on a Cisco switch. This configuration means that users or devices connected to any of the ports on the switch can freely communicate with each other, because they are all part of the same VLAN group. You can validate this.

  1. Click switch SW1 in the lab topology to select it. The switch icon will turn blue, and the panel below the topology diagram will change to highlight topic areas for managing the switch.

  1. Click CONSOLE on the panel below the topology diagram, and then click OPEN CONSOLE.

  1. The console screen will display various messages as part of the switch bootup and configuration process. Click the displayed console screen and press the Enter/Return key several times until you see the switch prompt appear.

Note: If your console screen does nothing when you press the key, click the console screen several times and make sure that the white cursor is blinking on the console screen. Then try again.

  1. From the prompt, access privileged EXEC mode by entering the enable command.

  1. Run the show vlan command and review the output. You will notice that all four switch ports are members of VLAN 1.

Based on this current switch configuration, all the PC users should be able to communicate with each other. You can validate this.

  1. Select PC1 on the topology diagram and choose CONSOLE. This should bring you to PC1’s login prompt.

  1. Log in to PC1 using the credentials cisco and cisco.

  1. From the prompt, enter the ping command to test connectivity to all the other lab PCs, using the address information from the chart below. All ping tests should be successful.

Remember, we are testing for reachability across a switch. That means everything is about Layer 2 connectivity, even though we are pinging Layer 3 IP addresses. Address Resolution Protocol (ARP) will resolve the Layer 3 addresses into their respective Layer 2 addresses.

Note: A basic ping command, such as ping 10.10.10.1, on a Linux-based PC will be a continuous ping. To stop the ping, use the Control + C key combination. An alternative to the basic ping command is to specify how many pings to send so that it stops automatically. For instance, ping -c 4 192.168.2.1 would send a count of only four pings, then return the test results and bring you automatically back to the prompt.

Add a New VLAN

If you look at the topology diagram a little closer, you can see the design calls for two VLANs to be configured. PC1 and PC2 should be in the default VLAN, VLAN 1, while PC3 and PC4 should be in VLAN 2. By segmenting users or devices into different VLANs, communication is possible between members of the same VLAN while at the same time preventing communication between members of different VLANs. To implement this design, you first need to create VLAN 2.

  1. From privileged EXEC mode on SW1, enter the commands as shown in the image below.

The configure terminal command moves your prompt into global configuration mode, where you have access to additional commands not found in user EXEC mode.

The vlan 2 command creates your second VLAN, VLAN 2, which is by default named “VLAN0002” by the switch. It also moves you into VLAN subconfiguration mode, where additional commands can be performed as necessary. Note that if VLAN 2 already existed, this command would simply move you into VLAN subconfiguration mode.

The final command, end, returns you to the privileged EXEC mode prompt.

  1. Validate that the new VLAN was created. Enter the show vlan command again. This time, we see that VLAN 2 is now added to the list. However, there are no ports assigned to this VLAN.

Configure VLAN Interfaces

To segment our PC users into the appropriate VLANs, we need to configure the switch interfaces that PC3 and PC4 connect to as members of VLAN 2. Remember, PC1 and PC2 are supposed to be in VLAN 1, which they are by default.

If you look at the topology diagram again, PC3 and PC4 connect to the switch on ports Gi0/2 and Gi0/3, respectively. These ports need to be configured as members of VLAN 2.

  1. Access global configuration mode on SW1.

  1. Enter the command interface range GigabitEthernet 0/2 - 3. The range option allows the same configuration commands to be applied across a group of contiguous interfaces at the same time. “Contiguous” means one after another or together in sequence, like 1, 2, and 3 or 5, 6, and 7.

  1. Enter the command switchport mode access, followed by a second command, switchport access vlan 2. These commands tell the switch that the two ports will be used by devices for network access and also that they are members of VLAN 2.

  1. Use the end command to exit completely out of global configuration mode and return to the privileged EXEC prompt.

  2. We can validate that the interfaces have been assigned to VLAN 2 by using the show vlan command again. This time, ports Gi0/2 and Gi0/3 are assigned to VLAN 2. Any users or devices connected to these ports will be members of VLAN 2, and their communication will be managed accordingly.
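
The show vlan check in the last step can also be done programmatically. The following Python script is an added example, not part of the original tutorial: it parses show vlan style output and reports any port whose VLAN differs from the intended design. The sample output is constructed, and the Gi0/0 and Gi0/1 assignments for PC1 and PC2 are assumptions; only Gi0/2 and Gi0/3 come from the tutorial.

```python
import re

# Constructed sample of `show vlan brief` output after the steps above (not
# captured from the lab). Port names follow the tutorial's Gi0/x naming.
SAMPLE_AFTER = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/0, Gi0/1
2    VLAN0002                         active    Gi0/2, Gi0/3
1002 fddi-default                     act/unsup
"""

# Intended design. Gi0/2 and Gi0/3 (PC3, PC4) come from the tutorial;
# Gi0/0 and Gi0/1 for PC1 and PC2 are an assumption.
DESIGN = {"Gi0/0": 1, "Gi0/1": 1, "Gi0/2": 2, "Gi0/3": 2}

ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s*(.*)$")  # id, name, status, ports

def parse_vlan_ports(text):
    """Return {port: vlan_id} from `show vlan` / `show vlan brief` text."""
    ports, current = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            current, port_field = int(m.group(1)), m.group(4)
        elif current is not None and line[:1].isspace() and line.strip():
            port_field = line  # wrapped port list continues the previous row
        elif current is not None and not line.strip():
            break  # blank line ends the port table in full `show vlan` output
        else:
            continue  # header or separator line
        for port in filter(None, (p.strip() for p in port_field.split(","))):
            ports[port] = current
    return ports

def audit(text, design=DESIGN):
    """Return (port, expected_vlan, actual_vlan) for every mismatch."""
    actual = parse_vlan_ports(text)
    return [(p, want, actual.get(p)) for p, want in sorted(design.items())
            if actual.get(p) != want]

if __name__ == "__main__":
    for port, want, got in audit(SAMPLE_AFTER):
        print(f"{port}: expected VLAN {want}, found {got}")
    print("ports by VLAN:", parse_vlan_ports(SAMPLE_AFTER))
```

An empty result from audit means every port in the design sits in its intended VLAN; run against the default configuration, it flags Gi0/2 and Gi0/3 as still being in VLAN 1.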

Validate New VLAN Configuration

With our new configuration in place, it’s time to see if the VLANs are functioning the way they should.

  1. Access PC1 again.

  2. From the prompt, use the ping command again to test connectivity to all the other lab PCs. The ping test between PC1 and PC2 should be successful. However, the ping tests between PC1 and PC3 or PC4 should fail.

Note: When pinging from PC1 to PC2, you will see a response message displayed after each successful ping. However, for PC3 and PC4, there will be no response messages displayed because this communication is no longer permitted. If you are not using the ping -c option, allow the ping test to run a few seconds before stopping it with the Control + C key combination. Then, you can verify that packets were sent, but none were received.

  1. Access PC3’s console and log in using the same cisco and cisco credentials.

  2. From the prompt, run the ping test again to all the other lab PCs.

As you would expect based on the new VLAN configuration, PC3 is not able to communicate with PC1 or PC2. However, PC3 can communicate with PC4 now that both are members of the same VLAN, VLAN 2.

Congrats on completing this training tutorial! Please continue your learning through our community’s many other resources, helping folks get started on their CCNA journey.
