Mastering VLANs: Fundamentals, Types, and Step‑by‑Step Switch Configuration

VLAN Basics

VLAN (Virtual Local Area Network) is a logical segmentation technology defined by the IEEE 802.1Q standard (published June 1999). It allows a single physical LAN to be divided into multiple broadcast domains, improving flexibility, reducing unnecessary traffic, and enhancing security.

VLAN Division Methods

Port‑based VLAN : Assigns VLANs to physical switch ports; simple but requires reconfiguration when devices move.

MAC‑address‑based VLAN : Maps VLAN membership to individual MAC addresses, allowing users to retain VLAN membership across ports.

Network‑layer‑protocol‑based VLAN : Uses IP, IPX, AppleTalk, etc., to define VLANs, enabling protocol‑specific segmentation.

IP multicast‑based VLAN : Treats an IP multicast group as a VLAN, useful for spanning VLANs across wide‑area networks.

Policy‑based VLAN : Combines criteria such as port, MAC, IP, or protocol to assign VLANs.

User‑defined/non‑authorized VLAN : Custom VLANs defined per special user requirements, often protected by passwords.

Advantages of VLANs

Increased network flexibility – devices can be grouped logically regardless of physical location.

Broadcast control – each VLAN is an isolated broadcast domain, reducing broadcast storms.

Enhanced security – traffic between VLANs is blocked unless routed, protecting sensitive departments.

Simplified management – administrators can manage groups of users as single entities.

Cost reduction – fewer physical networks are needed while still providing separation.

Configuration Example

A typical medium‑size LAN with three managed switches (Switch1, Switch2, Switch3) and a router is used to illustrate port‑based VLAN configuration.

VLAN table:

VLAN 号  VLAN 名  端口号
2 Prod   Switch1 2‑21
3 Fina   Switch2 2‑16
4 Huma   Switch3 2‑9
5 Info   Switch3 10‑21

Step 1: Connect to the switch via a terminal program.

Step 2: Enter privileged mode: #enable Step 3: Set hostnames and privileged passwords (example for Switch1):

Switch1(config)#hostname Switch1
Switch1(config)#enable password level 15 XXXXX

Step 4: Create VLANs and assign names:

Switch1(config)#vlan 2 name Prod
Switch2(config)#vlan 3 name Fina
Switch3(config)#vlan 4 name Huma
Switch3(config)#vlan 5 name Info

Step 5: Assign ports to VLANs (static membership). Example for Switch1 (VLAN 2):

Switch1(config)#int e0/2
Switch1(config-if)#vlan-membership static 2
Switch1(config)#int e0/3
Switch1(config-if)#vlan-membership static 2
... (continue for ports e0/4‑e0/21)

Similar commands are applied to Switch2 (VLAN 3) and Switch3 (VLAN 4 and VLAN 5) for the respective port ranges.

After configuration, verify with: show vlan The configuration isolates the Production, Finance, Human Resources, and Information Center departments into separate VLANs, preventing unauthorized access and simplifying network management.