Switching, VLANs & Trunks
One cable, many logical networks
Real-world analogy
A switch is like a building’s mailroom — it reads the envelope (MAC address) and drops it at the right desk (port). VLANs are like separate floors the mailroom pretends exist, so Finance and Marketing never see each other’s mail even though they share the same building.
What is it?
VLANs and trunks let one physical network carry many logically separate networks. Access ports attach endpoints to a VLAN; trunks carry multiple VLANs between switches and routers; inter-VLAN routing enforces boundaries.
Real-world relevance
A bank runs a single switch fabric in a branch but separates VLAN 10 (tellers), VLAN 20 (ATMs), VLAN 30 (guest Wi-Fi), and VLAN 99 (management). A firewall between VLANs ensures guest Wi-Fi never sees ATM traffic — even though the cables share copper.
Key points
- Switches vs hubs vs routers — Hub: dumb, broadcasts to everyone. Switch: smart, learns MAC-to-port mapping, forwards only to the right port. Router: moves packets between different networks (subnets/VLANs).
- MAC learning and CAM table — When a frame arrives, the switch learns ‘MAC X lives on port Y’ and stores it in the CAM table. Unknown destinations are flooded until learned. This is why switches are nearly plug-and-play.
- VLANs — logical segmentation — VLAN = broadcast domain. Two ports on the same switch can be on different VLANs and not see each other’s traffic without a router. Separation by VLAN improves security, performance, and management.
- Access ports vs trunk ports — Access port: carries traffic for ONE VLAN (user ports). Trunk port: carries traffic for MANY VLANs between switches/routers, tagged with 802.1Q.
- Native VLAN (with care) — The VLAN whose frames cross a trunk untagged (VLAN 1 by default on Cisco gear). It is the lever behind VLAN hopping: if an attacker's access port sits in the trunk's native VLAN, a double-tagged frame has its outer tag stripped by the first switch, crosses the trunk untagged, and the second switch honours the inner tag and delivers it into another VLAN. A port left in DTP dynamic mode that negotiates itself into a trunk is the other hop route. Set the native VLAN to an otherwise unused ID on every trunk, put no hosts in it, and disable DTP (switchport nonegotiate) on every port.
- Inter-VLAN routing — Two VLANs can’t talk without a router or a Layer-3 switch. Common design: users in VLAN 10, servers in VLAN 20, route between them via a firewall or L3 switch — enforcing policy on the way.
- STP (Spanning Tree) awareness — If you connect switches in loops (for redundancy), frames could circle forever. STP detects loops and disables redundant links until needed. Juniors don’t configure STP; they recognize ‘loop → network meltdown’ as a symptom.
- Port security & portfast — Port security caps how many MACs a port may learn (and optionally which ones) and shuts the port on violation; it is the control against MAC flooding, where an attacker fills the CAM table with bogus addresses until the switch can no longer keep legitimate entries and floods unicast traffic out of every port, hub-style. Portfast skips the STP listening/learning delay on edge ports; pair it with BPDU guard so a port that unexpectedly hears a switch is shut instead of forming a loop. Both are common CCNA and enterprise-support vocabulary.
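The tagging, per-VLAN learning and native-VLAN behaviour described in the key points above, as an added Python simulation written for this page (it is not code from the original page or from any switch vendor). The switch model, the two-switch topology, the port numbers, the VLAN IDs and the MAC addresses are all constructed for the demo. The model deliberately accepts a frame tagged with the port's own VLAN on an access port, which is the precondition the classic double-tagging attack needs; STP, MAC aging and broadcast addresses are left out.

```python
"""Two-switch VLAN fabric with 802.1Q tags, per-VLAN MAC learning and a
double-tagging (VLAN hopping) demo. Constructed teaching model, not a real switch."""
import struct

TPID = 0x8100  # 802.1Q Tag Protocol Identifier: the two bytes that mark a tag


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, payload, vlans=()):
    """Ethernet frame with zero or more 802.1Q tags, outermost first."""
    tags = b"".join(struct.pack("!HH", TPID, v & 0x0FFF) for v in vlans)
    return mac(dst) + mac(src) + tags + struct.pack("!H", 0x0800) + payload


def pop_tag(frame):
    """Strip the outermost tag if present. Returns (vid or None, remaining frame)."""
    if struct.unpack("!H", frame[12:14])[0] == TPID:
        vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        return vid, frame[:12] + frame[16:]
    return None, frame


def push_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", TPID, vid) + frame[12:]


class Switch:
    """ports maps port -> ("access", vid) or ("trunk", allowed_vids, native_vid)."""

    def __init__(self, ports):
        self.ports = ports
        self.cam = {}  # (vid, mac) -> port: learning is per VLAN

    def classify(self, port, frame):
        """Decide which VLAN an ingress frame belongs to; None means drop."""
        kind, *cfg = self.ports[port]
        tag, inner = pop_tag(frame)
        if kind == "access":
            # Untagged frames land in the access VLAN. A frame tagged with that same
            # VLAN is accepted and stripped too: the double-tagging precondition.
            return (cfg[0], inner) if tag in (None, cfg[0]) else (None, frame)
        allowed, native = cfg
        vid = native if tag is None else tag  # untagged on a trunk = native VLAN
        return (vid, inner) if vid in allowed else (None, frame)

    def receive(self, port, frame):
        """Learn the source in its VLAN, then forward. Returns [(egress_port, frame)]."""
        vid, inner = self.classify(port, frame)
        if vid is None:
            return []
        dst, src = inner[0:6], inner[6:12]
        self.cam[(vid, src)] = port
        known = self.cam.get((vid, dst))
        # Known destination: exactly one port. Unknown: flood, but only inside this VLAN.
        candidates = [known] if known is not None else list(self.ports)
        out = []
        for p in candidates:
            if p == port:
                continue
            kind, *cfg = self.ports[p]
            if kind == "access" and cfg[0] == vid:
                out.append((p, inner))  # access ports always send untagged
            elif kind == "trunk" and vid in cfg[0]:
                # Trunk egress: tag the frame unless the VLAN is the trunk's native VLAN.
                out.append((p, inner if vid == cfg[1] else push_tag(inner, vid)))
        return out


# Constructed MAC addresses for the demo hosts.
ALICE, CAROL = "02:00:00:00:00:0a", "02:00:00:00:00:0c"
VICTIM, MALLORY = "02:00:00:00:00:20", "02:00:00:00:00:66"


def fabric(native):
    """SW1 and SW2 joined by a trunk whose native VLAN is `native`.
    Mallory sits on an access port in VLAN 1, the Cisco default native VLAN."""
    trunk = ("trunk", {1, 10, 20, native}, native)
    sw1 = Switch({1: ("access", 10), 2: ("access", 20), 3: ("access", 1), 4: trunk})
    sw2 = Switch({1: trunk, 2: ("access", 10), 3: ("access", 20)})
    return sw1, sw2


def deliver(sw1, sw2, port, frame):
    """Inject on SW1 and return the set of SW2 ports that receive a copy."""
    hits = set()
    for p, f in sw1.receive(port, frame):
        if p == 4:  # SW1 port 4 is cabled to SW2 port 1
            hits |= {p2 for p2, _ in sw2.receive(1, f)}
    return hits


def isolation_demo():
    """Alice (VLAN 10) to Carol: crosses the trunk tagged 10, reaches only VLAN 10."""
    sw1, sw2 = fabric(native=999)
    return deliver(sw1, sw2, 1, build_frame(CAROL, ALICE, b"hello"))


def learning_demo():
    """After one flooded frame both switches know Alice, so Carol's reply is unicast."""
    sw1, sw2 = fabric(native=999)
    deliver(sw1, sw2, 1, build_frame(CAROL, ALICE, b"hello"))
    return [p for p, _ in sw2.receive(2, build_frame(ALICE, CAROL, b"reply"))]


def double_tag_demo(native):
    """Mallory sends outer tag 1, inner tag 20. With native VLAN 1 the outer tag is
    stripped at SW1, the frame crosses untagged, SW2 reads the inner tag: VLAN 20 hit.
    With native VLAN 999 the frame stays tagged 1 and never leaves VLAN 1."""
    sw1, sw2 = fabric(native)
    return deliver(sw1, sw2, 3, build_frame(VICTIM, MALLORY, b"hop", vlans=(1, 20)))


if __name__ == "__main__":
    print("VLAN 10 isolation, SW2 ports reached:", isolation_demo())  # {2}
    print("learned reply path from Carol:", learning_demo())  # [1]
    print("double tag, native VLAN 1:", double_tag_demo(1))  # {3}
    print("double tag, native VLAN 999:", double_tag_demo(999))  # set()
```

Run as a script it prints four results: Alice's frame reaches only Carol's port, Carol's reply follows the learned path instead of flooding, Mallory's double-tagged frame lands on the VLAN 20 server port when the trunk's native VLAN is 1, and goes nowhere once the native VLAN is an unused ID. That last pair is the whole argument for moving the native VLAN off anything that carries hosts.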
Code example
// Simple VLAN mental model
Switch SW1
Port 1 (access, VLAN 10) <-- Alice's laptop
Port 2 (access, VLAN 10) <-- Bob's laptop
Port 3 (access, VLAN 20) <-- Printer
Port 4 (trunk, 10 + 20) <-- to SW2

Switch SW2
Port 1 (trunk, 10 + 20) <-- to SW1
Port 2 (access, VLAN 10) <-- Carol's laptop

To route between VLAN 10 and 20:
L3 switch or router with an interface in each VLAN
Firewall rule enforces which flows are allowed

Simple Cisco-style configuration (reference only):
interface Gi0/1
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface Gi0/4
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport trunk native vlan 999
 switchport nonegotiate
Line-by-line walkthrough
- 1. VLAN mental model
- 2. Switch SW1 header
- 3. Port 1 user in VLAN 10
- 4. Port 2 user in VLAN 10
- 5. Port 3 printer in VLAN 20
- 6. Port 4 trunk up to SW2
- 7. Blank separator
- 8. Switch SW2 header
- 9. Trunk down to SW1
- 10. Port 2 user in VLAN 10
- 11. Blank separator
- 12. Routing requirement header
- 13. L3 router/switch needed between VLANs
- 14. Firewall enforces policy
- 15. Blank separator
- 16. Cisco-style config (reference only)
- 17. Access port config: fixed access mode, VLAN 10
- 18. Portfast skips the STP listening/learning delay on this edge port; BPDU guard err-disables it if a switch ever appears behind it
- 19. Trunk config block (older Catalyst platforms also need switchport trunk encapsulation dot1q before switchport mode trunk)
- 20. Allowed VLAN list: only 10 and 20 cross the trunk
- 21. Native VLAN moved to an otherwise unused ID (999, deliberately absent from the allowed list, so untagged frames arriving on the trunk are dropped) and DTP disabled so the far end cannot negotiate this port's mode
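The port security point in the key points names the control but not the attack it exists for. The following Python model, added here and not part of the original page, runs a MAC flood against a switch with a deliberately tiny CAM table, first without and then with a one-MAC port-security limit on the attacker's port. The table size, port numbers and host labels are constructed; evicting the oldest entry when the table is full stands in for the real-world mix of entry aging and the flood refilling freed slots.

```python
"""CAM-overflow (MAC flooding) against a switch with a small fixed-size table,
with and without port security. Constructed model, not vendor behaviour."""
from collections import OrderedDict
import random

CAM_CAPACITY = 16  # constructed: tiny so the overflow is visible after a few frames
BROADCAST = "ff:ff:ff:ff:ff:ff"


class CamSwitch:
    def __init__(self, ports, max_macs=None):
        self.ports = list(ports)
        self.cam = OrderedDict()        # mac -> port, oldest entry first
        self.max_macs = max_macs or {}  # port -> port-security maximum
        self.seen = {p: set() for p in self.ports}
        self.errdisabled = set()        # ports shut down by a violation

    def receive(self, port, src, dst):
        """Learn src on port (subject to port security), return the egress ports."""
        if port in self.errdisabled:
            return []
        if port in self.max_macs:
            self.seen[port].add(src)
            if len(self.seen[port]) > self.max_macs[port]:
                self.errdisabled.add(port)  # violation mode "shutdown"
                return []
        if src in self.cam:
            self.cam.move_to_end(src)
        elif len(self.cam) >= CAM_CAPACITY:
            self.cam.popitem(last=False)    # table full: the oldest entry is lost
        self.cam[src] = port
        if dst in self.cam and self.cam[dst] != port:
            return [self.cam[dst]]          # known unicast: exactly one port
        return [p for p in self.ports if p != port]  # unknown or broadcast: flood


def mac_flood_demo(port_security):
    """Server on port 1, client on port 2, attacker on port 5 sending 100 frames
    with random source MACs. Returns (egress ports for client->server afterwards,
    whether the attacker's port was err-disabled)."""
    sw = CamSwitch(ports=[1, 2, 3, 4, 5], max_macs={5: 1} if port_security else None)
    sw.receive(1, "server", "client")
    sw.receive(2, "client", "server")  # both legitimate hosts are now in the CAM
    rng = random.Random(0)             # constructed, deterministic flood
    for _ in range(100):
        sw.receive(5, "junk-%06x" % rng.randrange(1 << 24), BROADCAST)
    return sorted(sw.receive(2, "client", "server")), 5 in sw.errdisabled


if __name__ == "__main__":
    print("no port security:", mac_flood_demo(False))    # ([1, 3, 4, 5], False)
    print("port security max 1:", mac_flood_demo(True))  # ([1], True)
```

Without port security the flood pushes the server's entry out of the table, so the client's next unicast frame is flooded to every port, including the attacker's: the switch has become a hub for that flow. With a one-MAC limit the second bogus source err-disables port 5 and the legitimate entries survive.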
Spot the bug
Design: all users in VLAN 1 (default), ATMs in VLAN 1, guest Wi-Fi in VLAN 1, servers in VLAN 1. ‘It works fine and it’s simple.’
Hint: What are the security and performance implications of this design?
Show answer
No segmentation. Guest Wi-Fi can talk to ATMs and servers; a single compromised guest device can pivot across the network. Broadcast traffic hits every device. Redesign with VLANs for tellers, ATMs, servers, management, and guest; enforce routing/firewall policy between VLANs. Avoid putting anything sensitive on the default VLAN 1.
Explain like I'm 5
A switch is a polite waiter: when a table (MAC) orders, the waiter only brings the plate to that table. VLANs are separate dining rooms — the waiter uses the same hallway (trunk) but never mixes up tables between rooms.
Fun fact
Early networks ran on dumb hubs where everyone saw everyone’s traffic. An attacker on the same hub only needed a sniffer (tcpdump, or Ethereal, the tool later renamed Wireshark) to read cleartext passwords off the wire. Switching and VLANs raised the bar, although ARP spoofing and MAC flooding can still drag a switched segment back to that state; encryption is what actually ended the era.
Hands-on challenge
In Packet Tracer or GNS3, build a 2-switch topology with VLAN 10 (tellers) and VLAN 20 (ATMs). Connect switches via a trunk. Add a router or L3 switch to route between VLANs. Verify each VLAN is isolated without routing.
More resources
- Cisco VLAN fundamentals (Cisco)
- Packet Tracer VLAN lab walkthrough (Jeremy’s IT Lab)
- VLAN 802.1Q tagging explained (Wikipedia)