As we know, VLANs (Virtual LANs) divide a switch into multiple logical switches, thereby providing traffic separation and security. VLANs remove the location constraint, allowing PCs at different locations to communicate without compromising security and network isolation. This is accomplished by trunking VLANs between the switches.
Let’s examine a scenario. A company wants to network the HR and Finance departments while isolating them from one another. That is, HR PCs should be able to talk to other HR PCs but not to PCs belonging to the Finance department, and vice versa. This is exactly why we have VLANs.
The switch should be configured with two VLANs: one for HR and another for Finance. Depending on the number of PCs in each department, an appropriate number of switch ports is associated with each VLAN. With that, a PC connected to a port belonging to, say, the HR VLAN can only talk to HR PCs; the same holds for the Finance PCs. The topology looks as shown below:
The VLAN configuration has two steps:
1. Create the VLANs
Switch(config)#vlan 10                 ! Creates vlan 10
Switch(config-vlan)#name HR            ! name of the vlan
Switch(config-vlan)#exit
Switch(config)#vlan 20                 ! Creates vlan 20
Switch(config-vlan)#name Finance
Switch(config-vlan)#exit
2. Associate the ports to VLANs
Switch(config)#int range fa0/1-3       ! associate ports fa0/1, 0/2 & 0/3 to VLAN 10
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 10
Switch(config-if-range)#exit
Switch(config)#int range fa0/4-6       ! associate ports fa0/4, 0/5 & 0/6 to VLAN 20
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 20
The VLAN configuration can be verified by running the show vlan brief command.
Switch#sh vlan br

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/7, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gig0/1, Gig0/2
10   HR                               active    Fa0/1, Fa0/2, Fa0/3
20   Finance                          active    Fa0/4, Fa0/5, Fa0/6
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
With IP addresses set, the PCs can ping only the other PCs in the same department, even though all are connected to the same switch.
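Reading the show vlan brief output by eye works for six ports, but on a real access switch it is worth checking the port-to-VLAN mapping mechanically: that the HR and Finance ports really are isolated from each other, and that no port was forgotten in the default VLAN 1. The following Python script is an added example, not part of the original article; it parses the show vlan brief output shown above (embedded here as a constructed sample) and answers those two questions. The helper names (parse_vlan_brief, same_broadcast_domain, ports_left_in_default_vlan) are my own.

```python
import re
from typing import Dict, List

# Constructed sample: the `show vlan brief` output from the article, reflowed.
SHOW_VLAN_BRIEF = """\
Switch#sh vlan br

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/7, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gig0/1, Gig0/2
10   HR                               active    Fa0/1, Fa0/2, Fa0/3
20   Finance                          active    Fa0/4, Fa0/5, Fa0/6
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
"""

# A VLAN entry starts with the numeric VLAN id; wrapped port lists continue
# on lines that begin with whitespace.
ENTRY_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s*(.*)$")
CONT_RE = re.compile(r"^\s+(\S.*)$")


def _split_ports(text: str) -> List[str]:
    return [p.strip() for p in text.split(",") if p.strip()]


def parse_vlan_brief(output: str) -> Dict[int, dict]:
    """Return {vlan_id: {"name", "status", "ports"}} from `show vlan brief` text."""
    vlans: Dict[int, dict] = {}
    current = None
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = {
                "name": m.group(2),
                "status": m.group(3),
                "ports": _split_ports(m.group(4)),
            }
            vlans[int(m.group(1))] = current
            continue
        m = CONT_RE.match(line)
        if m and current is not None:  # continuation of the previous port list
            current["ports"].extend(_split_ports(m.group(1)))
    return vlans


def port_to_vlan(vlans: Dict[int, dict]) -> Dict[str, int]:
    """Invert the table so each port name maps to the VLAN it is assigned to."""
    return {port: vid for vid, v in vlans.items() for port in v["ports"]}


def same_broadcast_domain(vlans: Dict[int, dict], port_a: str, port_b: str) -> bool:
    """Two access ports can exchange frames only if they sit in the same VLAN."""
    p2v = port_to_vlan(vlans)
    return port_a in p2v and port_b in p2v and p2v[port_a] == p2v[port_b]


def ports_left_in_default_vlan(vlans: Dict[int, dict]) -> List[str]:
    """Audit check: every port never assigned to a VLAN still sits in VLAN 1,
    so a PC plugged into one of these ports lands in the default VLAN rather
    than in HR or Finance."""
    return list(vlans.get(1, {"ports": []})["ports"])


if __name__ == "__main__":
    table = parse_vlan_brief(SHOW_VLAN_BRIEF)
    print("HR ports:      ", table[10]["ports"])
    print("Finance ports: ", table[20]["ports"])
    print("Fa0/1 -> Fa0/4 reachable:", same_broadcast_domain(table, "Fa0/1", "Fa0/4"))
    print("Ports still in VLAN 1:", ports_left_in_default_vlan(table))
```

Run against a live switch, the same script can take the output of show vlan brief captured over SSH; the default-VLAN list is the one to review, since in the output above 20 ports (Fa0/7 through Gig0/2) are still in VLAN 1.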
Now, what if the company wants to extend the network to a branch office that has its own HR and Finance departments, and allow both departments to communicate with their counterparts in the main office? That, my friend, is why we have something called trunks.
A trunk port on the switch is by default a member of all VLANs. In other words, a trunk port can carry the traffic of all VLANs without destroying the VLAN identification on the frames. So by connecting the trunk ports of two geographically separated switches, we not only forward traffic between them but also keep the VLAN tags intact. In our example, the HR PCs of the main office and the branch office can talk to each other but not to the Finance PCs in either office, and vice versa.
The topology now looks as follows:
Switch2 (branch office) has exactly the same configuration as Switch1 (main office), and the PCs belonging to HR and Finance have IP addresses in the same networks as those in the main office.
Now we configure port Fa0/7, which connects the two switches, as a trunk port on both sides.
Switch1(config)#int fa0/7
Switch1(config-if)#switchport trunk encapsulation dot1q   ! VLAN tagging mechanism
Switch1(config-if)#switchport mode trunk                  ! Makes the port trunk

Switch2(config)#int fa0/7
Switch2(config-if)#switchport trunk encapsulation dot1q
Switch2(config-if)#switchport mode trunk
The configured trunk link can be verified using the show interfaces trunk command.
Switch2#sh interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/7       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/7       1-1005

Port        Vlans allowed and active in management domain
Fa0/7       1,10,20

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/7       1,10,20
The Mode column should show on and the Status column trunking, which means the trunk is active.
Trunk encapsulation can be either 802.1Q or ISL (Inter-Switch Link). ISL is Cisco’s proprietary VLAN tagging mechanism, whereas 802.1Q is the IEEE standard and is supported by all vendors, including Cisco. I’ll talk about them later; for now, just know that 802.1Q is the most widely used trunking encapsulation.
With the trunk port set on both switches, the PCs have no problem communicating between the branch office and the main office, yet still only Finance-to-Finance and HR-to-HR.
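To make concrete what "keeping the VLAN tags intact" across the trunk means on the wire, here is an added Python simulation (my own code, not from the article or from Cisco) of the two-switch topology above. It builds an 802.1Q tag (TPID 0x8100 followed by a 16-bit TCI holding the 12-bit VLAN id), inserts it after the source MAC, and models the forwarding rules the text describes: an access port assigns its VLAN to incoming frames and strips tags on the way out, while a trunk port reads the tag on ingress and writes it on egress. It also reproduces the Native vlan 1 line from the show interfaces trunk output: frames in the native VLAN cross the trunk untagged, and an untagged frame arriving on the trunk is placed in VLAN 1. The Switch and Port classes, the flooding behaviour (no MAC learning) and the rule that access ports accept only untagged frames are simplifications I chose for the example.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Tuple

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag follows


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Plain (untagged) Ethernet frame: dst MAC, src MAC, EtherType, payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert an 802.1Q tag after the source MAC. TCI = PCP(3) | DEI(1) | VID(12)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be in 1..4094")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | (vid & 0xFFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def frame_vid(frame: bytes) -> Optional[int]:
    """VLAN id carried in the tag, or None if the frame is untagged."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        return struct.unpack("!H", frame[14:16])[0] & 0xFFF
    return None


def untag_frame(frame: bytes) -> bytes:
    """Remove the 4-byte tag (what an access port does on egress)."""
    return frame if frame_vid(frame) is None else frame[:12] + frame[16:]


@dataclass
class Port:
    mode: str                  # "access" or "trunk"
    vlan: int = 1              # access VLAN, or native VLAN for a trunk
    allowed: FrozenSet[int] = field(default_factory=lambda: frozenset(range(1, 1006)))


class Switch:
    """Toy switch (assumption: floods every frame, no MAC learning)."""

    def __init__(self, name: str):
        self.name = name
        self.ports: Dict[str, Port] = {}

    def access(self, port: str, vlan: int) -> None:
        self.ports[port] = Port("access", vlan)

    def trunk(self, port: str, native: int = 1) -> None:
        self.ports[port] = Port("trunk", native)

    def classify(self, ingress: str, frame: bytes) -> Optional[int]:
        """VLAN the ingress frame belongs to, or None if it is dropped."""
        p, vid = self.ports[ingress], frame_vid(frame)
        if p.mode == "access":
            return p.vlan if vid is None else None   # simplification: tagged frames dropped
        vid = p.vlan if vid is None else vid         # trunk: untagged -> native VLAN
        return vid if vid in p.allowed else None

    def forward(self, ingress: str, frame: bytes) -> Dict[str, bytes]:
        """Copies of the frame per egress port, tagged or untagged as the port requires."""
        vid = self.classify(ingress, frame)
        if vid is None:
            return {}
        inner, out = untag_frame(frame), {}
        for name, p in self.ports.items():
            if name == ingress:
                continue
            if p.mode == "access" and p.vlan == vid:
                out[name] = inner                                     # tag stripped
            elif p.mode == "trunk" and vid in p.allowed:
                out[name] = inner if vid == p.vlan else tag_frame(inner, vid)  # native untagged
        return out


def build_topology() -> Tuple[Switch, Switch]:
    """Switch1 (main office) and Switch2 (branch) configured as in the article."""
    switches = []
    for name in ("Switch1", "Switch2"):
        sw = Switch(name)
        for i in (1, 2, 3):
            sw.access(f"Fa0/{i}", 10)    # HR
        for i in (4, 5, 6):
            sw.access(f"Fa0/{i}", 20)    # Finance
        sw.trunk("Fa0/7", native=1)      # dot1q trunk, native VLAN 1
        switches.append(sw)
    return switches[0], switches[1]


def send_between_offices(sw1: Switch, sw2: Switch, ingress: str, frame: bytes) -> Dict[str, bytes]:
    """Frame enters sw1 on `ingress`; whatever leaves its Fa0/7 trunk is fed into sw2's Fa0/7.
    Returns {"SwitchN:port": frame} for every copy delivered to an access port."""
    delivered = {}
    for port, f in sw1.forward(ingress, frame).items():
        if port == "Fa0/7":
            for rport, rf in sw2.forward("Fa0/7", f).items():
                delivered[f"{sw2.name}:{rport}"] = rf
        else:
            delivered[f"{sw1.name}:{port}"] = f
    return delivered


if __name__ == "__main__":
    sw1, sw2 = build_topology()
    # Constructed sample: a broadcast from an HR PC on Switch1 Fa0/1.
    hr_bcast = build_frame(b"\xff" * 6, bytes.fromhex("02aabbccdd01"), 0x0800, b"hello")
    print("On the trunk:", frame_vid(sw1.forward("Fa0/1", hr_bcast)["Fa0/7"]))
    print("Delivered to:", sorted(send_between_offices(sw1, sw2, "Fa0/1", hr_bcast)))
```

Running it shows the frame leaving Switch1's Fa0/7 with VLAN id 10 in its tag and arriving only at the HR ports of both switches, never at Fa0/4 to Fa0/6; the Finance side behaves symmetrically with VLAN 20. The native-VLAN case is the one to keep in mind when reading show interfaces trunk: anything that reaches the trunk without a tag is treated as VLAN 1 traffic.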
Note: Although I explained trunking switches between a main office and a branch office, this is not usually done in real-world scenarios. Trunking is usually done to connect switches on different floors or in neighboring buildings.