Exercise 13: Setting Up VLANs for Network Segmentation

Objective

Learn how to configure Virtual LANs (VLANs) on a managed switch to isolate network traffic and improve security. Understand how to enable communication between VLANs using inter-VLAN routing.

Scenario

You are a network administrator tasked with segmenting the network of a growing company to enhance security and reduce network congestion. The company requires separate VLANs for the HR Department (VLAN 10) and the IT Department (VLAN 20). Your goal is to configure VLANs on a managed switch, assign devices to the appropriate VLANs, and set up inter-VLAN routing to allow controlled communication between departments.

⚠️ Important: This exercise must be performed in a controlled lab environment. Incorrect VLAN configurations on production networks can cause connectivity issues.

Lab Instructions

Step 1: Set Up the Lab Environment

• Managed Switch: Cisco or similar switch supporting VLANs.
• Devices:
  • Two PCs for HR Department (e.g., PC1 and PC2).
  • Two PCs for IT Department (e.g., PC3 and PC4).
  • Router for inter-VLAN routing.

Step 2: Configure VLANs on the Managed Switch

Access the Switch:

Connect via console, SSH, or Telnet.

Enter Global Configuration Mode:

enable 
configure terminal

Create VLANs:

vlan 10 
name HR 
vlan 20 
name IT

Assign Ports to VLANs:

interface range fa0/1 - 2 
switchport mode access 
switchport access vlan 10 

interface range fa0/3 - 4 
switchport mode access 
switchport access vlan 20

Verify VLAN Configuration:

show vlan brief

Step 3: Verify VLAN Isolation

• Test Connectivity:
  • On PC1 (HR), ping PC2 (HR) → Success
  • On PC1 (HR), ping PC3 (IT) → Fail
  • On PC3 (IT), ping PC4 (IT) → Success

Step 4: Configure Inter-VLAN Routing (Router-on-a-Stick)

Connect the Router to the Switch:

Use port fa0/5 to connect the router.

Configure Sub-Interfaces on the Router:

interface fa0/0
no shutdown

interface fa0/0.10
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0

interface fa0/0.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0

Configure the Switch Port as a Trunk:

interface fa0/5 
switchport mode trunk

Step 5: Test Inter-VLAN Communication

• Test Connectivity:
  • On PC1 (HR), ping PC3 (IT) → Success
  • On PC3 (IT), access PC2 (HR) → Success

Step 6: Implement Access Control (Optional)

To restrict access between VLANs, configure Access Control Lists (ACLs):

access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 permit ip any any

interface fa0/0.10
ip access-group 100 in

Solution & Explanation

VLAN Configuration

• VLAN 10 (HR): Isolates HR devices.
• VLAN 20 (IT): Isolates IT devices.
• Devices in different VLANs cannot communicate without routing.

Inter-VLAN Routing

• Configured sub-interfaces on the router with 802.1Q encapsulation enable communication between VLANs.
• Trunk ports allow traffic from multiple VLANs to pass between the switch and router.

Access Control

• ACLs provide granular control over which VLANs can communicate.

Testing & Verification

• Isolation: Devices within the same VLAN can communicate; cross-VLAN communication is blocked by default.
• Inter-VLAN Routing: Communication across VLANs is possible after router configuration.
• ACLs: Verify restrictions are enforced by testing blocked communication.

Security Benefits of VLANs

1. Traffic Segmentation: Limits broadcast traffic to specific VLANs, reducing network congestion.
2. Access Control: Prevents unauthorized devices from accessing sensitive network areas.
3. Containment of Threats: Isolates network segments to limit malware spread.
4. Enhanced Performance: Reduces unnecessary traffic across the network.

Additional Script (Optional)

Automate VLAN creation and port assignments (Cisco Switch):

#!/bin/bash
# VLAN Configuration Script

# Create VLANs
vlan 10
name HR
vlan 20
name IT

# Assign Ports to VLANs
interface range fa0/1 - 2
switchport mode access
switchport access vlan 10

interface range fa0/3 - 4
switchport mode access
switchport access vlan 20

# Configure Trunk Port
interface fa0/5
switchport mode trunk

Conclusion

In this exercise, you configured VLANs on a managed switch to isolate network traffic and enhance security. You also set up inter-VLAN routing to enable controlled communication between VLANs. VLANs are a critical tool for improving network security, performance, and management by segmenting network traffic effectively.