Lab 10: Departmental VLANs — 3 Sessions

0%

Lab 10: Departmental VLANs

Companion lab to Section 19 Understanding Switches.

Not marked. No file submission is required. Save your .pkt files between sessions so you can pick up where you left off.

Overview

SessionModeWhat you doWhat you see
1SoloBuild a three-department LAN from scratch; create and assign VLANs entirely from the switch CLI.Same-department pings succeed; all cross-department pings fail.
2SoloAdd a DHCP server per VLAN so all 10 hosts receive addresses automatically.Three isolated subnets; broadcasts stay inside each VLAN.
3PairsConnect two students’ switches via a trunk link (configured via CLI) using Multiuser.All three VLANs cross the trunk; VLAN isolation still holds.

Prerequisites

IOS CLI Quick Reference

What you wantCommand
Enter privileged modeenable
Enter global configconfigure terminal
Create a VLANvlan <id> then name <name>
Select one interfaceinterface Fa0/<n>
Select a range of interfacesinterface range Fa0/<a>-<b>
Make port an access portswitchport mode access
Assign VLAN to access portswitchport access vlan <id>
Make port a trunkswitchport mode trunk
Exit one levelexit
Exit to privileged modeend
Verify all VLANsshow vlan brief
Verify one portshow interfaces Fa0/<n> switchport

Shared Network Plan

Three separate subnets, one per VLAN. All sessions use these throughout.

ParameterVLAN 10 — HRVLAN 20 — SalesVLAN 30 — Students
Network192.168.10.0/24192.168.20.0/24192.168.30.0/24
Subnet mask255.255.255.0255.255.255.0255.255.255.0
DHCP server (static)192.168.10.5192.168.20.5192.168.30.5
DHCP scope.10.100.10.100.10.100

VLAN and Port Plan

Switch portVLANDevice
Fa0/120Sales-PC1
Fa0/220Sales-PC2
Fa0/310HR-PC1
Fa0/410HR-PC2
Fa0/520Sales-DHCP (Session 2+)
Fa0/610HR-DHCP (Session 2+)
Fa0/7TrunkUplink to second switch (Session 3)
Fa0/830Student-PC1
Fa0/930Student-PC2
Fa0/1030Student-PC3
Fa0/1130Student-PC4
Fa0/1230Student-PC5
Fa0/1330Student-PC6
Fa0/1430Student-DHCP (Session 2+)

Session 1 — Solo: Build the Topology and Configure VLANs via CLI

Time: ~50 min  •  Mode: Individual  •  Save as: Lab10_S1_<yourname>.pkt

Build the three-department LAN from scratch, then use IOS CLI commands to create VLANs and assign ports. No GUI Config tab for VLAN work — everything goes through the switch terminal.

1.1 Build the topology
  1. Open Packet Tracer → File → New.
  2. Drag onto the workspace:
    • 1 × 2960 Switch (Switches category)
    • 4 × PC — rename: HR-PC1, HR-PC2, Sales-PC1, Sales-PC2
    • 6 × PC — rename: Student-PC1 through Student-PC6
  3. Connect using Copper Straight-Through cables exactly as the port plan shows:
    • Sales-PC1Fa0/1, Sales-PC2Fa0/2
    • HR-PC1Fa0/3, HR-PC2Fa0/4
    • Student-PC1Fa0/8Student-PC6Fa0/13
  4. Wait for all link lights to turn green.
1.2 Assign static IP addresses

Click each PC → Desktop → IP Configuration → Static.

DeviceIP AddressSubnet Mask
HR-PC1192.168.10.11255.255.255.0
HR-PC2192.168.10.12255.255.255.0
Sales-PC1192.168.20.11255.255.255.0
Sales-PC2192.168.20.12255.255.255.0
Student-PC1192.168.30.11255.255.255.0
Student-PC2192.168.30.12255.255.255.0
Student-PC3192.168.30.13255.255.255.0
Student-PC4192.168.30.14255.255.255.0
Student-PC5192.168.30.15255.255.255.0
Student-PC6192.168.30.16255.255.255.0

Leave Default Gateway and DNS blank for now.

1.3 Baseline test before VLANs

All ports are in VLAN 1 (factory default). From HR-PC1 → Desktop → Command Prompt:

ping 192.168.10.12

Succeeds. Now:

ping 192.168.30.11

Fails — different subnet, no router. After VLAN configuration the cross-subnet ping fails for a new Layer 2 reason. Record both results.

1.4 Open the switch CLI

Click the switch → CLI tab. Press Enter to dismiss the banner. You land at:

Switch>
1.5 Create VLANs 10, 20, and 30 via CLI

Enter privileged mode, global config, then define all three VLANs:

Switch> enable
Switch# configure terminal
Switch(config)# vlan 10
Switch(config-vlan)# name HR
Switch(config-vlan)# vlan 20
Switch(config-vlan)# name Sales
Switch(config-vlan)# vlan 30
Switch(config-vlan)# name Students
Switch(config-vlan)# end

Verify the VLANs were created:

Switch# show vlan brief

You should see VLAN 10 (HR), 20 (Sales), and 30 (Students) listed as active, each with no ports assigned yet.

Tip. You can chain VLAN creation: after vlan 10 / name HR, simply type vlan 20 without exiting — IOS stays in VLAN config mode and switches context.
1.6 Assign ports to their VLANs via CLI

Use interface range to assign multiple ports at once:

Switch# configure terminal

Switch(config)# interface range Fa0/1-2
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 20
Switch(config-if-range)# exit

Switch(config)# interface range Fa0/3-4
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 10
Switch(config-if-range)# exit

Switch(config)# interface range Fa0/8-13
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 30
Switch(config-if-range)# end

Verify the assignments:

Switch# show vlan brief

VLAN 10: Fa0/3, Fa0/4  |  VLAN 20: Fa0/1, Fa0/2  |  VLAN 30: Fa0/8–13

If you see % Invalid input detected: check your prompt level. Use end to return to Switch# and re-enter from configure terminal.
1.7 Verify same-VLAN communication

From HR-PC1: ping 192.168.10.12 — succeeds.

From Sales-PC1: ping 192.168.20.12 — succeeds.

From Student-PC1: ping 192.168.30.16 — succeeds.

1.8 & 1.9 Verify cross-VLAN isolation and Simulation mode

From HR-PC1:

ping 192.168.20.11

Times out. Also try ping 192.168.30.11 — also times out. Repeat from Sales-PC1 and Student-PC1 to confirm all three VLANs are isolated from each other.

Simulation mode tip. Switch to Simulation Mode and step through a cross-VLAN ping. Watch the ICMP echo request enter the switch and stop — never forwarded because source and destination ports are in different VLANs.

Session 1 completion checklist

Session 2 — Solo: DHCP Servers per VLAN

Time: ~45 min  •  Mode: Individual  •  Save as: Lab10_S2_<yourname>.pkt

Open your Session 1 file. Add one DHCP server per VLAN, assign their ports via CLI, and observe that broadcasts stay inside each VLAN.

2.1 Add the DHCP servers
  1. Drag three Server-PT devices onto the workspace. Rename: HR-DHCP, Sales-DHCP, Student-DHCP.
  2. Connect: HR-DHCPFa0/6, Sales-DHCPFa0/5, Student-DHCPFa0/14.
2.2 Assign static IPs to the servers
ServerIP AddressSubnet Mask
HR-DHCP192.168.10.5255.255.255.0
Sales-DHCP192.168.20.5255.255.255.0
Student-DHCP192.168.30.5255.255.255.0

Click each server → Desktop → IP Configuration → Static.

2.3 Assign server ports to their VLANs (CLI)

Click the switch → CLI tab:

Switch# configure terminal

Switch(config)# interface Fa0/6
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# exit

Switch(config)# interface Fa0/5
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 20
Switch(config-if)# exit

Switch(config)# interface Fa0/14
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 30
Switch(config-if)# end

Verify:

Switch# show vlan brief

VLAN 10 now includes Fa0/3, Fa0/4, Fa0/6. VLAN 20 includes Fa0/1, Fa0/2, Fa0/5. VLAN 30 includes Fa0/8–13, Fa0/14.

2.4 Configure DHCP on HR-DHCP
  1. Click HR-DHCPServices → DHCP.
  2. Edit pool HR-Pool: Default Gateway 192.168.10.1, DNS 8.8.8.8, Start IP 192.168.10.10, Mask 255.255.255.0, Max Users 91.
  3. Click SaveService: On.
2.5 Configure DHCP on Sales-DHCP
  1. Click Sales-DHCPServices → DHCP.
  2. Pool Sales-Pool: Gateway 192.168.20.1, DNS 8.8.8.8, Start 192.168.20.10, Mask 255.255.255.0, Max 91.
  3. Click SaveService: On.
2.6 Configure DHCP on Student-DHCP
  1. Click Student-DHCPServices → DHCP.
  2. Pool Student-Pool: Gateway 192.168.30.1, DNS 8.8.8.8, Start 192.168.30.10, Mask 255.255.255.0, Max 91.
  3. Click SaveService: On.
2.7 Switch all PCs to DHCP and verify

For each of the 10 PCs → Desktop → IP Configuration → DHCP. Expected address ranges:

PC(s)Expected range
HR-PC1, HR-PC2192.168.10.10.100
Sales-PC1, Sales-PC2192.168.20.10.100
Student-PC1 – PC6192.168.30.10.100
If a PC shows 169.254.x.x: DHCP Discover couldn’t reach the server. Run show vlan brief on the switch — is the server port in the right VLAN? Is Service set to On?

Re-verify same-VLAN pings succeed and all cross-VLAN pings still time out.

2.8 Check the DHCP lease tables

On each DHCP server → Services → DHCP, scroll to the bottom:

  • HR-DHCP: 2 entries with 192.168.10.x addresses.
  • Sales-DHCP: 2 entries with 192.168.20.x addresses.
  • Student-DHCP: 6 entries with 192.168.30.x addresses.

Each server only served the hosts inside its own VLAN. Neither reached the other departments.

Session 2 completion checklist

Session 3 — Pairs: Inter-Switch Trunking with Multiuser

Time: ~50 min  •  Mode: Pairs  •  Save as: Lab10_S3_<yourname>.pkt

Each student runs their own Session 2 topology. Connect the two switches via a trunk link using Packet Tracer Multiuser, then configure the trunk port via CLI. Verify all three VLANs cross the trunk while VLAN isolation holds.

3.1 Verify host-OS network reachability

Windows

ipconfig

macOS / Linux

ifconfig

Note your IP. From Student B’s host: ping <Student A’s IP>. If it fails, use the Tailscale fallback.

Student A must allow inbound TCP 38000:

  • Windows: Windows Defender Firewall → Allow an app → Packet Tracer.
  • macOS: System Settings → Network → Firewall → allow Packet Tracer.
  • Linux: sudo ufw allow 38000/tcp
3.2 & 3.3 Student A — set up Multiuser listen
  1. Open Lab10_S2_<A>.pkt. Drag a Multiuser Connection cloud onto the workspace. Connect it to Fa0/7.
  2. Extensions → Multiuser → Listen… Port: 38000, Password: lab10trunk, New Remote Network: Always Accept → OK.
  3. Share with Student B: host IP, port 38000, password lab10trunk.

Save as Lab10_S3_<A>.pkt.

3.4 Student B — connect to Student A
  1. Open Lab10_S2_<B>.pkt. Drag a Multiuser Connection onto your workspace. Connect it to Fa0/7.
  2. Click the cloud → Outgoing Connections: Peer Address <A’s IP>, Port 38000, Password lab10trunk → Connect.
  3. Cloud turns green when the link is up.
3.5 Configure the trunk port on both switches (CLI)

Each student runs this on their own switch → CLI tab:

Switch# configure terminal
Switch(config)# interface Fa0/7
Switch(config-if)# switchport mode trunk
Switch(config-if)# end

Verify:

Switch# show interfaces Fa0/7 switchport

Look for Operational Mode: trunk and Trunking Encapsulation: dot1q.

Note. On a Cisco 2960, trunk ports allow all VLANs by default — no need to explicitly add VLANs to the allowed list.
3.6 – 3.8 Verify all VLANs cross the trunk, isolation holds

Exchange IPs with Student B (run ipconfig on their PCs).

VLAN 10 — HR across trunk:

ping 192.168.10.xx     <-- Student B's HR-PC1

Should succeed.

VLAN 20 — Sales across trunk:

ping 192.168.20.xx     <-- Student B's Sales-PC1

Should succeed.

VLAN 30 — Students across trunk:

ping 192.168.30.xx     <-- Student B's Student-PC1

Should succeed.

Cross-VLAN isolation across trunk:

ping 192.168.20.xx     <-- Student B's Sales-PC1 (from your HR-PC1)

Should time out. Also verify your HR-PC1 → Student B’s Student-PC1 times out, and your Student-PC1 → Student B’s Sales-PC1 times out.

Simulation mode tip. Step through a VLAN 10 ping across the trunk. As the frame exits Fa0/7, observe the 802.1Q tag with VLAN ID 10. When it arrives at Student B’s switch, the tag is stripped and the frame enters VLAN 10 on their side.

Session 3 completion checklist

Tailscale Fallback (Session 3 only)

Skip this section if your host-OS ping in step 3.1 already worked.

If campus Wi-Fi uses client isolation, install Tailscale on both computers, join the same tailnet, and use the 100.x.x.x Tailscale IP for the Multiuser Outgoing Connection. Full instructions are in Lab 9, Session 2.6.

Common Gotchas

SymptomLikely causeFix
PC shows 169.254.x.xServer port in wrong VLAN, or DHCP service OffRun show vlan brief — verify the server’s port is listed under the correct VLAN. Turn Service On.
show vlan brief shows VLAN but no portsPort assignment step was skippedRe-run the interface range / switchport access vlan commands.
% Invalid input detectedTypo or wrong IOS prompt levelUse end to return to Switch#, then re-enter from configure terminal.
Same-VLAN ping fails after DHCPPC received address from wrong poolRun ipconfig — if HR-PC shows 192.168.20.x, its port is in VLAN 20. Fix: switchport access vlan 10.
VLAN not in show vlan briefVLAN not created yetRun vlan <id> / name <name> from global config.
Multiuser cloud stays redWrong IP, password, or firewall blocks 38000Allow inbound TCP 38000 on Student A. Confirm host-OS ping works first.
Trunk port doesn’t carry VLANsPort not in trunk mode on one or both sidesRun show interfaces Fa0/7 switchport. Re-run switchport mode trunk if needed.
Cross-VLAN ping across trunk succeedsBoth PCs in same VLAN on one switchRun show vlan brief on both switches and compare membership.

Quick Reflection Questions

  1. Why do you enter switchport mode access before switchport access vlan? What would happen if you skipped it?
  2. Why does each VLAN need its own DHCP server (or a DHCP relay agent)?
  3. What is the difference between an access port and a trunk port?
  4. After configuring the trunk, why can A’s HR devices reach B’s HR devices but not B’s Sales devices?
  5. What would you need to add to allow controlled communication between the three VLANs?
  6. Which IOS command would you use in a real network to confirm a port is carrying the correct VLAN?
All done. This lab is not marked — nothing to submit. If you finish early, add an HTTP server to HR-DHCP (Services → HTTP → edit index.html) and visit http://192.168.10.5 from an HR PC’s Web Browser. Then try from a Sales PC or Student PC — the request should time out.