VLANs and Trunks Packet Tracer 6.1 Activity

VLANs and Trunks – Activity Overview

In this graded Packet Tracer 6.1 activity you will configure two Cisco Catalyst 2960 switches with VLANs and Trunks. The tasks include named VLANs, a trunk between two switches, and a management IP address on each switch using switched virtual interfaces or SVIs. You will also need to configure hostnames on the switches and each PC, with an IP address and subnet mask.

VLANS and Trunks Packet Tracer diagram and physical topology


1. Set the PC’s IP addresses based on the host address label and VLAN color code in the topology diagram
2. Assign the switch hostnames based on their labels.
3. Configure the switch VLAN numbers and VLAN names according to the diagram.
4. Configure Interface VLAN88 (SVI) addresses on both switches according to the diagram.
5. Change the switchports as access ports and assign them to VLANs according to the diagram.
6. Configure G0/1 as a Trunk. Allow the listed VLANs only across the trunk and configure the Native VLAN as shown
7. Shutdown the G0/2 interface.


For this graded activity you will need Packet Tracer version 6.1 or higher.


IOS CLI Commands for Switch S1

Switch> enable
Switch# configure terminal
Switch(config)# hostname S1
S1(config)# vlan 10
S1(config-vlan)# name students
S1(config-vlan)# vlan 20
S1(config-vlan)# name faculty
S1(config-vlan)# vlan 30
S1(config-vlan)# name administration
S1(config-vlan)# vlan 88
S1(config-vlan)# name management
S1(config-vlan)# vlan 99
S1(config-vlan)# name native
S1(config-vlan)# exit
S1(config)# int range f0/1 – 8
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 10
S1(config-if)# int range f0/9 – 16
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 20
S1(config-if)# int range f0/17 – 23
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 30
S1(config-if)# int f0/24
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 88
S1(config-if)# int vlan 88
S1(config-if)# ip address
S1(config-if)# int g0/1
S1(config-if)# switchport mode trunk
S1(config-if)# switchport trunk allowed vlan 10,20,30,88,99
S1(config-if)# switchport trunk native vlan 99
S1(config-if)# int g0/2
S1(config-if)# shut

Switch & VLAN Packet Tracer Challenge

Switch & VLAN Packet Tracer Challenge Overview

A Packet Tracer graded activity. It covers basic Cisco CCNA switch configurations, VLANs, native VLAN, trunk ports, port-security, and setting up secure remote administration with SSH. Great practice for the the Cisco CCNA!


The Packet Tracer file is created with Packet Tracer 5.3.3. The Packet Tracer Activity file will track your progress and give you a completion percentage and point total. You can download it here: BasicConfig-VLAN-Trunk-PortSec-SSH-challenge.zip

Activity Instructions

Configure the Network according to the Topology Diagram and Labels.
When you are finished, the PCs on the Student VLAN should be able to ping each other and so should the PCs on the Faculty VLAN. The Admin PC should be able to SSH into S1 and S2 from the command prompt (Eg. PC>ssh -l admin

1. IP address (see topology),
2. subnet mask (see topology),
3. default gateway address (first usable address in network)

Cisco 2960 Switches: S1 & S2
1. name: S1, S2
2. enable password, md5 encrypted: class
3. domain name: danscourses.com
4. message of the day banner: Unauthorized access is prohibited!
5. console password: cisco
6. vty 0 15 password: cisco
7. Security RSA Key size: 1024
8. SSH version 2
9. vty: ssh only
10. VLAN 10: student
11. VLAN 20: faculty
12. VLAN 99: Mgt
13. Interface VLAN 99: S1-IP address, S2-IP address
14. Native VLAN 99
15. fa0/1 Trunk
16. fa0/2-0/13 access VLAN 10
17. fa0/14-0/24 access VLAN 20
18. Gi1/1 access VLAN 99
19. Encrypt all passwords
20. Save running-config to startup-config

Cisco 2960 Switch: S1 Only
1. Gi1/1 Switchport Port-Security, sticky, maximum 1 mac address, violation shutdown

Packet Tracer Switching Final

Switching Practice Final – Packet Tracer

I created a Packet Tracer activity for a CCNA Switching class final. I hope this Packet Tracer final exercise will help prepare you for your VLAN and Switching final, as well as any cumulative lab simulation involving switching and VLANs. The packet tracer involves VLANs, VTP, STP, Inter-VLAN routing, port security and wireless. The instructions for the lab final are included in the Packet Tracer file. You can download it here: CCNA3-dansFinal.zip

Note: This lab was created for the older CCNA 4.0 Switching curriculum which at the time was part of the CCNA3 course. The switching content material is now part of the CCNA2 course

Cisco IOS Commands

You need to know the following commands for my Packet Tracer Switching Practice Final (see below). The commands below use sample data only, you will need to fill in your own specific names and numbers based on the requirements of the lab.

switch# show running-config
switch# show vlan
switch# show vtp status
switch# show spanning-tree
switch# configure terminal
switch(config)# line console 0
switch(config-line)# password cisco
switch(config-line)# login
switch(config)# line vty 0 15
switch(config-line)# password cisco
switch(config-line)# login
switch(config)# enable secret class
switch(config)# vlan 5
switch(config-vlan)# name danscourses-vlan
switch(config)# vtp mode server
switch(config)# vtp mode client
switch(config)# vtp domain dansvtpdomain
switch(config)# vtp password danspass
switch(config)# spanning-tree vlan 1-1005 priority 4096
switch(config)# int vlan 99
switch(config-if)# ip address
switch(config)# ip default-gateway
switch(config)# int range fa0/1-3
switch(config-if-range)# switchport mode trunk
switch(config-if-range)# switchport trunk allowed vlan 1-50
{loadposition adposition6}switch(config-if-range)# switchport trunk native vlan 22
switch(config)# int fa0/10
switch(config-if)# switchport mode access
switch(config-if)# switchport access vlan 10
switch(config-if)# switchport port-security
switch(config-if)# switchport port-security maximum 3
switch(config-if)# switchport port-security violation shutdown
switch(config-if)# switchport port-security mac-address sticky
switch# copy run start

router# show running-config
router# show ip route
router# configure terminal
router(config)# line console 0
router(config-line)# password cisco
router(config-line)# login
router(config)# line vty 0 4
router(config-line)# password cisco
router(config-line)# login
router(config)# enable secret class
router(config)# int fa0/0
router(config-if)# no shutdown
router(config)# int fa0/0.5
router(config-subif)# encapsulation dot1q 5
router(config-subif)# ip address
router(config)# int fa0/0.44
router(config-subif)# encapsulation dot1q 44 native
router(config-subif)# ip address
router# copy run start


{loadposition adposition4}


{loadposition adposition5}Dynamic Trunking Protocol (DTP) is a Cisco proprietary protocol, that when enabled and configured correctly, uses advertisements to contact the switch on the other end of the link, and auto-negotiate a switchport to either an access or trunk link. When a switchport on either end of the link is misconfigured you will end up with a broken link (see chart below). DTP is enabled by default on the Cisco switches that are commonly used in the CCNA curriculum. There are four switchport modes that DTP will negotiate with in order to determine whether the link will be a trunk or an access link, the four modes are: Access, Trunk, Dynamic Auto, and Dynamic Desirable. The default switchport mode when DTP is enabled is Dynamic Auto. If both switches on either end of a link have DTP enabled, and both switchports are by default in Dynamic Auto mode then the resulting link modes will be Access on both ends of the link. By contrast, if one switchport, on one end of the link, is in Dynamic Auto mode, and the other switchport on the other end of the link, is configured for Trunk mode, then the DTP negotiation will result in the Dynamic Auto switchport changing its mode to Trunk mode and the link will become a trunk. See the chart below for the result when two DTP enabled Cisco switches negotiate switchport modes. Since only Cisco switches support DTP, when connecting to a non-Cisco switch DTP should be disabled.



{loadposition adposition9}

The following chart shows how the link will auto negotiate when DTP is enabled on both switches and different DTP modes are configured on either end of the link. When DTP is enabled by default on a switch, the default switchport mode is Dynamic Auto.

DTP auto-negotiation resulting link states
Port Mode Access Trunk Dynamic Auto Dynamic Desirable
Access access not recommended access access
Trunk not recommended trunk trunk trunk
Dynamic Auto access trunk access trunk
Dynamic Desirable access trunk trunk trunk


{loadposition adposition10}

Video Tutorial – Packet Tracer

In the following video tutorial, I demonstrate in Packet Tracer, how two Cisco switches running DTP, are able to auto-negotiate the link to either a trunking or access state. If you have Packet Tracer and would like to follow along with the demonstration you can download my PT files here: DTP-1-begin.zipDTP-1-Finished.zip 

{loadposition adposition4}

{loadposition adposition8}


VLANs & Voice PT Lab

Video Tutorials

In the following videos, I build off of previous Packet Tracer video tutorials (see VLANs & Trunking PT Lab) and add a trunk to a router, DHCP services, and a voice VLAN for VOIP phones. The tutorials should be easy to follow along with, if you have a current version of Packet Tracer, 5.3.2 or higher.

In this part, I configure a trunk to a router, subinterfaces, 802.1Q encapsulation, and a Voice VLAN

In this part, I configure DHCP services on the router, telephony services, and VOIP phones

Configure a Switch for SSH Secure Access

SSH Overview

The ability to remotely manage your Cisco switch or router is very important. Network administrators are usually not sitting next to the switch or router with a laptop and a console interface connection. There are various methods of managing a network device like a switch or router, remotely over the network. Remote management can be accomplished through a browser based interface (web browser) or more commonly through a terminal interface (CLI). Cisco switches and routers can be configured to use Telnet or SSH for remote terminal access. Telnet is not desirable because it is an unencrypted protocol that sends messages in clear text over the network. SSH is preferred to Telnet because it uses strong key based, encryption techniques to secure data transmission.

Video Tutorials

In the tutorial below, I use Packet Tracer to demonstrate how to configure a Cisco switch to accept SSH terminal connections.  The tutorial covers creating a management VLAN, assigning switchports to VLANs, configuring an IP address for the switch on a virtual interfaces, generating a public and private key pair, configuring the SSH server, and connecting from two different SSH clients.

Click here to download the starter file: CLI-SSHaccess-begin.zip

VLANs and Trunks

VLANs Overview

VLANs – A switches is used to set up a local area network (LAN). A VLAN stands for a virtual local area network. By default, all of the ports on a Cisco switch are part of the same default VLAN (VLAN1) and therefore the same network. A VLAN is a network and a network is a broadcast domain. If you configure various switch ports for separate VLANs, then the devices on those ports will belong to separate VLANs and therefore, will be segmented into separate broadcast domains and networks. This is effectively like dividing a switch into multiple switches. This is cost effective, because instead of having multiple switches, each for a different network, you can have one switch configured for multiple VLANs and you can assign the ports on that switch to belong to whatever VLAN you need the host to belong to.

VLAN Types

Data VLAN – A data VLAN carries only user data not management data, control data or voice data.

Default VLAN – On a Cisco switch the default VLAN is VLAN1. This means that by default, when a Cisco switch boots up for the first time all the ports are automatically assigned to the default VLAN, VLAN1. You cannot delete or rename VLAN1 but you can assign the ports on the switch to a different VLAN. It is considered best practice to make all of the user ports on the switch belong to a different default VLAN, one other than VLAN1. In this way, control data such as CDP and STP (spanning tree protocol) which are by default carried on VLAN1 would be on a separate VLAN from user data.

Native VLAN – The native VLAN, if not explicitly configured, will default to the default VLAN, (VLAN1). The Native VLAN is configured for an 802.1Q Trunk port. 802.1Q trunks carry traffic from multiple VLANs by tagging the traffic with VLAN identifiers (Tagged Traffic) which identifies which packets are associated with which VLANs, and they can also carry non VLAN traffic from legacy switches or non 802.1Q compliant switches (Untagged Traffic). The switch will place untagged traffic on the Native VLAN by using a PVID identifier. Native VLAN traffic is not tagged by the switch. It is a best practice to configure the Native VLAN to be different than VLAN1 and to configure it on both ends of the trunk.

Management VLAN – The management VLAN is any VLAN you configure to allow a host to connect to the switch and remotely manage it. The management VLAN will need to be configured with an IP address and subnet mask to allow a manager to connect to the switch by either a web interface (HTTP), Telnet, SSH, or SNMP.

VLAN ID Ranges

Normal Range

  • 1 to 1005
  • VLAN1 (default), created by default, cannot be deleted
  • VLAN1002-1005 (Token Ring and FDDI default), created by default and cannot be deleted
  • Stored in the VLAN.dat file in Flash memory

Extended Range

  • 1006 – 4094
  • Extended VLAN range used by ISPs
  • Stored in Running-Config

Trunks – If you have a switch that has ports variously configured on four different VLANs, then that switch has four different networks on it. When you connect that switch to a router or to another switch you will need four ethernet connections or links, one for each VLAN/network. A more cost effective way to connect a switch with multiple VLANs to a router or switch would be to configure a Trunk. A Trunk is a special kind of port configuration which allows multiple VLANs to travel over one link. This way multiple networks can travel over one trunk instead of wasting valuable ports to connect from switch to switch or switch to router. A Cisco trunk by default uses the 802.1Q protocol. The 802.1Q protocol places and strips VLAN tags on packets to identify which VLAN they belong to.

CLI Commands

switch#show vlan
switch#show interfaces trunk

switch(config)#vlan <vlan number>
switch(config-vlan)#name <vlan name>

switch(config)#interface fa0/x
switch(config-if)#switchport mode access
switch(config-if)#switchport access vlan <1-4096>

switch(config-if)#switchport mode trunk
switch(config-if)#switchport trunk allowed vlan <1-1005>
switch(config-if)#switchport trunk native vlan <1-1005>

Configuring VLANs and Trunks Video Tutorials

In the video tutorials below I demonstrate how to configure VLANs and Trunks on a Cisco switch using Packet Tracer.