Introduction
In modern enterprise networks, efficiency, security, and scalability are paramount. Traditional flat networks, where all devices reside in a single broadcast domain, quickly become unmanageable as they grow. This is where Virtual Local Area Networks (VLANs) emerge as a foundational technology, offering a powerful solution for segmenting a physical network into multiple logical networks.
This chapter serves as your essential guide to VLAN fundamentals. We will demystify the core concepts, beginning with the purpose and benefits of VLANs. A deep dive into the IEEE 802.1Q standard will explain the mechanism of VLAN tagging and how switches differentiate traffic belonging to different logical networks. You will learn the crucial distinctions between access ports (for end devices) and trunk ports (for inter-switch communication) and understand the role of the native VLAN. We will also touch upon advanced concepts like double tagging (QinQ) for carrier networks.
Upon completing this chapter, you will be able to:
- Articulate the purpose and advantages of using VLANs for network segmentation.
- Understand the structure and function of the IEEE 802.1Q tag.
- Differentiate between access and trunk ports and their configuration requirements.
- Explain the concept of a native VLAN and its implications.
- Implement basic VLAN configurations across multi-vendor network devices.
- Identify common VLAN security vulnerabilities and mitigation strategies.
- Perform initial verification and troubleshooting for VLAN deployments.
- Leverage automation tools for efficient VLAN management.
Let’s embark on this journey to master VLANs, a cornerstone of robust network design.
Technical Concepts
What are VLANs? Logical Network Segmentation
A Virtual Local Area Network (VLAN) is a logical grouping of devices that are not restricted by physical location. Instead of being confined to a specific switch or port, devices in a VLAN communicate as if they were on the same physical segment, even if they are connected to different switches across a large network.
Purpose and Benefits:
- Reduced Broadcast Domains: Each VLAN forms its own broadcast domain, limiting the scope of broadcast traffic and improving network performance.
- Enhanced Security: VLANs logically isolate sensitive data. For example, a finance department’s traffic can be separated from guest Wi-Fi traffic, even if they share the same physical switch infrastructure.
- Increased Flexibility: Devices can be moved within the network without requiring physical recabling or IP address changes, as long as the new port is assigned to the correct VLAN.
- Simplified Network Management: Grouping users or devices by function (e.g., HR, IT, Voice, Guests) simplifies policy application and troubleshooting.
- Cost Savings: VLANs allow for more efficient use of network equipment, reducing the need for multiple physical switches for different departments.
Consider the following simple illustration of VLANs segmenting a network:
nwdiag {
network "VLAN 10 (HR)" {
address = "192.168.10.0/24"
color = "#E0FFFF";
hr_pc1 [address = "192.168.10.10", label = "HR PC 1"];
hr_pc2 [address = "192.168.10.11", label = "HR PC 2"];
}
network "VLAN 20 (IT)" {
address = "192.168.20.0/24"
color = "#FAFAD2";
it_pc1 [address = "192.168.20.10", label = "IT PC 1"];
it_pc2 [address = "192.168.20.11", label = "IT PC 2"];
}
switch [description = "Layer 2 Switch", address = "192.168.1.1"];
hr_pc1 -- switch [label = "Fa0/1"];
hr_pc2 -- switch [label = "Fa0/2"];
it_pc1 -- switch [label = "Fa0/3"];
it_pc2 -- switch [label = "Fa0/4"];
// Implicit connections to networks via switch ports
// Fa0/1 and Fa0/2 are assigned to VLAN 10
// Fa0/3 and Fa0/4 are assigned to VLAN 20
}
IEEE 802.1Q Standard: VLAN Tagging
The magic of VLANs on Ethernet networks is enabled by the IEEE 802.1Q standard, also known as Dot1q. This standard defines a method for inserting a small, 4-byte tag into an Ethernet frame header to identify which VLAN the frame belongs to. This process is called VLAN tagging.
When an Ethernet frame passes through a trunk link (a link carrying multiple VLANs), a switch adds an 802.1Q tag to frames leaving its access ports or to frames originating from the switch itself (e.g., management traffic). When the frame arrives at another switch, that switch reads the tag to determine the destination VLAN. Before forwarding the frame out an access port, the tag is typically removed.
802.1Q Tag Structure (4 Bytes): The 802.1Q tag is inserted between the Source Address (SA) and the Length/Type fields of the original Ethernet frame.
- Tag Protocol Identifier (TPID): (2 bytes) A fixed value of 0x8100. This value signifies that the frame carries an 802.1Q tag.
- Tag Control Information (TCI): (2 bytes) This field contains three sub-fields:
- Priority Code Point (PCP): (3 bits) Used for Quality of Service (QoS), as defined by IEEE 802.1p. It assigns a priority level (0-7) to the frame.
- Drop Eligible Indicator (DEI): (1 bit) Also known as Canonical Format Indicator (CFI) in older standards. It indicates whether the frame can be dropped in the presence of congestion.
- VLAN Identifier (VID): (12 bits) This is the core of the VLAN tag, identifying the specific VLAN to which the frame belongs. It allows for 2^12 = 4096 possible VLANs (0 and 4095 are reserved, leaving 1-4094 for use).
RFC/Standard References:
- IEEE 802.1Q-2022: The latest published standard for Bridges and Bridged Networks, which includes VLAN functionality.
Here’s a visual representation of the 802.1Q Ethernet frame structure:
packetdiag {
colwidth = 32
// Original Ethernet Frame fields
0-15: DA (6 Bytes) [label = "Destination MAC Address"];
16-31: SA (6 Bytes) [label = "Source MAC Address"];
// 802.1Q Tag fields (inserted here)
32-47: TPID (0x8100) [label = "Tag Protocol Identifier"];
48-50: PCP (3 bits) [label = "Priority Code Point"];
51: DEI (1 bit) [label = "Drop Eligible Indicator"];
52-63: VID (12 bits) [label = "VLAN Identifier"];
// Original Ethernet Frame fields (shifted)
64-79: Length/Type [label = "Length/Type"];
80-..: Data [label = "Payload"];
...-..: FCS (4 Bytes) [label = "Frame Check Sequence"];
}
Access Ports
An access port is a switch port that belongs to a single VLAN and is designed to connect to an end device such as a workstation, server, printer, or IP phone. All traffic entering or leaving an access port is untagged.
When a frame arrives at an access port, the switch automatically assigns it to the VLAN configured on that port. When a frame exits an access port, the switch removes any VLAN tag (if one was present internally) before sending it to the end device, as end devices typically do not understand 802.1Q tags.
Key characteristics of access ports:
- Single VLAN: Carries traffic for only one specific VLAN.
- Untagged Traffic: Sends and receives untagged Ethernet frames.
- End Devices: Connects to devices that are not VLAN-aware.
- Default Mode: Often the default mode for switch ports, or explicitly configured.
nwdiag {
network "VLAN 10 (Users)" {
address = "192.168.10.0/24"
color = "#F0F8FF";
user_pc [address = "192.168.10.50", label = "User PC\n(Untagged traffic)"];
}
switch [description = "Layer 2 Switch"];
switch_port [description = "Fa0/1 (Access Port\nassigned to VLAN 10)"];
user_pc -- switch_port;
switch_port -- network "VLAN 10 (Users)"; // Logical association
}
Trunk Ports
A trunk port is a switch port that can carry traffic for multiple VLANs simultaneously. Trunk ports are typically used to connect switches to other switches, or switches to routers (for inter-VLAN routing), enabling VLANs to span across multiple physical devices.
Traffic traversing a trunk port is tagged with an 802.1Q header, allowing the receiving switch to identify which VLAN each frame belongs to.
Key characteristics of trunk ports:
- Multiple VLANs: Carries traffic for all or a subset of configured VLANs.
- Tagged Traffic: All VLAN traffic (except for the native VLAN, if configured) is tagged with an 802.1Q header.
- Inter-Switch/Router Links: Connects network infrastructure devices.
- Dynamic Trunking Protocol (DTP): Cisco proprietary protocol that can negotiate trunking, though it’s often disabled for security reasons (see Security Considerations).
nwdiag {
network "VLAN 10 (HR)" {
address = "192.168.10.0/24"
color = "#E0FFFF";
pc_hr_1 [address = "192.168.10.10", label = "HR PC"];
}
network "VLAN 20 (IT)" {
address = "192.168.20.0/24"
color = "#FAFAD2";
pc_it_1 [address = "192.168.20.10", label = "IT PC"];
}
switch_a [description = "Switch A"];
switch_b [description = "Switch B"];
pc_hr_1 -- switch_a;
pc_it_1 -- switch_b;
switch_a -- switch_b [label = "Trunk Link\n(Carries VLANs 10, 20)\n(802.1Q Tagged Traffic)", style="dotted", color="blue"];
}
Native VLAN
On an 802.1Q trunk port, one VLAN is designated as the native VLAN. Frames belonging to the native VLAN are transmitted untagged across the trunk link. All other VLAN traffic on the trunk is tagged.
The concept of the native VLAN exists for backward compatibility with older Ethernet devices that might not understand 802.1Q tags, or for control plane protocols that operate untagged. It is crucial that the native VLAN ID matches on both ends of a trunk link. A native VLAN mismatch can lead to:
- Connectivity Issues: Traffic from the mismatched native VLAN may not reach its destination.
- Security Vulnerabilities: Untagged frames from an unauthorized VLAN could potentially traverse the trunk, leading to VLAN hopping attacks.
Best Practice: Always configure the native VLAN to an unused VLAN ID and ensure it’s explicitly matched on both sides of a trunk. Avoid using VLAN 1 (the default native VLAN on many switches) as the native VLAN for production traffic.
Double Tagging (QinQ / IEEE 802.1ad)
QinQ, also known as 802.1Q in 802.1Q, or Provider Bridging (IEEE 802.1ad), is an extension to the 802.1Q standard. It allows for the insertion of multiple 802.1Q headers into a single Ethernet frame. This technology is primarily used in service provider networks to provide VLAN services to multiple customers.
In a QinQ scenario, a customer’s 802.1Q tagged frame (C-VLAN) is encapsulated within another 802.1Q tag (S-VLAN, for “Service VLAN”) by the service provider’s edge equipment. This allows the service provider to maintain isolation between different customers’ traffic while carrying all of them over a shared backbone network using a single S-VLAN for each customer or service.
Reference:
- IEEE 802.1ad: An amendment to 802.1Q that adds support for provider bridges and QinQ functionality.
packetdiag {
colwidth = 32
// Original Ethernet Frame fields
0-15: DA (6 Bytes) [label = "Destination MAC Address"];
16-31: SA (6 Bytes) [label = "Source MAC Address"];
// Service Provider Tag (S-Tag) - Added by Provider Edge
32-47: S-TPID (0x88A8) [label = "Service Tag Protocol Identifier"];
48-50: S-PCP (3 bits) [label = "Service Priority Code Point"];
51: S-DEI (1 bit) [label = "Service Drop Eligible Indicator"];
52-63: S-VID (12 bits) [label = "Service VLAN Identifier"];
// Customer Tag (C-Tag) - Original Customer 802.1Q Tag
64-79: C-TPID (0x8100) [label = "Customer Tag Protocol Identifier"];
80-82: C-PCP (3 bits) [label = "Customer Priority Code Point"];
83: C-DEI (1 bit) [label = "Customer Drop Eligible Indicator"];
84-95: C-VID (12 bits) [label = "Customer VLAN Identifier"];
// Original Ethernet Frame fields (shifted further)
96-111: Length/Type [label = "Length/Type"];
112-..: Data [label = "Payload"];
...-..: FCS (4 Bytes) [label = "Frame Check Sequence"];
}
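To make the tag layout in the two frame diagrams above concrete, here is an added Python example (not code from the chapter or from any vendor) that assembles and parses Ethernet frames carrying zero, one or two 802.1Q tags, using the TPID values, TCI bit positions and reserved VID values described in this section. The three sample frames are constructed inline; the MAC addresses and payload bytes are placeholders chosen for the example.

```python
import struct

# TPID values named in the chapter: 0x8100 marks a customer 802.1Q tag (C-Tag),
# 0x88A8 marks a provider S-Tag (IEEE 802.1ad).
TPID_8021Q = 0x8100
TPID_8021AD = 0x88A8
VLAN_TPIDS = {TPID_8021Q, TPID_8021AD}


def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet header, walking any stack of 802.1Q tags.

    Returns a dict with the MAC addresses, the list of tags (outermost first,
    each with tpid/pcp/dei/vid), the final Length/Type value and the payload.
    Raises ValueError on a truncated frame.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    result = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"), "tags": []}
    offset = 12  # first Length/Type (or TPID) field follows the two MAC addresses
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame truncated inside the Length/Type field")
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
        if ethertype not in VLAN_TPIDS:
            break  # not a tag: this is the real Length/Type field
        if len(frame) < offset + 4:
            raise ValueError("frame truncated inside an 802.1Q tag")
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        result["tags"].append({
            "tpid": ethertype,
            "pcp": tci >> 13,          # bits 15-13: Priority Code Point
            "dei": (tci >> 12) & 0x1,  # bit 12: Drop Eligible Indicator
            "vid": tci & 0x0FFF,       # bits 11-0: VLAN Identifier
        })
        offset += 4  # each tag is 4 bytes; the next field may be another tag
    result["ethertype"] = ethertype
    result["payload"] = frame[offset + 2:]
    return result


def vid_meaning(vid: int) -> str:
    """Interpret the reserved VID values the chapter describes."""
    if vid == 0:
        return "priority-tagged (no VLAN, PCP only)"
    if vid == 4095:
        return "reserved"
    return f"VLAN {vid}"


def build_frame(dst: bytes, src: bytes, tags, ethertype: int, payload: bytes) -> bytes:
    """Assemble a frame with zero or more (tpid, pcp, dei, vid) tags, outermost first."""
    header = dst + src
    for tpid, pcp, dei, vid in tags:
        tci = (pcp << 13) | (dei << 12) | (vid & 0x0FFF)
        header += struct.pack("!HH", tpid, tci)
    return header + struct.pack("!H", ethertype) + payload


# Constructed sample frames (not captures): an untagged IPv4 frame, the same frame
# tagged for VLAN 10 with priority 5, and a QinQ frame where a provider S-Tag
# (S-VID 100) wraps the customer C-Tag (C-VID 10).
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("001122334455")
PAYLOAD = b"\x45\x00" + b"\x00" * 44  # placeholder IPv4 bytes
UNTAGGED = build_frame(DST, SRC, [], 0x0800, PAYLOAD)
TAGGED = build_frame(DST, SRC, [(TPID_8021Q, 5, 0, 10)], 0x0800, PAYLOAD)
QINQ = build_frame(DST, SRC, [(TPID_8021AD, 0, 0, 100), (TPID_8021Q, 5, 0, 10)], 0x0800, PAYLOAD)

if __name__ == "__main__":
    for name, frame in (("untagged", UNTAGGED), ("802.1Q", TAGGED), ("QinQ", QINQ)):
        parsed = parse_frame(frame)
        tag_text = ", ".join(
            f"TPID 0x{t['tpid']:04X} PCP {t['pcp']} DEI {t['dei']} {vid_meaning(t['vid'])}"
            for t in parsed["tags"]) or "none"
        print(f"{name}: tags=[{tag_text}] ethertype=0x{parsed['ethertype']:04X}")
```

The loop in parse_frame is what makes the QinQ case work: a tag is recognised purely by its TPID, so a receiver that does not know 0x88A8 would stop at the S-Tag and treat the rest of the frame as payload, which is exactly why an ordinary 802.1Q switch never sees the customer C-VID inside a provider frame.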
Configuration Examples
This section provides practical configuration examples for creating VLANs and configuring access and trunk ports on leading network vendor platforms: Cisco IOS XE, Juniper JunOS, and Arista EOS.
Common Scenario:
- Create VLAN 10 (HR_Department) and VLAN 20 (IT_Department).
- Assign GigabitEthernet1/0/1 (Cisco), ge-0/0/1 (Juniper), or Ethernet1 (Arista) as an access port for VLAN 10.
- Assign GigabitEthernet1/0/2 (Cisco), ge-0/0/2 (Juniper), or Ethernet2 (Arista) as an access port for VLAN 20.
- Configure GigabitEthernet1/0/24 (Cisco), ge-0/0/24 (Juniper), or Ethernet24 (Arista) as a trunk port, allowing VLANs 10 and 20.
- Set Native VLAN to 999 (NATIVE_VLAN_UNUSED) on the trunk port.
Cisco IOS XE Configuration
! Global configuration mode
configure terminal
! 1. Create VLANs
vlan 10
 name HR_Department
vlan 20
 name IT_Department
vlan 999
 name NATIVE_VLAN_UNUSED
! 2. Configure Access Port for VLAN 10
! ('exit' returns to global configuration mode; 'end' would leave configuration
!  mode entirely, so the following 'interface' command would be rejected)
interface GigabitEthernet1/0/1
 description HR Workstation Port
 switchport mode access
 switchport access vlan 10
 no shutdown
 exit
! 3. Configure Access Port for VLAN 20
interface GigabitEthernet1/0/2
 description IT Workstation Port
 switchport mode access
 switchport access vlan 20
 no shutdown
 exit
! 4. Configure Trunk Port
interface GigabitEthernet1/0/24
 description Link to Core_SW_2 - Trunk for HR/IT
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport trunk native vlan 999
 no shutdown
 exit
! 5. Leave configuration mode and save the configuration
end
write memory
Verification Commands (Cisco IOS XE):
show vlan brief
show interfaces GigabitEthernet1/0/1 switchport
show interfaces GigabitEthernet1/0/2 switchport
show interfaces GigabitEthernet1/0/24 trunk
Expected Output Example (Partial):
SW1#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/3, Gi1/0/4, Gi1/0/5, Gi1/0/6
...
10   HR_Department                    active    Gi1/0/1
20   IT_Department                    active    Gi1/0/2
999  NATIVE_VLAN_UNUSED               active

SW1#show interfaces GigabitEthernet1/0/1 switchport
Name: GigabitEthernet1/0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 10 (HR_Department)
Trunking Native Mode VLAN: 1 (default)
...

SW1#show interfaces GigabitEthernet1/0/24 trunk

Port        Mode             Encapsulation  Status        Native VLAN
Gi1/0/24    on               802.1q         trunking      999

Port        Vlans allowed on trunk
Gi1/0/24    10,20

Port        Vlans allowed and active in management domain
Gi1/0/24    10,20
Warning: Notice that `Administrative Trunking Encapsulation: dot1q` and `Operational Trunking Encapsulation: dot1q` are shown even for an access port. These lines reflect the switch's trunking capability, not the port's current operational state. The fields that matter are `Access Mode VLAN: 10` for access ports, and `Status: trunking`, `Native VLAN: 999` and `Vlans allowed: 10,20` for trunk ports. Also, `Negotiation of Trunking: Off` is important for security; it means DTP is disabled on that port.
Juniper JunOS Configuration
# Enter configuration mode
edit
# 1. Create VLANs (within the [edit vlans] hierarchy)
set vlans HR_Department vlan-id 10
set vlans IT_Department vlan-id 20
set vlans NATIVE_VLAN_UNUSED vlan-id 999
# 2. Configure Access Port for VLAN 10 (interface ge-0/0/1)
set interfaces ge-0/0/1 description "HR Workstation Port"
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members HR_Department
# 3. Configure Access Port for VLAN 20 (interface ge-0/0/2)
set interfaces ge-0/0/2 description "IT Workstation Port"
set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members IT_Department
# 4. Configure Trunk Port (interface ge-0/0/24)
# Note: JunOS references VLANs by name under 'vlan members' for better readability
set interfaces ge-0/0/24 description "Link to Core_SW_2 - Trunk for HR/IT"
set interfaces ge-0/0/24 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/24 unit 0 family ethernet-switching vlan members [ HR_Department IT_Department ]
set interfaces ge-0/0/24 unit 0 family ethernet-switching native-vlan-id 999
# 5. Commit the candidate configuration (a successful commit activates and persists it;
#    no separate save step is needed) and leave configuration mode
commit
exit
Verification Commands (Juniper JunOS):
show vlans
show ethernet-switching interfaces ge-0/0/1
show ethernet-switching interfaces ge-0/0/2
show interfaces ge-0/0/24 terse | match ethernet-switching
show interfaces ge-0/0/24 detail
Expected Output Example (Partial):
root@juniper-switch> show vlans

VLAN                 Tag   Type   Interfaces
default              1     vlan
HR_Department        10    vlan   ge-0/0/1.0*, ge-0/0/24.0
IT_Department        20    vlan   ge-0/0/2.0*, ge-0/0/24.0
NATIVE_VLAN_UNUSED   999   vlan   ge-0/0/24.0

root@juniper-switch> show ethernet-switching interfaces ge-0/0/1
Interface: ge-0/0/1
  Description: HR Workstation Port
  Flow control: Enabled
  Ethernet-switching:
    Vlan members:
      HR_Department, tagged: No
    Mode: Access

root@juniper-switch> show ethernet-switching interfaces ge-0/0/24
Interface: ge-0/0/24
  Description: Link to Core_SW_2 - Trunk for HR/IT
  Flow control: Enabled
  Ethernet-switching:
    Vlan members:
      HR_Department, tagged: Yes
      IT_Department, tagged: Yes
      NATIVE_VLAN_UNUSED, tagged: No
    Mode: Trunk
    Native vlan id: 999
Arista EOS Configuration
! Global configuration mode
configure terminal
! 1. Create VLANs
vlan 10
 name HR_Department
vlan 20
 name IT_Department
vlan 999
 name NATIVE_VLAN_UNUSED
! 2. Configure Access Port for VLAN 10
! ('exit' returns to global configuration mode; 'end' would leave configuration
!  mode entirely, so the following 'interface' command would be rejected)
interface Ethernet1
 description HR Workstation Port
 switchport mode access
 switchport access vlan 10
 no shutdown
 exit
! 3. Configure Access Port for VLAN 20
interface Ethernet2
 description IT Workstation Port
 switchport mode access
 switchport access vlan 20
 no shutdown
 exit
! 4. Configure Trunk Port
interface Ethernet24
 description Link to Core_SW_2 - Trunk for HR/IT
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport trunk native vlan 999
 no shutdown
 exit
! 5. Leave configuration mode and save the configuration
end
write memory
Verification Commands (Arista EOS):
show vlan
show interfaces Ethernet1 switchport
show interfaces Ethernet2 switchport
show interfaces Ethernet24 trunk
Expected Output Example (Partial):
AristaSW#show vlan

VLAN  Name                 Status    Ports
----- -------------------- --------- -------------------------------
1     default              active    Et3-23, Et25-28, Ma1
10    HR_Department        active    Et1
20    IT_Department        active    Et2
999   NATIVE_VLAN_UNUSED   active

AristaSW#show interfaces Ethernet1 switchport
Name: Ethernet1
Switchport: Enabled
Administrative Mode: access
Operational Mode: access
Access Mode VLAN: 10 (HR_Department)
Trunking Native Mode VLAN: 1 (default)
...

AristaSW#show interfaces Ethernet24 trunk

Port        Mode             Encapsulation  Status        Native VLAN
Et24        on               802.1q         trunking      999

Port        Vlans allowed on trunk
Et24        10,20

Port        Vlans allowed and active in management domain
Et24        10,20
Automation Examples
Automating VLAN configuration is critical for managing large-scale enterprise networks, reducing human error, and ensuring consistency. This section demonstrates how to manage VLANs using Ansible and Python (with Netmiko).
Ansible Playbook for VLAN Configuration (Multi-Vendor)
This Ansible playbook automates the creation of VLANs and the configuration of access and trunk ports across Cisco IOS, Juniper JunOS, and Arista EOS devices.
---
- name: Configure VLANs and Interfaces
  hosts: network_devices   # Define this group in your inventory (e.g., inventory.ini)
  gather_facts: no
  connection: network_cli
  vars:
    # The VLAN resource modules of all three vendors take 'vlan_id' and 'name'
    vlans_to_create:
      - vlan_id: 10
        name: "HR_Department"
      - vlan_id: 20
        name: "IT_Department"
      - vlan_id: 999   # For native VLAN
        name: "NATIVE_VLAN_UNUSED"
    # Define access port configurations based on device type
    access_ports_config:
      cisco_ios:
        - interface: "GigabitEthernet1/0/1"
          vlan: 10
        - interface: "GigabitEthernet1/0/2"
          vlan: 20
      juniper_junos:
        - interface: "ge-0/0/1"
          vlan: 10
        - interface: "ge-0/0/2"
          vlan: 20
      arista_eos:
        - interface: "Ethernet1"
          vlan: 10
        - interface: "Ethernet2"
          vlan: 20
    # Define trunk port configurations based on device type
    trunk_ports_config:
      cisco_ios:
        - interface: "GigabitEthernet1/0/24"
          allowed_vlans: "10,20"   # the l2_interfaces modules expect a list; split in the tasks
          native_vlan: 999
      juniper_junos:
        - interface: "ge-0/0/24"
          allowed_vlans: "10,20"
          native_vlan: 999
      arista_eos:
        - interface: "Ethernet24"
          allowed_vlans: "10,20"
          native_vlan: 999
  tasks:
    - name: Configure VLANs on Cisco IOS devices
      cisco.ios.ios_vlans:
        config: "{{ vlans_to_create }}"
        state: merged
      when: ansible_network_os == 'ios'

    - name: Configure access ports on Cisco IOS devices
      cisco.ios.ios_l2_interfaces:
        config:
          - name: "{{ item.interface }}"
            mode: access
            access:
              vlan: "{{ item.vlan }}"
        state: merged
      loop: "{{ access_ports_config.cisco_ios }}"
      when: ansible_network_os == 'ios' and access_ports_config.cisco_ios is defined

    - name: Configure trunk ports on Cisco IOS devices
      cisco.ios.ios_l2_interfaces:
        config:
          - name: "{{ item.interface }}"
            mode: trunk
            trunk:
              allowed_vlans: "{{ item.allowed_vlans.split(',') }}"
              native_vlan: "{{ item.native_vlan }}"
        state: merged
      loop: "{{ trunk_ports_config.cisco_ios }}"
      when: ansible_network_os == 'ios' and trunk_ports_config.cisco_ios is defined

    # The junos_vlans / junos_l2_interfaces resource modules live in the
    # junipernetworks.junos collection
    - name: Configure VLANs on Juniper JunOS devices
      junipernetworks.junos.junos_vlans:
        config: "{{ vlans_to_create }}"
        state: merged
      when: ansible_network_os == 'junos'

    - name: Configure access ports on Juniper JunOS devices
      junipernetworks.junos.junos_l2_interfaces:
        config:
          - name: "{{ item.interface }}"
            unit: 0
            access:
              vlan: "{{ item.vlan }}"
        state: merged
      loop: "{{ access_ports_config.juniper_junos }}"
      when: ansible_network_os == 'junos' and access_ports_config.juniper_junos is defined

    - name: Configure trunk ports on Juniper JunOS devices
      junipernetworks.junos.junos_l2_interfaces:
        config:
          - name: "{{ item.interface }}"
            unit: 0
            trunk:
              allowed_vlans: "{{ item.allowed_vlans.split(',') }}"   # comma-separated string to list
              native_vlan: "{{ item.native_vlan }}"
        state: merged
      loop: "{{ trunk_ports_config.juniper_junos }}"
      when: ansible_network_os == 'junos' and trunk_ports_config.juniper_junos is defined

    - name: Configure VLANs on Arista EOS devices
      arista.eos.eos_vlans:
        config: "{{ vlans_to_create }}"
        state: merged
      when: ansible_network_os == 'eos'

    - name: Configure access ports on Arista EOS devices
      arista.eos.eos_l2_interfaces:
        config:
          - name: "{{ item.interface }}"
            mode: access
            access:
              vlan: "{{ item.vlan }}"
        state: merged
      loop: "{{ access_ports_config.arista_eos }}"
      when: ansible_network_os == 'eos' and access_ports_config.arista_eos is defined

    - name: Configure trunk ports on Arista EOS devices
      arista.eos.eos_l2_interfaces:
        config:
          - name: "{{ item.interface }}"
            mode: trunk
            trunk:
              trunk_allowed_vlans: "{{ item.allowed_vlans.split(',') }}"
              native_vlan: "{{ item.native_vlan }}"
        state: merged
      loop: "{{ trunk_ports_config.arista_eos }}"
      when: ansible_network_os == 'eos' and trunk_ports_config.arista_eos is defined
To run this playbook, you would need an inventory.ini file similar to this:
[network_devices]
cisco_switch_1 ansible_host=192.168.1.10 ansible_network_os=ios
juniper_switch_1 ansible_host=192.168.1.11 ansible_network_os=junos
arista_switch_1 ansible_host=192.168.1.12 ansible_network_os=eos
[network_devices:vars]
ansible_user=admin
ansible_password=your_password
ansible_become=yes
ansible_become_method=enable # For Cisco, if needed
Python Script for VLAN Configuration (Netmiko)
This Python script uses the Netmiko library to connect to network devices and apply VLAN configurations. It includes basic error handling.
import sys
from netmiko import ConnectHandler

# Device inventory - In a production scenario, this would be dynamic (e.g., from a CMDB)
# and the credentials would come from a vault or environment variables rather than
# being embedded in source code.
devices = [
    {"device_type": "cisco_ios", "host": "192.168.1.10", "username": "admin", "password": "cisco"},
    {"device_type": "juniper_junos", "host": "192.168.1.11", "username": "admin", "password": "juniper"},
    {"device_type": "arista_eos", "host": "192.168.1.12", "username": "admin", "password": "arista"},
]

vlans_to_configure = [
    {"id": 10, "name": "HR_Department"},
    {"id": 20, "name": "IT_Department"},
    {"id": 999, "name": "NATIVE_VLAN_UNUSED"},
]

access_ports_config = {
    "cisco_ios": [
        {"interface": "GigabitEthernet1/0/1", "vlan": 10},
        {"interface": "GigabitEthernet1/0/2", "vlan": 20},
    ],
    "juniper_junos": [
        {"interface": "ge-0/0/1", "vlan": 10},
        {"interface": "ge-0/0/2", "vlan": 20},
    ],
    "arista_eos": [
        {"interface": "Ethernet1", "vlan": 10},
        {"interface": "Ethernet2", "vlan": 20},
    ],
}

trunk_ports_config = {
    "cisco_ios": [{"interface": "GigabitEthernet1/0/24", "allowed_vlans": "10,20", "native_vlan": 999}],
    "juniper_junos": [{"interface": "ge-0/0/24", "allowed_vlans": "10,20", "native_vlan": 999}],
    "arista_eos": [{"interface": "Ethernet24", "allowed_vlans": "10,20", "native_vlan": 999}],
}


def vlan_name(vlan_id):
    """Return the name of a VLAN ID; JunOS references VLANs by name."""
    return next(v["name"] for v in vlans_to_configure if v["id"] == vlan_id)


def build_config_commands(device_type):
    """Build the vendor-specific command list for one device type."""
    commands = []
    # 1. VLANs (IOS and EOS share the same syntax; JunOS uses 'set' statements)
    for vlan in vlans_to_configure:
        if device_type == "juniper_junos":
            commands.append(f"set vlans {vlan['name']} vlan-id {vlan['id']}")
        else:
            commands.extend([f"vlan {vlan['id']}", f"name {vlan['name']}"])
    # 2. Access ports
    for port in access_ports_config.get(device_type, []):
        intf = port["interface"]
        if device_type == "juniper_junos":
            commands.extend([
                f'set interfaces {intf} description "Access port for VLAN {port["vlan"]}"',
                f"set interfaces {intf} unit 0 family ethernet-switching interface-mode access",
                f"set interfaces {intf} unit 0 family ethernet-switching vlan members {vlan_name(port['vlan'])}",
            ])
        else:
            commands.extend([
                f"interface {intf}",
                f"description Access Port for VLAN {port['vlan']}",
                "switchport mode access",
                f"switchport access vlan {port['vlan']}",
                "no shutdown",
            ])
    # 3. Trunk ports
    for port in trunk_ports_config.get(device_type, []):
        intf = port["interface"]
        if device_type == "juniper_junos":
            # JunOS takes VLAN names under 'vlan members'; convert "10,20" to names
            members = " ".join(vlan_name(int(v)) for v in port["allowed_vlans"].split(","))
            commands.extend([
                f'set interfaces {intf} description "Trunk port for VLANs {port["allowed_vlans"]}"',
                f"set interfaces {intf} unit 0 family ethernet-switching interface-mode trunk",
                f"set interfaces {intf} unit 0 family ethernet-switching vlan members [ {members} ]",
                f"set interfaces {intf} unit 0 family ethernet-switching native-vlan-id {port['native_vlan']}",
            ])
        else:
            commands.extend([
                f"interface {intf}",
                "description Trunk Link",
                "switchport mode trunk",
                f"switchport trunk allowed vlan {port['allowed_vlans']}",
                f"switchport trunk native vlan {port['native_vlan']}",
                "no shutdown",
            ])
    return commands


def configure_vlan_on_device(device_info):
    """Connect to a network device, apply the VLAN configuration and persist it."""
    host, device_type = device_info["host"], device_info["device_type"]
    try:
        print(f"Connecting to {host} ({device_type})...")
        net_connect = ConnectHandler(**device_info)
        print(f"Successfully connected to {host}.")
        commands = build_config_commands(device_type)
        print(f"Applying configuration to {host}...")
        output = net_connect.send_config_set(commands)
        print(f"Configuration output for {host}:\n{output}")
        if device_type == "juniper_junos":
            # JunOS requires an explicit commit; a successful commit also persists the configuration
            print(f"Commit output:\n{net_connect.commit()}")
        else:
            # IOS and EOS: copy running-config to startup-config
            print(f"Save output:\n{net_connect.save_config()}")
        net_connect.disconnect()
        print(f"Disconnected from {host}.")
    except Exception as e:
        print(f"Error configuring {host}: {e}", file=sys.stderr)


if __name__ == "__main__":
    for dev in devices:
        configure_vlan_on_device(dev)
Security Considerations
While VLANs offer significant security benefits by segmenting networks, they are not immune to attacks. Network engineers must understand potential vulnerabilities and implement robust mitigation strategies.
Attack Vectors
- VLAN Hopping (Switch Spoofing):
- Description: An attacker configures their device to impersonate a switch, sending DTP (Dynamic Trunking Protocol) messages to negotiate a trunk link with a legitimate switch. If successful, the attacker gains access to all VLANs on the trunk.
- Risk: Bypasses VLAN isolation, allowing unauthorized access to sensitive network segments.
- VLAN Hopping (Double Tagging):
- Description: An attacker sends a frame with two 802.1Q tags. The outer tag corresponds to the native VLAN of the switch, which the first switch strips off. The inner tag (which the first switch did not process) is then exposed and interpreted by the second switch, tricking it into forwarding the frame to an unintended VLAN.
- Risk: Can bypass a single switch’s VLAN enforcement to reach a target VLAN.
- Default VLAN 1 Exposure:
- Description: VLAN 1 is often the default native VLAN and is used for management traffic on many switches. If not secured or changed, it provides an easy target for attackers to access switch management interfaces.
- Risk: Unauthorized access to network device control planes.
Mitigation Strategies and Security Best Practices
- Disable DTP on non-trunk ports: Ports connecting to end devices should always be explicitly configured as access ports with DTP disabled (`switchport mode access` and `switchport nonegotiate` on Cisco, for instance). This prevents an attacker from forming an unauthorized trunk.
- Manually Configure Trunk Ports: Explicitly set trunk ports to `switchport mode trunk` and `switchport nonegotiate` (Cisco) or equivalent, instead of relying on DTP negotiation.
- Move Native VLAN to an Unused, Isolated VLAN: Do not use VLAN 1 as the native VLAN. Assign an arbitrary, unused VLAN ID (e.g., 999) as the native VLAN on trunks and ensure it's not used for any user or management traffic.
- Prune Allowed VLANs on Trunks: Configure trunk ports to carry only the necessary VLANs (`switchport trunk allowed vlan <vlan-list>`). This limits the scope of any potential VLAN hopping attack.
- Implement Private VLANs (PVLANs): For advanced segmentation, PVLANs can isolate ports within the same VLAN, preventing communication between devices even if they are in the same subnet (e.g., for guest Wi-Fi or server farms). This is an advanced topic typically covered in later chapters.
- Enable Port Security: Limit the number of MAC addresses allowed on an access port to prevent unauthorized devices from connecting.
- Implement BPDU Guard: On access ports, BPDU Guard (Bridge Protocol Data Unit Guard) shuts down a port if it receives a BPDU, preventing rogue switches from interfering with Spanning Tree Protocol.
- Use Access Control Lists (ACLs) between VLANs: Even with VLANs, if inter-VLAN routing is enabled, traffic can flow between them. ACLs on Layer 3 devices (routers, Layer 3 switches) can restrict communication between VLANs based on IP addresses, protocols, and ports.
- Isolate Management VLAN: Place all network device management interfaces in a dedicated VLAN, separate from user data, and restrict access to this VLAN.
- Regular Security Audits: Periodically review VLAN configurations, port assignments, and trunking settings to ensure compliance with security policies.
Security Warning: Never rely solely on VLANs for comprehensive security. They provide network segmentation, but a multi-layered security approach, including firewalls, intrusion detection/prevention systems, and endpoint security, is always required.
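The following added Python example (not part of the chapter) turns the checklist above into an automated audit: it splits a constructed IOS-style running-config into per-interface blocks and reports every port that misses one of the DTP, native VLAN, VLAN pruning, port security or BPDU Guard recommendations, plus trunks whose native VLAN is also used as an access VLAN. The sample configuration, the interface names and the wording of the findings are assumptions made for the example.

```python
from collections import OrderedDict

# Constructed IOS-style running-config (not from a real device): one hardened access
# port, one access port missing the hardening, one port left at its defaults, one
# trunk that follows every recommendation and one weak trunk.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description HR Workstation Port
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 description IT Workstation Port
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet1/0/5
 description Unused port left at defaults
!
interface GigabitEthernet1/0/23
 description Link to Core_SW_3
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport trunk native vlan 999
 switchport nonegotiate
!
interface GigabitEthernet1/0/24
 description Link to Core_SW_2
 switchport mode trunk
!
"""


def parse_interfaces(config_text):
    """Split an IOS-style configuration into {interface name: [sub-commands]}."""
    interfaces = OrderedDict()
    current = None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any top-level line ends the interface block
    return interfaces


def audit_switchports(config_text):
    """Return (interface, finding) pairs, one per violated recommendation."""
    findings = []
    access_vlans = {}   # VLAN id -> access ports carrying it
    native_vlans = {}   # VLAN id -> trunk ports using it as native VLAN
    for name, cmds in parse_interfaces(config_text).items():
        mode = next((c.split()[2] for c in cmds if c.startswith("switchport mode ")), None)
        if mode is None:
            findings.append((name, "no explicit switchport mode (the IOS default is DTP 'dynamic auto')"))
            continue
        if mode == "dynamic":
            findings.append((name, "DTP dynamic mode; set 'switchport mode access' or 'switchport mode trunk'"))
            continue
        if "switchport nonegotiate" not in cmds:
            findings.append((name, "DTP not disabled; add 'switchport nonegotiate'"))
        if mode == "access":
            vlan = next((int(c.split()[3]) for c in cmds if c.startswith("switchport access vlan ")), 1)
            access_vlans.setdefault(vlan, []).append(name)
            if "switchport port-security" not in cmds:
                findings.append((name, "port security not enabled"))
            if "spanning-tree bpduguard enable" not in cmds:
                findings.append((name, "BPDU Guard not enabled"))
        elif mode == "trunk":
            native = next((int(c.split()[4]) for c in cmds if c.startswith("switchport trunk native vlan ")), 1)
            native_vlans.setdefault(native, []).append(name)
            if native == 1:
                findings.append((name, "native VLAN is 1; move it to an unused VLAN"))
            if not any(c.startswith("switchport trunk allowed vlan ") for c in cmds):
                findings.append((name, "all VLANs allowed on trunk; prune with 'switchport trunk allowed vlan'"))
    # The native VLAN must stay unused: flag trunks whose native VLAN is also an access VLAN
    for native, trunks in native_vlans.items():
        if native in access_vlans:
            for trunk in trunks:
                findings.append((trunk, f"native VLAN {native} also carries access traffic on "
                                        f"{', '.join(access_vlans[native])}"))
    return findings


if __name__ == "__main__":
    for interface, finding in audit_switchports(SAMPLE_CONFIG):
        print(f"{interface}: {finding}")
```

Run against the sample, the audit reports nothing for GigabitEthernet1/0/1 and GigabitEthernet1/0/23, three findings each for the bare access port and the bare trunk, and one for the port that was never given a mode; the last check only fires when a VLAN appears as both a native VLAN and an access VLAN somewhere in the same configuration.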
Verification & Troubleshooting
Effective verification and troubleshooting are crucial for maintaining healthy VLAN deployments. This section outlines common issues, essential verification commands, and systematic troubleshooting steps.
Common VLAN Issues
| Issue | Description | Potential Symptoms |
|---|---|---|
| VLAN Mismatch | An access port is assigned to one VLAN, but the connected device expects another. | Device cannot obtain IP address, no network connectivity. |
| Native VLAN Mismatch | Native VLAN ID differs on each side of an 802.1Q trunk link. | Untagged traffic (including some control protocols) fails, intermittent connectivity for affected VLANs, security vulnerabilities. |
| Missing VLANs | A required VLAN is not created on all switches participating in that VLAN’s path. | Devices in that VLAN cannot communicate across switches. |
| Incorrect Trunk Configuration | Trunk port not configured, or allowed VLANs list is incorrect/incomplete. | No connectivity for some or all VLANs across the trunk. |
| DTP Issues | Dynamic Trunking Protocol inadvertently configured, causing ports to become trunks or access ports unexpectedly. | Unexpected trunk links, unauthorized VLAN access, or lack of connectivity. |
| Spanning Tree Issues | STP inconsistencies (e.g., root bridge misplacement, port states) affecting VLAN-specific traffic. | Network loops, broadcast storms, intermittent connectivity for certain VLANs. |
| Layer 3 Configuration Error | Incorrect Subnet/IP address or inter-VLAN routing misconfiguration. | Devices cannot communicate between different VLANs. |
| Physical Connectivity | Bad cable, port down, duplex mismatch. | No link light, interface down, high error rates. |
Verification Commands
Cisco IOS XE:
```
! Show all VLANs configured and their associated ports
show vlan brief
! Show detailed information for a specific VLAN
show vlan id 10
! Show switchport configuration for a specific interface (access/trunk mode, VLAN assignment)
show interfaces GigabitEthernet1/0/1 switchport
! Show all trunk ports and the VLANs allowed on them, including native VLAN
show interfaces trunk
! Show MAC address table, useful for seeing which MACs are learned on which VLANs/ports
show mac address-table
```
Juniper JunOS:
```
# Show all VLANs configured and their associated interfaces
show vlans
# Show detailed ethernet-switching information for a specific interface
show ethernet-switching interfaces ge-0/0/1
# Show interfaces configured for trunk mode (less explicit than Cisco's 'show interfaces trunk')
show interfaces extensive | match "Ethernet-switching Interface Mode: Trunk"
# Alternatively, examine individual interface config:
show configuration interfaces ge-0/0/24
# Show MAC address table per VLAN
show ethernet-switching table
```
Arista EOS:
```
! Show all VLANs configured and their associated ports
show vlan
! Show switchport configuration for a specific interface (access/trunk mode, VLAN assignment)
show interfaces Ethernet1 switchport
! Show all trunk ports and the VLANs allowed on them, including native VLAN
show interfaces trunk
! Show MAC address table, useful for seeing which MACs are learned on which VLANs/ports
show mac address-table
```
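The output of `show interfaces trunk` is the natural input for checking a trunk from both ends at once. The following added example (not code from the chapter) parses constructed sample output in the Cisco IOS layout for the two lab switches, expands the allowed-VLAN list, and flags the conditions the troubleshooting steps and the monitoring checklist call out: a native VLAN mismatch, native VLAN 1, and VLANs allowed on only one end. The Access_SW_2 output is deliberately misconfigured for the demonstration; the hostnames are the lab's.

```python
"""Compare 'show interfaces trunk' output from the two ends of a trunk link.

Added example (not from the chapter): parses constructed sample output in the
Cisco IOS layout and flags native-VLAN and allowed-VLAN inconsistencies.
"""
from dataclasses import dataclass, field

# Constructed sample output: Core_SW_1 as configured in the lab.
CORE_SW_1_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Fa0/24      on           802.1q         trunking      999

Port        Vlans allowed on trunk
Fa0/24      10,20

Port        Vlans allowed and active in management domain
Fa0/24      10,20
"""

# Constructed sample output: Access_SW_2 left with native VLAN 1 and extra VLANs.
ACCESS_SW_2_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Fa0/24      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/24      10,20,30-32

Port        Vlans allowed and active in management domain
Fa0/24      10,20
"""


@dataclass
class Trunk:
    port: str
    status: str
    native: int
    allowed: set = field(default_factory=set)


def expand_vlans(spec):
    """Expand a VLAN list such as '10,20,30-32' into a set of VLAN IDs."""
    vlans = set()
    if spec.strip().lower() == "none":
        return vlans
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_show_trunk(text):
    """Return {port: Trunk} from the first two sections of the command output."""
    sections = [s for s in text.strip().split("\n\n") if s.strip()]
    trunks = {}
    for line in sections[0].splitlines()[1:]:          # skip the column header
        port, _mode, _encap, status, native = line.split()
        trunks[port] = Trunk(port, status, int(native))
    for line in sections[1].splitlines()[1:]:          # "Vlans allowed on trunk"
        port, spec = line.split(None, 1)
        trunks[port].allowed = expand_vlans(spec)
    return trunks


def compare_trunk_ends(local_name, local, remote_name, remote):
    """Findings for one link, given the parsed Trunk record from each end."""
    findings = []
    for name, t in ((local_name, local), (remote_name, remote)):
        if t.status != "trunking":
            findings.append(f"{name} {t.port} is not trunking (status {t.status})")
    if local.native != remote.native:
        findings.append(f"native VLAN mismatch: {local_name}={local.native} "
                        f"{remote_name}={remote.native}")
    if 1 in (local.native, remote.native):
        findings.append("native VLAN is the default VLAN 1 on at least one end")
    only_local = sorted(local.allowed - remote.allowed)
    only_remote = sorted(remote.allowed - local.allowed)
    if only_local:
        findings.append(f"VLANs allowed only on {local_name}: {only_local}")
    if only_remote:
        findings.append(f"VLANs allowed only on {remote_name}: {only_remote}")
    return findings


def audit_lab_trunk():
    """Run the comparison over the constructed sample outputs."""
    core = parse_show_trunk(CORE_SW_1_TRUNK)["Fa0/24"]
    access = parse_show_trunk(ACCESS_SW_2_TRUNK)["Fa0/24"]
    return compare_trunk_ends("Core_SW_1", core, "Access_SW_2", access)


if __name__ == "__main__":
    for finding in audit_lab_trunk():
        print("FINDING:", finding)
```

Feeding real output collected over SSH (for example with Netmiko) into `parse_show_trunk` and running `compare_trunk_ends` for every documented trunk pair turns the "verify the native VLAN matches on both ends" step into a repeatable check that can also raise the monitoring alert the best-practices checklist asks for.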
Troubleshooting Steps
Check Physical Layer:
- Verify cable connections. Are link lights on?
- Check interface status (`show interfaces status` or `show interfaces brief`). Is the port up/up?
- Check for duplex mismatches.
Verify VLAN Existence:
- On all switches in the traffic path, ensure the required VLANs are created, using `show vlan brief` (Cisco), `show vlans` (Juniper), or `show vlan` (Arista).
Inspect Access Port Configuration:
- For end devices, ensure the port is in access mode and assigned to the correct VLAN: `show interfaces <interface> switchport` (Cisco/Arista) or `show ethernet-switching interfaces <interface>` (Juniper).
- Confirm `switchport mode access` and `switchport access vlan <VLAN_ID>`.
- Ensure DTP is disabled (`switchport nonegotiate` on Cisco).
Inspect Trunk Port Configuration:
- On inter-switch links, confirm the port is in trunk mode: `show interfaces trunk` (Cisco/Arista), or examine the individual interface configuration on JunOS.
- Verify that the necessary VLANs are allowed on the trunk (`switchport trunk allowed vlan` or `vlan members`).
- CRITICAL: Verify the native VLAN ID matches on both ends of the trunk link. With a mismatch, untagged frames are placed in a different VLAN on each end, so the affected VLAN breaks and traffic can cross VLAN boundaries.
Check MAC Address Table:
- Use `show mac address-table` (Cisco/Arista) or `show ethernet-switching table` (Juniper).
- Can the switch learn the MAC address of the device in question? Is it learned on the correct VLAN and port?
Test Connectivity:
- From a device in one VLAN, try to ping another device in the same VLAN. If this fails, the issue is likely Layer 2 within that VLAN or local port configuration.
- If inter-VLAN routing is configured (covered in a later chapter), try to ping a device in a different VLAN. If this fails, investigate the Layer 3 switch or router configuration for VLAN interfaces/SVIs.
Review Spanning Tree Protocol (STP):
- VLANs rely on STP to prevent loops. Check `show spanning-tree vlan <VLAN_ID>` (Cisco) or the vendor equivalent to ensure ports are forwarding for the relevant VLANs.
Debug Commands (Use with Caution in Production!):
- `debug vlan packet` (Cisco, if available and carefully scoped).
- Packet captures (e.g., using `monitor session` on Cisco, or port mirroring to an analysis tool) can provide deep insight into VLAN tags on frames.
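When a mirror-session capture is in hand, the question is what VLAN tag, if any, each frame actually carries. The following added example (not code from the chapter) builds a few constructed Ethernet frames and decodes their 802.1Q tag stack: TPID, VLAN ID, PCP and DEI for each tag, plus the inner EtherType. It also flags frames whose tag depth exceeds what the capture point should see (none on an access port, one on an 802.1Q trunk), which is how a capture reveals stacked tags that belong only on 802.1ad provider links. MAC addresses and payloads are constructed; the VLAN IDs are the lab's.

```python
"""Decode the 802.1Q tag stack of captured Ethernet frames.

Added example (not from the chapter): builds constructed frames and parses
their tag headers so a capture can be checked for the VLAN ID each frame
carries and for frames carrying more tags than the capture point should see.
"""
import struct

TPID_8021Q = 0x8100    # C-TAG, the standard 802.1Q tag
TPID_8021AD = 0x88A8   # S-TAG, the provider tag used by QinQ (802.1ad)
TAG_TPIDS = (TPID_8021Q, TPID_8021AD)
ETHERTYPE_IPV4 = 0x0800

# Constructed addresses and payload for the sample frames.
DST_MAC = bytes.fromhex("ffffffffffff")
SRC_MAC = bytes.fromhex("02000000000a")
PAYLOAD = bytes(46)


def build_frame(tags, ethertype=ETHERTYPE_IPV4, payload=PAYLOAD):
    """Assemble dst/src, zero or more (tpid, vid, pcp) tags, EtherType, payload."""
    frame = DST_MAC + SRC_MAC
    for tpid, vid, pcp in tags:
        tci = (pcp << 13) | (vid & 0x0FFF)      # TCI = PCP(3) | DEI(1) | VID(12)
        frame += struct.pack("!HH", tpid, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return ([(tpid, vid, pcp, dei), ...], inner_ethertype) for a frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    tags, offset = [], 12                        # tags start after dst+src
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame: no EtherType after tag stack")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in TAG_TPIDS:
            return tags, ethertype               # reached the real EtherType
        if offset + 4 > len(frame):
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append((ethertype, tci & 0x0FFF, tci >> 13, (tci >> 12) & 1))
        offset += 4


def describe(frame):
    """Summary of the tag stack, outermost first, e.g. 'VLAN 999 > VLAN 20 (0x0800)'."""
    tags, ethertype = parse_tags(frame)
    if not tags:
        return f"untagged (0x{ethertype:04x})"
    return " > ".join(f"VLAN {vid}" for _, vid, _, _ in tags) + f" (0x{ethertype:04x})"


def find_stacked_tags(frames, expected_depth=1):
    """Indexes of frames carrying more tags than the capture point should see.

    expected_depth is 0 for an access port and 1 for an 802.1Q trunk; deeper
    stacks are normal only on 802.1ad provider links and deserve a closer look.
    """
    return [i for i, f in enumerate(frames) if len(parse_tags(f)[0]) > expected_depth]


# Constructed sample capture from the lab trunk: an untagged frame, a frame in
# VLAN 10, and a frame with two stacked tags (outer 999, inner 20, PCP 5).
SAMPLE_CAPTURE = [
    build_frame([]),
    build_frame([(TPID_8021Q, 10, 0)]),
    build_frame([(TPID_8021Q, 999, 0), (TPID_8021Q, 20, 5)]),
]

if __name__ == "__main__":
    for i, frame in enumerate(SAMPLE_CAPTURE):
        print(i, describe(frame))
    print("frames with unexpected tag depth on a trunk:", find_stacked_tags(SAMPLE_CAPTURE))
```

Frames read from a pcap file can be passed to `parse_tags` unchanged, since the function only looks at the bytes after the two MAC addresses; the untagged-frame case is what a native-VLAN frame looks like on the wire, which is why the native VLAN must agree on both ends of a trunk.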
Root Cause Analysis Tip: Always work methodically from Layer 1 to Layer 7. Start with physical connectivity, then L2 (VLANs, trunks, MAC addresses), then L3 (IP addressing, routing), and so on.
Performance Optimization
Optimizing VLAN performance involves strategies to minimize unnecessary traffic, efficiently utilize network resources, and ensure scalability.
VLAN Pruning:
- Concept: VLAN pruning prevents unnecessary broadcast, multicast, and unknown unicast traffic from being sent across trunk links to switches that do not have active ports in those specific VLANs.
- Benefit: Reduces bandwidth consumption on trunk links, especially in large networks where many VLANs might be defined but only active on a few switches.
- Implementation: Many network vendors support VLAN pruning (e.g., Cisco VTP pruning, or manual `switchport trunk allowed vlan` configuration).
- As highlighted by Fortinet, “VLAN pruning prevents unnecessary traffic from unused VLANs by only allowing traffic from the VLANs required for the inter-switch link (ISL) trunks.”
Optimal Broadcast Domain Sizing:
- While VLANs reduce broadcast domains, very large VLANs can still suffer from excessive broadcast traffic. Design VLANs with an appropriate number of hosts (e.g., 50-200 users per VLAN is a common guideline) to balance administrative overhead with performance benefits.
- Avoid creating excessively small VLANs as this increases complexity.
Efficient Spanning Tree Protocol (STP) Design:
- When using per-VLAN STP (PVST+, RPVST+), ensure root bridges are appropriately placed to optimize traffic flow for each VLAN. Load balance VLANs across different root bridges to utilize redundant links more effectively.
- Proper STP tuning (portfast, BPDUGuard, LoopGuard, RootGuard) is essential for rapid convergence and preventing loops.
Hardware Offloading and ASIC Capabilities:
- Modern network switches utilize specialized Application-Specific Integrated Circuits (ASICs) for high-speed Layer 2 and Layer 3 forwarding. Ensure your network equipment is capable of handling the expected VLAN and inter-VLAN routing load at wire speed.
Jumbo Frames (if applicable):
- If your applications benefit from larger MTUs (e.g., storage, data backup), configure jumbo frames across VLANs and trunk links. This can reduce CPU overhead by processing fewer, larger frames. Ensure end-to-end compatibility.
Monitoring and Baselining:
- Regularly monitor network performance metrics such as bandwidth utilization on trunks, CPU usage on switches, and broadcast storm rates. Establish performance baselines to quickly identify deviations that might indicate VLAN-related issues or bottlenecks.
Hands-On Lab: Basic VLAN Deployment
This lab will guide you through configuring basic VLANs, access ports, and a trunk link between two switches.
Lab Topology:
```
nwdiag {
network "VLAN 10 (HR)" {
address = "192.168.10.0/24"
color = "#E0FFFF";
host_a_hr [address = "192.168.10.10", label = "HR PC A"];
host_b_hr [address = "192.168.10.11", label = "HR PC B"];
}
network "VLAN 20 (IT)" {
address = "192.168.20.0/24"
color = "#FAFAD2";
host_a_it [address = "192.168.20.10", label = "IT PC A"];
host_b_it [address = "192.168.20.11", label = "IT PC B"];
}
network "Untagged Native VLAN 999" {
address = "192.168.99.0/24"
color = "#D3D3D3";
}
switch_1 [description = "Core Switch 1"];
switch_2 [description = "Access Switch 2"];
host_a_hr -- switch_1 [label = "Fa0/1 (Access VLAN 10)"];
host_a_it -- switch_1 [label = "Fa0/2 (Access VLAN 20)"];
host_b_hr -- switch_2 [label = "Fa0/1 (Access VLAN 10)"];
host_b_it -- switch_2 [label = "Fa0/2 (Access VLAN 20)"];
switch_1 -- switch_2 [label = "Trunk Link (Fa0/24)\nAllowed VLANs: 10,20\nNative VLAN: 999", style="dotted", color="blue"];
}
```
Objectives:
- Configure VLAN 10 (HR) and VLAN 20 (IT) on both `switch_1` and `switch_2`.
- Configure VLAN 999 (NATIVE_VLAN_UNUSED) on both switches.
- Assign `Fa0/1` on both switches as an access port for VLAN 10.
- Assign `Fa0/2` on both switches as an access port for VLAN 20.
- Configure `Fa0/24` on both switches as an 802.1Q trunk link, allowing VLANs 10 and 20, and setting VLAN 999 as the native VLAN.
- Assign IP addresses to `host_a_hr` (192.168.10.10/24), `host_a_it` (192.168.20.10/24), `host_b_hr` (192.168.10.11/24), and `host_b_it` (192.168.20.11/24).
- Verify connectivity within and between VLANs across the trunk.
Step-by-Step Configuration (Cisco IOS XE Example):
(Assumptions: You have two Cisco switches, switch_1 and switch_2, and four end devices host_a_hr, host_a_it, host_b_hr, host_b_it (e.g., virtual machines or simulated PCs in GNS3/EVE-NG). All interfaces are in their default state.)
On switch_1:
```
configure terminal
hostname Core_SW_1
! 1. Create VLANs
vlan 10
name HR_Department
vlan 20
name IT_Department
vlan 999
name NATIVE_VLAN_UNUSED
! 2. Configure Access Port for VLAN 10 (host_a_hr)
interface FastEthernet0/1
description HR PC A Port
switchport mode access
switchport access vlan 10
no shutdown
! 3. Configure Access Port for VLAN 20 (host_a_it)
interface FastEthernet0/2
description IT PC A Port
switchport mode access
switchport access vlan 20
no shutdown
! 4. Configure Trunk Port
interface FastEthernet0/24
description Link to Access_SW_2 - Trunk for HR/IT
switchport mode trunk
switchport trunk allowed vlan 10,20
switchport trunk native vlan 999
no shutdown
end
write memory
```
On switch_2:
```
configure terminal
hostname Access_SW_2
! 1. Create VLANs
vlan 10
name HR_Department
vlan 20
name IT_Department
vlan 999
name NATIVE_VLAN_UNUSED
! 2. Configure Access Port for VLAN 10 (host_b_hr)
interface FastEthernet0/1
description HR PC B Port
switchport mode access
switchport access vlan 10
no shutdown
! 3. Configure Access Port for VLAN 20 (host_b_it)
interface FastEthernet0/2
description IT PC B Port
switchport mode access
switchport access vlan 20
no shutdown
! 4. Configure Trunk Port
interface FastEthernet0/24
description Link to Core_SW_1 - Trunk for HR/IT
switchport mode trunk
switchport trunk allowed vlan 10,20
switchport trunk native vlan 999
no shutdown
end
write memory
```
On End Hosts:
- host_a_hr: Set IP address to `192.168.10.10`, subnet mask `255.255.255.0`.
- host_a_it: Set IP address to `192.168.20.10`, subnet mask `255.255.255.0`.
- host_b_hr: Set IP address to `192.168.10.11`, subnet mask `255.255.255.0`.
- host_b_it: Set IP address to `192.168.20.11`, subnet mask `255.255.255.0`.
Verification Steps:
Verify VLANs on Switches:
- `Core_SW_1#show vlan brief` and `Access_SW_2#show vlan brief`. Expected: VLANs 10, 20, and 999 should be listed as active.
Verify Access Ports:
- `Core_SW_1#show interfaces FastEthernet0/1 switchport`, `Core_SW_1#show interfaces FastEthernet0/2 switchport`, `Access_SW_2#show interfaces FastEthernet0/1 switchport`, `Access_SW_2#show interfaces FastEthernet0/2 switchport`. Expected: Each port should be in `access` mode and show the correct `Access Mode VLAN`.
Verify Trunk Ports:
- `Core_SW_1#show interfaces FastEthernet0/24 trunk` and `Access_SW_2#show interfaces FastEthernet0/24 trunk`. Expected: Both ports should show `Status: trunking`, `Native VLAN: 999`, and `Vlans allowed on trunk: 10,20`.
Test Connectivity (from end hosts):
- From `host_a_hr` (192.168.10.10):
  - `ping 192.168.10.11` (to `host_b_hr`, same VLAN, different switch): should succeed.
  - `ping 192.168.20.10` (to `host_a_it`, different VLAN, same switch): should fail (no inter-VLAN routing configured yet).
  - `ping 192.168.20.11` (to `host_b_it`, different VLAN, different switch): should fail.
- From `host_a_it` (192.168.20.10):
  - `ping 192.168.20.11` (to `host_b_it`, same VLAN, different switch): should succeed.
- From
Challenge Exercises:
- Introduce a third VLAN (e.g., VLAN 30 - Management) and assign a switch interface for management access to it.
- Modify the trunk configuration to disallow VLAN 20 on `switch_1`’s trunk port (simulate VLAN pruning) and observe the impact on `host_a_it` and `host_b_it` connectivity.
- Experiment with deliberately misconfiguring the native VLAN on one side of the trunk and observe the verification output and connectivity impact.
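The expected ping results in the verification steps, and the outcomes of the two trunk challenge exercises, follow from a handful of forwarding rules: an access port classifies untagged frames into its VLAN, a trunk tags frames except for the native VLAN, and the receiving trunk maps untagged frames back to its own native VLAN. The following added example (not code from the chapter) models the two lab switches with exactly the lab's port configuration and walks one unicast frame between hosts, so each decision can be read in the code. It is a simplification (one trunk, no MAC learning, no STP); host, switch and port names are those of the lab.

```python
"""Forwarding model of the lab topology: access ports, an 802.1Q trunk, native VLAN.

Added example (not from the chapter): a minimal model of Core_SW_1 and
Access_SW_2 that reproduces the verification-step ping results and the two
trunk challenge exercises. Simplified: one trunk, no MAC learning, no STP.
"""
from dataclasses import dataclass, field


@dataclass
class Port:
    mode: str                                   # "access" or "trunk"
    vlan: int = 1                               # access mode: member VLAN
    allowed: set = field(default_factory=set)   # trunk mode: permitted VLAN IDs
    native: int = 1                             # trunk mode: VLAN sent/received untagged


class Switch:
    def __init__(self, name):
        self.name, self.ports = name, {}

    def ingress(self, port, tag):
        """Classify an arriving frame into a VLAN; None means the switch drops it."""
        p = self.ports[port]
        if p.mode == "access":                  # access ports expect untagged frames
            return p.vlan if tag is None else None
        if tag is None:                         # untagged on a trunk: native VLAN
            return p.native if p.native in p.allowed else None
        return tag if tag in p.allowed else None

    def egress(self, port, vlan):
        """Return the tag to send (None = untagged) or "drop" for a departing frame."""
        p = self.ports[port]
        if p.mode == "access":
            return None if vlan == p.vlan else "drop"
        if vlan not in p.allowed:
            return "drop"
        return None if vlan == p.native else vlan   # native VLAN leaves untagged


class Lab:
    def __init__(self):
        self.switches, self.hosts, self.links = {}, {}, {}

    def link(self, a, b):
        """Connect two (switch, port) trunk ends in both directions."""
        self.links[a], self.links[b] = b, a

    def reachable(self, src, dst):
        """Follow one unicast frame from src to dst across at most one trunk."""
        sw, port = self.hosts[src]
        dst_sw, dst_port = self.hosts[dst]
        vlan = self.switches[sw].ingress(port, None)     # hosts send untagged
        if vlan is None:
            return False
        if dst_sw != sw:
            trunk_port = next(p for (s, p) in self.links if s == sw)
            tag = self.switches[sw].egress(trunk_port, vlan)
            if tag == "drop":
                return False
            sw, far_port = self.links[(sw, trunk_port)]
            vlan = self.switches[sw].ingress(far_port, tag)
            if vlan is None:
                return False
        return self.switches[sw].egress(dst_port, vlan) != "drop"


def build_lab():
    """Core_SW_1 and Access_SW_2 configured as in the step-by-step section."""
    lab = Lab()
    for name in ("Core_SW_1", "Access_SW_2"):
        s = Switch(name)
        s.ports["Fa0/1"] = Port("access", vlan=10)
        s.ports["Fa0/2"] = Port("access", vlan=20)
        s.ports["Fa0/24"] = Port("trunk", allowed={10, 20}, native=999)
        lab.switches[name] = s
    lab.link(("Core_SW_1", "Fa0/24"), ("Access_SW_2", "Fa0/24"))
    lab.hosts = {"host_a_hr": ("Core_SW_1", "Fa0/1"), "host_a_it": ("Core_SW_1", "Fa0/2"),
                 "host_b_hr": ("Access_SW_2", "Fa0/1"), "host_b_it": ("Access_SW_2", "Fa0/2")}
    return lab


def baseline_results():
    """The pings from the verification steps, as {(src, dst): reachable}."""
    lab = build_lab()
    pairs = [("host_a_hr", "host_b_hr"), ("host_a_hr", "host_a_it"),
             ("host_a_hr", "host_b_it"), ("host_a_it", "host_b_it")]
    return {pair: lab.reachable(*pair) for pair in pairs}


def challenge_prune_vlan20():
    """Challenge 2: drop VLAN 20 from switch_1's trunk; host_a_it -> host_b_it?"""
    lab = build_lab()
    lab.switches["Core_SW_1"].ports["Fa0/24"].allowed.discard(20)
    return lab.reachable("host_a_it", "host_b_it")


def challenge_native_mismatch():
    """Challenge 3: native VLAN 10 on one trunk end, 20 on the other."""
    lab = build_lab()
    lab.switches["Core_SW_1"].ports["Fa0/24"].native = 10
    lab.switches["Access_SW_2"].ports["Fa0/24"].native = 20
    return {"same_vlan_hr": lab.reachable("host_a_hr", "host_b_hr"),
            "cross_vlan_hr_to_it": lab.reachable("host_a_hr", "host_b_it")}
```

The native-mismatch scenario shows both consequences listed in the Common VLAN Issues table: HR traffic between the two switches stops (it leaves switch_1 untagged and is classified into VLAN 20 on switch_2), and the same untagged frame is delivered to an IT host, which is why the table lists a native VLAN mismatch as a security issue and not only a connectivity one.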
Best Practices Checklist
Adhering to best practices ensures a secure, efficient, and manageable VLAN deployment.
- Configuration Best Practices:
  - Use meaningful VLAN IDs and Names: Choose VLAN IDs (e.g., 10 for HR, 20 for IT, 30 for Voice) and assign descriptive names. Avoid sequential numbering if not necessary, leaving room for expansion (e.g., 20, 30, 40 instead of 2, 3, 4).
  - Standardize VLANs across the Enterprise: Maintain a consistent VLAN numbering scheme and naming convention across all network devices.
  - Prune Unused VLANs from Trunks: Use `switchport trunk allowed vlan` (Cisco/Arista) or equivalent to limit VLANs on trunks, preventing unnecessary traffic.
  - Document VLAN Assignments: Keep detailed records of VLAN IDs, names, purpose, IP subnets, and associated ports.
  - Plan for Growth: Design VLANs to accommodate future expansion without requiring major reconfigurations.
  - Avoid using VLAN 1 for User/Production Traffic: VLAN 1 is often the default and less secure.
- Security Hardening:
  - Disable DTP (Dynamic Trunking Protocol): Explicitly configure access ports as `access` mode and trunk ports as `trunk` mode (`nonegotiate` on Cisco).
  - Change Native VLAN: Set the native VLAN on trunks to an unused VLAN ID (e.g., 999) and ensure it’s consistent on both ends. This VLAN should not be used for any user or production traffic.
  - Implement Port Security: Limit MAC addresses on access ports.
  - Enable BPDU Guard on Access Ports: Prevent rogue switches from impacting STP.
  - Isolate Management VLAN: Dedicate a specific VLAN for network device management and restrict access to it.
  - Use ACLs for Inter-VLAN Filtering: Restrict communication between VLANs at Layer 3.
- Monitoring Setup:
  - Monitor Trunk Link Utilization: Track bandwidth usage on trunk ports for capacity planning.
  - Monitor VLAN-specific Traffic Counters: Observe broadcast/multicast rates within VLANs.
  - Alert on Native VLAN Mismatches: Implement network monitoring tools to detect and alert on native VLAN discrepancies.
- Documentation:
  - Maintain up-to-date network diagrams (physical and logical).
  - Document VLAN design rationale and IP addressing schemes.
- Change Management:
  - Follow a strict change control process for all VLAN modifications.
  - Test changes in a lab environment before deploying to production.
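The security hardening recommendations earlier in the chapter and the Security Hardening items of this checklist are all properties of per-interface configuration, so they can be audited mechanically. The following added example (not code from the chapter) parses a constructed Cisco-style running-config excerpt into interface blocks and reports, per switchport, the hardening items that are missing: a mode that still lets DTP negotiate, `switchport nonegotiate` absent, access VLAN 1, access ports without port security or BPDU Guard, trunks with native VLAN 1, and trunks with no allowed-VLAN list. The hostname and the two well-configured ports follow the lab; the weak ports are constructed for the demonstration.

```python
"""Audit a Cisco-style running-config against the VLAN hardening checklist.

Added example (not from the chapter): reports, per switchport, which hardening
items the checklist asks for are missing. The config excerpt is constructed.
"""

SAMPLE_CONFIG = """\
hostname Access_SW_2
!
interface FastEthernet0/1
 description HR PC B Port
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 spanning-tree bpduguard enable
!
interface FastEthernet0/3
 description unhardened access port (constructed)
 switchport mode access
!
interface FastEthernet0/23
 description legacy uplink (constructed)
 switchport mode trunk
!
interface FastEthernet0/24
 description Link to Core_SW_1 - Trunk for HR/IT
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport trunk native vlan 999
 switchport nonegotiate
!
interface GigabitEthernet0/1
 switchport mode dynamic desirable
!
interface Vlan10
 ip address 192.168.10.2 255.255.255.0
!
"""


def parse_interfaces(config):
    """Return {interface_name: [stripped config lines]} for every interface block."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        elif line.strip() == "!":               # end of the current block
            current = None
    return blocks


def audit_interface(name, lines):
    """Hardening findings for one switchport; SVIs and routed ports are skipped."""
    if name.startswith("Vlan") or "no switchport" in lines:
        return []

    def has(prefix):
        return any(l.startswith(prefix) for l in lines)

    mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
    findings = []
    if mode not in ("access", "trunk"):         # default or dynamic: DTP can negotiate
        findings.append(f"{name}: DTP negotiation possible (mode {mode or 'default'}); "
                        "set switchport mode access or trunk")
        return findings
    if not has("switchport nonegotiate"):
        findings.append(f"{name}: DTP frames still sent; add switchport nonegotiate")
    if mode == "access":
        vlan = next((int(l.split()[3]) for l in lines
                     if l.startswith("switchport access vlan ")), 1)
        if vlan == 1:
            findings.append(f"{name}: access VLAN is the default VLAN 1")
        if not has("switchport port-security"):
            findings.append(f"{name}: no port security on access port")
        if not has("spanning-tree bpduguard enable"):
            findings.append(f"{name}: BPDU Guard not enabled on access port")
    else:
        native = next((int(l.split()[4]) for l in lines
                       if l.startswith("switchport trunk native vlan ")), 1)
        if native == 1:
            findings.append(f"{name}: trunk native VLAN is the default VLAN 1")
        if not has("switchport trunk allowed vlan "):
            findings.append(f"{name}: trunk carries all VLANs; prune with "
                            "switchport trunk allowed vlan")
    return findings


def audit_config(config):
    """All findings for a running-config, in interface order."""
    return [f for name, lines in parse_interfaces(config).items()
            for f in audit_interface(name, lines)]


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Running `audit_config` over configs pulled from every switch on a schedule gives the periodic review the hardening list calls for; the check for native VLAN consistency between the two ends of a trunk is a separate comparison of both switches' trunk state, since a single running-config cannot show the far end.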
What’s Next
This chapter laid the groundwork for understanding VLANs, their fundamental principles, and practical application. You’ve learned about the 802.1Q standard, the difference between access and trunk ports, and essential configuration and troubleshooting steps across multiple vendors.
In the next chapter, we will build upon this foundation by exploring Chapter 2: Inter-VLAN Routing: Layer 3 Switches, Router-on-a-Stick, and SVI Configuration. We will cover how devices in different VLANs can communicate, the role of Layer 3 switches, and detailed configuration of Switched Virtual Interfaces (SVIs) and Router-on-a-Stick setups. This will complete your understanding of how VLANs enable a truly segmented and scalable network.