Objective

Design and implement a multi-VLAN network for a three-floor office building using Cisco Packet Tracer. The scenario required logical segmentation for four user groups — Management, Staff, VoIP phones, and a Guest Wi-Fi network — across two distribution switches and one core switch. Trunk links connected switches, and a Layer 3 router handled inter-VLAN routing for authorized traffic flows while isolating the Guest VLAN.

Tools & Technologies

  • Cisco Packet Tracer 8.x — network simulation
  • Cisco IOS (Catalyst 2960/3560) — switch OS
  • 802.1Q VLAN trunking — multi-VLAN over single link
  • VTP (VLAN Trunking Protocol) — VLAN database propagation
  • Cisco IP Phone 7960 — VoIP endpoint simulation
  • DHCP pools on router — per-VLAN address assignment
  • Port security — MAC address limiting on access ports
  • STP (Spanning Tree Protocol) — loop prevention

Architecture Overview

flowchart TD
    Router[Core Router\nRtr-HQ\nInter-VLAN routing] --> Core[Core Switch\nSW-CORE\nVLAN 10/20/30/40]
    Core -->|trunk| Dist1[Distribution SW\nFloor 1-2]
    Core -->|trunk| Dist2[Distribution SW\nFloor 3]
    Dist1 --> Acc1[Access Ports\nVLAN 10 Mgmt]
    Dist1 --> Acc2[Access Ports\nVLAN 20 Staff]
    Dist1 --> Acc3[Access Ports\nVLAN 30 VoIP]
    Dist2 --> Acc4[Access Ports\nVLAN 20 Staff]
    Dist2 --> Acc5[Access Ports\nVLAN 40 Guest]
    style Router fill:#1a1a2e,stroke:#00d4ff,color:#e0e0e0
    style Core fill:#1a1a2e,stroke:#00d4ff,color:#e0e0e0
    style Dist1 fill:#181818,stroke:#1e1e1e,color:#888
    style Dist2 fill:#181818,stroke:#1e1e1e,color:#888
    style Acc1 fill:#181818,stroke:#1e1e1e,color:#888
    style Acc2 fill:#181818,stroke:#1e1e1e,color:#888
    style Acc3 fill:#181818,stroke:#1e1e1e,color:#888
    style Acc4 fill:#181818,stroke:#1e1e1e,color:#888
    style Acc5 fill:#1a1a2e,stroke:#00ff88,color:#e0e0e0

Step-by-Step Process

01. VLAN Design & IP Address Plan

Defined four VLANs with distinct subnets, names, and purposes before touching any device configuration.

! VLAN Plan
! VLAN 10 — Management  — 192.168.10.0/24
! VLAN 20 — Staff       — 192.168.20.0/24
! VLAN 30 — VoIP        — 192.168.30.0/24
! VLAN 40 — Guest       — 192.168.40.0/24 (isolated, internet only)
!
! Core switch acts as VTP server
! Distribution switches act as VTP clients

02. Core Switch VLAN & Trunk Configuration

Created all VLANs on the core switch (VTP server mode), configured trunk ports to both distribution switches, and set STP root priority.

! Core Switch (SW-CORE)
enable
configure terminal

! Set VTP server mode and domain
vtp mode server
vtp domain OFFICE-HQ
! Lab-only value; use a strong, unique VTP password outside the simulator
vtp password Cisco123

! Create VLANs
vlan 10
 name MANAGEMENT
vlan 20
 name STAFF
vlan 30
 name VOIP
vlan 40
 name GUEST

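! Configure trunk ports to distribution switches
! Native VLAN 99 is unused and not in the allowed list, so untagged frames never land in a user VLAN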
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40
 switchport trunk native vlan 99
interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40
 switchport trunk native vlan 99

! Set STP root for all VLANs
spanning-tree vlan 10,20,30,40 root primary
end
show vlan brief

03. Access Port & VoIP Configuration

Configured access ports on distribution switches with appropriate VLANs. VoIP ports use a voice VLAN alongside the data VLAN so that voice traffic from the IP phones is carried in its own VLAN and its CoS markings can be trusted for QoS.

! Distribution Switch — Staff access port
interface range FastEthernet0/1 - 12
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 spanning-tree portfast
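 ! Port security must be enabled first; its options take the "switchport" prefix
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict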

! VoIP port — data VLAN 20 + voice VLAN 30
interface range FastEthernet0/13 - 20
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 30
 mls qos trust cos
 spanning-tree portfast

04. Router Sub-Interfaces for Inter-VLAN Routing

Configured 802.1Q sub-interfaces on the router's uplink to the core switch. Each sub-interface holds the gateway IP for its VLAN, and the router itself serves as the DHCP server for the subnets.

! Router (Rtr-HQ)
interface GigabitEthernet0/0
 no shutdown

interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ! No ip helper-address here: the router is itself the DHCP server, so there is nothing to relay to

interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0

interface GigabitEthernet0/0.30
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0

interface GigabitEthernet0/0.40
 encapsulation dot1Q 40
 ip address 192.168.40.1 255.255.255.0

! DHCP pools
ip dhcp pool STAFF-POOL
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.1
 dns-server 8.8.8.8

ip dhcp pool VOIP-POOL
 network 192.168.30.0 255.255.255.0
 default-router 192.168.30.1
 ! TFTP server for phone configs (IOS only treats "!" as a comment at the start of a line)
 option 150 ip 192.168.30.10

05. Guest VLAN Isolation & Verification

Applied ACLs on the router to block Guest VLAN traffic from reaching internal VLANs (10, 20, 30), while permitting internet-bound traffic. Verified with Packet Tracer's simulation mode.

! Block Guest from internal subnets
ip access-list extended GUEST-ISOLATION
 deny ip 192.168.40.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny ip 192.168.40.0 0.0.0.255 192.168.20.0 0.0.0.255
 deny ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255
 permit ip any any

interface GigabitEthernet0/0.40
 ip access-group GUEST-ISOLATION in

! Verification commands
show vlan brief
show interfaces trunk
show ip route
show ip dhcp binding

Complete Workflow

flowchart LR
    A[Define VLAN Plan\n& IP Scheme] --> B[Configure VTP\nServer on Core SW]
    B --> C[Create VLANs\n10/20/30/40]
    C --> D[Configure Trunk\nLinks Core ↔ Dist]
    D --> E[Configure Access\nPorts + VoIP Ports]
    E --> F[Router Sub-Interfaces\nDot1Q + DHCP]
    F --> G[Guest ACL\nIsolation]
    G --> H[Verify with\nPing + Simulation Mode]
    style A fill:#1a1a2e,stroke:#00d4ff,color:#e0e0e0
    style H fill:#1a1a2e,stroke:#00ff88,color:#e0e0e0
    style B fill:#181818,stroke:#1e1e1e,color:#888
    style C fill:#181818,stroke:#1e1e1e,color:#888
    style D fill:#181818,stroke:#1e1e1e,color:#888
    style E fill:#181818,stroke:#1e1e1e,color:#888
    style F fill:#181818,stroke:#1e1e1e,color:#888
    style G fill:#181818,stroke:#1e1e1e,color:#888

Challenges & Solutions

  • VTP clients not receiving VLAN database — The VTP revision number on one client was higher than the server's. Reset it by setting the client to transparent mode briefly, then back to client, which zeroed the revision counter.
  • VoIP phones not registering — The voice VLAN was configured on the switch port but the DHCP pool was missing option 150 (TFTP server IP). Adding it let phones download their configuration.
  • Inter-VLAN routing not working for VLAN 30 — The sub-interface was created but the physical parent interface GigabitEthernet0/0 was in shutdown state. Running no shutdown on the parent fixed all sub-interfaces.
  • Guest VLAN could still ping Staff VLAN — ACL was applied in the out direction instead of in. Outbound ACLs filter traffic leaving the interface, not arriving from the guest segment.
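
The in/out behaviour from the last challenge, applied to the GUEST-ISOLATION ACL of step 05, as an added example that is not part of the original lab files: a small Python model of first-match wildcard evaluation and of which packets actually cross an ACL bound to Gi0/0.40. The sample host addresses and the "WAN" label for the router's internet-facing side are assumptions; the page does not show that interface.

```python
from ipaddress import ip_address, ip_network

# GUEST-ISOLATION from step 05: (action, src, src wildcard, dst, dst wildcard)
ANY = ("0.0.0.0", "255.255.255.255")
GUEST_ISOLATION = [
    ("deny", "192.168.40.0", "0.0.0.255", "192.168.10.0", "0.0.0.255"),
    ("deny", "192.168.40.0", "0.0.0.255", "192.168.20.0", "0.0.0.255"),
    ("deny", "192.168.40.0", "0.0.0.255", "192.168.30.0", "0.0.0.255"),
    ("permit", *ANY, *ANY),
]
# Gateway sub-interfaces from step 04; anything else leaves via "WAN" (assumed uplink).
SUBIF = {ip_network(f"192.168.{v}.0/24"): f"Gi0/0.{v}" for v in (10, 20, 30, 40)}

def wildcard_match(addr, net, wildcard):
    """IOS wildcard logic: bits set in the wildcard are ignored."""
    care = ~int(ip_address(wildcard)) & 0xFFFFFFFF
    return int(ip_address(addr)) & care == int(ip_address(net)) & care

def acl_permits(acl, src, dst):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, snet, swc, dnet, dwc in acl:
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action == "permit"
    return False

def subif_for(addr):
    """Sub-interface whose subnet contains addr, or the assumed WAN uplink."""
    return next((n for net, n in SUBIF.items() if ip_address(addr) in net), "WAN")

def forwarded(src, dst, acl_subif, direction):
    """Is src -> dst forwarded when the ACL is bound to acl_subif in/out?"""
    crossed = subif_for(src) if direction == "in" else subif_for(dst)
    if crossed != acl_subif:
        return True  # the packet never passes through the ACL
    return acl_permits(GUEST_ISOLATION, src, dst)

def ping_succeeds(a, b, acl_subif, direction):
    """A ping needs both the echo request (a -> b) and the reply (b -> a)."""
    return (forwarded(a, b, acl_subif, direction)
            and forwarded(b, a, acl_subif, direction))

# Constructed sample hosts (not from the lab): one guest, one staff PC, one internet host.
GUEST, STAFF, INTERNET = "192.168.40.25", "192.168.20.25", "8.8.8.8"

if __name__ == "__main__":
    for direction in ("in", "out"):
        print(direction, "guest->staff ping:", ping_succeeds(GUEST, STAFF, "Gi0/0.40", direction))
    print("in guest->internet ping:", ping_succeeds(GUEST, INTERNET, "Gi0/0.40", "in"))
```

Because the ACL is stateless, the inbound binding also drops guest replies to sessions opened from the internal VLANs, so in this model a staff-initiated ping to a guest fails as well.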

Key Takeaways

  • Always plan the IP addressing scheme and VLAN table before configuring any device — changes mid-way through cause cascading mismatches.
  • VoIP ports require both a data VLAN and a voice VLAN on the same access port, plus QoS trust settings so the phone's CoS markings are honored.
  • Router-on-a-stick inter-VLAN routing works well for small topologies; the parent interface must be up even though traffic flows through sub-interfaces.
  • Guest network isolation requires inbound ACLs on the router sub-interface — an outbound ACL there only filters traffic being sent to the guest segment, so packets from guests to the internal VLANs never pass through it.