What is the easiest way to configure Cisco switches to use Vlans and Trunks?

Martin_01 asked via Ask the Experts™:

- 6 Cisco switches
- Fiber in
- VoIP
- PC
- IP cameras
I suppose it depends on the model.  We tend to use SG300-xxx switches.

Here's what we did to incorporate VOIP (although one need not use a VLAN for VOIP but we had security issues having to do with a unique, separate internet feed for VOIP).  The idea was that both phones (on one VLAN) and PCs (on another VLAN) would coexist on the same cabling.  The phones are capable of using the VOIP VLAN while forwarding the PC VLAN to the connected PCs.  So these are trunked all the way down.

We set up the same VLANs on all the switches.
We set up a VOIP firewall and fed it into a switch port assigned only to the VOIP VLAN.  Nothing needed on the firewall for this.
We mostly trunked all the switch ports with a few exceptions.  Certainly you need to do this on ports connecting the switches.  But, it's flexible to trunk most other ports if PCs and phones are going to share cables. And this is because the VOIP phones are VLAN-aware.

We created a single VOIP VLAN port on each of the switches so we could test the VLAN with a laptop when needed.

You might set up separate ports and cables for the cameras that are on a 3rd VLAN and only trunk this one between switches.
Like this:
Trunk the camera VLAN going upstream and use separate VLAN-assigned ports at the most downstream connections.

There is no QoS - and, of course, that's a choice that might be first based on *need*.

Commented:
If you're using the normal Catalyst switches and all the switches need the same VLANs, then maybe it's nice to use VTP and let the VLANs automatically be created on member switches. Your core will be running as master and the others as slaves. On your uplinks, allow all VLANs and use your native VLAN as a management VLAN.
Sr. Network Engineer
Commented:
VLANS are intended to provide one primary function - the ability to install multiple broadcast domains on a single switch.  Start your project from that position.

The entire intent of the broadcast domain is to allow associated hosts to easily communicate without traversal to layer 3.  This is a two-edged sword: easy communications with a notable absence of the ability to secure an individual host.  When you account for these points you arrive at the most common reason for implementing VLANs, the ability to segment and therefore provide some degree of security between host groups or domains.

Keep the above in mind.  If you deploy all your hosts to a single broadcast domain, you have to remember that any two hosts inside that domain have unfettered access to each other.  Directly.  So, to answer the question of where and when you should VLAN, ask the question of whether or not everyone in the network should have unrestricted access to a particular group of resources.  In your case, should a receptionist have direct access to a camera?  To a phone?  Should employees have direct access to your servers?  Remember, "bad actor" does not always mean some nefarious shadow figure skulking about in the early hours of midnight.  It can also mean a nosy employee or the employee who is in school for technology and "just wanted to test" what they've been learning.  Or it could be that irresponsible manager who just can't resist loading that free-ware.  The list goes on.

In addition to the ideas above, remember that security also means availability.  If your manager above downloads that free-ware and it is super chatty on the network, would it be a problem when it becomes so chatty that it starts to disrupt communications for your servers?  For your phones?  Remember, broadcast traffic is convenient but that doesn't necessarily translate to helpful.

So, all of the above noted?  As a general rule, anyone that thinks the problem through realizes that living on a flat network, if you don't have to, is inefficient at best.  Once you get past the flat network argument, the next question is where to segment.  Go with what makes sense from a security standpoint first.  In the example you post above, I'd build at least 4 VLANs:

1. PC
2. Voice
3. Camera
4. Native (always move your native VLAN away from VLAN 1)

If you've got servers or depending on what your different employees are doing, I may even segment further.

The last thing is the trunks.  A lot of folks will tell you to just let everything pass on a trunk.  I would advise against this.  If you are going down the path of VLANing your network, you are either trying to contain excess traffic or secure things.  In either case, why would you then pass a VLAN to a switch that it's not going active on?  Limit the VLANs to what are needed on the downward path.

Hope that helps.
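Putting the first and third answers above into Catalyst IOS commands, as an added example that is none of the posters' own configuration: the VLAN numbers, interface names and descriptions are assumed, and the syntax is IOS (the SG300 CLI from the first answer is close but not identical).

```cisco
! Added example, not from the thread. VLAN IDs and interface names are assumed.
! The four VLANs from the answer above; VLAN 1 is left with nothing on it.
vlan 10
 name PC
vlan 20
 name VOICE
vlan 30
 name CAMERA
vlan 99
 name NATIVE-UNUSED
!
! Edge port with a VLAN-aware phone in front of the PC: data untagged on the
! access VLAN, voice tagged on the voice VLAN. No full trunk needed here.
interface GigabitEthernet1/0/5
 description PC-behind-phone
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 spanning-tree portfast
!
! Camera on its own access port, carrying only the camera VLAN.
interface GigabitEthernet1/0/20
 description IP-camera
 switchport mode access
 switchport access vlan 30
 spanning-tree portfast
!
! One voice-VLAN access port per switch so a laptop can test that VLAN.
interface GigabitEthernet1/0/24
 description voice-vlan-test-port
 switchport mode access
 switchport access vlan 20
!
! Uplink to the next switch. The loose form many people use is shown as a
! comment: every VLAN allowed, native VLAN 1, DTP left negotiating.
!  interface GigabitEthernet1/0/48
!   switchport mode trunk
! Tightened form: native VLAN moved off VLAN 1, only the VLANs that are
! active downstream of this link, DTP negotiation turned off.
interface GigabitEthernet1/0/48
 description uplink-to-access-switch-2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonegotiate
```

Platforms that only speak 802.1Q reject the `encapsulation dot1q` line; drop it there. `show interfaces trunk` lists, per uplink, which VLANs are allowed and which are actually active, which is the quickest check that the pruned list matches what the downstream switch needs.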
