Ever tried to set up a tiny lab and felt like you were juggling wires blindfolded?
One minute you’ve got a switch flashing green, the next you’re staring at a “no IP address” error on a laptop that refuses to cooperate. It’s the classic “I‑just‑got‑the‑gear, now what?” moment that makes anyone new to networking sigh.
Below is the play‑by‑play for lab 2.9.2, Basic Switch and End Device Configuration: two switches, two end devices. I’ll walk you through what the gear actually does, why you should care, and—most importantly—how to get everything talking without pulling your hair out.
What Is the 2.9.2 Lab?
“2.9.2” is the lab number; the lab itself, Basic Switch and End Device Configuration, is a two‑switch, two‑device hands‑on environment. It’s the sweet spot for beginners who want to practice VLANs, trunking, and basic IP routing without drowning in a sea of equipment.
You typically see it in Cisco‑CCNA training, but the concepts translate to any managed switch—Juniper, HP, even a cheap Netgear that supports VLANs. The goal? Connect two end devices (usually a laptop and a server or another laptop) through two switches, configure a few VLANs, and make sure traffic flows exactly where you want it.
The Core Pieces
| Piece | Why it matters |
|---|---|
| Switch 1 (Access) | Hosts the first end device, often set as an access port on VLAN 10. |
| Switch 2 (Trunk) | Carries multiple VLANs between the two switches via a trunk link. |
| End Device A | Usually a PC or laptop that you’ll give an IP on VLAN 10. |
| End Device B | Another PC or a server, often on VLAN 20. |
| Console cable | Your lifeline for the initial CLI configuration. |
That’s it. No fancy routing protocols, no spanning‑tree gymnastics—just pure Layer 2 basics.
Why It Matters
If you’ve ever wondered why some labs feel “real” while others feel like a toy set, the answer is real‑world relevance.
- Confidence building – When you can ping across two switches, you’ve proven you understand the fundamentals of VLAN tagging and trunking.
- Troubleshooting foundation – Most network outages start with a mis‑configured access port or a missing trunk. This lab forces you to confront those exact scenarios.
- Portability – The same steps you follow on a Cisco Catalyst 2960 will work on a Dell N1524 or a MikroTik switch, with only syntax tweaks.
The short version: master this lab and you’ll stop guessing why a device can’t reach the rest of the network in a real office.
How It Works
Below is the step‑by‑step. I’ll use Cisco‑style IOS commands because they’re the most common in training, but I’ll note the equivalent for other vendors where it matters.
1. Connect to the Switches
- Plug the console cable into the RJ‑45 console port of Switch 1.
- Open your terminal emulator (PuTTY, Tera Term, or the built‑in macOS Terminal with
screen). - Hit Enter a couple of times; you should see the
Switch>prompt.
Do the same for Switch 2.
Pro tip: If the terminal window looks garbled, set the baud rate to 9600, data bits 8, stop bits 1, no parity.
2. Basic Switch Settings
You only need a few global commands to get the switches out of the factory‑default state. The SSH part needs a domain name and an RSA key pair before the vty lines will accept a connection; without them, `transport input ssh` simply leaves you with no remote access at all.
Switch> enable
Switch# configure terminal
Switch(config)# hostname SW1 <-- rename for clarity
SW1(config)# no ip domain-lookup <-- stop IOS from trying to resolve mistyped commands as hostnames (the “Translating ...” hang)
SW1(config)# service timestamps log datetime msec
SW1(config)# enable secret <strong-passphrase> <-- protect privileged EXEC
SW1(config)# username admin secret <strong-passphrase> <-- secret, never password; pick a real passphrase, not a textbook one
SW1(config)# ip domain-name lab.local <-- any name will do, but it must exist before the RSA key can be generated
SW1(config)# crypto key generate rsa modulus 2048
SW1(config)# ip ssh version 2
SW1(config)# line vty 0 4
SW1(config-line)# transport input ssh
SW1(config-line)# login local
SW1(config-line)# exit
Repeat on SW2, calling it SW2.
3. Create VLANs
SW1(config)# vlan 10
SW1(config-vlan)# name Sales
SW1(config)# vlan 20
SW1(config-vlan)# name Engineering
Same on SW2. Remember: VLAN numbers must match on both switches, otherwise the trunk won’t carry the traffic you expect.
4. Assign Access Ports
Plug End Device A into port FastEthernet0/1 on SW1.
SW1(config)# interface fa0/1
SW1(config-if)# switchport mode access
SW1(config-if)# switchport access vlan 10
SW1(config-if)# spanning-tree portfast
Plug End Device B into port FastEthernet0/2 on SW2.
SW2(config)# interface fa0/2
SW2(config-if)# switchport mode access
SW2(config-if)# switchport access vlan 20
SW2(config-if)# spanning-tree portfast
5. Configure the Trunk Link
Pick a pair of ports that will link the switches—commonly fa0/24 on both. Do not put PortFast on this link: `spanning-tree portfast trunk` is meant for a trunked end host such as a hypervisor, and on a switch‑to‑switch link it skips the STP states that protect you from a loop.
SW1(config)# interface fa0/24
SW1(config-if)# switchport mode trunk
SW1(config-if)# switchport nonegotiate <-- hard trunk, no DTP negotiation
SW1(config-if)# switchport trunk allowed vlan 10,20
On SW2:
SW2(config)# interface fa0/24
SW2(config-if)# switchport mode trunk
SW2(config-if)# switchport nonegotiate
SW2(config-if)# switchport trunk allowed vlan 10,20
What’s happening? The trunk tags frames with 802.1Q VLAN IDs, letting both VLAN 10 and VLAN 20 travel over the same physical cable. Frames for the native VLAN (VLAN 1 unless you change it) cross the trunk untagged, so the native VLAN must be identical on both ends. On a 3560/3750‑class switch you also need `switchport trunk encapsulation dot1q` before `switchport mode trunk`; the 2960 only speaks 802.1Q and doesn’t have that command.
6. Assign IP Addresses (Optional Management)
If you want to SSH into the switches later, give each a management IP on a dedicated VLAN (often VLAN 99).
SW1(config)# vlan 99
SW1(config-vlan)# name Management
SW1(config)# interface vlan 99
SW1(config-if)# ip address 192.168.99.1 255.255.255.0
SW1(config-if)# no shutdown
On SW2:
SW2(config)# interface vlan 99
SW2(config-if)# ip address 192.168.99.2 255.255.255.0
SW2(config-if)# no shutdown
Don’t forget to add VLAN 99 to the trunk. This is an interface command, so enter the trunk port first:
SW1(config)# interface fa0/24
SW1(config-if)# switchport trunk allowed vlan add 99
SW2(config)# interface fa0/24
SW2(config-if)# switchport trunk allowed vlan add 99
7. Configure the End Devices
Give Device A an IP in the 10‑VLAN subnet:
IP: 192.168.10.10
Mask: 255.255.255.0
Gateway: 192.168.10.1 <-- optional if you add a Layer‑3 device later
Give Device B an IP in the 20‑VLAN subnet:
IP: 192.168.20.10
Mask: 255.255.255.0
Gateway: 192.168.20.1
If you only have the two switches (Layer 2), there’s no router yet, so the devices won’t ping each other across VLANs. That’s intentional—you’ll see the limitation in the next section.
8. Verify Connectivity
On Device A, run:
ping 192.168.10.10 # its own address; proves the IP stack is up
ping 192.168.20.10 # cross‑VLAN, will *fail* until you add a router
Device A sits in VLAN 10 and has no route to 192.168.99.0/24, so test the management VLAN from the switch console instead:
SW1# ping 192.168.99.2 # SW2’s management SVI across the trunk, should succeed
On the switches, use:
SW1# show vlan brief
SW1# show interfaces trunk
SW1# show mac address-table
If the MAC table shows the correct VLAN for each port, you’ve nailed the Layer 2 part.
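A script version of the trunk check, as an added example written for this page rather than code from the lab or from Cisco: it parses `show interfaces trunk` output captured from both switches and reports the mismatches step 8 is hunting for. The two captures are constructed to look like Catalyst output; `Fa0/24`, VLANs 10/20/99 and the two switch names come from the lab, everything else is assumed.

```python
"""Added example, not from the original lab: compare `show interfaces trunk`
output from both ends of the lab trunk and report the mismatches step 8 hunts.
The captures are constructed to resemble Catalyst IOS output: SW1 is set up
as the lab intends, SW2 carries the classic mistakes (DTP-negotiated trunk,
native VLAN 1, VLAN 99 missing from the allowed list).
"""

SW1_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Fa0/24      on               802.1q         trunking      99

Port        Vlans allowed on trunk
Fa0/24      10,20,99

Port        Vlans allowed and active in management domain
Fa0/24      10,20,99

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/24      10,20,99
"""

SW2_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Fa0/24      desirable        802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/24      1-20

Port        Vlans allowed and active in management domain
Fa0/24      1,10,20

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/24      1,10,20
"""


def expand_vlans(spec: str) -> set[int]:
    """Expand an IOS VLAN list such as '10,20,99', '1-4094' or 'none' into a set."""
    vlans: set[int] = set()
    if spec.lower() == "none":
        return vlans
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_show_interfaces_trunk(text: str) -> dict[str, dict]:
    """Return {port: {mode, encapsulation, status, native, allowed}} from the first two tables."""
    trunks: dict[str, dict] = {}
    section = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("Port"):  # a header row announces the next table
            section = ("summary" if "Native vlan" in line
                       else "allowed" if "allowed on trunk" in line else "other")
            continue
        fields = line.split()
        port = fields[0]
        if section == "summary":
            mode, encap, status, native = fields[1:5]
            trunks[port] = {"mode": mode, "encapsulation": encap, "status": status,
                            "native": int(native), "allowed": set()}
        elif section == "allowed" and port in trunks:
            trunks[port]["allowed"] = expand_vlans(fields[1])
    return trunks


def check_trunk_pair(local: dict, remote: dict, expected: set[int]) -> list[str]:
    """Compare both ends of one trunk; an empty list means the link is clean."""
    findings: list[str] = []
    if local["native"] != remote["native"]:
        findings.append(f"native VLAN mismatch: {local['native']} vs {remote['native']}")
    if local["allowed"] != remote["allowed"]:
        findings.append("allowed VLAN lists differ; present on one side only: "
                        f"{sorted(local['allowed'] ^ remote['allowed'])}")
    for side, end in (("local", local), ("remote", remote)):
        if end["status"] != "trunking":
            findings.append(f"{side}: port is not trunking (status {end['status']})")
        if end["mode"] != "on":  # desirable/auto: the trunk exists only because DTP negotiated it
            findings.append(f"{side}: trunk depends on DTP (mode {end['mode']}); "
                            "use 'switchport mode trunk' plus 'switchport nonegotiate'")
        if end["native"] == 1:
            findings.append(f"{side}: native VLAN is 1; move it to an unused VLAN")
        if 1 in end["allowed"]:
            findings.append(f"{side}: VLAN 1 is still carried on the trunk")
        missing = expected - end["allowed"]
        if missing:
            findings.append(f"{side}: expected VLAN(s) {sorted(missing)} not allowed on the trunk")
    return findings


def audit_lab(expected: frozenset[int] = frozenset({10, 20, 99})) -> list[str]:
    """Run the comparison on the two constructed captures for port Fa0/24."""
    sw1 = parse_show_interfaces_trunk(SW1_TRUNK)["Fa0/24"]
    sw2 = parse_show_interfaces_trunk(SW2_TRUNK)["Fa0/24"]
    return check_trunk_pair(sw1, sw2, set(expected))
```

Paste real output into the two strings (or read them from the files your terminal logged) to audit your own trunk; `audit_lab()` on the constructed captures returns six findings, all of them caused by SW2.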
Common Mistakes / What Most People Get Wrong
| Mistake | Why it hurts | Fix |
|---|---|---|
| Forgetting `spanning-tree portfast` on access ports | The port sits in listening/learning for up to 30 seconds, causing a “ping timeout” that looks like a config error. | Enable PortFast on host‑facing ports only, and pair it with `spanning-tree bpduguard enable`. |
| Mismatched VLAN numbers | The trunk carries VLAN 10, but the access port is on VLAN 20, so the traffic never meets. | Double‑check the VLAN list on both switches (`show vlan brief`). |
| Leaving VLAN 1 as the native VLAN on the trunk | Untagged frames land in VLAN 1, many security policies forbid using it, and a mismatch between the two ends produces “native VLAN mismatch” warnings. | Move the native VLAN to an unused VLAN on both ends (e.g. `switchport trunk native vlan 999`) and prune VLAN 1 from the allowed list. |
| Using `switchport mode dynamic desirable` on the trunk | If the neighbour isn’t set to trunk, the link can negotiate down to access and silently drop the VLAN tags. | Set `switchport mode trunk` on both ends and add `switchport nonegotiate` so DTP is not used at all. |
| Assigning the same IP to both management SVIs | Duplicate‑address/ARP conflicts make the switches disappear from the network. | Give each switch a unique address in the management subnet (e.g. .1 and .2). |
Most of these slip-ups happen because people treat the CLI like a “type‑once, forget‑it” script. In reality, you need to verify after each step; the show commands are your best friends.
Practical Tips / What Actually Works
- Label your cables. A simple piece of masking tape with “SW1‑FA0/24 ↔ SW2‑FA0/24” saves you from swapping trunks later.
- Save the config after you finish: `write memory` or `copy running-config startup-config`. Forgetting this is the fastest way to lose an hour of work.
- Use a spreadsheet for IP planning. Even a tiny lab benefits from a clear map: VLAN 10 → 192.168.10.0/24, VLAN 20 → 192.168.20.0/24, etc.
- Test with a single cable first. Connect Device A to SW1 and ping the switch’s management IP (put the PC’s port in VLAN 99 for the test, since a VLAN 10 host can’t reach the VLAN 99 SVI without a router). If that fails, the problem is local, not the trunk.
- Enable LLDP (`lldp run`) on both switches. It’ll show you exactly which ports are neighbors, handy when you have more than two switches later.
- Document the VLAN on each port (`show interfaces status`). If you ever need to wipe the config, you’ll know where to start.
FAQ
Q1: Do I need a router to make VLAN 10 and VLAN 20 talk?
Yes. With only Layer 2 switches, each VLAN is a separate broadcast domain. Add a router or a Layer 3 switch and configure inter‑VLAN routing (e.g., interface vlan 10 with an IP, then ip routing).
Q2: My trunk shows “status: down”. What’s wrong?
Common culprits: mismatched trunk mode, a bad cable, or the port is administratively shut down (shutdown). Run show interfaces status and show running-config interface fa0/24 on both switches.
Q3: Can I use a single physical port for both access and trunk?
No. A port can be either access or trunk. If you need both, you must use a separate port or a more advanced feature like voice VLAN on a Cisco phone port, which is a special case.
Q4: Is VLAN 99 required for management?
Not strictly. It’s a best practice to keep management traffic off the default VLAN 1 for security. You can also use VLAN 1 if you’re in a closed lab, but be aware of the risk.
Q5: My PC still can’t ping the other PC after I add a router. What now?
Check the router’s sub‑interfaces: each VLAN needs its own sub‑interface with the correct IP and `encapsulation dot1q <vlan-id>` (Cisco) or equivalent, and the switch port facing the router must be a trunk that allows those VLANs. Also verify that no ACL on the router and no host firewall is blocking ICMP.
When you finish this lab, you’ll have a solid mental model of access vs. trunk ports, VLAN tagging, and the basics of Layer 2 troubleshooting. That foundation will pay off every time you step into a real data‑center or a small office network.
So go ahead—grab those switches, plug them in, and start typing. The only thing standing between you and a working lab is a few commands and a little patience. Happy configuring!
7. Verify End‑to‑End Connectivity
Now that the physical layer is up, the VLANs are defined, and the trunk is alive, it’s time to confirm that the two hosts can actually talk to each other through the router. Follow these steps in order; stop at the first failure and troubleshoot before moving on.
| Step | Command (Host) | Expected Result | What to Check if It Fails |
|---|---|---|---|
| 7.1 | `ping 192.168.10.1` from Host A (router’s VLAN 10 interface) | Replies within < 5 ms | Verify that the router’s VLAN 10 interface is up (`show ip interface brief`) and that Host A’s gateway and mask are correct. |
| 7.2 | `ping 192.168.20.1` from Host A | Replies | Same as above, but for VLAN 20. |
| 7.3 | `ping 192.168.20.10` (Host B) from Host A | Replies | Wrong subnet mask, duplicate IP, or DHCP mis‑assignment on Host B; a host firewall dropping ICMP. |
| 7.4 | `ping 192.168.10.10` (Host A) from Host B | Replies | Same checks, in the other direction. |
| 7.5 | `traceroute 192.168.20.10` (or `tracert` on Windows) from Host A | Two hops: 192.168.10.1, then 192.168.20.10 | If the first hop never answers, Host A’s default gateway is wrong. |
| 7.6 | `show ip route` on the router | Two directly‑connected routes: `192.168.10.0/24` and `192.168.20.0/24` | Missing routes indicate the sub‑interfaces are down or not assigned an IP. |
If every ping succeeds, you have a fully functional Layer 2/3 lab. If not, go back through the checklist in the “FAQ” and “Tips & Tricks” sections—most problems boil down to one of three things:
- Mismatched VLAN IDs on the switch vs. router sub‑interface.
- Incorrect trunk encapsulation (dot1q vs. ISL) or a disabled trunk.
- ACL/firewall rules that block ICMP or the entire subnet.
8. Clean‑up and Backup
Before you power down the lab or move on to the next exercise, take a few minutes to lock in your work:
# On each switch
write memory # or copy running-config startup-config
show running-config # copy the output to a text file for future reference
# On the router
write memory
show running-config
If you’re using a terminal emulator (PuTTY, Tera Term, SecureCRT, etc.), log the session. Having a saved copy of the exact commands you typed makes it trivial to rebuild the lab later or to compare against a colleague’s configuration.
9. Extending the Lab (Optional)
Once you’re comfortable with the basics, try one of the following to deepen your skill set:
| Extension | What You’ll Learn |
|---|---|
| Add a third VLAN (e.g., VLAN 30 for a “guest” network) | Multiple trunk tags, scaling the IP plan, and configuring a separate DHCP pool. |
| Enable Port‑Security on the access ports | MAC‑address limiting, violation actions, and basic switch‑level security. |
| Introduce a Layer 3 switch instead of a router | Inter‑VLAN routing on a single device, routing protocols (OSPF, EIGRP) in a small campus. |
| Create an ACL that blocks traffic from VLAN 20 to VLAN 10 | Policy‑based segmentation and testing firewall concepts. |
| Set up a simple HSRP/VRRP pair | Redundancy, virtual IP address, and failover testing. |
Each addition builds on the same core concepts you’ve just mastered, so you’ll see how a modest lab can evolve into a miniature production environment.
Conclusion
Building a two‑switch, two‑VLAN lab may look like a handful of commands, but the process teaches you the foundations of modern networking:
- Physical connectivity – a single, correctly‑cabled trunk links the whole fabric.
- VLAN design – logical separation of traffic, with a clear IP schema.
- Layer 2 vs. Layer 3 – access ports keep devices on a single broadcast domain, while a router (or Layer 3 switch) stitches those domains together.
- Verification & documentation – show commands, ping tests, and a spreadsheet keep you from wandering in the dark.
When you walk away from the lab and the LEDs on those switches are solid green, you’ve not just configured hardware—you’ve internalized a repeatable workflow that will serve you in any real‑world deployment, from a 10‑port office switch to a multi‑site data‑center spine.
So power down the devices, save your configs, and give yourself a pat on the back: you’ve earned it. And when the next network challenge appears, you’ll already know the first three things to check: cable, VLAN, and routing. Happy networking!
10. Troubleshooting Checklist
Even with a simple topology, things can go sideways. Keep this quick‑reference list handy the next time you stare at a blinking port LED and wonder why nothing is moving.
| Symptom | First‑Check | Next Steps |
|---|---|---|
| No link on the trunk | Verify the physical cable (straight‑through vs. crossover) and that both ports are up (`show interfaces status`). | Confirm both ends are set to trunk mode. Look for “DTP mismatched” messages in the log (`show logging`). |
| Hosts can’t ping the router | `show ip interface brief` – are the VLAN interfaces up, and do they have the correct IP? | Verify the host’s default gateway, subnet mask, and that the access port is in the correct VLAN (`show vlan brief`). |
| Hosts can’t ping each other across VLANs | Ping the router from each host (ping the SVIs). | If both succeed, the router is routing; look for an ACL on the router or a host firewall blocking ICMP. |
| Only one VLAN is reachable | `show interfaces trunk` – does the missing VLAN appear in the allowed list? | Add the missing VLAN to the trunk (`switchport trunk allowed vlan add X`). |
| Port‑Security violations | `show port-security interface <interface>` – look for “Security Violation Count”. | Decide whether to leave the port shut, clear the learned addresses (`clear port-security all interface <interface>`) and bounce it with `shutdown` / `no shutdown`, or raise the MAC‑address limit. |
Having a printed copy of this checklist on your desk can shave minutes off any debugging session.
11. Back‑Up and Restore Strategies
When you’ve spent time fine‑tuning the lab, you’ll want to protect that work.
- Export the running config to a TFTP server:
copy running-config tftp:
Address or name of remote host []? 192.168.1.250
Destination filename [router-confg]? lab-router.cfg
- Schedule a nightly backup (if you have a Linux box acting as a TFTP/FTP server). A cron entry runs a small Expect script:
0 2 * * * /usr/local/bin/backup-router.sh
#!/usr/bin/expect -f
# backup-router.sh, mode 0700. The password is read from a root-only file rather than
# typed on the command line: anything passed to `expect -c` shows up in the process list.
set host 192.168.1.1
set tftp 192.168.1.250
set fname "router-[clock format [clock seconds] -format %Y-%m-%d].cfg"
set fh [open /root/.router-pass r]
set password [string trim [read $fh]]
close $fh
spawn ssh admin@$host
expect "Password:" { send "$password\r" }
expect "#" { send "copy running-config tftp:\r" }
expect "Address or name of remote host" { send "$tftp\r" }
expect "Destination filename" { send "$fname\r" }
expect "#" { send "exit\r" }
expect eof
Two traps with the one‑liner version of this: cron turns an unescaped `%` into a newline, and a `$(date ...)` inside single quotes never runs, so compute the date inside the script as above. Better still, skip the password entirely and use SSH public‑key authentication on the router.
- Version control – treat each config file like source code. Commit the text files to a Git repository; you’ll instantly see what changed, when, and why.
These habits mirror what production teams do in the field and make transitioning from a lab to a live environment painless.
12. What to Do Next
Now that the fundamentals are solid, consider expanding your skill set in one of the following directions:
- Automation – Use Python with Netmiko or NAPALM to push the same configuration to dozens of switches in seconds.
- SDN basics – Deploy an OpenFlow‑compatible switch (e.g., Open vSwitch) and experiment with a simple controller like Ryu.
- Network monitoring – Add a Syslog server, SNMP manager, or NetFlow collector to see traffic patterns in real time.
- Security hardening – Implement 802.1X, DHCP snooping, and dynamic ARP inspection to protect the lab from rogue devices.
Each path reinforces the core concepts you just built, while exposing you to the tools and practices that modern network engineers rely on daily.
Final Thoughts
A modest two‑switch, two‑VLAN lab is more than a “hello‑world” exercise; it is a microcosm of the larger networks you’ll manage later. By deliberately documenting each step, validating with focused show commands, and backing up your work, you’ve cultivated a repeatable methodology that scales from a home lab to enterprise deployments.
Take a moment to archive the configuration files, jot down any quirks you encountered, and then power down the devices with confidence. When the next project lands on your desk—whether it’s a multi‑site WAN rollout or a data‑center fabric upgrade—you’ll already have the mental model and procedural checklist to hit the ground running.
Happy labbing, and may your packets always find their destination!
13. Troubleshooting Checklist – A Quick‑Reference Sheet
| Symptom | Likely Cause | Command(s) to Run | What to Look For |
|---|---|---|---|
| Devices can’t ping each other | VLAN mismatch or trunk not propagating | `show vlan brief`, `show interfaces trunk` | Same VLAN ID on both ends? Trunk status up and allowed VLANs include 10/20? |
| “Invalid input” when entering a command | Wrong IOS mode (global vs. interface) | Look at the prompt | `(config)#` for global commands, `(config-if)#` for interface commands. |
| Only one side sees the other | Native‑VLAN mismatch (often 1 on one end only) | `show interfaces switchport` | Native VLAN must be identical on both ends; use a dedicated VLAN not used for user traffic. |
| No traffic between PCs after adding a second switch | STP blocked port | `show spanning-tree` | Port should be Forwarding; if Blocking, look for a redundant link or a BPDU Guard err‑disable. |
| Config changes disappear after reboot | No `write memory` / `copy running-config startup-config` | `show startup-config` | Confirm the startup config matches the running config. |
| Duplicate IP address errors in the network | Overlapping static IPs or DHCP pool conflict | `show ip interface brief`, `show running-config \| include ip address` | Each address appears exactly once across the lab. |
Print this table, tape it to your lab desk, and you’ll have a handy “first‑aid kit” for the most common hiccups.
14. Scaling the Lab Without Adding Hardware
If you’re limited by physical ports or rack space, simulators and emulators let you stretch the same topology:
- Cisco Packet Tracer – A free, Cisco‑approved simulator that supports the exact commands used above, plus a visual drag‑and‑drop interface. Great for quick prototyping and exam prep.
- GNS3 / EVE‑NG – Run actual IOS images in QEMU/KVM. You can spin up dozens of virtual switches, connect them with virtual Ethernet links, and even attach real NICs for external connectivity.
- Cisco Modeling Labs (CML) – The commercial counterpart to GNS3, offering a polished UI, built‑in labs, and support for IOS‑XE, IOS‑XR, and NX‑OS. Ideal for teams that need a repeatable, version‑controlled environment.
These platforms let you experiment with stacking, VSS, or VPC without buying extra hardware. The same configuration snippets you practiced on the physical switches apply verbatim, reinforcing muscle memory while you explore more advanced concepts.
15. Documenting the Lab for Future Reference
A well‑documented lab becomes a reusable asset. Here’s a minimal template you can copy into a Markdown file or a wiki page:
# Lab Overview
- **Goal:** Two‑switch, two‑VLAN connectivity with inter‑VLAN routing (optional)
- **Devices:**
- Switch‑A (Catalyst 2960, IOS 15.2)
- Switch‑B (Catalyst 2960, IOS 15.2)
# Physical Topology
[PC‑A]---(Fa0/1) Switch‑A (Gi0/1)---(Gi0/1) Switch‑B (Fa0/1)---[PC‑B]
# VLAN Configuration
| VLAN | Name | Subnet | Ports |
|------|------|--------|-------|
| 10 | Sales| 192.168.10.0/24 | S‑A Fa0/2‑5, S‑B Fa0/2‑5 |
| 20 | Engineering | 192.168.20.0/24 | S‑A Fa0/6‑9, S‑B Fa0/6‑9 |
# Trunk Port Settings
- Switch‑A Gi0/1: `switchport mode trunk`, `switchport trunk allowed vlan 10,20`
- Switch‑B Gi0/1: same as above
# Verification Commands
- `show vlan brief`
- `show interfaces trunk`
- `show spanning-tree`
- `ping 192.168.10.x` from PC‑B, etc.
# Backup Procedure
1. `copy running-config tftp:` → 192.168.1.250
2. Commit to Git repo: `git add *.cfg && git commit -m "Daily backup $(date +%F)"`
# Known Issues / Gotchas
- Do **not** use VLAN 1 for user traffic.
- Ensure both switches run the same IOS version to avoid trunk negotiation problems.
- If you enable `portfast` on access ports, also enable `bpduguard` to protect against loops.
# Next Steps
- Add a Layer‑3 switch for inter‑VLAN routing.
- Implement 802.1X authentication.
- Automate config pushes with Ansible.
Having this living document means that when a colleague asks “How did you set up VLAN 20 again?” you can point them to a single source rather than digging through command history.
16. Real‑World Parallel – How Enterprises Deploy This Design
In a corporate campus, the pattern you just built is the foundation of the access layer:
| Enterprise Layer | Typical Device | Role |
|---|---|---|
| Core | High‑throughput multilayer switches (e.g., Catalyst 9500) | Routing, aggregation, redundancy |
| Distribution | Multilayer switches (Catalyst 9300) | VLAN trunking, policy enforcement, QoS |
| Access | Stackable Layer‑2 switches (Catalyst 2960‑X/3500‑X) | Host connectivity, PoE, port‑security |
Your two‑switch lab mirrors the access segment, where most day‑to‑day work happens: defining VLANs, securing ports, and ensuring a clean trunk to the distribution layer. By mastering this slice, you’re already fluent in the language that enterprise architects use when they design large‑scale networks.
Conclusion
Building a two‑switch, two‑VLAN lab may feel like a modest exercise, but it encapsulates every core principle a network engineer must master—layer‑2 segmentation, trunking, spanning‑tree dynamics, configuration hygiene, and backup discipline. By following the step‑by‑step guide, validating each command with focused show outputs, and committing the results to version control, you’ve laid down a repeatable workflow that scales from a home sandbox to a production data center.
Take the time now to archive your configs, annotate any quirks you ran into, and perhaps script the nightly backup so that the lab becomes a living, self‑healing environment. Then push the boundary: automate with Python, add a routing layer, or virtualize the whole topology. Each new layer will feel familiar because the fundamentals are already ingrained.
In the end, the true value of this lab isn’t just the ability to ping between two PCs—it’s the confidence that you can design, implement, and troubleshoot a reliable network from the ground up. Keep that confidence, keep the documentation fresh, and let every new project be an extension of the solid foundation you’ve built today. Happy networking!
17. Extending the Lab with Automation (Optional but Highly Recommended)
If you’ve reached this point and feel comfortable with the manual steps, the next logical leap is to let a script do the heavy lifting. Below is a minimal Ansible playbook that pushes the entire VLAN‑and‑trunk configuration to both switches in one run.
---
- name: Deploy VLAN & trunk config to access switches
  hosts: access_switches
  gather_facts: no
  vars:
    vlan_cfg:
      - { id: 10, name: "User_VLAN" }
      - { id: 20, name: "Guest_VLAN" }
    uplink_ports:
      - GigabitEthernet1/0/24          # same uplink port on Switch-A and Switch-B
    vlan10_ports: [GigabitEthernet1/0/1, GigabitEthernet1/0/2, GigabitEthernet1/0/3, GigabitEthernet1/0/4]
    vlan20_ports: [GigabitEthernet1/0/5, GigabitEthernet1/0/6, GigabitEthernet1/0/7, GigabitEthernet1/0/8]
  tasks:
    - name: Ensure VLANs exist
      cisco.ios.ios_vlans:
        config:
          - vlan_id: "{{ item.id }}"
            name: "{{ item.name }}"
        state: merged
      loop: "{{ vlan_cfg }}"

    - name: Configure trunk on uplink ports (no PortFast on switch-to-switch links)
      cisco.ios.ios_l2_interfaces:
        config:
          - name: "{{ item }}"
            mode: trunk
            trunk:
              allowed_vlans: ["10", "20"]
        state: merged
      loop: "{{ uplink_ports }}"

    - name: Turn off DTP on the uplinks
      cisco.ios.ios_config:
        lines:
          - switchport nonegotiate
        parents: "interface {{ item }}"
      loop: "{{ uplink_ports }}"

    - name: Configure access ports for VLAN 10
      cisco.ios.ios_l2_interfaces:
        config:
          - name: "{{ item }}"
            mode: access
            access:
              vlan: 10
        state: merged
      loop: "{{ vlan10_ports }}"

    - name: Configure access ports for VLAN 20
      cisco.ios.ios_l2_interfaces:
        config:
          - name: "{{ item }}"
            mode: access
            access:
              vlan: 20
        state: merged
      loop: "{{ vlan20_ports }}"

    - name: Enable PortFast and BPDU Guard on every access port
      cisco.ios.ios_config:
        lines:
          - spanning-tree portfast
          - spanning-tree bpduguard enable
        parents: "interface {{ item }}"
      loop: "{{ vlan10_ports + vlan20_ports }}"

    - name: Save the running config
      cisco.ios.ios_config:
        save_when: modified
The modules come from the `cisco.ios` collection (`ansible-galaxy collection install cisco.ios`); the older `ios_vlan` and `ios_interface` modules are deprecated, and `ios_interface` never had trunk or spanning‑tree parameters, so the spanning‑tree settings go through `ios_config`. The uplink is listed once because the playbook already runs once per switch.
How it works
| Section | What it does |
|---|---|
| `cisco.ios.ios_vlans` | Creates VLAN 10 and VLAN 20 if they don’t already exist. |
| `cisco.ios.ios_l2_interfaces` (trunk) | Turns the designated uplink port into an 802.1Q trunk and limits the VLAN list. PortFast deliberately stays off here: a switch‑to‑switch link must go through the normal STP states. |
| `cisco.ios.ios_config` (nonegotiate) | Disables DTP on the uplink so the trunk can’t be negotiated down to an access port. |
| `cisco.ios.ios_l2_interfaces` (access) | Sets the four “user” ports to VLAN 10 and the four “guest” ports to VLAN 20. |
| `cisco.ios.ios_config` (PortFast/BPDU Guard) | Applies PortFast plus BPDU Guard to the eight access ports: a host comes up immediately, but a rogue switch gets the port err‑disabled. |
| `cisco.ios.ios_config` (save) | Persists the changes to NVRAM only when a modification occurred, preventing unnecessary writes. |
Add the two switches to your Ansible inventory. Keep the password out of the inventory file: put `ansible_password` in a group_vars file encrypted with `ansible-vault` (or use SSH keys) so it never sits in plaintext next to the host list.
[access_switches]
switchA ansible_host=10.0.0.11
switchB ansible_host=10.0.0.12

[access_switches:vars]
ansible_connection=ansible.netcommon.network_cli
ansible_network_os=cisco.ios.ios
ansible_user=admin
Run the playbook:
ansible-playbook -i inventory.cfg --ask-vault-pass deploy_vlan_trunk.yml
You’ll see a concise output that tells you exactly which commands were sent, which ones were already present, and whether the config was saved. This approach reduces human error, gives you an audit trail, and scales easily when you add more switches.
18. Troubleshooting Checklist – When Things Don’t Work
Even a perfectly scripted deployment can hit snags. Keep this one‑page checklist handy:
| Symptom | Likely Cause | Quick Test |
|---|---|---|
| PC A cannot ping PC B | VLAN mismatch on access ports | show vlan brief → verify ports are in the correct VLAN |
| Trunk link shows “down” | Wrong trunk mode or physical cable | show interface status → look for err‑disable or notconnect |
| Only one VLAN passes | Trunk allowed‑list missing VLAN | show interfaces trunk → confirm Vlans in spanning tree forwarding state includes both 10 and 20 |
| Spanning‑tree blocks a port | BPDU received on a PortFast port | show spanning-tree blockedports → locate offending port |
| Switches keep rebooting after config change | Corrupt NVRAM or incomplete `write memory` | `show logging` → look for “config register” or “bootup” errors |
| PCs receive no IP address | DHCP server on wrong VLAN or not reachable | show ip dhcp binding on the router (or verify DHCP relay) |
If you hit a dead end, revert to the last known‑good configuration (`configure replace nvram:startup-config`; note that `copy startup-config running-config` only merges the saved config on top of the running one, so commands you added would survive it) and re‑apply changes incrementally, testing after each step.
19. Documenting for the Future
A well‑structured document not only helps you today but also serves as a knowledge‑transfer artifact. Below is a template you can copy into your repository’s README.md for every new lab:
# Lab – Two‑Switch, Two‑VLAN Access Layer
## Objective
- Isolate user and guest traffic using VLAN 10 and VLAN 20.
- Verify inter‑VLAN connectivity via a router‑on‑a‑stick.
## Topology Diagram
*(Insert a simple ASCII or Visio diagram)*
## Device Inventory
| Hostname | Model | Management IP |
|----------|-------|----------------|
| Switch‑A | Catalyst 2960‑X | 10.0.0.11 |
| Switch‑B | Catalyst 2960‑X | 10.0.0.12 |
| Router | ISR 4321 | 10.0.0.1 |
## Configuration Files
- `switchA.cfg`
- `switchB.cfg`
- `router.cfg`
## Validation Steps
1. `show vlan brief`
2. `show interfaces trunk`
3. `show spanning-tree`
4. Ping tests
## Known Issues / Work‑arounds
- *Issue*: PortFast on a trunk skips the STP listening/learning states, so a switch‑to‑switch trunk can briefly forward into a loop.
*Fix*: Keep `portfast` (including `portfast trunk`) off inter‑switch links; use it only on host‑facing ports, paired with BPDU Guard.
## Change Log
| Date | Author | Change |
|------|--------|--------|
| 2026‑06‑04 | Jane Doe | Initial lab build |
| 2026‑06‑07 | John Smith | Added Ansible playbook |
With a living markdown file in the same repo as your configs, anyone cloning the repository instantly knows what exists, why it exists, and how to verify it.
20. Final Thoughts
You’ve just walked through the complete lifecycle of a small‑scale, production‑grade network segment:
- Design – Identify VLANs, decide on port roles, and sketch the physical layout.
- Implementation – Write deterministic IOS commands, apply them, and verify with targeted show commands.
- Protection – Harden ports with PortFast, BPDU‑Guard, and static MAC limits.
- Backup & Version Control – Archive configs, use Git, and schedule automated backups.
- Automation – Translate the manual steps into an Ansible playbook that can be re‑run on demand.
- Documentation – Capture topology, configs, validation steps, and change history in a single, searchable file.
By mastering each of these stages on a modest two‑switch lab, you’ve built a reusable framework that scales to dozens or hundreds of devices with only incremental effort. The next time you’re asked to provision a new floor, a branch office, or a temporary event network, you’ll be able to spin up a reliable, documented, and automated solution in minutes rather than hours.
Keep iterating. Add a routing layer, experiment with VXLAN, or integrate a network‑policy engine like Cisco DNA Center. Every new feature you test should be recorded, versioned, and, when stable, folded back into the core playbooks. That disciplined loop—design → build → validate → document → automate—is the hallmark of a professional network engineer.
Happy building, and may your trunks stay up and your loops stay down!