# Managed Switch Configuration — VLANs, Trunking, STP, and Port Security

A step-by-step guide to configuring managed network switches — VLAN setup, trunk ports, Spanning Tree Protocol, port security, and monitoring for enterprise networks. The command examples use Cisco IOS syntax; other vendors offer the same features under different names.
## Why Managed Switches?

Unmanaged switches are plug-and-play — no configuration needed. But for any network beyond a small home setup, managed switches provide essential features:

| Feature | Unmanaged | Managed |
|---------|-----------|---------|
| VLANs | No | Yes |
| Trunking | No | Yes |
| STP | Basic or None | Full control |
| Port Security | No | Yes |
| QoS | No | Yes |
| Monitoring (SNMP) | No | Yes |
| Port Mirroring | No | Yes |
| Link Aggregation | No | Yes |
| Cost | Low | Higher |
## Initial Switch Setup

### Accessing the Switch

Most managed switches offer multiple management interfaces:

```
# Console cable (serial)
# Connect via USB/Serial console cable
screen /dev/ttyUSB0 9600

# SSH (after initial IP assignment)
ssh admin@192.168.1.1

# Web GUI
# Browse to https://192.168.1.1
```

### Basic Configuration
```
! Set hostname
hostname CORE-SW-01

! Set management IP
interface vlan 1
 ip address 192.168.1.1 255.255.255.0
 no shutdown
 exit

! Set default gateway
ip default-gateway 192.168.1.254

! Enable SSH
! IOS refuses to generate an RSA key until a hostname and a domain name are set;
! example.com is a placeholder, use your own domain
ip domain-name example.com
crypto key generate rsa modulus 2048
ip ssh version 2

! Create admin user
username admin privilege 15 secret YourStr0ngP@ssword

! Enable SSH-only access
line vty 0 15
 transport input ssh
 login local
 exit

! Disable unused services (both the plain and the TLS web server)
no ip http server
no ip http secure-server
no cdp run
```
## VLAN Configuration

### Creating VLANs

```
! Create VLANs
vlan 10
 name Management
vlan 20
 name Staff
vlan 30
 name Servers
vlan 40
 name IoT-Devices
vlan 50
 name Guest-WiFi
vlan 99
 name Native-Unused
```
### Access Ports

Access ports belong to a single VLAN:

```
! Staff workstations (VLAN 20)
interface range GigabitEthernet0/1-20
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
 no shutdown

! Server ports (VLAN 30)
interface range GigabitEthernet0/21-24
 switchport mode access
 switchport access vlan 30
 spanning-tree portfast
 no shutdown

! IoT devices (VLAN 40)
interface range FastEthernet0/1-12
 switchport mode access
 switchport access vlan 40
 spanning-tree portfast
 no shutdown
```
### Trunk Ports

Trunk ports carry multiple VLANs between switches:

```
! Trunk to core switch
interface GigabitEthernet0/48
 ! On platforms that also support ISL the encapsulation must be set
 ! before the mode; 802.1Q-only switches do not have this command
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40,50
 switchport trunk native vlan 99
 no shutdown
```

Verify the trunk:

```
show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Gi0/48      on           802.1q         trunking      99

Port        Vlans allowed on trunk
Gi0/48      10,20,30,40,50
```
### Best Practice: Trunk Security

These commands go under the trunk interface (GigabitEthernet0/48 above):

```
! Only allow needed VLANs on the trunk (never leave the default "all")
switchport trunk allowed vlan 10,20,30,40,50
! Set an unused native VLAN (prevents double-tagging VLAN hopping);
! VLAN 99 must not be assigned to any access port
switchport trunk native vlan 99
! Disable DTP negotiation so the neighbour cannot negotiate a trunk
switchport nonegotiate
```
## Spanning Tree Protocol (STP)

STP prevents broadcast loops in networks with redundant paths.

### STP Modes

| Mode | Standard | Convergence | Use Case |
|------|----------|-------------|----------|
| STP | 802.1D | 30-50 seconds | Legacy |
| RSTP | 802.1w | 1-2 seconds | Standard |
| MSTP | 802.1s | 1-2 seconds | Multiple instances |
| PVST+ | Cisco | Per-VLAN, 30-50s | Cisco networks |
| Rapid PVST+ | Cisco | Per-VLAN, 1-2s | Cisco recommended |
### RSTP Configuration

```
! Enable Rapid PVST+
spanning-tree mode rapid-pvst

! Set root bridge priority (lower = root; must be a multiple of 4096)
spanning-tree vlan 10,20,30,40,50 priority 4096

! PortFast on access ports (skip the listening and learning states)
interface range GigabitEthernet0/1-24
 spanning-tree portfast
 exit

! BPDU Guard on every PortFast port (global command): a port that receives
! a BPDU, i.e. has a rogue switch behind it, is err-disabled
spanning-tree portfast bpduguard default

! Root Guard on ports that should never become root.
! Apply it only on ports facing downstream switches; on the uplink
! toward the real root it would block that uplink.
interface GigabitEthernet0/48
 spanning-tree guard root
 exit

! Verify STP
show spanning-tree summary
show spanning-tree vlan 20
```
### STP Best Practices

- Always designate a root bridge — Don't let STP elect randomly
- Enable PortFast on access ports — Faster connectivity for end devices
- Enable BPDU Guard — Prevent loops from unauthorized switches
- Use RSTP — Much faster convergence than legacy STP
- Document your STP topology — Know which paths are active/blocked
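Why "always designate a root bridge" matters becomes clear once the election is written out. Rapid PVST+ elects the root per VLAN by the lowest Bridge ID, which is the configured priority plus the VLAN number (the extended system ID) followed by the switch MAC address, with the MAC breaking ties. The following example is added here and is not part of the original article; the switch names, MAC addresses and priorities are constructed sample values. It reproduces the election for the priorities set above and shows how a VLAN that was left out of the `priority 4096` command falls back to a MAC-address lottery.

```python
"""STP root bridge election for Rapid PVST+ (added example, constructed data).

Bridge ID per VLAN = (priority + VLAN number) . (bridge MAC address)
Lowest wins; priorities must be multiples of 4096 (0..61440).
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Switch:
    hostname: str
    mac: str                                  # "0011.2233.4455" style, constructed
    priorities: dict = field(default_factory=dict)   # VLAN -> configured priority


def bridge_id(sw, vlan):
    """Return the Bridge ID for one VLAN as a comparable (priority + sysid, mac) tuple."""
    base = sw.priorities.get(vlan, 32768)     # IOS default priority
    if base % 4096 != 0 or not 0 <= base <= 61440:
        raise ValueError(f"{sw.hostname}: priority {base} must be a multiple of 4096 in 0..61440")
    mac_int = int(sw.mac.replace(".", "").replace(":", ""), 16)
    return (base + vlan, mac_int)


def elect_root(switches, vlan):
    """Hostname of the switch with the lowest Bridge ID on this VLAN."""
    return min(switches, key=lambda sw: bridge_id(sw, vlan)).hostname


def vlans_not_rooted_at(switches, intended_root, vlans):
    """VLANs where the election does NOT pick the switch you intended as root."""
    return [v for v in vlans if elect_root(switches, v) != intended_root]


# Constructed topology: the core switch got
#   spanning-tree vlan 10,20,30,40,50 priority 4096
# as in the article; the access switches keep the default 32768.
CORE = Switch("CORE-SW-01", "00aa.bb00.0001", {v: 4096 for v in (10, 20, 30, 40, 50)})
ACCESS1 = Switch("ACC-SW-01", "0000.0c00.0001")   # oldest switch, lowest MAC
ACCESS2 = Switch("ACC-SW-02", "00aa.bb00.0002")
SWITCHES = [CORE, ACCESS1, ACCESS2]

if __name__ == "__main__":
    for vlan in (10, 20, 99):
        print(f"VLAN {vlan}: root = {elect_root(SWITCHES, vlan)}")
    # VLAN 99 (the native VLAN) was not in the priority command, so the
    # lowest-MAC access switch wins it: exactly the "random" election to avoid.
    print("VLANs not rooted at CORE-SW-01:",
          vlans_not_rooted_at(SWITCHES, "CORE-SW-01", [10, 20, 30, 40, 50, 99]))
```

The point of `vlans_not_rooted_at` is the audit question a practitioner asks after the priority command: every VLAN carried on the trunks, including the native VLAN, must be listed, or some VLANs will root wherever the lowest MAC happens to be.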
## Port Security

Restrict which devices can connect to each port. Port security only works on a port in static access mode, which the access-port configuration above already set:

```
! Enable port security
interface GigabitEthernet0/1
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky

! Violation actions:
! protect  — Drop frames from unknown MACs silently
! restrict — Drop + log / SNMP trap and count violations (recommended)
! shutdown — Err-disable the port (strictest); it stays down until
!            shutdown / no shutdown or errdisable recovery brings it back

! View port security status
show port-security interface GigabitEthernet0/1

Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Sticky MAC Addresses       : 1
```
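The trunk security rules above (restricted VLAN list, unused native VLAN, `switchport nonegotiate`) and the access-port rules in this section (port security, PortFast, no devices in VLAN 1) are easy to state and easy to forget on one port out of forty-eight. The following script is an added example, not code from the original article: it parses an IOS-style configuration, expanding `interface range` stanzas, and reports every interface that misses one of those settings. The sample configuration embedded at the bottom is constructed, modelled on the article's snippets, and the rule set is my own choice of checks.

```python
"""Audit an IOS-style switch config for trunk and access-port hardening (added example)."""
import re

RANGE_RE = re.compile(r"^(?P<prefix>\S+?/)(?P<lo>\d+)\s*-\s*(?P<hi>\d+)$")


def expand_range(spec):
    """'GigabitEthernet0/1-3,Gi0/48' -> ['GigabitEthernet0/1', ..., 'Gi0/48']."""
    names = []
    for part in spec.split(","):
        part = part.strip()
        m = RANGE_RE.match(part)
        if m:
            names.extend(f"{m['prefix']}{n}" for n in range(int(m["lo"]), int(m["hi"]) + 1))
        else:
            names.append(part)
    return names


def parse_interfaces(config_text):
    """Return {interface name: [config lines]} from 'interface' / 'interface range' stanzas.
    A line starting with '!' (comment or the running-config stanza terminator) ends a stanza;
    global commands outside a stanza are ignored."""
    interfaces = {}
    current = []                      # interfaces the following lines apply to
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("!"):
            current = []
            continue
        if line.startswith("interface "):
            spec = line.split(None, 1)[1]
            if spec.startswith("range "):
                spec = spec[len("range "):]
            current = expand_range(spec)
            for name in current:
                interfaces.setdefault(name, [])
            continue
        for name in current:
            interfaces[name].append(line)
    return interfaces


def audit_interface(lines):
    """Findings for one interface; an empty list means it passes every check."""
    mode = allowed = native = access_vlan = None
    present = set(lines)
    for line in lines:
        if line == "switchport mode trunk":
            mode = "trunk"
        elif line == "switchport mode access":
            mode = "access"
        elif line.startswith("switchport trunk allowed vlan "):
            allowed = line.split()[-1]
        elif line.startswith("switchport trunk native vlan "):
            native = int(line.split()[-1])
        elif line.startswith("switchport access vlan "):
            access_vlan = int(line.split()[-1])
    if "shutdown" in present:         # administratively down: nothing to check
        return []
    if mode is None:                  # IOS default is DTP dynamic
        return ["no explicit switchport mode (DTP may negotiate a trunk)"]
    findings = []
    if mode == "trunk":
        if allowed is None or allowed.lower() == "all":
            findings.append("all VLANs allowed on trunk")
        if native in (None, 1):
            findings.append("native VLAN is 1")
        if "switchport nonegotiate" not in present:
            findings.append("DTP not disabled (switchport nonegotiate missing)")
    else:
        if access_vlan in (None, 1):
            findings.append("access port in VLAN 1")
        if "switchport port-security" not in present:
            findings.append("port security not enabled")
        if "spanning-tree portfast" not in present:
            findings.append("portfast missing")
    return findings


def audit_config(config_text):
    """{interface: [findings]} for every interface that has at least one finding."""
    report = {}
    for name, lines in parse_interfaces(config_text).items():
        findings = audit_interface(lines)
        if findings:
            report[name] = findings
    return report


# Constructed sample config, modelled on the article's snippets.
SAMPLE_CONFIG = """
interface range GigabitEthernet0/1-2
 switchport mode access
 switchport access vlan 20
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
interface GigabitEthernet0/47
 switchport mode trunk
 switchport trunk allowed vlan all
!
interface GigabitEthernet0/48
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40,50
 switchport trunk native vlan 99
 switchport nonegotiate
!
interface GigabitEthernet0/49
 shutdown
!
interface GigabitEthernet0/50
 description spare
"""

if __name__ == "__main__":
    for name, findings in sorted(audit_config(SAMPLE_CONFIG).items()):
        print(name, "->", "; ".join(findings))
```

Feed it the output of `show running-config` saved to a file and the report lists exactly the ports to revisit. The "no explicit switchport mode" finding is the one most often overlooked: a port with no mode statement is still in DTP dynamic mode and will happily form a trunk with whatever is plugged in.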
## DHCP Snooping

Prevent rogue DHCP servers:

```
! Enable DHCP snooping globally and on the client VLANs
ip dhcp snooping
ip dhcp snooping vlan 20,30,40

! Trust the port connected to the legitimate DHCP server
! (if the server sits behind another switch, trust the trunk uplink instead)
interface GigabitEthernet0/21
 ip dhcp snooping trust
 exit

! All other ports are untrusted by default: DHCP OFFER/ACK arriving
! on them is dropped and logged, which blocks rogue DHCP servers.

! DHCP snooping inserts option 82 into relayed requests; if your DHCP
! server or relay discards such packets, turn the insertion off:
no ip dhcp snooping information option
```
## Quality of Service (QoS)

Prioritize critical traffic (the `mls qos` syntax below is the Catalyst 3560/3750 family; newer platforms use MQC policy maps):

```
! Enable QoS
mls qos

! Trust CoS markings on trunk ports
interface GigabitEthernet0/48
 mls qos trust cos
 exit

! Prioritize VoIP traffic (VLAN 60; create it first, as in the VLAN section)
interface range GigabitEthernet0/25-30
 mls qos trust dscp
 switchport access vlan 60
```
## Link Aggregation (LACP)

Bundle multiple physical links for more bandwidth and redundancy:

```
! Create LAG using LACP; both members need identical switchport settings
interface range GigabitEthernet0/47-48
 channel-protocol lacp
 channel-group 1 mode active
 exit

! Configure the bundle; the settings are pushed to the member ports
interface Port-channel1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40,50
 switchport trunk native vlan 99

! Verify
show etherchannel summary

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------
1      Po1(SU)       LACP        Gi0/47(P)   Gi0/48(P)
```
## Monitoring and Management

### SNMP Configuration

```
! Enable SNMP v3 (authenticated and encrypted)
snmp-server group MONITOR v3 priv
snmp-server user snmpuser MONITOR v3 auth sha AuthP@ss priv aes 128 PrivP@ss

! Enable SNMP traps
snmp-server enable traps
snmp-server host 10.0.10.50 version 3 priv snmpuser
```
### Port Mirroring (SPAN)

Mirror traffic from one port to a monitoring port. A SPAN destination port stops forwarding normal traffic, so it must be a spare port, not the Gi0/48 trunk uplink configured above; Gi0/46 below is assumed to be free:

```
! Mirror traffic from Gi0/1 to Gi0/46 (for Wireshark capture)
monitor session 1 source interface GigabitEthernet0/1 both
monitor session 1 destination interface GigabitEthernet0/46
```
### Syslog

```
! Send logs to syslog server
logging host 10.0.10.50
logging trap informational
! Source the messages from the SVI that holds the management IP
! (vlan 1 in the basic setup above, vlan 10 once management is moved there)
logging source-interface vlan 10
```
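Shipping the logs is only half of monitoring; someone has to read them. The port security, DHCP snooping and BPDU Guard features above all announce themselves through IOS syslog messages, and the following added example (not from the original article) shows a small triage pass over such a feed: it classifies the messages those features emit, attributes them to a port, and flags ports that keep violating port security. The sample lines are constructed and modelled on the IOS `%FACILITY-SEVERITY-MNEMONIC` format; the severity thresholds and the "noisy port" cut-off are my own assumptions.

```python
"""Triage IOS syslog for the security features configured above (added example, constructed data)."""
import re
from collections import Counter, defaultdict

IOS_MSG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$")
MAC_RE = re.compile(r"\b[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\b")
PORT_RE = re.compile(r"((?:GigabitEthernet|FastEthernet|TenGigabitEthernet|Gi|Fa|Te)\d+(?:/\d+)+)")
ABBREV = {"Gi": "GigabitEthernet", "Fa": "FastEthernet", "Te": "TenGigabitEthernet"}

# (facility, mnemonic) pairs emitted by the features in this guide -> human label
WATCH = {
    ("PORT_SECURITY", "PSECURE_VIOLATION"): "port-security violation",
    ("DHCP_SNOOPING", "DHCP_SNOOPING_UNTRUSTED_PORT"): "rogue DHCP offer dropped",
    ("SPANTREE", "BLOCK_BPDUGUARD"): "BPDU guard triggered",
    ("PM", "ERR_DISABLE"): "port err-disabled",
}


def normalize_port(name):
    """'Gi0/5' -> 'GigabitEthernet0/5' so both spellings count as one port."""
    for short, long in ABBREV.items():
        if name.startswith(short) and not name.startswith(long):
            return long + name[len(short):]
    return name


def parse_event(line):
    """Return a dict for a watched message, or None for anything else."""
    m = IOS_MSG_RE.search(line)
    if not m or (m["facility"], m["mnemonic"]) not in WATCH:
        return None
    port = PORT_RE.search(m["text"])
    mac = MAC_RE.search(m["text"])
    return {
        "kind": WATCH[(m["facility"], m["mnemonic"])],
        "severity": int(m["sev"]),
        "port": normalize_port(port.group(1)) if port else None,
        "mac": mac.group(0) if mac else None,
    }


def summarize(lines):
    """(events per kind, events per port per kind) over a batch of log lines."""
    by_kind = Counter()
    by_port = defaultdict(Counter)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        by_kind[ev["kind"]] += 1
        if ev["port"]:
            by_port[ev["port"]][ev["kind"]] += 1
    return by_kind, by_port


def noisy_ports(lines, threshold=3):
    """Ports with at least `threshold` port-security violations in the batch:
    with 'violation restrict' the port stays up, so repeated violations are the
    signal that a hub, an unauthorized switch or a MAC-churning device sits behind it."""
    _, by_port = summarize(lines)
    return sorted(p for p, c in by_port.items() if c["port-security violation"] >= threshold)


# Constructed sample feed (timestamps, hostnames and MACs are made up).
SAMPLE_SYSLOG = [
    "Jan 12 10:15:01 CORE-SW-01 45: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet0/1.",
    "Jan 12 10:15:02 CORE-SW-01 46: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4456 on port GigabitEthernet0/1.",
    "Jan 12 10:15:03 CORE-SW-01 47: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4457 on port GigabitEthernet0/1.",
    "Jan 12 10:16:00 CORE-SW-01 48: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00aa.bbcc.dd01 on port GigabitEthernet0/7.",
    "Jan 12 10:20:11 CORE-SW-01 49: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: 0019.5555.aaaa",
    "Jan 12 10:25:30 CORE-SW-01 50: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi0/5 with BPDU Guard enabled. Disabling port.",
    "Jan 12 10:25:30 CORE-SW-01 51: %PM-4-ERR_DISABLE: bpduguard error detected on Gi0/5, putting Gi0/5 in err-disable state",
    "Jan 12 10:30:00 CORE-SW-01 52: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.10.20)",
]

if __name__ == "__main__":
    kinds, ports = summarize(SAMPLE_SYSLOG)
    print(dict(kinds))
    for port, counts in sorted(ports.items()):
        print(port, dict(counts))
    print("noisy ports:", noisy_ports(SAMPLE_SYSLOG))
```

Pointed at the file your syslog server writes for the switch, the same three functions give a per-shift summary of which ports tripped BPDU Guard (a candidate for a rogue switch), where DHCP offers were dropped, and which access ports are seeing more MAC addresses than the `maximum 2` configured above.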
## Save Configuration

```
! Save running config to startup config
copy running-config startup-config

! Or shorthand
write memory
```
## Conclusion

Properly configured managed switches are the foundation of a secure, performant network. VLANs for segmentation, STP for loop prevention, port security for access control, and SNMP for monitoring — these features work together to create a robust network infrastructure that scales from small offices to enterprise deployments.