Designed and configured a segmented enterprise network in Cisco Packet Tracer using VLANs, 802.1Q trunking, and router-on-a-stick inter-VLAN routing. Applied extended ACLs to isolate the Guest VLAN from the IT and Staff networks.
// 01
All three VLANs share one physical switch and one router interface. Inter-VLAN traffic flows up to R1 and back down. The ACL on fa0/0.30 intercepts Guest traffic before routing, blocking lateral movement to IT and Staff.
// 02
Create the VLANs on SW1
Created three VLANs on the switch — VLAN 10 (IT), VLAN 20 (Staff), and VLAN 30 (Guest). VLANs exist only in the switch's VLAN database until you assign ports to them — creating them is just the first step. Verified with show vlan brief to confirm all three showed as active.
Configure access ports and the trunk port
Assigned each host-facing port to its VLAN with switchport mode access and switchport access vlan. The port connected to the router was configured as a trunk with switchport mode trunk and restricted with switchport trunk allowed vlan to carry only the three VLANs in use. A trunk without an allowed VLAN list carries every VLAN by default; pruning it to the VLANs that actually need the uplink is cleaner and keeps stray VLANs, including VLAN 1, off the link to the router.
Set up router-on-a-stick with dot1Q subinterfaces
Created a logical subinterface on R1 for each VLAN, configured encapsulation dot1Q with the matching VLAN ID, then assigned the gateway IP. The encapsulation line has to come first: IOS rejects the ip address command on a subinterface that has no dot1Q encapsulation yet, so a refused command here is the sign that the order was reversed. Enabled the physical interface with no shutdown; the subinterfaces stay down as long as their parent interface is shut.
Configure DHCP pools with excluded ranges
Set up a DHCP pool per VLAN on R1. The excluded-address command reserves the first ten IPs in each subnet before the pool starts handing them out — so routers, servers, and printers can be assigned static addresses without conflicting with DHCP leases. Each pool specifies the network, default gateway, and DNS server.
Apply an extended ACL to block Guest from IT and Staff
Created a named extended ACL with two deny statements covering both protected subnets, then a blanket permit ip any any so Guest traffic can still reach the internet. Applied it inbound on the Guest subinterface: this intercepts traffic the moment it arrives at the router, before any routing decision is made. The wildcard mask 0.0.0.255 matches any host in the /24. One caveat a practitioner should expect: the ACL is stateless, so it also drops Guest replies to sessions that IT or Staff hosts open toward Guest. That is acceptable for a guest network, but it means a ping from IT to a Guest host fails as well, because the echo reply is discarded on its way back in through fa0/0.30.
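The five steps above, written out as the configuration they produce. This is an added worked example, not the lab's saved configuration: the page gives the VLAN IDs and the subinterface fa0/0.30, but the subnets (192.168.10.0/24, 192.168.20.0/24 and 192.168.30.0/24, with .1 as each gateway), the DNS server 8.8.8.8, the switch port map, the pool names and the ACL name GUEST-ISOLATION are assumptions made here. It targets a Packet Tracer 2960 switch and a router with FastEthernet0/0; the 2960 only speaks dot1Q, so no trunk encapsulation command is needed.

```cisco
! ---------------- SW1 ----------------
! Assumed port map: Fa0/1 IT host, Fa0/2 Staff host, Fa0/3 Guest host,
! Gig0/1 uplink to R1 Fa0/0 (all assumptions, not from the original page)
enable
configure terminal
hostname SW1
! Step 1: VLANs exist only in the VLAN database until ports are assigned
vlan 10
 name IT
vlan 20
 name Staff
vlan 30
 name Guest
exit
! Step 2: access ports (untagged, one VLAN each) and the pruned trunk
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 20
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 30
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
end
show vlan brief
show interfaces trunk

! ---------------- R1 ----------------
enable
configure terminal
hostname R1
! Step 4: reserve .1-.10 in each subnet for static gateways, servers, printers
ip dhcp excluded-address 192.168.10.1 192.168.10.10
ip dhcp excluded-address 192.168.20.1 192.168.20.10
ip dhcp excluded-address 192.168.30.1 192.168.30.10
ip dhcp pool IT
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 8.8.8.8
ip dhcp pool STAFF
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.1
 dns-server 8.8.8.8
ip dhcp pool GUEST
 network 192.168.30.0 255.255.255.0
 default-router 192.168.30.1
 dns-server 8.8.8.8
! Step 5: two denies, then an explicit permit (the implicit deny would cut Guest off entirely)
ip access-list extended GUEST-ISOLATION
 deny ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip any any
! Step 3: router-on-a-stick; encapsulation must precede ip address on each subinterface
interface FastEthernet0/0
 no shutdown
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
interface FastEthernet0/0.30
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
 ip access-group GUEST-ISOLATION in
end
show ip interface brief
show access-lists GUEST-ISOLATION
```

Two ordering rules matter here: encapsulation dot1Q before ip address on every subinterface, and the excluded-address lines in place before the pools start leasing. After a Guest host pings an IT address, show access-lists GUEST-ISOLATION shows the match counter on the first deny line climbing, which is the quickest confirmation that the filter is being hit rather than the ping failing for some other reason.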
// 03
VLANs & Layer 2 Segmentation
VLANs logically divide a single physical switch into multiple isolated broadcast domains. Hosts in VLAN 10 can't communicate with VLAN 20 at Layer 2 — the switch simply won't forward frames between them. Segmentation without VLANs would require separate physical switches per network.
[Net+ Domain 2] 802.1Q Trunking
Trunk ports carry traffic for multiple VLANs by inserting a 4-byte 802.1Q tag into each Ethernet frame; the tag carries the VLAN ID (12 bits) alongside a 3-bit priority field. The switch strips the tag before a frame leaves an access port, so end devices never see it. Without trunking, you'd need a dedicated physical link per VLAN between the switch and router.
[Net+ Domain 2] Access vs Trunk Ports
An access port belongs to exactly one VLAN: it adds no tag to outgoing frames and expects no tag on incoming ones. A trunk port carries multiple VLANs, tagging every frame except those in the native VLAN. Misconfiguring one as the other is a common reason inter-VLAN routing fails silently: an access port facing the router discards the tagged frames the router sends, and a trunk facing a host delivers tagged frames the host cannot use.
[Net+] Router-on-a-Stick & Inter-VLAN Routing
One physical router interface is subdivided into logical subinterfaces, each acting as the default gateway for its VLAN. All traffic between VLANs must traverse the router — a bottleneck at scale, which is why enterprise networks use Layer 3 switches instead. For a lab, router-on-a-stick is the correct starting point.
[Net+ / SAA-C03] DHCP Scopes & Excluded Ranges
Each VLAN needs its own DHCP scope because hosts in different VLANs live in different IP subnets. The excluded-address command reserves addresses before the pool starts — this prevents DHCP from handing out IPs already assigned statically to gateways, servers, or printers.
Extended ACLs & Wildcard Masks
Extended ACLs match on source IP, destination IP, protocol, and port — not just source like standard ACLs. Wildcard masks are the bitwise inverse of subnet masks: 0.0.0.255 means match any host in the /24. ACLs are processed top-down and stop at the first match — order matters.
ARP & First-Ping Drop
The first ping to any new host drops in this topology. The router has no ARP cache entry for the destination, so it sends an ARP request and discards the ICMP packet that triggered it rather than holding it. The ARP reply comes back, the cache is populated, and every subsequent ping succeeds until the entry ages out. This is expected behavior, not a misconfiguration. On R1, show ip arp makes it visible: the destination appears in the table right after the first failed ping, and the second ping works.
[Deep Dive] Inbound vs Outbound ACL Placement
Applying an ACL inbound on a subinterface filters traffic before the routing engine processes it — more efficient and the correct pattern for blocking a source network. Outbound ACLs filter after routing and apply to egress traffic. The general rule: place extended ACLs as close to the source as possible.
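The two sections above (Extended ACLs & Wildcard Masks, and Inbound vs Outbound ACL Placement), carried through on the lab's ACL. This is an added example, not the lab's own configuration. It assumes addressing the page does not state (VLAN 10 = 192.168.10.0/24, VLAN 20 = 192.168.20.0/24, VLAN 30 = 192.168.30.0/24), an IT-side DNS server at 192.168.10.10 inside the statically reserved range, and that the existing Guest ACL is named GUEST-ISOLATION and applied inbound on fa0/0.30; all of those are assumptions. It shows three things the text describes: first-match ordering (a narrow permit has to precede the broad deny), the stateless return-traffic problem and what the established keyword does and does not fix, and the outbound placement alternative applied after routing on the two protected subinterfaces.

```cisco
! R1. Assumed addressing: VLAN 10 = 192.168.10.0/24, VLAN 20 = 192.168.20.0/24,
! VLAN 30 = 192.168.30.0/24. Assumed IT-side DNS server 192.168.10.10.
configure terminal
!
! --- Variant A: inbound, where Guest traffic enters the router (preferred) ---
ip access-list extended GUEST-ISOLATION-V2
 remark Processed top-down, first match wins: the narrow permit must sit above the broad deny
 remark host 192.168.10.10 is shorthand for 192.168.10.10 0.0.0.0 (every bit must match)
 permit udp 192.168.30.0 0.0.0.255 host 192.168.10.10 eq 53
 remark The ACL is stateless: without these lines, replies to TCP sessions that IT or Staff
 remark open toward Guest are dropped here. established matches segments with ACK or RST set,
 remark so it is a partial fix only: UDP and ICMP replies still die, and ACK bits can be forged.
 permit tcp 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255 established
 permit tcp 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255 established
 deny ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
 remark Without this line the implicit deny at the end would also cut Guest off from the internet
 permit ip any any
!
interface FastEthernet0/0.30
 no ip access-group GUEST-ISOLATION in
 ip access-group GUEST-ISOLATION-V2 in
end
!
! --- Variant B: outbound, applied after routing on each protected subinterface ---
! Same basic policy, but two applications instead of one, a routing lookup on every
! packet before it is dropped, and no room for the DNS exception above (the reply
! path would still be cut). Shown for contrast: apply A or B, never both at once.
configure terminal
ip access-list extended GUEST-OUT
 deny ip 192.168.30.0 0.0.0.255 any
 permit ip any any
interface FastEthernet0/0.10
 ip access-group GUEST-OUT out
interface FastEthernet0/0.20
 ip access-group GUEST-OUT out
end
!
! Verify: the deny counters climb when a Guest host pings an IT or Staff address,
! and the udp/53 permit counter climbs when it resolves a name against 192.168.10.10
show access-lists
```

Variant A is the one that matches the rule in the paragraph above: Guest packets are dropped at the point closest to their source, before the routing lookup, and a single ACL on a single subinterface expresses the whole policy. Variant B reaches the same end state for plain isolation, but it filters after routing and has to be maintained on every interface a Guest packet could exit through.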
[SAA-C03] The first ping always drops — and that's fine. I spent ten minutes convinced my ACL was broken before I realized it was ARP. The router queues the ICMP packet while it waits for an ARP reply. Second ping succeeds every time. Understanding why this happens is one of those things that separates memorized facts from actual networking knowledge.
Wildcard masks are the inverse of subnet masks, not the same thing. 0.0.0.255 matches 256 hosts — the entire /24. The zero bits mean "must match this bit exactly," the one bits mean "don't care." It clicked once I stopped thinking about them like subnet masks and started thinking about them as bit-level filters.
permit ip any any at the end is not optional. Every ACL has an implicit deny-all at the bottom. Without the explicit permit, the ACL would block all Guest traffic — including internet access — not just lateral movement to IT and Staff. The goal is controlled segmentation, not complete isolation.
This is directly on the Net+ exam — and now it makes sense. I'd memorized VLAN concepts from flashcards, but building it end-to-end in Packet Tracer made the theory stick. The moment inter-VLAN ping worked for the first time after configuring the subinterfaces, the whole model clicked in a way studying never did.