VLANs – Concepts & Overview

1. What Is a VLAN and Why Does It Matter?

A Virtual Local Area Network (VLAN) is a logical grouping of devices on one or more switches, treated as if they were on their own isolated physical network — regardless of their physical location. Without VLANs, every device connected to the same switch fabric shares a single broadcast domain: one broadcast from any device reaches every other device, wasting bandwidth, exposing traffic to unintended recipients, and making the network harder to manage.

VLANs solve this by partitioning a switch (or group of switches) into multiple virtual broadcast domains at Layer 2. Traffic cannot cross a VLAN boundary without passing through a Layer 3 device — a router or a Layer 3 switch performing inter-VLAN routing.

Benefits, and how VLANs provide each:

  Reduced broadcast traffic: Each VLAN is its own broadcast domain. Broadcasts stay within the VLAN and are never forwarded to other VLANs.
  Security isolation: Devices in different VLANs cannot communicate directly at Layer 2. ACLs on routers/L3 switches control what inter-VLAN traffic is permitted.
  Logical grouping by function: Users from the same department (e.g., Finance) can be in the same VLAN even if they are on different floors or buildings.
  Simplified management: Adding, moving, or changing a user's VLAN is a software configuration change — no physical rewiring required.
  Better performance: Smaller broadcast domains mean less unnecessary traffic, freeing bandwidth for real data.
  Flexible design: VLANs can span multiple switches using trunk links, enabling campus-wide logical segmentation over a shared physical infrastructure.

Related pages: VLAN Tagging & 802.1Q | show vlan | Inter-VLAN Routing | Voice VLAN | MAC Address Table | Spanning Tree Protocol | VLAN Creation & Management Lab | Trunk Port Configuration Lab

2. Broadcast Domains — With and Without VLANs

Understanding what a broadcast domain is — and how VLANs change its scope — is fundamental to CCNA and to real-world network design.

Without VLANs — One Large Broadcast Domain

  Physical topology: 4 departments, all connected to the same switch

  [PC-Finance-1] --+
  [PC-Finance-2] --+
  [PC-HR-1]      --+-- [Switch] -- [Router] -- Internet
  [PC-HR-2]      --+
  [PC-IT-1]      --+
  [PC-Sales-1]   --+

  A broadcast from PC-Finance-1 reaches EVERY other device on the switch.
  One broadcast domain = entire switch.
  Result: unnecessary traffic, security exposure, difficult troubleshooting.

With VLANs — Multiple Logical Broadcast Domains

  Same physical switch, now divided into 3 VLANs:

  VLAN 10 (Finance):  [PC-Finance-1]  [PC-Finance-2]
  VLAN 20 (HR):       [PC-HR-1]       [PC-HR-2]
  VLAN 30 (IT):       [PC-IT-1]

  A broadcast from PC-Finance-1 stays within VLAN 10.
  PC-HR-1 and PC-IT-1 never see it.

  To communicate across VLANs, traffic must be routed:
  VLAN 10 <--[Layer 3 device]--> VLAN 20  (inter-VLAN routing)

Key rule: Routers separate broadcast domains at Layer 3. Switches (without VLANs) forward broadcasts to all ports — they do NOT separate broadcast domains. VLANs create logical broadcast domain boundaries within a switch (or switch fabric).

3. VLAN IDs — Ranges and Significance

Every VLAN is identified by a VLAN ID (VID), a 12-bit number carried in the 802.1Q tag. This gives a theoretical range of 0–4095, though not all values are available for use.

VLAN ID ranges and their significance:

  0 (Reserved): Used to indicate that the 802.1Q tag carries only a priority value (CoS) and no VLAN membership. Not configurable.
  1 (Default VLAN): Factory default VLAN on Cisco switches. All ports belong to VLAN 1 out of the box. Cannot be deleted or renamed.
  2–1001 (Normal Range VLANs): Standard user-configurable VLANs. Stored in flash in the vlan.dat file. Supported by VTP (VLAN Trunking Protocol).
  1002–1005 (Legacy Reserved): Reserved for Token Ring and FDDI. Present by default on Cisco switches; cannot be deleted.
  1006–4094 (Extended Range VLANs): Available for large-scale environments (service providers, data centres). Stored in the running configuration, not vlan.dat. VTP must be in transparent or off mode to use them.
  4095 (Reserved): Reserved by the IEEE 802.1Q standard. Not configurable.

CCNA exam tip: Remember the normal range is 1–1001 and the extended range is 1006–4094. VLANs 1002–1005 exist by default and cannot be removed — they account for legacy media types that are no longer used in modern networks.

4. Types of VLANs — Default, Data, Management, Native, Voice

Cisco documentation defines several named VLAN types based on their purpose. These are roles assigned to VLANs — not mutually exclusive technical categories. Any VLAN ID can be assigned any of these roles (with important exceptions for VLAN 1).

4.1 Default VLAN — VLAN 1

VLAN 1 is the default VLAN on all Cisco switches. Every port is assigned to VLAN 1 when the switch ships from the factory. VLAN 1 is also the default native VLAN and default management VLAN unless explicitly changed.

Security best practice: VLAN 1 should not carry user data in production networks. Because all ports default to VLAN 1, an attacker who plugs an unauthorised device into any unconfigured port immediately has Layer 2 access to the same broadcast domain as management traffic. Best practice is to move management to a dedicated VLAN and assign all unused ports to an isolated "parking lot" VLAN.

4.2 Data VLAN (User VLAN)

A data VLAN carries standard user-generated traffic — file sharing, web browsing, email, and so on. Each department or logical group is typically assigned its own data VLAN to achieve broadcast isolation and security segmentation.

  Typical data VLAN assignment:

  VLAN 10  --  Finance department
  VLAN 20  --  Human Resources
  VLAN 30  --  Engineering / IT
  VLAN 40  --  Sales
  VLAN 50  --  Guest Wi-Fi

4.3 Management VLAN

The management VLAN is the VLAN through which network administrators access and manage switches — via SSH, Telnet, SNMP, or a web GUI. An IP address is assigned to the switch's SVI (Switch Virtual Interface) for the management VLAN, which is the only Layer 3 interface a Layer 2 switch has by default.

  Configuring the management VLAN SVI on a Cisco switch:

  Switch(config)# vlan 99
  Switch(config-vlan)# name Management
  Switch(config-vlan)# exit
  Switch(config)# interface vlan 99
  Switch(config-if)# ip address 192.168.99.10 255.255.255.0
  Switch(config-if)# no shutdown
  Switch(config-if)# exit
  Switch(config)# ip default-gateway 192.168.99.1

Best practice: Use a dedicated VLAN (not VLAN 1) for management. This restricts administrative access to authorised ports and subnets, and reduces the attack surface if user-facing ports are compromised.

4.4 Native VLAN

The native VLAN is special to trunk links. On an 802.1Q trunk, frames belonging to the native VLAN are sent untagged — no 802.1Q header is added. All other VLANs on the trunk are tagged. The native VLAN must match on both ends of a trunk link, or a VLAN mismatch error occurs and traffic is misdelivered.

  Trunk link between Switch A and Switch B:

  Frame from VLAN 10  →  tagged with 802.1Q tag (VLAN ID = 10)  →  received and decoded
  Frame from VLAN 20  →  tagged with 802.1Q tag (VLAN ID = 20)  →  received and decoded
  Frame from VLAN 99  →  sent UNTAGGED (native VLAN = 99)        →  accepted as native VLAN

  If Switch A native VLAN = 99 but Switch B native VLAN = 1:
  Untagged frames from Switch A land in VLAN 1 on Switch B
  → VLAN hopping / data in wrong domain → security and connectivity issue

Security note: Cisco recommends changing the native VLAN from the default VLAN 1 to an unused VLAN (e.g., VLAN 999) that carries no user traffic. This prevents double-tagging VLAN-hopping attacks.

4.5 Voice VLAN

A voice VLAN is a dedicated VLAN for VoIP (Voice over IP) traffic. IP phones require predictable low latency and jitter, so their traffic is separated from data traffic and marked with a higher QoS class (typically CoS 5 / DSCP EF). A switch access port configured with a voice VLAN effectively operates as two logical ports: one access port for data (for a PC daisy-chained through the phone) and one for voice.

  Access port serving both a PC and an IP phone:

  [PC] ─── [IP Phone] ─── [Switch port Fa0/1]
              │                    │
           data VLAN 10      voice VLAN 150

  Switch config:
  Switch(config-if)# switchport mode access
  Switch(config-if)# switchport access vlan 10
  Switch(config-if)# switchport voice vlan 150

See also: Voice VLAN – Full Guide | Voice VLAN Configuration Lab

5. Access Ports vs Trunk Ports

Switch ports operate in one of two primary modes regarding VLANs: access mode or trunk mode.

Feature by port type:

  VLAN membership: an access port belongs to exactly one VLAN (the access VLAN); a trunk port carries multiple VLANs simultaneously.
  Frame tagging: on an access port frames are untagged (no 802.1Q header added or expected); on a trunk port frames are tagged with the 802.1Q VLAN ID (except the native VLAN).
  Typical connection: access ports connect end devices (PCs, printers, IP phones, servers); trunk ports connect switch-to-switch and switch-to-router uplinks.
  Cisco IOS command: switchport mode access (access) / switchport mode trunk (trunk).
  VLAN assignment: switchport access vlan <id> (access) / switchport trunk allowed vlan <list> (trunk).

See also: Access vs Trunk Ports | Trunk Port Configuration Lab

6. How 802.1Q Frame Tagging Works

When a frame travels across a trunk link, the switch inserts a 4-byte 802.1Q tag into the Ethernet frame header — between the Source MAC address and the EtherType/Length field. This tag identifies which VLAN the frame belongs to so the receiving switch knows how to handle it.

802.1Q Tag Structure

  Standard Ethernet frame (untagged):
  ┌──────────────┬──────────────┬──────────┬──────────────────┬─────┐
  │  Dest MAC    │  Src MAC     │ EtherType│     Payload      │ FCS │
  │  (6 bytes)   │  (6 bytes)   │ (2 bytes)│  (46-1500 bytes) │(4B) │
  └──────────────┴──────────────┴──────────┴──────────────────┴─────┘

  802.1Q tagged frame (trunk link):
  ┌──────────────┬──────────────┬──────────┬──────────┬──────────────────┬─────┐
  │  Dest MAC    │  Src MAC     │  TPID    │  TCI     │     Payload      │ FCS │
  │  (6 bytes)   │  (6 bytes)   │ 0x8100   │ (2 bytes)│  (46-1500 bytes) │(4B) │
  └──────────────┴──────────────┴──────────┴──────────┴──────────────────┴─────┘
                                 ◄────────── 4-byte 802.1Q tag ──────────►

  TCI (Tag Control Information) breakdown — 16 bits total:
  ┌───────────────────┬────┬────────────────────────────────┐
  │  PCP (3 bits)     │ DEI│        VID (12 bits)           │
  │  Priority Code    │(1b)│   VLAN Identifier 0–4095       │
  │  CoS 0–7          │    │                                │
  └───────────────────┴────┴────────────────────────────────┘

  TPID  = Tag Protocol Identifier = 0x8100 (identifies this as an 802.1Q frame)
  PCP   = Priority Code Point (Class of Service / QoS — 0 lowest, 7 highest)
  DEI   = Drop Eligible Indicator (formerly CFI)
  VID   = VLAN ID (the 12-bit value identifying the VLAN: 0–4095)

Tagging Process — Step by Step

  1. PC in VLAN 10 sends an untagged Ethernet frame to its switch port (access port).
  2. Switch receives the frame on access port Fa0/1 (VLAN 10).
  3. Switch looks up destination MAC in the CAM table.
     - If destination is on another port in VLAN 10 (same switch): forward untagged.
     - If destination is on a trunk link: INSERT 802.1Q tag with VID = 10.
  4. Tagged frame travels across the trunk to the next switch (or router).
  5. Receiving switch reads the VID (10) → forwards out the correct access port → STRIPS
     the 802.1Q tag before delivering the untagged frame to the end device.

  End devices never see the 802.1Q tag — tagging/stripping is done by the switch.

MTU consideration: The 4-byte 802.1Q tag increases the Ethernet frame size from a maximum of 1518 bytes to 1522 bytes. Network interfaces must support "baby giant" frames, or MTU mismatches can cause fragmentation or dropped frames on trunk links.
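The tag layout and the tag/strip steps above, worked in Python as an added example (this is not code from the original page): the TPID, TCI packing, the insertion point after the two MAC addresses, and the 1518 to 1522 byte growth. The sample frame is constructed here and the FCS is left off, since the NIC computes it.

```python
import struct

TPID_8021Q = 0x8100        # EtherType value that announces an 802.1Q tag
MAC_HDR_LEN = 12           # Dest MAC (6) + Src MAC (6); the tag is inserted right after these
MAX_UNTAGGED_FRAME = 1518  # header + 1500-byte payload + FCS
MAX_TAGGED_FRAME = MAX_UNTAGGED_FRAME + 4   # the "baby giant" size trunk interfaces must accept


def vid_is_usable(vid):
    """VID 0 (priority-only tag) and 4095 (IEEE reserved) can never name a VLAN."""
    return 1 <= vid <= 4094


def build_tci(vid, pcp=0, dei=0):
    """Pack PCP (3 bits), DEI (1 bit) and VID (12 bits) into the 16-bit TCI."""
    if not (0 <= pcp <= 7 and dei in (0, 1) and vid_is_usable(vid)):
        raise ValueError("bad TCI fields: pcp=%r dei=%r vid=%r" % (pcp, dei, vid))
    return (pcp << 13) | (dei << 12) | vid


def parse_tci(tci):
    """Split a 16-bit TCI back into (pcp, dei, vid)."""
    return tci >> 13, (tci >> 12) & 1, tci & 0x0FFF


def is_tagged(frame):
    """True when the two bytes after the MAC addresses are the 802.1Q TPID."""
    if len(frame) < MAC_HDR_LEN + 2:
        return False
    return struct.unpack("!H", frame[MAC_HDR_LEN:MAC_HDR_LEN + 2])[0] == TPID_8021Q


def tag_frame(frame, vid, pcp=0):
    """Insert the 4-byte tag, as a switch does when forwarding an access-port frame onto a trunk."""
    if is_tagged(frame):
        raise ValueError("frame already carries an 802.1Q tag")
    tag = struct.pack("!HH", TPID_8021Q, build_tci(vid, pcp))
    return frame[:MAC_HDR_LEN] + tag + frame[MAC_HDR_LEN:]


def untag_frame(frame):
    """Strip the tag before delivery to an access port. Returns (vid, pcp, untagged_frame)."""
    if not is_tagged(frame):
        raise ValueError("frame is not 802.1Q tagged")
    tci = struct.unpack("!H", frame[MAC_HDR_LEN + 2:MAC_HDR_LEN + 4])[0]
    pcp, _dei, vid = parse_tci(tci)
    return vid, pcp, frame[:MAC_HDR_LEN] + frame[MAC_HDR_LEN + 4:]


def make_frame(dst, src, ethertype, payload):
    """Constructed untagged Ethernet frame (FCS left off; the NIC computes it)."""
    return dst + src + struct.pack("!H", ethertype) + payload


# Constructed sample: a minimum-size broadcast from a PC on an access port in VLAN 10
PC_FRAME = make_frame(b"\xff" * 6, b"\x00\x11\x22\x33\x44\x55", 0x0800, b"\x00" * 46)


def trunk_round_trip(vid=10, pcp=5):
    """Steps 3-5 of the tagging process: tag for the trunk, then strip on the far side.
    Returns (bytes added, vid read back, pcp read back, frame restored unchanged)."""
    on_trunk = tag_frame(PC_FRAME, vid, pcp)
    got_vid, got_pcp, delivered = untag_frame(on_trunk)
    return len(on_trunk) - len(PC_FRAME), got_vid, got_pcp, delivered == PC_FRAME
```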

See full detail: VLAN Tagging & 802.1Q

7. VLAN Membership — How Ports Are Assigned

A port can be assigned to a VLAN in two ways: statically (by an administrator) or dynamically (by a VMPS or 802.1X policy server). Static assignment is overwhelmingly the most common method in production.

Static VLAN Assignment

The administrator manually assigns each switch port to a VLAN. This is straightforward and predictable — the VLAN membership of a port does not change unless an administrator explicitly changes it.

  Assign ports to VLANs on a Cisco switch:

  ! First, create the VLAN
  Switch(config)# vlan 10
  Switch(config-vlan)# name Finance
  Switch(config-vlan)# exit

  Switch(config)# vlan 20
  Switch(config-vlan)# name HR
  Switch(config-vlan)# exit

  ! Then assign ports
  Switch(config)# interface fastEthernet 0/1
  Switch(config-if)# switchport mode access
  Switch(config-if)# switchport access vlan 10   ! Finance

  Switch(config)# interface fastEthernet 0/2
  Switch(config-if)# switchport mode access
  Switch(config-if)# switchport access vlan 20   ! HR

  ! Verify
  Switch# show vlan brief

Dynamic VLAN Assignment

Dynamic assignment uses a VLAN Membership Policy Server (VMPS) or 802.1X authentication to assign a VLAN based on device identity (MAC address) or user credentials at login time. This is more complex to implement but allows consistent VLAN membership for a user regardless of which physical port they connect to.

See: 802.1X Port Authentication

8. VLANs Across Multiple Switches — Trunking

VLANs are not limited to a single physical switch. In a campus network, the same VLAN (e.g., VLAN 10 — Finance) can span multiple switches. The switches carry multiple VLANs over shared trunk links using 802.1Q tagging. This allows users in the same VLAN to be distributed across different floors or buildings while remaining in the same broadcast domain.

  Two switches connected by a trunk link, sharing VLANs 10, 20, and 99:

  Switch A                                        Switch B
  ┌─────────────────────┐   Trunk (802.1Q)   ┌─────────────────────┐
  │ Fa0/1 → VLAN 10     │───────────────────►│ Fa0/1 → VLAN 10     │
  │ Fa0/2 → VLAN 20     │  VLANs 10,20,99   │ Fa0/2 → VLAN 20     │
  │ Fa0/24 (trunk)     ─┼───────────────────►│ Fa0/24 (trunk)      │
  └─────────────────────┘                    └─────────────────────┘

  A broadcast from a VLAN 10 device on Switch A is forwarded across
  the trunk and received by all VLAN 10 ports on Switch B — but NOT
  by VLAN 20 ports on Switch B.

Allowed VLANs on a trunk: By default, a Cisco trunk allows all VLANs (1–4094). It is best practice to restrict the allowed VLANs to only those that are actually needed on that link, reducing unnecessary traffic. Use: switchport trunk allowed vlan <list>
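A small forwarding model of the two-switch topology above, written as an added example (not code from the original page). It floods a broadcast the way sections 2, 4.4 and 8 describe: only same-VLAN access ports receive it, the trunk carries it tagged unless it is the native VLAN, a VLAN pruned from the allowed list never crosses the trunk, and a native VLAN mismatch drops untagged frames into the far switch's native VLAN. Port names and VLAN numbers follow the diagram; the extra Fa0/3 ports are assumed.

```python
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    mode: str                 # "access" or "trunk"
    access_vlan: int = 1      # access mode: the one VLAN the port belongs to
    native_vlan: int = 1      # trunk mode: the VLAN sent and received untagged (Cisco default 1)
    allowed: set = field(default_factory=lambda: set(range(1, 4095)))  # trunk default: all VLANs
    link: tuple = None        # trunk mode: (far_switch, far_port_name) on the other end


class Switch:
    def __init__(self, name, ports):
        self.name = name
        self.ports = {p.name: p for p in ports}

    def ingress_vlan(self, port, tag_vid):
        """Classify a received frame. tag_vid is None for an untagged frame."""
        if port.mode == "access":
            return port.access_vlan                 # access ports carry exactly one VLAN
        vid = port.native_vlan if tag_vid is None else tag_vid   # untagged on a trunk = native
        return vid if vid in port.allowed else None  # VLANs pruned from the trunk are dropped

    def flood(self, in_port_name, tag_vid=None, visited=None):
        """Flood a broadcast that arrived on in_port; return the {(switch, port)} set of
        access ports that deliver it to an end device."""
        visited = set() if visited is None else visited
        vid = self.ingress_vlan(self.ports[in_port_name], tag_vid)
        if vid is None or (self.name, vid) in visited:
            return set()
        visited.add((self.name, vid))               # loop guard (STP's job on real hardware)
        delivered = set()
        for p in self.ports.values():
            if p.name == in_port_name:
                continue                            # never send a frame back out its ingress port
            if p.mode == "access" and p.access_vlan == vid:
                delivered.add((self.name, p.name))
            elif p.mode == "trunk" and vid in p.allowed:
                egress_tag = None if vid == p.native_vlan else vid   # native VLAN leaves untagged
                far_switch, far_port = p.link
                delivered |= far_switch.flood(far_port, egress_tag, visited)
        return delivered


def build_lab(native_a=99, native_b=99, allowed=None):
    """Constructed two-switch topology: Fa0/1 in VLAN 10, Fa0/2 in VLAN 20, Fa0/24 trunk.
    Assumed extras: Fa0/3 on A is a VLAN 99 host; Fa0/3 on B was left in the default VLAN 1."""
    allowed = set(range(1, 4095)) if allowed is None else set(allowed)
    sw_a = Switch("A", [Port("Fa0/1", "access", access_vlan=10),
                        Port("Fa0/2", "access", access_vlan=20),
                        Port("Fa0/3", "access", access_vlan=99),
                        Port("Fa0/24", "trunk", native_vlan=native_a, allowed=allowed)])
    sw_b = Switch("B", [Port("Fa0/1", "access", access_vlan=10),
                        Port("Fa0/2", "access", access_vlan=20),
                        Port("Fa0/3", "access", access_vlan=1),
                        Port("Fa0/24", "trunk", native_vlan=native_b, allowed=set(allowed))])
    sw_a.ports["Fa0/24"].link = (sw_b, "Fa0/24")
    sw_b.ports["Fa0/24"].link = (sw_a, "Fa0/24")
    return sw_a, sw_b
```

With matching native VLANs a VLAN 10 broadcast from Switch A reaches only Switch B's Fa0/1; with Switch B left at native VLAN 1, a VLAN 99 broadcast from A is delivered to B's VLAN 1 port, which is the misdelivery the native VLAN section warns about.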

See also: Access vs Trunk Ports | show vlan Command | Trunk Port Configuration Lab

9. Inter-VLAN Routing — Getting Traffic Between VLANs

Devices in different VLANs cannot communicate at Layer 2. To allow traffic to flow between VLANs, a Layer 3 device is required. There are three main approaches:

Methods, with pros and cons:

  Legacy (router with separate physical interfaces): One physical router interface per VLAN. Each interface connects to a separate switch port configured as an access port for that VLAN. Simple but does not scale, since it requires one physical interface per VLAN.
  Router-on-a-Stick (ROAS): A single physical router interface is divided into logical sub-interfaces, one per VLAN. The router connects via a trunk port. Each sub-interface has an IP address serving as the default gateway for its VLAN. Scales to many VLANs on one physical link; the single uplink can become a bottleneck under heavy load.
  Layer 3 switch (SVI-based routing): A multilayer switch creates a Switch Virtual Interface (SVI) per VLAN with an IP address. Routing occurs in hardware at wire speed. No external router required for inter-VLAN traffic. Best performance and scalability for campus networks; higher cost than a Layer 2 switch.

See full guides: Inter-VLAN Routing Overview | Router-on-a-Stick / Inter-VLAN | Layer 3 Switch Routing Lab | ROAS Lab | L3 Switch Inter-VLAN Lab

10. VLAN Summary — Key Facts to Remember

Topic and key fact:

  Default VLAN: VLAN 1 — all ports assigned by default; cannot be deleted or renamed
  Normal range VLANs: 1–1001 — stored in vlan.dat on flash
  Extended range VLANs: 1006–4094 — stored in running-config; requires VTP transparent/off
  Native VLAN: VLAN 1 by default; untagged on 802.1Q trunk; must match on both ends
  Management VLAN: VLAN assigned an SVI IP for switch administration; should not be VLAN 1
  Voice VLAN: Dedicated VLAN for VoIP; tagged at CoS 5 / DSCP EF for QoS priority
  802.1Q tag size: 4 bytes inserted between Src MAC and EtherType fields
  VLAN ID field: 12 bits → values 0–4095 (0 and 4095 reserved)
  Access port: Belongs to one VLAN; frames are untagged; connects end devices
  Trunk port: Carries multiple VLANs; frames tagged with 802.1Q; connects switches/routers
  Inter-VLAN routing: Requires a Layer 3 device (router or L3 switch); VLANs cannot route at L2
  vlan.dat: VLAN database file stored in flash; persists across reboots independently of running-config

11. VLAN Concepts Quiz

1. What is the primary purpose of a VLAN?

Correct answer is B. VLANs create logical broadcast domain boundaries within a switch or switch fabric. Without VLANs, every device on the switch shares one broadcast domain. VLANs have no effect on port speed and do not replace IP addressing — inter-VLAN communication still requires Layer 3 routing.

2. Which VLAN ID is the default VLAN on a Cisco switch, and what is a key characteristic of it?

Correct answer is C. VLAN 1 is the factory default VLAN on every Cisco switch. All ports belong to VLAN 1 out of the box. It cannot be deleted or renamed. It is also the default native VLAN on trunk ports. Best practice is to avoid using VLAN 1 for user or management traffic in production.

3. How many bytes does an 802.1Q VLAN tag add to an Ethernet frame, and where is it inserted?

Correct answer is A. The 802.1Q tag is exactly 4 bytes (32 bits) and is inserted between the Source MAC address and the EtherType/Length field. It consists of a 2-byte TPID (0x8100) and a 2-byte TCI containing the 3-bit PCP, 1-bit DEI, and 12-bit VLAN ID. This increases the maximum Ethernet frame size from 1518 to 1522 bytes.

4. What is the native VLAN on an 802.1Q trunk, and what is the security risk if it is left as VLAN 1?

Correct answer is D. The native VLAN is the one VLAN whose frames travel across a trunk without an 802.1Q tag. The native VLAN defaults to VLAN 1 on Cisco switches. An attacker on an access port in VLAN 1 can craft a double-tagged frame: the first tag (VLAN 1) is stripped by the first switch (native VLAN), and the second tag (target VLAN) carries the frame across the trunk into a different VLAN. Best practice: change the native VLAN to an unused VLAN (e.g., VLAN 999).

5. A network administrator needs to allow management access to a switch via SSH. Which interface should be assigned an IP address for this purpose?

Correct answer is B. A Layer 2 Cisco switch does not have routed physical interfaces. To allow IP-based management (SSH, Telnet, SNMP), the administrator assigns an IP address to the SVI (Switch Virtual Interface) of the management VLAN using interface vlan <id> followed by ip address. A default gateway must also be set for remote management from a different subnet.

6. What is the extended VLAN range on Cisco switches, and what VTP mode is required to use it?

Correct answer is C. The extended VLAN range on Cisco switches is 1006–4094. VTP (VLAN Trunking Protocol) in server or client mode does not propagate extended-range VLANs — the switch must be in VTP transparent mode or VTP must be disabled (off). Extended-range VLANs are stored in the running configuration rather than in the vlan.dat file on flash.

7. What happens when two switches are connected via a trunk link and their native VLANs do not match?

Correct answer is A. When native VLANs mismatch on a trunk, untagged frames from Switch A (native VLAN X) arrive at Switch B and are placed into Switch B's native VLAN Y — a different VLAN. This causes traffic to appear in the wrong VLAN. Cisco switches generate a CDP "Native VLAN mismatch" syslog message. Tagged traffic for other VLANs is unaffected. The native VLAN must be manually configured to match on both ends of every trunk.

8. An IP phone and a PC are connected to the same switch port. The switch port is configured with access VLAN 10 and voice VLAN 150. How does the switch handle frames from the IP phone vs the PC?

Correct answer is D. With a voice VLAN configured, the IP phone tags its own voice frames with the voice VLAN ID (150) and sets a CoS value of 5 for QoS priority. The PC (daisy-chained through the phone's built-in switch) sends untagged frames, which the switch places into the access VLAN (10). The switch port effectively handles two VLANs simultaneously on one physical port — data (untagged, VLAN 10) and voice (tagged, VLAN 150).

9. Which of the following commands verifies VLAN assignment and port membership on a Cisco switch?

Correct answer is B. show vlan brief displays all VLANs configured on the switch, their names, status, and the access ports assigned to each VLAN. Note: trunk ports do NOT appear in the port list of show vlan brief because they carry multiple VLANs rather than belonging to one. Use show interfaces trunk to verify trunk ports and their allowed VLANs. See: show vlan Command

10. A PC in VLAN 10 on Switch A needs to communicate with a server in VLAN 20 on the same Switch A. What is required, and why?

Correct answer is C. VLANs are Layer 2 broadcast domain boundaries. A frame originating in VLAN 10 cannot be forwarded by the switch to a port in VLAN 20 — the switch simply drops it at Layer 2. To enable communication between VLANs, a Layer 3 routing decision must be made. This can be done by a router (router-on-a-stick) or a Layer 3 switch with SVIs. Both the PC and server need IP addresses in their respective VLAN subnets and must point to the inter-VLAN routing device as their default gateway. See: Inter-VLAN Routing
