VLANs – Concepts & Overview

1. What Is a VLAN and Why Does It Matter?

A Virtual Local Area Network (VLAN) is a logical grouping of devices on one or more switches, treated as if they were on their own isolated physical network — regardless of their physical location. Without VLANs, every device connected to the same switch fabric shares a single broadcast domain: one broadcast from any device reaches every other device, wasting bandwidth, exposing traffic to unintended recipients, and making the network harder to manage.

VLANs solve this by partitioning a switch (or group of switches) into multiple virtual broadcast domains at Layer 2. Traffic cannot cross a VLAN boundary without passing through a Layer 3 device — a router or a Layer 3 switch performing inter-VLAN routing.

Benefit How VLANs Provide It
Reduced broadcast traffic Each VLAN is its own broadcast domain. Broadcasts stay within the VLAN and are never forwarded to other VLANs
Security isolation Devices in different VLANs cannot communicate directly at Layer 2. ACLs on routers/L3 switches control what inter-VLAN traffic is permitted
Logical grouping by function Users from the same department (e.g., Finance) can be in the same VLAN even if they are on different floors or buildings
Simplified management Adding, moving, or changing a user's VLAN is a software configuration change — no physical rewiring required
Better performance Smaller broadcast domains mean less unnecessary traffic, freeing bandwidth for real data
Flexible design VLANs can span multiple switches using trunk links, enabling campus-wide logical segmentation over a shared physical infrastructure

Related pages: VLAN Tagging & 802.1Q | show vlan | Inter-VLAN Routing | Voice VLAN | MAC Address Table | Spanning Tree Protocol | VLAN Creation & Management Lab | Trunk Port Configuration Lab

2. Broadcast Domains — With and Without VLANs

Understanding what a broadcast domain is — and how VLANs change its scope — is fundamental to CCNA and to real-world network design.

Without VLANs — One Large Broadcast Domain

Physical topology: 4 departments, all connected to the same switch
[PC-Finance-1] --+
[PC-Finance-2] --+
[PC-HR-1]      --+-- [Switch] -- [Router] -- Internet
[PC-HR-2]      --+
[PC-IT-1]      --+
[PC-Sales-1]   --+
A broadcast from PC-Finance-1 reaches EVERY other device on the switch.
One broadcast domain = entire switch.
Result: unnecessary traffic, security exposure, difficult troubleshooting.

With VLANs — Multiple Logical Broadcast Domains

Same physical switch, now divided into 3 VLANs:VLAN 10 (Finance): [PC-Finance-1] [PC-Finance-2]VLAN 20 (HR): [PC-HR-1] [PC-HR-2]VLAN 30 (IT): [PC-IT-1]A broadcast from PC-Finance-1 stays within VLAN 10.PC-HR-1 and PC-IT-1 never see it.To communicate across VLANs, traffic must be routed:VLAN 10 <--[Layer 3 device]--> VLAN 20 (inter-VLAN routing)
Key rule: Routers separate broadcast domains at Layer 3. Switches (without VLANs) forward broadcasts to all ports — they do NOT separate broadcast domains. VLANs create logical broadcast domain boundaries within a switch (or switch fabric).

3. VLAN IDs — Ranges and Significance

Every VLAN is identified by a VLAN ID (VID), a 12-bit number carried in the 802.1Q tag. This gives a theoretical range of 0–4095, though not all values are available for use.

VLAN ID Range Name Description
0 Reserved Used to indicate that the 802.1Q tag carries only a priority value (CoS) and no VLAN membership. Not configurable.
1 Default VLAN Factory default VLAN on Cisco switches. All ports belong to VLAN 1 out of the box. Cannot be deleted or renamed.
2 – 1001 Normal Range VLANs Standard user-configurable VLANs. Stored in flash in the vlan.dat file. Supported by VTP (VLAN Trunking Protocol).
1002 – 1005 Legacy Reserved Reserved for Token Ring and FDDI. Present by default on Cisco switches; cannot be deleted.
1006 – 4094 Extended Range VLANs Available for large-scale environments (service providers, data centres). Stored in the running configuration, not vlan.dat. VTP must be in transparent or off mode to use them.
4095 Reserved Reserved by the IEEE 802.1Q standard. Not configurable.
CCNA exam tip: Remember the normal range is 1–1001 and the extended range is 1006–4094. VLANs 1002–1005 exist by default and cannot be removed — they account for legacy media types that are no longer used in modern networks.

4. Types of VLANs — Default, Data, Management, Native, Voice

Cisco documentation defines several named VLAN types based on their purpose. These are roles assigned to VLANs — not mutually exclusive technical categories. Any VLAN ID can be assigned any of these roles (with important exceptions for VLAN 1).

4.1 Default VLAN — VLAN 1

VLAN 1 is the default VLAN on all Cisco switches. Every port is assigned to VLAN 1 when the switch ships from the factory. VLAN 1 is also the default native VLAN and default management VLAN unless explicitly changed.

Security best practice: VLAN 1 should not carry user data in production networks. Because all ports default to VLAN 1, an attacker who plugs an unauthorised device into any unconfigured port immediately has Layer 2 access to the same broadcast domain as management traffic. Best practice is to move management to a dedicated VLAN and assign all unused ports to an isolated "parking lot" VLAN.

4.2 Data VLAN (User VLAN)

A data VLAN carries standard user-generated traffic — file sharing, web browsing, email, and so on. Each department or logical group is typically assigned its own data VLAN to achieve broadcast isolation and security segmentation.

Typical data VLAN assignment:VLAN 10 -- Finance departmentVLAN 20 -- Human ResourcesVLAN 30 -- Engineering / ITVLAN 40 -- SalesVLAN 50 -- Guest Wi-Fi

4.3 Management VLAN

The management VLAN is the VLAN through which network administrators access and manage switches — via SSH, Telnet, SNMP, or a web GUI. An IP address is assigned to the switch's SVI (Switch Virtual Interface) for the management VLAN, which is the only Layer 3 interface a Layer 2 switch has by default. 

  Configuring the management VLAN SVI on a Cisco switch:

  Switch(config)# vlan 99
  Switch(config-vlan)# name Management
  Switch(config-vlan)# exit
  Switch(config)# interface vlan 99
  Switch(config-if)# ip address 192.168.99.10 255.255.255.0
  Switch(config-if)# no shutdown
  Switch(config)# ip default-gateway 192.168.99.1
Best practice: Use a dedicated VLAN (not VLAN 1) for management. This restricts administrative access to authorised ports and subnets, and reduces the attack surface if user-facing ports are compromised.

4.4 Native VLAN

The native VLAN is special to trunk links. On an 802.1Q trunk, frames belonging to the native VLAN are sent untagged — no 802.1Q header is added. All other VLANs on the trunk are tagged. The native VLAN must match on both ends of a trunk link, or a VLAN mismatch error occurs and traffic is misdelivered.

Trunk link between Switch A and Switch B:Frame from VLAN 10 → tagged with 802.1Q tag (VLAN ID = 10) → received and de…Frame from VLAN 20 → tagged with 802.1Q tag (VLAN ID = 20) → received and de…Frame from VLAN 99 → sent UNTAGGED (native VLAN = 99) → accepted as na…If Switch A native VLAN = 99 but Switch B native VLAN = 1:Untagged frames from Switch A land in VLAN 1 on Switch B→ VLAN hopping / data in wrong domain → security and connectivity issue
Security note: Cisco recommends changing the native VLAN from the default VLAN 1 to an unused VLAN (e.g., VLAN 999) that carries no user traffic. This prevents double-tagging VLAN-hopping attacks.

4.5 Voice VLAN

A voice VLAN is a dedicated VLAN for VoIP (Voice over IP) traffic. IP phones require predictable low latency and jitter, so their traffic is separated from data traffic and marked with a higher QoS class (typically CoS 5 / DSCP EF). A switch access port configured with a voice VLAN effectively operates as two logical ports: one access port for data (for a PC daisy-chained through the phone) and one for voice. 

  Access port serving both a PC and an IP phone:

  [PC] ─── [IP Phone] ─── [Switch port Fa0/1]
              │                    │
           data VLAN 10      voice VLAN 150

  Switch config:
  Switch(config-if)# switchport mode access
  Switch(config-if)# switchport access vlan 10
  Switch(config-if)# switchport voice vlan 150

See also: Voice VLAN – Full Guide | Voice VLAN Configuration Lab

5. Access Ports vs Trunk Ports

Switch ports operate in one of two primary modes regarding VLANs: access mode or trunk mode.

Feature Access Port Trunk Port
VLAN membership Belongs to exactly one VLAN (the access VLAN) Carries multiple VLANs simultaneously
Frame tagging Frames are untagged — no 802.1Q header added/expected Frames are tagged with 802.1Q VLAN ID (except native VLAN)
Typical connection End devices: PCs, printers, IP phones, servers Switch-to-switch, switch-to-router uplinks
Cisco IOS command switchport mode access switchport mode trunk
VLAN assignment switchport access vlan <id> switchport trunk allowed vlan <list>

See also: Access vs Trunk Ports | Trunk Port Configuration Lab

6. How 802.1Q Frame Tagging Works

When a frame travels across a trunk link, the switch inserts a 4-byte 802.1Q tag into the Ethernet frame header — between the Source MAC address and the EtherType/Length field. This tag identifies which VLAN the frame belongs to so the receiving switch knows how to handle it.

802.1Q Tag Structure

Standard Ethernet frame (untagged):
Dest MAC      Src MAC      EtherType     Payload       FCS
(6 bytes)     (6 bytes)    (2 bytes)  (46-1500 bytes) (4B)
802.1Q tagged frame (trunk link):
Dest MAC      Src MAC       TPID      TCI          Payload       FCS
(6 bytes)     (6 bytes)    0x8100    (2 bytes)  (46-1500 bytes) (4B)
◄ 4-byte 802.1Q tag ►
TCI (Tag Control Information) breakdown — 16 bits total:
PCP (3 bits)      DEI        VID (12 bits)
Priority Code    (1b)   VLAN Identifier 0–4095
CoS 0–7
TPID  = Tag Protocol Identifier = 0x8100 (identifies this as an 802.1Q frame)
PCP   = Priority Code Point (Class of Service / QoS — 0 lowest, 7 highest)
DEI   = Drop Eligible Indicator (formerly CFI)
VID   = VLAN ID (the 12-bit value identifying the VLAN: 0–4095)

Tagging Process — Step by Step

1. PC in VLAN 10 sends an untagged Ethernet frame to its switch port (access por…2. Switch receives the frame on access port Fa0/1 (VLAN 10).3. Switch looks up destination MAC in the CAM table.- If destination is on another port in VLAN 10 (same switch): forward untagged.- If destination is on a trunk link: INSERT 802.1Q tag with VID = 10.4. Tagged frame travels across the trunk to the next switch (or router).5. Receiving switch reads the VID (10) → forwards out the correct access port → …the 802.1Q tag before delivering the untagged frame to the end device.End devices never see the 802.1Q tag — tagging/stripping is done by the switch.
MTU consideration: The 4-byte 802.1Q tag increases the Ethernet frame size from a maximum of 1518 bytes to 1522 bytes. Network interfaces must support "baby giant" frames, or MTU mismatches can cause fragmentation or dropped frames on trunk links.

See full detail: VLAN Tagging & 802.1Q

7. VLAN Membership — How Ports Are Assigned

A port can be assigned to a VLAN in two ways: statically (by an administrator) or dynamically (by a VMPS or 802.1X policy server). Static assignment is overwhelmingly the most common method in production.

Static VLAN Assignment

The administrator manually assigns each switch port to a VLAN. This is straightforward and predictable — the VLAN membership of a port does not change unless an administrator explicitly changes it. 

  Assign ports to VLANs on a Cisco switch:

  ! First, create the VLAN
  Switch(config)# vlan 10
  Switch(config-vlan)# name Finance
  Switch(config-vlan)# exit

  Switch(config)# vlan 20
  Switch(config-vlan)# name HR
  Switch(config-vlan)# exit

  ! Then assign ports
  Switch(config)# interface fastEthernet 0/1
  Switch(config-if)# switchport mode access
  Switch(config-if)# switchport access vlan 10   ! Finance

  Switch(config)# interface fastEthernet 0/2
  Switch(config-if)# switchport mode access
  Switch(config-if)# switchport access vlan 20   ! HR

  ! Verify
  Switch# show vlan brief

Dynamic VLAN Assignment

Dynamic assignment uses a VLAN Membership Policy Server (VMPS) or 802.1X authentication to assign a VLAN based on device identity (MAC address) or user credentials at login time. This is more complex to implement but allows consistent VLAN membership for a user regardless of which physical port they connect to.

See: 802.1X Port Authentication

8. VLANs Across Multiple Switches — Trunking

VLANs are not limited to a single physical switch. In a campus network, the same VLAN (e.g., VLAN 10 — Finance) can span multiple switches. The switches carry multiple VLANs over shared trunk links using 802.1Q tagging. This allows users in the same VLAN to be distributed across different floors or buildings while remaining in the same broadcast domain.

Two switches connected by a trunk link, sharing VLANs 10, 20, and 99:
Switch A                                        Switch B
┌─────────────────────┐   Trunk (802.1Q)   ┌─────────────────────┐
│ Fa0/1 → VLAN 10     │───────────────────►│ Fa0/1 → VLAN 10     │
│ Fa0/2 → VLAN 20     │  VLANs 10,20,99   │ Fa0/2 → VLAN 20     │
│ Fa0/24 (trunk)     ─┼───────────────────►│ Fa0/24 (trunk)      │
└─────────────────────┘                    └─────────────────────┘
A broadcast from a VLAN 10 device on Switch A is forwarded across
the trunk and received by all VLAN 10 ports on Switch B — but NOT
by VLAN 20 ports on Switch B.
Allowed VLANs on a trunk: By default, a Cisco trunk allows all VLANs (1–4094). It is best practice to restrict the allowed VLANs to only those that are actually needed on that link, reducing unnecessary traffic. Use: switchport trunk allowed vlan <list>

See also: Access vs Trunk Ports | show vlan Command | Trunk Port Configuration Lab

9. Inter-VLAN Routing — Getting Traffic Between VLANs

Devices in different VLANs cannot communicate at Layer 2. To allow traffic to flow between VLANs, a Layer 3 device is required. There are three main approaches:

Method Description Pros / Cons
Legacy: Router with separate physical interfaces One physical router interface per VLAN. Each interface connects to a separate switch port configured as an access port for that VLAN. Simple but does not scale — requires one physical interface per VLAN
Router-on-a-Stick (ROAS) A single physical router interface is divided into logical sub-interfaces, one per VLAN. The router connects via a trunk port. Each sub-interface has an IP address serving as the default gateway for its VLAN. Scales to many VLANs on one physical link; the single uplink can become a bottleneck under heavy load
Layer 3 Switch (SVI-based routing) A multilayer switch creates a Switch Virtual Interface (SVI) per VLAN with an IP address. Routing occurs in hardware at wire speed. No external router required for inter-VLAN traffic. Best performance and scalability for campus networks; higher cost than a Layer 2 switch

See full guides: Inter-VLAN Routing Overview | Router-on-a-Stick / Inter-VLAN | Layer 3 Switch Routing Lab | ROAS Lab | L3 Switch Inter-VLAN Lab

10. VLAN Summary — Key Facts to Remember

Topic Key Fact
Default VLAN VLAN 1 — all ports assigned by default; cannot be deleted or renamed
Normal range VLANs 1–1001 — stored in vlan.dat on flash
Extended range VLANs 1006–4094 — stored in running-config; requires VTP transparent/off
Native VLAN VLAN 1 by default; untagged on 802.1Q trunk; must match on both ends
Management VLAN VLAN assigned an SVI IP for switch administration; should not be VLAN 1
Voice VLAN Dedicated VLAN for VoIP; tagged at CoS 5 / DSCP EF for QoS priority
802.1Q tag size 4 bytes inserted between Src MAC and EtherType fields
VLAN ID field 12 bits → values 0–4095 (0 and 4095 reserved)
Access port Belongs to one VLAN; frames are untagged; connects end devices
Trunk port Carries multiple VLANs; frames tagged with 802.1Q; connects switches/routers
Inter-VLAN routing Requires a Layer 3 device (router or L3 switch); VLANs cannot route at L2
vlan.dat VLAN database file stored in flash; persists across reboots independently of running-config

11. VLAN Concepts Quiz

What is the primary purpose of a VLAN?

Correct answer is B. VLANs create logical broadcast domain boundaries within a switch or switch fabric. Without VLANs, every device on the switch shares one broadcast domain. VLANs have no effect on port speed and do not replace IP addressing — inter-VLAN communication still requires Layer 3 routing.

Which VLAN ID is the default VLAN on a Cisco switch, and what is a key characteristic of it?

Correct answer is C. VLAN 1 is the factory default VLAN on every Cisco switch. All ports belong to VLAN 1 out of the box. It cannot be deleted or renamed. It is also the default native VLAN on trunk ports. Best practice is to avoid using VLAN 1 for user or management traffic in production.

How many bytes does an 802.1Q VLAN tag add to an Ethernet frame, and where is it inserted?

Correct answer is A. The 802.1Q tag is exactly 4 bytes (32 bits) and is inserted between the Source MAC address and the EtherType/Length field. It consists of a 2-byte TPID (0x8100) and a 2-byte TCI containing the 3-bit PCP, 1-bit DEI, and 12-bit VLAN ID. This increases the maximum Ethernet frame size from 1518 to 1522 bytes.

What is the native VLAN on an 802.1Q trunk, and what is the security risk if it is left as VLAN 1?

Correct answer is D. The native VLAN is the one VLAN whose frames travel across a trunk without an 802.1Q tag. The native VLAN defaults to VLAN 1 on Cisco switches. An attacker on an access port in VLAN 1 can craft a double-tagged frame: the first tag (VLAN 1) is stripped by the first switch (native VLAN), and the second tag (target VLAN) carries the frame across the trunk into a different VLAN. Best practice: change the native VLAN to an unused VLAN (e.g., VLAN 999).

A network administrator needs to allow management access to a switch via SSH. Which interface should be assigned an IP address for this purpose?

Correct answer is B. A Layer 2 Cisco switch does not have routed physical interfaces. To allow IP-based management (SSH, Telnet, SNMP), the administrator assigns an IP address to the SVI (Switch Virtual Interface) of the management VLAN using interface vlan <id> followed by ip address. A default gateway must also be set for remote management from a different subnet.

What is the extended VLAN range on Cisco switches, and what VTP mode is required to use it?

Correct answer is C. The extended VLAN range on Cisco switches is 1006–4094. VTP (VLAN Trunking Protocol) in server or client mode does not propagate extended-range VLANs — the switch must be in VTP transparent mode or VTP must be disabled (off). Extended-range VLANs are stored in the running configuration rather than in the vlan.dat file on flash.

What happens when two switches are connected via a trunk link and their native VLANs do not match?

Correct answer is A. When native VLANs mismatch on a trunk, untagged frames from Switch A (native VLAN X) arrive at Switch B and are placed into Switch B's native VLAN Y — a different VLAN. This causes traffic to appear in the wrong VLAN. Cisco switches generate a CDP "Native VLAN mismatch" syslog message. Tagged traffic for other VLANs is unaffected. The native VLAN must be manually configured to match on both ends of every trunk.

An IP phone and a PC are connected to the same switch port. The switch port is configured with access VLAN 10 and voice VLAN 150. How does the switch handle frames from the IP phone vs the PC?

Correct answer is D. With a voice VLAN configured, the IP phone tags its own voice frames with the voice VLAN ID (150) and sets a CoS value of 5 for QoS priority. The PC (daisy-chained through the phone's built-in switch) sends untagged frames, which the switch places into the access VLAN (10). The switch port effectively handles two VLANs simultaneously on one physical port — data (untagged, VLAN 10) and voice (tagged, VLAN 150).

Which of the following commands verifies VLAN assignment and port membership on a Cisco switch?

Correct answer is B. show vlan brief displays all VLANs configured on the switch, their names, status, and the access ports assigned to each VLAN. Note: trunk ports do NOT appear in the port list of show vlan brief because they carry multiple VLANs rather than belonging to one. Use show interfaces trunk to verify trunk ports and their allowed VLANs. See: show vlan Command

A PC in VLAN 10 on Switch A needs to communicate with a server in VLAN 20 on the same Switch A. What is required, and why?

Correct answer is C. VLANs are Layer 2 broadcast domain boundaries. A frame originating in VLAN 10 cannot be forwarded by the switch to a port in VLAN 20 — the switch simply drops it at Layer 2. To enable communication between VLANs, a Layer 3 routing decision must be made. This can be done by a router (router-on-a-stick) or a Layer 3 switch with SVIs. Both the PC and server need IP addresses in their respective VLAN subnets and must point to the inter-VLAN routing device as their default gateway. See: Inter-VLAN Routing

Related Topics & Step-by-Step Tutorials

Continue your VLAN and switching studies:

Back to Home