VLAN Technology
What is VLAN
A VLAN (Virtual Local Area Network) is a logical way to divide one physical network into multiple smaller and secure networks without using separate switches or cables. It allows network administrators to group devices based on function, department, or security needs instead of their physical location. For example, computers in the Accounts department can be placed in one VLAN and computers in the IT department in another VLAN, even if they are connected to the same switch. VLANs reduce unnecessary broadcast traffic, improve network performance, and increase security by isolating sensitive data from other users. In short, VLAN helps create organized, efficient, and secure networks within a single physical infrastructure.
Types of VLANs
Default VLAN – This is the VLAN that all switch ports belong to when a switch is first installed (usually VLAN 1). It is used for basic network communication before any custom VLANs are created.
Data VLAN (User VLAN) – This VLAN carries normal user data traffic such as computers, laptops, and printers. It separates user traffic from other types of traffic for better performance and security.
Management VLAN – This VLAN is used to manage network devices like switches and routers (for SSH, Telnet, SNMP, web management, etc.). Keeping management traffic in a separate VLAN improves network security.
Voice VLAN – This VLAN is specially created for IP phones. It gives priority to voice traffic to ensure good call quality and avoid delay or jitter.
Native VLAN – This VLAN is used on trunk ports to carry untagged traffic between switches. It is mainly used for compatibility with older devices.
Private VLAN (PVLAN) – This VLAN provides extra security by isolating devices within the same VLAN so they cannot communicate directly with each other, only with a central server or gateway.
Guest VLAN – This VLAN is used for visitors or guest users, keeping them separate from the internal company network for security reasons.
In summary, VLAN types are created to separate traffic based on purpose—such as user data, voice calls, management access, and security—making the network more organized, efficient, and safe.
VLAN Range
The VLAN range defines the VLAN ID numbers that can be created on a switch. VLAN IDs are 12-bit numbers; the values 0 and 4095 are reserved, so usable IDs range from 1 to 4094. This range is divided into two main categories:
Normal Range VLANs (1–1005)
These VLANs are commonly used in most networks and are stored in the switch’s VLAN database. VLAN 1 is the default VLAN and is used for management and control traffic by default. VLANs from 2 to 1005 can be created for different departments such as HR, IT, Finance, or Servers.
Extended Range VLANs (1006–4094)
These VLANs are mainly used in large or service-provider networks where many VLANs are required. They are stored in the running configuration instead of the VLAN database and are usually supported on newer switches.
In short, the valid VLAN ID range is 1 to 4094, with 1–1005 for normal use and 1006–4094 for extended use.
VLAN Range
| Range | Description |
|---|---|
| VLAN 0-4095 | The full range of IDs that the 12-bit VLAN field can hold; 0 and 4095 are reserved and cannot be assigned to ports. |
| VLAN 1 | This is the default VLAN of switches. It can be used, but you can’t delete or edit it. |
| VLAN 2-1001 | It is the normal VLAN range. These VLANs can be created, edited, and deleted by you. |
| VLAN 1002-1005 | These are Cisco defaults for Token Ring and FDDI. They cannot be deleted. |
| VLAN 1006-4094 | It is the extended range of VLANs. |
Why VLANs Are Needed
VLAN is needed to make a network more organized, secure, efficient, and easy to manage. In a normal network without VLAN, all devices are in one large broadcast domain, which means every broadcast message is sent to every device. This creates heavy traffic, slows down the network, and increases the chance of security problems. VLAN solves these issues by logically dividing a single physical network into multiple smaller networks based on department, function, or security level, such as HR, Accounts, IT, or Guest users.
VLAN improves network security by isolating users and sensitive systems from each other. For example, employees in the Finance VLAN cannot directly access systems in the Guest VLAN. It also improves performance by reducing unnecessary broadcast traffic and keeping data local to each group. VLAN makes network management easier because administrators can control access, apply policies, and troubleshoot problems more efficiently. Additionally, VLAN allows flexible network design, meaning users can be in the same VLAN even if they are on different floors or buildings. Overall, VLAN is essential for building a safe, fast, and well-structured company network.
Without VLAN Problem in Company Network
In a company network without VLAN, all computers, printers, servers, and devices are placed in one single network (one broadcast domain). This creates many serious problems. First, network traffic becomes very high because every broadcast message is sent to all devices, which slows down the network and reduces performance, especially as the number of users increases. Second, security risks increase because all users can see and access the same network. For example, guest users or regular employees may be able to access important servers or sensitive company data, which can lead to data theft or misuse.
Another big problem is poor network management and troubleshooting. If a virus, loop, or misconfiguration happens, it can affect the entire company network at once, causing downtime for all departments. There is also no control over user access, meaning HR, Finance, and IT departments cannot be separated logically. This makes it difficult to apply different rules or policies for different users. Finally, the network becomes hard to scale because adding more users increases congestion and confusion. In short, without VLAN, a c
VLAN Benefits in a Company Network
VLAN provides many important benefits in a company network by making it more secure, efficient, and well-organized. One major benefit is improved security because users and devices are separated into different VLANs based on departments such as HR, Finance, IT, and Guest users. This prevents unauthorized access to sensitive data and reduces the risk of internal attacks. Even though all devices may be connected to the same physical switch, VLAN keeps their traffic logically isolated.
Another key benefit is better network performance. VLAN reduces unnecessary broadcast traffic by dividing one large network into smaller broadcast domains, which helps the network run faster and more smoothly. VLAN also makes network management easier because administrators can control access, apply policies, and troubleshoot problems for each department separately. It allows flexible network design, meaning users can be in the same VLAN even if they are on different floors or buildings. Overall, VLAN helps a company build a secure, scalable, and efficient network while using the same physical infrastructure, saving cost and improving reliability.
✅ Advantages of VLAN
Improved Security – VLAN separates users and devices into different groups (HR, Finance, IT, Guest), so unauthorized users cannot easily access sensitive data.
Better Network Performance – By dividing one large broadcast domain into smaller ones, VLAN reduces broadcast traffic and improves overall network speed.
Easy Network Management – Administrators can control and manage each VLAN separately, making troubleshooting and monitoring easier.
Flexibility – Users can be placed in the same VLAN even if they are in different physical locations (floors or buildings).
Cost Effective – VLAN works on the same physical switches and cables, so there is no need to buy extra hardware for separate networks.
Scalability – New users or departments can be added easily without redesigning the whole network.
❌ Disadvantages of VLAN
Initial Configuration Complexity – Setting up VLANs requires skilled network administrators and proper planning.
Inter-VLAN Routing Required – Devices in different VLANs cannot communicate without a Layer 3 device (router or Layer 3 switch), which adds cost and complexity.
Misconfiguration Risk – Wrong VLAN or trunk configuration can cause network issues or security problems.
Troubleshooting Can Be Difficult – VLAN problems are harder to identify compared to a simple flat network.
Hardware Dependency – VLAN requires managed switches; unmanaged switches cannot support VLANs.
📌 Conclusion
VLAN is very useful for security and performance in company networks, but it needs proper design and skilled management. When configured correctly, the advantages of VLAN are much greater than its disadvantages.
Here are the key Differences Between LAN and VLAN explained clearly in a table and short points:
| Feature | LAN (Local Area Network) | VLAN (Virtual Local Area Network) |
|---|---|---|
| Meaning | A physical network that connects devices in a limited area (office, building, campus). | A logical network created within a LAN to divide it into smaller networks. |
| Basis | Based on physical connection and location of devices. | Based on logical grouping (department, function, security). |
| Broadcast Domain | One LAN usually has one broadcast domain. | Each VLAN is a separate broadcast domain. |
| Security | Low security because all devices can access the same network. | Higher security because users are isolated into different VLANs. |
| Performance | More broadcast traffic, which can slow down the network. | Less broadcast traffic, so performance is better. |
| Flexibility | Devices must be physically close to be in the same LAN. | Devices can be in the same VLAN even if they are in different locations. |
| Management | Harder to manage in large networks. | Easier to manage and control users with policies. |
| Cost | May require more hardware to separate networks. | Cost-effective because it uses the same physical infrastructure. |
| Communication | All devices communicate directly in the same network. | Different VLANs need a router or Layer 3 switch to communicate (Inter-VLAN routing). |
Summary
LAN is a physical network of connected devices.
VLAN is a logical division inside a LAN to improve security, performance, and management.
In simple words:
👉 LAN = Physical network
👉 VLAN = Virtual (logical) network inside LAN
Switch VLAN Configuration
config t
vlan 10
name HR
exit
vlan 20
name SERVICES
exit
end
show vlan
Assign Switch Port
config t
interface fa0/1
switchport mode access
switchport access vlan 10
exit
! fa0/24 is reserved for the trunk, so only fa0/22-23 become access ports in VLAN 20
interface range fa0/22-23
switchport mode access
switchport access vlan 20
end
show vlan
show run
Configure a Trunk to Carry Multiple VLANs
config t
interface fa0/24
switchport mode trunk
end
VLAN Trunking
In order to overcome this scaling limitation, we can use another Ethernet technology called VLAN trunking. It creates only one link between the switches that carries as many VLANs as needed. At the same time, it also keeps the VLAN traffic separate, so frames from VLAN 20 won’t go to devices in VLAN 10 and vice versa. An example can be seen in figure 3. The link between switch 1 and switch 2 is a trunk link, and you can see that both VLAN 10 and VLAN 20 pass through the link.
Two trunking protocols have been used on Cisco switches over the years: Inter-Switch Link (ISL) and IEEE 802.1Q. ISL was a Cisco proprietary tagging protocol and the predecessor of 802.1Q; it has been deprecated and is not used anymore. IEEE 802.1Q is the industry-standard trunking encapsulation at present and is typically the only one supported on modern switches.
It is important to note that the tag adds 4 additional bytes to the Ethernet header of the frames. The most important field in the tag is the VLAN ID which is 12 bits long. It specifies the VLAN to which the frame belongs. Because values of 0x000 and 0xFFF are reserved, there are 4,094 possible VLAN numbers.
VLAN Tagging
VLAN trunking allows switches to forward frames from different VLANs over a single link called a trunk. This is done by adding a small additional header, called a tag, to the Ethernet frame. The process of adding this header is called VLAN tagging. If you look at Figure 4, end-station 1 is sending a broadcast frame. When switch 1 receives the frame, it knows that this is a broadcast frame and it has to send it out all its ports. However, switch 1 must tell switch 2 that this frame belongs to VLAN 10. So before sending the frame to switch 2, SW1 adds a VLAN header to the original Ethernet frame, with VLAN number 10, as shown in figure 4.
When switch 2 receives the frame, it sees that the frame belongs to VLAN 10; it then removes the header and forwards the original Ethernet frame to all its interfaces configured in VLAN 10.
So in the given examples, when the Ethernet frames are sent between the switches over the trunk link, they are tagged with a VLAN header. When the receiving switch gets them, it removes the VLAN tag and sends them untagged to the clients in that VLAN.
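The tagging and untagging described above, as an added example written for this page (not code from the original text or from any switch vendor): it builds a constructed broadcast frame from end-station 1, inserts the 4-byte 802.1Q tag for VLAN 10 the way SW1 would before the trunk, and strips it the way SW2 would. The MAC addresses and payload are made up; reserved VIDs 0x000 and 0xFFF are rejected as the text notes.

```python
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def valid_vlan_id(vlan_id: int) -> bool:
    """VID is a 12-bit field; 0x000 (priority-tagged) and 0xFFF are reserved."""
    return 1 <= vlan_id <= 4094


def tag_frame(frame: bytes, vlan_id: int, pcp: int = 0, dei: int = 0) -> bytes:
    """What SW1 does before sending a frame out the trunk: insert the 4-byte
    tag (TPID + TCI) between the source MAC and the original EtherType."""
    if not valid_vlan_id(vlan_id):
        raise ValueError(f"VLAN ID {vlan_id} is reserved or out of range")
    if len(frame) < 14:
        raise ValueError("frame shorter than a 14-byte Ethernet header")
    # TCI layout: 3 bits PCP (priority), 1 bit DEI, 12 bits VID
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vlan_id
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag_frame(frame: bytes):
    """What SW2 does on receipt: read the VID, strip the tag and return
    (vlan_id, original_frame). Untagged frames return vlan_id None, which a
    real switch maps to the native VLAN of the trunk."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None, frame
    tci = struct.unpack("!H", frame[14:16])[0]
    vlan_id = tci & 0x0FFF
    if vlan_id == 0xFFF:
        raise ValueError("VID 0xFFF is reserved; frame must be dropped")
    if vlan_id == 0:
        vlan_id = None   # priority tag only: carries no VLAN membership
    return vlan_id, frame[:12] + frame[16:]


# Constructed sample: the broadcast frame end-station 1 sends in the text.
BROADCAST_FRAME = (
    bytes.fromhex("ffffffffffff")          # destination: broadcast
    + bytes.fromhex("001122334455")        # source MAC (constructed)
    + struct.pack("!H", ETHERTYPE_IPV4)
    + b"hello from end-station 1"
)

if __name__ == "__main__":
    on_trunk = tag_frame(BROADCAST_FRAME, 10)       # SW1 -> SW2 over the trunk
    vid, delivered = untag_frame(on_trunk)          # SW2 -> VLAN 10 access ports
    print(f"tag bytes: {on_trunk[12:16].hex()}, VID {vid}, "
          f"frame restored: {delivered == BROADCAST_FRAME}")
```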
Switch interface modes
Each switch interface can operate as an access or a trunk port. Because a typical LAN deployment has hundreds or even thousands of switch ports, there is a protocol called Dynamic Trunking Protocol (DTP) that helps network administrators set the operational mode of interfaces automatically. By default, all Cisco switch ports are in the operational state dynamic auto, which means that DTP is listening and trying to learn what is configured on the other side of the cable, and based on that it decides whether to become an access or trunk port. For example, if we have a link between SW1 and SW2 and we configure the interface on SW1 to be a trunk port, DTP will advertise this to the other side, the interface on SW2 will automatically set itself to trunk mode, and a trunk link will be formed between the switches.
| Mode | Behaviour |
|---|---|
| switchport mode dynamic auto | DEFAULT MODE for Layer 2 interfaces of Cisco switches. Passively waits to convert the port into a trunk (DTP listens for messages from the far side saying “let’s form a trunk”). Becomes a trunk if the other side of the link is configured with trunk or dynamic desirable mode. |
| switchport mode dynamic desirable | Actively trying to convert the link to a trunk. (DTP actively sending messages to the far side saying “let’s form a trunk”) Becomes a trunk if the other side of the link is configured with trunk or dynamic desirable or dynamic auto. |
| switchport mode access | The interface becomes an access port. DTP negotiates the link as nontrunk link. |
| switchport mode trunk | The interface becomes a trunk port. DTP negotiates the link as trunk link. (DTP actively sending messages to the far side saying “let’s form a trunk”) |
| switchport mode nonegotiate | Disables the Dynamic Trunking Protocol (DTP). Interface mode is configured manually. |
Configuring Trunk ports
As we have already said, the default mode for Cisco switchports is dynamic auto. Therefore, in order to form a trunk, only one side of the link must be configured to actively negotiate it. Let’s configure Gi0/1 on SW1 to be actively trying to form a trunk and see what happens.
SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#interface GigabitEthernet 0/1
SW1(config-if)#switchport mode ?
access Set trunking mode to ACCESS unconditionally
dynamic Set trunking mode to dynamically negotiate access or trunk mode
trunk Set trunking mode to TRUNK unconditionally
SW1(config-if)#switchport mode dynamic ?
auto Set trunking mode dynamic negotiation parameter to AUTO
desirable Set trunking mode dynamic negotiation parameter to DESIRABLE
SW1(config-if)#switchport mode dynamic desirable
SW1(config-if)#end
%SYS-5-CONFIG_I: Configured from console by console
SW1#show interface trunk
Port Mode Encapsulation Status Native vlan
Gig0/1 desirable n-802.1q trunking 1
Port Vlans allowed on trunk
Gig0/1 1-1005
Port Vlans allowed and active in management domain
Gig0/1 1,10,20
Port Vlans in spanning tree forwarding state and not pruned
Gig0/1 1,10,20
You can see from the output of the show interface trunk command that a trunk link formed, even though we haven’t configured anything on the other side of the link on switch 2. That is the function of the Dynamic Trunking Protocol. Let’s check what the status of the link is according to switch 2.
SW2#sh interfaces trunk
Port Mode Encapsulation Status Native vlan
Gig0/1 auto n-802.1q trunking 1
Port Vlans allowed on trunk
Gig0/1 1-1005
Port Vlans allowed and active in management domain
Gig0/1 1,10,20
Port Vlans in spanning tree forwarding state and not pruned
Gig0/1 1,10,20
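The DTP mode table and the two show interfaces trunk outputs above lend themselves to a configuration check. The following Python is an added example for this page, not Cisco code: it parses that output and flags trunks that were formed by DTP negotiation rather than configured statically, that use the default VLAN 1 as the native VLAN, or that allow every VLAN. The sample output is constructed: Gig0/1 copies SW1's values above, and Gig0/2 is a made-up statically configured trunk (mode "on") for contrast.

```python
NEGOTIATED_MODES = {"auto", "desirable"}      # trunk state decided by DTP
ALL_VLANS = {None, "1-1005", "1-4094", "ALL", "all"}


def parse_show_trunk(text: str) -> dict:
    """Parse 'show interfaces trunk' into {port: {mode, encap, status, native, allowed}}."""
    ports, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Port"):          # header line of each table section
            if "Mode" in line:
                section = "mode"
            elif "allowed on trunk" in line:
                section = "allowed"
            else:
                section = "other"            # active / STP forwarding sections
            continue
        fields = line.split()
        if section == "mode" and len(fields) == 5:
            ports[fields[0]] = {"mode": fields[1], "encap": fields[2],
                                "status": fields[3], "native": int(fields[4]),
                                "allowed": None}
        elif section == "allowed" and len(fields) == 2 and fields[0] in ports:
            ports[fields[0]]["allowed"] = fields[1]
    return ports


def audit_trunks(text: str) -> list:
    """Return (port, finding) pairs for trunks that rely on negotiation or defaults."""
    findings = []
    for port, info in parse_show_trunk(text).items():
        if info["status"] != "trunking":
            continue
        if info["mode"] in NEGOTIATED_MODES:
            findings.append((port, "trunk formed by DTP negotiation; configure "
                                   "'switchport mode trunk' and 'switchport nonegotiate'"))
        if info["native"] == 1:
            findings.append((port, "native VLAN is the default VLAN 1; move untagged "
                                   "traffic to a dedicated unused VLAN"))
        if info["allowed"] in ALL_VLANS:
            findings.append((port, "every VLAN is allowed on the trunk; restrict with "
                                   "'switchport trunk allowed vlan'"))
    return findings


# Constructed sample: SW1's Gig0/1 exactly as shown above, plus a hardened
# Gig0/2 (mode 'on' = statically configured trunk) for contrast.
SAMPLE_OUTPUT = """\
Port        Mode         Encapsulation  Status        Native vlan
Gig0/1      desirable    n-802.1q       trunking      1
Gig0/2      on           802.1q         trunking      999

Port        Vlans allowed on trunk
Gig0/1      1-1005
Gig0/2      10,20

Port        Vlans allowed and active in management domain
Gig0/1      1,10,20
Gig0/2      10,20
"""

if __name__ == "__main__":
    for port, finding in audit_trunks(SAMPLE_OUTPUT):
        print(f"{port}: {finding}")
```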
VLAN Interview QNA
Here are common VLAN Interview Questions and Answers (Q&A) that are frequently asked in networking interviews (CCNA / system & network admin level):
1. What is VLAN?
A VLAN (Virtual Local Area Network) is a logical network that divides one physical LAN into multiple broadcast domains to improve security, performance, and management.
2. Why is VLAN used?
VLAN is used to reduce broadcast traffic, improve network performance, increase security, and logically separate departments like HR, IT, Finance, and Guest users.
3. What is the VLAN ID range?
VLAN IDs range from 1 to 4094.
- Normal range: 1–1005
- Extended range: 1006–4094
4. What is a default VLAN?
Default VLAN is VLAN 1. All switch ports belong to VLAN 1 by default.
5. What is an access port?
An access port belongs to only one VLAN and is used to connect end devices like PCs and printers.
6. What is a trunk port?
A trunk port carries traffic for multiple VLANs between switches using VLAN tagging (802.1Q).
7. What is native VLAN?
Native VLAN is the VLAN that carries untagged traffic on a trunk port (by default VLAN 1).
8. What is inter-VLAN routing?
Inter-VLAN routing allows communication between different VLANs using a router or Layer 3 switch.
9. Difference between LAN and VLAN?
LAN is a physical network, while VLAN is a logical network created inside a LAN for segmentation and security.
10. What is broadcast domain?
A broadcast domain is a network area where broadcast packets are sent to all devices. Each VLAN is one broadcast domain.
11. What is management VLAN?
A VLAN used to manage switches and routers (SSH, Telnet, SNMP).
12. What is voice VLAN?
A VLAN specially created for IP phones to give priority to voice traffic.
13. What happens if VLAN is not used?
The network becomes slow, insecure, hard to manage, and vulnerable to broadcast storms.
14. Which protocol is used for VLAN tagging?
IEEE 802.1Q protocol is used for VLAN tagging.
15. What is Private VLAN (PVLAN)?
PVLAN isolates devices within the same VLAN to improve security.
16. Can two VLANs communicate directly?
No. They need a router or Layer 3 switch (Inter-VLAN routing).
17. What is VLAN hopping?
A security attack where a device gains access to another VLAN illegally.
18. What is the benefit of VLAN in company networks?
Security, performance, reduced broadcast traffic, easy management, and scalability.
19. Difference between access VLAN and trunk VLAN?
Access VLAN carries traffic for one VLAN; trunk VLAN carries traffic for multiple VLANs.
20. What devices support VLAN?
Managed switches and Layer 3 switches support VLAN.
Frequently Asked Questions
Q1. What is a VLAN and why is it used?
A VLAN (Virtual Local Area Network) is a method of creating virtual networks within a physical network infrastructure. It is used to improve network flexibility, security, and performance by logically separating devices into distinct groups, regardless of their physical location. VLANs enable efficient network management and enhance overall network efficiency.
Q2. What is a VLAN with example?
A VLAN (Virtual Local Area Network) is a virtual network that allows devices to communicate as if they were on the same physical network, providing segmentation and security. For example, in an educational institution, VLANs can be set up for students, faculty, and administration, enabling separate networks while utilizing the same network infrastructure.
Q3. What are the 3 types of VLANs?
The three types of VLANs are:
- Port-based VLAN: Devices are grouped into VLANs based on the physical switch ports they are connected to.
- MAC-based VLAN: Devices are assigned to VLANs based on their MAC addresses, allowing for flexibility when devices are moved to different ports.
- Protocol-based VLAN: Devices are assigned to VLANs based on the network protocol used, such as IP addresses or specific application requirements.
Q4. Why is VLAN trunking used?
VLAN trunking is used to transport traffic for multiple VLANs over a single network link, enabling efficient utilization of network resources. It simplifies network design, reduces the number of physical connections needed, and facilitates the exchange of VLAN traffic between switches or network devices.