A VLAN, or virtual local area network, is a way to segment a physical network into multiple logical networks (broadcast domains) to improve security and performance. Devices in a VLAN can communicate with each other as if they were on a single network, even if they are on different switches or physically separated.
Broadcast Domain
A logical network used by a managed switch where a broadcast message sent by one device will be heard by all devices on that segment.
- VLANs are commonly used to subdivide and manage this for optimization, organization, and security purposes.
- Routers typically function this way
- VLANs are a way to break this down further
- Full duplex
Collision Domain
A logical network used by an unmanaged switch where all devices connected to that device can receive traffic/broadcasts.
- Inefficient
- Largely eliminated by managed switches
- Half duplex
Key Corrections & Clarifications:
Broadcast Domain:
- Not exclusive to managed switches - unmanaged switches also create broadcast domains
- The key difference is that managed switches can create MULTIPLE broadcast domains (VLANs), while unmanaged switches create only ONE broadcast domain per switch
Collision Domain:
- Modern switches (both managed and unmanaged) create separate collision domains for each port
- Collision domains are more about physical layer conflicts, not logical segmentation
- Hubs (largely obsolete) created single collision domains for all connected devices
Additional VLAN Benefits:
Security: Isolate sensitive traffic (e.g., HR systems from guest networks)
Performance: Reduce broadcast traffic by limiting broadcast domains
Flexibility: Logically group devices regardless of physical location
Cost Efficiency: Use one physical switch for multiple logical networks
VLAN Types:
- Data VLANs: Regular user traffic
- Voice VLANs: VoIP traffic prioritization
- Management VLANs: Network device management
- Native VLAN: Untagged traffic on trunk ports
Quick Memory Aid:
- Physical switch ports = Collision domains (one per port)
- VLANs = Broadcast domains (multiple per managed switch)
- Routers = Connect different VLANs/subnets
VLAN (Virtual Local Area Network)
A VLAN is a logical network segmentation method that divides a single physical switch into multiple isolated broadcast domains, improving security, performance, and network organization without requiring additional hardware.
- VLANs operate at Layer 2 and create separate broadcast domains on the same physical switch
- Devices in the same VLAN communicate as if on a dedicated switch, even when physically separated across multiple switches
- Each VLAN requires a separate subnet and typically needs a router or Layer 3 switch for inter-VLAN communication
VLAN Types
- Data VLAN: Standard user traffic (VLAN 10, 20, etc.)
- Voice VLAN: Dedicated for VoIP traffic with QoS prioritization
- Management VLAN: Network device administration (often VLAN 1, though security best practice suggests changing this)
- Native VLAN: Handles untagged traffic on trunk links (default VLAN 1)
- Default VLAN: VLAN 1 - all ports belong here initially (security risk if left unchanged)
VLAN Configuration Modes
| Port Type | Description | Use Case | Tagging |
|---|---|---|---|
| Access | Belongs to single VLAN | End devices (PCs, printers) | Untagged |
| Trunk | Carries multiple VLANs | Switch-to-switch links | Tagged (802.1Q) |
- Access ports: `switchport mode access` + `switchport access vlan X`
- Trunk ports: `switchport mode trunk` + `switchport trunk allowed vlan X,Y,Z`
- Native VLAN: `switchport trunk native vlan X` (security: change from default VLAN 1)
802.1Q Tagging
- Industry standard for VLAN tagging on trunk links
- Adds 4-byte tag to Ethernet frame containing VLAN ID (1-4094)
- Native VLAN traffic remains untagged on trunk ports
- Maximum frame size increases from 1518 to 1522 bytes
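The tag layout described above (TPID 0x8100, then a 16-bit TCI holding the 3-bit priority, the DEI bit and the 12-bit VLAN ID, with untagged native-VLAN frames carrying no tag at all) is easiest to see by parsing real bytes. The following is an added example, not code from the original notes: a small parser that pulls the tag out of an Ethernet II frame, rejects the reserved VID 4095, treats VID 0 as a priority-only tag with no VLAN membership, and enforces the 1518/1522-byte maximums. The `build_frame` helper and the `SAMPLES` frames are constructed here for illustration, not captured traffic; the function and field names are this example's own.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag
MAX_VID = 4094               # 4095 is reserved; 0 means "priority tag only, no VLAN"
UNTAGGED_MAX = 1518          # max frame size on the wire (header + payload + FCS)
TAGGED_MAX = UNTAGGED_MAX + 4  # the 4-byte tag raises the maximum to 1522


@dataclass
class ParsedFrame:
    dst: str
    src: str
    vid: Optional[int]       # None: frame carries no VLAN membership (native/untagged)
    pcp: int                 # 3-bit priority code point (what a voice VLAN's QoS keys on)
    dei: int                 # drop eligible indicator bit
    ethertype: int           # EtherType of the encapsulated protocol (after any tag)
    payload: bytes


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(frame: bytes) -> ParsedFrame:
    """Parse an Ethernet II frame and, when present, its single 802.1Q tag.
    The tag sits right after the source MAC: TPID 0x8100 (2 bytes) followed by
    TCI (2 bytes) = PCP (3 bits) | DEI (1 bit) | VID (12 bits)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vid, pcp, dei = 14, None, 0, 0
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, dei, raw_vid = tci >> 13, (tci >> 12) & 1, tci & 0x0FFF
        if raw_vid > MAX_VID:
            raise ValueError(f"reserved VLAN ID {raw_vid} in tag")
        vid = raw_vid or None    # VID 0 carries priority only, not membership
        offset = 18
    # Size check assumes the 4-byte FCS is included, as it is on the wire.
    limit = TAGGED_MAX if offset == 18 else UNTAGGED_MAX
    if len(frame) > limit:
        raise ValueError(f"frame of {len(frame)} bytes exceeds {limit}-byte maximum")
    return ParsedFrame(_mac(dst), _mac(src), vid, pcp, dei, ethertype, frame[offset:])


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0, dei: int = 0) -> bytes:
    """Build a frame (optionally tagged); used here only to construct sample input."""
    hdr = dst + src
    if vid is not None:
        tci = (pcp << 13) | (dei << 12) | (vid & 0x0FFF)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


# Constructed sample frames (not captured traffic): broadcast dst, locally administered src.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("020000000001")
SAMPLES: Dict[str, bytes] = {
    # IPv4 frame tagged for VLAN 10 with voice-style priority 5
    "tagged_vlan10_voice": build_frame(DST, SRC, 0x0800, b"\x45" + b"\x00" * 19, vid=10, pcp=5),
    # ARP frame with no tag, i.e. what leaves a trunk in the native VLAN
    "untagged_native": build_frame(DST, SRC, 0x0806, b"\x00" * 28),
}


def parse_samples() -> Dict[str, ParsedFrame]:
    return {name: parse_frame(f) for name, f in SAMPLES.items()}


if __name__ == "__main__":
    for name, parsed in parse_samples().items():
        print(name, parsed.vid, parsed.pcp, hex(parsed.ethertype))
```

Running the module prints the VLAN ID, priority and inner EtherType of each sample; the untagged sample comes back with `vid=None`, which is exactly why native-VLAN traffic is only identifiable by the port it arrived on, not by anything in the frame.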
Inter-VLAN Routing Methods
| Method | Description | Scalability | Performance |
|---|---|---|---|
| Router-on-a-Stick | Single router interface with subinterfaces | Limited | Lower |
| Layer 3 Switch | Switch with routing capabilities | High | Higher |
| Separate Router Interfaces | One physical interface per VLAN | Very Limited | Moderate |
Router-on-a-Stick Example:
- Router Gi0/0.10 (VLAN 10): 192.168.10.1/24
- Router Gi0/0.20 (VLAN 20): 192.168.20.1/24
- Switch trunk port connects to router carrying both VLANs
VLAN Benefits & Use Cases
Security Benefits:
- Isolate sensitive departments (HR, Finance) from general network
- Separate guest networks from corporate resources
- Limit broadcast domain scope for security protocols
Performance Optimization:
- Reduce broadcast traffic by containing it within VLANs
- Prioritize voice traffic using dedicated Voice VLANs
- Segment high-bandwidth applications
Administrative Flexibility:
- Group users by function rather than physical location
- Easily move users between VLANs without physical recabling
- Centralized VLAN management across multiple switches
Vocabulary
Broadcast Domain: Network segment where broadcast frames are contained (VLAN = broadcast domain)
Collision Domain: Network segment where frame collisions can occur (each switch port = separate collision domain)
VLAN ID (VID): 12-bit identifier (1-4094) that tags frames for VLAN membership
Trunk: Link carrying multiple VLANs using 802.1Q tagging
Access Port: Switch port belonging to single VLAN, sends/receives untagged frames
Notes
- VLAN 1 cannot be deleted - it’s the default VLAN but should not be used for security reasons
- VLAN range: 1-4094 (0 and 4095 reserved)
- Extended VLANs: 1006-4094 (stored in running-config, not vlan.dat)
- Use `show vlan brief` to verify VLAN assignments and `show interfaces trunk` for trunk status
- DTP (Dynamic Trunking Protocol) can automatically negotiate trunk links but creates security risks - manually configure trunk ports when possible
- Each VLAN is a single broadcast domain mapped to its own subnet - routers naturally separate VLANs into different subnets
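The port-configuration commands in the VLAN Configuration Modes section and the notes above on VLAN 1 and DTP add up to a short checklist a defender can run against a switch configuration: access ports left in VLAN 1, trunks whose native VLAN is still 1, trunks that still send DTP frames, trunks that allow every VLAN, and ports left in dynamic mode. The following is an added example, not code from the original notes or from any vendor tool: an audit script that parses Cisco IOS-style `interface` stanzas and reports those findings. `CONSTRUCTED_CONFIG` is a made-up running-config written for this example; the commands it contains (`switchport mode`, `switchport access vlan`, `switchport trunk native vlan`, `switchport trunk allowed vlan`, `switchport nonegotiate`, `no switchport`) are real IOS syntax, but the function names and finding text are this example's own.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample running-config (not from a real device). Four ports cover
# a clean access port, a forgotten access port, a hardened trunk, a bare trunk
# and a port left to DTP negotiation.
CONSTRUCTED_CONFIG = """\
!
interface GigabitEthernet0/1
 description user access port
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/2
 description printer, never moved off defaults
 switchport mode access
!
interface GigabitEthernet0/22
 description uplink configured as trunk but otherwise on defaults
 switchport mode trunk
!
interface GigabitEthernet0/23
 description uplink left on DTP defaults
 switchport mode dynamic auto
!
interface GigabitEthernet0/24
 description uplink to core, hardened
 switchport mode trunk
 switchport trunk allowed vlan 10,20,99
 switchport trunk native vlan 99
 switchport nonegotiate
!
interface GigabitEthernet0/48
 description routed uplink on a Layer 3 switch
 no switchport
 ip address 10.0.0.2 255.255.255.252
!
"""


@dataclass
class Interface:
    name: str
    lines: List[str] = field(default_factory=list)


def parse_interfaces(config: str) -> List[Interface]:
    """Split an IOS-style config into interface stanzas: an 'interface X' line
    followed by indented sub-commands, ended by '!' or any other top-level line."""
    ifaces: List[Interface] = []
    cur: Optional[Interface] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            cur = Interface(line.split(None, 1)[1])
            ifaces.append(cur)
        elif line.startswith(" ") and cur is not None:
            cur.lines.append(line.strip())
        else:
            cur = None
    return ifaces


def _first(lines: List[str], prefix: str) -> Optional[str]:
    return next((l for l in lines if l.startswith(prefix)), None)


def audit(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [findings]} for ports that violate the notes' advice."""
    findings: Dict[str, List[str]] = {}
    for itf in parse_interfaces(config):
        if "no switchport" in itf.lines:
            continue  # routed port: no VLAN membership to audit
        f: List[str] = []
        mode_line = _first(itf.lines, "switchport mode ")
        mode = mode_line.split()[2] if mode_line else None
        if mode is None or mode == "dynamic":
            f.append("DTP negotiation possible: no static 'switchport mode access' or 'switchport mode trunk'")
        if mode == "access":
            acc = _first(itf.lines, "switchport access vlan ")
            if acc is None or acc.split()[-1] == "1":
                f.append("access port in default VLAN 1")
        if mode == "trunk":
            nat = _first(itf.lines, "switchport trunk native vlan ")
            if nat is None or nat.split()[-1] == "1":
                f.append("trunk native VLAN left at default 1")
            if "switchport nonegotiate" not in itf.lines:
                f.append("trunk still sends DTP frames: add 'switchport nonegotiate'")
            if _first(itf.lines, "switchport trunk allowed vlan ") is None:
                f.append("trunk allows all VLANs: restrict with 'switchport trunk allowed vlan'")
        if f:
            findings[itf.name] = f
    return findings


if __name__ == "__main__":
    for name, items in audit(CONSTRUCTED_CONFIG).items():
        for item in items:
            print(f"{name}: {item}")
```

Feed `audit()` the text of `show running-config` and it lists only the ports that need attention; the hardened trunk and the correctly assigned access port produce no output, while the bare trunk collects three findings at once.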