
VLAN: Virtual Local Area Networks

Category: Routing and Switching
Type: Network Concepts
Generated on: 2025-07-10 09:02:28
For: Network Engineering, Administration & Technical Interviews


VLAN Cheatsheet: Virtual Local Area Networks


What is a VLAN?

A VLAN (Virtual Local Area Network) is a logical grouping of network devices, allowing them to communicate as if they were on the same physical network, regardless of their physical location. It allows you to segment a physical network into multiple broadcast domains.

Why are VLANs Important?

  • Security: Isolate sensitive data or devices into separate VLANs.

  • Performance: Reduce broadcast traffic within a VLAN, improving overall network performance.

  • Flexibility: Easily move devices between networks without physical rewiring.

  • Management: Simplify network administration by grouping devices based on function or department.

  • Scalability: Allows for easier network expansion and segmentation.

Key Concepts:

  • Broadcast Domain: A logical division of a network where devices can communicate via broadcasts. VLANs create separate broadcast domains.

  • VLAN ID: A unique identifier (1-4094) assigned to each VLAN. VLAN IDs 1-1005 are considered normal range and are typically used for general network administration. VLAN IDs 1006-4094 are extended range and are often used by service providers or larger networks.

  • Trunk Port: A switch port configured to carry traffic for multiple VLANs. It uses tagging (e.g., 802.1Q) to identify which VLAN each frame belongs to.

  • Access Port: A switch port configured for a single VLAN. It does not tag frames.

  • Native VLAN: A VLAN assigned to untagged traffic on a trunk port. It’s important for backward compatibility and control plane traffic. Best practice is to choose a VLAN ID other than 1 for the native VLAN.

  • VLAN Tagging (802.1Q): A standard protocol for adding VLAN information to Ethernet frames. It inserts a 4-byte tag containing the VLAN ID.

  • VTP (VLAN Trunking Protocol): Cisco proprietary protocol for propagating VLAN configurations across a network. Modern networks often use manual VLAN configuration or other management tools instead of VTP due to security concerns and complexity.

  • Inter-VLAN Routing: The process of routing traffic between different VLANs, typically handled by a router or a Layer 3 switch. This is required for devices in different VLANs to communicate.

  • Layer 2 Switch: A switch that forwards traffic based on MAC addresses and VLAN information.

  • Layer 3 Switch: A switch that can perform routing functions in addition to Layer 2 switching. It can route traffic between VLANs.

  • Default VLAN (VLAN 1): The VLAN assigned to all switch ports by default. For security reasons, user ports should be moved out of VLAN 1 and it should not be used as the native VLAN on trunks.

Access Port Operation:

  1. A device connected to an access port sends an untagged frame.
  2. The switch receives the frame and adds a VLAN tag based on the VLAN configured for that port.
  3. The switch forwards the frame within the VLAN.
  4. When a frame is sent out an access port, the VLAN tag is removed.

Trunk Port Operation:

  1. A device connected to an access port sends an untagged frame. The switch adds the VLAN tag.
  2. The switch forwards the tagged frame out the trunk port.
  3. The receiving switch reads the VLAN tag and forwards the frame accordingly.
  4. When the receiving switch sends the frame out an access port, the VLAN tag is removed.

Simple VLAN Diagram:

+-------+      +--------+      +-------+
| PC A  |------| Switch |------| PC B  |   (VLAN 10)
+-------+      +--------+      +-------+
                   |
                   |
+-------+      +--------+      +-------+
| PC C  |------| Switch |------| PC D  |   (VLAN 20)
+-------+      +--------+      +-------+

In this diagram, PC A and PC B are in VLAN 10, while PC C and PC D are in VLAN 20. They cannot directly communicate without inter-VLAN routing.

Inter-VLAN Routing Diagram:

+-------+      +--------+      +--------+
| PC A  |------| Switch |------| Router |   (VLAN 10)
+-------+      +--------+      +--------+
                   |               /|\
                   |                |
                   |                |
+-------+      +--------+      +-------+
| PC C  |------| Switch |------| PC D  |   (VLAN 20)
+-------+      +--------+      +-------+

Here, the router provides the necessary routing to allow PC A and PC C to communicate. The router has interfaces configured for both VLAN 10 and VLAN 20. The switch needs to be configured with trunk ports to allow the router to receive tagged traffic from both VLANs.

802.1Q Header Format:

+--------------------------------------------+
| Destination MAC Address (6 bytes)          |
+--------------------------------------------+
| Source MAC Address (6 bytes)               |
+--------------------------------------------+
| 802.1Q Tag (4 bytes)                       |
+--------------------------------------------+
| EtherType (2 bytes)                        |
+--------------------------------------------+
| Payload (Data) (variable)                  |
+--------------------------------------------+
| Frame Check Sequence (FCS) (4 bytes)       |
+--------------------------------------------+

802.1Q Tag Details (4 bytes = 16-bit TPID + 16-bit TCI):

+--------------------------------------------+
| TPID = 0x8100 (16 bits)                    |
+--------------------------------------------+
| Priority (3 bits)                          |
+--------------------------------------------+
| CFI (Canonical Format Indicator) (1 bit)   |
+--------------------------------------------+
| VLAN ID (VID) (12 bits)                    |
+--------------------------------------------+

  • TPID (Tag Protocol Identifier): The value 0x8100 sits where the EtherType would normally be and tells the receiver that a tag follows; the real EtherType comes after the tag.
  • Priority (PCP): Used for Quality of Service (QoS).
  • CFI: Originally used for compatibility with Token Ring networks; redefined as the Drop Eligible Indicator (DEI) in 802.1Q-2011.
  • VID: The VLAN ID (1-4094). Values 0 and 4095 are reserved.
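The tagging behaviour described under Access Port Operation, Trunk Port Operation and the 802.1Q tag layout above, as an added Python model (not code from the cheatsheet or from any switch vendor). The AccessPort and TrunkPort classes, the MAC addresses, VLAN numbers and the ICMP payload are all constructed for the demo, the FCS is omitted, and the choice to drop tagged frames arriving on an access port is a simplification (real switches vary). The native_mismatch() function reproduces the Native VLAN Mismatch issue from the troubleshooting list: a frame sent untagged as VLAN 99 is filed under VLAN 1 by a peer whose native VLAN is 1.

```python
"""Toy model of 802.1Q tagging on access and trunk ports (added example).

Header layout follows the diagram above: TPID 0x8100, then a 16-bit TCI holding
PCP (3 bits), CFI/DEI (1 bit) and VID (12 bits). All addresses, VLAN numbers and
payloads are constructed for this demo; the FCS is omitted.
"""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_tag(vid, pcp=0, dei=0):
    """Return the 4-byte 802.1Q tag for a VLAN ID (1-4094)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1-4094 (0 and 4095 are reserved)")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | (vid & 0xFFF)
    return struct.pack("!HH", TPID_8021Q, tci)


def build_frame(dst, src, payload, vid=None, ethertype=ETHERTYPE_IPV4):
    """dst MAC | src MAC | optional 802.1Q tag | EtherType | payload."""
    tag = build_tag(vid) if vid is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Decode the header; 'vid' is None when the frame carries no 802.1Q tag."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return {"dst": dst, "src": src, "vid": None, "pcp": None, "dei": None,
                "ethertype": ethertype, "payload": frame[14:]}
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src, "vid": tci & 0xFFF, "pcp": tci >> 13,
            "dei": (tci >> 12) & 1, "ethertype": inner_type, "payload": frame[18:]}


def strip_tag(frame):
    """Remove the 802.1Q tag if present (what an access port does on egress)."""
    return frame[:12] + frame[16:] if parse_frame(frame)["vid"] is not None else frame


def add_tag(frame, vid):
    """Insert an 802.1Q tag after the source MAC (what a trunk port does on egress)."""
    return frame[:12] + build_tag(vid) + frame[12:]


class AccessPort:
    """Single-VLAN port: untagged frames in, untagged frames out."""
    def __init__(self, vid):
        self.vid = vid

    def ingress(self, frame):
        # Untagged frames are classified into the port VLAN; tagged ones are dropped.
        return None if parse_frame(frame)["vid"] is not None else (self.vid, frame)

    def egress(self, vid, frame):
        # Only frames of this port's VLAN leave, and they leave untagged.
        return strip_tag(frame) if vid == self.vid else None


class TrunkPort:
    """Multi-VLAN port: frames are tagged, except the native VLAN which is untagged."""
    def __init__(self, allowed, native):
        self.allowed, self.native = set(allowed) | {native}, native

    def ingress(self, frame):
        # Tagged frames are classified by VID; untagged frames land in the native VLAN.
        vid = parse_frame(frame)["vid"]
        vid = self.native if vid is None else vid
        return (vid, strip_tag(frame)) if vid in self.allowed else None

    def egress(self, vid, frame):
        if vid not in self.allowed:
            return None
        return frame if vid == self.native else add_tag(frame, vid)


def forward(in_port, out_port, frame):
    """Switch a frame from one port to another; None means it was dropped."""
    classified = in_port.ingress(frame)
    if classified is None:
        return None
    vid, untagged = classified
    return out_port.egress(vid, untagged)


# Constructed MACs and a constructed untagged frame from PC A to its gateway.
PC_A, GW = b"\x00\x11\x22\x33\x44\x0a", b"\x00\x11\x22\x33\x44\x01"
PING = build_frame(GW, PC_A, b"icmp-echo-request")


def demo():
    """Access VLAN 10 -> trunk leaves tagged VID 10; the reverse path strips the tag."""
    access10, access20 = AccessPort(10), AccessPort(20)
    trunk = TrunkPort(allowed=[10, 20], native=99)
    tagged = forward(access10, trunk, PING)
    back = forward(trunk, access10, tagged)
    leaked = forward(access10, access20, PING)  # other VLAN: dropped (None)
    return parse_frame(tagged)["vid"], back == PING, leaked


def native_mismatch():
    """Native 99 sends VLAN 99 untagged; a peer whose native is 1 files it under VLAN 1."""
    sender = TrunkPort(allowed=[10, 99], native=99)
    receiver = TrunkPort(allowed=[1, 10], native=1)
    on_wire = sender.egress(99, PING)
    return parse_frame(on_wire)["vid"], receiver.ingress(on_wire)[0]


if __name__ == "__main__":
    print("access -> trunk -> access:", demo())
    print("native VLAN mismatch:", native_mismatch())
```

Running the file prints (10, True, None) for the access-to-trunk round trip and (None, 1) for the mismatch case: the frame left the wire untagged and the receiving trunk assigned it to its own native VLAN, which is exactly why the troubleshooting entry insists the native VLAN match on both ends.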

Message Flow (Example: PC A in VLAN 10 pings PC C in VLAN 20):

  1. PC A (VLAN 10) sends an ICMP Echo Request (ping) to PC C (VLAN 20). The frame is untagged.
  2. Switch receives the frame on an access port configured for VLAN 10.
  3. Switch adds an 802.1Q tag with VLAN ID 10.
  4. Switch forwards the tagged frame out a trunk port.
  5. Router receives the tagged frame on a trunk port.
  6. Router examines the VLAN tag (10).
  7. Router determines the destination IP address is in a different subnet (VLAN 20).
  8. Router routes the packet to its interface configured for VLAN 20.
  9. Router encapsulates the packet in a new Ethernet frame with an 802.1Q tag with VLAN ID 20.
  10. Router sends the tagged frame out a trunk port.
  11. Switch receives the tagged frame.
  12. Switch forwards the frame out an access port configured for VLAN 20. The tag is removed.
  13. PC C receives the untagged ICMP Echo Request.
  14. PC C sends an ICMP Echo Reply back, following the reverse process.

Common Use Cases:

  • Separating Departments: Create VLANs for Sales, Engineering, and HR departments to isolate their network traffic and improve security.

  • Guest Network: Implement a separate VLAN for guest Wi-Fi access to prevent unauthorized access to the internal network.

  • Voice over IP (VoIP): Use a dedicated VLAN for VoIP traffic to prioritize voice packets and ensure call quality.

  • Server Isolation: Isolate servers containing sensitive data in a separate VLAN to restrict access.

  • DMZ (Demilitarized Zone): Place publicly accessible servers (e.g., web servers) in a DMZ VLAN to protect the internal network from external threats.

Common Issues:

  • VLAN Mismatch: Devices in different VLANs unable to communicate due to misconfigured VLAN assignments.
    • Troubleshooting: Verify VLAN configurations on switches and routers. Use show vlan brief (Cisco) or equivalent commands.

  • Trunking Problems: Trunk links not properly configured, preventing VLAN traffic from being carried between switches.
    • Troubleshooting: Verify trunk port configurations (encapsulation, allowed VLANs). Use show interface trunk (Cisco) or equivalent commands.

  • Native VLAN Mismatch: Native VLAN mismatch between switches, leading to unexpected traffic behavior, because untagged frames are placed in a different VLAN on each end of the trunk.
    • Troubleshooting: Ensure the native VLAN is consistently configured on all trunk ports.

  • Spanning Tree Protocol (STP) Issues: STP blocking ports incorrectly, preventing VLAN traffic from flowing.
    • Troubleshooting: Check STP configurations and topology. Use show spanning-tree (Cisco) or equivalent commands.

  • Inter-VLAN Routing Problems: Routing not configured correctly, preventing communication between VLANs.
    • Troubleshooting: Verify routing configurations on the router or Layer 3 switch. Check IP addresses, subnet masks, and routing tables.

  • Security Issues: VLAN hopping attacks, where attackers can gain access to unauthorized VLANs.
    • Solution: Disable DTP (Dynamic Trunking Protocol) so that ports cannot negotiate themselves into trunks, explicitly configure trunk and access ports, and use strong authentication. Avoid using VLAN 1 as a native VLAN.

  • MTU (Maximum Transmission Unit) Problems: The 4 bytes added by the 802.1Q tag increase the frame size and can cause fragmentation issues if the MTU is not properly configured.
    • Troubleshooting: Ensure consistent MTU settings across the network, including the router and switches.
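A defender-side check for the Security Issues entry above, as an added example that is not part of the cheatsheet: a small Python auditor that reads IOS-style interface stanzas from a saved running-config and reports the weaknesses the Solution bullet names (DTP still negotiating, ports left in dynamic mode, native VLAN 1, access ports left in VLAN 1) plus trunks that allow every VLAN instead of being pruned as in the trunk example below. SAMPLE_CONFIG is a constructed excerpt, not a real device's configuration; the "no explicit switchport mode" finding assumes the platform default leaves DTP negotiation enabled, and the finding texts are this example's own wording.

```python
"""Audit a Cisco-style switch configuration for the VLAN weaknesses listed above.

Added example, not part of the cheatsheet. It parses IOS-style 'interface'
stanzas and reports DTP/native-VLAN/allowed-VLAN/default-VLAN findings.
SAMPLE_CONFIG is constructed for the demo.
"""

SAMPLE_CONFIG = """\
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/2
 switchport mode dynamic desirable
!
interface GigabitEthernet0/3
 switchport mode access
!
interface GigabitEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport trunk native vlan 99
 switchport nonegotiate
!
interface GigabitEthernet0/23
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
"""


def parse_interfaces(config):
    """Return {interface name: [stripped config lines]} for each 'interface' stanza."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "!" or not line:
            current = None          # '!' ends a stanza in IOS output
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def _last_word(lines, prefix, default):
    """Value of the last line starting with prefix, or the IOS default if absent."""
    return next((ln.split()[-1] for ln in lines if ln.startswith(prefix)), default)


def audit_interface(lines):
    """Return a list of findings (strings) for one interface stanza."""
    findings = []
    mode = next((ln.split()[2] for ln in lines if ln.startswith("switchport mode ")), None)
    if mode is None:
        # Assumption: an unset mode leaves DTP negotiation at the platform default.
        findings.append("no explicit switchport mode; DTP negotiation left at platform default")
    elif mode == "dynamic":
        findings.append("dynamic mode: port can be negotiated into a trunk via DTP")
    elif mode == "trunk":
        if "switchport nonegotiate" not in lines:
            findings.append("trunk still sends DTP; add 'switchport nonegotiate'")
        if _last_word(lines, "switchport trunk native vlan ", "1") == "1":
            findings.append("native VLAN is 1 (the default); use a dedicated unused VLAN")
        if not any(ln.startswith("switchport trunk allowed vlan ") for ln in lines):
            findings.append("trunk allows all VLANs; prune with 'switchport trunk allowed vlan'")
    elif mode == "access":
        if _last_word(lines, "switchport access vlan ", "1") == "1":
            findings.append("access port left in default VLAN 1")
    return findings


def audit(config):
    """Map every interface in the config to its findings (empty list = clean)."""
    return {name: audit_interface(lines) for name, lines in parse_interfaces(config).items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("   -", finding)
```

On the constructed sample, GigabitEthernet0/1 and GigabitEthernet0/24 come back clean, GigabitEthernet0/2 is flagged for dynamic mode, GigabitEthernet0/3 for sitting in VLAN 1, and GigabitEthernet0/23 collects all three trunk findings. Feed it the output of show running-config saved to a file to run the same checks on a real device.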

Configuration Examples (Cisco IOS):

Creating a VLAN:

Switch(config)# vlan 10
Switch(config-vlan)# name Sales
Switch(config-vlan)# exit

Assigning a port to a VLAN (Access Port):

Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# exit

Configuring a Trunk Port:

Switch(config)# interface GigabitEthernet0/24
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk allowed vlan 10,20,30
Switch(config-if)# switchport trunk native vlan 99
Switch(config-if)# exit

On switches that also support ISL, the encapsulation must be set before the port is placed in trunk mode or the mode command is rejected; switches that only support 802.1Q do not accept the encapsulation command, and it is simply omitted there.

Verifying VLAN Configuration:

Switch# show vlan brief

Deleting a VLAN:

Switch(config)# no vlan 10

Ports still assigned to a deleted VLAN remain in it and go inactive until they are moved to an existing VLAN.

Inter-VLAN Routing (Router-on-a-Stick):

Router(config)# interface GigabitEthernet0/0
Router(config-if)# no ip address
Router(config-if)# no shutdown
Router(config-if)# exit
Router(config)# interface GigabitEthernet0/0.10
Router(config-subif)# encapsulation dot1Q 10
Router(config-subif)# ip address 192.168.10.1 255.255.255.0
Router(config-subif)# exit
Router(config)# interface GigabitEthernet0/0.20
Router(config-subif)# encapsulation dot1Q 20
Router(config-subif)# ip address 192.168.20.1 255.255.255.0
Router(config-subif)# exit
Router(config)# ip routing

(IP routing is on by default on a router; the last command is only needed if it has been disabled. The switch port facing GigabitEthernet0/0 must be a trunk carrying VLANs 10 and 20.)

Layer 3 Switch Configuration (SVI - Switch Virtual Interface):

Switch(config)# vlan 10
Switch(config-vlan)# name Sales
Switch(config-vlan)# exit
Switch(config)# vlan 20
Switch(config-vlan)# name Marketing
Switch(config-vlan)# exit
Switch(config)# interface vlan 10
Switch(config-if)# ip address 192.168.10.1 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# exit
Switch(config)# interface vlan 20
Switch(config-if)# ip address 192.168.20.1 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# exit
Switch(config)# ip routing

(ip routing is required on a Layer 3 switch; enable it if it is not already enabled.)
Interview Questions:

  • What is a VLAN and why is it used? (See Quick Overview)
  • Explain the difference between an access port and a trunk port. (See Key Concepts)
  • What is the purpose of 802.1Q? (See Protocol Details)
  • What is the native VLAN and why is it important? (See Key Concepts)
  • How does inter-VLAN routing work? (See How It Works and Configuration Examples)
  • What are some common VLAN security vulnerabilities? (VLAN hopping, double tagging, etc.) How can you mitigate them? (Disable DTP, explicit trunk configuration, avoid VLAN 1 as native VLAN).
  • What is VTP and why is it often not used in modern networks? (Cisco proprietary, security risks, complexity, replaced by manual configuration or other management tools).
  • How do you troubleshoot VLAN connectivity issues? (See Common Issues)
  • What is the VLAN ID range? (1-4094. 1-1005 normal, 1006-4094 extended).
  • What is an SVI (Switch Virtual Interface)? It’s a virtual interface associated with a VLAN on a Layer 3 switch, used to provide IP connectivity for that VLAN.

Detailed Answer Example:

Question: Explain the difference between an access port and a trunk port.

Answer: An access port is a switch port configured for a single VLAN. It’s typically used to connect end devices like computers or printers to the network. Access ports forward traffic only for the VLAN they are assigned to, and they do not tag frames with VLAN information. When a frame is received on an access port, the switch adds the VLAN tag internally. When a frame is sent out an access port, the VLAN tag is removed.

In contrast, a trunk port is a switch port configured to carry traffic for multiple VLANs. It’s used to connect switches together or to connect a switch to a router that performs inter-VLAN routing. Trunk ports use VLAN tagging (typically 802.1Q) to identify which VLAN each frame belongs to. This allows multiple VLANs to share the same physical link. Trunk ports are essential for building scalable and segmented networks.

Related Concepts:

  • Spanning Tree Protocol (STP): Prevents loops in a switched network.
  • Quality of Service (QoS): Prioritizes network traffic based on different criteria.
  • Network Segmentation: Dividing a network into smaller, more manageable segments.
  • Subnetting: Dividing a network into smaller logical networks based on IP addresses.
  • VRF (Virtual Routing and Forwarding): Allows multiple routing tables to exist on a single router.
  • SDN (Software-Defined Networking): A network architecture that allows for centralized control and management of network devices.

This cheatsheet provides a solid foundation for understanding and working with VLANs. Remember to practice configuring VLANs in a lab environment to solidify your knowledge.