VLAN, subnet, and broadcast domain are three terms that get used interchangeably in conversation and treated as identical in most network drawings. They are not identical. Each one describes a different thing, sitting at a different layer of the stack, and the relationship between them is what trips up engineers when they design or troubleshoot anything past the basics.
For the L2 fundamentals, see the VLAN and Layer 2 switching pillar. For why the same conversation matters at L3, see the IPv6 pillar.
Quick definitions, then the relationships
| Term | Layer | What it is |
|---|---|---|
| Broadcast domain | L2 | The set of devices that receive a frame sent to the broadcast MAC (FF:FF:FF:FF:FF:FF). Defined by what is physically and logically reachable without crossing a Layer 3 hop. |
| VLAN | L2 | A logical partition of a physical switch that creates a separate broadcast domain inside the switch. Identified by a 12-bit VLAN ID (1-4094). |
| Subnet | L3 | A range of IP addresses with a common prefix length. Defined by network address and subnet mask. Pure IP concept; a switch's Layer 2 forwarding decision never looks at it. |
The relationship that matters most:
- One VLAN = one broadcast domain. Every VLAN creates a separate L2 segment. Frames flooded inside VLAN 10 do not leak into VLAN 20 on the same switch.
- One VLAN usually = one subnet. In conventional designs, you assign a single subnet (say 10.10.10.0/24) to a single VLAN (say VLAN 10). This is convention, not law. The two concepts live at different layers.
- One subnet does not have to map to one VLAN. You can put one subnet across multiple VLANs (rare, usually a mistake) or multiple subnets inside one VLAN (called secondary IPs, also usually a mistake).
Why a broadcast domain matters
Every broadcast frame is processed by every device in the broadcast domain. ARP requests, DHCP discovers, NetBIOS announcements, IPv6 ND (multicast, but inside the same L2 segment), STP BPDUs, link-local services. The more devices in a broadcast domain, the more "background noise" every device has to ignore, and the larger the blast radius of any L2 misbehavior (a broadcast storm, a misbehaving printer flooding NetBIOS, a duplicate IP causing ARP confusion).
Practical sizing rule from the field: keep a broadcast domain under 250 to 500 active hosts. Beyond that, ARP table churn alone starts to cost CPU on the L3 gateway. Routers handle a few hundred broadcasts per second without breaking a sweat. A flat /16 network with 8,000 devices generates enough ARP and DHCP noise to make troubleshooting miserable.
Why a VLAN is not the same as a broadcast domain
A VLAN is the mechanism. The broadcast domain is the consequence. If you turn off STP and connect two access ports on different VLANs by accident with a crossover cable, you have just merged two broadcast domains while leaving the VLAN configuration on each switch unchanged. The configuration says VLAN 10 and VLAN 20 are separate. The traffic disagrees.
This is why VLAN configuration alone is not a security boundary. VLAN-hopping attacks (double-tagging, which rides a trunk's untagged native VLAN; switch spoofing, which negotiates a trunk on a port that should have been a plain access port) exploit exactly this gap between "what the config says" and "what the broadcast domain actually contains."
Why a subnet is not the same as a VLAN
A switch does not look at IP addresses to decide where to flood a broadcast frame. It looks at VLAN tags and MAC tables. So the subnet a host belongs to has no influence on which broadcast domain it lives in.
You can put a host with IP 10.10.10.5/24 in VLAN 20. It will work. The host will broadcast ARP for its 10.10.10.0/24 subnet mates. Those ARPs will reach every other device in VLAN 20, including hosts with completely different IPs (172.16.5.0/24, say). None of them will answer because none of them are in the right subnet. The host will conclude its neighbors are unreachable. The configuration is "valid" at every layer. It just does not work.
This is why misalignment between VLAN and subnet is one of the most common access-port misconfigurations. The right intuition is: a VLAN is a fence; a subnet is a phone book. The fence keeps frames from crossing. The phone book tells hosts who to call. Both have to agree.
Inter-VLAN routing: where the layers meet
The moment two subnets live in two different VLANs, traffic between them needs a router. A switch will not move a frame from VLAN 10 to VLAN 20. The standard mechanisms are:
| Method | How it works | When to use |
|---|---|---|
| Switched Virtual Interfaces (SVIs) | A Layer 3 switch creates a virtual interface per VLAN with an IP address. The switch routes between SVIs in hardware. | Default modern design. Used on any L3 switch from a Catalyst 9300 upward. |
| Router-on-a-stick | A trunk from the switch to a router. The router has a sub-interface per VLAN, each with its own IP. | Lab work, or branches with an L2-only access switch and a single router for L3. |
| External L3 gateway (firewall, FHRP) | The L2 switch trunks all VLANs to a firewall pair or a routed pair running HSRP/VRRP. | Security-sensitive segments where you want all inter-VLAN traffic to traverse a stateful firewall. |
A worked example
You have a switch with three VLANs and three subnets:
- VLAN 10, 10.10.10.0/24, the user VLAN
- VLAN 20, 10.10.20.0/24, the server VLAN
- VLAN 30, 10.10.30.0/24, the voice VLAN
You have three broadcast domains (one per VLAN). You have three subnets. A broadcast sent from a user in VLAN 10 reaches every other user in VLAN 10, no servers in VLAN 20, and no phones in VLAN 30. A user wanting to reach a server in VLAN 20 sends the packet to its default gateway (the SVI for VLAN 10), which routes it into VLAN 20 and forwards the frame to the destination MAC.
Now consider a different scenario: someone configures a server's NIC manually with 10.10.20.5/24 but plugs it into a switch port assigned to VLAN 10. The server is in:
- Broadcast domain: VLAN 10
- VLAN: 10
- Subnet: 10.10.20.0/24
It will ARP for 10.10.20.1 (its configured gateway). The ARP request flies across VLAN 10. Nothing in VLAN 10 has IP 10.10.20.1. The server's default gateway resolution fails. No traffic leaves the server. The cable is fine, the switch port is up, the IP looks correct, but the subnet is wrong for that VLAN. This is the canonical "VLAN and subnet are not the same thing" failure.
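The two scenarios above (SVI routing between three aligned VLANs, then the server plugged into the wrong VLAN) can be traced with a small model. The following Python is an added example, not code from the original article: it represents an L3 switch as one SVI per VLAN plus hosts on access ports, answers ARP only inside a broadcast domain, routes between SVIs by longest prefix match, and includes an `audit()` that flags any host whose configured subnet disagrees with the SVI subnet of its VLAN. The `links` set is a hypothetical extra that models the stray cable from the "VLAN is the mechanism, the broadcast domain is the consequence" section: it merges two VLANs into one broadcast domain while the VLAN configuration stays unchanged. All names, addresses and host entries are constructed to match the article's worked example.

```python
"""Toy model of VLANs, subnets and broadcast domains (constructed example, not the article's code)."""
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Interface, ip_address, ip_interface
from typing import Optional


@dataclass
class Host:
    name: str
    vlan: int                 # VLAN of the access port the host is plugged into (L2)
    iface: IPv4Interface      # configured address and prefix length (L3)
    gateway: IPv4Address      # configured default gateway (L3)


@dataclass
class L3Switch:
    svis: dict[int, IPv4Interface]          # VLAN id -> SVI address/prefix
    hosts: list[Host]
    # Hypothetical stray links (the crossover-cable case): each frozenset joins two VLANs
    # into one broadcast domain without touching the VLAN configuration.
    links: set[frozenset[int]] = field(default_factory=set)

    def host(self, name: str) -> Host:
        return next(h for h in self.hosts if h.name == name)

    def broadcast_domain(self, vlan: int) -> set[int]:
        """VLANs reachable from `vlan` without crossing a Layer 3 hop."""
        seen, todo = {vlan}, [vlan]
        while todo:
            v = todo.pop()
            for link in self.links:
                if v in link:
                    (other,) = link - {v}
                    if other not in seen:
                        seen.add(other)
                        todo.append(other)
        return seen

    def broadcast_receivers(self, sender: Host) -> set[str]:
        """Everything that has to process a frame sent to FF:FF:FF:FF:FF:FF by `sender`."""
        domain = self.broadcast_domain(sender.vlan)
        names = {h.name for h in self.hosts if h.vlan in domain and h is not sender}
        return names | {f"SVI{v}" for v in self.svis if v in domain}

    def arp(self, sender: Host, target: IPv4Address) -> Optional[str]:
        """Who answers an ARP for `target`? Only a device inside the sender's broadcast domain."""
        domain = self.broadcast_domain(sender.vlan)
        for v, svi in self.svis.items():
            if v in domain and svi.ip == target:
                return f"SVI{v}"
        for h in self.hosts:
            if h.vlan in domain and h.iface.ip == target:
                return h.name
        return None

    def deliver(self, src: Host, dst_ip: IPv4Address) -> str:
        """Trace one packet: on-link ARP, or ARP for the gateway and route via the SVIs."""
        if dst_ip in src.iface.network:            # host thinks the destination is on-link
            answer = self.arp(src, dst_ip)
            return f"on-link via {answer}" if answer else "FAIL: on-link ARP unanswered"
        gw = self.arp(src, src.gateway)
        if gw is None:                             # the wrong-VLAN failure from the article
            return "FAIL: gateway ARP unanswered"
        # The L3 switch chooses the egress SVI by longest prefix match on the destination.
        candidates = [(v, s) for v, s in self.svis.items() if dst_ip in s.network]
        if not candidates:
            return "FAIL: no route"
        egress, _ = max(candidates, key=lambda vs: vs[1].network.prefixlen)
        for h in self.hosts:
            if h.vlan in self.broadcast_domain(egress) and h.iface.ip == dst_ip:
                return f"routed {gw} -> SVI{egress} -> {h.name}"
        return f"FAIL: {dst_ip} not found in VLAN {egress}"


def audit(sw: L3Switch) -> list[str]:
    """Flag hosts whose configured subnet does not match the SVI subnet of their access VLAN."""
    findings = []
    for h in sw.hosts:
        svi = sw.svis.get(h.vlan)
        if svi is None:
            findings.append(f"{h.name}: VLAN {h.vlan} has no SVI")
        elif h.iface.network != svi.network:
            findings.append(f"{h.name}: {h.iface} on VLAN {h.vlan} whose SVI subnet is {svi.network}")
    return findings


def build_example() -> L3Switch:
    """The article's three-VLAN switch plus the server plugged into the wrong VLAN (constructed)."""
    svis = {v: ip_interface(f"10.10.{v}.1/24") for v in (10, 20, 30)}
    hosts = [
        Host("user1", 10, ip_interface("10.10.10.5/24"), ip_address("10.10.10.1")),
        Host("srv1", 20, ip_interface("10.10.20.10/24"), ip_address("10.10.20.1")),
        Host("phone1", 30, ip_interface("10.10.30.7/24"), ip_address("10.10.30.1")),
        Host("bad_srv", 10, ip_interface("10.10.20.5/24"), ip_address("10.10.20.1")),
    ]
    return L3Switch(svis, hosts)


if __name__ == "__main__":
    sw = build_example()
    print(sw.deliver(sw.host("user1"), ip_address("10.10.20.10")))
    print(sw.deliver(sw.host("bad_srv"), ip_address("10.10.10.5")))
    print(audit(sw))
```

Running the model shows the three layers separately: `broadcast_receivers` is the L2 consequence, `audit` compares the L3 plan against the L2 port assignment, and `deliver` is where a host that passes every single-layer check still fails because its gateway ARP never leaves VLAN 10. Adding `frozenset({10, 20})` to `links` makes the misconfigured server start working again, for the wrong reason, which is exactly why the audit compares configuration rather than trusting observed reachability.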
IPv6, link-local scope, and where this changes
IPv6 reuses the same architecture but renames the pieces. The "broadcast domain" concept becomes the "link" or "link-local scope." IPv6 has no broadcast at all; ARP is replaced by Neighbor Discovery, which uses multicast scoped to the link. Everything about VLANs and links and subnets still maps cleanly: one VLAN equals one link, one link usually equals one IPv6 prefix, and a host with the wrong prefix on the right link fails the same way it does in IPv4.
Key takeaways
VLAN, subnet, and broadcast domain describe different things at different layers. A VLAN is an L2 mechanism. A broadcast domain is the L2 consequence. A subnet is an L3 concept that lives entirely above the switch's awareness. By convention, one VLAN equals one broadcast domain equals one subnet, and this convention works because nobody benefits from breaking it. When the three get out of alignment, hosts come up clean at every individual layer but cannot talk to anything, and the misalignment is invisible without checking all three.
For the L2 mechanics that enforce these boundaries, see the VLAN pillar.