VLANs & Layer 2 Switching

The complete VLANs and Layer 2 switching series — 22 articles covering VLAN fundamentals, trunking, inter-VLAN routing, EtherChannel, troubleshooting, and campus design on Cisco Catalyst switches.

VLANs (Virtual LANs) are the foundation of every modern switched network. They let you carve a single physical switching fabric into multiple isolated broadcast domains, which is the only sane way to scale Ethernet past a few hundred hosts. If you are studying for CCNA, designing a campus network, or troubleshooting an inter-VLAN routing issue, VLANs are the layer 2 concept you must own cold.

This is the cluster overview for the full PingLabz VLAN and Layer 2 switching series: 22 articles covering fundamentals, configuration, inter-VLAN routing, EtherChannel, troubleshooting, and campus design. Every article is written for engineers working with Cisco Catalyst switches on IOS XE. Real configs, real show commands, real troubleshooting. Start here, then drill into the deeper articles where you need them.

What a VLAN Actually Is

A VLAN is a logical broadcast domain. Two hosts on the same VLAN behave as if they were on the same physical Ethernet segment, even if they are connected to different switches in different buildings. Two hosts on different VLANs cannot reach each other at Layer 2 at all; they need Layer 3 routing to communicate.

The problem VLANs solve: a flat Layer 2 network is fragile. One misbehaving host floods broadcasts to every other host. Spanning Tree gets harder to reason about. Security policy lives only in firewalls at the edge, with nothing in the middle. VLANs let you draw boundaries inside the switching fabric, which gives you four immediate wins:

  • Smaller broadcast domains - a broadcast storm on one VLAN does not affect the others
  • Logical grouping - hosts can share a VLAN regardless of physical location (same building, same room, even same closet)
  • Security boundaries - inter-VLAN traffic must traverse a router or L3 switch where you can apply ACLs and inspection
  • Reusable IP space - each VLAN gets its own subnet, so you can plan the address space once and re-use the pattern across sites

The full intro is in What Is a VLAN? Virtual LANs Explained for Network Engineers, with the broadcast-domain mechanics in How VLANs Work: Tagging, Broadcast Domains, and Frame Forwarding.

How VLANs Work on the Wire

A switch keeps a VLAN membership for every port, and its CAM (MAC address) table records the VLAN alongside each learned MAC and the port it was learned on. When a frame arrives on an access port, the switch tags it internally with that port's VLAN ID, looks up the destination MAC, and forwards only out ports in the same VLAN. If the destination MAC is unknown, the flood is likewise limited to that VLAN.

So far so simple. The complication arrives when frames need to traverse between switches: how does the second switch know which VLAN a frame belonged to? The answer is 802.1Q trunking. On a trunk port, the switch inserts a 4-byte 802.1Q tag into the Ethernet header carrying the VLAN ID, the receiving switch strips it back off, and the VLAN identity is preserved across the link.

The 802.1Q tag has four fields: TPID (always 0x8100), PCP (3-bit priority for QoS), DEI (drop-eligible indicator), and the VLAN ID itself (12 bits, so the theoretical range is 0-4095, but 0 and 4095 are reserved, leaving 1-4094 usable). The maximum frame size grows from 1518 bytes to 1522 bytes, which is why you sometimes see "baby giant" support on switch ports. The byte-by-byte deep dive is in 802.1Q VLAN Tag Explained: The 4 Bytes That Make Trunking Work.
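To make the four fields concrete, here is an added example (not code from the original article or from PingLabz) that builds Ethernet frames with zero, one or two stacked 802.1Q tags and parses them back, field by field. The MAC addresses, EtherType and payload are constructed sample values; the only real constants are the TPID values and the reserved VLAN IDs. A frame with more than one tag is exactly what a double-tagging attempt looks like on the wire, so the classifier labels it separately, which is the view a capture filter or IDS rule wants.

```python
import struct

# 802.1Q tag layout (4 bytes, inserted after the source MAC):
#   TPID (16 bits) = 0x8100, then TCI: PCP (3 bits) | DEI (1 bit) | VID (12 bits)
TPID_8021Q = 0x8100
TPID_8021AD = 0x88A8        # 802.1ad service tag (QinQ); same TCI layout, parsed the same way
RESERVED_VIDS = {0, 4095}   # 0 = priority-tagged frame with no VLAN, 4095 reserved by the standard

# Constructed sample values (not from the article).
SAMPLE_DST = bytes.fromhex("ffffffffffff")
SAMPLE_SRC = bytes.fromhex("001122334455")
ETHERTYPE_ARP = 0x0806
SAMPLE_PAYLOAD = b"\x00" * 46   # minimum payload so the untagged frame is 60 bytes without FCS


def build_frame(dst, src, vids, ethertype, payload, pcp=0, dei=0):
    """Test helper: build an Ethernet frame with zero or more stacked 802.1Q tags (FCS omitted)."""
    tags = b"".join(
        struct.pack("!HH", TPID_8021Q, (pcp << 13) | (dei << 12) | (vid & 0x0FFF))
        for vid in vids
    )
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Parse dst/src MACs, every stacked 802.1Q tag, the final EtherType and the payload."""
    if len(frame) < 14:
        raise ValueError("shorter than a minimal 14-byte Ethernet header")
    offset = 12          # first EtherType/TPID sits right after the two MACs
    tags = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated EtherType/TPID field")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break        # not a tag: this is the real EtherType of the payload
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({
            "tpid": ethertype,
            "pcp": tci >> 13,
            "dei": (tci >> 12) & 1,
            "vid": tci & 0x0FFF,
            "reserved_vid": (tci & 0x0FFF) in RESERVED_VIDS,
        })
        offset += 4      # each tag adds exactly 4 bytes, hence 1518 -> 1522
    return {
        "dst": frame[0:6].hex(":"),
        "src": frame[6:12].hex(":"),
        "tags": tags,
        "ethertype": ethertype,
        "payload": frame[offset + 2:],
    }


def classify(frame):
    """Label a frame the way a trunk port sees it: untagged, priority-tagged, tagged, or double-tagged."""
    tags = parse_frame(frame)["tags"]
    if not tags:
        return "untagged"
    if len(tags) == 1:
        return "priority-tagged" if tags[0]["vid"] == 0 else "tagged"
    return "double-tagged"


if __name__ == "__main__":
    for vids in ([], [10], [99, 30]):
        f = build_frame(SAMPLE_DST, SAMPLE_SRC, vids, ETHERTYPE_ARP, SAMPLE_PAYLOAD, pcp=5)
        print(len(f), "bytes", classify(f), [t["vid"] for t in parse_frame(f)["tags"]])
```

The parser walks the header one EtherType at a time and only stops when it reaches something that is not a TPID, so it handles a single 0x8100 tag, an 0x88A8 outer tag, or a stack of both without special cases.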

Port Modes: Access, Trunk, Dynamic

Every Cisco switch port operates in one of three modes:

Mode                   | Carries            | Tagging                                 | Use for
-----------------------|--------------------|-----------------------------------------|----------------------------------------------------
Access                 | One VLAN           | Untagged                                | End hosts (PCs, printers, IP phones via voice VLAN)
Trunk                  | Multiple VLANs     | Tagged with 802.1Q (except native VLAN) | Switch-to-switch links, switch-to-router links
Dynamic auto/desirable | Negotiated via DTP | Negotiated via DTP                      | Don't (security risk)

Always set ports explicitly. Dynamic Trunking Protocol (DTP) is enabled by default on every Catalyst port and is a documented attack vector (a malicious host can negotiate trunking, see all VLANs, and pivot - see VLAN Hopping Attacks: Switch Spoofing and Double Tagging for the full attack walkthrough). The PingLabz hardening pattern: switchport mode access on every host port and switchport nonegotiate on every trunk to disable DTP.

The per-port view in show interfaces ... switchport spells out the mode and the VLAN assignments. Compare an access port (with a voice VLAN) against a trunk port from the same lab switch:

SW1#show interfaces Gi0/2 switchport
Name: Gi0/2
Switchport: Enabled
Administrative Mode: static access
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: Off
Access Mode VLAN: 10 (DATA)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: 20 (VOICE)
...

SW1#show interfaces Gi0/0 switchport
Administrative Mode: trunk
Operational Mode: trunk
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 99 (NATIVE)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan trunk encapsulation: dot1q
Trunking VLANs Enabled: 10,20,99

Three things to read in those two outputs. Administrative Mode is the configured intent (static access on Gi0/2, trunk on Gi0/0); "static" means DTP will not talk the port into anything else. Access Mode VLAN: 10 (DATA) on Gi0/2 plus Voice VLAN: 20 (VOICE) is the IP-phone-on-the-same-cable pattern - the phone tags voice VLAN 20, the PC behind it sends untagged frames that fall into VLAN 10. Trunking VLANs Enabled: 10,20,99 on Gi0/0 is the explicit allowed-VLAN list - the default would be "ALL", which is the wrong production default. Detail in DTP: How It Works and Why You Should Disable It and VLAN Access Ports and Switchport Modes.

802.1Q Trunking and the Native VLAN Quirk

The full mental model for tagged vs untagged frames (and the cross-vendor vocabulary) is in Tagged vs Untagged VLANs: How Trunks and Access Ports Really Work.

On a trunk port, every VLAN gets tagged with 802.1Q except one: the native VLAN. The native VLAN is sent untagged, which exists for backwards compatibility with hubs and other devices that do not understand 802.1Q. By default, the native VLAN is VLAN 1.

This default is dangerous for two reasons:

  1. VLAN 1 is everywhere. CDP, VTP, PAgP, DTP all use VLAN 1. Leaving the native VLAN as VLAN 1 means you are mixing control plane and user data on the same untagged segment.
  2. Native VLAN hopping attacks. If an attacker is in the native VLAN, they can inject double-tagged frames that the first switch strips one tag from, then forwards to the next switch with the inner tag intact - landing in any VLAN they target. VLAN Security Hardening covers this and the complete set of L2 controls you need in production.

The fix is simple: change the native VLAN to a dedicated unused VLAN (e.g. VLAN 999) and never let a host port be in it. Native VLAN Configuration and Security on Cisco Switches walks through the change.

Trunk configuration itself is straightforward:

Switch(config)# interface GigabitEthernet1/0/24
Switch(config-if)#  switchport mode trunk
Switch(config-if)#  switchport trunk encapsulation dot1q
Switch(config-if)#  switchport trunk native vlan 999
Switch(config-if)#  switchport trunk allowed vlan 10,20,30,40
Switch(config-if)#  switchport nonegotiate

Notice the allowed vlan list. By default trunks carry every VLAN that exists on the switch, which is rarely what you want; explicitly listing VLANs reduces the broadcast spread and limits attack surface. The trunk inventory in show interfaces trunk consolidates every trunk on the switch into one capture, including the per-trunk allowed VLAN list and what is actually forwarding through STP:

SW1#show interfaces trunk

Port        Mode             Encapsulation  Status        Native vlan
Gi0/0       on               802.1q         trunking      99
Gi0/1       on               802.1q         trunking      99
Po1         on               802.1q         trunking      99

Port        Vlans allowed on trunk
Gi0/0       10,20,99
Gi0/1       10,20,99
Po1         10,20,99

Port        Vlans allowed and active in management domain
Gi0/0       10,20,99
Gi0/1       10,20,99
Po1         10,20,99

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/0       10,20,99
Gi0/1       10,20,99
Po1         10,20

Three things to notice. Mode on means unconditional trunk (no DTP negotiation, the production default). Native VLAN 99 is set explicitly across all three trunks, not left at VLAN 1. The fourth table is the most useful diagnostic: VLAN 99 appears in the allowed list for Po1 but NOT in its STP-forwarding column, because STP is breaking a loop on the native VLAN by blocking Po1 for VLAN 99 specifically. Reading those four tables against each other immediately tells you whether a trunk problem is allowed-list, native-VLAN, or STP-pruning. Configuring 802.1Q Trunks on Cisco Catalyst Switches has the full pattern.
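Reading the four tables against each other is exactly the kind of check worth scripting when you have dozens of trunks. The following is an added example, not code from the article or from PingLabz: it parses the show interfaces trunk capture above (embedded as sample input), expands IOS VLAN lists such as 10,20,30-35 or ALL, and reports the three problem classes the text names: native VLAN left at 1, allowed list left at the default ALL, and VLANs that are allowed and active but not STP-forwarding (the Po1 / VLAN 99 case). It also separates "allowed but not active", which means the VLAN is not in the VLAN database at all.

```python
import re

# Capture from the article's lab switch, embedded here as sample input.
SHOW_INTERFACES_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/0       on               802.1q         trunking      99
Gi0/1       on               802.1q         trunking      99
Po1         on               802.1q         trunking      99

Port        Vlans allowed on trunk
Gi0/0       10,20,99
Gi0/1       10,20,99
Po1         10,20,99

Port        Vlans allowed and active in management domain
Gi0/0       10,20,99
Gi0/1       10,20,99
Po1         10,20,99

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/0       10,20,99
Gi0/1       10,20,99
Po1         10,20
"""


def expand_vlan_list(text):
    """Expand an IOS VLAN list ('10,20,30-35', 'ALL', 'none') into a set of VLAN IDs."""
    text = text.strip()
    if text.upper() == "ALL":
        return set(range(1, 4095))        # 1-4094, the full usable range
    if text.lower() == "none":
        return set()
    vlans = set()
    for part in text.split(","):
        lo, _, hi = part.strip().partition("-")
        if lo:
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_show_interfaces_trunk(output):
    """Return {port: {mode, encapsulation, status, native, allowed, active, forwarding}}."""
    trunks = {}
    # The command prints four tables separated by blank lines; the header tells us which is which.
    for block in re.split(r"\n\s*\n", output.strip()):
        lines = [l for l in block.splitlines() if l.strip()]
        if not lines:
            continue
        header, rows = lines[0], lines[1:]
        if "Native vlan" in header:
            for row in rows:
                port, mode, encap, status, native = row.split()
                trunks[port] = {"mode": mode, "encapsulation": encap,
                                "status": status, "native": int(native)}
        else:
            key = ("forwarding" if "forwarding" in header
                   else "active" if "active" in header
                   else "allowed")
            for row in rows:
                port, vlans = row.split(None, 1)
                trunks.setdefault(port, {})[key] = expand_vlan_list(vlans)
    return trunks


def audit_trunks(trunks):
    """Flag native-VLAN, allowed-list and STP-forwarding problems, per trunk."""
    findings = []
    for port, t in sorted(trunks.items()):
        allowed = t.get("allowed", set())
        active = t.get("active", set())
        forwarding = t.get("forwarding", set())
        if t.get("native") == 1:
            findings.append((port, "native VLAN is 1"))
        if len(allowed) >= 4094:
            findings.append((port, "allowed list is the default ALL"))
        missing = allowed - active
        if missing:
            findings.append((port, "allowed but not in VLAN database: "
                             + ",".join(map(str, sorted(missing)))))
        blocked = active - forwarding
        if blocked:
            findings.append((port, "allowed but not STP-forwarding: "
                             + ",".join(map(str, sorted(blocked)))))
    return findings


if __name__ == "__main__":
    for port, msg in audit_trunks(parse_show_interfaces_trunk(SHOW_INTERFACES_TRUNK)):
        print(f"{port}: {msg}")
```

Run against the capture above it prints a single line for Po1, VLAN 99 allowed but not STP-forwarding, which is the STP-blocking case the fourth table reveals; the other two trunks are clean.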

Basic VLAN Configuration on Cisco IOS XE

The minimum to create a VLAN and assign a host port:

Switch(config)# vlan 10
Switch(config-vlan)#  name USERS
Switch(config-vlan)# exit
Switch(config)# interface GigabitEthernet1/0/1
Switch(config-if)#  switchport mode access
Switch(config-if)#  switchport access vlan 10
Switch(config-if)#  switchport nonegotiate
Switch(config-if)#  spanning-tree portfast
Switch(config-if)#  spanning-tree bpduguard enable

The last two lines are not optional in production. PortFast skips the listening/learning states for end-host ports (so PCs DHCP cleanly within seconds rather than 30+ seconds), and BPDU Guard error-disables the port immediately if anyone plugs a switch into it. See the STP cluster at Spanning Tree Protocol (STP) for the why.

Verification on the lab switch:

SW1#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active
10   DATA                             active    Gi0/2
20   VOICE                            active    Gi0/2
99   NATIVE                           active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN 1 (default) always exists - you cannot delete it. VLAN 10/20/99 were created by config. Gi0/2 appears under both VLAN 10 and VLAN 20 because of the voice-VLAN configuration (data on VLAN 10, voice on VLAN 20, same physical port). Trunk ports do NOT appear in this list - trunks are not "assigned" to a VLAN, they carry many. The 1002-1005 entries are the FDDI/Token Ring reserved range from the original 1990s spec; they cannot be used for production VLANs. Detail and edge cases in Configuring VLANs on Cisco Catalyst Switches and VLAN Naming, Ranges, and Management Best Practices on Cisco IOS XE.

Inter-VLAN Routing: Three Ways to Cross VLAN Boundaries

VLANs by themselves only isolate; they do not communicate. To let one VLAN reach another you need a Layer 3 device. The three options, in order of modern preference:

Approach                                          | Where the routing happens                              | Pros                                            | Cons
--------------------------------------------------|--------------------------------------------------------|-------------------------------------------------|-------------------------------------------
L3 switch with SVIs                               | Hardware ASIC on the switch                            | Wire-rate, scales to many VLANs, modern default | Requires L3 license / hardware
Router-on-a-stick                                 | External router with subinterfaces over a single trunk | Cheap, works on any router                      | Bottleneck on the trunk; software routing
External router with multiple physical interfaces | One physical link per VLAN                             | Conceptually simple                             | Doesn't scale past a few VLANs

The L3 switch SVI pattern is what almost every modern campus uses. You configure a Switch Virtual Interface (SVI) for each VLAN with the gateway IP, enable IP routing on the switch, and the ASIC routes between VLANs at line rate:

Switch(config)# ip routing
Switch(config)# interface vlan 10
Switch(config-if)#  ip address 10.10.10.1 255.255.255.0
Switch(config-if)#  no shutdown
Switch(config)# interface vlan 20
Switch(config-if)#  ip address 10.10.20.1 255.255.255.0
Switch(config-if)#  no shutdown

The full walkthrough for each approach lives in Configuring SVIs for Inter-VLAN Routing, Inter-VLAN Routing with Router-on-a-Stick, and Inter-VLAN Routing on a Layer 3 Switch.

Specialized VLANs: Voice, Private, Management

Beyond plain data VLANs, three specialized variants come up constantly:

Voice VLANs. Cisco IP phones tag their voice traffic with one VLAN ID and pass through PC traffic untagged on a different VLAN. The same physical port carries both. Configuring Voice VLANs on Cisco Switches for IP Phones covers the syntax (switchport voice vlan) and the QoS implications.

Private VLANs (PVLANs). Sometimes you need hosts in the same subnet to be isolated from each other (think shared hosting, hotel guest networks, certain DMZs). PVLANs subdivide a VLAN into Primary, Isolated, and Community sub-domains, all sharing one Layer 3 gateway. Private VLANs on Cisco Catalyst Switches walks through the configuration.

Management VLAN. The VLAN your network management traffic (SSH, SNMP, syslog, NTP) lives in. Should always be a dedicated VLAN, never VLAN 1, and accessible only from your jump hosts. Set the SVI in this VLAN as the source for management protocols.

VTP: Use With Caution

VLAN Trunking Protocol (VTP) propagates VLAN database changes across switches to save you typing. It also has a famous failure mode: a switch with a higher VTP revision number plugged into a VTP domain wipes every other switch's VLAN database to match its own, and entire networks have gone down because someone connected a lab switch to production.

The PingLabz default: VTP transparent mode on every switch (each switch maintains its own VLAN database, propagates VTP advertisements but ignores them). VTP version 3 with controlled primary/secondary servers is acceptable in tightly-managed environments. VTP Configuration on Cisco Switches has the full pattern, including the rollover-incident-prevention drill.

EtherChannel: Bundling Links Without Spanning Tree Blocking Them

EtherChannel (also called LAG, Link Aggregation, or port-channel) bundles 2-8 physical links into a single logical link. It is essential for two reasons: it defeats the Layer 2 redundancy paradox (multiple links between the same two switches without Spanning Tree blocking some), and it scales bandwidth linearly without requiring faster physical interfaces.

Three control protocols:

Protocol    | Standard          | Modes           | When to use
------------|-------------------|-----------------|-------------------------------------------------------
LACP        | IEEE 802.3ad      | active, passive | Default modern choice; vendor-neutral
PAgP        | Cisco-proprietary | desirable, auto | Cisco-only environments; legacy
Static (on) | None              | on              | Avoid; no negotiation means a misconfig fails silently

LACP is the modern default. Both ends should be in active, with passive only used on one side intentionally. Load balancing is configured separately and matters for actual throughput; the default src-dst-ip usually works but is worth checking for high-throughput links. The lab has a single channel-group between SW1 and SW2 running LACP active on both ends; show etherchannel summary is the one-line health check:

SW1#show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      N - not in use, no aggregation
        f - failed to allocate aggregator
        ...

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)         LACP      Gi0/3(P)

Two flags do the work. Po1(SU) means the port-channel is in use and Layer 2 - the bundle is forwarding and is a switchport (not a routed link). Gi0/3(P) means the physical port is bundled in the port-channel. Protocol LACP confirms dynamic negotiation; if the peer had been misconfigured as mode on the flag would shift to s (suspended) and the channel would never form - a common interop failure that this exact capture catches in five seconds. EtherChannel Fundamentals and Configuring EtherChannel with LACP on Cisco Catalyst Switches have the full configurations.
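The flag reading above is easy to automate across many switches. This added example (not code from the article or from PingLabz) parses the Group/Port-channel/Protocol/Ports table from show etherchannel summary, embedding the lab capture above as one sample and a constructed second capture in which the member port carries the s (suspended) flag, and returns a list of health issues based on the flag legend: U missing on the port-channel, or a member that is suspended, down, or stand-alone rather than bundled (P).

```python
import re

# Capture from the article's lab switch (legend lines omitted), embedded as sample input.
SHOW_ETHERCHANNEL_SUMMARY = """\
Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)         LACP      Gi0/3(P)
"""

# Constructed sample (not from the article): the member is suspended, so the bundle never came up.
SUSPENDED_SUMMARY = """\
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SD)         LACP      Gi0/3(s)
"""

# Matches "Po1(SU)" or "Gi0/3(P)": an interface name followed by its flag letters in parentheses.
FLAGGED = re.compile(r"^([A-Za-z][\w/.]*)\(([A-Za-z]+)\)$")


def parse_etherchannel_summary(output):
    """Return {group_number: {port_channel, flags, protocol, members: {port: flags}}}."""
    groups, in_table, last = {}, False, None
    for line in output.splitlines():
        if line.startswith("------"):
            in_table = True          # everything after the dashed rule is table rows
            continue
        if not in_table or not line.strip():
            continue
        parts = line.split()
        if parts[0].isdigit():
            name, flags = FLAGGED.match(parts[1]).groups()
            last = int(parts[0])
            groups[last] = {"port_channel": name, "flags": flags,
                            "protocol": parts[2], "members": {}}
            members = parts[3:]
        else:
            members = parts          # wrapped row: more member ports for the previous group
        for token in members:
            m = FLAGGED.match(token)
            if m and last is not None:
                groups[last]["members"][m.group(1)] = m.group(2)
    return groups


def channel_health(groups):
    """Turn the flag letters into plain-language issues; an empty list means every bundle is healthy."""
    issues = []
    for g in groups.values():
        po = g["port_channel"]
        if "U" not in g["flags"]:
            issues.append(f"{po}: port-channel not in use (flags {g['flags']})")
        for port, flags in g["members"].items():
            if "s" in flags:
                issues.append(f"{po}: {port} suspended (check the peer's channel mode/protocol)")
            elif "D" in flags:
                issues.append(f"{po}: {port} down")
            elif "I" in flags:
                issues.append(f"{po}: {port} stand-alone, not bundled")
            elif "P" not in flags:
                issues.append(f"{po}: {port} not bundled (flags {flags})")
    return issues


if __name__ == "__main__":
    for capture in (SHOW_ETHERCHANNEL_SUMMARY, SUSPENDED_SUMMARY):
        print(channel_health(parse_etherchannel_summary(capture)) or ["healthy"])
```

The lab capture yields no issues; the constructed capture yields two, one for the Po1 bundle not being in use and one for the suspended member, which is the interop failure the text describes.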

Layer 2 Security: The VLAN Hardening Checklist

Layer 2 attacks bypass every firewall above them. The minimum production hardening:

  • Disable DTP everywhere. switchport nonegotiate on every port that is not specifically engineered for trunking negotiation.
  • Move the native VLAN away from VLAN 1 to a dedicated, unused VLAN. Never put a host port in that VLAN.
  • Prune VLANs from trunks. Use switchport trunk allowed vlan with an explicit list, not the default.
  • BPDU Guard on every host port. Combined with PortFast, this prevents an attacker from connecting a rogue switch.
  • Storm Control on host ports to limit broadcast/multicast flood from a misbehaving NIC.
  • DHCP Snooping + Dynamic ARP Inspection to block rogue DHCP servers and ARP spoofing.
  • Port Security to limit MAC addresses per port (with caution on voice + PC ports, which legitimately need 2).
  • Disable VLAN 1. No SVI, no host ports, no trunks carrying it.

The full hardening pattern with configurations is in VLAN Security Hardening: Protecting Your Layer 2 Network.
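A checklist is only useful if you can prove every port meets it. The following is an added example, not code from the article or from PingLabz: a small auditor that reads a Cisco running-config (a constructed sample is embedded, modelled on the configuration snippets above) and flags the DTP, native-VLAN, allowed-list, PortFast, BPDU Guard and VLAN 1 SVI items from the checklist per interface. It deliberately reports a port with no switchport mode line, because on Catalyst the default is dynamic and DTP will negotiate; Storm Control, DHCP Snooping, DAI and Port Security are left out to keep the example focused.

```python
# Constructed sample running-config (not from the article). Two ports are done right,
# two are half-finished, and VLAN 1 still has a live SVI.
SAMPLE_RUNNING_CONFIG = """\
!
vlan 10
 name DATA
vlan 20
 name VOICE
vlan 99
 name NATIVE
!
interface Vlan1
 ip address 10.0.0.2 255.255.255.0
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 switchport access vlan 10
 spanning-tree portfast
!
interface GigabitEthernet1/0/23
 switchport mode trunk
!
interface GigabitEthernet1/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20,99
 switchport nonegotiate
!
"""


def parse_interfaces(config):
    """Return {interface_name: [sub-commands]}; '!' or any top-level line ends a block."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
    return interfaces


def vlan_in_list(vid, text):
    """True if vid falls inside an IOS VLAN list such as '1-10,20,99'."""
    for part in text.split(","):
        lo, _, hi = part.strip().partition("-")
        if lo and int(lo) <= vid <= int(hi or lo):
            return True
    return False


def audit_layer2(config):
    """Return {interface: [finding, ...]} for every interface that misses a checklist item."""
    findings = {}

    def flag(intf, msg):
        findings.setdefault(intf, []).append(msg)

    for name, cmds in parse_interfaces(config).items():
        cmdset = set(cmds)
        if name.lower() == "vlan1":
            if "shutdown" not in cmdset:
                flag(name, "VLAN 1 SVI is not shut down")
            continue
        if not any(c.startswith("switchport") for c in cmds):
            continue                      # routed or unconfigured port: out of scope here
        mode = next((c.split()[2] for c in cmds if c.startswith("switchport mode ")), None)
        if mode is None or mode == "dynamic":
            flag(name, "switchport mode not fixed to access or trunk (DTP will negotiate)")
        if "switchport nonegotiate" not in cmdset:
            flag(name, "DTP not disabled (missing switchport nonegotiate)")
        if mode == "trunk":
            native = next((int(c.split()[-1]) for c in cmds
                           if c.startswith("switchport trunk native vlan ")), 1)
            if native == 1:
                flag(name, "native VLAN is 1")
            allowed = next((c.split("vlan", 1)[1].strip() for c in cmds
                            if c.startswith("switchport trunk allowed vlan ")), None)
            if allowed is None:
                flag(name, "allowed VLAN list is the default (ALL)")
            elif vlan_in_list(1, allowed):
                flag(name, "VLAN 1 is in the allowed list")
        else:
            if "spanning-tree portfast" not in cmdset:
                flag(name, "PortFast not enabled on host port")
            if "spanning-tree bpduguard enable" not in cmdset:
                flag(name, "BPDU Guard not enabled on host port")
    return findings


if __name__ == "__main__":
    for intf, msgs in audit_layer2(SAMPLE_RUNNING_CONFIG).items():
        for msg in msgs:
            print(f"{intf}: {msg}")
```

On the sample config, Gi1/0/1 and Gi1/0/24 come back clean, Gi1/0/2 is flagged for relying on DTP and lacking BPDU Guard, Gi1/0/23 for native VLAN 1 and the default allowed list, and Vlan1 for the live SVI.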

Campus VLAN Design

The dominant pattern for campus networks is access-distribution-core. VLANs live at the access layer, get extended (or terminated) at the distribution layer, and the core routes between distribution blocks. Two key design choices:

  1. Where do you terminate Layer 2? Modern best practice: terminate at the access layer (each access switch is its own L3 device, no VLANs span between access switches). This eliminates Spanning Tree as a critical failure mode and lets you use ECMP routing for redundancy.
  2. How do you address? One VLAN per access switch (small subnet, /24 or smaller) is cleaner than VLANs spanning multiple closets. Voice and data on the same port using voice VLAN.

The full design pattern with diagrams and worked examples is in VLAN Design for Campus Networks: From Access to Core.

Troubleshooting: Where VLAN Problems Hide

The one obscure-but-useful diagnostic worth knowing about is show vlan internal usage. Catalyst switches use the extended VLAN range (1006-4094) for internal allocations when you configure routed ports, L3 SVIs, or certain hardware features - and if you later try to configure a user VLAN on a number the platform has silently grabbed, the VLAN will refuse to come up with an unhelpful error. On the small lab switch the table is empty because no L3 features are configured:

SW1#show vlan internal usage

VLAN Usage
---- --------------------

On a production Catalyst 9000 with several L3 routed ports and SVIs, this same command shows the dynamic VLAN-to-feature mappings. The diagnostic move: if VLAN N refuses to come up and the error does not explain why, this is the command that explains it.

The Full VLAN Cluster, in Reading Order

Fundamentals

1. What Is a VLAN? Virtual LANs Explained for Network Engineers
2. How VLANs Work: Tagging, Broadcast Domains, and Frame Forwarding
3. VLAN Access Ports and Switchport Modes
4. VLAN Trunking Explained: 802.1Q, Allowed Lists, and Trunk Negotiation
5. DTP (Dynamic Trunking Protocol)

VLAN Configuration

6. Configuring VLANs on Cisco Catalyst Switches
7. VLAN Naming, Ranges, and Management Best Practices
8. Configuring 802.1Q Trunks on Cisco Catalyst Switches
9. Native VLAN Configuration and Security
10. VTP Configuration on Cisco Switches

SVIs and Inter-VLAN Routing

11. Configuring SVIs for Inter-VLAN Routing
12. Inter-VLAN Routing with Router-on-a-Stick
13. Inter-VLAN Routing on a Layer 3 Switch

Specialized VLANs

14. Configuring Voice VLANs on Cisco Switches for IP Phones
15. Private VLANs on Cisco Catalyst Switches

EtherChannel

16. EtherChannel Fundamentals
17. Configuring EtherChannel with LACP

Troubleshooting

18. Troubleshooting VLAN and Trunk Problems
19. Troubleshooting Inter-VLAN Routing
20. Troubleshooting SVI Up/Down Issues

Design and Security

21. VLAN Security Hardening
22. VLAN Design for Campus Networks

Hands-on VLANs - 14 CCNA Network Access labs

Configure VLANs, 802.1Q trunks, VTP, DTP, voice VLAN, EtherChannel (LACP + PAgP), and inter-VLAN routing on three Cisco IOSvL2 switches. VLANs+Trunks+VTP lab is free preview. Open the PingLabz CCNA Labs library.


Frequently Asked Questions

What does VLAN stand for?

VLAN stands for Virtual Local Area Network. It is a logical broadcast domain that can span multiple physical switches.

How many VLANs can I have?

The 802.1Q tag uses 12 bits for the VLAN ID, giving a theoretical range of 0-4095. VLANs 0 and 4095 are reserved by the standard. Cisco extended-range VLANs (1006-4094) require VTP transparent mode or VTP v3. Most networks use IDs 2-1001 (the "normal range").

Is a VLAN the same as a subnet?

No, but in a typical design they map one-to-one. A VLAN is a Layer 2 broadcast domain. A subnet is a Layer 3 IP network. You can technically run multiple subnets on the same VLAN (secondary IPs on an SVI) or one subnet across multiple VLANs (with bridging), but neither is recommended.

What is the difference between an access port and a trunk port?

An access port carries traffic for one VLAN, untagged. End hosts (PCs, printers, IP phones) connect to access ports. A trunk port carries traffic for multiple VLANs, with each frame tagged with its VLAN ID using 802.1Q (except the native VLAN). Switch-to-switch and switch-to-router links are trunks.

What is a native VLAN?

The native VLAN is the one VLAN on a trunk port whose frames are sent untagged. It exists for backwards compatibility. By default it is VLAN 1, but you should change it to a dedicated unused VLAN for security; mismatched native VLANs across a trunk also cause CDP/STP errors and possible double-tagging vulnerabilities.

Can VLANs be attacked?

Yes. Two main attacks: switch spoofing (a malicious host negotiates DTP and becomes a trunk, gaining access to all VLANs) and double tagging (an attacker injects a frame with two 802.1Q tags so the first switch strips one and forwards to the inner-tagged VLAN). Both are mitigated by disabling DTP, moving the native VLAN, and pruning trunk allowed lists. See VLAN Security Hardening.

Key Takeaways

If you take one thing away from this guide, make it this: VLANs are how you scale Ethernet, but they only buy you isolation if you configure them defensively. Disable DTP. Move the native VLAN. Prune trunks. Use BPDU Guard and PortFast on host ports. Pick one inter-VLAN routing approach and apply it consistently. Bookmark this page, work through the cluster articles in order, and run every configuration in a lab. By the time you finish, you will be ready for any VLAN question a CCNA/CCNP exam or a 3 AM ticket can throw at you.
