Every switch you pull out of the box puts all its ports in a single broadcast domain. Plug in fifty devices and every ARP request, DHCP discover, and NetBIOS announcement hits all fifty ports — whether those devices need to talk to each other or not. VLANs solve this problem by letting you split one physical switch into multiple logical switches, each with its own broadcast domain, without adding hardware.
If you manage Cisco Catalyst switches in any capacity, VLANs are not optional knowledge — they are the foundation everything else sits on: trunking, inter-VLAN routing, QoS, access control, and spanning tree all depend on a solid VLAN design.
Why VLANs Exist
Before VLANs, the only way to separate broadcast domains was to use separate physical switches connected through a router. A finance department that needed isolation from engineering meant a dedicated switch for finance, a dedicated switch for engineering, and a router between them. That approach works at small scale but falls apart quickly:
Hardware cost doubles with every new segment. Cable runs multiply. The router becomes a bottleneck. And every time someone moves desks, you are re-patching cables instead of typing a single command.
VLANs eliminate all of this. With a VLAN-capable switch, you assign ports to logical groups. Ports in VLAN 10 behave as if they are on their own isolated switch — they share a broadcast domain, learn each other's MAC addresses, and forward frames among themselves. Ports in VLAN 20 do the same, completely unaware that VLAN 10 exists on the same hardware.
Broadcast Domains and Collision Domains
Understanding VLANs requires understanding what they actually control: broadcast domains.
A broadcast domain is the set of devices that receive a Layer 2 broadcast frame (destination FF:FF:FF:FF:FF:FF). On a flat switch with no VLANs configured, the broadcast domain spans every port. On a switch with VLANs configured, each VLAN is its own broadcast domain.
Collision domains are largely irrelevant on modern switches: each switchport is its own collision domain thanks to full-duplex operation. The distinction still matters on exams and in legacy half-duplex contexts such as hubs.
The key takeaway: one VLAN = one broadcast domain = one IP subnet. This is the fundamental relationship you will see throughout this series.
How VLANs Work at the Frame Level
When a frame enters a switchport assigned to VLAN 10, the switch internally tags that frame with VLAN ID 10. The MAC address table maps the source MAC to that port and that VLAN. When the switch needs to forward the frame, it only considers ports in the same VLAN.
On access ports (ports connected to end devices), the VLAN tag is added on ingress and stripped on egress — the end device never sees it. On trunk ports (switch-to-switch links), the 802.1Q tag stays in the frame so the receiving switch knows which VLAN the frame belongs to.
This is worth internalizing: the end device has no idea VLANs exist. A PC in VLAN 10 and a PC in VLAN 20 could be plugged into adjacent ports on the same switch, and from their perspective they are on completely separate networks.
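To make the ingress-tag and egress-strip behaviour concrete, here is an added Python model of a VLAN-aware switch (example code written for this article, not Cisco's implementation or the PingLabz lab's own code). It builds real 802.1Q tags, learns MAC addresses per VLAN, floods only within a VLAN, and applies the native VLAN rule on trunks; the port names, MAC addresses and VLAN numbers in lab_switch() are constructed.

```python
import struct

def make_frame(dst: bytes, src: bytes, ethertype: int = 0x0806, payload: bytes = b"ARP") -> bytes:
    return dst + src + struct.pack("!H", ethertype) + payload   # untagged, as a PC sends it

def tag_frame(frame: bytes, vid: int) -> bytes:
    """Insert an 802.1Q tag (TPID 0x8100, PCP 0, DEI 0, this VID) after the source MAC."""
    return frame[:12] + b"\x81\x00" + struct.pack("!H", vid & 0x0FFF) + frame[12:]

def untag_frame(frame: bytes):
    """Return (frame without its tag, VID); VID is None when the frame is untagged."""
    if len(frame) >= 16 and frame[12:14] == b"\x81\x00":
        return frame[:12] + frame[16:], struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return frame, None
class Switch:
    """Access ports tag on ingress and strip on egress; trunks keep the tag,
    except for the native VLAN, which crosses the trunk untagged."""
    def __init__(self, native_vlan: int = 1):
        self.native, self.ports, self.mac_table = native_vlan, {}, {}
    def access(self, port, vid): self.ports[port] = ("access", {vid})
    def trunk(self, port, allowed): self.ports[port] = ("trunk", set(allowed))
    def classify(self, port, frame):
        """Map an ingress frame to a VLAN; returns (inner frame, VID), VID None = drop."""
        mode, vids = self.ports[port]
        inner, vid = untag_frame(frame)
        if vid is None:                      # untagged: the access VLAN, or native on a trunk
            vid = next(iter(vids)) if mode == "access" else self.native
        return inner, (vid if vid in vids else None)
    def egress(self, port, inner, vid):
        tagged = self.ports[port][0] == "trunk" and vid != self.native
        return tag_frame(inner, vid) if tagged else inner   # end devices never see the tag
    def receive(self, in_port, frame):
        """Forward one ingress frame; returns {egress port: frame as it leaves that port}."""
        inner, vid = self.classify(in_port, frame)
        if vid is None:
            return {}
        self.mac_table[(vid, inner[6:12])] = in_port   # MAC learning is per (VLAN, MAC)
        known = self.mac_table.get((vid, inner[:6]))
        if known is not None:                           # known unicast: forward or filter
            targets = [] if known == in_port else [known]
        else:                                           # unknown/broadcast: flood in this VLAN only
            targets = [p for p, (_, vids) in self.ports.items() if p != in_port and vid in vids]
        return {p: self.egress(p, inner, vid) for p in targets}
def lab_switch() -> Switch:
    """Constructed lab switch: VLAN 10 on Gi1/0/1-2, VLAN 20 on Gi1/0/3, trunk Gi1/0/24, native 99."""
    sw = Switch(native_vlan=99)
    sw.access("Gi1/0/1", 10); sw.access("Gi1/0/2", 10); sw.access("Gi1/0/3", 20)
    sw.trunk("Gi1/0/24", {10, 20, 99})
    return sw
```

Feeding the same broadcast from a VLAN 10 port shows it reaching the other VLAN 10 port untagged and the trunk with a VID 10 tag, while the VLAN 20 port never sees it.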
VLAN Types
Cisco IOS XE supports several VLAN categories, each with a specific purpose:
Data VLANs
Standard VLANs carrying user traffic. In the PingLabz Switching Lab, VLAN 10 (Users) and VLAN 20 (Servers) are data VLANs. These are what most people mean when they say "VLAN."
Native VLAN
The native VLAN is the one VLAN on a trunk that does not get an 802.1Q tag. By default this is VLAN 1. Untagged frames arriving on a trunk are placed into the native VLAN. For security reasons you should change the native VLAN to an unused VLAN (like VLAN 99) — we cover this in detail in Native VLAN Configuration and Security on Cisco Switches.
Management VLAN
The VLAN where switch management traffic lives — SSH sessions, SNMP, syslog. In our lab, VLAN 30 (10.10.30.0/24) is the management VLAN. The switch's SVI (Switch Virtual Interface) for remote access sits in this VLAN.
Voice VLAN
A dedicated VLAN for IP phone traffic. Cisco switches support a special "voice VLAN" feature where a single access port can carry both a data VLAN (for the PC behind the phone) and a voice VLAN (for the phone itself). We configure this in Configuring Voice VLANs on Cisco Switches for IP Phones.
Default VLAN
VLAN 1. Every port on a new switch starts in VLAN 1. It cannot be deleted or renamed. Best practice is to move all user and management traffic out of VLAN 1 and use it only as a legacy placeholder.
Black Hole VLAN
An unused VLAN (like VLAN 999 in our lab) where you assign all inactive ports. This is a security measure — any device plugged into an unused port lands in a VLAN with no SVI, no routing, and no connectivity.
VLAN Ranges on Cisco IOS XE
Cisco divides the 4,094 possible VLAN IDs into ranges:
| Range | VLAN IDs | Name | Notes |
|---|---|---|---|
| 0 | 0 | Reserved | Cannot be used |
| Normal | 1–1005 | Normal range | Stored in vlan.dat, supported by VTP |
| Extended | 1006–4094 | Extended range | Requires VTP transparent or VTPv3, stored in running-config |
| Reserved | 4095 | Reserved | Cannot be used |
For most campus networks, normal-range VLANs (1–1005) are more than sufficient. Extended-range VLANs become relevant in large service provider or multi-tenant environments.
VLANs and IP Subnets
The standard design maps one VLAN to one IP subnet. VLAN 10 uses 10.10.10.0/24, VLAN 20 uses 10.10.20.0/24, and so on. This is not a technical requirement — the switch does not enforce it — but violating this convention creates confusion and breaks standard routing assumptions.
Traffic between VLANs requires a Layer 3 device: either a router performing router-on-a-stick or a Layer 3 switch performing SVI-based inter-VLAN routing. The switch will not forward frames between VLANs at Layer 2, no matter what. This isolation is the entire point.
VLANs in the PingLabz Switching Lab
Throughout this series, we use a consistent campus topology:
[DIAGRAM: Three-tier campus topology showing CORE-SW1 at the top, DIST-SW1 and DIST-SW2 in the middle, and ACC-SW1/ACC-SW2/ACC-SW3 at the bottom. Trunk links labeled between tiers. VLAN legend on the side showing VLAN 10 Users, VLAN 20 Servers, VLAN 30 Mgmt, VLAN 40 Voice, VLAN 50 Guest, VLAN 99 Native, VLAN 999 Parking.]
The topology includes:
- CORE-SW1 (Catalyst 9300) — Layer 3 switch handling inter-VLAN routing via SVIs
- DIST-SW1 / DIST-SW2 (Catalyst 9200) — Distribution switches with trunk uplinks to the core and downlinks to access
- ACC-SW1 / ACC-SW2 / ACC-SW3 (Catalyst 9200L) — Access switches where endpoints connect
All switch-to-switch links are 802.1Q trunks carrying VLANs 10, 20, 30, 40, 50, and 99. Access ports on ACC-SW1/2/3 are assigned to VLANs based on function: user workstations in VLAN 10, IP phones in VLAN 40, and any unused ports parked in VLAN 999.
Verifying VLANs on a Cisco Switch
Even before we start configuring VLANs (that is the next article), you can inspect the default VLAN state on any Catalyst switch:
```
ACC-SW1# show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/1, Gi1/0/2, Gi1/0/3,
                                                Gi1/0/4, Gi1/0/5, Gi1/0/6,
                                                Gi1/0/7, Gi1/0/8, Gi1/0/9,
                                                Gi1/0/10, Gi1/0/11, Gi1/0/12,
                                                Gi1/0/13, Gi1/0/14, Gi1/0/15,
                                                Gi1/0/16, Gi1/0/17, Gi1/0/18,
                                                Gi1/0/19, Gi1/0/20, Gi1/0/21,
                                                Gi1/0/22, Gi1/0/23, Gi1/0/24
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
```
Every port sits in VLAN 1. VLANs 1002–1005 are legacy holdovers from FDDI and Token Ring — they cannot be deleted and you can safely ignore them.
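As an added example (not from the article or the PingLabz lab), this Python script parses show vlan brief output, re-joining the wrapped port lines, and runs the check a defender wants from it: which ports still sit in VLAN 1, whether the parking VLAN exists, and which rows are the ignorable legacy VLANs. The SAMPLE text is constructed to resemble the output above, with a few ports already moved.

```python
import re

# Constructed sample modelled on the article's `show vlan brief` output, with a
# few ports already moved out of VLAN 1 so the audit has something to report.
SAMPLE = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/1, Gi1/0/2, Gi1/0/3, Gi1/0/4
                                                Gi1/0/5, Gi1/0/6
10   Users                            active    Gi1/0/7, Gi1/0/8
30   Mgmt                             active
999  Parking                          active    Gi1/0/23, Gi1/0/24
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
"""

# One VLAN row: id, name, status, then an optional comma-separated port list.
ROW = re.compile(r"^(\d{1,4})\s+(\S+)\s+(active|suspended|act/unsup|act/lshut)\s*(.*)$")

def parse_vlan_brief(text: str) -> dict:
    """Parse `show vlan brief` into {vid: {"name", "status", "ports"}}, joining the
    indented continuation lines IOS prints when a VLAN's port list wraps."""
    vlans, current = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            current = vlans[int(m.group(1))] = {"name": m.group(2), "status": m.group(3), "ports": []}
            ports_text = m.group(4)
        elif current is not None and line.startswith(" "):
            ports_text = line                      # wrapped continuation of the previous row
        else:
            continue                               # header and separator lines
        current["ports"] += [p.strip() for p in ports_text.split(",") if p.strip()]
    return vlans

def audit_default_vlan(vlans: dict, parking_vlan: int = 999) -> dict:
    """Check the article's best practice: no ports left in VLAN 1, a parking VLAN
    present for unused ports, and the legacy FDDI/Token Ring VLANs ignored."""
    return {
        "ports_in_vlan1": vlans.get(1, {}).get("ports", []),
        "parking_vlan_present": parking_vlan in vlans,
        "legacy_ignored": sorted(v for v, d in vlans.items() if d["status"] == "act/unsup"),
    }
```

Pipe the real output of show vlan brief from each access switch into parse_vlan_brief() and the ports_in_vlan1 list is the to-do list for the next article.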
Where VLANs Fit in the Bigger Picture
VLANs do not operate in isolation. They interact with nearly every other Layer 2 and Layer 3 technology on your network:
- Spanning Tree Protocol runs a separate instance per VLAN (in PVST+ mode). Misconfigure your VLANs and STP will surprise you. See the STP series for deep coverage.
- 802.1X can dynamically assign a port to a VLAN based on authentication results. The 802.1X series covers dynamic VLAN assignment, guest VLANs, and auth-fail VLANs.
- OSPF and other routing protocols run on SVIs, which means your VLAN design directly affects your routing topology. The OSPF series covers this extensively.
- QoS policies often key off VLAN membership — voice VLAN traffic gets priority queuing, guest VLAN traffic gets rate-limited.
Key Takeaways
- A VLAN is a logical broadcast domain within a switch — one VLAN equals one broadcast domain equals one IP subnet.
- VLANs provide segmentation without additional hardware. Ports in different VLANs cannot communicate at Layer 2.
- Access ports carry one VLAN (untagged). Trunk ports carry multiple VLANs using 802.1Q tags.
- Always move management and user traffic out of VLAN 1. Park unused ports in a black hole VLAN.
- VLANs are the foundation for trunking, inter-VLAN routing, STP, 802.1X, and QoS — everything in this series builds on them.
Next up: How VLANs Work: Tagging, Broadcast Domains, and Frame Forwarding takes you inside the switch to see exactly what happens when a frame enters a VLAN-enabled port.