# VLANs (Virtual LANs) - Complete Technical Notes

## Overview
A Virtual LAN (VLAN) is a logical group of devices segmented at Layer 2 (Data Link Layer) of the OSI model. Unlike subnetting (Layer 3), VLANs enable multiple virtual broadcast domains on a single physical switch.
## 1. Why VLANs? The Problem They Solve

### Without VLANs

- All devices on a switch share one broadcast domain
- Flooded frames (broadcast, unknown unicast) reach every port
- Security concern: every host can talk to every other host
- Performance issues due to excessive broadcast traffic

### Traditional Layer 3 Segmentation (Subnetting)

- Different departments = different subnets (e.g., HR, Sales, Eng.)
- Requires a router to pass traffic between subnets
- But: switches don't recognize IP subnets, so all ports still receive broadcast traffic

### VLAN Solution

- Segments Layer 2 broadcast domains logically
- Devices in different VLANs cannot communicate unless routed
- Reduces broadcast traffic and improves security

CCNA rule of thumb: one VLAN = one subnet
## 2. VLAN ID Ranges

- Total VLANs: 4096 (IDs 0 to 4095, a 12-bit field in 802.1Q)
- Usable VLANs: 1–1001 (normal), 1006–4094 (extended)
- Reserved VLANs:
  - 0 and 4095: reserved, not usable
  - 1002–1005: legacy VLANs (FDDI, Token Ring)
- Default VLAN: VLAN 1 (cannot be deleted or renamed)
## 3. VLAN Configuration on Switches

### 3.1 View VLANs

```
show vlan brief
```

Shows existing VLANs and port assignments.

### 3.2 Create and Name VLANs

```
conf t
vlan 10
name HR
```

### Disable/Delete VLANs

```
vlan 10
shutdown      # Disables VLAN
no vlan 10    # Deletes VLAN
```

### 3.3 Assign Access Ports to VLANs

Access ports = untagged, belong to one VLAN only

```
interface fa0/1
switchport mode access
switchport access vlan 10
```

- If the VLAN doesn't exist, it's auto-created
- DTP (Dynamic Trunking Protocol): tries to negotiate trunk/access mode. Disable it for static configuration.

Note: access ports are used for end hosts (PCs, printers, etc.)
## 4. Trunk Links: Connecting VLANs Across Switches

### 4.1 What is a Trunk Port?

- Carries traffic for multiple VLANs
- Adds a VLAN tag (802.1Q) to identify the VLAN
### 4.2 Access vs Trunk Port

| Access Port | Trunk Port |
|---|---|
| One VLAN | Multiple VLANs |
| Untagged | Tagged (802.1Q) |
| End-host connections | Switch-to-switch/Router |
### 4.3 802.1Q Tagging (Dot1Q)

- Tag = 4 bytes, inserted after the Source MAC
- Fields:
  - TPID (0x8100): identifies 802.1Q
  - PCP (3-bit): QoS priority
  - DEI (1-bit): Drop Eligible Indicator
  - VID (12-bit): VLAN ID (0–4095)

Note: only 802.1Q is supported on modern Cisco switches (ISL is deprecated: Cisco proprietary, adds 30 bytes)
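As an added example (not part of these notes and not Cisco's code), the Python below builds and parses a single-tagged 802.1Q frame with the field layout listed above, and classifies the VID using the ranges from section 2. An untagged frame is assigned to the native VLAN the way a receiving trunk port would do, and a VID of 0 (a priority-only tag) is treated the same way. The MAC addresses and payload in the sample are constructed.

```python
import struct

TPID_8021Q = 0x8100          # TPID value that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def classify_vid(vid: int) -> str:
    """Classify a 12-bit VLAN ID using the ranges from the notes above."""
    if not 0 <= vid <= 4095:
        raise ValueError(f"VID {vid} does not fit in the 12-bit field")
    if vid in (0, 4095):
        return "reserved"
    if 1002 <= vid <= 1005:
        return "legacy"          # FDDI / Token Ring VLANs
    if vid <= 1001:
        return "normal"
    return "extended"


def build_tagged_frame(dst: bytes, src: bytes, vid: int, ethertype: int,
                       payload: bytes, pcp: int = 0, dei: int = 0) -> bytes:
    """Build an Ethernet frame with one 802.1Q tag inserted after the source MAC."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    if not (0 <= vid <= 4095 and 0 <= pcp <= 7 and dei in (0, 1)):
        raise ValueError("tag field out of range")
    # TCI layout: PCP (3 bits) | DEI (1 bit) | VID (12 bits)
    tci = (pcp << 13) | (dei << 12) | vid
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame: bytes, native_vlan: int = 1) -> dict:
    """Parse an Ethernet frame. Untagged frames are placed in native_vlan,
    which is what a trunk port does with untagged ingress traffic."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (first_type,) = struct.unpack("!H", frame[12:14])
    if first_type != TPID_8021Q:
        return {"tagged": False, "vid": native_vlan, "pcp": 0, "dei": 0,
                "ethertype": first_type, "dst": dst, "src": src,
                "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("802.1Q tag truncated")
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF
    return {"tagged": True,
            # VID 0 is a priority-only tag: PCP/DEI are meaningful but the
            # frame belongs to the port's native VLAN
            "vid": vid if vid != 0 else native_vlan,
            "pcp": tci >> 13, "dei": (tci >> 12) & 1,
            "ethertype": ethertype, "dst": dst, "src": src,
            "payload": frame[18:]}


if __name__ == "__main__":
    # Constructed sample: a frame for HR VLAN 10 with priority 5
    frame = build_tagged_frame(bytes.fromhex("ffffffffffff"),
                               bytes.fromhex("0200deadbeef"),
                               vid=10, ethertype=ETHERTYPE_IPV4,
                               payload=b"\x45" + b"\x00" * 19, pcp=5)
    info = parse_frame(frame)
    print(f"VID {info['vid']} ({classify_vid(info['vid'])}), PCP {info['pcp']}, "
          f"EtherType 0x{info['ethertype']:04x}")
```

The parser only handles a single tag; a QinQ frame (TPID 0x88a8 or a second 0x8100) would show up with the outer TPID as the "inner" EtherType, which is exactly the kind of frame a port that should only see single-tagged traffic ought to drop.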
### 4.4 Trunk Port Configuration

```
interface g0/1
switchport trunk encapsulation dot1q   # Only if required
switchport mode trunk
```

Verify trunks:

```
show interfaces trunk
```

Note: trunk ports won't show in show vlan brief

### 4.5 Allowing Specific VLANs on Trunks

By default, all VLANs (1–4094) are allowed. Best practice: limit the trunk to the required VLANs.

```
switchport trunk allowed vlan 10,20
switchport trunk allowed vlan add 30
switchport trunk allowed vlan remove 20
```

Exam tip: using `switchport trunk allowed vlan 20` (without `add`) replaces the list, it does not add to it.
### 4.6 Native VLAN (Untagged Traffic)

- Frames in the native VLAN are sent without a tag
- Default: VLAN 1

Config:

```
interface g0/1
switchport trunk native vlan 99
```

Warning: a native VLAN mismatch between the two ends of a trunk puts untagged frames into the wrong VLAN (misrouting risk). Don't use the native VLAN for user traffic; set it to an otherwise unused VLAN.
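Added example, not from these notes: a small Python checker that reads a constructed IOS-style running-config, applies the allowed-VLAN semantics from 4.5 (a bare list replaces the set; only `add` and `remove` modify it) and reports the trunk, native-VLAN and DTP settings a reviewer would flag. It assumes the command forms shown in these notes plus `switchport nonegotiate`, the IOS command that turns DTP off on a port; the interface names and config lines are made up.

```python
ALL_VLANS = frozenset(range(1, 4095))   # what "allowed vlan all" expands to

# Constructed sample running-config, not captured from a real switch
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport trunk allowed vlan add 30
 switchport trunk allowed vlan remove 20
 switchport trunk native vlan 99
 switchport nonegotiate
!
interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport trunk allowed vlan 20
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface FastEthernet0/2
 switchport access vlan 20
!
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 99
!
"""


def parse_vlan_list(spec: str) -> set:
    """Expand an IOS VLAN list such as "10,20,30-35" into a set of ints."""
    vlans = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def apply_allowed_vlan(current: set, args: list) -> set:
    """Apply one 'switchport trunk allowed vlan ...' command to the current set.
    Only add/remove are incremental; a bare list (or all/none/except) replaces."""
    keyword = args[0]
    if keyword == "all":
        return set(ALL_VLANS)
    if keyword == "none":
        return set()
    if keyword == "add":
        return current | parse_vlan_list(args[1])
    if keyword == "remove":
        return current - parse_vlan_list(args[1])
    if keyword == "except":
        return set(ALL_VLANS) - parse_vlan_list(args[1])
    return parse_vlan_list(keyword)


def parse_interfaces(config_text: str) -> dict:
    """Collect the VLAN-relevant switchport settings of each interface block."""
    interfaces, itf = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            itf = {"mode": None, "allowed": set(ALL_VLANS), "native": 1,
                   "access_vlan": 1, "nonegotiate": False}
            interfaces[line.split(None, 1)[1]] = itf
        elif itf is None or line == "!":
            itf = None                      # "!" ends the interface block
        elif line.startswith("switchport mode "):
            itf["mode"] = line.split()[2]
        elif line.startswith("switchport trunk allowed vlan "):
            itf["allowed"] = apply_allowed_vlan(itf["allowed"], line.split()[4:])
        elif line.startswith("switchport trunk native vlan "):
            itf["native"] = int(line.split()[4])
        elif line.startswith("switchport access vlan "):
            itf["access_vlan"] = int(line.split()[3])
        elif line == "switchport nonegotiate":
            itf["nonegotiate"] = True
    return interfaces


def audit(interfaces: dict) -> list:
    """Return (interface, finding) pairs for the trunk, DTP and native-VLAN rules."""
    access_vlans = {i["access_vlan"] for i in interfaces.values() if i["mode"] == "access"}
    findings = []
    for name, itf in interfaces.items():
        if itf["mode"] is None:
            findings.append((name, "no explicit switchport mode: DTP may negotiate a trunk"))
            continue
        if not itf["nonegotiate"]:
            findings.append((name, "DTP still enabled: add 'switchport nonegotiate'"))
        if itf["mode"] == "trunk":
            if itf["allowed"] == ALL_VLANS:
                findings.append((name, "trunk allows all VLANs: prune to the required list"))
            if itf["native"] == 1:
                findings.append((name, "native VLAN is the default VLAN 1"))
            if itf["native"] in access_vlans:
                findings.append((name, f"native VLAN {itf['native']} is also an access VLAN"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(parse_interfaces(SAMPLE_CONFIG)):
        print(f"{name}: {finding}")
```

Running it on the sample shows the replace-vs-add pitfall directly: GigabitEthernet0/1 ends up allowing only VLANs 10 and 30, while GigabitEthernet0/2, whose second command omitted `add`, allows only VLAN 20. The last rule (native VLAN also used as an access VLAN) is the check behind the advice above to keep user traffic off the native VLAN.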
## 5. Inter-VLAN Routing

### Method 1: Router with Physical Interfaces

- Each VLAN/subnet connects to its own router interface
- Not scalable

### Method 2: Router-on-a-Stick (ROAS)

- One physical port on the router is used as a trunk
- Create a subinterface for each VLAN

Switch:

```
interface g0/1
switchport mode trunk
```

Router:

```
interface g0/1.10
encapsulation dot1q 10
ip address 192.168.10.1 255.255.255.0
```

- All subinterfaces share one MAC address
- Set the native VLAN with `encapsulation dot1q 99 native` if needed

### Method 3: Multilayer Switch (Layer 3 Switch)

- Use Switch Virtual Interfaces (SVIs)

Configuration:

```
ip routing      # Enable routing
vlan 10
interface vlan 10
ip address 192.168.10.1 255.255.255.0
no shutdown
```

- SVI only works if:
  - VLAN exists
  - At least one port is up in the VLAN
  - VLAN is not shut
  - SVI is not shut

### Routed Ports (Optional)

```
interface g0/1
no switchport
ip address 192.168.100.1 255.255.255.0
```
## 6. VLAN Management and Advanced Features

### 6.1 VLAN MIB (RFC 2674)

- Used for SNMP-based VLAN management
- Q-BRIDGE-MIB: manages VLANs, memberships, port mappings
- Objects:
  - dot1qVlan: VLAN config/status
  - dot1qTp: forwarding info
  - dot1qStatic: static MAC/VLAN info

### 6.2 RADIUS Attributes for VLANs (RFC 4675)

- VLAN assignment per user via RADIUS
- Attributes:
  - Egress-VLANID (56): tagged/untagged VLAN
  - Ingress-Filters (57): restrict incoming VLANs
  - Egress-VLAN-Name (58): use VLAN name instead of ID
  - User-Priority-Table (59): remap QoS priority

Warning: misconfigured RADIUS policies can allow VLAN hopping or DoS
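Added example (not from these notes or from any RADIUS implementation): Python that encodes and strictly decodes the four RFC 4675 attributes using the value layouts from that RFC. Egress-VLANID is a 4-octet value of a Tag Indication octet (0x31 tagged, 0x32 untagged), 12 zero pad bits and a 12-bit VLANID; Ingress-Filters is the integer 1 (Enabled) or 2 (Disabled); Egress-VLAN-Name is the tag indication octet followed by the VLAN name; User-Priority-Table is 8 octets. Refusing reserved VIDs 0 and 4095 (the reserved IDs from section 2) is a policy choice made in this example. A decoder this strict is one way to keep a malformed or mistyped policy attribute from landing a user in an unintended VLAN.

```python
import struct

# Attribute type numbers from RFC 4675
EGRESS_VLANID, INGRESS_FILTERS, EGRESS_VLAN_NAME, USER_PRIORITY_TABLE = 56, 57, 58, 59
TAGGED, UNTAGGED = 0x31, 0x32        # Tag Indication octet ('1' tagged, '2' untagged)
RESERVED_VIDS = {0, 4095}            # policy choice in this example: never assign these


def _avp(attr_type: int, value: bytes) -> bytes:
    """Wrap a value as a RADIUS attribute: Type (1 octet) | Length (1 octet) | Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encode_egress_vlanid(vid: int, tagged: bool) -> bytes:
    if not 0 <= vid <= 4095 or vid in RESERVED_VIDS:
        raise ValueError(f"VLAN ID {vid} is reserved or out of range")
    # Value layout: Tag Indic. (8 bits) | Pad (12 bits, must be zero) | VLANID (12 bits)
    word = ((TAGGED if tagged else UNTAGGED) << 24) | vid
    return _avp(EGRESS_VLANID, struct.pack("!I", word))


def encode_ingress_filters(enabled: bool) -> bytes:
    return _avp(INGRESS_FILTERS, struct.pack("!I", 1 if enabled else 2))


def encode_egress_vlan_name(name: str, tagged: bool) -> bytes:
    return _avp(EGRESS_VLAN_NAME, bytes([TAGGED if tagged else UNTAGGED]) + name.encode("utf-8"))


def encode_user_priority_table(table: list) -> bytes:
    if len(table) != 8 or any(not 0 <= p <= 7 for p in table):
        raise ValueError("table must map 8 incoming priorities to values 0-7")
    return _avp(USER_PRIORITY_TABLE, bytes(table))


def decode_vlan_attribute(avp: bytes) -> dict:
    """Strictly decode one VLAN attribute; malformed values raise instead of
    being silently coerced into some VLAN."""
    if len(avp) < 3 or avp[1] != len(avp):
        raise ValueError("bad attribute length")
    attr_type, value = avp[0], avp[2:]
    if attr_type == EGRESS_VLANID:
        if len(value) != 4:
            raise ValueError("Egress-VLANID value must be 4 octets")
        (word,) = struct.unpack("!I", value)
        tag, pad, vid = word >> 24, (word >> 12) & 0xFFF, word & 0xFFF
        if tag not in (TAGGED, UNTAGGED) or pad or vid in RESERVED_VIDS:
            raise ValueError("malformed Egress-VLANID")
        return {"attr": "Egress-VLANID", "tagged": tag == TAGGED, "vid": vid}
    if attr_type == INGRESS_FILTERS:
        if len(value) != 4 or struct.unpack("!I", value)[0] not in (1, 2):
            raise ValueError("Ingress-Filters must be 1 (Enabled) or 2 (Disabled)")
        return {"attr": "Ingress-Filters", "enabled": value == b"\x00\x00\x00\x01"}
    if attr_type == EGRESS_VLAN_NAME:
        if len(value) < 2 or value[0] not in (TAGGED, UNTAGGED):
            raise ValueError("malformed Egress-VLAN-Name")
        return {"attr": "Egress-VLAN-Name", "tagged": value[0] == TAGGED,
                "name": value[1:].decode("utf-8")}
    if attr_type == USER_PRIORITY_TABLE:
        if len(value) != 8 or any(p > 7 for p in value):
            raise ValueError("User-Priority-Table must be 8 priorities in 0-7")
        return {"attr": "User-Priority-Table", "table": list(value)}
    raise ValueError(f"attribute type {attr_type} is not an RFC 4675 VLAN attribute")


def is_valid_vlan_attribute(avp: bytes) -> bool:
    """True when the attribute decodes cleanly, False otherwise."""
    try:
        decode_vlan_attribute(avp)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


if __name__ == "__main__":
    # Constructed Access-Accept fragment: untagged VLAN 10 (HR) with ingress filtering on
    for avp in (encode_egress_vlanid(10, tagged=False), encode_ingress_filters(True),
                encode_egress_vlan_name("HR", tagged=False)):
        print(avp.hex(), decode_vlan_attribute(avp))
```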
## Summary for Interview or Revision

| Concept | Key Point |
|---|---|
| VLAN Purpose | Segments L2 broadcast domains |
| VLAN ID Range | 1–1001, 1006–4094 usable |
| Access Port | Belongs to 1 VLAN, untagged |
| Trunk Port | Carries multiple VLANs, tagged (802.1Q) |
| Native VLAN | Untagged traffic assigned to it |
| Inter-VLAN Routing | ROAS (router subinterfaces), SVIs (Layer 3 switch), physical interfaces |
| show vlan brief | See VLAN assignments |
| show interfaces trunk | See trunk status/config |
| Best Practices | Disable VLAN 1, limit allowed VLANs on trunks, avoid native VLAN mismatches |
## Useful Commands (Cheat Sheet)

```
# Create VLAN
vlan 10
name HR

# Assign Access Port
interface fa0/1
switchport mode access
switchport access vlan 10

# Set Trunk (encapsulation first, where the platform requires it)
interface g0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 10,20

# Native VLAN
switchport trunk native vlan 99

# Inter-VLAN Routing (Router)
interface g0/0.10
encapsulation dot1q 10
ip address 192.168.10.1 255.255.255.0

# Inter-VLAN Routing (Layer 3 Switch)
ip routing
interface vlan 10
ip address 192.168.10.1 255.255.255.0
no shutdown
```