Network+CCNAIntermediate13 min read

What Does VLAN Mean?

Also known as: Virtual LAN, VLAN, 802.1Q

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security

This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.

On This Page

Quick Definition

A Virtual Local Area Network (VLAN) is a logical grouping of devices within a physical network that behave as if they are connected to their own independent network segment. VLANs are created by configuring network switches to assign specific ports or traffic to a particular VLAN identifier (VID). This allows network administrators to segment traffic based on function, department, or security requirements rather than physical location. VLANs operate at Layer 2 (Data Link Layer) of the OSI model, using Ethernet frames tagged with 802.1Q headers to identify VLAN membership. The primary purpose of VLANs is to improve network performance by reducing broadcast traffic, enhance security by isolating sensitive data, and simplify network management by allowing logical reconfiguration without rewiring. Without VLANs, all devices on the same physical switch would share a single broadcast domain, leading to unnecessary traffic and reduced security.

Must Know for Exams

CompTIA Network+ (N10-008/009) tests VLAN knowledge in several distinct areas: (1) VLAN Fundamentals – you must explain what a VLAN is, its purpose (broadcast domain segmentation, security, performance), and how it differs from a subnet (Layer 2 vs Layer 3). (2) 802.1Q Tagging – you need to understand how trunk ports add a 4-byte tag to Ethernet frames, the concept of native VLAN (untagged traffic), and that VLAN IDs range from 1 to 4094.

(3) VLAN Configuration – you should know how to assign ports to VLANs on a managed switch, differentiate between access ports (single VLAN) and trunk ports (multiple VLANs), and understand that inter-VLAN routing requires a router or Layer 3 switch. (4) Troubleshooting – exam questions often present scenarios where devices in the same VLAN cannot communicate; you must identify misconfigured VLAN assignments, trunk port mismatches, or native VLAN inconsistencies. (5) Security Implications – you need to recognize that VLANs provide isolation but are not a complete security solution (e.

g., VLAN hopping attacks). Network+ expects you to know these concepts conceptually rather than command-line syntax, but CCNA adds configuration and verification commands.

Simple Meaning

Imagine a large office building with multiple departments: Sales, HR, and IT. Without VLANs, it's like having everyone in one giant room where any announcement (broadcast) is heard by everyone, causing noise and distractions. With VLANs, it's like giving each department its own soundproof glass room.

People in Sales can only hear announcements from Sales, HR from HR, and IT from IT, even though they are all in the same building. If the Sales team moves to a different floor, you don't need to physically move their desks—you just update the room assignments (reconfigure the VLAN). This keeps conversations private, reduces noise, and makes it easy to reorganize teams without moving furniture.

VLANs do the same for network traffic: they create separate virtual networks on the same physical switches, keeping broadcast traffic contained and improving security.

Full Technical Definition

A VLAN is a logical broadcast domain created at Layer 2 (Data Link Layer) of the OSI model, defined by the IEEE 802.1Q standard. VLANs segment a physical Ethernet network into multiple isolated broadcast domains, meaning broadcast frames (e.

g., ARP requests) are only forwarded within the same VLAN. Each VLAN is identified by a 12-bit VLAN ID (VID) ranging from 1 to 4094, with VLAN 1 typically reserved for default management traffic.

The 802.1Q standard inserts a 4-byte tag into the Ethernet frame header between the Source MAC Address and the EtherType/Length field. This tag contains a Tag Protocol Identifier (TPID) set to 0x8100 and a Tag Control Information (TCI) field that includes the 3-bit Priority Code Point (PCP), 1-bit Drop Eligible Indicator (DEI), and 12-bit VID.

Switches use the VID to determine frame forwarding decisions, ensuring traffic only reaches ports in the same VLAN. VLANs can be port-based (assigning a port to a VLAN), MAC-based (assigning based on source MAC), or protocol-based (assigning based on protocol type). Trunk links carry traffic for multiple VLANs between switches using 802.

1Q tagging. Compared to separate physical switches, VLANs reduce hardware costs, simplify cabling, and allow dynamic reconfiguration. However, inter-VLAN communication requires a Layer 3 device (router or Layer 3 switch) to route between VLANs, as VLANs are isolated at Layer 2.

Native VLAN (default VLAN 1) is used on trunk ports for untagged traffic and is a common security concern if not changed.

Real-Life Example

A medium-sized company, TechCorp, has three departments: Engineering, Finance, and Guest Wi-Fi. They have a single physical switch with 24 ports. The network administrator configures ports 1-8 as VLAN 10 (Engineering), ports 9-16 as VLAN 20 (Finance), and ports 17-24 as VLAN 30 (Guest).

Each department's devices are connected to their respective ports. When an Engineering workstation sends a broadcast ARP request, the switch forwards it only to ports 1-8, not to Finance or Guest ports. This prevents Finance from seeing Engineering broadcasts and isolates Guest traffic from internal resources.

To allow Engineering to access a Finance server, a router is configured with subinterfaces on a trunk link to the switch, each subinterface assigned to the respective VLAN. The router performs inter-VLAN routing, forwarding packets between VLANs based on IP addresses. The outcome is improved security (Finance data isolated), reduced broadcast traffic (each VLAN has a smaller broadcast domain), and simplified management (adding a new Engineering user just requires assigning a port to VLAN 10).

Why This Term Matters

VLANs are fundamental to modern network design because they enable network segmentation without additional hardware, directly impacting security, performance, and manageability. IT professionals must understand VLANs to design efficient networks, troubleshoot connectivity issues (e.g.

, when devices in the same VLAN cannot communicate), and implement security policies (e.g., isolating guest Wi-Fi from internal resources). Misconfiguring VLANs can lead to broadcast storms, security breaches, or complete network outages.

On the job, you'll encounter VLANs in switch configurations, trunk links, and inter-VLAN routing setups. Mastery of VLANs is essential for roles like network administrator, security engineer, and systems architect. In exams like Network+ and CCNA, VLAN questions test your ability to configure, verify, and troubleshoot VLANs, making it a high-weight topic.

How It Appears in Exam Questions

Exam questions for VLANs typically follow these patterns: (1) Definition/Concept – 'Which of the following best describes a VLAN?' with options like 'A physical network segment,' 'A logical broadcast domain,' 'A routing protocol,' or 'A type of firewall.' The correct answer is 'A logical broadcast domain.'

(2) Configuration – 'A switch port is configured as an access port in VLAN 10. What type of traffic does it carry?' Wrong answers include 'Traffic for all VLANs' or 'Only tagged traffic.'

Correct: 'Untagged traffic for VLAN 10.' (3) Troubleshooting – 'Users in VLAN 20 cannot communicate with users in VLAN 30. What is the most likely cause?' Wrong answers: 'Incorrect subnet mask' or 'Duplicate IP address.'

Correct: 'No router or Layer 3 switch configured for inter-VLAN routing.' (4) Trunking – 'Which standard is used for VLAN tagging on trunk links?' Options: 'IEEE 802.3,' 'IEEE 802.11,' 'IEEE 802.

1Q,' 'IEEE 802.1X.' Correct: 'IEEE 802.1Q.' Common traps include confusing VLAN with subnet (Layer 2 vs Layer 3) or thinking VLANs provide routing.

Practise VLAN Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

1. A network administrator has a 24-port switch and wants to separate the Accounting and Marketing departments. 2. They create VLAN 10 named 'Accounting' and VLAN 20 named 'Marketing' in the switch configuration.

3. They assign ports 1-12 to VLAN 10 (Accounting) and ports 13-24 to VLAN 20 (Marketing). 4. An Accounting computer on port 5 sends a broadcast message. The switch forwards it only to ports 1-12, not to ports 13-24.

5. A Marketing computer on port 15 tries to ping the Accounting computer. The ping fails because they are in different VLANs and no router is configured. 6. The administrator then configures a router with a trunk link to the switch, creating subinterfaces for VLAN 10 and VLAN 20 with IP addresses in different subnets.

7. Now, the Marketing computer can ping the Accounting computer, but the traffic passes through the router, which enforces security policies. This demonstrates VLAN isolation and the need for Layer 3 routing for inter-VLAN communication.

Common Mistakes

Thinking VLANs provide routing between networks.

VLANs operate at Layer 2 and only isolate broadcast domains. They do not route packets. Routing between VLANs requires a Layer 3 device like a router or Layer 3 switch.

VLANs = Layer 2 isolation; Router = Layer 3 connectivity.

Believing that devices in the same VLAN must be on the same subnet.

While best practice is to map one VLAN to one subnet, it is technically possible to have multiple subnets in the same VLAN, but this causes communication issues because ARP broadcasts are contained within the VLAN.

One VLAN = one broadcast domain; typically one subnet per VLAN.

Confusing access ports with trunk ports.

An access port carries traffic for only one VLAN (untagged), while a trunk port carries traffic for multiple VLANs (tagged). Candidates often think access ports can carry multiple VLANs.

Access = single VLAN, untagged; Trunk = multiple VLANs, tagged.

Exam Trap — Don't Get Fooled

{"trap":"The most dangerous misconception is that VLANs can route traffic between each other without a router. Candidates often pick 'VLANs provide inter-VLAN routing' as a correct statement.","why_learners_choose_it":"Because VLANs logically separate networks, learners assume they also handle communication between those networks, similar to how a router connects different physical networks."

,"how_to_avoid_it":"Remember: VLANs are Layer 2 only. They isolate broadcast domains. For devices in different VLANs to communicate, you MUST have a Layer 3 device (router or Layer 3 switch) performing inter-VLAN routing.

VLAN ≠ router."

Commonly Confused With

VLANvsSubnet

A subnet is a logical division at Layer 3 (IP network), while a VLAN is a Layer 2 broadcast domain. Subnets are defined by IP addresses and subnet masks; VLANs are defined by switch configuration and 802.1Q tags. They often align but are not the same.

VLAN 10 is a broadcast domain; subnet 192.168.10.0/24 is an IP network. Devices in VLAN 10 typically use that subnet, but the VLAN itself does not route.

VLANvsVPN (Virtual Private Network)

A VPN creates a secure, encrypted tunnel over a public network (like the internet), while a VLAN segments a local physical network into logical groups. VPNs operate at Layer 3 or above; VLANs at Layer 2.

A VLAN separates departments in an office; a VPN connects a remote worker to the office network securely over the internet.

Step-by-Step Breakdown

1

Step 1 — Create VLANs on the Switch

The administrator defines VLAN IDs (e.g., VLAN 10, VLAN 20) and optionally assigns names. This creates the logical broadcast domains on the switch.

2

Step 2 — Assign Ports to VLANs

Each switch port is configured as an access port and assigned to a specific VLAN. For example, ports 1-8 go to VLAN 10. This determines which devices belong to which VLAN.

3

Step 3 — Configure Trunk Ports (if needed)

To connect multiple switches or a router, trunk ports are configured to carry traffic for multiple VLANs using 802.1Q tagging. The native VLAN is set for untagged traffic.

4

Step 4 — Verify VLAN Membership

Use show commands (e.g., 'show vlan brief') to verify that ports are in the correct VLAN and that trunk links are operational. This ensures proper segmentation.

5

Step 5 — Configure Inter-VLAN Routing (if needed)

If devices in different VLANs need to communicate, a router or Layer 3 switch is configured with subinterfaces or SVIs, each assigned an IP address in the respective VLAN's subnet.

Practical Mini-Lesson

Core Concept: A VLAN (Virtual Local Area Network) is a logical grouping of devices on the same physical network that behave as if they are on their own separate network. VLANs operate at Layer 2 (Data Link Layer) and create isolated broadcast domains. This means broadcast traffic (like ARP requests) is contained within the VLAN, reducing unnecessary network load and improving performance.

VLANs also enhance security by preventing devices in one VLAN from directly accessing devices in another VLAN without a router. How It Works: Switches use VLAN IDs (VIDs) to tag Ethernet frames. On access ports, the switch adds the VLAN tag internally; on trunk ports, the 802.

1Q tag is inserted into the frame. The switch's forwarding table maps MAC addresses to VLANs, ensuring frames only go to ports in the same VLAN. Inter-VLAN routing requires a Layer 3 device (router or Layer 3 switch) that can forward packets between VLANs based on IP addresses.

Comparison to Similar Technologies: VLANs are often compared to subnets. A subnet is a logical division at Layer 3 (IP), while a VLAN is a Layer 2 broadcast domain. Typically, one VLAN maps to one subnet, but they are not the same.

VLANs are also compared to VPNs: VLANs segment a local network, while VPNs create secure tunnels over a public network. Key Takeaway: VLANs are essential for network segmentation, security, and performance. The most exam-critical property is that VLANs isolate broadcast domains at Layer 2, and inter-VLAN communication requires a Layer 3 device.

Remember: VLAN = Layer 2 isolation; Router = Layer 3 connectivity.

Memory Tip

VLAN = 'Very Logical ANswer' for network segmentation. Think of a VLAN as a 'Virtual LAN' that acts like a separate physical cable. The key exam fact: VLANs isolate broadcast domains at Layer 2. Mnemonic: 'VLANs Keep Broadcasts Contained' – VKBC (Very Kind Broadcast Containment).

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Legacy Exam Context

Older materials may mention these exam versions, but learners should use the current objectives for their target exam.

N10-008N10-009(current version)

Related Glossary Terms

Frequently Asked Questions

What is the difference between an access port and a trunk port?

An access port belongs to a single VLAN and carries untagged traffic. A trunk port carries traffic for multiple VLANs and uses 802.1Q tags to identify each frame's VLAN. Access ports are used for end devices; trunk ports connect switches or routers.

How does a VLAN compare to a subnet?

A VLAN is a Layer 2 broadcast domain; a subnet is a Layer 3 IP network. They often align (one VLAN per subnet) but are different concepts. VLANs isolate traffic at Layer 2; subnets define IP addressing and routing at Layer 3.

Can devices in different VLANs communicate without a router?

No. VLANs isolate traffic at Layer 2, so devices in different VLANs cannot communicate directly. A router or Layer 3 switch is required to forward packets between VLANs, a process called inter-VLAN routing.

What is the native VLAN and why is it important?

The native VLAN is the VLAN that carries untagged traffic on a trunk port. By default, it is VLAN 1. It is important because mismatched native VLANs on trunk links can cause connectivity issues or security vulnerabilities (e.g., VLAN hopping).

When would you use a VLAN instead of a separate physical switch?

VLANs are used when you want to segment traffic without buying additional hardware. They reduce cost, simplify cabling, and allow flexible reconfiguration. For example, separating guest Wi-Fi from internal traffic on the same switch.

Summary

(1) A VLAN is a logical broadcast domain created at Layer 2 that segments a physical network into isolated groups, reducing broadcast traffic and improving security. (2) The key technical property is that VLANs use 802.1Q tagging to identify VLAN membership, and devices in different VLANs cannot communicate without a Layer 3 router.

(3) The most important exam fact: VLANs operate at Layer 2, not Layer 3; they do not provide routing. Inter-VLAN routing requires a router or Layer 3 switch. Remember: VLAN = broadcast domain isolation, not IP subnetting.