How VLANs Work
Introduction
Welcome to Part 12 of the Network Fundamentals study notes! If you haven’t already, we recommend watching the video first.
Is it better to have one large network or several smaller ones? In many cases, smaller is better — for security, for management, and for performance. VLANs are the key tool that makes this possible without buying a separate switch for every segment.
What is a LAN?
For this video, we’re defining a LAN as a Layer 2 broadcast domain. A broadcast frame (destination MAC address FF:FF:FF:FF:FF:FF, i.e. all Fs) is forwarded by switches and bridges but stopped by routers. Everything that receives that broadcast, one connected group of switches, is the broadcast domain, and that’s what we’re calling a LAN.
The symbol used in network diagrams to represent each LAN is a cloud-like shape with devices attached to it.
Why Break a Network Into Smaller Parts?
Imagine a network where everything — workstations, printers, servers — is on a single LAN. This might work fine when the network is small, but it creates problems as it grows. A server holding sensitive data should probably not be on the same broadcast domain as every workstation. A network problem in one area could ripple across the entire network.
The obvious solution is to use separate switches and connect them through a router or firewall. But this gets expensive quickly, especially if you want many segments. The more scalable answer is VLANs — Virtual LANs.
What is a VLAN?
A VLAN lets you create multiple virtual switches inside a single physical switch. Some ports belong to one VLAN, others belong to a different VLAN — and from a networking perspective, they behave as if they’re on completely separate switches.
VLANs can be tricky to grasp at first — that’s completely normal. They’ll make more sense the more you work with them.
Reasons to Use VLANs
- Security – keep sensitive resources (like servers) isolated from the rest of the network. A firewall can then control exactly what traffic passes between segments.
- Cost savings – achieve logical separation without buying extra switches.
- Organisation – group devices by function, department, or type (e.g. a separate VLAN for guest Wi-Fi, or one for voice traffic).
- Traffic management – separate data and voice traffic allows different settings (like quality of service) to be applied to each.
- Broadcast control – broadcasts and floods are contained within a VLAN, reducing unnecessary traffic across the entire network.
- Smaller failure domains – if something goes wrong in one VLAN, it’s less likely to affect others.
VLAN IDs
Every VLAN has a numeric VLAN ID. This is a 12-bit number, giving a theoretical range of 0–4095. IDs 0 and 4095 are reserved, so the usable range is 1–4094. Each port on a switch is assigned to a VLAN using this ID. You can optionally give each VLAN a name for organisational purposes, but the name is just a label; the ID is what matters. One caveat worth knowing from the start: on most switches every port starts out in VLAN 1, so a port you have not explicitly assigned shares a broadcast domain with everything else that was left at the default.
On Cisco switches specifically, VLANs 1002–1005 are reserved for compatibility with older legacy equipment. Cisco also divides the VLAN space into a normal range (1–1005) and an extended range (1006–4094), which may behave slightly differently internally and with features like VTP.
How VLANs Contain Traffic
When a broadcast frame arrives on a switch port, it’s forwarded out all other ports in the same VLAN only. It will not cross into other VLANs. The same applies to flooding — if a switch doesn’t know where to send a frame, it floods it within the VLAN but not beyond it. This is the fundamental promise of a VLAN: layer 2 traffic stays within its VLAN.
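To make the containment rule concrete, here is a small model of a VLAN-aware switch. It is an added example written for these notes, not code from the original page: ports are assigned an access VLAN, the MAC table is kept per VLAN, and broadcasts and unknown-unicast floods only ever leave through ports in the same VLAN as the ingress port. It also applies the 1–4094 check from the VLAN IDs section. The port numbers, MAC addresses and VLAN numbers are constructed for the example.

```python
"""Minimal model of a VLAN-aware switch (added example, not the page's own code).

Shows the core promise of a VLAN: broadcasts and unknown-unicast floods stay in
the ingress port's VLAN, and MAC learning is per VLAN. All ports, MACs and VLAN
IDs below are constructed for the example.
"""

BROADCAST = "ff:ff:ff:ff:ff:ff"   # destination MAC of all Fs

# 802.1Q VLAN IDs are 12 bits: 0 and 4095 are reserved, so 1-4094 is usable.
MIN_VID, MAX_VID = 1, 4094


def check_vlan_id(vid: int) -> int:
    """Return vid if it is a usable 802.1Q VLAN ID, otherwise raise ValueError."""
    if not MIN_VID <= vid <= MAX_VID:
        raise ValueError(f"VLAN ID {vid} is outside the usable range {MIN_VID}-{MAX_VID}")
    return vid


class VlanSwitch:
    def __init__(self):
        self.port_vlan = {}    # port number -> access VLAN ID
        # The MAC table is keyed by (vlan, mac): the same MAC learned in two
        # VLANs is two separate entries, never a bridge between them.
        self.mac_table = {}    # (vlan, mac) -> port

    def assign(self, port: int, vid: int) -> None:
        """Put an access port into a VLAN, rejecting reserved/out-of-range IDs."""
        self.port_vlan[port] = check_vlan_id(vid)

    def receive(self, in_port: int, src: str, dst: str) -> list:
        """Process one frame arriving on in_port; return the sorted egress ports."""
        vid = self.port_vlan[in_port]
        self.mac_table[(vid, src)] = in_port          # learn the source in this VLAN only
        if dst == BROADCAST:
            return self._flood(vid, in_port)
        out = self.mac_table.get((vid, dst))
        if out is None:
            return self._flood(vid, in_port)          # unknown unicast: flood within the VLAN
        if out == in_port:
            return []                                 # destination is behind the ingress port
        return [out]

    def _flood(self, vid: int, in_port: int) -> list:
        """All ports in VLAN vid except the one the frame came in on."""
        return sorted(p for p, v in self.port_vlan.items() if v == vid and p != in_port)


def demo() -> dict:
    """Run a few frames through a two-VLAN switch and return the egress ports seen."""
    sw = VlanSwitch()
    for port in (1, 2, 3):
        sw.assign(port, 10)      # VLAN 10: workstations (constructed)
    for port in (4, 5):
        sw.assign(port, 20)      # VLAN 20: servers (constructed)
    results = {}
    # A broadcast from port 1 reaches only the other VLAN 10 ports.
    results["broadcast_vlan10"] = sw.receive(1, "aa:aa:aa:00:00:01", BROADCAST)
    # A server in VLAN 20 broadcasts: no workstation port ever sees it.
    results["broadcast_vlan20"] = sw.receive(4, "bb:bb:bb:00:00:04", BROADCAST)
    # Unknown unicast from port 2 to a MAC not yet learned: flooded, but only in VLAN 10.
    results["unknown_unicast"] = sw.receive(2, "aa:aa:aa:00:00:02", "aa:aa:aa:00:00:03")
    # Port 3 replies, the switch learns it, and the next frame is switched, not flooded.
    sw.receive(3, "aa:aa:aa:00:00:03", "aa:aa:aa:00:00:02")
    results["known_unicast"] = sw.receive(2, "aa:aa:aa:00:00:02", "aa:aa:aa:00:00:03")
    # The server's MAC is known in VLAN 20 only. From VLAN 10 it is unknown, and the
    # resulting flood still stays in VLAN 10, so the frame never reaches port 4.
    results["cross_vlan_attempt"] = sw.receive(1, "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:04")
    return results


if __name__ == "__main__":
    for name, ports in demo().items():
        print(f"{name:20s} -> egress ports {ports}")
```

The last case is the one to remember: knowing a target's MAC address does not help a host in another VLAN, because the switch's forwarding decision is made inside the VLAN of the ingress port, and the only way across is a router.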
VLANs and IP Addressing
VLANs operate at layer 2, but they interact closely with layer 3 (IP addressing). The best practice is one subnet per VLAN. While it’s technically possible to have multiple subnets in one VLAN, the subnet boundary then gives no separation at all: hosts in both subnets still share one broadcast domain and hear each other’s broadcasts and ARP traffic. It creates messy network boundaries and is considered poor form. Keep it clean: one VLAN, one subnet.
Inter-VLAN Routing
Since frames can’t cross from one VLAN to another at layer 2, you need a router to move traffic between VLANs. The router has an interface connected to each VLAN, with an IP address from that VLAN’s subnet. Each device uses that router interface as its default gateway.
When a device needs to send traffic to a different VLAN, it sends the frame to the router’s MAC address. The router receives it, looks at the destination IP, and forwards the packet out the appropriate interface into the target VLAN, rewriting the destination MAC address to match the target device and the source MAC to its own interface in that VLAN. The IP addresses in the packet are left untouched; only the layer 2 addressing changes.
But how does a device know the router’s MAC address in the first place? It uses a protocol called ARP (Address Resolution Protocol) — the device broadcasts an ARP request asking “who has this IP address?”, and the owner responds with its MAC. We’ll cover ARP in detail in a future video.
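Here is the layer 3 side of that exchange, as an added example for these notes (not the page’s own code). It models the one-subnet-per-VLAN layout from the previous section together with the forwarding steps just described: a host decides whether the destination is on its own subnet or must go to the default gateway, and the router picks the egress VLAN from its directly connected subnets and rewrites both MAC addresses. ARP is modelled as a lookup in a table keyed by VLAN, because an ARP broadcast never leaves the VLAN it was sent in. The subnets, MAC addresses and host names are all constructed for the example.

```python
"""Inter-VLAN routing at layer 3 (added example, not code from the original notes).

One subnet per VLAN, one router interface per VLAN. Hosts send on-link traffic
directly and everything else to the gateway MAC; the router re-emits the frame
into the destination VLAN with rewritten MACs. ARP is a table lookup keyed by
VLAN, since the ARP broadcast stays inside its VLAN. All addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Frame:
    vlan: int          # VLAN the frame is travelling in
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    ttl: int = 64


@dataclass(frozen=True)
class Host:
    vlan: int
    addr: str          # interface address with prefix, e.g. "10.0.10.50/24"
    mac: str
    gateway: str       # router interface IP in this host's VLAN


# (vlan, IP) -> MAC: the reply an ARP request broadcast in that VLAN would get.
ARP = {}


def arp_lookup(vlan: int, ip: str) -> str:
    """Resolve ip in vlan; a host in another VLAN never hears the request."""
    mac = ARP.get((vlan, ipaddress.ip_address(ip)))
    if mac is None:
        raise LookupError(f"ARP for {ip} in VLAN {vlan} got no reply")
    return mac


def host_send(host: Host, dst_ip: str) -> Frame:
    """Frame a host puts on the wire: direct if dst is on-link, else via the gateway."""
    iface = ipaddress.ip_interface(host.addr)
    on_link = ipaddress.ip_address(dst_ip) in iface.network
    target = dst_ip if on_link else host.gateway
    return Frame(host.vlan, host.mac, arp_lookup(host.vlan, target), str(iface.ip), dst_ip)


class Router:
    def __init__(self):
        self.interfaces = {}    # vlan -> (connected network, interface IP, interface MAC)

    def add_interface(self, vlan: int, cidr: str, mac: str) -> None:
        iface = ipaddress.ip_interface(cidr)
        self.interfaces[vlan] = (iface.network, iface.ip, mac)
        ARP[(vlan, iface.ip)] = mac     # the router answers ARP for its own IP in that VLAN

    def route(self, frame: Frame):
        """Forward a frame addressed to the router; return the re-emitted frame or None."""
        _, _, my_mac = self.interfaces[frame.vlan]
        if frame.dst_mac != my_mac:
            return None                 # not addressed to the router at layer 2
        if frame.ttl <= 1:
            return None                 # TTL expired (the behaviour traceroute relies on)
        dst = ipaddress.ip_address(frame.dst_ip)
        for vlan, (net, _, mac) in self.interfaces.items():
            if dst in net:
                # Egress: destination VLAN, source MAC = router's interface there,
                # destination MAC = the target host, IPs unchanged, TTL decremented.
                return replace(frame, vlan=vlan, src_mac=mac,
                               dst_mac=arp_lookup(vlan, frame.dst_ip), ttl=frame.ttl - 1)
        return None                     # no connected subnet contains the destination


def demo() -> dict:
    r = Router()
    r.add_interface(10, "10.0.10.1/24", "02:00:00:00:10:01")     # VLAN 10: workstations
    r.add_interface(20, "10.0.20.1/24", "02:00:00:00:20:01")     # VLAN 20: servers
    ws = Host(10, "10.0.10.50/24", "aa:aa:aa:00:00:50", "10.0.10.1")
    peer = Host(10, "10.0.10.51/24", "aa:aa:aa:00:00:51", "10.0.10.1")
    srv = Host(20, "10.0.20.80/24", "bb:bb:bb:00:00:80", "10.0.20.1")
    for h in (ws, peer, srv):
        ARP[(h.vlan, ipaddress.ip_interface(h.addr).ip)] = h.mac
    results = {}
    # Same subnet: the frame carries the peer's MAC and the router ignores it.
    local = host_send(ws, "10.0.10.51")
    results["local"] = (local.dst_mac, r.route(local))
    # Other subnet: the frame goes to the gateway MAC and comes out in VLAN 20.
    remote = host_send(ws, "10.0.20.80")
    routed = r.route(remote)
    results["remote"] = (remote.dst_mac, routed.vlan, routed.src_mac, routed.dst_mac, routed.ttl)
    # Misconfigured host with a /16 mask believes the server is on-link and ARPs
    # for it in VLAN 10; the request never reaches VLAN 20, so nothing answers.
    bad = Host(10, "10.0.10.52/16", "aa:aa:aa:00:00:52", "10.0.10.1")
    try:
        host_send(bad, "10.0.20.80")
        results["bad_mask"] = "sent"
    except LookupError as err:
        results["bad_mask"] = str(err)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:9s} -> {value}")
```

The "bad_mask" case is a common real-world symptom of mixing subnets and VLANs carelessly: a host with a subnet mask wider than its VLAN will try to reach the other subnet directly, never send to the gateway, and simply time out.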
Useful Tools: Ping and Traceroute
Two tools you’ll use constantly when working with VLANs (and networks generally):
- Ping – sends a small test packet (an ICMP echo request) to an IP address and waits for a reply. If you get replies, the path is working. If you don’t, something is blocking or broken; bear in mind that a firewall between the VLANs may deliberately drop ICMP, so a failed ping proves that something is in the way, not necessarily that the path itself is down.
- Traceroute – like ping, but maps every layer 3 device (router) along the path from source to destination. This is how you can confirm that traffic is actually going through the router rather than being switched directly: a host in the same VLAN shows up as the first hop, while a host in another VLAN shows the router first. On Linux use `traceroute -n` (the `-n` skips hostname lookups and speeds things up); on Windows use `tracert -d`.
Resources
Test your knowledge with the Introduction to Networking quizzes.
