Introduction
A Virtual LAN (VLAN) is a logical network segment created on a switch. VLANs allow one physical switching infrastructure to behave like multiple separate Layer 2 networks.
Learning Goals
By the end of this module, you should be able to:
- Define VLANs and explain why they are useful.
- Identify common VLAN types.
- Explain trunk links and 802.1Q tagging.
- Configure VLANs and assign switch ports.
- Configure and verify trunk ports.
- Explain Dynamic Trunking Protocol (DTP) behavior.
VLAN Definitions
A VLAN groups switch ports into a separate broadcast domain. Devices in the same VLAN can communicate at Layer 2 as if they were connected to the same physical switch segment. Devices in different VLANs need routing to communicate.
VLANs are commonly used to separate departments, device types, management traffic, guest users, voice traffic, and security zones.
Benefits of VLAN Design
A good VLAN design can:
- reduce unnecessary broadcast traffic,
- improve security by separating user groups,
- simplify moves and changes,
- organize the network by function instead of only physical location,
- support special traffic requirements such as voice VLANs.
Common VLAN Types
Default VLAN
On many Cisco switches, VLAN 1 exists by default and all ports initially belong to it. It should not be used as the main management or user VLAN in a secure design.
Data VLAN
A data VLAN carries regular user traffic such as workstation, laptop, or printer traffic.
Native VLAN
On an 802.1Q trunk, untagged frames are placed into the native VLAN. For security, use a native VLAN that is not used for normal data traffic.
Voice VLAN
A voice VLAN separates IP phone traffic from regular data traffic. This helps with traffic management and quality of service.
Management VLAN
A management VLAN is used for switch management access, such as SSH to the switch SVI.
VLANs Across Multiple Switches
When VLANs exist across more than one switch, switches use trunk links to carry traffic for multiple VLANs over one physical connection.
Without VLANs, all switch ports are part of one broadcast domain. With VLANs, each VLAN becomes a separate broadcast domain even if devices are connected to the same physical switch.
VLAN Identification with 802.1Q Tags
802.1Q tagging adds VLAN information to Ethernet frames as they cross trunk links. The tag tells the receiving switch which VLAN the frame belongs to.
The native VLAN is an exception because frames in the native VLAN are usually sent untagged. Because of this, both ends of a trunk should use the same native VLAN to avoid mismatch problems.
Voice VLAN Tagging
A switch port connected to an IP phone and a PC may carry two kinds of traffic:
- voice traffic tagged for the voice VLAN,
- data traffic from the connected PC assigned to the access VLAN.
This design allows the phone and PC to share one physical switch port while keeping traffic logically separated.
Activity: Create VLANs
Activity: Assign Access Ports
VLAN Ranges on Catalyst Switches
Cisco switches support normal-range and extended-range VLANs. In many basic labs, VLANs 1-1005 are treated as the normal range. VLANs above that may have platform-specific requirements. Always check the device model and IOS version before relying on extended VLAN behavior.
Activity: Change or Delete VLAN Membership
VLAN Trunks
A trunk port carries traffic for multiple VLANs. Trunks are commonly used between switches, between a switch and a router in router-on-a-stick designs, and between a switch and some servers or virtualization hosts.
Trunk configuration usually includes:
- setting the port to trunk mode,
- choosing the native VLAN,
- limiting the allowed VLAN list,
- disabling unnecessary trunk negotiation when appropriate.
Activity: Configure a Trunk
Dynamic Trunking Protocol
Dynamic Trunking Protocol (DTP) can negotiate whether a Cisco switch port becomes a trunk. Common modes include:
- access: Forces the port to act as an access port.
- trunk: Forces the port to act as a trunk.
- dynamic desirable: Actively tries to form a trunk.
- dynamic auto: Waits for the other side to request trunking.
For predictable and secure networks, manually configure trunk or access mode instead of relying on negotiation. On many Cisco switches, the switchport nonegotiate command stops the port from sending DTP messages once it has been manually configured as a trunk.
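The following Cisco IOS configuration applies the trunk and DTP guidance above, together with the VLAN creation and access-port assignment from the earlier sections; it is an added example, not configuration from the original module, and the interface names, VLAN numbers and the 192.0.2.10 management address are assumed lab values.

```cisco
! Create the VLANs. A dedicated, otherwise unused VLAN is reserved for
! the trunk native VLAN so that untagged frames never land in a data VLAN.
vlan 10
 name DATA
vlan 20
 name VOICE
vlan 99
 name MGMT
vlan 999
 name NATIVE_UNUSED
!
! Access port shared by a PC and an IP phone: fixed access mode, data
! VLAN for the PC, tagged voice VLAN for the phone, and no DTP negotiation.
interface GigabitEthernet1/0/5
 description User PC and IP phone
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport nonegotiate
 spanning-tree portfast
!
! Uplink trunk: forced trunk mode, unused native VLAN, pruned allowed
! list, and DTP disabled so the neighbour cannot renegotiate the link.
interface GigabitEthernet1/0/24
 description Trunk to distribution switch
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,99
 switchport nonegotiate
!
! Management SVI in the management VLAN rather than VLAN 1.
interface Vlan99
 ip address 192.0.2.10 255.255.255.0
 no shutdown
!
! Verification: confirm VLAN membership, trunk state, native VLAN,
! allowed list, and that the trunk is not negotiating via DTP.
! show vlan brief
! show interfaces trunk
! show interfaces GigabitEthernet1/0/24 switchport
! show dtp interface GigabitEthernet1/0/24
```

On platforms that support ISL as well as 802.1Q, add switchport trunk encapsulation dot1q before switchport mode trunk; on 802.1Q-only platforms the command is not accepted and is not needed.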
Activity: Verify DTP and Trunking
Summary
VLANs divide a switched network into separate broadcast domains. Access ports carry one data VLAN, voice-enabled access ports can support a voice VLAN, and trunk ports carry multiple VLANs using 802.1Q tags. Consistent trunk configuration and careful VLAN assignment are essential for reliable switched networks.