InfraRunBook

    What Is VLAN and Why It Is Used in Cisco Networks

    Cisco
    Published: Apr 1, 2026
    Updated: Apr 13, 2026

    A comprehensive technical guide to VLANs in Cisco networks, covering what VLANs are, why they are used, and how to configure them on IOS-XE switches. Includes step-by-step CLI examples for VLAN...


    VLAN (Virtual Local Area Network) is one of the most fundamental technologies in modern Cisco network design. Whether you are managing a small office switch stack or a multi-site enterprise campus, understanding VLANs is essential to building networks that are secure, scalable, and straightforward to troubleshoot. This article covers what VLANs are, why they matter, how they work on Cisco IOS and IOS-XE platforms, and how to configure them step by step on a real switch.

    What Is a VLAN?

    A VLAN is a logical segmentation of a physical switched network. Without VLANs, every device connected to a switch belongs to the same broadcast domain. Any broadcast frame sent by one device, such as an ARP request or a DHCP discover, is flooded out every other port on the switch, and so is any unicast frame whose destination MAC address the switch has not yet learned. As networks grow, this creates unnecessary traffic, security risks, and operational complexity.

    A VLAN solves this by partitioning the switch into multiple isolated Layer 2 broadcast domains. Devices in VLAN 10 cannot directly communicate with devices in VLAN 20 at Layer 2, even if they share the same physical switch chassis. Traffic must be routed at Layer 3 to pass between VLANs, giving network administrators a natural enforcement point for security policies and access control lists.

    VLANs are standardized by IEEE 802.1Q, the industry-standard tagging protocol that carries VLAN membership information across trunk links between switches, routers, and firewalls.

    Why Are VLANs Used in Cisco Networks?

    Broadcast Domain Reduction

    In a flat network with several hundred devices, every ARP request and DHCP discover is flooded to all switch ports simultaneously. VLANs contain these broadcasts within logical groups, dramatically reducing unnecessary traffic and improving switch forwarding performance. Smaller broadcast domains mean faster convergence, less CPU load on end hosts processing unwanted frames, and a quieter network baseline that is easier to monitor.

    Security Segmentation

    VLANs enforce Layer 2 isolation between departments, security zones, or device categories. A guest wireless VLAN can be kept entirely separate from the internal server VLAN. Even if a guest device is physically connected to the same switch as a production server, it cannot send Ethernet frames directly to that server without traversing a Layer 3 device where access control policies, firewall rules, and inspection engines can be applied.

    Operational Flexibility

    Users and devices can be grouped by function or security policy rather than by physical location. Moving a user from one department to another is a configuration change on the switch port, not a physical recabling operation. This is particularly valuable in environments with frequent organizational changes, hot-desking arrangements, or dynamic workloads.

    Voice and Data Separation

    Cisco IP phones use a dedicated voice VLAN to separate VoIP traffic from workstation data traffic on the same physical port. This allows QoS policies to prioritize voice packets with the correct Differentiated Services Code Point (DSCP) markings and Class of Service (CoS) values without affecting regular data traffic. The phone tags its own frames with the voice VLAN ID, while untagged frames from a PC connected behind the phone remain in the data VLAN.

    Compliance and Regulatory Segmentation

    Frameworks such as PCI-DSS require that cardholder data environments be isolated from general corporate networks. VLANs provide the Layer 2 segmentation boundary that, combined with Layer 3 access control and stateful firewall policies, satisfies these isolation requirements. Proper VLAN design documented with network diagrams and port assignments is often a direct requirement during compliance audits.

    VLAN Types on Cisco Switches

    Data VLAN

    The standard VLAN type for carrying user-generated traffic from workstations, servers, and printers. Each access port is assigned to exactly one data VLAN. The terms data VLAN and access VLAN are often used interchangeably in Cisco documentation and in day-to-day operations.

    Voice VLAN

    Configured on access ports connected to Cisco IP phones. The switch sends a CDP or LLDP advertisement to the phone, instructing it to tag its voice traffic with the voice VLAN ID. The PC sitting behind the phone sends untagged frames that are placed into the data VLAN. Both VLANs operate simultaneously on a single physical access port, which is the defining characteristic of a voice VLAN configuration.

    Native VLAN

    On an 802.1Q trunk link, frames belonging to the native VLAN are transmitted without a VLAN tag, and untagged frames received on the trunk are placed into the native VLAN. By default, the native VLAN is VLAN 1 on all Cisco switches. Cisco best practice is to change the native VLAN on every trunk to a dedicated VLAN that has no access ports and no hosts, which removes the precondition for double-tagging VLAN hopping; the global command vlan dot1q tag native additionally makes the switch tag native VLAN frames on trunks, so no untagged data frames cross them at all. Both ends of a trunk must agree on the native VLAN, otherwise frames leak between VLANs and CDP logs a native VLAN mismatch.

    Management VLAN

    A dedicated VLAN used exclusively for switch management traffic — SSH sessions, SNMP polling, syslog messages, and NTP synchronization. Isolating management traffic in its own VLAN limits the attack surface of the switch control plane and makes it straightforward to apply ACLs that restrict management access to authorized administrative hosts only.

    Default VLAN

    VLAN 1 is the factory default on all Cisco switches. All ports begin as members of VLAN 1 and it cannot be deleted or renamed. Cisco Layer 2 control protocols such as CDP, VTP, PAgP, and DTP use VLAN 1 by default and are transmitted untagged on trunks. Best practice is to move all production and user-facing traffic off VLAN 1 and leave it carrying only the control-plane traffic that cannot be moved.

    How IEEE 802.1Q Tagging Works

    When a frame crosses a trunk link, the transmitting switch inserts a 4-byte 802.1Q tag into the Ethernet frame header immediately after the source MAC address field. This tag contains four sub-fields:

    • TPID (Tag Protocol Identifier): Fixed value of 0x8100, identifying this as a tagged 802.1Q frame to all downstream devices
    • PCP (Priority Code Point): 3-bit Class of Service value used by QoS mechanisms to make forwarding priority decisions
    • DEI (Drop Eligible Indicator): 1-bit field used in congestion management to identify frames that should be discarded first when buffers are full
    • VID (VLAN Identifier): 12-bit field carrying the VLAN ID, supporting values from 1 to 4094 with 0 and 4095 reserved

    The receiving switch reads the VID, makes a forwarding decision based on the destination MAC address within the matching VLAN's MAC address table, and strips the tag before delivering the frame out an access port to the end device. End devices are entirely unaware that tagging took place.
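    The tag walk described above, as an added example that is not part of the original article: a small Python parser for stacked 802.1Q tags together with a simplified model of what an access port and a trunk do with those tags. The model (the outer VID selects the VLAN, exactly one tag is removed when a native-VLAN frame leaves a trunk, an access port accepts a frame already tagged with its own VLAN) is my assumption of Cisco behaviour for illustration only, and every frame is constructed in the code. The same functions reproduce the double-tagging VLAN hop that the trunk configuration section below warns about.

```python
"""Added example for this article, not code from the original page: parse the
802.1Q tag stack of an Ethernet frame and model the one step on a trunk, the
untagging of native-VLAN frames, that a double-tagging VLAN hop depends on.
The switch model is a simplification assumed for illustration (outer VID picks
the VLAN, exactly one tag is removed on native egress, an access port accepts a
frame already tagged with its own VLAN). Every frame here is constructed."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Set

TPID_8021Q = 0x8100  # Tag Protocol Identifier announcing an 802.1Q tag


@dataclass
class Tag:
    pcp: int  # 3-bit Priority Code Point
    dei: int  # 1-bit Drop Eligible Indicator
    vid: int  # 12-bit VLAN Identifier


@dataclass
class Frame:
    dst: bytes
    src: bytes
    tags: List[Tag]  # outermost first; empty for an untagged frame
    ethertype: int
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    """Walk the header after the source MAC, consuming every stacked 802.1Q tag."""
    off, tags = 12, []
    while True:
        if len(raw) < off + 2:
            raise ValueError("truncated frame")
        (etype,) = struct.unpack_from("!H", raw, off)
        if etype != TPID_8021Q:
            break
        if len(raw) < off + 4:
            raise ValueError("truncated tag")
        (tci,) = struct.unpack_from("!H", raw, off + 2)  # Tag Control Information
        tags.append(Tag(pcp=tci >> 13, dei=(tci >> 12) & 1, vid=tci & 0x0FFF))
        off += 4
    return Frame(raw[:6], raw[6:12], tags, etype, raw[off + 2:])


def build_frame(dst: bytes, src: bytes, vids: List[int], ethertype: int, payload: bytes) -> bytes:
    """Assemble a frame carrying vids as stacked tags, outermost first (PCP 0, DEI 0)."""
    hdr = dst + src
    for vid in vids:
        if not 1 <= vid <= 4094:
            raise ValueError("VID outside 1..4094")
        hdr += struct.pack("!HH", TPID_8021Q, vid)
    return hdr + struct.pack("!H", ethertype) + payload


def access_ingress(raw: bytes, access_vlan: int) -> Optional[bytes]:
    """Access-port receive: untagged frames get the access VLAN tag; a frame already
    tagged with that VID is accepted unchanged; any other tag is dropped (None)."""
    f = parse_frame(raw)
    if not f.tags:
        return raw[:12] + struct.pack("!HH", TPID_8021Q, access_vlan) + raw[12:]
    return raw if f.tags[0].vid == access_vlan else None


def trunk_egress(raw: bytes, native_vlan: int, allowed: Set[int],
                 tag_native: bool = False) -> Optional[bytes]:
    """Trunk transmit: the outer VID selects the VLAN and must be allowed. A native-VLAN
    frame leaves with that one tag removed unless native tagging is on; whatever tag
    sits underneath is left alone, which is the behaviour the attacker counts on."""
    f = parse_frame(raw)
    if not f.tags or f.tags[0].vid not in allowed:
        return None
    if f.tags[0].vid == native_vlan and not tag_native:
        return raw[:12] + raw[16:]  # strip exactly one 4-byte tag
    return raw


def trunk_ingress(raw: bytes, native_vlan: int, allowed: Set[int]) -> Optional[int]:
    """Trunk receive: the VLAN the frame lands in, or None if it is dropped."""
    f = parse_frame(raw)
    vlan = f.tags[0].vid if f.tags else native_vlan
    return vlan if vlan in allowed else None


def vlan_hop(attacker_vlan: int, target_vlan: int, native_vlan: int,
             allowed: Set[int], tag_native: bool = False) -> Optional[int]:
    """Send a double-tagged frame from an attacker's access port across one trunk and
    report the VLAN it lands in on the far switch (None = it never gets there)."""
    dst = bytes.fromhex("ffffffffffff")  # broadcast destination, constructed
    src = bytes.fromhex("020000c0ffee")  # locally administered source, constructed
    frame = build_frame(dst, src, [attacker_vlan, target_vlan], 0x0800, b"\x00" * 46)
    frame = access_ingress(frame, attacker_vlan)
    if frame is not None:
        frame = trunk_egress(frame, native_vlan, allowed, tag_native)
    if frame is None:
        return None
    return trunk_ingress(frame, native_vlan, allowed)


if __name__ == "__main__":
    ok = {1, 10, 20, 30, 99}
    print("native VLAN 1, attacker in VLAN 1 ->", vlan_hop(1, 10, 1, ok))        # 10: hop succeeds
    print("native VLAN 999, same attacker    ->", vlan_hop(1, 10, 999, ok))      # 1: stays in VLAN 1
    print("native VLAN 1 but tagged natively ->", vlan_hop(1, 10, 1, ok, True))  # 1: stays in VLAN 1
```

    The allowed set in the usage lines deliberately includes VLAN 1 so that the attacker's own VLAN is permitted on the trunk; if VLAN 1 is pruned from the trunk, the frame is simply dropped at egress. The interesting result is the first one: with the native VLAN equal to the attacker's VLAN, the outer tag disappears on the trunk and the far switch places the frame into VLAN 10. Moving the native VLAN to 999, or tagging it, leaves the frame in VLAN 1 where it started.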

    Configuring VLANs on Cisco IOS-XE

    All examples below apply to sw-infrarunbook-01, a Cisco Catalyst switch running IOS-XE. The administrative user is infrarunbook-admin and management addresses use RFC 1918 space.

    Step 1: Create VLANs in the VLAN Database

    sw-infrarunbook-01# configure terminal
    sw-infrarunbook-01(config)# vlan 10
    sw-infrarunbook-01(config-vlan)# name SERVERS
    sw-infrarunbook-01(config-vlan)# exit
    sw-infrarunbook-01(config)# vlan 20
    sw-infrarunbook-01(config-vlan)# name WORKSTATIONS
    sw-infrarunbook-01(config-vlan)# exit
    sw-infrarunbook-01(config)# vlan 30
    sw-infrarunbook-01(config-vlan)# name VOICE
    sw-infrarunbook-01(config-vlan)# exit
    sw-infrarunbook-01(config)# vlan 99
    sw-infrarunbook-01(config-vlan)# name MANAGEMENT
    sw-infrarunbook-01(config-vlan)# exit
    sw-infrarunbook-01(config)# vlan 999
    sw-infrarunbook-01(config-vlan)# name NATIVE-UNUSED
    sw-infrarunbook-01(config-vlan)# exit

    Step 2: Assign Access Ports to VLANs

    sw-infrarunbook-01(config)# interface GigabitEthernet0/1
    sw-infrarunbook-01(config-if)# description SERVER-01
    sw-infrarunbook-01(config-if)# switchport mode access
    sw-infrarunbook-01(config-if)# switchport access vlan 10
    sw-infrarunbook-01(config-if)# spanning-tree portfast
    sw-infrarunbook-01(config-if)# spanning-tree bpduguard enable
    sw-infrarunbook-01(config-if)# exit
    
    sw-infrarunbook-01(config)# interface GigabitEthernet0/2
    sw-infrarunbook-01(config-if)# description WORKSTATION-DESK-A3
    sw-infrarunbook-01(config-if)# switchport mode access
    sw-infrarunbook-01(config-if)# switchport access vlan 20
    sw-infrarunbook-01(config-if)# switchport voice vlan 30
    sw-infrarunbook-01(config-if)# spanning-tree portfast
    sw-infrarunbook-01(config-if)# spanning-tree bpduguard enable
    sw-infrarunbook-01(config-if)# exit

    Step 3: Configure a Trunk Port

    Trunk ports carry tagged traffic for multiple VLANs between switches or between a switch and a router. Always restrict the allowed VLAN list to only the VLANs that legitimately need to traverse the link — this is both a security measure and a performance optimization.

    sw-infrarunbook-01(config)# interface GigabitEthernet0/24
    sw-infrarunbook-01(config-if)# description UPLINK-TO-CORE
    sw-infrarunbook-01(config-if)# switchport trunk encapsulation dot1q
    sw-infrarunbook-01(config-if)# switchport mode trunk
    sw-infrarunbook-01(config-if)# switchport nonegotiate
    sw-infrarunbook-01(config-if)# switchport trunk native vlan 999
    sw-infrarunbook-01(config-if)# switchport trunk allowed vlan 10,20,30,99
    sw-infrarunbook-01(config-if)# no shutdown
    sw-infrarunbook-01(config-if)# exit
    Configuration note: On platforms that support more than one trunk encapsulation, switchport trunk encapsulation dot1q must be entered before switchport mode trunk, otherwise the mode command is rejected while the encapsulation is still set to auto. On IOS-XE platforms that support only 802.1Q, such as the Catalyst 9000 series, the encapsulation command is not offered and is simply omitted. switchport nonegotiate stops the port from sending DTP frames, so the trunk is hard-coded rather than negotiated with whatever is on the other end.
    Security note: Setting the native VLAN to a dedicated VLAN with no hosts (999 in this example) addresses double-tagging VLAN hopping. The attack works like this: an attacker whose access port sits in the same VLAN as the trunk's native VLAN sends a frame carrying two 802.1Q tags, the outer one matching the native VLAN and the inner one naming the target VLAN. The first switch accepts the frame, and because the frame belongs to the native VLAN it removes the outer tag when forwarding it across the trunk, leaving the inner tag exposed. The next switch reads that inner tag and delivers the frame into the target VLAN, bypassing any Layer 3 policy. The attack is one-way (no replies can come back) and only works when the attacker's VLAN and the native VLAN coincide, which is exactly the condition an unused native VLAN removes. Add vlan dot1q tag native globally where the platform supports it so that native VLAN frames are tagged as well, and never use VLAN 1 as the native VLAN in production environments.

    Step 4: Configure the Management SVI

    A Switched Virtual Interface (SVI) is a Layer 3 logical interface that represents a VLAN on the switch. On a Layer 2 access switch a single SVI is typically used for management; on a multilayer switch an SVI can also serve as the default gateway for the hosts in that VLAN. Creating an SVI for the management VLAN gives the switch an IP address reachable over the network for SSH, SNMP, and syslog communications. The ip default-gateway command below is honoured only while IP routing is disabled; a switch with ip routing enabled ignores it and needs a static default route instead.

    sw-infrarunbook-01(config)# interface Vlan99
    sw-infrarunbook-01(config-if)# description MANAGEMENT-SVI
    sw-infrarunbook-01(config-if)# ip address 10.99.0.10 255.255.255.0
    sw-infrarunbook-01(config-if)# no shutdown
    sw-infrarunbook-01(config-if)# exit
    
    sw-infrarunbook-01(config)# ip default-gateway 10.99.0.1

    Inter-VLAN Routing

    Because VLANs create isolated Layer 2 domains, devices in different VLANs cannot exchange traffic without going through a Layer 3 device. Cisco provides three primary methods for inter-VLAN routing in production environments.

    Router-on-a-Stick

    A single physical router interface connects to a trunk port on the switch. Logical subinterfaces are created on the router for each VLAN, each assigned an IP address that acts as the default gateway for hosts in that VLAN. This approach is simple to implement but introduces a single-link bottleneck for all inter-VLAN traffic.

    Router(config)# interface GigabitEthernet0/0
    Router(config-if)# no shutdown
    Router(config-if)# exit
    
    Router(config)# interface GigabitEthernet0/0.10
    Router(config-subif)# encapsulation dot1Q 10
    Router(config-subif)# ip address 10.10.0.1 255.255.255.0
    Router(config-subif)# exit
    
    Router(config)# interface GigabitEthernet0/0.20
    Router(config-subif)# encapsulation dot1Q 20
    Router(config-subif)# ip address 10.20.0.1 255.255.255.0
    Router(config-subif)# exit

    Layer 3 Switch with SVIs

    On a Cisco multilayer switch such as the Catalyst 3850 or 9300 series, enabling IP routing and creating SVIs for each VLAN allows the switch to route between VLANs in hardware. This is the preferred approach in campus environments because inter-VLAN routing happens locally on the switch rather than being hairpinned through a dedicated router uplink. Once ip routing is enabled the switch ignores ip default-gateway, so it needs a static default route (or a routing protocol) for any destination beyond its directly connected VLANs, including the path back to management hosts on other networks.
    
    sw-infrarunbook-01(config)# ip routing
    sw-infrarunbook-01(config)# ip route 0.0.0.0 0.0.0.0 10.99.0.1
    
    sw-infrarunbook-01(config)# interface Vlan10
    sw-infrarunbook-01(config-if)# ip address 10.10.0.1 255.255.255.0
    sw-infrarunbook-01(config-if)# no shutdown
    sw-infrarunbook-01(config-if)# exit
    
    sw-infrarunbook-01(config)# interface Vlan20
    sw-infrarunbook-01(config-if)# ip address 10.20.0.1 255.255.255.0
    sw-infrarunbook-01(config-if)# no shutdown
    sw-infrarunbook-01(config-if)# exit

    Firewall-Enforced Inter-VLAN Routing

    For strict security zones — such as between a PCI cardholder data environment and a general office VLAN — all inter-VLAN traffic is routed through a dedicated firewall appliance. The firewall performs stateful packet inspection and applies zone-based or interface-based ACLs before permitting any cross-VLAN communication. This approach provides the strongest security boundary and is commonly required to satisfy compliance mandates, but it requires careful throughput planning to avoid creating a bottleneck.

    VLAN Trunking Protocol (VTP)

    VTP is a Cisco-proprietary Layer 2 messaging protocol that propagates VLAN database changes across a switch domain. A switch in VTP server mode can create, modify, or delete VLANs, and those changes are automatically pushed to all VTP client switches in the same domain. While this reduces manual VLAN provisioning effort in large environments, VTP carries a well-known operational risk: a switch that previously served as a VTP server or client elsewhere, still carrying the same domain name (and password, if one is set) and a higher configuration revision number, overwrites the VLAN database on every server and client in the domain the moment it is connected, deleting every VLAN it does not know about and taking the access ports in those VLANs out of service. A genuinely factory-reset switch starts at revision 0 and cannot do this; the dangerous case is the switch pulled from a lab or a decommissioned site. VTP version 3 limits the damage by allowing only one explicitly promoted primary server to change the database, but the revision-number behaviour of versions 1 and 2 is the reason most teams avoid server and client modes altogether.

    The recommended approach in production environments is to configure all switches in VTP transparent mode. In this mode a switch maintains its own local VLAN database and relays VTP advertisements it receives to its neighbours, but never applies them. The domain name and password change nothing about the local database on a transparent switch; they only affect how received advertisements are relayed. VTP version 3 also offers vtp mode off, which stops relaying as well. Confirm the result with show vtp status.

    sw-infrarunbook-01(config)# vtp mode transparent
    sw-infrarunbook-01(config)# vtp domain solvethenetwork.com
    sw-infrarunbook-01(config)# vtp password Str0ng-VTP-Pass!

    Verifying VLAN Configuration

    Use the following show commands on sw-infrarunbook-01 to confirm that VLANs, port assignments, and trunk links are configured as expected.

    Show VLAN Brief

    sw-infrarunbook-01# show vlan brief
    
    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- ------------------------------
    1    default                          active
    10   SERVERS                          active    Gi0/1
    20   WORKSTATIONS                     active    Gi0/2
    30   VOICE                            active    Gi0/2
    99   MANAGEMENT                       active
    999  NATIVE-UNUSED                    active
    1002 fddi-default                     act/unsup
    1003 token-ring-default               act/unsup
    1004 fddinet-default                  act/unsup
    1005 trnet-default                    act/unsup

    Show Interfaces Trunk

    sw-infrarunbook-01# show interfaces trunk
    
    Port        Mode         Encapsulation  Status        Native vlan
    Gi0/24      on           802.1q         trunking      999
    
    Port        Vlans allowed on trunk
    Gi0/24      10,20,30,99
    
    Port        Vlans allowed and active in management domain
    Gi0/24      10,20,30,99
    
    Port        Vlans in spanning tree forwarding state and not pruned
    Gi0/24      10,20,30,99

    Show Switchport Detail

    sw-infrarunbook-01# show interfaces GigabitEthernet0/1 switchport
    
    Name: Gi0/1
    Switchport: Enabled
    Administrative Mode: static access
    Operational Mode: static access
    Administrative Trunking Encapsulation: dot1q
    Negotiation of Trunking: Off
    Access Mode VLAN: 10 (SERVERS)
    Trunking Native Mode VLAN: 1 (default)
    Voice VLAN: none

    VLAN Security Best Practices

    • Move all production ports off VLAN 1. VLAN 1 carries Cisco control-plane protocols by default. Leaving user or server traffic on VLAN 1 increases exposure and complicates access control.
    • Set the native VLAN to a dedicated unused VLAN on all trunk ports, and hard-code port modes. Choose a VLAN ID such as 999 that is never assigned to any end device and apply it consistently across all trunk links in the infrastructure, since a native VLAN mismatch between the two ends of a trunk leaks frames between VLANs. Give every port an explicit switchport mode access or switchport mode trunk and add switchport nonegotiate to trunks, so that DTP cannot turn a port into a trunk on behalf of whatever is plugged into it.
    • Restrict the trunk allowed VLAN list explicitly. Only permit VLANs that genuinely need to traverse each trunk. Pruning unnecessary VLANs limits the blast radius of a misconfiguration and reduces broadcast overhead on trunk links.
    • Run VTP in transparent mode. Avoid VTP server and client modes in production environments to eliminate the risk of accidental VLAN database propagation from a rogue or factory-reset switch.
    • Enable BPDU Guard on all access ports. Combined with PortFast, BPDU Guard puts an access port into the errdisable state the moment a BPDU arrives on it, so an unauthorised switch (or a host running bridging software) plugged into that port is cut off rather than allowed to influence the spanning tree topology. Configure errdisable recovery cause bpduguard with a sensible interval so a transient event does not leave the port down until someone visits it, and watch the resulting syslog messages: a port that repeatedly trips BPDU Guard is worth investigating.
    • Pair VLANs with DHCP snooping and Dynamic ARP Inspection (DAI). DHCP snooping prevents unauthorized DHCP servers from responding to client requests within a VLAN. DAI validates ARP packets against the DHCP snooping binding table to prevent ARP spoofing and man-in-the-middle attacks.
    • Apply ACLs to the management SVI. Restrict SSH and SNMP access to the management interface to authorized administrative hosts within the 10.99.0.0/24 range. Deny all other inbound connections to the SVI.
    • Audit VLAN membership regularly. Remove VLANs that are no longer in use and ensure every active VLAN is documented with its purpose, IP subnet, and responsible team. Stale VLANs permitted on trunk links expand the attack surface unnecessarily.
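    As an added example (not part of the original article), a Python audit that applies the checks above to a saved show running-config: trunks with native VLAN 1, with no allowed-VLAN list, or with DTP still enabled; non-trunk ports left in dynamic mode, in VLAN 1, or without BPDU Guard; and a VTP mode other than transparent or off. The finding codes, the parser and the sample configuration are my own; the configuration is constructed to look like IOS-XE output and is not taken from a real switch. The parser relies on IOS indenting stanza lines by one space and ending each stanza with a bare !.

```python
"""Added example (not from the original article): audit a saved Cisco running-config
for the VLAN hardening points above. Finding codes, the parser and the sample config
are my own; the config is constructed to resemble IOS-XE output, not taken from a switch."""
from typing import Dict, List, Tuple

# Constructed sample: clean server port, half-configured port, factory-default port,
# shut port, legacy uplink, hardened uplink, management SVI.
SAMPLE_CONFIG = """\
vtp mode server
!
vlan 10
 name SERVERS
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
 switchport access vlan 50
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
 shutdown
!
interface GigabitEthernet0/23
 switchport mode trunk
!
interface GigabitEthernet0/24
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30,99
 switchport mode trunk
 switchport nonegotiate
!
interface Vlan99
 ip address 10.99.0.10 255.255.255.0
!
end
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """IOS indents stanza lines by one space and closes each stanza with a bare '!'."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return stanzas


def last_int(lines: List[str], prefix: str, default: int) -> int:
    """Numeric argument of the last command starting with prefix, else default."""
    return next((int(ln.split()[-1]) for ln in reversed(lines) if ln.startswith(prefix)), default)


def audit_interface(name: str, lines: List[str], global_bpduguard: bool) -> List[Tuple[str, str]]:
    out = []
    # SVIs, routed ports and administratively down ports are out of scope for these checks.
    if name.startswith(("Vlan", "Loopback", "Tunnel")) or "no switchport" in lines or "shutdown" in lines:
        return out
    mode = next((ln.split()[2] for ln in lines if ln.startswith("switchport mode ")), None)
    if mode == "trunk":
        if last_int(lines, "switchport trunk native vlan ", 1) == 1:
            out.append((name, "native-vlan-1"))
        allowed = next((ln for ln in lines if ln.startswith("switchport trunk allowed vlan ")),
                       "switchport trunk allowed vlan all")  # IOS default when the line is absent
        if allowed.endswith(" all"):
            out.append((name, "allowed-all"))
        if "switchport nonegotiate" not in lines:
            out.append((name, "dtp-on-trunk"))
    else:
        if mode != "access":  # no mode, or dynamic: DTP can turn the port into a trunk
            out.append((name, "dynamic-mode"))
        if last_int(lines, "switchport access vlan ", 1) == 1:
            out.append((name, "access-vlan-1"))
        portfast = any(ln.startswith("spanning-tree portfast") for ln in lines)
        if "spanning-tree bpduguard enable" not in lines and not (global_bpduguard and portfast):
            out.append((name, "no-bpduguard"))
    return out


def audit_config(config: str) -> List[Tuple[str, str]]:
    """Global VTP check plus every interface stanza; returns (scope, finding-code) pairs."""
    lines = config.splitlines()
    out = []
    vtp_mode = next((ln.split()[-1] for ln in lines if ln.startswith("vtp mode ")), "server")  # IOS default
    if vtp_mode not in ("transparent", "off"):
        out.append(("global", "vtp-mode-" + vtp_mode))
    global_bpduguard = "spanning-tree portfast bpduguard default" in lines
    for name, body in parse_interfaces(config).items():
        out.extend(audit_interface(name, body, global_bpduguard))
    return out
```

    Running audit_config(SAMPLE_CONFIG) flags the VTP server mode, the legacy uplink on all three trunk checks, the half-configured printer port for dynamic mode and missing BPDU Guard, and the factory-default port for all three access checks; the hardened uplink, the server port, the shut port and the SVI produce nothing. The global spanning-tree portfast bpduguard default command is honoured for ports that have PortFast, which is the one case where a per-port bpduguard line is not needed.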

    VLAN Numbering Scheme

    Cisco IOS supports VLAN IDs 1 through 4094. VLANs 1002 through 1005 are reserved for legacy FDDI and Token Ring use and cannot be deleted; neither can VLAN 1. The normal range (1 to 1005) is supported in all VTP modes and versions. The extended range (1006 to 4094) can be created on a switch in VTP transparent (or off) mode, or on any switch running VTP version 3, the only version that propagates extended-range VLANs; a VTP version 1 or 2 server or client refuses to create them.

    A consistent, documented VLAN numbering scheme reduces provisioning errors across the team. A practical scheme for a campus deployment centered on sw-infrarunbook-01 might be structured as follows:

    • VLAN 10 — Servers (10.10.0.0/24, gateway 10.10.0.1)
    • VLAN 20 — Workstations (10.20.0.0/24, gateway 10.20.0.1)
    • VLAN 30 — Voice (10.30.0.0/24, gateway 10.30.0.1)
    • VLAN 40 — Wireless Clients (10.40.0.0/24, gateway 10.40.0.1)
    • VLAN 50 — Printers (10.50.0.0/24, gateway 10.50.0.1)
    • VLAN 60 — IoT and OT Devices (10.60.0.0/24, gateway 10.60.0.1)
    • VLAN 70 — Guest and Untrusted (10.70.0.0/24, gateway 10.70.0.1)
    • VLAN 99 — Management (10.99.0.0/24, gateway 10.99.0.1)
    • VLAN 999 — Native Unused (no IP addressing, no hosts assigned)


    Frequently Asked Questions

    What is a VLAN in simple terms?

    A VLAN is a way to logically divide a physical switch into multiple separate networks. Devices in different VLANs cannot communicate directly at Layer 2, even if they are plugged into ports on the same physical switch. It creates multiple virtual switches from a single piece of hardware, each with its own isolated broadcast domain.

    What is the difference between a VLAN and a subnet?

    A VLAN is a Layer 2 concept that defines which switch ports share the same broadcast domain. A subnet is a Layer 3 concept that defines a range of IP addresses sharing the same network prefix. Each VLAN is typically paired with one IP subnet, but they are distinct constructs: VLANs exist at the switching layer while subnets exist at the routing layer.

    Can devices on different VLANs communicate with each other?

    Yes, but only through a Layer 3 device such as a router, a multilayer switch with IP routing enabled, or a firewall. Layer 2 frames cannot cross VLAN boundaries on their own. The Layer 3 device performs inter-VLAN routing by receiving the packet, making a routing decision based on the destination IP, and forwarding it into the appropriate VLAN.

    What is the native VLAN on a Cisco trunk and why does it matter?

    The native VLAN is the VLAN whose traffic crosses an 802.1Q trunk untagged (VLAN 1 by default). It matters for security because of double-tagging: an attacker whose access port is in the native VLAN can send a frame with two tags, the first switch strips the outer (native) tag on the trunk, and the next switch reads the inner tag and delivers the frame into a VLAN the attacker should not be able to reach. Moving the native VLAN to a dedicated VLAN that contains no hosts removes the condition the attack needs; tagging the native VLAN (vlan dot1q tag native) closes it regardless of which VLAN an attacker sits in.

    What is the difference between an access port and a trunk port?

    An access port carries untagged traffic for exactly one VLAN and connects to end devices like workstations and servers. A trunk port carries 802.1Q-tagged traffic for multiple VLANs simultaneously and connects to other switches, routers, or firewalls that participate in multiple VLANs.

    What is a voice VLAN on a Cisco switch and how does it work?

    A voice VLAN is a secondary VLAN configured alongside the data VLAN on an access port. When a Cisco IP phone connects, the switch advertises the voice VLAN ID via CDP or LLDP. The phone tags its VoIP frames with that ID, while the PC behind the phone sends untagged frames into the data VLAN. Both traffic streams use the same physical port and cable.

    What is VTP and should I use it in production?

    VTP (VLAN Trunking Protocol) automatically synchronizes VLAN database changes across Cisco switches in the same domain. It is generally not recommended for production use because a single switch with a higher VTP revision number can overwrite and delete the VLAN database across the entire domain. Most engineers configure all switches in VTP transparent mode and manage VLAN changes manually or through automation.

    What is an SVI on a Cisco switch?

    SVI stands for Switched Virtual Interface. It is a virtual Layer 3 interface on a multilayer switch representing a VLAN. An SVI gives the switch an IP address for management access on that VLAN. On multilayer switches with ip routing enabled, SVIs also serve as the default gateways for hosts in each VLAN, enabling hardware-accelerated inter-VLAN routing.

    How many VLANs can a Cisco switch support?

    Cisco IOS supports VLAN IDs 1 through 4094 for active VLANs. VLANs 1002 through 1005 are reserved for legacy protocols. The normal range (1 to 1005) works in all VTP modes and versions. The extended range (1006 to 4094) requires VTP transparent (or off) mode, or VTP version 3, which is the only version able to carry extended-range VLANs in its advertisements. The practical limit depends on the specific platform: each model supports a fixed number of active VLANs and per-VLAN spanning-tree instances, which is listed in its data sheet.

    How do I verify VLAN assignments on a Cisco switch?

    Use 'show vlan brief' to see all active VLANs and their port assignments. Use 'show interfaces trunk' to verify allowed and active VLANs on trunk links. Use 'show interfaces GigabitEthernetX/X switchport' to inspect the VLAN assignment and mode of a specific port. Use 'show vtp status' to confirm VTP mode and domain configuration.
