VLAN (Virtual Local Area Network) is one of the most fundamental technologies in modern Cisco network design. Whether you are managing a small office switch stack or a multi-site enterprise campus, understanding VLANs is essential to building networks that are secure, scalable, and straightforward to troubleshoot. This article covers what VLANs are, why they matter, how they work on Cisco IOS and IOS-XE platforms, and how to configure them step by step on a real switch.
What Is a VLAN?
A VLAN is a logical segmentation of a physical switched network. Without VLANs, every device connected to a switch belongs to the same broadcast domain. Any broadcast frame sent by one device — an ARP request, a DHCP discover, a spanning-tree BPDU — is forwarded out every other port on the switch. As networks grow, this creates unnecessary traffic, security risks, and operational complexity.
A VLAN solves this by partitioning the switch into multiple isolated Layer 2 broadcast domains. Devices in VLAN 10 cannot directly communicate with devices in VLAN 20 at Layer 2, even if they share the same physical switch chassis. Traffic must be routed at Layer 3 to pass between VLANs, giving network administrators a natural enforcement point for security policies and access control lists.
VLANs are standardized by IEEE 802.1Q, the industry-standard tagging protocol that carries VLAN membership information across trunk links between switches, routers, and firewalls.
Why Are VLANs Used in Cisco Networks?
Broadcast Domain Reduction
In a flat network with several hundred devices, every ARP request and DHCP discover is flooded to all switch ports simultaneously. VLANs contain these broadcasts within logical groups, dramatically reducing unnecessary traffic and improving switch forwarding performance. Smaller broadcast domains mean faster convergence, less CPU load on end hosts processing unwanted frames, and a quieter network baseline that is easier to monitor.
Security Segmentation
VLANs enforce Layer 2 isolation between departments, security zones, or device categories. A guest wireless VLAN can be kept entirely separate from the internal server VLAN. Even if a guest device is physically connected to the same switch as a production server, it cannot send Ethernet frames directly to that server without traversing a Layer 3 device where access control policies, firewall rules, and inspection engines can be applied.
Operational Flexibility
Users and devices can be grouped by function or security policy rather than by physical location. Moving a user from one department to another is a configuration change on the switch port, not a physical recabling operation. This is particularly valuable in environments with frequent organizational changes, hot-desking arrangements, or dynamic workloads.
Voice and Data Separation
Cisco IP phones use a dedicated voice VLAN to separate VoIP traffic from workstation data traffic on the same physical port. This allows QoS policies to prioritize voice packets with the correct Differentiated Services Code Point (DSCP) markings and Class of Service (CoS) values without affecting regular data traffic. The phone tags its own frames with the voice VLAN ID, while untagged frames from a PC connected behind the phone remain in the data VLAN.
Compliance and Regulatory Segmentation
Frameworks such as PCI-DSS require that cardholder data environments be isolated from general corporate networks. VLANs provide the Layer 2 segmentation boundary that, combined with Layer 3 access control and stateful firewall policies, satisfies these isolation requirements. Proper VLAN design documented with network diagrams and port assignments is often a direct requirement during compliance audits.
VLAN Types on Cisco Switches
Data VLAN
The standard VLAN type for carrying user-generated traffic from workstations, servers, and printers. Each access port is assigned to exactly one data VLAN. The terms data VLAN and access VLAN are often used interchangeably in Cisco documentation and in day-to-day operations.
Voice VLAN
Configured on access ports connected to Cisco IP phones. The switch sends a CDP or LLDP advertisement to the phone, instructing it to tag its voice traffic with the voice VLAN ID. The PC sitting behind the phone sends untagged frames that are placed into the data VLAN. Both VLANs operate simultaneously on a single physical access port, which is the defining characteristic of a voice VLAN configuration.
Native VLAN
On an 802.1Q trunk link, frames belonging to the native VLAN are transmitted without a VLAN tag. By default, the native VLAN is VLAN 1 on all Cisco switches. Cisco best practice is to change the native VLAN to an unused, dedicated VLAN on all trunk ports to prevent double-tagging VLAN hopping attacks.
Management VLAN
A dedicated VLAN used exclusively for switch management traffic — SSH sessions, SNMP polling, syslog messages, and NTP synchronization. Isolating management traffic in its own VLAN limits the attack surface of the switch control plane and makes it straightforward to apply ACLs that restrict management access to authorized administrative hosts only.
Default VLAN
VLAN 1 is the factory default on all Cisco switches. All ports begin as members of VLAN 1 and it cannot be deleted or renamed. Every Cisco control-plane protocol — CDP, VTP, PAgP, and DTP — operates on VLAN 1 by default. Best practice is to move all production and user-facing traffic off VLAN 1 and leave it carrying only unavoidable control-plane traffic.
How IEEE 802.1Q Tagging Works
When a frame crosses a trunk link, the transmitting switch inserts a 4-byte 802.1Q tag into the Ethernet frame header immediately after the source MAC address field. This tag contains four sub-fields:
- TPID (Tag Protocol Identifier): Fixed value of 0x8100, identifying this as a tagged 802.1Q frame to all downstream devices
- PCP (Priority Code Point): 3-bit Class of Service value used by QoS mechanisms to make forwarding priority decisions
- DEI (Drop Eligible Indicator): 1-bit field used in congestion management to identify frames that should be discarded first when buffers are full
- VID (VLAN Identifier): 12-bit field carrying the VLAN ID, supporting values from 1 to 4094 with 0 and 4095 reserved
The receiving switch reads the VID, makes a forwarding decision based on the destination MAC address within the matching VLAN's MAC address table, and strips the tag before delivering the frame out an access port to the end device. End devices are entirely unaware that tagging took place.
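As an added illustration (not code from the original article), the Python below parses and builds the 4-byte tag described above on constructed Ethernet frames; the frame bytes, names and the helper functions are assumptions. It also shows what a frame carrying two stacked tags looks like on the wire, which is the pattern a double-tagging attempt produces and the reason the native VLAN matters later in this article.

```python
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100  # Tag Protocol Identifier marking a frame as 802.1Q-tagged


@dataclass
class Dot1qTag:
    pcp: int  # 3-bit Priority Code Point (CoS)
    dei: int  # 1-bit Drop Eligible Indicator
    vid: int  # 12-bit VLAN Identifier, usable values 1-4094


def parse_frame(frame: bytes):
    """Return (dst_mac, src_mac, tags, ethertype, payload) for an Ethernet frame.

    Tags are listed outer to inner; a switch only ever acts on the outermost one,
    which is why a frame carrying two tags is the double-tagging pattern."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, offset, tags = frame[0:6], frame[6:12], 12, []
    ethertype = struct.unpack_from("!H", frame, offset)[0]
    while ethertype == TPID_8021Q:
        if len(frame) < offset + 6:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        tags.append(Dot1qTag(pcp=tci >> 13, dei=(tci >> 12) & 1, vid=tci & 0x0FFF))
        offset += 4  # step over TPID + TCI
        ethertype = struct.unpack_from("!H", frame, offset)[0]
    return dst, src, tags, ethertype, frame[offset + 2:]


def add_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert a tag after the source MAC, as a switch does when sending out a trunk."""
    if not 1 <= vid <= 4094:  # 0 and 4095 are reserved
        raise ValueError(f"VID {vid} outside the usable range 1-4094")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_outer_tag(frame: bytes) -> bytes:
    """Remove the outermost tag, as a switch does before delivering out an access port."""
    if len(frame) < 18 or struct.unpack_from("!H", frame, 12)[0] != TPID_8021Q:
        return frame
    return frame[:12] + frame[16:]


def is_double_tagged(frame: bytes) -> bool:
    """True when a second 802.1Q tag sits directly beneath the outer one."""
    return len(parse_frame(frame)[2]) > 1


# Constructed sample: a broadcast ARP request as it leaves a host NIC, untagged.
UNTAGGED_ARP = (bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")
                + b"\x08\x06" + bytes.fromhex("0001080006040001"))

if __name__ == "__main__":
    on_trunk = add_tag(UNTAGGED_ARP, vid=10, pcp=5)
    _, _, tags, etype, _ = parse_frame(on_trunk)
    print(f"tags={tags} inner ethertype=0x{etype:04x}")
    print("double tagged:", is_double_tagged(add_tag(on_trunk, vid=999)))
```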
Configuring VLANs on Cisco IOS-XE
All examples below apply to sw-infrarunbook-01, a Cisco Catalyst switch running IOS-XE. The administrative user is infrarunbook-admin and management addresses use RFC 1918 space.
Step 1: Create VLANs in the VLAN Database
sw-infrarunbook-01# configure terminal
sw-infrarunbook-01(config)# vlan 10
sw-infrarunbook-01(config-vlan)# name SERVERS
sw-infrarunbook-01(config-vlan)# exit
sw-infrarunbook-01(config)# vlan 20
sw-infrarunbook-01(config-vlan)# name WORKSTATIONS
sw-infrarunbook-01(config-vlan)# exit
sw-infrarunbook-01(config)# vlan 30
sw-infrarunbook-01(config-vlan)# name VOICE
sw-infrarunbook-01(config-vlan)# exit
sw-infrarunbook-01(config)# vlan 99
sw-infrarunbook-01(config-vlan)# name MANAGEMENT
sw-infrarunbook-01(config-vlan)# exit
sw-infrarunbook-01(config)# vlan 999
sw-infrarunbook-01(config-vlan)# name NATIVE-UNUSED
sw-infrarunbook-01(config-vlan)# exit
Step 2: Assign Access Ports to VLANs
sw-infrarunbook-01(config)# interface GigabitEthernet0/1
sw-infrarunbook-01(config-if)# description SERVER-01
sw-infrarunbook-01(config-if)# switchport mode access
sw-infrarunbook-01(config-if)# switchport access vlan 10
sw-infrarunbook-01(config-if)# spanning-tree portfast
sw-infrarunbook-01(config-if)# spanning-tree bpduguard enable
sw-infrarunbook-01(config-if)# exit
sw-infrarunbook-01(config)# interface GigabitEthernet0/2
sw-infrarunbook-01(config-if)# description WORKSTATION-DESK-A3
sw-infrarunbook-01(config-if)# switchport mode access
sw-infrarunbook-01(config-if)# switchport access vlan 20
sw-infrarunbook-01(config-if)# switchport voice vlan 30
sw-infrarunbook-01(config-if)# spanning-tree portfast
sw-infrarunbook-01(config-if)# spanning-tree bpduguard enable
sw-infrarunbook-01(config-if)# exit
Step 3: Configure a Trunk Port
Trunk ports carry tagged traffic for multiple VLANs between switches or between a switch and a router. Always restrict the allowed VLAN list to only the VLANs that legitimately need to traverse the link — this is both a security measure and a performance optimization.
sw-infrarunbook-01(config)# interface GigabitEthernet0/24
sw-infrarunbook-01(config-if)# description UPLINK-TO-CORE
sw-infrarunbook-01(config-if)# switchport trunk encapsulation dot1q
sw-infrarunbook-01(config-if)# switchport mode trunk
sw-infrarunbook-01(config-if)# switchport trunk native vlan 999
sw-infrarunbook-01(config-if)# switchport trunk allowed vlan 10,20,30,99
sw-infrarunbook-01(config-if)# no shutdown
sw-infrarunbook-01(config-if)# exit
Security note: Setting the native VLAN to an unused, dedicated VLAN (999 in this example) mitigates double-tagging VLAN hopping. That attack depends on the attacker's access port sitting in the trunk's native VLAN: the outer tag matches the native VLAN, so the first switch strips it and forwards the frame with the inner tag into a VLAN the attacker should not be able to reach. When no access port is ever assigned to VLAN 999, that precondition cannot be met. Never use VLAN 1 as the native VLAN in production environments.
Step 4: Configure the Management SVI
A Switched Virtual Interface (SVI) is a Layer 3 logical interface on a multilayer switch that represents a VLAN. Creating an SVI for the management VLAN gives the switch an IP address reachable over the network for SSH, SNMP, and syslog communications.
sw-infrarunbook-01(config)# interface Vlan99
sw-infrarunbook-01(config-if)# description MANAGEMENT-SVI
sw-infrarunbook-01(config-if)# ip address 10.99.0.10 255.255.255.0
sw-infrarunbook-01(config-if)# no shutdown
sw-infrarunbook-01(config-if)# exit
sw-infrarunbook-01(config)# ip default-gateway 10.99.0.1
Inter-VLAN Routing
Because VLANs create isolated Layer 2 domains, devices in different VLANs cannot exchange traffic without going through a Layer 3 device. Cisco provides three primary methods for inter-VLAN routing in production environments.
Router-on-a-Stick
A single physical router interface connects to a trunk port on the switch. Logical subinterfaces are created on the router for each VLAN, each assigned an IP address that acts as the default gateway for hosts in that VLAN. This approach is simple to implement but introduces a single-link bottleneck for all inter-VLAN traffic.
Router(config)# interface GigabitEthernet0/0
Router(config-if)# no shutdown
Router(config-if)# exit
Router(config)# interface GigabitEthernet0/0.10
Router(config-subif)# encapsulation dot1Q 10
Router(config-subif)# ip address 10.10.0.1 255.255.255.0
Router(config-subif)# exit
Router(config)# interface GigabitEthernet0/0.20
Router(config-subif)# encapsulation dot1Q 20
Router(config-subif)# ip address 10.20.0.1 255.255.255.0
Router(config-subif)# exit
Layer 3 Switch with SVIs
On a Cisco multilayer switch such as the Catalyst 3850 or 9300 series, enabling IP routing and creating SVIs for each VLAN allows the switch to route between VLANs at hardware ASIC speed. This is the preferred approach in campus environments because inter-VLAN routing happens locally on the switch rather than being hairpinned through a dedicated router uplink. Note that once ip routing is enabled, the switch ignores the ip default-gateway command from Step 4; reachability beyond directly connected subnets then needs a routed default, ip route 0.0.0.0 0.0.0.0 followed by the next-hop address.
sw-infrarunbook-01(config)# ip routing
sw-infrarunbook-01(config)# interface Vlan10
sw-infrarunbook-01(config-if)# ip address 10.10.0.1 255.255.255.0
sw-infrarunbook-01(config-if)# no shutdown
sw-infrarunbook-01(config-if)# exit
sw-infrarunbook-01(config)# interface Vlan20
sw-infrarunbook-01(config-if)# ip address 10.20.0.1 255.255.255.0
sw-infrarunbook-01(config-if)# no shutdown
sw-infrarunbook-01(config-if)# exit
Firewall-Enforced Inter-VLAN Routing
For strict security zones — such as between a PCI cardholder data environment and a general office VLAN — all inter-VLAN traffic is routed through a dedicated firewall appliance. The firewall performs stateful packet inspection and applies zone-based or interface-based ACLs before permitting any cross-VLAN communication. This approach provides the strongest security boundary and is commonly required to satisfy compliance mandates, but it requires careful throughput planning to avoid creating a bottleneck.
VLAN Trunking Protocol (VTP)
VTP is a Cisco-proprietary Layer 2 messaging protocol that propagates VLAN database changes across a switch domain. A switch in VTP server mode can create, modify, or delete VLANs, and those changes are automatically pushed to all VTP client switches in the same domain. While this reduces manual VLAN provisioning effort in large environments, VTP carries a well-known operational risk: a new or factory-reset switch with a higher VTP configuration revision number, when connected to the domain, can overwrite the VLAN database on every switch in the domain, effectively deleting all VLANs and causing a network-wide outage.
The recommended approach in production environments is to configure all switches in VTP transparent mode. In this mode, a switch maintains its own local VLAN database, forwards VTP advertisements it receives, but does not apply or process them.
sw-infrarunbook-01(config)# vtp mode transparent
sw-infrarunbook-01(config)# vtp domain solvethenetwork.com
sw-infrarunbook-01(config)# vtp password Str0ng-VTP-Pass!
Verifying VLAN Configuration
Use the following show commands on sw-infrarunbook-01 to confirm that VLANs, port assignments, and trunk links are configured as expected.
Show VLAN Brief
sw-infrarunbook-01# show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- ------------------------------
1    default                          active
10   SERVERS                          active    Gi0/1
20   WORKSTATIONS                     active    Gi0/2
30   VOICE                            active    Gi0/2
99   MANAGEMENT                       active
999  NATIVE-UNUSED                    active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
Show Interfaces Trunk
sw-infrarunbook-01# show interfaces trunk
Port        Mode             Encapsulation  Status        Native vlan
Gi0/24      on               802.1q         trunking      999

Port        Vlans allowed on trunk
Gi0/24      10,20,30,99

Port        Vlans allowed and active in management domain
Gi0/24      10,20,30,99

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/24      10,20,30,99
Show Switchport Detail
sw-infrarunbook-01# show interfaces GigabitEthernet0/1 switchport
Name: Gi0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 10 (SERVERS)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
VLAN Security Best Practices
- Move all production ports off VLAN 1. VLAN 1 carries Cisco control-plane protocols by default. Leaving user or server traffic on VLAN 1 increases exposure and complicates access control.
- Set the native VLAN to a dedicated unused VLAN on all trunk ports. Choose a VLAN ID such as 999 that is never assigned to any end device. Apply this consistently across all trunk links in the infrastructure.
- Restrict the trunk allowed VLAN list explicitly. Only permit VLANs that genuinely need to traverse each trunk. Pruning unnecessary VLANs limits the blast radius of a misconfiguration and reduces broadcast overhead on trunk links.
- Run VTP in transparent mode. Avoid VTP server and client modes in production environments to eliminate the risk of accidental VLAN database propagation from a rogue or factory-reset switch.
- Enable BPDU Guard on all access ports. Combined with PortFast, BPDU Guard prevents rogue switches from being plugged into access ports and disrupting the spanning tree topology.
- Pair VLANs with DHCP snooping and Dynamic ARP Inspection (DAI). DHCP snooping prevents unauthorized DHCP servers from responding to client requests within a VLAN. DAI validates ARP packets against the DHCP snooping binding table to prevent ARP spoofing and man-in-the-middle attacks.
- Apply ACLs to the management SVI. Restrict SSH and SNMP access to the management interface to authorized administrative hosts within the 10.99.0.0/24 range. Deny all other inbound connections to the SVI.
- Audit VLAN membership regularly. Remove VLANs that are no longer in use and ensure every active VLAN is documented with its purpose, IP subnet, and responsible team. Stale VLANs permitted on trunk links expand the attack surface unnecessarily.
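To make the list above repeatable, here is an added Python audit (not a tool from the article or from Cisco) that reads a running-config and reports ports that violate the native VLAN, allowed-list, VLAN 1, BPDU Guard and VTP rules, plus the switchport nonegotiate check from the VLAN hopping FAQ further down. The configuration excerpt is constructed for the example, and the function names and finding strings are assumptions.

```python
# Constructed running-config excerpt: Gi0/1 and Gi0/24 follow Steps 2-3 above,
# Gi0/3 and Gi0/23 are left at defaults so the checks have something to flag.
SAMPLE_CONFIG = """\
vtp mode transparent
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/3
 switchport mode access
!
interface GigabitEthernet0/23
 switchport mode trunk
!
interface GigabitEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30,99
!
"""
PHYSICAL = ("FastEthernet", "GigabitEthernet", "TenGigabitEthernet")

def parse_config(text):
    """Split an IOS running-config into global lines and per-interface command lists."""
    global_lines, interfaces, current = [], {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())  # indented = inside the block
        else:
            current = None
            if line.strip() and line.strip() != "!":
                global_lines.append(line.strip())
    return global_lines, interfaces

def _arg(cmds, prefix, default=None):
    return next((c.split()[-1] for c in cmds if c.startswith(prefix)), default)

def audit(text):
    """Apply the hardening checks; returns a list of findings (empty means clean)."""
    findings = []
    global_lines, interfaces = parse_config(text)
    if "vtp mode transparent" not in global_lines:
        findings.append("global: VTP is not in transparent mode")
    for name, cmds in interfaces.items():
        if not name.startswith(PHYSICAL) or "no switchport" in cmds:
            continue  # SVIs, loopbacks and routed ports carry no switchport settings
        mode = _arg(cmds, "switchport mode ")
        if mode == "access":
            if _arg(cmds, "switchport access vlan ", "1") == "1":
                findings.append(f"{name}: access port left on VLAN 1")
            if "spanning-tree bpduguard enable" not in cmds:
                findings.append(f"{name}: BPDU Guard not enabled")
            if "switchport nonegotiate" not in cmds:
                findings.append(f"{name}: DTP still running (switchport nonegotiate missing)")
        elif mode == "trunk":
            if _arg(cmds, "switchport trunk native vlan ", "1") == "1":
                findings.append(f"{name}: trunk native VLAN is 1")
            if _arg(cmds, "switchport trunk allowed vlan ") is None:
                findings.append(f"{name}: trunk allows all VLANs")
        else:
            findings.append(f"{name}: no explicit switchport mode, DTP may negotiate a trunk")
    return findings
```

Run audit() over the output of show running-config saved to a file; the same parse_config() split works for the show interfaces switchport checks in the verification section.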
VLAN Numbering Scheme
Cisco IOS supports VLAN IDs 1 through 4094. VLANs 1002 through 1005 are reserved for legacy FDDI and Token Ring use and cannot be deleted. The normal range (1 to 1005) is supported in all VTP modes. The extended range (1006 to 4094) requires VTP transparent mode or VTP version 3 with a password configured.
A consistent, documented VLAN numbering scheme reduces provisioning errors across the team. A practical scheme for a campus deployment centered on sw-infrarunbook-01 might be structured as follows:
- VLAN 10 — Servers (10.10.0.0/24, gateway 10.10.0.1)
- VLAN 20 — Workstations (10.20.0.0/24, gateway 10.20.0.1)
- VLAN 30 — Voice (10.30.0.0/24, gateway 10.30.0.1)
- VLAN 40 — Wireless Clients (10.40.0.0/24, gateway 10.40.0.1)
- VLAN 50 — Printers (10.50.0.0/24, gateway 10.50.0.1)
- VLAN 60 — IoT and OT Devices (10.60.0.0/24, gateway 10.60.0.1)
- VLAN 70 — Guest and Untrusted (10.70.0.0/24, gateway 10.70.0.1)
- VLAN 99 — Management (10.99.0.0/24, gateway 10.99.0.1)
- VLAN 999 — Native Unused (no IP addressing, no hosts assigned)
Frequently Asked Questions
Q: What is a VLAN in simple terms?
A: A VLAN is a way to logically divide a physical switch into multiple separate networks. Devices in different VLANs cannot talk to each other directly at Layer 2, even if they are plugged into ports on the same physical switch. Think of it as creating multiple virtual switches from a single piece of hardware, each with its own isolated broadcast domain.
Q: What is the difference between a VLAN and a subnet?
A: A VLAN is a Layer 2 concept — it defines which switch ports share the same broadcast domain. A subnet is a Layer 3 concept — it defines a range of IP addresses that share the same network prefix. In practice, each VLAN is typically paired with one IP subnet, but they are distinct: a VLAN without an SVI or router subinterface has no IP addressing at all, while a subnet can exist on a routed interface without any VLAN involvement.
Q: Can devices on different VLANs communicate with each other?
A: Yes, but only through a Layer 3 device such as a router, a multilayer switch with IP routing enabled, or a firewall. Layer 2 frames cannot cross a VLAN boundary on their own. The Layer 3 device receives the frame, makes a routing decision based on the destination IP address, and forwards it into the appropriate destination VLAN. This is called inter-VLAN routing.
Q: What is the native VLAN on a Cisco trunk and why does it matter?
A: The native VLAN is the VLAN whose traffic is sent untagged across an 802.1Q trunk link. By default it is VLAN 1. It matters for security because an attacker can exploit the native VLAN to perform a double-tagging attack, sending a frame pre-tagged with the native VLAN ID so the first switch strips the outer tag and forwards the frame with the attacker's inner tag into a VLAN they should not be able to reach. Setting the native VLAN to an unused, dedicated VLAN on all trunk ports eliminates this attack vector.
Q: What is the difference between an access port and a trunk port?
A: An access port carries traffic for exactly one VLAN. Frames entering or leaving an access port are untagged — the switch adds or removes the VLAN association internally. Access ports connect end devices such as workstations, servers, and IP phones. A trunk port carries tagged traffic for multiple VLANs simultaneously using 802.1Q encapsulation. Trunk ports connect switches to other switches, to routers, or to firewalls that need to participate in multiple VLANs.
Q: What is a voice VLAN on a Cisco switch and how does it work?
A: A voice VLAN is a secondary VLAN configured on an access port alongside the regular data VLAN. When a Cisco IP phone is connected to the port, the switch sends a CDP or LLDP advertisement telling the phone which VLAN ID to use for its voice traffic. The phone tags its VoIP frames with that voice VLAN ID. Meanwhile, the PC connected behind the phone continues sending untagged frames that belong to the data VLAN. Both traffic streams flow over the same physical cable and the same switch port simultaneously.
Q: What is VTP and should I use it in production?
A: VTP (VLAN Trunking Protocol) is a Cisco-proprietary protocol that automatically synchronizes VLAN database changes across switches in the same VTP domain. While it reduces manual VLAN provisioning work, it is considered risky in production because a single switch with a higher revision number can overwrite and delete the VLAN database on the entire domain. Most network engineers configure all switches in VTP transparent mode for production environments and manage VLAN changes manually or through automation tools.
Q: What is an SVI on a Cisco switch?
A: SVI stands for Switched Virtual Interface. It is a virtual Layer 3 interface on a multilayer switch that represents a VLAN. When you configure an IP address on a VLAN interface (for example, interface Vlan99), you are creating an SVI. SVIs serve two purposes: they give the switch itself an IP address for management access, and on multilayer switches with ip routing enabled, they act as the default gateway for hosts in that VLAN and enable hardware-accelerated inter-VLAN routing.
Q: How many VLANs can a Cisco switch support?
A: The IEEE 802.1Q standard defines a 12-bit VLAN ID field, giving a theoretical maximum of 4096 VLAN IDs (0 through 4095). Cisco IOS uses IDs 1 through 4094 for active VLANs. VLANs 1002 through 1005 are reserved for legacy FDDI and Token Ring and cannot be used for Ethernet. The normal range (1 through 1005) works in all VTP modes. The extended range (1006 through 4094) requires VTP transparent mode or VTP version 3. The actual hardware limit depends on the specific platform and its TCAM resources.
Q: How do I verify VLAN assignments on a Cisco switch?
A: Use show vlan brief to see all active VLANs and which access ports are assigned to each. Use show interfaces trunk to verify which VLANs are allowed and active on trunk ports. Use show interfaces GigabitEthernetX/X switchport to inspect the VLAN assignment and mode of a specific port. Use show vtp status to confirm the VTP mode and domain configuration across your switch estate.
Q: What is VLAN hopping and how do I prevent it?
A: VLAN hopping is an attack technique where an unauthorized host sends traffic into a VLAN it should not have access to. There are two primary methods: switch spoofing (where an attacker configures their NIC to negotiate a trunk link using DTP) and double tagging (where an attacker sends a frame with two 802.1Q headers). Prevention measures include: disabling DTP negotiation on all access ports with switchport nonegotiate and switchport mode access, setting the native VLAN to a dedicated unused VLAN on all trunks, and never placing end-device traffic on VLAN 1.
Q: What happens to a VLAN if I delete it from the VLAN database?
A: If you delete a VLAN from the VLAN database on a Cisco switch, all access ports still assigned to that VLAN are immediately placed in an inactive state. Those ports will no longer forward traffic. The port configuration retains the VLAN assignment, so if you recreate the VLAN with the same ID, the ports will automatically return to an active forwarding state. Always reassign or document all ports before deleting a VLAN to avoid unintended outages.
