Virtual Local Area Network (VLAN) is one of the most important technologies not only for CCNA but for most Cisco exams too. It’s not limited to routing and switching; there is a broad use of VLANs in security, voice, data centre and many others modules of Cisco learning, so you can say it is a foundation for switching. It’s very necessary to get a clear understanding over VLANs, not only for CCNA Exam perspective but to build a strong future in Networking. So hold onto your seats and take a cup of coffee – it is going to be informative for you.

A Virtual LAN, commonly known as a VLAN, is a group of hosts with a common set of requirements. VLANs are basically used to divide a single broadcast domain into multiple broadcast domains without changing IP schemes. It means if two hosts with same network IP and same CIDR value are not in same VLANs, then they cannot communicate to each other.

VLANs give network administrators a great deal of flexibility in LAN design. VLANs extend the traditional router bounded broadcast domain to a VLAN-bounded broadcast domain. VLANs make it possible to make a broadcast domain into any shape that can be defined and bounded by the switches within the local area network.

A VLAN allows a network administrator to create groups of logically networked devices based on functions, departments, or project teams. For computers to communicate on the same VLAN, each must have an IP address and a subnet mask that belong to the same subnet and are consistent for that VLAN. The switch has to be configured with the VLAN, and each port in the VLAN must be assigned to the VLAN.

A switch port with a singular VLAN configured on it is called an access port. Remember that just because two computers are physically connected to the same switch does not mean that they can communicate. Devices on two separate subnets must communicate via a router, whether or not VLANs are used.

In simple terms, a VLAN is a set of workstations within a LAN that can communicate with each other as though they were on a single, isolated LAN.

What does it mean to say that they “communicate with each other as though they were on a single, isolated LAN”?

Among other things, it means that:

  • Broadcast packets sent by one of the workstations will reach all the others in the same VLAN.
  • Broadcasts sent by one of the workstations in the VLAN will not reach any workstations that are not in the same VLAN.
  • Broadcasts sent by workstations that are not in the same VLAN will never reach workstations that are in the other VLAN.
  • The workstations can all communicate with each other without needing to go through a gateway. For example, IP connections would be established by ARPing for the destination IP and sending packets directly to the destination workstation—there would be no need to send packets to the IP gateway to be forwarded on.
  • The workstations can communicate with each other using non-routable protocols.

The Purpose of VLANs

The basic reason for splitting a network into VLANs is to reduce congestion on a large LAN. To understand this problem, we need to look briefly at how LANs have developed over the years. Initially LANs were very flatall the workstations were connected to a single piece of coaxial cable, or to sets of chained hubs. In a flat LAN, every packet that any device puts onto the wire gets sent to every other device on the LAN.

As the number of workstations on the typical LAN grew, they started to become hopelessly congested. There were just too many collisions, because most of the time when a workstation tried to send a packet, it would find that the wire was already occupied by a packet sent by some other device.

This section describes the three solutions for this congestion that were developed:

  • Using routers to segment LANs
  • Using switches to segment LANs
  • Using VLANs to segment LANs

Earlier, hubs were the most popular L2 device but due to congestion they became less popular and have been largely replaced by L2 switches. This has made the whole concept of a collision domain somewhat historical. In modern networks, a “collision domain” mostly consists of a single device attached to an L2 switch port, or possibly a PC with something like an IP phone attached to it.

So, instead of the LANs corresponding to physical areas divided from each other by routers, there are virtual LANs distributed across the network. For example, all the devices in the various areas labelled “VLAN A” all belong to a single virtual LAN—i.e. a single broadcast domain.

Advantages of using VLANs

  1. Performance: As mentioned above, routers that forward data in software become a bottleneck as LAN data rates increase. Doing away with the routers removes this bottleneck.
  2. Greater flexibility: If users move their desks, or just move around the place with their laptops and IP phones, then, if the VLANs are set up the right way, they can plug their PC and IP Phones in at the new location, and still be within the same VLAN. This is much harder when a network is physically divided up by routers. Because workstations can be moved from one VLAN to another just by changing the configuration on switches, it is relatively easy to put all the people working together on a particular project into a single VLAN. They can then more easily share files and resources with each other.
  3. Ease of partitioning off resources: If there are servers or other equipment to which the network administrator wishes to limit access, then they can be put into their own VLAN. Then users in other VLANs can be given access selectively.

So, the primary benefits of using VLANs are:

  • Security
  • Cost reduction
  • Higher performance
  • Broadcast storm mitigation
  • Improved IT staff efficiency
  • Simpler project or application management

The CCNA exam points of view for VLANs include the following:

Configure, verify, and troubleshoot a switch with VLANs and inter switch communications, verify network status and switch operation using basic utilities (including: ping, traceroute, telnet, SSH, ARP, ipconfig), SHOW and DEBUG commands, auto negotiation, and so, the main tasks in CCNA exams are:

  • Configure, verify, and troubleshoot VLANs
  • Configure, verify, and troubleshoot trunking on Cisco switches
  • Configure, verify, and troubleshoot interVLAN routing

VLANs are divided numerically into a normal range and an extended range. Normal range VLANs are identified by a VLAN ID between 1 and 1005. Configurations are stored within a VLAN database file, called vlan.dat, which is the Flash memory of the switch. Extended range VLANs are identified by a VLAN ID between 1006 and 4094 and are saved in the running configuration file. VTP (VLAN Trunking Protocol is good topic, no need to worry we will cover it with another article) does not learn extended range VLANs. One Cisco Catalyst 2960 switch can support up to 255 VLANs.

A question comes on your mind: why are the number of VLANs which can be configured on a switch limited?

The answer is “the number of VLANs configured affects the performance of the switch hardware.”

A native VLAN is assigned to an IEEE 802.1Q trunk port, which supports traffic coming from many VLANs (tagged traffic) as well as traffic that does not come from a VLAN (untagged traffic). You assign the management VLAN an IP address and subnet mask so that the switch can be managed via HTTP, Telnet, SSH, or SNMP. VLAN 1 would serve as the management VLAN if you did not proactively define a unique VLAN to serve this purpose. In security best practice, it is always better to define this VLAN to be a VLAN distinct from all other VLANs defined in the switched LAN.

Ok, it’s time to take you through some configuration. Suppose an enterprise network infrastructure has different employee groups and, as a network admin, you don’t want to give them privilege to interact with each other. So we are going to configure Vlan 5 for IT group, Vlan 6 for marketing group and so on to complete the task. To configure VLANs, you need to write following commands in Global/Config mode of L2/L3 Switch:

SW1(config)#vlan 5 /* 5 represents vlan id
SW1(config-vlan)#name IT /* IT represents vlan name for vlan 5
SW1(config-vlan)#vlan 6
SW1(config-vlan)#name Marketing
SW1(config-vlan)#vlan 7
SW1(config-vlan)#name HR
SW1(config-vlan)#vlan 8
SW1(config-vlan)#name Management

Now, our desired VLANs are configured. You can check it with show vlan command:

SW1#show vlan

Now we are going to assign VLANs to their respective switch ports

SW1(config)#interface fastethernet 0/5
SW1(config-if)#switchport mode access /* making it access port
SW1(config-if)#switchport access vlan 5 /* assigning vlan 5 to int f0/5
SW1(config-if)#interface range fastethernet 0/10 – 20
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 6
SW1(config-if)#interface range fastethernet 0/21 – 22
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 7

To perform trunking between two switches SW1 and SW2, you need to configure the following on both switches:

SW1(config)#interface fastethernet 0/24
SW1(config-if)#switchport trunk encapsulation dot1q / isl
SW1(config-if)#switchport mode trunk

And to configure a SVI (switch virtual interface – means assigning an ip to a vlan ),

SW1(config)#int vlan 5
SW1(config-if)#ip address

Upon completion of this VLAN exercise, you will be able to:

  • Configure VLANs
  • Configure the management interface
  • Configure trunking
  • Assign VLANs to access ports
  • Verify connectivity

But the best part of this article is Troubleshooting, and I am going to briefly explain four common VLAN and trunk configuration errors which you may face in your Cisco exam, even in CCIE:

  • Native VLAN mismatches: Trunk ports are configured with different native VLANs. This configuration error generates console notifications, causes control and management traffic to be misdirected, and poses a security risk.
  • Trunk mode mismatches: One trunk port is configured with trunk mode “off” and the other with trunk mode “on.” This configuration error causes the trunk link to stop working.
  • VLANs and IP subnets: User computers, for example, may have been configured with the incorrect IP addresses or subnet masks or default gateways. The result is loss of connectivity.
  • Allowed VLANs on trunks: The list of allowed VLANs on a trunk has not been updated with the current VLAN trunking requirements. In this situation, unexpected traffic or no traffic is being sent over the trunk.

Figure 1 above shows a scenario for inter-VLAN routing. For the router’s configuration, I have explained in that scenario the VLAN configuration for sw1.

Feel free to ask me for any kind help. I will try my best to help you out. I hope this article is informative for you and thank you for your time and consideration. Keep visiting Intense School resource page to stay updated.


  1. How Virtual Local Area Networks (VLANs) Work By Edward Tetz
  2. Network Warrior By: Gary A. Donahue, Publisher: O’Reilly Media, Inc.
  3. Understanding and Configuring VLANs,
  4. CCNP SWITCH Official Certification Guide by David Hucaby