Got it

VLAN’s Detailed explanation

Latest reply: Feb 27, 2021 06:44:07 374 32 27 0 7

Hi Everyone,

I want every startup network engineer to read this article and understand more about vlans

What is VLAN:

A Virtual Local Area Network (VLAN) is a concept in which we divide a Local Area Network logically into multiple smaller networks.

In a typical LAN, workstations are connected through a hub or a repeater. These devices propagate incoming data throughout a network. However, if two people send data at the same time, then a collision occurs and all the transmitted data is lost. Moreover, to prevent the collision from further travel to all workstations, a bridge or switch is used.


The workstations, hubs, and repeaters together form a LAN segment. A LAN segment is also known as a collision domain since collisions remain within the segment. The area within which broadcasts and multicasts are confined is called a broadcast domain or LAN. Thus, a LAN can consist of one or more LAN segments.

Defining broadcast and collision domains in a LAN depends on how the workstations, hubs, switches, and routers are physically connected together. This means that everyone on a LAN must be located in the same area.

VLAN’s allow a network manager to logically segment a LAN into different broadcast domains (as shown in the figure below). Since this is a logical segmentation and not a physical one, workstations do not have to be physically located together. Users on different floors of the same building, or even in different buildings, can now belong to the same LAN.


Why DO we Need VLAN?

In the earlier days of networking, a Local Area Network (LAN) consisted of a network of devices connected within an area. However, today a LAN is defined as a single broadcast domain. In other words, if a user broadcasts a message in his/her LAN, it’ll be received by every other user on the LAN.

These broadcasts stay within a LAN with the use of a router so that they do not travel beyond the LAN. However, the downside of using such a router is that it takes more time to process the incoming data than a simple bridge or switch. Virtual Local Area Network provides an alternate solution to segregate the broadcasts and to contain them within a LAN.

There are 5 main types of VLANs depending on the type of the network they carry:

1. Default VLAN:
When the switch initially starts up, all switch ports become a member of the default VLAN (generally all switches have default VLAN named as VLAN 1), which makes them all part of the same broadcast domain. Using default VLAN allows any network device connected to any of the switch port to connect with other devices on other switch ports. One unique feature of Default VLAN is that it can’t be rename or delete.

2. Data VLAN:
Data VLAN is used to divide the whole network into 2 groups. One group of users and other group of devices. This VLAN also known as a user VLAN, the data VLAN is used only for user-generated data. This VLAN carrying data only. It is not used for carrying management traffic or voice.

3. Voice VLAN:
Voice VLAN is configured to carry voice traffic. Voice VLANs are mostly given high transmission priority over other types of network traffic. To ensure voice over IP (VoIP) quality (delay of less than 150 milliseconds (ms) across the network), we must have separate voice VLAN as this will preserve bandwidth for other applications.

4. Management VLAN:
A management VLAN is configured to access the management capabilities of a switch (traffic like system logging, monitoring). VLAN 1 is the management VLAN by default (VLAN 1 would be a bad choice for the management VLAN). Any of a switch VLAN could be define as the management VLAN if admin as not configured a unique VLAN to serve as the management VLAN. This VLAN ensures that bandwidth for management will be available even when user traffic is high.

5. Native VLAN:
This VLAN identifies traffic coming from each end of a trunk link. A native VLAN is allocated only to an 802.1Q trunk port. The 802.1Q trunk port places untagged traffic (traffic that does not come from any VLAN) on the native VLAN. It is a best to configure the native VLAN as an unused VLAN.

How VLANs Work

Below is a normal ethernet frame. It consists of:

· Source and destination MAC addresses

· Type / Length field

· Payload (the data)

· Frame Check Sequence (FCS) for integrity


The frame has a four-byte VLAN tag added, which includes the VLAN ID. As shown below, the tag is right after the source MAC. The FCS is also removed during this stage.


Finally, the FCS is recalculated based on the entire frame.


The VLAN ID is 12-bits long, which allows for a theoretical maximum of 4096 possible VLANs. In practice, there are several VLANs reserved (depending on vendor). This allows for about 4090 usable VLANs.

What is Tagging in VLAN:

To support VLANs, a special “tag” needs to be applied to packets so that network devices can know how to forward those packets correctly.

While different vendors have their own proprietary method for creating this tag (e.g. the now deprecated Cisco ISL protocol), a standard supported by most networking devices for supporting VLANs on Ethernet networks is the IEEE 802.1Q standard.

802.1Q adds a 32-bit field (4 bytes) inside an Ethernet frame.


The first 16 bits in this field (TPID) are used to identify the frame as an 802.1Q tagged frame while 12 out of the remaining 16 bits are used to carry the VLAN ID.

The remaining 4 bits are mainly used for Quality of Service (QoS) operations.


12 bits used for the VLAN ID means that 4096 VLANs can theoretically be supported i.e. 2^12 = 4096.

However, all 0s (0x000 in hexadecimal) and all 1s (0xFFF in hexadecimal) are reserved bringing the total supported VLANs to 4094.

Note that network vendors may also implement their own VLAN ID restrictions.

On the other hand, some devices understand and participate in VLAN tagging.

It means these devices tag the packets they send and can also understand when they received a tagged packet.

A switch is a typical example of such a device.

Since VLANs can span multiple switches, it means there needs to be a way for tagged packets to travel from one switch to another.

To do this, a single port on the same VLAN can be used on both the switches to carry traffic for that VLAN:


However, this becomes impractical and defeats the purpose of VLANs when you have multiple VLANs.

A better alternative will be a single port that can carry packets from multiple VLANs.

In this case, the switch will need to tag packets correctly for their correct VLANs as they exit the port and the receiving device (e.g. another switch) on the other end must understand this tagging and forward these packets to the correct VLANs:


These ports are known as “tagged ports” because the switch applies tags to the packets sent from such ports.

Depending on the vendor, tagged ports are able to carry traffic for all VLANs by default but a filter can be applied on such ports to limit the allowed VLANs.

What is Untagging in VLAN:

Untagged simply means that is the ports native vlan. Packets traveling on the native vlan do not need to be tagged since we know that it is the native vlan of the port. Tagged packets are coming from vlan’s outside of the native vlan of the port and are tagged so that the switch knows what vlan they belong to and can route accordingly. Generally, when you go switch to switch you will be creating a trunk port that will basically tag every vlan so that you can use all vlans on the secondary switch.

What is PVID:

PVID is short for Port VLAN identifier.

The PVID of a port is the VLAN id that will be assigned to any untagged frames entering the switch on that port (assuming the switch is using port-based VLAN classification). This is a concept that is defined in IEEE 802.1Q

For example, if you intend to connect a PC or a printer to a port, you would set the port as untagged in VLAN 10 and excluded from all other VLANS. The switch knows to only send VLAN 10 stuff to that port and to remove the VLAN tagging information before sending anything out.

But, what about untagged frames entering the switch from the PC or printer (They’ll be untagged because the PC or printer doesn’t know about VLAN). This is where PVID comes in. PVID tells the switch what to do with those untagged incoming frames. In this example, if the PVID doesn’t match the VLAN id, the PC won’t be able to communicate with anybody because the frames it sends into the switch will end up on the wrong VLAN.

Link and Interface Types:


Link Types:

· Access link

An access link can transmit data frames of only one VLAN. It connects a switch to a user terminal, such as a host, server, and simplified Layer 2 switch. Generally, user terminals do not need to know the VLANs to which they belong and cannot identify tagged frames; therefore, only untagged frames are transmitted along an access link.

· Trunk link

A trunk link can transmit data frames from multiple VLANs. It connects a switch to another switch or a router. Frames on a trunk link must be tagged so that other network devices can correctly identify VLAN information in the frames.

Interface Types:

· Access interface

An access interface often connects to a user terminal such as a user host or server that cannot identify VLAN tags, or is used when VLANs do not need to be differentiated. In most cases, access interfaces can only receive and send untagged frames and can add only a unique VLAN tag to untagged frames. However, if the VID and PVID are the same in tagged frames, access interfaces can receive and process the tagged frames.

· Trunk interface

A trunk interface often connects to a switch, router, AP, or voice terminal that can receive and send tagged and untagged frames simultaneously. It allows tagged frames from multiple VLANs and untagged frames from only one VLAN.

· Hybrid interface

A hybrid interface can connect to not only a user terminal (such as a user host or server) or network device (such as a hub or simplified Layer 2 switch) that cannot identify tags, but also a switch, router, voice terminal, or AP that can receive and send tagged and untagged frames. It allows tagged frames from multiple VLANs. Frames sent out from a hybrid interface are tagged or untagged according to the VLAN configuration.

Hybrid and trunk interfaces can be interchanged in some scenarios, but hybrid interfaces must be used in specified scenarios, for example, selective QinQ scenario. Before packets from multiple VLANs provided by a service provider enter a user network, the outer VLAN tags must be removed. The trunk interface cannot be used here because the trunk interface allows only untagged packets from the default VLAN of the interface to pass through.

· QinQ interface

An 802.1Q-in-802.1Q (QinQ) interface often connects a private network to a public network. It can add an additional 802.1Q tag to a tagged frame. QinQ supports up to 4094 x 4094 VLANs, thereby extending VLANs over the network. The outer tag is often called the public tag and identifies the VLAN ID of the public network, whereas the inner tag is often called the private tag and identifies the VLAN ID of the private network.(Can refer my previous article QinQ configuration)

Example configurations:

Creating a VLAN

1. Run system-view

The system view is displayed.

2. Run vlan vlan-id

A VLAN is created, and the VLAN view is displayed. If the specified VLAN has been created, the VLAN view is directly displayed.

The VLAN ID ranges from 1 to 4094. If VLANs need to be created in batches, you can run the vlan batch command to create VLANs in batches, and then run the vlan vlan-id command to enter the view of a specified VLAN.

3. Run commit

The configuration is committed.

Configuring Port types:

Hybrid Port:

[~L2] vlan batch 100 200

[*L2] interface gigabitethernet 0/1/3

[*L2-GigabitEthernet0/1/3] port link-type hybrid

[*L2-GigabitEthernet0/1/3] port hybrid untagged 200

[*L2-GigabitEthernet0/1/3] port hybrid tagged 100

[*L2-GigabitEthernet0/1/3] quit

Trunk Port:

[*L2] interface gigabitethernet 0/1/1

[*L2-GigabitEthernet0/1/1] undo shutdown

[*L2-GigabitEthernet0/1/1] port link-type trunk

[*L2-GigabitEthernet0/1/1] port trunk allow-pass vlan 100

[*L2-GigabitEthernet0/1/1] quit

Access Port:

[*L2] interface gigabitethernet 0/1/2

[*L2-GigabitEthernet0/1/2] undo shutdown

[*L2-GigabitEthernet0/1/1] port link-type access

[*L2-GigabitEthernet0/1/2] port default vlan 200

[*L2-GigabitEthernet0/1/2] quit

[*L2] commit

@zaheernew @cataleyagonzc @Mabox @shahid @NTan33 @E.DR_91 @BAZ @Malik3000 @umaryaqub @sohaib.ansar @lucian2003 @Vien @user_3015189 @Mohamed619 @Mohamed_Ahmed @Giandiego @nochhie @Chenxintao @Kevin_Thomas @little_fish @tesfama @Becky_2019 @dengdengdeng @Irina @Steffy @NikoleT @Moschino @evaaaa @Sara_Obaid @Ayeshaali @Unicef @albertsilva @Saqib123 @wissal @Dragos_Voicila @gululu @andersoncf1 @olive.zhao @kannan1990 @user_4105683 @user_4105651

  • x
  • convention:

Created Feb 21, 2021 08:17:51

Very Well Explained
View more
  • x
  • convention:

IndianKid Created Feb 21, 2021 08:33:05 (0) (0)
thanks for support  
Created Feb 21, 2021 08:19:07

Awesome content
View more
  • x
  • convention:

Created Feb 21, 2021 08:20:41

Nice Article Kid
View more
  • x
  • convention:

MVE Created Feb 21, 2021 08:21:01

Very good
View more
  • x
  • convention:

IndianKid Created Feb 21, 2021 08:32:57 (0) (0)
MVE Author Created Feb 21, 2021 08:26:15

very good detailed information for understanding VLANs
View more
  • x
  • convention:

IndianKid Created Feb 21, 2021 08:32:51 (0) (0)
Thanks for support  
MVE Author Created Feb 21, 2021 09:31:30

Interesting sharing
View more
  • x
  • convention:

MVE Author Created Feb 21, 2021 09:48:54

Thanks for sharing.
View more
  • x
  • convention:

MVE Created Feb 21, 2021 19:57:34

Very good explanation
View more
  • x
  • convention:

Created Feb 21, 2021 21:05:01

Interesting post. Well done.
View more
  • x
  • convention:

Ayeshaali Created Feb 22, 2021 16:57:20 (0) (0)
Ayeshaali Created Feb 22, 2021 16:57:30 (0) (0)
alexander.grosello Created Feb 25, 2021 22:01:24 (0) (0)
Back to list


You need to log in to comment to the post Login | Register

Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " Privacy."

My Followers

Login and enjoy all the member benefits


Are you sure to block this user?
Users on your blacklist cannot comment on your post,cannot mention you, cannot send you private messages.
Please bind your phone number to obtain invitation bonus.