# VLAN - Virtual Local Area Network
## What is a VLAN
A VLAN or Virtual Local Area Network is a logical grouping of devices within a network that behave as if they are on the same physical network segment even though they may be connected to different physical switches or located in different areas. VLANs divide a single physical network into multiple logical networks. Devices in the same VLAN can communicate directly with each other. Devices in different VLANs cannot communicate directly and must go through a router or Layer 3 switch. VLANs are defined in the IEEE 802.1Q standard.
## Why VLANs are Used
VLANs provide several important benefits. Security is improved by isolating departments or types of traffic from each other. For example, the finance department can be placed in its own VLAN so that its sensitive financial data is separated from other departments. Performance is improved by reducing the size of broadcast domains: broadcasts in one VLAN do not reach devices in other VLANs, which reduces unnecessary traffic. Flexibility comes from grouping devices logically by function or department rather than by physical location. A user can be moved to a different VLAN by changing the switch configuration rather than physically moving cables.
## How VLANs Work
VLANs are configured on managed switches. Each switch port is assigned to a VLAN. When a device connected to a port sends a frame, the switch knows which VLAN it belongs to based on the port configuration. The switch only forwards the frame to ports in the same VLAN. Broadcasts are contained within the VLAN.
## VLAN Tagging and 802.1Q
When frames need to travel between switches or to a router, the switch adds a VLAN tag to the frame to identify which VLAN it belongs to. This is defined by the IEEE 802.1Q standard. The 802.1Q tag is inserted into the Ethernet frame header and contains the VLAN identifier which is a 12-bit field allowing up to 4094 VLANs. Links that carry traffic for multiple VLANs are called trunk links. Links that carry traffic for only one VLAN are called access links.
## Inter-VLAN Routing
Devices in different VLANs cannot communicate directly because they are in separate broadcast domains. To enable communication between VLANs a router or Layer 3 switch must be used. Router-on-a-stick uses a single router interface configured with multiple subinterfaces, one for each VLAN. A Layer 3 switch can route between VLANs internally without an external router, providing better performance.
## Native VLAN
The native VLAN is a special VLAN on a trunk link for which frames are not tagged. If a frame arrives on a trunk port without a tag it is assigned to the native VLAN. By default the native VLAN is VLAN 1 on Cisco switches. For security reasons it is recommended to change the native VLAN from the default VLAN 1 and to avoid using the native VLAN for user traffic.
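
The 802.1Q tag and the native VLAN rule described above can be seen together in a small parser. This is an added example, not part of the original page: `parse_vlan`, `native_vlan_frames`, `build_frame` and the sample frames are constructed for illustration. It also handles the two identifier values outside the 4094 usable VLANs (VID 0, a priority-only tag, and VID 4095, reserved), which goes slightly beyond the text.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that marks an 802.1Q tag
VID_MASK = 0x0FFF     # low 12 bits of the Tag Control Information (TCI)

def parse_vlan(frame: bytes, native_vlan: int = 1) -> dict:
    """Return the VLAN a trunk port would assign to this Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        # No tag on a trunk: the frame belongs to the native VLAN.
        return {"tagged": False, "vlan": native_vlan, "pcp": None,
                "ethertype": ethertype}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack_from("!HH", frame, 14)
    vid = tci & VID_MASK
    if vid == 0x0FFF:
        raise ValueError("VID 4095 is reserved")
    # VID 0 is a priority-only tag: the frame carries no VLAN of its own.
    vlan = native_vlan if vid == 0 else vid
    return {"tagged": True, "vlan": vlan, "pcp": tci >> 13,
            "ethertype": inner_type}

def native_vlan_frames(frames, native_vlan: int = 1) -> int:
    """Count frames that end up in the native VLAN (audit aid)."""
    return sum(parse_vlan(f, native_vlan)["vlan"] == native_vlan for f in frames)

def build_frame(vid=None, pcp=0, ethertype=0x0800) -> bytes:
    """Construct a sample frame; vid=None means untagged."""
    macs = bytes.fromhex("ffffffffffff" "020000000001")  # constructed addresses
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return macs + tag + struct.pack("!H", ethertype) + b"\x00" * 46

# Constructed samples: untagged, VLAN 20, priority-only tag, VLAN 99.
SAMPLES = [build_frame(), build_frame(vid=20, pcp=5), build_frame(vid=0, pcp=3),
           build_frame(vid=99)]

if __name__ == "__main__":
    for f in SAMPLES:
        print(parse_vlan(f, native_vlan=99))
    print("frames in native VLAN 99:", native_vlan_frames(SAMPLES, 99))
```

Running `native_vlan_frames` over a capture from a trunk shows how much traffic actually lands in the native VLAN, which is the quantity the recommendation above aims to keep at zero for user traffic.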