VLANs let you take one physical network and carve it up into multiple, separate logical networks.

Imagine you’ve got a company with two departments: Sales and Engineering. Normally, they’d all be on the same network. But what if Sales needs access to sensitive customer data, and Engineering needs access to proprietary product designs? You want to keep those separate for security and broadcast domain control. That’s where VLANs shine.

Here’s a basic setup on a managed switch, let’s say a Cisco Catalyst 2960. We’ll create VLAN 10 for Sales and VLAN 20 for Engineering.

Switch> enable
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# vlan 10
Switch(config-vlan)# name Sales
Switch(config-vlan)# exit
Switch(config)# vlan 20
Switch(config-vlan)# name Engineering
Switch(config-vlan)# exit
Switch(config)# interface range GigabitEthernet0/1 - 5
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 10
Switch(config-if-range)# exit
Switch(config)# interface range GigabitEthernet0/6 - 10
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 20
Switch(config-if-range)# exit
Switch(config)# end
Switch# write memory

In this example:

  • vlan 10 and vlan 20 create the VLANs themselves.
  • name Sales and name Engineering give them descriptive labels.
  • interface range GigabitEthernet0/1 - 5 selects the ports that will belong to the Sales department.
  • switchport mode access configures these ports for end devices (like PCs or printers) that will be members of a single VLAN.
  • switchport access vlan 10 assigns those ports specifically to VLAN 10 (Sales).
  • The same logic applies to ports GigabitEthernet0/6 - 10 for VLAN 20 (Engineering).

Now, devices plugged into ports 1-5 can only talk to other devices on ports 1-5 (within VLAN 10). They cannot directly communicate with devices on ports 6-10 (in VLAN 20) at Layer 2. This segmentation dramatically reduces the broadcast domain size, improving performance and security. If a broadcast storm or a virus hits one VLAN, it’s contained and won’t immediately infect the other.
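The segmentation the session above produces can be checked mechanically rather than by eye. The following Python is an added example, not part of the original article or Cisco's tooling: it parses the CLI transcript (the same lines shown above, embedded here as constructed input, IOS prompts included), expands the interface ranges, builds a port-to-VLAN map, and answers whether two ports share a Layer 2 broadcast domain. It assumes a switch with 24 GigabitEthernet0/N ports and that untouched ports stay in VLAN 1, the IOS default; the port count and the helper names are the example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed input: the CLI session from the article, verbatim, with the
# Cisco IOS prompts still attached.
SESSION = """\
Switch> enable
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# vlan 10
Switch(config-vlan)# name Sales
Switch(config-vlan)# exit
Switch(config)# vlan 20
Switch(config-vlan)# name Engineering
Switch(config-vlan)# exit
Switch(config)# interface range GigabitEthernet0/1 - 5
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 10
Switch(config-if-range)# exit
Switch(config)# interface range GigabitEthernet0/6 - 10
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 20
Switch(config-if-range)# exit
Switch(config)# end
Switch# write memory
"""

PROMPT = re.compile(r"^Switch(?:\([^)]*\))?[>#]\s*")          # "Switch(config-if)# "
RANGE = re.compile(r"^interface range (\S+?)(\d+)\s*-\s*(\d+)$")  # "interface range Gi0/1 - 5"
SINGLE = re.compile(r"^interface (\S+\d+)$")                   # "interface GigabitEthernet0/7"


def parse_session(session: str, port_count: int = 24) -> Tuple[Dict[int, str], Dict[str, int]]:
    """Return (vlan_id -> name, port -> access VLAN) for a CLI transcript.

    Assumption: a switch with `port_count` GigabitEthernet0/N ports; ports the
    session never configures stay in VLAN 1, the IOS default.
    """
    vlans: Dict[int, str] = {1: "default"}
    port_vlan: Dict[str, int] = {f"GigabitEthernet0/{n}": 1 for n in range(1, port_count + 1)}
    current_vlan = None
    selected: List[str] = []          # ports named by the last "interface ..." command
    for raw in session.splitlines():
        if not PROMPT.match(raw):
            continue                  # switch output, e.g. "Enter configuration commands..."
        cmd = PROMPT.sub("", raw).strip()
        if m := re.fullmatch(r"vlan (\d+)", cmd):
            current_vlan = int(m.group(1))
            vlans.setdefault(current_vlan, "")
        elif m := re.fullmatch(r"name (\S+)", cmd):
            if current_vlan is not None:
                vlans[current_vlan] = m.group(1)
        elif m := RANGE.match(cmd):
            prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
            selected = [f"{prefix}{n}" for n in range(lo, hi + 1)]
        elif m := SINGLE.match(cmd):
            selected = [m.group(1)]
        elif m := re.fullmatch(r"switchport access vlan (\d+)", cmd):
            for port in selected:
                port_vlan[port] = int(m.group(1))
        elif cmd in ("exit", "end"):
            current_vlan, selected = None, []
    return vlans, port_vlan


def same_broadcast_domain(port_vlan: Dict[str, int], a: str, b: str) -> bool:
    """True when two access ports sit in the same VLAN, i.e. can talk at Layer 2."""
    return port_vlan[a] == port_vlan[b]


def audit(vlans: Dict[int, str], port_vlan: Dict[str, int]) -> Dict[str, List[str]]:
    """Group ports by VLAN name so the resulting segmentation can be reviewed."""
    groups: Dict[str, List[str]] = {}
    for port, vid in port_vlan.items():
        groups.setdefault(vlans.get(vid, f"vlan{vid}"), []).append(port)
    return groups


if __name__ == "__main__":
    vlan_names, ports = parse_session(SESSION)
    for name, members in audit(vlan_names, ports).items():
        print(f"{name}: {', '.join(members)}")
```

The audit output also lists every port still in the default VLAN, which is the quickest way to spot ports that were meant to be assigned to Sales or Engineering but were left out of the range.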

To allow communication between VLANs, you need a Layer 3 device, like a router or a Layer 3 switch, configured for inter-VLAN routing. This is often done using a technique called "router-on-a-stick" or by configuring Switched Virtual Interfaces (SVIs) on a Layer 3 switch.

Here’s a quick look at SVIs on a Layer 3 switch:

Switch# configure terminal
Switch(config)# interface vlan 10
Switch(config-if)# ip address 192.168.10.1 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# exit
Switch(config)# interface vlan 20
Switch(config-if)# ip address 192.168.20.1 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# exit
Switch(config)# ip routing
Switch(config)# end

Here, interface vlan 10 and interface vlan 20 create Layer 3 interfaces for each VLAN. We assign an IP address to each, which acts as the default gateway for devices in that VLAN. ip routing enables the switch to perform routing between these IP subnets. Devices in VLAN 10 would use 192.168.10.1 as their gateway, and devices in VLAN 20 would use 192.168.20.1.

The most surprising thing about VLANs is how they are fundamentally a Layer 2 concept, yet they become the building blocks for Layer 3 segmentation and routing. Without understanding how the 802.1Q tagging works on trunk ports, you’re missing a crucial piece of how traffic is actually distinguished as it traverses between VLANs on a single physical link.

When you configure a trunk port, you’re telling the switch to insert a 4-byte 802.1Q tag into each Ethernet frame it sends out that port; the tag carries the VLAN ID. A common misconception is that access ports are simply "untagged": frames on an access port carry no tag on the wire, but the switch internally associates every frame arriving on that port with the port’s assigned VLAN. The tag is only written into the frame when it leaves a trunk port toward another VLAN-aware device; when a frame is forwarded out an access port, the switch removes the tag first.
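To make the tagging concrete, here is an added Python example (not from the article or any switch vendor) that builds and parses the 802.1Q tag at byte level: TPID 0x8100 followed by a 16-bit TCI holding the 3-bit priority, the drop-eligible bit and the 12-bit VLAN ID. It models the two egress behaviours described above, tagging on a trunk port and stripping on an access port, and refuses to forward a frame out an access port in a different VLAN. The MAC addresses and payload are constructed; the function names are the example's own.

```python
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vlan_id: Optional[int]  # None when the frame carries no 802.1Q tag
    pcp: int                # priority code point (0-7)
    ethertype: int          # EtherType of the encapsulated payload
    payload: bytes


def add_tag(frame: bytes, vlan_id: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Trunk egress: insert the 4-byte tag between the MAC addresses and EtherType."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    if struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        raise ValueError("frame already tagged")   # this example does not stack tags
    tci = (pcp & 0x7) << 13 | (dei & 0x1) << 12 | vlan_id
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Access egress: drop the tag; an untagged frame passes through unchanged."""
    if len(frame) >= 18 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        return frame[:12] + frame[16:]
    return frame


def parse(frame: bytes) -> Frame:
    """Decode the Ethernet header and, if present, the 802.1Q tag."""
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return Frame(dst, src, tci & 0x0FFF, tci >> 13, ethertype, frame[18:])
    return Frame(dst, src, None, 0, ethertype, frame[14:])


def egress(frame: bytes, vlan_id: int, port_mode: str, port_vlan: int) -> Optional[bytes]:
    """What leaves a port for a frame the switch holds in `vlan_id`.

    A trunk port sends it tagged; an access port sends it untagged, and only
    when the port belongs to the same VLAN. Otherwise nothing is forwarded.
    """
    untagged = strip_tag(frame)
    if port_mode == "trunk":
        return add_tag(untagged, vlan_id)
    if port_mode == "access" and port_vlan == vlan_id:
        return untagged
    return None


# Constructed sample: an untagged IPv4 frame between two made-up MAC addresses.
SALES_PC = bytes.fromhex("0242ac110002")
SALES_SERVER = bytes.fromhex("0242ac110003")
UNTAGGED = SALES_SERVER + SALES_PC + struct.pack("!H", 0x0800) + b"payload"

if __name__ == "__main__":
    on_trunk = egress(UNTAGGED, 10, "trunk", 0)
    print("trunk  :", on_trunk.hex(), "->", parse(on_trunk))
    print("access :", egress(on_trunk, 10, "access", 10).hex())
    print("wrong VLAN access port:", egress(on_trunk, 10, "access", 20))
```

Run it and the trunk line shows the extra `8100 000a` bytes at offset 12, the access line shows the original frame again, and the last line prints `None`: a VLAN 10 frame never reaches a VLAN 20 access port, which is the Layer 2 isolation the article describes.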

The next concept you’ll need to grasp is how to manage traffic flow and security policies between these newly created network segments using Access Control Lists (ACLs).
