Introduction to VLANs

(Satish P) #33

Explanations are very much understandable to the depth with easy writings. Your lessons are a complete package to clear the basic concepts.

(Nyi Nyi L) #34

create different vlans for user and server. i want to allow IT administrator to access server vlan but the server should be DHCP server. for this case how should i create vlan and configure?

(Andrew P) #35

First thing you would have to decide whether you are going to be using a layer 3 switch or a router to join these VLANs together. In the case of a L3 switch, you would need to create an SVI (switched virtual interface) in each of the VLAN’s subnets. In the case of a router, you would have to create sub-interfaces (assuming you are using a router-on-a-stick model). I will assume you are using a L3 switch. Suppose you have vlans 10 (Server, and 20 (Client You would have to create an SVI like this: interface vlan 10, ip address

After you create your SVIs, you would need to create a DHCP scope on the DHCP server for and configure the Layer 3 switch to have that server as an ip helper-address (basically a DHCP relay).

You also mention that you wanted to ensure that an admin has access to the server vlan. This implies you are thinking about setting up ACLs to restrict access at layers 3 or 4. This is tricky to do, because you often don’t know all the protocols necessary to allow through between the VLANs. Generally, expect in very high security environments, ACLs are not used in this way. If you are concerned about this, it is far easier to put a proper firewall between the servers segment and your users, which will create what is called a DMZ.

(Karl K) #36

Thanks Rene. Great explanation

(Shantel - split this topic #37

19 posts were merged into an existing topic: Introduction to VLANs

(Brian C) #38

Hi I think I may have gotten a bad prep exam question as I cannot get it to work in labs and it does not make sense fully to me from how I learned VLANS. I will upload the practice test question from Boson and would like input please.

above is what they say is the answer and the topology its very brief. and below is their explanation.

Now I tried this in lab it does work if I make both Fa0/2 and Fa0/1 in the same VLAN 7 for Switch A that logically makes sense to me all the way around. I was able to ping from host A to Host B no problem.

However if I did the other part change Fa0/1 on Switch A to Vlan 6 where both ports on the switch was in VLAN 6 then I could no longer ping from Host A to Host B.

which that makes sense to me as VLANS are suppose to separate traffic that’s the entire point of VLANS to be able to ISOLATE traffic.

However, saying that what they did say about access ports only sending untagged frames, which are frames that do not contain VLAN information. that part sounded kind of logically to me as well but… now I am confused on a basic of switching and not to mention its like 12 midnight and my brain is shutting down and I cannot think very well…ugg anyway when in doubt create a lab and test it and I did and its not working like they say so I was hoping for some explanation like they are incorrect or partially right but basically looking for an answer.



Ok when I tested this on Cisco VIRL Equipment which for most everything is same as real equipment I was indeed able to ping from VLAN 6 to VLAN 7; where VLAN 6 host had same subnet and VLAN 7 host had IP

I have to admit this has kind of shaken my foundation of thinking as I liked to think of vlan as a pipe that traffic flowed through…

on my VIRL I used 4 switches with two of them acting as hostA and hostB. I setup hostA in VLAN 6 and then assigned the ip to that VLAN6 and for host B I did the same thing but for vlan 7.

Only other odd thing was when I set up the connection between the two switches one side in VLAN 6 and the other side in VLAN 7 I got a native VLAN mismatch error but the traffic still flowed and I was able to ping across VLAN.

Diagram below:

So Boson was correct.

when we use command: switchport access vlan 6

that seems to change the native vlan yet there is also a command to change the native vlan. I guess since a switchport can only have one vlan assigned to it (except in the case of the voice vlan which is special case) that works same on an access port as changing the native vlan.

The command to change the native vlan is not really needed for access port was created so you can change the native vlan on a trunk?

From a security aspect this means VLANs does not really separate traffic or protect it as untagged just goes… this is going to fill so many of my ways of thinking with holes as this was a foundation idea I had in my head.

anyway this shook my world a bit. feel free to post link to any good reading on this or talk about access ports and the communication of untagged traffic over different VLANS!


Ok I Think I am getting my head around some of this. at first this new idea crushed me I mean why have VLANS?? if traffic can go across them there is no security. I was literally stunned and very rattled.

I however then started reading carefully and see this is a very specific circumstance that takes advantage of a granular ingress rule and the lack of a similar egress rule which applies at least to cisco switching in general.

They the following:

  1. Traffic received by a switch that arrives on one VLAN will be forwarded only to ports in the same VLAN(unless IP routing is enabled and setup). this is why in my example they say FA0/1 & FA0/2 must be in the same VLAN in order for traffic to pass between them. So right there is a specific requirement.

  2. So its basically shoving(in my our example) untagged traffic to FA0/1 because it can receive traffic from the same VLAN according to the rules of the switch (Which it did). Then from there its moving along the port and gets over to Switch B who gets this untagged traffic and does what its suppose to which is move the traffic along.

  3. So the rule is kind of an ingress rule now an egress rule so the rule says incoming has to be in the same vlan on the same switch in order for it to send. Makes sense. However, once its sent to another switch that is different. A switch receiving it would think everything is as it should be because its untagged and would just carry on as normal.

  4. so basically a native vlan mismatch which is what this was can be dangerous security flaw and that’s why we are informed about it and the importance of it as it would allow traffic from another vlan to move to another switch and do something it normally should not.

  5. I don’t know why they don’t have an egress rule that says unless your in the same VLAN you cannot enter… however if you think about it that’s what Trunking is!!! So actually I guess I do know or at least that is how it would seem to be logically.

So I think my world is once again safe but using this special circumstances to break the normal really helped to teach me something and please correct me if I am wrong but I think I have it figured out in my head.

(Lazaros Agapides) #39

Hello Brian

If I followed your reasoning correctly, then yes I believe you’ve got it!

Just keep in mind that the question involved all Access ports and no trunk ports. This means that VLAN numbers on either side of the connection between the switches can be absolutely anything. The important thing to allow for layer 2 connectivity from end to end is that ports on the same switch be on the same VLAN. That is, SW A ports Fa0/1 and 0/2 should be on the same VLAN and SW B ports Fa0/1 and 0/2 should also be on the same VLAN. That way you can have layer 2 connectivity from end to end.

You can immediately rule out any answers that involve routing by noting that Hosts A and B are in the same subnet. That way you can also eliminate any solutions involving trunking once again because both hosts are in the same subnet.

I hope this has been helpful!


(Justin A) #40

I understand that vlans segment network traffic. What is the technical process that separates vlans? How does a Switch know I can forward out of this port, but I am not allowed to forward out that port?

1 Like
(Kevin W) #41

Hello Justin,

I hope you are doing well. To answer your question, the switch knows which interface to forward a packet based on a few things.

First thing to know is by default all ports on a switch start in VLAN 1 this is the “native” vlan by default. As an administrator, you are going to decide what VLAN an interface should participate in.

For example, if we wanted to place an interface in VLAN 7 we would use the following commands:

switch(config#)vlan 7 (tells the switch to create vlan 7)
switch(config-vlan)# name VOIP (tells the switch vlan 7 is named VOIP)
switch(config)# int fa0/7
switch(config#) switchport mode access (Tells the switch this port is an access port)
switch(config)# switchhport access vlan 7 

(tells the switch what vlan the port belongs to)

When the above commands are completed this information is placed in the vlan.dat file located in NVRAM.

You can see this information when you run “sh vlan”, below you can see a network I have been working on in packet tracer and the results of the “sh vlan” command.


the sh vlan command will show all the access ports and their corresponding vlan. This information is pulled from the vlan.dat file.

Also in the mac address table you can see what vlan is assigned to a port. I have attached an example of this below.


A trunk is different than an access port, by default a trunk lets all VLANs traverse the interface.

An example config would be

switch(config)# int fa0/24
switch(config-if)# switchport mode trunk (turns the interface into a trunk)
switch(config-if)# switchport trunk allowed vlan 1,7,10,20,35 

(denys all other vlans from traversing trunk)

This info is also added to the vlan.dat you can look at what trunks have been created (if the interface is up/up) by running the command sh int trunk

Now this explains how the switch knows what ports are apart of what VLAN but this does not explain how the switch decides what vlan the traffic is coming from.

An access port does not expect to see tagged traffic

A trunk port expects to see tagged traffic (except for the native vlan)

So, for example, say I have a PC attached to fa0/7 this port is an access port assigned to vlan 7. When my PC sends data it does not know to tag the traffic to identify it as part of vlan 7. When the packet goes into the interface, the switch will then add a 4 byte tag to the frame. Now the switch knows what ports are a part of each vlan and what vlan the traffic belongs to. The exception to this rule is that native vlan is never tagged unless configured to be tagged.

Now say I have a wireless access point that is configured with 3 SSID’s/networks. Each SSID is apart of its own vlan. However, the access point only has one data port. In this case we would use a trunk. The access point can be set to send x tag for x network, So that way when we send traffic over the trunk it will know what vlan the traffic is apart of.

So to recap:
vlans are defined by the admin, this info is put into the vlan.dat file to use
the mac address table also has a list of interfaces and what vlan they are apart of
(as long as traffic has been seen on the ports in question)
the switch or endpoint device will tag the traffic, so that the switch knows what vlan the traffic belongs to and sends it to the proper port. I hope this answers your vlan question!

(Justin A) #42

I guess my question is does a switch check the hash of the frame and compare it to the cam table? For instance, a switch gets a frame with a vlan membership of 10 and its an arp request. Does the switch get the frame, run a hash(including the vlan) and then forward it out only the ports where it found an exact match? I am curious how does the switch separate its own vlans? I mean I think that if you try to put one subnet on two different vlans the switch will yell at you. Is there any real seperation other than the switch not allowing it?

(Lazaros Agapides) #44

Hello Justin

Let’s say a switch has 24 access ports where ports 1-12 are on VLAN 10 and ports 13-24 are on VLAN 20. Let’s say a broadcast frame is sent on port 1. The switch will receive that frame and send it out of ports 2 to 12. Why? Because it knows that it entered port 1, therefore it is on VLAN 10, therefore it will send it out of all ports that have been configured on VLAN 10. It doesn’t even look at the details of the frame itself, because there is no data in the frame that gives the switch VLAN information. The information comes only from the fact that the egress port is on VLAN 10.

Now if we have a trunk, where multiple VLANs are used, the frame must have additional information in order for the switch to determine on which VLAN to place it. However, when a tagged frame enters a trunk port, the tag is immediately stripped, and the frame is forwarded only to ports that are configured on the VLAN of the tag that was just removed.

The CAM table has nothing to do with the VLANs that ports belong to. The CAM table will map MAC addresses to ports. If a frame enters a port on VLAN 10, with a destination MAC address of a device on VLAN 20, even if that entry is in the CAM table, the switch will not allow this frame to be forwarded due to the mismatch in VLANs.

I hope this has been helpful!


(Kevin W) #45


All of your posts are extremely well written. Thank you for explaining things much simpler than I can :slight_smile:

(Lazaros Agapides) #46

Hello Scott

Thanks so much for the encouragement! I’m glad I could be of help!!


(Austin A) #47

I loved the explanation on the virtual aspect vs the physical cabling. very clarifying. Thank you!

(Aung Kyaw M) #48

Hi ,

May I know what’s main different things between Standard Valn and Extended Van ?
After through internet , I’ve met Extended only support VTP3 …is there any other different between those vlan range ?

(Lazaros Agapides) #49

Hello Aung

Before Cisco IOS Release 12.4(15)T, users were permitted to configure VLANs numbered from 2 to 1001. The remaining VLANs (numbered from 1006 to 4094) were reserved for use as internal VLANs configured by applications.

Because this number of VLANs was not always enough, especially for ISPs, beginning with Cisco IOS Release 12.4(15)T, all VLAN numbers except those reserved for default and reserved VLANs are available for user configuration. The result is that users and applications share the VLAN number space from 1006 to 4094.

VTP, the protocol that allows switches to share VLAN names, numbers and configurations, does not propagate configuration information for extended-range VLANs (VLAN numbers 1006 to 4094). You must configure extended-range VLANs manually on each network device.

I hope this has been helpful!


1 Like
(Kevin K) #50

Great lesson on Vlans,

I would like to know when we assign a switchport to a particular vlan, how does the switch know which ports belongs to which VLANS so it can forward frames to the correct destination. For example, the CAM table shows mac address mapped to interfaces, how does the switch know what vlans are assigned especially since the frames do not carry vlan information ? Thank you!

(Lazaros Agapides) #51

Hello Kevin

The information of which ports belong to which VLAN is kept in the configuration. The running configuration resides in RAM and is used by the switch to determine to which VLAN each port is assigned.

I hope this has been helpful


(Max C) #52

Hi, how the router interpret a VLAN?.

For example, if i have this type of topology:

R - SW - H

The router have an ip addres that face up to the SW, for example, the SW that face up to the router have an acces port for the vlan 10, and the same thing to the host.

Why this communication is valid, even when the router to the switch didn’t have any vlan?

(Lazaros Agapides) #53

Hello Max

Take a look at this diagram:

Assume that ports 1, 5, and 10 have been assigned to VLAN 10 (the green ports). If the host communicates with the router, it sends a frame that enters the switch on port 1. The switch will have the ability to forward that frame to any port that is configured VLAN 10. This means that the frame can exit from ports 5 or 10 depending on where the destination MAC is found. The router doesn’t actually have to know what VLAN it is connected to, nor does the host. They just send their frames and the switch deals with where they can be forwarded to.

Now i the router was plugged into port 5, then the communication would still be successful, since 1, 5 and 10 are on the same VLAN. However, if the router was plugged into port 7 for example, communication would be blocked because the switch cannot allow devices on different VLANs to communicate.

I hope this has been helpful!