
15/03/2021 Virtual Local Area Networks (VLANs) – Practical Networking .net

Virtual Local Area Networks (VLANs)
June 23, 2016 by Ed Harmoush, 130 comments

Virtual Local Area Networks, or VLANs, are a very simple concept that has been very poorly defined by the
industry.

This article will explain VLANs from a practical perspective. It will be framed around the two major functions of
VLANs, and concluded with an explanation of the idea behind the Native VLAN.

Finally, at the end of the article is a two question comprehension challenge – if you can successfully answer these
two questions, then you can consider yourself to fully understand the concept of VLANs — the topic of configuring
VLANs will be covered in another article.

Two Major Functions of VLANs


Below is a network with three different physical switches. The switches facilitate communication within networks,
and the Routers facilitate communication between networks.

Each switch above independently performs the four functions of a switch.

If each of these switches has 24 ports and only two are in use, then 22 ports are left wasted on each switch.
Moreover, what if you need to replicate this network elsewhere and do not have three physical switches
available?

That is where the first major function of a VLAN comes into play: A VLAN allows you to take one physical
switch, and break it up into smaller mini-switches.

Breaking up one Physical Switch into multiple Virtual Switches


Consider each circle on the switch below as its own mini-switch. Each of these mini-switches, or virtual switches,
operates completely independently of the others — exactly as they would had there been three different physical
switches.

https://www.practicalnetworking.net/stand-alone/vlans/ 1/28

Traffic flow through this topology operates exactly as it did in the topology above it (with three separate physical
switches).

Each virtual switch, or VLAN, is simply a number assigned to each switch port. For example, the two
switch ports in the red mini-switch might be assigned to VLAN #10. The two ports in the orange mini-switch might
be assigned to VLAN #20. And lastly the two switch ports in the blue mini-switch might be assigned to VLAN #30.

If a port is not explicitly assigned a VLAN number, it resides in the default VLAN, which has a VLAN
number of 1.

Traffic arriving on a switch port assigned to VLAN #10 will only ever be forwarded out another switch port that
belongs to VLAN #10 – a switch will never allow traffic to cross a VLAN boundary. Again, each VLAN operates
as if it were a completely separate physical switch.

In the first illustration, traffic from the red switch cannot magically appear on the orange switch without first
passing through a router. Similarly, in the second illustration, traffic in VLAN #10 cannot magically appear on VLAN
#20 without also passing through a router.

Each VLAN also maintains its own, independent MAC address table. If Host A sends a frame with a
destination MAC address of Host B, and the switch has not yet learned where Host B is, that frame is flooded
solely within the switch ports in VLAN #10.

Ultimately, assigning different ports to different VLANs allows you to re-use a single physical switch for multiple
purposes. This is the first major function of a VLAN.

But that isn’t all VLANs allow you to do. The second major function is that VLANs allow you to extend the smaller
virtual switches across multiple physical switches.

Extending Virtual Switches across multiple Physical Switches


To illustrate this point, we will expand the topology above with an additional physical switch and two additional
hosts:

Notice how VLAN #10 and VLAN #30 have been extended onto a second switch. This enables Host A and Host C
to exist in the same VLAN, despite being connected to different physical switches located in potentially different
areas.

The primary benefit of extending a VLAN to different physical switches is that the Layer 2 topology no longer has to
be tied to the Physical Topology. A single VLAN can span across multiple rooms, floors, or office buildings.


Each connected switch port in the topology above is a member of only a single VLAN. This is referred to as
an Access port. An Access port is a switch port that is a member of only one VLAN.

When configuring a port as an Access port, the administrator also designates the VLAN number that port is a
member of. Whenever the switch receives any traffic on an Access port, it accepts the traffic onto the configured
VLAN.

In order to extend a VLAN to the second switch, a connection is made between one Access port on each switch
for every VLAN. While functional, this strategy does not scale. Imagine if our topology were using ten VLANs: on a
24-port switch, nearly half of the ports would be taken up by the inter-switch links.

Instead, there is a mechanism which allows a single switch port to carry traffic from multiple VLANs. This is referred
to as a Trunk port. A Trunk port is a switch port that carries traffic for multiple VLANs.

We can use Trunk ports to reduce the number of switch ports required for the topology above. This enables us
to leave more ports available to add hosts to the network in the future.

This physical topology operates (logically) identically to the illustration above it, but requires far fewer switch
ports.

We were able to use a total of four Trunk ports (across both switches) to replace eight different Access ports in
the prior illustration.

Typically, switch ports connected to end-host devices (e.g., workstations, printers, servers) are configured as
Access ports. Conversely, switch ports connected to other network devices (e.g., other switches, routers) are
configured as Trunk ports. We will uncover the reason for this later in this article.

Tagged Ports and Untagged Ports


A Trunk port on a switch can receive traffic for more than one VLAN. For example, in the illustration above, the link
between the two switches is carrying traffic for both VLAN 10 and VLAN 30.

But in both cases, the traffic is leaving one switch as a series of 1s and 0s, and arriving on the other switch as a
series of 1s and 0s. This raises the question: how will the receiving switch determine which 1s and 0s belong to
VLAN #10, and which 1s and 0s belong to VLAN #30?

To account for this, whenever a Switch is forwarding traffic out a Trunk port, it adds to that traffic a tag
to indicate to the other end what VLAN that traffic belongs to. This allows the receiving switch to read the
VLAN tag in order to determine what VLAN the incoming traffic should be associated to.

An Access port, by comparison, can only ever carry or receive traffic for a single VLAN. Therefore, there is no
need to add a VLAN Tag to traffic leaving an Access port.

Since VLANs are a Layer 2 technology, the VLAN Tag is inserted within the Layer 2 header. The standard Layer 2
header in modern networks is the Ethernet header, which has three fields: Destination MAC Address, Source MAC
Address, and Type.

When an Ethernet frame is exiting a Trunk port, the switch will insert a VLAN Tag between the Source MAC address
and the Type fields.

This allows the receiving switch to associate the frame with the appropriate VLAN.

To summarize, the final topology with traffic traveling between Host C and Host D through Access ports and Trunk
ports will look like this:


The physical topology above will work exactly like the logical topology below. The hosts will not know whether they
are going through two physical switches (or three or four), or what VLANs they are in. They operate exactly as they
would in any situation which involves moving packets through a network.

Access Ports and End-Host Devices


Earlier we mentioned Access ports typically face end-host devices like workstations or printers or servers. Part of
the reason for this is that switches do not add a VLAN tag when sending traffic out an Access port.

Most end-host devices do not understand the concepts of VLANs. In fact, if they received frames with a
VLAN tag inserted in the middle of the Ethernet header, they are likely to drop them under the assumption
that they were malformed frames.

Of course, understanding the concepts of VLANs is merely a matter of installing the right software or software
patch, but imagine the overhead of requiring every user on your network to both install the software patch, and
configure their devices to send the appropriate VLAN tag.

It is much better for the network administrator to configure and concern themselves with VLANs, and for the end-
host devices to remain blissfully ignorant of what VLAN they are in, or even whether VLANs are being utilized at all.

Terminology
Finally, a quick note on terminology. The terms Access port and Trunk port are usually associated with the Cisco
world. But VLANs are an open standard, therefore other vendors are able to implement VLANs as well.

What Cisco calls a Trunk port (i.e., a switch port that carries traffic for more than one VLAN), other vendors refer to
as a Tagged port – referring to the addition of a VLAN tag to all traffic leaving such a port.

What Cisco calls an Access port (i.e., a switch port that carries traffic for only one VLAN), other vendors refer to as
an Untagged port – referring to the traffic leaving the switch port without a VLAN tag.

These terms are not exhaustive: some vendors may use yet other terminology, and others may even mix and match
these terms. Regardless of the terminology used, all the concepts discussed above still apply.

802.1q VLAN Tag


VLAN tagging requires adding bits to, and removing bits from, Ethernet frames. The specific sequence of bits to add
is governed by an open standard, which allows any vendor to implement VLANs on their devices.


The exact format of the VLAN Tag is governed by the 802.1q standard. This is an open, IEEE standard which
is the ubiquitous method of VLAN tagging in use today.

To demonstrate exactly how the VLAN Tag modifies a packet, take a look at the packet capture below of the same
frame before and after it exits a Trunk port.

The portion of the frame highlighted in yellow is the added VLAN tag. Notice it is inserted between the Source MAC
address and Type field of the original Ethernet header.

You can view this capture yourself in Cloudshark, or you can download the capture file and open it in Wireshark.

No other modification to the frame or its payload is made by the addition or removal of the VLAN tag. That said,
since even the slight modification displayed above changes the bits of the frame, adding and removing the VLAN tag
also involves recalculating the CRC — a simple checksum devised to detect transmission errors on the wire.
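The tag insertion and CRC recalculation described above, as an added Python example that is not part of the original article: it builds a constructed frame, inserts the tag between the Source MAC and Type fields the way a switch does on a Trunk port, and recomputes the FCS; the TPID value 0x8100 and the TCI layout are from the 802.1Q standard, and the MAC addresses and payload are made up.

```python
import struct
import zlib

TPID_8021Q = 0x8100  # value in the Type position that announces an 802.1Q tag


def ethernet_fcs(frame_without_fcs: bytes) -> bytes:
    """Ethernet FCS: CRC-32 over DST MAC..payload, sent least-significant byte first."""
    return struct.pack("<I", zlib.crc32(frame_without_fcs) & 0xFFFFFFFF)


def build_frame(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged frame as a host transmits it: DST MAC, SRC MAC, Type, payload, FCS."""
    body = dst_mac + src_mac + struct.pack("!H", ethertype) + payload
    return body + ethernet_fcs(body)


def fcs_is_valid(frame: bytes) -> bool:
    """True if the trailing four bytes match a CRC-32 of everything before them."""
    return ethernet_fcs(frame[:-4]) == frame[-4:]


def insert_vlan_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """What a switch does on egress of a Trunk port for a non-native VLAN.

    The 4-byte tag (TPID 0x8100 + 16-bit TCI: 3-bit priority, 1-bit DEI,
    12-bit VID) goes between the Source MAC and the Type field. Nothing else
    in the frame changes, but the old FCS no longer matches, so it is recomputed.
    """
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be in 1..4094")
    tci = (pcp & 0x7) << 13 | (dei & 0x1) << 12 | vid
    body = frame[:-4]  # drop the now-stale FCS
    tagged = body[:12] + struct.pack("!HH", TPID_8021Q, tci) + body[12:]
    return tagged + ethernet_fcs(tagged)


def strip_vlan_tag(frame: bytes):
    """What the receiving switch does: read the VID, drop the tag, recompute the FCS.

    Returns (vid, untagged_frame); vid is None if the frame carried no 802.1Q tag.
    """
    if not fcs_is_valid(frame):
        raise ValueError("FCS mismatch: frame corrupted on the wire")
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None, frame
    (tci,) = struct.unpack("!H", frame[14:16])
    body = frame[:12] + frame[16:-4]
    return tci & 0x0FFF, body + ethernet_fcs(body)


# Constructed sample: a small frame from Host A to Host B (locally administered, made-up MACs).
HOST_A = bytes.fromhex("020000000001")
HOST_B = bytes.fromhex("020000000002")
SAMPLE_FRAME = build_frame(HOST_B, HOST_A, 0x0800, b"payload-from-host-a")


if __name__ == "__main__":
    tagged = insert_vlan_tag(SAMPLE_FRAME, 10)
    print(len(SAMPLE_FRAME), "->", len(tagged), "bytes; inserted tag =", tagged[12:16].hex())
    vid, restored = strip_vlan_tag(tagged)
    print("VID read back:", vid, "| frame restored exactly:", restored == SAMPLE_FRAME)
```

Inserting the tag without recomputing the FCS produces a frame that the receiver must reject as corrupted, which is the reason the article gives for the CRC being recalculated.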

There is an older method of VLAN tagging which is a closed, Cisco proprietary method. This method was called
Inter-Switch Link, or ISL. ISL fully encapsulated the L2 frame in a new header which included the VLAN
identification number.

But these days, even newer Cisco products do not support ISL, as the entire industry has moved to the superior,
open standard of 802.1q.

Native VLAN
There is one final concept associated with VLANs that often brings confusion. That is the concept of the Native
VLAN.

The Native VLAN is the answer to how a switch processes traffic it receives on a Trunk port which does
not contain a VLAN Tag.

Without the tag, the switch will not know what VLAN the traffic belongs to, therefore the switch associates the
untagged traffic with what is configured as the Native VLAN. Essentially, the Native VLAN is the VLAN that any
received untagged traffic gets assigned to on a Trunk port.

Additionally, any traffic the switch forwards out a Trunk port that is associated with the Native VLAN is forwarded
without a VLAN Tag.

To see the Native VLAN in action on a live trunk port, check out this video.

The Native VLAN can be configured on any Trunk port. If the Native VLAN is not explicitly designated on a Trunk
port, the default configuration of VLAN #1 is used.

That being said, it is crucially important that both sides of a Trunk port are configured with the same Native VLAN.
This illustration explains why:


Above we have four Hosts (A, B, C, D) all connected to Access Ports in VLAN #22 or VLAN #33, and Switch X and
Switch Y connected to each other with a Trunk port.

Host A is attempting to send a frame to Host C. When it arrives on the switch, Switch X associates the traffic
with VLAN #22. When the frame is forwarded out Switch X’s Trunk port, no tag is added since the Native VLAN for
the Trunk Port on Switch X is also VLAN #22.

But when the frame arrives on Switch Y without a tag, Switch Y has no way of knowing the traffic should belong to
VLAN #22. All it can do is associate the untagged traffic with what Switch Y’s Trunk port has configured as the Native
VLAN, which in this case is VLAN #33.

Since Switch Y will never allow VLAN #33 traffic to exit a VLAN #22 port, Host C will never get this traffic. Even worse,
due to a Switch’s flooding behavior, Host D might inadvertently get the traffic that was destined to Host C.

Finally, it should be noted that the Native VLAN is an 802.1q feature. The antiquated tagging mechanism of ISL
simply dropped traffic received on a Trunk port that did not include the ISL tag. Also, remember that the Native
VLAN concept only applies to Trunk ports — traffic leaving and arriving on an Access port is always expected to
be untagged.

VLAN Comprehension Challenge


To test yourself to see if you fully understand how VLANs work, there is a simple challenge we can offer.

Below is a (poorly) configured topology, featuring five switches and twelve hosts. Each switch port is configured as
either an Access port in the displayed VLAN, or a Trunk Port with the Native VLAN displayed.

The challenge is to answer just these two simple questions:

Question #1: If Host A sends a frame to Host B, will Host B receive it?

Question #2: If Host A sends a Broadcast, which hosts will receive it?

The answers and an explanation are provided below.

Remember, the goal isn’t simply to get the answer right, but to be able to understand why. If you can explain the
answers to both of these questions to someone else, then you know you will have mastered the concept of VLANs.

Answer to Question #1

Yes, Host B will receive the frame that Host A sends.


To understand why, you will need to have a solid understanding of when a Switch sends a frame tagged or
untagged, and what a switch does when it receives a frame that is tagged or untagged.

We will step through the sequence of events to prove it. For this answer, we are only going to focus on the
connection above and below each switch, and not the connections that are left and right (i.e., ignoring the
connections to Host C through Host L).

It starts with Host A sending the frame untagged since hosts do not understand VLAN tags, nor do they know
what VLAN is configured on the switch port they are connected to.

Switch T receives the untagged frame on an Access Port in VLAN #3. Switch T therefore considers the frame to
be in VLAN #3. The port below Switch T is a Trunk port, which means all traffic leaving the port must have a
VLAN tag, except for traffic on the Native VLAN, which in this case is VLAN #7 – not the VLAN that our frame is
on. Therefore, the frame leaves Switch T tagged for VLAN #3.

Switch V receives the tagged frame and reads the tag to determine the frame belongs to VLAN #3. Switch V
then forwards the frame untagged out the Access Port in VLAN #3 — all traffic leaving an Access port is
untagged.

Switch X receives the untagged frame on an Access Port in VLAN #4. Since there is no tag, Switch X associates
the frame to VLAN #4. Switch X then forwards the frame out the Trunk port, but since this Trunk port has a
Native VLAN of VLAN #4, the frame is sent untagged.

Switch Y receives the untagged frame on an Access Port in VLAN #6. Switch Y now considers the frame to be in
VLAN #6. Switch Y then forwards the frame out a Trunk port, but since this Trunk port has a Native VLAN of VLAN
#6, the frame is sent untagged.

Switch Z receives the untagged frame on an Access Port in VLAN #9. Switch Z now considers the frame to be in
VLAN #9. Switch Z then forwards the frame out an Access port – which is always sent untagged.

Host B then finally, successfully, receives the untagged frame.

Answer to Question #2

The following hosts will receive a broadcast frame sent from Host A:
C, F, H, I, B

Note: Host J and Host K receive the broadcast, but when they receive the frame, it will include a VLAN tag. This
article is written from the traditional perspectives of hosts not understanding VLAN tags, therefore, when
receiving a frame with extra bits, they assume the L2 header is malformed and drop it.

To explain this answer, you must first fully understand Question #1 and its answer. Once you have fully grasped
why a frame from Host A is able to get to Host B, you can then try to understand Question #2 and the
explanation below.

The key is to determine what VLAN# each switch will consider the broadcast frame to be a part of. From there,
you can easily determine whether the hosts to the left or right will receive the frame. We already know from
Question #1 that what is sent by Host A will make its way through each switch in the topology, so all there is to
consider is whether the other hosts will receive it.

Again, it starts with Host A sending the frame untagged to Switch T.

Switch T considers the frame in VLAN #3. Therefore, it does forward the broadcast out the Access port in VLAN
#3, and does NOT forward the frame out the Access port in VLAN #2. Host C receives it, Host D does not.

Switch V considers the frame in VLAN #3. Therefore, it does NOT forward the broadcast out the Access port in
VLAN #5, and does forward the broadcast out the Access port in VLAN #3. Host E does not receive the frame,
Host F does.


Switch X considers the frame in VLAN #4. Therefore, it does NOT forward the broadcast out the Access port in
VLAN #3, and does forward the broadcast out the Access port in VLAN #4. Host G does not receive the frame,
Host H does.

Switch Y considers the frame in VLAN #6. It does forward the frame out both Trunk ports. However, if the Trunk
port is configured with a Native VLAN that matches the frame, then the frame is sent untagged. Therefore,
when Host I receives the frame, it receives the frame without a VLAN tag and is able to understand the L2
header. But when Host J receives the frame, it includes a VLAN tag – which end-hosts typically do not
understand. Host I is able to receive and process the frame, but Host J, despite receiving the frame, is unable
to understand it and therefore drops it.

Switch Z considers the frame in VLAN #9. It does forward the frame out the Trunk port with Native VLAN #8, but
it does so with a VLAN Tag. Host K, despite receiving the frame, is unable to understand the tag and therefore
drops it. Switch Z does NOT forward the frame out the Access Port in VLAN #3, so the host on that port never
sees it.

Finally, since we’ve already answered the first question, we know Host B will receive a frame that Host A sends.
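The hop-by-hop reasoning in the Native VLAN section (the Switch X / Switch Y mismatch) and in the answer to Question #1 comes down to two rules per port: how a received frame is classified, and whether it leaves tagged. The Python below is an added example, not part of the original article: it encodes those two rules and replays both scenarios. It takes the Native VLAN of Switch V's upper trunk (#5) from Wim VH's comment, and it assumes Host B's port is an Access port in VLAN #9, which the walkthrough implies but does not state.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Port:
    """A switch port: 'access' with its VLAN, or 'trunk' with its Native VLAN."""
    mode: str
    vlan: int


def classify_ingress(port: Port, tag: Optional[int]) -> Optional[int]:
    """VLAN the switch associates a received frame with; None means dropped.

    Access port: traffic lands in the configured VLAN; a frame tagged for some
    other VLAN is dropped (Ed's reply to Rohit in the comments).
    Trunk port: a tagged frame keeps its VID; an untagged frame falls into the
    Native VLAN, whether or not that is what the sending switch intended.
    """
    if port.mode == "access":
        if tag is not None and tag != port.vlan:
            return None
        return port.vlan
    return port.vlan if tag is None else tag


def egress_tag(port: Port, vlan: int) -> Optional[int]:
    """Tag the switch puts on a frame leaving this port; None means untagged.

    Raises ValueError if the frame would not leave this port at all: a switch
    never lets traffic in one VLAN exit an access port in another.
    """
    if port.mode == "access":
        if vlan != port.vlan:
            raise ValueError(f"VLAN {vlan} traffic cannot exit an access port in VLAN {port.vlan}")
        return None
    # Trunk: everything is tagged except the Native VLAN.
    return None if vlan == port.vlan else vlan


def hop(ingress: Port, egress: Port, tag_in: Optional[int]) -> Tuple[int, Optional[int]]:
    """One switch: classify on the way in, decide tagging on the way out."""
    vlan = classify_ingress(ingress, tag_in)
    if vlan is None:
        raise ValueError("frame dropped on ingress")
    return vlan, egress_tag(egress, vlan)


# Question #1 path, top to bottom. Switch V's upper trunk has Native VLAN #5
# (from Wim VH's comment); Host B's port is ASSUMED to be access VLAN #9.
CHALLENGE_Q1_PATH: List[Tuple[str, Port, Port]] = [
    ("T", Port("access", 3), Port("trunk", 7)),
    ("V", Port("trunk", 5), Port("access", 3)),
    ("X", Port("access", 4), Port("trunk", 4)),
    ("Y", Port("access", 6), Port("trunk", 6)),
    ("Z", Port("access", 9), Port("access", 9)),
]


def trace(path, tag_in: Optional[int] = None) -> List[Tuple[str, int, Optional[int]]]:
    """Replay a frame hop by hop; returns (switch, VLAN assigned, tag on egress)."""
    out = []
    for name, ingress, egress in path:
        vlan, tag_in = hop(ingress, egress, tag_in)
        out.append((name, vlan, tag_in))
    return out


def native_vlan_mismatch() -> Tuple[int, bool]:
    """The Switch X / Switch Y example from the Native VLAN section.

    Host A (access VLAN #22 on X) sends to Host C (access VLAN #22 on Y); the
    trunk has Native VLAN #22 on X but #33 on Y. Returns the VLAN Switch Y
    assigns the frame and whether it can reach Host C's port.
    """
    _, tag_on_wire = hop(Port("access", 22), Port("trunk", 22), None)  # leaves X untagged
    vlan_on_y = classify_ingress(Port("trunk", 33), tag_on_wire)       # lands in VLAN #33
    try:
        egress_tag(Port("access", 22), vlan_on_y)
        reaches_host_c = True
    except ValueError:
        reaches_host_c = False
    return vlan_on_y, reaches_host_c


if __name__ == "__main__":
    for step in trace(CHALLENGE_Q1_PATH):
        print("Switch %s: VLAN %d, leaves %s" % (step[0], step[1], "tagged %d" % step[2] if step[2] else "untagged"))
    print("Mismatch example: Switch Y assigns VLAN %d, reaches Host C: %s" % native_vlan_mismatch())
```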

If you prefer learning with a Video, the content of this article has been recorded and uploaded to YouTube:

https://www.youtube.com/watch?v=MmwF1oHOvmg


Comments
vasu says
July 20, 2016 at 1:46 am

perfect explanation. Would be great if you could explain NAT.

Ed Harmoush says
July 20, 2016 at 8:33 am

Glad you enjoyed it, Vasu! How did you do with the VLAN Challenge?

NAT is actually the topic of the current article I am working on. So that is coming soon… stay tuned

Update: NAT Article series has been released! Check it out here: pracnet.net/nat


sushant rakesh says
March 10, 2018 at 9:05 am

very nicely explained. Pls let me know if you have explained BGP!!

Ed Harmoush says
March 20, 2018 at 3:37 pm

Hi Sushant. I’ve released one article on BGP so far. It discusses the BGP oldest path attribute. I’m sure I’ll write
others. In the meantime, if you want to learn more about BGP, check out the BGP Class on the Classes page.

Toby Skandier says
August 23, 2018 at 8:39 am

Yeah! Come join us in Dallas the week of 09/24. The Cisco BGP class is awesome. There’s also a virtual
component to that session that would allow you to attend remotely. That class works great as a virtual
session. Hope to see you!

Veselin says
August 9, 2016 at 11:16 am

This is brilliant! Nothing more to add, nothing to remove. So far these are the best presented articles I’ve ever seen. I
thank you on behalf of all networking newbies for making the effort to create this website! Looking forward to reading
more.
Ves

Ed Harmoush says
August 9, 2016 at 12:02 pm

Hi Ves, I’m happy to hear they help! Comments like this are great encouragement to keep working on more articles.
Thanks for the note!


Nivedita says
June 28, 2018 at 3:14 am

Yes Ed, I have never seen such simple explanations for VLANs, thank you so much.

Jon says
September 1, 2016 at 8:11 am

Wow this information was so easy to understand! I went through 4 years of school and still did not have a firm grasp
on what exactly a VLAN was. Found this article on Spiceworks and I’m glad I did. Will be passing along to others for
enlightenment =)

Ed Harmoush says
September 1, 2016 at 8:30 am

Hi Jon, glad you found it useful! I appreciate you passing the article along!


George says
November 24, 2016 at 4:32 am

How is it possible to get different native VLANs on both sides of a trunk link?
Native VLAN mismatch?!?

Ed Harmoush says
November 24, 2016 at 8:53 am

Exactly. The Native VLAN configuration only applies to the local switch (and even further, the local switch’s interface).
Nothing is stopping you from (inadvertently) connecting two switches and configuring two different Native VLANs. The
Native VLAN is not shared or negotiated between the switches, it is statically set.

Some Cisco switches and code versions will use CDP to share with one another what they have configured as the
Native VLAN, so you can sometimes get warnings that you have a Native VLAN mismatch.

pankaj singh says
October 22, 2020 at 11:14 am

But the packet will be dropped, right (as explained in the section Native VLAN)? Then how come in question 2
switch V receives a VLAN packet with VLAN id 3 (as the trunk native VLAN is 7)? So switch V should receive the packet
with VLAN id 7, no??
I am confused here, as the answer to question 2 says “Switch V considers the frame in VLAN #3”.
How??

Wim VH says
October 25, 2020 at 2:27 am

Switch V will consider untagged frames coming in on the trunk port as a frame in VLAN #5 (the Native VLAN of
that trunk port).
However, in this exercise it is a tagged frame in VLAN #3. So the concept of the Native VLAN does not apply for
this specific frame.


Ed Harmoush says
October 26, 2020 at 12:54 pm

Thanks, Wim

Sheree Ann says
November 27, 2016 at 11:52 pm

Thank you for taking the time to create an article like this. You have discussed the topic in a clear and concise manner.
Will pass this along.

Ed Harmoush says
November 28, 2016 at 9:55 am

Hi Sheree Ann, glad you enjoyed it! Thank you for the shares!


James Marsh says
December 24, 2016 at 8:12 pm

This is great, really well explained. I notice that you have some classes listed… are these the articles, or is there
something else that you offer? Because I am already sold on your material.

Ed Harmoush says
December 25, 2016 at 8:37 am

Hi James! Glad you enjoyed the articles.

The classes do cover some of the topics on the articles, but in all cases go into more depth. The animations are also
more “one step at a time” in the classes, to ensure each student fully comprehends the order of things and what
happens next, as well as why.

The classes also cover a far bigger spectrum of technologies. Shoot me an e-mail if you want to know more:
[email protected].


Adam says
January 11, 2017 at 9:21 am

I thought the only way to connect 2 switches together is using a Trunk Port. The port that connects Switch V and
Switch X is an Access port, according to your diagram. How can the frame continue onto the next switch through an
Access port?


Ed Harmoush says
January 11, 2017 at 6:05 pm

That is the only common best practice way, but you can absolutely connect two switches together using access ports.
The second switch would only be able to connect hosts in that single VLAN, of course, so if you are simply trying to
add more switchports for a particular VLAN, using an access port inter-link is a perfectly appropriate solution.


danimal says
April 1, 2018 at 12:00 pm

So in your third diagram above you show a link to VLAN 10 in two switches via an access port (and one with VLAN
30)… from that I had the impression that the access ports had to be configured using the same VLAN. But based on
your challenge problem, as Adam mentioned, Switch V’s access port VLAN 3 and Switch X’s access port VLAN 4 don’t
have to match?

Is this poor practice to do it this way?

Ed Harmoush says
April 1, 2018 at 6:25 pm

The Access or Trunk configuration is on a per switch-port basis. So yes, in a properly designed network they
should match, but nothing is enforcing that they match — so it can absolutely happen in a misconfigured
network.

And the VLAN challenge intentionally has the configurations not match to test your knowledge and
understanding of VLANs. By no means should it be used as an example of a well designed network =).


Rohit Kamble says
January 12, 2017 at 1:42 am

It is a great document, it cleared lots of my doubts.

There is one question: in a switch, packet (pck) lookup happens based on destination MAC address (dmac), and if we
do not find an entry for the dmac, we flood the pck on all ports in the same VLAN.
Now consider we send a pck from Host A to Switch T through access VLAN 3. This pck is not tagged with VLAN 3. How
will the switch CPU find out that the pck came in on VLAN 3?
Do switches do tagging internally on access ports for ingress pcks and remove the tag on egress?
Because there are multiple pcks ingressing/egressing switch ports, and they might be tagged or untagged, there
should be some way for the switch CPU to find out which pck came from which VLAN?

Thanks,
Rohit

Ed Harmoush says
January 13, 2017 at 9:29 am


The port Host A is connected to is configured as an Access port in VLAN 3, therefore, any packets sent by Host A will
be considered by the switch to be in VLAN 3. This will happen if Host A includes or doesn’t include a VLAN tag
(typically it will not include a VLAN tag). If Host A had tagged the packet with a different VLAN, then the switch
would have dropped the packet.

So yes, in a way, there is an internal tagging of packets by the switch.


Robert Nanney says
February 22, 2017 at 7:20 am

Great article!

bright Ugo says
March 2, 2017 at 3:50 am

Excellent explanations. I used this as a guide for fresh IT guys assigned to implement a VLAN in a lab environment and
they did it perfectly with the help of this explanation.

zon says
March 16, 2017 at 5:53 pm

This is the best and most simple explanation so far~ thanks~~ it really helps me a lot~

Vish Ponnuru says
August 29, 2017 at 7:31 am

Excellent tutorial with exercise. It is one of the best resources available on the net. I passed CCNA but I have never
seen such neat material. If there were a book available on networking fundamentals from your site, I would definitely
buy it.

Chant says
September 29, 2017 at 12:44 am

Wow, thank you for putting together, very easy to understand!


tianqi says
November 15, 2017 at 5:49 pm

this is the best explanation about VLAN so far. it is easy to understand!


Aaron says
December 3, 2017 at 7:14 pm

Really awesome, thanks! Would love to see a “well designed” topology for comparison at the bottom, and maybe more
questions with a different network. But agree with the other comments, best explanation I’ve seen.


Khushbu Patel says
December 10, 2017 at 9:58 am

Very helpful article. Got very clear understanding of VLAN and related terms. Thank you so much.


Shawn Moore says
December 13, 2017 at 9:49 pm

Really wish I had these nicely laid out articles and clean GIFs back in my day for the CCNA haha. Very well done article
on VLANs and especially inter-vlan routing.

Fernando Couto says
December 19, 2017 at 5:29 pm

Best approach to teach this important topic: first explain (very well) what you can do, and then you’ll be able to plan
whatever you need. Other sites elaborate complex to-do lists targeting the most common setups. Liked also how the
hyperlinked terms can help newbies and so kept the text short. Thanks!

Brian says
February 11, 2018 at 11:20 pm

I’m a little confused about the Native VLAN. Is the native VLAN the same as the default VLAN, only if the default VLAN is
changed from VLAN 1? You have to tell the trunk port what the default VLAN is? The only reason a trunk port would
receive an untagged frame is if the port wasn’t in a VLAN.

All ports start in the default VLAN 1, which is untagged. If you set up a single VLAN, then you have to set up a trunk port,
but only the VLAN you set up gets tagged, the default VLAN is still untagged. You can’t assign a trunk port a native
VLAN that doesn’t exist, so the native VLAN is the default VLAN, unless you’ve changed the default VLAN to be something
other than VLAN 1. Is my thinking wrong about this?

Also, computers on a VLAN are isolated, but they still need a default gateway (router) if they want to connect to the
internet. Computers in VLAN 1 can still connect to computers in VLAN 2 because they are connected to a router, and a
router knows all networks to which it is connected. What if you didn’t want VLAN 1 to communicate with VLAN 2? But all
computers still need internet access. For example, in your 2nd diagram, what if you didn’t want computer A to
communicate with computer B, but they both needed to connect to the internet using the router they are attached to.

Ed Harmoush says
February 12, 2018 at 11:37 am

Hi Brian,

I think you are confusing a few terms, namely Native VLAN vs Default VLAN vs Default Native VLAN. I would
recommend reading this post to help highlight the differences.

Regarding your second question, you could use an Access-List to selectively Permit or Deny traffic.

Reply

sss says
February 18, 2018 at 3:57 am

All it can do is associated the untagged traffic with what Switch Y’s Trunk port has configured as the Native VLAN,
which in the case is VLAN #33.

Got some typos to fix here. It should read as: “All it can do is ASSOCIATE” and “which in THIS case is.”

Reply

Ed Harmoush says
February 19, 2018 at 10:43 am

Good catch. Fixed. Thanks!

Reply

Arthur says
February 22, 2018 at 8:14 pm


Hi Ed, this is probably one of the most detailed, intuitive and easily understood VLAN explanation on the web, and with
the comparison of tagged/untagged vs access/trunk terminology, it clears a lot of confusion.

Would be really great if you can expand this to IP phones that have LAN and Data ports, and explain how frames
coming in and out of the IP phones and data ports works.

Thanks once again. Cheers.

Reply

Ed Harmoush says
February 25, 2018 at 2:18 pm

Hi Arthur, thanks for the kind words! Really happy you enjoyed the article!

Great suggestion. In fact, I have an outline already written for an article that will cover Auxiliary (Voice) VLANs and
how all that works. I'm afraid I don't have a timeline at this point for when I will get to writing it. Working on a
Subnetting video series at the moment (they are going to be great!).

Reply

Arjun says
May 10, 2018 at 4:40 am

Hey Ed,

I am CCNA certified and yet I have not seen or read such neat explanations ANYWHERE. You are doing a fantastic
job. Ed, when is the subnetting video series coming out? Eagerly waiting for it.

Thanks
Arjun.

Reply

Hem says
March 7, 2018 at 11:37 am

I could not stop myself writing this comment. Simple yet Perfect explanation. I’ve been looking for this. Thank you.

Reply

Ed Harmoush says
March 20, 2018 at 3:28 pm

You’re welcome!

Reply

John Ojo says


March 28, 2018 at 9:00 am

Awesome Ed…you completely nailed it…I have a better understanding now and would go back to an abandoned tshoot
project I had on gns3. Thanks

Reply

Ed Harmoush says
March 28, 2018 at 9:32 am

Glad you enjoyed it, John =) Good luck with the TSHOOT project =)

Reply

danimal says
April 1, 2018 at 12:19 pm

this challenge question is so helpful…it really forces you to understand vs broader overview without understanding
which is all these youtube videos ever do


Reply

Ed Harmoush says
April 1, 2018 at 6:25 pm

Glad you found it helpful, Danimal =). Thank you for the read.

Reply

Mehak Mann Dhillon says


April 9, 2018 at 10:25 am

I have been working in the networking field for the last 3.5 years and always had doubts regarding the Native VLAN. This is the
first time I have seen an article explaining VLANs in such an easy way. I have read your other articles as well, such as
Gratuitous ARP, and came to know that ARP scope is a different concept which is mostly termed as GARP only on other
websites.

You Are The Best

Reply

Ed Harmoush says
April 9, 2018 at 10:43 am

Hi Mehak. Glad you enjoyed the articles =). I’m sure you have colleagues that would also enjoy them, please
consider sharing these articles with them if so =).

Reply

Mehak Mann Dhillon says


April 9, 2018 at 10:58 am

Do you have any articles published regarding TCP? There are a few classes for Network Fundamentals on your
website. However, I am looking for TCP explained in articles like the VLAN topic above.

Reply

Ed Harmoush says
April 9, 2018 at 11:05 am

Let’s just say, TCP is on my list. Currently I’m working on a Subnetting video series… they are going to be top
notch.. stay tuned =)

Reply

Mehak Mann Dhillon says


April 9, 2018 at 11:01 am

Yeah I already did!

I was so fascinated by the explanation that I immediately shared the link with my friends.

Reply

Ed Harmoush says
April 9, 2018 at 11:04 am

Thank you for the shares, I appreciate it!

Reply

Mehak Mann Dhillon says


April 9, 2018 at 11:38 am

Also, I would be grateful if you published articles on SSL (it's only under the Classes tab).

Looking forward to reading more articles on SSL and TCP published by you.


John says
April 9, 2018 at 10:36 am

On your first illustration, why is it not practical to daisy chain the switches instead of forwarding to a router? Same
as daisy chaining routers? Is it because of host IP availability? If connecting to another network, will one router
suffice?

Just started reading about networking recently. Thanks!

Reply

Ed Harmoush says
April 9, 2018 at 10:48 am

Hi John.

Because each of the “dashed circles” represents a different IP Network. Switches only facilitate communication within
networks. You would need Routers in between to facilitate communication between networks.

If the whole topology was a single IP Network, then the three daisy chained switches would absolutely work.

The purpose of having multiple networks is to separate groups of communicating devices within their respective
purposes. For instance, a school might have a different IP Network for each classroom.

Reply

jkc says
April 9, 2018 at 10:38 am

Thank you for such a detailed explanation.

I have a doubt:

A router is required for 2 hosts to communicate with each other that are in 2 different VLANs. However, in the above
challenge, Host A (VLAN 3) was able to send the packet to Host B (VLAN 9) without a router/layer 3 switch, by only
adding and removing VLAN tags as per the configuration.

You have mentioned that it is a poorly configured topology; however, is it also another way of communication between 2
hosts of different VLANs without using any router?

Reply

Ed Harmoush says
April 9, 2018 at 11:04 am

Hi JKC,

Typically, when you have multiple VLANs, you also have multiple IP Networks. That is the “correct” way of doing
things. A Router is required to communicate between IP networks.

That said, often the VLAN is the boundary between different Networks, so it is often said that a Router is needed to
communicate between different VLANs. That statement is true, but isn’t the whole truth — in reality, the Router is
needed because you are talking between IP networks.

Remember, a VLAN configuration is purely local to the switch. In the VLAN Challenge, Switch T has no clue how
Switch Z is configured (or any other switch). All the hosts in the VLAN Challenge are configured with an IP address in
the same IP Network. So while traffic between Host A and Host B are crossing different VLANs, they are never
crossing different IP networks — hence, no Router is needed.

Reply

Daniel says
October 4, 2019 at 3:52 am

But, surely, if they are using the same IP network address, they can’t be separate VLANs – they are part of the
same VLAN?

Reply


Ed Harmoush says
October 8, 2019 at 8:58 am

Remember, the configuration of VLANs is Layer 2, and the configuration of IP and IP Networks is Layer 3. There
is nothing stopping you from configuring different IP networks in the same VLAN, or the same IP network in
different VLANs.

Of course, neither of those options are considered “best practice”.

So it isn’t that they can’t be in separate VLANs, it is that they shouldn’t.

Reply

ali nezhad says


March 10, 2021 at 9:16 am

Hi Ed
I have the same question as Daniel's. It actually occurred to me after I had already posted a praiseful comment for
this tutorial, which is great. However, I don't think this network functions at all. I found this thread after
checking to see if anyone else has asked this question. I actually implemented a simple network in Packet
Tracer to test the idea. I wish I could attach a file or a screenshot here. Here's the diagram:
PC1 (192.168.0.2) —SW1(F0/1, A2) — SW1(F0/2,T2) — SW0(F0/2,T1) — SW0(F0/1, A1)— PC0 (192.168.0.1)

When I ping from one PC to the other, ARP requests are dropped by the first switch on the path.

Ed Harmoush says
March 13, 2021 at 1:32 pm

I would wager this is more a Packet Tracer nuance than an actual switch behaviour. I've tested this topology using GNS3
and similar concepts using actual switches; all have functioned as described in the article. I suggest trying the
same setup in GNS3/EVE-NG and seeing how it plays out.

PS: Did you disable CDP between the switches? And did you make sure a trunk actually formed? Often
(particularly with Packet Tracer) mismatched VLANs will prevent the trunk from forming. Probably a good idea
to disable DTP entirely as well.

John says
April 18, 2018 at 3:14 pm

Thank you for the informative article and response! Do you accept donations by chance?

Reply

Ed Harmoush says
May 14, 2018 at 9:16 am

Hi John,

That is kind of you to offer. At the moment I do not have a system set up to accept donations. In the future I’ll be
offering e-learning classes. You’re welcome to “donate” by purchasing one of those.

In the meantime, I'm happy just knowing you enjoyed the content. Thank you for the consideration of a donation.

Reply

Pranav Rakholiya says


April 24, 2018 at 2:21 am

The easiest way to understand, with graphics and easy descriptions. It was my first article read here; I will start
reading the others now.

Reply


Ed Harmoush says
May 14, 2018 at 9:16 am

Hi Pranav, glad you enjoyed them =) Welcome to the site!

Reply

Okey says
August 18, 2018 at 10:37 am

As far as this very subject matter is concerned, no other material need exist on the net. Cleared every shade of doubt.

Reply

Ed Harmoush says
August 23, 2018 at 9:30 am

Wow, thanks for the kind words, Okey! That was exactly my goal =)

Reply

Toby Skandier says


August 23, 2018 at 8:49 am

Awesome article, Ed. I reversed the flow from B to ensure all the switches would even know B’s MAC address and, sure
enough, a single broadcast from B would have propagated all the way to Switch T and even out to Device A, making
certain that a path from A to B’s unicast MAC would be predicated on forwarding and not one instance of flooding.
Great job!

Reply

Ed Harmoush says
August 23, 2018 at 9:30 am

Hey Toby =) Glad you liked it! And thanks for confirming it works as explained with a lab. I’ll bet that was a fun one
to build out

Reply

amit handa says


September 1, 2018 at 8:43 pm

Thanks a lot, Ed! Your articles are perfect for networking newbies like us. Please keep them coming. Containers please?

Reply

NAgesh says
September 23, 2018 at 6:58 am

Very nicely explained. Can you please add tutorials on the TCP/IP Reference model, TCP, UDP, and IP
layers/protocols/headers?

It would be great if you added tutorials on some of the network services like DNS, DHCP, SNMP etc. and "What happens
when you type a URL (ex: google.co.in) in the browser and press enter?"

Thank you in advance.

Reply

Leonardo Dias says


November 11, 2018 at 11:34 am

Hi Ed,

This explanation and exercises are awesome. This article helped me a lot in a network troubleshooting for a firewall
deployment. Thanks a lot, guy.


Reply

Rachel says
November 20, 2018 at 10:42 am

Thank you, your work is amazing, these concepts are so clear to me now.
Please do a series on VXLAN too! Thanks a million.

Reply

sonia says
December 6, 2018 at 2:41 pm

Thank you, thank you, thank you for explaining it so well. I couldn't answer the challenges the first time, but with your
explanation I feel like I understood a lot! Thank you again.

Reply

Ganesh Devarshetty says


March 21, 2019 at 4:02 am

Switch T is configured with native VLAN 7 and Switch V is configured with native VLAN 5. This configuration would generate a
native VLAN mismatch and STP will put the port in an inconsistent state. So in this case Host A cannot communicate with Host B.

Reply

Ed Harmoush says
March 25, 2019 at 7:06 am

Hi Ganesh, that is only the case if you are using Cisco switches with CDP enabled. Either way, that is outside the
scope of what this article was trying to communicate. The challenge is merely an exercise to determine if you
understand how frames flow through a L2 path in regards to VLANs and VLAN tagging.

Reply

hasser says
April 9, 2019 at 6:38 am

The connection between two switches using an access port and a trunk port, like Switch X and Y, or Y and Z, will give us
limited connectivity because only VLAN 1 is allowed. How is it possible to do this exercise without this consideration?

Reply

Ed Harmoush says
April 11, 2019 at 8:43 am

Hi Hasser, I would encourage you to configure the topology in a lab and test it out yourself. It does work as stated.

Reply

mahmoud samir says


April 9, 2019 at 11:39 pm

First of all, thanks for this simple, informative, great explanation. Please keep going.
But I have a question regarding the Native VLAN Mismatch drawing: what if Host B tries to send traffic to either Host C or D?
As I've understood from your explanation, the frame will reach Switch Y tagged with VLAN 33 and this will match the
native VLAN on the trunk port too, so it is supposed to strip off the tag and the frame exits the trunk port untagged. But
how will the switch handle that? Will it drop the traffic or forward it to the default VLAN, for example? This is a little
bit confusing to me. Hope to hear from you soon, as I tried to search for this scenario's result but in vain.

Reply

Ed Harmoush says
April 11, 2019 at 8:42 am

Hi Mahmoud, glad you enjoyed the explanations.

When Switch Y receives a frame tagged with VLAN33, it will simply accept the traffic on to VLAN33 and deliver the
frame to Host D.

Remember the Native VLAN determines what VLAN a frame without a tag is associated to. If a frame arrives with a
tag, the frame is accepted on to the VLAN identified by the tag.

Reply

Ferenc Farkas says


May 1, 2019 at 11:17 am

Hello,
This site is really great! Congrats.
You should add a Search Field to make your site better. Fortunately, there are already many topics on the site, so it
becomes difficult to find a certain topic.

Keep up the good work.

Reply

Ferenc Farkas says


May 1, 2019 at 7:18 pm

Ok, forget my comment. I found the Search Field…

Reply

Ed Harmoush says
May 16, 2019 at 9:09 am

Glad you enjoyed the site, Ferenc.

Reply

Voica says
May 2, 2019 at 7:12 am

Thanks for the nice explanation and examples for understanding VLAN tagging! I would have, though, a longer question
about end stations forwarding traffic to multiple sets of end stations (multiple VLANs). Could you please give me an e-
mail address to discuss this topic in more detail?

Reply

Ed Harmoush says
May 16, 2019 at 9:11 am

Hi Voica, glad you enjoyed the articles. Feel free to use the Contact the Author section of the About page.

Reply

Nick says
May 6, 2019 at 2:25 pm

When Host A sends some traffic, which is an untagged frame, the switch considers it to be in VLAN 3 because the port is
configured as an access port in VLAN 3. But as per "any traffic leaving an access port is sent untagged", when it leaves that
port, how will it be in VLAN 3 then? Shouldn't it be untagged?

Reply

Ed Harmoush says
May 16, 2019 at 9:13 am

After a switch sends a frame, it has zero insight or control as to what VLAN the next switch associates the traffic to.
In an ideal world, all switches will associate the same traffic to the same VLAN, but since the VLAN configurations on
each switch are independent of each other, that isn’t always the case.

Reply


Dennis Kamau says


May 11, 2019 at 4:23 am

Hi, I wish to register my sincere gratitude for such a well curated explanation on VLANs. I am preparing to sit for the CCNA
exam and I thank GOD that I found this article right on time.
Thank you please.

Reply

datpin says
May 18, 2019 at 6:36 pm

It is very clear on the concept of how VLANs work.

Reply

Mit Patel says


July 21, 2019 at 5:28 am

Hi Ed,

First of all, thank you so much for producing such wonderful articles. They are outstandingly helpful. I have a question
though.

I have heard that a native VLAN mismatch is a security threat. In your article too, you mention "…Even worse, due to a
Switch's flooding behavior, Host D might inadvertently get the traffic that was destined to Host C." Now I am unable to
understand how there can be a security threat here. If I get to the basics, each VLAN should ideally be its own
broadcast domain. So even if VLAN 22 traffic is allowed to inadvertently reach VLAN 33 (in terms of Layer 2, due to the native
VLAN mismatch?), the traffic was never going to reach the unintended hosts given the subnet mismatch. So how do we
look at this as a big common security threat is my question. Am I missing something here? Hope I am making
sense.

Reply

Ed Harmoush says
July 22, 2019 at 1:52 pm

You are assuming the hosts are observing the rules of networking. If a host is being malicious, however, they can
certainly accept and receive packets not destined to their IP address with a few tweaks to their networking
configuration.

Reply

Samiul says
August 3, 2019 at 8:43 am

Couple of questions…

1) If I DO NOT define by manual configuration whether a switchport is an ACCESS or TRUNK port, then how will that port
deal with tagged or untagged traffic? By default, will it be associated with VLAN 1 (default VLAN) and act as an
ACCESS port?

2) If I have changed the Native Vlan to something other than the default vlan 1, what will be the traffic behavior for
the ports which are just residing as usual with default Vlan 1. Will the trunk port forward traffic from these default
vlans as untagged traffic to the other end of a trunk port?

Reply

Ed Harmoush says
August 5, 2019 at 8:45 am

Hi Samiul,

A lot of your questions are discussed in the Default Switchport Configuration section of the Configuring VLANs on
Cisco Switches article.

1. The default switchport configuration uses Dynamic Trunking Protocol (DTP) to automatically determine whether a
port should be an Access Port or a Trunk Port.


2. The Native VLAN is a per-interface configuration. If you change the Native VLAN to something other than 1, then
traffic exiting that particular port which belongs to VLAN 1 will now be tagged. And any untagged traffic arriving on
that switchport will be associated to the new Native VLAN.

Remember, the Native VLAN configuration only modifies which VLAN is traversing a particular trunk port without a
tag. Watch this video for an illustration of the Native VLAN.

Reply

Shaikh Hafizur Rehman says


August 24, 2019 at 4:21 am

Hi,

Just want to know: if there is a native VLAN mismatch on trunk interfaces (native VLAN 10 and 20), then will hosts in different
VLANs (VLAN 10 and 20) be able to communicate?

Reply

Ed Harmoush says
August 26, 2019 at 11:16 am

Frames from the two hosts will be able to reach each other. Which is the outcome we are trying to avoid by placing
them on different VLANs to begin with. But, full host to host communication will require a bit more consideration (e.g.,
they will likely be on different IP subnets).

Reply

bob says
September 11, 2019 at 7:05 am

I got the test questions wrong, BUT I think I was correct in some aspects. The trunk ports do not state that the VLANs
are tagged on them, thus that traffic would not pass over the trunk…correct?

Reply

Un hacker de las redes says


October 22, 2019 at 7:10 pm

Can someone explain to me… what “1s and 0s” are?

I don't understand… that should be explained…

Reply

RENREN says
October 22, 2019 at 10:56 pm

I configured it on GNS3 and it seems like they are not reaching each other. Please enlighten me.

Reply

Ed Harmoush says
October 23, 2019 at 9:57 am

Awesome! I love that you are labbing this!

You’ll want to disable CDP, DTP, and STP for it to work. These are all “extraneous” protocols (outside the scope of
VLANs) that will impede the above from functioning. In addition, each host should have a unique IP address in the
same IP network.

Let us know how it goes =)

Reply

Patrice says
December 23, 2019 at 4:27 am


Amazing how it looks simple when you explain it.

Every time I have a problem with GNS3 or at work, I have a look at your site and understand the problem better.
My favorite site for learning networking, definitely.

Reply

Ed Harmoush says
December 23, 2019 at 11:11 am

=) Thanks for the kind words, Patrice. I’m glad things are easier to understand for you!

Reply

Matthew Sauvage says


March 26, 2020 at 9:35 am

Very clear and helpful Ed but one thing I cannot figure out is on the routing side, which may be a different post. How
do the two routers “know” to use VLAN 20 to pass the packet from VLAN10 to VLAN30? I have a very similar setup
using Draytek routers on which I have “Inter-LAN routing” configured but I am not able to pass packets between
VLANs. What am I missing? I don’t understand how the first router in your diagram moves the packet from VLAN10 to
VLAN 20 and how the second router moves the packet from VLAN20 to VLAN30. Is it because VLAN20 is common to
both routers and that you have inter-LAN routing set up between VLAN10 and VLAN20 on the first router and between
VLAN20 and VLAN30 on the second router, so that the broadcast from host C is able to locate and pass packets to host
D?

Reply

Ed Harmoush says
March 26, 2020 at 9:53 am

Hi Matthew, glad you enjoyed the article =). I cover Routing between Vlans in this article:

https://www.practicalnetworking.net/stand-alone/routing-between-vlans/

Unfortunately, I can't speak to the specific configuration of Draytek routers; I have no experience with them.

Reply

mani says
March 26, 2020 at 11:20 pm

Sir, can I send multiple VLAN information from one router to another router which is situated in another place?

Reply

sr33 says
April 10, 2020 at 8:05 pm

Wow ! this is one of the best explanations I’ve read on ANY TOPIC in a long long time. You have a GIFT. Thank you !

Reply

frank says
June 7, 2020 at 12:19 am

An untagged PDU from SWx to SWy is successful also with different native VLANs at the ends: the switch associates the
untagged PDU with VLAN ID nr. 01 (802.1Q) anyway in both switches. Instead, CDP, STP and VTP protocols, for example,
don't work because there are different native VLANs. Anyone with Packet Tracer can verify this.

Reply

Jerome Ellis says


June 13, 2020 at 12:59 pm

Hello Ed,

Nice articles. The exercise really tested understanding. So am I correct in saying that it is bad practice to try and
interconnect VLANs across switches using access ports, as the inherent functionality of "all traffic leaving an Access port
is untagged" means there is no inherent detection of jumpering across VLANs? Because in the case of two VLANs on the
same switch this would be detected by a lack of communication, it is not intuitive that when doing VLANs across switches
you need to be very careful. If using trunk ports you just need to make sure that the native VLANs are the same. Are
there any other issues to look out for when using VLANs across multiple switches?

Reply

Ed Harmoush says
June 26, 2020 at 11:53 am

Hi Jerome! Yes, you’ve understood it exactly.

You’ve also identified the major issues to look out for (native VLAN mismatch across a trunk, and access VLAN
mismatch between switches connected via access ports). =)

Reply

Sammy says
June 28, 2020 at 11:35 am

Now I can have a good night's sleep. The best explanation on VLANs ever. 1000 thank-yous wouldn't be sufficient to
express my gratitude.

Reply

Ed Harmoush says
June 28, 2020 at 7:11 pm

Glad to help, Sammy. =)

Reply

chiranjib says
August 8, 2020 at 9:58 am

I really enjoyed your explanation, but the Comprehension Challenge is the best part, which cleared a lot of doubts on
VLANs.

Reply

John says
October 2, 2020 at 5:55 am

Wow! Very helpful indeed.

Reply

John says
October 2, 2020 at 5:56 am

Wow! Very helpful indeed! A great article.

Reply

Tanuja says
November 14, 2020 at 11:35 pm

Hi Ed,

Great explanation. I have gone through your other article on ARP, which cleared all my doubts. Again, your
explanations on VLANs cleared things up for me to some extent. As I know from your article, switches have only four functions:
filtering, learning, forwarding and flooding. So coming to the explanation of question 1: "Switch T receives the untagged
frame on an Access Port in VLAN #3. Switch T therefore considers the frame to be in VLAN #3. The port below Switch T
is a Trunk port, which means all traffic leaving the port must have a VLAN tag. Except for traffic on the Native VLAN,
which in this case is VLAN #7 – not the VLAN that our frame is on. Therefore, the frame leaves Switch T tagged for
VLAN #3." Here Switch T is tagging the packet with VLAN 3 and then it is leaving from the trunk port. But how come the switch
is doing tagging here? As per my knowledge, switches do not do tagging/untagging. And also I have a few more
questions below:

1. If we are considering best practices, and we are not disabling CDP/DTP and STP, is the below possible?

SWx——sending traffic of vlan3 through Trunk port———–SWy(access port with vlan 3 ), can SWy receive the traffic?

2. SWx——sending traffic of vlan3 through Trunk port———–SWy(access port with vlan 4 ), can SWy receive the traffic?

3. SWx—-receiving tagged frame of vlan 3 , can this traffic go out of access port of vlan 3 ?

Thank you so much in advance, hoping to hear from you soon.

Regards,
Tanuja

Reply

Ed Harmoush says
November 16, 2020 at 1:00 pm

The "tagging and untagging" functions of a switch are what is necessary to enable VLANs. The
Learn/Forward/Filter/Flood actions happen within each VLAN. Again, a VLAN simply breaks up one physical switch
into virtual/smaller mini-switches.

Regarding your second question (questions!) in each case the receiving switch will receive the traffic, but it’s up to
that Switch’s OS to decide what to do with it. If a Switch port is configured with an access port in VLAN 3 and
receives something tagged for VLAN 4, it often drops the tagged frame.

Reply

prashant says
November 19, 2020 at 12:28 am

The best explained article on this topic! Thank you!

Reply

Ed Harmoush says
November 21, 2020 at 6:56 pm

Glad you liked it, Prashant.

Reply

JH says
November 24, 2020 at 5:44 am

When you’ll ever try to understand VLAN and/or other network concepts right – go to Ed’s tutorials.
Really great and well explained – thanks very much!

Reply

Ed Harmoush says
December 18, 2020 at 9:57 am

Thanks, JH =). Glad you liked them!

Reply

WB says
December 14, 2020 at 12:04 pm

I have a question about the way you explained the answer to question 1.

One of your paragraphs says, “Switch T receives the untagged frame on an Access Port in VLAN #3. Switch T therefore
considers the frame to be in VLAN #3. The port below Switch T is a Trunk port, which means all traffic leaving the port
must have a VLAN tag. Except for traffic on the Native VLAN, which in this case is VLAN #7 – not the VLAN that our
frame is on. Therefore, the frame leaves Switch T tagged for VLAN #3.”


Please correct me if I'm wrong, but this is basically saying that because Switch T has received an untagged frame from
PC A it will now tag it as VLAN #3 because that's the native VLAN. And because the native VLAN is 7 for the
trunk port it has to go through, it will remain tagged as VLAN #3 as it leaves down to Switch X because it's not the
same native VLAN as VLAN #3?

But when it reaches Switch X it will now tag it as VLAN #4 because once it left VLAN #3 from Switch V it became
untagged, as it's an access port. But because Switch X has a native VLAN of 4 for both ports it will leave Switch X
untagged, and once it reaches Switch Y it will become VLAN #6 because that's its native VLAN port?

So I think what I'm trying to ask is: will a frame be left untagged if it leaves a port that has both ports as the same
native VLAN, and the other condition would be if it leaves a port that is an access port?

Reply

WB says
December 15, 2020 at 5:13 am

I also have a follow-up question for #2. So since it's a broadcast, every host tries to receive it, correct? Let's say
Switch X and Y for example. Switch X sends the broadcast to both H and G, but because G isn't in VLAN 4 it doesn't
get the broadcast, whereas H is in the native VLAN of 4 so it receives it. The tag gets dropped because it's an access
port?

Also Switch Y sends the broadcast to both I and J, but I is able to understand it because the tag is dropped since the
native VLAN is 6 for I. But for J it's sent tagged as 6 still, and hosts are not able to understand VLAN configurations so
it receives the frame but drops it?

Also for Switch X the broadcast doesn't get sent to G because it's not in the native VLAN, but why does J try to
receive it in Switch Y even though it's not in the native VLAN? Is it because it's a trunk port and not an access port?

Reply

Ed Harmoush says
December 18, 2020 at 10:25 am

Switches only facilitate communication. They do not participate in communication. Therefore, they would never
initiate/send Broadcasts.

You can put an IP address on a switch, and therefore that switch would now behave like a host. But remember
when assigning an IP address to a switch, you are doing so *within a specific VLAN*. SO, if you were on Switch X
and assigned an IP address using interface vlan 4, any broadcasts from Switch X would only exit out VLAN 4
ports (i.e., Host G would not get it).

In such a case, you may as well consider the switch’s IP address as another host in vlan 4, much like Host H.

Hope this helps.

(PS: Don’t confuse a Switch’s “flooding” behavior with a “broadcast”, those are two different things:
https://www.practicalnetworking.net/series/packet-traveling/host-to-host-through-a-switch/)

Reply

Ed Harmoush says
December 18, 2020 at 10:19 am

Your understanding is fundamentally correct.

I just want to clarify that an Access port is *always* untagged and always expected to receive traffic untagged.
Anything arriving on an access port is assigned to the access port VLAN — it seems you are referring to this as
“native vlan”, which isn’t typically how this is referred to, but doesn’t affect the overall outcome.

The native vlan is a concept which only applies to Trunk ports.

Reply

David says
January 30, 2021 at 6:33 pm

Thank you for this great article.

I do have a question about the line:

“Since Switch Y will never allow VLAN #33 traffic to exit a VLAN #22 port, Host C will never get this traffic.” in the
article vs. these lines in the Answer to Question 1:
“Switch V receives the tagged frame and reads the tag to determine the frame belongs to VLAN #3. Switch V then
forwards the frame untagged out the Access Port in VLAN #3 — all traffic leaving an Access port is untagged. Switch X
receives the untagged frame on an Access Port in VLAN #4.”

How did switch V ever accept VLAN#3 traffic on a VLAN#4 port?

Reply

David says
January 30, 2021 at 6:35 pm

Sorry, last line in the question was “How did switch X ever accept VLAN#3 traffic on a VLAN#4 port?”.

Reply

Ed Harmoush says
February 1, 2021 at 6:30 pm

Since it arrives untagged, Switch X has no knowledge of the frame being in VLAN #3. It simply accepts the
untagged frame and since the local switchport is configured as an access port in VLAN 4, it assumes the incoming
frame also belongs to VLAN 4.

Reply
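A small simulator of the port rules discussed in this exchange (an access port accepts and sends only untagged frames in its own VLAN; a trunk port places untagged frames in its native VLAN and tags every other VLAN). This is an added example, not code from the article; the Switch V / X / Y chain and its VLAN numbers are a constructed reading of the thread above.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

DROP = "drop"  # sentinel: the switch does not forward the frame

@dataclass
class Port:
    mode: str   # "access" or "trunk"
    vlan: int   # the access VLAN for an access port, the native VLAN for a trunk

def ingress(port: Port, wire_tag: Optional[int]):
    """VLAN the switch assigns to an arriving frame (wire_tag None = untagged)."""
    if port.mode == "access":
        # Access ports expect untagged frames and assign them to the access VLAN;
        # a tagged frame arriving here is a misconfiguration, so it is dropped.
        return port.vlan if wire_tag is None else DROP
    # Trunk: untagged frames land in the native VLAN, tagged frames keep their VLAN.
    return port.vlan if wire_tag is None else wire_tag

def egress(port: Port, vlan: int):
    """Tag on the wire as the frame leaves (None = untagged), or DROP."""
    if port.mode == "access":
        # An access port only ever carries its own VLAN, always untagged.
        return None if vlan == port.vlan else DROP
    # Trunk: the native VLAN leaves untagged, every other VLAN is tagged.
    return None if vlan == port.vlan else vlan

def trace(path: List[Tuple[Port, Port]], wire_tag: Optional[int]) -> List[Tuple]:
    """Walk one frame through (ingress_port, egress_port) pairs, one pair per switch;
    each entry is (VLAN assigned by that switch, tag on the wire after it)."""
    hops = []
    for in_port, out_port in path:
        vlan = ingress(in_port, wire_tag)
        if vlan == DROP:
            hops.append((DROP, None))
            break
        wire_tag = egress(out_port, vlan)
        hops.append((vlan, wire_tag))
        if wire_tag == DROP:
            break
    return hops

# Constructed chain matching the thread: Switch V, then Switch X, then Switch Y.
CHAIN = [
    (Port("trunk", 1), Port("access", 3)),   # V: tagged VLAN 3 in, leaves access port untagged
    (Port("access", 4), Port("trunk", 4)),   # X: untagged in -> VLAN 4, native VLAN 4 leaves untagged
    (Port("trunk", 6), Port("access", 6)),   # Y: untagged in -> native VLAN 6, out access VLAN 6
]

if __name__ == "__main__":
    print(trace(CHAIN, 3))   # [(3, None), (4, None), (6, None)]
```

The same function shows why a VLAN 33 frame never leaves a VLAN 22 access port: `trace([(Port("trunk", 1), Port("access", 22))], 33)` ends with a drop at egress.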

ali nezhad says
March 10, 2021 at 7:40 am

What a great tutorial! I have told my students to read this and watch the related video. I have rarely if ever seen a
concept explained so well.

Reply

Ed Harmoush says
March 13, 2021 at 1:29 pm

Thank you kindly, Ali. I appreciate the referrals.

Reply

Copyright © 2015–2021 Practical Networking .net · All Rights Reserved