So, we’ve covered LANs by now. Guess what’s next? Virtual Local Area Networks! But Nobody calls them like that. Rather, everybody just calls it a VLAN. Let’s get right to it then.

A VLAN is basically a LAN within your already existing LAN, from a logical point of view. Communication within your VLAN will operate in the same manner that it will within your physical LAN. Meaning that layer 2 traffic will not move beyond the border of the VLAN. One powerful thing about VLANs is that they are logical connections instead of physical connections. You can span VLANs over multiple switches and therefore you are not limited to a single networking device.

Often, you will find network designs that will segment the LAN into multiple VLANs. One reason for this might be that the finance department should be separated from other departments. Another reason would be to decrease the size of a broadcast domain by using a different VLAN for each office floor. Whatever the reason might be, you are very flexible in the use of VLANs.

Types of VLANs

There are two main types of protocols when it comes to using VLANs. These are the standardized IEEE 802.1q protocol, and the Cisco proprietary ISL protocol. The ISL protocol is deprecated, meaning that Cisco will not implement the protocol in future devices anymore. There are already switch series out which do not support the use of ISL anymore. Later on I will still explain the usage of ISL, just for references sake.


The IEEE 802.1q is actually the only protocol used today to create VLANs. Let’s recall how a standard ethernet frame looks:

ethernet frame (1)

When you define a VLAN on an Ethernet port , the Ethernet frames generated by the switch will be a bit different. The switch will put a new 4 byte field between the source MAC address and the Ethertype field. The new field will among other information, contain the following information:

Tag Protocol Identifier (TPID): This field is used to identify the Ethernet frame as being a IEEE 802.1q-tagged frame.
VLAN ID (VID): The field will contain the actual VLAN the frame will belong to. This is comprised from a 12 bit hexadecimal value, allowing up to 4094 different VLAN ID’s to be used.

The Frame Check Sequence will also have to be updated, because otherwise the receiver will find the frame to be invalid, when it computates the FCS with the Cyclic Redundancy Check. Below you will find the changed Ethernet frame when you define the use of a VLAN on an Ethernet port using 802.1q:

ethernet frame vlan tag(1)


As mentioned, ISL is now a deprecated protocol. This is mainly because of the way it works. The IEEE 802.1q standard is far more superior to the ISL protocol. Instead of inserting a new field in the Ethernet Frame, the ISL protocol encapsulates the entire Ethernet Frame by adding a new ISL header and trailer. The Ethernet Frame remains unchanged. The header will contain among other things the VLAN ID, and the trailer will contain a new FCS. It will look like this:

ISL Frame (1)

The header is 26 bytes and the trailer is 4 bytes, adding a total of 30 bytes to an Ethernet frame. If you compare this to the 802.1q VLAN field, it is a lot larger. This will result in a lot more overhead, meaning that more packets need to be sent by a switch in comparison to the 802.1q VLAN field of only 4 bytes, which will add to the total amount of time to send data. Furthermore, ISL is Cisco proprietary, meaning that other switch vendors cannot use it publicly, whereas 802.1q is the industry standard and available to all vendors.

How VLANs work over the network

I will now give you some examples on how to work with VLANs, and what they can do for you. Consider this Layer 2 network, without any routers:


In this topology, the computers within VLAN 100 can communicate with each other, while they cannot communicate with the computers in VLAN 200, and vice versa. This is because virtual LANs work exactly like a standard LAN. Broadcast messages like an ARP frame, will not reach VLAN 200, when it is sent by a device in VLAN 100. There are quite a few things to consider about the way VLANs work, which I will explain below.

To tag or not to tag

Standard computers, laptops and other devices which can connect the the LAN network, are not aware of VLANs. The addition of the VLAN field will happen when the frame arrives at the switch. If a frame with a VLAN field arrives at a standard computer, it will simply drop the packet and do nothing else with it.

You configure a VLAN at the port of the switch. If we take a Cisco switch, it can be done with the following configuration:

interface Ethernet0/0
 switchport access vlan 100
 switchport mode access

Frames sent on the wire by the computer, will only have the VLAN field when it arrives and is processed by the switch. Frames that are sent back to the computer by the switch, will be stripped of the VLAN field before it is sent. In Cisco jargon, this is called an access port. In the above configuration we see that I configured the port to be an access port. In addition to this, I’ve stated that it should belong to VLAN 100.

It is important to remember the underlying way this works, because other vendors might not call it an access port. For example, ports defined on Nortel/Avaya equipment, will use terms like untagAll and tagAll. In this case, since a computer will drop frames with the VLAN field in it, the port should be configured as untagAll in VLAN 100.

I’ve segmented the layer 2 topology in two separate VLANs, but it has a shared link between the switches. It should be possible for computers in VLAN 100 on the left side, to reach the computers on the right side in VLAN 100 and vice versa for computers in VLAN 200. Can you guess what needs to be done?

When the left switch receives a frame that is destined for a computer on the right side, it will forward the frame to the right switch, but it will keep the VLAN field, to keep the traffic of VLAN 100 and VLAN 200 separated. Of course, other switches will not drop frames when it sees the added VLAN field, but it has to be configured to handle it correctly. This next configuration defines the port configuration between the two switches:

interface Ethernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk

You’ll see that the port is now configured as a trunk port, instead of an access port. This is also Cisco terminology, which basically stands for a port which will not remove the VLAN field of an Ethernet frame. You can kinda relate this to the trunk of a car, where you most probably will have different stuff lying around, which go along with you when you travel. In Nortel/Avaya terminology, this is called a tagAll port. With Cisco switches, you have to define the type of encapsulation that is used for working with VLANs. dot1q is short for the IEEE 802.1q standard. You might also be able to choose ISL, if you have an older Cisco switch.

Native VLAN

In your quest to understand how VLANs work, you’ll most probably stumble across the term Native VLAN. Therefore I’ll explain a bit about what it is and why you would use it.

A native VLAN is the concept of carrying untagged frames from a specific VLAN across a trunk link, when all other VLANs are tagged. This feature was added in 802.1q to be backwards compatible with devices which did not have the ability to tag VLANs, in a topology where devices used a shared medium to traverse the network. Think in terms of a Bus Topology here, where devices basically use the same cable to reach the switch.

When you want to use this on a Cisco switch, the configuration will look as follows:

interface Ethernet0/2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 300
 switchport mode trunk

In Nortel/Avaya equipment, you will add the option untagPvidOnly to the port and define the default VLAN, which is called the PVID.

That’s it for now! I hope you had fun and learned something. See you in the next post!