VLAN Visualizer - Interactive Learning Tool

The Big Picture

VLANs (Virtual Local Area Networks) let you logically separate network traffic without buying separate switches for each department. Think of it as creating invisible walls inside your network.

One physical switch can act like multiple separate switches - Sales traffic stays with Sales, Engineering stays with Engineering, and Guests are isolated from everyone!

The Problem: Broadcast Chaos

Imagine an office with 500 computers all on the same network. Every time one computer sends a broadcast (like "Who has this IP?" or "I'm looking for a printer!"), ALL 500 computers receive it.

Network becomes slow from constant broadcast traffic
Security nightmare - anyone can see everyone's traffic
Accounting can sniff Engineering's data packets
Guest WiFi users can scan your entire network

The Solution: VLANs Create Boundaries

With VLANs, you create separate broadcast domains. A broadcast from VLAN 10 (Sales) stays in VLAN 10 - it never reaches VLAN 20 (Engineering).

"Think of VLANs like separate radio frequencies. Sales is on FM 101.1, Engineering is on FM 102.3. They can't hear each other even though they're using the same radio tower (switch)!"

Now if someone in Sales sends a broadcast, only the 50 Sales computers receive it - not all 500 computers. 90% less broadcast traffic!

Why Use VLANs?

Benefit	How It Helps
Security	Isolate sensitive traffic (payroll, HR, servers)
Performance	Smaller broadcast domains = less noise
Cost Savings	One switch does the work of many
Flexibility	Move users by changing port config, not cables
Organization	Group by function, not physical location

VLAN Quick Facts

Property	Value
Standard	IEEE 802.1Q
VLAN Range	1-4094 (0 and 4095 reserved)
Normal Range	1-1005 (stored in vlan.dat)
Extended Range	1006-4094 (requires VTP transparent)
Default VLAN	VLAN 1 (cannot delete)
Tag Size	4 bytes added to frame

Want More Detail?

What's in a VLAN Tag?

▼

The 802.1Q tag adds 4 bytes to each Ethernet frame:

TPID (2 bytes): Tag Protocol ID = 0x8100 (identifies tagged frame)
PCP (3 bits): Priority Code Point (QoS - 0-7)
DEI (1 bit): Drop Eligible Indicator
VID (12 bits): VLAN ID (0-4095)

12 bits for VLAN ID = 4096 possible VLANs (2^12)

What's a Native VLAN?

▼

Native VLAN = the VLAN that carries untagged traffic on a trunk.

Default is VLAN 1
Frames in native VLAN are NOT tagged on trunk
Both ends of trunk MUST have same native VLAN
Security tip: Change from VLAN 1 to unused VLAN

Switch(config-if)# switchport trunk native vlan 999

Basic VLAN Commands

▼

Create a VLAN:

Switch(config)# vlan 10
Switch(config-vlan)# name Sales

Assign port to VLAN:

Switch(config)# interface fa0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10

Create trunk:

Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk allowed vlan 10,20,30

Verify:

Switch# show vlan brief
Switch# show interfaces trunk

Common VLAN Mistakes

▼

Native VLAN mismatch - Both trunk ends need same native VLAN
Forgetting to create VLAN - Port assigned to non-existent VLAN won't forward
Using VLAN 1 - Don't use for user data (security)
No inter-VLAN routing - VLANs can't talk without Layer 3
Trunk pruning disabled - All VLANs flood all trunks

Ready to see tagging in action? Try the interactive tabs above! →

Watch how frames get tagged and untagged as they travel through the network!

Send a Frame

From which VLAN?

Current Frame Structure

Dest MAC
6 bytes

Src MAC
6 bytes

Type
2 bytes

Data
46-1500

FCS
4 bytes

Untagged frame at source PC

How Tagging Works

1. PC sends untagged frame → Access port

2. Switch adds 802.1Q tag → Frame enters trunk

3. Frame travels tagged → Between switches

4. Switch removes tag → Before delivery to PC

802.1Q Tag Structure

▼

The 4-byte tag is inserted after Source MAC:

TPID: 0x8100 (identifies 802.1Q)
PCP: QoS priority (0-7)
DEI: Drop eligibility
VID: VLAN ID (1-4094)

Click on switches or devices to see their port configurations!

Port Types

Access Single VLAN, end devices

Trunk Multiple VLANs, switch-to-switch

VLANs

VLAN 10 - Sales

VLAN 20 - Engineering

VLAN 30 - Guest

Click a switch or device to view
its port configuration

VLANs are isolated! Select a routing method to see how traffic flows between VLANs.

Routing Method

Test Traffic

From:

To:

No Inter-VLAN Routing

VLANs are isolated at Layer 2

Current: No Routing

Without Layer 3 routing, VLANs cannot communicate. Each VLAN is a separate broadcast domain.

VLAN Visualizer - Virtual LANs