What Is a VLAN? A Plain-English CCNA Explanation

WHAT IS A VLAN?_

A VLAN lets one physical switch act like several separate switches. Here's the mental model, why it matters for the CCNA, and the exact commands.

[ ▶ SHORT ANSWER ] A VLAN (Virtual LAN) is a logical grouping of switch ports into a separate broadcast domain. It lets a single physical switch behave like several independent switches: devices in VLAN 10 cannot reach devices in VLAN 20 at Layer 2, even if they plug into the same switch. VLANs are identified by a number from 1 to 4094 and are configured with the commands 'vlan ' and 'switchport access vlan '. To move traffic between VLANs you need a Layer 3 device (a router or a Layer 3 switch).

Imagine a 24-port switch. By default, every port is in the same VLAN (VLAN 1), so every device shares one big broadcast domain — a broadcast from any device reaches all the others. That works for a tiny network, but it doesn't scale: broadcasts pile up, and you can't separate, say, the accounting computers from the guest Wi-Fi.

A VLAN (Virtual Local Area Network) solves this by carving that one switch into multiple logical switches. Put ports 1–12 in VLAN 10 and ports 13–24 in VLAN 20, and you now have two independent broadcast domains on the same hardware. A device in VLAN 10 can't even see a device in VLAN 20 at Layer 2 — they behave as if they're plugged into two physically separate switches.

Why VLANs matter

VLANs give you three things the CCNA cares about: segmentation (smaller broadcast domains, less noise), security (separate sensitive traffic without buying more switches), and flexibility (group users by function, not by physical location).

Configuring a VLAN (Cisco IOS)

Create the VLAN, then assign access ports to it:

Switch(config)# vlan 10
Switch(config-vlan)# name SALES
Switch(config)# interface fa0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10

Verify with show vlan brief, which lists every VLAN and the ports assigned to it.

The catch: VLANs can't talk to each other by themselves

Because each VLAN is its own broadcast domain (and its own IP subnet), traffic between VLANs has to be routed by a Layer 3 device — a router (router-on-a-stick) or a Layer 3 switch with SVIs. That's a separate topic, and the #1 source of "why can't my VLANs ping each other?" confusion.

★ RELATED QUESTIONS

[ What is the default VLAN on a Cisco switch? ] VLAN 1. Every switch port belongs to VLAN 1 out of the box until you assign it elsewhere. Best practice is to move user traffic off VLAN 1 and avoid using it for management.

[ How many VLANs can a switch have? ] VLAN IDs range from 1 to 4094. IDs 1002–1005 are reserved for legacy Token Ring/FDDI, and the normal range used in practice is 1–1005, with 1006–4094 being the extended range.

[ Do two VLANs need different IP subnets? ] Yes. Each VLAN is a separate broadcast domain and should map to its own IP subnet. Putting two subnets in one VLAN, or one subnet across two VLANs, causes connectivity problems.

WHAT IS A VLAN?_

Why VLANs matter

Configuring a VLAN (Cisco IOS)

The catch: VLANs can't talk to each other by themselves

★ RELATED QUESTIONS

★ READ NEXT