A LAN is defined as a single broadcast domain, including all devices within that broadcast domain. This is more specific than simply saying it's a group of devices in a single location.
A broadcast domain is the group of devices that will receive a broadcast frame sent by any one of its members. When a device sends a frame with the destination MAC address FFFF.FFFF.FFFF, all devices in that broadcast domain will receive it.
Routers do not forward broadcast frames, which means routers separate broadcast domains. Each router interface creates a boundary for a broadcast domain.
A switch floods a broadcast frame out all interfaces except the one it was received on. This means switches do not separate broadcast domains by default.
VLANs are used to logically separate end hosts at Layer 2, creating multiple broadcast domains on a single switch. This eliminates the need to purchase separate physical switches for each department or group.
VLANs are configured on switch interfaces, not on the end hosts themselves. The end host connected to a switch interface becomes part of whatever VLAN that interface is assigned to.
Switches will not forward traffic between VLANs, including broadcast and unknown unicast traffic. Traffic must pass through a router to travel between VLANs, which is called inter-VLAN routing.
An access port is a switchport that belongs to a single VLAN and typically connects to end hosts like PCs. Access ports give end hosts access to the network.
| Topic | Key Information |
| --- | --- |
| Default VLAN | All switch interfaces are in VLAN 1 by default |
| Default VLANs | VLANs 1, 1002, 1003, 1004, 1005 exist by default and cannot be deleted |
| Legacy VLANs | VLANs 1002-1005 are for FDDI and Token Ring (not needed for CCNA) |
| VLAN Creation | VLANs are automatically created when you assign an interface to a non-existent VLAN |
| VLAN Purpose | Improves network performance AND security |
| Layer of Operation | VLANs operate at Layer 2 |
| Term | Definition |
| --- | --- |
| LAN | A single broadcast domain, including all devices in that broadcast domain |
| Broadcast Domain | The group of devices which will receive a broadcast frame (destination MAC FFFF.FFFF.FFFF) sent by any member |
| VLAN | Virtual LAN - A method to logically divide a Layer 2 broadcast domain into multiple separate broadcast domains |
| Access Port | A switchport belonging to a single VLAN, typically connecting to end hosts |
| Trunk Port | A switchport that carries traffic for multiple VLANs |
| Inter-VLAN Routing | The process of forwarding traffic between VLANs using a router |
| Broadcast Frame | A frame with destination MAC address FFFF.FFFF.FFFF |
| Number/Value | Significance |
| --- | --- |
| FFFF.FFFF.FFFF | Broadcast MAC address |
| VLAN 1 | Default VLAN (all interfaces assigned here by default) |
| VLANs 1002-1005 | Reserved for FDDI/Token Ring, cannot be deleted |
| 5 VLANs | Number of default VLANs on a Cisco switch |
Forgetting that switches are Layer 2 devices - Switches don't look at IP addresses; they only see MAC addresses. Even if you configure different subnets, the switch doesn't know or care.
Confusing subnet separation with VLAN separation - Putting devices in different subnets does NOT prevent Layer 2 broadcast flooding. You need VLANs for Layer 2 separation.
Forgetting default VLANs - When asked how many VLANs exist after creating X VLANs, remember to add the 5 default VLANs (1, 1002, 1003, 1004, 1005).
Router interface counting for broadcast domains - Each router interface is part of a separate broadcast domain. A point-to-point link between two routers is still a broadcast domain.
Thinking switches forward between VLANs - Switches NEVER forward traffic directly between VLANs. A router is required.
Forgetting VLAN auto-creation - Assigning an interface to a non-existent VLAN creates that VLAN automatically.
"Routers Route, Switches Switch (within VLAN)" - Routers separate broadcast domains; switches extend them unless VLANs are configured.
"5 + X = Total VLANs" - 5 default VLANs plus any you create equals total VLANs.
"All Fs = All Friends" - FFFF.FFFF.FFFF goes to all devices (broadcast).
"Layer 2 = VLAN, Layer 3 = Subnet" - VLANs separate at Layer 2, subnets at Layer 3. You need BOTH for proper segmentation.
"Access = One, Trunk = Many" - Access ports carry one VLAN, trunk ports carry multiple.
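The subnet-versus-VLAN point above, as a small model (an added example, not part of the original notes and not Cisco code). The ModelSwitch class, the host MACs and the IP addresses are constructed for illustration; the model forwards on MAC address and port VLAN only, so the two subnets have no effect until the ports are moved into separate VLANs.

```python
BROADCAST = "ffff.ffff.ffff"
DEFAULT_VLANS = {1, 1002, 1003, 1004, 1005}  # default VLANs listed in these notes

# Constructed sample hosts: port -> (MAC, IP). The IPs span two subnets, but
# the model switch never reads them; they are only labels for the reader.
HOSTS = {
    "g1/0": ("0000.0000.0001", "192.168.1.10"),
    "g1/1": ("0000.0000.0002", "192.168.1.11"),
    "g1/2": ("0000.0000.0003", "192.168.2.10"),
    "g1/3": ("0000.0000.0004", "192.168.2.11"),
}


class ModelSwitch:
    """Toy Layer 2 switch: forwards on MAC address and port VLAN only."""

    def __init__(self, ports):
        self.vlans = set(DEFAULT_VLANS)
        self.port_vlan = {p: 1 for p in ports}  # every port starts in VLAN 1
        self.mac_table = {}                     # (vlan, mac) -> port

    def access_vlan(self, port, vlan):
        """Model of 'switchport access vlan N': a missing VLAN is created."""
        self.vlans.add(vlan)
        self.port_vlan[port] = vlan
        self.mac_table = {k: p for k, p in self.mac_table.items() if p != port}

    def receive(self, ingress, src_mac, dst_mac):
        """Return the sorted list of ports the frame is sent out of."""
        vlan = self.port_vlan[ingress]
        self.mac_table[(vlan, src_mac)] = ingress       # learn per VLAN
        known = self.mac_table.get((vlan, dst_mac))
        if dst_mac != BROADCAST and known is not None:
            return [] if known == ingress else [known]  # known unicast
        # Broadcast or unknown unicast: flood inside the VLAN, minus ingress.
        return sorted(p for p, v in self.port_vlan.items()
                      if v == vlan and p != ingress)


def demo():
    sw = ModelSwitch(HOSTS)
    pc1 = HOSTS["g1/0"][0]
    flat = sw.receive("g1/0", pc1, BROADCAST)       # subnets only, one VLAN
    for port, vlan in (("g1/0", 10), ("g1/1", 10), ("g1/2", 20), ("g1/3", 20)):
        sw.access_vlan(port, vlan)
    split = sw.receive("g1/0", pc1, BROADCAST)      # VLAN 10 broadcast
    unknown = sw.receive("g1/0", pc1, HOSTS["g1/2"][0])  # dst is in VLAN 20
    return flat, split, unknown, len(sw.vlans)
```

demo() returns the egress ports for a broadcast before VLANs are assigned, the same broadcast afterwards, an unknown unicast addressed to a host in the other VLAN, and the total VLAN count (5 default plus the 2 created).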
Scenario: A network has 2 routers connected to each other, each router has 2 switches connected, no VLANs configured.
Calculation:
Router 1 to Switch 1 = 1 broadcast domain
Router 1 to Switch 2 = 1 broadcast domain
Router 1 to Router 2 = 1 broadcast domain
Router 2 to Switch 3 = 1 broadcast domain
Router 2 to Switch 4 = 1 broadcast domain
Total = 5 broadcast domains
Scenario: Configure interfaces G1/0-G1/3 for Engineering (VLAN 10)
SW1(config)# interface range g1/0 - 3
SW1(config-if-range)# switchport mode access
SW1(config-if-range)# switchport access vlan 10
| Command | Purpose |
| --- | --- |
| show vlan brief | Display VLANs and their assigned interfaces |
| interface range [type][range] | Configure multiple interfaces at once |
| switchport mode access | Set interface as access port |
| switchport access vlan [number] | Assign interface to specific VLAN |
| vlan [number] | Enter VLAN configuration mode (creates VLAN if it doesn't exist) |
| name [name] | Assign a name to the VLAN |
Method 1: Delete a Specific VLAN (Recommended for single VLANs)
Switch> enable
Switch# configure terminal
Switch(config)# no vlan <vlan_id>
Switch(config)# exit
Switch# write memory (or copy running-config startup-config)
Example: no vlan 10 to remove VLAN 10.
Method 2: Delete All VLANs (Factory Reset for VLANs)
Switch# delete flash:vlan.dat
Delete filename [vlan.dat]? (Press Enter to confirm)
Delete flash:/vlan.dat? [confirm] (Press Enter to confirm)
Switch# reload
Note: This command deletes the vlan.dat file, which stores all VLAN info, effectively removing all configured VLANs and port assignments, requiring a reload.
What is a broadcast domain?
The group of devices which will receive a broadcast frame (destination MAC FFFF.FFFF.FFFF) sent by any one of its members.
What is the broadcast MAC address?
FFFF.FFFF.FFFF
What does a switch do when it receives a broadcast frame?
It floods the frame out all interfaces EXCEPT the interface it was received on.
What does a router do when it receives a broadcast frame?
It does NOT forward it. The router receives the frame but doesn't send it to other networks.
What is a VLAN?
Virtual LAN - A method to logically divide a Layer 2 broadcast domain into multiple separate broadcast domains on a single switch.
What are the two main purposes of VLANs?
1) Improve network performance (reduce unnecessary broadcast traffic)
2) Improve network security (limit who receives broadcast/unknown unicast traffic)
How are VLANs assigned to end hosts?
VLANs are configured on switch interfaces. The end host connected to that interface becomes part of that VLAN.
What is the default VLAN on Cisco switches?
VLAN 1 - All interfaces are assigned to VLAN 1 by default.
Which VLANs exist by default on a Cisco switch and cannot be deleted?
VLAN 1, 1002, 1003, 1004, and 1005 (5 VLANs total)
What are VLANs 1002-1005 used for?
FDDI and Token Ring (legacy technologies, not needed for CCNA)
What is an access port?
A switchport that belongs to a single VLAN and usually connects to end hosts like PCs.
What is a trunk port?
A switchport that carries traffic for multiple VLANs.
What happens if you assign a switch interface to a VLAN that doesn't exist?
The switch automatically creates the VLAN.
What is inter-VLAN routing?
The process of routing traffic between different VLANs using a router (switches cannot forward traffic directly between VLANs).
Will a switch forward traffic directly between hosts in different VLANs?
No, NEVER. Traffic must go through a router for inter-VLAN routing.
What command displays VLANs and their assigned interfaces on a Cisco switch?
show vlan brief
What command sets a switch interface as an access port?
switchport mode access
What command assigns a switch interface to VLAN 10?
switchport access vlan 10
What command enters VLAN configuration mode for VLAN 10?
vlan 10
What command assigns the name "ENGINEERING" to a VLAN (while in VLAN config mode)?
name ENGINEERING
How do you configure multiple interfaces at once?
Use the interface range command. Example: interface range g1/0 - 3
If you create VLANs 10, 20, and 30 on a switch, how many total VLANs will show in show vlan brief?
8 VLANs (5 default + 3 created)
Why doesn't separating hosts into different subnets prevent broadcast flooding?
Because switches are Layer 2 devices - they only look at MAC addresses, not IP addresses. Subnets are Layer 3.
At what layer do VLANs operate?
Layer 2 (Data Link Layer)
If PC1 in VLAN 10 sends a broadcast, which devices receive it?
Only devices in VLAN 10 (the switch floods the broadcast only to interfaces in the same VLAN).
In a network with one router connected to one switch (no VLANs), how many broadcast domains exist?
1 broadcast domain (all devices connected to the switch plus the router's interface)
A point-to-point connection between two routers - is this a broadcast domain?
Yes, even a point-to-point connection with only two devices is technically a broadcast domain.
Why is it recommended to explicitly configure switchport mode access even though access mode is the default for end host connections?
It's best practice to explicitly configure settings rather than rely on autonegotiation of port type.
What message appears when assigning an interface to a non-existent VLAN?
"% Access VLAN does not exist. Creating vlan [number]."
How do VLANs improve network security?
By limiting broadcast and unknown unicast traffic to only devices within the same VLAN, preventing unauthorized devices from receiving sensitive network traffic.