VLAN vs Subnet — What's the Difference and When to Use Each
Understand the key differences between VLANs and subnets. Learn how they work, when to use each, and how they work together in real network designs. Practical examples included.
Why Network Segmentation Matters
A flat network where every device lives in one big broadcast domain is a recipe for trouble. Every ARP request, every DHCP discover, every broadcast packet hits every single device. Performance degrades, security is nonexistent, and troubleshooting becomes a nightmare.
Network segmentation solves three critical problems:
- Security — Isolate sensitive systems (servers, management interfaces, IoT devices) so a compromised device can't reach everything
- Performance — Smaller broadcast domains mean less noise and faster communication
- Management — Organize devices logically, apply policies per group, simplify troubleshooting
Two technologies handle segmentation: subnets and VLANs. They work at different layers of the OSI model, solve different problems, and in practice you almost always use them together. This post breaks down exactly how each works, how they differ, and when to use which.
What Is a Subnet?
A subnet (short for subnetwork) is a Layer 3 (network layer) concept. It divides a larger IP address space into smaller, logical networks. Routers use subnets to determine where to forward packets.
How Subnetting Works
Every IP address has two parts: a network portion and a host portion. The subnet mask determines where one ends and the other begins.
```
IP Address:    192.168.1.100
Subnet Mask:   255.255.255.0 (/24 in CIDR notation)
Network part:  192.168.1.0 (first 24 bits)
Host part:     .100 (last 8 bits)
Usable hosts:  192.168.1.1 — 192.168.1.254 (254 hosts)
```
Two devices on different subnets cannot talk directly — they need a router to forward traffic between them.
```
Subnet A: 192.168.1.0/24 (192.168.1.1 — 192.168.1.254)
Subnet B: 192.168.2.0/24 (192.168.2.1 — 192.168.2.254)

Device 192.168.1.50 wants to reach 192.168.2.50
  → Packet goes to default gateway (router)
  → Router forwards to Subnet B
```
A Quick CIDR Example
Say you have the network 10.0.0.0/16 and need four separate subnets. You borrow 2 bits from the host portion:
```
10.0.0.0/18   → 10.0.0.1   — 10.0.63.254  (16,382 hosts)
10.0.64.0/18  → 10.0.64.1  — 10.0.127.254 (16,382 hosts)
10.0.128.0/18 → 10.0.128.1 — 10.0.191.254 (16,382 hosts)
10.0.192.0/18 → 10.0.192.1 — 10.0.255.254 (16,382 hosts)
```
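The arithmetic behind the two examples above, carried out with Python's standard ipaddress module. This is an added example, not code from the original post; the function names (`describe`, `same_subnet`, `split`) are this example's own. It reproduces the /24 breakdown and the /16 into four /18 split, adds the "same subnet or needs a router" test from the Subnet A / Subnet B scenario, and handles the /31 point-to-point case where no network or broadcast address is reserved.

```python
# Added example (not from the original post): subnet arithmetic with Python's
# standard-library ipaddress module. Values below are the ones used in the post.
import ipaddress


def describe(ip_with_prefix: str) -> dict:
    """Split 'address/prefix' into its network part, host part and usable range."""
    iface = ipaddress.ip_interface(ip_with_prefix)
    net = iface.network
    if net.prefixlen >= net.max_prefixlen - 1:
        # /31 (RFC 3021 point-to-point links) and /32 reserve no network or
        # broadcast address, so every address in the block is usable.
        first, last, usable = net.network_address, net.broadcast_address, net.num_addresses
    else:
        first, last, usable = net.network_address + 1, net.broadcast_address - 1, net.num_addresses - 2
    return {
        "cidr": str(net),
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "prefixlen": net.prefixlen,
        "host_bits": net.max_prefixlen - net.prefixlen,
        # host part = the address with the network bits removed (.100 -> 100)
        "host_part": int(iface.ip) - int(net.network_address),
        "first_host": str(first),
        "last_host": str(last),
        "usable_hosts": usable,
    }


def same_subnet(ip_a: str, ip_b: str, prefixlen: int) -> bool:
    """True when both hosts share a network and can talk directly at Layer 2;
    False means the packet must go to the default gateway (a router)."""
    net_a = ipaddress.ip_network(f"{ip_a}/{prefixlen}", strict=False)
    net_b = ipaddress.ip_network(f"{ip_b}/{prefixlen}", strict=False)
    return net_a == net_b


def split(block: str, new_prefix: int) -> list:
    """Carve a block into equal subnets by borrowing host bits:
    10.0.0.0/16 with new_prefix=18 borrows 2 bits and yields four /18s."""
    parent = ipaddress.ip_network(block)
    if new_prefix <= parent.prefixlen:
        raise ValueError("new prefix must be longer than the parent's prefix")
    return [describe(str(sub)) for sub in parent.subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    print(describe("192.168.1.100/24"))
    print("direct L2 reachability:", same_subnet("192.168.1.50", "192.168.2.50", 24))
    for s in split("10.0.0.0/16", 18):
        print(f"{s['cidr']:>14} -> {s['first_host']} - {s['last_host']} ({s['usable_hosts']} hosts)")
```

`ip_network(..., strict=False)` is what lets a host address such as 192.168.1.50/24 be collapsed to its network; with the default `strict=True` the call would raise because host bits are set.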
Why We Subnet
- Reduce broadcast domains — Broadcasts stay within the subnet instead of flooding the entire network
- Organize IP allocation — Give each department, floor, or site its own address range
- Enable routing efficiency — Routers make forwarding decisions based on subnet boundaries
- Meet compliance requirements — PCI-DSS, HIPAA, and other standards require network segmentation
Already comfortable with subnetting? Check out our deep dive on Subnetting, CIDR & VLSM for advanced techniques.
What Is a VLAN?
A VLAN (Virtual Local Area Network) is a Layer 2 (data link layer) concept. It logically groups switch ports into separate broadcast domains, regardless of physical location.
Without VLANs, every port on a switch belongs to the same broadcast domain. A broadcast frame from port 1 reaches every other port. With VLANs, you can split a single physical switch into multiple virtual switches.
How VLANs Work
You assign each switch port to a VLAN. Ports in VLAN 10 can only communicate at Layer 2 with other ports in VLAN 10. Traffic from VLAN 10 never reaches VLAN 20 — the switch enforces the boundary.
```
48-Port Switch
├── Ports 1-16:  VLAN 10 (Sales)
├── Ports 17-32: VLAN 20 (Engineering)
└── Ports 33-48: VLAN 30 (Management)
```
A device on port 5 (VLAN 10) can talk directly to a device on port 12 (VLAN 10). But it cannot reach a device on port 20 (VLAN 20) without a router — even though they are plugged into the same physical switch.
802.1Q Tagging
When VLAN traffic needs to travel between switches, frames are tagged with the VLAN ID using the IEEE 802.1Q standard. The tag is a 4-byte field inserted into the Ethernet frame header:
```
Normal Ethernet Frame:
[Dest MAC | Src MAC | EtherType | Payload | FCS]

802.1Q Tagged Frame:
[Dest MAC | Src MAC | 0x8100 | VLAN Tag | EtherType | Payload | FCS]
                      ^^^^^^   ^^^^^^^^
                      TPID     12-bit VLAN ID (1-4094)
```
This allows a single physical link between two switches to carry traffic for multiple VLANs.
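What the tag looks like on the wire, as an added example that is not part of the original post. It builds an Ethernet frame with and without the 4-byte 802.1Q tag using only the standard `struct` module, decodes the tag back out (the TPID 0x8100 followed by the 16-bit TCI, whose low 12 bits are the VLAN ID), and strips it the way an access port does before handing a frame to an end device. The MAC addresses and the ARP stub payload are constructed for the demo and stand for no real device; the FCS is omitted because the NIC computes it.

```python
# Added example (not from the original post): building and decoding an
# IEEE 802.1Q tag with the standard struct module. Frames here carry no FCS.
import struct

TPID_8021Q = 0x8100          # Tag Protocol Identifier that marks a tagged frame
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def mac_to_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan_id=None, pcp: int = 0, dei: int = 0) -> bytes:
    """Assemble an Ethernet frame; when vlan_id is given, insert the 4-byte
    802.1Q tag (TPID + TCI) between the source MAC and the EtherType."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    frame = dst + src
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be 1-4094 (0 and 4095 are reserved)")
        if not 0 <= pcp <= 7 or dei not in (0, 1):
            raise ValueError("PCP is 3 bits, DEI is 1 bit")
        tci = (pcp << 13) | (dei << 12) | vlan_id   # Tag Control Information
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Decode the header. 'vlan_id' is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    info = {"dst": mac_to_str(frame[:6]), "src": mac_to_str(frame[6:12]),
            "vlan_id": None, "pcp": None, "dei": None}
    # Bytes 12-13 are either the EtherType or, for a tagged frame, the TPID.
    (tpid_or_type,) = struct.unpack_from("!H", frame, 12)
    if tpid_or_type == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        info.update(vlan_id=tci & 0x0FFF, pcp=tci >> 13, dei=(tci >> 12) & 1)
        payload_start = 18
    else:
        ethertype = tpid_or_type
        payload_start = 14
    info["ethertype"] = ethertype
    info["payload"] = frame[payload_start:]
    return info


def strip_tag(frame: bytes) -> bytes:
    """What an access port does on egress: remove the tag so the end device
    receives a normal frame and never learns which VLAN it is in."""
    if parse_frame(frame)["vlan_id"] is None:
        return frame
    return frame[:12] + frame[16:]


# Constructed sample addresses and payload for the demo (no real devices).
DST = bytes.fromhex("ffffffffffff")              # broadcast
SRC = bytes.fromhex("020000000a05")              # locally administered, made up
ARP_STUB = bytes.fromhex("0001080006040001")     # first bytes of an ARP request


def demo():
    tagged = build_frame(DST, SRC, ETHERTYPE_ARP, ARP_STUB, vlan_id=10)
    untagged = build_frame(DST, SRC, ETHERTYPE_ARP, ARP_STUB)
    return tagged, untagged, parse_frame(tagged), strip_tag(tagged) == untagged


if __name__ == "__main__":
    tagged, untagged, info, stripped_ok = demo()
    print("tagged header bytes 12-17:", tagged[12:18].hex())   # 8100 000a 0806
    print("decoded:", info)
    print("strip_tag restores the untagged frame:", stripped_ok)
```

The `tci & 0x0FFF` mask is the whole reason VLAN IDs stop at 4094: the field is 12 bits, 0 means "priority-tagged, no VLAN" and 4095 is reserved, which is why `build_frame` rejects both.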
Access Ports vs Trunk Ports
| Port Type | Purpose | Tagging |
|-----------|---------|---------|
| Access port | Connects to end devices (PCs, printers, phones) | Untagged — the switch strips the VLAN tag before forwarding to the device |
| Trunk port | Connects switches to switches, or switches to routers | Tagged — carries multiple VLANs over a single link using 802.1Q |
An end device typically has no idea what VLAN it's on. The switch handles the tagging transparently.
Why We Use VLANs
- Security isolation — Devices in different VLANs cannot communicate without passing through a router or firewall where you can apply ACLs
- Reduce broadcast storms — A broadcast in VLAN 10 stays in VLAN 10 and does not flood VLAN 20
- Flexible grouping — Move a user to a different department by changing their port's VLAN assignment, no physical cable moves required
- Span across switches — VLAN 10 can exist on Switch A and Switch B, connected by a trunk link
Key Differences — Comparison Table
| Feature | Subnet | VLAN |
|---------|--------|------|
| OSI Layer | Layer 3 (Network) | Layer 2 (Data Link) |
| What it segments | IP address space | Switch ports / broadcast domains |
| Configured on | Routers, L3 switches, host NICs | Switches |
| Identifier | Network address + subnet mask | VLAN ID (1–4094) |
| Protocol | IP (IPv4/IPv6) | IEEE 802.1Q |
| Scope | Can span routers across WAN links | Typically local to a switch or campus |
| Devices affected | Any IP-speaking device | Only devices on VLAN-capable switches |
| Communication across boundaries | Router forwards between subnets | Router required for inter-VLAN routing |
| Primary purpose | Logical IP organization and routing | Layer 2 traffic isolation |
| Cloud environments | Heavily used (VPCs, CIDR blocks) | Rarely used (cloud abstracts L2) |
The short version: Subnets divide IP address space. VLANs divide switch ports. Subnets are about routing. VLANs are about switching.
How VLANs and Subnets Work Together
In practice, you almost never use one without the other. The best practice is simple:
One VLAN = One Subnet
Each VLAN gets its own IP subnet. Devices within a VLAN share a subnet and communicate at Layer 2. Devices in different VLANs are on different subnets and require a router to communicate.
Example Network Design
```
┌─────────────────────────┐
│   L3 Switch / Router    │
│                         │
│  VLAN 10: 192.168.10.1  │
│  VLAN 20: 192.168.20.1  │
│  VLAN 30: 192.168.30.1  │
└──────┬───────────┬──────┘
       │           │
  Trunk│      Trunk│
       │           │
┌──────┴──────┐ ┌──┴───────────┐
│  Switch A   │ │  Switch B    │
│             │ │              │
│ P1-8:   V10 │ │ P1-8:   V10  │
│ P9-16:  V20 │ │ P9-16:  V20  │
│ P17-24: V30 │ │ P17-24: V30  │
└─────────────┘ └──────────────┘

V10 = VLAN 10 (Sales)       → 192.168.10.0/24
V20 = VLAN 20 (Engineering) → 192.168.20.0/24
V30 = VLAN 30 (Management)  → 192.168.30.0/24
```
A Sales PC on Switch A (VLAN 10, IP 192.168.10.50) wants to reach an Engineering server on Switch B (VLAN 20, IP 192.168.20.100):
- The PC sends the packet to its default gateway: 192.168.10.1 (the L3 switch)
- The L3 switch receives the frame on VLAN 10, strips the tag, and routes the packet
- The L3 switch looks up 192.168.20.0/24, encapsulates the packet in a VLAN 20 frame
- The frame travels down the trunk to Switch B, which delivers it to the destination port
Inter-VLAN Routing Methods
There are two common approaches for routing between VLANs:
Router-on-a-Stick — A single router interface is connected to the switch via a trunk link. The router creates sub-interfaces, one per VLAN:
```
Router (single physical interface, multiple sub-interfaces)
   │
   │ Trunk (carries VLAN 10, 20, 30)
   │
Switch
```
Best for small networks with low inter-VLAN traffic.
Layer 3 Switch (SVI) — The switch itself performs routing using Switch Virtual Interfaces. Each VLAN gets an SVI with an IP address that acts as the default gateway:
```
L3 Switch
├── SVI VLAN 10: 192.168.10.1
├── SVI VLAN 20: 192.168.20.1
└── SVI VLAN 30: 192.168.30.1
```
Best for enterprise networks. Routing happens in hardware at wire speed.
Real-World Example: Small Office Network
A company has three departments: Sales (15 users), Engineering (25 users), and Management (10 users). Here is how to design the network.
VLAN and Subnet Assignment
| Department | VLAN ID | Subnet | Gateway | Usable Range | DHCP Pool |
|------------|---------|--------|---------|--------------|-----------|
| Sales | 10 | 192.168.10.0/24 | 192.168.10.1 | .2 — .254 | .100 — .200 |
| Engineering | 20 | 192.168.20.0/24 | 192.168.20.1 | .2 — .254 | .100 — .200 |
| Management | 30 | 192.168.30.0/24 | 192.168.30.1 | .2 — .254 | .100 — .200 |
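A plan like the table above is easy to get subtly wrong once it grows past three rows, so here is a small checker for it. This is an added example, not code from the original post: `check_plan` and the `PLAN` structure are this example's own, and the values in `PLAN` are transcribed from the table. It enforces the post's one VLAN = one subnet rule in both directions, rejects overlapping subnets, and verifies that each gateway is a host address inside its subnet and that the DHCP pool is a host range inside the subnet that does not swallow the gateway.

```python
# Added example (not from the original post): validate a VLAN/subnet plan.
import ipaddress

# The post's plan, transcribed from the table above.
PLAN = [
    {"dept": "Sales", "vlan": 10, "subnet": "192.168.10.0/24",
     "gateway": "192.168.10.1", "dhcp": ("192.168.10.100", "192.168.10.200")},
    {"dept": "Engineering", "vlan": 20, "subnet": "192.168.20.0/24",
     "gateway": "192.168.20.1", "dhcp": ("192.168.20.100", "192.168.20.200")},
    {"dept": "Management", "vlan": 30, "subnet": "192.168.30.0/24",
     "gateway": "192.168.30.1", "dhcp": ("192.168.30.100", "192.168.30.200")},
]


def check_plan(plan: list) -> list:
    """Return human-readable findings; an empty list means the plan is clean."""
    findings = []
    subnets_per_vlan = {}          # vlan id -> set of networks
    seen = []                      # (label, network) for overlap checks
    for row in plan:
        tag = f"{row['dept']} (VLAN {row['vlan']})"
        if not 1 <= row["vlan"] <= 4094:
            findings.append(f"{tag}: VLAN ID out of range 1-4094")
            continue
        if row["vlan"] == 1:
            findings.append(f"{tag}: VLAN 1 is the default VLAN; use a numbered VLAN")
        try:
            net = ipaddress.ip_network(row["subnet"])
        except ValueError as err:
            findings.append(f"{tag}: bad subnet {row['subnet']!r}: {err}")
            continue
        # One VLAN = one subnet: collect every subnet claimed by each VLAN ID.
        subnets_per_vlan.setdefault(row["vlan"], set()).add(net)
        # One subnet = one VLAN: any overlap with an earlier row is a conflict.
        for other_tag, other in seen:
            if net.overlaps(other):
                findings.append(f"{tag}: subnet {net} overlaps {other} of {other_tag}")
        seen.append((tag, net))
        gw = ipaddress.ip_address(row["gateway"])
        if gw not in net or gw in (net.network_address, net.broadcast_address):
            findings.append(f"{tag}: gateway {gw} is not a host address in {net}")
        lo, hi = (ipaddress.ip_address(a) for a in row["dhcp"])
        pool_ok = (lo in net and hi in net and lo <= hi
                   and lo != net.network_address and hi != net.broadcast_address)
        if not pool_ok:
            findings.append(f"{tag}: DHCP pool {lo}-{hi} is not a host range inside {net}")
        elif lo <= gw <= hi:
            findings.append(f"{tag}: gateway {gw} sits inside the DHCP pool {lo}-{hi}")
    for vlan, nets in subnets_per_vlan.items():
        if len(nets) > 1:
            listed = ", ".join(str(n) for n in sorted(nets))
            findings.append(f"VLAN {vlan} carries {len(nets)} subnets: {listed}")
    return findings


if __name__ == "__main__":
    for finding in check_plan(PLAN) or ["plan is clean"]:
        print(finding)
```

Feed it a plan that reuses VLAN 10 for a second subnet and the last loop reports exactly the "multiple subnets on one VLAN" situation the post warns about further down; a row on VLAN 1 is flagged for the same reason the post gives later.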
Switch Configuration (Cisco IOS)
```
! Create VLANs
vlan 10
 name Sales
vlan 20
 name Engineering
vlan 30
 name Management

! Configure access ports for Sales (ports 1-16)
interface range GigabitEthernet0/1 - 16
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast

! Configure access ports for Engineering (ports 17-32)
interface range GigabitEthernet0/17 - 32
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast

! Configure access ports for Management (ports 33-40)
interface range GigabitEthernet0/33 - 40
 switchport mode access
 switchport access vlan 30
 spanning-tree portfast

! Configure trunk port to L3 switch/router (port 48)
interface GigabitEthernet0/48
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport trunk native vlan 999
```

Layer 3 Switch Configuration (Inter-VLAN Routing)
```
! Enable IP routing
ip routing

! Create SVIs (default gateways for each VLAN)
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 no shutdown
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 no shutdown
interface Vlan30
 ip address 192.168.30.1 255.255.255.0
 no shutdown

! Optional: restrict Engineering from reaching Management
ip access-list extended BLOCK-ENGR-TO-MGMT
 deny ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
 permit ip any any
interface Vlan20
 ip access-group BLOCK-ENGR-TO-MGMT in
```

Router-on-a-Stick Alternative
If you are using a standard router instead of an L3 switch:
```
! Router sub-interfaces (one per VLAN)
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
interface GigabitEthernet0/0.30
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
```

With this setup, all three departments have isolated Layer 2 domains, separate IP ranges, and controlled inter-VLAN routing with optional access lists for security.
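To see what the optional access list in the L3 switch configuration actually does to traffic, here is a stateless evaluator for it. This is an added example, not code from the original post or from Cisco: `parse_acl`, `evaluate` and `forward` are this example's own names, `ACL_TEXT` is the post's ACL copied verbatim, and `forward` is a deliberately simplified model of the L3 switch (it picks the ingress SVI from the source address and only knows the three connected subnets). It implements Cisco wildcard-mask matching (a 0 bit must match, a 1 bit is ignored), first-match-wins ordering, and the implicit deny that ends every ACL.

```python
# Added example (not from the original post): evaluate the post's extended ACL
# with wildcard-mask semantics, first match wins, implicit deny at the end.
import ipaddress

# The ACL from the L3 switch configuration above, verbatim.
ACL_TEXT = """\
ip access-list extended BLOCK-ENGR-TO-MGMT
 deny ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
 permit ip any any
"""


def _take_addr(tokens: list):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return ((base, wildcard), rest)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    base = int(ipaddress.IPv4Address(tokens[0]))
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    return (base, wildcard), tokens[2:]


def parse_acl(text: str) -> list:
    """Parse 'permit|deny ip <src> <dst>' entries; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[1] != "ip":
            continue
        src, rest = _take_addr(tok[2:])
        dst, _ = _take_addr(rest)
        entries.append((tok[0], src, dst))
    return entries


def matches(addr: str, rule) -> bool:
    """Wildcard match: bits set in the wildcard are don't-care, the rest must equal the base."""
    base, wildcard = rule
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)


def evaluate(entries: list, src: str, dst: str) -> str:
    """First matching entry decides; no match means the implicit deny."""
    for action, src_rule, dst_rule in entries:
        if matches(src, src_rule) and matches(dst, dst_rule):
            return action
    return "deny"


# Simplified model of the L3 switch: its three SVIs and the one inbound ACL binding
# ("interface Vlan20 / ip access-group BLOCK-ENGR-TO-MGMT in").
SVIS = {"Vlan10": ipaddress.ip_network("192.168.10.0/24"),
        "Vlan20": ipaddress.ip_network("192.168.20.0/24"),
        "Vlan30": ipaddress.ip_network("192.168.30.0/24")}
INBOUND_ACL = {"Vlan20": parse_acl(ACL_TEXT)}


def forward(src: str, dst: str) -> str:
    """What the L3 switch does with one packet. The ingress SVI is chosen from the
    source address (a simplification), the inbound ACL runs before routing."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    in_svi = next((n for n, net in SVIS.items() if s in net), None)
    out_svi = next((n for n, net in SVIS.items() if d in net), None)
    if in_svi is None:
        return "dropped: source not on any SVI"
    if in_svi == out_svi:
        return "not routed: same VLAN, switched at Layer 2"
    if in_svi in INBOUND_ACL and evaluate(INBOUND_ACL[in_svi], src, dst) == "deny":
        return f"denied by inbound ACL on {in_svi}"
    if out_svi is None:
        return "dropped: no route to destination"
    return f"routed from {in_svi} to {out_svi}"


if __name__ == "__main__":
    for s, d in [("192.168.20.100", "192.168.30.5"), ("192.168.30.5", "192.168.20.100"),
                 ("192.168.20.100", "192.168.10.50"), ("192.168.10.50", "192.168.10.60")]:
        print(f"{s} -> {d}: {forward(s, d)}")
```

Two things the model makes visible. First, drop the `permit ip any any` and the implicit deny blocks Engineering from everything, not just Management. Second, the ACL is stateless: a Management host can send a packet to an Engineering server (`Vlan30` has no inbound ACL), but the server's reply is Engineering-to-Management traffic entering `Vlan20` and is dropped by the same deny, so in practice the rule cuts the conversation in both directions.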
Common Mistakes to Avoid
1. Multiple Subnets on One VLAN
Putting 192.168.10.0/24 and 192.168.20.0/24 on the same VLAN technically works but breaks the clean one-to-one mapping. Broadcasts from both subnets flood the same Layer 2 domain, devices may have ARP issues, and troubleshooting becomes confusing. Stick to one VLAN, one subnet.
2. Forgetting Trunk Ports Between Switches
If VLAN 10 exists on Switch A and Switch B, the link between them must be a trunk. Otherwise, only traffic from the native VLAN passes. This is the number one reason "the new VLAN doesn't work on the other switch."
```
! Both sides of the link need this:
interface GigabitEthernet0/48
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
```

3. Not Setting Up Inter-VLAN Routing
You created VLANs and subnets, but devices in different VLANs cannot ping each other. That is expected and by design. You need a router or L3 switch with SVIs to route between them. VLANs isolate at Layer 2 — you must explicitly enable Layer 3 communication.
4. Using VLAN 1 as Your Production VLAN
VLAN 1 is the default VLAN on most switches. All ports start in VLAN 1, and management traffic often runs on it. Using it for production data is a security risk because:
- It cannot be deleted on most platforms
- Control plane protocols (CDP, VTP, STP BPDUs) travel on VLAN 1
- VLAN hopping attacks often target VLAN 1
Best practice: Move all user traffic to numbered VLANs (10, 20, 30, etc.) and leave VLAN 1 unused.
5. Mismatched Native VLANs
The native VLAN is the VLAN whose traffic is sent untagged on a trunk. If Switch A's trunk has native VLAN 1 and Switch B's trunk has native VLAN 99, frames will end up in the wrong VLAN. Always set the native VLAN explicitly and consistently on both ends:
```
! Both switches:
switchport trunk native vlan 999
```

Use a dedicated, unused VLAN as the native VLAN for maximum security.
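Mistakes 2 and 5 are both "the two ends of the link disagree", which is something a script can check before the link goes live. The following audit is an added example, not code from the original post; `parse_trunk`, `audit_link` and the two switch snippets are this example's own (the snippets are constructed IOS fragments that mirror the trunk configuration shown earlier, with one side deliberately wrong). It reads the trunk-relevant lines from each end, applies the IOS default of native VLAN 1 when none is configured, and reports one side not trunking, a native VLAN mismatch, an allowed-list mismatch, a native VLAN left at 1 or colliding with a user VLAN, and any user VLAN that would not cross the link.

```python
# Added example (not from the original post): audit both ends of a trunk link.
import re

# Constructed IOS snippets for the two ends of the link (illustration only).
SWITCH_A = """\
interface GigabitEthernet0/48
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport trunk native vlan 999
"""
SWITCH_B_GOOD = SWITCH_A
SWITCH_B_BAD = """\
interface GigabitEthernet0/48
 switchport mode trunk
 switchport trunk allowed vlan 10,20
"""   # no explicit native VLAN (IOS default is 1) and VLAN 30 is missing


def parse_vlan_list(spec: str) -> set:
    """Expand '10,20,30' or '1-5,10' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_trunk(config: str) -> dict:
    """Pull the trunk-relevant commands out of one interface stanza.
    'allowed' stays None when the IOS default (all VLANs) applies."""
    port = {"mode": None, "allowed": None, "native": 1}
    for line in config.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"switchport mode (\w+)", line):
            port["mode"] = m.group(1)
        elif m := re.fullmatch(r"switchport trunk allowed vlan ([\d,\-]+)", line):
            port["allowed"] = parse_vlan_list(m.group(1))
        elif m := re.fullmatch(r"switchport trunk native vlan (\d+)", line):
            port["native"] = int(m.group(1))
    return port


def audit_link(side_a: str, side_b: str, user_vlans: set) -> list:
    """Return findings for the link; an empty list means both ends agree."""
    a, b = parse_trunk(side_a), parse_trunk(side_b)
    findings = []
    for name, p in (("A", a), ("B", b)):
        if p["mode"] != "trunk":
            findings.append(f"side {name} is not a trunk (mode={p['mode']}); "
                            "only its untagged VLAN will cross the link")
        if p["native"] == 1:
            findings.append(f"side {name} uses VLAN 1 as native VLAN; set a dedicated unused VLAN")
        if p["native"] in user_vlans:
            findings.append(f"side {name} native VLAN {p['native']} is a user VLAN; "
                            "untagged frames would land in it")
    if a["native"] != b["native"]:
        findings.append(f"native VLAN mismatch: A={a['native']} B={b['native']}; "
                        "untagged frames cross into the wrong VLAN")
    if a["allowed"] != b["allowed"]:
        show = lambda s: "all" if s is None else sorted(s)
        findings.append(f"allowed VLAN mismatch: A={show(a['allowed'])} B={show(b['allowed'])}")
    carries = lambda p, v: p["allowed"] is None or v in p["allowed"]
    for v in sorted(user_vlans):
        if not (carries(a, v) and carries(b, v)):
            findings.append(f"VLAN {v} will not cross the link")
    return findings


if __name__ == "__main__":
    print("good link:", audit_link(SWITCH_A, SWITCH_B_GOOD, {10, 20, 30}) or "no findings")
    for finding in audit_link(SWITCH_A, SWITCH_B_BAD, {10, 20, 30}):
        print("bad link:", finding)
```

The defaulted native VLAN is the finding worth remembering: a trunk with no `switchport trunk native vlan` line is not unconfigured, it is silently on VLAN 1, which is exactly how the mismatch in mistake 5 arises when only one side was edited.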
When to Use What
Use Subnets Alone
- Cloud environments — AWS VPCs, Azure VNets, and GCP VPCs use subnets for segmentation. VLANs are abstracted away by the cloud provider
- Simple routed networks — A small home lab with a single router and no managed switches
- Point-to-point WAN links — /30 or /31 subnets for router-to-router connections
Use VLANs Alone
Rarely a good idea. Without corresponding subnets, all devices would be on the same IP network and the VLAN isolation is incomplete. The only edge case is Layer 2 bridging scenarios or transparent firewall deployments.
Use Both Together (Most Common)
- Office networks — Any office with more than one department
- Campus networks — Multiple buildings, hundreds of users
- Data centers — Server VLANs, storage VLANs, management VLANs
- Guest Wi-Fi isolation — Guest VLAN with its own subnet, firewalled from corporate
Decision Flowchart
```
Do you have managed switches?
├── No  → Use subnets only (routed segmentation)
└── Yes → Do you need Layer 2 isolation between groups?
          ├── No  → Subnets may be enough
          └── Yes → Use VLANs + Subnets (one VLAN per subnet)
                    └── Do VLANs need to communicate?
                        ├── No  → Done (full isolation)
                        └── Yes → Add inter-VLAN routing
                                  (L3 switch or router-on-a-stick)
```
Quick Recap
- Subnets operate at Layer 3 and divide IP address space. They control routing.
- VLANs operate at Layer 2 and divide switch ports into isolated broadcast domains. They control switching.
- In production networks, you pair them: one VLAN = one subnet.
- VLANs provide the Layer 2 boundary. Subnets provide the Layer 3 addressing. A router or L3 switch connects them.
- Cloud environments abstract VLANs away — you only deal with subnets.
- On-premises networks with managed switches should always use both.
The combination of VLANs and subnets is the foundation of nearly every enterprise network. Understanding how they differ and how they complement each other is essential for designing secure, performant, and manageable networks.
Already familiar with subnetting? Try our free Subnet Calculator to calculate network ranges, CIDR blocks, and usable IPs.