Comparison of VLAN vs Subnet in TCP/IP Computer Networks

Written By Harris Andrea

A few decades ago, flat networks were the norm. I remember in my very first job as a network engineer, most of our clients’ networks consisted of a single broadcast domain (VLAN) and a huge single flat Layer 3 network (usually in the 10.0.0.0 range).

As time passed and networks grew bigger and bigger, flat networks became simply unmanageable, and they also suffered from a whole set of problems caused by the single broadcast domain.

VLANs and Subnets are two of the most basic building blocks of TCP/IP networks, and nowadays they are used extensively to segment big networks and make them more manageable and efficient.

Table of Contents

  • What is a VLAN
  • What is a Subnet
  • Comparison of Vlans and Subnets
  • VLAN vs Subnet – Comparison Table
  • Can 2 VLANs have the same subnet?
  • VLAN and Subnet Security

If you want a quick comparison of VLAN vs Subnet, here it is:

  • VLANs work at Layer 2 of the OSI model and are used to separate LAN traffic in different broadcast domains. Hosts in the same VLAN can communicate freely between each other. Hosts in different VLANs can’t communicate by default (unless there is Layer 3 routing between them).
  • A Subnet works at Layer 3 of the OSI model and is used to create smaller Layer 3 network IP ranges from a larger network range.

Let's compare and discuss the differences between VLANs and Subnets in more detail below. The simple network diagram below will help in our discussion.

[Figure: network diagram with a switch and a router]

In the network above, we have two VLANs (10 and 20) and two network Subnets (192.168.10.0/24 and 192.168.20.0/24).

Although the hosts belonging to the two VLANs are connected to the same switch, they cannot communicate with each other through the switch.

If hosts in VLAN 10 want to communicate with hosts in VLAN 20, traffic from the hosts in VLAN 10 must go up to the router interface (with IP 192.168.10.1), which will route the packets out of its second interface (192.168.20.1) and down to VLAN 20.

What is a VLAN

Virtual Local Area Networks or VLANs are a method of separating ethernet traffic flowing through a LAN network at Layer 2 or the Data Link layer of the OSI model.

Without VLANs, every packet flowing through a network would be visible to every connected device, and every device would be able to communicate with every other device.

From a security perspective this is not a good thing. Within a corporate environment, for example, you would not want the customer service computers to be able to see and access the finance department's resources, and in a college you would not want the students' computers communicating freely with the teachers' computers.

This separation of traffic is achieved by assigning VLANs to the switch interfaces where the end devices are connected.

When traffic comes from these connected end-devices to the switch, packets are tagged with a VLAN ID number by the switch.

This is called 802.1Q Vlan tagging. When a packet reaches a switchport (an access port on Cisco devices), the switch assigns an 802.1Q tag (VLAN ID) to the Ethernet frame.

The switch then forwards this frame only to other ports that belong to the same VLAN: if the tag matches the Vlan assigned to the interface, the packet is allowed through; if it doesn't match, the packet is dropped.

An analogy that is often used is to imagine lanes on a highway; the separate lanes represent the different Vlans.

Another way of looking at it is to imagine a building with four doors leading to four different rooms: one red, one green, one yellow and one blue.

From a group of 40 people, 10 are given passes that open the red door, 10 get passes for the green door, 10 for the yellow door and 10 for the blue door.

Now you can see that if someone with a red pass tries to enter the blue door, the pass won't work, so they are unable to talk to the people on the other side of the blue door. They can, however, go through the red door and talk to all the people who also have a red pass and have access to that room.

This is the same principle as Vlan tagging. So, what happens if a Vlan-tagged interface receives a packet that does not have a Vlan tag?

By default this packet would be dropped, and this is where the Native Vlan comes in. The Native Vlan is the VLAN associated with all untagged packets; on a Cisco switch the Native Vlan is Vlan 1 by default.

As a security best practice this is often changed to another number. On a trunk interface, either all Vlan-tagged traffic can be allowed across the link or only certain Vlans can be allowed across. All untagged traffic is associated with the native Vlan and allowed across the trunk.

It is important that the Native Vlan matches on both sides of the trunk link, because if the Native Vlan is different the switch at the far end of the trunk will see a mismatch and drop the untagged traffic.
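To make the tagging behaviour concrete, here is an added example (not code from the original article) that builds and parses 802.1Q-tagged Ethernet frames, decides which VLAN a frame arriving on a trunk lands in (untagged frames fall into the native VLAN, frames whose VLAN is not on the allowed list are dropped), and flags the trunk misconfigurations described above. The MAC addresses, VLAN numbers and allowed lists are constructed sample values; the function names are this example's own.

```python
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag follows

# Constructed sample addresses for the demonstration below.
BROADCAST = bytes.fromhex("ffffffffffff")
SAMPLE_SRC = bytes.fromhex("001122334455")


@dataclass(frozen=True)
class ParsedFrame:
    dst: str
    src: str
    tagged: bool
    vlan_id: Optional[int]   # None when the frame arrived untagged
    ethertype: int           # EtherType of the payload, e.g. 0x0800 for IPv4


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None) -> bytes:
    """Build an Ethernet frame; insert an 802.1Q tag (PCP 0, DEI 0) when vlan_id is given."""
    tag = b"" if vlan_id is None else struct.pack("!HH", TPID_8021Q, vlan_id & 0x0FFF)
    return dst + src + tag + struct.pack("!H", ethertype) + payload


def parse_frame(raw: bytes) -> ParsedFrame:
    """Parse the Ethernet header and, if present, the 4-byte 802.1Q tag."""
    if len(raw) < 14:
        raise ValueError("shorter than an Ethernet header")
    etype = struct.unpack("!H", raw[12:14])[0]
    if etype != TPID_8021Q:
        return ParsedFrame(_mac(raw[:6]), _mac(raw[6:12]), False, None, etype)
    if len(raw) < 18:
        raise ValueError("802.1Q tag truncated")
    # TCI layout: 3 bits priority (PCP), 1 bit DEI, 12 bits VLAN ID.
    tci, inner = struct.unpack("!HH", raw[14:18])
    return ParsedFrame(_mac(raw[:6]), _mac(raw[6:12]), True, tci & 0x0FFF, inner)


def vlan_on_trunk(raw: bytes, allowed: Iterable[int], native: int) -> Optional[int]:
    """VLAN that a frame received on a trunk is placed in, or None when the trunk drops it."""
    frame = parse_frame(raw)
    vid = frame.vlan_id if frame.tagged else native   # untagged frames belong to the native VLAN
    return vid if vid in set(allowed) else None


def trunk_warnings(local_native: int, remote_native: int,
                   local_allowed: Iterable[int], remote_allowed: Iterable[int]) -> List[str]:
    """Configuration checks for the two ends of a trunk, mirroring the advice in the text."""
    warnings = []
    if local_native != remote_native:
        warnings.append(f"native VLAN mismatch: {local_native} vs {remote_native}")
    if local_native == 1:
        warnings.append("native VLAN left at the default (1)")
    if set(local_allowed) != set(remote_allowed):
        warnings.append("allowed VLAN lists differ between trunk ends")
    return warnings


if __name__ == "__main__":
    tagged = build_frame(BROADCAST, SAMPLE_SRC, 0x0806, b"\x00" * 28, vlan_id=10)
    print(parse_frame(tagged))
    print(vlan_on_trunk(tagged, [10, 20, 99], native=99))
    print(trunk_warnings(99, 1, [10, 20, 99], [10, 20, 99]))
```

Running the block prints the parsed tagged frame, the VLAN it is assigned to on the trunk, and the native VLAN mismatch warning for a trunk whose far end was left at VLAN 1.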

What is a Subnet

A subnet is a Layer 3 IP network range that is derived after breaking down a large network range into smaller pieces through the subnetting of its IP address range.

Class A addressing (with subnet mask 255.0.0.0) would allow 127 networks with 16,777,216 IP host addresses per network.

This would result in a lot of wasted IP addresses even for the largest networks. This is where subnetting can help.

The original class A range can be split into smaller chunks, and these smaller chunks of IP addresses can be used to make many smaller networks out of the same big address range.

To make these smaller networks the subnet mask is changed from a /8 or 255.0.0.0 to another mask that gives a smaller number of usable IP addresses.

An IP address of 10.0.0.1 with a mask of 255.255.255.0 or /24 would allow around 2 million subnetworks (subnets), but only 254 usable IP addresses per subnet.

This means that by segmenting down a big IP range into smaller subnets, you have better management and more efficient use of IP address space.
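The subnet arithmetic above is easy to get wrong by hand, so here is an added example (not from the original article) using Python's standard ipaddress module. It counts how many /24 subnets fit inside one /8 block, computes the usable host count for a prefix, enumerates the first few subnets, and checks whether two hosts share a subnet; the addresses used are the article's 10.0.0.0 and 192.168.x.0 ranges and the function names are this example's own.

```python
import ipaddress
from typing import List


def count_subnets(network: str, new_prefix: int) -> int:
    """Number of new_prefix subnets that fit inside `network` (e.g. /24s inside a /8)."""
    net = ipaddress.IPv4Network(network, strict=False)
    if new_prefix < net.prefixlen:
        raise ValueError("new prefix must be at least as long as the parent prefix")
    return 2 ** (new_prefix - net.prefixlen)


def usable_hosts(prefix: int) -> int:
    """Assignable host addresses for a prefix: total minus network and broadcast address."""
    if not 0 <= prefix <= 30:
        raise ValueError("this classic calculation applies to prefixes from /0 to /30")
    return 2 ** (32 - prefix) - 2


def first_subnets(network: str, new_prefix: int, n: int) -> List[str]:
    """First n subnets of `network` when carved into new_prefix pieces."""
    net = ipaddress.IPv4Network(network, strict=False)
    out: List[str] = []
    for sub in net.subnets(new_prefix=new_prefix):  # generator, so a /8 into /24s is still cheap
        if len(out) == n:
            break
        out.append(str(sub))
    return out


def subnet_of(ip: str, prefix: int) -> str:
    """The subnet a host address belongs to under the given mask length."""
    return str(ipaddress.IPv4Interface(f"{ip}/{prefix}").network)


def same_subnet(ip_a: str, ip_b: str, prefix: int) -> bool:
    """True when both hosts would consider each other on-link (no router needed)."""
    return subnet_of(ip_a, prefix) == subnet_of(ip_b, prefix)


def gateway_for(ip: str, prefix: int) -> str:
    """Conventional default gateway: first usable address of the host's subnet (the .1 in the diagram)."""
    net = ipaddress.IPv4Interface(f"{ip}/{prefix}").network
    return str(net.network_address + 1)


if __name__ == "__main__":
    print(count_subnets("10.0.0.0/8", 24), "/24 subnets inside 10.0.0.0/8")
    print(usable_hosts(8), "usable hosts in a /8;", usable_hosts(24), "in a /24")
    print(first_subnets("10.0.0.0/8", 24, 3))
    print(same_subnet("192.168.10.5", "192.168.20.5", 24), gateway_for("192.168.20.5", 24))
```

The membership check is the one a host performs itself: if the destination is in its own subnet it sends the frame directly, otherwise it hands the packet to the gateway address.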

In real-world switched networks, each Subnet is associated with its own VLAN (as shown in our network diagram above). So, the two terms we examine here (VLAN and subnet) have a direct mapping between them.

Network administrators separate their LAN networks into several VLANs with each one having its own Layer 3 subnet.

A Layer 3 subnet is analogous to one department's room. People in the same room can communicate freely; however, if you want to go to another room (subnet) you must pass through a door (router gateway) which takes you to the other department.

Comparison of Vlans and Subnets

Subnets are used to further separate the network traffic, but the main difference between VLANs and Subnets is this: VLANs are a Layer 2 method of separating Ethernet traffic, carried out within the switching infrastructure, while Subnets are a Layer 3 method of separating IP traffic, carried out within the routing infrastructure.

VLANs and Subnets are used together in infrastructure security to form a defence in depth as both methods separate the traffic within the network.

VLANs provide separation of traffic, so hosts in different VLANs can communicate with each other only through Layer 3 routing.

There are times when you want different Vlans to be able to communicate. For example, if you have a File Server attached to a switch and configured in Vlan 10, and a PC attached to the same switch but configured in Vlan 20, they will be unable to communicate at Layer 2 because the Vlans are different.

To allow the PC to talk to the Server, a Layer 3 router must perform the "Inter-VLAN" routing. This is depicted in the basic diagram shown at the beginning of this article. Another way to provide "Inter-VLAN" routing is by using SVIs on a Layer 3 switch.

A Switch Virtual Interface (SVI) needs to be created on the Layer 3 switch for each VLAN. The SVI is a virtual network interface which acts as the default gateway for all hosts in that VLAN.

This means that any devices in Vlan 10 will now be able to communicate with devices in Vlan 20 and vice versa. Below is the Cisco configuration to create the two SVIs:

enable
configure terminal
!
! Inter-VLAN routing on a Layer 3 switch needs IP routing turned on
ip routing
!
vlan 10
 name Servers
!
vlan 20
 name User_PC
!
! One SVI per VLAN; its IP address is the default gateway for that VLAN
interface Vlan10
 description Servers
 ip address 10.0.1.1 255.255.255.0
 no shutdown
!
interface Vlan20
 description User PCs
 ip address 10.0.2.2 255.255.255.0
 no shutdown

Once the SVIs have been created, all devices in Vlan 10 and Vlan 20 will be able to communicate with each other.

If you only want certain devices in Vlan 10 to communicate with devices in Vlan 20, an Access Control List (ACL) needs to be applied to the SVI to permit or deny access as required.

VLAN vs Subnet – Comparison Table

Characteristic        | VLAN                                           | Subnet
----------------------|------------------------------------------------|-----------------------------------------------
OSI Layer             | Layer 2                                        | Layer 3
Traffic Isolation     | At switch level (Ethernet frames)              | At router level (IP packets)
Network Device Used   | Configured on Layer 2 switches                 | Configured on routers or Layer 3 switches
Advantages            | Creates separate broadcast domains, limiting   | More efficient use of IP address space.
                      | broadcasts in the network.                     | Different subnets allow traffic control using
                      | Provides network isolation at the lowest level.| firewalls or router Access Control Lists.
Networking Protocols  | 802.1Q, MAC address                            | IPv4/IPv6

Can 2 VLANs have the same subnet?

Some people ask whether we can have two different VLANs (e.g. VLAN 10 and 20) on a switch and assign the same subnet to each VLAN (e.g. 192.168.1.0/24).

The above scenario, although technically possible, is not recommended and serves no purpose.

Hosts connected to the two VLANs will not be able to communicate although they will belong in the same subnet range.

The two VLANs create two separate broadcast domains and therefore Layer 2 traffic in each VLAN will stay inside the VLAN and will not be able to reach the other VLAN. Thus, hosts will not be able to communicate between the two broadcast domains.

The proper network setup is to have different Layer 3 subnets belonging to different Layer 2 VLANs and then have a Layer 3 routing engine in order to allow communication between the two VLANs/subnets.

VLAN and Subnet Security

Let's discuss briefly the security aspects of VLANs and subnets.

Both are used in modern networks to separate and control traffic between hosts and to segregate LAN networks. Both are very useful and essential in network security.

VLAN isolation is stronger than subnet isolation in terms of security. If you separate hosts into different VLANs, then you make sure that hosts in these VLANs cannot communicate with each other.

For example, computers belonging to the Finance Department are assigned to VLAN 10 and computers belonging to the Engineering Department are assigned to VLAN 20. This scenario completely isolates the computers of the two departments, and you make sure they will not be able to communicate unless the traffic first passes through a Layer 3 device.

Now, subnetting also creates security isolation if you use a Layer 3/4 Firewall device to control the routing between the Layer 3 subnets. This is also a common and useful practice in network security.

Traffic between different subnets can be controlled by a Firewall in order to block or allow only the necessary packets between the subnets (at the Layer 3 and Layer 4 level). If the traffic between subnets passes only through a regular router, you don't have the same security control as with a firewall.

The absolute best security practice is to have isolation at both the VLAN and the Subnet level. Assign each subnet to its own VLAN and have a network firewall control the traffic between the VLANs/subnets.
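The three situations discussed above (an ACL on the SVI that lets only certain hosts cross between VLANs, two VLANs that share one subnet, and a firewall controlling traffic between subnets) all come down to the same forwarding decision, so here is one added example (not code from the original article) that models it. A host reaches another host directly only when both VLAN and subnet match; a shared subnet across different VLANs is unreachable because ARP never crosses the broadcast domain; anything else must go through the Layer 3 gateway, whose ACL is evaluated top-down with an implicit deny at the end, as on Cisco ACLs. The hosts, addresses, VLAN numbers and the single permit rule are constructed sample values, and the class and function names are this example's own.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

IPI = ipaddress.IPv4Interface
IPN = ipaddress.IPv4Network


@dataclass(frozen=True)
class Host:
    name: str
    vlan: int          # VLAN assigned to the host's switch port
    iface: IPI         # IP address with prefix, e.g. 192.168.10.10/24


@dataclass(frozen=True)
class AclRule:
    action: str                    # "permit" or "deny"
    src: IPN
    dst: IPN
    dst_port: Optional[int] = None # None matches any destination port


@dataclass
class Gateway:
    """Layer 3 hop between VLANs: one SVI (or firewall interface) per VLAN plus an ACL."""
    svis: Dict[int, IPI]
    acl: List[AclRule] = field(default_factory=list)

    def permits(self, src_ip: ipaddress.IPv4Address, dst_ip: ipaddress.IPv4Address, dst_port: int) -> bool:
        # First matching rule wins; no match means the implicit deny at the end of the list.
        for rule in self.acl:
            if src_ip in rule.src and dst_ip in rule.dst and rule.dst_port in (None, dst_port):
                return rule.action == "permit"
        return False


def reachability(src: Host, dst: Host, gw: Optional[Gateway], dst_port: int) -> str:
    """Explain whether and how a packet from src reaches dst:dst_port in this topology."""
    same_subnet = src.iface.network == dst.iface.network
    if src.vlan == dst.vlan and same_subnet:
        return "direct"                      # switched inside one VLAN, no router involved
    if same_subnet:
        # src believes dst is on-link and ARPs for it; the ARP broadcast stays inside src's VLAN.
        return "unreachable: same subnet, different broadcast domains"
    if gw is None:
        return "unreachable: no Layer 3 gateway"
    src_svi, dst_svi = gw.svis.get(src.vlan), gw.svis.get(dst.vlan)
    if src_svi is None or src_svi.network != src.iface.network:
        return "unreachable: no gateway in source VLAN/subnet"
    if dst_svi is None or dst_svi.network != dst.iface.network:
        return "unreachable: gateway has no interface in destination subnet"
    if not gw.permits(src.iface.ip, dst.iface.ip, dst_port):
        return "denied by ACL"
    return f"routed via {src_svi.ip} -> {dst_svi.ip}"


# Constructed topology: three department VLANs, each with its own subnet and SVI.
FINANCE_PC = Host("finance-pc", 10, IPI("192.168.10.10/24"))
FINANCE_PC2 = Host("finance-pc2", 10, IPI("192.168.10.11/24"))
FILE_SERVER = Host("file-server", 20, IPI("192.168.20.5/24"))
ENG_PC = Host("eng-pc", 30, IPI("192.168.30.10/24"))
# The misconfiguration from the "Can 2 VLANs have the same subnet?" section.
LAB_A = Host("lab-a", 40, IPI("192.168.1.10/24"))
LAB_B = Host("lab-b", 50, IPI("192.168.1.20/24"))

FIREWALL = Gateway(
    svis={10: IPI("192.168.10.1/24"), 20: IPI("192.168.20.1/24"), 30: IPI("192.168.30.1/24")},
    # Only Finance may reach the file server, and only on TCP 445; everything else hits the implicit deny.
    acl=[AclRule("permit", IPN("192.168.10.0/24"), IPN("192.168.20.5/32"), 445)],
)


if __name__ == "__main__":
    for s, d, port in [(FINANCE_PC, FINANCE_PC2, 445), (LAB_A, LAB_B, 80),
                       (FINANCE_PC, FILE_SERVER, 445), (FINANCE_PC, FILE_SERVER, 22),
                       (ENG_PC, FILE_SERVER, 445)]:
        print(f"{s.name} -> {d.name}:{port}: {reachability(s, d, FIREWALL, port)}")
```

The useful property to notice is that the VLAN check and the subnet check are independent layers of defence: a host that lands in the wrong VLAN cannot talk to its own subnet, and a host that is correctly placed still cannot reach another subnet unless the gateway's ACL says so.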

About Harris Andrea

Harris Andrea is an Engineer with more than two decades of professional experience in the fields of TCP/IP Networks, Information Security and I.T. Over the years he has acquired several professional certifications such as CCNA, CCNP, CEH, ECSA etc.

He is a self-published author of two books ("Cisco ASA Firewall Fundamentals" and "Cisco VPN Configuration Guide") which are available at Amazon and on this website as well.

Comments

  1. FRANCIS says

    May 27, 2021 at 7:48 am

    VERY EDUCATIVE AND SIMPLIFIED.GOOD WORK.

  2. BatmansByte says

    October 5, 2022 at 11:25 pm

    Copy and paste error in the previous submission.

    This in the beginning isn't helpful.

    Quote:
    If you want a quick comparison of VLAN vs Subnet, here it is:

    VLANs work at Layer 2 of the OSI model and are used to separate LAN traffic in different broadcast domains. Hosts in the same VLAN can communicate freely between each other. Hosts in different VLANs can’t communicate by default (unless there is Layer 3 routing between them).
    A Subnet works at Layer 3 of the OSI model and is used to create smaller Layer 3 network IP ranges from a larger network range.
    :EndQuote

    Hosts in the same VLAN/Subnet can communicate freely between each other. Hosts in different VLANs/Subnets can't communicate by default (unless there is a Layer 3 routing between them).

    VLANs work at Layer 2, Subnets at Layer 3, but they seem to have the same benefits, problems, and solution.

    That’s where I’m stuck anyways, why not just use subnets instead of VLANs?

  3. Harris Andrea says

    October 6, 2022 at 5:31 am

    Separate VLANs must be used as well in order to contain and limit the broadcast packets.

    If you have only one VLAN (let's say the default VLAN 1) then all broadcasts from all hosts (even if they are separated into different subnets) will be received by all hosts in the VLAN, so you have flooding problems of broadcast packets.

    The correct design is to have 1-to-1 relationship between VLANs and subnets (e.g one VLAN ID for subnet A, a different VLAN ID for subnet B etc).
