
Short definitions

Subnet (IP subnet): a Layer‑3 (IP) address block defined by a network prefix and mask (for example 192.168.1.0/24). A host compares a destination address against its own prefix to decide whether that address is on‑link (same subnet, reachable directly without a router) or off‑subnet (handed to a gateway to be routed).

VLAN (Virtual LAN): a Layer‑2 construct that segments switch ports into separate broadcast domains using a VLAN ID (1–4094). Frames in different VLANs are isolated at Layer‑2 unless explicitly routed.

Core idea — one-sentence

VLANs separate traffic at Layer‑2 (broadcast domains), and subnets separate traffic at Layer‑3 (routing boundaries). In practical networks you typically map one subnet to one VLAN so that IP routing and switch segmentation line up.

Key properties and behavior

  • Layer: VLAN = L2, Subnet = L3.
  • Isolation: VLANs isolate broadcast and ARP at L2; subnets isolate IP routing (packets between different subnets must be routed).
  • Traffic flow: Hosts in same VLAN and same subnet communicate directly (no router). Hosts in different VLANs need a router or L3 switch (inter‑VLAN routing).
  • Addressing: Subnet is defined by prefix/mask (e.g. /24). VLAN is identified by numeric ID (e.g. VLAN 10).
  • Encapsulation: VLAN membership travels as an 802.1Q tag on trunk links (access ports carry the VLAN untagged); a subnet is expressed only through the IP addresses in the packet header plus the mask configured on hosts and routers.

Simple example

Imagine a small office:

  • Sales VLAN 10 & subnet 192.168.10.0/24
  • Engineering VLAN 20 & subnet 192.168.20.0/24

Hosts in Sales (VLAN 10) can ARP and talk directly to 192.168.10.x addresses. To talk to 192.168.20.x (Engineering) packets must go to the default gateway (inter‑VLAN router or L3 switch), which routes between the subnets.

When you might use VLANs vs subnets

  • Use VLANs to: group users by department or function, contain broadcasts, separate guest networks on the same physical switch, and apply per‑VLAN policies on switches (ACLs, QoS).
  • Use subnets to: allocate IP address ranges, apply routing policies, firewall rules, and IP‑based services (DHCP scopes, IP access lists).
  • Typical rule: create a VLAN for each subnet (one VLAN ↔ one subnet). Exceptions exist (secondary IP addresses that put several subnets on one VLAN, VRFs that reuse the same address space in separate routing tables, overlays such as VXLAN that decouple L2 segments from the physical switch topology).

How VLANs and subnets interact

  • Common mapping: VLAN 10 = 192.168.10.0/24, VLAN 20 = 192.168.20.0/24. This gives clear L2 and L3 separation.
  • Inter‑VLAN routing: performed by a Layer‑3 switch or router. Methods include routed ports, SVIs (Switch Virtual Interfaces), or a router‑on‑a‑stick (single trunk port with subinterfaces).
  • VLAN trunking (802.1Q): allows multiple VLANs to cross a single physical link by tagging frames with VLAN IDs.

Command examples

Cisco IOS switch (create VLAN and assign an access port):

vlan 10
 name Sales
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 ! user-facing port: never let it negotiate a trunk via DTP
 switchport nonegotiate

Cisco IOS trunk port (802.1Q):

interface GigabitEthernet0/1
 ! accepted only on platforms that also support ISL (e.g. 3560/3750); 2960-class switches reject it and always use 802.1Q
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! native (untagged) VLAN moved off VLAN 1 to an otherwise unused VLAN (999 is an example choice)
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport nonegotiate

Linux add VLAN on interface eth0 (example; the 8021q module is loaded on demand, and eth0 itself must be up):

ip link add link eth0 name eth0.10 type vlan id 10   # tagged sub-interface for VLAN 10
ip addr add 192.168.10.2/24 dev eth0.10             # address in the subnet mapped to VLAN 10
ip link set dev eth0.10 up
ip -d link show eth0.10                              # verify: shows "vlan protocol 802.1Q id 10"

Subnetting quick review

  • /24 → 256 addresses (254 usable), /25 → 128 addresses (126 usable), /30 → 4 addresses (2 usable) for point‑to‑point, etc.
  • Choose subnet sizes to match expected hosts to conserve address space and reduce broadcast size.
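The following Python is an added worked example, not code from the original page. It does the arithmetic of this section with the standard library's ipaddress module (network, broadcast and usable-host counts for any IPv4 prefix, and the smallest prefix that fits a given number of hosts) and models the forwarding decision from the small-office example: a host ARPs directly for on‑link destinations and sends everything else to the gateway. The function names and the sample addresses are assumptions chosen for the example.

```python
import ipaddress


def subnet_summary(cidr: str) -> dict:
    """Network, mask, broadcast and usable-host count for an IPv4 prefix.

    /31 (RFC 3021 point-to-point) and /32 (host route) reserve no network or
    broadcast address, so every address in them is usable.
    """
    net = ipaddress.ip_network(cidr, strict=False)  # strict=False accepts a host address as input
    total = net.num_addresses
    if net.prefixlen >= 31:
        usable, first, last = total, net[0], net[-1]
    else:
        usable, first, last = total - 2, net[1], net[-2]  # network and broadcast reserved
    return {
        "network": str(net.network_address),
        "mask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "total": total,
        "usable": usable,
        "first_host": str(first),
        "last_host": str(last),
    }


def smallest_prefix_for(hosts: int) -> int:
    """Longest prefix (smallest block) that still leaves `hosts` usable addresses,
    reserving network and broadcast. /30 is the smallest block considered here."""
    for plen in range(30, -1, -1):
        if (2 ** (32 - plen)) - 2 >= hosts:
            return plen
    raise ValueError("too many hosts for a single IPv4 subnet")


def next_hop(src_ip: str, src_prefixlen: int, dst_ip: str, gateway: str) -> str:
    """Model a host's forwarding decision.

    Returns the address the host will ARP for: the destination itself when it is
    on-link (same subnet, and in the one-VLAN-per-subnet model the same VLAN),
    otherwise the default gateway, i.e. the inter-VLAN router or SVI.
    """
    iface = ipaddress.ip_interface(f"{src_ip}/{src_prefixlen}")
    dst = ipaddress.ip_address(dst_ip)
    if dst in iface.network:
        return str(dst)
    return gateway


if __name__ == "__main__":
    for cidr in ("192.168.10.0/24", "10.0.0.0/25", "10.0.0.0/30", "10.0.0.0/31"):
        print(cidr, subnet_summary(cidr))
    print("hosts=254 ->", f"/{smallest_prefix_for(254)}", " hosts=255 ->", f"/{smallest_prefix_for(255)}")
    # Sales host talking inside its own subnet versus to Engineering (constructed example addresses)
    print(next_hop("192.168.10.5", 24, "192.168.10.20", "192.168.10.1"))   # ARPs for 192.168.10.20
    print(next_hop("192.168.10.5", 24, "192.168.20.7", "192.168.10.1"))    # ARPs for the gateway
```

The same check runs in reverse when debugging: if a host sends a packet for an address you expected to be on‑link to its gateway instead, its mask (or the VLAN its port is in) does not match the subnet you documented.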

Security and operational considerations

  • VLANs help contain broadcast storms and shrink the L2 attack surface (ARP spoofing and broadcast‑based discovery stay inside the VLAN), but they do not by themselves provide strong security: a misconfigured trunk, a compromised switch, or a host patched into the wrong port puts a machine in another broadcast domain. You still need ACLs, firewalls, and deliberate segmentation.
  • Be aware of VLAN hopping attacks. Switch spoofing (a host negotiating a trunk over DTP) is mitigated by putting user ports in access mode with DTP disabled (switchport nonegotiate) and never leaving ports in dynamic mode; double tagging is mitigated by setting the native VLAN of every trunk to an unused VLAN that has no access ports, and by keeping sensitive traffic off the default/native VLAN.
  • Document VLAN ↔ subnet mappings (VLAN ID, name, prefix, gateway) and ensure DHCP scopes align with them: a scope whose pool or router option does not match the VLAN's subnet hands out addresses that cannot reach the gateway.
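As an added example (not part of the original page), the following Python audits the kind of VLAN ↔ subnet ↔ DHCP documentation the previous bullet asks for and reports the inconsistencies that cause "wrong VLAN" tickets: gateway outside its subnet, overlapping subnets on different VLANs, a DHCP pool that does not fit its VLAN's subnet, a pool's router option that disagrees with the documented gateway, a gateway address inside the lease pool, and user subnets parked on VLAN 1. The table format, the finding codes and the sample data are all constructed for this example; VLAN 30 and two of the scopes are deliberately wrong so the audit has something to report.

```python
import ipaddress

# Constructed sample data (invented for this example, not from any real network).
VLAN_TABLE = {
    10: {"name": "Sales",       "subnet": "192.168.10.0/24",   "gateway": "192.168.10.1"},
    20: {"name": "Engineering", "subnet": "192.168.20.0/24",   "gateway": "192.168.20.1"},
    30: {"name": "Guest",       "subnet": "192.168.20.128/25", "gateway": "192.168.30.1"},  # wrong on purpose
}
DHCP_SCOPES = [
    {"vlan": 10, "range": ("192.168.10.100", "192.168.10.200"), "router": "192.168.10.1"},
    {"vlan": 20, "range": ("192.168.20.50",  "192.168.21.60"),  "router": "192.168.20.1"},  # pool leaves /24
    {"vlan": 40, "range": ("192.168.40.10",  "192.168.40.50"),  "router": "192.168.40.1"},  # no such VLAN
]


def audit(vlans: dict, scopes: list) -> list:
    """Return (code, vlan_id, message) findings for an inconsistent VLAN/subnet/DHCP table."""
    findings = []
    nets = {}
    for vid, entry in vlans.items():
        if not 1 <= vid <= 4094:
            findings.append(("BAD_VLAN_ID", vid, f"VLAN ID {vid} is outside 1-4094"))
            continue
        if vid == 1:
            findings.append(("DEFAULT_VLAN", vid, "user subnet mapped to default VLAN 1"))
        # strict=True rejects a prefix with host bits set (e.g. 192.168.10.5/24) as a documentation error
        net = ipaddress.ip_network(entry["subnet"], strict=True)
        gw = ipaddress.ip_address(entry["gateway"])
        if gw not in net:
            findings.append(("GATEWAY_OFF_SUBNET", vid, f"gateway {gw} is not inside {net}"))
        for other_vid, other_net in nets.items():
            if net.overlaps(other_net):
                findings.append(("SUBNET_OVERLAP", vid, f"{net} overlaps VLAN {other_vid} ({other_net})"))
        nets[vid] = net

    for scope in scopes:
        vid = scope["vlan"]
        if vid not in nets:
            findings.append(("SCOPE_ORPHAN", vid, "DHCP scope references a VLAN with no documented subnet"))
            continue
        lo, hi = (ipaddress.ip_address(a) for a in scope["range"])
        if lo > hi or lo not in nets[vid] or hi not in nets[vid]:
            findings.append(("SCOPE_OUTSIDE_SUBNET", vid, f"pool {lo}-{hi} does not fit in {nets[vid]}"))
        router = ipaddress.ip_address(scope["router"])
        if router != ipaddress.ip_address(vlans[vid]["gateway"]):
            findings.append(("SCOPE_ROUTER_MISMATCH", vid, f"router option {router} differs from documented gateway"))
        elif lo <= router <= hi:
            findings.append(("GATEWAY_IN_POOL", vid, f"gateway {router} lies inside the lease pool"))
    return findings


if __name__ == "__main__":
    for code, vid, msg in audit(VLAN_TABLE, DHCP_SCOPES):
        print(f"{code:22} VLAN {vid}: {msg}")
```

Run against the sample data it reports four findings (VLAN 30's gateway and overlap, the Engineering pool that crosses into 192.168.21.0/24, and the orphan scope for VLAN 40); a clean table returns an empty list, which makes the audit easy to drop into a pre-change check.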

Common misconceptions

  • "VLANs are the same as subnets" — they are related but live at different OSI layers and are decided by different mechanisms: a frame's VLAN is set by the port it entered on or its 802.1Q tag, while a packet's subnet is set by its IP prefix. Several subnets can share one VLAN (secondary addressing, rare, and hosts in different subnets still talk through the gateway), and one VLAN can span many switches via trunks, but the usual best practice is one VLAN per subnet.
  • "VLANs provide firewalling" — VLAN separation is L2 isolation; cross‑VLAN traffic can be routed unless explicitly blocked.

Best practices

  1. Map one subnet to one VLAN for simplicity.
  2. Keep VLANs and subnets well documented and consistent across switches.
  3. Use appropriate subnet sizes to limit broadcast domain size.
  4. Place routers or L3 switches for inter‑VLAN routing and enforce security between subnets with ACLs or firewalls.
  5. Harden switch ports: shut down unused ports and assign them in access mode to an unused "parking" VLAN, disable DTP negotiation on user ports, move the native VLAN of trunks off VLAN 1, and avoid VLAN 1 for user or management traffic.

Short summary

VLANs split the Layer‑2 world into separate broadcast domains. Subnets split the Layer‑3 world into address/routing domains. In real networks they are used together: VLANs provide the L2 segmentation and subnets provide address and routing boundaries — typically one VLAN per subnet for clarity and predictable behavior.

