VLAN Calculator

Plan VLAN subnetting by entering a base network, the number of VLANs required, and optionally the hosts per VLAN. Generates a complete subnet plan you can copy and use.

What are VLANs?

A Virtual LAN (VLAN) is a logical grouping of devices on one or more physical LANs, configured through switch software rather than physical cabling. Devices in the same VLAN communicate as if they were on the same physical network segment, even if they are physically located on different switches or floors of a building.

VLANs are identified by a VLAN ID: a number from 1 to 4094. VLAN 1 is the default VLAN on most switches and is typically reserved for management. VLANs 2–1001 are the normal range, while 1002–1005 are reserved for legacy protocols, and 1006–4094 form the extended range.
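The subnet arithmetic the calculator performs, together with the VLAN ID range check just described, as an added example (not the calculator's own code) using Python's standard `ipaddress` module. Assumptions not on the page: IPv4 only, the gateway is the first usable address, no subnet smaller than /30, and IDs are assigned sequentially from `first_vlan_id`.

```python
import ipaddress

RESERVED_IDS = range(1002, 1006)  # legacy FDDI/Token Ring VLANs, not usable


def plan_vlans(base, vlan_count, hosts_per_vlan=None, first_vlan_id=100):
    """Return one dict per VLAN: ID, subnet, gateway, last usable, broadcast.

    Even split when hosts_per_vlan is None, else the smallest power-of-two
    subnet holding hosts + network + broadcast. Assumed conventions: IPv4,
    gateway is the first usable address, no subnet smaller than /30.
    """
    if vlan_count < 1:
        raise ValueError("need at least one VLAN")
    net = ipaddress.ip_network(base, strict=True)
    if net.version != 4:
        raise ValueError("this example handles IPv4 only")
    if hosts_per_vlan is None:
        # ceil(log2(vlan_count)) extra prefix bits give >= vlan_count subnets
        new_prefix = net.prefixlen + (vlan_count - 1).bit_length()
    else:
        # ceil(log2(hosts + 2)) host bits, but never smaller than a /30
        host_bits = max(2, (hosts_per_vlan + 1).bit_length())
        new_prefix = 32 - host_bits

    if new_prefix < net.prefixlen:
        raise ValueError(f"{hosts_per_vlan} hosts per VLAN do not fit in {net}")
    if new_prefix > 30:
        raise ValueError(f"{vlan_count} VLANs would need subnets smaller than /30")
    subnets = list(net.subnets(new_prefix=new_prefix))
    if len(subnets) < vlan_count:
        raise ValueError(f"{net} yields only {len(subnets)} /{new_prefix} subnets")

    ids = range(first_vlan_id, first_vlan_id + vlan_count)
    if ids[0] < 2 or ids[-1] > 4094 or any(i in RESERVED_IDS for i in ids):
        raise ValueError("VLAN IDs must be 2-4094 and avoid 1002-1005")

    return [
        {
            "vlan_id": vlan_id,
            "network": str(sn),
            "gateway": str(sn.network_address + 1),
            "last_usable": str(sn.broadcast_address - 1),
            "broadcast": str(sn.broadcast_address),
            "usable_hosts": sn.num_addresses - 2,
        }
        for vlan_id, sn in zip(ids, subnets)
    ]
```

`plan_vlans("10.0.0.0/22", 3, hosts_per_vlan=100, first_vlan_id=200)` yields three /25 subnets (126 usable hosts each) numbered 200 to 202; a base that cannot hold the requested VLANs raises `ValueError` instead of silently truncating the plan.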

Why network segmentation matters

Without VLANs, every device on a switch shares the same broadcast domain. Broadcasts from any device reach every other device, consuming bandwidth and creating security risks. VLANs solve this by creating isolated broadcast domains:

  • Security: Isolate sensitive systems (e.g. finance, SCADA, guest Wi-Fi) from the general network. Traffic between VLANs must pass through a router or firewall where policies can be enforced.
  • Performance: Smaller broadcast domains reduce unnecessary traffic. A broadcast storm in one VLAN won't affect others.
  • Compliance: PCI-DSS, HIPAA, and other frameworks often require network segmentation between systems handling different data classifications.
  • Management: Group devices logically by function (servers, printers, phones, workstations) rather than physical location. Moves and changes become configuration tasks rather than recabling.

Trunk vs access ports

Switch ports operate in one of two modes:

Access port
Carries traffic for a single VLAN. End devices (PCs, printers, phones) connect to access ports. The switch adds/removes VLAN tags transparently; the connected device is unaware of VLANs.
Trunk port
Carries traffic for multiple VLANs simultaneously using 802.1Q tagging. Used between switches, and between switches and routers. Each Ethernet frame on a trunk includes a 4-byte VLAN tag identifying which VLAN it belongs to.

Common VLAN design patterns

Per-department VLANs
Each department (engineering, HR, finance) gets its own VLAN and subnet. Simple and easy to understand. Works well for small to medium organisations.
Per-function VLANs
Separate VLANs for servers, workstations, VoIP phones, printers, management, and guest access. More granular control. The most common pattern in enterprise networks.
Point-to-point links
Router-to-router or switch-to-switch links using /30 or /31 subnets (2 usable addresses). Saves address space when you only need to connect two devices.
DMZ segmentation
Public-facing servers (web, email, DNS) placed in a dedicated VLAN with strict firewall rules allowing only necessary traffic in and out. Prevents a compromised public server from accessing internal systems.

VLAN numbering conventions

While VLAN IDs are just numbers, most organisations follow conventions to keep things manageable:

  • VLAN 1: Default/native VLAN. Best practice is not to use it for production traffic.
  • VLANs 10–99: Infrastructure (management, monitoring, network devices).
  • VLANs 100–199: Server VLANs.
  • VLANs 200–299: User/workstation VLANs.
  • VLANs 300–399: VoIP/phones.
  • VLANs 900–999: Guest/IoT/untrusted devices.

The specific numbers vary by organisation. The key is consistency. Document your scheme and stick to it.