VLAN - Virtual Local Area Network

What is VLAN?

  • VLAN stands for Virtual Local Area Network. It is a network configuration that allows devices on different physical LANs to be grouped into the same logical network, as if they were on the same physical LAN.

Why is VLAN useful?

  • Segmentation – Separates network traffic for better performance and security.

  • Security – Limits broadcast domains and isolates sensitive data.

  • Efficiency – Reduces unnecessary traffic and improves bandwidth usage.

  • Flexibility – Devices can be grouped logically regardless of physical location.

  • Simplified Management – Easier to manage and troubleshoot network segments.

How does it work?

  • Switch Configuration – VLANs are configured on managed switches.

  • Port Assignment – Each switch port is assigned to a specific VLAN.

  • Tagging (802.1Q) – VLAN tags are added to Ethernet frames to identify VLAN membership.

  • Traffic Isolation – Devices in different VLANs cannot communicate unless routed.

  • Inter-VLAN Routing – A Layer 3 device (router or Layer 3 switch) enables communication between VLANs.

Where is VLAN used?

  • Enterprise Networks – To separate departments like HR, Finance, and IT.

  • Data Centers – For isolating services and tenants in virtualized environments.

  • Educational Institutions – To separate student, faculty, and administrative networks.

  • VoIP and IP Cameras – To isolate voice and video traffic from data traffic.

  • Guest Networks – To provide internet access without exposing internal resources.

Which OSI layer does this protocol belong to?

  • VLAN operates at Layer 2 of the OSI model.

  • It modifies Ethernet frames using VLAN tags (IEEE 802.1Q).

  • VLAN-aware switches use these tags to forward traffic within the correct VLAN.

  • Although VLANs are Layer 2, inter-VLAN routing requires Layer 3 functionality.

Version Info

| VLAN Version | RFC Number | Year | Core Idea / Contribution |
|---|---|---|---|
| VLAN Aggregation | RFC 3069 | 2001 | Introduced Super-VLANs to allow multiple VLANs to share a single IP subnet and gateway using Proxy ARP. |
| RADIUS VLAN Attributes | RFC 4675 | 2006 | Defined RADIUS attributes for dynamic VLAN assignment and traffic prioritization (e.g., VLAN ID, priority table). |
| RADIUS Tunnel Support | RFC 2868 | 2000 | Enabled dynamic VLAN assignment using Tunnel-Private-Group-ID during user authentication. |
| VLAN MIBs | RFC 2674 | 1999 | Defined SNMP MIBs for managing VLANs and priority tagging (IEEE 802.1Q and 802.1p). |
| VXLAN | RFC 7348 | 2014 | Introduced VXLAN, a Layer 2 overlay over Layer 3 networks using 24-bit VNIs for scalable virtual networks. |
| EVPN | RFC 7432 | 2015 | Defined Ethernet VPN using BGP as a control plane for VXLAN/MPLS networks. |
| EVPN-VXLAN Integration | RFC 8365 | 2018 | Combined EVPN with VXLAN for scalable, policy-driven, multi-tenant data centers. |
| Private VLANs | RFC 5517 | 2010 | Described Layer 2 isolation within VLANs (Isolated, Community, Promiscuous ports) for secure shared environments. |

VLAN Interface Creation Test Case

  • This test verifies that a VLAN interface can be successfully created on a Linux system using the ip command. The interface should be visible in the system with the specified VLAN ID and IP configuration.

  • Step-1: Identify your physical interface.

Note

In this example, we assume eth0 is the physical interface. Adjust according to your system.

  • Step-2: Create VLAN interface.

    test:~$ sudo ip link add link eth0 name eth0.100 type vlan id 100
    test:~$ sudo ip addr add 192.168.100.1/24 dev eth0.100
    test:~$ sudo ip link set dev eth0.100 up
    
  • Step-3: Verify VLAN interface creation.

    test:~$ ip -d link show eth0.100
    
  • Expected result:

    • VLAN interface eth0.100 is created successfully.

    • It appears in the ip -d link show output with the correct VLAN ID.

    • Interface should be UP and have the IP address 192.168.100.1/24 assigned.

  • Step-4: Validation

    test:~$ ip addr show eth0.100
    eth0.100@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> ...
    inet 192.168.100.1/24 scope global eth0.100
    vlan protocol 802.1Q id 100 <REORDER_HDR> ...
    
  • Result: VLAN interface is created with name eth0.100.

VLAN Ping Test Case

  • This test verifies basic connectivity between two machines on the same VLAN using ICMP ping. Successful ping confirms correct VLAN setup and tagging (802.1Q).

  • Step-1: Configure VLAN interface on test1.

    test1:~$ sudo ip link add link eth0 name eth0.100 type vlan id 100
    test1:~$ sudo ip addr add 192.168.100.1/24 dev eth0.100
    test1:~$ sudo ip link set dev eth0.100 up
    test1:~$ ip -d link show eth0.100
    
  • Step-2: Configure VLAN interface on test2.

    test2:~$ sudo ip link add link eth0 name eth0.100 type vlan id 100
    test2:~$ sudo ip addr add 192.168.100.2/24 dev eth0.100
    test2:~$ sudo ip link set dev eth0.100 up
    test2:~$ ip -d link show eth0.100
    
  • Step-3: Ping from test1 to test2 and vice versa.

    test1:~$ ping 192.168.100.2
    test2:~$ ping 192.168.100.1
    
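  • Step-4: Verify ICMP echo and reply packets are tagged with 802.1Q VLAN header using packet capture (e.g., Wireshark or tcpdump). Capture on the parent interface eth0: a capture taken on eth0.100 shows the frames after the kernel has removed the 802.1Q tag.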

  • Expected result:

    • Ping should succeed between test1 and test2 with 0% packet loss.

    • ICMP echo request/reply packets are visible and correctly tagged with VLAN ID 100.

  • Step-5: Wireshark Capture

    Download wireshark capture
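
The tag check from Step-4, automated over a saved capture. This is an added example, not part of the original page, and the same check applies to the ARP, TCP, UDP, DNS, DHCP and HTTP capture steps in the later test cases. It assumes a classic pcap file with Ethernet link type (as written by tcpdump -w on the parent interface); the function names and the built-in sample capture are constructed for illustration.

```c
/* Added example: check that every frame in a pcap file carries the expected VLAN ID. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct vlan_stats { unsigned tagged_ok, wrong_vid, untagged, truncated; };

/* Read a 32-bit field in the file's byte order (le = 1: little-endian). */
static uint32_t rd32(const uint8_t *p, int le)
{
    return le ? (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24
              : (uint32_t)p[3] | (uint32_t)p[2] << 8 | (uint32_t)p[1] << 16 | (uint32_t)p[0] << 24;
}

/* Walk all records; returns 0, or -1 if buf is not an Ethernet pcap file. */
int check_vlan_pcap(const uint8_t *buf, size_t len, uint16_t want_vid, struct vlan_stats *st)
{
    int le;
    size_t off = 24;                               /* size of the pcap global header */

    memset(st, 0, sizeof *st);
    if (len < 24) return -1;
    switch (rd32(buf, 0)) {                        /* magic: micro- or nanosecond pcap */
    case 0xa1b2c3d4u: case 0xa1b23c4du: le = 0; break;
    case 0xd4c3b2a1u: case 0x4d3cb2a1u: le = 1; break;
    default: return -1;                            /* any other format, e.g. pcapng */
    }
    if (rd32(buf + 20, le) != 1) return -1;        /* link type 1 = Ethernet */

    while (len - off >= 16) {                      /* 16-byte per-record header */
        uint32_t incl = rd32(buf + off + 8, le);   /* captured length of this frame */
        const uint8_t *f = buf + off + 16;
        off += 16;
        if (incl > len - off) { st->truncated++; break; }
        off += incl;
        if (incl < 14) { st->truncated++; continue; }
        if (((uint16_t)f[12] << 8 | f[13]) != 0x8100) { st->untagged++; continue; }
        if (incl < 18) { st->truncated++; continue; }
        /* TCI is PCP(3) DEI(1) VID(12); only the VID is compared here */
        if ((((uint16_t)f[14] << 8 | f[15]) & 0x0FFF) == want_vid) st->tagged_ok++;
        else st->wrong_vid++;
    }
    return 0;
}

/* Append one record (zero timestamp, little-endian lengths) to a pcap buffer. */
static size_t put_frame(uint8_t *out, size_t off, const uint8_t *frame, uint8_t n)
{
    uint8_t rec[16] = {0};
    rec[8] = rec[12] = n;                          /* incl_len and orig_len */
    memcpy(out + off, rec, 16);
    memcpy(out + off + 16, frame, n);
    return off + 16 + n;
}

/* Constructed sample: headers only, VLAN 100, VLAN 200 and one untagged frame.
 * out must hold at least 128 bytes. */
size_t build_sample_pcap(uint8_t *out)
{
    static const uint8_t hdr[24] = { 0xd4, 0xc3, 0xb2, 0xa1, 2, 0, 4, 0, 0, 0, 0, 0,
                                     0, 0, 0, 0, 0xff, 0xff, 0, 0, 1, 0, 0, 0 };
    uint8_t f[18] = {0};
    size_t off = 24;

    memcpy(out, hdr, 24);
    memset(f, 0xff, 6);                            /* broadcast destination */
    f[6] = 0x02;                                   /* locally administered source */
    f[12] = 0x81; f[13] = 0x00; f[15] = 0x64;      /* 802.1Q tag, VID 100 */
    f[16] = 0x08; f[17] = 0x06;                    /* inner EtherType: ARP */
    off = put_frame(out, off, f, 18);
    f[15] = 0xC8;                                  /* same frame with VID 200 */
    off = put_frame(out, off, f, 18);
    f[12] = 0x08; f[13] = 0x06;                    /* untagged ARP frame */
    off = put_frame(out, off, f, 14);
    return off;
}

/* Usage: ./vlancheck [capture.pcap [vid]]; without arguments the sample is used. */
int main(int argc, char **argv)
{
    static uint8_t buf[1 << 20];                   /* larger files are cut off here */
    struct vlan_stats st;
    size_t len;
    uint16_t vid = argc > 2 ? (uint16_t)atoi(argv[2]) : 100;

    if (argc > 1) {
        FILE *fp = fopen(argv[1], "rb");
        if (!fp) { perror(argv[1]); return 2; }
        len = fread(buf, 1, sizeof buf, fp);
        fclose(fp);
    } else {
        len = build_sample_pcap(buf);
    }
    if (check_vlan_pcap(buf, len, vid, &st) != 0) {
        fprintf(stderr, "not a classic Ethernet pcap file\n");
        return 2;
    }
    printf("vid %u: ok=%u wrong_vid=%u untagged=%u truncated=%u\n",
           (unsigned)vid, st.tagged_ok, st.wrong_vid, st.untagged, st.truncated);
    return (st.wrong_vid || st.untagged) ? 1 : 0;
}
```

A non-zero exit status means at least one frame was untagged or carried a different VLAN ID, which is also the condition the isolation test looks for in reverse.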

VLAN Isolation Test Case

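  • This test verifies that devices on different VLANs cannot communicate directly. When VLAN isolation is functioning correctly, ping between devices in different VLANs will fail. Because test1 and test2 are also placed in different IP subnets here, the ping can fail simply for lack of a route, so rely on the packet capture in Step-4 rather than on the ping result alone to confirm isolation.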

  • Step-1: Configure VLAN 100 on test1.

    test1:~$ sudo ip link add link eth0 name eth0.100 type vlan id 100
    test1:~$ sudo ip addr add 192.168.100.1/24 dev eth0.100
    test1:~$ sudo ip link set dev eth0.100 up
    test1:~$ ip -d link show eth0.100
    
  • Step-2: Configure VLAN 200 on test2.

    test2:~$ sudo ip link add link eth0 name eth0.200 type vlan id 200
    test2:~$ sudo ip addr add 192.168.200.1/24 dev eth0.200
    test2:~$ sudo ip link set dev eth0.200 up
    test2:~$ ip -d link show eth0.200
    
  • Step-3: Attempt to ping from test1 to test2.

    test1:~$ ping 192.168.200.1
    
  • Step-4: Capture packets using Wireshark to verify that no ICMP traffic is exchanged between VLANs.

  • Expected result:

    • Ping fails with 100% packet loss.

    • No ICMP echo request/reply packets are seen.

    • Confirms VLAN isolation is working as expected.

  • Step-5: Wireshark Capture

    Download wireshark capture

VLAN Persistence Across Reboots Test Case

  • This test verifies that VLAN interfaces persist after a system reboot by using persistent network configuration via Netplan.

  • Step-1: Edit the Netplan configuration file on test1 to define a VLAN interface.

    network:
      version: 2
      ethernets:
        eth0:
          dhcp4: no
      vlans:
        vlan100:
          id: 100
          link: eth0
          addresses:
            - 192.168.100.1/24
    
  • Save the file as /etc/netplan/01-netcfg.yaml (or the appropriate Netplan config file for your system).

  • Step-2: Apply the Netplan configuration.

    test1:~$ sudo netplan apply
    
  • Step-3: Reboot the system.

    test1:~$ sudo reboot
    
  • Step-4: After reboot, verify that vlan100 interface exists and has the correct IP address.

    test1:~$ ip addr show vlan100
    
  • Expected result:

    • The interface vlan100 should be present after reboot.

    • It should have the correct IP address 192.168.100.1/24.

    • Confirms VLAN persistence via Netplan.

ARP Resolution with VLAN Tag Test Case

  • This test verifies that ARP request and reply packets are correctly tagged with a VLAN ID (802.1Q) when VLAN interfaces are used. It also confirms basic IP connectivity through successful ping.

  • Step-1: Configure VLAN interface on test1.

    test1:~$ sudo ip link add link eth0 name eth0.100 type vlan id 100
    test1:~$ sudo ip addr add 192.168.100.1/24 dev eth0.100
    test1:~$ sudo ip link set dev eth0.100 up
    test1:~$ ip -d link show eth0.100
    
  • Step-2: Configure VLAN interface on test2.

    test2:~$ sudo ip link add link eth0 name eth0.100 type vlan id 100
    test2:~$ sudo ip addr add 192.168.100.2/24 dev eth0.100
    test2:~$ sudo ip link set dev eth0.100 up
    test2:~$ ip -d link show eth0.100
    
  • Step-3: Ping between test1 and test2.

    test1:~$ ping 192.168.100.2
    test2:~$ ping 192.168.100.1
    
  • Step-4: Use Wireshark to capture packets and inspect for ARP resolution.

    • Look specifically for ARP request and reply frames tagged with VLAN ID 100.

    • Confirm that ICMP packets are also properly VLAN tagged.

  • Expected result:

    • Ping should succeed with 0% packet loss between test1 and test2.

    • ARP packets (request and reply) must include the VLAN tag (802.1Q) in packet capture.

    • ICMP packets must also include VLAN tag.

  • Step-5: Wireshark Capture

    Download wireshark capture

TCP 3-Way Handshake with VLAN Tag Test Case

  • This test verifies that TCP 3-way handshake packets and data packets are properly VLAN-tagged (802.1Q) when transmitted between two machines with VLAN interfaces on the same subnet.

  • Step-1: Configure VLAN interface on test1.

    test1:~$ sudo ip link add link eth0 name eth0.100 type vlan id 100
    test1:~$ sudo ip addr add 192.168.100.2/24 dev eth0.100
    test1:~$ sudo ip link set dev eth0.100 up
    test1:~$ ip -d link show eth0.100
    
  • Step-2: Configure VLAN interface on test2.

    test2:~$ sudo ip link add link eth0 name eth0.100 type vlan id 100
    test2:~$ sudo ip addr add 192.168.100.3/24 dev eth0.100
    test2:~$ sudo ip link set dev eth0.100 up
    test2:~$ ip -d link show eth0.100
    
  • Step-3: Create a basic TCP server on test2.

    test2:~$ vi tcp_server.c
    // Insert basic TCP server code
    
    test2:~$ gcc tcp_server.c -o tcp_server
    
  • Step-4: Create a basic TCP client on test1.

    test1:~$ vi tcp_client.c
    // Insert basic TCP client code
    
    test1:~$ gcc tcp_client.c -o tcp_client
    
  • Step-5: Run the TCP server and client to establish a connection.

    test2:~$ ./tcp_server
    test1:~$ ./tcp_client
    
  • Step-6: Capture packets using Wireshark on either side.

    • Look for TCP 3-way handshake packets (SYN, SYN-ACK, ACK) and ensure they are tagged with VLAN ID 100.

    • Also verify that any data packets exchanged are VLAN tagged.

  • Expected result:

    • TCP connection is successfully established.

    • Packet capture shows TCP handshake and data packets tagged with VLAN ID (802.1Q).

    • Confirms correct VLAN tagging for TCP traffic.

  • Step-7: Wireshark Capture

    Download wireshark capture

UDP Packets with VLAN Tag Test Case

  • This test verifies that UDP packets are properly tagged with a VLAN ID (802.1Q) when transmitted between two machines with VLAN interfaces on the same subnet.

  • Step-1: Configure VLAN interface on test1.

    test1:~$ sudo ip link add link eth0 name eth0.100 type vlan id 100
    test1:~$ sudo ip addr add 192.168.100.2/24 dev eth0.100
    test1:~$ sudo ip link set dev eth0.100 up
    test1:~$ ip -d link show eth0.100
    
  • Step-2: Configure VLAN interface on test2.

    test2:~$ sudo ip link add link eth0 name eth0.100 type vlan id 100
    test2:~$ sudo ip addr add 192.168.100.3/24 dev eth0.100
    test2:~$ sudo ip link set dev eth0.100 up
    test2:~$ ip -d link show eth0.100
    
  • Step-3: Create a basic UDP server on test2.

    test2:~$ vi udp_server.c
    // Insert basic UDP server code
    
    test2:~$ gcc udp_server.c -o udp_server
    
  • Step-4: Create a basic UDP client on test1.

    test1:~$ vi udp_client.c
    // Insert basic UDP client code
    
    test1:~$ gcc udp_client.c -o udp_client
    
  • Step-5: Run the UDP server and client to exchange packets.

    test2:~$ ./udp_server
    test1:~$ ./udp_client
    
  • Step-6: Capture packets using Wireshark.

    • Inspect the UDP packets for VLAN tagging with VLAN ID 100.

  • Expected result:

    • UDP client-server communication is successfully established.

    • Wireshark capture confirms that UDP packets are tagged with VLAN ID (802.1Q).

  • Step-7: Wireshark Capture

    Download wireshark capture

Ping Using Hostname (DNS) with VLAN Tag Test Case

  • This test verifies that DNS queries and ICMP packets are correctly VLAN tagged when hostname-based communication is performed over VLAN interfaces.

  • Step-1: Configure VLAN interface on test1.

    test1:~$ sudo ip link add link eth0 name eth0.100 type vlan id 100
    test1:~$ sudo ip addr add 192.168.100.2/24 dev eth0.100
    test1:~$ sudo ip link set dev eth0.100 up
    
  • Step-2: Configure VLAN interface on test2.

    test2:~$ sudo ip link add link eth0 name eth0.100 type vlan id 100
    test2:~$ sudo ip addr add 192.168.100.3/24 dev eth0.100
    test2:~$ sudo ip link set dev eth0.100 up
    
  • Step-3: Install and configure dnsmasq on test1.

    test1:~$ sudo apt update
    test1:~$ sudo apt install dnsmasq
    
    • Edit /etc/dnsmasq.conf and add:

    address=/vm1.local/192.168.100.2
    address=/vm2.local/192.168.100.3
    
    • Restart the dnsmasq service:

    test1:~$ sudo systemctl restart dnsmasq
    test1:~$ sudo systemctl status dnsmasq
    
  • Step-4: Configure test2 to use test1 as its DNS server.

    • Edit /etc/resolv.conf on test2:

      nameserver 192.168.100.2
      search local
      
    • Save and close the file.

  • Step-5: Test ping using hostname.

    test2:~$ ping vm1
    
  • Step-6: Capture packets using Wireshark on test1 or test2.

    • Look for DNS query/response packets and ICMP packets.

    • Confirm that all packets include VLAN tag (802.1Q) with VLAN ID 100.

  • Expected result:

    • DNS query resolves hostname successfully.

    • Ping to hostname succeeds with 0% packet loss.

    • Both DNS and ICMP packets are correctly VLAN tagged.

  • Step-7: Wireshark Capture

    Download wireshark capture

Ping Between Two Machines (DHCP) with VLAN Tag Test Case

  • This test verifies that a VLAN-tagged interface can receive an IP address via DHCP, and confirms that both DHCP and ICMP packets carry VLAN tags (802.1Q).

  • Step-1: Configure VLAN interface on test1 (DHCP Server).

    test1:~$ sudo ip link add link eth0 name eth0.100 type vlan id 100
    test1:~$ sudo ip addr add 192.168.100.1/24 dev eth0.100
    test1:~$ sudo ip link set dev eth0.100 up
    test1:~$ ip -d link show eth0.100
    
  • Step-2: Install and configure DHCP server on test1.

    test1:~$ sudo apt update
    test1:~$ sudo apt install isc-dhcp-server
    
    • Edit DHCP server interface configuration file:

      test1:~$ sudo nano /etc/default/isc-dhcp-server
      
      • Change the line:

        INTERFACESv4=""
        

        To:

        INTERFACESv4="eth0.100"
        
    • Configure DHCP range in /etc/dhcp/dhcpd.conf:

      subnet 192.168.100.0 netmask 255.255.255.0 {
          range 192.168.100.50 192.168.100.100;
          option routers 192.168.100.1;
          option subnet-mask 255.255.255.0;
          option domain-name-servers 8.8.8.8;
          default-lease-time 600;
          max-lease-time 7200;
      }
      
    • Save and restart DHCP server:

      test1:~$ sudo systemctl restart isc-dhcp-server
      test1:~$ sudo systemctl enable isc-dhcp-server
      test1:~$ sudo systemctl status isc-dhcp-server
      
  • Step-3: Configure VLAN interface on test2 (DHCP Client).

    test2:~$ sudo ip link add link eth0 name eth0.100 type vlan id 100
    test2:~$ sudo ip link set dev eth0.100 up
    
  • Step-4: Install DHCP client and request an IP address.

    test2:~$ sudo apt install isc-dhcp-client
    test2:~$ sudo dhclient eth0.100
    
  • Step-5: Verify IP address on test2.

    test2:~$ ip a show eth0.100
    
  • Step-6: Ping from test1 to the dynamically assigned IP on test2.

    test1:~$ ping <test2-assigned-IP>
    
  • Step-7: Packet Capture and VLAN Verification

    • Capture packets using Wireshark or tcpdump on either machine.

    • Look for:

      • DHCP Discover / Offer / Request / ACK packets

      • ICMP Echo Request / Reply

      • All packets should contain VLAN ID 100 (802.1Q tag)

  • Expected result:

    • DHCP IP address is successfully assigned to test2 on VLAN interface.

    • Ping between test1 and test2 succeeds with 0% packet loss.

    • All DHCP and ICMP packets are VLAN tagged.

  • Step-8: Wireshark Capture

    Download wireshark capture

VLAN Tested with IPv4 Web Server (Own) - Test Case

  • This test verifies that a self-hosted IPv4 web server is reachable via a VLAN-tagged interface and that all traffic (TCP 3-way handshake and HTTP content) carries VLAN tags.

  • Step-1: Configure VLAN interface on test1 (Web Server).

    test1:~$ sudo ip link add link eth0 name eth0.100 type vlan id 100
    test1:~$ sudo ip addr add 192.168.100.3/24 dev eth0.100
    test1:~$ sudo ip link set dev eth0.100 up
    
  • Step-2: Install and configure Apache2 on test1.

    test1:~$ sudo apt update
    test1:~$ sudo apt install apache2 -y
    test1:~$ sudo ufw allow 'Apache Full'
    test1:~$ sudo systemctl start apache2
    test1:~$ sudo systemctl enable apache2
    
  • Step-3: Create custom HTML page for the web server.

    test1:~$ sudo mkdir -p /var/www/myvlanweb.com/html
    test1:~$ sudo nano /var/www/myvlanweb.com/html/index.html
    
    • Sample HTML page:

      <html>
        <head><title>VLAN Web Test</title></head>
        <body>
          <h1>Welcome to VLAN Web Server</h1>
          <p>This is a test page served over VLAN 100</p>
        </body>
      </html>
      
    test1:~$ sudo chown -R www-data:www-data /var/www/myvlanweb.com/html
    test1:~$ sudo chmod -R 755 /var/www/myvlanweb.com
    
  • Step-4: Configure Apache virtual host.

    test1:~$ sudo nano /etc/apache2/sites-available/myvlanweb.com.conf
    
    • Add the following content:

      <VirtualHost *:80>
          ServerAdmin webmaster@localhost
          ServerName myvlanweb.com
          DocumentRoot /var/www/myvlanweb.com/html
      
          <Directory /var/www/myvlanweb.com/html>
              Options Indexes FollowSymLinks
              AllowOverride None
              Require all granted
          </Directory>
      
          ErrorLog ${APACHE_LOG_DIR}/myvlanweb_error.log
          CustomLog ${APACHE_LOG_DIR}/myvlanweb_access.log combined
      </VirtualHost>
      
    test1:~$ sudo a2ensite myvlanweb.com.conf
    test1:~$ sudo a2dissite 000-default.conf
    test1:~$ sudo apache2ctl configtest
    test1:~$ sudo systemctl reload apache2
    
  • Step-5: Configure VLAN interface on test2 (Client).

    test2:~$ sudo ip link add link eth0 name eth0.100 type vlan id 100
    test2:~$ sudo ip addr add 192.168.100.2/24 dev eth0.100
    test2:~$ sudo ip link set dev eth0.100 up
    
  • Step-6: Test connectivity and fetch webpage.

    test2:~$ curl http://192.168.100.3
    
  • Step-7: Capture packets using Wireshark.

    • Verify presence of:

      • TCP 3-way handshake (SYN, SYN-ACK, ACK)

      • HTTP GET / 200 OK responses

      • All packets must have VLAN ID 100 (802.1Q tag)

  • Expected Result:

    • Client receives full HTML response from server.

    • Ping and HTTP communication succeed.

    • VLAN tags are present in TCP and HTTP packets.

  • Step-8: Wireshark Capture

    Download wireshark capture

VLAN Tested with IPv6 Web Server (Own) - Test Case

  • This test verifies that an IPv6 web server hosted on a VLAN-tagged interface is reachable from another VLAN-tagged client, and that all traffic (TCP handshake and HTTP response) carries the correct 802.1Q VLAN tags.

  • Step-1: Configure VLAN interface with IPv6 address on test1 (Web Server).

    test1:~$ sudo ip link add link eth0 name eth0.100 type vlan id 100
    test1:~$ sudo ip addr add 192.168.100.3/24 dev eth0.100
    test1:~$ sudo ip addr add 2001:db8:100::3/64 dev eth0.100
    test1:~$ sudo ip link set dev eth0.100 up
    
  • Step-2: Install and configure Apache2 on test1.

    test1:~$ sudo apt update
    test1:~$ sudo apt install apache2 -y
    test1:~$ sudo ufw allow 'Apache Full'
    test1:~$ sudo systemctl start apache2
    test1:~$ sudo systemctl enable apache2
    
  • Step-3: Create custom HTML content for the website.

    test1:~$ sudo mkdir -p /var/www/myvlanweb.com/html
    test1:~$ sudo nano /var/www/myvlanweb.com/html/index.html
    
    • Sample HTML page:

      <html>
        <head><title>IPv6 VLAN Web Test</title></head>
        <body>
          <h1>Welcome to VLAN IPv6 Web Server</h1>
          <p>This page is served over IPv6 and VLAN 100.</p>
        </body>
      </html>
      
    test1:~$ sudo chown -R www-data:www-data /var/www/myvlanweb.com/html
    test1:~$ sudo chmod -R 755 /var/www/myvlanweb.com
    
  • Step-4: Configure Apache virtual host.

    test1:~$ sudo nano /etc/apache2/sites-available/myvlanweb.com.conf
    
    • Add the following content:

      <VirtualHost *:80>
          ServerAdmin webmaster@localhost
          ServerName myvlanweb.com
          DocumentRoot /var/www/myvlanweb.com/html
      
          <Directory /var/www/myvlanweb.com/html>
              Options Indexes FollowSymLinks
              AllowOverride None
              Require all granted
          </Directory>
      
          ErrorLog ${APACHE_LOG_DIR}/myvlanweb_error.log
          CustomLog ${APACHE_LOG_DIR}/myvlanweb_access.log combined
      </VirtualHost>
      
    test1:~$ sudo a2ensite myvlanweb.com.conf
    test1:~$ sudo a2dissite 000-default.conf
    test1:~$ sudo apache2ctl configtest
    test1:~$ sudo systemctl reload apache2
    
  • Step-5: Configure VLAN interface with IPv6 on test2 (Client).

    test2:~$ sudo ip link add link eth0 name eth0.100 type vlan id 100
    test2:~$ sudo ip addr add 192.168.100.2/24 dev eth0.100
    test2:~$ sudo ip addr add 2001:db8:100::2/64 dev eth0.100
    test2:~$ sudo ip link set dev eth0.100 up
    
  • Step-6: Test connectivity and fetch web content.

    test2:~$ ping6 2001:db8:100::3
    test2:~$ curl http://[2001:db8:100::3]/
    
  • Step-7: Packet capture and VLAN verification.

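    • Use Wireshark to capture traffic on eth0 or eth0.100. The 802.1Q tag appears only in the eth0 capture; frames seen on eth0.100 have already had the tag removed by the kernel.

    • Confirm presence of:

      • TCP 3-way handshake packets

      • HTTP GET and 200 OK responses

      • All packets tagged with VLAN ID 100 (802.1Q)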

  • Expected Result:

    • Web server is accessible from client over IPv6 on VLAN.

    • Curl outputs the expected HTML content.

    • TCP and HTTP packets show correct VLAN tagging in the capture.

  • Step-8: Wireshark Capture

    Download wireshark capture

Switch-to-Switch VLAN Trunk Test Case

  • This test verifies that a trunk connection between two Layer 2 switches correctly allows VLAN-tagged traffic to pass between two VPCS nodes in the same VLAN.

  • Step-1: Setup and connect topology in simulation tool (e.g., Cisco Packet Tracer, GNS3, or EVE-NG).

    • Drag and drop:

      • 2 Layer 2 switches (Switch A and Switch B)

      • 2 VPCS nodes (PC1 and PC2)

    • Connect as follows:

      PC1 <--> Gi0/1 (Switch A)
      Switch A Gi0/2 <--> Gi0/2 Switch B
      Gi0/1 (Switch B) <--> PC2
      
  • Step-2: Configure VLAN 10 and ports on Switch A.

    SwitchA> enable
    SwitchA# configure terminal
    SwitchA(config)# vlan 10
    SwitchA(config-vlan)# name VLAN10
    SwitchA(config-vlan)# exit
    SwitchA(config)# interface Gi0/1
    SwitchA(config-if)# switchport mode access
    SwitchA(config-if)# switchport access vlan 10
    SwitchA(config-if)# no shutdown
    SwitchA(config-if)# exit
    SwitchA(config)# interface Gi0/2
    SwitchA(config-if)# switchport trunk encapsulation dot1q
    SwitchA(config-if)# switchport mode trunk
    SwitchA(config-if)# no shutdown
    SwitchA(config-if)# exit
    
  • Step-3: Configure VLAN 10 and ports on Switch B (repeat similar steps).

    SwitchB> enable
    SwitchB# configure terminal
    SwitchB(config)# vlan 10
    SwitchB(config-vlan)# name VLAN10
    SwitchB(config-vlan)# exit
    SwitchB(config)# interface Gi0/1
    SwitchB(config-if)# switchport mode access
    SwitchB(config-if)# switchport access vlan 10
    SwitchB(config-if)# no shutdown
    SwitchB(config-if)# exit
    SwitchB(config)# interface Gi0/2
    SwitchB(config-if)# switchport trunk encapsulation dot1q
    SwitchB(config-if)# switchport mode trunk
    SwitchB(config-if)# no shutdown
    SwitchB(config-if)# exit
    
  • Step-4: Configure IP addresses on VPCS nodes.

    PC1> ip 192.168.10.2 255.255.255.0
    PC2> ip 192.168.10.3 255.255.255.0
    
  • Step-5: Perform Ping Test.

    PC1> ping 192.168.10.3
    PC2> ping 192.168.10.2
    
  • Step-6: Capture traffic using Wireshark on the trunk link (Gi0/2 <--> Gi0/2).

    • Filter: vlan

    • Check for:

      • ICMP Echo Requests and Replies

      • 802.1Q VLAN tags (ID: 10)

  • Expected Result:

    • Ping should be successful with 0% packet loss.

    • ICMP packets are encapsulated with 802.1Q VLAN tags on trunk port.

  • Step-7: Wireshark Capture

    Download wireshark capture

Linux-to-Linux VLAN Trunk Test Case

  • This test verifies that VLAN trunking works between two Linux machines configured with multiple VLAN interfaces, allowing communication over multiple VLANs (e.g., VLAN 10 and VLAN 20).

  • Step-1: Configure VLAN interfaces on test1 (Linux Machine 1).

    test1:~$ sudo ip link add link eth0 name eth0.10 type vlan id 10
    test1:~$ sudo ip addr add 192.168.10.1/24 dev eth0.10
    test1:~$ sudo ip link set dev eth0.10 up
    
    test1:~$ sudo ip link add link eth0 name eth0.20 type vlan id 20
    test1:~$ sudo ip addr add 192.168.20.1/24 dev eth0.20
    test1:~$ sudo ip link set dev eth0.20 up
    
  • Step-2: Configure VLAN interfaces on test2 (Linux Machine 2).

    test2:~$ sudo ip link add link eth0 name eth0.10 type vlan id 10
    test2:~$ sudo ip addr add 192.168.10.2/24 dev eth0.10
    test2:~$ sudo ip link set dev eth0.10 up
    
    test2:~$ sudo ip link add link eth0 name eth0.20 type vlan id 20
    test2:~$ sudo ip addr add 192.168.20.2/24 dev eth0.20
    test2:~$ sudo ip link set dev eth0.20 up
    
  • Step-3: Test connectivity over VLAN interfaces from test1.

    test1:~$ ping 192.168.10.2    # VLAN 10
    test1:~$ ping 192.168.20.2    # VLAN 20
    
  • Step-4: Verify VLAN tag presence in packets using Wireshark.

    • Confirm:

      • ICMP Echo Requests and Replies

      • VLAN 802.1Q tags (ID 10 and 20)

  • Expected Result:

    • Ping should be successful for both VLAN 10 and VLAN 20.

    • VLAN tags (802.1Q) should be present in ICMP packets during capture.

  • Step-5: Wireshark Capture

    Download wireshark capture

VLAN Tag Priority Bits (PCP) Test Case

  • This test verifies that all 7 combinations of PCP (Priority Code Point) values (001 to 111) in the 802.1Q VLAN tag are correctly set and visible in packet captures using Wireshark.

  • Step-1: Prepare the common VLAN packet send code (vlan_send_template.c)

    test1:~$ vi vlan_send_template.c
    # (Write the common C code that constructs and sends a VLAN tagged Ethernet frame)
    # (This includes logic to set the TCI field using PCP_VALUE macro)
    

    Download vlan_send_template.c

  • Step-2: Create one example wrapper file (send_pcp1.c) for PCP value = 1

    #define PCP_VALUE 1
    #include "vlan_send_template.c"
    
    test1:~$ gcc send_pcp1.c -o send_pcp1
    test1:~$ sudo ./send_pcp1
    
  • Step-3: Repeat Step-2 for remaining PCP values (2, 3, 4, 5, 6, 7)

    • Create send_pcp0.c, send_pcp2.c, …, send_pcp7.c by changing PCP_VALUE

    • Compile and run each one similarly to generate corresponding packets

  • Step-4: Capture packets using Wireshark while each binary is run

    • Apply display filter in Wireshark: vlan

    • Observe the “Priority” field in the VLAN tag

    • Confirm PCP field shows values 1–7 as expected

  • Expected Result:

    • Each compiled binary should send a packet with correct PCP bits (0–7).

    • Wireshark should display the VLAN tag with corresponding PCP (Priority) field value.

  • Step-5: Wireshark Capture

    Download wireshark capture

VLAN Tag DEI (Drop Eligible Indicator) Bit Test Case

  • This test verifies that the DEI (Drop Eligible Indicator) bit in the 802.1Q VLAN tag can be set to 1 using raw socket programming in Linux and is visible in packet captures using Wireshark.

  • Step-1: Write a C program to send ICMP packet with VLAN tag (DEI = 1)

    Download dei_bit.c source code

  • Step-2: Compile and run the code on a Linux machine with proper permissions

    test1:~$ gcc dei_bit.c -o dei_bit
    test1:~$ sudo ./dei_bit
    
  • Step-3: Capture the outgoing packet using Wireshark on the same interface

    • Apply display filter: vlan

    • Check the DEI (Drop Eligible Indicator) field in the VLAN header

    • Ensure DEI = 1 is present in the packet

  • Expected Result:

    • The ICMP Echo Request packet should be visible in Wireshark.

    • VLAN tag with DEI = 1 should be clearly shown under VLAN header details.

  • Step-4: Wireshark Capture

    Download wireshark capture

  • Notes:

    • DEI field is useful in congestion management. It marks the frame as eligible for discard if congestion occurs.

    • Default DEI is 0. This test explicitly sets it to 1.
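
The TCI arithmetic that the PCP and DEI test cases above rely on, as an added example. It is not the page's vlan_send_template.c or dei_bit.c, and the function names are hypothetical; it builds the 18-byte tagged Ethernet header in memory only, using constructed MAC addresses.

```c
/* Added example: encode and decode the 16-bit TCI of an 802.1Q tag. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TPID_8021Q 0x8100u

struct vlan_tci { uint8_t pcp; uint8_t dei; uint16_t vid; };

/* TCI layout, most significant bit first: PCP (3 bits) | DEI (1 bit) | VID (12 bits).
 * Stores the host-order TCI and returns 0, or returns -1 when a value does not
 * fit its field. VID 0 is a priority-only tag; VID 4095 is reserved and rejected. */
int tci_pack(unsigned pcp, unsigned dei, unsigned vid, uint16_t *tci)
{
    if (pcp > 7 || dei > 1 || vid > 4094) return -1;
    *tci = (uint16_t)(pcp << 13 | dei << 12 | vid);
    return 0;
}

/* Split a host-order TCI back into its three fields. */
struct vlan_tci tci_unpack(uint16_t tci)
{
    struct vlan_tci t;
    t.pcp = (uint8_t)(tci >> 13);
    t.dei = (uint8_t)((tci >> 12) & 1);
    t.vid = (uint16_t)(tci & 0x0FFF);
    return t;
}

/* Write destination MAC, source MAC, TPID, TCI and inner EtherType in network
 * byte order. Returns the 18 bytes written, or 0 on a bad field or short buffer. */
size_t build_tagged_header(uint8_t *out, size_t cap, const uint8_t dst[6], const uint8_t src[6],
                           unsigned pcp, unsigned dei, unsigned vid, uint16_t inner_type)
{
    uint16_t tci;

    if (cap < 18 || tci_pack(pcp, dei, vid, &tci) != 0) return 0;
    memcpy(out, dst, 6);
    memcpy(out + 6, src, 6);
    out[12] = (uint8_t)(TPID_8021Q >> 8);
    out[13] = (uint8_t)(TPID_8021Q & 0xff);
    out[14] = (uint8_t)(tci >> 8);                 /* high byte first on the wire */
    out[15] = (uint8_t)(tci & 0xff);
    out[16] = (uint8_t)(inner_type >> 8);
    out[17] = (uint8_t)(inner_type & 0xff);
    return 18;
}

int main(void)
{
    /* Constructed addresses: broadcast destination, locally administered source. */
    const uint8_t dst[6] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
    const uint8_t src[6] = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x01 };
    uint8_t h[18];
    unsigned pcp;

    /* One header per PCP value on VLAN 100, inner EtherType IPv4. */
    for (pcp = 0; pcp <= 7; pcp++) {
        build_tagged_header(h, sizeof h, dst, src, pcp, 0, 100, 0x0800);
        printf("PCP %u DEI 0 VID 100 -> TCI bytes %02x %02x\n", pcp, h[14], h[15]);
    }
    /* The DEI test case: same VLAN, default priority, DEI set to 1. */
    build_tagged_header(h, sizeof h, dst, src, 0, 1, 100, 0x0800);
    printf("PCP 0 DEI 1 VID 100 -> TCI bytes %02x %02x\n", h[14], h[15]);
    return 0;
}
```

The two TCI bytes printed for each case are the bytes that follow 81 00 in the hex pane of the capture.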

Same VLAN, Different Subnets Ping Test Case

  • This test verifies that devices in the same VLAN but assigned to different subnets can communicate when routed via a router subinterface using dot1Q encapsulation.

  • Step-1: Configure VLAN 10 on the Switch (Layer 2)

    Switch> enable
    Switch# configure terminal
    
    Switch(config)# interface GigabitEthernet0/1
    Switch(config-if)# switchport mode access
    Switch(config-if)# switchport access vlan 10
    Switch(config-if)# exit
    
    Switch(config)# interface GigabitEthernet0/2
    Switch(config-if)# switchport mode access
    Switch(config-if)# switchport access vlan 10
    Switch(config-if)# exit
    
    Switch(config)# interface GigabitEthernet0/0
    Switch(config-if)# switchport trunk encapsulation dot1q
    Switch(config-if)# switchport mode trunk
    Switch(config-if)# switchport trunk allowed vlan 10
    Switch(config-if)# exit
    
    Switch(config)# exit
    Switch# write memory
    
  • Step-2: Configure Router subinterfaces for inter-subnet routing over VLAN 10

    Router> enable
    Router# configure terminal
    
    Router(config)# interface FastEthernet0/0.10
    Router(config-subif)# encapsulation dot1Q 10
    Router(config-subif)# ip address 192.168.1.1 255.255.255.224
    Router(config-subif)# ip address 192.168.1.33 255.255.255.224 secondary
    Router(config-subif)# exit
    
    Router(config)# interface FastEthernet0/0
    Router(config-if)# no ip address
    Router(config-if)# no shutdown
    Router(config-if)# exit
    
    Router(config)# exit
    Router# write memory
    
  • Step-3: Assign IP addresses to PCs in different subnets (still in same VLAN)

    PC1> ip 192.168.1.10 255.255.255.224 192.168.1.1
    PC2> ip 192.168.1.40 255.255.255.224 192.168.1.33
    
  • Step-4: Test inter-subnet connectivity

    PC1> ping 192.168.1.40
    PC2> ping 192.168.1.10
    
  • Step-5: Verify packets using Wireshark (capture on trunk or router interface)

    • Confirm:

      • ICMP Echo Request and Reply packets

      • 802.1Q VLAN tags with VLAN ID 10

      • Routing is performed between subnets even within the same VLAN

  • Expected Result:

    • Ping should succeed between hosts on different subnets but within the same VLAN.

    • ICMP packets should contain 802.1Q VLAN tag with VLAN ID 10.

    • Routing should occur on the router’s subinterface with multiple subnet addresses.

  • Step-6: Wireshark Capture

    Download wireshark capture

IP Communication Across Aggregated VLANs (IRB with BVI) Test Case

  • This test verifies communication between hosts in different VLANs but in the same IP subnet using Integrated Routing and Bridging (IRB) with a Bridge Virtual Interface (BVI) on the router.

  • Step-1: Enable Integrated Routing on the Router

    Router> enable
    Router# configure terminal
    Router(config)# bridge irb
    
  • Step-2: Configure VLANs on the Switch

    Switch> enable
    Switch# configure terminal
    
    Switch(config)# vlan 10
    Switch(config-vlan)# exit
    
    Switch(config)# vlan 20
    Switch(config-vlan)# exit
    
    Switch(config)# interface GigabitEthernet0/1
    Switch(config-if)# switchport mode access
    Switch(config-if)# switchport access vlan 10
    Switch(config-if)# exit
    
    Switch(config)# interface GigabitEthernet0/2
    Switch(config-if)# switchport mode access
    Switch(config-if)# switchport access vlan 20
    Switch(config-if)# exit
    
    Switch(config)# interface GigabitEthernet0/3
    Switch(config-if)# switchport trunk encapsulation dot1q
    Switch(config-if)# switchport mode trunk
    Switch(config-if)# switchport trunk allowed vlan 10,20
    Switch(config-if)# exit
    Switch(config)# exit
    
    Switch# write memory
    
  • Step-3: Configure Router Subinterfaces for VLANs

    Router(config)# interface FastEthernet0/0.10
    Router(config-subif)# encapsulation dot1Q 10
    Router(config-subif)# bridge-group 1
    Router(config-subif)# no ip address
    Router(config-subif)# exit
    
    Router(config)# interface FastEthernet0/0.20
    Router(config-subif)# encapsulation dot1Q 20
    Router(config-subif)# bridge-group 1
    Router(config-subif)# no ip address
    Router(config-subif)# exit
    
  • Step-4: Configure Bridge Virtual Interface (BVI)

    Router(config)# interface BVI1
    Router(config-if)# ip address 192.168.10.1 255.255.255.0
    Router(config-if)# no shutdown
    Router(config-if)# exit
    
    Router(config)# bridge 1 protocol ieee
    Router(config)# bridge 1 route ip
    
  • Step-5: Assign IP addresses to PCs in different VLANs but same subnet

    PC1> ip 192.168.10.10 255.255.255.0 192.168.10.1
    PC2> ip 192.168.10.20 255.255.255.0 192.168.10.1
    
  • Step-6: Test Connectivity Between PCs

    PC1> ping 192.168.10.20
    PC2> ping 192.168.10.10
    
  • Step-7: Wireshark Capture Verification

    • Confirm:

      • ICMP Echo Request and Echo Reply

      • VLAN tags (802.1Q) for VLAN 10 and VLAN 20

      • Communication is successful across VLANs through the BVI interface

  • Expected Result:

    • Ping should succeed between devices on different VLANs but within the same subnet.

    • VLAN-tagged packets (with VLAN IDs 10 and 20) should be visible in the capture.

    • Routing is achieved via the router’s BVI interface, enabling cross-VLAN communication.

  • Step-8: Wireshark Capture

    Download wireshark capture
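
Steps 2 and 3 only work together when the VLAN IDs allowed on the switch trunk match the router's dot1Q subinterfaces. The following is an added example, not part of the original page: a Python check over running-config style text that reports VLANs missing from, or left over on, the trunk. The config fragments are constructed from the commands above and all function names are illustrative.

```python
import re

# Constructed running-config fragments mirroring Step-2 and Step-3 above.
SWITCH_CFG = """\
interface GigabitEthernet0/3
 switchport mode trunk
 switchport trunk allowed vlan 10,20
"""

ROUTER_CFG = """\
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 bridge-group 1
 no ip address
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 bridge-group 1
 no ip address
interface BVI1
 ip address 192.168.10.1 255.255.255.0
"""

# Constructed "drifted" trunk: VLAN 20 dropped, VLANs 30-31 left over.
DRIFTED_SWITCH_CFG = """\
interface GigabitEthernet0/3
 switchport mode trunk
 switchport trunk allowed vlan 10,30-31
"""


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '10,30-31' into {10, 30, 31}."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def interface_blocks(config):
    """Map each 'interface X' stanza to its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
            blocks[current] = []
        elif current and line[:1].isspace() and line.strip():
            blocks[current].append(line.strip())
        else:
            current = None
    return blocks


def routed_vlans(router_cfg):
    """Return {vlan_id: bridge_group or None} for every dot1Q subinterface."""
    result = {}
    for lines in interface_blocks(router_cfg).values():
        vlan = group = None
        for line in lines:
            m = re.fullmatch(r"encapsulation dot1[qQ] (\d+)", line)
            if m:
                vlan = int(m.group(1))
            m = re.fullmatch(r"bridge-group (\d+)", line)
            if m:
                group = int(m.group(1))
        if vlan is not None:
            result[vlan] = group
    return result


def audit_trunk(switch_cfg, trunk_port, router_cfg):
    """Compare the trunk's allowed-VLAN list with the router's subinterfaces."""
    lines = interface_blocks(switch_cfg).get(trunk_port)
    if lines is None:
        raise ValueError(f"{trunk_port} not found in switch config")
    allowed = None
    for line in lines:
        m = re.fullmatch(r"switchport trunk allowed vlan ([\d,\- ]+)", line)
        if m:
            allowed = expand_vlan_list(m.group(1))
    if allowed is None:
        # IOS default: a trunk without an allowed list carries all VLANs.
        return [f"{trunk_port}: no allowed-VLAN list, trunk carries every VLAN"]
    needed = set(routed_vlans(router_cfg))
    findings = [f"VLAN {v}: router subinterface exists but trunk does not allow it"
                for v in sorted(needed - allowed)]
    findings += [f"VLAN {v}: allowed on trunk but unused by the router"
                 for v in sorted(allowed - needed)]
    return findings


if __name__ == "__main__":
    for cfg in (SWITCH_CFG, DRIFTED_SWITCH_CFG):
        print(audit_trunk(cfg, "GigabitEthernet0/3", ROUTER_CFG) or "trunk matches router")
    print(routed_vlans(ROUTER_CFG))
```

An empty result means the trunk carries exactly the VLANs the router terminates; `routed_vlans` also shows which VLANs the router places in the same bridge group.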

Broadcast Isolation Across VLANs Test Case

  • This test verifies that Layer 2 broadcasts are isolated between VLANs, even if the IP subnet is shared, by sending a directed broadcast from one VLAN and ensuring it is not propagated to hosts in another VLAN.

  • Prerequisite:

    • Use the same setup as described in the previous test case (IRB routing via router subinterfaces and BVI).

    • PC1 is in VLAN 10 and PC2 is in VLAN 20.

    • Both are in the same IP subnet 192.168.10.0/24.

  • Step-1: Send Directed Broadcast from PC1 (VLAN 10)

    PC1> ping 192.168.10.255
    
  • Step-2: Monitor PC2 (VLAN 20) for Response

    • No response should be observed.

    • Optionally, run Wireshark or packet capture on PC2 or on a trunk port between switch and router.

  • Step-3: Wireshark Verification

    • On VLAN 20 side (PC2 or router trunk):

      • No ICMP Echo Requests for destination 192.168.10.255 should be seen.

    • On VLAN 10 side:

      • ICMP Echo Request should be seen.

      • Destination MAC should be broadcast (FF:FF:FF:FF:FF:FF).

      • VLAN tag with ID 10 should be present.

  • Expected Result:

    • PC2 (in VLAN 20) should not receive any of the broadcast ICMP packets sent by PC1 (in VLAN 10).

    • Layer 2 broadcast traffic is contained within VLAN 10.

  • Step-4: Wireshark Capture

    Download broadcast isolation capture
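
The Step-3 checks can be automated over raw captured frames. The following is an added example, not part of the original page: it parses Ethernet, the 4-byte 802.1Q tag (TPID 0x8100 plus TCI), IPv4 and ICMP, then reports any echo request to 192.168.10.255 seen outside VLAN 10. The frames and MAC addresses are constructed in the code and all function names are illustrative.

```python
import ipaddress
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
ICMP_ECHO_REQUEST = 8
BROADCAST_MAC = b"\xff" * 6


def parse_frame(frame):
    """Parse Ethernet II, one optional 802.1Q tag, IPv4 and the ICMP type."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    info = {"dst_mac": frame[0:6], "src_mac": frame[6:12], "vlan": None,
            "pcp": None, "dei": None, "dst_ip": None, "icmp_type": None}
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["pcp"] = tci >> 13          # 3-bit priority
        info["dei"] = (tci >> 12) & 1    # 1-bit DEI (formerly CFI)
        info["vlan"] = tci & 0x0FFF      # 12-bit VLAN ID
        offset = 18
    if ethertype != ETHERTYPE_IPV4 or len(frame) < offset + 20:
        return info
    ihl = (frame[offset] & 0x0F) * 4     # IPv4 header length in bytes
    if ihl < 20 or len(frame) < offset + ihl:
        return info
    info["dst_ip"] = ipaddress.IPv4Address(frame[offset + 16:offset + 20])
    if frame[offset + 9] == 1 and len(frame) > offset + ihl:   # protocol 1 = ICMP
        info["icmp_type"] = frame[offset + ihl]
    return info


def build_echo_request(dst_mac, src_mac, vlan, src_ip, dst_ip):
    """Build a constructed test frame; checksums are left at 0 (not validated here)."""
    tag = b"" if vlan is None else struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 1, 1)
    return dst_mac + src_mac + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip + icmp


def source_side_ok(frames, vlan, broadcast_ip):
    """True if the capture holds a broadcast echo request tagged with `vlan`."""
    target = ipaddress.IPv4Address(broadcast_ip)
    return any(f["icmp_type"] == ICMP_ECHO_REQUEST and f["dst_ip"] == target
               and f["dst_mac"] == BROADCAST_MAC and f["vlan"] == vlan
               for f in map(parse_frame, frames))


def leaked_broadcasts(frames, source_vlan, broadcast_ip):
    """Return parsed echo requests to broadcast_ip seen outside source_vlan.

    Untagged frames (vlan None, e.g. captured on PC2's access port) count as leaks.
    """
    target = ipaddress.IPv4Address(broadcast_ip)
    return [f for f in map(parse_frame, frames)
            if f["icmp_type"] == ICMP_ECHO_REQUEST and f["dst_ip"] == target
            and f["vlan"] != source_vlan]


# Constructed sample captures (locally administered MAC addresses).
PC1_MAC = bytes.fromhex("020000000010")
PC2_MAC = bytes.fromhex("020000000020")
BCAST_IP = "192.168.10.255"
REQ_VLAN10 = build_echo_request(BROADCAST_MAC, PC1_MAC, 10, "192.168.10.10", BCAST_IP)
UNICAST_VLAN20 = build_echo_request(PC2_MAC, PC1_MAC, 20, "192.168.10.10", "192.168.10.20")
CLEAN_TRUNK = [REQ_VLAN10, UNICAST_VLAN20]
LEAKY_TRUNK = CLEAN_TRUNK + [
    build_echo_request(BROADCAST_MAC, PC1_MAC, 20, "192.168.10.10", BCAST_IP)]
PC2_ACCESS_LEAK = [
    build_echo_request(BROADCAST_MAC, PC1_MAC, None, "192.168.10.10", BCAST_IP)]

if __name__ == "__main__":
    print("VLAN 10 side ok:", source_side_ok(CLEAN_TRUNK, 10, BCAST_IP))
    for name, cap in (("clean trunk", CLEAN_TRUNK), ("leaky trunk", LEAKY_TRUNK),
                      ("PC2 access port", PC2_ACCESS_LEAK)):
        leaks = leaked_broadcasts(cap, 10, BCAST_IP)
        print(name, "->", [f["vlan"] for f in leaks] or "no leak")
```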

Super VLAN Hierarchy Communication Test Case

  • This test verifies communication between hosts assigned to different Sub-VLANs under a common Super VLAN, using Integrated Routing and Bridging (IRB) on a router to forward traffic.

  • Step-1: Configure VLANs and Ports on the Switch

    Switch> enable
    Switch# configure terminal
    Switch(config)# vlan 100
    Switch(config-vlan)# name SuperVLAN
    Switch(config-vlan)# exit
    Switch(config)# vlan 101
    Switch(config-vlan)# name SubVLAN1
    Switch(config-vlan)# exit
    Switch(config)# vlan 102
    Switch(config-vlan)# name SubVLAN2
    Switch(config-vlan)# exit
    
    Switch(config)# interface GigabitEthernet0/1
    Switch(config-if)# switchport mode access
    Switch(config-if)# switchport access vlan 101
    Switch(config-if)# exit
    
    Switch(config)# interface GigabitEthernet0/2
    Switch(config-if)# switchport mode access
    Switch(config-if)# switchport access vlan 102
    Switch(config-if)# exit
    
    Switch(config)# interface GigabitEthernet0/3
    Switch(config-if)# switchport trunk encapsulation dot1q
    Switch(config-if)# switchport mode trunk
    Switch(config-if)# switchport trunk allowed vlan 101,102
    Switch(config-if)# exit
    Switch(config)# exit
    Switch# write memory
    
  • Step-2: Configure Router IRB and Subinterfaces

    Router> enable
    Router# configure terminal
    Router(config)# bridge irb
    
    Router(config)# interface FastEthernet0/0.101
    Router(config-subif)# encapsulation dot1Q 101
    Router(config-subif)# bridge-group 1
    Router(config-subif)# no ip address
    Router(config-subif)# exit
    
    Router(config)# interface FastEthernet0/0.102
    Router(config-subif)# encapsulation dot1Q 102
    Router(config-subif)# bridge-group 1
    Router(config-subif)# no ip address
    Router(config-subif)# exit
    
    
    Router(config)# interface BVI1
    Router(config-if)# ip address 10.0.0.1 255.255.255.0
    Router(config-if)# no shutdown
    Router(config-if)# exit
    
    Router(config)# bridge 1 protocol ieee
    Router(config)# bridge 1 route ip
    
  • Step-3: Configure IP Addresses on End Devices (PC1 & PC2)

    PC1> ip 10.0.0.10 255.255.255.0 10.0.0.1
    PC2> ip 10.0.0.20 255.255.255.0 10.0.0.1
    
  • Step-4: Test IP Connectivity

    PC1> ping 10.0.0.20    # To PC2
    PC1> ping 10.0.0.1     # To Router BVI1
    PC2> ping 10.0.0.10    # To PC1
    
  • Step-5: Wireshark Verification

    • Verify on router or switch trunk port:

      • ICMP Echo Requests and Replies are seen

      • VLAN tags (802.1Q) with IDs 101 and 102 are present

      • Destination MAC reflects correct endpoint

  • Expected Result:

    • Ping between PC1 and PC2 (from different Sub-VLANs) is successful

    • Router forwards packets between sub-VLANs under the same Super VLAN

    • 802.1Q tags with VLAN ID 101/102 are visible in packet captures

  • Step-6: Wireshark Capture

    Download VLAN Hierarchy pcap

  • Setup

Echo Request Packet

| S.No | Protocol Packets | Description | Size(bytes) |
| --- | --- | --- | --- |
| 1 | Echo Request | It is a type of message used in the ICMP to test the reachability of a network device. | 42 |
| | VLAN Tag | IEEE 802.1Q tag containing VLAN ID, Priority, and CFI | 2 |
| | Type | Indicates the type of ICMP message. 8 - specifies this is an Echo Request | 1 |
| | Code | Provides further information about the type. 0 - Always Zero for echo requests | 1 |
| | Checksum | Used for error-checking the ICMP header and data. | 2 |
| | Identifier | Used to match requests and replies, usually set by sender. | 2 |
| | Sequence Number | Used to match requests and replies | 2 |
| | Data | Optional data sent with the request | 32 |

Echo Reply Packet

| S.No | Protocol Packets | Description | Size(bytes) |
| --- | --- | --- | --- |
| 2 | Echo Reply | The response to an echo request, confirming the machine’s status and providing round-trip time data. | 42 |
| | VLAN Tag | IEEE 802.1Q tag containing VLAN ID, Priority, and CFI | 2 |
| | Type | Indicates the type of ICMP message. 0 - specifies this is an Echo Reply | 1 |
| | Code | Provides further information about the type. 0 - Always Zero for echo replies | 1 |
| | Checksum | Used for error-checking the ICMP header and data. | 2 |
| | Identifier | Matches the identifier from the Echo Request | 2 |
| | Sequence Number | Matches the sequence number from the Echo Request | 2 |
| | Data | Optional data sent with the request | 32 |

DNS Query Packet

| S.No | Protocol Packets | Description | Size(bytes) |
| --- | --- | --- | --- |
| 3 | DNS Query Packet | Client sends a query to a DNS server requesting the IP address associated with a domain name. | 28-50 bytes |
| | VLAN Tag | IEEE 802.1Q tag containing VLAN ID, Priority, and CFI | 2 |
| | Header | Contains essential information about the DNS query or response. | 12 |
| | ID | Copied in the corresponding response to match queries and responses | 2 |
| | QR | Indicates whether the message is a query (0) or a response (1) | 2 bits |
| | Opcode | Specifies the kind of query (e.g., standard query, inverse query) | 2 bits |
| | AA (Authoritative Answer) | Indicates if the responding server is an authority for the domain name. | 2 bits |
| | TC (Truncation) | Indicates if the message was truncated | 2 bits |
| | RD (Recursion Desired) | Set by the client to indicate if recursive query support is desired | 2 bits |
| | RA (Recursion Available) | Set by the server to indicate if recursive query support is available | 2 bits |
| | Z | Reserved for future use, must be zero | 2 bits |
| | RCODE (Response Code) | Indicates the status of the response | 2 bits |
| | QDCOUNT | Number of entries in the question section | 2 |
| | ANCOUNT | Number of resource records in answer section | 2 |
| | NSCOUNT | Number of name server resource records in the authority section | 2 |
| | ARCOUNT | Number of resource records in the additional records section | 2 |
| | Question Section | Contains the query for the DNS server | |
| | QNAME | The domain name being queried | variable (255) |
| | QTYPE | The type of the query (e.g., A, MX) | 2 |
| | QCLASS | The class of the query (e.g., IN for internet) | 2 |

DNS Response Packet

| S.No | Protocol Packets | Description | Size(bytes) |
| --- | --- | --- | --- |
| 4 | DNS Response Packet | Sent by a DNS server to reply to a client’s query | 45-100 bytes |
| | VLAN Tag | IEEE 802.1Q tag containing VLAN ID, Priority, and CFI | 2 |
| | Header | Contains essential information about the DNS query or response | 12 |
| | ID | Copied in the corresponding response to match queries and responses | 2 |
| | QR | Indicates whether the message is a query (0) or a response (1) | 2 bits |
| | Opcode | Specifies the kind of query | 2 bits |
| | AA (Authoritative Answer) | Indicates if the server is authoritative | 2 bits |
| | TC (Truncation) | Indicates if the message was truncated | 2 bits |
| | RD (Recursion Desired) | Set by the client | 2 bits |
| | RA (Recursion Available) | Set by the server | 2 bits |
| | Z | Reserved for future use | 2 bits |
| | RCODE (Response Code) | Indicates the status of the response | 2 bits |
| | QDCOUNT | Number of entries in the question section | 2 |
| | ANCOUNT | Number of resource records in answer section | 2 |
| | NSCOUNT | Number of name server resource records in the authority section | 2 |
| | ARCOUNT | Number of resource records in the additional records section | 2 |
| | Question Section | Contains the query for the DNS server | |
| | QNAME | The domain name being queried | variable (255) |
| | QTYPE | The type of the query (e.g., A, MX) | 2 |
| | QCLASS | The class of the query (e.g., IN) | 2 |
| | Answer Section | Contains resource records answering the question | |
| | NAME | Domain name to which this resource record pertains | variable (255) |
| | TYPE | Type of the resource record (e.g., A, MX) | 2 |
| | CLASS | Class of the resource record (e.g., IN) | 2 |
| | TTL | Time interval that the record may be cached | 4 |
| | RDLENGTH | Length of the RDATA field | 2 |
| | RDATA | Data of the resource record | variable (65535) |
| | Authority Section | Contains resource records pointing to authoritative name servers | |
| | NAME | Domain name | variable (255) |
| | TYPE | Type of the resource record | 2 |
| | CLASS | Class of the resource record | 2 |
| | TTL | Time interval that the record may be cached | 4 |
| | RDLENGTH | Length of the RDATA field | 2 |
| | RDATA | Data of the resource record | variable (65535) |
| | Additional Section | Contains additional information | |
| | NAME | Domain name | variable (255) |
| | TYPE | Type of the resource record | 2 |
| | CLASS | Class of the resource record | 2 |
| | TTL | Time interval that the record may be cached | 4 |
| | RDLENGTH | Length of the RDATA field | 2 |
| | RDATA | Data of the resource record | variable (65535) |

DHCP Discover Packet

| S.No | Protocol Packets | Description | Size(bytes) |
| --- | --- | --- | --- |
| 5 | DHCP Discover | Sent by a client to locate available DHCP servers | 262 |
| | VLAN Tag | IEEE 802.1Q tag containing VLAN ID, Priority, and CFI | 2 |
| | Operation Code (op) | Specifies the type of DHCP message: 1 (BOOT REQUEST) | 1 |
| | Hardware Type (htype) | Indicates the type of hardware used for the network | 1 |
| | Hardware Address Length (hlen) | Specifies the length of the hardware address (MAC address) in bytes | 1 |
| | Hops | Number of relay agents that have forwarded this message | 1 |
| | Transaction Identifier (xid) | Unique identifier used by the client to match responses | 4 |
| | Seconds (secs) | Elapsed time since the client started the DHCP process | 2 |
| | Flags | Broadcast flag | 2 |
| | Client IP Address (ciaddr) | Client’s IP address (if already assigned) | 4 |
| | Your IP Address (yiaddr) | IP address to be assigned | 4 |
| | Server IP Address (siaddr) | Next server IP (e.g., for TFTP) | 4 |
| | Gateway IP Address (giaddr) | Relay agent IP address | 4 |
| | Client Hardware Address | Client’s MAC address | 16 |
| | Server Hostname (sname) | Optional server hostname | 64 |
| | Boot File Name (file) | Optional boot file name | 128 |
| | Options | DHCP Message Type (53=1), Parameter Request List (55), Client ID (61), Hostname (12), Requested IP (50) | Variable |

DHCP Offer Packet

| S.No | Protocol Packets | Description | Size(bytes) |
| --- | --- | --- | --- |
| 6 | DHCP Offer | Sent by server in response to Discover, offering IP and config | 271 |
| | VLAN Tag | IEEE 802.1Q tag containing VLAN ID, Priority, and CFI | 2 |
| | Operation Code (op) | 2 (BOOT REPLY) | 1 |
| | Hardware Type (htype) | Type of hardware | 1 |
| | Hardware Address Length (hlen) | Length of MAC address | 1 |
| | Hops | Number of relay agents | 1 |
| | Transaction Identifier (xid) | Matches client’s Discover | 4 |
| | Seconds (secs) | Time since DHCP started | 2 |
| | Flags | Broadcast flag | 2 |
| | Client IP Address (ciaddr) | Client’s IP (if any) | 4 |
| | Your IP Address (yiaddr) | Offered IP address | 4 |
| | Server IP Address (siaddr) | Server’s IP | 4 |
| | Gateway IP Address (giaddr) | Relay agent IP | 4 |
| | Client Hardware Address | Client’s MAC address | 16 |
| | Server Hostname (sname) | Optional | 64 |
| | Boot File Name (file) | Optional | 128 |
| | Options | DHCP Message Type (53=2), Server ID (54), Subnet Mask (1), Router (3), Lease Time (51), DNS (6) | 37 |

DHCP Request Packet

| S.No | Protocol Packets | Description | Size(bytes) |
| --- | --- | --- | --- |
| 7 | DHCP Request | Sent by client to accept the offered IP and request configuration | 267 |
| | VLAN Tag | IEEE 802.1Q tag containing VLAN ID, Priority, and CFI | 4 |
| | Operation Code (op) | 1 (BOOT REQUEST) | 1 |
| | Hardware Type (htype) | Type of hardware | 1 |
| | Hardware Address Length (hlen) | Length of MAC address | 1 |
| | Hops | Number of relay agents | 1 |
| | Transaction Identifier (xid) | Matches Offer | 4 |
| | Seconds (secs) | Time since DHCP started | 2 |
| | Flags | Broadcast flag | 2 |
| | Client IP Address (ciaddr) | Client’s IP (if any) | 4 |
| | Your IP Address (yiaddr) | Requested IP | 4 |
| | Server IP Address (siaddr) | Server’s IP | 4 |
| | Gateway IP Address (giaddr) | Relay agent IP | 4 |
| | Client Hardware Address | Client’s MAC address | 16 |
| | Server Hostname (sname) | Optional | 64 |
| | Boot File Name (file) | Optional | 128 |
| | Options | DHCP Message Type (53=3), Server ID (54), Requested IP (50), Parameter List (55), Client ID (61) | 31 |

DHCP ACK Packet

| S.No | Protocol Packets | Description | Size(bytes) |
| --- | --- | --- | --- |
| 8 | DHCP ACK | Sent by server to confirm lease and finalize configuration | 273 |
| | VLAN Tag | IEEE 802.1Q tag containing VLAN ID, Priority, and CFI | 4 |
| | Operation Code (op) | 2 (BOOT REPLY) | 1 |
| | Hardware Type (htype) | Type of hardware | 1 |
| | Hardware Address Length (hlen) | Length of MAC address | 1 |
| | Hops | Number of relay agents | 1 |
| | Transaction Identifier (xid) | Matches Request | 4 |
| | Seconds (secs) | Time since DHCP started | 2 |
| | Flags | Broadcast flag | 2 |
| | Client IP Address (ciaddr) | Client’s IP (if any) | 4 |
| | Your IP Address (yiaddr) | Assigned IP | 4 |
| | Server IP Address (siaddr) | Server’s IP | 4 |
| | Gateway IP Address (giaddr) | Relay agent IP | 4 |
| | Client Hardware Address | Client’s MAC address | 16 |
| | Server Hostname (sname) | Optional | 64 |
| | Boot File Name (file) | Optional | 128 |
| | Options | DHCP Message Type (53=5), Server ID (54), Subnet Mask (1), Router (3), DNS (6), Lease Time (51) | 37 |

SYN Packet

| S.No | Protocol Packets | Description | Size(bytes) |
| --- | --- | --- | --- |
| 9 | SYN Packet | Used to initiate a TCP connection. Part of the three-way handshake. | 20 |
| | VLAN Tag | IEEE 802.1Q tag containing VLAN ID, Priority, and CFI | 2 |
| | Source Port | Port number of the sender (Client) | 2 |
| | Destination Port | Port number of the receiver | 2 |
| | Sequence Number | Initial sequence number | 4 |
| | Acknowledgment Number | 0 (not set) | 0 |
| | Data Offset | 4-bit field specifying TCP header size in 32-bit words | 1 |
| | Reserved | 3 bits reserved for future use | 1 |
| | Flags | SYN flag set | 2 |
| | Window Size | Sender’s receive window size | 2 |
| | Checksum | Error-checking field | 2 |
| | Urgent Pointer | Points to urgent data if URG flag is set | 2 |
| | Options | May include MSS, window scaling, timestamps | variable |
| | Data (Payload) | No payload | 0 |

SYN-ACK Packet

| S.No | Protocol Packets | Description | Size(bytes) |
| --- | --- | --- | --- |
| 10 | SYN-ACK Packet | Sent by receiver to acknowledge SYN and establish connection | 24 |
| | VLAN Tag | IEEE 802.1Q tag | 2 |
| | Source Port | Receiver’s port | 2 |
| | Destination Port | Sender’s port | 2 |
| | Sequence Number | Server’s Initial Sequence Number | 4 |
| | Acknowledgment Number | Client’s ISN + 1 | 4 |
| | Data Offset | TCP header size | 1 |
| | Reserved | Reserved bits | 1 |
| | Flags | SYN = 1, ACK = 1 | 2 |
| | Window Size | Receiver’s window size | 2 |
| | Checksum | Error-checking | 2 |
| | Urgent Pointer | Urgent data pointer | 2 |
| | Options | MSS, window scaling, timestamps | variable |
| | Data (Payload) | No payload | 0 |

ACK Packet

| S.No | Protocol Packets | Description | Size(bytes) |
| --- | --- | --- | --- |
| 11 | ACK Packet | Acknowledges received data or control packets | 24 |
| | VLAN Tag | IEEE 802.1Q tag | 2 |
| | Source Port | Sender’s port | 2 |
| | Destination Port | Receiver’s port | 2 |
| | Sequence Number | Next byte expected to be received | 4 |
| | Acknowledgment Number | Last received byte + 1 | 4 |
| | Data Offset | TCP header size | 1 |
| | Reserved | Reserved bits | 1 |
| | Flags | ACK = 1 | 2 |
| | Window Size | Sender’s window size | 2 |
| | Checksum | Error-checking | 2 |
| | Urgent Pointer | Urgent data pointer | 2 |
| | Options | Optional TCP options | variable |
| | Data (Payload) | May carry data if piggybacked | variable |

PSH-ACK Packet

| S.No | Protocol Packets | Description | Size(bytes) |
| --- | --- | --- | --- |
| 12 | PSH-ACK Packet | Pushes data immediately and acknowledges receipt | 24 |
| | VLAN Tag | IEEE 802.1Q tag | 2 |
| | Source Port | Sender’s port | 2 |
| | Destination Port | Receiver’s port | 2 |
| | Sequence Number | First byte of current message | 4 |
| | Acknowledgment Number | Next expected byte | 4 |
| | Data Offset | TCP header size | 1 |
| | Reserved | Reserved bits | 1 |
| | Flags | PSH = 1, ACK = 1 | 2 |
| | Window Size | Sender’s window size | 2 |
| | Checksum | Error-checking | 2 |
| | Urgent Pointer | Urgent data pointer | 2 |
| | Options | Optional TCP options | variable |
| | Data (Payload) | Carries data to be processed immediately | variable (1460) |

FIN Packet

| S.No | Protocol Packets | Description | Size(bytes) |
| --- | --- | --- | --- |
| 13 | FIN Packet | Used to terminate a TCP connection | 24 |
| | VLAN Tag | IEEE 802.1Q tag | 2 |
| | Source Port | Sender’s port | 2 |
| | Destination Port | Receiver’s port | 2 |
| | Sequence Number | Last byte sent | 4 |
| | Acknowledgment Number | Acknowledges received data | 4 |
| | Data Offset | TCP header size | 1 |
| | Reserved | Reserved bits | 1 |
| | Flags | FIN = 1 | 2 |
| | Window Size | Sender’s window size | 2 |
| | Checksum | Error-checking | 2 |
| | Urgent Pointer | Urgent data pointer | 2 |
| | Options | Optional TCP options | variable |
| | Data (Payload) | No payload | 0 |

FIN-ACK Packet

| S.No | Protocol Packets | Description | Size(bytes) |
| --- | --- | --- | --- |
| 14 | FIN-ACK Packet | Acknowledges FIN and signals end of transmission | 24 |
| | VLAN Tag | IEEE 802.1Q tag | 2 |
| | Source Port | Sender’s port | 2 |
| | Destination Port | Receiver’s port | 2 |
| | Sequence Number | Last byte sent | 4 |
| | Acknowledgment Number | Next expected byte | 4 |
| | Data Offset | TCP header size | 1 |
| | Reserved | Reserved bits | 1 |
| | Flags | FIN = 1, ACK = 1 | 2 |
| | Window Size | Sender’s window size | 2 |
| | Checksum | Error-checking | 2 |
| | Urgent Pointer | Urgent data pointer | 2 |
| | Options | Optional TCP options | variable |
| | Data (Payload) | No payload | 0 |

UDP Packet

| S.No | Protocol Packets | Description | Size(bytes) |
| --- | --- | --- | --- |
| 15 | UDP Packet | A connectionless transport layer protocol used for fast data transmission. | 65537 |
| | VLAN Tag | IEEE 802.1Q tag containing VLAN ID, Priority, and CFI | 2 |
| | UDP Header | Contains control information for UDP communication | 8 |
| | Source Port | Identifies the port number of the sender | 2 |
| | Destination Port | Identifies the port number of the receiver | 2 |
| | Length | Total length of the UDP packet (header + data) | 2 |
| | Checksum | Error-checking for header and data | 2 |
| | Data (UDP Payload) | Contains the actual payload being transmitted | variable (65507) |

ARP Request Packet

| S.No | Protocol Packets | Description | Size(bytes) |
| --- | --- | --- | --- |
| 16 | ARP Request Packet | Used to request the MAC address corresponding to a known IP address. | 32 |
| | VLAN Tag (802.1Q) | Contains VLAN ID and priority (TPID + TCI) | 4 |
| | Hardware Type (HTYPE) | Specifies type of hardware (1 for Ethernet) | 2 |
| | Protocol Type (PTYPE) | Type of protocol (e.g., 0x0800 for IPv4) | 2 |
| | Hardware Address Length (HLEN) | Length of the hardware address (e.g., 6 for MAC) | 1 |
| | Protocol Address Length (PLEN) | Length of the protocol address (e.g., 4 for IPv4) | 1 |
| | Operation (OPER) | 1 for request, 2 for reply | 2 |
| | Sender Hardware Address (SHA) | MAC address of sender | 6 |
| | Sender Protocol Address (SPA) | IP address of sender | 4 |
| | Target Hardware Address (THA) | MAC address of target (0 in request) | 6 |
| | Target Protocol Address (TPA) | IP address of target | 4 |

ARP Reply Packet

| S.No | Protocol Packets | Description | Size(bytes) |
| --- | --- | --- | --- |
| 17 | ARP Reply Packet | Responds to ARP request with the MAC address for the requested IP. | 32 |
| | VLAN Tag (802.1Q) | Contains VLAN ID and priority (TPID + TCI) | 4 |
| | Hardware Type (HTYPE) | Specifies type of hardware (1 for Ethernet) | 2 |
| | Protocol Type (PTYPE) | Type of protocol (e.g., 0x0800 for IPv4) | 2 |
| | Hardware Address Length (HLEN) | Length of the hardware address (e.g., 6 for MAC) | 1 |
| | Protocol Address Length (PLEN) | Length of the protocol address (e.g., 4 for IPv4) | 1 |
| | Operation (OPER) | 1 for request, 2 for reply | 2 |
| | Sender Hardware Address (SHA) | MAC address of sender | 6 |
| | Sender Protocol Address (SPA) | IP address of sender | 4 |
| | Target Hardware Address (THA) | MAC address of target | 6 |
| | Target Protocol Address (TPA) | IP address of target | 4 |

| S.no | Use Case | Description |
| --- | --- | --- |
| 1 | Departmental Segmentation | VLANs separate traffic between departments (e.g., HR, Finance, IT) to improve security and reduce broadcast domains. |
| 2 | Guest Network Isolation | Guest users are placed in a separate VLAN to prevent access to internal resources while still allowing internet access. |
| 3 | Voice and Data Separation | IP phones and computers are placed in different VLANs to prioritize voice traffic (VoIP) and ensure call quality. |
| 4 | Data Center Multi-Tenancy | VLANs isolate tenants or applications in data centers, enabling secure and scalable multi-tenant environments. |
| 5 | Wireless Network Segmentation | Different SSIDs are mapped to different VLANs to separate user groups (e.g., staff, students, guests). |
| 6 | Security Zones | VLANs are used to create zones (e.g., DMZ, internal, external) for applying different security policies. |
| 7 | Load Balancing and Traffic Management | VLANs help distribute traffic across multiple paths or devices, improving performance and fault tolerance. |
| 8 | Simplified Network Management | VLANs allow logical grouping of devices regardless of physical location, making network changes easier. |
| 9 | Compliance and Auditing | VLANs help enforce data access policies and simplify auditing by isolating sensitive systems. |
| 10 | Disaster Recovery and Backup | VLANs can segment backup traffic from production traffic to ensure performance and security during recovery operations. |

| S.no | Feature | Description |
| --- | --- | --- |
| 1 | Logical Segmentation | VLANs allow logical grouping of devices regardless of physical location, improving network organization. |
| 2 | Broadcast Control | VLANs limit broadcast domains, reducing unnecessary traffic and improving performance. |
| 3 | Improved Security | Devices in different VLANs cannot communicate without a router or Layer 3 switch, enhancing isolation. |
| 4 | Traffic Management | VLANs help prioritize and manage traffic, especially for time-sensitive data like voice or video. |
| 5 | Simplified Administration | VLANs make it easier to manage and reconfigure networks without changing physical cabling. |
| 6 | Scalability | VLANs support large and growing networks by segmenting traffic and reducing congestion. |
| 7 | Quality of Service (QoS) | VLANs can be used with QoS policies to ensure bandwidth for critical applications. |
| 8 | Support for Multi-Tenancy | VLANs enable isolation of different tenants or departments in shared environments like data centers. |
| 9 | Dynamic Assignment | VLANs can be assigned dynamically using protocols like RADIUS and 802.1X for user-based access control. |
| 10 | Integration with STP | VLANs work with Spanning Tree Protocol (STP) variants to prevent loops and ensure redundancy. |

Logical Segmentation - Testcases

| # | Test Case | Description | Expected Result |
| --- | --- | --- | --- |
| 1 | Create VLAN on switch | Define VLAN ID 10 | VLAN created |
| 2 | Assign port to VLAN | Port 1 to VLAN 10 | Port isolated to VLAN 10 |
| 3 | Assign multiple ports to VLAN | Ports 1-4 to VLAN 20 | All ports grouped logically |
| 4 | Remove port from VLAN | Port 2 from VLAN 20 | Port removed from group |
| 5 | Create multiple VLANs | VLANs 10, 20, 30 | VLANs created successfully |
| 6 | Verify VLAN isolation | Devices in VLAN 10 and 20 | No communication between VLANs |
| 7 | Enable inter-VLAN routing | Router-on-a-stick setup | VLANs can communicate |
| 8 | Disable inter-VLAN routing | ACL blocks traffic | VLANs isolated |
| 9 | Assign VLAN to wireless SSID | SSID1 to VLAN 30 | Wireless clients segmented |
| 10 | Assign VLAN to VoIP phones | VLAN 40 for voice | Voice traffic isolated |
| 11 | Assign VLAN to CCTV | VLAN 50 for cameras | Surveillance traffic isolated |
| 12 | Assign VLAN to guest network | VLAN 60 for guests | Guest traffic isolated |
| 13 | Assign VLAN to printers | VLAN 70 for printers | Printer traffic isolated |
| 14 | Assign VLAN to servers | VLAN 80 for servers | Server traffic isolated |
| 15 | Assign VLAN to management | VLAN 90 for admin | Management traffic isolated |
| 16 | Test VLAN trunking | Trunk between switches | VLANs passed correctly |
| 17 | Test native VLAN mismatch | Different native VLANs | Warning or dropped packets |
| 18 | Test VLAN tagging | 802.1Q tags | Tags applied correctly |
| 19 | Test untagged traffic | Access port | Traffic assigned to default VLAN |
| 20 | Test VLAN propagation via VTP | VLANs shared across switches | VLANs synchronized |
| 21 | Test VTP pruning | Unused VLANs pruned | Bandwidth optimized |
| 22 | Test VLAN on L2 switch | Basic segmentation | VLANs function correctly |
| 23 | Test VLAN on L3 switch | Routing between VLANs | Inter-VLAN routing works |
| 24 | Test VLAN with DHCP | VLAN-specific scopes | IPs assigned correctly |
| 25 | Test VLAN with static IPs | Manual config | Devices communicate within VLAN |
| 26 | Test VLAN with firewall rules | VLAN-based ACLs | Traffic filtered |
| 27 | Test VLAN with QoS | Prioritize VLAN 40 | Voice traffic prioritized |
| 28 | Test VLAN with SNMP | VLAN-specific monitoring | Data collected per VLAN |
| 29 | Test VLAN with syslog | VLAN-based logging | Logs show VLAN activity |
| 30 | Test VLAN with multicast | VLAN-specific multicast | Multicast scoped to VLAN |
| 31 | Test VLAN with spanning tree | Per-VLAN STP | Loop prevention per VLAN |
| 32 | Test VLAN with port security | MAC binding per VLAN | Unauthorized access blocked |
| 33 | Test VLAN with storm control | Broadcast limit per VLAN | Storms mitigated |
| 34 | Test VLAN with mirror port | Monitor VLAN 10 | Traffic mirrored correctly |
| 35 | Test VLAN with redundant links | Trunk failover | VLANs remain active |
| 36 | Test VLAN with loopback detection | Loop in VLAN 20 | Loop blocked |
| 37 | Test VLAN with access control | VLAN-based user access | Access restricted |
| 38 | Test VLAN with dynamic assignment | RADIUS assigns VLAN | User placed in correct VLAN |
| 39 | Test VLAN with MAC-based VLAN | MAC address triggers VLAN | Device assigned correctly |
| 40 | Test VLAN with voice VLAN | Auto-detect VoIP | Phone placed in voice VLAN |
| 41 | Test VLAN with guest VLAN | Unauthenticated user | Placed in guest VLAN |
| 42 | Test VLAN with management VLAN | Switch admin access | Only via VLAN 90 |
| 43 | Test VLAN with backup link | Trunk failover | VLANs rerouted |
| 44 | Test VLAN with cloud-managed switch | VLAN config via cloud | VLANs applied remotely |
| 45 | Test VLAN with SDN controller | VLANs via OpenFlow | Dynamic segmentation |
| 46 | Test VLAN with hybrid port | Tagged + untagged | Both traffic types handled |
| 47 | Test VLAN with IoT devices | VLAN 100 for IoT | Devices isolated |
| 48 | Test VLAN with BYOD policy | VLAN 110 for personal devices | Segmented from corporate |
| 49 | Test VLAN with VLAN hopping attack | Malicious tagging | Attack blocked |
| 50 | Test VLAN with compliance audit | VLANs documented | Audit passed |

Broadcast Control - Testcases

| # | Test Case | Description | Expected Result |
| --- | --- | --- | --- |
| 1 | Broadcast within same VLAN | Devices in VLAN 10 | Broadcast received |
| 2 | Broadcast across different VLANs | VLAN 10 to VLAN 20 | Broadcast blocked |
| 3 | Broadcast storm in VLAN | High broadcast rate | Contained within VLAN |
| 4 | Broadcast from trunk port | Tagged VLAN 30 | Only VLAN 30 receives |
| 5 | Broadcast from access port | VLAN 40 | Only VLAN 40 receives |
| 6 | Broadcast from wireless client | SSID mapped to VLAN 50 | VLAN 50 receives |
| 7 | Broadcast from wired client | Port in VLAN 60 | VLAN 60 receives |
| 8 | Broadcast with VLAN tagging | 802.1Q tag present | Routed to correct VLAN |
| 9 | Broadcast with no VLAN tag | Untagged frame | Assigned to native VLAN |
| 10 | Broadcast with VLAN mismatch | Tag doesn’t match port VLAN | Dropped |
| 11 | Broadcast with VTP enabled | VLANs synced | Broadcast scoped correctly |
| 12 | Broadcast with VTP disabled | Manual VLAN config | Broadcast scoped correctly |
| 13 | Broadcast with STP enabled | Loop prevention | No broadcast loop |
| 14 | Broadcast with STP disabled | Loop exists | Broadcast storm risk |
| 15 | Broadcast with port mirroring | Monitor VLAN 70 | Broadcast visible on mirror |
| 16 | Broadcast with ACL applied | VLAN 80 filtered | Broadcast blocked |
| 17 | Broadcast with ACL not applied | VLAN 90 open | Broadcast allowed |
| 18 | Broadcast with DHCP request | VLAN 100 client | DHCP server in same VLAN responds |
| 19 | Broadcast with DHCP relay | Server in different VLAN | Relay agent forwards |
| 20 | Broadcast with ARP request | VLAN 110 | ARP reply received |
| 21 | Broadcast with ARP spoofing | VLAN 120 | Detected and blocked |
| 22 | Broadcast with IGMP snooping | VLAN 130 multicast | Controlled broadcast |
| 23 | Broadcast with multicast traffic | VLAN 140 | Broadcast limited to group |
| 24 | Broadcast with unknown MAC | VLAN 150 | Flooded within VLAN |
| 25 | Broadcast with known MAC | VLAN 160 | Directed unicast |
| 26 | Broadcast with loopback detection | VLAN 170 | Loop blocked |
| 27 | Broadcast with storm control | VLAN 180 | Broadcast rate limited |
| 28 | Broadcast with QoS | VLAN 190 | Prioritized handling |
| 29 | Broadcast with SNMP trap | VLAN 200 | Trap sent to manager |
| 30 | Broadcast with syslog | VLAN 210 | Logs show broadcast events |
| 31 | Broadcast with mirrored VLAN | VLAN 220 | Traffic visible on mirror port |
| 32 | Broadcast with isolated VLAN | VLAN 230 | No inter-port communication |
| 33 | Broadcast with community VLAN | VLAN 240 | Limited broadcast scope |
| 34 | Broadcast with private VLAN | VLAN 250 | Broadcast scoped to primary |
| 35 | Broadcast with voice VLAN | VLAN 260 | Voice traffic isolated |
| 36 | Broadcast with guest VLAN | VLAN 270 | Guest traffic isolated |
| 37 | Broadcast with IoT VLAN | VLAN 280 | IoT traffic isolated |
| 38 | Broadcast with BYOD VLAN | VLAN 290 | Personal devices isolated |
| 39 | Broadcast with management VLAN | VLAN 300 | Admin traffic isolated |
| 40 | Broadcast with native VLAN | VLAN 1 | Untagged traffic scoped |
| 41 | Broadcast with mismatched native VLANs | Trunk ports | Broadcast dropped |
| 42 | Broadcast with hybrid port | Tagged + untagged | Scoped correctly |
| 43 | Broadcast with SDN controller | VLAN 310 | Controlled via policy |
| 44 | Broadcast with cloud-managed switch | VLAN 320 | Scoped via cloud config |
| 45 | Broadcast with VLAN hopping attempt | Malicious tag | Attack blocked |
| 46 | Broadcast with MAC-based VLAN | VLAN assigned by MAC | Scoped correctly |
| 47 | Broadcast with dynamic VLAN | Assigned via RADIUS | Scoped correctly |
| 48 | Broadcast with static VLAN | Manual config | Scoped correctly |
| 49 | Broadcast with VLAN pruning | Unused VLANs pruned | Broadcast not forwarded |
| 50 | Broadcast with inter-VLAN ACL | VLAN 330 to VLAN 340 | Broadcast blocked |

Improved Security - Testcases

| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | Device in VLAN 10 pings VLAN 20 | No L3 routing | Ping fails |
| 2 | Device in VLAN 10 accesses VLAN 10 | Same VLAN | Access allowed |
| 3 | Device in VLAN 10 accesses VLAN 20 | No router | Access denied |
| 4 | Device in VLAN 10 accesses VLAN 20 | With L3 switch | Access allowed |
| 5 | Device in VLAN 10 accesses VLAN 20 | ACL blocks traffic | Access denied |
| 6 | Device in VLAN 10 accesses VLAN 20 | ACL allows traffic | Access allowed |
| 7 | VLAN 30 has no gateway | No routing | Isolation enforced |
| 8 | VLAN 40 has gateway | Routing enabled | Communication possible |
| 9 | VLAN 50 has firewall rules | Traffic filtered | Access controlled |
| 10 | VLAN 60 has no firewall | Open routing | Access allowed |
| 11 | VLAN 70 has port security | MAC filtering | Unauthorized blocked |
| 12 | VLAN 80 has no port security | Open access | All devices allowed |
| 13 | VLAN 90 has DHCP | IP assigned securely | Device isolated |
| 14 | VLAN 100 has static IPs | Manual config | Isolation maintained |
| 15 | VLAN 110 has rogue DHCP | Unauthorized server | Detected and blocked |
| 16 | VLAN 120 has ARP spoofing | Attack attempt | Blocked by security |
| 17 | VLAN 130 has IP spoofing | Fake IP used | Blocked by ACL |
| 18 | VLAN 140 has MAC spoofing | Fake MAC used | Blocked by port security |
| 19 | VLAN 150 has guest devices | Guest VLAN | Isolated from internal |
| 20 | VLAN 160 has internal devices | Trusted VLAN | No guest access |
| 21 | VLAN 170 has IoT devices | Segmented VLAN | No access to core |
| 22 | VLAN 180 has servers | Server VLAN | Access restricted |
| 23 | VLAN 190 has printers | Printer VLAN | Access controlled |
| 24 | VLAN 200 has VoIP phones | Voice VLAN | Isolated from data |
| 25 | VLAN 210 has CCTV | Surveillance VLAN | No external access |
| 26 | VLAN 220 has management devices | Admin VLAN | Access restricted |
| 27 | VLAN 230 has BYOD devices | Personal VLAN | Segmented from corporate |
| 28 | VLAN 240 has VLAN hopping attempt | Malicious tag | Attack blocked |
| 29 | VLAN 250 has ACL logging | Access attempts logged | Logs updated |
| 30 | VLAN 260 has SNMP traps | Security alerts | Traps sent |
| 31 | VLAN 270 has syslog | Security events logged | Logs show isolation |
| 32 | VLAN 280 has mirrored port | Security monitoring | Traffic observed |
| 33 | VLAN 290 has STP enabled | Loop prevention | Secure topology |
| 34 | VLAN 300 has STP disabled | Loop risk | Broadcast storm possible |
| 35 | VLAN 310 has trunk port | Tagged traffic | VLANs isolated |
| 36 | VLAN 320 has access port | Untagged traffic | VLAN assigned |
| 37 | VLAN 330 has hybrid port | Tagged + untagged | Isolation maintained |
| 38 | VLAN 340 has native VLAN mismatch | Trunk misconfig | Security warning |
| 39 | VLAN 350 has inter-VLAN ACL | Specific access allowed | Controlled communication |
| 40 | VLAN 360 has no inter-VLAN ACL | Open routing | All VLANs accessible |
| 41 | VLAN 370 has DHCP snooping | Rogue DHCP blocked | Secure IP assignment |
| 42 | VLAN 380 has dynamic VLAN assignment | RADIUS-based | Secure segmentation |
| 43 | VLAN 390 has static VLAN assignment | Manual config | Isolation enforced |
| 44 | VLAN 400 has MAC-based VLAN | Device-specific VLAN | Access controlled |
| 45 | VLAN 410 has VLAN-based firewall rules | Per-VLAN policy | Access filtered |
| 46 | VLAN 420 has VLAN-based QoS | Prioritized traffic | Secure and efficient |
| 47 | VLAN 430 has VLAN-based monitoring | VLAN-specific logs | Security visibility |
| 48 | VLAN 440 has VLAN-based alerts | Intrusion detection | Alerts triggered |
| 49 | VLAN 450 has VLAN-based compliance | Audit-ready config | Passed audit |
| 50 | VLAN 460 has VLAN-based encryption | Encrypted VLAN traffic | Secure communication |

Traffic Management - Testcases

| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | Assign voice VLAN | VLAN 10 for VoIP | Voice traffic prioritized |
| 2 | Assign video VLAN | VLAN 20 for video | Video traffic prioritized |
| 3 | Assign data VLAN | VLAN 30 for data | Standard priority |
| 4 | Apply QoS to voice VLAN | High priority | Low latency for voice |
| 5 | Apply QoS to video VLAN | Medium priority | Smooth video playback |
| 6 | Apply QoS to data VLAN | Best-effort | Normal traffic handling |
| 7 | Test voice call quality | VLAN 10 | No jitter or delay |
| 8 | Test video stream quality | VLAN 20 | No buffering |
| 9 | Test file transfer | VLAN 30 | Normal speed |
| 10 | Simulate congestion | All VLANs | Voice/video prioritized |
| 11 | Apply bandwidth limit | VLAN 30 | Data rate controlled |
| 12 | Remove bandwidth limit | VLAN 30 | Full speed restored |
| 13 | Enable traffic shaping | VLAN 10 | Smooth traffic flow |
| 14 | Disable traffic shaping | VLAN 10 | Bursty traffic allowed |
| 15 | Enable traffic policing | VLAN 20 | Excess traffic dropped |
| 16 | Disable traffic policing | VLAN 20 | All traffic allowed |
| 17 | Enable priority queuing | VLAN 10 | Voice packets first |
| 18 | Enable weighted fair queuing | VLAN 20 | Balanced traffic handling |
| 19 | Enable class-based queuing | VLAN 30 | Traffic classified |
| 20 | Monitor traffic per VLAN | SNMP or NetFlow | Usage stats collected |
| 21 | Log traffic per VLAN | Syslog | Logs show usage |
| 22 | Mirror VLAN traffic | VLAN 10 | Traffic visible on monitor port |
| 23 | Apply ACL to limit traffic | VLAN 30 | Access restricted |
| 24 | Remove ACL | VLAN 30 | Access restored |
| 25 | Test VLAN with multicast | VLAN 40 | Efficient group delivery |
| 26 | Test VLAN with broadcast | VLAN 50 | Scoped broadcast |
| 27 | Test VLAN with unicast | VLAN 60 | Direct delivery |
| 28 | Test VLAN with storm control | VLAN 70 | Broadcast storm prevented |
| 29 | Test VLAN with loop prevention | VLAN 80 | STP active |
| 30 | Test VLAN with redundant links | VLAN 90 | Traffic rerouted |
| 31 | Test VLAN with trunk port | VLAN tags preserved | Traffic passed correctly |
| 32 | Test VLAN with access port | Untagged traffic | VLAN assigned |
| 33 | Test VLAN with hybrid port | Tagged + untagged | Traffic handled properly |
| 34 | Test VLAN with native VLAN | VLAN 1 | Untagged traffic handled |
| 35 | Test VLAN with mismatched native VLANs | Trunk ports | Warning or drop |
| 36 | Test VLAN with SDN controller | Dynamic traffic rules | Traffic managed |
| 37 | Test VLAN with cloud-managed switch | Remote config | Traffic prioritized |
| 38 | Test VLAN with dynamic VLAN assignment | RADIUS | Traffic routed correctly |
| 39 | Test VLAN with static VLAN assignment | Manual config | Traffic routed correctly |
| 40 | Test VLAN with MAC-based VLAN | Device-specific | Traffic routed correctly |
| 41 | Test VLAN with voice detection | Auto VLAN assignment | Voice prioritized |
| 42 | Test VLAN with video detection | Auto VLAN assignment | Video prioritized |
| 43 | Test VLAN with guest traffic | VLAN 100 | Isolated and limited |
| 44 | Test VLAN with IoT traffic | VLAN 110 | Segmented and controlled |
| 45 | Test VLAN with BYOD traffic | VLAN 120 | Segmented and limited |
| 46 | Test VLAN with server traffic | VLAN 130 | High throughput |
| 47 | Test VLAN with printer traffic | VLAN 140 | Low priority |
| 48 | Test VLAN with backup traffic | VLAN 150 | Scheduled and limited |
| 49 | Test VLAN with alerting | Traffic spike | Alert triggered |
| 50 | Test VLAN with compliance policy | Traffic logs | Policy enforced |

Simplified Administration - Testcases

| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | Create VLAN remotely | Via switch CLI or GUI | VLAN created |
| 2 | Assign port to VLAN remotely | No physical access | Port reassigned |
| 3 | Move device to new VLAN | Change config only | Device reassigned |
| 4 | Rename VLAN | Update VLAN name | Name updated |
| 5 | Delete unused VLAN | Remove from config | VLAN deleted |
| 6 | Add new VLAN for department | HR VLAN created | Devices grouped |
| 7 | Merge two VLANs | Combine VLAN 10 & 20 | Unified traffic |
| 8 | Split VLAN into two | VLAN 30 → 30 & 31 | Segmented traffic |
| 9 | Assign VLAN to new port | Plug-and-play | Device joins VLAN |
| 10 | Change VLAN for wireless SSID | Update controller | Clients reassigned |
| 11 | Apply VLAN config via template | Bulk config | Multiple switches updated |
| 12 | Apply VLAN config via script | Automated deployment | VLANs created |
| 13 | Apply VLAN config via SDN | Centralized control | VLANs pushed |
| 14 | Apply VLAN config via cloud | Remote management | VLANs updated |
| 15 | Backup VLAN configuration | Save config file | Backup created |
| 16 | Restore VLAN configuration | Load config file | VLANs restored |
| 17 | Audit VLAN configuration | Review settings | Report generated |
| 18 | Document VLAN layout | Export config | Documentation updated |
| 19 | Schedule VLAN changes | Maintenance window | Changes applied |
| 20 | Rollback VLAN changes | Revert config | Previous state restored |
| 21 | Assign VLAN via RADIUS | Dynamic assignment | User placed in VLAN |
| 22 | Assign VLAN via MAC address | MAC-based VLAN | Device auto-assigned |
| 23 | Assign VLAN via port profile | Predefined settings | VLAN applied |
| 24 | Assign VLAN via policy | Role-based access | VLAN assigned |
| 25 | Assign VLAN via DHCP option | VLAN ID in DHCP | Device joins VLAN |
| 26 | Assign VLAN via SNMP | Remote config | VLAN updated |
| 27 | Assign VLAN via API | Programmatic change | VLAN applied |
| 28 | Assign VLAN via GUI | Web interface | VLAN assigned |
| 29 | Assign VLAN via CLI | Command line | VLAN assigned |
| 30 | Assign VLAN via mobile app | Cloud-managed switch | VLAN assigned |
| 31 | Monitor VLAN usage | SNMP or NetFlow | Traffic stats collected |
| 32 | Log VLAN changes | Syslog enabled | Changes recorded |
| 33 | Alert on VLAN change | Notification system | Admin alerted |
| 34 | Test VLAN config on test port | Lab setup | VLAN verified |
| 35 | Clone VLAN config to new switch | Replication | Config copied |
| 36 | Sync VLANs across switches | VTP or manual | VLANs consistent |
| 37 | Prune unused VLANs | Clean config | Unused VLANs removed |
| 38 | Lock VLAN config | Prevent changes | Config protected |
| 39 | Tag VLANs with metadata | Department, purpose | Easier tracking |
| 40 | Visualize VLAN topology | Network map | VLAN layout shown |
| 41 | Export VLAN config | CSV or JSON | File generated |
| 42 | Import VLAN config | From file | VLANs created |
| 43 | Validate VLAN config | Check for errors | Validation passed |
| 44 | Simulate VLAN changes | Test environment | Impact analyzed |
| 45 | Apply VLAN config to stack | Multi-switch config | VLANs applied |
| 46 | Apply VLAN config to fabric | SDN fabric | VLANs deployed |
| 47 | Apply VLAN config to virtual switch | Hypervisor | VLANs applied |
| 48 | Apply VLAN config to container network | Docker/K8s | VLANs applied |
| 49 | Apply VLAN config to cloud VPC | AWS/Azure/GCP | VLAN-like segmentation |
| 50 | Apply VLAN config to remote site | WAN link | VLANs extended |

Scalability - Testcases

| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | Create 10 VLANs | Small-scale segmentation | VLANs created |
| 2 | Create 100 VLANs | Medium-scale deployment | VLANs created |
| 3 | Create 4094 VLANs | Maximum VLANs supported | VLANs created |
| 4 | Assign 1000 ports to VLANs | Large port assignment | Ports grouped |
| 5 | Add new VLAN without downtime | Live network | No disruption |
| 6 | Remove unused VLANs | Clean-up | Resources freed |
| 7 | Expand VLANs across switches | Multi-switch config | VLANs propagated |
| 8 | Use VTP for VLAN sync | Centralized management | VLANs synced |
| 9 | Use manual VLAN config | Distributed control | VLANs consistent |
| 10 | Use VLANs in data center | High-density environment | Traffic segmented |
| 11 | Use VLANs in campus network | Multi-building setup | VLANs extended |
| 12 | Use VLANs in enterprise network | Thousands of users | Traffic managed |
| 13 | Use VLANs in ISP network | Customer segmentation | Traffic isolated |
| 14 | Use VLANs in cloud environment | Virtual networks | VLANs mapped |
| 15 | Use VLANs in hybrid cloud | On-prem + cloud | VLANs integrated |
| 16 | Use VLANs in SDN fabric | Software-defined | VLANs scalable |
| 17 | Use VLANs in container networks | Kubernetes/Docker | VLANs applied |
| 18 | Use VLANs in virtual machines | Hypervisor-based | VLANs assigned |
| 19 | Use VLANs in IoT deployments | Many small devices | Traffic segmented |
| 20 | Use VLANs in smart buildings | Multiple systems | VLANs organized |
| 21 | Use VLANs in industrial networks | SCADA/PLC | VLANs isolated |
| 22 | Use VLANs in retail chains | Multi-site stores | VLANs replicated |
| 23 | Use VLANs in education networks | Classrooms/labs | VLANs separated |
| 24 | Use VLANs in healthcare networks | Devices/patients | VLANs secured |
| 25 | Use VLANs in government networks | Departmental segmentation | VLANs enforced |
| 26 | Use VLANs in financial networks | High-security zones | VLANs isolated |
| 27 | Use VLANs in hospitality networks | Guest/staff separation | VLANs enforced |
| 28 | Use VLANs in transportation systems | Stations/vehicles | VLANs extended |
| 29 | Use VLANs in smart cities | Public infrastructure | VLANs scalable |
| 30 | Use VLANs in large events | Temporary networks | VLANs deployed |
| 31 | Use VLANs with automation tools | Ansible/SaltStack | VLANs deployed |
| 32 | Use VLANs with cloud APIs | AWS/Azure/GCP | VLANs provisioned |
| 33 | Use VLANs with orchestration | Terraform | VLANs managed |
| 34 | Use VLANs with monitoring tools | SNMP/NetFlow | VLAN stats collected |
| 35 | Use VLANs with logging tools | Syslog/SIEM | VLAN activity logged |
| 36 | Use VLANs with alerting tools | Prometheus/Zabbix | VLAN alerts triggered |
| 37 | Use VLANs with compliance tools | PCI/HIPAA | VLANs audited |
| 38 | Use VLANs with backup systems | VLAN-based routing | Backup traffic isolated |
| 39 | Use VLANs with load balancers | VLAN-aware routing | Traffic balanced |
| 40 | Use VLANs with firewalls | VLAN-based rules | Traffic filtered |
| 41 | Use VLANs with VPNs | VLAN tagging | Secure segmentation |
| 42 | Use VLANs with wireless networks | SSID to VLAN mapping | Clients segmented |
| 43 | Use VLANs with VoIP systems | Voice VLANs | Traffic prioritized |
| 44 | Use VLANs with video systems | Streaming VLANs | Traffic optimized |
| 45 | Use VLANs with storage networks | iSCSI/NAS VLANs | Storage isolated |
| 46 | Use VLANs with printers | VLAN for peripherals | Traffic separated |
| 47 | Use VLANs with guest access | VLAN 100 for guests | Traffic isolated |
| 48 | Use VLANs with BYOD | VLAN 200 for personal devices | Traffic segmented |
| 49 | Use VLANs with automation scripts | Dynamic scaling | VLANs created on demand |
| 50 | Use VLANs with AI/ML workloads | High-bandwidth VLANs | Traffic optimized |

Quality of Service (QoS) - Testcases

| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | Apply QoS to voice VLAN | VLAN 10 for VoIP | Voice traffic prioritized |
| 2 | Apply QoS to video VLAN | VLAN 20 for video | Video traffic prioritized |
| 3 | Apply QoS to data VLAN | VLAN 30 for data | Best-effort delivery |
| 4 | Set DSCP value for voice | DSCP 46 (EF) | Marked correctly |
| 5 | Set DSCP value for video | DSCP 34 (AF41) | Marked correctly |
| 6 | Set DSCP value for data | DSCP 0 (BE) | Marked correctly |
| 7 | Enable QoS on switch | Global config | QoS features active |
| 8 | Disable QoS on switch | Global config | QoS features inactive |
| 9 | Configure priority queue | Voice VLAN | Voice gets highest priority |
| 10 | Configure weighted queue | Video VLAN | Balanced traffic handling |
| 11 | Configure bandwidth limit | VLAN 40 | Traffic capped |
| 12 | Remove bandwidth limit | VLAN 40 | Full bandwidth restored |
| 13 | Apply traffic shaping | VLAN 50 | Smooth traffic flow |
| 14 | Apply traffic policing | VLAN 60 | Excess traffic dropped |
| 15 | Monitor QoS statistics | VLAN 10 | Stats collected |
| 16 | Log QoS events | VLAN 20 | Logs show QoS actions |
| 17 | Alert on QoS drop | VLAN 30 | Notification triggered |
| 18 | Test voice call under load | VLAN 10 | No jitter or delay |
| 19 | Test video stream under load | VLAN 20 | No buffering |
| 20 | Test file transfer under load | VLAN 30 | Lower priority |
| 21 | Apply QoS to trunk port | Tagged VLANs | QoS policies applied |
| 22 | Apply QoS to access port | Untagged VLAN | QoS policies applied |
| 23 | Apply QoS to hybrid port | Mixed traffic | QoS applied correctly |
| 24 | Apply QoS to wireless SSID | VLAN-mapped SSID | Traffic prioritized |
| 25 | Apply QoS to guest VLAN | VLAN 70 | Limited bandwidth |
| 26 | Apply QoS to IoT VLAN | VLAN 80 | Controlled traffic |
| 27 | Apply QoS to BYOD VLAN | VLAN 90 | Lower priority |
| 28 | Apply QoS to server VLAN | VLAN 100 | High throughput |
| 29 | Apply QoS to printer VLAN | VLAN 110 | Low priority |
| 30 | Apply QoS to backup VLAN | VLAN 120 | Scheduled bandwidth |
| 31 | Apply QoS to management VLAN | VLAN 130 | High priority |
| 32 | Apply QoS to CCTV VLAN | VLAN 140 | Video prioritized |
| 33 | Apply QoS to SCADA VLAN | VLAN 150 | Real-time traffic prioritized |
| 34 | Apply QoS to cloud VLAN | VLAN 160 | Cloud sync optimized |
| 35 | Apply QoS to storage VLAN | VLAN 170 | iSCSI/NAS traffic prioritized |
| 36 | Apply QoS to VLAN with ACL | VLAN 180 | QoS + security enforced |
| 37 | Apply QoS to VLAN with STP | VLAN 190 | No loop interference |
| 38 | Apply QoS to VLAN with multicast | VLAN 200 | Efficient delivery |
| 39 | Apply QoS to VLAN with broadcast | VLAN 210 | Controlled broadcast |
| 40 | Apply QoS to VLAN with SNMP | VLAN 220 | Monitoring traffic prioritized |
| 41 | Apply QoS to VLAN with syslog | VLAN 230 | Logging traffic prioritized |
| 42 | Apply QoS to VLAN with mirrored port | VLAN 240 | Monitoring unaffected |
| 43 | Apply QoS to VLAN with SDN | VLAN 250 | Dynamic policy applied |
| 44 | Apply QoS to VLAN with cloud controller | VLAN 260 | Remote policy applied |
| 45 | Apply QoS to VLAN with automation | VLAN 270 | Scripted QoS applied |
| 46 | Apply QoS to VLAN with API | VLAN 280 | Programmatic control |
| 47 | Apply QoS to VLAN with compliance policy | VLAN 290 | Policy enforced |
| 48 | Apply QoS to VLAN with alerting | VLAN 300 | Alerts on threshold |
| 49 | Apply QoS to VLAN with logging | VLAN 310 | Logs show QoS actions |
| 50 | Apply QoS to VLAN with backup schedule | VLAN 320 | Bandwidth reserved |

Support for Multi-Tenancy - Testcases

| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | Create VLAN for Tenant A | VLAN 100 | Tenant A isolated |
| 2 | Create VLAN for Tenant B | VLAN 200 | Tenant B isolated |
| 3 | Create VLAN for Tenant C | VLAN 300 | Tenant C isolated |
| 4 | Assign ports to Tenant A VLAN | Ports 1-10 | Traffic scoped to Tenant A |
| 5 | Assign ports to Tenant B VLAN | Ports 11-20 | Traffic scoped to Tenant B |
| 6 | Assign ports to Tenant C VLAN | Ports 21-30 | Traffic scoped to Tenant C |
| 7 | Prevent inter-VLAN communication | No L3 routing | Tenants isolated |
| 8 | Enable inter-VLAN routing | With ACLs | Controlled access |
| 9 | Apply ACL to block Tenant A from Tenant B | Security policy | Access denied |
| 10 | Apply ACL to allow Tenant A to access shared services | Controlled access | Access allowed |
| 11 | Assign VLANs to virtual machines | Hypervisor config | VMs isolated |
| 12 | Assign VLANs to containers | Docker/K8s | Containers isolated |
| 13 | Assign VLANs to cloud workloads | VPC segmentation | Tenants isolated |
| 14 | Assign VLANs to physical servers | Rack-based config | Traffic segmented |
| 15 | Assign VLANs to storage systems | NAS/iSCSI | Storage isolated |
| 16 | Assign VLANs to backup systems | VLAN 400 | Backup traffic isolated |
| 17 | Assign VLANs to monitoring systems | VLAN 500 | Monitoring scoped |
| 18 | Assign VLANs to management systems | VLAN 600 | Admin access isolated |
| 19 | Assign VLANs to guest tenants | VLAN 700 | Guest traffic isolated |
| 20 | Assign VLANs to test environments | VLAN 800 | Test traffic isolated |
| 21 | Assign VLANs to production environments | VLAN 900 | Production traffic isolated |
| 22 | Assign VLANs to development environments | VLAN 1000 | Dev traffic isolated |
| 23 | Assign VLANs to staging environments | VLAN 1100 | Staging traffic isolated |
| 24 | Assign VLANs to finance department | VLAN 1200 | Sensitive data isolated |
| 25 | Assign VLANs to HR department | VLAN 1300 | HR traffic isolated |
| 26 | Assign VLANs to engineering department | VLAN 1400 | Engineering traffic isolated |
| 27 | Assign VLANs to sales department | VLAN 1500 | Sales traffic isolated |
| 28 | Assign VLANs to support department | VLAN 1600 | Support traffic isolated |
| 29 | Assign VLANs to marketing department | VLAN 1700 | Marketing traffic isolated |
| 30 | Assign VLANs to legal department | VLAN 1800 | Legal traffic isolated |
| 31 | Assign VLANs to compliance systems | VLAN 1900 | Compliance traffic isolated |
| 32 | Assign VLANs to analytics systems | VLAN 2000 | Analytics traffic isolated |
| 33 | Assign VLANs to AI/ML workloads | VLAN 2100 | High-bandwidth traffic isolated |
| 34 | Assign VLANs to public-facing services | VLAN 2200 | External access scoped |
| 35 | Assign VLANs to internal services | VLAN 2300 | Internal access scoped |
| 36 | Assign VLANs to shared infrastructure | VLAN 2400 | Controlled access |
| 37 | Assign VLANs to load balancers | VLAN 2500 | Traffic balanced per tenant |
| 38 | Assign VLANs to firewalls | VLAN 2600 | Security enforced per tenant |
| 39 | Assign VLANs to VPN gateways | VLAN 2700 | Secure remote access |
| 40 | Assign VLANs to DNS/DHCP servers | VLAN 2800 | Network services scoped |
| 41 | Assign VLANs to logging systems | VLAN 2900 | Logs isolated per tenant |
| 42 | Assign VLANs to alerting systems | VLAN 3000 | Alerts scoped per tenant |
| 43 | Assign VLANs to orchestration tools | VLAN 3100 | Automation scoped |
| 44 | Assign VLANs to SDN controller | VLAN 3200 | Dynamic segmentation |
| 45 | Assign VLANs to cloud controller | VLAN 3300 | Remote management scoped |
| 46 | Assign VLANs to compliance audit tools | VLAN 3400 | Audit traffic isolated |
| 47 | Assign VLANs to billing systems | VLAN 3500 | Financial data isolated |
| 48 | Assign VLANs to tenant-specific VLAN groups | Grouped config | Logical separation |
| 49 | Assign VLANs to tenant-specific QoS policies | Bandwidth control | Performance optimized |
| 50 | Assign VLANs to tenant-specific ACLs | Security policy | Access controlled |

Dynamic Assignment - Testcases

| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | User logs in via 802.1X | RADIUS assigns VLAN 10 | User placed in VLAN 10 |
| 2 | User logs in with different credentials | RADIUS assigns VLAN 20 | User placed in VLAN 20 |
| 3 | Guest user logs in | RADIUS assigns guest VLAN | Guest isolated |
| 4 | Employee logs in | RADIUS assigns employee VLAN | Access granted |
| 5 | Admin logs in | RADIUS assigns admin VLAN | Full access granted |
| 6 | Invalid credentials | RADIUS denies access | No VLAN assigned |
| 7 | RADIUS server unreachable | Fallback VLAN used | Default VLAN assigned |
| 8 | RADIUS server timeout | Retry mechanism | VLAN assigned after retry |
| 9 | MAC-based authentication | Device MAC triggers VLAN | VLAN assigned |
| 10 | Device without 802.1X support | MAC auth fallback | VLAN assigned |
| 11 | VLAN assigned based on user role | Role = HR | HR VLAN assigned |
| 12 | VLAN assigned based on device type | Device = printer | Printer VLAN assigned |
| 13 | VLAN assigned based on location | Switch port mapping | VLAN assigned accordingly |
| 14 | VLAN assigned based on time of day | Business hours | VLAN 30 assigned |
| 15 | VLAN assigned based on policy | Policy engine decision | VLAN assigned |
| 16 | VLAN assigned via RADIUS attribute | Tunnel-Private-Group-ID | VLAN ID applied |
| 17 | VLAN assigned via dynamic ACL | RADIUS sends ACL | Access controlled |
| 18 | VLAN assigned via VLAN override | Local config overridden | RADIUS VLAN used |
| 19 | VLAN assigned via fallback policy | RADIUS fails | Default VLAN used |
| 20 | VLAN assigned via guest portal | Captive portal login | VLAN assigned post-auth |
| 21 | VLAN assigned via posture check | Compliant device | VLAN assigned |
| 22 | VLAN denied due to non-compliance | Antivirus missing | Access denied |
| 23 | VLAN assigned via certificate auth | EAP-TLS | VLAN assigned securely |
| 24 | VLAN assigned via username group | AD group mapping | VLAN assigned |
| 25 | VLAN assigned via endpoint profile | Device fingerprinting | VLAN assigned |
| 26 | VLAN assigned via NAC policy | Network Access Control | VLAN enforced |
| 27 | VLAN assigned via switch config | Dynamic VLAN enabled | VLAN assigned |
| 28 | VLAN assigned via wireless controller | SSID + RADIUS | VLAN assigned |
| 29 | VLAN assigned via VPN login | Remote user | VLAN assigned virtually |
| 30 | VLAN assigned via cloud RADIUS | Azure AD or Okta | VLAN assigned |
| 31 | VLAN assigned via local RADIUS | On-prem server | VLAN assigned |
| 32 | VLAN assigned via hybrid RADIUS | Cloud + local fallback | VLAN assigned |
| 33 | VLAN assigned via VLAN pooling | Load balancing | VLAN selected from pool |
| 34 | VLAN assigned via VLAN override on port | Port config ignored | RADIUS VLAN used |
| 35 | VLAN assigned via dynamic VLAN on trunk | Tagged VLAN assigned | Traffic routed correctly |
| 36 | VLAN assigned via dynamic VLAN on access port | Untagged VLAN assigned | Traffic routed correctly |
| 37 | VLAN assigned via dynamic VLAN on hybrid port | Mixed traffic handled | VLAN assigned |
| 38 | VLAN assigned via dynamic VLAN on virtual switch | VM login | VLAN assigned |
| 39 | VLAN assigned via dynamic VLAN on container | Container startup | VLAN assigned |
| 40 | VLAN assigned via dynamic VLAN on IoT device | MAC-based auth | VLAN assigned |
| 41 | VLAN assigned via dynamic VLAN on mobile device | 802.1X auth | VLAN assigned |
| 42 | VLAN assigned via dynamic VLAN on printer | MAC-based VLAN | VLAN assigned |
| 43 | VLAN assigned via dynamic VLAN on guest laptop | Captive portal + RADIUS | VLAN assigned |
| 44 | VLAN assigned via dynamic VLAN on smart TV | Device profile | VLAN assigned |
| 45 | VLAN assigned via dynamic VLAN on VoIP phone | LLDP-MED + RADIUS | Voice VLAN assigned |
| 46 | VLAN assigned via dynamic VLAN on switch uplink | Trunk port | VLANs passed correctly |
| 47 | VLAN assigned via dynamic VLAN on SDN controller | Policy-based | VLAN assigned |
| 48 | VLAN assigned via dynamic VLAN on cloud-managed switch | Remote config | VLAN assigned |
| 49 | VLAN assigned via dynamic VLAN with logging | Syslog enabled | Assignment logged |
| 50 | VLAN assigned via dynamic VLAN with alerting | Assignment failure | Alert triggered |

Integration with STP - Testcases

| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | Enable STP on VLAN 10 | Basic loop prevention | STP active |
| 2 | Enable STP on VLAN 20 | Redundant links | STP blocks loop |
| 3 | Enable STP on all VLANs | Global config | STP active per VLAN |
| 4 | Use PVST+ with VLANs | Per-VLAN STP | Independent trees |
| 5 | Use RPVST+ with VLANs | Rapid convergence | Fast recovery |
| 6 | Use MSTP with VLANs | VLANs mapped to instances | Efficient STP |
| 7 | Configure STP priority | VLAN 10 root bridge | VLAN 10 elected root |
| 8 | Configure STP cost | VLAN 20 path selection | Optimal path chosen |
| 9 | Configure STP port roles | VLAN 30 | Roles assigned correctly |
| 10 | Configure STP timers | VLAN 40 | Timers adjusted |
| 11 | Simulate link failure | VLAN 50 | STP re-converges |
| 12 | Simulate switch failure | VLAN 60 | STP re-elects root |
| 13 | Add redundant link | VLAN 70 | STP blocks one port |
| 14 | Remove redundant link | VLAN 80 | STP unblocks port |
| 15 | Enable BPDU guard | VLAN 90 | Rogue switch blocked |
| 16 | Enable BPDU filter | VLAN 100 | BPDUs suppressed |
| 17 | Enable root guard | VLAN 110 | Root bridge protected |
| 18 | Enable loop guard | VLAN 120 | Loop prevented |
| 19 | Enable portfast | VLAN 130 access port | Fast transition |
| 20 | Disable portfast | VLAN 130 trunk port | Normal STP behavior |
| 21 | Test STP convergence time | VLAN 140 | Converges within expected time |
| 22 | Test STP topology change | VLAN 150 | Change detected |
| 23 | Monitor STP status | VLAN 160 | STP active and stable |
| 24 | Log STP events | VLAN 170 | Events recorded |
| 25 | Alert on STP failure | VLAN 180 | Notification triggered |
| 26 | Test STP with VLAN trunking | Tagged VLANs | STP operates correctly |
| 27 | Test STP with VLAN access ports | Untagged VLANs | STP operates correctly |
| 28 | Test STP with hybrid ports | Mixed traffic | STP functions properly |
| 29 | Test STP with VLAN pruning | Unused VLANs removed | STP unaffected |
| 30 | Test STP with VLAN mismatch | Native VLAN conflict | Warning generated |
| 31 | Test STP with VLAN hopping attempt | Malicious traffic | STP blocks loop |
| 32 | Test STP with VLAN-based ACLs | Filtered traffic | STP unaffected |
| 33 | Test STP with VLAN-based QoS | Prioritized traffic | STP unaffected |
| 34 | Test STP with VLAN-based monitoring | VLAN 190 | STP status visible |
| 35 | Test STP with VLAN-based logging | VLAN 200 | Logs show STP activity |
| 36 | Test STP with VLAN-based alerting | VLAN 210 | Alerts triggered on change |
| 37 | Test STP with SDN controller | VLAN 220 | STP managed dynamically |
| 38 | Test STP with cloud-managed switch | VLAN 230 | STP configured remotely |
| 39 | Test STP with automation tools | VLAN 240 | STP deployed via script |
| 40 | Test STP with orchestration tools | VLAN 250 | STP managed centrally |
| 41 | Test STP with virtual switches | VLAN 260 | STP active in VMs |
| 42 | Test STP with container networks | VLAN 270 | STP active in containers |
| 43 | Test STP with IoT VLANs | VLAN 280 | Loops prevented |
| 44 | Test STP with guest VLANs | VLAN 290 | Isolation maintained |
| 45 | Test STP with voice VLANs | VLAN 300 | Fast convergence |
| 46 | Test STP with video VLANs | VLAN 310 | No loop interference |
| 47 | Test STP with backup VLANs | VLAN 320 | Redundant paths managed |
| 48 | Test STP with management VLANs | VLAN 330 | Admin access protected |
| 49 | Test STP with compliance VLANs | VLAN 340 | Secure topology maintained |
| 50 | Test STP with multi-tenant VLANs | VLAN 350 | Isolation and redundancy ensured |

  • Reference links