VLAN ID Planner
Design and document a VLAN scheme for any network — one floor, one building, or multiple sites. Track VLAN IDs, names, IP subnets, gateways, owners, and notes in a single editable table. Validates VLAN IDs, flags duplicates, exports to CSV. Built by Datastrive, a Chicago managed IT and network design provider.
- Auto-saves as you type
- CSV import & export
- Built-in best-practice presets
Reserved & risky VLAN IDs
Per IEEE 802.1Q, VLAN IDs span 0–4095, but several are reserved or carry compatibility risk depending on your hardware vendor. The planner above warns when you use these. Use them only when you specifically know why.
| VLAN ID | Status | Notes |
|---|---|---|
| 0 | Reserved | Used in 802.1Q for priority-tagged frames (no VLAN). Cannot be assigned. |
| 1 | Default — avoid | The default VLAN on every switch. Many switches send untagged management traffic here. Production traffic on VLAN 1 is a known security risk. |
| 2–1001 | Normal range | Safe for general use. Use this range for your business VLANs. |
| 1002–1005 | Cisco-reserved | Reserved on Cisco switches for legacy Token Ring / FDDI. Cannot be deleted on many Cisco models. Avoid. |
| 1006–4094 | Extended range | Safe for general use. Useful for management/segmentation when you want clear separation from “user” VLANs. |
| 4095 | Reserved | Used internally by 802.1Q for implementation use. Cannot be assigned. |
VLAN design best practices
VLAN design is one of those things where the same network can be fine for years before bad choices catch up. The wrinkles below are what experienced network engineers reach for first, and what we apply when designing or redesigning networks at Datastrive.
- Never use VLAN 1 for production traffic. VLAN 1 is the default native VLAN on virtually every switch. If you don’t change it, every untagged port on a misconfigured switch automatically lands in your “main” network. Best practice: explicitly set the native VLAN on trunk ports to an unused, blackholed VLAN (e.g., 999), and never put hosts in VLAN 1.
- Pick a numbering scheme and stick with it. Two common patterns: (1) Tens — 10 = mgmt, 20 = data, 30 = voice, 40 = guest, 50 = cameras. Easy to read, room to grow. (2) Hundreds with site offset — 110-190 for site A, 210-290 for site B. Pick one. Mixing schemes mid-network is the #1 cause of “wait, what’s VLAN 47 again” moments six months later.
- Reserve high IDs for management and infrastructure. Use VLAN IDs 3000+ for switch management, AP management, IP cameras, IPMI, and other infrastructure traffic. This keeps user-facing VLANs clean in the lower hundreds and creates an immediate visual cue: “if it’s a high ID, it’s infrastructure, ACL it tightly.”
- Don’t undersize your IP subnets. A common mistake is /24 everywhere because /24 is easy. For high-density wireless or BYOD VLANs you’ll burn through 254 hosts faster than you think. Use our subnet calculator to plan: /23 (510 hosts) for guest WiFi at any office over ~100 people; /22 (1022 hosts) for hospital, school, or large open-floor environments.
- Plan for growth — leave gaps. Don’t pack VLAN IDs sequentially (10, 11, 12, 13). Use 10, 20, 30, 40 instead. When the inevitable “we need a new VLAN for the new department” call comes, you can insert it logically (15 between 10 and 20) instead of breaking your scheme by tacking on VLAN 87 at the end.
- Use consistent naming — ALL_CAPS or hyphens, pick one. Names that compare cleanly in switch CLIs and config diffs save hours of debugging. CORP_DATA or corp-data — either works. “Corp Data”, corpdata, and Corp_Data all coexisting in the same network is what software-developer types call “technical debt” and what network engineers call “the reason I’m here on Saturday.”
- Document gateways, owners, and tickets in one place. The owner column matters more than people realize. When a VLAN suddenly stops routing, you need to know whose change broke it — the network team, an application team, the security team, or that contractor from 18 months ago whose access nobody revoked. Keep this planner export with your network diagrams and runbook.
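The reserved-ID table and the practices above (valid range, reserved IDs, duplicate IDs, overlapping subnets, a gateway that actually sits inside its subnet, one naming style, an owner on every row, CSV export) can all be expressed as a small validator. The Python below is an added example written for this page; it is not the planner's own code. The row layout (keys vlan_id, name, subnet, gateway, owner, notes), the findings format, and the two accepted naming styles are assumptions, and the sample plan is constructed so that its last three rows trip most of the checks.

```python
import csv
import io
import ipaddress
import re

# Reserved or risky VLAN ID ranges, taken from the table on this page.
RESERVED = [
    (0, 0, "reserved: 802.1Q priority-tagged frames, cannot be assigned"),
    (1, 1, "default VLAN: do not put production traffic here"),
    (1002, 1005, "Cisco-reserved: legacy Token Ring / FDDI"),
    (4095, 4095, "reserved: 802.1Q implementation use, cannot be assigned"),
]

def classify_vlan_id(vid):
    """Return None when the ID is safe for general use, otherwise why it is flagged."""
    if not 0 <= vid <= 4095:
        return "outside the 12-bit 802.1Q range 0-4095"
    for lo, hi, reason in RESERVED:
        if lo <= vid <= hi:
            return reason
    return None

# The two naming styles the text accepts: ALL_CAPS with underscores, or lower-case with hyphens.
NAME_STYLES = {
    "upper_underscore": re.compile(r"^[A-Z0-9]+(_[A-Z0-9]+)*$"),
    "lower_hyphen": re.compile(r"^[a-z0-9]+(-[a-z0-9]+)*$"),
}

def name_style(name):
    for style, pattern in NAME_STYLES.items():
        if pattern.match(name):
            return style
    return "mixed"

def validate_plan(rows):
    """rows: dicts with keys vlan_id, name, subnet, gateway, owner, notes (assumed layout).
    Returns a list of (vlan_id, message) findings; an empty list means the plan is clean."""
    findings = []
    seen_ids = {}      # vlan id -> first name using it
    seen_names = {}    # normalised name -> first spelling seen
    nets = []          # (vlan id, ip_network) checked so far, for overlap detection
    styles = set()
    for r in rows:
        vid, name = r["vlan_id"], r["name"]
        reason = classify_vlan_id(vid)
        if reason:
            findings.append((vid, reason))
        if vid in seen_ids:
            findings.append((vid, f"duplicate VLAN ID, also used by {seen_ids[vid]!r}"))
        else:
            seen_ids[vid] = name
        # "Corp Data", corpdata and Corp_Data all normalise to the same key
        key = re.sub(r"[\s_-]", "", name).lower()
        if key in seen_names:
            findings.append((vid, f"name {name!r} collides with {seen_names[key]!r}"))
        else:
            seen_names[key] = name
        style = name_style(name)
        if style == "mixed":
            findings.append((vid, f"name {name!r} is neither ALL_CAPS nor lower-hyphen"))
        else:
            styles.add(style)
        if not r.get("owner"):
            findings.append((vid, "no owner recorded"))
        try:
            net = ipaddress.ip_network(r["subnet"])  # strict by default: host bits must be zero
            gw = ipaddress.ip_address(r["gateway"])
        except ValueError as exc:
            findings.append((vid, f"bad subnet or gateway: {exc}"))
            continue
        if gw not in net or gw in (net.network_address, net.broadcast_address):
            findings.append((vid, f"gateway {gw} is not a usable host address in {net}"))
        for other_vid, other in nets:
            if net.overlaps(other):
                findings.append((vid, f"subnet {net} overlaps VLAN {other_vid} ({other})"))
        nets.append((vid, net))
    if len(styles) > 1:
        findings.append((None, "plan mixes ALL_CAPS and lower-hyphen names; pick one"))
    return findings

def to_csv(rows):
    """Export the plan in the planner's column order (column names assumed)."""
    fields = ["vlan_id", "name", "subnet", "gateway", "owner", "notes"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields)
    writer.writeheader()
    for r in rows:
        writer.writerow({k: r.get(k, "") for k in fields})
    return buf.getvalue()

# Constructed sample plan; rows 3 to 5 deliberately break the rules above.
SAMPLE_PLAN = [
    {"vlan_id": 10, "name": "MGMT", "subnet": "10.10.10.0/24", "gateway": "10.10.10.1", "owner": "netops"},
    {"vlan_id": 20, "name": "CORP_DATA", "subnet": "10.10.20.0/24", "gateway": "10.10.20.1", "owner": "netops"},
    {"vlan_id": 20, "name": "Corp Data", "subnet": "10.10.20.0/23", "gateway": "10.10.20.1", "owner": ""},
    {"vlan_id": 1, "name": "DEFAULT", "subnet": "192.168.1.0/24", "gateway": "192.168.1.254", "owner": "nobody"},
    {"vlan_id": 1003, "name": "guest-wifi", "subnet": "10.10.40.0/23", "gateway": "10.10.40.0", "owner": "helpdesk"},
]

if __name__ == "__main__":
    for vid, msg in validate_plan(SAMPLE_PLAN):
        print(f"VLAN {vid}: {msg}")
    print(to_csv(SAMPLE_PLAN))
```

Running the file prints nine findings for the constructed plan (the duplicate ID, the name collision, the mixed-style name, the missing owner, the overlapping /23, VLAN 1, the Cisco-reserved 1003, a gateway set to the network address, and the plan-level mixed-style warning). To check a real plan, read the planner's CSV export with csv.DictReader and cast vlan_id to int before calling validate_plan.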
Frequently asked questions
What’s the maximum number of VLANs?
The 802.1Q standard allocates 12 bits for the VLAN ID, allowing values 0–4095. Of those, 0 and 4095 are reserved, leaving 4094 usable VLANs per switch.
For larger environments where 4094 isn’t enough — large data centers, multi-tenant ISPs — QinQ (802.1ad, “VLAN stacking”) or VXLAN extend this dramatically. VXLAN supports 16 million identifiers and is the standard for modern overlay networks.
Why is VLAN 1 considered insecure?
Because every switch defaults to it. Every unconfigured port lands in VLAN 1. Many switches send their management protocols (CDP, VTP, STP BPDUs) untagged, which means they ride VLAN 1. If an attacker plugs into an unconfigured port, they’re already on the same broadcast domain as your switches’ management chatter.
The fix has two parts: (1) put production hosts in a dedicated VLAN (any non-1 number), and (2) on trunk ports, set the native VLAN to a dedicated unused ID (e.g., 999) and configure that VLAN with no ports and no IP — effectively a black hole.
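Both parts of that fix can be audited in a saved switch configuration. The Python below is an added example for this page, not code from Datastrive or from any switch vendor. It parses a constructed IOS-style config excerpt (the interface names and VLAN numbers are invented) and flags trunks whose native VLAN is still 1, access ports left in VLAN 1, ports with no mode at all, and a native VLAN that has an SVI or access-port members, which means it is not the black hole the text describes.

```python
import re

# Constructed IOS-style running-config excerpt; interface names and VLAN numbers are invented.
SAMPLE_CONFIG = """\
vlan 999
 name BLACKHOLE
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet1/0/1
 description uplink to core
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
!
interface GigabitEthernet1/0/2
 description uplink to idf2
 switchport mode trunk
!
interface GigabitEthernet1/0/3
 description user port
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet1/0/4
 switchport mode access
!
interface GigabitEthernet1/0/5
 shutdown
!
interface GigabitEthernet1/0/6
!
"""

def parse_interfaces(config):
    """Return {interface name: [indented config lines]} for every 'interface' block."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or any other top-level line ends the block
    return blocks

def last_int(lines, prefix):
    """Value N of the last line 'prefix N' in a block, or None if the command is absent."""
    value = None
    for ln in lines:
        m = re.match(re.escape(prefix) + r" (\d+)$", ln)
        if m:
            value = int(m.group(1))
    return value

def audit_vlan1(config):
    """Return (interface, message) findings for ports that will carry VLAN 1 traffic,
    plus a check that each trunk's native VLAN is a black hole (no SVI, no access ports)."""
    findings = []
    ifaces = parse_interfaces(config)
    svi_vlans = set()
    for name in ifaces:
        m = re.fullmatch(r"Vlan(\d+)", name)
        if m:
            svi_vlans.add(int(m.group(1)))
    natives = {}   # native vlan id -> first trunk port using it
    access = {}    # access vlan id -> access ports placed in it
    for name, lines in ifaces.items():
        if name.startswith("Vlan") or "shutdown" in lines:
            continue  # SVIs are not ports; a disabled port carries nothing
        mode = None
        for ln in lines:
            if ln.startswith("switchport mode "):
                mode = ln.split()[-1]
        if mode == "trunk":
            native = last_int(lines, "switchport trunk native vlan")
            if native is None:
                native = 1  # 802.1Q native VLAN defaults to 1 when not set
            natives.setdefault(native, name)
            if native == 1:
                findings.append((name, "trunk with native VLAN 1: untagged frames ride VLAN 1"))
        elif mode == "access":
            vlan = last_int(lines, "switchport access vlan")
            if vlan is None:
                vlan = 1
            access.setdefault(vlan, []).append(name)
            if vlan == 1:
                findings.append((name, "access port in VLAN 1: move the host to a dedicated VLAN"))
        else:
            findings.append((name, "no switchport mode and not shut down: lands in VLAN 1 by default"))
    for native, port in natives.items():
        if native == 1:
            continue
        if native in svi_vlans:
            findings.append((port, f"native VLAN {native} has an SVI; a black-hole VLAN should have no IP"))
        if native in access:
            findings.append((port, f"native VLAN {native} has access ports {access[native]}; it should have none"))
    return findings

if __name__ == "__main__":
    for port, msg in audit_vlan1(SAMPLE_CONFIG):
        print(f"{port}: {msg}")
```

Point audit_vlan1 at a saved copy of show running-config. The parser only understands the IOS-style indentation shown, so other vendors' formats need their own parse_interfaces; the audit logic itself is vendor-neutral.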
What’s the difference between an access port and a trunk port?
An access port belongs to exactly one VLAN. Anything plugged into it (a workstation, phone, printer) is automatically in that VLAN with no configuration on the host. Frames leave the port untagged.
A trunk port carries traffic for multiple VLANs simultaneously, with each frame tagged with its VLAN ID using 802.1Q. Trunks connect switches to switches, switches to routers/firewalls, and switches to access points or virtualization hosts that need to land traffic in multiple VLANs.
A common pattern: switch-to-switch links are trunks carrying every VLAN; ports for end-user devices are access ports in one specific VLAN.
How big should each VLAN’s IP range be?
Common starting points: /24 (254 hosts) for typical corporate VLANs; /23 (510 hosts) for high-density WiFi or guest networks at offices over ~75 people; /26 (62 hosts) or /27 (30 hosts) for small infrastructure VLANs (cameras, printers).
The constraint isn’t really host count — it’s broadcast domain size. Even with capacity for 1000+ hosts, a VLAN with 500 active devices generates noticeable broadcast traffic. As a rule of thumb, keep active hosts per VLAN under 250–500 for typical office traffic, lower for chatty IoT devices.
Should I use the same VLAN IDs across multiple sites?
Two valid approaches:
Same IDs everywhere: VLAN 20 = “Corp Data” at every site. Simple, easy to remember, works well if sites are connected via a Layer 3 WAN (each site’s VLAN 20 has its own IP subnet, e.g., 10.10.20.0/24, 10.20.20.0/24).
Site-offset IDs: Site A uses 100s, site B uses 200s, etc. Useful when sites might ever be bridged at Layer 2 (campus environments, MPLS L2VPN, EVPN), or when you want VLAN ID alone to tell you which site a frame came from.
For most multi-site SMB networks with L3 WAN, same IDs are simpler. For larger enterprises, site-offset is more flexible.
What’s a private VLAN (PVLAN)?
A private VLAN is a VLAN feature that subdivides a single VLAN’s broadcast domain into smaller groups that can’t talk to each other directly — even though they share an IP subnet. Common in hotel networks (every guest sees only their own room), some hospital deployments, and shared hosting environments.
Three port types: promiscuous (talks to everyone, usually the gateway), community (talks to others in the same community + promiscuous), isolated (talks only to promiscuous). Useful but vendor-specific in implementation; not all switches support them.
Need a network that can carry the VLANs you just planned?
Datastrive designs, builds, and manages business networks across the Chicago area — structured cabling, switches, firewalls, WiFi, segmentation, and ongoing management. We’re a managed IT and low-voltage contractor for small and mid-sized businesses.
Talk to Datastrive →