March 26, 2026 · 5 min read

VLAN Planning Calculator

Plan VLAN IDs, subnets, and trunking configuration for your network. Calculate VLAN capacity and design segmented enterprise or home lab networks.

Tags: networking, vlan, network segmentation, switching, calchub

VLANs are the most practical tool for network segmentation short of buying more physical switches. They let you create logically separate networks on the same physical infrastructure — keeping IoT devices away from your corporate data, isolating guest WiFi, or separating production and development environments on the same switch stack.

What a VLAN Actually Does

A VLAN (Virtual LAN) is a Layer 2 broadcast domain defined in software. Devices on the same VLAN can communicate at Layer 2 as if they're on the same switch. Devices on different VLANs cannot communicate without going through a router (or Layer 3 switch).

VLAN IDs range from 1 to 4094 (the VID is a 12-bit field in the 802.1Q header; 0 and 4095 are reserved). ID 1 is the default VLAN on most switches, and also the default native VLAN on trunks. Leaving production traffic on VLAN 1 is a security anti-pattern: every unconfigured port already belongs to it, it is often excluded from some security controls, and it is harder to isolate.

VLAN Planning with CalcHub

The CalcHub VLAN Calculator helps you:

  • Assign VLAN IDs and names in a structured plan
  • Map VLANs to subnets (the Layer 3 complement)
  • Calculate trunk port capacity (how many VLANs per trunk)
  • Identify inter-VLAN routing requirements
  • Export a configuration table for managed switches
Enter your total number of VLANs needed, network topology type, and whether you're doing inter-VLAN routing on a router-on-a-stick, Layer 3 switch, or dedicated firewall.

Sample VLAN Plan for a Small Business

VLAN ID  Name        Subnet         Purpose
10       Staff       10.10.0.0/23   Employee workstations
20       Servers     10.20.0.0/24   Internal servers and NAS
30       Guest       10.30.0.0/24   Guest WiFi — internet only
40       IoT         10.40.0.0/24   Smart devices, printers
50       VoIP        10.50.0.0/24   IP phones, QoS required
60       Security    10.60.0.0/24   Cameras, NVR
99       Management  10.99.0.0/28   Switch/AP management only

Each VLAN is its own subnet, and inter-VLAN routing is handled by a firewall that enforces policy between them. The Guest VLAN only reaches the internet, with no access to Staff or Servers. The IoT VLAN can reach the internet but is firewalled from everything else.
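The checks a VLAN calculator has to make on a plan like this (IDs inside the 802.1Q range, VLAN 1 not used for production, no overlapping subnets, usable host counts, and a default-deny reachability table between VLANs) are small enough to show in full. The following is an added example written for this article, not code from CalcHub; the plan mirrors the table above, and the POLICY mapping is an assumed policy that encodes the Guest and IoT rules just described.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Vlan:
    vid: int
    name: str
    subnet: str
    purpose: str


# Constructed sample plan (same IDs and subnets as the table above).
PLAN = [
    Vlan(10, "Staff", "10.10.0.0/23", "Employee workstations"),
    Vlan(20, "Servers", "10.20.0.0/24", "Internal servers and NAS"),
    Vlan(30, "Guest", "10.30.0.0/24", "Guest WiFi, internet only"),
    Vlan(40, "IoT", "10.40.0.0/24", "Smart devices, printers"),
    Vlan(50, "VoIP", "10.50.0.0/24", "IP phones, QoS required"),
    Vlan(60, "Security", "10.60.0.0/24", "Cameras, NVR"),
    Vlan(99, "Management", "10.99.0.0/28", "Switch/AP management only"),
]

# Assumed inter-VLAN policy: each VLAN may reach only the destinations listed.
# "internet" is a pseudo-destination; anything not listed is denied, which is
# the default-deny stance the article describes for the firewall.
POLICY = {
    "Staff": {"Servers", "VoIP", "internet"},
    "Servers": {"internet"},
    "Guest": {"internet"},
    "IoT": {"internet"},
    "VoIP": {"internet"},
    "Security": set(),
    "Management": set(),
}


def validate_plan(plan):
    """Return a list of problems found in the plan; an empty list means it passes."""
    problems = []
    seen_ids, seen_names, nets = set(), set(), []
    for v in plan:
        if not 1 <= v.vid <= 4094:
            problems.append(f"VLAN {v.vid}: ID outside the 802.1Q range 1-4094")
        elif v.vid == 1:
            problems.append(f"VLAN 1 ({v.name}): default VLAN used for production traffic")
        if v.vid in seen_ids:
            problems.append(f"VLAN {v.vid}: duplicate ID")
        if v.name.lower() in seen_names:
            problems.append(f"VLAN {v.vid}: duplicate name {v.name!r}")
        seen_ids.add(v.vid)
        seen_names.add(v.name.lower())
        try:
            # strict=True rejects host addresses such as 10.10.0.5/24
            net = ipaddress.ip_network(v.subnet, strict=True)
        except ValueError as exc:
            problems.append(f"VLAN {v.vid}: bad subnet {v.subnet!r} ({exc})")
            continue
        for other_vid, other in nets:
            if net.overlaps(other):
                problems.append(f"VLAN {v.vid} subnet {net} overlaps VLAN {other_vid} subnet {other}")
        nets.append((v.vid, net))
    return problems


def host_capacity(plan):
    """Usable host addresses per VLAN (network and broadcast addresses excluded)."""
    return {v.name: ipaddress.ip_network(v.subnet).num_addresses - 2 for v in plan}


def can_reach(policy, src, dst):
    """Default-deny lookup: True only if src is explicitly allowed to reach dst."""
    return dst in policy.get(src, set())


def policy_matrix(plan, policy):
    """Full source x destination reachability table for documentation or review."""
    names = [v.name for v in plan]
    return {s: {d: can_reach(policy, s, d) for d in names + ["internet"] if d != s}
            for s in names}


if __name__ == "__main__":
    for p in validate_plan(PLAN):
        print("PROBLEM:", p)
    for name, hosts in host_capacity(PLAN).items():
        print(f"{name:<11} {hosts:>4} usable hosts")
    for src, row in policy_matrix(PLAN, POLICY).items():
        print(f"{src:<11} ->", ", ".join(d for d, ok in row.items() if ok) or "(nothing)")
```

The policy matrix is the piece worth reviewing with whoever owns the firewall: every True cell should correspond to a rule, and every False cell is traffic the firewall must drop.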

Access Ports vs Trunk Ports

Access port: Carries traffic from a single VLAN. End devices (computers, phones, APs) connect to access ports. The switch tracks the VLAN membership of the port internally, but the end device sees no VLAN tag.

Trunk port: Carries traffic from multiple VLANs using 802.1Q tagging. Used for switch-to-switch connections and switch-to-router/firewall links. Each frame has a 4-byte 802.1Q header with the VLAN ID inserted after the MAC addresses. Frames belonging to the trunk's native VLAN are sent untagged by default, which is why the native VLAN matters for security (see VLAN hopping below).

A typical small business topology:

Firewall ─── (trunk: VLANs 10,20,30,40,50) ─── Managed Switch
    ├── Access port (VLAN 10) → PC
    ├── Access port (VLAN 50) → IP Phone
    └── Trunk → WiFi AP (broadcasts multiple SSIDs)

Wireless VLANs

Each SSID on a managed access point can be mapped to a different VLAN. The AP connects to the switch on a trunk port carrying all relevant VLANs. Guest WiFi users join VLAN 30, staff WiFi joins VLAN 10 — all on the same physical AP and cable.

This is how enterprise WiFi works: one cable to the ceiling AP, multiple logical networks served simultaneously.

Tips

  • Name your VLANs clearly. VLAN 10 = "Staff" is much easier to understand in switch configs and firewall rules than just "VLAN 10."
  • Don't use VLAN 1 for anything. Move all production traffic to numbered VLANs starting from 10 or 100. VLAN 1 should be unused or limited to isolated management traffic.
  • Document trunk port allowlists. Each trunk port should only carry the VLANs it needs. A trunk carrying all 4094 VLANs is a lazy config that's harder to audit and troubleshoot.
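The three tips above are exactly the things a configuration audit can check mechanically. The following is an added example written for this article, not a CalcHub feature: it parses a constructed running-config excerpt written in Cisco IOS-style switchport syntax (an assumed syntax, chosen because it is widely documented; the interface names and descriptions are made up) and flags VLAN 1 in use, trunks without an allowlist, native VLANs that are VLAN 1 or a user VLAN, and ports still free to negotiate DTP. Only the plain `switchport trunk allowed vlan <list>` form is parsed, not the `add`/`remove`/`except` variants.

```python
import re

# VLAN IDs that carry user or server traffic in the sample plan.
USER_VLANS = {10, 20, 30, 40, 50, 60, 99}

# Constructed running-config excerpt (assumed IOS-style syntax, not from a real
# device). Gi1/0/1 and Gi1/0/3 follow the tips; Gi1/0/2 and Gi1/0/4 should be flagged.
CONFIG = """\
interface GigabitEthernet1/0/1
 description Staff PC
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 description Lazy trunk to AP
 switchport mode trunk
!
interface GigabitEthernet1/0/3
 description Uplink to firewall
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30,40,50,60,99
 switchport nonegotiate
!
interface GigabitEthernet1/0/4
 description Unused, never configured
!
"""


def parse_vlan_list(spec):
    """Expand an allowlist such as '10,20-22,99' into a set of VLAN IDs."""
    if spec == "all":
        return set(range(1, 4095))
    if spec == "none":
        return set()
    vids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vids.update(range(int(lo), int(hi or lo) + 1))
    return vids


def parse_interfaces(config):
    """Collect the switchport settings of every interface stanza.

    Defaults mirror an unconfigured port: no fixed mode (DTP may negotiate),
    access VLAN 1, native VLAN 1, every VLAN allowed on a trunk, DTP enabled.
    """
    ifaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            ifaces[current] = {"mode": None, "access_vlan": 1, "native": 1,
                               "allowed": None, "nonegotiate": False}
            continue
        if current is None or not line.startswith(" "):
            continue  # '!' separators and anything outside a stanza
        cmd = line.strip()
        port = ifaces[current]
        if cmd.startswith("switchport mode "):
            port["mode"] = cmd.split()[2]        # access, trunk or dynamic
        elif cmd.startswith("switchport access vlan "):
            port["access_vlan"] = int(cmd.split()[-1])
        elif cmd.startswith("switchport trunk native vlan "):
            port["native"] = int(cmd.split()[-1])
        elif cmd.startswith("switchport trunk allowed vlan "):
            port["allowed"] = parse_vlan_list(cmd.split()[-1])
        elif cmd == "switchport nonegotiate":
            port["nonegotiate"] = True
    return ifaces


def audit(ifaces, user_vlans=USER_VLANS):
    """Return (interface, finding) pairs for the anti-patterns the tips describe."""
    findings = []
    for name, p in ifaces.items():
        if p["mode"] not in ("access", "trunk"):
            findings.append((name, "no fixed switchport mode: DTP can negotiate the port into a trunk"))
            continue
        if p["mode"] == "access":
            if p["access_vlan"] == 1:
                findings.append((name, "access port left on VLAN 1"))
            if not p["nonegotiate"]:
                findings.append((name, "access port still generates DTP frames; add 'switchport nonegotiate'"))
        else:
            if p["allowed"] is None or len(p["allowed"]) == 4094:
                findings.append((name, "trunk has no allowlist and carries all 4094 VLANs"))
            if p["native"] == 1 or p["native"] in user_vlans:
                findings.append((name, f"native VLAN {p['native']} is VLAN 1 or a user VLAN"))
            if not p["nonegotiate"]:
                findings.append((name, "trunk still generates DTP frames; add 'switchport nonegotiate'"))
    return findings


if __name__ == "__main__":
    for iface, msg in audit(parse_interfaces(CONFIG)):
        print(f"{iface}: {msg}")
```

Run against the sample, the uplink and the staff port come back clean, the lazy AP trunk gets three findings and the never-configured port one. The same audit works on a real export once the parser is extended to your switch vendor's syntax.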

How many VLANs can a typical managed switch handle?

Consumer managed switches (like Netgear GS308E) support 64 VLANs. Prosumer (Ubiquiti, TP-Link Omada) support 256. Enterprise switches typically support the full 802.1Q range of 4,094. For most small businesses, 64 is more than enough.

Does having more VLANs slow down the switch?

Not meaningfully on modern hardware. VLAN processing is done in hardware on all managed switches. The CPU load from VLAN tagging is negligible even at line rate.

What's "VLAN hopping" and how do I prevent it?

VLAN hopping is any attack that gets a device's frames delivered into a VLAN it isn't assigned to. The two classic forms are switch spoofing, where a device negotiates a trunk with a port left in auto-negotiate mode and then tags its own frames, and double tagging, where a frame carries two 802.1Q tags so that the switch strips the outer tag (the native VLAN's) and forwards the frame on the inner one. Prevent it by setting all unused ports to a dedicated unused VLAN, explicitly setting access ports as access (not auto-negotiate, so DTP cannot turn them into trunks), and never using the native VLAN for user traffic, so a stripped native tag never exposes an inner tag that points at a real VLAN.
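Both the 4-byte 802.1Q header described under "Access Ports vs Trunk Ports" and the double-tagging case above come down to byte layout, so here is an added example (written for this article, not part of CalcHub) that builds and parses the tag: TPID 0x8100 followed by a 16-bit TCI holding 3 bits of priority, a DEI bit and the 12-bit VID. The frame contents are constructed. `is_double_tagged` is the defender's check: a monitoring tap on an access port, or on a trunk whose native VLAN is unused and tagged, should never see two back-to-back 802.1Q tags.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def sample_frame():
    """Constructed untagged Ethernet frame: dst MAC, src MAC, EtherType IPv4, dummy payload."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("020000000001")      # locally administered, made-up address
    return dst + src + bytes([0x08, 0x00]) + bytes(20)


def tag_frame(frame, vid, pcp=0):
    """Insert a 4-byte 802.1Q header after the two MAC addresses, as a switch
    does when it sends a frame out of a trunk port."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094 (12-bit field; 0 and 4095 are reserved)")
    if not 0 <= pcp <= 7:
        raise ValueError("PCP must be 0..7")
    tci = (pcp << 13) | vid          # 3-bit priority, DEI bit left 0, 12-bit VID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def vlan_tags(frame):
    """Return the VIDs of all consecutive 802.1Q tags, outermost first ([] if untagged)."""
    tags, off = [], 12
    while len(frame) >= off + 4:
        tpid, tci = struct.unpack("!HH", frame[off:off + 4])
        if tpid != TPID_8021Q:
            break                    # reached the real EtherType
        tags.append(tci & 0x0FFF)
        off += 4
    return tags


def untag_once(frame):
    """Strip the outer tag, as a switch does on egress to an access port or
    when the frame's VLAN is the link's untagged native VLAN."""
    return frame[:12] + frame[16:] if vlan_tags(frame) else frame


def is_double_tagged(frame):
    """True when two 802.1Q tags sit back to back. Provider bridging (802.1ad,
    outer TPID 0x88A8) is the legitimate stacked-tag case and is not matched here."""
    return len(vlan_tags(frame)) >= 2


if __name__ == "__main__":
    raw = sample_frame()
    print("untagged:", vlan_tags(raw))
    print("on trunk, VLAN 10:", vlan_tags(tag_frame(raw, 10)))
    # Two tags: outer VID 1 (the default native VLAN), inner VID 30. After the
    # native tag is stripped only the inner tag remains, which is why the native
    # VLAN must not be a user VLAN and should be tagged or left unused.
    twice = tag_frame(tag_frame(raw, 30), 1)
    print("double-tagged:", vlan_tags(twice), "flag:", is_double_tagged(twice))
    print("after native-VLAN strip:", vlan_tags(untag_once(twice)))
```

The parser stops at the first EtherType that is not 0x8100, so it reads an untagged IPv4 frame as having no tags and a normally trunked frame as having exactly one.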
