VLAN — Virtual Local Area Network
For AV-specific VLAN design including Dante, AV-over-IP, and control system VLANs, see networking/vlans-and-av-network-design.
A VLAN is a logical network segment created within a managed switch that isolates Layer 2 broadcast traffic. Devices on VLAN 10 cannot communicate with devices on VLAN 20 without a Layer 3 router or firewall handling the inter-VLAN routing. VLANs allow multiple logically separate networks to share the same physical switch infrastructure — critical in AV installations where Dante audio, AV-over-IP video, control system traffic, and corporate IT all run on the same building cabling but must be isolated from each other for performance and security.
How VLANs Work
VLANs are implemented at the switch level using 802.1Q tagging. Each Ethernet frame is tagged with a 4-byte header containing the VLAN ID (1–4094). Switches use these tags to enforce membership — a frame tagged for VLAN 10 is only forwarded to ports that are members of VLAN 10.
Access ports (untagged): the switch accepts untagged frames from the connected device and assigns them to a specific VLAN. Used for end devices (IP cameras, Dante devices, PCs) that are not VLAN-aware.
Trunk ports (tagged): carry multiple VLANs simultaneously between switches or between a switch and a router. Used for uplinks between switches and for connections to VLAN-aware devices (routers, firewalls, Dante Domain Manager servers).
Native VLAN: the VLAN assigned to untagged frames arriving on a trunk port. Mismatched native VLANs between two connected switches cause subtle connectivity problems.
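As an added illustration (not code from the original article), the following Python model of 802.1Q tagging shows how a switch classifies frames arriving on access and trunk ports, why a broadcast is flooded only to members of the frame's VLAN, and what happens to an untagged frame when the two ends of a trunk disagree on the native VLAN. The port names, MAC addresses and VLAN membership are constructed for the example; the tag layout (TPID 0x8100 followed by a 16-bit TCI whose low 12 bits are the VLAN ID) is the real 802.1Q format.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

ETHERTYPE_8021Q = 0x8100   # TPID that marks an 802.1Q-tagged frame
ETHERTYPE_IPV4 = 0x0800

BROADCAST = b"\xff" * 6
DANTE_MAC = b"\x00\x1d\xc1\x00\x00\x01"   # constructed sample source MAC


def build_frame(dst: bytes, src: bytes, payload: bytes,
                vlan_id: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build an Ethernet II frame; insert the 4-byte 802.1Q tag when vlan_id is given."""
    if vlan_id is None:
        return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + payload
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be in 1-4094")
    # TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits)
    tci = (pcp << 13) | vlan_id
    tag = struct.pack("!HH", ETHERTYPE_8021Q, tci)
    return dst + src + tag + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_vlan(frame: bytes) -> Optional[int]:
    """Return the VLAN ID from the 802.1Q tag, or None if the frame is untagged."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_8021Q:
        return None
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF


@dataclass
class Port:
    name: str
    mode: str                         # "access" or "trunk"
    access_vlan: int = 1              # access: VLAN assigned to untagged frames
    allowed: frozenset = frozenset()  # trunk: VLANs accepted with a tag
    native: int = 1                   # trunk: VLAN assigned to untagged frames


def classify_ingress(port: Port, frame: bytes) -> Optional[int]:
    """Return the VLAN the switch assigns to an arriving frame, or None if it drops it."""
    vid = parse_vlan(frame)
    if port.mode == "access":
        # An access port expects untagged frames and discards tagged ones.
        return port.access_vlan if vid is None else None
    if vid is None:
        return port.native            # untagged on a trunk -> native VLAN
    return vid if vid in port.allowed else None


def flood(ports: List[Port], ingress: Port, frame: bytes) -> List[str]:
    """Names of the ports a broadcast is flooded to: only members of the frame's VLAN."""
    vlan = classify_ingress(ingress, frame)
    if vlan is None:
        return []
    members = []
    for p in ports:
        if p is ingress:
            continue
        if p.mode == "access" and p.access_vlan == vlan:
            members.append(p.name)
        elif p.mode == "trunk" and (vlan in p.allowed or vlan == p.native):
            members.append(p.name)
    return members


def sample_switch() -> List[Port]:
    """Constructed switch: two Dante ports on VLAN 10, one control port on VLAN 30, one uplink trunk."""
    return [
        Port("gi1", "access", access_vlan=10),
        Port("gi2", "access", access_vlan=10),
        Port("gi3", "access", access_vlan=30),
        Port("gi24", "trunk", allowed=frozenset({10, 20, 30}), native=1),
    ]


def native_mismatch() -> Tuple[Optional[int], Optional[int]]:
    """The same untagged frame as seen by each end of a trunk whose native VLANs differ.

    Switch A sends its native VLAN 1 traffic untagged; switch B, configured with
    native VLAN 99, places that traffic in VLAN 99 instead.
    """
    trunk_a = Port("A-gi24", "trunk", allowed=frozenset({10, 20, 30}), native=1)
    trunk_b = Port("B-gi24", "trunk", allowed=frozenset({10, 20, 30}), native=99)
    untagged = build_frame(BROADCAST, DANTE_MAC, b"mgmt")
    return classify_ingress(trunk_a, untagged), classify_ingress(trunk_b, untagged)


if __name__ == "__main__":
    sw = sample_switch()
    bcast = build_frame(BROADCAST, DANTE_MAC, b"mDNS query")
    print("Dante broadcast on gi1 reaches:", flood(sw, sw[0], bcast))   # ['gi2', 'gi24']
    print("Native VLAN seen by each trunk end:", native_mismatch())     # (1, 99)
```

The flood result is the practical meaning of "broadcast isolation": an mDNS query from a Dante device on gi1 reaches the other VLAN 10 access port and the uplink, but never the control port on VLAN 30. The mismatch function shows why the pitfall is subtle: nothing is dropped, the frame simply lands in a different VLAN on the far switch.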
AV VLAN Design Principles
Standard AV VLAN architecture separates traffic by type:
| VLAN | Traffic | Notes |
|---|---|---|
| VLAN 10 (example) | Dante / AES67 audio | All Dante devices on same VLAN; IGMP snooping required |
| VLAN 20 | AV-over-IP (NVX, NAVpro) | High-bandwidth multicast; IGMP snooping essential |
| VLAN 30 | Control systems (Crestron, Q-SYS) | Low bandwidth; must reach displays and DSPs |
| VLAN 40 | Video conferencing codecs | May need inter-VLAN access to UC platform servers |
| VLAN 100 | Corporate IT / user devices | Isolated from AV VLANs |
Dante uses mDNS for device discovery, which does not cross VLAN boundaries. All Dante devices must be on the same VLAN to discover each other in Dante Controller. Use Dante Domain Manager to operate Dante across multiple VLANs. See networking/dante-domain-manager.
Inter-VLAN Routing
Traffic between VLANs requires Layer 3 routing — either a router-on-a-stick (router with 802.1Q trunk to switch) or a Layer 3 switch with inter-VLAN routing enabled. In AV systems, inter-VLAN routing is often needed for:
- Control processors on the AV VLAN reaching displays on the corporate VLAN
- Video conferencing codecs on the AV VLAN reaching the Microsoft Teams or Zoom cloud
- Network management (IT admin) accessing AV devices for monitoring
Firewall rules on the inter-VLAN routing path control which specific ports and protocols are allowed — e.g., allow TCP 41794 (Crestron CIP) from control VLAN to display VLAN, block all other traffic.
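The rule just described ("allow TCP 41794 from control VLAN to display VLAN, block all other traffic") can be modelled as a default-deny allow-list with connection tracking so that replies to a permitted connection get back without a rule of their own. The Python below is an added example, not code from the article or from any switch or firewall vendor; the subnets, hosts and port numbers other than 41794 are constructed, and the display is assumed to sit on the corporate VLAN 100 as in the pitfall discussed later.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple

IPv4 = ipaddress.IPv4Address


@dataclass(frozen=True)
class Rule:
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    proto: str       # "tcp" or "udp"
    dst_port: int


@dataclass(frozen=True)
class Flow:
    src: IPv4
    dst: IPv4
    proto: str
    src_port: int
    dst_port: int


# Constructed subnets, one per VLAN, following the VLAN numbers used in this article.
CONTROL_VLAN30 = ipaddress.ip_network("10.0.30.0/24")
DANTE_VLAN10 = ipaddress.ip_network("10.0.10.0/24")
CORP_VLAN100 = ipaddress.ip_network("10.0.100.0/24")   # displays live here in this scenario

RULES = [
    # Only explicitly permitted initiations cross between VLANs; everything else is denied.
    Rule(CONTROL_VLAN30, CORP_VLAN100, "tcp", 41794),  # Crestron CIP, control -> display
]


class InterVlanFilter:
    """Default-deny filter on the inter-VLAN routing path with simple connection tracking."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.established: Set[Tuple] = set()
        self.denied: List[Flow] = []     # denied flows, the record a defender would log

    @staticmethod
    def _key(f: Flow) -> Tuple:
        return (f.proto, f.src, f.src_port, f.dst, f.dst_port)

    def check(self, f: Flow) -> str:
        # Reply packets of a permitted connection are allowed back without their own rule.
        reverse = (f.proto, f.dst, f.dst_port, f.src, f.src_port)
        if reverse in self.established:
            return "allow-established"
        for r in self.rules:
            if (f.proto == r.proto and f.src in r.src_net
                    and f.dst in r.dst_net and f.dst_port == r.dst_port):
                self.established.add(self._key(f))
                return "allow"
        self.denied.append(f)
        return "deny"


def flow(src: str, sport: int, dst: str, dport: int, proto: str = "tcp") -> Flow:
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, sport, dport)


def run_scenario() -> List[Tuple[str, str]]:
    """Constructed traffic crossing the router; returns (description, verdict) pairs in order."""
    fw = InterVlanFilter(RULES)
    cases = [
        ("control -> display CIP", flow("10.0.30.5", 50321, "10.0.100.20", 41794)),
        ("display -> control reply", flow("10.0.100.20", 41794, "10.0.30.5", 50321)),
        ("corporate PC -> processor CIP", flow("10.0.100.50", 40000, "10.0.30.5", 41794)),
        ("control -> display telnet", flow("10.0.30.5", 50322, "10.0.100.20", 23)),
        ("Dante device -> corporate PC", flow("10.0.10.7", 4321, "10.0.100.50", 4321, "udp")),
    ]
    return [(desc, fw.check(f)) for desc, f in cases]


if __name__ == "__main__":
    for desc, verdict in run_scenario():
        print(f"{desc:32s} {verdict}")
```

Two points worth noticing in the output: the rule is directional, so a corporate host opening TCP 41794 toward the control processor is denied even though the same port is permitted the other way, and a reply from the display is only accepted because the processor's outbound connection was seen first. Real firewalls and Layer 3 switch ACLs express the same policy in their own syntax; keep the denied-flow record, since it is what tells you a device was placed on the wrong VLAN.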
Common Pitfalls
- All AV devices on the corporate VLAN. Dante multicast and AV-over-IP multicast flood the corporate network, causing congestion and complaints from IT. Fix: create dedicated VLANs for Dante and AV-over-IP before installation; do not put AV devices on the corporate VLAN.
- Native VLAN mismatch between switches. Two switches connected via trunk have different native VLANs configured; some devices see unexpected traffic or lose connectivity. Fix: always configure the same native VLAN on both ends of a trunk link; use VLAN 1 as native (or an explicitly chosen management VLAN) consistently.
- Dante devices on different VLANs not discovering each other. Dante Controller shows some devices offline even though pings succeed. mDNS does not cross VLAN boundaries. Fix: move all Dante devices to a single VLAN, or deploy Dante Domain Manager.
- Control system can't reach display after VLAN separation. Crestron processor on AV VLAN cannot send RS-232-over-IP or TCP commands to a display on the corporate VLAN because inter-VLAN routing is blocked. Fix: add firewall rules to permit the specific control protocol ports between the two VLANs.