A VLAN is simply a logical way to separate ports on a switch.  In a way, if you had a 24-port switch and was able to break it in half so that 12-ports were on each half, that's somewhat how a VLAN functions.  It is simply a way to group ports for traffic.  It does "block" traffic in a way that each VLAN is a separate Ethernet LAN...requiring a router to route traffic between VLANs.

Functions such as "voice", "data", etc. are simply labels that we put on VLANs, and do not affect the functionaly.  VLANs function the same way.  The labels are simply and administrative way of helping us understand what traffic should be on the VLAN.

Routing between VLANs (whether by router-on-a-stick or other methods) does not defeat the purpose of a VLAN.  It is necessary in the even one needs cross-VLAN communications.

Loosely think of each VLAN as a separate switch.

Hi Randall,

VLANs are used to create multiple network over a single switched physical topology. Imagine you wanted to have separate networks for, say, two or three different units in your company: developers, graphics, marketing, for security and management purposes. You would either buy a separate switch (or switches) for each of these units and keep the networks physically separate, or you will use a single switched topology and instead, create the (now logically) separate networks using VLANs.

So VLANs are about virtualizing switches, much in a similar way to using VirtualBox or VMWare to virtualize PCs. Instead of having multiple pieces of the same hardware, you are using the same hardware and use additional mechanisms to virtualize it and create multiple instances. VLANs are just that - virtual broadcast domains spanning over a switched topology, separate and isolated on Layer2 between each other.

However, having VLANs does not mean you want to prevent them from ever communicating. You want to contain the broadcasts, have VLANs to use separate IP ranges, exert tighter control over the inter-VLAN traffic. There may be legal reasons, however, why the VLAN networks for developers, graphics and marketing may be allowed to communicate for some purpose (say, the shared printer is in the marketing VLAN and everybody wants to print on it). That is why it is completely legal to request for inter-VLAN communication. This is accomplished by using a router-on-stick or using multilayer switches that perform inter-VLAN routing inside their hardware directly. In other words, just as you would interconnect multiple physically distinct switched networks with a router, you are doing the same with router-on-stick.

1. Do  User/Data VLANs prevent voice and management traffic from accessing the  other VLANs, or does it not work or what? I've read a few conflicting  things about it.

Any VLAN will keep the data within it closed and will not leak it to any other VLAN, unless the traffic is routed to another VLAN. So unless the VLAN carries IP traffic that is purposefully addressed to recipients located in another VLAN (or another network), this traffic will not leave its original VLAN. In addition, it must be a router that takes packets from one VLAN and puts them into another, so the inter-VLAN communication is not provided by switches but only by routers or devices capable of routing.

2. Does putting a router on a stick to allow for cross VLAN communications defeat the purpose of a VLAN?

Not at all - think about the reasons described before.

You are certainly welcome to ask further!

Best regards,

Peter