Introduction#
Imagine you run a company with three departments — HR, Engineering, and Finance — all plugged into the same physical network switches. By default, every device can see every other device’s broadcast traffic. HR can see packets meant for Finance. Interns share a broadcast domain with the CEO’s laptop.
That’s a security nightmare and a performance problem rolled into one.
VLANs (Virtual Local Area Networks) solve this by letting you carve one physical network into multiple isolated logical networks — no extra hardware required.
What is a VLAN?#
A VLAN is a logical network segment created by partitioning a physical switch or set of switches at the data link layer. Devices in the same VLAN communicate as if they were on the same physical LAN — even if they’re on different switches across a building — while devices in different VLANs are isolated from each other by default.
The key word is logical. You’re not running new cables or buying new switches. You’re using software configuration to divide one physical network into many virtual ones.
Which OSI Layer Do VLANs Operate On?#
VLANs operate at Layer 2 — the Data Link Layer of the OSI model.
| OSI Layer | Name | What it handles |
|---|---|---|
| Layer 1 | Physical | Cables, signals, hardware |
| Layer 2 | Data Link | MAC addresses, Ethernet frames, switching — VLANs live here |
| Layer 3 | Network | IP addresses, routing |
| Layer 4+ | Transport and above | TCP/UDP, applications |
Because VLANs are a Layer 2 construct, they create separate broadcast domains. Broadcasts sent within VLAN 10 stay inside VLAN 10 and never reach VLAN 20. To route traffic between VLANs, you need a Layer 3 device — a router or a Layer 3 switch.
How VLANs Work Technically#
The 802.1Q Standard#
The IEEE 802.1Q standard (also called “Dot1Q”) is the universal protocol for VLAN tagging on Ethernet networks. Published in 1998 and refined continuously, it defines how switches mark Ethernet frames to identify which VLAN they belong to.
Here’s how it works: when a frame needs to cross a trunk link (a link that carries traffic for multiple VLANs), the switch inserts a 4-byte VLAN tag into the Ethernet frame header.
The 802.1Q Tag Structure#
The tag sits between the Source MAC address and the EtherType field in the Ethernet frame:
[ Destination MAC ][ Source MAC ][ 802.1Q Tag (4 bytes) ][ EtherType ][ Payload ][ FCS ]
The 4-byte tag breaks down like this:
| Field | Size | Purpose |
|---|---|---|
| TPID (Tag Protocol Identifier) | 2 bytes | Fixed value 0x8100 — tells devices this is a tagged frame |
| PCP (Priority Code Point) | 3 bits | Frame priority for QoS (0–7) |
| DEI (Drop Eligible Indicator) | 1 bit | Whether the frame can be dropped under congestion |
| VID (VLAN Identifier) | 12 bits | The actual VLAN ID (1–4094) |
The 12-bit VID gives you 4,094 usable VLANs (IDs 0 and 4095 are reserved).
Inserting the 4-byte tag raises the maximum Ethernet frame size from 1518 bytes to 1522 bytes; the 1500-byte payload limit itself is unchanged.
Access Ports vs Trunk Ports#
VLAN-enabled switch ports fall into two categories:
Access Port (Untagged)#
- Belongs to one VLAN only
- Used for end devices — PCs, printers, IP phones, servers
- The switch adds/removes the VLAN tag invisibly; the end device never sees it
- Example: a laptop plugged into port Fa0/1, assigned to VLAN 10
Trunk Port (Tagged)#
- Carries traffic for multiple VLANs simultaneously
- Used for switch-to-switch and switch-to-router links
- Frames are tagged with their VLAN ID so the receiving device knows which VLAN each frame belongs to
- Example: the uplink port between two switches, carrying VLANs 10, 20, and 30
Native VLAN#
Every trunk port has a Native VLAN — the VLAN assigned to untagged frames that arrive on a trunk. By default this is VLAN 1. It’s best practice to change this to an unused VLAN to avoid security risks (more on that below).
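To make the tag layout, the access/trunk handling and the native-VLAN rule concrete, here is an added Python example (not code from the original article or from any switch vendor). It packs and parses the 4-byte tag, splices it into a constructed Ethernet frame the way a switch does on trunk egress, strips it again for an access port, and decides which VLAN an incoming frame lands in. The rule it applies to tagged frames arriving on an access port is modelled on common switch behaviour and is an assumption; real switches differ by vendor.

```python
from dataclasses import dataclass

TPID_8021Q = 0x8100          # fixed Tag Protocol Identifier of a tagged frame
TAG_LEN = 4                  # bytes inserted between Source MAC and EtherType
MAX_UNTAGGED_FRAME = 1518    # 14-byte header + 1500-byte payload + 4-byte FCS


@dataclass(frozen=True)
class Dot1qTag:
    pcp: int  # 3-bit Priority Code Point, 0-7
    dei: int  # 1-bit Drop Eligible Indicator
    vid: int  # 12-bit VLAN Identifier


def is_usable_vid(vid: int) -> bool:
    """VIDs 0 and 4095 are reserved, leaving 1-4094 for real VLANs."""
    return 1 <= vid <= 4094


def encode_tag(vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Pack TPID + TCI (PCP:3 | DEI:1 | VID:12) into the 4-byte 802.1Q tag."""
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP is 3 bits, DEI is 1 bit")
    if not is_usable_vid(vid):
        raise ValueError("VID must be 1-4094")
    tci = (pcp << 13) | (dei << 12) | vid
    return TPID_8021Q.to_bytes(2, "big") + tci.to_bytes(2, "big")


def decode_tag(tag: bytes) -> Dot1qTag:
    """Unpack a 4-byte tag; raises if the TPID is not 0x8100."""
    if len(tag) != TAG_LEN or int.from_bytes(tag[:2], "big") != TPID_8021Q:
        raise ValueError("not an 802.1Q tag")
    tci = int.from_bytes(tag[2:], "big")
    return Dot1qTag(pcp=tci >> 13, dei=(tci >> 12) & 1, vid=tci & 0x0FFF)


def build_untagged(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Plain Ethernet frame without FCS: DST(6) SRC(6) EtherType(2) payload."""
    return dst + src + ethertype.to_bytes(2, "big") + payload


def insert_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Trunk egress: splice the tag in right after the Source MAC."""
    return frame[:12] + encode_tag(vid, pcp) + frame[12:]


def tags_of(frame: bytes) -> list:
    """Collect every consecutive 802.1Q tag after the MAC addresses.
    A normal frame carries at most one; a monitor that counts more than one
    on an access-facing port has found something that should not be there."""
    tags, off = [], 12
    while frame[off:off + 2] == TPID_8021Q.to_bytes(2, "big"):
        tags.append(decode_tag(frame[off:off + TAG_LEN]))
        off += TAG_LEN
    return tags


def strip_tag(frame: bytes):
    """Access egress: remove the outermost tag so the end device never sees it."""
    tag = decode_tag(frame[12:16])
    return frame[:12] + frame[16:], tag


def ingress_vlan(frame: bytes, port_mode: str, port_vid: int):
    """Which VLAN does a received frame belong to?
    trunk : the tag's VID, or the native VLAN (port_vid) when untagged
    access: port_vid for untagged frames; a tagged frame is only accepted when
            its VID equals the access VLAN, otherwise it is dropped (None).
            (Assumption modelled on common switch behaviour; vendors differ.)"""
    tags = tags_of(frame)
    if port_mode == "trunk":
        return tags[0].vid if tags else port_vid
    if port_mode == "access":
        if not tags:
            return port_vid
        return port_vid if tags[0].vid == port_vid else None
    raise ValueError("port_mode must be 'access' or 'trunk'")


def max_frame_size(n_tags: int) -> int:
    """1518 bytes untagged, 1522 with one 802.1Q tag."""
    return MAX_UNTAGGED_FRAME + TAG_LEN * n_tags


if __name__ == "__main__":
    # Constructed sample: a minimum-size IPv4 broadcast frame from a laptop on VLAN 10
    laptop = build_untagged(b"\xff" * 6, bytes.fromhex("001122334455"), 0x0800, b"\x00" * 46)
    on_trunk = insert_tag(laptop, vid=10)
    print(tags_of(on_trunk), ingress_vlan(on_trunk, "trunk", 999), max_frame_size(1))
```

Running the script shows the single tag carrying VID 10, the trunk classifying the frame into VLAN 10 rather than the native VLAN 999, and the 1522-byte maximum. Feeding `laptop` (untagged) to `ingress_vlan(..., "trunk", 999)` returns 999, which is exactly the native-VLAN behaviour the section above describes.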
Types of VLANs#
| VLAN Type | Purpose | Example |
|---|---|---|
| Data VLAN | Carries regular user traffic | Employee laptops and workstations |
| Voice VLAN | Dedicated to VoIP traffic with QoS priority | IP phones on VLAN 200 |
| Management VLAN | Admin access to switches, routers, APs | SSH/SNMP traffic on VLAN 99 |
| Native VLAN | Handles untagged frames on trunk ports | Should be an unused VLAN |
| Default VLAN | All ports start here (usually VLAN 1) | Change this immediately in production |
| IoT VLAN | Isolates smart devices and sensors | Cameras, thermostats, printers |
| Guest VLAN | Internet-only access for visitors | Hotel Wi-Fi, office guest network |
Inter-VLAN Routing#
VLANs are isolated at Layer 2 — devices in different VLANs cannot talk to each other unless traffic is routed at Layer 3. There are two ways to do this:
1. Router-on-a-Stick#
A single physical router interface is divided into sub-interfaces, each mapped to a VLAN. The trunk link carries all VLAN traffic up to the router, which routes between them.
! The physical interface must be up before its sub-interfaces pass traffic
Router(config)# interface GigabitEthernet0/0
Router(config-if)# no shutdown
Router(config)# interface GigabitEthernet0/0.10
Router(config-subif)# encapsulation dot1Q 10
Router(config-subif)# ip address 192.168.10.1 255.255.255.0
Router(config)# interface GigabitEthernet0/0.20
Router(config-subif)# encapsulation dot1Q 20
Router(config-subif)# ip address 192.168.20.1 255.255.255.0
2. Layer 3 Switch (SVI)#
A Switched Virtual Interface (SVI) is a virtual Layer 3 interface on a managed switch. Each VLAN gets its own SVI with an IP address, and the switch itself handles routing — no external router needed.
Switch(config)# vlan 10
Switch(config)# vlan 20
Switch(config)# interface vlan 10
Switch(config-if)# ip address 192.168.10.1 255.255.255.0
Switch(config)# interface vlan 20
Switch(config-if)# ip address 192.168.20.1 255.255.255.0
Switch(config)# ip routing
Real-World Examples#
Example 1 — Office Network#
A company with three departments on the same physical switches:
VLAN 10 — Engineering → 192.168.10.0/24
VLAN 20 — HR → 192.168.20.0/24
VLAN 30 — Finance → 192.168.30.0/24
VLAN 99 — Management → 10.0.99.0/24
VLAN 200 — Voice (VoIP) → 172.16.200.0/24
HR can’t sniff Engineering traffic. Finance traffic is isolated from everything else. VoIP quality is guaranteed with QoS on VLAN 200.
Example 2 — Cisco Switch Config (Access + Trunk)#
! Create VLANs
Switch(config)# vlan 10
Switch(config-vlan)# name Engineering
Switch(config)# vlan 20
Switch(config-vlan)# name HR
! Configure an access port for an Engineering PC
Switch(config)# interface FastEthernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
! Configure a trunk port (uplink to another switch)
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk allowed vlan 10,20,99
Switch(config-if)# switchport trunk native vlan 999
Example 3 — Voice + Data on the Same Port#
A single switch port serving both a PC and an IP phone:
Switch(config)# interface FastEthernet0/5
Switch(config-if)# switchport mode access
! Data VLAN for the PC
Switch(config-if)# switchport access vlan 10
! Voice VLAN for the IP phone
Switch(config-if)# switchport voice vlan 200
The PC traffic is untagged (VLAN 10). The phone tags its traffic as VLAN 200 automatically. The switch handles both on a single cable.
Example 4 — IoT Isolation#
VLAN 50 — IoT devices (cameras, smart locks, sensors)
IoT devices are notoriously insecure — many can’t be patched and run old firmware. Isolating them in their own VLAN means a compromised camera can’t reach your file servers or HR systems. A firewall ACL at the VLAN boundary controls exactly what IoT devices are allowed to access.
Security Considerations#
VLAN Hopping#
An attacker can attempt to send frames tagged for a different VLAN to gain unauthorized access — this is called VLAN hopping. Two common methods:
- Double Tagging — Attacker sends a frame with two 802.1Q tags. The outer tag matches the native VLAN, gets stripped by the first switch, and the inner tag delivers the frame to a target VLAN.
- Switch Spoofing — An attacker negotiates a trunk link with a switch using DTP (Dynamic Trunking Protocol), gaining access to all VLANs.
Mitigations:
- Disable DTP on all access ports (set the port to access mode first; IOS rejects nonegotiate on a port still in a dynamic mode):
switchport mode access
switchport nonegotiate
- Set the native VLAN to an unused VLAN (e.g., VLAN 999)
- Explicitly define which VLANs are allowed on trunk ports
- Shut down all unused switch ports and assign them to an unused VLAN
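As an added example (not part of the article and not a vendor tool), the following Python script checks an IOS-style running-config excerpt against the four mitigations above: it flags access ports that still negotiate DTP, trunks left on native VLAN 1 or with no explicit allowed-VLAN list, and ports with no switchport configuration that have not been shut down. The config text is constructed for the example; the parser assumes the usual IOS layout of an `interface` line followed by indented commands and a `!` terminator, and it treats a port with no `switchport mode` as still able to negotiate a trunk, since Cisco's default mode on most Catalyst platforms is a DTP dynamic mode.

```python
# Constructed sample running-config excerpt (made up for this example, not from a real switch)
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 20
!
interface FastEthernet0/3
 switchport mode dynamic desirable
!
interface FastEthernet0/4
!
interface FastEthernet0/5
 description parked
 switchport access vlan 999
 shutdown
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,99
 switchport trunk native vlan 999
 switchport nonegotiate
!
interface GigabitEthernet0/2
 switchport mode trunk
!
"""


def parse_interfaces(config: str) -> dict:
    """Map each interface name to the list of its indented config lines.
    Assumes the usual IOS layout: 'interface X' followed by indented commands,
    terminated by '!' or the next top-level command."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None
    return interfaces


def audit_interface(name: str, lines: list) -> list:
    """Return one finding per mitigation the interface fails."""
    mode, native, allowed, nonegotiate, shut = None, 1, None, False, False
    for line in lines:
        if line.startswith("switchport mode "):
            mode = line[len("switchport mode "):]
        elif line.startswith("switchport trunk native vlan "):
            native = int(line.rsplit(" ", 1)[1])
        elif line.startswith("switchport trunk allowed vlan "):
            allowed = line[len("switchport trunk allowed vlan "):]
        elif line == "switchport nonegotiate":
            nonegotiate = True
        elif line == "shutdown":
            shut = True
    if shut:
        return []  # an administratively down port carries nothing
    findings = []
    if mode is None:
        findings.append("no switchport mode and not shut down: an unused port left open "
                        "(Cisco's default is a DTP dynamic mode); shut it and park it in a dead VLAN")
    elif mode.startswith("dynamic"):
        findings.append("DTP dynamic mode lets a peer negotiate a trunk; set mode access or trunk")
    elif mode == "access" and not nonegotiate:
        findings.append("access port without 'switchport nonegotiate'")
    elif mode == "trunk":
        if native == 1:
            findings.append("trunk uses native VLAN 1; move it to an unused VLAN")
        if allowed is None:
            findings.append("trunk allows every VLAN; set an explicit allowed list")
        if not nonegotiate:
            findings.append("trunk still negotiates DTP; add 'switchport nonegotiate'")
    return [f"{name}: {f}" for f in findings]


def audit_config(config: str) -> list:
    """Audit every interface block and return the combined list of findings."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        findings.extend(audit_interface(name, lines))
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

On the sample config the script reports nothing for FastEthernet0/1, FastEthernet0/5 and GigabitEthernet0/1 (they follow all four rules), and six findings in total for the other four ports; GigabitEthernet0/2 alone fails three checks. Pointing `audit_config` at the output of `show running-config` is a quick way to check a real switch against the same list.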
VLANs Are Not a Firewall#
A critical point: VLANs create logical separation, not security enforcement. By themselves they don’t filter traffic. Always place ACLs or a firewall at the Layer 3 boundary between VLANs to control what can talk to what.
Best Practices#
| Practice | Why |
|---|---|
| Never use VLAN 1 for production traffic | It’s the default — attackers know it |
| Change the native VLAN to an unused one | Prevents double-tagging attacks |
| Disable DTP on access ports | Stops switch spoofing |
| Explicitly allow VLANs on trunks | Principle of least privilege |
| Use a dedicated Management VLAN | Isolates admin access from user traffic |
| Separate IoT devices into their own VLAN | Limits blast radius of compromised devices |
| Put VoIP on a dedicated Voice VLAN with QoS | Guarantees call quality |
| Shut unused ports and assign to a dead VLAN | Removes physical attack surface |
| Document your VLAN design | Future you (and your team) will thank you |
Quick Summary#
| Concept | One-liner |
|---|---|
| VLAN | Logical network segment on a shared physical switch |
| OSI Layer | Layer 2 — Data Link |
| 802.1Q | The IEEE standard that defines VLAN tagging |
| VLAN Tag | 4-byte field added to Ethernet frames carrying VLAN ID |
| Access Port | Single VLAN, used for end devices |
| Trunk Port | Multiple VLANs, used between switches/routers |
| Inter-VLAN Routing | Requires Layer 3 — router-on-a-stick or L3 switch SVI |
| VLAN Hopping | Attack that exploits tagging misconfigs — mitigate with native VLAN hardening |
Co-authored by Vishwakarma, Deeps 2nd Brain
