Networking and Protocols

VLAN

Layer two segmentation that creates separate broadcast domains on the same physical switching fabric.

Where you will see it: Shows up in packet captures, network diagrams, firewall rules, and system or network logs.

What it is

A VLAN (Virtual LAN) is a way to split a physical switch network into multiple logical networks. Each VLAN is its own broadcast domain. Frames are associated with a VLAN either by the port they enter (access port) or by an 802.1Q tag in the frame (trunk port).

Key points
  • Access ports belong to one VLAN; trunk ports carry many VLANs with tags.
  • VLANs reduce broadcast scope and help organize networks.
  • Traffic between VLANs requires routing, usually via a layer three switch or router.

How it works in broad strokes

  1. An access port is assigned to one VLAN. Frames entering that port are treated as belonging to that VLAN.
  2. When a switch needs to send frames for multiple VLANs over one link to another switch, it uses a trunk.
  3. On a trunk, the switch adds an 802.1Q tag that identifies the VLAN for each frame, so the receiving switch knows which VLAN the frame belongs to.
  4. One VLAN can be configured as the native VLAN, where frames may be sent untagged. This must match on both ends to avoid confusion.
  5. Switches maintain separate MAC address tables per VLAN, which keeps learning and flooding contained.
  6. To communicate between VLANs, a router or layer three switch routes between the VLAN interfaces and applies policy like ACLs.
  7. Operationally, allowed VLAN lists on trunks decide which VLANs can traverse which links.

Concrete example

An office switch has VLAN 10 for users and VLAN 20 for servers. User ports are access ports in VLAN 10. The uplink between switches is a trunk carrying VLAN 10 and 20 with tags. A layer three switch routes between VLAN 10 and 20 and enforces that users can only reach specific server ports.
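The numbered steps above and this office example, modelled as an added Python example (this is not code from the original page; real switches implement the same logic in hardware): a toy switch that classifies ingress frames by access VLAN, tag or native VLAN, keeps a MAC table per VLAN, floods only to ports that are members of that VLAN, tags on trunks except for the native VLAN, and enforces the allowed list. The port names, MAC strings and the native VLAN mismatch scenario at the end are constructed for illustration.

```python
"""Toy model of how a switch handles 802.1Q VLANs: ingress classification,
per-VLAN MAC learning, flooding scoped to VLAN members, egress tagging on
trunks, native VLAN handling and allowed-VLAN filtering. Added example; the
switch in the text is an abstraction, not a real vendor implementation."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Port:
    name: str
    mode: str                              # "access" or "trunk"
    vlan: int = 1                          # access VLAN, or native VLAN on a trunk
    allowed: frozenset = frozenset()       # trunk only: VLANs permitted on the link


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    vid: Optional[int] = None              # None means untagged on the wire


class Switch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.mac_table = {}                # (vid, mac) -> port name, learned per VLAN

    def classify(self, port, frame):
        """Decide which VLAN an ingress frame belongs to; None means drop."""
        if port.mode == "access":
            # Access ports expect untagged frames; a tagged frame is not honoured.
            return port.vlan if frame.vid is None else None
        vid = port.vlan if frame.vid is None else frame.vid   # untagged -> native
        return vid if vid in port.allowed else None           # allowed-VLAN filter

    def member(self, port, vid):
        """Is this port a member of the VLAN (used for flooding decisions)?"""
        return port.vlan == vid if port.mode == "access" else vid in port.allowed

    def egress_vid(self, port, vid):
        """Tag on trunks, except for the native VLAN; never tag on access ports."""
        return None if port.mode == "access" or vid == port.vlan else vid

    def receive(self, in_port, frame):
        """Process one ingress frame. Returns {out_port: frame as sent}."""
        port = self.ports[in_port]
        vid = self.classify(port, frame)
        if vid is None:
            return {}
        self.mac_table[(vid, frame.src)] = in_port
        known = self.mac_table.get((vid, frame.dst))
        if known == in_port:
            return {}                      # destination is behind the ingress port
        if known is not None:
            outs = [known]
        else:                              # unknown or broadcast: flood within the VLAN
            outs = [n for n, p in self.ports.items()
                    if n != in_port and self.member(p, vid)]
        return {n: Frame(frame.src, frame.dst, self.egress_vid(self.ports[n], vid))
                for n in outs}


def office_switch():
    """The concrete example: users in VLAN 10, servers in VLAN 20, tagged uplink."""
    return Switch([
        Port("user1", "access", vlan=10),
        Port("user2", "access", vlan=10),
        Port("srv1", "access", vlan=20),
        Port("uplink", "trunk", vlan=1, allowed=frozenset({10, 20})),
    ])


def native_mismatch_leak():
    """Pitfall: native VLAN 1 on one end, native VLAN 10 on the other. An
    untagged VLAN 1 frame leaving switch A lands in VLAN 10 on switch B."""
    a = Switch([Port("h", "access", vlan=1),
                Port("trunk", "trunk", vlan=1, allowed=frozenset({1, 10}))])
    b = Switch([Port("trunk", "trunk", vlan=10, allowed=frozenset({1, 10})),
                Port("h", "access", vlan=10)])
    on_wire = a.receive("h", Frame("aa", "ff", None))["trunk"]
    assert on_wire.vid is None             # native VLAN on A, so sent untagged
    return b.classify(b.ports["trunk"], on_wire)   # the VLAN B puts it in


if __name__ == "__main__":
    sw = office_switch()
    print(sw.receive("user1", Frame("u1", "ff:ff", None)))   # floods to user2 + uplink (tag 10)
    print(sw.receive("user2", Frame("u2", "u1", None)))      # learned: only user1
    print("untagged VLAN 1 frame lands in VLAN", native_mismatch_leak())
```

The model shows the three behaviours worth checking in practice: the server port never receives the user broadcast, the uplink carries it tagged with VID 10, and a native VLAN mismatch silently moves a frame into the other VLAN without any error.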

Why it matters

Without VLANs, one large layer two network becomes noisy and risky. VLANs improve scalability by limiting broadcasts and improve security and operations by separating roles, such as user devices, servers, and management interfaces.

Security angle

  • VLANs are useful for segmentation but should be combined with layer three controls like ACLs and firewalling.
  • Misconfigured trunks and native VLAN behavior can enable VLAN hopping.
  • Treat management VLANs as high value and restrict where they are carried and who can reach them.

Common pitfalls

  • Native VLAN mismatches on trunks can cause traffic leaks and weird connectivity.
  • Leaving all VLANs allowed on a trunk increases risk and makes mistakes spread.
  • Assuming VLAN separation equals full security. Misconfigurations and layer two attacks can bypass it.
  • Forgetting inter VLAN routing. Two VLANs will not talk without a router, even if they share a switch.
  • Mixing up tagging expectations at endpoints, for example when connecting to hypervisors or APs.

DEEP DIVE

Why VLANs exist: control broadcasts and trust zones

On Ethernet, broadcasts reach every device in the same Layer 2 domain. That is fine for small networks, but it becomes noisy and risky at scale. VLANs let you split one switch infrastructure into multiple isolated broadcast domains, so devices in one VLAN do not see broadcasts from another.

This segmentation serves both performance and security. It reduces broadcast traffic and creates natural boundaries. You can put guests in one VLAN, servers in another, and management interfaces in a third, even if the cables and switches are shared.

It helps to remember that a VLAN is a logical partition. The switch keeps separate forwarding tables per VLAN context, and it enforces separation unless you explicitly route between VLANs.

Access ports and trunk ports

An access port is for end devices. Frames entering an access port are associated with one VLAN, and frames leaving are usually untagged. The device does not need to know VLANs exist. It just speaks normal Ethernet.

A trunk port connects switches, routers, or hypervisors and carries multiple VLANs over one link. Trunking uses 802.1Q tagging: the switch inserts a small tag into the Ethernet frame that includes a VLAN identifier. The receiving switch reads the tag and knows which VLAN the frame belongs to.

Many environments also have a native VLAN concept where untagged frames on a trunk are treated as belonging to a particular VLAN. Misaligned native VLAN settings between switches are a classic source of subtle leaks and loops.
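For reading tags out of a packet capture, the following added Python example (not code from the original page) parses the 802.1Q tag stack from raw Ethernet bytes, applies the native VLAN rule for untagged and priority-tagged (VID 0) frames on a trunk, and lists what a defender would want flagged per port type, such as a tagged frame arriving on an access port or stacked tags. The frames are constructed inside the script with the build_frame helper, not captured from a network.

```python
"""Parse 802.1Q tags from raw Ethernet frames and classify them as a switch
port would, including the native VLAN rule for untagged frames and stacked
(QinQ) tags. Added example; the frames are constructed, not captured."""
import struct

TPIDS = {0x8100: "802.1Q", 0x88A8: "802.1ad", 0x9100: "legacy QinQ"}


def parse_frame(raw: bytes) -> dict:
    """Return dst, src, the tag stack as (tpid, pcp, dei, vid) tuples, the real
    EtherType and the payload. Tags sit between the source MAC and EtherType."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = raw[0:6], raw[6:12]
    off, tags = 12, []
    while True:
        if len(raw) < off + 2:
            raise ValueError("truncated frame inside tag stack")
        (tpid,) = struct.unpack_from("!H", raw, off)
        if tpid not in TPIDS:
            break                                  # not a tag: this is the EtherType
        if len(raw) < off + 4:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", raw, off + 2)
        # TCI layout: 3 bits PCP, 1 bit DEI, 12 bits VID
        tags.append((tpid, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        off += 4
    return {"dst": dst.hex(":"), "src": src.hex(":"), "tags": tags,
            "ethertype": tpid, "payload": raw[off + 2:]}


def port_vlan(frame: dict, port_vid: int, mode: str = "trunk"):
    """VLAN a port assigns to the frame, or None to drop. On an access port
    every untagged frame is port_vid; on a trunk, port_vid is the native VLAN
    and applies to untagged and priority-tagged (VID 0) frames."""
    tags = frame["tags"]
    if mode == "access":
        return port_vid if not tags else None
    if not tags or tags[0][3] == 0:
        return port_vid
    return tags[0][3]


def anomalies(frame: dict, mode: str) -> list:
    """What a defender wants flagged when reviewing frames from a port type."""
    notes, tags = [], frame["tags"]
    if mode == "access" and tags:
        notes.append("tagged frame on access port")
    if len(tags) > 1:
        notes.append("stacked tags (QinQ or unexpected double tagging)")
    if any(t[3] == 0xFFF for t in tags):
        notes.append("reserved VID 4095")
    return notes


def build_frame(dst: str, src: str, vids, ethertype=0x0800,
                payload=b"\x45" + b"\x00" * 19):
    """Constructed test frame; each VID becomes an 0x8100 tag, outer tag first."""
    raw = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vids:
        raw += struct.pack("!HH", 0x8100, vid & 0x0FFF)    # PCP 0, DEI 0
    return raw + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    cases = (([10], "trunk"), ([10], "access"), ([], "trunk"), ([1, 20], "trunk"))
    for vids, mode in cases:
        f = parse_frame(build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", vids))
        print(vids, mode, "->", port_vlan(f, 1, mode), anomalies(f, mode))
```

The parser loops because a frame may carry more than one tag; an outer 0x88A8 or 0x8100 tag followed by an inner 0x8100 tag is how provider bridging stacks VLANs, and seeing that stack on an ordinary access link is worth investigating.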

Inter VLAN communication requires routing

VLANs isolate at Layer 2. If a host in VLAN 10 needs to talk to a host in VLAN 20, it must go through a Layer 3 device that routes between those subnets. That can be a router on a stick, a firewall, or a Layer 3 switch with switched virtual interfaces.

Each VLAN typically maps to an IP subnet, and the default gateway for that subnet lives on the routing device. ARP operates within each VLAN, so a host ARPs for its gateway MAC, sends the packet there, and the router forwards it to the destination VLAN.

This is why VLAN planning often pairs with IP planning. Clear subnet to VLAN mapping simplifies routing policy, access control, and troubleshooting.

Real world pitfalls and attacks

Operational mistakes include missing VLANs on trunks, wrong access VLAN assignments, and mismatched allowed VLAN lists. These create issues that look like random connectivity problems: some devices work, others cannot reach the gateway, and broadcast dependent protocols behave oddly.

From a security angle, VLAN hopping attacks exploit misconfigurations like dynamic trunk negotiation or poorly controlled native VLANs. Good practice is to disable unnecessary trunk negotiation, explicitly define allowed VLANs, and keep a dedicated management VLAN with strict access controls.
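One way to check those practices against a switch configuration, as an added example that is not part of the original page: the script below parses IOS-style interface stanzas and reports ports that still negotiate trunks, trunks with no explicit allowed VLAN list, the default native VLAN 1 left in place, and the management VLAN carried on a link. The configuration text in SAMPLE_CONFIG is constructed; the switchport commands it uses are standard Cisco IOS syntax, but the management VLAN number (99) and the decision that each finding is worth reporting are this example's assumptions.

```python
"""Audit a switch configuration for the trunk hygiene points in the text:
DTP negotiation left enabled, trunks with no explicit allowed-VLAN list,
the default native VLAN still in use, and the management VLAN carried on
links that may not need it. Added example with IOS-style syntax; the config
text is constructed and mgmt_vlan=99 is this script's assumption."""
import re

SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
interface GigabitEthernet1/0/2
 switchport access vlan 10
interface GigabitEthernet1/0/23
 switchport mode dynamic desirable
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk allowed vlan 10,20,99
 switchport trunk native vlan 999
 switchport nonegotiate
interface GigabitEthernet1/0/25
 switchport mode trunk
"""


def parse_interfaces(text):
    """Group indented command lines under their 'interface' header."""
    ifaces, current = {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            ifaces[current] = []
        elif current and line.startswith(" "):
            ifaces[current].append(line.strip())
    return ifaces


def expand_vlans(spec):
    """'10,20-22,99' -> {10, 20, 21, 22, 99}."""
    vids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vids.update(range(int(lo), int(hi or lo) + 1))
    return vids


def audit_interface(cmds, mgmt_vlan=99):
    """Return the list of findings for one interface's command lines."""
    findings = []
    mode = next((c.split()[2] for c in cmds if c.startswith("switchport mode ")), None)
    if mode is None or mode == "dynamic":
        # No explicit mode, or dynamic auto/desirable: the port will negotiate trunking.
        findings.append("trunk negotiation (DTP) not disabled: set an explicit mode")
    if mode == "trunk":
        if "switchport nonegotiate" not in cmds:
            findings.append("trunk still negotiates: add 'switchport nonegotiate'")
        allowed = None
        for c in cmds:
            m = re.match(r"switchport trunk allowed vlan (?:add )?([\d,\-]+)$", c)
            if m:
                allowed = (allowed or set()) | expand_vlans(m.group(1))
        if allowed is None:
            findings.append("no allowed VLAN list: every VLAN rides this trunk")
        elif mgmt_vlan in allowed:
            findings.append(f"management VLAN {mgmt_vlan} allowed: confirm this link needs it")
        native = next((int(c.split()[-1]) for c in cmds
                       if c.startswith("switchport trunk native vlan ")), 1)
        if native == 1:
            findings.append("native VLAN is the default (1): use a dedicated unused VLAN")
    return findings


def audit(text, mgmt_vlan=99):
    """Map each interface name to its findings; empty list means clean."""
    return {n: audit_interface(c, mgmt_vlan) for n, c in parse_interfaces(text).items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        print(name, "->", findings or "ok")
```

In the sample, Gi1/0/24 is the only trunk that passes the negotiation and native VLAN checks; it is still listed because VLAN 99 is allowed on it, which is the kind of link the text says should be reviewed deliberately rather than inherited from a wide allowed list.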

Finally, remember that VLANs are not encryption. They are separation on a switching fabric. If an attacker has access to the switch control plane or can convince the network to tag frames unexpectedly, VLAN boundaries can be bypassed.