In physical networks, location determines identity. Plug into a switch, and you belong to that switch's network. Every device on the switch can talk to every other device. Geography is destiny.
VLANs invert this. They let switches ask a different question: not "where are you plugged in?" but "who are you supposed to talk to?"
Two devices connected to the same physical switch can be complete strangers—unable to exchange a single packet. Two devices on opposite ends of a building can be neighbors, sharing a broadcast domain as if they were inches apart. The physical topology becomes a suggestion, not a constraint.
What VLANs Actually Do
A VLAN is a broadcast domain identified by a number. The tag is how that number travels with the frame.
When a frame enters a switch port, the switch associates it with a VLAN number. From that moment on, the frame is only forwarded to ports that belong to the same VLAN. Devices in VLAN 10 can only reach other devices in VLAN 10. Devices in VLAN 20 might as well be on a different planet.
The tag format follows IEEE 802.1Q, which inserts 4 bytes into the Ethernet header right after the source MAC address: a 2-byte tag protocol identifier (0x8100, announcing "a tag follows") and a 2-byte tag control field holding a 3-bit priority code point, a 1-bit drop-eligible indicator, and the 12-bit VLAN ID. Those 12 bits change everything about how the frame moves through the network.
Access ports connect to end devices: computers, phones, printers. The switch assigns every incoming frame to the port's configured VLAN and sends outgoing frames untagged. The end device never knows VLANs exist.
Trunk ports connect switches to each other (or to routers). They carry traffic for multiple VLANs simultaneously, preserving the tags so the next switch knows where each frame belongs.
Broadcasts—those "anyone listening?" messages—stop at VLAN boundaries. A broadcast in VLAN 10 reaches every device in VLAN 10, and no one else. This is why VLANs improve performance: you're not drowning in broadcasts from devices you'll never talk to.
The Three Departments Problem
Consider an office with Engineering, Sales, and Management. Without VLANs, you have two options:
Option 1: Put everyone on one network. Engineering's file shares are visible to Sales. Management's confidential traffic travels the same wires as everyone else's. A broadcast storm from a misbehaving device in Sales takes down Engineering's connectivity.
Option 2: Buy separate physical infrastructure for each department. Three sets of switches. Three sets of cables. Triple the cost, triple the maintenance.
VLANs give you a third option: one physical network, three logical networks. Engineering on VLAN 10, Sales on VLAN 20, Management on VLAN 30. Same switches, same cables, complete isolation.
Want to move an engineer from the third floor to the first? Change their port's VLAN assignment. No rewiring. No truck roll. Just configuration.
Crossing VLAN Boundaries
VLANs create walls. Sometimes you need doors.
Devices in different VLANs cannot communicate directly—that's the whole point. But Engineering might need to reach a server in the Management VLAN. Sales might need access to shared resources in Engineering.
This requires a router (or a Layer 3 switch, which is a switch that can route). The router has interfaces in multiple VLANs and forwards traffic between them, applying access control rules along the way. "Engineering can reach the file server in Management, but not the HR database."
This is called inter-VLAN routing, and it's where security policies live. VLANs create the isolation; routing creates the controlled exceptions.
Voice and Data: The Split Personality Port
Here's a practical problem: IP phones and computers often share the same desk, but voice traffic needs special treatment—low latency, high priority. You don't want a file download to make a phone call sound like it's underwater.
The solution is elegant. A single switch port can serve two VLANs: a data VLAN for the computer and a voice VLAN for the phone. The phone plugs into the switch; the computer plugs into the phone. Traffic separates automatically.
The switch can then apply quality-of-service policies: voice VLAN traffic gets priority, data VLAN traffic waits its turn. Same physical port, different treatment based on logical membership.
Trunks: The VLAN Highways
When VLANs span multiple switches—and they almost always do—trunk links carry the traffic between them.
A trunk is a single physical link that carries frames from many VLANs, each tagged with its VLAN ID. When a frame arrives at the other end, the receiving switch reads the tag and knows exactly where the frame belongs.
In configuration terms, a trunk port says: "This port is a trunk. Carry traffic for VLANs 10, 20, and 30. Drop everything else."
The native VLAN handles untagged traffic on trunks. If a frame arrives without a tag, it gets assigned to the native VLAN. By default, this is VLAN 1, which creates security issues we'll address shortly.
VLAN Numbering
VLANs are identified by numbers from 1 to 4094.
VLAN 1 is special. It's the default VLAN, every port starts in it, and on Cisco switches control protocols such as CDP, VTP, and DTP ride on it. Best practice: don't use it for production traffic.
VLANs 2-1001 are the standard range (on Cisco switches, 1002-1005 are reserved for legacy FDDI and Token Ring and can't be used for Ethernet). Most organizations only need a few dozen VLANs, so this range is plenty.
VLANs 1006-4094 are the extended range, available on modern switches for large deployments. Either way, the ID is a 12-bit field, so 4094 is the ceiling.
Smart organizations develop numbering schemes. Maybe VLANs 10-19 are for Building A, 20-29 for Building B. Maybe VLAN 100 is always voice, VLAN 200 is always management. The scheme matters less than having one and sticking to it.
What Can Go Wrong
VLAN mismatch: Switch A's trunk allows VLANs 10, 20, 30. Switch B's trunk allows VLANs 10, 20. VLAN 30 traffic hits Switch B and vanishes.
Native VLAN mismatch: If two connected switches disagree on the native VLAN, untagged traffic ends up in the wrong place—or nowhere.
Access port in wrong VLAN: A device connects to port 5, which is in VLAN 20. The device expects to be in VLAN 10. It can reach the wrong resources and can't reach the right ones. This looks like a "network problem" when it's actually a configuration problem.
Trunk configured as access: Two switches connected with an access port on one side and a trunk on the other. Only the access port's untagged traffic crosses, and it lands in whatever VLAN the far end assigns to untagged frames (its native VLAN). Every tagged VLAN is silently dropped.
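The two trunk mismatches above are easy to catch before they become "network problems" if you compare both ends of the link as data. The following is an added example, not code from the original article: it expands Cisco-style allowed-VLAN range strings into sets and reports which VLANs would vanish in each direction, plus whether the native VLANs agree. The two dictionaries are constructed sample settings in the shape of switchport trunk configuration, not real switch output.

```python
"""Audit both ends of a trunk for allowed-VLAN and native-VLAN mismatches.

Added example, not from the original article. SWITCH_A and SWITCH_B below are
constructed sample data, not real switch output.
"""


def parse_vlan_list(spec: str) -> set[int]:
    """Expand a range string such as '10,20,30-35' into a set of VLAN IDs.

    Rejects IDs outside 1-4094 (the usable 802.1Q range) and reversed ranges.
    """
    vlans: set[int] = set()
    for token in spec.replace(" ", "").split(","):
        if not token:
            continue
        if "-" in token:
            lo_s, hi_s = token.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
        else:
            lo = hi = int(token)
        if not (1 <= lo <= hi <= 4094):
            raise ValueError(f"invalid VLAN range: {token!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def audit_trunk(side_a: dict, side_b: dict) -> dict:
    """Compare the two ends of one trunk link.

    Each side is {'allowed': '<range string>', 'native': <int>}.
    """
    allowed_a = parse_vlan_list(side_a["allowed"])
    allowed_b = parse_vlan_list(side_b["allowed"])
    return {
        # Frames for these VLANs leave A tagged, but B discards them on ingress.
        "dropped_a_to_b": sorted(allowed_a - allowed_b),
        "dropped_b_to_a": sorted(allowed_b - allowed_a),
        # Untagged frames would be assigned to different VLANs on each end.
        "native_mismatch": side_a["native"] != side_b["native"],
        # Native VLAN 1 on either end is the default the article warns about.
        "native_is_vlan1": side_a["native"] == 1 or side_b["native"] == 1,
    }


# Constructed sample: the VLAN-mismatch and native-mismatch cases from the text.
SWITCH_A = {"allowed": "10,20,30", "native": 1}
SWITCH_B = {"allowed": "10,20", "native": 99}

if __name__ == "__main__":
    for key, value in audit_trunk(SWITCH_A, SWITCH_B).items():
        print(f"{key}: {value}")
```

Run against the sample, the report shows VLAN 30 dropped from A to B, nothing dropped the other way, and both a native mismatch and a native VLAN 1 on one end. Feeding it the parsed output of your own switches is left as a local adaptation; the parser deliberately refuses VLAN 0 and anything above 4094 so a typo in a range fails loudly instead of silently widening the trunk.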
VLAN Hopping: The Security Concern
VLANs provide isolation, but that isolation can be attacked.
Switch spoofing: An attacker tricks a switch into forming a trunk connection. On Cisco switches this is the Dynamic Trunking Protocol (DTP): if a port is left in dynamic auto or dynamic desirable mode, the default on many models, the attacker can announce "I'm a switch, let's trunk" and suddenly has access to every VLAN on that trunk.
Double tagging: This one's clever. An attacker whose access port sits in the trunk's native VLAN sends a frame with two VLAN tags: an outer tag matching the native VLAN and an inner tag for the target VLAN. The first switch forwards the frame onto the trunk untagged, because that's what it does with native VLAN traffic, so the outer tag disappears. The inner tag survives. The second switch reads the inner tag and forwards the frame into the target VLAN. It's a letter inside a letter: the first switch opens the outer envelope and thinks its job is done. Two caveats: it only works when the attacker's port is in the native VLAN, and it's one-way, because the victim's replies are not double-tagged on the way back.
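Here is the tag format from "What VLANs Actually Do" and the double-tagging hop from above, worked through in code. This is an added example, not part of the original article. It builds frames with one or two 802.1Q tags, then runs them through a deliberately simplified two-switch model that implements only the native-VLAN rule the text describes (native VLAN frames leave a trunk untagged unless native tagging is turned on); allowed-VLAN filtering, MAC learning, and the rest of what a real switch does are left out. The MAC addresses and payload are constructed.

```python
"""802.1Q tagging and the double-tagging VLAN hop, as a small model.

Added example, not from the original article. The switch model below is a
simplification that implements only the native-VLAN rule; the addresses and
payload are constructed sample data.
"""

TPID = 0x8100  # EtherType value that announces "an 802.1Q tag follows"


def build_frame(dst: bytes, src: bytes, tags: list[tuple[int, int]],
                ethertype: int, payload: bytes) -> bytes:
    """Build an Ethernet frame with zero or more 802.1Q tags, outermost first.

    Each tag is (vlan_id, priority) and occupies 4 bytes: the 2-byte TPID and
    a 2-byte TCI holding 3 bits of PCP, a DEI bit (0 here) and a 12-bit VID.
    """
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    frame = dst + src
    for vid, pcp in tags:
        if not (0 <= vid <= 4095 and 0 <= pcp <= 7):
            raise ValueError(f"bad tag ({vid}, {pcp})")
        tci = (pcp << 13) | vid
        frame += TPID.to_bytes(2, "big") + tci.to_bytes(2, "big")
    return frame + ethertype.to_bytes(2, "big") + payload


def vlan_tags(frame: bytes) -> list[int]:
    """Return the VLAN IDs of every 802.1Q tag on the frame, outermost first."""
    vids, off = [], 12
    while int.from_bytes(frame[off:off + 2], "big") == TPID:
        vids.append(int.from_bytes(frame[off + 2:off + 4], "big") & 0x0FFF)
        off += 4
    return vids


def push_tag(frame: bytes, vid: int) -> bytes:
    """Insert a priority-0 tag for vid directly after the source MAC."""
    return frame[:12] + TPID.to_bytes(2, "big") + vid.to_bytes(2, "big") + frame[12:]


def pop_tag(frame: bytes) -> bytes:
    """Remove the outermost tag."""
    return frame[:12] + frame[16:]


def hop_across_trunk(frame: bytes, access_vlan: int, native_vlan: int,
                     tag_native: bool = False) -> int:
    """Follow a frame from an access port on switch 1, over a trunk, into switch 2.

    Returns the VLAN that switch 2 delivers the frame into.
    """
    # Switch 1 ingress: the access port decides VLAN membership. A tag that
    # merely repeats the port's own VLAN is redundant and is removed.
    tags = vlan_tags(frame)
    if tags and tags[0] == access_vlan:
        frame = pop_tag(frame)
    # Switch 1 egress onto the trunk: the native VLAN goes out untagged unless
    # native tagging is enabled; every other VLAN gets its tag pushed on.
    if access_vlan != native_vlan or tag_native:
        frame = push_tag(frame, access_vlan)
    # Switch 2 ingress from the trunk: no tag means native, else read the tag.
    tags = vlan_tags(frame)
    return tags[0] if tags else native_vlan


ATTACKER_MAC = bytes.fromhex("02aabbccdd01")  # constructed, locally administered
BROADCAST = b"\xff" * 6


def double_tag_hop(attacker_vlan: int, native_vlan: int, target_vlan: int,
                   tag_native: bool = False) -> int:
    """Attacker on an access port in attacker_vlan sends an outer tag for its own
    VLAN and an inner tag for target_vlan; return where the frame ends up."""
    frame = build_frame(BROADCAST, ATTACKER_MAC,
                        [(attacker_vlan, 0), (target_vlan, 0)], 0x0800, b"hello")
    return hop_across_trunk(frame, attacker_vlan, native_vlan, tag_native)


if __name__ == "__main__":
    print("native=1, attacker in 1:      lands in", double_tag_hop(1, 1, 20))
    print("native moved to 999:          lands in", double_tag_hop(1, 999, 20))
    print("native=1 but tagged on trunk: lands in", double_tag_hop(1, 1, 20, True))
```

The first run lands the attacker's frame in VLAN 20: the outer tag was the native VLAN, so switch 1 sent it untagged and only the inner tag reached switch 2. The second and third runs land in VLAN 1, the attacker's own VLAN, because switch 1 pushed a VLAN 1 tag in front of the attacker's inner tag, either because VLAN 1 was no longer native or because native traffic was tagged anyway. That is the mechanism behind the "change the native VLAN" and "tag the native VLAN" defenses below.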
Defenses:
- Never leave ports in auto mode. Explicitly configure every port as access or trunk, and turn off trunk negotiation on access ports (on Cisco IOS, switchport mode access plus switchport nonegotiate).
- Change the native VLAN from VLAN 1 to an unused VLAN, and never put an access port in the native VLAN. Double tagging only works from inside the native VLAN.
- Where the switch supports it, tag the native VLAN on trunks too (vlan dot1q tag native on Cisco IOS), so no frame crosses a trunk untagged.
- Disable unused ports and assign them to a dead-end VLAN.
- Use VLAN access control lists to filter traffic within VLANs.
Design Principles
Create VLANs for reasons, not for fun. Each VLAN should serve a clear purpose: a security boundary, a broadcast domain, a group of devices with common policies. VLAN sprawl—dozens of VLANs with unclear purposes—makes networks harder to manage and debug.
Size VLANs appropriately. A VLAN with a /24 subnet supports 254 devices. Plan for growth, but don't create a /16 VLAN "just in case"—you'll regret the broadcast traffic.
Document everything. VLAN 47 means nothing six months from now unless someone wrote down "VLAN 47: Guest wireless, Building B."
Plan trunk capacity. All inter-switch traffic for every VLAN flows through trunk links. If you have 20 VLANs and one gigabit trunk, you might need more trunks—or faster ones.
The Deeper Point
VLANs are about control. They give network administrators the power to define who can talk to whom, independent of physical infrastructure.
Before VLANs, network architecture was constrained by cables and switches. Moving a department meant rewiring. Isolating sensitive systems meant separate hardware. Every change was a construction project.
VLANs made network architecture a matter of configuration. The physical layer became infrastructure—important, but not destiny. The logical layer became the space where design happens.
This is the pattern of virtualization everywhere: separate the logical from the physical, and suddenly you can reshape things that used to be fixed. VLANs did it for network segments decades before virtual machines did it for servers.
Understand VLANs, and you understand how networks became programmable.