Access Ports vs Trunk Ports
| Term | What it carries | Typical use |
|---|---|---|
| Access port | One untagged VLAN | A PC, printer, camera, or console |
| Trunk port | Multiple tagged VLANs | Switch-to-switch, router, firewall, or access point uplink |
| Native VLAN | Untagged frames on a trunk | Compatibility; keep it set to an unused ID |
| Voice VLAN | Tagged VLAN for VoIP traffic on an access port | IP phones that carry both voice and PC data |
The 802.1Q Tag Structure
802.1Q is the IEEE standard that defines how VLAN tags are inserted into Ethernet frames. A tag is a 4-byte field inserted between the source MAC address and the EtherType field of a standard Ethernet frame. The four bytes break down as follows:
- TPID (Tag Protocol Identifier): 2 bytes, always set to 0x8100 to identify the frame as 802.1Q tagged.
- PCP (Priority Code Point): 3 bits used for 802.1p Quality of Service priority (0–7).
- DEI (Drop Eligible Indicator): 1 bit that can mark frames as eligible for dropping under congestion.
- VID (VLAN Identifier): 12 bits that carry the VLAN ID, supporting values from 1 to 4094. VID 0 marks a priority-tagged frame with no VLAN membership, and 4095 is reserved.

PCP, DEI and VID together form the 2-byte Tag Control Information (TCI) that follows the TPID.
When a frame exits a trunk port, the switch inserts this tag before transmission, except for frames in the trunk's native VLAN, which are sent untagged. When a frame enters a trunk port, the switch reads the VID and processes the frame in that VLAN's context; an untagged frame is placed in the native VLAN. Access ports strip the tag on egress, so end devices never see it.
Native VLAN: Untagged Frames on a Trunk
The native VLAN is the VLAN that carries untagged frames on a trunk port. If a device sends an untagged frame into a trunk port, the switch assigns it to the native VLAN. The default native VLAN on most switches is VLAN 1. Both sides of a trunk link must agree on the native VLAN or traffic is misassigned (Cisco switches log a native VLAN mismatch when CDP sees one). Security best practice is to set the native VLAN to an unused ID (such as VLAN 999) so that untagged frames do not accidentally land in a production VLAN; where the platform supports it (Cisco Catalyst offers the global `vlan dot1q tag native` command), tagging the native VLAN on trunks removes the untagged case entirely.
Voice VLAN for VoIP Phones
Many IP phones have a built-in two-port switch — one port connects to the wall, the other connects to a PC. A switch port configured with a voice VLAN sends voice traffic tagged with the voice VLAN ID and PC traffic untagged on the access VLAN. The phone identifies itself to the switch using CDP or LLDP-MED, and the switch instructs the phone to tag its voice frames with the designated VLAN. This allows a single physical port to serve both a phone and a PC while keeping their traffic in separate VLANs with separate QoS policies.
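The LLDP-MED side of that exchange is a single Network Policy TLV that the switch sends to the phone. The following is an added example, not code from the original page: it encodes and decodes that TLV using the bit layout from ANSI/TIA-1057 (application type, U/T/X flags, 12-bit VLAN ID, 3-bit L2 priority, 6-bit DSCP) and derives what the phone should tag its voice frames with. The voice VLAN 100, CoS 5 and DSCP 46 values are constructed for the demonstration; the CDP variant of the same announcement uses a different, proprietary TLV and is not shown.

```python
import struct

LLDP_TLV_ORG_SPECIFIC = 127          # TLV type for organizationally specific TLVs
LLDP_MED_OUI = bytes.fromhex("0012bb")  # TIA OUI used by all LLDP-MED TLVs
LLDP_MED_NETWORK_POLICY = 0x02       # LLDP-MED subtype: Network Policy TLV
APP_VOICE = 1                        # LLDP-MED application type 1 = Voice


def build_network_policy_tlv(app_type, vlan_id, l2_priority, dscp, tagged=True, unknown=False):
    """Encode one LLDP-MED Network Policy TLV.

    Layout: TLV header (type:7 bits, length:9 bits), OUI (3 bytes), subtype (1 byte),
    then 32 bits of app_type:8, U:1 (policy unknown), T:1 (tagged), X:1 (reserved),
    vlan_id:12, l2_priority:3, dscp:6.
    """
    if not 0 <= vlan_id <= 4095:
        raise ValueError("VLAN ID must fit in 12 bits")
    policy = ((app_type & 0xFF) << 24
              | (int(unknown) << 23)
              | (int(tagged) << 22)
              | (vlan_id << 9)
              | ((l2_priority & 0x7) << 6)
              | (dscp & 0x3F))
    body = LLDP_MED_OUI + bytes([LLDP_MED_NETWORK_POLICY]) + struct.pack("!I", policy)
    header = (LLDP_TLV_ORG_SPECIFIC << 9) | len(body)
    return struct.pack("!H", header) + body


def parse_network_policy_tlv(tlv):
    """Decode a Network Policy TLV into a dict; raise ValueError for anything else."""
    if len(tlv) < 10:
        raise ValueError("TLV too short")
    (header,) = struct.unpack_from("!H", tlv, 0)
    tlv_type, length = header >> 9, header & 0x1FF
    if tlv_type != LLDP_TLV_ORG_SPECIFIC or length != 8:
        raise ValueError("not an 8-byte organizationally specific TLV")
    if tlv[2:5] != LLDP_MED_OUI or tlv[5] != LLDP_MED_NETWORK_POLICY:
        raise ValueError("not an LLDP-MED Network Policy TLV")
    (policy,) = struct.unpack_from("!I", tlv, 6)
    return {
        "app_type": policy >> 24,
        "unknown": bool((policy >> 23) & 1),
        "tagged": bool((policy >> 22) & 1),
        "vlan_id": (policy >> 9) & 0x0FFF,
        "l2_priority": (policy >> 6) & 0x7,
        "dscp": policy & 0x3F,
    }


def phone_frame_tag(policy):
    """What the phone does with its voice frames after reading the policy:
    return (vid, pcp) to tag with, or None if it must send them untagged."""
    if policy["unknown"] or not policy["tagged"]:
        return None
    return (policy["vlan_id"], policy["l2_priority"])


if __name__ == "__main__":
    # Constructed values: voice VLAN 100, CoS 5, DSCP 46 (EF), tagged.
    tlv = build_network_policy_tlv(APP_VOICE, 100, 5, 46)
    print(tlv.hex())
    print(parse_network_policy_tlv(tlv))
    print("phone tags voice frames with (vid, pcp) =", phone_frame_tag(parse_network_policy_tlv(tlv)))
```

Running the block shows why the PC behind the phone never sees the voice VLAN: the policy tells only the phone to tag, and only for application type 1; PC frames pass through the phone's second port untouched and land in the access VLAN.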
Why VLANs Exist
Without VLANs, every device on a switch is part of the same broadcast domain. VLANs split that shared fabric into logical networks. A home lab might use one VLAN for trusted devices, one for IoT, one for guests, and one for cameras. An office might separate staff, voice phones, servers, printers, and building control systems. VLANs reduce unnecessary broadcast traffic and provide a structural boundary for applying firewall policy, but they are not a firewall by themselves. Traffic between VLANs requires routing.
Inter-VLAN Routing: Router-on-a-Stick vs Layer 3 SVIs
Devices in different VLANs cannot communicate at Layer 2. Traffic must cross a routing boundary. Two common approaches exist:
- Router-on-a-stick: A single physical router port connects to the switch as a trunk. The router creates subinterfaces — one per VLAN — each configured with the VLAN's gateway IP and a matching 802.1Q encapsulation. Traffic between VLANs leaves the switch tagged, the router routes it, and it returns tagged for the destination VLAN. This works well for small environments but creates a single bottleneck on one physical link.
- Layer 3 switch SVIs: A Layer 3 switch creates Switched Virtual Interfaces (SVIs), virtual interfaces assigned the gateway IP for each VLAN. Routing happens internally at hardware speed without leaving the switch. This is faster and more scalable for environments where inter-VLAN traffic is high.
In either case, the routing point is where firewall or ACL policy belongs. An IoT VLAN might be allowed to reach the internet and a local DNS resolver but blocked from any connection to the main LAN. A guest VLAN might be internet-only. Creating VLANs without rules is just renaming subnets; adding thoughtful policy is what produces real isolation.
VLAN Hopping Attacks and Mitigations
VLAN hopping is a class of attacks that allows a device on one VLAN to send traffic to another VLAN without going through the router. Two techniques are common:
- Switch spoofing via DTP: Cisco's Dynamic Trunking Protocol (DTP) lets ports negotiate trunk mode automatically, and many Catalyst ports default to a dynamic mode (dynamic auto or dynamic desirable), so an attacker who connects a device that sends DTP frames can bring up a trunk and reach every VLAN the trunk carries. Mitigation: explicitly set every port to `switchport mode access` or `switchport mode trunk`, and add `switchport nonegotiate` so the port stops sending DTP frames. Shut down unused ports or park them in an unused VLAN.
- Double tagging: An attacker whose access port is in the trunk's native VLAN sends a frame with two 802.1Q tags. The first switch treats the outer tag as the native VLAN and strips it when forwarding on the trunk (native traffic is sent untagged), which leaves the inner tag exposed; the second switch reads that inner tag and forwards the frame into the target VLAN. This is a one-way attack (replies cannot be routed back the same way), but it can still deliver malicious frames. Mitigation: set the native VLAN to an unused ID that no access port belongs to, so attackers cannot be in the native VLAN to begin with, and tag the native VLAN on trunks where the platform supports it.
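To make both the tag structure from the 802.1Q section and the double-tagging attack concrete, here is an added example (not code from the original page) that builds and parses tagged Ethernet frames with the standard library only, then models the two-switch path of a double-tagged frame. The switch behaviour is a deliberately simplified model written for this example: a switch looks only at the outermost tag, strips it on the trunk when the frame belongs to the native VLAN, and classifies an incoming trunk frame by its outermost tag (or the native VLAN when untagged). The MAC addresses and payload are constructed.

```python
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_tag(vid, pcp=0, dei=0):
    """Return the 4-byte 802.1Q tag: TPID (16 bits) + TCI (PCP:3, DEI:1, VID:12)."""
    if not 0 <= vid <= 4095:
        raise ValueError("VID must fit in 12 bits")
    if not 0 <= pcp <= 7:
        raise ValueError("PCP must fit in 3 bits")
    tci = (pcp << 13) | ((dei & 1) << 12) | vid
    return struct.pack("!HH", TPID_8021Q, tci)


def build_frame(dst, src, vids, ethertype=ETHERTYPE_IPV4, payload=b""):
    """Ethernet frame with zero or more 802.1Q tags; vids[0] is the outermost tag."""
    tags = b"".join(build_tag(v) for v in vids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, [(pcp, dei, vid), ...], ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    offset, tags = 12, []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame: no EtherType after tag stack")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype != TPID_8021Q:
            break
        if offset + 4 > len(frame):
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append((tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        offset += 4
    return dst, src, tags, ethertype, frame[offset + 2:]


def trunk_egress(frame, vlan, native_vlan):
    """Model switch A sending a frame it has classified into `vlan` out a trunk.

    The switch only examines the outermost tag: it removes that tag if it matches
    `vlan`, then sends untagged if `vlan` is the native VLAN, tagged otherwise.
    PCP/DEI of any inner tags are not preserved (simplification for this example).
    """
    dst, src, tags, ethertype, payload = parse_frame(frame)
    inner = tags[1:] if tags and tags[0][2] == vlan else tags
    remaining = [t[2] for t in inner]
    if vlan == native_vlan:
        return build_frame(dst, src, remaining, ethertype, payload)
    return build_frame(dst, src, [vlan] + remaining, ethertype, payload)


def trunk_ingress(frame, native_vlan):
    """Model switch B classifying a frame from the trunk: outer VID, or native if untagged."""
    _, _, tags, _, _ = parse_frame(frame)
    return tags[0][2] if tags else native_vlan


def double_tag_attack(attacker_vlan, target_vlan, native_vlan):
    """Attacker on an access port in attacker_vlan sends a double-tagged frame
    through switch A's trunk to switch B. Returns the VLAN switch B places it in."""
    dst = b"\xff" * 6                          # constructed broadcast destination
    src = bytes.fromhex("020000000001")        # constructed attacker MAC
    crafted = build_frame(dst, src, [attacker_vlan, target_vlan], payload=b"evil")
    on_wire = trunk_egress(crafted, attacker_vlan, native_vlan)
    return trunk_ingress(on_wire, native_vlan)


if __name__ == "__main__":
    print("native 1, attacker in VLAN 1   -> frame lands in VLAN", double_tag_attack(1, 20, 1))
    print("native 999, attacker in VLAN 1 -> frame lands in VLAN", double_tag_attack(1, 20, 999))
```

With the default native VLAN 1 the crafted frame ends up in VLAN 20; with the native VLAN moved to 999 the outer tag is no longer stripped, the second switch classifies the frame by that outer tag, and it stays in the attacker's own VLAN 1.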
Practical Home Use of VLANs
VLANs are not just for enterprises. Home networks with a managed switch and a capable router or firewall can use VLANs practically. A common setup separates IoT devices (smart speakers, cameras, thermostats) from trusted computers and phones, and provides a guest Wi-Fi SSID that reaches the internet but not any LAN resources. This limits the blast radius if a cheap IoT device is compromised: it cannot directly reach NAS devices, PCs, or internal services. Some consumer routers with VLAN support (certain Asus and Netgear Nighthawk models) and firewall distributions such as pfSense or OPNsense running on a small box make this achievable without enterprise gear.
Common Mistakes
- Creating VLANs but allowing all inter-VLAN traffic in the firewall rules anyway.
- Forgetting to tag VLANs on the access point uplink, causing guest clients to get no IP address.
- Using the same subnet on multiple VLANs.
- Leaving VLAN 1 as the native VLAN on trunks with active production traffic.
- Leaving DTP enabled on access ports, enabling switch spoofing attacks.
- Changing switch VLANs remotely without a rollback path.
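Several of these mistakes are visible in a switch's running configuration. The following is an added example, not a tool from the original page: a small audit over Cisco IOS-style configuration text that flags ports left in a dynamic (DTP) mode, ports without `switchport nonegotiate`, and trunks that still use native VLAN 1 or allow every VLAN. It assumes IOS syntax and that an interface with no `switchport mode` line sits at the platform default, which is a dynamic mode on many Catalyst models; the sample configuration is constructed for the example.

```python
import re

DEFAULT_NATIVE_VLAN = 1  # assumption: trunk native VLAN when none is configured

# Constructed sample running-config (not from a real device).
SAMPLE_CONFIG = """!
interface GigabitEthernet1/0/1
 description Staff PC
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 description Printer
 switchport access vlan 10
!
interface GigabitEthernet1/0/3
 description Uplink to core
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/4
 description Uplink to AP
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonegotiate
!
"""


def parse_interfaces(config_text):
    """Split an IOS-style config into {interface_name: [indented config lines]}."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return interfaces


def audit_interface(lines):
    """Return findings for one switchport, following the mistakes listed above."""
    findings = []
    if "shutdown" in lines:
        return findings  # an administratively down port sends no DTP frames
    mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
    if mode is None or mode == "dynamic":
        findings.append("DTP negotiation possible: no explicit access/trunk mode "
                        "(assumed platform default is dynamic)")
    if "switchport nonegotiate" not in lines:
        findings.append("switchport nonegotiate missing: DTP frames are still sent")
    if mode == "trunk":
        native = DEFAULT_NATIVE_VLAN
        for l in lines:
            m = re.match(r"switchport trunk native vlan (\d+)$", l)
            if m:
                native = int(m.group(1))
        if native == DEFAULT_NATIVE_VLAN:
            findings.append(f"native VLAN is {native}: move it to an unused ID")
        if not any(l.startswith("switchport trunk allowed vlan") for l in lines):
            findings.append("trunk allows all VLANs: prune with 'switchport trunk allowed vlan'")
    return findings


def audit_config(config_text):
    """Return {interface: [findings]} for every switchport that has at least one finding."""
    report = {}
    for name, lines in parse_interfaces(config_text).items():
        if not any(l.startswith("switchport") for l in lines):
            continue  # routed port or SVI: no Layer 2 trunking checks apply
        findings = audit_interface(lines)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name)
        for f in findings:
            print("  -", f)
```

In the constructed sample, Gi1/0/1 and Gi1/0/4 pass, the printer port Gi1/0/2 is flagged twice (no explicit mode, no nonegotiate), and the core uplink Gi1/0/3 is flagged for missing nonegotiate, native VLAN 1 and an unpruned allowed list. Treat the findings as heuristics: a real audit should also confirm the platform's actual default mode with `show interfaces switchport`.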
Frequently Asked Questions
What is a VLAN?
A VLAN is a virtual LAN that separates traffic into different logical networks even when devices share the same physical switch infrastructure.
What is a trunk port?
A trunk port carries traffic for multiple VLANs, using 802.1Q tags so the receiving device knows which VLAN each frame belongs to.
Does each VLAN need its own subnet?
Usually yes. In most practical designs, each VLAN maps to its own IP subnet, and a router or layer-3 switch controls traffic between VLANs.