The Simple Definition
A VLAN is a Virtual Local Area Network. It separates Ethernet traffic at Layer 2. Devices in one VLAN behave as if they are on a separate switch from devices in another VLAN, even if they are plugged into the same physical switch. The separation is enforced by the switch, not by physical cabling.
802.1Q Tagging Mechanics
The IEEE 802.1Q standard defines how VLAN information is carried inside Ethernet frames. A 4-byte tag is inserted into the Ethernet header between the source MAC address and the EtherType field. The tag contains a 12-bit VLAN ID (VID), allowing up to 4094 usable VLANs (0 and 4095 are reserved). It also carries a 3-bit Priority Code Point (PCP) used for QoS prioritization, and a 1-bit Drop Eligible Indicator (DEI).
The Port VLAN ID (PVID) is the VLAN assigned to an access port. When an untagged frame arrives on an access port, the switch internally tags it with the PVID before processing it. When the frame leaves another access port, the tag is stripped. Devices on access ports never see VLAN tags — they simply see normal Ethernet frames.
Access Ports and Trunk Ports
| Port Type | What It Carries | Frame Handling | Typical Use |
|---|---|---|---|
| Access port | One untagged VLAN | Strips tags outbound, adds PVID inbound | Desktop, printer, camera, game console |
| Trunk port | Multiple tagged VLANs | Passes tags through; native VLAN is untagged | Switch uplinks, router links, Wi-Fi APs |
| Hybrid port | One untagged + multiple tagged | Strips one VLAN, passes others tagged | Some AP deployments, IP phones with PC passthrough |
Native VLAN
On a trunk port, frames belonging to the native VLAN are sent untagged. This is a compatibility feature that allows untagged-only devices to participate on a trunk. The native VLAN defaults to VLAN 1 on most Cisco and similar equipment. It is important to configure the native VLAN consistently on both ends of a trunk link. A mismatch — where one side treats VLAN 1 as native and the other treats VLAN 10 as native — will silently merge two VLANs, breaking isolation and potentially causing traffic to appear on the wrong network segment.
VLANs and Subnets: The Difference
A VLAN operates at Layer 2 (Ethernet). An IP subnet operates at Layer 3 (IP). They are not the same thing, but they almost always map one-to-one in a well-designed network. VLAN 10 typically corresponds to a subnet like 192.168.10.0/24, VLAN 20 to 192.168.20.0/24, and so on. The VLAN enforces who can see each other's broadcast traffic. The subnet determines IP addressing and routing. Devices in the same VLAN but different subnets cannot communicate without routing. Devices in the same subnet but different VLANs are isolated at Layer 2 and also cannot communicate without routing.
Inter-VLAN Routing
Devices in different VLANs cannot communicate directly — they need a router or Layer 3 device to forward packets between them. There are two common approaches:
- Router-on-a-stick — A single router port is configured as a trunk, with sub-interfaces for each VLAN. Each sub-interface has an IP address that acts as the default gateway for that VLAN's subnet. Traffic between VLANs passes up to the router and back down. This works well for small setups but the single link can become a bottleneck.
- Layer 3 switch — A managed switch with routing capability creates a switched virtual interface (SVI) for each VLAN. Routing between VLANs happens in the switch silicon at wire speed, without traffic leaving the switch. This is the standard approach in enterprise networks and homelabs with capable switches.
Inter-VLAN routing combined with firewall rules is what gives VLANs their security value. Without firewall rules on the routing path, all VLANs can reach each other freely despite the Layer 2 separation.
Common Home and Business Use Cases
- IoT isolation — Smart bulbs, plugs, cameras, and appliances placed on a dedicated VLAN so that a compromised device cannot reach laptops, NAS devices, or servers on the main network.
- Guest Wi-Fi — Guest devices get internet access via their VLAN but cannot reach the private LAN. Firewall rules block inter-VLAN traffic while allowing guest-to-internet flows.
- VoIP / IP phones — A voice VLAN separates phone traffic from data traffic and enables QoS prioritization (via the PCP bits in the 802.1Q header) to reduce jitter and latency for calls.
- Servers and NAS — A dedicated server VLAN isolates storage and service traffic from general user devices and allows targeted firewall policy.
- Management network — Switch management interfaces, IPMI/BMC, and out-of-band access devices placed on a VLAN reachable only from a jump host or specific admin workstation.
VLAN Hopping Attacks and Mitigations
VLAN hopping is an attack technique that allows a device on one VLAN to send traffic to another VLAN without routing. Two main methods exist:
- Switch spoofing — An attacker configures their NIC to negotiate a trunk with the switch using DTP (Dynamic Trunking Protocol), gaining access to all VLANs. Mitigation: disable DTP on all access ports (`switchport nonegotiate` on Cisco), and explicitly configure all ports as access or trunk — never leave them in dynamic mode.
- Double tagging — An attacker sends a frame with two 802.1Q tags. The outer tag matches the native VLAN and is stripped by the first switch; the inner tag then directs the frame to a different VLAN on the next switch. This works only toward the victim VLAN (traffic is one-directional). Mitigation: change the native VLAN to an unused VLAN ID (not VLAN 1) and ensure no user ports belong to the native VLAN.
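As an added illustration of the tag layout described under 802.1Q Tagging Mechanics and of the double-tagging condition above (example code written for this page, not taken from any vendor, switch firmware or project): it builds and parses 802.1Q tags, simulates the PVID and native-VLAN ingress decision, and flags captured frames that carry stacked tags whose outer VID equals the native VLAN, which is exactly the condition the mitigation removes. The frame bytes are constructed inline; how an access port treats an already-tagged frame is vendor-specific and is assumed here to be a drop.

```python
import struct

TPID = 0x8100  # 802.1Q Tag Protocol Identifier, sits where the EtherType would be

def vlan_tag(vid, pcp=0, dei=0):
    """Build the 4-byte 802.1Q tag: TPID followed by TCI = PCP(3) | DEI(1) | VID(12)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094 (0 and 4095 are reserved)")
    return struct.pack("!HH", TPID, (pcp << 13) | (dei << 12) | vid)

def build_frame(dst, src, ethertype, payload, tags=()):
    """Ethernet II frame; each (vid, pcp, dei) tag goes between source MAC and EtherType."""
    return dst + src + b"".join(vlan_tag(*t) for t in tags) + struct.pack("!H", ethertype) + payload

def parse_tags(frame):
    """Return ([(vid, pcp, dei), ...], inner EtherType); handles any number of stacked tags."""
    tags, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == TPID:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append((tci & 0x0FFF, tci >> 13, (tci >> 12) & 1))
        off += 4
    return tags, struct.unpack_from("!H", frame, off)[0]

def ingress_vlan(frame, pvid, trunk=False, native=1):
    """VLAN the switch assigns on ingress (None means the frame is dropped)."""
    tags, _ = parse_tags(frame)
    if not trunk:
        # Access port: untagged frames get the PVID; a tag here is vendor-specific
        # behaviour, assumed dropped in this simulation.
        return pvid if not tags else None
    # Trunk port: the outer tag decides; untagged frames belong to the native VLAN.
    return tags[0][0] if tags else native

def suspicious(frame, native=1):
    """Defender's check on a captured frame: stacked tags, and the native-VLAN outer tag
    that double tagging relies on (moving native off VLAN 1 and off all user ports
    removes the condition)."""
    tags, _ = parse_tags(frame)
    findings = []
    if len(tags) > 1:
        findings.append("double-tagged frame")
        if tags[0][0] == native:
            findings.append("outer tag equals native VLAN")
    return findings

# Constructed samples: a normal voice-VLAN frame (VID 10, PCP 5) and a double-tagged frame
BCAST, SRC = b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01"
normal = build_frame(BCAST, SRC, 0x0800, b"\x00" * 20, tags=[(10, 5, 0)])
double = build_frame(BCAST, SRC, 0x0800, b"\x00" * 20, tags=[(1, 0, 0), (20, 0, 0)])
```

Run `suspicious(double)` with the native VLAN your trunks actually use; on a trunk whose native VLAN has been moved to an unused ID, the same frame still shows as double-tagged but no longer matches the native-VLAN condition.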
Common Mistakes
The most common VLAN mistake is configuring only one side of the path. If a switch port is trunking VLAN 20 but the access point or router is not expecting VLAN 20 tags, traffic disappears silently. Another common mistake is creating VLANs but then allowing all inter-VLAN traffic through the router, which removes much of the security benefit. A third mistake is inconsistent native VLAN configuration on trunk links, which merges VLANs unexpectedly.
Frequently Asked Questions
What does VLAN stand for?
VLAN stands for Virtual Local Area Network. It separates devices into logical Layer 2 networks even when they share physical switching hardware.
Does each VLAN need its own subnet?
In most routed networks, yes. A VLAN is Layer 2 segmentation, and each VLAN commonly has its own IP subnet so routing and firewall policy are clear.
What is a trunk port?
A trunk port carries traffic for multiple VLANs, usually by adding VLAN tags so the receiving switch, router, or access point knows which VLAN each frame belongs to.