A VLAN (Virtual LAN) logically divides one physical switch into multiple networks. Even plugged into the same switch, hosts on different VLANs can't talk directly and broadcasts don't reach across. Without adding cabling you can separate "per department", "for servers", "guest Wi-Fi", "IoT", and so on — raising security, performance, and operational flexibility at once. This article covers the goals, access vs trunk, 802.1Q tags, why inter-VLAN traffic needs a router, and the security angle.
What a VLAN is — one physical, split logically #
Normally every device on a switch belongs to the same "broadcast domain" and is fully visible to the others. A VLAN groups the switch's ports and separates different groups as if they were "different switches".
The physical building (switch) is one, but interior walls (VLANs) divide it into a "sales floor", "accounting floor", and "guest floor". People on the same floor talk instantly; reaching another floor requires the elevator and reception (a router). Because the walls are just software settings, rearranging the layout is instant.
Why use them — isolation, performance, flexibility #
Access ports and trunk ports #
The key to VLANs is that a switch has two kinds of ports.
| Type | Role | Tag |
|---|---|---|
| Access port | Connects an end device (PC, printer) that belongs to one VLAN | None (untagged) |
| Trunk port | Connects switch-to-switch / switch-to-router, carrying multiple VLANs together | Yes (802.1Q tagged) |
The end device doesn't know it's on a VLAN; it just speaks ordinary Ethernet. The switch is what's VLAN-aware: it assigns every frame arriving on an access port to that port's VLAN (say VLAN 10) and adds the matching 802.1Q tag only when it forwards the frame onto a trunk.
The IEEE 802.1Q tag — embedding the VLAN ID into a frame #
To carry multiple VLANs on one trunk, each frame must indicate "which VLAN it belongs to." That is the IEEE 802.1Q tag: 4 bytes inserted right after the source MAC of the Ethernet frame, of which 12 bits are the VLAN ID (1–4094).
```
# Normal Ethernet frame
[ dstMAC | srcMAC | EtherType | payload | FCS ]
# 802.1Q-tagged (on a trunk)
[ dstMAC | srcMAC | 802.1Q tag (4B) | EtherType | payload | FCS ]
                     └ TPID 0x8100 (16 bit) + TCI: PCP (3 bit) / DEI (1 bit) / VLAN ID (12 bit)
```
When a frame leaves an access port toward an end device, the tag is stripped, so the device only ever sees an ordinary frame. On an 802.1Q trunk exactly one VLAN is sent and received without a tag: the "native VLAN". Keep it in mind for the security section below.
Inter-VLAN traffic — separate networks need a router #
A frequent misconception is that two VLANs on the same switch can still reach each other somehow. They can't: a different VLAN is a different IP network (a different subnet), and at L2 the switch never forwards between them. To connect VLAN 10 (192.168.10.0/24) and VLAN 20 (192.168.20.0/24) you need an L3 device, a router or a layer-3 switch, with an interface (or SVI) in each VLAN.
Precisely because a router (a place where filters can be applied) always sits between VLANs, the segmentation design of "split into VLANs, then restrict traffic between them with ACLs / firewalls" becomes possible.
Security — VLAN hopping and segmentation design #
A VLAN is a separation tool, but misconfiguration lets attackers cross it. The classic example is VLAN hopping.
| Attack | Method | Defense |
|---|---|---|
| Switch spoofing | The attacker's host speaks DTP (Cisco's trunk-negotiation protocol) and gets its port turned into a trunk, so it can tag frames into, and sniff, every VLAN | Disable DTP and hard-code edge ports as access (`switchport mode access` plus `switchport nonegotiate` on Cisco IOS); never leave an edge port in a DTP "dynamic" mode |
| Double tagging | The attacker, on an access port in the trunk's native VLAN, sends a frame with two tags: the first switch strips the outer (native) tag and forwards the frame untagged across the trunk; the second switch reads the inner tag and delivers it into the victim VLAN. One-way only, replies never come back | Use an otherwise unused ID as the native VLAN (`switchport trunk native vlan 999`) and tag native-VLAN frames on the trunk (`vlan dot1q tag native`) so nothing crosses the trunk untagged |
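The tagging and stripping described in the 802.1Q section above, and the double-tagging row of this table, as an added example that is not part of the original article: a Python script that builds, parses and strips 802.1Q tags and then runs a double-tagged frame through a minimal two-switch model. The port model, the MAC addresses and the VLAN numbers 1/20/999 are assumptions made for the demonstration, and all frames are constructed in the script. With the weak configuration the frame lands in VLAN 20; with the table's hardening it stays in VLAN 1.

```python
"""Added example (not from the original article): IEEE 802.1Q tag handling plus a
replay of the double-tagging VLAN hop against a two-switch model. Every frame
below is constructed in the script; no real network is touched."""
import struct

TPID_8021Q = 0x8100      # Tag Protocol Identifier that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, ethertype, payload):
    """Untagged Ethernet frame as an access-port host would send it (FCS omitted)."""
    return dst + src + struct.pack("!H", ethertype) + payload


def tag_frame(frame, vid, pcp=0, dei=0):
    """Insert TPID + TCI (3-bit PCP, 1-bit DEI, 12-bit VID) right after the source MAC,
    which is what a switch does before forwarding an access-port frame onto a trunk."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094 (0 and 4095 are reserved)")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_tag(frame):
    """Return (pcp, dei, vid) for the outermost 802.1Q tag, or None if untagged."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return tci >> 13, (tci >> 12) & 1, tci & 0x0FFF


def strip_tag(frame):
    """Remove the outermost tag; only call after parse_tag() confirmed one is present."""
    return frame[:12] + frame[16:]


def classify_ingress(frame, port):
    """Assign an arriving frame to a VLAN. Returns (vid, frame) or None if dropped.
    Port model (an assumption, simplified from common switch behaviour):
      access: {"mode": "access", "vlan": N}; a tag is tolerated only if it equals N
      trunk:  {"mode": "trunk", "native": N, "tag_native": bool}; untagged = native"""
    tag = parse_tag(frame)
    if port["mode"] == "access":
        if tag is None:
            return port["vlan"], frame
        return (port["vlan"], strip_tag(frame)) if tag[2] == port["vlan"] else None
    if tag is None:
        return port["native"], frame
    return tag[2], strip_tag(frame)


def trunk_egress(vid, frame, port):
    """The native VLAN leaves a trunk untagged unless the trunk is told to tag it."""
    if vid == port["native"] and not port["tag_native"]:
        return frame
    return tag_frame(frame, vid)


def double_tagging(attacker_port, sw1_trunk, sw2_trunk, victim_vid, payload=b"hop"):
    """Attacker on an access port of sw1 sends inner tag = victim VLAN, outer tag = own VLAN.
    Returns the VLAN the frame is delivered into on sw2, or None if it was dropped."""
    base = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01", ETHERTYPE_IPV4, payload)
    crafted = tag_frame(tag_frame(base, victim_vid), attacker_port["vlan"])
    hop1 = classify_ingress(crafted, attacker_port)
    if hop1 is None:
        return None
    vid1, frame1 = hop1                      # outer tag gone, inner tag still inside
    hop2 = classify_ingress(trunk_egress(vid1, frame1, sw1_trunk), sw2_trunk)
    return None if hop2 is None else hop2[0]


# Weak: the attacker sits in VLAN 1, which is also the untagged native VLAN of the trunk.
WEAK_ACCESS = {"mode": "access", "vlan": 1}
WEAK_TRUNK = {"mode": "trunk", "native": 1, "tag_native": False}
# Hardened as the table advises: an unused native VLAN and native frames tagged on the trunk.
HARD_ACCESS = {"mode": "access", "vlan": 1}
HARD_TRUNK = {"mode": "trunk", "native": 999, "tag_native": True}
SAMPLE = build_frame(b"\x00" * 6, b"\x01" * 6, ETHERTYPE_IPV4, b"payload")  # constructed input

if __name__ == "__main__":
    print("parsed tag:", parse_tag(tag_frame(SAMPLE, 10, pcp=5)))
    print("weak trunk, frame delivered into VLAN:", double_tagging(WEAK_ACCESS, WEAK_TRUNK, WEAK_TRUNK, 20))
    print("hard trunk, frame delivered into VLAN:", double_tagging(HARD_ACCESS, HARD_TRUNK, HARD_TRUNK, 20))
```

The model deliberately mirrors the two behaviours the attack depends on: an access port accepts a tag equal to its own VLAN, and an untagged frame arriving on a trunk is classified into the native VLAN. Either defence alone (an unused native VLAN, or tagging the native VLAN) breaks the hop in this model; apply both so that a later change to one does not silently reopen it.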
A VLAN is a convenient logical separation, but it can be broken by misconfiguration or L2 attacks. Boundaries that need truly strong separation (e.g., DMZ vs internal, OT vs IT) should not rely on VLANs alone — combine physical separation and firewalls. Use the advantage of having a router between VLANs to permit only the necessary traffic with ACLs.
In a zero-trust mindset, slicing the network finely with VLANs and permitting only least-privilege traffic between them (a step toward microsegmentation) is key to limiting the blast radius of a breach. L2 attacks such as [[arp]] spoofing only reach the broadcast domain they start in, so the smaller each VLAN, the smaller the damage they can do.
Summary — five things to remember #
- A VLAN logically splits one switch; each VLAN is isolated from the others as a separate network (an L2 technology).
- Ports come in two kinds: access (one VLAN, untagged) and trunk (multiple VLANs, 802.1Q tagged).
- 802.1Q inserts 4 bytes into the Ethernet frame, carrying a 12-bit VLAN ID (1–4094).
- A different VLAN is a different subnet. Talking between them requires a router / L3 switch (router on a stick / SVI).
- Beware VLAN hopping. Strong boundaries shouldn't rely on VLANs alone — combine firewalls and physical separation.