VLAN & 802.1Q Trunking
The foundational L2 segmentation mechanism. One physical switch, many logical broadcast domains.
Why VLANs exist
A switch without VLANs has one broadcast domain. Every broadcast (ARP, DHCP Discover, NetBIOS) floods every port. Problems:
- Scale — broadcast traffic grows with host count
- Security — everyone sees everyone else’s ARP and DHCP
- Administrative — no logical grouping of related hosts
A VLAN (Virtual LAN) is a switch-enforced boundary that says: these ports belong to broadcast domain X; these other ports belong to Y; they cannot talk without crossing L3.
Access port vs trunk port
| | Access port | Trunk port |
|---|---|---|
| VLANs carried | One | Many |
| Frames | Untagged | Tagged (802.1Q) |
| Used for | End hosts | Inter-switch links, hypervisors, APs |
| PVID | The access VLAN | The native VLAN (untagged on trunk) |
802.1Q tag — how it works
A 4-byte tag inserted between the source MAC and the EtherType:

```
[ Dst MAC | Src MAC | 802.1Q tag (4B) | EtherType | Payload | FCS ]
                     └── TPID=0x8100 | PCP(3) | DEI(1) | VID(12)
```
- TPID (2 bytes) — 0x8100 identifies the frame as 802.1Q-tagged
- PCP (3 bits) — Priority Code Point → maps to CoS / QoS
- DEI (1 bit) — Drop Eligible Indicator (formerly CFI)
- VID (12 bits) — VLAN ID, range 1–4094 (0 and 4095 reserved)
12 bits = 4096 VLANs, of which 4094 are usable. This limit is why VXLAN exists.
The native VLAN pitfall
Frames in the native VLAN are sent untagged across a trunk. Consequences:
- If both ends don’t agree on the native VLAN, traffic silently crosses broadcast domains → VLAN hopping
- An attacker can inject frames into a VLAN by “double tagging” (outer tag = native, inner tag = target). The first switch strips the outer, the second forwards the inner.
Hardening:
- Set the native VLAN to an unused VLAN (e.g., 999) and prune it from trunks
- Use `vlan dot1q tag native` to force tagging even on the native VLAN
- Never trunk toward end hosts
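The tag layout above and the native-VLAN pitfall can both be exercised with a small parser. The following is an added example (not code from the original page): it decodes every 802.1Q tag in a raw Ethernet frame and then classifies what arrived on a port the way a capture-analysis or IDS check would, flagging nested tags, tagged frames on access ports, explicit native-VLAN tags on trunks that send native untagged, and VIDs outside the trunk allowed list. The frames and the `build_frame` helper are constructed for the demo; only the TPID and TCI layout come from the spec.

```python
"""Parse 802.1Q tags and flag frames a port should not be accepting.

Added example, not from the original page. Frame bytes are constructed
inline; TPID 0x8100 and the TCI layout (PCP 3 bits, DEI 1 bit, VID 12
bits) follow the 802.1Q tag format described above.
"""
import struct

TPID_8021Q = 0x8100
MAC_HDR_LEN = 12  # dst MAC (6) + src MAC (6)


def parse_tags(frame: bytes):
    """Return (tags, ethertype, payload) for a raw Ethernet frame.

    tags lists every 802.1Q tag, outermost first, as dicts with
    pcp/dei/vid. Each loop pass consumes one tag, which mirrors the
    per-hop stripping that double tagging relies on.
    """
    offset = MAC_HDR_LEN
    tags = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame: no EtherType")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype != TPID_8021Q:
            return tags, ethertype, frame[offset + 2:]
        if offset + 4 > len(frame):
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4


def build_frame(vids, payload=b"", ethertype=0x0800, pcp=0):
    """Build a test frame with zero or more tags, outermost first (constructed data)."""
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("021122334455")
    for vid in vids:
        if not 1 <= vid <= 4094:
            raise ValueError("VID must be 1..4094")
        hdr += struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return hdr + struct.pack("!H", ethertype) + payload


def check_ingress(frame, *, port_mode, native_vid=None, allowed=None, tag_native=False):
    """Return findings for a frame arriving on a port; an empty list means clean.

    port_mode is "access" or "trunk"; tag_native says whether the trunk
    runs with `vlan dot1q tag native`. This classifies captured frames,
    it does not make a forwarding decision.
    """
    tags, _, _ = parse_tags(frame)
    findings = []
    if len(tags) > 1:
        findings.append("nested 802.1Q tags: double-tagging attempt")
    if port_mode == "access":
        if tags:
            findings.append("tagged frame on access port")
    elif port_mode == "trunk":
        if tags and tags[0]["vid"] == native_vid and not tag_native:
            findings.append(f"explicit tag for native VLAN {native_vid} on a trunk that sends native untagged")
        if not tags and tag_native:
            findings.append("untagged frame on a trunk configured to tag the native VLAN")
        if tags and allowed is not None and tags[0]["vid"] not in allowed:
            findings.append(f"VID {tags[0]['vid']} not in trunk allowed list")
    else:
        raise ValueError("port_mode must be 'access' or 'trunk'")
    return findings


if __name__ == "__main__":
    sample = build_frame([1, 20], payload=b"ARP?")  # constructed nested-tag frame
    print(parse_tags(sample)[0])
    print(check_ingress(sample, port_mode="trunk", native_vid=1, allowed={1, 20}))
```

With `tag_native=True` the outer-equals-native finding disappears, which is exactly why the hardening list recommends it: once the native VLAN is tagged on both ends, a frame carrying the native VID is no longer special, and the nested-tag finding still fires on its own.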
Private VLANs (PVLAN, RFC not applicable — vendor feature of 802.1Q)
Sub-divide a VLAN further at L2:
| Port type | Can talk to |
|---|---|
| Promiscuous | Everything |
| Community | Same community + promiscuous |
| Isolated | Promiscuous only |
Use case: hotel networks, DMZ segments, multi-tenant without a router between tenants.
VLAN vs VXLAN
| | VLAN (802.1Q) | VXLAN (RFC 7348) |
|---|---|---|
| Scope | Single L2 domain (one switch or stretched L2) | Any-to-any over L3 |
| Namespace | 12 bits → 4094 | 24 bits → 16M |
| Encapsulation | L2 tag | L2-in-UDP (port 4789) |
| Encap overhead | 4 B | ~50 B |
| Typical use | Campus, access | Data center fabric, cloud overlays, Kubernetes CNI |
VXLAN is not a VLAN replacement — it carries VLANs across L3 boundaries. VLANs still exist at the edges.
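To make the namespace and overhead rows of the table concrete, here is an added example (not code from the original page) that encodes and decodes the 8-byte VXLAN header from RFC 7348 and computes the per-frame overhead from the outer header sizes. The header layout, the I flag and UDP port 4789 are from the RFC; the sample VNI, the `required_underlay_mtu` helper and the IPv6 variant are assumptions added for illustration.

```python
"""VXLAN header (RFC 7348) encode/decode and the overhead it adds.

Added example, not from the original page. Header layout and UDP port
4789 follow RFC 7348; the sample VNI is constructed.
"""
import struct

VXLAN_UDP_PORT = 4789
VXLAN_FLAG_I = 0x08          # "VNI valid" flag; must be set on every packet
VNI_MAX = (1 << 24) - 1      # 24-bit namespace, the "16M" in the table

# Outer headers added when a tenant L2 frame is carried over IPv4/UDP.
OUTER_ETH, OUTER_IPV4, OUTER_IPV6, OUTER_UDP, VXLAN_HDR = 14, 20, 40, 8, 8


def encode_vxlan(vni: int) -> bytes:
    """Return the 8-byte header: flags, 3 reserved bytes, 3-byte VNI, 1 reserved byte."""
    if not 0 <= vni <= VNI_MAX:
        raise ValueError("VNI must fit in 24 bits")
    # VNI occupies the top 24 bits of the last 32-bit word; low byte is reserved.
    return struct.pack("!B3sI", VXLAN_FLAG_I, b"\x00" * 3, vni << 8)


def decode_vxlan(hdr: bytes) -> int:
    """Return the VNI, rejecting headers whose I flag is clear."""
    if len(hdr) < VXLAN_HDR:
        raise ValueError("short VXLAN header")
    flags, _, vni_word = struct.unpack("!B3sI", hdr[:VXLAN_HDR])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("I flag clear: VNI not valid, drop per RFC 7348")
    return vni_word >> 8


def encapsulate(inner_frame: bytes, vni: int) -> bytes:
    """VXLAN header + untouched tenant Ethernet frame (outer IP/UDP left to the VTEP)."""
    return encode_vxlan(vni) + inner_frame


def overhead_bytes(ipv6: bool = False) -> int:
    """Bytes added to each tenant frame; the table's '~50 B' is the IPv4 case."""
    return OUTER_ETH + (OUTER_IPV6 if ipv6 else OUTER_IPV4) + OUTER_UDP + VXLAN_HDR


def required_underlay_mtu(tenant_mtu: int = 1500, ipv6: bool = False) -> int:
    """Underlay MTU needed so a full-size tenant frame is not fragmented (assumed helper)."""
    return tenant_mtu + overhead_bytes(ipv6)


if __name__ == "__main__":
    hdr = encode_vxlan(0x00ABCD)  # constructed VNI
    print(hdr.hex(), decode_vxlan(hdr), overhead_bytes(), required_underlay_mtu())
```

The MTU helper is the practical consequence of the overhead row: a 1500-byte tenant frame needs at least a 1550-byte underlay MTU over IPv4, which is why VXLAN fabrics run jumbo frames on the underlay.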
Common troubleshooting
- “Host can’t reach default gateway” — first suspect: access VLAN mismatch or trunk allowed-list missing the VLAN
- “Works locally, fails across the trunk” — VLAN not allowed on the trunk, or native VLAN mismatch logged as STP BPDU warning
- Broadcast storms — usually STP issue, but VLAN configuration (looped VLANs, rogue trunk) is the trigger
- Voice VLAN + data VLAN on one access port — CDP/LLDP negotiates the voice VLAN; the IP phone trunks to the PC port internally
Relationship to other concepts
- 802.1X (Dot1x, 802.1x method explain) — the RADIUS server can return an attribute that dynamically assigns a port to a VLAN → combine identity with segmentation
- Layer 3 switching — VLANs terminate at an SVI (switched virtual interface); that’s where L2 becomes L3
- Segmentation — VLANs are the primitive; firewalls/ACLs between VLANs are the policy
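The 802.1X bullet above says the RADIUS server "can return an attribute" that assigns the VLAN; in practice it is three attributes that must agree. The following is an added example (not code from the original page or from any NAC product) that encodes them as the server would and parses them as the switch would, refusing the assignment when the set is incomplete. Attribute numbers and values are from RFC 2868 (Tunnel-Type 64, Tunnel-Medium-Type 65, Tunnel-Private-Group-ID 81) and RFC 3580 (Tunnel-Type VLAN = 13, Tunnel-Medium-Type IEEE-802 = 6); the VLAN values and tag byte are constructed.

```python
"""Encode and parse the RADIUS attributes that assign a VLAN after 802.1X.

Added example, not from the original page. Attribute codes follow RFC 2868
and RFC 3580; VLAN IDs/names and the tunnel tag used below are constructed.
"""
import struct

TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13           # RFC 3580 section 3.31
TUNNEL_MEDIUM_IEEE802 = 6       # RFC 3580 section 3.32


def _avp(attr_type: int, value: bytes) -> bytes:
    """RADIUS AVP: one-byte type, one-byte length (incl. header), value."""
    if len(value) > 253:
        raise ValueError("AVP value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def vlan_assignment_avps(vlan, tag: int = 1) -> bytes:
    """Server side: the three AVPs for one VLAN; vlan is a VID or VLAN name."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tunnel tag must be 0..31")
    group = str(vlan).encode()
    return (
        _avp(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
        + _avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
        + _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + group)
    )


def parse_avps(data: bytes):
    """Walk a RADIUS attribute list into [(type, value_bytes), ...]."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated AVP header")
        t, ln = data[i], data[i + 1]
        if ln < 2 or i + ln > len(data):
            raise ValueError("bad AVP length")
        out.append((t, data[i + 2:i + ln]))
        i += ln
    return out


def assigned_vlan(avps):
    """Switch side: the VLAN to apply, or None to fall back to the static/guest VLAN.

    All three attributes must share a tag, name a VLAN tunnel over an
    802 medium, and carry a group id; anything less is ignored.
    """
    by_tag = {}
    for t, v in avps:
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(v) != 4:
                return None
            by_tag.setdefault(v[0], {})[t] = int.from_bytes(v[1:], "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID and v:
            # RFC 2868: a first byte above 0x1F is data, not a tag.
            tag, group = (v[0], v[1:]) if v[0] <= 0x1F else (0, v)
            by_tag.setdefault(tag, {})[t] = group.decode(errors="replace")
    for attrs in by_tag.values():
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE802
                and TUNNEL_PRIVATE_GROUP_ID in attrs):
            return attrs[TUNNEL_PRIVATE_GROUP_ID]
    return None


if __name__ == "__main__":
    reply = vlan_assignment_avps(20)  # constructed: put the port in VLAN 20
    print(reply.hex(), assigned_vlan(parse_avps(reply)))
```

The strict three-attribute check is the defensive point: a switch that acted on a bare Tunnel-Private-Group-ID would let a partially configured or misbehaving server move ports between segments, so the assignment is only honoured when the full RFC 3580 set is present and consistent.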
See also
- Dot1x, 802.1x method explain
- PacketFence vs OpenNAC — dynamic VLAN assignment via NAC
- Segmentation
- L2