VLANs (Virtual Local Area Networks) logically segment a physical network at Layer 2, creating separate broadcast domains without requiring separate physical infrastructure.
Why Use VLANs?
- Security isolation - Separate sensitive traffic (e.g., management, IoT, guest)
- Reduced broadcast traffic - Smaller broadcast domains improve performance
- Logical organisation - Group devices by function rather than location
- Cost efficiency - One switch can serve multiple logical networks
Key Concepts
VLAN ID
- 12-bit identifier: 0 and 4095 are reserved, leaving 1-4094 usable
- VLAN 1 is the default on most switches (avoid using it, for security)
- VLANs 1002-1005 are reserved for legacy protocols
Port Types
| Type | Description | Use Case |
|---|---|---|
| Access port | Carries single VLAN, untagged | End devices (PCs, printers) |
| Trunk port | Carries multiple VLANs, tagged | Switch-to-switch, switch-to-router |
| Native VLAN | Untagged VLAN on trunk | Management, compatibility |
802.1Q Tagging
The IEEE 802.1Q standard adds a 4-byte tag to Ethernet frames on trunk ports:
- TPID (Tag Protocol Identifier): 0x8100
- PCP (Priority Code Point): QoS priority
- DEI (Drop Eligible Indicator): Discard eligibility
- VID (VLAN Identifier): 12-bit VLAN ID
Access ports strip tags before forwarding to end devices.
Inter-VLAN Routing
Devices on different VLANs cannot communicate directly - they need a Layer 3 device.
Router-on-a-Stick
Single router interface with subinterfaces for each VLAN. Each subinterface is assigned to a VLAN and given an IP address to serve as the default gateway.
Layer 3 Switch (SVI)
Switch Virtual Interfaces handle routing internally. More efficient than router-on-a-stick as traffic doesn’t leave the switch.
Common VLAN Design
| VLAN | Purpose | Example Subnet |
|---|---|---|
| 10 | Management | 10.0.10.0/24 |
| 20 | Servers | 10.0.20.0/24 |
| 30 | Workstations | 10.0.30.0/24 |
| 40 | VoIP | 10.0.40.0/24 |
| 50 | IoT/Guest | 10.0.50.0/24 |
| 99 | Native (trunk) | - |
Best Practices
- Never use VLAN 1 for user traffic
- Use dedicated management VLAN
- Document VLAN assignments
- Keep native VLAN consistent across trunks
- Consider private VLANs for additional isolation
- Use VLAN pruning to limit trunk traffic
Security Considerations
- VLAN hopping - Attacker jumps between VLANs via double-tagging or switch spoofing
- Mitigations:
  - Disable DTP (Dynamic Trunking Protocol)
  - Set unused ports to access mode
  - Use a dedicated native VLAN (not VLAN 1)
  - Enable BPDU guard and port security
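The following is an added example, not code from the original page: it decodes the 4-byte 802.1Q tag described in the tagging section (TPID, PCP, DEI, VID) and, for the double-tagging vector listed under Security Considerations, classifies a frame seen on a trunk so that stacked tags whose outer VID is the native VLAN can be flagged for alerting. It goes slightly beyond the page by also walking 802.1ad (0x88A8) service tags; the frame builder, the constructed sample frames and the native VLAN 99 from the design table are assumptions for illustration.

```python
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100   # customer tag, the TPID value given on the page
TPID_8021AD = 0x88A8  # 802.1ad service tag used when tags are stacked (QinQ)

@dataclass
class VlanTag:
    tpid: int
    pcp: int   # 3-bit Priority Code Point
    dei: bool  # 1-bit Drop Eligible Indicator
    vid: int   # 12-bit VLAN Identifier

def parse_vlan_tags(frame: bytes):
    """Return (tags, ethertype, payload); walks every stacked tag after the MACs."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    offset, tags = 12, []  # skip the 6-byte destination and source MAC
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (TPID_8021Q, TPID_8021AD) or len(frame) < offset + 6:
            break  # not a tag (or frame truncated mid-tag): this is the real EtherType
        (tci,) = struct.unpack_from("!H", frame, offset + 2)  # Tag Control Information
        tags.append(VlanTag(ethertype, tci >> 13, bool((tci >> 12) & 1), tci & 0x0FFF))
        offset += 4
    return tags, ethertype, frame[offset + 2:]

def build_tagged_frame(vids, pcp=0, payload=b"\x45" + b"\x00" * 19):
    """Constructed sample (hypothetical): broadcast IPv4 frame with 0..n 802.1Q tags."""
    frame = bytes.fromhex("ffffffffffff" "020000000001")  # dst MAC, locally administered src
    for vid in vids:
        frame += struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF))
    return frame + struct.pack("!H", 0x0800) + payload

def classify_frame(frame: bytes, native_vid: int) -> str:
    """Defender's view of a frame seen on a trunk: stacked tags whose outer VID is the
    native VLAN are the shape double-tagging relies on, so they get their own label."""
    tags, _, _ = parse_vlan_tags(frame)
    if not tags:
        return "untagged"  # a trunk places this in its native VLAN
    if len(tags) >= 2 and tags[0].vid == native_vid:
        return "double-tagged-native"
    if len(tags) >= 2:
        return "double-tagged"
    return "tagged"
```

Feed `classify_frame` frames captured on a trunk port with the trunk's configured native VLAN; any "double-tagged-native" result on a port that should never carry stacked tags is worth an alert.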