networking segmentation

VLAN (VLAN)

vlan network-segmentation switching 802.1q
Plain English

A VLAN is like dividing one big open-plan office into separate rooms using invisible walls. Devices on the same VLAN can talk to each other freely, but devices on different VLANs cannot communicate without going through a router first. This lets you separate guest Wi-Fi from your internal network using the same physical switch, keeping traffic isolated for security and performance.

Technical Definition

A Virtual Local Area Network (VLAN) is a Layer 2 broadcast domain created by a managed switch. VLANs logically partition a single physical switch into multiple isolated networks, each with its own broadcast domain. Defined by IEEE 802.1Q, VLAN tagging inserts a 4-byte field into the Ethernet frame header containing a 12-bit VLAN ID (VID), supporting up to 4,094 VLANs (IDs 1-4094; 0 and 4095 are reserved).

Port types:

  • Access port: carries traffic for a single VLAN; the switch strips the VLAN tag before forwarding to the connected device (device is unaware of VLANs)
  • Trunk port: carries tagged traffic for multiple VLANs simultaneously; uses 802.1Q tagging so the receiving switch knows which VLAN each frame belongs to
  • Native VLAN: the VLAN assigned to untagged frames on a trunk port (default is VLAN 1; best practice is to change it)

Inter-VLAN routing requires a Layer 3 device (router or L3 switch). Common approaches:

  • Router-on-a-stick: a single router interface with 802.1Q subinterfaces, one per VLAN
  • Layer 3 switch: performs routing between VLANs internally using SVIs (Switch Virtual Interfaces)

VLANs improve security by isolating broadcast traffic, reducing the attack surface, and enabling granular firewall rules between segments. They also improve performance by limiting broadcast storm propagation.

Managed Switch802.1Q VLAN Tagging24 ports, 1 physical deviceVLAN 10Engineering10.10.10.0/24Ports 1-8VLAN 20Guest Wi-Fi10.20.20.0/24Ports 9-16VLAN 30Management10.30.30.0/24Ports 17-20RouterInter-VLAN routingTrunkVLANs isolate broadcast domains on one physical switch

Cisco IOS VLAN configuration 

! Create VLANs
Switch(config)# vlan 10
Switch(config-vlan)# name Engineering
Switch(config)# vlan 20
Switch(config-vlan)# name Guest-WiFi
Switch(config)# vlan 30
Switch(config-vlan)# name Management

! Assign access ports
Switch(config)# interface range GigabitEthernet0/1-8
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 10

! Configure trunk port to router
Switch(config)# interface GigabitEthernet0/24
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk allowed vlan 10,20,30

! Verify
Switch# show vlan brief
VLAN  Name              Status    Ports
----  ----------------  --------  -------------------------
10    Engineering       active    Gi0/1-8
20    Guest-WiFi        active    Gi0/9-16
30    Management        active    Gi0/17-20
In the Wild

VLANs are foundational to every enterprise network. A typical office has separate VLANs for corporate workstations, guest Wi-Fi, VoIP phones, printers, security cameras, and management interfaces. In data centers, VLANs isolate different application tiers and customer tenants. Homelab builders use VLANs to segment IoT devices from trusted networks (a compromised smart bulb should not be able to reach your NAS). UniFi, MikroTik, and managed switches from any vendor support 802.1Q VLANs. The most common VLAN mistake is leaving all ports on the default VLAN 1 with no segmentation, which means a single compromised device can see all broadcast traffic on the network.

← Back to Dictionary