VLANs and trunking — splitting one switch into many


A switch defaults to one broadcast domain across every port. VLANs (Virtual LANs) let you carve that one switch into multiple logically separate broadcast domains. Ports in VLAN 10 cannot reach ports in VLAN 20 at Layer 2 — they need a router to talk. VLANs are the single biggest improvement to L2 networks of the past 30 years.

Why VLAN?

  • Security. Finance hosts shouldn't share a broadcast domain with the guest Wi-Fi.
  • Broadcast control. Smaller broadcast domain = less ARP / DHCP chatter on every NIC.
  • Logical grouping. "All printers" / "all voice phones" without rewiring the physical plant.
  • Multi-tenant isolation. Multiple customers on the same switch, fully separated.

Access vs trunk ports

| Port type | Carries | VLAN tagging | Used for |
|---|---|---|---|
| Access | Exactly one VLAN | None — frames are plain Ethernet | End hosts (PC, AP, printer) |
| Trunk | Many VLANs | 802.1Q tags on each frame | Inter-switch links, router-on-a-stick uplinks |

A host plugged into an access port has no idea VLANs exist. The switch puts incoming untagged frames into the access VLAN and strips any tag before sending out.

A trunk port has 802.1Q-tagged frames flowing both ways, each tag identifying the VLAN.

802.1Q tag format

The 4-byte tag inserted between source MAC and EtherType:

+-----------+------+------+------------+------+----------+
| Eth DST   | SRC  | TPID | PCP|DEI|VID| Type | Payload  |
| 6 B       | 6 B  | 2 B  | 2 B        | 2 B  |          |
|           |      |0x8100|3+1+12 bits |      |          |
+-----------+------+------+------------+------+----------+

| Field | Bits | What |
|---|---|---|
| TPID | 16 | Always 0x8100 — flags "VLAN tag follows" |
| PCP (Priority Code Point) | 3 | 802.1p priority 0–7 (used by QoS at L2) |
| DEI (Drop Eligible Indicator) | 1 | "OK to drop me first under congestion" |
| VID (VLAN ID) | 12 | The VLAN number, 0–4095 (1 and 4095 reserved → usable 2–4094) |
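The tag layout above, as an added Python example that is not code from the original page: `build_tag` packs TPID, PCP, DEI and VID into the 4 bytes, `parse_frame` walks the header consuming every tag that sits in front of the real EtherType, and `classify` labels a frame as untagged, single-tagged or double-tagged. That last check is what a defender wants to see at an access port, because a host behind an access port normally sends untagged frames and two stacked tags are the pattern the native VLAN section below describes. The MAC addresses and the zero-filled ARP-sized payload are constructed sample values, and the 802.1ad TPID 0x88A8 (used for the outer tag of Q-in-Q frames) is an addition not mentioned on the page.

```python
import struct

TPID_8021Q = 0x8100   # "VLAN tag follows", as in the table above
TPID_8021AD = 0x88A8  # 802.1ad service tag (outer tag of Q-in-Q); added here, not on the page
ETHERTYPE_ARP = 0x0806

# Constructed sample addresses (not captured traffic)
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("0200c0ffee01")


def build_tag(vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Pack one 4-byte 802.1Q tag: TPID (16 bits) + TCI = PCP (3) | DEI (1) | VID (12)."""
    if not 0 <= vid <= 4095:
        raise ValueError("VID must fit in 12 bits (0-4095)")
    if not 0 <= pcp <= 7:
        raise ValueError("PCP must fit in 3 bits (0-7)")
    if dei not in (0, 1):
        raise ValueError("DEI is a single bit")
    tci = (pcp << 13) | (dei << 12) | vid
    return struct.pack("!HH", TPID_8021Q, tci)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes, tags=()) -> bytes:
    """Ethernet frame with zero or more tags inserted between SRC MAC and EtherType.
    tags is an iterable of (vid, pcp, dei) tuples, outermost tag first."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses are 6 bytes")
    frame = dst + src
    for vid, pcp, dei in tags:
        frame += build_tag(vid, pcp, dei)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """After the two MACs, keep consuming 4-byte tags while the next 16 bits are a
    tag TPID, then read the real EtherType and return everything as a dict."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    dst, src = frame[:6], frame[6:12]
    off, tags = 12, []
    while off + 4 <= len(frame):
        (tpid,) = struct.unpack_from("!H", frame, off)
        if tpid not in (TPID_8021Q, TPID_8021AD):
            break
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append({"tpid": tpid, "pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        off += 4
    if off + 2 > len(frame):
        raise ValueError("frame truncated after VLAN tag(s)")
    (ethertype,) = struct.unpack_from("!H", frame, off)
    return {"dst": dst, "src": src, "tags": tags, "ethertype": ethertype, "payload": frame[off + 2:]}


def classify(frame: bytes) -> str:
    """Defender's view of a frame arriving on an access port: untagged is the normal case,
    one tag is unexpected, two or more tags is the double-tagging pattern worth alerting on."""
    n = len(parse_frame(frame)["tags"])
    if n == 0:
        return "untagged"
    if n == 1:
        return "single-tagged"
    return "double-tagged"


def demo() -> dict:
    """Build three constructed frames and classify each one."""
    payload = b"\x00" * 28  # constructed, zero-filled, ARP-sized payload
    frames = {
        "plain": build_frame(DST, SRC, ETHERTYPE_ARP, payload),
        "tagged": build_frame(DST, SRC, ETHERTYPE_ARP, payload, tags=[(10, 5, 0)]),
        "stacked": build_frame(DST, SRC, ETHERTYPE_ARP, payload, tags=[(1, 0, 0), (20, 0, 0)]),
    }
    return {name: classify(f) for name, f in frames.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

`parse_frame` deliberately loops rather than reading one tag, so a frame that carries a 0x88A8 outer tag followed by a 0x8100 inner tag is reported with both tags instead of being mistaken for an unknown EtherType.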

Native VLAN — the foot-gun

A trunk has a designated native VLAN whose traffic is sent untagged. The receiving switch puts untagged frames it receives on the trunk into its own native VLAN. Two switches must agree on which VLAN is native or you get unexpected behavior:

  • VLAN hopping attack: attacker on access port in VLAN 5 sends a double-tagged frame; first tag matches native, switch strips it, second tag (a different VLAN) gets honored — instant unauthorized access to that VLAN.
  • Misconfigured native causes traffic to silently leak to the wrong VLAN.

Defenses:

  • Set the native VLAN to an unused, deliberately-not-default value.
  • Configure switchport trunk native vlan tag (Cisco) so even native traffic gets a tag.
  • Don't carry the native VLAN on the trunk's allowed list.

Voice VLAN

A special trick for IP phones: the access port has a regular access VLAN for the PC plugged into the phone's pass-through port, and a separate voice VLAN for the phone itself, which the switch advertises to the phone via CDP/LLDP. The phone tags its own traffic; the PC's traffic is untagged. From one cable you get two logical VLANs.

VLAN configuration — Cisco IOS

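An added example, not the page's own configuration: a constructed Cisco IOS running-config for a hypothetical switch (one access port with a data and a voice VLAN as in the voice VLAN section, one trunk left at defaults, one trunk hardened per the native VLAN defenses above), plus a small Python audit that reads such a config and reports each trunk that still has the native VLAN foot-gun: native VLAN left at 1, no allowed-VLAN list, native VLAN carried on the allowed list, or native traffic sent untagged. The global command `vlan dot1q tag native` is a real IOS command for tagging native-VLAN traffic, but its availability is platform-dependent, so treat its use here as an assumption; the audit also accepts the per-interface `switchport trunk native vlan tag` form the page names.

```python
import re

# Constructed sample running-config for a hypothetical switch (not a real device)
SAMPLE_CONFIG = """\
vlan 10
 name USERS
vlan 20
 name FINANCE
vlan 150
 name VOICE
vlan 999
 name NATIVE-UNUSED
!
interface GigabitEthernet1/0/1
 description User PC behind an IP phone
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 150
!
interface GigabitEthernet1/0/23
 description Old uplink, left at defaults
 switchport mode trunk
!
interface GigabitEthernet1/0/24
 description Uplink to core, hardened per the native VLAN section
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,150
!
vlan dot1q tag native
"""


def parse_interfaces(config: str):
    """Split an IOS-style config into {interface_name: [sub-commands]} plus global lines."""
    interfaces, global_lines, current = {}, [], None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" "):
            if current is not None:
                interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return interfaces, global_lines


def expand_vlan_list(spec: str) -> set:
    """'10,20,100-102' -> {10, 20, 100, 101, 102}; 'all' -> Cisco's default 1-4094 range.
    Assumption: only plain lists/ranges are handled (no add/remove/except forms)."""
    spec = spec.strip()
    if spec == "all":
        return set(range(1, 4095))
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def audit_trunks(config: str) -> dict:
    """Return {trunk_interface: [findings]}; an empty list means the trunk passes every check."""
    interfaces, global_lines = parse_interfaces(config)
    tagged_globally = "vlan dot1q tag native" in global_lines
    report = {}
    for name, lines in interfaces.items():
        if "switchport mode trunk" not in lines:
            continue
        native, allowed, tagged = 1, None, tagged_globally  # IOS defaults: native 1, all VLANs
        for cmd in lines:
            m = re.fullmatch(r"switchport trunk native vlan (\d+)", cmd)
            if m:
                native = int(m.group(1))
            m = re.fullmatch(r"switchport trunk allowed vlan ([\d,\-]+|all)", cmd)
            if m:
                allowed = expand_vlan_list(m.group(1))
            if cmd == "switchport trunk native vlan tag":
                tagged = True
        findings = []
        if native == 1:
            findings.append("native VLAN is the default (1)")
        if allowed is None:
            findings.append("no allowed-VLAN list: every VLAN is carried")
        if native in (allowed if allowed is not None else range(1, 4095)):
            findings.append(f"native VLAN {native} is on the allowed list")
        if not tagged:
            findings.append("native VLAN traffic is sent untagged")
        report[name] = findings
    return report


def audit_access_ports(config: str) -> dict:
    """Return {access_interface: {'access': vid, 'voice': vid or None}}."""
    interfaces, _ = parse_interfaces(config)
    out = {}
    for name, lines in interfaces.items():
        if "switchport mode access" not in lines:
            continue
        entry = {"access": 1, "voice": None}  # IOS default access VLAN is 1
        for cmd in lines:
            m = re.fullmatch(r"switchport access vlan (\d+)", cmd)
            if m:
                entry["access"] = int(m.group(1))
            m = re.fullmatch(r"switchport voice vlan (\d+)", cmd)
            if m:
                entry["voice"] = int(m.group(1))
        out[name] = entry
    return out


if __name__ == "__main__":
    for port, findings in audit_trunks(SAMPLE_CONFIG).items():
        print(port, "OK" if not findings else "; ".join(findings))
    print(audit_access_ports(SAMPLE_CONFIG))
```

Run against the sample, the hardened uplink (Gi1/0/24) produces no findings, while the default-configured trunk (Gi1/0/23) is flagged for native VLAN 1, an unrestricted allowed list, and native VLAN 1 being carried on that list; the same script can be pointed at a real `show running-config` dump as long as it sticks to the command forms the regexes expect.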

VLAN ranges (Cisco-isms)

  • 1–1005 — "normal range" VLANs, stored in vlan.dat.
  • 1006–4094 — "extended range," stored in running-config. Required for any deployment beyond a small enterprise.
  • 1, 1002–1005 — reserved (1 default, others for legacy FDDI/Token Ring).

What to remember

  • VLANs split one switch into many broadcast domains.
  • Access = one VLAN, untagged. Trunk = many VLANs, 802.1Q tagged.
  • Native VLAN carries the untagged traffic on a trunk. Match both ends; consider tagging it explicitly.
  • A frame on a trunk has a 4-byte tag inserted between SRC MAC and EtherType.
  • Hosts in one VLAN need a router (or L3 switch) to reach hosts in another.