
VLANs - Primer

Why This Matters

VLANs are the fundamental mechanism for segmenting a physical network into isolated broadcast domains. Every datacenter, office network, and cloud VPC concept traces back to VLAN logic. When a host cannot reach another host on the "same network," when broadcast storms take down a floor, or when tagged traffic silently vanishes — VLANs are usually involved. Ops engineers encounter VLANs when provisioning servers, configuring container networking, debugging connectivity, and managing firewall zones.

What VLANs Are

A VLAN (Virtual Local Area Network) creates a separate Layer 2 broadcast domain on shared physical switch infrastructure. Without VLANs, every port on a switch is in the same broadcast domain — a broadcast from any host reaches every other host. VLANs partition the switch so that traffic in VLAN 10 never reaches hosts in VLAN 20, even if they are plugged into the same physical switch.

Why Segment

  • Security: isolate sensitive systems (PCI, management, user workstations) at L2
  • Performance: limit broadcast domain size (ARP, DHCP, mDNS floods stay within the VLAN)
  • Organization: group hosts by function (web, database, management) regardless of physical location
  • Compliance: PCI-DSS, HIPAA, and similar frameworks require network segmentation

Remember: The mnemonic SPOC helps recall why VLANs exist: Security (isolation), Performance (smaller broadcast domains), Organization (logical grouping), Compliance (regulatory segmentation). Every VLAN justification maps to one of these four.

Fun fact: VLANs were standardized as IEEE 802.1Q in 1998. Before VLANs, network segmentation required physically separate switches — expensive and inflexible. The 12-bit VLAN ID field allows 4094 VLANs (IDs 1-4094; 0 and 4095 are reserved), which was considered enormous in 1998 but is now a hard limit that pushed the development of VXLAN (which uses a 24-bit ID, supporting 16 million segments).

802.1Q Tagging

IEEE 802.1Q is the standard for VLAN tagging. It inserts a 4-byte tag between the source MAC and the EtherType of an Ethernet frame:

| Dest MAC | Src MAC | 802.1Q Tag (4B) | EtherType | Payload | FCS |
                      |-- TPID (0x8100) --|-- TCI (PCP + DEI + VID) --|
  • TPID: Tag Protocol Identifier, 16 bits. 0x8100 for 802.1Q; a receiver that does not understand it simply sees an unknown EtherType. (802.1ad "QinQ" outer tags use 0x88a8.)
  • PCP: Priority Code Point, 3 bits of QoS marking (the 802.1p priority)
  • DEI: Drop Eligible Indicator, 1 bit (formerly CFI)
  • VID: VLAN Identifier, 12 bits, range 1-4094. 0 means "priority-tagged, no VLAN" (the frame belongs to the port's VLAN); 4095 is reserved.

Tagged frames carry the VLAN ID inside the frame itself. Untagged frames have no 802.1Q header.

Under the hood: The 802.1Q tag adds 4 bytes to the Ethernet frame, increasing the maximum frame size from 1518 bytes to 1522 bytes. This is called a "baby giant" frame. Most modern switches handle this transparently, but older equipment or strict MTU configurations may drop tagged frames that exceed 1518 bytes. If VLAN traffic works on one switch pair but not another, check whether the receiving side supports 1522-byte frames.

Access vs Trunk Ports

Access Ports

  • Connect to end devices (servers, workstations, printers)
  • Carry traffic for exactly one VLAN
  • Frames leave the port untagged; the end device does not need to know about VLANs
  • The switch associates every ingress frame with the port's access VLAN; the 802.1Q tag only appears on the wire if the frame later leaves through a trunk, and it is removed again when the frame exits an access port

Trunk Ports

  • Connect switches to other switches, routers, or VLAN-aware hosts (hypervisors, Linux boxes with VLAN interfaces)
  • Carry traffic for multiple VLANs simultaneously
  • Frames are tagged with their VLAN ID (except the native VLAN, which is sent untagged unless you configure otherwise)
  • Should be explicitly restricted to the VLANs that need to cross; Cisco trunks allow 1-4094 by default, so an unpruned trunk exposes every VLAN to whatever sits on the other end
Switch A                          Switch B
[Access: VLAN 10] ----+    +---- [Access: VLAN 10]
[Access: VLAN 20] ----+----+---- [Access: VLAN 20]
                    Trunk
                  (carries both)

Native VLAN

The native VLAN is the VLAN assigned to untagged traffic on a trunk port. By default, this is VLAN 1 on most switches.

Why It Matters

  • Untagged frames arriving on a trunk are placed into the native VLAN
  • If the native VLAN differs on each end of a trunk, traffic crosses VLAN boundaries unintentionally
  • This is a common misconfiguration and a security risk (VLAN hopping attacks)

Best Practice

  • Change the native VLAN from the default (VLAN 1) to an unused VLAN
  • Ensure native VLAN matches on both ends of every trunk
  • Some environments tag the native VLAN explicitly (vlan dot1q tag native on Cisco)

Gotcha: VLAN hopping attacks exploit native VLAN misconfiguration. In the double-tagging variant the attacker sits on an access port in the trunk's native VLAN and sends a frame with two 802.1Q tags: the outer tag carries the native VLAN ID, so the first switch strips it when forwarding onto the trunk (native traffic goes out untagged), revealing the inner tag for the target VLAN. The second switch reads that inner tag and delivers the frame into the target VLAN. Two caveats: it only works when the attacker's port VLAN equals the trunk's native VLAN, and it is one-way, since hosts in the target VLAN have no path back. The other variant, switch spoofing, has the attacker negotiate a trunk over DTP from a port left in "dynamic" mode and then tag for any VLAN directly. Mitigation: set the native VLAN to an unused VLAN, tag the native VLAN explicitly, prune unused VLANs from trunks, and pin end-device ports with switchport mode access and switchport nonegotiate so DTP cannot turn them into trunks.
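To make the tag layout from the 802.1Q section and the double-tagging hop above concrete, here is an added example (not code from this page) that encodes and decodes 802.1Q tags with Python's struct module, peels stacked tags the way a switch does, and flags the frame shape a double-tagging attempt produces. All frames are constructed in-line; nothing touches a real interface, and the MAC addresses and VLAN numbers are made up for the demonstration.

```python
"""Encode and decode 802.1Q tags, including stacked (double) tags.

Added example for this primer; not code from the page. All frames are
constructed in-line so it runs offline without touching a real interface.
"""
import struct

TPID_8021Q = 0x8100       # customer tag (C-TAG)
TPID_8021AD = 0x88A8      # 802.1ad service tag (S-TAG), the outer tag in QinQ
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def build_tag(vid, pcp=0, dei=0, tpid=TPID_8021Q):
    """One 4-byte tag: 16-bit TPID, then 16-bit TCI laid out as PCP(3) | DEI(1) | VID(12)."""
    if not (0 <= vid <= 4095 and 0 <= pcp <= 7 and dei in (0, 1)):
        raise ValueError("802.1Q field out of range")
    tci = (pcp << 13) | (dei << 12) | vid
    return struct.pack("!HH", tpid, tci)


def build_frame(dst, src, vids, ethertype, payload):
    """Ethernet II frame with zero or more tags; vids[0] is the outermost tag.
    The tag block sits between the source MAC and the real EtherType. FCS omitted."""
    tags = b"".join(build_tag(v) for v in vids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Peel tags until a non-tag EtherType is reached. Returns dst, src, the tag list
    (outermost first), the inner EtherType and the payload."""
    dst, src = frame[0:6], frame[6:12]
    off, tags = 12, []
    while True:
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in (TPID_8021Q, TPID_8021AD):
            break
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append({"tpid": etype, "pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        off += 4
    return {"dst": dst, "src": src, "tags": tags, "ethertype": etype, "payload": frame[off + 2:]}


def strip_outer_tag(frame):
    """What the first switch does to a frame whose outer VID is the trunk's native VLAN:
    the outer tag is removed before forwarding, so the next hop sees only the inner tag."""
    if parse_frame(frame)["tags"]:
        return frame[:12] + frame[16:]
    return frame


def vlan_hopping_suspect(frame, native_vid):
    """Double-tagged frame whose outer tag is the native VLAN: the shape of the hop above."""
    tags = parse_frame(frame)["tags"]
    return len(tags) >= 2 and tags[0]["vid"] == native_vid


# Constructed sample: attacker on the native VLAN (1) double-tags a broadcast for VLAN 20.
ATTACKER_MAC = bytes.fromhex("deadbeef0001")
BROADCAST = b"\xff" * 6
DOUBLE_TAGGED = build_frame(BROADCAST, ATTACKER_MAC, [1, 20], ETHERTYPE_ARP, b"\x00" * 28)
NORMAL = build_frame(BROADCAST, ATTACKER_MAC, [100], ETHERTYPE_IPV4, b"\x00" * 20)

if __name__ == "__main__":
    print([t["vid"] for t in parse_frame(DOUBLE_TAGGED)["tags"]])        # [1, 20]
    print(vlan_hopping_suspect(DOUBLE_TAGGED, native_vid=1))            # True
    after_first_switch = strip_outer_tag(DOUBLE_TAGGED)
    print([t["vid"] for t in parse_frame(after_first_switch)["tags"]])  # [20]
```

The parser accepts both 0x8100 and 0x88a8 as tag markers, which is why it also walks QinQ frames; the hopping check deliberately keys on the outer VID matching the native VLAN rather than on "any double tag", because legitimate QinQ traffic is double-tagged too.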

VLANs on Linux

Linux has full support for 802.1Q VLAN interfaces. A VLAN interface is a virtual interface that tags/untags traffic for a specific VLAN ID on a parent physical interface.

Creating VLAN Interfaces

# Using ip link (transient — lost on reboot)
ip link add link eth0 name eth0.100 type vlan id 100
ip addr add 10.100.0.5/24 dev eth0.100
ip link set eth0.100 up

# Verify
ip -d link show eth0.100
cat /proc/net/vlan/eth0.100

Persistent Configuration

Debian/Ubuntu (/etc/network/interfaces):

auto eth0.100
iface eth0.100 inet static
    address 10.100.0.5/24
    vlan-raw-device eth0

nmcli: nmcli connection add type vlan con-name vlan100 ifname eth0.100 dev eth0 id 100 ipv4.addresses 10.100.0.5/24 ipv4.method manual

RHEL/CentOS (legacy network-scripts): create /etc/sysconfig/network-scripts/ifcfg-eth0.100 with DEVICE=eth0.100, VLAN=yes, ONBOOT=yes, and standard IP settings. ifcfg files are deprecated from RHEL 8 onward; on current releases the nmcli form above is the supported method.

Important Prerequisite

The 8021q kernel module must be loaded. Current kernels autoload it the first time you run ip link add ... type vlan, but on minimal or hardened systems where module autoloading is restricted you may have to load it yourself:

modprobe 8021q
lsmod | grep 8021q

And the physical interface must be connected to a switch port configured as a trunk that allows the VLAN. If the port is in access mode, the switch discards your tagged frames: the VLAN interface comes up, TX counters climb, and RX stays at zero.

Name origin: The term "trunk" in networking comes from telephony, where a trunk line connected two switching offices and carried many calls simultaneously. In Cisco terminology, a trunk port carries multiple VLANs. Confusingly, in IEEE/non-Cisco terminology, the same concept is sometimes called a "tagged port." HP/Aruba switches use "tagged/untagged" instead of "trunk/access", and on HP ProCurve a "trunk" means a link-aggregation group, not a VLAN-carrying port. Know your vendor's vocabulary before you ask someone to "make it a trunk."

Inter-VLAN Routing

Hosts in different VLANs cannot communicate at Layer 2. To route between VLANs, you need a Layer 3 device — a router or a Layer 3 switch.

Router-on-a-Stick

A single router with sub-interfaces (one per VLAN) on a trunk link. The router receives tagged frames, routes between VLANs, and sends responses tagged for the correct VLAN. Works for small environments but the trunk becomes a bottleneck.

Interview tip: "How do hosts on different VLANs communicate?" is a common networking interview question. The answer is always "a Layer 3 device routes between them" — either router-on-a-stick (small scale) or SVIs on an L3 switch (production). Follow up by explaining that VLANs are Layer 2 isolation and inter-VLAN traffic must be routed, never bridged.

Layer 3 Switch (SVI)

Modern datacenter switches route between VLANs in hardware using Switched Virtual Interfaces (SVIs) — an IP address per VLAN on the switch itself. This is the standard production approach.

Common Problems

Trunk Mistag / Wrong Allowed VLANs

Traffic for a VLAN is not reaching the other end of a trunk because the VLAN is not in the trunk's allowed list.

Symptoms: host on VLAN 100 cannot reach hosts on the same VLAN on another switch. Hosts on other VLANs work fine.

Fix: verify the trunk allows the VLAN on both switches, then add it. Mind the add keyword: switchport trunk allowed vlan 100 without add replaces the whole list with just VLAN 100 and cuts off every other VLAN on that trunk.

# Cisco
show interface trunk
switchport trunk allowed vlan add 100

Native VLAN Mismatch

The native VLAN on one end of a trunk differs from the other end.

Symptoms: intermittent connectivity, traffic appearing in the wrong VLAN, CDP/STP warnings about native VLAN mismatch.

Fix: set the native VLAN to match on both ends:

# Cisco
switchport trunk native vlan 999

VLAN Not Created on Switch

The VLAN ID is referenced in port configuration but the VLAN itself was never created in the switch's VLAN database. Cisco IOS auto-creates the VLAN when you type switchport access vlan 100 in VTP server or transparent mode, but not in VTP client mode and not when you merely add the VLAN to a trunk's allowed list; many other vendors never auto-create.

Symptoms: port shows up/up but no traffic passes. VLAN does not appear in show vlan brief.

Fix: create the VLAN:

vlan 100
  name web-servers

Debug clue: When VLAN traffic works on some ports but not others, check show vlan brief on the switch. A surprisingly common mistake is configuring the VLAN on ports but forgetting to create the VLAN in the switch's VLAN database. The port shows up/up but silently drops all traffic because the VLAN does not exist. On Cisco switches, VTP pruning can also remove VLANs from trunks if they are not active on any access port.
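The three switch-side problems above are all "does each end of the trunk agree?" questions, so here is an added example (not from this page) that checks them mechanically. Each switch end is described by a small dict transcribed by hand from show interface trunk and show vlan brief; the two switches, port names and VLAN numbers below are constructed for the demonstration, and the Cisco range syntax parser handles the 1,10,20-30 form those commands print.

```python
"""Cross-check both ends of a trunk for the failure modes above: a VLAN missing from
one side's allowed list, a native VLAN mismatch, and a VLAN referenced on the trunk
but absent from that switch's VLAN database.

Added example for this primer, not code from the page. Each switch is a dict
transcribed from `show interface trunk` / `show vlan brief`; the two below are constructed.
"""


def parse_vlan_list(spec):
    """Expand Cisco allowed-list syntax such as '1,10,20-30,100'; also 'all' and 'none'."""
    spec = spec.strip().lower()
    if spec == "all":
        return set(range(1, 4095))
    if spec in ("", "none"):
        return set()
    vids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not 1 <= lo_i <= hi_i <= 4094:
            raise ValueError(f"invalid VLAN range: {part!r}")
        vids.update(range(lo_i, hi_i + 1))
    return vids


def check_trunk(side_a, side_b, needed):
    """Return (code, message) findings; an empty list means the trunk is consistent
    for every VLAN in `needed` and follows the native-VLAN best practice."""
    findings = []
    if side_a["native"] != side_b["native"]:
        findings.append(("NATIVE_MISMATCH",
                         f"native VLAN {side_a['native']} on {side_a['name']} vs "
                         f"{side_b['native']} on {side_b['name']}"))
    for side in (side_a, side_b):
        allowed = parse_vlan_list(side["allowed"])
        name = side["name"]
        missing = sorted(needed - allowed)
        if missing:
            findings.append(("NOT_ALLOWED", f"{name}: VLANs {missing} not in trunk allowed list"))
        undefined = sorted((needed & allowed) - set(side["vlan_db"]))
        if undefined:
            findings.append(("NOT_DEFINED", f"{name}: VLANs {undefined} allowed but not in VLAN database"))
        if side["native"] == 1:
            findings.append(("DEFAULT_NATIVE", f"{name}: native VLAN is still the default (1)"))
        if side["native"] in needed:
            findings.append(("NATIVE_IN_USE",
                             f"{name}: native VLAN {side['native']} carries user traffic; move it to an unused VLAN"))
        unpruned = sorted(allowed - needed - {side["native"]})
        if unpruned:
            findings.append(("UNPRUNED", f"{name}: VLANs {unpruned} allowed but not needed; prune them"))
    return findings


# Constructed: VLAN 100 was added to switch A's trunk but not B's, and B's native VLAN
# was moved to 999 while A still uses the default.
SWITCH_A = {"name": "switch-a Gi1/0/48", "native": 1, "allowed": "1,10,20,100",
            "vlan_db": {1, 10, 20, 100}}
SWITCH_B = {"name": "switch-b Gi1/0/48", "native": 999, "allowed": "1,10,20,999",
            "vlan_db": {1, 10, 20, 999}}
NEEDED = {10, 20, 100}

if __name__ == "__main__":
    for code, msg in check_trunk(SWITCH_A, SWITCH_B, NEEDED):
        print(f"{code:16} {msg}")
```

Feeding it the constructed pair reports the native mismatch, switch A still on native VLAN 1, VLAN 100 missing from switch B's allowed list, and VLAN 1 allowed on B without a purpose. Fixing both ends to native 999 and allowed 10,20,100,999 makes the finding list empty.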

Linux VLAN Interface Up but No Traffic

Common causes:
  • Physical interface is down (ip link show eth0)
  • 8021q module not loaded (lsmod | grep 8021q)
  • Switch port is access mode, not trunk
  • Switch trunk does not allow the VLAN ID
  • MTU mismatch: the VLAN tag adds 4 bytes, and Linux will not let a VLAN interface's MTU exceed its parent's, so a 1500-byte VLAN interface puts 1522-byte frames on the wire. If something in the path is strict about 1518, large tagged frames are dropped while small ones (ARP, pings) still work, which is the classic "ping works but SSH hangs" signature.

Debugging VLANs

tcpdump: Seeing VLAN Tags

# Capture on the physical interface to see tagged frames
tcpdump -eni eth0 vlan

# Filter for a specific VLAN
tcpdump -eni eth0 'vlan 100'

# Capture on the VLAN interface to see untagged (post-strip) traffic
tcpdump -ni eth0.100

The key insight: capture on the physical interface to see tags, capture on the VLAN interface to see the traffic after tag processing. If the physical-interface capture shows no vlan headers even though the VLAN interface passes traffic, the NIC is stripping tags in hardware (check ethtool -k eth0 | grep vlan-offload) and your libpcap is too old to reinsert them from the kernel's auxiliary data; disable it while debugging with ethtool -K eth0 rxvlan off.
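Once the tagged capture is in hand, the question is usually "which VLANs are actually arriving here, and should they be?" The following added example (not code from the page) parses tcpdump -e output lines to inventory VLAN IDs and source MACs per VLAN, and flags VIDs outside the expected set, untagged frames (which a trunk would drop into the native VLAN) and double-tagged frames. The sample lines are constructed in the shape tcpdump -eni eth0 prints; in practice you would pipe real output into it.

```python
"""Inventory the VLAN tags seen in `tcpdump -e` output and flag what should not be there.

Added example for this primer, not code from the page. SAMPLE is constructed in the
shape `tcpdump -eni eth0` prints; real use is `tcpdump -eni eth0 | python3 this.py`.
"""
import re
import sys
from collections import Counter, defaultdict

# "vlan 100, p 0," appears once per tag; stacked tags appear in order, outermost first.
VLAN_RE = re.compile(r"\bvlan (\d+), p (\d)")
# timestamp, then "src > dst," as printed by -e with -n
MAC_RE = re.compile(r"^\S+\s+([0-9a-f:]{17}) > ([0-9a-f:]{17}),")


def parse_line(line):
    """Return (src_mac, [vid, ...]) for one frame line, [] meaning untagged;
    None for lines that are not frame headers (continuations, tcpdump banners)."""
    m = MAC_RE.match(line)
    if not m:
        return None
    vids = [int(v) for v, _ in VLAN_RE.findall(line)]
    return m.group(1), vids


def inventory(lines, expected_vids, native_vid):
    """Summarise what the wire shows against what the trunk is supposed to carry."""
    per_vid = Counter()
    macs_per_vid = defaultdict(set)
    untagged = double_tagged = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, vids = parsed
        if not vids:
            untagged += 1
            macs_per_vid[native_vid].add(src)   # a trunk files untagged frames here
            continue
        if len(vids) > 1:
            double_tagged += 1
        per_vid[vids[0]] += 1
        macs_per_vid[vids[0]].add(src)
    return {
        "frames_per_vid": dict(per_vid),
        "unexpected_vids": sorted(set(per_vid) - set(expected_vids)),
        "untagged_frames": untagged,
        "double_tagged_frames": double_tagged,
        "macs_per_vid": {v: sorted(m) for v, m in macs_per_vid.items()},
    }


# Constructed sample: two VLAN 100 frames, one stray VLAN 200 ARP, one untagged ARP,
# and one double-tagged frame (outer 1, inner 20) of the kind the hopping section describes.
SAMPLE = """\
12:00:01.000001 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 100, p 0, ethertype ARP (0x0806), Request who-has 10.100.0.1 tell 10.100.0.5, length 46
12:00:01.000123 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype 802.1Q (0x8100), length 102: vlan 100, p 0, ethertype IPv4 (0x0800), 10.100.0.5 > 10.100.0.9: ICMP echo request, id 1, seq 1, length 64
12:00:02.000000 aa:bb:cc:dd:ee:01 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 200, p 0, ethertype ARP (0x0806), Request who-has 10.200.0.1 tell 10.200.0.7, length 46
12:00:03.000000 aa:bb:cc:dd:ee:02 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.1 tell 192.168.1.77, length 46
12:00:04.000000 de:ad:be:ef:00:01 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 68: vlan 1, p 0, ethertype 802.1Q (0x8100), vlan 20, p 0, ethertype ARP (0x0806), Request who-has 10.20.0.1 tell 10.20.0.66, length 46
"""

if __name__ == "__main__":
    lines = sys.stdin if not sys.stdin.isatty() else SAMPLE.splitlines()
    print(inventory(lines, expected_vids={1, 100}, native_vid=1))
```

With expected VLANs {1, 100} and native VLAN 1, the sample yields VLAN 200 as unexpected, one untagged frame credited to VLAN 1, and one double-tagged frame; the per-VLAN MAC lists tell you which host to go looking for on the switch's MAC table.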

Switch-Side Verification

Key Cisco commands: show vlan brief (VLAN database), show interface trunk (trunk status and allowed VLANs), show interface Gi0/1 switchport (port VLAN assignment), show mac address-table vlan 100.

Linux-Side Verification

ip -d link show eth0.100       # VLAN interface details
ip -s link show eth0.100       # RX/TX packet counts
ip neigh show dev eth0.100     # ARP resolution within the VLAN

VLANs in Container and Kubernetes Environments

Docker

Docker's macvlan driver can place containers directly onto a VLAN:

docker network create -d macvlan \
    --subnet=10.100.0.0/24 \
    --gateway=10.100.0.1 \
    -o parent=eth0.100 \
    vlan100_net

The container gets an IP on VLAN 100 and is reachable from the physical network. Useful for legacy integrations where containers need to appear as regular hosts. Two caveats: each container has its own MAC address, so the switch port must accept multiple MACs (port-security limits, or a hypervisor's MAC filtering on a VM's vNIC, will silently drop them); and by design the host cannot reach its own macvlan containers through the parent interface, so if the host itself needs to talk to them, add a macvlan sub-interface on the host in the same VLAN.

Kubernetes

CNI plugins handle VLAN integration:

  • Multus: attaches multiple network interfaces to pods, each potentially on a different VLAN
  • SR-IOV CNI: assigns hardware-virtualized NIC functions to pods with VLAN tags
  • Host-device CNI: passes a host VLAN interface directly into the pod namespace

Typical use case: a pod needs access to a legacy database on VLAN 200 while its primary interface stays on the overlay network. Multus adds a second interface via a NetworkAttachmentDefinition (apiVersion k8s.cni.cncf.io/v1) whose spec.config is a CNI JSON config with "type": "macvlan", "master": "eth0.200" and an ipam block; the pod opts in with the k8s.v1.cni.cncf.io/networks annotation naming that definition. The node must already have eth0.200 configured and its switch port trunked for VLAN 200, otherwise the macvlan attaches cleanly and passes nothing.

Analogy: VLANs are like floors in an office building. Each floor (VLAN) is isolated — people on floor 10 cannot hear conversations on floor 20. To move between floors, you need an elevator (router). The trunk link is the elevator shaft that connects all floors. The 4094 VLAN limit is like running out of floor numbers — which is why cloud providers use VXLAN (24-bit IDs, 16 million segments) for large-scale multi-tenant environments.

Cloud VPCs

Cloud "subnets" play the role VLANs play on a physical network: isolated segments inside a VPC with routing between them. The analogy stops at broadcast, though: provider SDN fabrics generally do not forward Ethernet broadcast or multicast at all, there is no 802.1Q tag for you to see, and isolation is enforced by the provider's encapsulation (VXLAN-style overlays) plus security groups and network ACLs rather than by switch port configuration.

Quick Reference

Task                        Command/Method
Create VLAN interface       ip link add link eth0 name eth0.100 type vlan id 100
Assign IP and bring up      ip addr add 10.100.0.5/24 dev eth0.100 && ip link set eth0.100 up
Show VLAN details           ip -d link show eth0.100
Load 8021q module           modprobe 8021q
Capture tagged frames       tcpdump -eni eth0 vlan / tcpdump -eni eth0 'vlan 100'
Docker macvlan on VLAN      docker network create -d macvlan -o parent=eth0.100 ...
