VLANs — Trivia & Interesting Facts
Surprising, historical, and little-known facts about Virtual LANs.
VLANs were invented because physical network changes required pulling new cables
Before VLANs, if a user moved from one department to another, a network technician had to physically re-cable their port to a different switch or hub segment. VLANs (standardized as IEEE 802.1Q in 1998) allowed logical network segmentation independent of physical topology. A port's VLAN membership could be changed with a single command, eliminating the need for physical re-cabling.
802.1Q adds only 4 bytes to an Ethernet frame
The 802.1Q VLAN tag inserts a 4-byte field between the source MAC address and the EtherType/Length field. This increases the maximum frame size from 1518 to 1522 bytes. The tag contains a 12-bit VLAN ID (values 0-4095), a 3-bit Priority Code Point (PCP) for QoS, and a 1-bit Drop Eligible Indicator (DEI). The 12-bit VLAN ID limits the number of VLANs to 4,094 (0 and 4095 are reserved), a constraint that drove the invention of VXLAN.
VLAN 1 is the default and the most dangerous VLAN in any network
On most switches, every port starts in VLAN 1, and many control-plane protocols (CDP, VTP, STP BPDUs) use VLAN 1 by default. The "VLAN 1 best practice" is to never carry user traffic on VLAN 1: move all user ports to other VLANs and leave VLAN 1 empty (it cannot be deleted). This advice exists because VLAN 1's special status makes it harder to secure and makes accidental traffic leaks into it more likely.
VLAN hopping is a real attack that exploits trunk ports
VLAN hopping attacks exploit switches that leave DTP (Dynamic Trunking Protocol) enabled. A device on an access port can negotiate that port into a trunk, gaining access to every VLAN carried on it. The double-tagging variant sends frames with two 802.1Q tags: the first switch strips the outer tag (this only works when the outer tag is the trunk's native VLAN, because native-VLAN frames are forwarded untagged), and the inner tag delivers the frame into a different VLAN on the next switch. The fix is simple: disable DTP (switchport nonegotiate), explicitly configure every port as access or trunk, and give trunks an unused native VLAN that is tagged rather than left untagged. Despite being known since the early 2000s, misconfigured DTP ports remain common.
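As an added example (not code from the original page), the following Python encodes and parses the 4-byte 802.1Q tag layout described above and applies the checks a monitoring tool would use to flag a tagged or double-tagged frame arriving on a port that should only see untagged traffic. Frame bytes, MAC addresses and field names are constructed for the example and are assumptions.

```python
import struct

TPIDS = {0x8100, 0x88A8}    # 802.1Q and 802.1ad (Q-in-Q) tag protocol identifiers
RESERVED_VIDS = {0, 4095}   # VID 0 carries priority only, 4095 is reserved by the standard
USABLE_VLANS = 4096 - len(RESERVED_VIDS)   # the 4,094 figure quoted in the article

def build_tag(vid: int, pcp: int = 0, dei: int = 0, tpid: int = 0x8100) -> bytes:
    """Encode one 4-byte tag: 16-bit TPID, then the 16-bit TCI laid out as PCP(3)|DEI(1)|VID(12)."""
    if not (0 <= vid <= 4095 and 0 <= pcp <= 7 and dei in (0, 1)):
        raise ValueError("tag field out of range")
    return struct.pack("!HH", tpid, (pcp << 13) | (dei << 12) | vid)

def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into MACs, tags (outermost first), EtherType and payload.
    Tags sit between the source MAC and the EtherType, so each one shifts the EtherType by 4 bytes."""
    if len(frame) < 14:
        raise ValueError("too short for an Ethernet header")
    tags, off = [], 12
    while True:
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in TPIDS:
            break
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append({"tpid": etype, "pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        off += 4
    return {"dst": frame[:6], "src": frame[6:12], "tags": tags,
            "ethertype": etype, "payload": frame[off + 2:]}

def access_port_findings(frame: bytes) -> list:
    """Defender-side checks for a frame received on a port configured as access (untagged).
    Any tag there is unexpected; two or more stacked tags is the double-tagging pattern."""
    tags = parse_frame(frame)["tags"]
    findings = []
    if tags:
        findings.append("tagged frame on access port")
    if len(tags) >= 2:
        findings.append("stacked 802.1Q tags (double-tagging pattern)")
    if any(t["vid"] in RESERVED_VIDS for t in tags):
        findings.append("reserved VLAN ID in tag")
    return findings

# Constructed sample frames (hypothetical MACs, IPv4 EtherType, zero-filled minimum payload).
DST, SRC = bytes.fromhex("ffffffffffff"), bytes.fromhex("02000000aa01")
IPV4, PAYLOAD = struct.pack("!H", 0x0800), b"\x00" * 46
UNTAGGED = DST + SRC + IPV4 + PAYLOAD                         # 60 bytes
TAGGED = DST + SRC + build_tag(10, pcp=5) + IPV4 + PAYLOAD    # 64 bytes: one 4-byte tag added
DOUBLE = DST + SRC + build_tag(1) + build_tag(20) + IPV4 + PAYLOAD   # outer VID 1, inner VID 20

if __name__ == "__main__":
    print(len(UNTAGGED), len(TAGGED), [t["vid"] for t in parse_frame(DOUBLE)["tags"]])
    print(access_port_findings(DOUBLE))
```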
Native VLAN mismatches cause silent traffic leaks
The native VLAN is the VLAN carried untagged on a trunk link. If one end of a trunk uses native VLAN 1 and the other uses native VLAN 10, untagged frames from one side arrive on the wrong VLAN on the other side. This creates a silent cross-VLAN leak that generates no errors or log messages. Cisco CDP will warn about native VLAN mismatches, but many operators disable CDP, missing the only automated detection.
Private VLANs create isolation within a VLAN — VLANs within VLANs
Private VLANs (RFC 5517) divide a primary VLAN into isolated and community ports. Isolated ports cannot communicate with each other (only with the promiscuous port, typically the gateway), while community ports can talk within their community. This is used in DMZs, co-location facilities, and hotel networks where each customer needs network access but must be isolated from other customers — all within a single IP subnet.
Voice VLANs exist because IP phones need special treatment
Most enterprise switches support a "voice VLAN" feature that places IP phone traffic on a separate VLAN from computer traffic, even though both share the same physical port. The switch sends CDP or LLDP-MED messages to the phone telling it which VLAN to use. The phone tags its traffic with the voice VLAN, while the computer's traffic remains untagged on the data VLAN. This allows QoS prioritization of voice traffic without requiring separate physical cabling.
VTP (VLAN Trunking Protocol) has deleted entire networks
Cisco's VTP propagates VLAN configurations across switches automatically. In "server" mode, a single switch's VLAN database is pushed to all other switches. If a switch with a higher VTP revision number (and an empty VLAN database) is plugged into the network, it can overwrite every other switch's VLANs, instantly removing all VLAN assignments across the entire network. This failure mode is so infamous that many organizations disable VTP entirely and manage VLANs manually on each switch.
The 4,094 VLAN limit has shaped data center architecture for 25 years
The 12-bit VLAN ID field in 802.1Q supports 4,094 usable VLANs. This seemed generous in 1998 but became a critical constraint in multi-tenant cloud environments where each tenant might need multiple VLANs. The limit directly motivated the development of VXLAN (with its 24-bit VNI supporting 16 million segments), Q-in-Q (stacking 802.1Q tags), and ultimately the move away from VLAN-based segmentation in modern data centers.