VLANs
What It Is
A VLAN is a Layer 2 broadcast domain carried over Ethernet switching infrastructure. VLAN tags let multiple logical LANs share physical links, but a VLAN is not a security boundary by itself. Routing, firewall policy, host controls, and switch configuration decide what can actually talk.
Core Concepts
| Concept | What It Means | Modern Note |
|---|---|---|
| Access port | Carries one untagged VLAN to an endpoint | Normal for clients, printers, cameras, and many servers |
| Trunk port | Carries multiple VLANs using tags | Normal between switches, hypervisors, APs, and firewalls |
| Native VLAN | Untagged VLAN on an 802.1Q trunk | Avoid using it for user traffic |
| Allowed VLAN list | VLANs permitted on a trunk | Keep it explicit, not "all VLANs everywhere" |
| SVI | Layer 3 interface for a VLAN | Default gateway in multilayer designs |
| Routed port | Layer 3 port with no VLAN switching | Often cleaner for switch-to-switch or switch-to-router links |
| Private VLAN | Secondary VLAN behavior inside one primary VLAN | Useful but platform-specific and easy to misread |
| VXLAN VNI | Overlay segment identifier | Modern data centers often map VLANs to VNIs at the edge |
Modern note: VLANs are still everywhere, but modern designs try to keep Layer 2 domains smaller and push routing closer to the access, distribution, or leaf layer.
802.1Q Tag Basics
| Field | Size | What It Does |
|---|---|---|
| TPID | 16 bits | Identifies an 802.1Q-tagged frame, commonly 0x8100 |
| PCP | 3 bits | Layer 2 priority marking |
| DEI | 1 bit | Drop eligible indicator |
| VLAN ID | 12 bits | VLAN identifier, usable range is commonly 1-4094 |
Watch out: VLAN IDs 0 and 4095 are reserved in normal 802.1Q operation. Platform defaults also reserve or treat some VLANs specially.
Access Vs Trunk
| Port Type | Carries | Typical Use | Common Failure |
|---|---|---|---|
| Access | One untagged VLAN | Endpoint connection | Wrong access VLAN |
| Trunk | Many tagged VLANs, optional native VLAN | Switch uplinks, APs, hypervisors | VLAN missing from allowed list |
| Hybrid / general | Mix of tagged and untagged VLANs | Some vendors, APs, voice, IoT | Misread vendor terminology |
| Routed | No L2 switching VLAN | L3 uplink or point-to-point | Expecting L2 adjacency |
Design note: If a link only needs one routed network, make it routed when the platform supports it. Do not build a trunk just because trunks are familiar.
Native VLAN Guidance
| Practice | Guidance | Why |
|---|---|---|
| User traffic on native VLAN | Avoid | Untagged traffic is harder to reason about |
| Native VLAN mismatch | Treat as an outage risk | Can leak traffic or break control protocols |
| Unused native VLAN | Prefer on trunks | Reduces accidental endpoint access |
| Tag native VLAN | Use where supported and consistent | Removes ambiguity on trunk links |
Watch out: "Native VLAN" is not a management VLAN. It is the VLAN used for untagged traffic on a trunk.
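The tag layout above and the native VLAN rules are easiest to check against real bytes. The following Python is an added example, not part of the original page or any vendor code: it builds a few constructed frames, walks the Ethernet header and any stacked 802.1Q (0x8100) or 802.1ad (0x88A8) tags, and then models the ingress decision an 802.1Q trunk makes: untagged and priority-tagged (VID 0) frames land in the native VLAN, and a VID that is reserved or not in the allowed list is dropped. The MAC addresses, VLAN numbers and the "dropped when the native VLAN is not in the allowed list" behaviour (Cisco IOS semantics) are assumptions chosen for the illustration.

```python
import struct

TPID_CTAG = 0x8100          # 802.1Q customer tag
TPID_STAG = 0x88A8          # 802.1ad service tag (QinQ outer tag)
TAG_TPIDS = {TPID_CTAG, TPID_STAG}
RESERVED_VIDS = {0, 4095}   # 0 = priority-tagged, no VLAN; 4095 = reserved


def build_frame(dst, src, tags, ethertype, payload):
    """Build a constructed test frame. tags = [(tpid, pcp, dei, vid), ...] outermost first."""
    out = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for tpid, pcp, dei, vid in tags:
        tci = (pcp << 13) | (dei << 12) | (vid & 0x0FFF)   # TCI: PCP(3) DEI(1) VID(12)
        out += struct.pack("!HH", tpid, tci)
    return out + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Decode dst/src MAC, every stacked tag (outermost first), the final EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    off, tags = 12, []
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated frame")
        etype = struct.unpack_from("!H", frame, off)[0]
        if etype not in TAG_TPIDS:          # first non-TPID value is the real EtherType
            break
        if off + 4 > len(frame):
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append({"tpid": etype, "pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        off += 4
    return {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "tags": tags, "ethertype": etype, "payload": frame[off + 2:]}


def classify(parsed):
    """Human-readable tag state of a parsed frame."""
    tags = parsed["tags"]
    if not tags:
        return "untagged"
    if len(tags) > 1:
        return "double-tagged"
    return "priority-tagged" if tags[0]["vid"] == 0 else "tagged"


def trunk_ingress_vlan(parsed, native_vid, allowed):
    """VLAN a frame is switched into when received on an 802.1Q trunk, or None if dropped.
    Untagged and VID 0 frames map to the native VLAN. Assumed IOS behaviour: if the native
    VLAN is not in the allowed list, untagged frames are dropped rather than forwarded."""
    tags = parsed["tags"]
    vid = native_vid if (not tags or tags[0]["vid"] == 0) else tags[0]["vid"]
    if vid in RESERVED_VIDS or vid not in allowed:
        return None
    return vid


# Constructed sample frames (assumed MACs, minimal IPv4-looking payload).
DST, SRC = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
PAYLOAD = b"\x45" + b"\x00" * 19
FRAME_UNTAGGED = build_frame(DST, SRC, [], 0x0800, PAYLOAD)
FRAME_TAGGED = build_frame(DST, SRC, [(TPID_CTAG, 5, 0, 20)], 0x0800, PAYLOAD)
FRAME_PRIORITY = build_frame(DST, SRC, [(TPID_CTAG, 3, 0, 0)], 0x0800, PAYLOAD)
FRAME_QINQ = build_frame(DST, SRC, [(TPID_STAG, 0, 0, 999), (TPID_CTAG, 0, 0, 20)], 0x0800, PAYLOAD)

if __name__ == "__main__":
    allowed = {10, 20, 30, 40, 50, 60}          # the page's explicit trunk allowed list
    for name, f in [("untagged", FRAME_UNTAGGED), ("tagged", FRAME_TAGGED),
                    ("priority", FRAME_PRIORITY), ("qinq", FRAME_QINQ)]:
        p = parse_frame(f)
        print(name, classify(p), [t["vid"] for t in p["tags"]],
              "native 999 ->", trunk_ingress_vlan(p, 999, allowed),
              "native 1 ->", trunk_ingress_vlan(p, 1, allowed | {1}))
```

Run it once with the native VLAN set to an unused blackhole VLAN that is kept off the allowed list and once with native VLAN 1 allowed: the untagged and priority-tagged frames are dropped in the first case and land in VLAN 1 in the second, which is the practical difference the table above is describing.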
VLANs And Security
| Claim | Reality | Better Practice |
|---|---|---|
| VLANs are security | VLANs separate broadcast domains, not trust by themselves | Enforce policy at L3/L4/L7 |
| Same VLAN means trusted | Hosts can still attack each other laterally | Use host firewall, NAC, segmentation, private VLANs where useful |
| Different VLAN means blocked | Routing may allow traffic | Check firewall and ACL policy |
| Hidden VLAN is safe | Obscurity does not hold | Use explicit policy and monitoring |
| Trunk to endpoint is fine | It expands the blast radius: the endpoint can reach every VLAN on the trunk | Only trunk to endpoints that need it, with an explicit allowed list |
Modern note: In modern networks, VLANs are usually one layer in segmentation. Identity, firewall policy, NAC, SASE, microsegmentation, or cloud security groups may also define the real boundary.
Design Patterns
| Pattern | When It Fits | Watch Out |
|---|---|---|
| VLAN per function | Users, servers, voice, guest, cameras, management | Too many tiny VLANs without policy clarity |
| VLAN per site | Small branches | Harder to apply function-specific policy |
| Routed access | Larger campus or resilient access designs | Requires L3 design discipline |
| Collapsed core | Small to medium sites | Core outage blast radius |
| Leaf-spine with VXLAN | Data center or large fabric | VLANs become edge-local, not campus-wide |
| Guest isolation | Internet-only guest access | Do not leak guest into corporate DNS or RFC 1918 paths |
Design note: Name VLANs for purpose, not just number. VLAN 120 - CORP-WIRED-USERS is easier to operate than VLAN 120.
Common VLAN Plan
| VLAN | Name | Purpose | Gateway Example |
|---|---|---|---|
| 10 | NET-MGMT | Switch, AP, and controller management, kept off user VLANs | 10.10.10.1/24 |
| 20 | CORP-WIRED | Corporate wired endpoints | 10.10.20.1/24 |
| 30 | CORP-WIFI | Corporate wireless endpoints | 10.10.30.1/24 |
| 40 | VOICE | Phones and voice gateways | 10.10.40.1/24 |
| 50 | IOT | Cameras, printers, building systems | 10.10.50.1/24 |
| 60 | GUEST | Guest Internet access | 10.10.60.1/24 |
| 999 | BLACKHOLE | Unused access ports and native VLAN | No gateway |
Watch out: A management VLAN is sensitive. Do not let normal users reach switch, AP, firewall, hypervisor, or controller management just because it is "inside."
Troubleshooting
| Symptom | Check | Likely Cause |
|---|---|---|
| Host gets wrong subnet | Access VLAN, DHCP scope, switchport mode | Port in wrong VLAN |
| VLAN works on one switch, not another | Trunk allowed VLANs, STP state | VLAN pruned or blocked |
| AP SSID clients fail on one VLAN | AP trunk config, controller mapping, DHCP relay | Missing VLAN tag or helper |
| Hypervisor VM has no network | Port group VLAN, switch trunk, host NIC team | Tagging mismatch |
| Native VLAN warnings | Both sides of trunk | Native VLAN mismatch |
| Inter-VLAN routing fails | SVI status, route table, firewall policy | Gateway down or policy blocking |
| Some devices unreachable after move | MAC table, ARP, DHCP lease | Stale binding or wrong VLAN assignment |
Cisco IOS/IOS-XE Examples
Create VLANs:
vlan 20
name CORP-WIRED
!
vlan 30
name CORP-WIFI
!
vlan 999
name BLACKHOLE-NATIVE
Access port:
interface GigabitEthernet1/0/10
description Workstation
switchport mode access
switchport access vlan 20
spanning-tree portfast
spanning-tree bpduguard enable
Trunk with explicit allowed VLANs:
interface GigabitEthernet1/0/48
description Uplink to DIST-01
switchport mode trunk
switchport trunk native vlan 999
switchport trunk allowed vlan 10,20,30,40,50,60
switchport nonegotiate
SVI gateway:
interface Vlan20
description CORP-WIRED gateway
ip address 10.10.20.1 255.255.255.0
no shutdown
Notes:
- Keep trunk allowed lists explicit.
- Use an unused native VLAN when the design still has an untagged native VLAN.
- switchport nonegotiate disables DTP, but both sides must be manually configured correctly.
- Add Layer 3 policy somewhere. VLANs alone do not decide who can talk.
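The notes above and the "VLANs And Security" table come down to a handful of checks that can be run against a running-config instead of eyeballed. The following Python is an added example, not part of the original page or any vendor tooling: it parses interface stanzas from an IOS/IOS-XE style config and flags access ports left in VLAN 1 or without BPDU guard, and trunks with no explicit allowed list, a native VLAN of 1 or a user VLAN, or DTP still enabled. The config excerpt is constructed for the example (it reuses the page's two good ports and adds two deliberately weak ones), the set of user VLANs is an assumption, and only the plain "switchport trunk allowed vlan <list>" form is parsed (not add/remove/except).

```python
from typing import Dict, List, Optional, Set

# Constructed IOS-style excerpt: Gi1/0/10 and Gi1/0/48 match the page's examples,
# Gi1/0/11 and Gi1/0/47 are intentionally weak so the audit has something to flag.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/10
 description Workstation
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/11
 description Printer
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/47
 description Old uplink
 switchport mode trunk
!
interface GigabitEthernet1/0/48
 description Uplink to DIST-01
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30,40,50,60
 switchport nonegotiate
!
"""

USER_VLANS = {20, 30}   # assumption: VLANs that carry endpoint traffic in this design


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Group the indented lines of each 'interface X' stanza under its name."""
    ifaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            ifaces[current] = []
        elif current is not None and line.startswith(" "):
            ifaces[current].append(line.strip())
        else:                       # '!' or a top-level command ends the stanza
            current = None
    return ifaces


def expand_vlan_list(spec: str) -> Optional[Set[int]]:
    """Expand '10,20-22,30' to {10,20,21,22,30}; 'all' returns None, 'none' an empty set."""
    if spec == "all":
        return None
    vids: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if part == "none" or not part:
            continue
        if "-" in part:
            lo, hi = part.split("-")
            vids.update(range(int(lo), int(hi) + 1))
        else:
            vids.add(int(part))
    return vids


def _arg(lines: List[str], prefix: str) -> Optional[str]:
    """Last token of the first line starting with prefix, or None."""
    return next((l.split()[-1] for l in lines if l.startswith(prefix)), None)


def audit(config: str) -> Dict[str, List[str]]:
    """Return {interface: [issue, ...]} for every port that violates the page's guidance."""
    findings: Dict[str, List[str]] = {}
    for name, lines in parse_interfaces(config).items():
        issues: List[str] = []
        mode = _arg(lines, "switchport mode ")
        if mode == "access":
            vlan = int(_arg(lines, "switchport access vlan ") or 1)   # IOS default is VLAN 1
            if vlan == 1:
                issues.append("access port left in default VLAN 1")
            if "spanning-tree bpduguard enable" not in lines:
                issues.append("access port without bpduguard")
        elif mode == "trunk":
            allowed_spec = _arg(lines, "switchport trunk allowed vlan ")
            allowed = expand_vlan_list(allowed_spec) if allowed_spec else None
            native = int(_arg(lines, "switchport trunk native vlan ") or 1)  # IOS default is 1
            if allowed is None:
                issues.append("trunk allows all VLANs (no explicit allowed list)")
            if native == 1 or native in USER_VLANS:
                issues.append(f"native VLAN {native} is VLAN 1 or a user VLAN")
            if "switchport nonegotiate" not in lines:
                issues.append("DTP still enabled (missing switchport nonegotiate)")
        elif mode is None and any(l.startswith("switchport") for l in lines):
            issues.append("switchport with no explicit mode (DTP dynamic default on many platforms)")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for iface, issues in audit(SAMPLE_CONFIG).items():
        print(iface)
        for issue in issues:
            print("  -", issue)
```

Feed it the output of show running-config from a real switch and extend USER_VLANS to match the VLAN plan; a clean run means every access port is off VLAN 1 with BPDU guard, and every trunk has an explicit allowed list, a non-user native VLAN, and DTP off.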
Commands
Cisco IOS/IOS-XE:
show vlan brief
show interfaces trunk
show interfaces switchport
show spanning-tree vlan 20
show mac address-table vlan 20
show ip arp vlan 20
Linux host or bridge (iproute2):
bridge vlan show
ip link show
ip addr show
ip route show
Expected clues:
- Access port is in the intended VLAN.
- Trunk carries the VLAN on both ends.
- Native VLAN matches or is intentionally tagged.
- SVI is up/up only when the VLAN exists and at least one port in it is up and forwarding (autostate).
- STP is not blocking the only path.
- MAC table learns hosts in the expected VLAN.
- DHCP relay or scope matches the VLAN subnet.
Watch Out
- Do not leave trunks allowing every VLAN by default.
- Do not put users, management, servers, guest, and IoT in one flat VLAN.
- Do not treat VLAN separation as firewall policy.
- Do not stretch VLANs between sites unless there is a specific, tested requirement.
- Do not reuse VLAN IDs across locations without clear documentation.
- Do not trunk to phones, APs, hypervisors, or cameras without knowing which VLANs they actually need.
- Do not forget that wireless SSIDs often map to VLANs behind the scenes.