One Ethernet switch can host many logical networks at once. Two PCs plugged into ports 1 and 24 of the same physical switch can be on different broadcast domains, with different IP subnets, unable to talk to each other without going through a router. They’re using the same copper, the same backplane, the same MAC-address table — but the switch treats them as if they were on entirely separate switches. The mechanism is the VLAN: a small label slipped into each Ethernet frame that tells the switch which logical network the frame belongs to.

This is lesson 16 of Networking from Scratch. We touched VLANs briefly in lesson 6 as “the way switch ports get partitioned” and in lesson 9 as a layer-2 concept. This article is the proper deep dive: how the tag is encoded, what access and trunk ports actually do, the gotchas with native VLAN and voice VLAN, and the verification commands that turn switch CLI output from a wall of text into something you can debug.
What problem VLANs solve
Without VLANs, every port on a switch is in the same broadcast domain. A broadcast frame entering port 1 leaves all the other ports. ARP requests, DHCP discovers, mDNS announcements, NetBIOS queries — everything broadcast hits everyone. On a small office network this is fine. On a large flat network it’s a problem: hundreds of hosts generating chatter, every host having to inspect every broadcast, and a single misbehaving device able to flood the whole segment.
The traditional fix was buying more switches and putting different groups on different physical switches with a router between them. Cheap when you have two groups; absurd when you have twenty. Plus, you can’t move someone’s desk without rerunning cables.
VLANs solve the same problem in software. One physical switch hosts many logical broadcast domains. A user’s VLAN is a switch-config attribute, not a physical reality — if their job changes and they need to move from VLAN 20 to VLAN 30, you change the port config; the cables stay where they are. Layer 3 routing between VLANs (“inter-VLAN routing”) happens on a router or layer-3 switch, with normal IP firewalling and ACLs available between the VLANs the same way they’d be available between physical networks.
The 802.1Q tag
IEEE 802.1Q defines the tagging format. A tagged Ethernet frame inserts four extra bytes between the source MAC and the EtherType:
| Field | Size | Meaning |
|---|---|---|
| TPID (Tag Protocol ID) | 2 bytes | Always 0x8100 — the marker that says “this is a VLAN-tagged frame” |
| PCP (Priority Code Point) | 3 bits | QoS priority, 0–7 (used by 802.1p) |
| DEI (Drop Eligible Indicator) | 1 bit | Whether this frame can be dropped under congestion (formerly “CFI”) |
| VID (VLAN ID) | 12 bits | The VLAN number, 1–4094 (0 and 4095 reserved) |
That’s the whole tag. 12 bits gives 4,094 usable VLANs — plenty for almost any enterprise. The frame size grows by 4 bytes (max 1522 instead of 1518) so devices in the path need to support “baby jumbo” frames or the tag won’t survive. Almost everything modern does.
Port modes: access vs trunk
A switch port has two relevant operational modes:
Access ports (untagged, single VLAN)
Connects an end host: a PC, a printer, a phone, a server NIC. The host doesn’t know about VLANs — it sends and receives plain untagged Ethernet frames. The switch tags incoming frames with the port’s configured VLAN ID and strips the tag from outgoing frames. The host never sees the tag.
Cisco IOS configuration:
```
interface GigabitEthernet0/1
switchport mode access
switchport access vlan 10
```
That port now belongs to VLAN 10. Whatever’s plugged in is on the VLAN-10 broadcast domain, period.
Trunk ports (tagged, multiple VLANs)
Connects to another switch, a router, a hypervisor, or a VM host that needs access to multiple VLANs. Frames keep their 802.1Q tags as they cross a trunk. The switch on the other side reads the tag and forwards into the matching VLAN locally.
```
interface GigabitEthernet0/24
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 10,20,30
switchport trunk native vlan 1
```
This port carries VLANs 10, 20, and 30 simultaneously, all tagged. Everything else is dropped at the trunk — the allowed vlan list is the equivalent of an ACL between switches. A common mistake when extending a network is forgetting to add the new VLAN to the allowed list on the trunk; the host gets an IP, even pings the local gateway, but inter-switch traffic mysteriously fails.
The native VLAN gotcha
One VLAN on a trunk gets to be untagged: the “native VLAN.” Frames in the native VLAN cross the trunk with no 802.1Q header. Frames in any other VLAN are tagged normally.
The native VLAN exists for backwards compatibility with hubs and old switches that didn’t understand tagging. In a modern environment its main effect is to be a footgun. Two scenarios that cause real outages:
- Native VLAN mismatch. Switch A’s trunk has native VLAN 1; switch B’s has native VLAN 99. Untagged frames leaving A in “VLAN 1” arrive at B and are placed in “VLAN 99” without ever seeing a tag. The two devices’ CDP/LLDP both warn loudly about this; many engineers ignore those warnings until something breaks.
- VLAN-hopping attack. If an attacker double-tags a frame — outer tag matches the trunk’s native VLAN (gets stripped on entry), inner tag identifies a target VLAN (gets honoured by the receiving switch) — they can inject traffic into a VLAN they’re not supposed to reach. The mitigation is to make the native VLAN something that no end host ever uses (usually an empty VLAN dedicated to this purpose, e.g., VLAN 999) and to configure `switchport trunk native vlan tag` when supported.
Best-practice modern advice: pick a dedicated native VLAN that you don’t put any hosts on, and explicitly set it on every trunk so there’s no ambiguity.
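To make both the tag layout from the table above and the native-VLAN discussion concrete, here is an added Python example (not from the lesson) that encodes and decodes 802.1Q headers with `struct`, peels stacked tags, and applies the defender's rule this section argues for: on a trunk whose native VLAN travels untagged, a frame that arrives double-tagged, or tagged with the native VLAN's own ID, should never occur and is worth alerting on. The frame bytes and the function names are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100          # TPID that marks a VLAN-tagged frame

def build_tag(vid, pcp=0, dei=0):
    """Return the 4-byte 802.1Q tag: TPID, then PCP (3 bits) | DEI (1 bit) | VID (12 bits)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1-4094; 0 and 4095 are reserved")
    tci = (pcp << 13) | (dei << 12) | vid
    return struct.pack("!HH", TPID_8021Q, tci)

def tag_frame(frame, vid, pcp=0):
    """Insert a tag between the source MAC (bytes 6-11) and the EtherType, as an access port does."""
    return frame[:12] + build_tag(vid, pcp) + frame[12:]

def parse_tags(frame):
    """Peel every stacked 802.1Q tag; return ([(pcp, dei, vid), ...], bytes from the EtherType on)."""
    tags, offset = [], 12
    while frame[offset:offset + 2] == struct.pack("!H", TPID_8021Q):
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        tags.append((tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        offset += 4
    return tags, frame[offset:]

def classify_trunk_ingress(frame, native_vid):
    """Defender's view of a frame arriving on a trunk whose native VLAN travels untagged."""
    tags, _ = parse_tags(frame)
    if not tags:
        return f"untagged:native-vlan-{native_vid}"
    if len(tags) > 1:
        # Two tags where one is expected: misconfigured QinQ or the double-tag hop described above.
        return "anomalous:stacked-tags"
    if tags[0][2] == native_vid:
        # The native VLAN is meant to be untagged here; a tag naming it is a mismatch symptom.
        return "anomalous:tagged-with-native-vid"
    return f"tagged:vlan-{tags[0][2]}"

# Constructed sample frame (not a capture): broadcast dst MAC, src MAC, EtherType 0x0800, dummy payload.
PLAIN = bytes.fromhex("ffffffffffff" "001122334455" "0800") + b"\x45" * 20
```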
Voice VLAN: the special case for IP phones
An IP phone often has a built-in switch: the wall jack plugs into the phone, the PC plugs into the phone, both share the one cable to the closet. The phone wants to be on the voice VLAN; the PC behind it wants to be on the data VLAN. Two devices, one cable, an access port, two VLANs.
The compromise is the voice VLAN:
```
interface GigabitEthernet0/1
switchport mode access
! data VLAN
switchport access vlan 10
! voice VLAN
switchport voice vlan 20
```
This isn’t a real trunk — the port is still in access mode — but the phone is told (via CDP or LLDP-MED) to tag its traffic with VLAN 20. The PC behind the phone sends untagged frames that the switch puts in VLAN 10. The phone’s frames arrive tagged with VLAN 20 and get treated as VLAN 20. Two VLANs on one access port, no operator-visible trunk.
The mechanism is dependent on the phone speaking CDP or LLDP-MED to learn its voice VLAN ID. Some phones won’t do this and need the VLAN ID hardcoded; some PCs misbehave when LLDP-MED is announcing voice; this is the kind of thing that breaks when the PBX is replaced.
Trunk negotiation: DTP and why we usually disable it
Cisco switches default to running DTP (Dynamic Trunking Protocol), which negotiates trunk vs access mode automatically based on what the other end says. That’s convenient between two known-good Cisco switches and a security risk almost everywhere else. An attacker plugging a laptop into an access port can have it negotiate up to a trunk and get visibility into every VLAN on the switch.
The hardening: disable DTP on every port. Either:
```
interface range Gi0/1 - 23
switchport mode access
! disables DTP on access ports
switchport nonegotiate
interface Gi0/24
switchport mode trunk
! also explicitly disable on trunks
switchport nonegotiate
```
Modern designs configure mode statically and leave DTP off. The port is access or trunk, full stop, no auto-magic.
Inter-VLAN routing
VLANs separate broadcast domains, but hosts in different VLANs still need to reach each other. The job of inter-VLAN routing falls to a router or a layer-3 switch (often called an “SVI” setup — switched virtual interface). On a Cisco L3 switch:
```
vlan 10
vlan 20
! gateway for VLAN 10
interface vlan 10
ip address 10.10.10.1 255.255.255.0
! gateway for VLAN 20
interface vlan 20
ip address 10.10.20.1 255.255.255.0
! enable L3 forwarding
ip routing
```
The switch is now also the default gateway for hosts on each VLAN, and it forwards between them at line rate. Firewall rules, ACLs, or zone-based policy live on this device or on a separate firewall in the path. The classic three-VLAN setup — data / voice / IoT — with rules forbidding IoT from talking to data is implemented here.
Verifying it on a Cisco switch
Three commands solve most VLAN questions:
```
show vlan brief
! lists every VLAN and which access ports are members of it
show interfaces trunk
! lists trunk ports, their native VLAN, and the allowed VLAN list
show interfaces switchport | include Mode|Access|Trunking
! per-port summary of access vs trunk mode and which VLAN(s)
```
On Linux, where the switch is a kernel bridge managed with the iproute2 `bridge` and `ip` tools:
```
bridge vlan show
# shows VLAN membership per bridge port
ip -d link show eth0.10
# shows that eth0.10 is a VLAN sub-interface tagging VLAN 10
```
For a Linux router doing inter-VLAN routing without a switch, the canonical setup is per-VLAN sub-interfaces (eth0.10, eth0.20) each with their own IP, and standard IP forwarding between them.
Common VLAN mistakes you’ll meet
- Forgot to add the VLAN to the trunk’s allowed list. The host can ping its gateway (because the gateway is local on the same switch), but anything that has to cross the trunk fails. Always check `show interfaces trunk`.
- Native VLAN mismatch. CDP/LLDP messages warn about it; CDP errors are gold for catching this kind of thing.
- VLAN exists on switch A but not switch B. Frames cross the trunk just fine but switch B doesn’t know what to do with them. Either define the VLAN on B or use VTP/MVRP to propagate (with careful boundaries — auto-VTP has caused legendary outages).
- Access port left as default. A port that was never configured is in VLAN 1 (the default). If you don’t want VLAN 1 to be reachable from random plugged-in devices, configure all ports explicitly.
- Voice VLAN without LLDP-MED. The phone never learns its VLAN ID and ends up on the data VLAN. Confirm LLDP-MED is enabled and the phone supports it.
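As an added example (not from the lesson), this Python script turns the checklist above into an audit: it parses `show interfaces trunk` output from both ends of a trunk and reports a native VLAN mismatch, VLANs allowed on one side only, VLANs allowed but not defined locally (allowed minus "allowed and active"), and VLANs that local access ports use but that are missing from the allowed list. The sample output is constructed, modelled on IOS formatting and abridged; the access-VLAN set stands in for what `show vlan brief` would tell you.

```python
def expand_vlan_list(text):
    """Expand an IOS VLAN list such as '1,10-12,20' into a set of ints ('none' -> empty set)."""
    vlans = set()
    for part in text.replace(" ", "").split(","):
        if part and part.lower() != "none":
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_show_trunk(output):
    """Parse 'show interfaces trunk' into {port: {"native": int, "allowed": set, "active": set}}."""
    trunks, section = {}, None
    for line in output.splitlines():
        if line.startswith("Port"):   # each section opens with a 'Port ...' header naming its column
            section = next((k for k in ("native", "active", "allowed") if k in line.lower()), None)
        elif line.strip() and section:
            port, rest = line.split(None, 1)
            entry = trunks.setdefault(port, {})
            entry[section] = int(rest.split()[-1]) if section == "native" else expand_vlan_list(rest)
    return trunks

def audit_trunk(local, port, peer, peer_port, access_vlans_in_use):
    """Apply the checklist to one trunk: compare with its far end and with the local access VLANs."""
    a, b, findings = local[port], peer[peer_port], []
    if a["native"] != b["native"]:
        findings.append(f"native VLAN mismatch: {a['native']} here, {b['native']} on {peer_port}")
    for vid in sorted(a["allowed"] - b["allowed"]):
        findings.append(f"VLAN {vid} allowed on {port} but not on {peer_port}")
    for vid in sorted(a["allowed"] - a["active"]):
        findings.append(f"VLAN {vid} allowed on {port} but not defined on this switch")
    for vid in sorted(access_vlans_in_use - a["allowed"]):
        findings.append(f"VLAN {vid} has access ports here but is missing from {port}'s allowed list")
    return findings

# Constructed sample output modelled on IOS 'show interfaces trunk' (abridged, not a real capture).
SWITCH_A = """\
Port        Mode   Encapsulation  Status    Native vlan
Gi0/24      on     802.1q         trunking  1
Port        Vlans allowed on trunk
Gi0/24      10,20,30
Port        Vlans allowed and active in management domain
Gi0/24      10,20"""
SWITCH_B = """\
Port        Mode   Encapsulation  Status    Native vlan
Gi0/1       on     802.1q         trunking  99
Port        Vlans allowed on trunk
Gi0/1       10,20
Port        Vlans allowed and active in management domain
Gi0/1       10,20"""
```

Running `audit_trunk(parse_show_trunk(SWITCH_A), "Gi0/24", parse_show_trunk(SWITCH_B), "Gi0/1", {10, 20, 40})` on the constructed data reports all four mistake types at once.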
What you can now answer
- What does an 802.1Q tag look like? — 4 bytes inserted after the source MAC: TPID + PCP + DEI + 12-bit VLAN ID.
- What’s the difference between access and trunk? — Access carries one VLAN untagged; trunk carries many, tagged.
- What’s the native VLAN? — The single VLAN on a trunk that travels untagged. Make it a dedicated empty VLAN to dodge attacks.
- How can a phone and a PC share one cable on different VLANs? — Voice VLAN: phone tags its traffic from CDP/LLDP-MED hints; PC stays untagged.
- How do hosts in different VLANs reach each other? — Inter-VLAN routing on a router or layer-3 switch with one SVI per VLAN.
- Why do real engineers turn off DTP? — Auto-negotiated trunks are a security risk; static config is safer.
What’s next
Lesson 17 covers Wi-Fi tuning in earnest: channel planning, the difference 5 GHz and 6 GHz make, roaming protocols (802.11r/k/v), client steering, and how AP placement decisions you make once cause headaches forever. After that come network troubleshooting tools, then the three hands-on labs.