VLANs partition a single layer 2 network into multiple virtual, isolated network segments.


† It’s easy to misconfigure VLANs, which can allow a malicious client to hop VLANs. VLANs are not a security panacea, but they’re a reasonable addition to other security measures.

How VLANs Work

802.1Q encapsulation: each Ethernet frame is tagged with a VLAN ID that VLAN-aware devices can read.
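
The tag described above, read the way a VLAN-aware device reads it. This is an added example, not code from the original page; the function name parse_vlan_tags and the sample frames are constructed for illustration. It goes slightly beyond the single-tag case in the text by also walking stacked tags (802.1ad, "QinQ").

```python
import struct

TPID_8021Q = 0x8100   # 802.1Q customer tag
TPID_8021AD = 0x88A8  # 802.1ad service tag (QinQ)

def parse_vlan_tags(frame: bytes):
    """Return (dst, src, tags, ethertype); tags is outermost-first, [] if untagged."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    offset, tags = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype not in (TPID_8021Q, TPID_8021AD):
            return dst, src, tags, etype   # first non-tag value is the real EtherType
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({
            "tpid": etype,
            "pcp": tci >> 13,         # 3-bit priority code point
            "dei": (tci >> 12) & 1,   # drop eligible indicator
            "vid": tci & 0x0FFF,      # 12-bit VLAN ID
        })
        offset += 4                   # each tag adds 4 bytes after the source MAC

# Constructed sample frames (not captured traffic): broadcast ARP-sized payloads.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("020000000001")
PAYLOAD = b"\x00" * 28
UNTAGGED = DST + SRC + bytes.fromhex("0806") + PAYLOAD
# TCI 0x6014 = PCP 3, DEI 0, VID 20
TAGGED = DST + SRC + bytes.fromhex("8100" "6014" "0806") + PAYLOAD
# Outer service tag VID 100, inner customer tag VID 20
STACKED = DST + SRC + bytes.fromhex("88a8" "0064" "8100" "0014" "0800") + PAYLOAD

if __name__ == "__main__":
    for name, frame in (("untagged", UNTAGGED), ("tagged", TAGGED), ("stacked", STACKED)):
        dst, src, tags, etype = parse_vlan_tags(frame)
        print(name, src, "->", dst, [t["vid"] for t in tags], hex(etype))
```

An untagged frame yields an empty tag list, which is what an end host on an access port normally sends and receives; the switch adds and strips the tag.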


Configuration and Terminology




Appendix: A Brief Review of the OSI Network Layer Model

In terms of VLANs, we’re concerned mainly with layer 2.

Dumb hubs operate only on layer 1; any packet received on any port gets sent to all the ports. Switches operate on layer 2; they shuffle traffic based on MAC addresses, with traffic received on one port only sent to the destination port with the appropriate MAC address. VLAN-capable smart switches maintain multiple ARP tables (see below) to further constrain which ports see what traffic. Some smart switches also have limited routing capability operating on layer 3.

  1. Physical: cables, link lights, simplex/duplex, DSL, T1
  2. Data link: MAC, ARP, lowest level TCP stuff, PPP, SLIP
  3. Network: routing, packetization, IPv4, IPv6, ICMP, IPsec
  4. Transport: segmentation-desegmentation, retransmits, UDP, TCP
  5. Session: NetBIOS, RPC, etc.
  6. Presentation: encapsulation, SSL, MIME, VT220
  7. Application: DNS, FTP, HTTP, NTP, SMTP, etc.

Appendix: A Brief Review of ARP

ARP is a layer 2 protocol. Nodes broadcast ARP requests in order to discover the MAC address of other nodes to which they wish to send data. A switch receives ARP requests, and broadcasts them to all its ports. The destination node responds to the original node with its MAC address and IP address. The originating host adds this pair of addresses to its ARP table.

The switch itself also maintains an ARP table, which matches MAC addresses to its ports. Smart switches manage ARP mappings in a more sophisticated way.