VLAN
What is VLAN?
VLANA virtual LAN (IEEE 802.1Q) groups switch ports into separate broadcast domains by tagging Ethernet frames with a 12-bit VLAN ID.
A Virtual LAN, standardized in IEEE 802.1Q, divides a physical switching fabric into multiple logical LANs by inserting a 4-byte VLAN tag containing a 12-bit VID (1-4094) into Ethernet frames. Access ports belong to a single VLAN; trunk ports carry multiple tagged VLANs between switches. Devices in different VLANs cannot reach each other at layer 2 and must transit a router or layer-3 switch, which makes VLANs a building block of network segmentation, host isolation, and policy zones. Security-relevant attacks include VLAN hopping (double tagging, switch spoofing) and CAM-table overflow. Hardening involves disabling DTP, pruning unused VLANs, using a dedicated unused VLAN as the native, and pairing 802.1Q with 802.1X and ACLs.
● Examples
- 01
VoIP phones are placed in VLAN 20 while user PCs sit in VLAN 10 on the same access port.
- 02
An attacker double-tags a frame (10 then 99) to hop from VLAN 10 into VLAN 99.
● Frequently asked questions
What is VLAN?
A virtual LAN (IEEE 802.1Q) groups switch ports into separate broadcast domains by tagging Ethernet frames with a 12-bit VLAN ID. It belongs to the Network Security category of cybersecurity.
What does VLAN mean?
A virtual LAN (IEEE 802.1Q) groups switch ports into separate broadcast domains by tagging Ethernet frames with a 12-bit VLAN ID.
How does VLAN work?
A Virtual LAN, standardized in IEEE 802.1Q, divides a physical switching fabric into multiple logical LANs by inserting a 4-byte VLAN tag containing a 12-bit VID (1-4094) into Ethernet frames. Access ports belong to a single VLAN; trunk ports carry multiple tagged VLANs between switches. Devices in different VLANs cannot reach each other at layer 2 and must transit a router or layer-3 switch, which makes VLANs a building block of network segmentation, host isolation, and policy zones. Security-relevant attacks include VLAN hopping (double tagging, switch spoofing) and CAM-table overflow. Hardening involves disabling DTP, pruning unused VLANs, using a dedicated unused VLAN as the native, and pairing 802.1Q with 802.1X and ACLs.
How do you defend against VLAN?
Defences for VLAN typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for VLAN?
Common alternative names include: Virtual LAN, 802.1Q VLAN.
● Related terms
- network-security№ 1113
Subnet
A contiguous range of IP addresses that share a common prefix, defining a single broadcast domain and routing boundary on a network.
- network-security№ 723
Network Segmentation
The practice of splitting a network into multiple zones with controlled traffic between them to contain breaches and enforce least privilege.
- network-security№ 637
MAC Address
A 48-bit hardware identifier (IEEE 802) burned into a network interface and used for delivery within a single link-layer segment.
- network-security№ 061
ARP
A link-layer protocol (RFC 826) that maps an IPv4 address to the MAC address of a host on the same broadcast domain so that frames can be delivered.
- network-security№ 514
IEEE 802.1X
A port-based network access control standard that authenticates a device or user before allowing traffic to pass on a wired or wireless port.
- network-security№ 678
Microsegmentation
A fine-grained form of segmentation that applies allow-list policies between individual workloads or applications, often via host or hypervisor enforcement.
● See also
- № 311DHCP
- № 168CIDR Notation