
VLANs & Switching Advanced

Segment networks with VLANs: switching, 802.1Q tagging, trunks, inter-VLAN routing and VLAN security.

17 lessons 51 quiz questions

1 How a switch forwards: the MAC address table

A switch is a Layer-2 device that forwards Ethernet frames based on their destination MAC address. It builds a MAC address table (also called a CAM table) by learning: when a frame arrives on a port, the switch records the frame’s source MAC address against that port.

To forward a frame the switch looks up the destination MAC. If it knows the port, it sends the frame out that one port only (unicast forwarding). If the destination is unknown, it floods the frame out every port except the one it arrived on. Entries age out (typically after 300 seconds) if no further traffic is seen.
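The learning, forwarding, flooding and ageing rules above as a small Python model. This is an added example, not code from the course; the port names, MAC addresses and timestamps are constructed.

```python
# Added example (not from the course): a minimal model of the MAC-table
# behaviour above: learn source MACs, forward known unicasts out one port,
# flood unknowns and broadcasts, age entries out. Time is passed in explicitly.

BROADCAST = "ff:ff:ff:ff:ff:ff"
AGING_SECONDS = 300  # typical default aging time

class Switch:
    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}  # mac -> (port, last_seen)

    def _expire(self, now):
        # Drop entries that have seen no traffic for AGING_SECONDS
        for mac in [m for m, (_, seen) in self.mac_table.items()
                    if now - seen >= AGING_SECONDS]:
            del self.mac_table[mac]

    def receive(self, in_port, src, dst, now):
        """Process one frame; return the list of egress ports."""
        self._expire(now)
        # Learning: bind the source MAC to the ingress port (refreshes the timer)
        self.mac_table[src.lower()] = (in_port, now)
        dst = dst.lower()
        if dst != BROADCAST and dst in self.mac_table:
            out_port, _ = self.mac_table[dst]
            # Known unicast: exactly one egress port; never back out the ingress port
            return [] if out_port == in_port else [out_port]
        # Unknown unicast or broadcast: flood every port except the ingress port
        return [p for p in self.ports if p != in_port]

def demo():
    """Three frames: unknown destination, known destination, aged-out destination."""
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3"])
    a, b, c = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"
    first = sw.receive("Fa0/1", a, b, now=0)    # B not yet learned -> flooded
    reply = sw.receive("Fa0/2", b, a, now=1)    # A learned on Fa0/1 -> unicast
    later = sw.receive("Fa0/3", c, a, now=400)  # A aged out -> flooded again
    return first, reply, later
```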

2 Collision domains vs broadcast domains

A collision domain is a segment where two devices can transmit at the same time and corrupt each other’s signals. Old hubs put every port in one collision domain; a switch gives every port its own collision domain, so with full-duplex links collisions essentially disappear.

A broadcast domain is the set of devices that receive a Layer-2 broadcast (destination FF:FF:FF:FF:FF:FF). By default all ports on a switch are in one broadcast domain. A switch forwards broadcasts everywhere within that domain; only a router (Layer 3) or a VLAN boundary stops a broadcast.

3 The problem VLANs solve

Because a plain switch is a single broadcast domain, every broadcast (ARP, DHCP discovery, etc.) reaches every device. On a large flat network this wastes bandwidth and CPU, and means there is no isolation: any host can talk directly to any other at Layer 2, which is bad for security.

The traditional fix was to buy a separate physical switch for each group and connect them with routers. That is rigid and expensive. VLANs let one physical switch host many independent logical networks, splitting the single broadcast domain into several — without extra hardware.

4 What a VLAN is

A VLAN (Virtual Local Area Network) is a logical grouping of switch ports — and the devices on them — into a single broadcast domain, independent of physical location. Ports in VLAN 10 behave as if they share their own switch; they cannot reach VLAN 20 at Layer 2.

A VLAN is identified by a number, its VLAN ID. Membership is usually assigned per port. Crucially, two devices in different VLANs need a Layer-3 device (a router or Layer-3 switch) to communicate, even if they plug into the same physical switch.

5 Benefits: segmentation, security, performance, flexibility

VLANs deliver four headline benefits. Segmentation: traffic for one group stays within its VLAN, shrinking broadcast domains. Security: sensitive systems (finance, servers) are isolated, and inter-VLAN traffic can be filtered by ACLs at the router. Performance: smaller broadcast domains mean each host processes fewer irrelevant broadcasts. Flexibility: membership is logical, so a user can move desks (or work in a different building) and keep the same VLAN by reconfiguring a port — no recabling.

6 Access ports vs trunk ports

A switch port operates in one of two main modes. An access port belongs to exactly one VLAN and connects to an end device (PC, printer, server). Frames on an access port are untagged; the host has no idea VLANs exist.

A trunk port carries traffic for many VLANs over a single link, typically between two switches or between a switch and a router. To keep VLANs separate, frames on a trunk are tagged with their VLAN ID (using 802.1Q). Thus access ports carry one VLAN untagged; trunk ports carry many VLANs, each identified by a tag.

7 802.1Q tagging: the tag and the VLAN ID

IEEE 802.1Q is the standard for VLAN tagging. It inserts a 4-byte tag into the Ethernet frame after the source MAC address. The tag contains a 2-byte Tag Protocol Identifier (TPID, 0x8100) and a 2-byte Tag Control Information (TCI) field. The TCI holds a 3-bit PCP (priority, 802.1p), a 1-bit DEI flag, and a 12-bit VLAN ID.

Because the VLAN ID is 12 bits, it ranges over 2^12 = 4096 values, numbered 0–4095. IDs 0 and 4095 are reserved, so usable VLAN IDs run from 1 to 4094. VLANs 1002–1005 are reserved for legacy Token Ring/FDDI on Cisco gear; 1–1005 are the normal range and 1006–4094 the extended range.

8 The native VLAN and untagged traffic

On an 802.1Q trunk, almost every VLAN is tagged — but one VLAN is sent untagged. That is the native VLAN. When a frame for the native VLAN crosses the trunk, the switch sends it without a tag; when an untagged frame arrives on the trunk, it is assumed to belong to the native VLAN.

The native VLAN defaults to VLAN 1, and it must match on both ends of a trunk or you get a mismatch (and a CDP warning). For security it is best practice to change the native VLAN to an unused ID and to use a dedicated, otherwise-empty VLAN for it, because the native VLAN is involved in the double-tagging VLAN-hopping attack.
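Lessons 7 and 8 together: building and parsing the 802.1Q tag (TPID, PCP, DEI, VID) and classifying a frame arriving on a trunk into either its tagged VLAN or the port's native VLAN. Added example, not from the course; the MAC addresses and the helper names are constructed.

```python
# Added example (not from the course): build and parse the 802.1Q tag described
# above, then classify a trunk ingress frame the way a switch does:
# tagged -> the VID in the tag, untagged -> the port's native VLAN.
import struct

TPID_8021Q = 0x8100

def build_tag(vid, pcp=0, dei=0):
    """Return the 4-byte tag: TPID, then TCI = PCP(3 bits) | DEI(1) | VID(12)."""
    if not (0 <= vid <= 4095 and 0 <= pcp <= 7 and dei in (0, 1)):
        raise ValueError("tag field out of range")
    tci = (pcp << 13) | (dei << 12) | vid
    return struct.pack("!HH", TPID_8021Q, tci)

def tagged_frame(dst, src, vid, ethertype=0x0800, payload=b"", pcp=0):
    """Ethernet header with the tag inserted after the source MAC."""
    return dst + src + build_tag(vid, pcp) + struct.pack("!H", ethertype) + payload

def parse_tag(frame):
    """Return (pcp, dei, vid) if bytes 12..15 hold an 802.1Q tag, else None."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return (tci >> 13) & 0x7, (tci >> 12) & 0x1, tci & 0x0FFF

def ingress_vlan(frame, native_vlan):
    """VLAN a trunk port assigns the frame to (untagged -> native VLAN)."""
    tag = parse_tag(frame)
    return native_vlan if tag is None else tag[2]

# Constructed sample addresses for a demo
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
```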

9 Default VLAN 1 and the management VLAN

By default every switch port is a member of VLAN 1, the default VLAN. VLAN 1 cannot be deleted or renamed and also carries control-plane traffic such as CDP, VTP, and DTP advertisements.

The management VLAN is the VLAN whose SVI (switch virtual interface) holds the switch’s management IP — used for SSH, SNMP, etc. By default this is VLAN 1, but best practice is to move management to a dedicated VLAN that is separate from user data. Leaving everything on VLAN 1 is discouraged: keep user ports off VLAN 1 and isolate management.

10 Configuring a VLAN and assigning an access port

On Cisco IOS you first create the VLAN, then put a port into access mode and assign it to that VLAN. The commands below create VLAN 10 (named SALES), then assign interface FastEthernet0/1 to it as an access port. Use show vlan brief to confirm the port landed in the right VLAN.

! Create and name the VLAN
Switch> enable
Switch# configure terminal
Switch(config)# vlan 10
Switch(config-vlan)# name SALES
Switch(config-vlan)# exit

! Assign an access port to VLAN 10
Switch(config)# interface FastEthernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# end

! Verify
Switch# show vlan brief

11 Trunking between switches

To carry many VLANs between two switches you configure a trunk. On modern Cisco switches that only support 802.1Q you set switchport mode trunk; on platforms that also support the legacy ISL you may first run switchport trunk encapsulation dot1q. You can restrict which VLANs ride the trunk with an allowed list, and set the native VLAN explicitly.

Dynamic Trunking Protocol (DTP) can auto-negotiate trunks, but for security you should hard-set the mode and disable negotiation with switchport nonegotiate on links to untrusted ports.

! Configure a trunk on a switch-to-switch link
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk native vlan 99
Switch(config-if)# switchport trunk allowed vlan 10,20,30,99
Switch(config-if)# switchport nonegotiate
Switch(config-if)# end

! Verify
Switch# show interfaces trunk

12 Inter-VLAN routing: router-on-a-stick

Devices in different VLANs need a Layer-3 hop. Router-on-a-stick uses a single physical router interface connected to a switch trunk, divided into one subinterface per VLAN. Each subinterface is tagged with encapsulation dot1Q <vlan> and given the VLAN’s gateway IP. Traffic between VLANs travels up the trunk, gets routed by the router, and returns tagged for the destination VLAN.

It is cheap (one router port) but the single physical link can become a bottleneck. Note the switch side must be a trunk, not an access port.

! Router-on-a-stick: one subinterface per VLAN
Router(config)# interface GigabitEthernet0/0
Router(config-if)# no shutdown
Router(config-if)# exit

Router(config)# interface GigabitEthernet0/0.10
Router(config-subif)# encapsulation dot1Q 10
Router(config-subif)# ip address 192.168.10.1 255.255.255.0
Router(config-subif)# exit

Router(config)# interface GigabitEthernet0/0.20
Router(config-subif)# encapsulation dot1Q 20
Router(config-subif)# ip address 192.168.20.1 255.255.255.0
Router(config-subif)# end

13 Inter-VLAN routing: Layer-3 switch SVIs

A faster approach uses a Layer-3 switch that routes in hardware. You enable ip routing, then create a switch virtual interface (SVI) for each VLAN — a virtual interface named interface vlan <id> that holds that VLAN’s gateway IP. Routing between VLANs then happens internally at wire speed, with no external router and no single-link bottleneck.

SVIs are also how a switch gets a management IP. An SVI comes up only when at least one active port (or trunk carrying it) exists in that VLAN.

! Inter-VLAN routing with SVIs on a Layer-3 switch
Switch(config)# ip routing

Switch(config)# interface vlan 10
Switch(config-if)# ip address 192.168.10.1 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# exit

Switch(config)# interface vlan 20
Switch(config-if)# ip address 192.168.20.1 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# end

Switch# show ip route

14 VTP: VLAN Trunking Protocol basics

VTP (VLAN Trunking Protocol) is a Cisco protocol that propagates VLAN definitions across trunks so you create a VLAN once and it appears on every switch in the same VTP domain. Switches operate in one of three modes: server (can create/modify/delete VLANs and advertises them), client (cannot edit VLANs locally, just syncs), and transparent (does not participate but forwards advertisements and keeps its own local VLANs).

VTP uses a configuration revision number; the highest revision wins. A notorious hazard: inserting a switch with a higher revision number and stale VLAN data can overwrite the whole domain’s VLAN database. Reset the revision (e.g. by switching to transparent and back) before adding a switch.

15 Voice VLANs

IP phones usually sit between the wall port and a PC: the phone plugs into the switch, and the PC plugs into the phone. A voice VLAN lets that single port carry two VLANs — voice traffic (tagged) for the phone and data traffic (untagged, in the access VLAN) for the PC. This keeps voice separate so QoS can prioritise it and so phones get their own subnet.

On Cisco IOS you set both switchport access vlan (data) and switchport voice vlan on the same access port. The phone learns its voice VLAN via CDP/LLDP and tags its own frames; the PC’s frames remain untagged.

! Phone (voice) + PC (data) on one access port
Switch(config)# interface FastEthernet0/5
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 20
Switch(config-if)# switchport voice vlan 150
Switch(config-if)# end

! Verify
Switch# show interfaces FastEthernet0/5 switchport

16 Private VLANs (introduction)

Private VLANs (PVLANs) subdivide a single VLAN/subnet into isolated sub-domains without burning extra VLAN IDs or subnets — useful in hosting and DMZ environments. A primary VLAN contains two kinds of secondary VLANs: isolated ports can talk only to promiscuous ports (typically the gateway/router), not to each other; community ports can talk to other ports in their own community and to promiscuous ports, but not to other communities.

The result: many customers share one subnet yet remain Layer-2-isolated from one another, while all still reach the shared gateway through the promiscuous port.
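The isolated/community/promiscuous reachability rules above, written as a policy function and applied to a constructed hosting scenario. Added example, not from the course; the role names and port labels are this example's own.

```python
# Added example (not from the course): the Layer-2 reachability rules of a
# private VLAN as a policy function. Community ports also carry the name of
# their community; isolated and promiscuous ports carry None.
PROMISCUOUS, ISOLATED, COMMUNITY = "promiscuous", "isolated", "community"

def pvlan_can_reach(src, dst):
    """src and dst are (role, community) tuples."""
    s_role, s_comm = src
    d_role, d_comm = dst
    if PROMISCUOUS in (s_role, d_role):
        return True                 # the gateway side talks to every port
    if ISOLATED in (s_role, d_role):
        return False                # isolated ports reach only promiscuous ports
    return s_comm == d_comm         # community <-> same community only

def reachability_matrix(ports):
    """ports: {name: (role, community)} -> {(a, b): bool} for all ordered pairs."""
    return {(a, b): pvlan_can_reach(ports[a], ports[b])
            for a in ports for b in ports if a != b}

# Constructed scenario: one gateway, two isolated tenants, two communities
HOSTING = {
    "gw":   (PROMISCUOUS, None),
    "t1":   (ISOLATED, None),
    "t2":   (ISOLATED, None),
    "web1": (COMMUNITY, "web"),
    "web2": (COMMUNITY, "web"),
    "db1":  (COMMUNITY, "db"),
}
```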

17 VLAN security: VLAN hopping and mitigations

VLAN hopping lets an attacker reach a VLAN they are not assigned to. Two classic methods exist. Switch spoofing: the attacker’s host pretends to be a switch and negotiates a trunk via DTP, gaining access to all VLANs. Double-tagging: the attacker sends a frame with two 802.1Q tags — the outer tag matching the native VLAN. The first switch strips the outer (native) tag and forwards the frame on its trunk; the second switch reads the inner tag and delivers it into the victim VLAN. Note double-tagging is one-way (no return path) and relies on the native VLAN.

Mitigations: disable DTP and hard-set ports (switchport mode access + switchport nonegotiate); shut unused ports and put them in an unused VLAN; never use VLAN 1 for user or native traffic; set the native VLAN to a dedicated, otherwise-empty ID; and explicitly prune the allowed-VLAN list on trunks.

! Hardening an end-user access port against VLAN hopping
Switch(config)# interface FastEthernet0/10
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 20
Switch(config-if)# switchport nonegotiate
Switch(config-if)# exit

! Move the trunk native VLAN off VLAN 1 to an unused VLAN
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# switchport trunk native vlan 999
Switch(config-if)# end
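A small audit that reads an IOS-style running-config and reports which of the mitigations above are missing on each port (mode hard-set, DTP disabled, native VLAN not 1, allowed list pruned, user ports off VLAN 1). Added example, not from the course; the configuration text and the finding wording are constructed.

```python
# Added example (not from the course): audit an IOS running-config against the
# VLAN-hopping mitigations above. Config text and check wording are constructed here.
import re
SAMPLE_CONFIG = """\
interface FastEthernet0/10
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 1
interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30,999
 switchport nonegotiate
"""

def parse_interfaces(config):
    """Return {interface name: [its indented config lines]}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # '!' or a non-interface line ends the block
    return interfaces

def _value(lines, prefix, default):
    return next((l.split()[-1] for l in lines if l.startswith(prefix)), default)

def audit(config):
    """Return {interface: [findings]}; an empty list means the port passes."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        mode = _value(lines, "switchport mode ", None)
        native = int(_value(lines, "switchport trunk native vlan ", "1"))
        access = int(_value(lines, "switchport access vlan ", "1"))
        checks = [
            (mode is None, "mode not hard-set: DTP may negotiate a trunk"),
            ("switchport nonegotiate" not in lines, "DTP not disabled (no switchport nonegotiate)"),
            (mode == "trunk" and native == 1, "trunk native VLAN is 1"),
            (mode == "trunk" and not _value(lines, "switchport trunk allowed vlan ", ""), "trunk allowed-VLAN list not pruned"),
            (mode != "trunk" and access == 1, "port left in VLAN 1"),
        ]
        findings[name] = [msg for bad, msg in checks if bad]
    return findings
```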
