N4N003: What’s a VLAN?
This episode explains VLANs (Virtual Local Area Networks) as a technology for segmenting networks into separate broadcast domains using 802.1Q tags with 12-bit VLAN identifiers (1-4094). The hosts discuss how VLANs enable network segmentation, inter-VLAN communication through routers, traffic filtering using access lists, and modern alternatives like VXLAN that use VNIs for larger-scale deployments.
Summary
Ethan Banks and Holly Metlitsky explain that VLANs are virtual local area networks operating at Layer 2 (Ethernet frames), evolving from the physical LAN concept where devices shared a common wire or hub. VLANs allow multiple logical network segments to exist within a single physical switch or to span multiple switches using VLAN tags.
The core technical mechanism involves the 802.1Q tag, a 32-bit tag inserted into Ethernet frames containing a 12-bit VLAN identifier field, allowing 4,094 usable VLAN IDs (0 and 4095 are reserved). By default, switches come configured with VLAN 1 as the native/default VLAN, where all ports are members unless otherwise configured. Access ports belong to a single VLAN without tagging, while trunk (or tagged) ports carry frames from multiple VLANs with tags attached.
The hosts explain broadcast domains as the key concept—each VLAN creates a separate broadcast domain, preventing broadcast frames in one VLAN from reaching hosts in another. This is demonstrated through the ARP (Address Resolution Protocol) process, where hosts use broadcasts to discover MAC addresses within their VLAN. The segmentation provides a security boundary by default, since inter-VLAN communication is not possible unless it is explicitly enabled through routers or Layer 3 switches.
Communication between VLANs requires routing, which modern Layer 3 switches can perform by decapsulating frames into IP packets, routing them to the destination VLAN, and re-encapsulating them. The hosts discuss traffic control mechanisms including port access lists, VLAN access lists, private VLANs (which can completely isolate hosts from each other except through a router port), and firewalls for more sophisticated inter-VLAN filtering.
The episode concludes with VXLAN (Virtual Extensible LAN) as a modern evolution that maps VLANs to Virtual Network Identifiers (VNIs), dramatically expanding from 4,094 to approximately 16 million identifiers to address scalability limitations in large enterprise and datacenter deployments.
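To make the 802.1Q tag and the VXLAN VNI discussed above concrete, here is an added example (not code from the podcast or from Packet Pushers) that decodes and inserts the 32-bit tag, rejects the reserved VLAN IDs 0 and 4095, floods a broadcast only to ports in the same VLAN, and reads the 24-bit VNI from a VXLAN header. The ARP frame and the port-to-VLAN table are constructed sample data.

```python
import struct

TPID_8021Q = 0x8100                    # EtherType value that marks an 802.1Q tag
VLAN_ID_MIN, VLAN_ID_MAX = 1, 4094     # 12-bit VID; 0 and 4095 are reserved
VXLAN_VNI_MAX = (1 << 24) - 1          # 24-bit VNI: about 16 million IDs

def parse_frame(frame: bytes) -> dict:
    """Decode an Ethernet II header and, if present, the 32-bit 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "vid": None, "pcp": None,
            "broadcast": dst == b"\xff" * 6}
    off = 14
    if ethertype == TPID_8021Q:        # tagged (trunk) frame: TPID, TCI, real EtherType
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid = tci & 0x0FFF             # VID is the low 12 bits of the TCI
        if not VLAN_ID_MIN <= vid <= VLAN_ID_MAX:
            raise ValueError(f"VID {vid} is reserved, frame discarded")
        info["vid"], info["pcp"] = vid, tci >> 13   # PCP is the top 3 bits
        off = 18
    info["ethertype"], info["payload"] = ethertype, frame[off:]
    return info

def add_tag(untagged: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag, as a switch does when forwarding out a trunk port."""
    if not VLAN_ID_MIN <= vid <= VLAN_ID_MAX:
        raise ValueError(f"VID {vid} is outside the usable range 1-4094")
    tci = ((pcp & 0x7) << 13) | vid
    return untagged[:12] + struct.pack("!HH", TPID_8021Q, tci) + untagged[12:]

def strip_tag(tagged: bytes) -> bytes:
    """Remove the tag, as a switch does when forwarding out an access port."""
    return tagged[:12] + tagged[16:]

def flood_ports(vid: int, ingress: str, port_vlans: dict) -> list:
    """Ports a broadcast is flooded to: only the same VLAN (one broadcast domain)."""
    return sorted(p for p, v in port_vlans.items() if v == vid and p != ingress)

def vxlan_vni(header: bytes) -> int:
    """Read the 24-bit VNI from an 8-byte VXLAN header (flags, reserved, VNI, reserved)."""
    flags, vni_word = struct.unpack("!II", header[:8])
    if not flags & 0x08000000:         # the I bit says the VNI field is valid
        raise ValueError("VXLAN I flag not set, no valid VNI")
    return vni_word >> 8

# Constructed sample: an ARP request broadcast from a host on access port p1 (VLAN 10)
ARP_REQUEST = b"\xff" * 6 + bytes.fromhex("001122334455") + b"\x08\x06" + b"\x00\x01\x08\x00"
PORT_VLANS = {"p1": 10, "p2": 10, "p3": 20, "p4": 10}   # constructed port-to-VLAN table
```

Running `parse_frame(add_tag(ARP_REQUEST, 10))` shows the frame as it would appear on a trunk, and `flood_ports(10, "p1", PORT_VLANS)` shows that p3 in VLAN 20 never sees the broadcast.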
About this episode
Today we explore Virtual Local Area Networks (VLANs). This topic was prompted by a question from college student Douglas. We’ll explain the fundamental concepts of VLANs, such as their role in segmenting and managing network traffic, and the technical details for implementation. We’ll also address key topics including VLAN tags, access and trunk ports, and ...
Key Insights
- The hosts explain that VLANs evolved from physical LAN architectures where all devices shared a common wire or hub, progressing to virtual segments enabled by switching technology.
- Ethan and Holly establish that VLAN tagging happens at the Ethernet frame header level (Layer 2), not at the IP packet level, using the 802.1Q standard, whose 12-bit identifier field allows 4,096 values of which 4,094 are usable VLAN IDs (0 and 4095 are reserved).
- The hosts clarify terminology differences across vendors: Cisco uses 'native VLAN' and 'trunk port' while Juniper uses different naming, but the concepts remain functionally identical.
- Holly identifies that broadcast domains are the key operational concept—broadcasts from one VLAN are not visible to hosts in other VLANs, creating isolated communication scopes for ARP and other broadcast protocols.
- Ethan explains that access ports carry untagged frames belonging to a single VLAN, while trunk/tagged ports add VLAN tags to frames traversing them, enabling frame identification across shared links.
- The hosts note that by default, hosts within the same VLAN can communicate with each other, but this can be restricted using access lists, VLAN access lists, private VLANs, or firewall rules.
- Ethan and Holly establish that inter-VLAN communication requires routing, where Layer 3 switches decapsulate frames to IP packets, route them to destination VLANs, and re-encapsulate them for delivery.
- Holly identifies VXLAN as addressing VLAN scalability limitations by mapping VLANs to Virtual Network Identifiers, expanding capacity from 4,094 to 16 million identifiers for larger enterprise deployments.
Transcript
Welcome to N is for Networking, the short, sharp podcast where we explain the jargon, acronyms, and concepts of the networking industry in plain language. I'm your co-host, Ethan Banks, a grumpy old network engineer who's been pushing packets around since the 90s. And with me is co-host Holly Metlitsky, a university grad with a master's degree working in the networking industry, but still somewhat new to the scene. In this episode of N is for Networking, we are going to discuss another question from my friend Douglas, who sent in a whole list of questions for us, Douglas did. Douglas is a college student right now, and he asks, what are VLANs and how do they help manage network traffic?…