linuxlab.io
Copyright © 2026 LinuxLab. All rights reserved.

VLAN and 802.1Q tagging

One physical switch, one cable plant, but logically split into several isolated broadcast domains. The magic is in a 4-byte tag.

Picture an office: 50 wall jacks, one switch in the closet, and accounting and development have to be isolated from each other. Run a second switch and a second set of cables? No, you have VLANs.

A VLAN (Virtual LAN) is a way to logically split one physical switch into several independent broadcast domains. Hosts in VLAN 10 do not "hear" hosts in VLAN 20, even when they are plugged into adjacent ports of the same switch.

It works through 802.1Q tagging: a 4-byte tag with a VLAN ID is inserted into the Ethernet frame when it crosses a trunk port between switches, and is removed at the access port before the frame goes to the host.

[Interactive diagram, step 1/5: 4 hosts, 1 switch, 2 VLANs. A VLAN-aware switch has four access ports (host A1 and host A2 in VLAN 10, host B1 and host B2 in VLAN 20) and one trunk port toward other switches and the internet. The animation shows how one switch serves 2 VLANs, and where the tag is added and removed.]

§ steps

  1. Four hosts are connected to the switch, but they are logically separated:

    • A1, A2 are in VLAN 10 (say, the accounting department)
    • B1, B2 are in VLAN 20 (say, development)

    The port configuration on the switch says "this port belongs to VLAN N". These are access ports: end devices connect to them, and they work without tags.

recap

What matters here:

  • An access port is connected to one host, in one VLAN. The host neither sees nor sends tags. To it this is an ordinary network
  • A trunk port is connected to another switch, and it carries frames of different VLANs with tags. The tag says "this frame is for VLAN N", and on that basis the receiving switch decides which access ports to send it out of
  • An 802.1Q tag is 4 bytes, inserted between the MAC addresses and the ethertype in the Ethernet header. It holds a VLAN ID (12 bits, up to 4096 VLANs) plus a priority (3 bits, for QoS)
  • Frames do not move between VLANs at L2. For a host in VLAN 10 to talk to a host in VLAN 20 you need a router (an L3 device) that handles both VLANs. This is called inter-VLAN routing or router-on-a-stick
  • A native VLAN is the VLAN that travels on a trunk without a tag. By default this is VLAN 1. A native VLAN mismatch on the two ends of a trunk is a common configuration error
  • On Linux you can create VLAN interfaces: ip link add link eth0 name eth0.10 type vlan id 10, and now eth0.10 accepts only frames tagged with VLAN 10

Related to broadcast-domain (a VLAN is a logical broadcast domain) and ethernet-frame (where the 802.1Q tag goes).
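
The tag handling from the recap, as an added example (not code from the original page): a trunk port inserting the 4-byte tag, an access port stripping it, and a receiving switch falling back to its native VLAN for untagged frames. The function names and the sample frame are constructed for illustration; the TPID value 0x8100, the DEI bit and the meaning of VLAN ID 0 come from the 802.1Q standard rather than from this page.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag (from the standard)

def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Trunk egress: insert the 4-byte tag after the two MACs (bytes 0-11)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    if not (0 <= vid <= 0xFFF and 0 <= pcp <= 7):
        raise ValueError("VLAN ID is 12 bits, priority is 3 bits")
    tci = (pcp << 13) | vid  # bit 12 (DEI) is left at 0
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def parse(frame: bytes) -> dict:
    """Split a frame into VLAN ID, priority, ethertype and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:  # untagged: what a host on an access port sees
        return {"vid": None, "pcp": None, "ethertype": ethertype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack_from("!HH", frame, 14)
    return {"vid": tci & 0x0FFF, "pcp": tci >> 13, "ethertype": inner, "payload": frame[18:]}

def strip_tag(frame: bytes) -> bytes:
    """Access egress: remove the tag so the host gets an ordinary frame."""
    return frame if parse(frame)["vid"] is None else frame[:12] + frame[16:]

def trunk_ingress_vlan(frame: bytes, native_vlan: int = 1) -> int:
    """VLAN the receiving switch assigns: the tag's ID, or its own native VLAN."""
    vid = parse(frame)["vid"]
    # Untagged frames, and VLAN ID 0 (a priority-only tag), go to the native VLAN.
    return native_vlan if vid in (None, 0) else vid

# Constructed sample: broadcast dst MAC, made-up src MAC, IPv4 ethertype, dummy payload.
SAMPLE = bytes.fromhex("ffffffffffff" "020000000a01" "0800") + b"hello"

if __name__ == "__main__":
    tagged = add_tag(SAMPLE, vid=10, pcp=5)
    print(tagged.hex())
    print(parse(tagged))
    print(strip_tag(tagged) == SAMPLE)
    # Native VLAN mismatch: the same untagged frame lands in different VLANs
    # depending on which native VLAN each end of the trunk is configured with.
    print(trunk_ingress_vlan(SAMPLE, native_vlan=1), trunk_ingress_vlan(SAMPLE, native_vlan=99))
```

The last line shows why a native VLAN mismatch leaks traffic between broadcast domains: an untagged frame carries no VLAN information of its own, so each switch files it under whatever it has configured locally.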

§ dig into the knowledge base

  • ethernet-frame: Ethernet frame, where 802.1Q is plugged in
  • broadcast-domain: broadcast domain, what a VLAN cuts up
  • mac-address: MAC address, what the tag is made of