Hubbry Logo
VLANVLANMain
Open search
VLAN
Community hub
VLAN
logo
8 pages, 0 posts
0 subscribers
Be the first to start a discussion here.
Be the first to start a discussion here.
VLAN
VLAN
VLAN
View on Wikipedia
from Wikipedia
OSI model
by layer
7.  Application layer
6.  Presentation layer
5.  Session layer
4.  Transport layer
3.  Network layer
2.  Data link layer
1.  Physical layer
The general concept of virtual LANs.

A virtual local area network (VLAN) is a local area network broadcast domain that is partitioned and isolated in a virtual network at the data link layer (OSI layer 2).[2][3] A VLAN behaves like a virtual network switch or network link that can share the same physical structure with other VLANs while staying logically separate from them.

VLANs work by applying tags to network frames that are forwarded within the broadcast domain, creating the appearance and functionality of network traffic that behaves as if it were split between separate networks. In this way, VLANs can keep network applications separate despite being connected to the same physical network, and without requiring multiple sets of cabling and networking devices to be deployed.

VLANs allow network administrators to group hosts together even if the hosts are not directly connected to the same network switch. Because VLAN membership can be configured through software, this can greatly simplify network design and deployment. Without VLANs, grouping hosts according to their resource needs the labor of relocating nodes or rewiring data links. VLANs allow devices that must be kept separate to share the cabling of a physical network and yet be prevented from directly interacting with one another. This managed sharing yields gains in simplicity, security, traffic management, and economy.

Many Internet hosting services use VLANs to separate customers' private zones from one another, enabling each customer's servers to be grouped within a single network segment regardless of where the individual servers are located in the data center. Some precautions are needed to prevent traffic "escaping" from a given VLAN, an exploit known as VLAN hopping.

To subdivide a network into VLANs, one configures network equipment. Simpler equipment might partition only each physical port, in which case each VLAN runs over a dedicated network cable. More sophisticated devices can mark frames through VLAN tagging, so that a single interconnect (trunk) may be used to transport data for multiple VLANs. Since VLANs share bandwidth, a VLAN trunk can use link aggregation, quality-of-service prioritization, or both to route data efficiently.

Uses

[edit]

VLANs address issues such as scalability, security, and network management. Network architects set up VLANs to provide network segmentation. Routers between VLANs filter broadcast traffic, enhance network security, perform address summarization, and mitigate network congestion.

In a network utilizing broadcasts for service discovery, address assignment and resolution and other services, as the number of peers on a network grows, the frequency of broadcasts also increases. VLANs can help manage broadcast traffic by forming multiple broadcast domains. Breaking up a large network into smaller independent segments reduces the amount of broadcast traffic each network device and network segment has to bear. Switches may not bridge network traffic between VLANs, as doing so would violate the integrity of the VLAN broadcast domain.

VLANs can also help create multiple layer 3 networks on a single physical infrastructure. VLANs are data link layer (OSI layer 2) constructs, analogous to Internet Protocol (IP) subnets, which are network layer (OSI layer 3) constructs. In an environment employing VLANs, a one-to-one relationship often exists between VLANs and IP subnets, although it is possible to have multiple subnets on one VLAN.

Without VLAN capability, users are assigned to networks based on geography and are limited by physical topologies and distances. VLANs can logically group networks to decouple the users' network location from their physical location. By using VLANs, one can control traffic patterns and react quickly to employee or equipment relocations. VLANs provide the flexibility to adapt to changes in network requirements and allow for simplified administration.[3]

VLANs can be used to partition a local network into several distinctive segments, for instance:[4]

A common infrastructure shared across VLAN trunks can provide a measure of security with great flexibility for a comparatively low cost. Quality of service schemes can optimize traffic on trunk links for real-time (e.g. VoIP) or low-latency requirements (e.g. SAN). However, VLANs as a security solution should be implemented with great care as they can be defeated unless implemented carefully.[5]

In cloud computing VLANs, IP addresses, and MAC addresses in the cloud are resources that end users can manage. To help mitigate security issues, placing cloud-based virtual machines on VLANs may be preferable to placing them directly on the Internet.[6]

Network technologies with VLAN capabilities include:[citation needed]

History

[edit]

After successful experiments with voice over Ethernet from 1981 to 1984, W. David Sincoskie joined Bellcore and began addressing the problem of scaling up Ethernet networks. At 10 Mbit/s, Ethernet was faster than most alternatives at the time. However, Ethernet was a broadcast network and there was no good way of connecting multiple Ethernet networks together. This limited the total bandwidth of an Ethernet network to 10 Mbit/s and the maximum distance between nodes to a few hundred feet.

By contrast, although the existing telephone network's speed for individual connections was limited to 56 kbit/s (less than one hundredth of Ethernet's speed), the total bandwidth of that network was estimated at 1 Tbit/s[citation needed] (100,000 times greater than Ethernet).

Although it was possible to use IP routing to connect multiple Ethernet networks together, it was expensive and relatively slow. Sincoskie started looking for alternatives that required less processing per packet. In the process, he independently reinvented transparent bridging, the technique used in modern Ethernet switches.[7] However, using switches to connect multiple Ethernet networks in a fault-tolerant fashion requires redundant paths through that network, which in turn requires a spanning tree configuration. This ensures that there is only one active path from any source node to any destination on the network. This causes centrally located switches to become bottlenecks, limiting scalability as more networks are interconnected.

To help alleviate this problem, Sincoskie invented VLANs by adding a tag to each Ethernet frame. These tags could be thought of as colors, say red, green, or blue. In this scheme, each switch could be assigned to handle frames of a single color, and ignore the rest. The networks could be interconnected with three spanning trees, one for each color. By sending a mix of different frame colors, the aggregate bandwidth could be improved. Sincoskie referred to this as a multitree bridge. He and Chase Cotton created and refined the algorithms necessary to make the system feasible.[8] This color is what is now known in the Ethernet frame as the IEEE 802.1Q header, or the VLAN tag. While VLANs are commonly used in modern Ethernet networks, they are not used in the manner first envisioned here.[clarification needed]

In 1998, Ethernet VLANs were described in the first edition of the IEEE 802.1Q-1998 standard.[9] This was extended with IEEE 802.1ad to allow nested VLAN tags in service of provider bridging. This mechanism was improved with IEEE 802.1ah-2008.

Configuration and design considerations

[edit]

Early network designers often segmented physical LANs with the aim of reducing the size of the Ethernet collision domain—thus improving performance. When Ethernet switches made this a non-issue (because each switch port is a collision domain), attention turned to reducing the size of the data link layer broadcast domain. VLANs were first employed to separate several broadcast domains across one physical medium. A VLAN can also serve to restrict access to network resources without regard to physical topology of the network.[a]

VLANs operate at the data link layer of the OSI model. Administrators often configure a VLAN to map directly to an IP network, or subnet, which gives the appearance of involving the network layer. Generally, VLANs within the same organization will be assigned different non-overlapping network address ranges. This is not a requirement of VLANs. There is no issue with separate VLANs using identical overlapping address ranges (e.g. two VLANs each use the private network 192.168.0.0/16). However, it is not possible to route data between two networks with overlapping addresses without delicate IP remapping, so if the goal of VLANs is segmentation of a larger overall organizational network, non-overlapping addresses must be used in each separate VLAN.

A basic switch that is not configured for VLANs has VLAN functionality disabled or permanently enabled with a default VLAN that contains all ports on the device as members.[3] The default VLAN typically uses VLAN identifier 1. Every device connected to one of its ports can send packets to any of the others. Separating ports by VLAN groups separates their traffic very much like connecting each group using a distinct switch for each group.

Remote management of the switch requires that the administrative functions be associated with one or more of the configured VLANs.

In the context of VLANs, the term trunk denotes a network link carrying multiple VLANs, which are identified by labels (or tags) inserted into their packets. Such trunks must run between tagged ports of VLAN-aware devices, so they are often switch-to-switch or switch-to-router links rather than links to hosts. (Note that the term 'trunk' is also used for what Cisco calls "channels" : Link Aggregation or Port Trunking). A router (Layer 3 device) serves as the backbone for network traffic going across different VLANs. It is only when the VLAN port group is to extend to another device that tagging is used. Since communications between ports on two different switches travel via the uplink ports of each switch involved, every VLAN containing such ports must also contain the uplink port of each switch involved, and traffic through these ports must be tagged.

Switches typically have no built-in method to indicate VLAN to port associations to someone working in a wiring closet. It is necessary for a technician to either have administrative access to the device to view its configuration, or for VLAN port assignment charts or diagrams to be kept next to the switches in each wiring closet.

Protocols and design

[edit]

The protocol most commonly used today to support VLANs is IEEE 802.1Q. The IEEE 802.1 working group defined this method of multiplexing VLANs in an effort to provide multivendor VLAN support. Prior to the introduction of the 802.1Q standard, several proprietary protocols existed, such as Cisco Inter-Switch Link (ISL) and 3Com's Virtual LAN Trunk (VLT). Cisco also implemented VLANs over FDDI by carrying VLAN information in an IEEE 802.10 frame header, contrary to the purpose of the IEEE 802.10 standard.

Both ISL and IEEE 802.1Q perform explicit tagging – the frame itself is tagged with VLAN identifiers. ISL uses an external tagging process that does not modify the Ethernet frame, while 802.1Q uses a frame-internal field for tagging, and therefore does modify the basic Ethernet frame structure. This internal tagging allows IEEE 802.1Q to work on both access and trunk links using standard Ethernet hardware.

IEEE 802.1Q

[edit]
Main article: IEEE 802.1Q

Under IEEE 802.1Q, the maximum number of VLANs on a given Ethernet network is 4,094 (4,096 values provided by the 12-bit VID field minus reserved values at each end of the range, 0 and 4,095). This does not impose the same limit on the number of IP subnets in such a network since a single VLAN can contain multiple IP subnets. IEEE 802.1ad extends the number of VLANs supported by adding support for multiple, nested VLAN tags. IEEE 802.1aq (Shortest Path Bridging) expands the VLAN limit to 16 million. Both improvements have been incorporated into the IEEE 802.1Q standard.

[edit]
Main article: Cisco Inter-Switch Link

Inter-Switch Link (ISL) is a Cisco proprietary protocol used to interconnect switches and maintain VLAN information as traffic travels between switches on trunk links. ISL is provided as an alternative to IEEE 802.1Q. ISL is available only on some Cisco equipment and has been deprecated.[11]

Cisco VLAN Trunking Protocol

[edit]
Main article: VLAN Trunking Protocol

VLAN Trunking Protocol (VTP) is a Cisco proprietary protocol that propagates the definition of VLANs on the whole local area network. VTP is available on most of the Cisco Catalyst Family products. The comparable IEEE standard in use by other manufacturers is GARP VLAN Registration Protocol (GVRP) or the more recent Multiple VLAN Registration Protocol (MVRP).

Multiple VLAN Registration Protocol

[edit]
Main article: Multiple Registration Protocol

Multiple VLAN Registration Protocol is an application of Multiple Registration Protocol that allows automatic configuration of VLAN information on network switches. Specifically, it provides a method to dynamically share VLAN information and configure the needed VLANs.

Membership

[edit]

VLAN membership can be established either statically or dynamically.

Static VLANs are also referred to as port-based VLANs. Static VLAN assignments are created by assigning ports to a VLAN. As a device enters the network, the device automatically assumes the VLAN of the port. If the user changes ports and needs access to the same VLAN, the network administrator must manually make a port-to-VLAN assignment for the new connection.

Dynamic VLANs are created using software or by protocol. With a VLAN Management Policy Server (VMPS), an administrator can assign switch ports to VLANs dynamically based on information such as the source MAC address of the device connected to the port or the username used to log onto that device. As a device enters the network, the switch queries a database for the VLAN membership of the port that device is connected to. Protocol methods include Multiple VLAN Registration Protocol (MVRP) and the somewhat obsolete GARP VLAN Registration Protocol (GVRP).

Protocol-based VLANs

[edit]

In a switch that supports protocol-based VLANs, traffic may be handled on the basis of its protocol. Essentially, this segregates or forwards traffic from a port depending on the particular protocol of that traffic; traffic of any other protocol is not forwarded on the port. This allows, for example, IP and IPX traffic to be automatically segregated by the network.

VLAN cross connect

[edit]

VLAN cross connect (CC or VLAN-XC) is a mechanism used to create Switched VLANs, VLAN CC uses IEEE 802.1ad frames where the S Tag is used as a Label as in MPLS. IEEE approves the use of such a mechanism in part 6.11 of IEEE 802.1ad-2005.

See also

[edit]

Notes

[edit]

References

[edit]

Further reading

[edit]
Revisions and contributorsEdit on WikipediaRead on Wikipedia

VLAN

View on Grokipedia
from Grokipedia
A Virtual Local Area Network (VLAN) is a networking technology that logically segments a physical (LAN) into multiple isolated broadcast domains, allowing devices to be grouped based on organizational functions, security needs, or applications without requiring separate physical cabling or switches. This segmentation is achieved through software configuration on network switches, where ports are assigned to specific VLANs, and is tagged to maintain separation even across shared infrastructure. Standardized by , VLANs support the Media Access Control (MAC) service in bridged Ethernet networks by inserting a 4-byte tag into Ethernet frames to identify the VLAN affiliation, ensuring that broadcast, , and traffic remains confined within its designated domain. The concept of VLANs, invented in the , emerged in the to address limitations in traditional flat LANs, where growing network sizes led to excessive broadcast traffic, security vulnerabilities, and inefficient management; by enabling virtual bridging, VLANs reduce these issues while supporting scalability in enterprise environments. The standard, first published in 1998, defines the architecture for virtual bridged LANs, including protocols for VLAN discovery, configuration, operation adapted for multiple VLANs, and quality of service mechanisms like priority tagging. Subsequent amendments have expanded its capabilities, incorporating features such as provider bridging (), multiple spanning trees (IEEE 802.1s), and for real-time applications in industrial and automotive settings. Key benefits of VLANs include enhanced through traffic isolation—preventing unauthorized access between groups—and improved performance by limiting broadcast domains, which minimizes congestion and optimizes bandwidth usage. They also facilitate flexible administration, such as assigning VLANs by department or , and integrate with routing protocols for inter-VLAN communication via layer-3 switches or routers. Widely implemented in Ethernet switches from vendors like and supported in modern data centers, VLANs remain foundational for segmenting traffic in , IoT, and enterprise networks.

Fundamentals

Definition and Purpose

A Virtual (VLAN) is a logical grouping of network devices that functions as a separate , allowing devices to be segmented on the same physical without requiring dedicated hardware for each group. This enables administrators to organize traffic by criteria such as department, function, or application, irrespective of users' physical locations. The primary purposes of VLANs include enhancing by confining broadcast traffic to specific logical segments, thereby minimizing congestion across the entire . They also bolster through isolation, where devices in one VLAN cannot directly communicate with those in another unless explicitly permitted via . Furthermore, VLANs streamline management in expansive networks by facilitating centralized configuration and reorganization without physical rewiring. In contrast to flat LANs, which operate as a single prone to scalability issues like excessive and exposure in growing environments, VLANs overcome physical limitations by supporting up to 4094 distinct segments in standard setups. Key benefits encompass hardware cost reductions by leveraging existing cabling and switches for multiple logical networks, as well as heightened flexibility for adapting to changes in dynamic settings like corporate offices and data centers.

Basic Operation

VLAN-aware switches operate by assigning each port to a specific VLAN identifier (VID), enabling port-based membership where devices connected to the same VLAN can communicate at Layer 2, while traffic from different VLANs is filtered and prevented from direct inter-VLAN communication unless explicitly routed at Layer 3. In this setup, access ports are typically dedicated to a single VLAN, ensuring that frames entering or exiting the port are associated solely with that VLAN's domain. A core function of VLANs is to provide broadcast domain isolation, where all devices within the same VLAN share a common and receive broadcasts such as ARP requests, but broadcasts originating in one VLAN are dropped by the switch and do not propagate to other VLANs, thereby containing broadcast traffic and reducing . This isolation enhances security and efficiency by logically separating traffic without requiring separate physical networks, though inter-VLAN communication still necessitates a router or Layer 3 switch to forward packets between domains. In handling Ethernet frames, VLAN-aware switches process untagged frames by assigning them to a designated native VLAN, often VLAN 1 by default, while tagged frames include a VLAN tag in the header that specifies the VID for proper forwarding. The VID is encoded in a 12-bit field within the 802.1Q tag, supporting values from 0 to 4095, where 1 to 4094 are available for user-defined VLANs, and 0 and 4095 are reserved for specific protocol uses. Switches forward frames only within the matching VLAN based on this identifier, dropping mismatched traffic at the port level. To interconnect switches supporting multiple VLANs, trunking links are employed, allowing a single physical link to carry traffic for numerous VLANs by encapsulating frames with VLAN tags that preserve the VID across the connection. On trunk ports, all VLAN traffic is permitted by default unless restricted, enabling scalable network designs where broadcast domains extend across multiple switches without merging.

Uses and Applications

Traditional Network Segmentation

In traditional enterprise and campus networks, VLANs have been widely used to achieve departmental isolation by logically grouping devices based on organizational functions, such as assigning separate VLANs to , , or teams. This approach confines traffic within each VLAN, thereby limiting the scope of broadcast domains to prevent widespread propagation of unnecessary packets across the entire network. By isolating departments in this manner, VLANs also restrict unauthorized access between groups, as devices in one VLAN cannot directly communicate with those in another without explicit configuration. VLANs further support in shared media environments by segmenting different types of , such as voice, , and video, into distinct VLANs to reduce congestion and improve . For instance, voice can be assigned to a dedicated VLAN to shield it from network interference, ensuring consistent quality for real-time communications while minimizing latency and in the overall LAN. In a typical corporate LAN setup, administrators might configure VLAN 10 for servers to handle backend resources and VLAN 20 for workstations to manage user endpoints, allowing controlled separation of from general access . To enable communication between these isolated segments, inter-VLAN routing is implemented using routers with subinterfaces, often in a "router-on-a-stick" where a single physical interface handles multiple VLANs via . This setup integrates VLANs with Layer 3 devices to route traffic selectively between departments while maintaining logical boundaries. Historically, VLANs played a key role in the transition from hub-based shared media networks to switched environments in the , serving as a cost-effective bridge to Layer 3 segmentation by enabling logical divisions on multiport switches without requiring additional physical hardware for each segment.

Modern Deployments

In modern network environments, VLANs have evolved to integrate seamlessly with technologies, particularly in hypervisors like VMware ESXi, where they enable isolation of virtual machines (VMs) by tagging traffic at the virtual switch level. Virtual switch tagging (VST) allows the ESXi virtual switch to apply tags to VM traffic, ensuring that packets from different VMs are segregated into distinct broadcast domains without requiring physical changes, a practice that gained prominence in the as data centers shifted toward virtualized infrastructures. This approach enhances by preventing unauthorized inter-VM communication and reduces broadcast , with port groups on the virtual switch configured to assign specific VLAN IDs to VM network adapters. Wireless deployments of VLANs have advanced to support dynamic segmentation through SSID-to-VLAN mapping on access points, allowing separation of user groups such as guests and employees on the same physical . Configuration typically involves using a dedicated controller to create multiple SSIDs and bind each to a specific VLAN ID, with the access point connected to a switch trunk port that allows the corresponding VLANs; isolation can then be tested to ensure proper segmentation. Modern access points support multiple SSIDs—up to 8-16 per band depending on the device—each bound to different VLANs using 802.1Q tagging, outputting tagged traffic even in pure AP mode, which is compatible with contemporary standards like WiFi 7. In access points from vendors like , multiple SSIDs can be mapped to unique VLANs—for instance, a "Guest" SSID directed to VLAN 100 for internet-only access, while an "Employee" SSID routes to VLAN 10 for full corporate resources—facilitating policy enforcement without separate hardware. These configurations, refined since the mid-2010s, integrate with modern security protocols like WPA3, which provides enhanced encryption and protection against offline dictionary attacks, ensuring that VLAN-tagged traffic from authenticated devices remains isolated even in high-density environments. In and (SDN) contexts, VLAN principles underpin segmentation in virtual private clouds (VPCs) and virtual networks (VNets), such as those in AWS and Azure, where traditional VLAN limits of 4096 IDs are overcome by combining native segmentation with overlay protocols like VXLAN. AWS VPCs employ subnet-based isolation akin to VLANs for logical grouping of resources, while integrating VXLAN overlays in services like Amazon VMware Cloud on AWS to encapsulate Layer 2 traffic over Layer 3 underlays, enabling scalable multi-tenancy across global regions without the VLAN ID constraint. Similarly, Azure VNets provide VLAN-like peering and segmentation, augmented by VXLAN for extended reach in hybrid setups, supporting millions of virtual segments through 24-bit identifiers and addressing the demands of post-2010s cloud expansions. VLANs play a critical role in IoT and , particularly in smart factories of the 2020s, where the proliferation of connected devices—which reached approximately 20 billion globally as of 2025 and are projected to exceed 40 billion by 2030—necessitates grouping and segmentation to manage and performance. In industrial settings, VLANs logically partition devices, such as assigning sensors in a stamping workshop to one VLAN for while isolating programmable logic controllers (PLCs) in assembly lines to another, preventing interference from non-critical traffic and mitigating risks like broadcast storms. For example, in automotive manufacturing, VLAN segmentation separates welding robot communications from office IT networks, ensuring real-time reliability for (OT) amid the Industry 4.0 surge, with routers like those supporting integration facilitating QoS prioritization across these groups.

History and Evolution

Early Development

In the pre-VLAN era of the , Ethernet networks operated primarily on shared media using the with (CSMA/CD) protocol, which inherently limited network scale due to collision propagation delays restricting segment lengths to approximately 2,500 meters and requiring repeaters that extended but did not resolve underlying inefficiencies. As LANs expanded within enterprises, these limitations manifested in frequent collisions and reduced throughput, prompting the development of transparent bridges in the late to segment collision domains while preserving a unified across interconnected segments. However, this bridging approach, while enabling larger topologies, exacerbated broadcast storms in growing networks, as all devices remained within a single susceptible to excessive traffic flooding. The initial concepts for VLANs emerged in the late 1980s to address these challenges, with W. David Sincoskie at Bellcore inventing the core idea of logically partitioning a physical LAN into multiple isolated s without altering cabling infrastructure. Around 1990, vendors like (DEC) and began exploring proprietary solutions for LAN segmentation; for instance, DEC advanced early bridging techniques that laid groundwork for virtual segmentation, while developed initial multi-domain switching features in its routers and early switches. These efforts included explorations into LAN emulation over emerging technologies like , aiming to emulate traditional LAN behavior in virtualized setups to support scalable, department-specific networks. A pivotal milestone occurred with the 1990 publication of the standard, which formalized MAC-layer bridging specifications and introduced the (STP) to prevent loops in multi-segment bridged LANs, thereby facilitating the reliable interconnection of multiple physical segments into loop-free topologies that foreshadowed VLAN architectures. This standard enabled network administrators to build extended LANs comprising numerous bridged segments, setting the stage for further logical subdivisions. Commercial imperatives accelerated VLAN adoption amid the explosive growth of 10BASE-T Ethernet in the early , as this standard—ratified in and leveraging affordable unshielded twisted-pair cabling—enabled rapid enterprise deployments of 10 Mbps networks, often resulting in oversized flat infrastructures prone to performance bottlenecks from unsegmented traffic. Enterprises sought VLAN-like solutions to impose logical divisions for , traffic isolation, and efficient without the costly overhauls of physical rewiring, aligning with the era's shift toward switched, scalable LANs.

Standardization and Updates

The formal standardization of Virtual Local Area Networks (VLANs) began with the ratification of in 1998, titled IEEE Standards for Local and Metropolitan Area Networks: Virtual Bridged Local Area Networks. This standard introduced the VLAN tagging mechanism, enabling the multiplexing of multiple virtual LANs over a single physical link by inserting a 4-byte tag into Ethernet frames to identify VLAN membership. Subsequent amendments to expanded its capabilities for service provider and enterprise environments. , known as Provider Bridges, was ratified to support VLAN tagging (QinQ), allowing service providers to customer VLANs through their networks without interfering with internal VLAN assignments, thus improving for metropolitan Ethernet services. In 2012, introduced Shortest Path Bridging (SPB), an amendment that enhanced VLAN-based forwarding by using routing to compute shortest paths for and traffic across bridged networks, reducing loops and improving efficiency in large-scale deployments. More recently, the revision incorporated updates for (TSN), including profiles for industrial automation that ensure deterministic latency and synchronization over VLANs in bridged networks. Prior to widespread IEEE adoption, played a significant role in VLAN development through proprietary protocols. In 1996, Cisco introduced Inter-Switch Link (ISL), a for encapsulating Ethernet frames with VLAN information across trunk links on its switches, which supported up to 1,024 VLANs initially. Alongside ISL, Cisco developed VLAN Trunking Protocol (VTP) to automate VLAN configuration propagation across switches in a domain, simplifying management in enterprise networks. These innovations were later partially superseded by , though elements like VTP persist in Cisco ecosystems for . In the 2020s, the standard underwent a major revision in 2022 and subsequent amendments have continued to evolve its capabilities, particularly for enhanced interoperability and in emerging technologies. For instance, IEEE 802.1Q VLAN tagging is integral to mobile backhaul networks for traffic separation and QoS enforcement, as outlined in industry specifications for Ethernet-based transport. Similarly, VLAN integration with (EVPN) has advanced data center fabrics, enabling seamless Layer 2 extension and multi-tenancy without altering core VLAN mechanics, as demonstrated in modern spine-leaf architectures. Post-2022 amendments include IEEE 802.1Qcz-2023 for cyclic queuing and forwarding enhancements in TSN, IEEE 802.1Qdj-2024 for TSN support in linear and ring topologies, and IEEE 802.1Qdy-2025 for frame replication and elimination to improve reliability in distributed systems.

Configuration and Design

Membership Assignment

VLAN membership assignment refers to the process of associating switch ports or devices with specific virtual local area networks (VLANs) to enforce during configuration. This can be achieved through static or dynamic methods, each suited to different needs. Static assignment involves manual configuration by network administrators, typically using command-line interfaces on managed switches to designate ports to a particular VLAN. For instance, on switches, the command switchport access vlan 10 assigns a to VLAN 10, ensuring that all untagged traffic from connected end devices is placed in that VLAN. In contrast, dynamic assignment automates VLAN placement based on device attributes, such as MAC addresses or user credentials, reducing manual errors in large-scale environments. A standard method for dynamic assignment based on user or device authentication is port-based network access control, which integrates with servers to assign VLANs dynamically. Upon successful authentication, the server returns attributes (e.g., Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = ) to instruct the switch to place the port in the specified VLAN, enabling secure, policy-driven segmentation commonly used in enterprise wired and networks. Another standard method employs the Generic VLAN Registration Protocol (GVRP), defined in , which enables switches to dynamically register and propagate VLAN information across the network via GARP (Generic Attribute Registration Protocol) messages, allowing ports to join VLANs based on announcements from other devices without manual intervention. In wireless networks, VLAN membership assignment often involves mapping service set identifiers (SSIDs) to specific VLANs using a wireless management controller or access point configuration interface. Administrators create multiple SSIDs, each bound to a unique VLAN ID, to segment wireless traffic for different user groups or purposes. The access point is then connected to a trunk port on a switch that allows the relevant VLANs, with the access point outputting tagged traffic using 802.1Q in pure access point mode. Modern access points support multiple SSIDs (typically 4 to 16 per radio) bound to different VLANs, enabling flexible segmentation. Post-configuration, it is essential to test for proper isolation between VLANs to ensure security and functionality. Switch ports are categorized into access and trunk types to handle VLAN traffic appropriately. Access ports connect to end-user devices, such as computers or printers, and operate in untagged mode, associating all incoming traffic with a single VLAN while stripping any VLAN tags on egress to maintain compatibility with non-VLAN-aware devices. Trunk ports, used for links between switches or to routers, support multiple VLANs by tagging frames with headers, enabling the transport of traffic from various VLANs over a single physical link while preserving isolation. To accommodate legacy or untagged traffic on trunk ports, the native VLAN serves as the default untagged VLAN, carrying frames without tags to ensure interoperability with older equipment that does not support VLAN tagging. By default, VLAN 1 is designated as the native VLAN on most switches, but it can be reconfigured to another ID using commands like switchport trunk native vlan 999 to align with security policies. Best practices for VLAN membership assignment emphasize structured numbering and security measures to enhance manageability and reduce vulnerabilities. Administrators often reserve low VLAN IDs (e.g., 2-100) for production user networks, mid-range IDs (e.g., 101-500) for voice or guest access, and higher IDs (e.g., 1000+) for management or infrastructure to facilitate intuitive organization and troubleshooting. Critically, VLAN 1 should be avoided for user traffic or as the native VLAN on trunks, as it is the default broadcast domain on most switches and serves as a common vector for attacks like VLAN hopping; instead, explicitly prune it from trunks and assign unused ports to a dedicated "blackhole" VLAN to contain potential threats.

Design Considerations

When designing VLAN deployments, scalability is a primary concern due to the limitations imposed by the standard, which uses a 12-bit VLAN Identifier (VID) field supporting up to 4096 VLANs per domain, with VLAN IDs ranging from 0 to 4095 and 0 and 4095 typically reserved, leaving 4094 usable VLANs. In large topologies, this cap necessitates careful planning to partition networks into multiple domains if exceeding 4094 VLANs is anticipated, while also addressing challenges. To mitigate risks of loops in expansive networks, implement (MSTP) as defined in IEEE 802.1s, grouping VLANs into instances to reduce overhead and placing as many switches as possible into a single MST region for optimized convergence and loop prevention. Additionally, designate core switches with low bridge priorities as root bridges per instance to balance traffic loads and minimize convergence times in large-scale environments. Interoperability across diverse vendor equipment is enhanced by adhering to standards for VLAN tagging and , which provide a vendor-neutral framework unlike proprietary protocols such as Cisco's Inter-Switch Link (ISL). Designers should prioritize 802.1Q in configurations to ensure seamless frame transmission between switches from different manufacturers, avoiding reliance on vendor-specific features that could fragment the network architecture. For inter-VLAN communication, Layer 3 devices such as routers or Layer 3 switches are essential to route traffic between VLANs, as VLANs operate at Layer 2 and cannot forward packets across broadcast domains without higher-layer intervention. A common configuration, known as "router-on-a-stick," uses a single physical router interface subinterfaced for each VLAN, connected via a trunk link to the switch, enabling efficient routing without multiple physical ports. This approach, while cost-effective for smaller setups, requires trunk encapsulation (e.g., 802.1Q) on subinterfaces to properly tag and route VLAN traffic. Common pitfalls in VLAN design include VLAN hopping attacks arising from misconfigured trunks, where attackers exploit dynamic trunking protocols like Cisco's Dynamic Trunking Protocol (DTP) to negotiate unauthorized trunks or insert double tags to breach segments. To counter this, explicitly configure trunk ports with static mode, disable DTP using "switchport nonegotiate," and restrict allowed VLANs on trunks to only necessary ones. Furthermore, maintain comprehensive documentation of VLAN assignments, trunk configurations, and topology diagrams, coupled with regular auditing to verify compliance with security policies and detect misconfigurations early.

Tagging and Trunking Protocols

IEEE 802.1Q

is the IEEE standard that defines the protocol for adding VLAN tags to Ethernet frames, enabling the multiplexing of multiple virtual LANs over a single physical link known as a trunk. This tagging mechanism allows switches to identify and segregate traffic belonging to different VLANs while traversing shared infrastructure, supporting efficient without requiring separate physical cables for each VLAN. The standard ensures interoperability among devices from different vendors by specifying a consistent frame modification process. The 802.1Q tag consists of a 4-byte header inserted into the immediately after the source and before the original or Length field, which is shifted to follow the tag. This header begins with a 16-bit Tag Protocol Identifier (TPID) set to the value 0x8100, signaling that the frame carries a VLAN tag. The remaining 16 bits form the Tag Control Information (TCI) field, which includes a 3-bit Priority Code Point (PCP) for indicating priority levels from 0 to 7, a 1-bit Canonical Format Indicator (CFI) that specifies the bit-ordering convention for the MAC addresses (typically 0 for standard Ethernet), and a 12-bit VLAN Identifier (VID) that assigns the frame to one of up to 4094 active VLANs (with VID values 0 and 4095 reserved for special purposes). In operation, access ports connected to end devices transmit and receive untagged frames, associating them implicitly with a single configured VLAN, while trunk ports between switches or routers handle tagged frames to carry traffic from multiple VLANs simultaneously. On ingress to a trunk port, a switch adds the appropriate 802.1Q tag based on the frame's source port VLAN membership; on egress, it removes the tag for access ports or retains it for other trunks. For scenarios requiring further VLAN nesting, such as service provider networks, the 802.1ad amendment (also known as QinQ) extends 802.1Q by allowing double-tagging, where an outer tag (using TPID 0x88a8) encapsulates an inner customer 802.1Q tag, preserving the original VID transparently across the provider domain. As an open IEEE standard, 802.1Q promotes vendor-neutral and widespread adoption in enterprise and carrier networks, supporting a scalable VLAN of 4094 identifiers to accommodate large deployments. It also integrates (QoS) capabilities through the PCP field, enabling priority queuing and traffic class differentiation within the same frame, which helps manage bandwidth for time-sensitive applications like voice or video. In , the modified format can be visualized as follows:
FieldSize (bits)Description
Destination MAC48Original recipient address
Source MAC48Original sender address
TPID (0x8100)16Identifies 802.1Q tag
PCP3Priority (0-7)
CFI1Canonical format (0 for Ethernet)
VID12VLAN ID (1-4094)
EtherType/Length16Original field, now after tag
PayloadVariableData
FCS32Frame check sequence
Switches typically validate tags on receipt; invalid structures, such as a non-0x8100 TPID or out-of-range VID, result in the frame being discarded to prevent misrouting or issues.

Proprietary Protocols

In the early days of VLAN deployment, vendors developed proprietary protocols to enable and management across their switches, addressing the lack of a universal standard. 's Inter-Switch Link (ISL), introduced in the mid-1990s, served as a key encapsulation method for carrying VLAN information over links between switches. ISL operates by fully encapsulating the original with a 26-byte header and a 4-byte trailer, where the header includes a 10-bit VLAN ID field supporting up to 1,024 VLANs (0-1,023). This proprietary approach was limited to hardware, restricting with other vendors' equipment. The reliance on proprietary protocols like ISL waned in the due to interoperability challenges in multi-vendor networks, prompting a widespread shift to the standard for trunking. deprecated ISL support in newer switch models, favoring 802.1Q for its openness and efficiency.

Advanced Features

Protocol-Based VLANs

Protocol-based VLANs enable network switches to dynamically classify and assign untagged incoming traffic to specific VLANs based on the Layer 3 protocol embedded in the Ethernet frame, rather than relying solely on port assignments. This approach allows a single physical port to support multiple VLANs by filtering packets according to their protocol type, such as Internet Protocol (IP), Internetwork Packet Exchange (IPX), Address Resolution Protocol (ARP), or AppleTalk (AT). For instance, IP traffic can be directed to one VLAN while IPX traffic from the same port is routed to another, providing logical segmentation without requiring separate physical connections. This feature is particularly useful in legacy or mixed-protocol environments where devices on the same use disparate protocols, ensuring that protocol-specific remains isolated for better and reduced broadcast domains. A common use case involves separating legacy non-IP protocols like IPX, often used in older networks, from modern IP-based communications, allowing administrators to maintain compatibility without overhauling cabling . Unlike static port-based membership, protocol-based assignment offers more flexibility for dynamic handling on shared ports. Implementation typically involves defining protocol groups—collections of supported protocols—and mapping these groups to target VLANs via switch configuration interfaces. In Cisco devices, for example, administrators create protocol-based VLAN groups through (CLI) commands or web-based utilities, specifying protocols like IP or IPX and associating them with VLAN IDs; similar mechanisms exist in vendors such as and H3C, where rules function like access control lists (ACLs) but focused on protocol identification. The switch inspects the field or equivalent in the frame header upon ingress to apply the mapping, supporting untagged frames primarily. Despite their utility, protocol-based VLANs introduce potential performance overhead, as the switch must parse frame headers to identify protocols before forwarding, which can strain resources in high-throughput scenarios or software-forwarding implementations. This inspection requirement makes the feature less prevalent in contemporary high-speed hardware, where simpler port- or tag-based methods predominate to minimize latency. Additionally, support is often limited to specific legacy protocols, restricting applicability in purely IP-centric modern networks.

VLAN Stacking and Cross-Connects

VLAN stacking, also known as QinQ or 802.1Q-in-802.1Q, enables service providers to tunnel customer Ethernet frames across their networks by adding an outer VLAN tag to an existing inner customer tag. The inner tag, referred to as the C-Tag (customer tag), uses the standard 12-bit VLAN ID from to identify customer-specific VLANs, while the outer S-Tag (service tag) allows the provider to segregate traffic from multiple customers into a single provider VLAN. This double-tagging mechanism expands the effective VLAN space from 4096 to over 16 million unique combinations (4096 customer IDs × 4096 service IDs), addressing scalability limitations in large provider networks. The IEEE 802.1ad standard, ratified in 2005 and first incorporated into IEEE 802.1Q-2011, formalizes this stacking approach for provider bridges, ensuring transparent transport of customer-tagged frames without modification by the provider's infrastructure. In practice, provider edge switches add the S-Tag upon ingress from the customer and remove it upon egress, preserving the original C-Tag for end-to-end delivery. This technique is particularly valuable in Metro Ethernet services, where providers offer transparent LAN extensions by tunneling multiple customer VLANs over a shared backbone, isolating customer traffic while simplifying management. Cross-connects extend VLAN connectivity across non-adjacent switches or wide-area networks by linking attachment circuits (ACs) through pseudowires (PWs) or , often using MPLS or (EVPN) technologies. In EVPN-VPWS (Virtual Private Wire Service), for instance, BGP signaling establishes point-to-point or multipoint connections that multiplex multiple VLAN-based ACs onto a single , enabling seamless extension of Layer 2 domains over IP/MPLS backbones as defined in RFC 7432. This approach supports flexible cross-connect services in data centers and environments, where VLANs from disparate sites are interconnected without requiring native Layer 2 adjacency. In modern deployments, VLAN stacking and cross-connects integrate with (SDN) controllers for automated provisioning, such as dynamically configuring S-Tags or EVPN routes via or NETCONF/YANG models that support IEEE 802.1Q sub-interfaces. These capabilities, enhanced through amendments such as IEEE 802.1Qat-2010 for stream reservation protocol (with enhancements in IEEE 802.1Qcc-2018), and the base standard revised as IEEE 802.1Q-2022 to incorporate these and further enhancements, facilitate scalable automation in and edge networks while maintaining compatibility with legacy 802.1ad stacking.

Security and Limitations

Security Implications

VLAN hopping attacks represent a significant vulnerability in networks relying on VLAN segmentation, allowing unauthorized access to restricted VLANs through exploitation of tagging mechanisms or protocol negotiations. In a double-tagging attack, an adversary connected to an access port in the native VLAN sends a frame with two 802.1Q tags: the outer tag matches the native VLAN, which the switch strips upon ingress, forwarding the inner-tagged frame on the trunk to the target VLAN. This exploit leverages the default behavior of switches handling untagged or native VLAN traffic, potentially enabling lateral movement across segmented domains. Similarly, switch spoofing occurs when an attacker manipulates Dynamic Trunking Protocol (DTP) to negotiate a trunk link from an access port, gaining access to all VLANs on the trunk if the port mode is not explicitly secured. To mitigate inter-VLAN breaches like hopping, network administrators must implement strict configuration controls, including disabling DTP on all access ports via commands such as switchport mode access and switchport nonegotiate to prevent unauthorized negotiations. Assigning a non-default VLAN as the native VLAN on trunks—avoiding VLAN 1—and explicitly configuring it only for necessary administrative traffic further reduces the by ensuring the native VLAN carries no user data. Additionally, enabling with limiting restricts each port to a predefined number of learned MAC addresses, dynamically or statically, blocking unauthorized devices from injecting malicious frames. For enhanced intra-VLAN isolation, Private VLANs (PVLANs), a Cisco-proprietary feature, divide a primary VLAN into secondary isolated and community VLANs to prevent direct communication between hosts within the same . Isolated ports restrict traffic to only promiscuous ports (typically connected to gateways or servers that require full access), while community ports allow communication among members of the same community and with promiscuous ports but block cross-community or isolated interactions. This setup effectively curbs lateral movement in scenarios like multi-tenant environments, where PVLANs map secondary VLANs to a primary one and assign ports accordingly to enforce unidirectional or limited bidirectional flows. In 2025, the proliferation of hybrid cloud architectures amplifies VLAN-related risks, as traditional Layer 2 segmentation struggles with dynamic spanning on-premises and cloud boundaries, potentially exposing misconfigured VLANs to broader attack vectors in multi-tenant setups. Integrating VLANs with zero-trust principles, such as microsegmentation, addresses these challenges by enforcing policy-based isolation at the workload level, combining PVLAN-like controls with continuous verification to maintain security across hybrid environments. Recommendations emphasize auditing trunk configurations and aligning VLAN policies with zero-trust frameworks to mitigate evolving threats in distributed networks.

Performance and Scalability Issues

VLAN tagging, as defined in the standard, introduces a 4-byte header to Ethernet frames, which can incrementally reduce effective bandwidth, particularly in high-throughput environments like or faster links where frame rates are high. Although modern hardware-accelerated implementations in application-specific integrated circuits () minimize processing overhead, the added bytes still represent a small but cumulative efficiency loss in scenarios with heavy tagged traffic, such as trunk links carrying multiple VLANs. Misconfigurations, such as improper or loops within a VLAN, can exacerbate performance issues by triggering broadcast storms, where excessive broadcast packets the domain and consume available bandwidth. Scalability in large VLAN deployments is constrained by protocols like (STP), which enforces loop prevention but introduces convergence delays of up to 50 seconds following topology changes, disrupting traffic in expansive Layer 2 domains spanning multiple switches. These delays become more pronounced in environments with numerous VLANs or devices, as STP's timer-based reconvergence (e.g., listening and learning states) propagates slowly across the network. Additionally, unknown flooding occurs when switches forward packets to MAC addresses not in their forwarding tables, replicating traffic across all ports in the VLAN and leading to congestion in scaled environments with high device mobility or asymmetric routing. This behavior, inherent to Layer 2 bridging, amplifies bandwidth waste and can degrade performance as VLAN sizes grow. To address these limitations, network designers often employ Layer 3 switching for inter-VLAN routing, which confines broadcasts to smaller domains and enables wire-speed forwarding via integrated routing , thereby reducing overall flood traffic and improving throughput compared to traditional router-on-a-stick setups. For exceeding the 4096 VLAN ID limit imposed by 802.1Q's 12-bit field, (VXLAN) overlays encapsulate Layer 2 frames in UDP packets with a 24-bit identifier, supporting up to 16 million segments and enabling scalable multi-tenancy in data centers without native VLAN constraints. Fabric architectures like Application Centric Infrastructure (ACI) further mitigate issues by providing a policy-driven, VXLAN-based underlay that abstracts VLAN scaling, with verified limits of 15,000 bridge domains per fabric in default configurations and up to 21,000 in L2 fabrics as of 2025 hardware releases. Practical VLAN limits per switch typically range from 1000 to 2000 active instances, depending on hardware; for example, many enterprise switches support up to 4094 VLANs theoretically, but memory and port density constraints make 1000 a common operational ceiling to avoid MAC table exhaustion or STP overhead. By , advancements in hardware-accelerated tagging—such as those in 100G+ Ethernet —allow switches to process tagged frames at line rate without CPU intervention, sustaining performance in dense VLAN configurations.

References

  1. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/lanswitch/configuration/15-s/lsw-15-s-book/lsw-vlan-cfg-rtg.pdf
  2. https://standards.ieee.org/ieee/802.1Q/6844/
  3. https://standards.ieee.org/ieee/802.1Q/1039/
  4. https://www.networkworld.com/article/971100/what-is-a-vlan-and-how-does-it-work.html
  5. https://www.cisco.com/c/m/ja_jp/meraki/documentation/general-administration/tools-and-troubleshooting/fundamentals-of-8021q-vlan-tagging.html
  6. https://www.cisco.com/c/en/us/support/docs/smb/switches/cisco-small-business-300-series-managed-switches/smb5653-configure-port-to-vlan-interface-settings-on-a-switch-throug.html
  7. https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9600/software/release/17-15/configuration_guide/vlan/b_1715_vlan_9600_cg/configuring_vlans.html
  8. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/lanswitch/configuration/xe-3s/lanswitch-xe-3s-book/m_lsw-conf-rout-vlan.pdf
  9. https://www.cisco.com/en/US/docs/ios/lanswitch/configuration/guide/lsw_rtng_vlan_ovw.html
  10. https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9500/software/release/16-10/configuration_guide/vlan/b_1610_vlan_9500_cg/b_1610_vlan_9500_cg_chapter_0101.pdf
  11. https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-6/configuration_guide/vlan/b_166_vlan_9300_cg/b_165_vlan_9300_cg_chapter_01.pdf
  12. https://www.cisco.com/c/en/us/support/docs/smb/routers/cisco-rv-series-small-business-routers/1778-tz-VLAN-Best-Practices-and-Security-Tips-for-Cisco-Business-Routers.html
  13. http://www.cisco.com/en/US/docs/ios/lanswitch/configuration/guide/lsw_rtng_vlan_ovw_ps6350_TSD_Products_Configuration_Guide_Chapter.html
  14. https://www.cisco.com/c/en/us/support/docs/lan-switching/8021q/17056-741-4.html
  15. https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst_digital_building_series_switches/software/15-2_5_ex/configuration_guide/b_1525ex_consolidated_cdb_cg/b_1525ex_consolidated_cdb_cg_chapter_0110101.html
  16. http://www.cisco.com/en/US/docs/ios-xml/ios/lanswitch/configuration/15-2s/lsw-vlan-cfg-rtg.html
  17. https://community.cisco.com/t5/network-access-control/cisco-ise-vlans-versus-trustsec-for-network-access-control/td-p/3559891
  18. https://www.esecurityplanet.com/networks/what-is-a-vlan/
  19. https://community.cisco.com/t5/ip-telephony-and-phones/why-we-need-to-separate-voice-vlan-and-data-vlan/td-p/3817134
  20. https://www.cisco.com/c/en/us/support/docs/lan-switching/inter-vlan-routing/41260-189.html
  21. https://www.cisco.com/c/en/us/support/docs/lan-switching/inter-vlan-routing/14976-50.html
  22. https://www.rhyshaden.com/eth_vlan.htm
  23. https://www.seatech-eg.com/post/a-journey-through-the-history-of-network-switches
  24. https://knowledge.broadcom.com/external/article/311764/vlan-configuration-on-virtual-switches-p.html
  25. https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-vlan/68100-wlan-controllers-vlans.html
  26. https://help.ui.com/hc/en-us/articles/26136823938583-Creating-UniFi-WiFi-SSIDs
  27. https://www.tp-link.com/us/support/faq/4303/
  28. https://www.cisco.com/c/en/us/support/docs/smb/wireless/cisco-small-business-100-series-wireless-access-points/smb5172-configure-ssid-to-vlan-mapping-on-a-wireless-access-point.html
  29. https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/technical-reference/wpa3-dg.html
  30. https://docs.aws.amazon.com/evs/latest/userguide/concepts.html
  31. https://learn.microsoft.com/en-us/windows-server/networking/sdn/manage/understanding-usage-of-virtual-networks-and-vlans
  32. https://www.cisco.com/c/en/us/td/docs/dcn/whitepapers/cisco-vxlan-bgp-evpn-design-and-implementation-guide.html
  33. https://iot-analytics.com/number-connected-iot-devices/
  34. https://www.statista.com/statistics/1183457/iot-connected-devices-worldwide/
  35. https://spectrum.ieee.org/how-dec-engineers-saved-ethernet
  36. https://hackaday.com/2024/08/27/decs-lan-bridge-100-the-invention-of-the-network-bridge/
  37. https://standards.ieee.org/ieee/802.1D/3387/
  38. https://standards.ieee.org/beyond-standards/ethernet-50th-anniversary/
  39. https://standards.ieee.org/ieee/802.1ad/3374/
  40. https://standards.ieee.org/ieee/802.1aq/3818/
  41. https://standards.ieee.org/ieee/802.1Q/10323/
  42. https://www.cisco.com/c/en/us/support/docs/lan-switching/vtp/10558-21.html
  43. https://www.broadband-forum.org/pdfs/tr-521-1-0-0.pdf
  44. https://standards.ieee.org/ieee/802.1Qcz/10758/
  45. https://ieeexplore.ieee.org/document/10542670
  46. https://ieeexplore.ieee.org/document/10797705
  47. https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-2_3_e/consolidated_guide/b_1523e_consolidated_2960x_cg/b_consolidated_152ex_2960-X_cg_chapter_0111011.pdf
  48. https://standards.ieee.org/ieee/802.1X/5932/
  49. https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/217043-configure-dynamic-vlan-assignment-with-c.html
  50. https://www.cisco.com/c/en/us/support/docs/smb/switches/cisco-350x-series-stackable-managed-switches/smb5824-dynamic-vlan-assignment-and-auto-smartport-configuration-on.html
  51. https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-2_5_e/configuration_guide/b_1525e_consolidated_2960x_cg/b_1525e_consolidated_2960x_cg_chapter_01001001.pdf
  52. https://www.cisco.com/c/dam/global/fr_ca/assets/presentations/Security/Security_pratices_in_ethernet_Switched_networks.pdf
  53. https://grouper.ieee.org/groups/802/1/files/public/docs2022/cj-congdon-dot1q-types-yang-0922-v01.pdf
  54. https://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/24248-147.html
  55. https://www.ciscopress.com/articles/article.asp?p=3089357&seqNum=5
  56. https://assets.tequipment.net/assets/1/26/Documents/WhitePaper-VLANBestPractices.pdf
  57. https://www.zenarmor.com/docs/network-basics/what-is-vlan
  58. https://info.support.huawei.com/info-finder/encyclopedia/en/QinQ.html
  59. https://www.cisco.com/c/en/us/td/docs/ios/12_2sb/feature/guide/vlntgqos.html
  60. https://openmetal.io/resources/blog/dedicated-vlans-and-vxlans/
  61. https://my.f5.com/manage/s/article/K24339502
  62. https://www.cisco.com/c/en/us/td/docs/ios/lanswitch/configuration/guide/15_0s/lsw_15_0s_book.pdf
  63. https://community.cisco.com/t5/switching/what-s-up-with-isl/td-p/532676
  64. https://www.computernetworkingnotes.com/ccna-study-guide/cisco-inter-switch-link-isl-explained.html
  65. https://kb.netgear.com/21598/How-do-I-create-a-protocol-based-VLAN-using-CLI-commands-on-my-managed-switch
  66. https://documentation.extremenetworks.com/exos_22.5/GUID-FC0204F1-ABDB-4591-BBE5-62696C02DDB6.shtml
  67. https://www6.h3c.com/en/Support/Resource_Center/EN/Home/Switches/00-Public/Configure___Deploy/Configuration_Guides/H3C_IE4300_IE4320_Switch_Series_CGs_R63xx-21358/03/202507/2578778_294551_0.htm
  68. https://www.winco.com.hk/support/emulator/WGS3-24000_UI_SAMPLE/WGS3-24000_UI_SAMPLE/help_pbvlan.html
  69. https://www.cisco.com/c/en/us/support/docs/smb/switches/cisco-350-series-managed-switches/smb5673-configure-protocol-based-vlan-groups-on-a-switch-through-the.html
  70. https://kb.netgear.com/21602/How-do-I-create-a-protocol-based-VLAN-using-the-web-interface-on-my-managed-switch
  71. https://www.diva-portal.org/smash/get/diva2:861021/FULLTEXT01.pdf
  72. https://www.cisco.com/c/en/us/td/docs/routers/7600/ios/15S/configuration/guide/7600_15_0s_book/802_1ad.html
  73. https://www.juniper.net/documentation/us/en/software/junos/multicast-l2/topics/topic-map/q-in-q.html
  74. https://standards.ieee.org/ieee/802.1Q/4410/
  75. https://dl.cdn-anritsu.com/en-us/test-measurement/files/Application-Notes/Application-Note/Stacked_VLAN_Application_Note_V_1.2.pdf
  76. https://standards.ieee.org/ieee/802.1Qav/
  77. https://www.cisco.com/c/en/us/td/docs/switches/metro/me3400e/software/release/12-2_44_ey/configuration/guide/3400escg/swtunnel.pdf
  78. https://www.juniper.net/documentation/us/en/software/junos/evpn/topics/concept/evpn-vpws-flexible-cross-connect-support-overview-mx-series.html
  79. https://www.ietf.org/archive/id/draft-ietf-bess-evpn-vpws-fxc-12.html
  80. https://documentation.nokia.com/acg/23-7-2/books/classic-cli-part-ii/c099-evpn-for-mpls.html
  81. https://standards.ieee.org/ieee/802.1Qat/5175/
  82. https://standards.ieee.org/ieee/802.1Qcc/5784/
  83. https://datatracker.ietf.org/doc/html/draft-ietf-netmod-sub-intf-vlan-model-07
  84. https://ieeexplore.ieee.org/iel7/9212763/9212764/09212765.pdf
  85. https://www.techtarget.com/searchsecurity/definition/VLAN-hopping
  86. https://learningnetwork.cisco.com/s/blogs/a0D3i000002SKPREA4/vlan1-and-vlan-hopping-attack
  87. https://learningnetwork.cisco.com/s/question/0D53i00000KsunnCAB/common-layer-2-threats-and-how-to-mitigate-them
  88. https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9200/software/release/17-13/configuration_guide/sec/b_1713_sec_9200_cg/port_security.html
  89. https://www.cisco.com/c/en/us/support/docs/lan-switching/private-vlans-pvlans-promiscuous-isolated-community/40781-194.html
  90. https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/layer2/503_n2_1/503_n2_1nw/Cisco_n5k_layer2_config_gd_rel_503_N2_1_chapter5.pdf
  91. https://www.cisa.gov/sites/default/files/2025-07/ZT-Microsegmentation-Guidance-Part-One_508c.pdf
  92. https://blogs.cisco.com/security/defining-a-standard-taxonomy-for-segmentation
  93. https://www.ieee.li/pdf/viewgraphs/exploring_the_ieee_802_ethernet_ecosystem.pdf
  94. https://techdocs.broadcom.com/content/dam/broadcom/techdocs/us/en/pdf/data-center-solutions/netxtreme/EtherNIC-Ctrl-UG2XX.pdf
  95. https://www.geeksforgeeks.org/computer-networks/whats-a-broadcast-storm/
  96. https://networklessons.com/spanning-tree/spanning-tree-stp-limitations
  97. https://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/10556-16.html
  98. https://www.cisco.com/c/en/us/support/docs/switches/catalyst-6000-series-switches/23563-143.html
  99. https://www.cisco.com/c/en/us/support/docs/lan-switching/virtual-lans-vlan-trunking-protocol-vlans-vtp/23637-slow-int-vlan-connect.html
  100. https://www.ciscopress.com/articles/article.asp?p=2999385&seqNum=3
  101. https://www.cisco.com/c/en/us/td/docs/dcn/aci/apic/6x/verified-scalability/cisco-aci-verified-scalability-guide-614.html
  102. https://community.cisco.com/t5/switching/cisco-switch-maximum-number-of-vlan-support/td-p/4456815
  103. https://www.cisco.com/c/en/us/td/docs/dcn/whitepapers/cisco-application-centric-infrastructure-design-guide.html
Add your contribution
Related Hubs
User Avatar
No comments yet.