VLANs don’t isolate traffic physically. An 802.1Q VLAN is a Layer 2 construct that the switch enforces in its forwarding logic: frames from every VLAN share the same wires, the same switch fabric and, on a trunk, the same link. The separation is exactly as strong as the switch configuration that implements it, and no stronger.
Let’s see how this actually plays out. Imagine you have a network with a main switch and a couple of servers connected directly. We’ll set up two VLANs: VLAN 10 for "internal" services and VLAN 20 for "guest" access.
Here’s a simplified view of the switch configuration:
interface GigabitEthernet1/0/1
description Uplink to Router
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/0/2
description Server A (Internal)
switchport mode access
switchport access vlan 10
spanning-tree portfast
!
interface GigabitEthernet1/0/3
description Server B (Guest)
switchport mode access
switchport access vlan 20
spanning-tree portfast
!
interface GigabitEthernet1/0/4
description Guest Workstation
switchport mode access
switchport access vlan 20
spanning-tree portfast
!
vlan 10
name Internal_Services
!
vlan 20
name Guest_Access
!
On our Linux servers, Server A (internal) and Server B (guest), the interface configuration has to match the switch port each one is plugged into. Gi1/0/2 and Gi1/0/3 are access ports, so the switch delivers untagged frames to each server and expects untagged frames back. The server needs no VLAN awareness at all; you simply address eth0 (by hand here, or in networkd or NetworkManager).
For Server A:
sudo ip link set eth0 up
sudo ip addr add 192.168.10.10/24 dev eth0
And for Server B:
sudo ip link set eth0 up
sudo ip addr add 192.168.20.20/24 dev eth0
A host creates its own 802.1Q sub-interfaces only when its switch port is a trunk, for example a server that must be reachable in both VLANs at once. The old vconfig tool has been dropped from current distributions; the iproute2 form for a VLAN 10 sub-interface is:
sudo ip link add link eth0 name eth0.10 type vlan id 10
sudo ip link set eth0.10 up
sudo ip addr add 192.168.10.10/24 dev eth0.10
Mixing the two, a tagged eth0.10 behind an access port, does not work: the access port has no trunk to carry the tag and the switch will generally drop the tagged frames (the exact treatment of a tag that matches the access VLAN varies by platform).
The key here is the pairing of port mode and host configuration. Gi1/0/2 is an access port in VLAN 10 and Gi1/0/3 is an access port in VLAN 20, so each server sends and receives plain, untagged frames and the switch does the VLAN bookkeeping: an untagged frame arriving on Gi1/0/2 is recorded as belonging to VLAN 10 and is forwarded only to other VLAN 10 access ports (still untagged) or onto the trunk Gi1/0/1 with an 802.1Q tag carrying VID 10. Frames from Gi1/0/3 and Gi1/0/4 are handled the same way with VID 20.
This configuration segments the network at Layer 2. Server B and the guest workstation share one broadcast domain, Server A sits alone in another, and no frame ever crosses from VLAN 10 to VLAN 20 inside the switch. The only path between them is a router or Layer 3 switch reachable over the trunk, which is also the only place where you can decide what is allowed to cross.
The problem this solves is network segmentation for security and broadcast domain reduction. If you have a public-facing server and internal corporate servers, you don’t want them sharing the same broadcast domain. A broadcast storm on the guest network shouldn’t impact your internal systems. With VLANs, these are separate logical networks even if they share physical cabling.
Internally, the switch implements this with IEEE 802.1Q. A tag is a 4-byte field inserted between the source MAC address and the EtherType: a 16-bit TPID of 0x8100 that identifies the tag, followed by a 16-bit TCI holding a 3-bit priority, a 1-bit drop-eligible flag and the 12-bit VLAN ID (usable VIDs run from 1 to 4094; 0 and 4095 are reserved). Frames received on an access port arrive untagged and are simply associated with the port’s VLAN; when they leave on a trunk such as the uplink to the router, the switch inserts the tag, and a frame arriving tagged on the trunk has its tag stripped before it leaves an access port. The one exception is the trunk’s native VLAN (VLAN 1 by default on Cisco), whose frames cross the trunk untagged. This tagging and untagging is how the switch, and the router at the far end of the trunk, know which logical network a frame belongs to.
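To make the tag handling concrete, here is a small Python model of the 802.1Q logic just described. It is an example added for this page, not code from any switch vendor: it inserts and strips the 4-byte tag and floods a frame through the four ports of the configuration shown earlier. The port names and the sample broadcast frame are constructed for the example, and the rule that an access port drops a tagged frame for another VLAN is a simplification, since real switches differ in how they treat a tag equal to the access VLAN or VID 0.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

TPID_8021Q = 0x8100   # Tag Protocol Identifier that marks an 802.1Q tag
MAC_HDR = 12          # dst MAC (6) + src MAC (6); the tag is inserted right after them


def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag (TPID + TCI) between the source MAC and the EtherType."""
    if not 0 <= vid <= 4095:
        raise ValueError("VID is a 12-bit field")
    tci = (pcp & 0x7) << 13 | (dei & 0x1) << 12 | vid
    return frame[:MAC_HDR] + struct.pack("!HH", TPID_8021Q, tci) + frame[MAC_HDR:]


def parse_tag(frame: bytes) -> Optional[int]:
    """Return the VID of the outer 802.1Q tag, or None for an untagged frame."""
    if len(frame) < MAC_HDR + 4:
        return None
    tpid, tci = struct.unpack("!HH", frame[MAC_HDR:MAC_HDR + 4])
    return tci & 0x0FFF if tpid == TPID_8021Q else None


def untag_frame(frame: bytes) -> bytes:
    """Strip the outer 802.1Q tag; this is what the switch does on egress to an access port."""
    if parse_tag(frame) is None:
        return frame
    return frame[:MAC_HDR] + frame[MAC_HDR + 4:]


@dataclass
class Port:
    mode: str                                       # "access" or "trunk"
    vlan: int = 1                                   # access VLAN, or native VLAN on a trunk
    allowed: Set[int] = field(default_factory=set)  # VLANs carried tagged on a trunk


def ingress(port: Port, frame: bytes) -> Optional[Tuple[int, bytes]]:
    """Classify an arriving frame into a VLAN; None means the switch drops it."""
    vid = parse_tag(frame)
    if port.mode == "access":
        # An access port expects untagged frames. A tag for some other VLAN is dropped,
        # which is why a host sub-interface such as eth0.20 is useless behind an access port.
        if vid is not None and vid != port.vlan:
            return None
        return port.vlan, untag_frame(frame)
    if vid is None:              # untagged on a trunk: native VLAN
        return port.vlan, frame
    if vid not in port.allowed:  # pruned VLAN
        return None
    return vid, untag_frame(frame)


def egress(port: Port, vid: int, frame: bytes) -> Optional[bytes]:
    """Encode an untagged frame for one outgoing port; None if that VLAN is not on the port."""
    if port.mode == "access":
        return frame if vid == port.vlan else None
    if vid == port.vlan:         # native VLAN leaves a trunk untagged
        return frame
    return tag_frame(frame, vid) if vid in port.allowed else None


def flood(ports: Dict[str, Port], in_port: str, frame: bytes) -> Dict[str, bytes]:
    """Flood a broadcast/unknown-unicast frame to every other port in the same VLAN."""
    classified = ingress(ports[in_port], frame)
    if classified is None:
        return {}
    vid, plain = classified
    out: Dict[str, bytes] = {}
    for name, port in ports.items():
        if name == in_port:
            continue
        encoded = egress(port, vid, plain)
        if encoded is not None:
            out[name] = encoded
    return out


# Constructed sample switch: the four ports from the configuration shown earlier.
SWITCH: Dict[str, Port] = {
    "Gi1/0/1": Port("trunk", vlan=1, allowed={10, 20}),  # uplink to router
    "Gi1/0/2": Port("access", vlan=10),                  # Server A (Internal)
    "Gi1/0/3": Port("access", vlan=20),                  # Server B (Guest)
    "Gi1/0/4": Port("access", vlan=20),                  # Guest Workstation
}

# Constructed broadcast frame: dst ff:ff:ff:ff:ff:ff, src 02:00:00:00:00:01, EtherType ARP, stub payload.
BROADCAST = bytes.fromhex("ffffffffffff" "020000000001" "0806") + b"arp-request-stub"


if __name__ == "__main__":
    cases = (("Gi1/0/2", BROADCAST), ("Gi1/0/4", BROADCAST), ("Gi1/0/2", tag_frame(BROADCAST, 20)))
    for port, frame in cases:
        out = flood(SWITCH, port, frame)
        print(port, "->", {name: parse_tag(f) for name, f in out.items()} or "dropped / no members")
```

Run it and the three cases print the page's forwarding rules: a broadcast from Server A leaves only on the trunk with VID 10, one from the guest workstation reaches Server B untagged and the trunk with VID 20, and a frame Server A tags with VID 20 never leaves the switch.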
The most surprising thing about VLANs is how easily the isolation can be bypassed when the switch is left at its defaults. VLAN membership is decided entirely by the switch configuration, so the weak points are the ports themselves. A port left in Cisco’s default dynamic (DTP) mode will negotiate a trunk with anything that speaks DTP; a compromised host on such a port then receives the broadcast and flooded traffic of every VLAN the trunk carries and can tag its own frames into any of them, VLAN 10 included, from a port you thought was guest-only. A trunk whose native VLAN is also used for hosts lets untagged frames slip between the two. And a rogue switch plugged into a trunk port passes tagged frames through untouched (most unmanaged switches forward 802.1Q frames transparently), so everyone behind it sees every VLAN on the trunk; plugged into an access port for a sensitive VLAN, it simply extends that VLAN to whoever connects to it. The countermeasures are all per-port: give every port an explicit switchport mode plus switchport nonegotiate, prune trunks with switchport trunk allowed vlan and move their native VLAN to an unused ID, enable spanning-tree bpduguard on access ports (which catches switches that speak STP) and switchport port-security with a MAC limit (which catches unmanaged ones that do not), and shut down unused ports.
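As an added check, written for this page rather than taken from it or from Cisco, the audit below parses IOS-style interface blocks and reports which of the per-port settings just listed are missing. The first configuration string is an excerpt of the switch configuration shown earlier; the hardened version beside it is an assumed rewrite of the same two ports using standard IOS keywords (switchport nonegotiate, switchport trunk allowed vlan, switchport trunk native vlan, spanning-tree bpduguard enable, switchport port-security), with VLAN 999 picked arbitrarily as an unused native VLAN.

```python
from typing import Dict, List

# Constructed input: an excerpt of the switch configuration shown earlier on this page.
CONFIG_AS_SHOWN = """
interface GigabitEthernet1/0/1
 description Uplink to Router
 switchport mode trunk
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/2
 description Server A (Internal)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
"""

# Assumed hardened rewrite of the same two ports (standard IOS keywords; VLAN 999 is an
# arbitrary unused native VLAN chosen for this example).
CONFIG_HARDENED = """
interface GigabitEthernet1/0/1
 description Uplink to Router
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 10,20
 switchport trunk native vlan 999
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/2
 description Server A (Internal)
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 1
 spanning-tree portfast
 spanning-tree bpduguard enable
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split an IOS-style running config into {interface name: [stripped lines]}."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line == "!" or not line:
            current = None          # '!' ends a block in IOS output
        elif current is not None:
            blocks[current].append(line)
    return blocks


def audit(config: str) -> List[str]:
    """Report per-port settings whose absence lets a host change its own VLAN membership."""
    findings: List[str] = []
    for name, lines in parse_interfaces(config).items():
        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
        if mode not in ("access", "trunk"):
            # IOS default is 'dynamic auto': the port negotiates a trunk over DTP with anyone.
            findings.append(f"{name}: no explicit switchport mode, DTP will negotiate a trunk")
            continue
        if "switchport nonegotiate" not in lines:
            findings.append(f"{name}: DTP still answered (missing switchport nonegotiate)")
        if mode == "trunk":
            if not any(l.startswith("switchport trunk allowed vlan ") for l in lines):
                findings.append(f"{name}: trunk carries every VLAN (no switchport trunk allowed vlan)")
            if not any(l.startswith("switchport trunk native vlan ") for l in lines):
                findings.append(f"{name}: native VLAN left at 1, untagged frames land in VLAN 1")
        else:
            # BPDU guard shuts the port when a switch speaking STP appears; port security
            # catches an unmanaged switch, which sends no BPDUs but shows several MACs.
            if "spanning-tree bpduguard enable" not in lines:
                findings.append(f"{name}: no spanning-tree bpduguard enable")
            if "switchport port-security" not in lines:
                findings.append(f"{name}: no switchport port-security (MAC count unlimited)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as shown", CONFIG_AS_SHOWN), ("hardened", CONFIG_HARDENED)):
        print(f"{label}: {audit(cfg) or ['clean']}")
```

Against the excerpt as shown the audit returns six findings, three per port; against the hardened rewrite it returns none. Feed it the output of show running-config from a real switch and it will also flag ports that have no switchport mode line at all, which is the dynamic default.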
The next step in securing this setup is the inter-VLAN routing policy: a router, firewall or Layer 3 switch acts as the gateway for each VLAN, and access control lists (ACLs) on it permit only the flows you intend, for example guest traffic out to the Internet and nothing from VLAN 20 into VLAN 10.