VLAN Port Configuration Cheatsheet

Core Concepts

VLAN (Virtual Local Area Network)

  • What it is: A logical network segment created within a physical network
  • Purpose: Separates traffic at Layer 2, improving security and reducing broadcast domains
  • VLAN ID: Number from 1-4094 that identifies each VLAN

Port Types & Configurations

1. Access Port

  • Definition: A port that belongs to exactly ONE VLAN
  • Frame handling:
    • Incoming: Accepts untagged frames only
    • Outgoing: Sends untagged frames only
  • Use case: Connecting end devices (PCs, printers, phones)

  • Configuration example:

    switchport mode access
switchport access vlan 10

2. Trunk Port

  • Definition: A port that carries traffic for MULTIPLE VLANs
  • Frame handling:
    • Incoming: Accepts both tagged and untagged frames
    • Outgoing: Sends tagged frames (except for native VLAN)
  • Use case: Connecting switches, routers, or servers that need multiple VLANs

  • Configuration example:

    switchport mode trunk
switchport trunk allowed vlan 10,20,30
switchport trunk native vlan 99

Frame Tagging Concepts

Tagged Frames

  • What: Ethernet frames with 802.1Q VLAN tag inserted
  • Contains: 4-byte tag with VLAN ID and priority info
  • When used: On trunk links for non-native VLANs
  • Purpose: Identifies which VLAN the frame belongs to

Untagged Frames

  • What: Regular Ethernet frames without VLAN tag
  • When used:
    • All frames on access ports
    • Native VLAN frames on trunk ports
  • Purpose: Normal traffic from devices that don’t understand VLANs

Native VLAN

  • Definition: The VLAN whose traffic crosses a trunk link WITHOUT tags
  • Default: Usually VLAN 1 (but should be changed for security)
  • Purpose:
    • Backward compatibility with non-VLAN devices
    • Management traffic
    • CDP/LLDP/BPDU frames
  • Security note: Should match on both ends of trunk link

Quick Reference Table

Port Type VLANs Carried Incoming Frames Outgoing Frames Typical Use
Access 1 VLAN Untagged only Untagged only End devices
Trunk Multiple VLANs Tagged & Untagged Tagged (except native) Switch-to-switch

Practical Examples

Scenario 1: PC Connection 

PC → [Access Port VLAN 10] → Switch
- PC sends untagged frames
- Switch adds VLAN 10 internally
- Frames stay in VLAN 10

Scenario 2: Switch-to-Switch Connection 

Switch A [Trunk] ←→ [Trunk] Switch B
- VLAN 10 traffic: Tagged with 10
- VLAN 20 traffic: Tagged with 20
- VLAN 99 (native): Untagged

Scenario 3: Router on a Stick 

Router (subinterfaces) → [Trunk] → Switch
- Router.10: Receives VLAN 10 tagged
- Router.20: Receives VLAN 20 tagged
- Router.99: Receives native (untagged)

Common Commands

Cisco IOS 

# View VLAN information
show vlan brief
show interfaces trunk
show interfaces switchport

# Configure access port
interface gi0/1
  switchport mode access
  switchport access vlan 10

# Configure trunk port
interface gi0/24
  switchport mode trunk
  switchport trunk native vlan 99
  switchport trunk allowed vlan 10,20,30

Linux (with vconfig or ip) 

# Add VLAN interface
ip link add link eth0 name eth0.10 type vlan id 10

# Bring up VLAN interface
ip link set eth0.10 up

# Assign IP to VLAN interface
ip addr add 192.168.10.1/24 dev eth0.10

Key Takeaways

  1. Access ports = One VLAN, no tags, for end devices
  2. Trunk ports = Multiple VLANs, uses tags, for infrastructure
  3. Tagged = Has VLAN ID in frame header
  4. Untagged = No VLAN ID in frame header
  5. Native VLAN = The untagged VLAN on a trunk

Security Best Practices

  • Change native VLAN from default (VLAN 1)
  • Use VLAN pruning on trunks (only allow needed VLANs)
  • Disable unused ports or put in unused VLAN
  • Enable port security on access ports
  • Use Private VLANs for enhanced isolation where needed

This project is for educational and home lab purposes.