VLANs and 802.1Q VLAN Tagging explained


VLANs are a feature of almost all managed network switches. A managed switch will allow you to assign ports to VLAN groups. Devices in one VLAN will not be able to directly communicate with devices in another VLAN. In simple terms, creating VLANs is a bit like splitting a switch into multiple smaller switches.

Why would I buy an expensive managed switch when I could just buy multiple cheap unmanaged switches, I hear you ask. Well, a port can be assigned to multiple VLANs. If you wanted to, for example, break (254 usable IP addresses) into 2 groups of and you could create 2 VLANs, one for devices in each IP range. You could then have an administrative terminal connected to a switch port which is in both VLANs. This administrative terminal can then access devices in both IP ranges.

So what is 802.1Q VLAN tagging? Well, it allows a single port to access multiple VLANs, even if devices in each VLAN are in a different IP subnet. For example, if your network had two departments, one which used and the other which used, you could create two VLANs as described above. You could then create an 802.1Q VLAN tagged port on the switch and connect a device such as an administrative computer or a router into it. You would then configure the administrative computer or router to assign it 2 IP addresses (for example and and associate each IP with the correct VLAN. Every packet of data that is sent from the router to the switch would tell the switch which VLAN it is for (and vice versa).

Here is an example use case for 802.1Q VLANs:

A switch has 3 VLANs on it…

  1. Ports 1-4 :: Internet facing devices such as the modem and servers
  2. Ports 5-14 :: Devices in the finance department
  3. Ports 14-20 :: Devices in the HR department

In ports 1-4 (VLAN1) we have connected the modem and a Linux server. These have public IP addresses in the range. In ports 5-14 we have connected PCs in the finance department which have private IP addresses in the range. In ports 14-20 we have devices in the HR department which have private IP addresses in the range.

Port 21 is 802.1Q VLAN tagged with access to all 3 VLANs. Into this port, we have connected a router. This router has an IP address for each VLAN (, and The router routes packets between the three VLANs to give private IPs access to the Internet, using NAT, as well as routing packets between the two private subnets to give the HR department access to files in the finance department and vice versa.
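To make the tagging concrete, here is an added example (not from the original article) that builds and parses the 802.1Q tag itself (TPID 0x8100, then a 16-bit TCI holding 3-bit PCP, 1-bit DEI and 12-bit VID) and models the switch from the use case above: access ports 1-4, 5-14 and 15-20 for VLANs 1, 2 and 3 (port 14 placed in the finance VLAN), with port 21 as the tagged router port. The switch model, the port layout and the frames are all constructed for this example; it drops tagged frames arriving on access ports and untagged, reserved (4095) or non-permitted VIDs on the tagged port, which is the behaviour a defender wants when checking that a trunk cannot be hopped into a VLAN it was not assigned.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag follows

def parse_frame(frame: bytes) -> dict:
    """Return dst/src, EtherType, payload and, if tagged, the 802.1Q PCP/DEI/VID."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"), "vid": None}
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])  # Tag Control Information + inner type
        info.update(pcp=tci >> 13, dei=(tci >> 12) & 1, vid=tci & 0x0FFF)
        info["payload"] = frame[18:]
    else:
        info["payload"] = frame[14:]
    info["ethertype"] = ethertype
    return info

def build_frame(dst: str, src: str, ethertype: int, payload: bytes, vid=None, pcp=0) -> bytes:
    """Build an Ethernet frame, inserting an 802.1Q tag when vid is given."""
    head = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        head += struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF))
    return head + struct.pack("!H", ethertype) + payload

# Constructed switch layout following the article's use case (access port -> VLAN).
ACCESS = {}
for p in range(1, 21):
    ACCESS[p] = 1 if p <= 4 else 2 if p <= 14 else 3
TRUNK = {21: {1, 2, 3}}  # port 21 carries VLANs 1-3 tagged; no untagged (native) VLAN

def forward(ingress_port: int, frame: bytes):
    """Classify a frame into a VLAN; return (vid, egress ports) or (None, set()) if dropped."""
    vid = parse_frame(frame)["vid"]
    if ingress_port in ACCESS:
        if vid not in (None, 0):      # access ports accept only untagged or priority-tagged (VID 0)
            return None, set()
        vid = ACCESS[ingress_port]    # untagged frame takes the port's VLAN
    elif ingress_port in TRUNK:
        if vid in (None, 0, 4095) or vid not in TRUNK[ingress_port]:
            return None, set()        # untagged, reserved, or VID not permitted on this trunk
    else:
        return None, set()
    members = {p for p, v in ACCESS.items() if v == vid} | {p for p, s in TRUNK.items() if vid in s}
    return vid, members - {ingress_port}
```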