Basics of VLAN and Q-in-Q Tunneling

VLAN stands for Virtual Local Area Network. It's a network protocol used to create logically segmented networks within a physical network. Each VLAN forms its own broadcast domain, which means devices in the same VLAN can communicate with each other directly, but to communicate with devices in a different VLAN, they must go through a router.

VLAN is a crucial technology that allows for better management, security, flexibility, and optimization of network resources, improving overall network performance and efficiency. It was invented to overcome the limitations of traditional LAN technologies by providing logical segmentation and efficient utilization of network resources.

Components of VLAN:

  1. VLAN ID: Each VLAN is identified by a unique VLAN ID, typically ranging from 1 to 4095.

  2. Tagging: VLANs use tagging to identify network frames as belonging to a particular VLAN. A standard called IEEE 802.1Q inserts a tag in the Ethernet frame, marking it as belonging to a specific VLAN.

Why VLAN Was Invented:

VLAN was invented for several key reasons:

  1. Security: VLANs allow network administrators to group users by logical instead of physical connections, which can enhance security. Users can be segmented by department or function, isolating sensitive information and applications.

  2. Reduced Network Congestion: By segregating large broadcast domains into smaller ones, VLANs reduce network traffic, congestion, and collisions. This enables more efficient use of network bandwidth.

  3. Ease of Management: VLANs facilitate easier network management and configuration, allowing administrators to add, change, or move devices logically without requiring physical changes to the network cabling.

  4. Cost-Efficiency: They offer a cost-effective solution to enhance network performance without the need for extensive physical network modifications or additional hardware.

  5. Enhanced Performance: Dividing a network into VLANs can optimize network performance by reducing the amount of broadcast traffic each device has to process, thus improving the network's speed and efficiency.

  6. Flexibility and Scalability: VLANs provide a flexible and scalable way to adapt the network to the changing needs of an organization. They allow logical grouping of network users and resources, regardless of their physical location.

Working Mechanism:

Here is a simplified working mechanism of VLAN:

  1. Creation and Assignment: Network administrators create VLANs on switches and assign each port on a switch to a specific VLAN.

  2. Tagging: When a device sends a frame to a switch, the switch tags the frame with the VLAN ID of the port it received the frame on.

  3. Forwarding: The switch only forwards frames to ports that are assigned to the same VLAN as the incoming frame.

  4. Routing between VLANs: To enable communication between different VLANs, a router or a Layer 3 switch is needed to route packets between them, as each VLAN is a separate subnet.

Access and Trunk ports in VLAN

In VLAN configurations, ports on a switch are typically assigned as either Access ports or Trunk ports, each serving a distinct purpose in the network.

1. VLAN Access Ports:

Access ports are the network ports that are connected to end devices like computers, printers, and servers. Each access port is assigned to only one VLAN and marks frames with the VLAN ID as they enter the switch.

Characteristics of Access Ports:

  • Single VLAN Assignment: Access ports are members of one and only one VLAN.

  • Untagged Frames: Frames sent from access ports do not have a VLAN tag. The switch automatically assigns the VLAN tag as the frame enters the switch, based on the configured VLAN for the port.

  • Ingress Filtering: If a frame with a VLAN tag is received on an access port, it is typically dropped.

Use Case of Access Ports:

Access ports are used when the connected device does not require knowledge or understanding of VLANs, i.e., it is typically used for endpoints like PCs, laptops, printers, etc.

2. VLAN Trunk Ports:

Trunk ports are used to carry traffic from multiple VLANs between switches, routers, and servers, allowing them to share VLAN information. A Trunk port typically connects to another switch or a router.

Characteristics of Trunk Ports:

  • Multiple VLANs: Trunk ports can carry traffic for multiple VLANs.

  • Tagged Frames: Frames sent from trunk ports usually carry VLAN tags (using the IEEE 802.1Q standard), specifying the VLAN to which the frame belongs.

  • Native VLAN: Trunk ports are typically configured with a native VLAN, whose traffic is untagged. If a frame doesn’t have a VLAN tag as it arrives on a trunk port, the switch assigns the native VLAN to the frame.

Use Case of Trunk Ports:

Trunk ports are essential when there is a need to maintain VLAN information across multiple devices, such as between switches or between a switch and a router in router-on-a-stick configurations.


Consider a scenario where there are two switches, Switch A and Switch B, each having computers connected to them belonging to VLAN 10 and VLAN 20. To allow computers from VLAN 10 on Switch A to communicate with computers from VLAN 10 on Switch B (and similarly for VLAN 20), a trunk port is set up between Switch A and Switch B to carry traffic for both VLAN 10 and VLAN 20. Access ports on each switch are used to connect the computers to the appropriate VLANs.


  • Access Ports: Connect end devices to the network and are assigned to a single VLAN. Frames are untagged.

  • Trunk Ports: Connect switches, routers, and servers to transport multiple VLANs' traffic. Frames are usually tagged with VLAN IDs, except for frames from the native VLAN.

Native VLAN

Native VLAN refers to a designated VLAN (Virtual Local Area Network) assigned to untagged frames entering a switch port. In a switched network, VLANs are used to segment the network into multiple, isolated broadcast domains, with each VLAN being assigned a unique VLAN ID.

The Native VLAN is essentially the default VLAN that is assigned to a trunk port and is used for untagged traffic. Proper configuration and management of the native VLAN are essential to ensure network security and efficiency.

Basic Concept:

When frames traverse a trunk link, which is designed to transport multiple VLANs, they are tagged with a VLAN identifier to distinguish to which VLAN the frame belongs, except for the frames belonging to the native VLAN. Frames on the native VLAN are sent untagged across the trunk link.

Configuration and Purpose:

  • Configuration: When configuring a trunk link on a switch, a specific VLAN can be assigned as the native VLAN. The default native VLAN ID on most switches is 1, but it can be changed according to the network design.

  • Purpose: The native VLAN provides a way to maintain backward compatibility with network devices that do not support VLAN tagging and is crucial for the transmission of control traffic, like CDP (Cisco Discovery Protocol) and STP (Spanning Tree Protocol).

Potential Security Risks:

The native VLAN can pose a security risk as it may allow the potential for VLAN hopping attacks. If a malicious user sends tagged frames on the native VLAN, those frames might be able to reach other VLANs. To mitigate such risks, it is considered best practice to change the native VLAN to a VLAN ID other than the default, and to ensure that the native VLAN is not used by any user or data VLANs.

Usage Scenario:

Consider a network where there are two VLANs, VLAN 10 and VLAN 20, with VLAN 10 as the native VLAN. When frames from VLAN 20 traverse a trunk link, they are tagged with a VLAN 20 identifier, but frames from VLAN 10 are sent untagged.

Q-in-Q Tunneling

Q-in-Q tunneling, also known as VLAN stacking, is a networking technology often used by service providers to multiplex multiple customer VLANs across the same service provider network. It is based on the IEEE 802.1ad standard, an extension of the original 802.1Q VLAN standard.

How Q-in-Q Works:

  1. Tagging: In Q-in-Q, two VLAN tags are added to each frame - an inner tag and an outer tag.

    • The inner tag denotes the customer’s original VLAN ID and is assigned by the customer's edge device.

    • The outer tag is assigned by the service provider's edge device to differentiate traffic from different customers.

  2. Tunneling: Once the frame is double-tagged, it is then transported across the service provider network. The provider’s switches and routers use only the outer tag to forward the frame and are unaware of the customer’s inner tag.

  3. Untagging: When the frame reaches the other end of the service provider network, the outer tag is removed, and the frame is delivered to the receiving customer’s edge device with the original (inner) VLAN tag intact.

Why Q-in-Q is Important:

  1. Scalability: Q-in-Q allows service providers to create a larger number of unique VLAN identifiers by stacking VLAN tags, which is crucial for servicing multiple customers, each with their own set of VLANs.

  2. Customer VLAN Preservation: Customers can maintain their VLAN configurations, and there is no need for coordination between customer and provider regarding VLAN IDs, allowing for simpler configuration and management.

  3. Isolation and Security: By using different outer tags for each customer, service providers can keep each customer's traffic isolated and secure as it traverses the shared network infrastructure.

  4. Efficiency and Cost-Effectiveness: Service providers can efficiently utilize their infrastructure to transport traffic for multiple customers over a shared network, reducing the need for separate physical networks for each customer and hence lowering costs.


To visualize how Q-in-Q works, imagine Customer A and Customer B, both utilizing VLAN 10 within their respective networks. When Customer A's traffic enters the service provider network, it might be assigned an outer tag of 1001, and Customer B's traffic might be assigned an outer tag of 1002. Despite both customers using VLAN 10 internally, their traffic is kept distinct and isolated within the service provider's network by the unique outer tags.

Customer A VLAN 10 -> [Inner Tag 10, Outer Tag 1001] -> Service Provider Network
Customer B VLAN 10 -> [Inner Tag 10, Outer Tag 1002] -> Service Provider Network

In this manner, Q-in-Q tunneling enables the simultaneous transport of multiple VLANs across a single service provider connection while maintaining customer VLAN configurations and ensuring traffic isolation.


  1. What are VLANs?