VLANs - It's all a game of tag

A long time ago in an industry that has rapidly changed, there was the local-area network (LAN).  The LAN was a single broadcast domain where all devices would hear broadcast traffic.


As LANs grew and broadcasts increased, traffic became congested, security threats grew, and segmentation was needed.  The LAN needed to be divided.  In the old days, one could run new dedicated cable, install a separate new switch, get a router to route traffic between the two LANs, and all was well.


Luckily, a better solution became available.  Instead of running more cable and buying more switches, virtual LANs (VLANs) came to be.  The way VLANs work is actually quite simple; it’s all a game of tag!


First you need to identify the VLANs.  Each VLAN is identified by a number.  The default VLAN is VLAN 1.  Let’s say that we add VLAN 2.  We now have two different VLANs.  In order to distinguish which frames belong to which LAN (VLAN), an ID tag is inserted into the frame.  The ID tag matches the VLAN ID number.  As frames flow through different switches, each switch needs to know about the VLANs in use, and the tag needs to remain intact along the way.  In Cisco terms, switch ports that carry tagged frames are called trunk ports.  Ports that do not allow tags are called access ports.


By default the main VLAN is VLAN 1.  If we have a network with just one VLAN, no tagging is needed because there is only one VLAN and no other VLANs to identify.  When VLAN 2 is added, the VLAN tag is added to frames that are a part of VLAN 2.  We now have two VLANs, and at least one of them must be tagged to be identified.  Now, let’s add VLAN 3.  In this setup, two VLANs would need to be tagged and one would not, because it was the original LAN (VLAN).  The VLAN that is not tagged is known as the native VLAN.


There are a lot of questions of when and why to use the native VLAN or if you should use the native VLAN at all.  As always in IT, the answer is, it depends on what you are doing. VLAN 1 does not have to be your management VLAN.  It does not have to be the native or untagged VLAN. You can do whatever you need for your environment.  Typically, I do not use the native VLAN for security reasons, and I choose to tag everything. 


However, there are times where the native or untagged VLAN is a necessity.  Take a wireless access point for example.  Let’s say there is a customer that has an access point that has 3 different Wi-Fi network names, and each wireless network name (SSID) maps to a different VLAN.  Let’s say that the VLANs for these wireless networks are VLAN 41, 42, and 43.  The access point itself needs to reside in a VLAN for management purposes.  We’ll put the AP in VLAN 90.  Furthermore, you want to use DHCP to assign your AP an IP address.  Notice VLAN 1 is not in use in this example.  So, when your AP is plugged in, how does it know which VLAN to use? 

Here is where the native VLAN or untagged VLAN comes in.  By using an untagged VLAN as your management VLAN, the AP will use the untagged VLAN to request its DHCP address.  On your AP, you would need to assign the native VLAN as 90 and do the same thing on your switch port (on a Cisco switch: switchport trunk native vlan 90).  The AP would then use VLAN 90 as its management VLAN, and VLANs 41, 42, and 43 would be used for the wireless networks.
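To make the game of tag concrete, here is an added Python example (not from the original post) that inserts and parses an 802.1Q tag and models how a trunk port with native VLAN 90 assigns tagged and untagged frames to VLANs; the frame bytes and the allowed-VLAN list are constructed sample data.

```python
import struct
from typing import Optional, Set, Tuple

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag right after the two MAC addresses (offset 12)."""
    if not 1 <= vid <= 4094:  # 0 and 4095 are reserved by 802.1Q
        raise ValueError("VID must be 1..4094")
    tci = (pcp << 13) | vid  # TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_frame(frame: bytes) -> Tuple[Optional[int], int, bytes]:
    """Return (vid or None if untagged, ethertype, payload) for a raw Ethernet frame."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        vid = tci & 0x0FFF
        ethertype = struct.unpack("!H", frame[16:18])[0]
        return vid, ethertype, frame[18:]
    return None, ethertype, frame[14:]


def classify_on_trunk(frame: bytes, native_vlan: int, allowed: Set[int]) -> Optional[int]:
    """Decide which VLAN a frame arriving on a trunk port belongs to.

    Untagged frames (and VID 0, which is priority-tagged only) land in the
    native VLAN; tagged frames must carry a VID allowed on the trunk,
    otherwise the switch drops them (returned as None)."""
    vid, _, _ = parse_frame(frame)
    if vid is None or vid == 0:
        vid = native_vlan
    return vid if vid in allowed else None


# Constructed sample: the AP's untagged frame (broadcast DHCP-style, dummy payload)
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("0200deadbeef")  # locally administered, made-up MAC
UNTAGGED = DST + SRC + struct.pack("!H", 0x0800) + b"dhcp discover placeholder"
WIFI_GUEST = tag_frame(UNTAGGED, vid=43)  # same frame as sent on the third SSID

TRUNK_ALLOWED = {41, 42, 43, 90}  # VLANs permitted on the AP's trunk port
```

With native VLAN 90, classify_on_trunk(UNTAGGED, 90, TRUNK_ALLOWED) returns 90 and the tagged copy returns 43, which is exactly why the AP can fetch its DHCP lease before it knows any VLAN numbers.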


The terminology can be confusing, especially when dealing with different networking vendors, because they use different terminology to describe the same thing.  The native VLAN, as Cisco calls it, is the same thing that HP calls the untagged VLAN.  If you understand the game of tag that is going on with VLAN identification, regardless of the terminology, VLANs are a simple concept to understand.  It’s all a game of tag!  The 802.1Q tag, that is.