VLANs: Why You Need Them and How They Work (Part 2)

VLANs, or Virtual Local Area Networks, are one of the most powerful, most misunderstood and underutilized tools for Wi-Fi networks in private homes and small-to-medium businesses. This post is part two of three articles on VLANs and provides a practical guide as to why and how you should use them.

How do VLANs work?

Client devices don’t know, and generally shouldn’t know, anything about the VLAN configuration of a network. All VLAN configuration is done on the network router, switch(es), and access point(s). When a client device sends data, each packet is “tagged” as it enters the network so it can be routed to the correct destination, in much the same way your luggage is tagged when you check it at the airport. When the data reaches its intended destination, the tag is removed, which is commonly referred to as either “untagging” or “stripping the tag”.

In networking, the VLAN tag is a 4-byte element inserted into the Media Access Control (MAC) header of the packet. This element contains a 12-bit number indicating the VLAN ID (or VID), meaning that, in theory, a network can have 2^12 or 4096 tags. The all-zero and all-one tags (i.e. VLAN 0 and VLAN 4095) are not used, per the 802.1Q specification. Furthermore, VLAN 1 is reserved for “untagged traffic,” meaning that any data traffic in a network that does not have a VLAN tag is considered to be on VLAN 1. This is why all switch and access point VLANs are defaulted to VLAN 1.

By default, each port on a switch will drop VLAN traffic, so any VLAN traffic that is allowed through a switch port must be explicitly defined in the switch configuration. Trunk ports are used to interconnect switches (and access points), where each VLAN in use on the network is explicitly defined as a tagged VLAN, meaning that the switch will pass traffic on that VLAN without touching the VLAN tag.

The tagging/untagging mechanisms in switches and access points differ depending on whether the client is wired or wireless, but functionally they are identical:


  • A wireless client associates to a particular SSID. In the AP configuration, the SSID is associated with a particular VLAN. All traffic coming from a wireless client is tagged with the VLAN ID associated with the SSID. The AP strips the tag associated with the SSID for all data traffic transmitted to a wireless client.
  • So, from the perspective of the switch, all traffic coming from or going to an access point is tagged.


  • #1 The PVID, or Port VLAN ID, indicates the VLAN ID that should be tagged onto all traffic coming into the port (i.e. from the wired client). Since each port has allowed VLANs explicitly defined on it, an untagged VLAN can be defined, such that any traffic on that particular VLAN gets its tag stripped before the traffic leaves the port. By definition, a wired port connected to a client can have only one PVID and should have only one untagged VLAN. These two should match in order for the connected wired client to communicate in both directions on that VLAN.
  • #2 The router configuration similarly becomes a bit more complex. Each VLAN on the network is considered to be a sub-interface of the LAN interface (since multiple VLANs exist on the same physical wire/NIC). So, instead of defining an IP address, subnet, and DHCP range for a single LAN, each VLAN is treated as a separate LAN, and requires an independent subnet, IP address, and DHCP range.*

Typically, VLANs are used to keep the various LAN subnets isolated, so the router is generally routing WAN to VLAN. Cross-VLAN routing can be done in specific instances, and usually requires the setup of explicit rules with particular exceptions.

One common example would be a hotel with a printer in the lobby. If staff and guests are both meant to use the printer, it could be placed on the visitor VLAN with router rules defined to route traffic from the operations VLAN to the printer on the visitor VLAN. In such a case, however, it is often simpler and cheaper to just buy two printers.
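The 4-byte tag and the port behaviour described earlier in this post (PVID tagging on the way in, allowed-VLAN filtering, and stripping of the untagged VLAN on the way out) can be modelled in a few lines. This is an added example, not code from the original post; the function names, the `allowed` set and the sample frame are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks a 4-byte 802.1Q tag

def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert the tag after the destination and source MAC addresses."""
    if not 1 <= vid <= 4094:  # VLAN 0 and VLAN 4095 are not used
        raise ValueError(f"VID {vid} is outside 1-4094")
    tci = (pcp << 13) | vid  # 3-bit priority, 1-bit DEI (left 0), 12-bit VID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def read_vid(frame: bytes):
    """Return the VID of a tagged frame, or None when the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF  # low 12 bits of the tag control field

def strip_tag(frame: bytes) -> bytes:
    """Remove the 4 tag bytes, restoring the frame the client expects."""
    return frame[:12] + frame[16:]

def ingress(frame: bytes, pvid: int, allowed: set):
    """Frame entering a port: tag untagged traffic with the PVID and
    drop (return None) tagged traffic for a VLAN the port does not allow."""
    vid = read_vid(frame)
    if vid is None:
        return add_tag(frame, pvid)
    return frame if vid in allowed else None

def egress(frame: bytes, untagged_vid, allowed: set):
    """Frame leaving a port: drop VLANs not allowed, strip the untagged VLAN."""
    vid = read_vid(frame)
    if vid not in allowed:
        return None
    return strip_tag(frame) if vid == untagged_vid else frame

# Constructed sample: untagged IPv4 frame (dst MAC, src MAC, EtherType 0x0800)
SAMPLE = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"payload"

if __name__ == "__main__":
    tagged = ingress(SAMPLE, pvid=8, allowed={8})
    print(tagged.hex())                 # tag bytes sit right after the two MACs
    print(egress(tagged, None, {8, 16}) == tagged)  # trunk leaves the tag alone
    print(egress(tagged, 8, {8}) == SAMPLE)         # client port strips the tag
    print(egress(tagged, 16, {16}))                 # port on another VLAN drops it
```

A port whose PVID and untagged VLAN differ shows up here as one-way traffic: `ingress` tags with one VID while `egress` only strips the other.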

Next time we’ll talk about, “What is Management VLAN and whether or not you should use it.”

Editor’s Note:  This post was originally published in June 2015 and has been updated.

* By convention, some people like matching the second or third octet of the subnet to the VLAN ID. For example, VLAN 8 could be given the subnet or, VLAN 16 could be given the subnet or, etc. These settings are independent, so no correlation between the VLAN ID and the subnet is required, but it is often convenient.