Lesson 2 of 5 | 5 min read

Understanding VLANs and the 802.1Q Standard

Before you can configure VLANs on your home network, you need to understand what they actually are, how the underlying standard works, and what hardware is required. This lesson breaks down the IEEE 802.1Q standard, explains tagged versus untagged traffic, and walks through the planning process for a segmented smart home network.

What Is a VLAN?

A VLAN (Virtual Local Area Network) is a logical grouping of network devices into an isolated broadcast domain, regardless of their physical location on the network. In practical terms, devices on VLAN 10 cannot communicate with devices on VLAN 20 unless a router explicitly permits traffic between them.

Without VLANs, every device connected to a switch exists in the same broadcast domain. A broadcast sent by any one device, such as an ARP request, is received by every other device, and the same goes for link-local multicast such as an mDNS announcement, which a switch without multicast snooping floods exactly like a broadcast. This is efficient for small networks, but it means every device can discover and attempt to communicate with every other device. VLANs break this up. Each VLAN is its own isolated network at Layer 2 (the data link layer), and traffic between VLANs must pass through a Layer 3 device (a router or a Layer 3 switch) that can apply firewall rules.

IEEE 802.1Q: The Tagging Standard

The IEEE 802.1Q standard, ratified in 1998 and updated multiple times since, defines how VLAN information is embedded into Ethernet frames. When an Ethernet frame needs to carry VLAN membership information—typically when traveling between switches or between a switch and a router—a 4-byte tag is inserted into the frame header immediately after the source MAC address field.

Anatomy of an 802.1Q Tag

The 4-byte 802.1Q tag contains the following fields:

  • Tag Protocol Identifier (TPID): 16 bits, always set to 0x8100 for standard 802.1Q frames. This value tells the receiving device that the frame is VLAN-tagged.
  • Priority Code Point (PCP): 3 bits, used for Quality of Service (QoS) prioritization under IEEE 802.1p. Values range from 0 (best effort) to 7 (highest priority). In a home network, this is rarely configured, but it exists for scenarios like prioritizing voice or video traffic.
  • Drop Eligible Indicator (DEI): 1 bit, formerly called the Canonical Format Indicator (CFI). When set to 1, it indicates the frame is eligible to be dropped during network congestion. This is primarily used in service provider environments.
  • VLAN Identifier (VID): 12 bits, which provides a range of 0 to 4095. VID 0 is reserved for priority tagging (frame carries QoS priority but no VLAN assignment), and VID 4095 is reserved for implementation use. This leaves VIDs 1 through 4094 available for assignment, which is far more than any home network will ever need.

The inserted tag increases the Ethernet frame size from the standard maximum of 1518 bytes to 1522 bytes. Network equipment that supports 802.1Q handles this transparently.
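As an added example (not part of the original lesson), the following Python builds and parses the tag described above using only the standard library. The MAC addresses and the ARP payload are constructed stand-ins, not captured traffic. The parser goes slightly beyond the text by consuming a stack of consecutive 0x8100 tags, so a double-tagged frame is reported as two tags rather than misread as payload.

```python
import struct

TPID_8021Q = 0x8100        # Tag Protocol Identifier: "an 802.1Q tag follows"
VID_PRIORITY_TAGGED = 0    # VID 0: frame carries a PCP but belongs to no VLAN
VID_RESERVED = 4095        # VID 4095: reserved by the standard

# Constructed sample addresses and payload (not captured traffic).
DST = bytes.fromhex("ffffffffffff")          # Ethernet broadcast
SRC = bytes.fromhex("02aabbccddee")          # locally administered MAC
ARP_REQUEST = bytes(28)                      # stand-in for a 28-byte ARP body
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800


def build_tag(vid, pcp=0, dei=0):
    """Encode the 4-byte tag: TPID (16 bits) then TCI = PCP(3) | DEI(1) | VID(12)."""
    if not (0 <= vid <= 4095 and 0 <= pcp <= 7 and dei in (0, 1)):
        raise ValueError("802.1Q field out of range")
    tci = (pcp << 13) | (dei << 12) | vid
    return struct.pack("!HH", TPID_8021Q, tci)


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0, dei=0):
    """Ethernet II frame without FCS; the tag, if any, sits right after the source MAC."""
    tag = build_tag(vid, pcp, dei) if vid is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload


def wire_size(frame):
    """Size on the wire: the frame plus the 4-byte FCS the NIC appends."""
    return len(frame) + 4


def parse_frame(frame):
    """Split a frame into dst, src, the list of 802.1Q tags (outermost first),
    the real EtherType and the payload. Every consecutive 0x8100 tag is consumed,
    so a double-tagged frame shows up as two tags instead of a bogus payload."""
    if len(frame) < 14:
        raise ValueError("truncated frame")
    dst, src = frame[:6], frame[6:12]
    offset, tags = 12, []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame")
        ethertype, = struct.unpack_from("!H", frame, offset)
        if ethertype != TPID_8021Q:
            break
        if offset + 4 > len(frame):
            raise ValueError("truncated tag")
        tci, = struct.unpack_from("!H", frame, offset + 2)
        vid = tci & 0x0FFF
        tags.append({"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": vid,
                     "priority_tagged": vid == VID_PRIORITY_TAGGED,
                     "reserved": vid == VID_RESERVED})
        offset += 4
    return {"dst": dst, "src": src, "tags": tags,
            "ethertype": ethertype, "payload": frame[offset + 2:]}


if __name__ == "__main__":
    tagged = build_frame(DST, SRC, ETHERTYPE_ARP, ARP_REQUEST, vid=20, pcp=5)
    print(tagged[12:16].hex(), parse_frame(tagged)["tags"])
```

Checking the sizes is a quick sanity test: a 1500-byte payload gives 1518 bytes untagged and 1522 bytes tagged once the 4-byte FCS is counted, which is exactly the growth the paragraph above describes.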

Access Ports vs. Trunk Ports

Understanding the difference between access ports and trunk ports is fundamental to configuring VLANs correctly.

Access Ports

An access port belongs to a single VLAN. When a device such as an IoT sensor, a smart plug, or a laptop connects to an access port, it sends and receives normal, untagged Ethernet frames. The switch assigns every frame arriving on that port to the port's VLAN (its PVID) and, on most switches, discards any frame that arrives already tagged. When the frame exits through another access port on the same VLAN, it leaves untagged; only if it exits through a trunk does the switch insert an 802.1Q tag carrying the port's VID.

The device connected to an access port has no awareness that VLANs exist. It simply sends and receives frames as if it were on a regular, non-segmented network. This is important because most IoT devices have no capability to tag their own traffic.

Trunk Ports

A trunk port carries traffic for multiple VLANs simultaneously. Frames on a trunk port are tagged with 802.1Q headers so the receiving device knows which VLAN each frame belongs to. Trunk ports are used for the links between switches, and between switches and routers.

For example, if your managed switch connects to your router via a single Ethernet cable, that cable must carry traffic for all VLANs. The switch port and the router port are both configured as trunk ports. A frame from VLAN 10 travels the trunk with VID 10 in its 802.1Q tag; a frame from VLAN 20 carries VID 20. The router receives both, processes them according to its firewall rules, and can route traffic between VLANs where permitted.

Most trunk ports also have a native VLAN (on many switches this is simply the port's PVID, sometimes labelled the default VLAN). Frames belonging to the native VLAN cross the trunk untagged, and untagged frames arriving on the trunk are assigned to it. Out of the box the native VLAN is VLAN 1 on both ends. Because the native VLAN is the one VLAN a device can reach without tagging, and because the classic double-tagging VLAN-hopping trick depends on the attacker's port sharing the native VLAN with a trunk, best practice is to set the native VLAN on every trunk to an otherwise unused VID and to carry all real traffic tagged. Make sure both ends of a trunk agree on the native VLAN: a mismatch quietly bridges two VLANs that were supposed to be separate.
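The port behaviour in this section, modelled as an added Python example (not code from the lesson). Frames carry only a VID or None, the switch floods to every member port because it does no MAC learning, and the two build_switch() configurations contrast the default native VLAN 1 with a native VLAN set to an unused VID. Port names, VIDs and device labels are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Frame:
    src: str                   # device label (constructed, not a real MAC)
    payload: str
    vid: Optional[int] = None  # None: untagged on the wire


@dataclass
class Port:
    name: str
    mode: str                         # "access" or "trunk"
    pvid: int                         # access VLAN, or native VLAN on a trunk
    allowed: frozenset = frozenset()  # VIDs carried tagged on a trunk

    def ingress(self, frame):
        """Classify an arriving frame into a VLAN; None means the switch drops it."""
        if self.mode == "access":
            # End devices send untagged frames; a tagged frame on an access port is dropped.
            return None if frame.vid is not None else self.pvid
        if frame.vid is None:
            return self.pvid          # untagged on a trunk lands in the native VLAN
        return frame.vid if frame.vid in self.allowed or frame.vid == self.pvid else None

    def egress(self, vlan, frame):
        """Frame as it leaves this port, or None if the port is not in that VLAN."""
        if self.mode == "access":
            return Frame(frame.src, frame.payload) if vlan == self.pvid else None
        if vlan == self.pvid:
            return Frame(frame.src, frame.payload)        # native VLAN: sent untagged
        return Frame(frame.src, frame.payload, vlan) if vlan in self.allowed else None


class Switch:
    """Minimal 802.1Q switch with no MAC learning: a frame is flooded to every
    other port that is a member of its VLAN, which is all this lesson needs."""

    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}

    def forward(self, in_port, frame):
        vlan = self.ports[in_port].ingress(frame)
        if vlan is None:
            return {}
        out = {}
        for name, port in self.ports.items():
            if name != in_port:
                sent = port.egress(vlan, frame)
                if sent is not None:
                    out[name] = sent
        return out


def build_switch(native_vlan, trusted_vlan):
    """Assumed topology: laptop on port1, smart plug on port2, router on the port8 trunk."""
    return Switch([
        Port("port1", "access", trusted_vlan),
        Port("port2", "access", 20),
        Port("port8", "trunk", native_vlan, frozenset({trusted_vlan, 20, 30})),
    ])


def untagged_on_trunk_reaches(native_vlan, trusted_vlan):
    """Ports that receive an untagged frame arriving from the router side of the trunk."""
    sw = build_switch(native_vlan, trusted_vlan)
    return sorted(sw.forward("port8", Frame("upstream", "untagged probe")))


if __name__ == "__main__":
    # Native VLAN 1 with trusted devices also on VLAN 1: the untagged frame reaches
    # the laptop. Native VLAN set to an unused VID: it goes nowhere.
    print(untagged_on_trunk_reaches(1, 1), untagged_on_trunk_reaches(999, 10))
```

The last function is the check worth running against your own design: anything that can put an untagged frame onto the trunk (a mis-set port, a device plugged into the wrong jack) ends up in the native VLAN, so that VLAN should contain nothing you care about.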

Subnetting: Each VLAN Gets Its Own IP Range

At Layer 2, VLANs create separate broadcast domains. But for devices to actually communicate with the internet or with each other (through the router), each VLAN also needs its own IP subnet at Layer 3. A typical home VLAN setup might use:

  • VLAN 1 (192.168.1.0/24): Trusted devices—laptops, phones, tablets, desktop computers. Gateway at 192.168.1.1. VLAN 1 is the factory default on most switches and also the default native VLAN; if you follow the advice above to keep real traffic off the native VLAN, put trusted devices on VLAN 10 (192.168.10.0/24, gateway 192.168.10.1) instead.
  • VLAN 20 (192.168.20.0/24): IoT devices—smart plugs, bulbs, sensors, voice assistants. Gateway at 192.168.20.1.
  • VLAN 30 (192.168.30.0/24): Security cameras—isolated due to high bandwidth and sensitivity. Gateway at 192.168.30.1.
  • VLAN 40 (192.168.40.0/24): Guest network—internet access only, no access to any internal VLAN. Gateway at 192.168.40.1.
  • VLAN 99 (192.168.99.0/24): Management—access to switch admin interfaces, router admin, access point management. Gateway at 192.168.99.1.

Each VLAN runs its own DHCP scope on the router, handing out IP addresses from the corresponding subnet. When a device on VLAN 20 (192.168.20.x) tries to reach a device on VLAN 1 (192.168.1.x), the traffic must go through the router, which can apply firewall rules to allow or deny the connection.

Hardware Requirements

Not all networking equipment supports VLANs. Here is what you need:

Managed Switch

A managed switch (or a "smart" switch that supports 802.1Q) is required. An unmanaged switch does not understand VLAN tags: depending on the model it either forwards tagged frames to every port, ignoring the tag and with it any separation, or drops them as oversized. Popular options for home use include:

  • TP-Link TL-SG108E / TL-SG116E: Budget-friendly 8- and 16-port smart switches with full 802.1Q VLAN support. These cost approximately $25-40.
  • Netgear GS308E / GS316EP: Similar price range, with PoE options available for powering access points and cameras.
  • UniFi Switch Lite 8 PoE / USW-16-PoE: Part of the Ubiquiti UniFi ecosystem, managed through the UniFi controller with a polished interface.

VLAN-Capable Router or Firewall

Your router must be able to create VLAN interfaces (also called sub-interfaces), run DHCP servers per VLAN, and apply firewall rules between VLANs. Common options include:

  • Ubiquiti UniFi Dream Machine (UDM) / UDM Pro: All-in-one router, switch, and access point controller with excellent VLAN support through the UniFi interface.
  • TP-Link Omada: TP-Link’s business line with centralized management similar to UniFi, at a lower price point.
  • pfSense / OPNsense: Free, open-source firewall/router software that runs on commodity hardware or a dedicated appliance. Offers the most granular control over firewall rules, but requires more technical knowledge.
  • Firewalla Gold / Purple: Consumer-friendly firewall appliances with built-in VLAN support, a good option for those who want segmentation without diving into enterprise-grade configuration.

VLAN-Aware Access Points

If you want wireless IoT devices on a separate VLAN, your Wi-Fi access points must support assigning different SSIDs to different VLANs. Most enterprise and prosumer access points support this, including UniFi, TP-Link Omada, and any access point running OpenWrt firmware. Most consumer mesh systems (Eero, Google Nest WiFi, standard TP-Link Deco) do not support VLAN tagging on wireless SSIDs, which limits your segmentation options to wired devices only.

Planning Your VLAN Layout

Before touching any configuration, plan your VLAN structure on paper. A typical smart home uses three to five VLANs:

  1. Trusted (VLAN 1 or 10): Your personal devices. This is the most privileged network.
  2. IoT (VLAN 20): All smart home devices that need internet access but should not reach trusted devices.
  3. Cameras (VLAN 30): Surveillance cameras, often isolated further because they are high-bandwidth, frequently targeted, and may phone home to servers in jurisdictions with different privacy standards.
  4. Guest (VLAN 40): Visitor devices. Internet-only access, completely isolated from all internal VLANs.
  5. Management (VLAN 99): Administrative access to network infrastructure. Only your admin workstation should reach this VLAN.

Document which devices belong to which VLAN, which switch ports connect to which devices, and what traffic should be allowed between VLANs. This planning pays enormous dividends when you begin configuration in the next lesson.
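An added example (not part of the lesson) that turns the subnet table and the planning list into something checkable, for both the per-VLAN subnet layout and the allowed-traffic document described here. validate_plan() rejects VIDs outside 1-4094 and overlapping subnets and derives each gateway; permitted() answers "may this new connection cross the router?" under a default-deny policy; render_linux_config() emits the equivalent iproute2 and nftables commands for a Linux router. The plan uses VLAN 10 for trusted devices rather than the default VLAN 1; the admin workstation address, the eth0 and wan0 interface names, and the exact allow list (cameras get no internet access here) are assumptions.

```python
import ipaddress

# Constructed example plan (not from any real network).
PLAN = {
    10: ("trusted", "192.168.10.0/24"),
    20: ("iot",     "192.168.20.0/24"),
    30: ("cameras", "192.168.30.0/24"),
    40: ("guest",   "192.168.40.0/24"),
    99: ("mgmt",    "192.168.99.0/24"),
}
ADMIN_WORKSTATION = ipaddress.ip_address("192.168.10.5")   # assumed admin host
INTERNET = "internet"

# Inter-VLAN allow list (source VLAN, destination). Everything else is denied,
# apart from return traffic for connections the router already allowed.
ALLOW = {
    ("trusted", "iot"), ("trusted", "cameras"), ("trusted", INTERNET),
    ("iot", INTERNET), ("guest", INTERNET),
}


def validate_plan(plan):
    """Check VIDs and subnets; return {vid: (name, network, gateway)}."""
    nets = {}
    for vid, (name, cidr) in plan.items():
        if not 1 <= vid <= 4094:
            raise ValueError(f"VID {vid} outside the usable range 1-4094")
        net = ipaddress.ip_network(cidr)
        for other_vid, (_, other) in nets.items():
            if net.overlaps(other):
                raise ValueError(f"VLAN {vid} and VLAN {other_vid} subnets overlap")
        nets[vid] = (name, net)
    # Gateway convention from the lesson: first usable host of each subnet.
    return {vid: (name, net, next(net.hosts())) for vid, (name, net) in nets.items()}


def vlan_of(plan_info, ip):
    """Map an IP address to its VLAN name, or 'internet' if it is in no plan subnet."""
    ip = ipaddress.ip_address(ip)
    for name, net, _ in plan_info.values():
        if ip in net:
            return name
    return INTERNET


def permitted(plan_info, src_ip, dst_ip):
    """Decide whether the router should forward a new connection src -> dst."""
    src, dst = vlan_of(plan_info, src_ip), vlan_of(plan_info, dst_ip)
    if src == dst:
        return True          # same VLAN: switched at Layer 2, never hits the router
    if dst == "mgmt":
        return ipaddress.ip_address(src_ip) == ADMIN_WORKSTATION
    return (src, dst) in ALLOW


def render_linux_config(plan_info, parent="eth0", wan="wan0"):
    """Emit iproute2 sub-interfaces and a default-deny nftables forward chain."""
    lines, by_name = [], {}
    for vid, (name, net, gw) in plan_info.items():
        dev = f"{parent}.{vid}"
        by_name[name] = dev
        lines += [f"ip link add link {parent} name {dev} type vlan id {vid}",
                  f"ip addr add {gw}/{net.prefixlen} dev {dev}",
                  f"ip link set {dev} up"]
    lines += ["nft add table inet filter",
              "nft add chain inet filter forward '{ type filter hook forward priority 0; policy drop; }'",
              "nft add rule inet filter forward ct state established,related accept"]
    for src, dst in sorted(ALLOW):
        out_if = wan if dst == INTERNET else by_name[dst]
        lines.append(f'nft add rule inet filter forward iifname "{by_name[src]}" oifname "{out_if}" accept')
    lines.append(f'nft add rule inet filter forward ip saddr {ADMIN_WORKSTATION} oifname "{by_name["mgmt"]}" accept')
    return lines


if __name__ == "__main__":
    info = validate_plan(PLAN)
    print(permitted(info, "192.168.20.15", "192.168.10.7"))   # IoT -> trusted: denied
    print("\n".join(render_linux_config(info)))
```

The forward chain's policy drop is what makes the segmentation real: without it, the VLAN interfaces alone would route freely between every subnet, which is the same flat network with extra steps.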

Summary

A VLAN is a logical broadcast domain created on a managed switch using the IEEE 802.1Q tagging standard. The 4-byte 802.1Q tag—containing a VLAN Identifier, Priority Code Point, and Drop Eligible Indicator—is inserted into Ethernet frames on trunk links that carry multiple VLANs. Access ports connect end devices to a single VLAN with no tagging required. Each VLAN needs its own IP subnet and DHCP scope. The hardware you need is a managed switch, a VLAN-capable router or firewall, and VLAN-aware access points for wireless segmentation. With a plan for three to five VLANs mapped out, you are ready to begin the actual configuration process.
