Skip to content

What is a VLAN, and what is its security value?

Short answer

A VLAN (Virtual LAN) logically partitions a physical switch into separate Layer 2 broadcast domains, so devices on different VLANs can't reach each other directly even on the same hardware. It's labeled with an 802.1Q tag on trunk links. The security value is segmentation: isolating user, server, guest, and IoT traffic limits broadcast scope and lateral movement, with inter-VLAN traffic forced through a router or firewall where policy is applied.

A VLAN lets one physical switch behave like several independent switches. Instead of buying separate hardware for each network segment, you assign ports to virtual LANs that can't see each other's traffic at Layer 2. This is one of the most common, cost-effective segmentation tools, which is why it shows up in interviews.

How VLANs work

Each VLAN is its own broadcast domain. A frame sent on VLAN 10 stays within VLAN 10's ports; a host on VLAN 20 never sees it. Access ports carry a single VLAN's untagged traffic (a workstation plugged into one). Trunk ports carry many VLANs between switches and use 802.1Q tags — a small header inserted into each frame identifying which VLAN it belongs to — so the receiving switch knows where it goes. To move traffic between VLANs, it must pass through a Layer 3 device (a router or "router-on-a-stick" / SVI), which is exactly where you can enforce firewall policy.

The security value

Segmentation. Putting servers, employee laptops, guest Wi-Fi, and IoT on separate VLANs means a compromised IoT camera can't directly reach the finance servers — it has to cross a routed boundary you control and monitor. Smaller broadcast domains also reduce sniffing exposure and noise.

The caveats

A VLAN tag is not a security boundary by itself. VLAN hopping attacks abuse misconfiguration: switch spoofing (a host negotiates a trunk via DTP) and double tagging (stacking two 802.1Q tags to leak a frame onto another VLAN). Defenses: disable DTP/auto-trunking, set a dedicated unused native VLAN, prune unused VLANs, and put a real firewall between sensitive segments.

Interviewers want the broadcast-domain isolation idea, the segmentation/lateral-movement benefit, and awareness that VLANs alone aren't a firewall.

Likely follow-ups

  • What is VLAN hopping (switch spoofing, double tagging) and how do you prevent it?
  • How does 802.1Q tagging work on a trunk versus an access port?
  • Why is VLAN separation not a substitute for a firewall between segments?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.