How VLANs Work: Tagging, Broadcast Domains, and Frame Forwarding

VLANs are more than a configuration checkbox — they change how every frame is tagged, forwarded, and filtered inside the switch. Here's the mechanics.

Knowing that VLANs segment broadcast domains is the starting point, not the finish line. To troubleshoot a VLAN problem — a device that cannot reach its gateway, a trunk that silently drops traffic for one VLAN, a MAC address that appears and disappears — you need to understand what the switch is actually doing with every frame that enters and leaves its ports.

This article takes you inside the Catalyst switch to see the frame-level mechanics: 802.1Q tag insertion, VLAN-aware MAC address tables, and the forwarding decisions that happen in hardware before a frame ever reaches the wire.

The 802.1Q Tag

IEEE 802.1Q is the standard that defines VLAN tagging. When a switch needs to carry VLAN information across a trunk link, it inserts a 4-byte tag into the Ethernet frame between the source MAC address and the EtherType/Length field.

The 802.1Q tag structure:

Field                             Size      Description
TPID (Tag Protocol Identifier)    16 bits   Always 0x8100 — identifies the frame as 802.1Q tagged
PCP (Priority Code Point)         3 bits    CoS value (0–7) for QoS — maps to queue priority
DEI (Drop Eligible Indicator)     1 bit     Indicates the frame can be dropped under congestion
VID (VLAN Identifier)             12 bits   The VLAN ID (0–4095)

The 12-bit VID field gives us 4,096 possible values, but VLAN 0 and VLAN 4095 are reserved, leaving 4,094 usable VLAN IDs. The 3-bit PCP field is what gives us 802.1p CoS marking — this is how voice VLAN traffic (typically CoS 5) gets priority treatment on trunk links.

Because the tag adds 4 bytes to the frame, the maximum frame size on a trunk increases from 1,518 bytes to 1,522 bytes. Switches handle this internally, but be aware of it when you see "giant" or "oversize" frame counters on non-VLAN-aware devices in the path.
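To make the tag layout concrete, here is a small Python example (added for this article, not code from the Ping Labz lab) that builds an untagged frame, inserts an 802.1Q tag the way a trunk port does on egress, decodes the four tag fields, and strips the tag the way an access port does on egress. The MAC addresses and the all-zero payload are constructed sample values, and the FCS is left out because the NIC computes it.

```python
import struct

TPID_8021Q = 0x8100          # Tag Protocol Identifier that marks a frame as 802.1Q tagged
TAG_LEN = 4
MAX_FRAME_UNTAGGED = 1518    # 14-byte header + 1500-byte payload + 4-byte FCS
MAX_FRAME_TAGGED = MAX_FRAME_UNTAGGED + TAG_LEN   # 1522 bytes on a trunk


def build_untagged_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """dst MAC | src MAC | EtherType | payload (FCS omitted; the NIC appends it)."""
    return dst + src + struct.pack("!H", ethertype) + payload


def is_tagged(frame: bytes) -> bool:
    """A tagged frame carries TPID 0x8100 at offset 12, where the EtherType would otherwise sit."""
    return len(frame) >= 18 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q


def insert_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Trunk egress: insert TPID + TCI between the source MAC and the original EtherType."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID 0 and 4095 are reserved; usable VLAN IDs are 1-4094")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP is a 3-bit field (0-7) and DEI a single bit")
    if is_tagged(frame):
        raise ValueError("frame already carries an 802.1Q tag")
    tci = (pcp << 13) | (dei << 12) | vid        # TCI layout: PCP(3) | DEI(1) | VID(12)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_tag(frame: bytes) -> dict:
    """Trunk ingress: decode the tag fields plus the EtherType that follows the tag."""
    if not is_tagged(frame):
        raise ValueError("no 802.1Q tag at offset 12")
    tpid, tci = struct.unpack("!HH", frame[12:16])
    return {
        "tpid": tpid,
        "pcp": tci >> 13,
        "dei": (tci >> 12) & 1,
        "vid": tci & 0x0FFF,
        "ethertype": struct.unpack("!H", frame[16:18])[0],
    }


def strip_tag(frame: bytes) -> bytes:
    """Access-port egress: remove the 4-byte tag; an untagged frame is returned unchanged."""
    return frame[:12] + frame[16:] if is_tagged(frame) else frame


# Constructed sample: PC 0050.7966.6800 (the first entry in the article's MAC table) sends a
# minimum-size IPv4 frame to a constructed gateway MAC aabb.cc00.0100; the payload is filler.
PC_MAC = bytes.fromhex("005079666800")
GATEWAY_MAC = bytes.fromhex("aabbcc000100")
SAMPLE_UNTAGGED = build_untagged_frame(GATEWAY_MAC, PC_MAC, 0x0800, b"\x00" * 46)
# Voice-style marking on the trunk: VLAN 10 with CoS 5 in the PCP field.
SAMPLE_TAGGED = insert_tag(SAMPLE_UNTAGGED, vid=10, pcp=5)

if __name__ == "__main__":
    print(len(SAMPLE_UNTAGGED), "->", len(SAMPLE_TAGGED), "bytes after tagging")
    print(parse_tag(SAMPLE_TAGGED))
    print("round trip ok:", strip_tag(SAMPLE_TAGGED) == SAMPLE_UNTAGGED)
```

The 60-byte sample grows to 64 bytes once tagged, which is the same 4-byte growth that moves the trunk maximum from 1,518 to 1,522 bytes. The TCI for VLAN 10 with CoS 5 is 0xA00A: 101 (PCP) | 0 (DEI) | 000000001010 (VID).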

Access Port Behavior: Tag on Ingress, Strip on Egress

When an end device sends a frame into an access port configured for VLAN 10, the switch performs these steps:

Ingress (frame arrives):

  1. The frame arrives untagged from the end device.
  2. The switch associates the frame with VLAN 10 (the port's configured access VLAN).
  3. The source MAC address is learned in the MAC address table, associated with VLAN 10 and the ingress port.
  4. The switch looks up the destination MAC in the MAC address table — but only within VLAN 10 entries.
  5. If the destination is found on another access port in VLAN 10, the frame is forwarded to that port.
  6. If the destination is found on a trunk port, the frame is sent out the trunk with an 802.1Q tag for VLAN 10.
  7. If the destination is unknown, the frame is flooded to all ports in VLAN 10 (access ports and trunk ports carrying VLAN 10).

Egress (frame leaves an access port):

  1. The 802.1Q tag (if present internally) is stripped.
  2. The frame exits the port as a standard untagged Ethernet frame.
  3. The receiving device has no knowledge of VLAN membership.

This tag-on-ingress, strip-on-egress behavior is why end devices do not need any VLAN configuration. The switch handles everything transparently.

Trunk Port Behavior: Tags Preserved

Trunk ports operate differently. They carry frames for multiple VLANs simultaneously, and the 802.1Q tag stays intact so the receiving switch knows which VLAN each frame belongs to.

Ingress (tagged frame arrives on trunk):

  1. The switch reads the 802.1Q tag to determine the VLAN ID.
  2. If the VLAN is in the trunk's allowed VLAN list, the frame is accepted.
  3. If the VLAN is not allowed, the frame is silently dropped.
  4. The source MAC is learned for that VLAN on the trunk port.
  5. Forwarding proceeds normally within the VLAN.

Ingress (untagged frame arrives on trunk):

  1. The frame has no 802.1Q tag.
  2. The switch places the frame in the native VLAN.
  3. Processing continues as if the frame were tagged with the native VLAN ID.

Egress (frame leaves trunk port):

  1. If the frame's VLAN matches the native VLAN, it is sent untagged (by default).
  2. If the frame's VLAN is any other allowed VLAN, the 802.1Q tag is inserted.
  3. The tagged frame exits the trunk port.

This native VLAN behavior is the source of many misconfigurations. If two connected switches have different native VLANs configured on a trunk, a frame that leaves one switch untagged in its native VLAN is classified into the other switch's native VLAN on arrival, so traffic crosses VLANs: a security issue called VLAN hopping. We address this directly in Native VLAN Configuration and Security on Cisco Switches.

The VLAN-Aware MAC Address Table

Every managed switch maintains a MAC address table (also called a CAM table). With VLANs, this table has an additional dimension: each entry maps a MAC address to a port and a VLAN.

ACC-SW1# show mac address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0050.7966.6800    DYNAMIC     Gi1/0/1
  10    0050.7966.6801    DYNAMIC     Gi1/0/2
  10    0050.7966.6802    DYNAMIC     Gi1/0/3
  20    0050.7966.6810    DYNAMIC     Gi1/0/10
  20    0050.7966.6811    DYNAMIC     Gi1/0/11
  30    0050.7966.68f0    DYNAMIC     Gi1/0/23
  10    aabb.cc00.0100    DYNAMIC     Gi1/0/24
  20    aabb.cc00.0200    DYNAMIC     Gi1/0/24
Total Mac Addresses for this criterion: 8

Notice the last two entries: the same physical port (Gi1/0/24 — a trunk uplink) has MAC addresses in both VLAN 10 and VLAN 20. This is normal — trunk ports carry multiple VLANs, so they appear in multiple VLAN sections of the table.

This is also why the show mac address-table vlan 10 command exists — it filters the table to show only VLAN 10 entries, which is essential when troubleshooting.

ACC-SW1# show mac address-table vlan 10
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0050.7966.6800    DYNAMIC     Gi1/0/1
  10    0050.7966.6801    DYNAMIC     Gi1/0/2
  10    0050.7966.6802    DYNAMIC     Gi1/0/3
  10    aabb.cc00.0100    DYNAMIC     Gi1/0/24
Total Mac Addresses for this criterion: 4

Broadcast, Unknown Unicast, and Multicast (BUM) Traffic

BUM traffic is where VLANs have their most visible impact. Without VLANs, a broadcast frame hits every port on the switch. With VLANs, it only hits ports in the same VLAN.

Broadcast: A frame with destination FF:FF:FF:FF:FF:FF (ARP requests, DHCP discovers) is flooded to every port in the VLAN — all access ports in that VLAN plus all trunk ports that carry that VLAN. Ports in other VLANs never see it.

Unknown unicast: A frame with a destination MAC that is not in the MAC address table is flooded the same way as a broadcast — but only within the VLAN. This is why the per-VLAN MAC table matters: an unknown unicast in VLAN 10 is only flooded to VLAN 10 ports.

Multicast: By default, multicast is flooded like broadcast within the VLAN. IGMP snooping (enabled by default on Catalyst switches) can constrain multicast to only the ports with interested receivers, but the VLAN boundary is still enforced.

This BUM containment is the primary operational benefit of VLANs. A network with 500 devices in one broadcast domain will have measurably higher CPU load on every device than the same 500 devices split across 10 VLANs of 50 each — simply because broadcasts only reach 50 devices instead of 500.

Frame Forwarding: Putting It All Together

Here is the complete forwarding path for a frame from a PC in VLAN 10 on ACC-SW1 to a server in VLAN 10 on ACC-SW2:

  1. PC sends frame — untagged Ethernet frame, destination MAC is the server.
  2. ACC-SW1 ingress — frame enters Gi1/0/1 (access port, VLAN 10). Switch tags it internally as VLAN 10, learns source MAC.
  3. ACC-SW1 lookup — destination MAC is not in ACC-SW1's table (the server is on a different switch). Frame is flooded within VLAN 10 — out Gi1/0/2, Gi1/0/3 (other VLAN 10 access ports), and Gi1/0/24 (trunk to DIST-SW1).
  4. Trunk to DIST-SW1 — frame exits Gi1/0/24 with an 802.1Q tag for VLAN 10.
  5. DIST-SW1 ingress — frame arrives on trunk port, tag says VLAN 10, VLAN 10 is in the allowed list. Frame is accepted.
  6. DIST-SW1 lookup — DIST-SW1 has the server's MAC in its table for VLAN 10, learned via trunk to ACC-SW2. Frame is forwarded out that trunk.
  7. ACC-SW2 ingress — frame arrives on trunk, VLAN 10 tag. ACC-SW2 knows the server's MAC is on Gi1/0/10 (access port, VLAN 10).
  8. ACC-SW2 egress — 802.1Q tag is stripped. Untagged frame exits Gi1/0/10 to the server.

The entire path preserves VLAN isolation. At no point does the frame interact with VLAN 20, 30, or any other VLAN. The switch hardware (TCAM/ASIC) makes these forwarding decisions in microseconds.
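The access and trunk port rules above, the VLAN-keyed MAC address table, BUM flooding scoped to a VLAN, and the eight-step PC-to-server path can all be exercised in one small simulation. The following Python model is an added example, not code from the article or the PingLabz lab. It assumes DIST-SW1's port names (Gi1/0/1 toward ACC-SW1, Gi1/0/2 toward ACC-SW2), the allowed-VLAN lists, and the sample MAC addresses, and it deliberately leaves VLAN 30 off DIST-SW1's trunk so that a trunk silently dropping one VLAN can be observed. Inside each switch a frame travels untagged with its VLAN carried alongside, which stands in for the internal tag the article mentions.

```python
import struct

TPID_8021Q = 0x8100
BROADCAST = b"\xff" * 6
PC_MAC = bytes.fromhex("005079666800")      # constructed; matches the first entry of the article's MAC table
V30_MAC = bytes.fromhex("0050796668f0")     # constructed; the article's VLAN 30 host on Gi1/0/23
SERVER_MAC = bytes.fromhex("0050796669a0")  # constructed; the server on ACC-SW2 Gi1/0/10

def is_tagged(wire):
    return len(wire) >= 18 and wire[12:14] == b"\x81\x00"   # TPID 0x8100 where the EtherType would sit

def frame(dst, src, payload=b"\x00" * 46):  # minimum-size untagged IPv4 frame, FCS omitted
    return dst + src + b"\x08\x00" + payload

class Port:
    """mode is 'access' or 'trunk'; link is (Switch, peer port name), or None when a host is attached."""
    def __init__(self, name, mode, vlan=1, native=1, allowed=()):
        self.name, self.mode, self.vlan, self.native, self.allowed = name, mode, vlan, native, set(allowed)
        self.link, self.received = None, []   # received: frames delivered to the attached host

    def carries(self, vlan):
        return self.vlan == vlan if self.mode == "access" else vlan in self.allowed

class Switch:
    def __init__(self, name, trace):
        self.name, self.trace = name, trace   # trace: shared list of ("tx", ...) and ("drop", ...) events
        self.ports, self.mac_table = {}, {}   # mac_table: (vlan, mac) -> port name

    def add_ports(self, *ports):
        self.ports.update({p.name: p for p in ports})

    def receive(self, port_name, wire):
        """Ingress: classify into a VLAN, learn the source, look up the destination within that VLAN only."""
        port = self.ports[port_name]
        if port.mode == "access":
            if is_tagged(wire):               # an access port does not accept tagged frames
                self.trace.append(("drop", self.name, port_name, "tagged frame on access port"))
                return
            vlan, untagged = port.vlan, wire
        elif is_tagged(wire):
            vlan = struct.unpack("!H", wire[14:16])[0] & 0x0FFF   # VID = low 12 bits of the TCI
            untagged = wire[:12] + wire[16:]  # inside the switch the frame travels untagged, VLAN alongside
        else:
            vlan, untagged = port.native, wire   # untagged frame on a trunk lands in the native VLAN
        if port.mode == "trunk" and vlan not in port.allowed:
            self.trace.append(("drop", self.name, port_name, f"VLAN {vlan} not allowed on trunk"))
            return
        dst, src = untagged[:6], untagged[6:12]
        self.mac_table[(vlan, src)] = port_name   # learning is keyed by (VLAN, MAC)
        out = self.mac_table.get((vlan, dst))
        if dst[0] & 1 or out is None:         # broadcast/multicast (group bit set) or unknown unicast: flood
            targets = [p for p in self.ports.values() if p.name != port_name and p.carries(vlan)]
        else:
            targets = [] if out == port_name else [self.ports[out]]
        for target in targets:
            self.send(target, vlan, untagged)

    def send(self, port, vlan, untagged):
        """Egress: tag on a trunk unless the VLAN is its native VLAN; access ports always send untagged."""
        tagged = port.mode == "trunk" and vlan != port.native
        wire = untagged[:12] + struct.pack("!HH", TPID_8021Q, vlan) + untagged[12:] if tagged else untagged
        self.trace.append(("tx", self.name, port.name, vlan, tagged))
        if port.link is None:
            port.received.append(wire)
        else:
            peer_switch, peer_port = port.link
            peer_switch.receive(peer_port, wire)

def build_lab(trace):
    """ACC-SW1 -> DIST-SW1 -> ACC-SW2 as in the article; DIST-SW1 port names and allowed lists are assumed."""
    acc1, dist, acc2 = Switch("ACC-SW1", trace), Switch("DIST-SW1", trace), Switch("ACC-SW2", trace)
    acc1.add_ports(Port("Gi1/0/1", "access", vlan=10), Port("Gi1/0/2", "access", vlan=10),
                   Port("Gi1/0/3", "access", vlan=10), Port("Gi1/0/10", "access", vlan=20),
                   Port("Gi1/0/23", "access", vlan=30), Port("Gi1/0/24", "trunk", allowed=(1, 10, 20, 30)))
    dist.add_ports(Port("Gi1/0/1", "trunk", allowed=(1, 10, 20)),   # VLAN 30 deliberately not allowed here
                   Port("Gi1/0/2", "trunk", allowed=(1, 10, 20)))
    acc2.add_ports(Port("Gi1/0/10", "access", vlan=10), Port("Gi1/0/24", "trunk", allowed=(1, 10, 20)))
    acc1.ports["Gi1/0/24"].link, dist.ports["Gi1/0/1"].link = (dist, "Gi1/0/1"), (acc1, "Gi1/0/24")
    dist.ports["Gi1/0/2"].link, acc2.ports["Gi1/0/24"].link = (acc2, "Gi1/0/24"), (dist, "Gi1/0/2")
    return acc1, dist, acc2

def run_forwarding_path():
    """Steps 1-8 of the article's PC -> server path; returns the tx trace, the PC's frame and the switches."""
    trace = []
    acc1, dist, acc2 = build_lab(trace)
    acc2.receive("Gi1/0/10", frame(BROADCAST, SERVER_MAC))  # the server spoke earlier, so DIST-SW1/ACC-SW2 know it
    acc1.mac_table.clear()                                   # ...while ACC-SW1's copy of that entry has aged out
    del trace[:]
    pc_frame = frame(SERVER_MAC, PC_MAC)
    acc1.receive("Gi1/0/1", pc_frame)
    return trace, pc_frame, acc1, dist, acc2

def run_trunk_edge_cases():
    """A VLAN 30 broadcast meets a trunk side that does not allow VLAN 30; then an untagged frame hits a trunk."""
    trace = []
    acc1, dist, _ = build_lab(trace)
    acc1.receive("Gi1/0/23", frame(BROADCAST, V30_MAC))
    dist.receive("Gi1/0/1", frame(BROADCAST, PC_MAC))        # no tag on a trunk: classified into native VLAN 1
    return trace, dist.mac_table
```

Call run_forwarding_path() and read the returned trace: ACC-SW1 floods within VLAN 10 only (Gi1/0/2 and Gi1/0/3 untagged, Gi1/0/24 tagged), DIST-SW1 forwards out the single trunk where it learned the server's MAC, and ACC-SW2 hands the server an untagged frame identical to what the PC sent; the VLAN 20 port on ACC-SW1 receives nothing. run_trunk_edge_cases() shows the VLAN 30 frame being tagged onto ACC-SW1's trunk and then dropped on DIST-SW1 with a logged reason, and an untagged frame on the trunk being learned under native VLAN 1 and forwarded untagged.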

[DIAGRAM: Frame flow from PC on ACC-SW1 VLAN 10 → trunk (tagged) → DIST-SW1 → trunk (tagged) → ACC-SW2 → Server. Show the 802.1Q tag being added at the first trunk and stripped at the last access port.]

What Happens When VLANs Need to Talk

By design, VLANs isolate traffic. A device in VLAN 10 cannot send a frame to a device in VLAN 20 through switching alone: the MAC table lookup is scoped to VLAN 10, so the destination MAC (even if the switch has learned it in VLAN 20) is never matched, and the frame is never forwarded into VLAN 20.

Inter-VLAN communication requires routing — a Layer 3 device that has interfaces in both VLANs. In the PingLabz Switching Lab, CORE-SW1 handles this with SVIs: one SVI in VLAN 10 (10.10.10.1) and one in VLAN 20 (10.10.20.1). When a VLAN 10 device needs to reach VLAN 20, it sends the frame to its default gateway (the VLAN 10 SVI), the switch routes the packet to the VLAN 20 SVI, and forwards it out as a VLAN 20 frame.

We cover this in depth in Inter-VLAN Routing on a Layer 3 Switch and Inter-VLAN Routing with Router-on-a-Stick.

Useful Show Commands for Understanding VLAN Behavior

ACC-SW1# show vlan brief

Shows all VLANs and which ports are assigned to each. Only shows access port assignments — trunk ports do not appear here.

ACC-SW1# show interfaces trunk

Shows all trunk ports, the native VLAN, allowed VLANs, and active VLANs (VLANs actually forwarding on the trunk). This is the command to verify trunk-side VLAN behavior.

ACC-SW1# show interfaces Gi1/0/1 switchport

Shows detailed switchport information for a specific port: mode (access/trunk), access VLAN, voice VLAN, trunking encapsulation, and negotiation status.

ACC-SW1# show mac address-table dynamic vlan 10

Shows dynamically learned MAC addresses in a specific VLAN — essential for verifying that devices are in the correct VLAN and reachable.

Key Takeaways

  • 802.1Q inserts a 4-byte tag into Ethernet frames to carry VLAN identity across trunk links. The 12-bit VID field supports 4,094 usable VLANs.
  • Access ports strip tags on egress and add them on ingress — end devices never see VLAN tags.
  • Trunk ports preserve tags. Untagged frames on a trunk are placed in the native VLAN.
  • The MAC address table is VLAN-aware: same MAC on different VLANs creates separate entries. Lookups and flooding are always scoped to the VLAN.
  • Inter-VLAN traffic requires routing. Switches will never forward frames between VLANs at Layer 2.

Next: Configuring VLANs on Cisco Catalyst Switches walks through creating, naming, and assigning VLANs in the PingLabz Switching Lab.


© 2025 Ping Labz. All rights reserved.