Some VLAN-related nuggets that you may find useful for your post/blog:

• 99% of the time when people refer to VLAN, they're talking about 802.1Q (tag-based VLANs). There are others (Such as port based), so it's up whether you want to cover those as well.
• The word "Trunk" can mean different things, depending on vendor. In the Cisco world, it means a line/port carrying multiple VLANs. With many other vendors, such as Aruba/HPE, it refers to link aggregation which isn't necessarily relevant to VLANs
• A lot of hardware still use VLANs even if none have been configured. For example, defaulting all switch ports to have an Access tag of 1 makes it behave like a dumb switch. This can cause issues later if you're configuring VLANs elsewhere
• Anything non-vlany connected to a VLAN-enabled switch will have to be connected to a port with a default VLAN tag. This is usually referred to as an "Access port" or an "Untagged port"
• "How do I configure the switch to allow units on VLAN 123 to talk to VLAN 321?". You don't. Connect both VLANs to a router which will route between them. Either connect the router to both VLANs individually and skip the tagging on the router, or you can run a single trunk between the switch and the router which carries both VLANs. The latter requires you to configure VLANs on your router accordingly.
• It might make sense in many cases to have the VLAN tag the same as the last octet in the IPv4 subnet. Makes it easier to keep track of.
• A PC can implement VLANs on its network port, allowing you to connect to a trunk port and access several VLANs with one cable.

Source: VLANs have been an integral part of my career for 20ish years.

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

7 acronyms in this thread; the most compressed thread commented on today has 10 acronyms.

[Thread #75 for this comm, first seen 8th Feb 2026, 20:40] [FAQ] [Full list] [Contact] [Source code]

I know that people often find IPv6 confusing and that's fine, but at the very least you need to explain that you're specifically talking about IPv4 IP and Subnetting configuration and that is very much how things used to be done. IPv6 is finally gaining real adoption and can make a lot of things confusing.

For example, until I got a handle of IPv6, my Android phone never had proper ad-blocking from my Pi-Holes because Google would make Android auto-configure an IPv6 DNS address that would bypass my IPv4 DNS addresses. Even if I filled every IPv4 DNS slot, my phone would still automatically make a slot for the IPv6 DNS and fill it with a Google-chosen DNS. There were two ways to fix this, and I've done both: Set up IPv6 and fill that slot with my Pi-Hole IPv6 DNS address, and/or setting up a VPN that hands out the Pi-Holes as DNS and bypasses Google's auto-configurations entirely. I ended up with both because I also use the VPN to keep ad-blocking functional on my phone while I'm away from home.

Especially in keeping with your "Zero trust" idea, you can't have rogue IPv6 traffic all over your network unless you've managed to disable IPv6 on every network interface and the traffic is just being dumped since it's disabled. (Also, personal opinion, subnetting on IPv6 is so much more elegant and straightforward than on IPv4)

Finally, you mention "bytes" (it's actually bits) and CIDR notation, but that's probably more confusing than illuminating if someone has no idea that an IPv4 address has four sets of octets (eight bits) for a 32-bit addressing scheme. You might consider expanding on how IPv4 addresses function to make that a little clearer.

Step 0. Make sure your networking equipment can do vlans and subnets.

Given how much I paid for a “high end” consumer router, I just assumed …..

Small advice: would be nice if there was a dark mode, so I can read it at night. (without flash bang)