VLAN (Virtual Local Area Network)

Definition

A VLAN is a logical subdivision of a physical network that creates separate broadcast domains on the same infrastructure. Devices in different VLANs cannot communicate directly without a router or Layer 3 switch, regardless of physical connectivity.

VLAN membership is carried by IEEE 802.1Q tagging: a tagged Ethernet frame carries a 12-bit VLAN ID (1-4094) identifying which logical network it belongs to, while untagged frames are assigned to the VLAN configured on the receiving port.

Key Concepts

  • 802.1Q: IEEE standard for VLAN tagging
  • VLAN ID: Number 1-4094 identifying the VLAN (the 12-bit field allows 4096 values, but 0 and 4095 are reserved)
  • Trunk Port: Carries multiple VLANs between switches (tagged)
  • Access Port: Carries untagged traffic for a single VLAN
  • Inter-VLAN Routing: Required for communication between VLANs (router or L3 switch)
  • VLAN Hopping: Security attack in which traffic from one VLAN reaches another VLAN without passing through the router or firewall that is supposed to mediate between them
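As an added example (not part of the original glossary entry), the following Python walks the 802.1Q tag stack of an Ethernet frame and classifies what arrives on an access port, which should only ever see untagged frames. The sample frames are constructed for the example, not captured traffic, and the classification labels are this example's own.

```python
import struct

TPID_8021Q = 0x8100   # customer tag (C-TAG) defined by IEEE 802.1Q
TPID_8021AD = 0x88A8  # service tag (S-TAG) used as the outer tag in QinQ

def parse_vlan_tags(frame: bytes):
    """Return (vlan_ids, ethertype, payload_offset) for an Ethernet frame.
    vlan_ids is ordered outermost first and is empty for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    offset, vlan_ids = 12, []          # skip the 6-byte dst and src MACs
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            return vlan_ids, ethertype, offset + 2
        if len(frame) < offset + 6:    # need TCI plus the next ethertype
            raise ValueError("truncated 802.1Q tag")
        # TCI layout: 3-bit PCP, 1-bit DEI, 12-bit VLAN ID
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlan_ids.append(tci & 0x0FFF)
        offset += 4

def classify_access_port_frame(frame: bytes) -> str:
    """Classify a frame seen on an access port. Only untagged (or
    priority-tagged, VID 0) frames belong there; anything else is a
    misconfiguration or a hopping attempt that deserves an alert."""
    vlan_ids, _, _ = parse_vlan_tags(frame)
    if not vlan_ids:
        return "untagged"
    if len(vlan_ids) > 1:
        return "double-tagged"         # outer tag stripped, inner tag forwarded
    if vlan_ids[0] == 0:
        return "priority-tagged"       # VID 0: frame belongs to the port VLAN
    if vlan_ids[0] == 4095:
        return "reserved-vid"          # never valid on the wire
    return "tagged"

# Constructed sample frames: broadcast dst, locally administered src, ARP payload.
_HDR = bytes.fromhex("ffffffffffff" "020000000001")
_ARP = bytes.fromhex("0806") + bytes(28)
UNTAGGED = _HDR + _ARP
TAGGED_100 = _HDR + bytes.fromhex("8100" "0064") + _ARP
DOUBLE_TAGGED = _HDR + bytes.fromhex("8100" "000a" "8100" "0064") + _ARP
PRIORITY_TAGGED = _HDR + bytes.fromhex("8100" "0000") + _ARP

if __name__ == "__main__":
    for f in (UNTAGGED, TAGGED_100, DOUBLE_TAGGED, PRIORITY_TAGGED):
        print(parse_vlan_tags(f), classify_access_port_frame(f))
```

In a monitoring setup the same classifier can be run over a SPAN/mirror feed of an access port to alert on any result other than "untagged" or "priority-tagged".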

Common Use Cases

  • Network segmentation: Separate departments (HR, Engineering, Guests)
  • Security isolation: IoT devices, cameras on separate VLANs
  • Broadcast reduction: Smaller broadcast domains improve performance
  • Multi-tenant environments: Isolate different customers on shared infrastructure

Related Terms

  • Subnet: IP-level equivalent; one VLAN typically maps to one subnet
  • VXLAN: Overlay network extending VLANs across data centers
  • Firewall: Often placed between VLANs for traffic control
  • SDN: Software-defined networking can manage VLANs programmatically