What Is a VLAN?

A virtual LAN (VLAN) is a logical subdivision of a physical network that separates one switch infrastructure into multiple isolated broadcast domains. A VLAN groups devices into the same logical network regardless of their physical location, so traffic from one group stays separate from another even on the same switch. The Institute of Electrical and Electronics Engineers (IEEE) defines VLAN tagging in the 802.1Q standard.

This article defines a VLAN, explains how VLANs work through switch port assignment and 802.1Q tagging, sets out the difference between access and trunk ports, lists the benefits, describes common use cases, and compares a VLAN with a subnet. Each section states one part of the topic and connects it to the isolated logical networks at the center of the definition. The result is a complete account of what a VLAN is, how a switch separates one physical network into many logical ones, and why network designs use VLANs for segmentation, security, and performance.

What Is a VLAN?

A virtual LAN (VLAN) is a logical subdivision of a physical network that groups devices into separate broadcast domains, regardless of where the devices physically connect. A VLAN lets one physical switch carry several independent logical networks, with traffic in each kept isolated from the others. The defining traits of a VLAN are listed below:

• Logical grouping assigns devices to a network by configuration rather than physical wiring.
• Separate broadcast domains keep broadcast traffic within each VLAN, not across the whole switch.
• Location independence places devices in the same VLAN even when connected to different switches.
• A VLAN identifier tags each VLAN with a number so switches keep its traffic separate.

A VLAN runs on the switch that connects devices within a local area network, the device described in the overview of a network switch. Devices in different VLANs reach each other only through a router, using the addressing in the overview of an IP address.

How Do VLANs Work?

VLANs work by assigning switch ports to VLAN numbers and tagging frames with those numbers under the IEEE 802.1Q standard, so a switch keeps each VLAN’s traffic separate. A VLAN uses the switch to label and segregate traffic, ensuring frames stay within their assigned VLAN. The mechanisms behind a VLAN are listed below:

• Switch port assignment places each port into a VLAN, so devices on that port join that VLAN.
• 802.1Q tagging inserts a VLAN identifier into each frame’s header to mark its VLAN.
• Broadcast containment keeps broadcast frames within their VLAN instead of flooding the whole switch.
• Inter-VLAN routing uses a router or layer-3 switch to pass traffic between separate VLANs.

The IEEE 802.1Q standard defines the VLAN tag, a four-byte field added to the Ethernet frame header that carries a 12-bit VLAN identifier. Traffic between two VLANs must pass through a router, following the routing path set out in the guide to how networks work.

What Is the Difference Between Access and Trunk Ports?

An access port carries traffic for a single VLAN to an end device, while a trunk port carries traffic for multiple VLANs between switches using 802.1Q tags. A switch port acts either as an access port for one device’s VLAN or as a trunk port that carries many VLANs at once. The differences are listed below:

• An access port belongs to one VLAN and connects a single end device such as a computer or printer.
• An access port sends and receives untagged frames, since the device need not know its VLAN.
• A trunk port carries traffic for multiple VLANs between switches or to a router.
• A trunk port uses 802.1Q tags to mark which VLAN each frame belongs to as it crosses the link.

An access port hides the VLAN from the connected device by sending untagged frames, while a trunk port preserves VLAN information across the link with 802.1Q tags. A trunk between two switches carries every VLAN that both switches share, keeping each one separate by its tag.

What Are the Benefits of VLANs?

VLANs provide network segmentation, improved security, better performance, and flexible design without adding physical hardware. A VLAN divides one physical network into isolated logical networks, gaining the advantages of separate networks on shared equipment. The benefits of VLANs are listed below:

• Segmentation separates groups of devices into isolated logical networks on one switch.
• Security improves because devices in one VLAN cannot directly reach another without a router.
• Performance rises because broadcast traffic stays within each VLAN instead of the whole network.
• Flexibility lets administrators group devices logically without rewiring the physical network.

VLAN segmentation contains broadcast traffic, which raises performance by reducing the number of devices that receive each broadcast frame. Isolation between VLANs adds a security boundary, since crossing it requires a router that can apply filtering using network ports.

What Are Common VLAN Use Cases?

Common VLAN use cases include separating departments, isolating IoT devices, segmenting guest access, and dividing voice from data traffic. A VLAN groups devices by function or trust level, applying the same separation a physical network would provide. The common use cases are listed below:

• Separating departments places finance, engineering, and other teams in their own VLANs.
• Isolating IoT devices confines smart cameras and sensors to a VLAN away from sensitive systems.
• Segmenting guest access gives visitors a VLAN with internet access but no reach into internal resources.
• Separating voice and data places IP phones in a voice VLAN for prioritized, isolated traffic.

Isolating IoT and guest devices in their own VLANs limits the reach of a compromised device, keeping it away from sensitive internal systems. A voice VLAN carries IP phone traffic separately, often prioritized over the same switches that serve data, configured per the network switch settings.

What Is the Difference Between a VLAN and a Subnet?

A VLAN is a layer-2 broadcast domain defined on a switch, while a subnet is a layer-3 range of IP addresses, and the two usually map one-to-one in network design. A VLAN separates traffic at the switch level, and a subnet groups addresses at the IP level, with each VLAN typically assigned its own subnet. The differences are listed below:

• A VLAN operates at layer 2, separating broadcast domains on a switch by VLAN tag.
• A subnet operates at layer 3, grouping a range of IP addresses behind a subnet mask.
• A VLAN and a subnet commonly map one-to-one, with each VLAN carrying one subnet.
• Routing between subnets matches routing between VLANs, both requiring a router or layer-3 switch.

A VLAN and a subnet describe the same separation at different layers, which is why designs assign one subnet per VLAN. The IP addresses within each subnet follow the addressing rules in the overview of an IP address.

What Are the Types of VLANs?

The types of VLANs include the default VLAN, data VLANs, voice VLANs, management VLANs, and the native VLAN, each serving a specific role on a switch. A VLAN type defines the purpose of the traffic it carries, from ordinary user data to switch management and untagged trunk frames. The types of VLANs are listed below:

• The default VLAN is VLAN 1, to which all switch ports belong until reassigned.
• A data VLAN carries ordinary user-generated traffic, such as files and web requests.
• A voice VLAN carries IP phone traffic separately, often with priority over data.
• A management VLAN isolates the traffic used to administer the switches themselves.
• The native VLAN carries untagged frames on a trunk port under the IEEE 802.1Q standard.

The native VLAN handles any untagged frames that arrive on a trunk port, and network designs often change it from the default VLAN 1 for security. A management VLAN keeps administrative access to the network switch separate from user data traffic.

What Are the Security Considerations for VLANs?

VLAN security considerations include VLAN hopping attacks, the risks of the default VLAN, and the need to restrict trunk ports. A VLAN provides isolation only when configured correctly, since misconfiguration can let traffic cross between VLANs. The security considerations for VLANs are listed below:

• VLAN hopping is an attack where crafted frames reach a VLAN the attacker should not access.
• Default VLAN risks arise when management and user traffic share VLAN 1 without separation.
• Trunk port restriction limits each trunk to only the VLANs it must carry.
• Disabling unused ports prevents an attacker from connecting a device to an active VLAN.

VLAN hopping exploits trunk misconfiguration, so administrators restrict trunk ports and avoid using the default VLAN for sensitive traffic. Crossing between VLANs requires a router, which can apply filtering on the network ports that identify each service.

Key Takeaways

• A VLAN is a logical subdivision of a physical network into isolated broadcast domains.
• It works through switch port assignment and IEEE 802.1Q frame tagging.
• An access port carries one VLAN to a device, while a trunk port carries many between switches.
• Benefits include segmentation, security, performance, and flexible design without new hardware.
• Use cases include separating departments, IoT, guest access, and voice from data.
• A VLAN is a layer-2 domain, while a subnet is a layer-3 address range, often mapped one-to-one.

Last Thoughts on VLANs

A VLAN is a logical subdivision of a physical network that separates one switch infrastructure into isolated broadcast domains. A VLAN works through switch port assignment and IEEE 802.1Q tagging, with access ports carrying one VLAN to a device and trunk ports carrying many between switches.

VLANs provide segmentation, security, performance, and flexible design, applied in use cases such as separating departments, IoT, and guest access, and they map closely to subnets at layer 3. Readers can continue with the overview of a network switch, the overview of an IP address, the guide to NAT, or the guide to how networks work.