Virtual LAN (VLAN)

By default, most switches are configured to be one network, one broadcasting domain. This would mean that any isolated network would require a separate set of switches.

../../_images/multi_network.png — Each LAN network has its own switch

VLAN (Virtual LAN) can be used to set up multiple broadcast domains in a single set of switches to create virtual networks.

It allows a single switch to act like multiple ones and is used to isolate traffic between switch-ports. Each VLAN has a unique ID, between 1 and 4095. Each switch port can be associated to a VLAN ID, which makes it an access port. Packets coming into an access port are automatically tagged for a particular VLAN. Packets of one VLAN will only be forwarded to access ports of that VLAN.

../../_images/vlan.png — Multiple VLAN networks share same switch

Ports connecting switches that serve the same VLANs must be configured to forward frames of those VLANs and must add the VLAN information to each frame. Such ports are called trunk ports. IEEE 802.1Q is the standard on how VLAN information is encoded in frame, which makes this work between different switch vendors.