A VLAN is fundamentally a logical broadcast domain rather than a physical one: it lets you carve a single physical switch into several virtual switches, each with its own broadcast domain.

Let’s see this in action. Imagine you have a single physical switch, and you want to isolate your "Servers" from your "Workstations."

# On a Cisco-like switch CLI

Switch> enable
Switch# configure terminal
Switch(config)# vlan 10
Switch(config-vlan)# name Servers
Switch(config-vlan)# exit
Switch(config)# vlan 20
Switch(config-vlan)# name Workstations
Switch(config-vlan)# exit
Switch(config)# interface GigabitEthernet1/0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# exit
Switch(config)# interface GigabitEthernet1/0/2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 20
Switch(config-if)# exit
Switch(config)# interface GigabitEthernet1/0/3
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# exit
Switch(config)# interface GigabitEthernet1/0/4
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 20
Switch(config-if)# end
Switch# show vlan brief
VLAN Name                             Status    Ports
1    default                          active    Gi1/0/5, Gi1/0/6, ...
10   Servers                          active    Gi1/0/1, Gi1/0/3
20   Workstations                     active    Gi1/0/2, Gi1/0/4

Here, Gi1/0/1 and Gi1/0/3 are now on VLAN 10 (Servers), and Gi1/0/2 and Gi1/0/4 are on VLAN 20 (Workstations). Devices plugged into Gi1/0/1 and Gi1/0/3 can talk to each other directly, but they cannot directly "hear" or talk to devices plugged into Gi1/0/2 and Gi1/0/4 at layer 2. They are on separate broadcast domains.

This segmentation solves a few key problems. First, security: a host in the Workstations VLAN cannot sniff the Servers VLAN's broadcast traffic or reach a server directly at layer 2, and anything that does need to pass between the two must go through a layer 3 device where it can be filtered. VLANs alone are not an access-control mechanism, though; that enforcement belongs in the router or firewall between them. Second, performance: smaller broadcast domains mean each device processes less traffic that was never meant for it, reducing congestion. Third, management: you can group users or devices logically (for example by department or function) regardless of where they plug in physically, which simplifies policy application and troubleshooting.

Internally, a switch decides which VLAN a frame belongs to at ingress. On an access port the answer is simply the port's configured VLAN. For frames that need to travel between switches (inter-switch links), a mechanism called tagging is used, and the most common tagging standard is IEEE 802.1Q. When a frame crosses a trunk link (a link configured to carry traffic for multiple VLANs), a 4-byte tag is inserted into the Ethernet header right after the source MAC address. The tag consists of a 2-byte Tag Protocol Identifier (0x8100) and 2 bytes of Tag Control Information, of which 12 bits are the VLAN ID (usable values 1 to 4094). The receiving switch reads that ID, knows which VLAN the frame belongs to, and forwards it only to ports in that same VLAN.

The "native" VLAN on a trunk link is special: frames belonging to the native VLAN are not tagged as they cross the trunk. This can be a security vulnerability if not managed carefully, as untagged traffic will be placed into the native VLAN on the other side, potentially allowing unintended access. It’s generally recommended to set the native VLAN to an unused VLAN ID and ensure it matches on both ends of the trunk.

The core concept is that a VLAN is a logical grouping of network ports that behave as if they were on their own separate physical network, even if they share the same physical switch hardware.

Once you’ve segmented your network with VLANs, the next logical step is to enable communication between these VLANs, which requires layer 3 routing.
