In a regular switch, all connected devices share the same “conversation room” - the broadcast domain.
A VLAN (Virtual Local Area Network) is like building invisible walls inside that switch, creating separate logical networks within a single physical device. Devices in different VLANs cannot see each other, even if they are connected to the same switch.
The magic happens through a 12-bit tag (0–4095) inserted into the Ethernet frame header, defined by the IEEE 802.1Q standard.
When a frame enters a VLAN-configured switch, the switch inserts this tag to identify which VLAN it belongs to.
Switch ports can operate in two main modes:
Access ports – belong to a single VLAN and do not expose VLAN tags to end devices.
Trunk ports – carry multiple VLANs simultaneously, preserving the tags (typically used between switches or between a switch and a router).
Think of a building:
VLAN 10 – Guests (public Wi-Fi)
VLAN 20 – Employees (corporate network)
VLAN 30 – Security cameras (IoT)
All traffic flows through the same cables and switches, yet each network remains isolated. This improves security, reduces broadcast traffic, and provides logical organization.
Communication between VLANs requires a Layer 3 device (router or Layer 3 switch).
One classic design is called “router-on-a-stick.”
In this setup, a single physical trunk link connects the switch to a router. The router uses virtual interfaces (SVIs or subinterfaces), one per VLAN, to route traffic between them while enforcing security policies such as ACLs.
VLANs are a foundational element of modern network segmentation. They allow a single physical infrastructure to support multiple purposes, isolated test environments, and granular access policies.
They are also one of the first steps toward Software-Defined Networking (SDN).
Reference: IEEE 802.1Q – Virtual Bridged Local Area Networks.
Which concept do you find more impactful in network design: VLANs, VPNs, or Subnets?
LinkedIn: 