Tags: VLAN, Layer 2, Switching, Network Design

VLANs: Slicing Up the Network Without Buying More Cables

David Chen, June 12, 2024

If you build a small network in your home, it's a very simple affair. You buy a switch, you plug in your PC, your TV, and your printer. They are all on the same physical network. They all share the same IP subnet (e.g., `192.168.1.x`). If your PC sends a broadcast message, the TV and the printer both hear it.

This is a single Local Area Network (LAN). It represents a single Broadcast Domain.

Now imagine you are tasked with designing the network for a medium-sized corporate office with 200 employees.

You have three groups of people:

1. The Executive Team: They handle highly sensitive financial data.

2. The General Staff: They need normal internet access and access to internal servers.

3. The Guest WiFi: Visitors in the lobby who just need to check their email, but who absolutely should not be able to access the internal servers or see the Executive computers.

If you plug all 200 of these devices into the same giant switch, you have a massive security problem. They are all in the same LAN: one broadcast domain, one subnet, and no router or firewall anywhere in the path between them. A guest whose laptop is infected with malware could ARP-scan the whole segment in seconds and attack the Executive machines directly, because they are sitting on the exact same local subnet.

Furthermore, with 200 devices constantly sending out ARP broadcasts and other noisy background traffic, the network performance will start to degrade.

The Old Solution: Physical Separation

In the 1990s, the solution to this problem was brutal but effective: physical separation.

You would buy three completely separate physical switches.

  • You run cables from all the Executive computers to the "Executive Switch" in the server room.
  • You run cables from all the Staff computers to the "Staff Switch."
  • You run cables from the lobby WiFi access points to the "Guest Switch."
  • You then connect each switch to a different port on the main router, and apply firewall rules between the router ports.

This works perfectly for security. But it is an absolute nightmare for cost and logistics. What if an Executive moves their desk to the other side of the building? You have to physically trace their wall port all the way back to the server room, unplug their cable from the Staff Switch, and plug it into the Executive Switch. What if you run out of ports on the Executive switch, but the Guest switch is mostly empty? Too bad, you have to buy a new hardware switch.

There had to be a better way to separate networks logically without relying on physical hardware separation.

The Modern Solution: VLANs

The solution is the Virtual Local Area Network (VLAN).

A VLAN allows a network engineer to take a single, large, physical network switch and logically slice it up into multiple virtual switches that are isolated from each other at Layer 2: separate broadcast domains that share nothing but the hardware.

Here is how it works in practice:

You buy one large, 48-port enterprise switch.

You log into the switch's configuration interface, and you create three VLANs:

  • **VLAN 10:** Executives
  • **VLAN 20:** Staff
  • **VLAN 30:** Guests

Then, you assign specific physical ports on the switch to specific VLANs:

  • You assign Ports 1-10 to VLAN 10.
  • You assign Ports 11-40 to VLAN 20.
  • You assign Ports 41-48 to VLAN 30.

Even though all these ports are on the exact same piece of metal, sharing the exact same power supply and processing chip, the switch treats them as if they are completely separated by concrete walls.

If a computer plugged into Port 5 (VLAN 10) sends a broadcast message, the switch will *only* forward that message out of Ports 1-10. The computers on VLAN 20 and 30 will never hear it. They are in completely separate Broadcast Domains.

From the hosts' point of view, and from a routing perspective, a VLAN behaves exactly like a physically separate network: a machine in VLAN 10 cannot ARP for, or send a frame directly to, a machine in VLAN 20, no matter what IP address it configures for itself. To allow VLAN 10 to talk to VLAN 20 at all, you must route the traffic through a Layer 3 router or a Layer 3 switch, and that routing point is where you apply strict firewall rules, just as if the two VLANs were separate buildings. The isolation is only as strong as the switch configuration, though: a wall port accidentally assigned to VLAN 10, or a trunk allowed to carry VLANs it has no need for, quietly removes the wall.

The Magic of VLAN Tagging (802.1Q)

Assigning physical ports to a single VLAN is great, but it introduces a new problem.

What happens when you have two switches? Imagine a two-story building. Switch A is on the 1st floor. Switch B is on the 2nd floor. Both switches have Executive (VLAN 10) and Staff (VLAN 20) computers plugged into them.

How do you connect Switch A to Switch B so that the Executives on the 1st floor can talk to the Executives on the 2nd floor?

You *could* run two cables between the switches, one dedicated to VLAN 10 traffic and one dedicated to VLAN 20 traffic. But if you have 50 VLANs, running 50 uplink cables between every pair of switches is absurd.

Instead, we use a single cable between the switches and turn it into a Trunk Port (or Tagged Port).

A Trunk Port is allowed to carry traffic for *multiple* VLANs simultaneously. But if multiple VLANs are mixing their traffic on a single cable, how does the receiving switch know which frame belongs to which VLAN?

This is solved by the IEEE 802.1Q standard, commonly known as VLAN Tagging.

Before Switch A sends an Executive frame across the trunk cable, it inserts a 4-byte "Tag" into the Ethernet header, between the source MAC address and the EtherType field. The tag is two fields: a 2-byte Tag Protocol Identifier, `0x8100`, which tells the receiver "an 802.1Q tag follows", and a 2-byte Tag Control Information field holding a 3-bit priority, a 1-bit drop-eligibility flag, and a 12-bit VLAN ID. For our Executive frame the VLAN ID simply says `10`. Twelve bits give 4096 values, of which 0 and 4095 are reserved, so one trunk can carry up to 4094 VLANs.

Switch B receives the frame, reads the tag, says "Ah, this is for the Executives," and looks up which of its ports belong to VLAN 10. When it forwards the frame out of an access port it strips the tag completely and sends a normal, untagged frame; if the frame has to travel onward over yet another trunk, the tag stays on.

Because the tag is added and removed by the switches at the trunk, a computer on an access port has no idea that VLANs even exist. As far as your laptop is concerned, it's just plugged into a normal network. Two caveats matter in practice. Servers and hypervisors are often connected to a trunk on purpose and configured to send and receive tagged frames themselves, so "hosts never see tags" holds only for access ports. And a frame that arrives on a trunk *without* a tag is not dropped by default: it is placed in the trunk's native VLAN. A trunk should therefore be configured to carry only the VLANs it actually needs, with a native VLAN that carries nothing you care about.
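The port-to-VLAN assignment and the tag handling on a trunk are easy to see in a few dozen lines. The following is an added example written for this article, not code from the original page or from any switch vendor: a toy switch in Python that floods a frame only to the ports in its VLAN, inserts the 4-byte 802.1Q tag when the frame leaves on a trunk, and strips it again when the frame leaves on an access port. The two-switch layout, the MAC address, the ARP payload, and the policy of dropping untagged frames on a trunk (a real switch would place them in its native VLAN instead) are all assumptions made for the example; MAC learning is left out so the VLAN logic stays visible.

```python
"""Toy model of 802.1Q access ports, trunk ports and per-VLAN flooding.

Added example for this article, not code from the original page. Frames are
raw bytes; the switch layout, MAC address and payload are constructed here.
"""
import struct

TPID_8021Q = 0x8100          # EtherType value that marks an 802.1Q tag
BROADCAST = b"\xff" * 6
ETHERTYPE_ARP = 0x0806


def build_frame(dst, src, ethertype, payload):
    """Untagged Ethernet II frame: dst(6) | src(6) | type(2) | payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


def is_tagged(frame):
    return len(frame) >= 16 and frame[12:14] == struct.pack("!H", TPID_8021Q)


def insert_tag(frame, vid, pcp=0):
    """Insert the 4-byte tag between the source MAC and the EtherType.

    TCI layout: PCP (3 bits) | DEI (1 bit, left 0) | VID (12 bits)."""
    if not 1 <= vid <= 4094:          # 0 and 4095 are reserved by 802.1Q
        raise ValueError("VID must be in 1..4094")
    tci = (pcp << 13) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame):
    """Return (vid, untagged_frame); raises if the frame carries no tag."""
    if not is_tagged(frame):
        raise ValueError("frame is not 802.1Q tagged")
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, frame[:12] + frame[16:]


class Switch:
    """access: port -> VLAN id (untagged ports); trunks: port -> allowed VIDs."""

    def __init__(self, access, trunks):
        self.access = access
        self.trunks = trunks

    def receive(self, in_port, frame):
        """Classify an ingress frame by VLAN, then flood it within that VLAN.

        Returns [(egress_port, frame_as_transmitted), ...]. Frames that
        violate port policy are dropped (empty list)."""
        if in_port in self.access:
            if is_tagged(frame):            # hosts on access ports must not tag
                return []
            vid, untagged = self.access[in_port], frame
        elif in_port in self.trunks:
            if not is_tagged(frame):        # assumption for this model: no native
                return []                   # VLAN, untagged frames on a trunk are dropped
            vid, untagged = strip_tag(frame)
            if vid not in self.trunks[in_port]:
                return []                   # VLAN pruned from this trunk
        else:
            return []                       # unknown port
        out = []
        for port, pvid in self.access.items():
            if port != in_port and pvid == vid:
                out.append((port, untagged))                   # tag removed on access egress
        for port, allowed in self.trunks.items():
            if port != in_port and vid in allowed:
                out.append((port, insert_tag(untagged, vid)))  # tag added on trunk egress
        return out


def egress_ports(outputs):
    return sorted(port for port, _ in outputs)


def two_floor_broadcast():
    """Executive PC on Switch A port 5 broadcasts; follow the frame to Switch B."""
    switch_a = Switch(
        access={**{p: 10 for p in range(1, 11)}, **{p: 20 for p in range(11, 41)}},
        trunks={48: {10, 20}},
    )
    switch_b = Switch(access={1: 10, 2: 10, 3: 20}, trunks={48: {10, 20}})
    exec_pc = bytes.fromhex("020000000005")               # constructed MAC address
    arp = build_frame(BROADCAST, exec_pc, ETHERTYPE_ARP, b"who-has 10.0.10.1")
    a_out = switch_a.receive(5, arp)
    on_trunk = dict(a_out)[48]                            # tagged copy sent toward B
    b_out = switch_b.receive(48, on_trunk)
    return a_out, on_trunk, b_out


if __name__ == "__main__":
    a_out, on_trunk, b_out = two_floor_broadcast()
    print("Switch A floods to ports:", egress_ports(a_out))
    print("On the trunk the frame carries VID", strip_tag(on_trunk)[0])
    print("Switch B delivers untagged copies to ports:", egress_ports(b_out))
```

Running the module shows the broadcast from port 5 leaving Switch A on ports 1-4 and 6-10 untagged and on port 48 tagged with VID 10, then arriving at Switch B and being delivered only to its two VLAN 10 ports; the Staff ports on both switches never see it. The `trunks` map is also where the pruning caveat from the text lives: a frame tagged for a VLAN that is not in the trunk's allowed set is dropped at ingress rather than flooded.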

Why VLANs are Essential

Today, VLANs are a foundation of enterprise network design. They solve three big problems at once:

1. Security: You can put IP security cameras, guest WiFi, and finance servers into separate silos that can only reach each other through a router or firewall you control and can log.

2. Performance: By shrinking the Broadcast Domains, you reduce the amount of noisy "junk" traffic that every computer has to process.

3. Flexibility: If the Accounting department moves from the 1st floor to the 3rd floor, you don't need to rewire the building. You just log into the switches and change the VLAN assignments on their new wall ports.

VLANs are the ultimate proof of a core networking philosophy: whenever physical reality becomes too expensive or cumbersome, solve it with software abstraction.