VLANs: Logical Network Segmentation on a Physical Switch
A Virtual LAN (VLAN) partitions a physical network switch into multiple independent logical networks. Devices on different VLANs cannot communicate at Layer 2, even if they share the same hardware — just as if they were on entirely separate switches.
VLANs are defined by IEEE 802.1Q, which inserts a 4-byte tag into Ethernet frames to identify which VLAN the traffic belongs to. Switch ports are configured either as access ports (carrying traffic for a single VLAN, typically used for end devices) or trunk ports (carrying tagged traffic for multiple VLANs, used between switches or to routers).
A classic use case: separating the corporate LAN, a guest Wi-Fi network, and IP cameras onto three VLANs on the same physical infrastructure. Each segment is isolated at Layer 2. Inter-VLAN routing, if needed, is handled by a router or Layer 3 switch with explicit access control lists in between.
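The tag format described above and the access/trunk port distinction are easiest to see on real bytes. The following is an added example (not code from the original post, and not any vendor's switch implementation): it builds and parses 802.1Q-tagged Ethernet frames, then applies a simplified ingress policy that classifies each frame into a VLAN or drops it. The port names, MAC addresses and VLAN numbers (10 for corporate, 20 for guest, 30 for cameras) are constructed for illustration; untagged frames arriving on a trunk are dropped here as a deliberately conservative choice rather than assigned to a native VLAN.

```python
import struct
from dataclasses import dataclass, field
from typing import Optional, Set, Dict, Tuple

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag follows
ETHERTYPE_IPV4 = 0x0800


@dataclass
class Frame:
    dst: str
    src: str
    vlan_id: Optional[int]   # None when the frame carries no 802.1Q tag
    pcp: int                 # 3-bit priority code point
    dei: int                 # 1-bit drop eligible indicator
    ethertype: int           # EtherType of the encapsulated payload
    payload: bytes


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet II frame, honouring a single 802.1Q tag if present."""
    if len(raw) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", raw[:14])
    offset, vlan_id, pcp, dei = 14, None, 0, 0
    if ethertype == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        # The 4-byte tag is TPID (2 bytes, consumed above) + TCI (2 bytes):
        # TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits); the real EtherType follows.
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        pcp, dei, vlan_id = tci >> 13, (tci >> 12) & 1, tci & 0x0FFF
        offset = 18
    return Frame(_mac(dst), _mac(src), vlan_id, pcp, dei, ethertype, raw[offset:])


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None, pcp: int = 0, dei: int = 0) -> bytes:
    """Build a frame; insert an 802.1Q tag only when vlan_id is given."""
    if vlan_id is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    if not 0 <= vlan_id <= 4095:
        raise ValueError("VID must fit in 12 bits")
    tci = (pcp << 13) | (dei << 12) | vlan_id
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


@dataclass
class Port:
    mode: str                                   # "access" or "trunk"
    access_vlan: int = 1                        # VLAN for untagged traffic on an access port
    allowed: Set[int] = field(default_factory=set)  # VLANs permitted on a trunk


def classify_ingress(port: Port, frame: Frame) -> Tuple[Optional[int], str]:
    """Decide which VLAN a received frame belongs to, or drop it.

    Returns (vlan_id, reason); vlan_id is None when the frame is dropped.
    VID 0 means "priority-tagged, no VLAN membership" and is treated as untagged.
    """
    untagged = frame.vlan_id is None or frame.vlan_id == 0
    if port.mode == "access":
        # Access ports serve end devices and expect untagged frames; a tagged
        # frame here is unexpected and is not trusted to pick its own VLAN.
        if untagged:
            return port.access_vlan, "untagged on access port"
        return None, "tagged frame on access port dropped"
    if port.mode == "trunk":
        if untagged:
            return None, "untagged frame on trunk dropped (no native VLAN configured)"
        if frame.vlan_id in port.allowed:
            return frame.vlan_id, "tagged and allowed on trunk"
        return None, "VLAN not in trunk allowed list"
    raise ValueError(f"unknown port mode {port.mode!r}")


# Constructed sample topology: three segments on one switch (VLAN numbers are arbitrary).
CORPORATE, GUEST, CAMERAS = 10, 20, 30
PORTS: Dict[str, Port] = {
    "Gi1/0/1": Port("access", access_vlan=CORPORATE),
    "Gi1/0/2": Port("access", access_vlan=GUEST),
    "Gi1/0/24": Port("trunk", allowed={CORPORATE, GUEST, CAMERAS}),
}
LAPTOP = bytes.fromhex("02aabbcc0001")    # constructed locally-administered MACs
GATEWAY = bytes.fromhex("02aabbcc00ff")


def demo() -> Dict[str, Tuple[Optional[int], str]]:
    body = b"\x45" + b"\x00" * 19                     # placeholder IPv4 header bytes
    untagged = parse_frame(build_frame(GATEWAY, LAPTOP, ETHERTYPE_IPV4, body))
    tagged = parse_frame(build_frame(GATEWAY, LAPTOP, ETHERTYPE_IPV4, body, vlan_id=CAMERAS))
    return {
        "laptop_on_access": classify_ingress(PORTS["Gi1/0/1"], untagged),
        "cameras_on_uplink": classify_ingress(PORTS["Gi1/0/24"], tagged),
        "tagged_on_access": classify_ingress(PORTS["Gi1/0/2"], tagged),
    }


if __name__ == "__main__":
    for name, (vid, reason) in demo().items():
        print(f"{name:20s} -> VLAN {vid}: {reason}")
```

Running the script shows the laptop's untagged frame landing in VLAN 10, the camera-tagged frame being accepted across the trunk, and the same tagged frame being dropped on a guest access port. The drop on the access port is the point that matters for segmentation: the switch, not the end device, decides VLAN membership.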
VLANs reduce broadcast traffic, contain security incidents, and allow IT teams to apply different policies per segment without running separate cables.