What is a VLAN?


VLAN stands for Virtual Local Area Network.

What a VLAN lets you do is cut a normal layer 2 switch into several smaller, logical switches. A VLAN is identified by a 12-bit ID; IDs 0 and 4095 are reserved, so 1-4094 are usable. The interesting property of a VLAN is that it sets a boundary of communication: frames, broadcasts included, are only forwarded to ports that are members of the same VLAN.

Let’s say 4 computers are connected to a switch and only these 4 need to be able to communicate with each other. The easiest way to accomplish this is to put them in the same VLAN; take VLAN 10 as an example. You put each of their ports in access mode and assign VLAN 10 to the port. Frames on an access port carry no VLAN tag; the switch assigns them to the port’s VLAN when they arrive. The terminology might vary across vendors.

Are VLANs a security feature?

Well, this is debatable. A VLAN separates hosts in different VLANs from each other at layer 2, but it does nothing to protect hosts within the same VLAN from one another. For that we would need a layer 2 firewall, or a host firewall together with a HIPS solution. Keep in mind as well that the separation is only as good as the switch configuration: it depends on the access port assignments and the tagging rules on the trunk ports being correct on every switch the VLAN spans.

VLANs and subnets

These terms live in close proximity in the network world. Although not strictly necessary, usually one VLAN contains all devices that are in the same IP subnet. When designing your network you should take this into account and leave room for expansion. Most vendors let you attach a name or description to a VLAN. If your equipment does, please do so! It will save you a ton of time when troubleshooting.

Can a VLAN span multiple switches?

Yes, it can. This is accomplished with the help of trunk ports. In contrast with an access port, a trunk port can carry multiple VLANs at the same time: each frame sent over the trunk carries an 802.1Q tag with its VLAN ID, so the switch on the other end knows which VLAN the frame belongs to. A frame received in a specific VLAN is sent over the trunk to the next switch, and this continues until it reaches a switch that has the destination MAC address in its MAC address table for that VLAN behind an access port, where it is delivered untagged. The one exception is the trunk’s native VLAN, whose frames cross the trunk untagged; that is why the native VLAN should not be one of the VLANs you use for hosts.
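To make the access/trunk distinction and the "boundary of communication" concrete, here is a small model of a VLAN-aware switch in Python. It is an added illustration written for this article, not code from the original post or from any switch vendor: it builds and parses 802.1Q-tagged Ethernet frames, keeps a MAC table per VLAN, floods unknown destinations only to ports in the same VLAN, sends untagged toward access ports and tags frames on the trunk (except for the native VLAN). The port names, the MAC addresses and the VLAN numbers 10, 20 and 99 are constructed for the example; real switches add many details (spanning tree, DTP, QinQ) that this model leaves out.

```python
"""Toy 802.1Q switch model (added illustration, not a real switch implementation)."""
import struct
from dataclasses import dataclass, field

TPID_8021Q = 0x8100         # EtherType that announces an 802.1Q tag
MIN_VID, MAX_VID = 1, 4094  # VID 0 and 4095 are reserved by 802.1Q
BROADCAST = b"\xff" * 6


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Ethernet frame; with vid set, a 4-byte 802.1Q tag follows the source MAC."""
    if vid is not None and not MIN_VID <= vid <= MAX_VID:
        raise ValueError(f"VID {vid} outside usable range {MIN_VID}-{MAX_VID}")
    frame = dst + src
    if vid is not None:
        tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)   # PCP(3) | DEI(1)=0 | VID(12)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vid_or_None, ethertype, payload), removing any tag."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return dst, src, None, ethertype, frame[14:]
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, ethertype, frame[18:]


@dataclass
class Port:
    name: str
    mode: str                 # "access" or "trunk"
    vlan: int = 1             # access VLAN, or the native (untagged) VLAN of a trunk
    allowed: set = field(default_factory=set)  # trunk only: tagged VLANs carried


class Switch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.mac_table = {}   # (vid, mac) -> port name: effectively one table per VLAN

    @staticmethod
    def is_member(port, vid):
        if port.mode == "access":
            return port.vlan == vid
        return vid == port.vlan or vid in port.allowed

    @staticmethod
    def ingress_vlan(port, tag_vid):
        """VLAN an arriving frame is assigned to, or None if it must be dropped."""
        if port.mode == "access":
            return port.vlan if tag_vid is None else None  # tagged frame on access port: drop
        vid = port.vlan if tag_vid is None else tag_vid    # untagged on a trunk -> native VLAN
        return vid if Switch.is_member(port, vid) else None

    @staticmethod
    def egress_frame(port, vid, dst, src, ethertype, payload):
        # Access ports and a trunk's native VLAN send untagged; other trunk VLANs are tagged.
        tag = None if port.mode == "access" or vid == port.vlan else vid
        return build_frame(dst, src, ethertype, payload, vid=tag)

    def receive(self, in_port, frame):
        """Switch one frame; returns {egress_port_name: frame_bytes}."""
        port = self.ports[in_port]
        dst, src, tag_vid, ethertype, payload = parse_frame(frame)
        vid = self.ingress_vlan(port, tag_vid)
        if vid is None:
            return {}
        self.mac_table[(vid, src)] = in_port          # learn the source MAC in this VLAN only
        known = self.mac_table.get((vid, dst))
        if known == in_port:
            return {}                                 # destination sits behind the ingress port
        if known is not None:
            targets = [known]
        else:                                         # unknown/broadcast: flood within the VLAN
            targets = [n for n, p in self.ports.items()
                       if n != in_port and self.is_member(p, vid)]
        return {n: self.egress_frame(self.ports[n], vid, dst, src, ethertype, payload)
                for n in targets}


def demo_switch():
    """Constructed topology: two hosts in VLAN 10, one in VLAN 20, a trunk to another switch."""
    return Switch([
        Port("Gi0/1", "access", vlan=10),
        Port("Gi0/2", "access", vlan=10),
        Port("Gi0/3", "access", vlan=20),
        Port("Gi0/24", "trunk", vlan=99, allowed={10, 20}),  # native 99, carries 10 and 20 tagged
    ])


HOST_A, HOST_B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")  # constructed MACs

if __name__ == "__main__":
    sw = demo_switch()
    out = sw.receive("Gi0/1", build_frame(BROADCAST, HOST_A, 0x0806, b"arp-request"))
    print("broadcast from a VLAN 10 host reached:", sorted(out))    # Gi0/2 and the trunk, never Gi0/3
    print("VLAN ID in the trunk copy:", parse_frame(out["Gi0/24"])[2])
    out = sw.receive("Gi0/2", build_frame(HOST_A, HOST_B, 0x0806, b"arp-reply"))
    print("reply forwarded only to:", sorted(out))                   # Gi0/1, learned from the request
```

Running the demo shows the two properties the text describes: the host in VLAN 20 on Gi0/3 never sees the VLAN 10 broadcast, and the copy sent over the trunk carries the tag 0x8100 followed by VID 10, while the copies toward access ports are untagged. Feeding a tagged frame into an access port, or a frame for a VLAN the trunk does not allow, returns an empty forwarding set, which is the behaviour the "boundary" depends on.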
