What is a VLAN?

VLAN stands for Virtual Local Area Network. "Virtual" means that it is not a physical network segment but a logical one.

Example A

A physical network segment could be two Ethernet switches with a different network running on each of them.

Example B

A logical network segment, or "VLAN", could be a single Ethernet switch configured for multiple networks.


What is the point of using VLANs?

In today's networking environments many LANs (Local Area Networks) are scaled very large. Good network practice is to break up the broadcast domain into smaller pieces, or multiple LANs. You might also want to separate a network in order to filter traffic between the two parts for security purposes, for example if you have different departments like Accounting and Sales. Sales might need to access certain types of systems on the Accounting department's network, but not all of them.


Example:

Let's say you have a large building with two departments, Accounting and Sales. Accounting has 125 users and Sales has 200 users. You could supply each department with a single Class C IP subnet, allowing up to 254 usable host addresses on each. This would be more than enough to support the clients in each group. You have a single Ethernet switch with enough port density to support all 325 users and then some, and the switch is VLAN and Inter-VLAN routing capable. You could create VLAN 1 for Sales and VLAN 2 for Accounting. Then simply find the ports the users are connected to and set the VLAN of each port to the corresponding department.

Now you have your departments segmented, but there is currently no way for them to communicate: even though they are connected to the same physical device, they are separated by different logical segments, or VLANs. This is where Inter-VLAN routing comes into play. You will need to configure the internal router of the switch so that it can route the data between the two logical segments or VLANs. In most cases the internal router will also have some sort of security functionality, like Cisco's ACLs (Access Control Lists). You can generally specify source and destination addresses, networks and protocol ports for inbound and/or outbound traffic.
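The scenario above, worked through as switch configuration. This is an added example, not configuration from the original article: it uses Catalyst IOS-style commands, VLAN IDs 10 and 20 in place of the article's 1 and 2 (VLAN 1 is the default VLAN on Catalyst switches and is usually kept free of user ports), the constructed subnets 192.168.10.0/24 (Sales) and 192.168.20.0/24 (Accounting), constructed port ranges, and a constructed Accounting application server 192.168.20.10 as the one system Sales is allowed to reach.

```cisco
! Added example (not from the article). VLAN IDs, subnets, port ranges and the
! host 192.168.20.10 are constructed values.
!
! Step 1: define one VLAN per department (user ports are kept off default VLAN 1).
vlan 10
 name Sales
vlan 20
 name Accounting
!
! Step 2: put each department's user ports into its VLAN.
interface range GigabitEthernet1/0/1 - 24
 description Sales users
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
interface range GigabitEthernet1/0/25 - 36
 description Accounting users
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
! Step 3: turn on the switch's internal router and give each VLAN a gateway (SVI).
ip routing
!
interface Vlan10
 description Sales gateway
 ip address 192.168.10.1 255.255.255.0
 ip access-group SALES-IN in
!
interface Vlan20
 description Accounting gateway
 ip address 192.168.20.1 255.255.255.0
!
! Step 4: filter what Sales may reach in Accounting. The ACL is applied inbound on
! the Sales SVI, so it sees every packet Sales sends toward another VLAN.
ip access-list extended SALES-IN
 remark Sales may reach only the shared Accounting application server (HTTPS)
 permit tcp 192.168.10.0 0.0.0.255 host 192.168.20.10 eq 443
 remark ACLs are stateless: let replies to sessions Accounting opened toward Sales return
 permit tcp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 established
 remark block the rest of the Accounting subnet and log hits so blocked attempts are visible
 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 log
 remark everything else (other networks, the default route) is allowed
 permit ip any any
!
! Verification:
!   show vlan brief            - port-to-VLAN assignments
!   show ip interface brief    - both SVIs up with their addresses
!   show access-lists          - per-entry hit counters, useful for spotting denied traffic
```

Two points worth noting. The ACL is evaluated per packet with no session state, which is why the `established` line is there: without it, a connection that an Accounting host opens toward Sales would have its reply packets dropped by the deny line. The `log` keyword on the deny is what turns the segmentation into a detection point; denied hits show up in the switch log and in the ACL counters, which is where a misconfigured client or an unexpected scan across the boundary first becomes visible.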

Sometimes you will have multiple buildings in a MAN (Metropolitan Area Network) situation, or just multiple floors in a LAN (Local Area Network) situation. In this case you would need to establish uplink interfaces between multiple Ethernet switches and "Trunk" the VLAN info over these uplinks by way of VTP (VLAN Trunking Protocol).

Generally, in a VTP environment you will have a primary switch or Root Switch running VTP in server mode. (NOTE: there are multiple versions of VTP.) Connected to the "Root" you will have access switches running in client or transparent VTP mode. The uplinks between the "Root" and the "Clients" will be configured as "Trunks" in order to carry the VTP information and the traffic for multiple VLANs. Once the links are established, the VTP Server will update the Clients with all the VLAN information that it knows about. At this point you can configure the ports on the client switches with these VLANs, and the data for these VLANs will traverse the trunks in their respective Virtual LAN.
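The trunk and VTP arrangement described in the two paragraphs above, as an added example that is not part of the original article. The commands are Catalyst IOS-style; the device roles, the VTP domain name CAMPUS, the password placeholder, the uplink interface numbers and the VLAN IDs are all constructed for the example.

```cisco
! Added example (not from the article). Domain name, password placeholder,
! interface numbers and VLAN IDs are constructed values.
!
! ===== Root switch: VTP server, owns the VLAN database =====
vtp domain CAMPUS
vtp version 2
vtp mode server
vtp password VTP-PASSWORD-PLACEHOLDER
!
vlan 10
 name Sales
vlan 20
 name Accounting
vlan 999
 name Unused-Native
!
interface GigabitEthernet1/0/48
 description Uplink to access switch ACCESS-1
 ! only needed on platforms that also support ISL; 802.1Q-only platforms reject it
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! fix the trunk state by configuration instead of letting DTP negotiate it
 switchport nonegotiate
 ! untagged frames land in an unused VLAN, never in a user VLAN
 switchport trunk native vlan 999
 ! carry only the VLANs this uplink actually needs
 switchport trunk allowed vlan 10,20
!
! ===== Access switch ACCESS-1: VTP client, learns VLANs from the server =====
vtp domain CAMPUS
vtp version 2
vtp mode client
vtp password VTP-PASSWORD-PLACEHOLDER
!
interface GigabitEthernet1/0/48
 description Uplink to root switch
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
!
! Once the trunk is up, the client receives VLANs 10 and 20 from the server and
! its user ports can be placed in them exactly as on the root switch.
interface range GigabitEthernet1/0/1 - 24
 description Sales users on this floor
 switchport mode access
 switchport access vlan 10
!
! Verification (on either switch):
!   show vtp status          - domain, mode and configuration revision number
!   show interfaces trunk    - trunk state, native VLAN and allowed VLANs per uplink
!   show vlan brief          - on the client, confirms VLANs 10 and 20 were learned
```

The VTP password and the domain name are what keep a switch that does not belong to this domain from taking part in the database exchange, and the `show vtp status` revision number is the value to check before cabling a previously used switch into the domain: VTP adopts the database with the highest revision, so a switch carrying a stale, higher-numbered database can replace the VLAN list on every other member. Putting a switch into transparent mode (or changing its domain name) before connecting it resets that revision to zero. `switchport nonegotiate` and the unused native VLAN are the usual hardening on the trunk ports themselves.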

Of course this is a very simple explanation; I haven't taken redundancy and STP (Spanning Tree Protocol) into consideration here, for simplicity.