Chapter Summary

A VLAN is a group of computers, network printers, network servers, and other network devices that behave as if they were in a single broadcast domain. To implement VLANs in a network environment, you need a Layer 2 switch that has VLAN capability. Almost all switches sold today that are described as managed switches allow switch ports to be configured as members of different VLANs. Switches that offer no configuration function at all, such as many basic, lower-end switches, cannot be used to define VLANs. For example, a switch you might buy at your local computer store for a home network probably wouldn't have VLAN capability.

VLANs define broadcast domains without being constrained by the physical location of the network device, such as a computer, server, or network printer. For example, instead of making all the users on the fifth floor part of the same broadcast domain regardless of their departments, you might use VLANs to make all the users in the HR department part of the same broadcast domain, separate from the users in other departments.

There are several benefits to using VLANs. Users might be spread throughout different floors of a building, so a VLAN would enable you to make all these users part of the same broadcast domain. This can also be a security feature. For example, because all HR department users are part of the same broadcast domain, you might later use security measures, such as an access list, to control which areas of the network these users can access, or which users have access to the HR broadcast domain. In addition, if the HR department's server were placed on the same VLAN, HR users would be able to access their server without the need for traffic to cross routers and impact other parts of the network, possibly resulting in network congestion and causing slowdowns.

Port-based VLANs are defined on a switch on a port-by-port basis. That is, you might choose to make ports 1 through 6 part of VLAN 1, and ports 7 through 12 part of VLAN 2. Ports in the same VLAN don't need to be contiguous; for example, you might configure ports 1, 3, and 7 on a switch as part of VLAN 1. If you want to implement VLANs, you must first configure the VLAN in the switch and then add ports to that VLAN.

Address-based VLANs are defined by the Layer 2, or the MAC, address of each device. You configure each VLAN within the switch and then assign MAC addresses to the appropriate VLAN. Address-based VLANs are port independent, which means that it does not matter to which switch port the device is connected. Its VLAN membership is determined by its MAC, or hardware, address.

Layer 3-based VLANs work in much the same fashion as address-based VLANs, but there is one exception. Although address-based VLANs use the Layer 2 (MAC) address, Layer 3-based VLANs use the Layer 3 (network) address, such as an IP address. Like address-based VLANs, Layer 3-based VLANs are port independent, and when the VLAN is defined, the membership of each device is determined by its network address.

The primary reason for VLAN implementation is the cost reduction of handling user moves and changes. Any network device moved or added can be dealt with from the network-management console rather than the wiring closet. VLANs provide a flexible, easy, and less-costly way to modify and manage logical groups of computers in changing environments.

Forming virtual workgroups is another advantage of VLANs. VLANs provide independence from the physical topology of the network by allowing geographically diverse workgroups, such as users on different floors or in different buildings, to be logically connected within a single broadcast domain. If a department expands or relocates, VLAN implementations make it easier to add ports in new locations to existing VLANs.

VLANs can increase performance of switched networks over shared media devices by reducing the number of collision domains. Forming logical networks improves performance by limiting broadcast traffic to users performing similar functions or within individual workgroups.

VLANs can enhance network security in a shared media network environment. In a switched VLAN-based network, frames are delivered only to the intended recipients, and broadcast frames only to other members of the VLAN. This enables network managers to segment users requiring access to sensitive information into separate VLANs from the general user community regardless of physical distance.

A VLAN is not limited to a single switch if trunk links are used to interconnect switches. A VLAN might have three ports on one switch, and seven ports on another. It is the trunk link that provides the interconnection between the VLAN ports on each of these switches. The logical nature of a VLAN makes it an effective tool in large networking environments.
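The following is an added example, not part of the chapter, that models the port-based VLAN behaviour summarized above: a switch whose access ports belong to one VLAN each, MAC learning kept separate per VLAN, broadcast and unknown-unicast flooding confined to the VLAN's member ports, and a trunk port (port 24 here, an assumed number) that carries every VLAN with a VLAN tag so that VLAN 1 can span two switches. All port numbers, MAC addresses and the two-switch topology are constructed for illustration.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Switch:
    """Port-based VLAN switch: access ports carry one untagged VLAN,
    trunk ports carry every VLAN with a VLAN tag (802.1Q style)."""
    access: dict                                 # port -> VLAN id
    trunks: set = field(default_factory=set)     # trunk port numbers
    table: dict = field(default_factory=dict)    # (vlan, mac) -> port, learned

    def members(self, vlan):
        return {p for p, v in self.access.items() if v == vlan} | self.trunks

    def forward(self, in_port, src, dst, tag=None):
        """Return {egress_port: tag} for one frame; tag is None on access ports."""
        vlan = tag if in_port in self.trunks else self.access[in_port]
        if vlan is None:
            return {}                            # untagged frame on a trunk: dropped
        self.table[(vlan, src)] = in_port        # MAC learning is per VLAN
        learned = self.table.get((vlan, dst))
        if dst == BROADCAST or learned is None:
            out = self.members(vlan) - {in_port} # flood stays inside the VLAN
        else:
            out = {learned} - {in_port}
        return {p: (vlan if p in self.trunks else None) for p in out}

def demo():
    """Two switches joined by a trunk on port 24 (constructed); VLAN 1 spans both."""
    sw_a = Switch(access={**{p: 1 for p in range(1, 7)},
                          **{p: 2 for p in range(7, 13)}}, trunks={24})
    sw_b = Switch(access={1: 1, 2: 2, 3: 2}, trunks={24})
    h1, h2, h3 = "00:00:00:00:00:01", "00:00:00:00:00:02", "00:00:00:00:00:03"
    # H1 (A port 1, VLAN 1) broadcasts: VLAN 1 ports plus the trunk, tagged 1
    bcast_a = sw_a.forward(1, h1, BROADCAST)
    bcast_b = sw_b.forward(24, h1, BROADCAST, tag=bcast_a[24])
    # H2 (B port 1, VLAN 1) replies: B learned H1 behind the trunk
    reply_b = sw_b.forward(1, h2, h1)
    reply_a = sw_a.forward(24, h2, h1, tag=reply_b[24])
    # H3 (A port 7, VLAN 2) addresses H1: unknown in VLAN 2, flooded to VLAN 2 only
    cross = sw_a.forward(7, h3, h1)
    return bcast_a, bcast_b, reply_b, reply_a, cross
```

The last case shows the security point: a host in VLAN 2 never reaches port 1, so VLAN 1 traffic can only be reached through a router (and whatever access list sits on it).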