← Lessons

quiz vs the machine

Gold1340

Networking

VLANs And Network Segmentation

Learn how one physical switch can host several isolated logical networks.

5 min read · core · beat Gold to climb

One Wire Many Networks

A VLAN, or virtual local area network, lets a single physical switch carry several logically separate networks. Devices on different VLANs cannot talk directly even though they share the same hardware.

How Tagging Works

VLANs rely on a small tag added to the Ethernet frame.

  • Each VLAN has a numeric VLAN identifier.
  • An access port belongs to one VLAN and carries untagged frames for that VLAN.
  • A trunk port carries many VLANs at once, tagging each frame with its identifier so the other switch can sort them.

A frame stays within its VLAN as it crosses switches, preserving isolation.

Why Segment A Network

  • Isolation keeps traffic of one group, such as guests, away from another, such as servers.
  • Security limits how far an attacker on one segment can reach.
  • Broadcast control keeps broadcast storms contained to a smaller domain.

Crossing Between VLANs

Because VLANs are separate networks, traffic between them must pass through a router or layer three switch that can apply policy. This is often called routing on a stick when one router interface handles several tagged VLANs.

Key idea

A VLAN tags frames with an identifier so one physical switch hosts several isolated logical networks, and traffic between them must cross a router that can enforce policy.

Check yourself

Answer to earn rating on the learn ladder.

1. How does a trunk port carry several VLANs at once?

2. What is required for traffic to move between two VLANs?