Virtual local area networks (VLANs) let one switch support several logically separate LANs over a single physical infrastructure. This solves a few key problems of working only with physical LANs:
- Isolation: on a plain LAN, a broadcast (an ARP request, for instance) reaches every host attached to the switch. Each VLAN is its own broadcast domain, so broadcasts only reach the hosts in that VLAN. That gives isolation for security (a host can only see, and spoof, layer-2 traffic within its own VLAN), privacy and performance.
- Efficiency: fewer physical switches are needed to give a large number of users separate LANs.
- Managing people: when users move between groups or belong to several groups, they can be reassigned in the switch configuration rather than by running new cable.
Port-based
Port-based VLANs logically group switch ports so that one physical switch behaves as several virtual switches; the grouping is configured in the switch's management software, not by cabling. Traffic isolation follows directly: a frame arriving on a port in one VLAN is only ever forwarded (or, for broadcasts, flooded) to ports in the same VLAN, so the broadcast problem goes away. Port assignments can be changed in the configuration, so moving a user between groups is a configuration change. Forwarding between VLANs is a routing (layer-3) decision, not a switching one; in practice the routing is often done by the same hardware (a layer-3 switch), but it still passes through the configured routing policy, which is where inter-VLAN access control belongs.
A trunk port carries frames from several VLANs over one link, typically between two switches, so that a VLAN can span multiple physical switches. IEEE 802.1Q marks which VLAN each frame belongs to by inserting a 4-byte tag after the source MAC address: a 16-bit TPID of 0x8100 followed by a 16-bit TCI holding a 3-bit priority (PCP), a 1-bit drop-eligible flag (DEI) and the 12-bit VLAN ID (VID). The tag is added when a frame leaves a trunk port and removed when it is delivered to an access port. One caveat: frames in a trunk's native VLAN are sent untagged, and an untagged frame arriving on a trunk is assigned to the native VLAN, which is why hardening guides put the native VLAN on an unused VID and stop user-facing ports from negotiating into trunk mode.
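The port-based switch model and the 802.1Q tag format above, as an added example written for this page (not code from any switch vendor or standard). It models a switch with access ports and one trunk, classifies each arriving frame to a VLAN, learns MACs per VLAN, floods broadcasts only within the VLAN, and tags or strips 802.1Q headers at trunk and access egress. Hosts, MAC addresses and port numbers are constructed for the scenario; the rule that access ports accept only untagged frames is a simplification of what real switches do.

```python
"""Toy port-based VLAN switch with 802.1Q tagging (added example, not vendor code)."""
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100          # Tag Protocol Identifier that marks an 802.1Q-tagged frame
BROADCAST = b"\xff" * 6
ETH_IP = 0x0800


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame: dst(6) src(6) ethertype(2) payload (FCS omitted)."""
    return dst + src + struct.pack("!H", ethertype) + payload


def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag (TPID + TCI) after the source MAC."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094 (0 and 4095 are reserved)")
    tci = (pcp << 13) | (dei << 12) | vid     # PCP(3) DEI(1) VID(12)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_tag(frame: bytes):
    """Return (vid, pcp, dei) for a tagged frame, or None if it is untagged."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, tci >> 13, (tci >> 12) & 1


def strip_tag(frame: bytes) -> bytes:
    """Remove the 802.1Q tag, restoring the untagged frame."""
    return frame[:12] + frame[16:]


@dataclass
class Port:
    vlan: int                          # access VLAN, or the native (untagged) VLAN of a trunk
    trunk: bool = False
    allowed: frozenset = frozenset()   # VLANs permitted on a trunk


class Switch:
    def __init__(self):
        self.ports = {}
        self.mac_table = {}            # (vid, mac) -> port id: learning is per VLAN

    def add_port(self, pid: int, port: Port) -> None:
        self.ports[pid] = port

    def ingress(self, in_pid: int, frame: bytes):
        """Classify an arriving frame to a VLAN; return [(out_pid, frame_as_sent)]."""
        port = self.ports[in_pid]
        tag = parse_tag(frame)
        if port.trunk:
            vid = port.vlan if tag is None else tag[0]   # untagged on a trunk -> native VLAN
            if tag is not None:
                frame = strip_tag(frame)
            if vid not in port.allowed:
                return []                                 # VLAN not allowed on this trunk
        else:
            if tag is not None:
                return []                                 # simplification: access ports take untagged only
            vid = port.vlan
        dst, src = frame[:6], frame[6:12]
        self.mac_table[(vid, src)] = in_pid
        known = self.mac_table.get((vid, dst))
        targets = [known] if known is not None else [p for p in self.ports if p != in_pid]
        out = []
        for pid in targets:
            if pid == in_pid:
                continue
            p = self.ports[pid]
            if p.trunk and vid in p.allowed:               # tag unless it is the trunk's native VLAN
                out.append((pid, frame if vid == p.vlan else tag_frame(frame, vid)))
            elif not p.trunk and p.vlan == vid:            # access port: deliver untagged
                out.append((pid, frame))
        return out


def demo():
    """Constructed scenario: access ports in VLAN 10 and 20, one trunk with native VLAN 1."""
    sw = Switch()
    sw.add_port(1, Port(vlan=10))
    sw.add_port(2, Port(vlan=20))
    sw.add_port(3, Port(vlan=1, trunk=True, allowed=frozenset({1, 10, 20})))
    h1 = bytes.fromhex("020000000001")   # constructed locally administered MACs
    h2 = bytes.fromhex("020000000002")
    results = {}
    # Broadcast from the VLAN 10 host: goes out the trunk tagged VID 10, never to port 2.
    results["vlan10_broadcast"] = sw.ingress(1, build_frame(BROADCAST, h1, ETH_IP, b"arp who-has"))
    # VLAN 20 frame arriving tagged on the trunk: delivered untagged to port 2 only.
    results["vlan20_from_trunk"] = sw.ingress(3, tag_frame(build_frame(h1, h2, ETH_IP, b"data"), 20))
    # VID 30 is not on the trunk's allowed list: dropped at ingress.
    results["vid30_not_allowed"] = sw.ingress(3, tag_frame(build_frame(h1, h2, ETH_IP, b"data"), 30))
    return results


if __name__ == "__main__":
    for name, deliveries in demo().items():
        print(name, [(pid, parse_tag(f)) for pid, f in deliveries])
```

Two things worth noticing when running `demo()`: the VLAN 10 broadcast leaves the trunk with a tag but is not delivered to the VLAN 20 access port, and the frame addressed to `h1` that arrives in VLAN 20 is flooded within VLAN 20 rather than sent to port 1, because the MAC table is keyed by VLAN and `h1` was only learned in VLAN 10.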
