Editing VLAN (section)

{{Technical|date=May 2024}}
{{Short description|Network communications domain that is isolated at the data link layer}}
{{More citations needed|date=January 2014}}

{{OSI model}}
[[File:VLAN Concept.svg|thumb|The general concept of virtual LANs.]]

A '''virtual local area network''' ('''VLAN''') is any [[broadcast domain]] that is [[network segmentation|partitioned]] and isolated in a [[computer network]] at the [[data link layer]] ([[OSI model#Layer 2: Data link layer|OSI layer 2]]).<ref>IEEE 802.1Q-2011, ''1. Overview''</ref><ref name="802.1Q 1.4">IEEE 802.1Q-2011, ''1.4 VLAN aims and benefits''</ref> In this context, [[virtualization|virtual]] refers to a physical object recreated and altered by additional logic, within the [[local area network]]. Basically, a VLAN behaves like a virtual switch or network link that can share the same physical structure with other VLANs while staying logically separate from them. VLANs work by applying tags to network frames and handling these tags in networking systems, in effect creating the appearance and functionality of [[network traffic]] that, while on a single physical network, behaves as if it were split between separate networks. In this way, VLANs can keep network applications separate despite being connected to the same physical network, and without requiring multiple sets of cabling and networking devices to be deployed.

VLANs allow [[network administrator]]s to group hosts together even if the hosts are not directly connected to the same [[network switch]]. Because VLAN membership can be configured through software, this can greatly simplify [[network design]] and deployment. Without VLANs, grouping hosts according to their resource needs the labor of relocating [[Node (networking)|nodes]] or rewiring [[data link]]s. VLANs allow devices that must be kept separate to share the cabling of a physical network and yet be prevented from directly interacting with one another. This managed sharing yields gains in simplicity, [[network security|security]], [[traffic management]], and economy. For example, a VLAN can be used to separate traffic within a business based on individual users or groups of users or their roles (e.g. network administrators), or based on traffic characteristics (e.g. low-priority traffic prevented from impinging on the rest of the network's functioning). Many [[Internet hosting service]]s use VLANs to separate customers' private zones from one other, allowing each customer's servers to be grouped in a single network segment no matter where the individual servers are located in the [[data center]]. Some precautions are needed to prevent traffic "escaping" from a given VLAN, an exploit known as [[VLAN hopping]].

To subdivide a network into VLANs, one configures [[network equipment]]. Simpler equipment might partition only each physical port (if even that), in which case each VLAN runs over a dedicated [[network cable]]. More sophisticated devices can mark [[Frame (networking)|frames]] through [[VLAN tagging]], so that a single interconnect (''[[trunking|trunk]]'') may be used to transport data for multiple VLANs. Since VLANs share bandwidth, a VLAN trunk can use [[link aggregation]], [[quality-of-service]] prioritization, or both to route data efficiently.