VLAN
==Configuration and design considerations==

Early network designers often segmented physical LANs with the aim of reducing the size of the Ethernet [[collision domain]]—thus improving performance. When Ethernet switches made this a non-issue (because each switch port is a collision domain), attention turned to reducing the size of the [[data link layer]] broadcast domain. VLANs were first employed to separate several broadcast domains across one physical medium. A VLAN can also serve to restrict access to network resources without regard to physical topology of the network.{{efn|The strength of VLAN security can be compromised by [[VLAN hopping]]. VLAN hopping can be mitigated with proper switchport configuration.<ref>{{cite web |url=http://rikfarrow.com/Network/net0103.html |archive-url=https://web.archive.org/web/20140421082757/http://rikfarrow.com/Network/net0103.html |archive-date=2014-04-21 |title=VLAN Insecurity |author=Rik Farrow}}</ref>}}

VLANs operate at the data link layer of the [[OSI model]]. Administrators often configure a VLAN to map directly to an IP network, or subnet, which gives the appearance of involving the [[network layer]]. Generally, VLANs within the same organization will be assigned different non-overlapping [[network address]] ranges. This is not a requirement of VLANs. There is no issue with separate VLANs using identical overlapping address ranges (e.g. two VLANs each use the [[private network]] {{IPaddr|192.168.0.0|16}}). However, it is not possible to [[Router (computing)|route]] data between two networks with overlapping addresses without delicate [[network address translation|IP remapping]], so if the goal of VLANs is segmentation of a larger overall organizational network, non-overlapping addresses must be used in each separate VLAN.
A basic switch that is not configured for VLANs has VLAN functionality disabled or permanently enabled with a ''default VLAN'' that contains all ports on the device as members.<ref name="802.1Q 1.4" /> The default VLAN typically uses VLAN identifier 1. Every device connected to one of its ports can send packets to any of the others. Separating ports by VLAN groups separates their traffic very much like connecting each group using a distinct switch for each group.

Remote management of the switch requires that the administrative functions be associated with one or more of the configured VLANs.

In the context of VLANs, the term ''trunk'' denotes a network link carrying multiple VLANs, which are identified by labels (or ''tags'') inserted into their packets. Such trunks must run between ''tagged ports'' of VLAN-aware devices, so they are often switch-to-switch or switch-to-[[router (computing)|router]] links rather than links to hosts. (Note that the term 'trunk' is also used for what Cisco calls "channels": [[port trunking|Link Aggregation or Port Trunking]].) A router (Layer 3 device) serves as the [[Internet backbone|backbone]] for network traffic going across different VLANs.

It is only when the VLAN port group is to extend to another device that tagging is used. Since communications between ports on two different switches travel via the uplink ports of each switch involved, every VLAN containing such ports must also contain the uplink port of each switch involved, and traffic through these ports must be tagged.

Switches typically have no built-in method to indicate VLAN to port associations to someone working in a [[wiring closet]]. It is necessary for a technician to either have administrative access to the device to view its configuration, or for VLAN port assignment charts or diagrams to be kept next to the switches in each wiring closet.