A VLAN is a switched network that is logically segmented on an organizational
basis, by functions, project teams, or applications rather than on a physical
or geographical basis. For example, all workstations and servers used by a
particular workgroup team can be connected to the same VLAN, regardless of
their physical connections to the network or the fact that they might be intermingled
with other teams. Reconfiguration of the network can be done through software
rather than by physically unplugging and moving devices or wires.
A VLAN can be thought of as a broadcast domain that exists within a
defined set of switches. A VLAN consists of a number of end systems, either hosts
or network equipment (such as bridges and routers), connected by a single
bridging domain. The bridging domain is supported on various pieces of network
equipment; for example, LAN switches that operate bridging protocols between
them with a separate bridge group for each VLAN.
VLANs are created to provide the segmentation services traditionally
provided by routers in LAN configurations. VLANs address scalability, security,
and network management. Routers in VLAN topologies provide broadcast filtering,
security, address summarization, and traffic flow management. None of the
switches within the defined group bridge any frames, not even broadcast frames,
between two VLANs. Several key issues need to be considered when designing and
building switched LAN internetworks.
VLANs allow logical network topologies to overlay the physical, switched infrastructure such that any arbitrary
collection of LAN ports can be combined into an autonomous user group or community
of interest. The technology logically segments the network into separate Layer
2 broadcast domains whereby packets are switched between ports designated to be within the same
VLAN. By containing traffic originating on a particular LAN so that it is sent only to other
LANs in the same VLAN, switched virtual networks avoid wasting bandwidth, a
drawback inherent to traditional bridged and switched networks in which packets
are often forwarded to LANs with no need for them. Implementation of VLANs
also improves scalability, particularly in LAN environments that support broadcast-
or multicast-intensive protocols and applications that flood packets throughout
the network.
Figure 17-1 illustrates the difference between traditional physical LAN segmentation
and logical VLAN segmentation.
VLANs also improve security by isolating groups. High-security users can be grouped into a VLAN,
possibly on the same physical segment, and no users outside that VLAN can
communicate with them.
Just as switches isolate collision domains for attached
hosts and forward appropriate traffic through a particular port, VLANs provide
complete isolation between VLANs. A VLAN is a bridging domain and all broadcast
and multicast traffic is contained within it.
The logical grouping of
users allows an accounting group to make intensive use of a networked accounting
system assigned to a VLAN that contains just that accounting group and its
servers. That group's work does not affect other users. The VLAN configuration
improves general network performance by not slowing down other users sharing
the network.
The logical grouping of users allows easier network management.
It is not necessary to pull cables to move a user from one network to another.
Adds, moves, and changes are achieved by configuring a port into the appropriate
VLAN.
Communication between VLANs is accomplished through routing, and the traditional
security and filtering functions of the router can be used. Cisco IOS software
provides network services such as security filtering, QoS, and accounting
on a per-VLAN basis. As switched networks evolve to distributed VLANs, Cisco IOS
provides key inter-VLAN communications and allows each network to scale.
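The forwarding behaviour described above (one bridging domain per VLAN, broadcasts and unknown unicasts flooded only within that VLAN, and inter-VLAN traffic passing only through a router where filtering applies) as an added Python model; this is not code from the Cisco documentation, and the port names, MAC addresses and filter policy are constructed for illustration.

```python
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class VlanSwitch:
    """Layer 2 switch with one bridging domain (MAC table, flood set) per VLAN."""

    def __init__(self, port_vlan):
        self.port_vlan = dict(port_vlan)      # access port -> VLAN id (constructed)
        self.mac_table = defaultdict(dict)    # VLAN id -> {MAC: port}

    def forward(self, in_port, src, dst):
        """Return the set of egress ports for a frame; frames never cross VLANs."""
        vlan = self.port_vlan[in_port]
        self.mac_table[vlan][src] = in_port   # source learning is per VLAN
        out = self.mac_table[vlan].get(dst)
        if dst != BROADCAST and out is not None:
            return {out}                      # known unicast within the VLAN
        # broadcast or unknown unicast: flood, but only to ports in the same VLAN
        return {p for p, v in self.port_vlan.items() if v == vlan and p != in_port}


class Router:
    """Inter-VLAN hop: the only path between VLANs, with a per-VLAN filter."""

    def __init__(self, permits):
        self.permits = set(permits)           # (src_vlan, dst_vlan, tcp_port)

    def permit(self, src_vlan, dst_vlan, tcp_port):
        return (src_vlan, dst_vlan, tcp_port) in self.permits


def demo():
    """Constructed topology: accounting in VLAN 10, engineering in VLAN 20."""
    sw = VlanSwitch({"Fa0/1": 10, "Fa0/2": 10, "Fa0/3": 20, "Fa0/4": 20})
    acct1, acct2, eng1 = "00:00:00:00:00:01", "00:00:00:00:00:02", "00:00:00:00:00:03"
    results = {}
    # Broadcast from an accounting host reaches the other accounting port only.
    results["bcast_vlan10"] = sw.forward("Fa0/1", acct1, BROADCAST)
    sw.forward("Fa0/3", eng1, BROADCAST)      # engineering host is learned in VLAN 20
    # Accounting host addressing an engineering MAC: VLAN 10 table has no entry,
    # so the frame is flooded within VLAN 10 and never reaches Fa0/3.
    results["cross_vlan_unicast"] = sw.forward("Fa0/2", acct2, eng1)
    results["known_unicast"] = sw.forward("Fa0/1", acct1, acct2)
    # Inter-VLAN traffic goes through the router, where filtering applies.
    rtr = Router({(10, 20, 443)})
    results["router_permit"] = rtr.permit(10, 20, 443)
    results["router_deny"] = rtr.permit(10, 20, 22)
    return results
```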