What is a VLAN
A Virtual LAN (VLAN), as its name indicates, is a virtual or logical separation of a LAN into multiple sub-LANs, with each sub-LAN having its own members (end nodes).
VLANs are created mainly for administrative purposes, to ensure that network traffic is seen only by members of a specific group rather than by all members of the LAN. This way confidentiality is maintained, and nodes are also protected from unnecessary traffic. For example, in an enterprise, each department (like Engineering, HR, Accounts etc.) may be maintained as a separate VLAN. Similarly, in a campus or university network, each department (e.g. maths, physics, computer science etc.) would typically be part of a separate VLAN.
An Example VLAN network
See the diagram below for an example of a network with two VLANs.
In the above example, EN1 through EN4 belong to VLAN1 and EN5 through EN8 belong to VLAN2. The L2 switch ports S1 to S4 are configured to be part of VLAN1 and ports S5 to S8 are configured to be part of VLAN2.
L2 Broadcasts and Multicasts in VLAN aware L2 Switches
The main difference lies in the way L2 broadcast and multicast frames are handled by the L2 switches. In a single LAN (without VLANs), the L2 switches forward L2 broadcast and multicast frames to all members (end nodes) of the LAN (flooding). When a LAN is logically divided into multiple VLANs, the L2 switch confines the flooding of L2 broadcast and multicast frames to the members of a specific VLAN, namely the VLAN to which the end node transmitting the broadcast/multicast frame belongs.
VLANs basically create separate broadcast domains within a network.
The example diagram below illustrates the handling of a L2 broadcast frame by a L2 switch.
In this example, one of the members belonging to VLAN 1 (say EN4) transmits a L2 broadcast frame. The L2 switch recognizes that EN4 belongs to VLAN1 and hence floods the frame only to ports that belong to VLAN1. Thus the broadcast frame is forwarded only to EN1, EN2 and EN3. The frame is not sent out of ports 5 to 8, as these ports do not belong to VLAN1.
VLAN Port Types (Access and Trunk)
Ports in a VLAN enabled L2 Switch can be of two types, namely Access and Trunk Ports. Ports that carry traffic belonging to a single VLAN are termed Access ports. Typically the ports connecting end nodes to a L2 Switch are Access ports, as end nodes typically belong to a single VLAN. Ports that carry traffic belonging to multiple VLANs are classified as Trunk Ports. Typically trunk ports are those that connect L2 Switches to each other, and those that connect a L2 switch to a L3 Router.
The diagram given below illustrates both types of ports.
In the above diagram, all 16 EN ports are access ports and the ports connecting the L2 Switches are trunk ports. Each L2 switch has 4 End Nodes belonging to VLAN1 and another 4 End Nodes belonging to VLAN2. The diagram shows a sample frame on VLAN1 sent from EN6 to EN13 and another sample frame on VLAN2 sent from EN7 to EN11. Both frames travel via the trunk ports connecting the two L2 Switches.
In order for trunk ports to identify the VLAN corresponding to an incoming frame, frames sent on trunk ports carry an additional 4 byte header, called the VLAN header, inside the Ethernet frame. The VLAN header is sandwiched between the L2 and L3 headers as shown in the diagram below:
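The following simulator is an added example written for this page; it is not code from the original article. It ties together the two points above: per-VLAN flooding of a broadcast frame (the EN4 example) and the access/trunk distinction with the 4-byte VLAN header placed between the source MAC and the EtherType. The tag layout (TPID 0x8100 followed by a 16-bit TCI whose low 12 bits are the VLAN ID) is the real 802.1Q format; the topology, MAC addresses, port numbers and the policy of dropping a tagged frame that arrives on an access port are assumptions constructed for this example.

```python
"""VLAN-aware L2 switch simulator (added example, not from the original page)."""
import struct

BROADCAST_MAC = b"\xff" * 6
TPID_8021Q = 0x8100          # EtherType value that marks an 802.1Q-tagged frame


def build_frame(dst, src, ethertype, payload, vlan_id=None):
    """Build an Ethernet frame. When vlan_id is given, the 4-byte VLAN header
    (TPID + TCI) is inserted between the source MAC and the EtherType, i.e.
    between the L2 header and the L3 payload."""
    frame = dst + src
    if vlan_id is not None:
        # TCI = 3-bit priority, 1-bit DEI, 12-bit VLAN ID; priority/DEI left at 0 here
        frame += struct.pack("!HH", TPID_8021Q, vlan_id & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vlan_id or None, ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype == TPID_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        (etype,) = struct.unpack("!H", frame[16:18])
        return dst, src, tci & 0x0FFF, etype, frame[18:]
    return dst, src, None, etype, frame[14:]


class VlanSwitch:
    """Access ports carry one untagged VLAN; trunk ports carry tagged frames
    for a set of allowed VLANs."""

    def __init__(self):
        self.access = {}   # port -> VLAN ID
        self.trunk = {}    # port -> set of allowed VLAN IDs

    def add_access_port(self, port, vlan):
        self.access[port] = vlan

    def add_trunk_port(self, port, vlans):
        self.trunk[port] = set(vlans)

    def ingress_vlan(self, port, vlan_id):
        """Decide which VLAN an incoming frame belongs to, or None to drop it."""
        if port in self.access:
            # Assumed policy: an access port only accepts untagged frames.
            return None if vlan_id is not None else self.access[port]
        if port in self.trunk:
            # Trunk frames must carry a tag for a VLAN allowed on that trunk.
            return vlan_id if vlan_id in self.trunk[port] else None
        return None

    def flood(self, in_port, frame):
        """Flood a broadcast/multicast frame only to ports in the same VLAN.
        Returns {out_port: frame as transmitted}: trunk egress carries the VLAN
        header, access egress has it stripped."""
        dst, src, vid, etype, payload = parse_frame(frame)
        vlan = self.ingress_vlan(in_port, vid)
        if vlan is None:
            return {}
        out = {}
        for port, v in self.access.items():
            if port != in_port and v == vlan:
                out[port] = build_frame(dst, src, etype, payload)
        for port, allowed in self.trunk.items():
            if port != in_port and vlan in allowed:
                out[port] = build_frame(dst, src, etype, payload, vlan_id=vlan)
        return out


def example_switch():
    """Constructed topology: ports 1-4 are VLAN1 access ports, ports 5-8 are
    VLAN2 access ports, port 9 is a trunk to a second switch carrying both."""
    sw = VlanSwitch()
    for p in range(1, 5):
        sw.add_access_port(p, 1)
    for p in range(5, 9):
        sw.add_access_port(p, 2)
    sw.add_trunk_port(9, [1, 2])
    return sw


if __name__ == "__main__":
    sw = example_switch()
    en4 = b"\x02\x00\x00\x00\x00\x04"          # constructed MAC for EN4 on port 4
    arp = build_frame(BROADCAST_MAC, en4, 0x0806, b"who-has?")
    for port, f in sorted(sw.flood(4, arp).items()):
        print(port, "tagged" if parse_frame(f)[2] is not None else "untagged")
```

Running it shows the broadcast from EN4 leaving ports 1, 2 and 3 untagged and port 9 with a VLAN1 tag, and nothing on ports 5 to 8. The ingress check is where the security-relevant decision sits: a frame is assigned to a VLAN by the port it arrived on (or by a tag the trunk is configured to accept), never by anything the sender claims.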
Basic Theory of Operation of a VLAN aware L2 Switch
Role of a L3 Router in a VLAN Network
VLAN Configuration Methods
Since end nodes do not send VLAN tagged frames (tagging is used only on trunk ports, by L2 Switches and L3 Routers), there has to be a method that enables a VLAN aware Switch/Router to identify the VLAN of each of its ports. This is done by configuring the Switch or Router using one of three methods, namely port based, MAC address based or IP address based configuration.
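As an added example (not code from the original article), the class below applies the three configuration methods just named to the same end node. Each method is a configured table: port to VLAN, MAC address to VLAN, and IP subnet to VLAN. The precedence order used by vlan_for (port first, then MAC, then IP) and the sample ports, MAC address and subnets are assumptions made for this example; the classify helper returns every method that matches so a mismatch between them can be spotted.

```python
"""VLAN assignment by port, MAC address, or IP subnet (added example)."""
import ipaddress


class VlanAssigner:
    def __init__(self):
        self.port_vlan = {}      # port-based:        port -> VLAN ID
        self.mac_vlan = {}       # MAC-address-based: MAC  -> VLAN ID
        self.subnet_vlan = []    # IP-address-based:  [(IPv4Network, VLAN ID)]

    def configure_port(self, port, vlan):
        self.port_vlan[port] = vlan

    def configure_mac(self, mac, vlan):
        self.mac_vlan[mac.lower()] = vlan

    def configure_subnet(self, cidr, vlan):
        self.subnet_vlan.append((ipaddress.ip_network(cidr), vlan))

    def classify(self, port, src_mac=None, src_ip=None):
        """Return {method: vlan} for every configured method that matches."""
        matches = {}
        if port in self.port_vlan:
            matches["port"] = self.port_vlan[port]
        if src_mac is not None and src_mac.lower() in self.mac_vlan:
            matches["mac"] = self.mac_vlan[src_mac.lower()]
        if src_ip is not None:
            addr = ipaddress.ip_address(src_ip)
            for net, vlan in self.subnet_vlan:
                if addr in net:
                    matches["ip"] = vlan
                    break
        return matches

    def vlan_for(self, port, src_mac=None, src_ip=None):
        """Pick one VLAN. The precedence port > MAC > IP is this example's
        choice, not a rule stated by the text."""
        matches = self.classify(port, src_mac, src_ip)
        for method in ("port", "mac", "ip"):
            if method in matches:
                return matches[method], method
        return None, None


def is_consistent(matches):
    """True when every matching method agrees on the VLAN (or none matched).
    A disagreement is worth logging: it usually means a node is plugged into
    a port configured for a different VLAN than its address suggests."""
    return len(set(matches.values())) <= 1


def example_assigner():
    """Constructed configuration: ports 1-4 in VLAN1, 5-8 in VLAN2,
    one MAC pinned to VLAN2, and one /16 subnet per VLAN."""
    a = VlanAssigner()
    for p in range(1, 5):
        a.configure_port(p, 1)
    for p in range(5, 9):
        a.configure_port(p, 2)
    a.configure_mac("00:11:22:33:44:55", 2)    # constructed MAC for EN5
    a.configure_subnet("10.1.0.0/16", 1)
    a.configure_subnet("10.2.0.0/16", 2)
    return a


if __name__ == "__main__":
    a = example_assigner()
    print(a.vlan_for(1))                                       # port-based
    print(a.vlan_for(20, "00:11:22:33:44:55"))                 # MAC-based
    print(a.vlan_for(20, "aa:bb:cc:dd:ee:ff", "10.1.9.9"))     # IP-based
    print(is_consistent(a.classify(1, "00:11:22:33:44:55", "10.2.0.9")))
```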