VLANs (Virtual Bridged Local Area Networks) are virtual networks that divide an existing physical network into several logical networks. VLANs are isolated from each other and operate on layer 2 of the OSI model. They are specified in IEEE 802.1Q.

Each VLAN forms its own broadcast domain. If a computer or server sends a broadcast within the VLAN it is assigned to, all other hosts in the same VLAN receive it, but hosts in other VLANs do not.

Advantages

VLANs offer the following advantages, among others:

  • VLANs can significantly improve security within a physical network. An attacker who compromises one host is confined, at layer 2, to the VLAN that host belongs to; traffic to other VLANs has to pass through a router or firewall, where it can be filtered. This holds only as long as the switches enforce the VLAN assignment, so the switch configuration itself is security-relevant.

  • Different areas of a company, for example, can be given networks of their own. Broadcast traffic then stays within each segment, which speeds up data exchange inside it, and software and settings can be rolled out per segment to its computers and servers.

  • Computers or servers that hold confidential data can be isolated in a VLAN of their own.

  • Organizational changes are easy to reflect: a host is moved to another network by reassigning its switch port to a different VLAN instead of rewiring it.

VLAN Types

Basically, the following two VLAN types can be distinguished:

Port-based VLANs

Port-based VLANs divide a physical switch into multiple logical switches: each port is assigned to one logical switch, i.e. to one VLAN. The switch must therefore be configurable (a managed switch). As a rule, the switch's own management IP address is reachable only via ports that are assigned to the management VLAN. Frames are not marked in any way in port-based VLANs; the switch assigns an incoming frame to a VLAN solely on the basis of the number of the port it arrived on.

Switches are network devices that connect several hosts in a network. A switch learns which MAC address is reachable on which port and forwards a frame only to the port it has recorded for the destination address; broadcasts and frames for unknown destinations are flooded, but only to the ports of the same VLAN.

If a device (e.g. a computer or server) is connected to a port of such a logical switch, it can only communicate with devices in the same logical switch, i.e. the same VLAN. A router (or a layer-3 switch) is required to forward packets to another VLAN.

Tagged VLAN

Tagged VLANs have no fixed assignment between a virtual network and a port. Instead, the assignment is carried in the frame itself: an 802.1Q tag containing the VLAN ID is inserted into the Ethernet frame. According to IEEE 802.1Q, the tag is added either by the end device (e.g. a server whose network stack supports tagging) or by a switch. From the VLAN ID a switch recognizes which VLAN the frame belongs to. Carrying several VLANs over a single switch port in this way is called VLAN trunking; the trunk can be a single link or several links bundled into one.

Tagged VLANs can also be terminated directly on a host's network interface. Linux supports the 802.1Q standard natively (the 8021q kernel module) and needs no additional components. Under Microsoft Windows, tagging must be supported by the network card driver.
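To make the two mechanisms concrete, here is an added example in Python; it is not code from the original article or from any switch vendor. It builds and parses the 802.1Q tag described above, then models a small switch with port-based access ports and one tagged trunk port and floods a constructed broadcast frame only to the ports of the sending VLAN, which shows both the port-based assignment and the tag-based assignment at work. Port names, MAC addresses and VLAN IDs are invented sample values, and the rule that a tagged frame arriving on an access port is dropped is an assumption of this model, since real switches differ in that detail.

```python
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100                        # EtherType that announces an 802.1Q tag
BROADCAST = bytes.fromhex("ffffffffffff")


def add_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag after the source MAC (byte offset 12).

    Tag = TPID (16 bits) + TCI: PCP (3 bits), DEI (1 bit), VID (12 bits).
    VID 0 and 4095 are reserved, so only 1..4094 are valid VLAN IDs.
    """
    if not 1 <= vid <= 4094:
        raise ValueError(f"VLAN ID {vid} out of range 1..4094")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_tag(frame: bytes) -> Optional[int]:
    """Return the VID of a tagged frame, or None if the frame is untagged."""
    if len(frame) < 16:
        raise ValueError("frame too short for an Ethernet header")
    tpid, tci = struct.unpack("!HH", frame[12:16])
    return (tci & 0x0FFF) if tpid == TPID_8021Q else None


def strip_tag(frame: bytes) -> bytes:
    """Remove the 802.1Q tag; an untagged frame is returned unchanged."""
    return frame[:12] + frame[16:] if parse_tag(frame) is not None else frame


@dataclass
class Port:
    name: str
    mode: str                              # "access" (port-based) or "trunk" (tagged)
    pvid: int                              # access VLAN, or native VLAN of a trunk
    allowed: frozenset = frozenset()       # VIDs carried tagged on a trunk


def classify(port: Port, frame: bytes) -> Optional[int]:
    """Return the VLAN an ingress frame belongs to, or None to drop it.

    Access port: the port alone decides; frames carry no tag.  A tagged frame
    on an access port is dropped (assumption of this model; switches differ).
    Trunk port: the tag decides, only configured VIDs are admitted, and an
    untagged frame is placed in the trunk's native VLAN.
    """
    vid = parse_tag(frame)
    if port.mode == "access":
        return port.pvid if vid is None else None
    if vid is None:
        return port.pvid
    return vid if vid in port.allowed else None


def egress(port: Port, vlan: int, frame: bytes) -> bytes:
    """Tag on a trunk (except for its native VLAN), send untagged on access."""
    untagged = strip_tag(frame)
    if port.mode == "trunk" and vlan != port.pvid:
        return add_tag(untagged, vlan)
    return untagged


def flood(ports: list, ingress: Port, frame: bytes) -> dict:
    """Model a broadcast: it reaches only other ports that carry the VLAN.

    Returns {port name: frame as it leaves that port}; {} if dropped.
    """
    vlan = classify(ingress, frame)
    if vlan is None:
        return {}
    out = {}
    for p in ports:
        if p is ingress:
            continue
        if p.pvid == vlan or (p.mode == "trunk" and vlan in p.allowed):
            out[p.name] = egress(p, vlan, frame)
    return out


def demo() -> dict:
    """Constructed setup: two access ports in VLAN 10, one in VLAN 20, one trunk."""
    ports = [
        Port("Gi0/1", "access", pvid=10),
        Port("Gi0/2", "access", pvid=10),
        Port("Gi0/3", "access", pvid=20),
        Port("Gi0/24", "trunk", pvid=1, allowed=frozenset({10, 20})),
    ]
    src = bytes.fromhex("0200aabbcc01")    # made-up locally administered MAC
    # Untagged ARP request (EtherType 0x0806) with a zeroed 28-byte payload
    arp_request = BROADCAST + src + struct.pack("!H", 0x0806) + b"\x00" * 28
    return flood(ports, ports[0], arp_request)


if __name__ == "__main__":
    for name, out_frame in demo().items():
        print(f"{name}: VID {parse_tag(out_frame)} len {len(out_frame)}")
```

Running `demo()` shows the broadcast from the VLAN 10 access port Gi0/1 reaching Gi0/2 untagged and leaving the trunk Gi0/24 with a VID 10 tag, while Gi0/3 in VLAN 20 never sees it; the `classify` step is also where a real switch decides which VLAN IDs a trunk admits, which is why that configuration matters for isolation.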