VLans (Virtual local area network) provide separation of ethernet communication on a single physical network. Basically you can have multiple subnets, without access to each other on the same cable.

This standard is called IEEE802.1Q is supported by most modern switches (more below) and operating systems like linux or windows.

How separation works

An 802.1Q header is added to ethernet frames, which identifies the vlan of the specific packet. That allows to separate frames from each other using a managed switch. The process of adding an identification is called VLan Tagging.

Basically a number is added to each frame, this number is the vlan number. Same number, same vlan.

Switches

While you can use unmanaged modern switches and clients (e.g. PCs) create the Vlan themselves, each client can change its vlan and no security aspect is met, since those switches learn which vlan is connected to a port. There is no way to tell those switches to separate the ports, tag incoming frames or remove tags. Therefore managed switches are needed, which can be configured in this way.

The idea about security and real separation builds upon switches which remove incoming VLan Tags from clients (they are not allowed to tag themselves), tag the frame based upon the connected port and redirect the packet only to ports in the same VLan.

This way only clients on the same vlan can communicate with eachother and there’s no way to hop that border.

Routing

But how is it possible to communicate with another allowed vlan? Of course through a router.

The router is attached to a port with all vlans allowed, it can tag the frames itself (permission set on the switch port) and send them back to the switch again. Only the router can change the vlan of frames and is in full control over separation logic and security.

Save your cables

This technology enables us to save a lot of cables to build our virtual networks. Imagine to buildings connected by ethernet. Workers are distributed among both buildings and either are from department 1 or department 2. Department 1 is only allowed to communicate with department 1, same for department 2.

In the old days, you need to have 2 wires between those buildings (each department) and separate switches. With vlan you can have a switch in building 1 and another in building 2, connected by a single wire. Both vlans are allowed to travel over this cable, but on each building ports are assigned to different vlan, depending on the worker (department 1 or 2).