VLAN


Definition

Virtual LAN. A logical network segmentation technique that groups devices into separate broadcast domains regardless of their physical location, using IEEE 802.1Q tagging. VLANs improve security, performance, and manageability.

Layer 2 Segmentation

A Virtual LAN partitions a single physical Ethernet switch — or a group of switches — into multiple isolated broadcast domains. Ports are assigned to VLANs either statically by port number or dynamically by MAC address or authentication result. Frames within a VLAN are tagged with a 12-bit VLAN ID (802.1Q), allowing a trunk port to carry traffic from many VLANs simultaneously. Broadcast traffic, ARP, and Layer 2 flooding are confined to the originating VLAN, reducing noise and improving security.
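To make the tag layout concrete, here is an added example (not code from the original glossary) that parses an Ethernet frame and pulls out the 802.1Q tag fields: the 16-bit TPID (0x8100), then the TCI with its 3-bit priority, 1-bit drop-eligible flag and 12-bit VLAN ID, followed by the real EtherType. It goes slightly beyond the text by also walking a stacked 802.1ad (0x88A8) outer tag, which is how Q-in-Q trunks carry a customer VLAN inside a provider VLAN. The frames are constructed inline; function names and the dict layout are this example's own choices.

```python
import struct

TPID_8021Q = 0x8100   # IEEE 802.1Q customer tag
TPID_8021AD = 0x88A8  # IEEE 802.1ad service tag (Q-in-Q outer tag)


def parse_ethernet(frame: bytes) -> dict:
    """Parse dst/src MAC, zero or more 802.1Q/802.1ad tags, and the final EtherType.

    Returns {'dst', 'src', 'tags': [{'tpid', 'pcp', 'dei', 'vid'}, ...],
             'ethertype', 'payload'}.  Tags are listed outermost first.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst = frame[0:6].hex(":")
    src = frame[6:12].hex(":")
    offset = 12
    tags = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated EtherType/TPID field")
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break  # not a tag: this is the payload EtherType
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        tags.append({
            "tpid": ethertype,
            "pcp": (tci >> 13) & 0x7,   # 3-bit priority code point
            "dei": (tci >> 12) & 0x1,   # drop eligible indicator
            "vid": tci & 0x0FFF,        # 12-bit VLAN ID (0 = priority-tagged, 4095 reserved)
        })
        offset += 4
    return {
        "dst": dst,
        "src": src,
        "tags": tags,
        "ethertype": ethertype,
        "payload": frame[offset + 2:],
    }


def build_tagged_frame(dst: bytes, src: bytes, vid: int, ethertype: int,
                       payload: bytes, pcp: int = 0, dei: int = 0) -> bytes:
    """Build a single-tagged 802.1Q frame, as a trunk port would emit it."""
    if not 0 <= vid <= 4095:
        raise ValueError("VLAN ID must fit in 12 bits")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vid
    return (dst + src
            + struct.pack("!HH", TPID_8021Q, tci)
            + struct.pack("!H", ethertype)
            + payload)


if __name__ == "__main__":
    # Constructed sample: an IPv4 frame on VLAN 100 with priority 5.
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("001122334455")
    frame = build_tagged_frame(dst, src, 100, 0x0800, b"\x45" + bytes(19), pcp=5)
    print(parse_ethernet(frame))
```

Because access ports strip the tag before delivering a frame to the host, a frame with an empty `tags` list is the normal case on an end-station capture; tags are only expected on trunk-side captures.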

VLANs and Routing

VLANs are Layer 2 constructs — communication between VLANs requires a Layer 3 device such as a router or a Layer 3 switch with inter-VLAN routing configured. Each VLAN typically maps to a distinct IP subnet. A gateway interface on the router (or a Switch Virtual Interface) provides the default gateway for hosts in that VLAN. This mapping between VLANs and subnets is fundamental to network segmentation strategies that isolate production, development, and management traffic.

VLANs in Security Architecture

VLANs are a primary tool for isolating traffic classes and implementing network segmentation. A DMZ is commonly implemented as a dedicated VLAN reachable from both the internet-facing interface and the internal network, with firewall policies controlling inter-VLAN access. NAC solutions assign devices to VLANs dynamically based on authentication and posture assessment. However, VLAN hopping attacks can bypass segmentation if trunk port native VLANs are not carefully configured. A subnet calculator simplifies planning VLAN-to-subnet mappings.
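The configuration conditions behind the VLAN hopping caveat above are easy to audit mechanically. The following added example (written for this entry, not code from the glossary or any vendor) parses a constructed Cisco-IOS-style running-config and flags the classic weaknesses: ports whose mode is unset or `dynamic` (so trunking can be negotiated via DTP), trunks whose native VLAN is also in use as an access VLAN, trunks without `switchport nonegotiate`, and access ports left in the default VLAN 1. The config text and interface names are constructed; the command syntax follows Cisco IOS, and the assumption that an unset mode may permit negotiation depends on the platform default.

```python
import re
from typing import Dict, List

# Constructed sample running-config fragment (Cisco-IOS-like syntax, not from a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 switchport access vlan 10
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/3
 switchport mode access
!
interface GigabitEthernet1/0/23
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
!
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20,30
!
"""


def parse_interfaces(config: str) -> Dict[str, Dict[str, object]]:
    """Return {interface name: switchport settings} with IOS-like defaults."""
    interfaces: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            # Defaults: no explicit mode, access VLAN 1, native VLAN 1, DTP allowed.
            interfaces[current] = {"mode": None, "access_vlan": "1",
                                   "native_vlan": "1", "nonegotiate": False}
            continue
        if current is None or not line.startswith(" "):
            continue  # '!' separators and global commands are ignored
        s = line.strip()
        m = re.match(r"switchport mode (\S+)", s)  # access / trunk / dynamic
        if m:
            interfaces[current]["mode"] = m.group(1)
        m = re.match(r"switchport access vlan (\d+)", s)
        if m:
            interfaces[current]["access_vlan"] = m.group(1)
        m = re.match(r"switchport trunk native vlan (\d+)", s)
        if m:
            interfaces[current]["native_vlan"] = m.group(1)
        if s == "switchport nonegotiate":
            interfaces[current]["nonegotiate"] = True
    return interfaces


def audit(config: str) -> List[str]:
    """Return one finding string per VLAN-hopping-relevant misconfiguration."""
    ifaces = parse_interfaces(config)
    findings: List[str] = []
    # VLANs that carry untagged user traffic on some access port.
    access_vlans = {i["access_vlan"] for i in ifaces.values() if i["mode"] == "access"}
    for name, i in ifaces.items():
        if i["mode"] in (None, "dynamic"):
            findings.append(f"{name}: DTP negotiation possible (mode={i['mode'] or 'unset'}); "
                            "set an explicit access/trunk mode and 'switchport nonegotiate'")
        if i["mode"] == "trunk":
            if i["native_vlan"] in access_vlans:
                findings.append(f"{name}: native VLAN {i['native_vlan']} is also an access VLAN; "
                                "use a dedicated, otherwise unused native VLAN")
            if not i["nonegotiate"]:
                findings.append(f"{name}: trunk still negotiates DTP; add 'switchport nonegotiate'")
        if i["mode"] == "access" and i["access_vlan"] == "1":
            findings.append(f"{name}: access port left in default VLAN 1")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

In the sample, `GigabitEthernet1/0/1` and `GigabitEthernet1/0/23` pass cleanly (explicit mode, negotiation disabled, native VLAN 999 not shared with any access port), while the other three interfaces each produce findings. Running the same check against a real running-config is a cheap way to verify that the segmentation the VLAN design promises is actually enforced at the ports.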
