A virtual LAN (VLAN) is a logically independent network. Several VLANs can coexist in parallel on a single physical switch. A VLAN consists of all computers that behave as if they were connected to the same wire, even though they may actually be physically connected to different segments of a LAN. VLANs have to be configured by a network administrator. In the example shown, there are 3 VLANs, distinguished by different colors.

For VLANs to function correctly, VLAN-aware switches are needed and all MAC-layer packets (e.g. Ethernet frames) need a VLAN identifier in the header. This identifier indicates which VLAN a packet belongs to, and switches should forward it only to computers that belong to the same VLAN.

Since not all computers are VLAN-aware, there are two ways to tag a MAC-layer packet with a VLAN identifier:
  • Explicit Tagging: VLAN-aware hosts generate tagged packets directly and the switches forward these tagged packets.
  • Implicit Tagging: In this case the hosts are not VLAN-aware, so the switch has to build a tagged frame based on its knowledge of the sender's VLAN membership. Typically the VLAN membership is configured by port or by MAC address.
Try implicit or explicit tagging yourself!
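
The two tagging modes described above, as an added example that is not part of the original page: a minimal switch model that assigns a VLAN by port for untagged hosts (implicit) and accepts a host-supplied tag only when the port is a member of that VLAN (explicit). It assumes the IEEE 802.1Q tag layout, which the page does not name; `Switch`, `classify`, `flood`, the port numbers and the sample frame are hypothetical, and dropping tagged frames on implicit-tagging ports is this example's policy choice.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an IEEE 802.1Q tag (assumed format)

def parse_frame(frame: bytes):
    """Return (dst, src, vid or None, rest); rest starts at the real EtherType."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        return dst, src, tci & 0x0FFF, frame[16:]  # low 12 bits carry the VLAN ID
    return dst, src, None, frame[12:]

def add_tag(frame: bytes, vid: int) -> bytes:
    """Insert a 4-byte 802.1Q tag (priority 0) after the source MAC."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + frame[12:]

class Switch:
    def __init__(self, access_ports, tagged_ports):
        self.access = access_ports  # port -> VLAN ID: implicit tagging, host is not VLAN-aware
        self.tagged = tagged_ports  # port -> set of VLAN IDs: explicit tagging by the host

    def classify(self, port, frame):
        """Return the frame's VLAN ID, or None if it is dropped on ingress."""
        _, _, vid, _ = parse_frame(frame)
        if port in self.access:
            return self.access[port] if vid is None else None  # policy: no tags from these hosts
        if vid is not None and vid in self.tagged.get(port, set()):
            return vid  # host-supplied tag is honoured only for VLANs the port belongs to
        return None

    def flood(self, in_port, frame):
        """Deliver to every other member port of the VLAN (no MAC learning); {port: bytes}."""
        vid = self.classify(in_port, frame)
        if vid is None:
            return {}
        dst, src, _, rest = parse_frame(frame)
        untagged = dst + src + rest
        out = {p: untagged for p, pvid in self.access.items() if p != in_port and pvid == vid}
        out.update({p: add_tag(untagged, vid) for p, vids in self.tagged.items()
                    if p != in_port and vid in vids})
        return out

# Constructed sample: ports 1 and 2 in VLAN 10, port 3 in VLAN 20, port 4 a VLAN-aware host
SWITCH = Switch({1: 10, 2: 10, 3: 20}, {4: {10, 20}})
UNTAGGED = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"payload"
```

A frame from port 1 reaches only port 2 (untagged) and port 4 (tagged with VLAN 10); port 3 in VLAN 20 never sees it.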