VLANs are to logically separate traffic over a shared infrastructure.
Before VLANs, if you had the same Ethernet segments in different floors, for example sales on floor five and seven, to have their Ethernet segment connected you needed to bring a separate cable between every floor for every Ethernet segment. So worst case you needed N! cables in your services riser, where N is the number of floors.
Why do you need to be on the same Ethernet segment? Several reasons:
– Because the protocols for the discovery of printers, scanners, file shares are all based on Ethernet broadcast. Do you want to print something on the printer for your colleague at floor five? Just click on the “Floor five printer Sales” icon, much easier than having to maintain lists of IP addresses of printers and hope you got it right.
– The security policy for the computers attached on that VLAN: Some computers you don’t want, or just do want, to be accessible by everybody: Printers for example could be accessible on the VLAN which everybody can access, the PABX and security cameras could be accessible on the VLAN only for the security team.
And the last part is the normalization of calling Ethernet broadcast domains (or Ethernet segments, or LANs) a VLAN. It’s not for the worst, but unless you know that a VLAN originally was for the logical separation of traffic over a shared infrastructure, it can be confusing if you have VLANs everywhere but never the same VLAN on other devices.
Vlans separate traffic across your physical network. Your company doesn't have ACLs in place to prevent access, but the vlans are still useful for mitigating potential problems.
If one faulty NIC goes crazy, it affects just the devices on that same vlan.
Also, vlans are useful for controlling filtering of devices in some firewalls/content filters. For example, we have Student devices on their own vlan/subnet so we can filter them more strictly.
Any place you want to physically separate traffic as though it were on 2 (or more) different switches, you can use vlans to separate them in the same way. Two 4-port switches not connected to each other is functionally identical to a single 8-port switch with half the ports on vlan 1 and half on vlan 2.
Multiple vlans “talking to each other” requires something to be on multiple vlans at once and act as a relay. Usually that’s a router or firewall and those tend to have good firewall capabilities. PCs and servers can do it as well.
Thing is, switches (and servers if you go through the effort) support vlan tagging meaning that when you move data between two switches the vlan number is preserved on each individual packet and the other switch honours it. So now you can have multiple vlans safely traverse multiple buildings, cities, etc while still honouring your separation rules using a single “normal” network connection, where “normal” here is probably fibre-optic for such distances.
Hell, at home I have my router in one room because that’s best for the Wi-Fi and is where my computer and NAS etc are, but my cable modem is in another room with the TV and game systems because that’s where the cable comes into the house. So I have 2 vlan-enabled switches (yes I spent some cash on this) and one vlan is literally just cable modem -> router WAN port through 2 switches on a private vlan. One cable goes through the wall between switches and it all just works. And all the important stuff gets wired directly rather than WiFi when it can. So, yeah, lots of vlans is absolutely a thing.
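The "8-port switch split into vlan 1 and vlan 2" and the "tag is preserved between switches" points above, as an added example that is not part of any answer in this thread: a minimal 802.1Q tag parser plus a toy flooding switch (no MAC learning, no native VLAN on the trunk; both are simplifying assumptions) showing that a broadcast entering a vlan 1 access port is flooded only to vlan 1 ports and carried tagged across the trunk to a second switch, which again delivers it only to its vlan 1 ports.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

def parse_frame(frame: bytes):
    """Return (dst, src, vlan_id, ethertype, payload); vlan_id is None if untagged."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        vlan_id = tci & 0x0FFF                       # VID is the low 12 bits of the TCI
        ethertype = struct.unpack("!H", frame[16:18])[0]
        return dst, src, vlan_id, ethertype, frame[18:]
    return dst, src, None, ethertype, frame[14:]

def add_tag(frame: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag after the source MAC."""
    tci = (pcp << 13) | (vlan_id & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def strip_tag(frame: bytes) -> bytes:
    """Remove the 802.1Q tag before handing a frame to an access port."""
    return frame[:12] + frame[16:]

class Switch:
    def __init__(self, access: dict, trunks: list):
        self.access = access          # access port -> its VLAN (PVID)
        self.trunks = set(trunks)     # trunk ports carry every VLAN, tagged

    def forward(self, in_port: int, frame: bytes) -> dict:
        """Flood a received frame; returns {out_port: frame_as_sent}."""
        if in_port in self.trunks:
            vid = parse_frame(frame)[2]
            if vid is None:
                return {}             # assumption: untagged frames on a trunk are dropped
            tagged = frame
        else:
            vid = self.access[in_port]
            tagged = add_tag(frame, vid)   # classify by the ingress port's PVID
        out = {p: strip_tag(tagged) for p, pvid in self.access.items()
               if p != in_port and pvid == vid}   # same VLAN only, never across VLANs
        out.update({p: tagged for p in self.trunks if p != in_port})
        return out

def demo():
    """Constructed topology: switch A (8 access ports + trunk 9) linked to switch B."""
    sw_a = Switch(access={1: 1, 2: 1, 3: 1, 4: 1, 5: 2, 6: 2, 7: 2, 8: 2}, trunks=[9])
    sw_b = Switch(access={1: 1, 2: 1, 5: 2, 6: 2}, trunks=[9])
    # constructed broadcast ARP frame from a host on switch A port 1 (vlan 1)
    bcast = b"\xff" * 6 + bytes.fromhex("001122334455") + struct.pack("!H", 0x0806) + b"\x00" * 28
    out_a = sw_a.forward(1, bcast)          # vlan 1 ports untagged, trunk tagged
    out_b = sw_b.forward(9, out_a[9])       # tag honoured on the far side
    return out_a, out_b
```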
Each VLAN is its own broadcast domain where each computer in it can talk directly to each other computer in it, without being restricted by the network infrastructure. In order to communicate with a computer in another VLAN, your computer’s data has to pass through a router, which has the capability of restricting the data in various ways.
It is far easier to restrict access between VLANs than to restrict access between computers in the same VLAN. That’s where the security benefits come from, but it’s not required that any restrictions exist.