A VLAN divides a single physical network switch into multiple separate logical networks. A site with IoT sensors, SCADA equipment, and IP cameras can put each on a different VLAN on the same switch – so a problem or security breach in one group cannot spread to the others.
VLANs use 802.1Q tags added to Ethernet frames. Traffic does not cross VLAN boundaries without going through a router or Layer 3 switch. This is how you achieve network segmentation without adding physical hardware.
- Security isolation – a compromised IoT device cannot communicate with SCADA servers on a separate VLAN
- Performance – broadcast traffic is contained within each VLAN, not flooded across the entire network
- Tagged ports (trunk) – carry multiple VLANs between switches; used for uplinks and inter-switch connections
- Untagged ports (access) – carry a single VLAN; used for end devices like cameras and sensors
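As an added example (not part of this glossary entry), the 802.1Q tag layout and the access/trunk port distinction above, worked through in Python: a frame builder and parser for the TPID/TCI fields, plus a deliberately simplified model of how a switch assigns an ingress VLAN and why Layer 2 forwarding stays inside one VLAN. The sensor frame is constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100  # EtherType value announcing that an 802.1Q tag follows

@dataclass
class Frame:
    dst: str
    src: str
    vlan_id: Optional[int]  # None when the frame carries no 802.1Q tag
    pcp: int                # 3-bit priority field from the TCI
    ethertype: int
    payload: bytes

def build_tagged(dst: bytes, src: bytes, vid: int, ethertype: int, payload: bytes, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag (TPID + TCI) between the MAC addresses and the EtherType."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094 (0 and 4095 are reserved)")
    return dst + src + struct.pack("!HHH", TPID_8021Q, (pcp << 13) | vid, ethertype) + payload

def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet II frame, recognising a single 802.1Q tag if present."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = raw[0:6].hex(":"), raw[6:12].hex(":")
    ethertype, = struct.unpack("!H", raw[12:14])
    vlan_id, pcp, offset = None, 0, 14
    if ethertype == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        pcp, vlan_id, offset = tci >> 13, tci & 0x0FFF, 18
    return Frame(dst, src, vlan_id, pcp, ethertype, raw[offset:])

def ingress_vlan(frame: Frame, mode: str, port_vlan: int, allowed: frozenset = frozenset()) -> Optional[int]:
    """VLAN a switch assigns to an arriving frame, or None if it drops it (simplified model:
    access ports take only untagged frames; trunks take listed tags, untagged -> native port_vlan)."""
    if mode == "access":
        return port_vlan if frame.vlan_id is None else None
    if mode == "trunk":
        return port_vlan if frame.vlan_id is None else (frame.vlan_id if frame.vlan_id in allowed else None)
    raise ValueError(f"unknown port mode {mode!r}")

def may_forward_l2(src_vlan: Optional[int], dst_vlan: int) -> bool:
    """A Layer 2 switch forwards only within one VLAN; crossing VLANs needs a router or L3 switch."""
    return src_vlan is not None and src_vlan == dst_vlan

# Constructed sample: an IoT sensor on VLAN 20 broadcasts an IPv4 frame into a trunk port.
SENSOR_FRAME = build_tagged(b"\xff" * 6, bytes.fromhex("02000000aa01"), 20, 0x0800, b"\x45" + b"\x00" * 19)
```

Real switches differ in how they treat a tagged frame on an access port or an unlisted VLAN on a trunk; the model here drops both, which is the conservative choice when checking segmentation.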