A virtual local area network (VLAN) is a logical (as opposed to physical) subnetwork. VLANs can be used to group devices together, even when the devices are on separate physical LANs. They are often used for security purposes. Both wired and wireless connections support VLANs.
| VLAN ID | Subnet | Purpose |
|---|---|---|
| 1 | 10.0.0.1/24 | Management (of network devices) |
| 10 | 10.0.1.1/24 | Corporate computers and mobile devices |
| 100 | 192.168.1.1/24 | Guest internet access |
VLAN IDs can be any integer from 1 to 4095. VLANs can have any valid subnet.
Static VLANs are often referred to as port-based VLANs. When a switch port is configured with one or more VLANs, any device plugged into that port will join that VLAN.
Dynamic VLANs are assigned by the network based on the characteristics of the device. For example, you may choose to assign a device to a network based on its MAC address. This is often used in conjunction with an external authentication server.
For port-based VLANs, an untagged VLAN is the default VLAN for the port. If the untagged VLAN for a port is VLAN 10, then a computer plugged into that port will automatically be assigned to VLAN 10.
Additional VLANs can be sent over a port using tagged VLANs. For example, VoIP phones with passthrough ports can be configured to listen to VoIP traffic on a tagged VoIP VLAN, then send the untagged corporate VLAN along the passthrough port to a connected workstation.
“Trunk ports” that connect multiple switches together will usually have the management VLAN as the untagged VLAN and all other VLANs as tagged. Similarly, a WAP with multiple networks will usually operate on multiple tagged VLANs—one for the corporate network, one for the guest network, etc.
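The untagged/tagged behaviour described above, as an added example that is not part of the original page: it reads the 802.1Q tag from a frame and decides which VLAN the frame joins on a given port. VLANs 1, 10 and 100 come from the table above; the port names, VLAN 20 for VoIP, the sample frames, and the strict policy of dropping any tag a port is not configured to carry are assumptions.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

# Constructed port table: one untagged VLAN plus the tagged VLANs each port carries.
# VLAN 20 (VoIP) and the port names are assumptions for this example.
PORTS = {
    "access": {"untagged": 10, "tagged": set()},
    "phone": {"untagged": 10, "tagged": {20}},
    "trunk": {"untagged": 1, "tagged": {10, 20, 100}},
}

def build_frame(vlan=None, payload=b"constructed sample payload"):
    """Build a constructed Ethernet frame, optionally carrying an 802.1Q tag."""
    dst, src = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    tag = b"" if vlan is None else struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)
    return dst + src + tag + struct.pack("!H", 0x0800) + payload

def frame_vlan(frame):
    """Return the VLAN ID in the frame's 802.1Q tag, or None if untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF  # low 12 bits are the VLAN ID; the rest is priority/DEI

def classify(port, frame):
    """Return the VLAN an ingress frame joins on this port, or None to drop it."""
    cfg = PORTS[port]
    vid = frame_vlan(frame)
    if vid in (None, 0):  # untagged, or priority-tagged (VLAN ID 0)
        return cfg["untagged"]
    if vid in cfg["tagged"]:
        return vid
    return None  # tag for a VLAN this port does not carry

if __name__ == "__main__":
    for port in PORTS:
        for vlan in (None, 10, 20, 100):
            print(port, vlan, classify(port, build_frame(vlan)))
```

Running it shows that a frame tagged for VLAN 100 is accepted on the trunk but dropped on the access and phone ports, which is what keeps the VLANs separated.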
The native VLAN is the VLAN that devices are assigned to by default. This is almost always VLAN 1.
The management VLAN is for administration of network devices (switches, routers, etc.). This is usually VLAN 1 but can be set to something else.