A
VLAN logically segments a physical network into isolated broadcast domains — separating traffic without physical separation. 802.1Q tagging carries VLAN information on trunk ports.
VLANs enable network segmentation with minimal hardware. Access ports: single VLAN, no tag (endpoint devices). Trunk ports: multiple VLANs with 802.1Q tags (between switches/routers). VLAN hopping attacks can bypass segmentation — add firewall controls.