VLAN

A VLAN functions like a physical LAN, but it enables computers and other devices to be grouped together even if they are not physically attached to the same network switch. The partitioning occurs at the data link layer (layer two) of the OSI model. VLANs are a form of network segmentation of devices, applications, or users, even though they share the same physical network. Because a VLAN can group hosts that are not on the same network switch, it eases the burden of partitioning a network without running extra cables. IEEE 802.1Q is the standard by which VLANs are built. Essentially, a VLAN uses an identifier or tag consisting of 12 bits in the Ethernet frame. Therefore, there is a hard limit of 4096 potential VLANs on a single physical network.

A switch can map a port directly to a particular VLAN. Since the VLAN operates at layer two of the stack, its traffic can be tunneled through layer three, allowing geographically separated VLANs to share a common topology:

An example VLAN architecture in a franchise or retail scenario.

Shown above are a corporate point-of-sale (POS) system and a VoIP system that are virtually isolated from a set of IoT devices as well as the guest Wi-Fi. This is done through VLAN addressing, although the systems share the same physical network. Here we assume this is a smart IoT deployment where all edge IoT devices and sensors carry an IP stack and are addressable through the LAN.

VLAN design is particularly useful in the IoT space. Isolating IoT devices from other corporate functions is a typical scenario. VLANs are only useful when dealing with IP-addressable devices.
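To make the 12-bit 802.1Q identifier and the isolation scenario concrete, the following added example (not from the original text) parses the VLAN tag from a raw Ethernet frame and checks it against the VLANs a port is expected to carry. The VLAN IDs, segment names, and port names are assumptions chosen for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

# Hypothetical VLAN plan for the retail scenario (IDs are assumptions).
SEGMENTS = {10: "pos", 20: "voip", 30: "iot", 40: "guest-wifi"}
# Hypothetical trunk policy: VLAN IDs each switch port may carry.
PORT_ALLOWED = {"uplink-1": {10, 20, 30, 40}, "iot-trunk": {30}}


def parse_vlan_tag(frame: bytes):
    """Return (pcp, dei, vid, inner_ethertype), or None if untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (tpid,) = struct.unpack_from("!H", frame, 12)  # follows dst + src MAC
    if tpid != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack_from("!HH", frame, 14)
    # TCI layout: 3-bit priority, 1-bit drop eligible, 12-bit VLAN ID
    return tci >> 13, (tci >> 12) & 1, tci & 0x0FFF, inner


def check_frame(port: str, frame: bytes) -> str:
    """Classify a captured frame against the port's allowed VLANs."""
    tag = parse_vlan_tag(frame)
    if tag is None:
        return "untagged"
    vid = tag[2]
    name = SEGMENTS.get(vid, "unknown")
    if vid not in PORT_ALLOWED.get(port, set()):
        return f"violation: VLAN {vid} ({name}) on {port}"
    return f"ok: VLAN {vid} ({name})"


def build_frame(vid: int, pcp: int = 0) -> bytes:
    """Construct a sample tagged IPv4 frame (constructed test data)."""
    dst, src = bytes.fromhex("ffffffffffff"), bytes.fromhex("020000000001")
    tci = (pcp << 13) | (vid & 0x0FFF)
    tag = struct.pack("!HHH", TPID_8021Q, tci, 0x0800)
    return dst + src + tag + b"\x00" * 46


if __name__ == "__main__":
    print(check_frame("iot-trunk", build_frame(30)))
    print(check_frame("iot-trunk", build_frame(10)))  # POS VLAN on IoT trunk
```

Run against frames from a mirror port or capture file, a check like this flags segmentation drift, such as POS-tagged traffic appearing on a trunk that should only carry the IoT VLAN.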