What is the difference between a VLAN and a subnet?

Subnet - a range of IP addresses determined by part of an address (often called the network address) and a subnet mask (netmask). For example, if the netmask is 255.255.255.0 (or /24 for short), and the network address is 192.168.10.0, then that defines a range of IP addresses 192.168.10.0 through 192.168.10.255. Shorthand for writing that is 192.168.10.0/24.

VLAN - A good way to think of this is "switch partitioning." Let's say you have an 8 port switch that is VLAN-able. You can assign 4 ports to one VLAN (say VLAN 1) and 4 ports to another VLAN (say VLAN 2). VLAN 1 won't see any of VLAN 2's traffic and vice versa; logically, you now have two separate switches. Normally on a switch, if the switch hasn't seen a MAC address it will "flood" the traffic to all other ports. VLANs prevent this.

If two computers are going to talk using TCP/IP, then one of two conditions must be met:

  • They must belong to the same subnet. This means the network address must be the same and the netmask must be equal or smaller. So, a computer with an interface with an IP address of 192.168.10.4/24 can talk to a computer with an interface with an IP address of 192.168.10.8/24 with no issues, provided they are both connected to the same physical switch or VLAN. If the second computer's interface connected to that same physical switch or VLAN was 192.168.11.8/24, it would ignore the traffic (unless the interface was in promiscuous mode).

  • A router needs to exist between both computers that can forward traffic between subnets. Computer A and computer B need a route (or default gateway) to this router. Let's say a computer with an interface with an IP address of 192.168.10.4/24 wants to talk to a computer with an interface with an IP address of 192.168.20.4/24. Different subnets, so we must go through a router. Let's say there's a router with two interfaces (routers by definition have two interfaces), one on 192.168.10.254/24 and one on 192.168.20.254/24. If the route table or DHCP is set up correctly and both computer A and B can reach the router's interfaces on their respective subnets, then they can talk to each other indirectly via the router.

Forcing traffic to go through a router, even though it's not needed, such as on our 8-port switch above, has security and performance benefits - it gives you an opportunity to filter traffic, an opportunity to optimally route traffic based on type, and routers do not forward broadcast traffic (unless unusually configured). VLANs are sometimes used as a "hack" to manage flows/visibility of IPv4 broadcast traffic.

Edit to answer some of your questions:

  • Conceptually VLANs are equivalent to switches. What comes in 1 port of a VLAN is replicated ("flooded") to all other ports unless the VLAN has seen/learned the MAC address before, in which case it is directed to that port. There is no gateway to the VLAN proper. A "gateway" always means the IP address of a router.

  • For VLAN 1 to talk to VLAN 2, an interface in VLAN 1 must be connected to a router, an interface in VLAN 2 must be connected to a router, and that router must be configured to forward traffic between those subnets. In our 8 port example above, if we wanted to route traffic between those VLANs, we'd have to spend 1 port on each VLAN connecting to a router. Same with a switch.

I'm sure many high-end switches/hardware have a "VLAN router" "built-in" to them where spending an extra port within each VLAN connecting it to a physical router really isn't necessary if you want to route between VLANs in the same switch. This might be where the VLAN IP or "gateway" comes into play. (I invite those more knowledgeable to edit this)

  • When a computer gets its IP via DHCP, it also usually gets the "default gateway" from that same DHCP server. Someone has to configure the DHCP server correctly. Routing protocols such as RIP, IS-IS, OSPF, and BGP can also add routes. Of course, you have the option of adding routes manually ("static" routes).

  • If your switch has a serial port or port labeled "console" it's likely managed and supports VLANs.
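The two conditions from the answer above, worked through in code as an added example (not part of the original post): a host pair either shares a subnet inside one VLAN, needs a router with an interface in each host's subnet and VLAN, or cannot talk. Addresses are the ones used in the answer; the VLAN assignments and interface names are constructed.

```python
# Added example: classify how host A reaches host B using the answer's rules.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Iface:
    name: str
    addr: str   # address with prefix length, e.g. "192.168.10.4/24"
    vlan: int   # VLAN of the switch port this interface is plugged into

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.IPv4Interface(self.addr).network


def same_subnet(a: Iface, b: Iface) -> bool:
    """Same network address and same mask: the first condition in the answer."""
    return a.network == b.network


def has_gateway(h: Iface, router: list) -> bool:
    """Router needs an interface on h's subnet *and* in h's VLAN; otherwise
    h's frames never reach it, because a VLAN does not pass traffic to another."""
    return any(same_subnet(h, r) and h.vlan == r.vlan for r in router)


def reachability(a: Iface, b: Iface, router: list) -> str:
    if same_subnet(a, b):
        # Same subnet only works inside one broadcast domain (one switch or VLAN).
        if a.vlan == b.vlan:
            return "direct"
        return "unreachable: same subnet but different VLAN"
    # Different subnets: both ends need a reachable router interface.
    if has_gateway(a, router) and has_gateway(b, router):
        return "via router"
    return "unreachable: no router interface on both subnets"


# The answer's router, one interface per VLAN/subnet (VLAN numbers constructed).
ROUTER = [Iface("rtr-vlan1", "192.168.10.254/24", 1),
          Iface("rtr-vlan2", "192.168.20.254/24", 2)]

if __name__ == "__main__":
    a = Iface("A", "192.168.10.4/24", 1)
    for other in (Iface("B", "192.168.10.8/24", 1), Iface("C", "192.168.11.8/24", 1),
                  Iface("D", "192.168.20.4/24", 2), Iface("E", "192.168.10.8/24", 2)):
        print(f"{a.name} -> {other.name}: {reachability(a, other, ROUTER)}")
```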


I found the other explanations complicated.

  • VLAN lets you tag all network packets with a magic number (e.g. 3).
  • Only other network cards set to 3 will see those packets.

Set a bunch of computers to VLAN 3 and they'll be in their own little isolated world; they won't see any other traffic.

Suddenly you can have multiple LANs operating on the same wires (i.e. virtual LANs). You can even have two computers with the same IP, since they have different VLAN tags (e.g. 3 versus 7).


Setting a VLAN ID is done by configuring the network card driver.

Your mileage will vary with your network card and its drivers.
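The "magic number" in the answer above is the 12-bit VLAN ID carried in an IEEE 802.1Q tag inserted after the source MAC of an Ethernet frame. The following is an added example (not from the original post) that builds tagged frames for VLAN 3 and VLAN 7, reads the ID back, and shows a port set to VLAN 3 passing only VLAN 3 frames; the MAC addresses and payload are constructed.

```python
# Added example: minimal 802.1Q tag encoder/decoder and a per-VLAN port filter.
import struct
from typing import Optional

TPID_8021Q = 0x8100   # EtherType value that announces a VLAN tag follows
ETH_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Untagged frame, or 802.1Q-tagged when vid is given (valid IDs are 1..4094)."""
    if vid is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    if not 1 <= vid <= 4094:
        raise ValueError("VID 0 and 4095 are reserved")
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)   # PCP(3) | DEI(1)=0 | VID(12)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def vlan_id(frame: bytes) -> Optional[int]:
    """VLAN ID of a tagged frame, or None if the frame carries no 802.1Q tag."""
    if len(frame) < 18:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    return tci & 0x0FFF if tpid == TPID_8021Q else None


def port_accepts(port_vlan: int, frame: bytes) -> bool:
    """A port set to one VLAN only passes frames tagged with that VLAN."""
    return vlan_id(frame) == port_vlan


# Constructed sample traffic: same destination, source and payload, different tags.
DST = bytes.fromhex("ffffffffffff")     # broadcast
SRC = bytes.fromhex("02ab00000001")     # locally administered MAC (constructed)
PAYLOAD = b"\x45" + bytes(19)           # stand-in for an IPv4 header
FRAMES = {
    "vlan3": build_frame(DST, SRC, ETH_IPV4, PAYLOAD, vid=3),
    "vlan7": build_frame(DST, SRC, ETH_IPV4, PAYLOAD, vid=7),
    "untagged": build_frame(DST, SRC, ETH_IPV4, PAYLOAD),
}

if __name__ == "__main__":
    for name, frame in FRAMES.items():
        print(f"{name}: vid={vlan_id(frame)} accepted_on_vlan3={port_accepts(3, frame)}")
```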


The simplistic explanation is that VLANs exist to allow different subnets to share physical cabling, ports, and switching. You could have distinct subnets on your network without VLANs, but you'd have to have a different set of wires for each.
