Imagine you have a company that has two networks. On one network you have all the workers, and on another you have all the servers. They're on separate networks so that you can enforce security on the router between the two networks.

Now the company grows and you move into a second building. You need to add more servers to the network and they're going to live in the second building, with the new workers. You really want to keep the two networks separate, still, but you don't want to run two cables between the two buildings - you'd like to just run one.

So, you come up with a solution - on the switches in each building you put all the workers' machines into the first half of the switch, and all the servers into the second half of the switch. You then have the switch add a tag to the beginning of each packet to tell you which network the packet has come from on the link between the two buildings, and when it gets to the other end of the link the switch removes the tag and only sends the packet on the network the tag told it to. Congratulations - you've invented VLANs.

VLANs can be tagged or untagged - when they're untagged, it's a method for using one piece of network equipment (such as a switch) as more than one smaller switch for more than one network. When they're tagged, they're adding an identifier to the beginning of the packet to say which network they're supposed to be on, so that several links can be combined but the traffic kept separate. Devices can do a combination of both, if they need to. It also allows for neat things like a router or firewall with only one network cable plugged in, because it can send and receive packets on different networks by using different tagged VLANs.
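The two-building setup described above, as an added example that is not part of the original post: a small Python model of two switches joined by one tagged link. It assumes IEEE 802.1Q framing, where the 4-byte tag sits after the destination and source MAC addresses; the VLAN numbers (10 for workers, 20 for servers), port numbers and the sample frame are constructed for illustration.

```python
import struct

TPID = 0x8100  # 802.1Q Tag Protocol Identifier

def add_tag(frame: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag after the destination and source MACs."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")
    tci = (pcp << 13) | vlan_id  # 3-bit priority, 1-bit DEI (0), 12-bit VLAN ID
    return frame[:12] + struct.pack("!HH", TPID, tci) + frame[12:]

def strip_tag(frame: bytes):
    """Return (vlan_id, untagged_frame); vlan_id is None if no tag is present."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID:
        (tci,) = struct.unpack("!H", frame[14:16])
        return tci & 0x0FFF, frame[:12] + frame[16:]
    return None, frame

class Switch:
    """Hypothetical switch: untagged access ports plus one tagged inter-building link."""

    def __init__(self, access_ports: dict):
        self.access_ports = access_ports  # port number -> VLAN ID

    def to_trunk(self, in_port: int, frame: bytes) -> bytes:
        # Tag the frame with the VLAN of the port it arrived on.
        return add_tag(frame, self.access_ports[in_port])

    def from_trunk(self, tagged: bytes) -> dict:
        # Remove the tag and deliver only to ports in that VLAN. A frame with
        # no tag or an unknown VLAN matches no port and is dropped.
        vlan, frame = strip_tag(tagged)
        return {p: frame for p, v in self.access_ports.items() if v == vlan}

# Constructed sample: broadcast Ethernet frame (dst MAC, src MAC, EtherType, payload).
SAMPLE = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"hello"

building_a = Switch({1: 10, 2: 20})         # port 1 workers, port 2 servers
building_b = Switch({1: 10, 2: 10, 3: 20})  # ports 1-2 workers, port 3 servers

def demo() -> dict:
    """A server in building A sends; only the server port in building B receives."""
    on_wire = building_a.to_trunk(2, SAMPLE)
    return building_b.from_trunk(on_wire)

if __name__ == "__main__":
    print(sorted(demo()))  # ports that received the frame
```
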