Author: Packetville

  • What is a VLAN?

    A VLAN (Virtual Local Area Network) is a feature on a switch that groups ports into separate sets and prevents devices in one set from seeing traffic from the others. Each set is its own Layer 2 broadcast domain.

    But what does that actually mean, and why does it matter?

    To understand that, it helps to go back to the early days of networking.

    Hubs

    Before switches existed, computers were commonly connected using a hub. A hub looked similar to a modern switch, but it worked very differently. When one computer sent data, the hub simply repeated that signal to every connected device.

    This caused two problems.

    First, performance.
    Only one device could talk at a time, so as more computers were added, the network became slower. Each computer had to wait its turn to send data. It was one big collision domain.

    Second, security.
    Because a hub sent all traffic to every port, any connected computer could see traffic meant for others.

    Switches

    The successor to the hub was the switch. Unlike hubs, switches had some intelligence. They learned the MAC addresses of connected devices and kept track of which MAC address was on each port. This allowed switches to send traffic only to the port where the destination device was connected, instead of flooding it to every port. Broadcast frames, addressed to the special MAC address FF:FF:FF:FF:FF:FF, were still sent out every port, since by definition they are meant for every device.

    VLANs

    The problem is that all devices on a switch still share the same Layer 2 network. They can communicate directly using MAC addresses or indirectly through broadcast traffic. A VLAN divides connected devices into separate groups, making one physical switch behave like multiple separate switches.

    For example, if you create VLAN 10 and VLAN 20, any port assigned to VLAN 10 can only communicate at Layer 2 with other ports in VLAN 10. The same is true for VLAN 20.
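    To make the forwarding rules above concrete, here is a small Python model of a hub and of a VLAN-aware switch. It is an added example written for this note, not code from Packetville; the port numbers, VLAN assignments and MAC addresses are constructed. The switch learns each source MAC per (VLAN, port), forwards known unicast to a single port, and floods broadcasts and unknown destinations only to ports in the same VLAN.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    """A Layer 2 frame reduced to what forwarding decisions need."""
    src: str
    dst: str


def hub_forward(n_ports: int, in_port: int, frame: Frame) -> list:
    """A hub repeats every frame to every other port, whatever the destination."""
    return [p for p in range(1, n_ports + 1) if p != in_port]


@dataclass
class Switch:
    """Toy VLAN-aware switch (constructed model, not a vendor implementation).

    access_vlan maps each port number to the VLAN it belongs to.
    mac_table is learned at runtime and keyed by (vlan, mac) -> port.
    """
    access_vlan: dict
    mac_table: dict = field(default_factory=dict)

    def forward(self, in_port: int, frame: Frame) -> list:
        """Return the sorted list of ports the frame is sent out of."""
        vlan = self.access_vlan[in_port]
        # Learn: the source MAC is reachable via in_port, inside this VLAN only.
        self.mac_table[(vlan, frame.src.lower())] = in_port
        dst = frame.dst.lower()
        # The broadcast domain is the VLAN, never the whole switch.
        same_vlan = sorted(p for p, v in self.access_vlan.items()
                           if v == vlan and p != in_port)
        if dst == BROADCAST:
            return same_vlan
        out = self.mac_table.get((vlan, dst))
        if out is None:
            # Unknown unicast: flood like a hub, but only within the VLAN.
            return same_vlan
        if out == in_port:
            # Destination sits behind the same port; nothing to forward.
            return []
        return [out]


if __name__ == "__main__":
    sw = Switch(access_vlan={1: 10, 2: 10, 3: 20, 4: 20})
    print("hub:", hub_forward(4, 1, Frame("02:00:00:00:00:01", BROADCAST)))
    print("vlan 10 broadcast:", sw.forward(1, Frame("02:00:00:00:00:01", BROADCAST)))
    print("vlan 10 reply:", sw.forward(2, Frame("02:00:00:00:00:02", "02:00:00:00:00:01")))
    print("vlan 20 to vlan 10 MAC:", sw.forward(3, Frame("02:00:00:00:00:03", "02:00:00:00:00:01")))
```

Running it shows the hub flooding to every port, the VLAN 10 broadcast reaching only port 2, the reply going straight to port 1 once the MAC is learned, and a VLAN 20 host never reaching VLAN 10 even when it addresses a VLAN 10 MAC.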