A VLAN is similar in concept to an IP subnet insofar as it breaks a larger network into smaller, segregated networks, which improves both performance and security. The fundamental difference is that a VLAN is a layer-2 concept (a switched LAN), whereas an IP subnet is a layer-3 construct in a routed network. With VLANs, the network designer breaks one large broadcast domain into many smaller broadcast domains.
To understand this we first need to know what a broadcast domain is and why making smaller, segregated broadcast domains is beneficial. Switched networks (LANs) such as Ethernet operate at layer 2, and at this level the computers or devices on the network address each other using their MAC addresses. At layer 2, a host wraps each IP packet in a frame carrying a source and destination MAC address; a host's MAC address is assigned to its network adaptor by the manufacturer (although it can be overridden in software, which is why a MAC address on its own proves nothing about who is sending). So, for example, if a host wants to send data to another host with IP address 172.16.1.2, it must first discover the MAC address of 172.16.1.2. It does this with an ARP request, a broadcast (a frame sent to every host on the LAN) asking "Who has 172.16.1.2?". The host configured with that IP address replies with its MAC address, and from then on the two hosts exchange frames directly using their MAC addresses. The point to note is that resolving an IP address to a MAC address requires a broadcast to every device in the domain, and every device must receive and process it, whether or not it is the one being asked for. Because ARP is unauthenticated, any host in the same broadcast domain can also answer such a request, so the size of the broadcast domain bounds both the broadcast load and the set of hosts that can interfere with this resolution. On a small network this is manageable, but on a large flat LAN the volume of broadcast traffic becomes a real problem, so the goal is to make the broadcast domains smaller.
The mechanism for dividing a large broadcast domain (LAN) into smaller virtual LANs is the VLAN. This is achieved by grouping computers with something in common, for example the computers of the Finance department or of the Sales department, into separate VLANs. This is a configuration element on the switch: each port is assigned to a VLAN, and each VLAN is identified by a numeric VLAN ID (carried in an IEEE 802.1Q tag when frames cross a link that carries several VLANs), so the one physical LAN is sub-divided into logical LANs, hence the term VLAN. Hosts within a VLAN can communicate with each other at layer 2, and a broadcast from one of them is delivered only to the other members of that VLAN; hosts in different VLANs cannot reach each other at layer 2 at all. Any traffic between VLANs has to pass through a router or layer-3 switch, which is exactly where access-control policy between departments can be enforced. The VLAN therefore improves performance and provides a mechanism for implementing security, provided that the inter-VLAN routing point actually applies such a policy.
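The following is an added example written for this page (it is not code from the original article and does not model any particular vendor's switch): it builds the broadcast ARP request described above as a raw Ethernet frame, shows how an 802.1Q tag carries the VLAN ID, and runs the frames through a toy learning switch whose access ports each belong to one VLAN. The topology (Finance on VLAN 10 behind ports 1 and 2, Sales on VLAN 20 behind port 3), the MAC and IP addresses, and the helper and class names are all assumptions made for the example.

```python
"""Added example: ARP-over-Ethernet frames, 802.1Q tagging, and a toy switch
that floods broadcasts only inside the VLAN they arrived on.
Hypothetical helper code written for this page, not a real switch implementation."""
import socket
import struct
from typing import Dict, Optional, Set, Tuple

BROADCAST_MAC = b"\xff" * 6
ETHERTYPE_ARP = 0x0806
ETHERTYPE_8021Q = 0x8100
ARP_REQUEST, ARP_REPLY = 1, 2


def mac(text: str) -> bytes:
    """'02:00:00:00:00:01' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_arp(src_mac: bytes, src_ip: str, dst_mac: bytes, target_mac: bytes,
              target_ip: str, oper: int) -> bytes:
    """Ethernet frame carrying a 28-byte ARP packet (RFC 826 field layout)."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                      src_mac, socket.inet_aton(src_ip),
                      target_mac, socket.inet_aton(target_ip))
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_ARP) + arp


def arp_request(src_mac: bytes, src_ip: str, target_ip: str) -> bytes:
    """'Who has target_ip?': sent to the broadcast MAC, target MAC field zeroed."""
    return build_arp(src_mac, src_ip, BROADCAST_MAC, b"\x00" * 6, target_ip, ARP_REQUEST)


def add_8021q_tag(frame: bytes, vlan_id: int) -> bytes:
    """Insert a 4-byte 802.1Q tag after the source MAC: TPID 0x8100, PCP/DEI 0, 12-bit VID."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, vlan_id) + frame[12:]


def parse_frame(frame: bytes) -> Tuple[bytes, bytes, Optional[int], int, bytes]:
    """Return (dst_mac, src_mac, vlan_id or None if untagged, ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan, offset = None, 14
    if ethertype == ETHERTYPE_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    return dst, src, vlan, ethertype, frame[offset:]


class Switch:
    """Toy learning switch: each access port belongs to exactly one VLAN, and a
    frame is only ever forwarded to ports in the VLAN it arrived on."""

    def __init__(self, access_ports: Dict[int, int]) -> None:
        self.access_vlan = access_ports                      # port -> VLAN ID
        self.mac_table: Dict[Tuple[int, bytes], int] = {}    # (VLAN, MAC) -> port

    def forward(self, ingress_port: int, frame: bytes) -> Set[int]:
        """Return the set of egress ports for a frame arriving on ingress_port."""
        dst, src, vlan, _, _ = parse_frame(frame)
        if vlan is not None:
            # An access port does not accept tagged frames: a host must not be
            # able to pick its own VLAN by tagging what it sends.
            return set()
        vlan = self.access_vlan[ingress_port]
        self.mac_table[(vlan, src)] = ingress_port        # learn source MAC per VLAN
        same_vlan = {p for p, v in self.access_vlan.items() if v == vlan and p != ingress_port}
        if dst == BROADCAST_MAC or (vlan, dst) not in self.mac_table:
            return same_vlan            # flood, but only inside this broadcast domain
        return {self.mac_table[(vlan, dst)]}               # known unicast: one port


def demo() -> Dict[str, Set[int]]:
    """Constructed topology: Finance = VLAN 10 (ports 1, 2), Sales = VLAN 20 (port 3)."""
    sw = Switch({1: 10, 2: 10, 3: 20})
    finance_a, finance_b, sales = (mac("02:00:00:00:00:01"), mac("02:00:00:00:00:02"),
                                   mac("02:00:00:00:00:03"))
    # Finance A asks who has 172.16.1.2: the broadcast reaches Finance B only, not Sales.
    who_has = sw.forward(1, arp_request(finance_a, "172.16.1.1", "172.16.1.2"))
    # Finance B answers by unicast; the switch already learned A's port and sends it there.
    reply = build_arp(finance_b, "172.16.1.2", finance_a, finance_a, "172.16.1.1", ARP_REPLY)
    reply_ports = sw.forward(2, reply)
    # A Sales host asking for the same IP stays inside VLAN 20: no Finance host hears it.
    sales_ports = sw.forward(3, arp_request(sales, "172.16.2.1", "172.16.1.2"))
    # A frame that arrives on an access port already tagged with VLAN 10 is dropped.
    tagged = sw.forward(3, add_8021q_tag(arp_request(sales, "172.16.2.1", "172.16.1.2"), 10))
    return {"who_has": who_has, "reply": reply_ports, "sales": sales_ports, "tagged": tagged}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two points of the text in one place: the ARP broadcast from port 1 is flooded only to port 2, the other member of VLAN 10, and the identical request from the Sales port reaches nobody, because the Finance hosts are outside its broadcast domain. The check that drops tagged frames on access ports stands in for the real-world rule that a host must never be allowed to choose its VLAN by supplying its own 802.1Q tag.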