A local area network, or LAN, provides the nodes connected to it with direct (Layer 2) access to one another. It usually consists of one or more Ethernet switches. Computers on different LANs talk to each other using Layer 3 (IP), via a router.
A virtual LAN (VLAN) abstracts the idea of the LAN: a VLAN might comprise a subset of the ports on a single switch or subsets of ports on multiple switches. By default, systems on one VLAN don't see the traffic associated with systems on other VLANs on the same network.
VLANs allow network administrators to partition their networks to match the functional and security requirements of their systems without having to run new cables or make major changes to their current network infrastructure. IEEE 802.1Q is the standard defining VLANs; the VLAN identifier (VID) carried in the 802.1Q tag is a 12-bit field in the Ethernet frame header, which creates an inherent limit of 4,096 VLAN identifiers on a LAN.
Ports on switches can be assigned to one or more VLANs, allowing systems to be divided into logical groups -- e.g., based on which department they are associated with -- and rules to be established about how systems in the separate groups are allowed to communicate with each other. These can range from the simple and practical (computers in one VLAN can see the printer on that VLAN, but computers outside that VLAN cannot), to the complex and legal (e.g., computers in the trading departments cannot interact with computers in the retail banking departments).
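To make the 802.1Q tag and the port-membership rules above concrete, here is an added Python example (not code from the original text): it parses and builds tagged Ethernet frames, unpacking the 12-bit VID together with the PCP and DEI bits that share the tag, and runs them through a toy switch model that assigns each port to a VLAN and floods a frame only to ports in the same VLAN. The switch model (the `VlanSwitch` class, its access/trunk port distinction, and the made-up MAC addresses) is an assumption of this example, simplified to flooding without MAC learning; the reserved VIDs 0 and 4095 come from 802.1Q itself, which is why only 4,094 of the 4,096 identifiers are usable for ordinary VLANs.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Set

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag
VID_RESERVED = {0, 4095}     # 802.1Q reserves VID 0 (priority-only tag) and 4095


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vid: Optional[int]       # None when the frame carries no 802.1Q tag
    pcp: int                 # 3-bit priority code point
    dei: int                 # 1-bit drop eligible indicator
    ethertype: int           # EtherType of the payload (after the tag, if any)
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet II frame, unpacking the 802.1Q tag if one is present."""
    if len(raw) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    dst, src = raw[:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    if ethertype != TPID_8021Q:
        return Frame(dst, src, None, 0, 0, ethertype, raw[14:])
    if len(raw) < 18:
        raise ValueError("frame announces an 802.1Q tag but is truncated")
    tci, inner_type = struct.unpack("!HH", raw[14:18])
    # Tag Control Information layout: PCP (3 bits) | DEI (1 bit) | VID (12 bits)
    return Frame(dst, src, tci & 0x0FFF, tci >> 13, (tci >> 12) & 1, inner_type, raw[18:])


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0, dei: int = 0) -> bytes:
    """Serialise a frame, inserting an 802.1Q tag when vid is given."""
    if vid is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    if not 0 <= vid <= 0x0FFF:
        raise ValueError("VID must fit in 12 bits")
    tci = (pcp << 13) | (dei << 12) | vid
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


class VlanSwitch:
    """Toy model of 802.1Q port membership (flooding only, no MAC learning).

    Access ports belong to exactly one VLAN and carry it untagged; trunk ports
    carry a set of VLANs tagged. A frame is flooded only to ports in its VLAN.
    """

    def __init__(self) -> None:
        self.access: Dict[str, int] = {}        # port -> its VLAN (PVID)
        self.trunk: Dict[str, Set[int]] = {}    # port -> allowed tagged VLANs

    def add_access_port(self, port: str, vid: int) -> None:
        self.access[port] = vid

    def add_trunk_port(self, port: str, allowed: Set[int]) -> None:
        self.trunk[port] = set(allowed) - VID_RESERVED   # never carry reserved VIDs

    def classify(self, port: str, frame: Frame) -> Optional[int]:
        """Decide which VLAN an ingress frame belongs to; None means drop."""
        if port in self.access:
            # An access port accepts only untagged frames and assigns its PVID;
            # a tagged frame arriving here is discarded rather than honoured.
            return self.access[port] if frame.vid is None else None
        if port in self.trunk:
            # A trunk accepts only tags in its allowed set; untagged frames are
            # dropped because this model defines no native VLAN on trunks.
            if frame.vid is None or frame.vid not in self.trunk[port]:
                return None
            return frame.vid
        return None

    def forward(self, ingress: str, raw: bytes) -> Dict[str, bytes]:
        """Return {egress_port: frame_bytes} for a frame received on ingress."""
        frame = parse_frame(raw)
        vid = self.classify(ingress, frame)
        if vid is None:
            return {}
        out: Dict[str, bytes] = {}
        for port, pvid in self.access.items():
            if port != ingress and pvid == vid:     # same VLAN: deliver untagged
                out[port] = build_frame(frame.dst, frame.src, frame.ethertype, frame.payload)
        for port, allowed in self.trunk.items():
            if port != ingress and vid in allowed:  # same VLAN: deliver tagged
                out[port] = build_frame(frame.dst, frame.src, frame.ethertype,
                                        frame.payload, vid, frame.pcp, frame.dei)
        return out


# Constructed sample addresses (locally administered, made up for this example).
BCAST = b"\xff" * 6
MAC_A = bytes.fromhex("020000000001")
ETHERTYPE_IPV4 = 0x0800


def build_demo_switch() -> VlanSwitch:
    """Two hosts in VLAN 10, one in VLAN 20, and a trunk uplink carrying both."""
    sw = VlanSwitch()
    sw.add_access_port("p1", 10)
    sw.add_access_port("p2", 10)
    sw.add_access_port("p3", 20)
    sw.add_trunk_port("uplink", {10, 20})
    return sw


if __name__ == "__main__":
    sw = build_demo_switch()
    bcast = build_frame(BCAST, MAC_A, ETHERTYPE_IPV4, b"constructed payload")
    for port, data in sw.forward("p1", bcast).items():
        print(port, parse_frame(data).vid)   # p2 untagged (None), uplink tagged 10
```

Running the block floods a broadcast from port `p1` only to `p2` (untagged, same VLAN 10) and to the uplink (tagged with VID 10); the VLAN 20 host on `p3` never sees it, which is the isolation the text describes. The two drop rules in `classify` are the ones worth checking on a real switch configuration: access ports should not honour tags arriving from hosts, and trunks should carry an explicit allowed list rather than every VLAN.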
Moreover, VLANs can be tunneled across Layer 3 boundaries (that is, across a router link) to allow geographically dispersed systems to communicate as if they were physically on the same LAN.