VLANs Offer Security & Network Segregation Without the Cost

VLANs (Virtual Local Area Networks) are two or more LAN subnets that exist on the same networking equipment, such as a switch or firewall. Given that ports on a switch function independently, this creates the ability to treat each port as if it is its own network. Grouping these ports together creates a VLAN, essentially creating subsets of logical networks on a physical switch.

For example, assume you are using an eight-port switch. With no VLANs configured, assume the entire switch operates on the 10.81.44.X network. Any devices attached to the switch can communicate with one another as long as their IP addresses fall between 10.81.44.1 and 10.81.44.254. Now assume we have implemented VLANs on the switch. The first four ports are still associated with the 10.81.44.X network; however, we have configured the last four ports to operate on the 192.168.1.X network. In doing so, we have created two logical networks on one physical switch. Devices on the first four ports can now communicate only with each other, and the same goes for devices attached to the last four ports.

So what benefits do VLANs give us?

Broadcast Domain

Each network has its own broadcast domain. Whenever a broadcast packet is sent, it is delivered to every device on the network. As the number of devices attached to the network grows, so does the number of broadcast packets travelling across it. As this traffic grows, broadcast packets can congest the network and potentially slow things down. Splitting the traffic into two networks with VLANs can greatly reduce broadcast traffic and relieve congestion, because a broadcast is only delivered to the ports in the same VLAN.

Security

VLANs offer the ability to keep the data packets of multiple networks separated. Organizations that wish to offer wireless Internet in their workspace, yet still maintain a private and secure network, can use VLANs to achieve this goal. Take the example used earlier where two networks exist: 10.81.44.X and 192.168.1.X. The 10.81.44.X network is a private network that contains critical file servers, e-mail servers, and potentially private data that should only be accessed by internal employees. If the company simply attached a wireless router to this network, anyone within wireless range with some computer knowledge could easily break into the router and reach this private data network. This is where VLANs and the 192.168.1.X network come into play. On the company's switch, a VLAN can be created specifically for the new 192.168.1.X wireless network. The switch ports associated with the wireless VLAN would communicate only with the Internet, and traffic would never pass between the two networks. A router would need to be placed between the two networks for them to communicate at all. Because a switch does not function as a router, packets pass only to the ports in the same VLAN, and the two VLANs behave as if two physical networks were in place.

Dividing Critical Network Traffic

Often, networks have some device or system that requires a large amount of network bandwidth. One example is VoIP phones, whose voice packets need to travel at a higher priority than file or e-mail packets. VLANs offer a way to segregate this higher-priority traffic onto its own network so that voice traffic does not clog the network bandwidth. As in the example above, a new network can be created with VLANs without purchasing any more switching hardware. The 10.81.44.X network would remain the primary data network, and a new network, 192.168.1.X, would be created for the VoIP traffic. The difference here is that the same ports can be used for both the voice and data VLANs, meaning a single port can carry two VLANs at once. The traffic is still divided, because each packet is tagged with an ID number identifying its VLAN. Assume the data VLAN has a VLAN ID of 1 and the voice VLAN has a VLAN ID of 200. When a packet arrives at a switch port with both a computer and a VoIP phone attached, the port reads the VLAN ID and knows which device the packet is for. Devices also check this VLAN ID and discard any packets that do not belong to their own network. Through the use of VLANs and unique VLAN IDs, devices can share one physical switch port yet still operate on two separate logical networks.
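The following is an added example, not code from the original article: a small Python model of an 802.1Q-aware eight-port switch that illustrates both the wireless/data isolation from the Security section and the tagged voice/data sharing of one port described above. It parses the 802.1Q tag (TPID 0x8100, then a 16-bit TCI holding the priority and the 12-bit VLAN ID), assigns each ingress frame to a VLAN based on the port's membership, and floods only to ports in that VLAN. The topology, MAC addresses and payloads are constructed for the example; the article fixes VLAN IDs 1 (data) and 200 (voice), while 20 for the wireless VLAN is this example's own choice.

```python
"""Added example: minimal model of an 802.1Q-aware switch (not the article's code)."""
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vid: Optional[int]   # VLAN ID from the tag, None when the frame is untagged
    pcp: int             # 802.1p priority (0-7); 0 when untagged
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet II frame that may carry one 802.1Q tag."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = raw[:6], raw[6:12]
    ethertype = struct.unpack("!H", raw[12:14])[0]
    if ethertype != TPID_8021Q:
        return Frame(dst, src, None, 0, raw[14:])
    if len(raw) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci = struct.unpack("!H", raw[14:16])[0]   # PCP(3) | DEI(1) | VID(12)
    return Frame(dst, src, tci & 0x0FFF, tci >> 13, raw[18:])


def build_frame(dst: bytes, src: bytes, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build a frame; when vid is given, insert an 802.1Q tag after the MACs."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF))
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload


@dataclass
class Port:
    access_vlan: int                  # VLAN assigned to untagged frames
    voice_vlan: Optional[int] = None  # extra tagged VLAN a phone may use


class Switch:
    """Port-based VLAN switch that floods within a VLAN only (no MAC learning)."""

    def __init__(self, ports: dict):
        self.ports = ports

    def classify(self, port_no: int, frame: Frame) -> Optional[int]:
        """Return the VLAN a frame belongs to on ingress, or None to discard it."""
        port = self.ports[port_no]
        if frame.vid is None:
            return port.access_vlan          # untagged: the port's own VLAN
        if frame.vid in (port.access_vlan, port.voice_vlan):
            return frame.vid                 # tag matches a VLAN this port carries
        return None                          # tag for a VLAN this port is not in

    def forward(self, in_port: int, raw: bytes) -> list:
        """Return the egress ports for a raw frame arriving on in_port."""
        vlan = self.classify(in_port, parse_frame(raw))
        if vlan is None:
            return []
        return sorted(p for p, cfg in self.ports.items()
                      if p != in_port and vlan in (cfg.access_vlan, cfg.voice_vlan))


# Constructed topology (assumption): ports 1-4 are data VLAN 1 (10.81.44.X),
# ports 5-8 wireless VLAN 20 (192.168.1.X); ports 1 and 2 also carry voice
# VLAN 200 for a phone daisy-chained with a PC.
DATA, WIRELESS, VOICE = 1, 20, 200
SWITCH = Switch({
    1: Port(DATA, VOICE), 2: Port(DATA, VOICE), 3: Port(DATA), 4: Port(DATA),
    5: Port(WIRELESS), 6: Port(WIRELESS), 7: Port(WIRELESS), 8: Port(WIRELESS),
})
BCAST = b"\xff" * 6
PC = bytes.fromhex("0200000000a1")       # constructed MAC addresses
PHONE = bytes.fromhex("0200000000b2")
LAPTOP = bytes.fromhex("0200000000c3")


def demo() -> dict:
    """Run a few frames through the switch and return where each was forwarded."""
    return {
        # untagged broadcast from a PC on port 2 stays inside the data VLAN
        "pc_data": SWITCH.forward(2, build_frame(BCAST, PC, b"arp")),
        # untagged broadcast from a wireless laptop never reaches ports 1-4
        "laptop_wifi": SWITCH.forward(6, build_frame(BCAST, LAPTOP, b"arp")),
        # phone on port 1 tags its traffic 200, priority 5: only voice ports see it
        "phone_voice": SWITCH.forward(1, build_frame(BCAST, PHONE, b"rtp", VOICE, 5)),
        # a tag for a VLAN the ingress port does not carry is discarded at ingress
        "wifi_tag_200": SWITCH.forward(5, build_frame(BCAST, LAPTOP, b"rtp", VOICE)),
        "data_tag_20": SWITCH.forward(3, build_frame(BCAST, PC, b"x", WIRELESS)),
    }


if __name__ == "__main__":
    for name, ports in demo().items():
        print(f"{name:>13}: forwarded to ports {ports or 'none (dropped)'}")
```

The model deliberately omits MAC learning and routing, which is the point: with no router between VLANs, a frame entering on a wireless port is flooded only to the other wireless ports, and a frame that arrives carrying a tag for a VLAN the ingress port is not a member of is dropped before it is forwarded anywhere. On real hardware the equivalent is assigning access and voice VLANs per port and leaving untagged or unexpected tags unaccepted on edge ports.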

Configuring VLANs brings multiple benefits to the security and functionality of a network without the need to purchase more hardware. If bandwidth issues or the need for a separate wireless network arise, turn to VLANs first. You'll save yourself some money and learn a lot about how networks function along the way.