"The VLAN is probably the least sexy topic you're ever going to talk about," said James Gudeli, VP of business development at the IT infrastructure firm Kerio Technologies.
Wait, why are we talking about this?
VLANs, short for virtual local area networks, might not be cocktail party material, but they have compelling uses for smaller office environments. (If VLANs are your cocktail party material, you need new cocktail party material. Fast.) Small and midsize businesses (SMBs) deal with security, big data, BYOD and related issues, too. Users -- even when there are fewer of them -- come with their own set of challenges and needs, and they're rarely uniform. VLANs can be an effective tool for better managing those users and what they do on a corporate network.
"What a VLAN allows you to do is, with an existing single switch or network infrastructure, to have multiple virtual subnets that you can segregate from each other for a variety of reasons," Gudeli said. For a quick primer or refresher course on VLANs, Gudeli also recommends this brief video from Cisco's Jimmy Ray Purser.
The upside of a VLAN relative to its traditional older sibling, the physical LAN, is that organizations can segregate portions of their network without necessarily having to invest in a bunch of expensive networking gear. "[Small businesses] are going to complain about buying one switch, much less two or three or four," Gudeli said.
The VLAN's basic ability to split a network into segments underpins these three scenarios in which SMBs might want to consider using one. Here they are, with a specific example of each.
1. Separating Data
Gudeli notes that VLANs were originally intended as a means to improve quality of service on networks. That still holds true. "With all these different services running on your network, there's a lot of chatter, a lot of broadcast traffic going across the network which can impact the performance of a service that needs more bandwidth," Gudeli said, adding: "It doesn't matter how small your business is. You probably don't have the same Internet connectivity as an enterprise, so it's just as precious to you to maintain the quality of that. A VLAN is one way to maintain that quality of service."
Example: VoIP phone systems. VoIP is a popular choice among SMBs for cost and ease-of-use reasons, but it can also be bandwidth intensive. "If you can segregate your voice phones into a separate subnet, you can restrict all other traffic going to those specific devices, and so you can improve the performance."
2. Separating Users
It can be tough -- or totally impossible -- to physically separate users in a small office environment. Shared or open offices, small spaces and other physical limitations are common. That's true at Kerio itself after a recent office move, according to Gudeli. VLANs offer a way to keep users separate on the network even if they're side-by-side in the office. And user groups don't have to be big -- just two will do, if there's a good reason for it.
Security and access restriction are often reasons for segregating user groups. Sometimes it's more a matter of segmenting groups by job function for network optimization and bandwidth management purposes.
Example: These depend on the business and how it's organized, but you can likely imagine reasons to segregate just about any traditional department. Finance is a common example, HR another. There's a case to be made for any user group that handles sensitive data. But the data or job functions don't have to be particularly high risk. It may make sense to segment a creative team that regularly handles large media files, Gudeli noted, for network performance reasons.
3. Separating Both Data And Users
In some settings, there's good reason to separate both users and data altogether, such as in retail businesses that offer public Wi-Fi. You don't want your customers' iPad traffic intermingling with your payroll or HR systems, not just for security reasons but for performance reasons, too. Again, VLANs can be a tool for keeping public and private apart.
Example: Gudeli laid out this relatively straightforward scenario for creating a public external network and a private internal network. It involves a single VLAN switch and two wireless access points: each WAP gets a unique name, such as Public and Private; each connects to a separate port on the VLAN switch, such as ports 7 and 8; those ports are configured as separate VLANs, as in VLAN ID 7 and VLAN ID 8; finally, the VLAN switch is configured to tag network traffic with the appropriate VLAN ID so that the switch can tell the firewall "this traffic comes from that network" and vice versa.
"By associating each WAP to a separate VLAN ID, the firewall can identify wireless [and other] devices on the guest network, and can therefore apply a unique set of filtering and bandwidth policies," Gudeli said. "Meanwhile, the VLAN switch will ensure that the guest network cannot interact with resources on the internal networks, such as a file server, intranet or network printer."
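To make the tagging step concrete, here is a small Python model of that two-WAP scenario. It is an added illustration, not code from the article or from Kerio: the switch inserts an 802.1Q tag (VLAN 7 for the Public WAP on port 7, VLAN 8 for the Private WAP on port 8), and the firewall reads the tag back and applies a per-VLAN policy. The internal subnet 10.8.0.0/24, the MAC addresses and the destination IPs are constructed sample values.

```python
import struct
from ipaddress import ip_address, ip_network

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

# Scenario from the article: WAP "Public" on switch port 7 -> VLAN 7,
# WAP "Private" on switch port 8 -> VLAN 8. Subnet values are assumptions.
ACCESS_PORTS = {7: 7, 8: 8}                  # switch port -> VLAN ID
VLAN_NAMES = {7: "Public", 8: "Private"}
INTERNAL_NETS = [ip_network("10.8.0.0/24")]  # assumed home of file server, intranet, printer

def build_untagged(dst_mac, src_mac, ethertype, payload):
    """Constructed sample Ethernet frame, as a client behind a WAP would send it."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload

def switch_tag(port, frame):
    """Switch side: a frame from an access port is forwarded on the trunk to the
    firewall with a 4-byte 802.1Q tag inserted after the two MAC addresses."""
    tci = ACCESS_PORTS[port] & 0x0FFF            # PCP=0, DEI=0, 12-bit VID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def firewall_vid(frame):
    """Firewall side: read the VLAN ID back out of the tag, or None if untagged."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    return tci & 0x0FFF if tpid == TPID_8021Q else None

def firewall_decision(frame, dst_ip):
    """Per-VLAN policy: guests may reach the Internet but never internal resources."""
    vid = firewall_vid(frame)
    name = VLAN_NAMES.get(vid)
    if name is None:
        return "drop"                            # untagged or unknown VLAN: origin unknown
    to_internal = any(ip_address(dst_ip) in net for net in INTERNAL_NETS)
    if name == "Public" and to_internal:
        return "drop"                            # guest -> file server/intranet/printer
    return "accept"

if __name__ == "__main__":
    sample = build_untagged(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01", 0x0800, b"payload")
    for port, dst in ((7, "10.8.0.20"), (7, "203.0.113.9"), (8, "10.8.0.20")):
        tagged = switch_tag(port, sample)
        print(f"VLAN {firewall_vid(tagged)} -> {dst}: {firewall_decision(tagged, dst)}")
```

A real firewall would also need the reverse direction covered (replies from internal hosts to guest clients), which the article's "and vice versa" alludes to.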