Now that you understand VLAN basics, let's get to the fun part! I'll be showing you how to segment a single-subnet LAN into multiple private segments. This basic application of VLANs is handy for adding an extra measure of security to clients or servers that hold confidential information. It can also be used in multi-tenant settings to share a single Internet connection while letting each tenant share files and printers among its own devices, without those devices being reachable from the other tenants. I'm sure you can think of other applications.
I'll be using a Linksys SRW2008 (Figure 4), an eight port 10/100/1000 switch with a nice web utility for configuration. The SRW (reviewed here) is a Layer 2 switch with a large number of features, including VLAN support.
Figure 4: The Linksys SRW2008 switch
The basic steps in configuring a VLAN are:
- Plan your network.
- Create the VLANs.
- Associate switch ports with the VLANs.
- Test VLAN connectivity.
- Implement security measures as appropriate.
The most important part of VLAN implementation, even in a small network, is planning. You need to review your devices and decide which ones should go in which VLAN. A network administrator must consider the components, functions, and traffic types of all the elements of the network when planning VLANs.
The network components connected to the eight port SRW switch I'm using for this VLAN example are a LAN port from the RV042 router on port 1, a WiFi router on port 2, a Windows Server on port 3, a NAS on port 4, a printer on port 5, a Linux VoIP Server on port 6, a VoIP ATA on port 7, and a laptop computer on port 8. Figure 5 is a simple diagram of the "Before LAN."
Figure 5: The network before dividing into VLANs
None of these components are "VLAN-aware," meaning they send all frames to the switch untagged. VLAN-aware devices, such as VLAN-enabled switches and advanced network interface cards, can specify VLAN membership by "tagging" each frame with a VLAN number (an 802.1Q tag). This becomes important in multi-switch configurations, where a single link between switches must carry several VLANs.
A common VLAN best practice is to place all VoIP devices in their own VLAN so that data traffic cannot interfere with time-sensitive voice traffic. So we have:
- a VLAN for the Data devices
- a VLAN for the VoIP devices
But I also need both the Data and VoIP devices to reach the Internet. So I'll need:
- a VLAN that gives both the Data and VoIP VLANs a path to the router
The ability to make a single port a member of more than one VLAN comes in very handy and is the key to this example.
I'm also going to configure the laptop's switch port for access to all VLANs and to the management functions of the SRW. The SRW switch itself is also a member of the LAN and has its own IP address. Remember to include the switch's management interface in a VLAN that your admin workstation can reach, or you will lock yourself out of the management utility. More on this later.
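Before touching the switch, it pays to check the plan on paper: which ports can exchange untagged frames, and which tagged frames a port will accept. The following is an added example, not the article's configuration or any Linksys software. It models 802.1Q port membership (PVID, untagged and tagged member lists) for the eight devices in Figure 5 plus the switch's own management interface, then verifies the intended policy: data and voice ports cannot reach each other, every device can reach the router, and only the laptop and router can reach the management interface. The VLAN IDs (1, 10, 20), the memberships, and the internal "port 0" for the management interface are assumptions, not the article's settings.

```python
"""Model of 802.1Q port membership on a small Layer 2 switch.

Added example; not the article's own configuration or Linksys software.
VLAN IDs, port memberships and the management "port 0" are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Port:
    name: str
    pvid: int                                      # VLAN given to untagged ingress frames
    untagged: Set[int]                             # VLANs this port forwards without a tag
    tagged: Set[int] = field(default_factory=set)  # VLANs forwarded with a tag (trunk links)

    @property
    def members(self) -> Set[int]:
        return self.untagged | self.tagged


class Switch:
    def __init__(self, vlans: Dict[int, str]):
        self.vlans = vlans
        self.ports: Dict[int, Port] = {}

    def add_port(self, number: int, port: Port) -> None:
        missing = (port.members | {port.pvid}) - set(self.vlans)
        if missing:
            raise ValueError(f"port {number} references undefined VLAN(s) {sorted(missing)}")
        if port.pvid not in port.members:
            raise ValueError(f"port {number}: PVID {port.pvid} is not a member VLAN")
        self.ports[number] = port

    def classify(self, ingress: int, tag: Optional[int] = None) -> Optional[int]:
        """VLAN a frame is placed in on arrival, or None if the port drops it.

        VLAN-unaware hosts send untagged frames, which land in the port's PVID.
        A tagged frame is accepted only if the port is a member of that VLAN.
        """
        port = self.ports[ingress]
        if tag is None:
            return port.pvid
        return tag if tag in port.members else None

    def egress(self, ingress: int, tag: Optional[int] = None) -> Dict[int, Optional[int]]:
        """Ports that receive a flooded frame, mapped to the tag it leaves with (None = untagged)."""
        vid = self.classify(ingress, tag)
        if vid is None:
            return {}
        out: Dict[int, Optional[int]] = {}
        for number, port in self.ports.items():
            if number == ingress:
                continue
            if vid in port.untagged:
                out[number] = None
            elif vid in port.tagged:
                out[number] = vid
        return out

    def reaches(self, src: int, dst: int) -> bool:
        """True when an untagged frame from src can be delivered to dst."""
        return dst in self.egress(src)


def build_plan() -> Switch:
    """Port plan from Figure 5 with assumed VLAN IDs and memberships."""
    sw = Switch({1: "Shared (Internet + switch mgmt)", 10: "Data", 20: "VoIP"})
    data = {1, 10}   # Data hosts: own VLAN plus the shared VLAN so the router can reach them
    voip = {1, 20}
    sw.add_port(0, Port("SRW management interface", 1, {1}))   # assumed internal port
    sw.add_port(1, Port("RV042 router", 1, {1, 10, 20}))        # member of every VLAN
    sw.add_port(2, Port("WiFi router", 10, data))
    sw.add_port(3, Port("Windows Server", 10, data))
    sw.add_port(4, Port("NAS", 10, data))
    sw.add_port(5, Port("Printer", 10, data))
    sw.add_port(6, Port("Linux VoIP Server", 20, voip))
    sw.add_port(7, Port("VoIP ATA", 20, voip))
    sw.add_port(8, Port("Laptop", 1, {1, 10, 20}))              # admin: sees all VLANs
    return sw


def check_policy(sw: Switch) -> List[str]:
    """Return every src -> dst pair that violates the intended segmentation."""
    data_ports, voip_ports, router, mgmt = {2, 3, 4, 5}, {6, 7}, 1, 0
    violations: List[str] = []
    for a in data_ports:
        for b in voip_ports:
            for s, d in ((a, b), (b, a)):
                if sw.reaches(s, d):
                    violations.append(f"{s} -> {d}: data/voice not isolated")
    for p in data_ports | voip_ports:
        if not (sw.reaches(p, router) and sw.reaches(router, p)):
            violations.append(f"{p} <-> {router}: no Internet path")
        if sw.reaches(p, mgmt):
            violations.append(f"{p} -> {mgmt}: switch management exposed")
    return violations


if __name__ == "__main__":
    sw = build_plan()
    print("policy violations:", check_policy(sw) or "none")
    print("tagged VoIP frame on the server port accepted?", sw.classify(3, tag=20) is not None)
```

Two points the model makes visible. First, because the router and laptop ports are untagged members of several VLANs, a frame from the server travels out in VLAN 10 but the router's reply comes back in VLAN 1; a real switch only forwards that reply correctly if it learns MAC addresses across VLANs (often called asymmetric VLAN or shared VLAN learning), so confirm your switch supports that before relying on this design. Second, a tagged frame is dropped on any port that is not a member of its VLAN, which is why a VLAN-aware host on the wrong port cannot simply tag its way into the VoIP VLAN.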
Mapping your network is a big part of the planning. The SRW lets you name the device on each port, which is time well spent when you're troubleshooting later. I took a few minutes and wrote down which devices in my LAN were going to be plugged into which physical port on the switch. I then configured the SRW with a recognizable name for each port in the Description field of the Port Management menu (Figure 6), making it easier to see what was where.