Virtual Local Area Networks (VLANs) are commonly used to organize and segment networks. Originally, VLANs were developed to break up broadcast domains so that hosts' network cards were not overloaded processing (or dropping) broadcast packets meant for other hosts. Today, however, VLANs are useful for much more than splitting up broadcast domains.
Internal segmentation is the biggest reason to use VLANs. For example, we recommend separate VLANs for guest wireless, internal wireless, servers, and end-user computers. This segmentation limits the damage if one VLAN is breached (a compromised host or a malware infection), because traffic between VLANs has to pass through a router or firewall where it can be filtered, and it gives you better visibility into which traffic is coming from where.
You may also want a VLAN to split an ISP connection in a high-availability (HA) scenario. There are other edge cases where specific applications or configurations require separate VLANs; load balancers, for example, generally perform better when given their own VLAN.
A basic understanding of VLAN tagging (IEEE 802.1Q) is important in a multi-switch environment, because it is what lets the same VLAN on different switches behave as one network. Each frame crossing an inter-switch link carries a 4-byte 802.1Q tag whose VLAN ID records which VLAN the frame belongs to; without the tag, the receiving switch has no way to place the traffic in the corresponding VLAN. Keep in mind that different vendors use different terminology and commands for this same task (one vendor's "trunk" and "access" ports are another's "tagged" and "untagged" port memberships).
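To make the tag concrete, here is an added example (not part of the original article) that builds and parses 802.1Q-tagged Ethernet II frames using only the Python standard library. The MAC addresses, VLAN number and ARP-sized payload in the sample are constructed for the demo.

```python
import struct

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag


def mac(text):
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0, dei=0):
    """Build an Ethernet II frame; insert an 802.1Q tag when vid is given.

    Tag layout (4 bytes, right after the source MAC): TPID 0x8100, then the
    TCI: 3-bit PCP (priority), 1-bit DEI, 12-bit VID. VID 0 means "priority
    tag only" and 4095 is reserved, so usable VLAN IDs are 1..4094.
    """
    if vid is None:
        tag = b""
    else:
        if not 0 <= vid <= 4095:
            raise ValueError("VID must fit in 12 bits")
        tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vid
        tag = struct.pack("!HH", TPID_8021Q, tci)
    return dst + src + tag + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return the header fields; 'vid' is None when the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    pcp = dei = vid = None
    body = 14
    if ethertype == TPID_8021Q:      # tagged: read the TCI, then the real EtherType
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, dei, vid = tci >> 13, (tci >> 12) & 1, tci & 0x0FFF
        body = 18
    return {"dst": dst, "src": src, "vid": vid, "pcp": pcp, "dei": dei,
            "ethertype": ethertype, "payload": frame[body:]}


def strip_tag(frame):
    """What an access port does on egress: drop the tag, keep everything else."""
    p = parse_frame(frame)
    if p["vid"] is None:
        return frame
    return build_frame(p["dst"], p["src"], p["ethertype"], p["payload"])


if __name__ == "__main__":
    # Constructed sample: an ARP broadcast from a host in VLAN 20 with priority 5
    tagged = build_frame(mac("ff:ff:ff:ff:ff:ff"), mac("00:11:22:33:44:55"),
                         0x0806, b"\x00" * 28, vid=20, pcp=5)
    print(tagged[12:16].hex())                    # 8100a014: TPID, then PCP=5 / DEI=0 / VID=20
    print(parse_frame(tagged)["vid"])             # 20
    print(parse_frame(strip_tag(tagged))["vid"])  # None: the host on an access port never sees the tag
```

The four bytes at offset 12 are the whole story: a trunk port keeps them, an access port strips them, and a switch that receives an untagged frame on a trunk has to fall back to a default (the native VLAN) to decide where the frame belongs.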
Most switches out of the box have every port as an untagged member of VLAN 1; in other words, every port can access VLAN 1. An access port is untagged: frames coming in from the attached device are treated as belonging to that port's single VLAN, and the tag is stripped from frames going out, so the device never sees a tag at all. If every port is left as an untagged member of VLAN 1, all of them can talk to each other, which undermines any VLAN segmentation you might have. When connecting two switches together, configure the inter-switch link as a trunk (tagged) port that carries each VLAN you want to extend; that is what lets the untagged traffic local to one switch reach the matching VLAN on the other.
This is why we recommend not using VLAN 1, the default on every switch, for any real traffic. If you do use it, someone can hardwire into any port that was never reconfigured and be on that network. Keeping production traffic off VLAN 1 and shutting down unused ports is good practice, along with ensuring you have good physical security in place.
Take care with your Spanning Tree Protocol (STP). STP protects your network from "loops," in which frames circulate a path endlessly; loops are frequently caused by poor design or simply not knowing where your cables are plugged in. STP elects one switch as the root bridge and blocks the redundant ports that would otherwise complete a loop. Because STP also trusts any switch that announces itself, protect access ports where no switch should ever appear with BPDU guard (or your vendor's equivalent), so that an unexpected bridge gets the port shut down instead of being allowed to reshape your topology.
Another good security practice on the VLAN trunks between switches is to create a "dead" VLAN: an unused VLAN with no access ports in it, which you set as the native VLAN on each trunk. Any frame that arrives on a trunk without a tag is placed in the native VLAN, so with a dead native VLAN an untagged frame goes nowhere instead of landing in VLAN 1 or some other live VLAN. If something odd or unauthorized shows up untagged on a trunk, this is a good stopgap against unintended access.
When connecting multiple switches, make sure the same set of VLANs is allowed, and the same native VLAN is set, on both ends of the trunk. Mismatched trunks are a very frequent cause of traffic silently failing to cross between switches, so be sure to know your trunk configuration.
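As an added example (again not from the original article), the following Python model of two switches joined by a trunk shows why the dead native VLAN and the matching trunk configuration matter. It implements just enough of 802.1Q forwarding to classify an ingress frame into a VLAN, forward it across a trunk, and flood it to access ports; the port names, the VLAN numbers and the choice of 999 as the dead VLAN are assumptions for the demo, and real switches differ in details (some, for instance, accept tagged frames on access ports).

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Port:
    name: str
    mode: str                          # "access" or "trunk"
    vlan: int                          # access VLAN, or native VLAN for a trunk
    allowed: frozenset = frozenset()   # VLANs permitted on a trunk


@dataclass(frozen=True)
class Frame:
    vid: Optional[int]                 # None = untagged on the wire


class Switch:
    def __init__(self, name, ports):
        self.name = name
        self.ports = {p.name: p for p in ports}

    def classify(self, port, frame):
        """Assign an ingress frame to a VLAN; None means the switch drops it."""
        if port.mode == "access":
            return port.vlan if frame.vid is None else None
        vid = port.vlan if frame.vid is None else frame.vid   # untagged -> native VLAN
        return vid if vid in port.allowed else None

    def transmit(self, port, vid):
        """The frame as it leaves `port` for VLAN `vid`, or None if not sent."""
        if port.mode == "access":
            return Frame(None) if port.vlan == vid else None
        if vid not in port.allowed:
            return None
        return Frame(None if vid == port.vlan else vid)      # native VLAN leaves untagged

    def flood(self, in_port, frame):
        """Flood a broadcast/unknown frame; return {port name: egress frame}."""
        vid = self.classify(in_port, frame)
        if vid is None:
            return {}
        out = {}
        for p in self.ports.values():
            if p is not in_port:
                f = self.transmit(p, vid)
                if f is not None:
                    out[p.name] = f
        return out


def cross_trunk(sw_a, a_in, frame, a_trunk, sw_b, b_trunk):
    """Inject `frame` on sw_a's port a_in; return sw_b ports that receive it."""
    a_out = sw_a.flood(sw_a.ports[a_in], frame)
    if a_trunk not in a_out:
        return []
    return sorted(sw_b.flood(sw_b.ports[b_trunk], a_out[a_trunk]))


def trunk_mismatch(a, b):
    """Config drift between the two ends of a trunk (the check to run before blaming STP)."""
    issues = []
    if a.vlan != b.vlan:
        issues.append(f"native VLAN mismatch: {a.vlan} vs {b.vlan}")
    for only, side in ((a.allowed - b.allowed, a.name), (b.allowed - a.allowed, b.name)):
        if only:
            issues.append(f"allowed only on {side}: {sorted(only)}")
    return issues


def scenario_default_native():
    """Factory-style trunks (native VLAN 1) plus a forgotten port left on VLAN 1."""
    allowed = frozenset({1, 10, 20})
    sw1 = Switch("sw1", [Port("g1", "access", 1), Port("t1", "trunk", 1, allowed)])
    sw2 = Switch("sw2", [Port("t1", "trunk", 1, allowed),
                         Port("g1", "access", 1), Port("g2", "access", 10)])
    # Someone hardwires into sw1 g1 and sends an untagged frame: it rides the
    # trunk untagged, lands in native VLAN 1 on sw2 and reaches sw2's VLAN 1 port.
    return cross_trunk(sw1, "g1", Frame(None), "t1", sw2, "t1")        # -> ['g1']


def scenario_dead_native():
    """Same topology with native VLAN moved to unused VLAN 999 and no ports in VLAN 1."""
    allowed = frozenset({10, 20, 999})
    sw1 = Switch("sw1", [Port("g1", "access", 10), Port("t1", "trunk", 999, allowed)])
    sw2 = Switch("sw2", [Port("t1", "trunk", 999, allowed),
                         Port("g1", "access", 10), Port("g2", "access", 20)])
    stray = sorted(sw2.flood(sw2.ports["t1"], Frame(None)))          # untagged on the trunk -> []
    normal = cross_trunk(sw1, "g1", Frame(None), "t1", sw2, "t1")     # VLAN 10 still works -> ['g1']
    return stray, normal


def scenario_trunk_mismatch():
    """VLAN 30 allowed on sw1's trunk but not sw2's: its frames die at sw2's ingress."""
    sw1 = Switch("sw1", [Port("g1", "access", 30),
                         Port("t1", "trunk", 999, frozenset({10, 20, 30, 999}))])
    sw2 = Switch("sw2", [Port("t1", "trunk", 999, frozenset({10, 20, 999})),
                         Port("g1", "access", 30)])
    return cross_trunk(sw1, "g1", Frame(None), "t1", sw2, "t1")        # -> []
```

Run the three scenarios in order: with the defaults, an untagged frame from any forgotten port ends up in VLAN 1 on the far switch; with a dead native VLAN, a stray untagged frame on the trunk is classified but has no port to go to, while tagged production VLANs still cross; and with an allowed-list mismatch the traffic simply vanishes, which is exactly the symptom trunk_mismatch() is there to catch.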
Finally, there is such a thing as too many VLANs. While you will most likely need several in order to segment your network and add some security, getting too granular with your VLANs adds administrative burden on your IT personnel that is not necessary.