A Virtual Local Area Network (VLAN) is a logical grouping of devices that share one broadcast domain and can all talk to one another over the network. In the simplest terms, a VLAN is a private sub-network to which trusted users can be added. Those users and devices usually work together in one company division (finance, for example). A VLAN is meant to provide network segmentation so that rapidly spreading malware cannot impact the entire organization if a single breach or infection occurs. VLANs improve privacy, reduce security risk, allow more flexible network designs, and enable a layered, defense-in-depth approach to protecting the critical and sensitive data in your organization.
The Titanic analogy to VLANs: the Titanic had faulty segmentation. When it struck an iceberg, water filled every compartment in the ship by spilling over the top of each compartment's walls, ultimately sinking it. VLANs and network segmentation, by contrast, are like the watertight doors in a submarine: if one area is breached, that section can be completely sealed off and isolated from the rest of the submarine (or network), preventing it from sinking. Networks can behave the same way through the use of VLANs and segmentation.
Should SMBs use VLANs and network segmentation?
It depends. The smallest SMBs, with no more than a dozen workstations and perhaps one server, can get away with a single flat network. The exception is your trusted and untrusted (guest) WiFi networks, which should be segmented from each other even in an SMB of this size.
Larger SMBs, however, should consider network segmentation between office locations, and potentially within an office between discrete business groups such as Accounting, Finance, Development, and Support (in addition to trusted and guest WiFi). In the end, network segmentation is a powerful tool for slowing hackers down before they compromise your entire network and sink your business.
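As an added illustration (not part of the original page or of any CCNA material), the following Cisco IOS configuration shows what the segmentation described above looks like on a single Layer-3 switch in one office: one VLAN per business group, separate trusted and guest WiFi VLANs, and a filter so guest traffic can reach the Internet but nothing inside. The VLAN IDs, names, subnets, access-list name and interface numbers are all assumptions chosen for the example.

```cisco
! Added example, not from the page: one office carved into VLANs per the text.
! VLAN IDs, names, subnets and interface numbers are illustrative assumptions.
!
! One VLAN per trust boundary: business groups plus trusted and guest WiFi.
vlan 10
 name FINANCE
vlan 20
 name DEVELOPMENT
vlan 30
 name WIFI-TRUSTED
vlan 40
 name WIFI-GUEST
vlan 999
 name PARKED
!
! Access port: each workstation lands in exactly one broadcast domain.
interface GigabitEthernet1/0/1
 description Finance workstation
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
! Unused ports sit in the parked VLAN and are shut, so an open jack is not a way in.
interface range GigabitEthernet1/0/20 - 24
 switchport mode access
 switchport access vlan 999
 shutdown
!
! Trunk to the wireless access point: carry only the two WiFi VLANs, and use an
! otherwise unused native VLAN so untagged frames never land in a production VLAN.
interface GigabitEthernet1/0/48
 description Uplink to wireless AP
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 30,40
 switchport trunk native vlan 999
 switchport nonegotiate
!
! Guest WiFi may reach the Internet but no internal (RFC 1918) address space.
ip access-list extended GUEST-IN
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any
!
! Routed gateway for each VLAN; the guest gateway applies the filter inbound,
! so an infected guest device cannot even begin a conversation with Finance.
interface Vlan10
 description Finance gateway
 ip address 10.0.10.1 255.255.255.0
!
interface Vlan40
 description Guest WiFi gateway
 ip address 10.0.40.1 255.255.255.0
 ip access-group GUEST-IN in
!
ip routing
```

The point of the example is that VLAN membership alone only separates broadcast domains; it is the access list on the routed interface that turns the separation into the "sealed compartment" of the submarine analogy. The `switchport trunk encapsulation dot1q` line is required on Catalyst models that also support ISL and is rejected on models that only speak 802.1Q, so drop it if your platform refuses it.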
Related Term: Virtual Private Network
Source: CCNA