17 01/09
6:37 pm

Segmenting your corporate network with VLANs


I’ve seen many corporate networks fail to observe the simplest rules of networking. Often, administrators try to buy their way out of a problem (more bandwidth for VoIP, for example) instead of using networking technology they already own.

In today’s post, I will discuss the segmentation of a corporate network using VLANs.

A VLAN lets you create a virtual LAN without making any physical changes to your network. In the old days, this was accomplished by adding more hardware switches and cabling to separate the various parts of your network. Nowadays, VLAN tagging, defined by the IEEE 802.1Q standard, can be configured on almost every managed switch (e.g. HP ProCurve, SMC TigerSwitch, 3Com SuperStack, NetGear FSM series).

There are many advantages to segmenting your corporate network. If your company uses VoIP phones, putting them on their own VLAN lets you apply simple QoS (quality of service) to that VLAN (the 802.1Q tag carries a 3-bit priority field for exactly this purpose), so you can reserve bandwidth for calls and therefore protect call quality. Another advantage is the ability to “hide” sensitive computers and servers (accounting and finance databases) from the rest of the network: a host on another VLAN cannot reach them at layer 2, and whatever routes between the VLANs (a router or layer-3 switch) becomes the one place where access rules must be enforced. Keep in mind that a VLAN by itself is a separate broadcast domain, not a firewall; if the router passes everything, the “hidden” servers are simply on a different subnet. If you experience choppy calls on your VoIP phones, the problem can be made to go away by adding more bandwidth to the internal or external network, but that is only a temporary fix: as your network and needs grow, the same problem will re-appear. With VLANs and QoS, these problems can be almost entirely mitigated even as the network grows. Depending on the size of your network, the cost of upgrading to managed switches can be much lower than the cost of upgrading your external bandwidth.

Each VLAN is identified by a VLAN ID, a number from 1 to 4094 (the field in the tag is 12 bits wide; 0 and 4095 are reserved), carried in the 802.1Q tag of each frame. On a managed switch you configure, per port, which VLAN an untagged frame is assigned to (the port’s default or native VLAN, often called the PVID) and which tagged VLANs the port accepts. In a basic setup, I would dedicate VLAN 100 to management (routers, switches and admin computers), VLAN 200 to VoIP phones, and VLAN 300 to office PCs.

For each VLAN, a switch port can be set to one of three options: tagged, untagged, or non-member. Here’s an example: a VoIP phone is plugged into port 5. Most VoIP phones also have an RJ45 jack for a computer. Phones that follow the 802.1Q standard can be configured with a pre-defined VLAN tag (set manually or learned from the switch via LLDP-MED or CDP). In our case, we’ll assign them to VLAN 200. Assuming VLAN 200 is dedicated to VoIP, port 5 on the switch would be configured ‘tagged’ on VLAN 200, ‘untagged’ on VLAN 300 and ‘non-member’ on VLAN 100. This means the phone always communicates tagged on VLAN 200, the computer behind it sends untagged frames that land in VLAN 300, and neither device can communicate on VLAN 100: a frame arriving on port 5 with a VLAN 100 tag is dropped because the port is not a member of that VLAN. This is a simple setup, but it shows one way of segmenting a corporate network.

On that network, it would be simplest to leave every port untagged on VLAN 300 and to tag VLAN 200 on every port that has a VoIP phone. Your phone system server (Asterisk, Avaya, etc.) needs to talk to the admin computers and to all the phones, so its port is tagged on VLAN 200, tagged on VLAN 100 and a non-member of VLAN 300. Since every frame on that port then carries a tag, the server’s NIC needs an 802.1Q sub-interface for each of those VLANs.
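To make the tagged/untagged/non-member rules above concrete, here is an added example (not code from the original post, and not any switch vendor’s implementation): it encodes and decodes the 4-byte 802.1Q tag, then models a switch port’s ingress and egress decisions and runs the post’s scenarios through it: the phone on port 5 tagging VLAN 200, the PC behind it sending untagged, a PC trying to tag itself into VLAN 100, and the phone server’s port that is a non-member of VLAN 300. The MAC addresses, port numbers and payloads are constructed for illustration.

```python
"""802.1Q tagging and switch-port VLAN membership, modelled in Python.

Added example, not code from the original post. MAC addresses, port
numbers and payloads below are constructed for illustration.
"""
import struct

TPID_8021Q = 0x8100  # Tag Protocol Identifier; in the EtherType position it marks a tagged frame


def encode_tag(vid, pcp=0, dei=0):
    """Return the 4-byte tag: TPID, then TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits)."""
    if not 1 <= vid <= 4094:            # 0 and 4095 are reserved by the standard
        raise ValueError("VID must be 1..4094")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP is 0..7, DEI is 0 or 1")
    return struct.pack("!HH", TPID_8021Q, (pcp << 13) | (dei << 12) | vid)


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Ethernet II frame; the tag, if any, sits between the source MAC and the EtherType."""
    tag = encode_tag(vid, pcp) if vid is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return dst, src, vid/pcp (None when untagged), ethertype and payload."""
    dst, src = frame[:6], frame[6:12]
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid == TPID_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        (ethertype,) = struct.unpack("!H", frame[16:18])
        return {"dst": dst, "src": src, "vid": tci & 0x0FFF, "pcp": tci >> 13,
                "ethertype": ethertype, "payload": frame[18:]}
    return {"dst": dst, "src": src, "vid": None, "pcp": None,
            "ethertype": tpid, "payload": frame[14:]}


class SwitchPort:
    """One port's membership: a set of tagged VLANs plus at most one untagged
    VLAN (the PVID). A VLAN in neither is 'non-member' on this port."""

    def __init__(self, name, tagged=(), untagged=None):
        self.name, self.tagged, self.untagged = name, set(tagged), untagged

    def ingress(self, frame):
        """Classify a received frame into a VLAN ID, or None to drop it."""
        vid = parse_frame(frame)["vid"]
        if vid is None:
            return self.untagged                        # untagged frame takes the PVID (dropped if none)
        return vid if vid in self.tagged else None      # a tagged frame must name a tagged member VLAN

    def egress(self, vid, frame):
        """Rewrite a frame already classified into `vid` for this port, or None if non-member."""
        f = parse_frame(frame)
        if vid == self.untagged:                        # untagged member: send without a tag
            return build_frame(f["dst"], f["src"], f["ethertype"], f["payload"])
        if vid in self.tagged:                          # tagged member: send tagged, priority kept
            return build_frame(f["dst"], f["src"], f["ethertype"], f["payload"], vid, f["pcp"] or 0)
        return None                                     # non-member: this VLAN never leaves the port


def forward(in_port, out_port, frame):
    """Single-switch forwarding: classify on ingress, then rewrite for egress."""
    vid = in_port.ingress(frame)
    return None if vid is None else out_port.egress(vid, frame)


# The post's layout: VLAN 100 management, VLAN 200 VoIP, VLAN 300 office PCs.
PORT_5 = SwitchPort("5", tagged={200}, untagged=300)   # phone with a PC behind it
PORT_ADMIN = SwitchPort("1", untagged=100)             # admin workstation
PORT_PBX = SwitchPort("12", tagged={100, 200})         # phone server; non-member of 300

PHONE, PC, ADMIN, PBX = (bytes([0x02, 0, 0, 0, 0, n]) for n in range(1, 5))  # constructed MACs
IPV4 = 0x0800


def demo():
    """Run the scenarios from the text and return what each one yields."""
    voice = build_frame(PBX, PHONE, IPV4, b"rtp", vid=200, pcp=5)  # phone tags its own traffic
    data = build_frame(PBX, PC, IPV4, b"http")                      # PC sends untagged
    hop = build_frame(PBX, PC, IPV4, b"ssh", vid=100)               # PC tries to tag itself into mgmt
    admin = build_frame(PBX, ADMIN, IPV4, b"ssh")                   # admin PC, untagged on its port
    from_pbx = build_frame(PHONE, PBX, IPV4, b"sip", vid=200)       # server uses its VLAN 200 sub-interface
    return {
        "phone_to_pbx": parse_frame(forward(PORT_5, PORT_PBX, voice)),   # tagged 200, PCP 5 preserved
        "pc_to_pbx": forward(PORT_5, PORT_PBX, data),                    # None: server port is non-member of 300
        "pc_tags_mgmt": PORT_5.ingress(hop),                             # None: dropped at ingress
        "admin_to_pbx": parse_frame(forward(PORT_ADMIN, PORT_PBX, admin)),  # leaves tagged 100
        "pbx_to_phone": parse_frame(forward(PORT_PBX, PORT_5, from_pbx)),   # leaves port 5 tagged 200
        "mgmt_to_pc_port": PORT_5.egress(100, admin),                    # None: port 5 is non-member of 100
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", "dropped" if result is None else result)
```

The model is deliberately conservative: a tagged frame whose VID is the port’s own untagged VLAN is dropped, whereas some switches accept it. Note also that the drop of the self-tagged VLAN 100 frame is exactly what the ‘non-member’ setting buys you; it does nothing for a frame that is untagged and so lands in the PVID, which is why the admin VLAN should never be a port’s untagged VLAN on a user-facing port.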

This gets a bit more complicated once you add multiple switches (the links between switches must carry every VLAN tagged), but the idea remains the same. Segmentation improves security, makes devices easier to manage, and extends your network’s capabilities so that technology such as QoS can be applied.

If you have any questions, please write them in the comments below and I’ll try to answer as best I can. I will be more than happy to write another detailed post with real-world examples, as well as diagrams explaining how all this works.
