VLANs: Why You Need Them and How They Work (Part 1)







Guest Network Teen Wi-Fi Photo
VLANs, or Virtual Local Area Networks, are one of the most powerful, most misunderstood and underutilized, tools for Wi-Fi networks in the private homes and small-to-medium-businesses. This post provides a practical guide as to why and how you should use VLANs.


What are VLANs?

At its simplest, VLANs enable you to transform one physical Local Area Network into multiple, isolated, logical Local Area Networks. VLANs give you multiple LANs with different purposes and intents that are co-located physically, without the expense of additional hardware and cabling. This is extremely useful even for small network applications, especially with the growth of IoT and the proliferation of network appliances measuring and controlling our environment.

Take the “simplest” case of a private home. Even when you only need a single access point to provide Wi-Fi coverage, there are, at least, two distinct and isolated networks needed.

  • For the residents, allowing access to all PCs, network printers, multimedia devices such as AppleTV or SONOS, IP cameras, NEST thermostats, and the like.
  • For guests, that allows Internet access, yet keeps the primary network secure. The homeowner undoubtedly doesn’t want their teenager’s friends, for instance, to hack any of the computers or network appliances in the home.
In more complex SMB applications such as coffee shops, restaurants, doctors’ offices, and multi-dwelling units (apartment buildings, dormitories, hotels), at least two distinct and isolated networks are needed.

  • For business staff for operations, such as point-of-sale, IP surveillance, access control, HVAC control, multimedia, etc.
  • For the businesses’ customers or visitors, which allows Internet access but not access to any network devices used for operations.
Most Wi-Fi networks need to be segmented, at least, into an operations network and a visitor network, with separate access and usage parameters.

Operations:

  • Access: Restricted to authorized personnel.
  • Data: Company confidential (e.g., especially financial and security data).
  • Security: For a small network, a WPA2-AES Pre-Shared Key provides sufficient security (i.e., a wireless client must know the code to connect). In larger setups, using 802.1x with RADIUS may be appropriate.
  • Device Interaction: Client devices should be able to communicate with each other.
  • Further Segmentation: In some environments, breaking up the operations network into multiple VLANs by function is appropriate, especially to separate out applications like security (i.e., cameras and access control), facilities (HVAC, lighting control), and VoIP.

Visitors:

  • Access: Unrestricted. Also commonly called a “hotspot.”
  • Data: Guest/user data.
  • Security: Typically no encryption is used to facilitate access, though a captive portal may or may not be used to capture email/social media information or set out terms and conditions.
  • Device Interaction: Not permitted. (For example, you don’t want a hotel guest hacking into a device in a different room).


Why a Password on Guest Wi-Fi Doesn’t Increase Data Security

A note on security for visitor/hotspot networks: I keep encountering “visitor” networks that require a WPA2-AES pre-shared key. This is actually quite pointless, and creates a false sense of security. The logic of using a pre-shared key is that a hacker sniffing unencrypted radio frequency transmissions can intercept data traffic. That is true. Unfortunately, using pre-shared key encryption doesn’t solve the problem.

A hacker that has the pre-shared key and who captures the association exchange (which is unencrypted) between a client device and an access point when it connects to the network can use the collective information to decrypt the client device traffic. Furthermore, most security issues on visitor/hotspot networks do not require sniffing the radio frequency, but come from the “wired side” of the network.

Wi-Fi encryption only occurs between the client device and the access point, as the AP decrypts all data traffic before passing it on to the wired network infrastructure. If client isolation on the network is not set up properly (an all-too-common problem), a wireless hacker can simply connect to another wireless client device through the wired network.

So the only thing a WPA2-AES pre-shared key really provides is increased work for the staff, who have to give out the passphrase to all of the visitors. If you want to remain secure when using a hotspot/visitor network, make sure you are using application level security, such as https for web surfing and SSL for your email service. Personal or corporate VPNs are also appropriate and effective.

Many consumer wireless router appliances, such as the EnGenius ESR series, and enterprise wireless access points, such as most EnGenius APs in the EAP/ECB/ENS/ENH/EWS series, come with the ability to set up a “guest network” with a separate subnet and DHCP range. This allows the access point to create a Layer 3 (IP) barrier between the guest network and the operations network to isolate them from each other. Why not use this instead of a VLAN?

This feature is only appropriate for single AP networks. On networks consisting of multiple APs, this configuration prevents roaming between APs since each is creating a separate stand-alone guest network. Any client attempting to roam on the “guest network” will have to re-establish a Layer 3 connection, thus interrupting any streaming applications. So on multi-AP networks, VLANs should always be used to provide visitor/guest networking.

To learn more about VLANs, join us TechTalk: VLAN Fundamentals
March 9 at 10 am PST
Register



Editor’s Note:  This post was originally published in June 2015 and has been updated.