Shane Currie's Blog




No, the cloud does not make VLANs obsolete, here is why.

23/08/25 by Mr Shane Currie | Sole Trader - Shanes Computing, Networking and Cyber Security

A common misconception among network administrators is that the cloud has made local VLANs (Virtual Local Area Networks) obsolete. This short article cuts through the technical jargon with a few simple analogies to put that misconception to rest.

A VLAN is a logically separated part of your network. To explain it with a simple analogy, imagine a box of fruit; this box is your local internal network, and it contains bananas and apples. The VLAN is like a divider within the box that keeps your apples separate from your bananas. The fruit in this analogy are data packets, and keeping your fruit separated within the box has many benefits, which we will get to shortly.

The same idea applies at the cloud level and at the local level. Imagine a water treatment plant that keeps drinking water separate from sewage (much like cloud products such as AWS VPCs, Azure VNets and the subnets inside them keep networks separate). When the plant sends water to your home, the plumbing inside your home still keeps your drinking water separate from your sewage (much like a local VLAN keeps traffic separate within your internal network). One does not replace the other: the plant does its job upstream, and your own plumbing does its job on your premises.

Regarding data flow: on copper, data rides on voltage changes in the wire; on fibre, on pulses of light. Carried on top of that are Ethernet frames, and some of those frames are broadcasts. The most common broadcast is the ARP request, which a device sends to every other device in its broadcast domain to find out which MAC address owns a given IP address. On a large flat network every ARP request reaches every device, and that background chatter adds up to congestion. A VLAN is its own broadcast domain, so broadcasts stay inside the VLAN they started in, which reduces congestion and also limits which devices can see (or answer) those requests. An analogy: picture the link between your business and the cloud as a superhighway, and your internal network as a gated suburb. Traffic flows freely down the highway, but the local chatter about who lives at which address stays inside the suburb. The gates (the VLAN boundary) stop that chatter spilling out, and stop outsiders wandering in except through the gate, where they can be checked. That keeps your streets clear and adds a layer of protection against unwanted traffic.
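To make the "gated suburb" concrete, here is an added example (written for this article, not code from the original post): it builds and parses IEEE 802.1Q tagged Ethernet frames and pushes an ARP broadcast through a toy VLAN-aware switch, showing that the broadcast is only flooded to ports in the same VLAN and leaves the switch tagged on the trunk. The MAC addresses, IP addresses, port names (Gi0/1 etc.) and VLAN numbers are constructed sample values, and the switch model is a simplification (no native VLAN, no spanning tree).

```python
# Added example (not the author's code): 802.1Q frame build/parse plus a toy
# VLAN-aware switch. All MACs, IPs, port names and VLAN IDs are constructed.
import struct

ETHERTYPE_8021Q = 0x8100   # TPID that marks a tagged frame
ETHERTYPE_ARP = 0x0806
BROADCAST_MAC = b"\xff" * 6


def build_tagged_frame(dst, src, vid, pcp, ethertype, payload):
    """Ethernet II frame with an 802.1Q tag inserted after the two MAC addresses.
    The 16-bit TCI is PCP (3 bits, priority) | DEI (1 bit) | VID (12 bits)."""
    if not (0 <= vid <= 4095 and 0 <= pcp <= 7):
        raise ValueError("VID must be 0..4095 and PCP 0..7")
    tci = (pcp << 13) | vid
    return dst + src + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype) + payload


def build_untagged_frame(dst, src, ethertype, payload):
    """Plain Ethernet II frame, as seen on an access port."""
    return dst + src + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vid, pcp, ethertype, payload); vid and pcp are None if untagged."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETHERTYPE_8021Q:
        tci, inner = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, tci >> 13, inner, frame[18:]
    return dst, src, None, None, ethertype, frame[14:]


def arp_request(sender_mac, sender_ip, target_ip):
    """RFC 826 'who-has' payload: hardware Ethernet, protocol IPv4, opcode 1."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
            + sender_mac + sender_ip + bytes(6) + target_ip)


class VlanSwitch:
    """Toy VLAN-aware switch. Each access port belongs to one VLAN and carries
    untagged frames; the trunk port carries every VLAN with 802.1Q tags. The MAC
    table and flooding are keyed by VLAN, so each VLAN is its own broadcast domain."""

    def __init__(self, access_ports, trunk_port):
        self.access = dict(access_ports)   # port name -> VLAN ID
        self.trunk = trunk_port
        self.mac_table = {}                # (vid, mac) -> port it was learned on

    def forward(self, in_port, frame):
        """Return {egress_port: frame as transmitted} for one received frame."""
        dst, src, vid, pcp, ethertype, payload = parse_frame(frame)
        if in_port == self.trunk:
            if vid is None:
                return {}   # simplification: no native VLAN, untagged on trunk is dropped
        else:
            if vid is not None:
                return {}   # simplification: tagged frames arriving on an access port are dropped
            vid, pcp = self.access[in_port], 0
        self.mac_table[(vid, src)] = in_port
        known = self.mac_table.get((vid, dst))
        if dst == BROADCAST_MAC or known is None:
            # Flood, but only out of ports that are members of this VLAN.
            targets = [p for p, v in self.access.items() if v == vid and p != in_port]
            if in_port != self.trunk:
                targets.append(self.trunk)
        else:
            targets = [] if known == in_port else [known]
        out = {}
        for port in targets:
            if port == self.trunk:
                out[port] = build_tagged_frame(dst, src, vid, pcp, ethertype, payload)
            else:
                out[port] = build_untagged_frame(dst, src, ethertype, payload)
        return out


def demo():
    """Constructed topology: Sales is VLAN 10 on Gi0/1-2, Finance is VLAN 20 on
    Gi0/3-4, and Gi0/24 is the trunk towards the core. A Sales PC ARPs for its
    gateway; the broadcast must reach Gi0/2 and the trunk, but never Finance."""
    sw = VlanSwitch({"Gi0/1": 10, "Gi0/2": 10, "Gi0/3": 20, "Gi0/4": 20}, "Gi0/24")
    sales_pc = bytes.fromhex("02aa00000001")
    who_has = arp_request(sales_pc, bytes([10, 0, 10, 25]), bytes([10, 0, 10, 1]))
    frame = build_untagged_frame(BROADCAST_MAC, sales_pc, ETHERTYPE_ARP, who_has)
    out = sw.forward("Gi0/1", frame)
    trunk_vid = parse_frame(out["Gi0/24"])[2]   # the copy on the trunk carries VID 10
    return {"ports": sorted(out), "trunk_vid": trunk_vid}


if __name__ == "__main__":
    print(demo())
```

The point to take from `demo()` is that the Finance ports never receive the Sales broadcast, and the only copy that leaves the switch is tagged with VID 10 so the next switch along the trunk can make the same decision. The PCP bits in the same tag are what a voice VLAN uses for priority later in this article.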

Regarding the benefits of segregation: traffic can be separated by area of your business, for example the accounts department, the sales department, or the company's VoIP telephone system. Separating that traffic improves the quality of local traffic flow to those areas and fixes various issues caused by congestion, such as customers complaining about poor audio quality when they call your business. A voice VLAN also lets the switch prioritise the calls: the 802.1Q tag carries a 3-bit priority field (the PCP, or class of service), and switches use it to put voice frames ahead of bulk data when a link is busy.

VLANs can be configured on Layer 2 or Layer 3 switches. A Layer 2 switch can create and isolate VLANs, while a Layer 3 switch can also route traffic between them. On most managed switches this means defining the VLAN, assigning access ports to it, carrying several VLANs over one trunk link using 802.1Q tags, and, on a Layer 3 switch, giving each VLAN a routed interface. Think of your switch as a traffic controller: at Layer 2 it keeps voice traffic in its own lane, while at Layer 3 it can move traffic from one lane into another when needed.

But that's not all: this traffic controller can also act like a security guard. Say you want to restrict access to your financial systems to an isolated part of your company network. Once Finance is in its own VLAN, every packet from another VLAN has to pass through the Layer 3 switch (or a firewall) to get there, and that is where an access control list can block unauthorised packets from entering that lane. This helps contain malware outbreaks and stops lateral movement by an attacker. Imagine someone in Sales falls victim to a phishing scam and gives a criminal remote access to their computer. Without segmentation, the attacker could pivot straight into your financial systems. With VLAN segregation and an access list on the boundary, the attack is contained: the criminal is stuck in Sales and cannot reach the more sensitive areas of your network. One caveat worth stating plainly: the VLAN on its own only separates the lanes. If the Layer 3 switch routes between VLANs with no access list, the attacker's packets are simply routed across, so the rules applied at the boundary are what actually do the containing.
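The following is an added example (written for this article, not code from the original post) of the boundary rules described above: a stateless, first-match access control list of the kind a Layer 3 switch or firewall applies to packets crossing from one VLAN into another, evaluated against the phished Sales PC trying to pivot into Finance. The subnets (Sales 10.0.10.0/24, Finance 10.0.20.0/24), the admin jump host 10.0.99.10, the expense portal 10.0.20.50 and the rules themselves are constructed sample values.

```python
# Added example (not the author's code): first-match ACL at a VLAN boundary.
# Subnets, hosts, ports and rules are constructed sample values.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # CIDR; "0.0.0.0/0" means any source
    dst: str                     # CIDR; "0.0.0.0/0" means any destination
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None means any destination port

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))


def evaluate(acl, pkt):
    """First matching rule wins. An ACL that matches nothing denies (the implicit
    deny at the end of the list, as on most vendors' switches). acl=None models a
    Layer 3 switch with no access list at all: it just routes, so everything passes."""
    if acl is None:
        return "permit"
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Applied to traffic heading INTO the Finance VLAN. Only two things are allowed in
# from outside: RDP from the admin jump host, and HTTPS to the expense portal.
# The final deny is explicit so it is visible in the rule set and its hit counter.
FINANCE_INBOUND = [
    Rule("permit", "10.0.99.10/32", "10.0.20.0/24", "tcp", 3389),
    Rule("permit", "0.0.0.0/0", "10.0.20.50/32", "tcp", 443),
    Rule("deny", "0.0.0.0/0", "10.0.20.0/24"),
]

# Constructed sample traffic, including the phished Sales PC trying to pivot.
SAMPLES = {
    "sales_pc_smb_to_finance_server": Packet("10.0.10.25", "10.0.20.10", "tcp", 445),
    "sales_pc_rdp_to_finance_server": Packet("10.0.10.25", "10.0.20.10", "tcp", 3389),
    "sales_pc_https_to_expense_portal": Packet("10.0.10.25", "10.0.20.50", "tcp", 443),
    "jump_host_rdp_to_finance_server": Packet("10.0.99.10", "10.0.20.10", "tcp", 3389),
}


def pivot_attempts(acl):
    """Verdict for every sample packet under the given ACL (or under no ACL)."""
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in pivot_attempts(None).items():
        print(f"no ACL    {name:34} {verdict}")
    for name, verdict in pivot_attempts(FINANCE_INBOUND).items():
        print(f"with ACL  {name:34} {verdict}")
```

Run with no ACL, every pivot attempt from the Sales PC is permitted, because a Layer 3 switch that routes between VLANs does exactly that unless told otherwise; with `FINANCE_INBOUND` applied, only the jump host's RDP and the portal's HTTPS get through. This model is stateless and only looks at one direction; a real deployment normally uses a stateful firewall (or reflexive ACLs) so that replies to permitted sessions are allowed back without opening the reverse direction.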

I conclude that the cloud does not make local VLANs obsolete (the cloud, after all, is just someone else's computer on someone else's network). Your business can still benefit from local VLANs; for reference, IEEE 802.1Q, the standard that defines VLAN tagging, is still current and is supported by virtually every managed switch on the market. If the change is planned properly, the downtime to introduce a VLAN is minimal: minutes, not hours. The network engineers write out the new configuration, apply it (on most switches a configuration change takes effect without a reboot), move the relevant ports into the new VLAN, and hey presto, your business has a better quality VoIP telephone service and enhanced network security through defense in depth. The one piece of preparation to remember is that devices moved into a new VLAN land in a new subnet, so the DHCP scope and the access list or firewall rules for that VLAN need to exist before the ports are moved.