I hadn’t heard much about VLANs until the last few days, when our security pen testers mentioned possibly implementing some VLAN segmentation to control our traffic and manage groups of users. Since then I’ve been attempting to research them with mixed luck. My best lead is a technical article from Intel.
I have decided that VLANs don’t really truly segregate people into separate groups, but rather separate (layer 3, I think it is) broadcast traffic that simply does not need to be read by every workstation. It is much like 5 years ago with the big push away from “chatty” hubs into actual switches that were much more private with their information. Broadcast traffic adds a decent amount of traffic to most networks of decent sizes, especially when you factor in some variables like wireless traffic or VOIP traffic.
Anyway, I’m still researching this, and I think the best way to truly segregate users (I have developers in mind, who tend to want the most freedom with their computers coupled with the least security) would be to create VLANs, create their own subnets, and then plop a firewall between their VLAN and the rest of the network space. But…that’s just my initial understanding. I’ll post more links to information as I find them.
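To make the “VLAN, own subnet, firewall in between” idea concrete, here is an added example of what that looks like on a Linux router sitting between a developer VLAN and the rest of the network. It is not from the original post or from the Intel article; every value in it is an assumption: trunk interface `eth0`, developer VLAN ID 20 on subnet 10.20.0.0/24, a corporate network of 10.0.0.0/16, and two services developers are allowed to reach (tcp/22 on 10.0.1.10 and tcp/443 on 10.0.1.20). With `DRY_RUN=1` the script only prints the commands it would run, so the plan can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the original post). A Linux box acting as the
# router/firewall between a developer VLAN and the rest of the network.
# All interface names, VLAN IDs and addresses below are placeholders.

TRUNK_IF="eth0"             # assumed trunk port carrying tagged VLANs
DEV_VLAN_ID="20"            # assumed developer VLAN
DEV_IF="${TRUNK_IF}.${DEV_VLAN_ID}"
DEV_SUBNET="10.20.0.0/24"   # assumed developer subnet
DEV_GW="10.20.0.1/24"       # this box's address inside the developer VLAN
CORP_NET="10.0.0.0/16"      # assumed rest-of-company address space
# "destination port" pairs developers may reach on the corporate side
# (assumed: a git server over SSH and an internal HTTPS service)
ALLOWED_RULES="10.0.1.10 22
10.0.1.20 443"

# Print each command instead of running it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

plan_dev_vlan() {
    # 1. Tagging: a VLAN sub-interface on the trunk that only sees VLAN 20.
    run ip link add link "$TRUNK_IF" name "$DEV_IF" type vlan id "$DEV_VLAN_ID"
    run ip addr add "$DEV_GW" dev "$DEV_IF"
    run ip link set "$DEV_IF" up

    # 2. Routing: the only path from 10.20.0.0/24 to the rest of the
    #    network is through this box, so it has to forward.
    run sysctl -w net.ipv4.ip_forward=1

    # 3. Firewalling the routed traffic. The forward chain defaults to
    #    DROP, so anything not listed below cannot cross the VLAN boundary.
    run nft add table inet devfw
    run nft add chain inet devfw forward \
        '{ type filter hook forward priority 0; policy drop; }'
    # replies to connections that were allowed in either direction
    run nft add rule inet devfw forward ct state established,related accept
    # the explicit allow list, developer VLAN -> corporate services
    printf '%s\n' "$ALLOWED_RULES" | while read -r dst port; do
        run nft add rule inet devfw forward iifname "$DEV_IF" \
            ip saddr "$DEV_SUBNET" ip daddr "$dst" tcp dport "$port" accept
    done
    # everything else from the developer VLAN toward the company is logged
    # and dropped (the LAN -> developer direction falls to the chain policy)
    run nft add rule inet devfw forward iifname "$DEV_IF" \
        ip daddr "$CORP_NET" log prefix '"devvlan-drop "' drop
}

# Usage: `sh devvlan.sh plan` prints the commands; `sudo sh devvlan.sh apply`
# runs them. With no argument the script only defines the functions.
case "${1:-}" in
    plan)  DRY_RUN=1; plan_dev_vlan ;;
    apply) plan_dev_vlan ;;
esac
```

Note what this does and does not control: two developer workstations in VLAN 20 talk to each other through the switch and never touch this box, so nothing here filters intra-VLAN traffic. The VLAN tag only decides which broadcast domain a port lands in; the routing hop plus the default-drop forward chain is what actually restricts what developers can reach on the rest of the network.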