VLANs or Virtual LANs are another way of implementing network security by controlling broadcast traffic. Since network broadcasts are used by ARP to match up MAC and IP addresses, if you control broadcast traffic, you control the ability of devices to communicate.
Most smart switches allow you to set up VLANs either based on physical ports or using the 802.1Q protocol. 802.1Q adds VLAN information to packets so that VLANs can be created across multiple switches and even subnets. For single-switch LANs, you can use port-based VLANs, as shown in Figure 4. Note that VLANs don't create multiple subnets, so all devices will still be on whatever subnet your router's DHCP server assigns.
Figure 4: Setting up port-based VLANs
Using port-based VLANs, it's simple to set up a "Guest" VLAN that allows Internet access, but no access to other LAN clients. Unfortunately, the GS108T's GUI shows VLAN membership for only one VLAN ID at a time. So Figure 5 is actually a composite that I created from two screenshots.
Figure 5: Guest VLAN port assignment
The "Guest" port 4 and the switch uplink port 8 (which connects out to my LAN's router) are assigned to VLAN 2 and port 4 is also removed from VLAN 1. Since the uplink port is a member of both VLANs, the computer connected to port 4 can connect out to the Internet, but can't connect to any devices connected to the other GS108T switch ports.
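The membership rule described above can be checked before a configuration is applied. The following Python sketch is an added example, not part of the original article or of Netgear's software; it assumes a simplified model in which two ports can exchange frames only if they share at least one VLAN, and it assumes the ports the article does not mention stay in the default VLAN 1.

```python
# Simplified model of port-based VLANs (an assumption of this example):
# two switch ports can exchange frames only if they share at least one VLAN.

def reachable_ports(membership, port):
    """Return the set of other ports that share a VLAN with `port`."""
    peers = set()
    for ports in membership.values():
        if port in ports:
            peers |= ports
    peers.discard(port)
    return peers

def audit_guest_isolation(membership, guest_port, uplink_port):
    """Return a list of findings; an empty list means the guest port
    reaches the uplink and nothing else."""
    findings = []
    peers = reachable_ports(membership, guest_port)
    if uplink_port not in peers:
        findings.append(
            f"guest port {guest_port} cannot reach uplink port {uplink_port}")
    for leaked in sorted(peers - {uplink_port}):
        shared = sorted(v for v, ports in membership.items()
                        if guest_port in ports and leaked in ports)
        findings.append(
            f"guest port {guest_port} shares VLAN(s) {shared} with port {leaked}")
    return findings

# The article's layout: guest on port 4, uplink on port 8 of an 8-port switch.
# Ports 1-3 and 5-7 staying in VLAN 1 is an assumption of this example.
ARTICLE_CONFIG = {
    1: {1, 2, 3, 5, 6, 7, 8},   # port 4 removed from VLAN 1
    2: {4, 8},
}

# Constructed misconfiguration: port 4 added to VLAN 2 but left in VLAN 1.
FORGOT_REMOVAL = {
    1: {1, 2, 3, 4, 5, 6, 7, 8},
    2: {4, 8},
}

if __name__ == "__main__":
    for name, cfg in (("article", ARTICLE_CONFIG),
                      ("forgot removal", FORGOT_REMOVAL)):
        findings = audit_guest_isolation(cfg, guest_port=4, uplink_port=8)
        print(name, "->", findings or "guest port isolated")
```

The second configuration shows why removing port 4 from VLAN 1 matters: adding it to VLAN 2 alone leaves it able to reach every other port.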
That's it for this time. The next and last installment will show you how to use a smart switch to control client bandwidth use.