Example 2 – IoT network

Another example of judicious use of VLANs arises when we consider accommodating IoT devices. IoT devices are devices embedded with electronics that enable them to connect to the internet and exchange data. An IoT device could be a heart monitor, an automobile, or even something as simple as a thermometer. These provide seemingly endless opportunities to integrate real-world devices with computer networks, but they also, unsurprisingly, raise numerous security issues. It is not without reason that the IoT has come to be referred to, somewhat humorously, as the internet of insecure things.

It is beyond the scope of this chapter to cover all of the security issues raised by IoT devices (for example, data privacy, the possibility that these devices could be hacked for malicious purposes, and the need to update the firmware on these devices). Even if you diligently secure all your IoT devices, however, you likely will not want to place these devices on your LAN network. Placing them in a DMZ network might seem like the prudent thing to do, and it is a good idea. It will prevent a hacker who compromises the security of a single IoT device from easily gaining access to the LAN:

Figure: Using VLANs to secure the internet of insecure things

The one weakness of this approach, however, is that the hacker could potentially find other devices on the DMZ/IoT network, leaving them vulnerable to attack. We can mitigate this by creating private VLANs (PVLANs), in which a subset of ports on a VLAN are isolated and are only permitted to communicate with an uplink port. In the IoT VLAN diagram shown, each IoT device is placed on a separate I-Port (I stands for isolated). I-Ports are only permitted to communicate with an uplink (also known as a P-Port, with the P standing for promiscuous); therefore, each IoT device can communicate only with its uplink and cannot communicate with the other IoT devices. However, if two or more IoT devices need to communicate with each other, we can designate their ports as C-Ports (C stands for community) and place them in the same community VLAN, in which case they will be able to communicate with the other devices on that community VLAN and with the VLAN's uplink, but not with I-Ports (or, for that matter, with other community VLANs).
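The PVLAN rules just described (isolated ports reach only the promiscuous uplink, community ports reach the uplink plus their own community, the uplink reaches everything) are easy to state but worth checking against a concrete port layout. The following is an added model written for this chapter, not code from the book or from any switch vendor; the port names, the "cams" community, and the three IoT devices are a constructed topology mirroring the diagram. It computes, for any source port, the set of ports a flooded frame would reach, which is the same question a defender asks when deciding whether a compromised IoT device can see its neighbours.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class PortType(Enum):
    PROMISCUOUS = "P"  # uplink (P-Port): may exchange frames with every port in the PVLAN
    ISOLATED = "I"     # I-Port: may exchange frames only with promiscuous ports
    COMMUNITY = "C"    # C-Port: promiscuous ports plus members of its own community


@dataclass(frozen=True)
class Port:
    name: str
    kind: PortType
    community: Optional[str] = None  # only meaningful for COMMUNITY ports


def pvlan_allows(src: Port, dst: Port) -> bool:
    """Return True if a frame from src may be delivered to dst under PVLAN rules."""
    if src.name == dst.name:
        return False  # a switch never reflects a frame back out the ingress port
    if src.kind is PortType.PROMISCUOUS or dst.kind is PortType.PROMISCUOUS:
        return True  # the uplink talks to everyone, and everyone talks to the uplink
    if src.kind is PortType.COMMUNITY and dst.kind is PortType.COMMUNITY:
        return src.community == dst.community  # same community only
    # isolated<->isolated, isolated<->community, community<->other community
    return False


def flood(src: Port, ports: List[Port]) -> List[str]:
    """Names of the ports that receive a broadcast or unknown-unicast frame from src."""
    return [p.name for p in ports if pvlan_allows(src, p)]


def reachability(ports: List[Port]) -> Dict[str, List[str]]:
    """Full reachability table: source port name -> list of reachable port names."""
    return {p.name: flood(p, ports) for p in ports}


# Constructed topology (hypothetical names): one uplink to the firewall, three IoT
# devices on isolated ports, and two cameras that must talk to each other.
UPLINK = Port("uplink", PortType.PROMISCUOUS)
IOT_PORTS = [Port(f"iot{i}", PortType.ISOLATED) for i in (1, 2, 3)]
CAM_PORTS = [Port("cam1", PortType.COMMUNITY, "cams"),
             Port("cam2", PortType.COMMUNITY, "cams")]
TOPOLOGY = [UPLINK, *IOT_PORTS, *CAM_PORTS]

if __name__ == "__main__":
    for src, reachable in reachability(TOPOLOGY).items():
        print(f"{src:>6} -> {', '.join(reachable) or '(nothing)'}")
```

Running the block prints the reachability table; every I-Port row lists only `uplink`, so even if one IoT device is compromised its layer-2 view of the segment ends at the firewall, and the firewall's rules decide what else it may reach.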

To summarize the most obvious advantages of VLANs, we have:

  • The ability to easily segregate network traffic into different broadcast domains, which decreases bandwidth utilization and improves network performance
  • Increased security from being able to easily segregate network traffic—even if two nodes are on the same switch, if they are on separate VLANs, they cannot talk to each other unless the router has been configured to grant them access
  • The ability to create separate networks at a much lower cost than would be possible with traditional networks, and with a greatly reduced workload for those tasked with setting up the network

But VLANs also have many other features not available via traditional networking. They include:

  • The ability to double tag traffic, referred to as QinQ.
  • The ability to prevent a host from communicating with any other host on the network (hosts will only be able to communicate with the default gateway). As the example IoT network illustrated, PVLANs allow the network firewall to gain a more granular level of control over traffic. Otherwise, hosts could not be prevented from communicating with another host on the same subnet, as the traffic never reaches the firewall.
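The QinQ item above says only that traffic can be double tagged. To make that concrete, here is an added parser, written for this chapter and not part of the book, that reads the tag stack of a raw Ethernet frame: an outer 802.1ad S-tag (TPID 0x88A8) carrying the provider or outer VLAN, followed by the inner 802.1Q C-tag (TPID 0x8100) carrying the customer VLAN, then the real EtherType. The sample frames and MAC addresses are constructed; the `build_frame` helper exists only to produce them.

```python
import struct
from typing import Any, Dict, List, Tuple

# TPID values that introduce a VLAN tag. 0x9100 is a legacy QinQ TPID some
# switches still emit, so it is accepted as an outer tag as well.
VLAN_TPIDS = {0x8100: "C-TAG (802.1Q)", 0x88A8: "S-TAG (802.1ad)", 0x9100: "S-TAG (legacy)"}


def parse_vlan_tags(frame: bytes) -> Dict[str, Any]:
    """Walk the tag stack after the MAC header and return the tags, EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset = 12
    tags: List[Dict[str, Any]] = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame: missing EtherType")
        ethertype = struct.unpack_from("!H", frame, offset)[0]
        if ethertype not in VLAN_TPIDS:
            break  # not a tag: this is the payload EtherType (IPv4, ARP, ...)
        if offset + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack_from("!H", frame, offset + 2)[0]  # Tag Control Information
        tags.append({
            "tpid": ethertype,
            "kind": VLAN_TPIDS[ethertype],
            "pcp": tci >> 13,          # 3-bit priority
            "dei": (tci >> 12) & 1,    # drop eligible indicator
            "vid": tci & 0x0FFF,       # 12-bit VLAN ID
        })
        offset += 4
    return {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "tags": tags,
        "ethertype": ethertype,
        "payload": frame[offset + 2:],
    }


def is_double_tagged(frame: bytes) -> bool:
    """True when the frame carries two or more stacked VLAN tags (QinQ)."""
    return len(parse_vlan_tags(frame)["tags"]) >= 2


def build_frame(dst: bytes, src: bytes, tags: List[Tuple[int, int, int]],
                ethertype: int, payload: bytes) -> bytes:
    """Assemble a frame from (tpid, vid, pcp) tuples; used here only to construct samples."""
    out = dst + src
    for tpid, vid, pcp in tags:
        out += struct.pack("!HH", tpid, (pcp << 13) | (vid & 0x0FFF))
    return out + struct.pack("!H", ethertype) + payload


# Constructed sample frames (hypothetical addresses and VLAN numbers).
BCAST = bytes.fromhex("ffffffffffff")
SRC_MAC = bytes.fromhex("021122334455")
QINQ_FRAME = build_frame(BCAST, SRC_MAC, [(0x88A8, 100, 0), (0x8100, 200, 0)], 0x0800, b"\x45" + b"\x00" * 19)
SINGLE_TAG_FRAME = build_frame(BCAST, SRC_MAC, [(0x8100, 10, 5)], 0x0806, b"\x00" * 28)
UNTAGGED_FRAME = build_frame(BCAST, SRC_MAC, [], 0x0800, b"\x45" + b"\x00" * 19)

if __name__ == "__main__":
    for name, frame in (("QinQ", QINQ_FRAME), ("single", SINGLE_TAG_FRAME), ("untagged", UNTAGGED_FRAME)):
        info = parse_vlan_tags(frame)
        stack = " / ".join(f"{t['kind']} vid={t['vid']}" for t in info["tags"]) or "(no tags)"
        print(f"{name:>8}: {stack}; EtherType 0x{info['ethertype']:04x}")
```

The outer tag is what a provider or core switch forwards on; the inner tag is only meaningful once the outer one has been stripped at the far edge. Anything that inspects VLAN membership on a trunk, a firewall rule or a capture filter included, has to walk the whole stack rather than read the first tag.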