Lately, I've heard people arguing both for and against using virtual LANs to solve QoS (Quality of Service) challenges in wireless LANs. See for example, So you think you have a voice-ready network?. It is a complex issue, and it is worth reading up on Quality of service fundamentals, as well as the basics of VLAN security.
First, several vendors agree that putting VoIP traffic onto a separate VLAN is a recommended best practice, but that doing is more of a security benefit than a QoS advantage in the wireless portion of the network.
While wireless switch vendors such as Airespace, Aruba Wireless (see review) and Trapeze Networks (see review), for example, do support multiple queues and service classes, and voice VLANs can take precedence over data VLANs, these are proprietary mechanisms. Nothing in the 802.11 standard dictates that an 802.11 network must recognise 802.1p or 802.1Q tags, for example, the way a wired Ethernet must.
And priority queues don't necessarily buy you anything for scheduling, which will be one of the primary contributions of the forthcoming 802.11e QoS extension to the 802.11 standard (802.11s is, in effect, a new MAC for 802.11 - see Quality of Service over WLANs).
Says Jon Leary, product line manager in Cisco's wireless networking business unit: "A VLAN in and of itself won't create QoS. It will help you classify traffic only. But then you must apply policy" (see more on Cisco's SWAN architecture).
He advocates using VLANs to segregate traffic. "Then, there's the separate question about how to prioritise the voice VLAN over data traffic. And that's really what the Wi-Fi standards body [actually, the IEEE - Ed] is working on."
And while voice might get preferential treatment over the radio interface (using proprietary mechanisms today), queuing alone doesn't guarantee anything about latency, which is also crucial to VoIP QoS. So the industry has largely used the SpectraLink Voice Priority (SVP) protocol for scheduling.
Both SpectraLink and the WLAN systems makers agree that voice VLANs are important for security. The reason is that device authentication mechanisms for phones haven't caught up with those for other devices.
"MAC authentication is about the only way to figure out whether a phone is authenticated to a network now," says Andris Dindzans, director of product management at Trapeze. "It's primitive. If phones are put on one VLAN, you can put strong access-control filters on that VLAN."
For example, a VLAN could be restricted to accessing just a voice server and barred from accessing data servers and the Internet, he explains.