VLAN

I have a school project where I need to build a network for a larger company with 6500 employees. I only have to go into detail with the headquarters, and for that I made a network design. (Attached .VDF file; changes and good ideas are very welcome.) But my point in this post is that I need to put it into VLANs, and as it is something new for me, I'd like to know: What are the advantages of a VLAN? What disadvantages does it have? If not an explanation, then maybe a finger pointed in the right direction to a credible source.

Thank you

Roblobster

[attachment: NETVÆRK (1).vsd]

Who says you have to put it into VLANs? Yes, I would agree that you're going to need to segment the network out, but it does not have to actually be VLANs. It could be actual physically different networks.

VLANs are just a way of creating segments without having to use different hardware for each segment. So on the left I have 2 network segments, 192.168.1.0/24 and 192.168.2.0/24. Now these are using the same hardware switch; I just used VLANs to isolate the 2 different networks. On the router I have a physical interface, but I can create subinterfaces or virtual interfaces in each of the VLANs.

Think of breaking the switch into multiple switches where you assign ports to different switches. Now I have the advantage of 2 broadcast domains; I could create ACLs or firewall rules between these segments depending on the feature set I have joining the VLANs together, be it a dumb router, inter-VLAN routing on the switch itself, a full-blown firewall, etc. And I need less hardware to do it.

Now on the right side I did it the normal physical way. Each network segment is on its own hardware: the router has 2 physical NICs, one in each network, and each segment has its own switch.

So do you not see the advantage of VLANs?

[attached image: post-14624-0-25214800-1362576678.jpg (left: one switch with two VLANs; right: two physical switches)]

Now you can combine the 2 different ways to do it. Maybe I have 2 physical interfaces in my router but run these connections to 2 different ports on the switch where each port is in its own VLAN, etc. VLANs are just a way of creating a network segment without having to physically isolate it, i.e. the use of the term Virtual in the name: Virtual Local Area Network, Virtual LAN or VLAN.

So depending on the feature set of the switch I am using on the left, maybe traffic between the 2 VLANs does not have to go all the way back to the router; maybe it's just handled at the switch. Whereas on the right, traffic has to go all the way back to the router to get to the other network segment.

Yeah, I do see the benefits. I can make the port give different data depending on what VLAN you're in. Then there's something about security: that on VLANs you control it all on the server side, and on IP LANs you can control it with the end device IP. So if you plug in a laptop with the right static IP you should have a security breach, or something like that. But there must be a lot of important cons and pros about VLANs? The VLANs are a demand because it's based on CCNA :) Thank you for the post, appreciated. And I'm sorry for my horrible English.

"I can make the port give different data depending on what VLAN you're in."

What?? That has nothing to do with VLANs, to be honest; that has to do with firewalling between network segments, access control lists on a layer 3 switch, etc. Unless you're talking about a protocol VLAN?

There is not really any different security on a VLAN vs a physical network segment. Now there are concerns with VLAN security over a completely physical network: yes, there are attacks against VLANs where it could be possible to access traffic that is on a different VLAN than you're supposed to be on, where these types of attacks would not be possible in actual physical networks.

Once you allow your LANs to be virtual, then yes, there are lots of things you could do much more easily than having to use hardware for each network segment.

What I meant was, with VLANs I can split the switch up into different networks: one port with VLAN 1 with the amount of access VLAN 1 needs, let's say it's a guest net and only allowed to browse, and then a VLAN 2 for admins who can access everything. Whereas the other way you would need 2 switches, one where you plugged in all the admins and one for the guest network, or am I wrong? Like when you run ESX or Xen on a server.

Yeah, that is an advantage of VLANs: the ability to use 1 physical switch for different segments vs having to use multiple physical switches.

But keep in mind the ability to restrict what a VLAN can access is not really the function of the VLAN itself; the LAN being physical or virtual does not determine its access. You would control that access via some other feature: either access controls on the switch, that is, say, a layer 3 or layer 4 switch with that sort of feature set, or at your router/firewall that the LAN connects to, be it a VLAN or a true physical LAN.

Yes, at your filter/routing point you would be able to control access. But this is not really a native feature of a VLAN. A VLAN is just a "virtual" LAN, nothing more. There are layer 2 switches that allow for tagging of VLANs without the bells and whistles that a layer 3+ switch would provide.

Just because a switch allows for VLANs does not necessarily mean that device can route traffic between the VLANs, nor does it mean that you would have any sort of access controls between the VLANs.

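To make the two points above concrete (VLANs only create the segments; the guest-vs-admin restriction lives in an ACL at the routing point), here is the left-hand design from BudMan's description written out as Cisco IOS configuration. This is an added example written for this thread, not configuration posted by any participant. The subnets 192.168.1.0/24 and 192.168.2.0/24 come from the post; the VLAN numbers (10 guest, 20 admin, 99 unused native), the device and interface names, and the gateway addresses are assumptions.

```cisco
! ===== Layer 2 access switch (assumed name SW1): it only tags and separates, it does not route =====
vlan 10
 name GUEST
vlan 20
 name ADMIN
vlan 99
 name NATIVE-UNUSED
!
! Guest ports (assumed range). Access mode plus "nonegotiate" disables DTP, so an attached
! host cannot talk the port into becoming a trunk and see other VLANs' traffic.
interface range FastEthernet0/1 - 12
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
!
! Admin ports (assumed range)
interface range FastEthernet0/13 - 24
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 spanning-tree portfast
!
! Uplink to the router: one cable carries both VLANs (router-on-a-stick).
! The native VLAN is an unused one so untagged frames never land in a live segment,
! and only the two VLANs that belong on this trunk are allowed.
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
! ===== Router (assumed name R1): one physical interface, one subinterface per VLAN =====
interface GigabitEthernet0/0
 no ip address
 no shutdown
!
interface GigabitEthernet0/0.10
 description Guest segment 192.168.1.0/24
 encapsulation dot1Q 10
 ip address 192.168.1.1 255.255.255.0
 ip access-group GUEST-IN in
!
interface GigabitEthernet0/0.20
 description Admin segment 192.168.2.0/24
 encapsulation dot1Q 20
 ip address 192.168.2.1 255.255.255.0
!
! The restriction is here, on the router, not in the VLAN: guests get DHCP, DNS and web
! out to the Internet and nothing else; the admin segment is blocked explicitly and first.
ip access-list extended GUEST-IN
 remark deny guest -> admin before any permit, then allow only DHCP, DNS and web
 deny   ip  192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit udp any eq bootpc any eq bootps
 permit udp 192.168.1.0 0.0.0.255 any eq domain
 permit tcp 192.168.1.0 0.0.0.255 any eq www
 permit tcp 192.168.1.0 0.0.0.255 any eq 443
 deny   ip  any any log
```

Two notes on the design. The `switchport trunk encapsulation dot1q` line is only accepted on switch models that also support ISL; on models that only speak 802.1Q, leave it out. If the switch on the left is a layer 3 switch, the two router subinterfaces become `interface Vlan10` and `interface Vlan20` SVIs on the switch itself with `ip routing` enabled, and the same ACL attaches to the SVI; that is the case BudMan describes where inter-VLAN traffic never has to go back to the router. Either way, remove the ACL and the two VLANs can reach each other freely, which is exactly why the access control is a feature of the routing point and not of the VLAN.
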
Thanks a lot for the information, BudMan. Just to add a subject, dual WAN failover: is ping the only solution to determine if a link is up or down? Because I read it wasn't bulletproof.

It would depend on the device and what features it might use to know if a connection is down. Nothing is bulletproof ;) Sure, just because the IP you're using as your monitor via ICMP does not respond does not always mean the line is down or that you cannot route traffic through it, etc.

But if you cannot ping your gateway for whatever you decide to use as your monitor window, say 3 cycles' worth of checks, then it's probably a good sign that you have something wrong with that connection, be it the gateway down, the line saturated, the gateway overloaded, etc.

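The "3 cycles' worth of checks" idea above, written out as a Cisco IOS dual WAN failover configuration: an added example for this thread, not anything posted by the participants. It probes the primary ISP gateway by ICMP every 10 seconds, lets a tracked object go down only after 30 seconds of failures (three missed probes) and come back only after 10 seconds of success, and ties the primary default route to that track so a floating static route via the second ISP takes over. The gateway addresses 203.0.113.1 and 198.51.100.1 are documentation addresses standing in for the two ISPs, and the interface names are assumptions.

```cisco
! IP SLA probe 1: ICMP echo to the primary ISP gateway (assumed 203.0.113.1),
! sourced from the WAN1 interface, once every 10 seconds. A reply slower than
! 500 ms counts as over threshold; no reply within 1000 ms counts as a failure.
ip sla 1
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/1
 threshold 500
 timeout 1000
 frequency 10
ip sla schedule 1 life forever start-time now
!
! Track object 1 follows the probe's reachability. "delay down 30" means three
! consecutive failed 10-second cycles before the link is declared down, which keeps
! one lost packet from triggering a failover; "up 10" keeps it from flapping straight back.
track 1 ip sla 1 reachability
 delay down 30 up 10
!
! Primary default route via ISP1 is installed only while track 1 is up.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
!
! Floating static default route via ISP2 (assumed gateway 198.51.100.1 on WAN2) with a
! worse administrative distance (10), so it is used only when the tracked route is withdrawn.
ip route 0.0.0.0 0.0.0.0 198.51.100.1 10
```

This checks exactly what BudMan describes: reachability of the gateway, nothing more. If the gateway answers but the ISP's upstream is broken, the track stays up and traffic keeps going out a dead link, which is the "not bulletproof" part. The usual refinement is to probe an address beyond the gateway instead; if you do that, add a host route for the probe target pointing out the WAN1 interface (`ip route <target> 255.255.255.255 GigabitEthernet0/1`), otherwise once the failover happens the probe itself leaves via ISP2, succeeds, and flips the primary route back up.
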
"What I meant was, with VLANs I can split the switch up into different networks: one port with VLAN 1 with the amount of access VLAN 1 needs, let's say it's a guest net and only allowed to browse, and then a VLAN 2 for admins who can access everything. Whereas the other way you would need 2 switches, one where you plugged in all the admins and one for the guest network, or am I wrong? Like when you run ESX or Xen on a server."

Yes, as BudMan said, VLANs don't magically give all these features, but they definitely allow you to do it cheaper on a small scale. In terms of security, take a hardware switched layer over a software based one any day. When you have physical switches/routers/servers sharing traffic between, for an extreme example, the Internet and your top secret government servers, advanced hackers will work at the firewall or spoof or do whatever is on the table to be able to tap into that local TCP stream that is next door. If it is a software switched VLAN (as opposed to relay switched) there is a higher risk of compromise since they are not physically separated.

Anyway, I can't really be bothered to dig deep into physical vs virtual, but if you have the funds and have a network topography that will suit it then go with physical. VLANs can also be a B!4CH to set up and reconfigure, so be wary of that as well!
