Where should I start with vLAN?
- 
 "All" firewalls support VLANs. What you need for VLANs is not a special firewall or router, what you need is 100% of all switching infrastructure to support VLANs. That is where you have or lack support for it. 
- 
 One Big Flat Network is a good starting point. 
- 
 Well Scott beat me to it.. why do you want to us vLAN? 
- 
 Remember don't add complexity for its own sake. Elegant solutions are normally more robust, cheaper, easier to maintain and more secure. Complexity is the enemy, not a goal. 
- 
 @Dashrender said: Well Scott beat me to it.. why do you want to us vLAN? Just hype thingy. Thought it might be better or improve something. 
- 
 @LAH3385 said: Just hype thingy. Thought it might be better or improve something. If it did that it wouldn't require hype to promote it. It's driven by the same things as SAN - huge enterprises need those things due to their scale, not because the technologies are cool, new or a paradigm shift. SMBs get their competitive advantage against the big scales of the enterprise by being able to run faster and leaner (read: avoiding the cost and problems of these big solutions.) If SMBs implement them they lose the advantages of being small but obviously lack the advantages of being big. So its the worst of both worlds. VLANs are absolutely necessary once you have many thousands of devices. Until then, they are just in your way. 
- 
 Out of curiosity, what would you recommend for a smaller company that wanted to segregate certain machines from the others, but still provide Internet access to both? 
- 
 @BRRABill said: Out of curiosity, what would you recommend for a smaller company that wanted to segregate certain machines from the others, but still provide Internet access to both? what kind of connectivity needs to exist between the two groups of computers? 
- 
 @Dashrender said: what kind of connectivity needs to exist between the two groups of computers? Let's say none. Perhaps you had a division the dealt with PHI and you wanted to keep that traffic away from the rest of the network. 
- 
 @LAH3385 said: @Dashrender said: Well Scott beat me to it.. why do you want to us vLAN? Just hype thingy. Thought it might be better or improve something. What is it going to improve if you have no need for it? 
- 
 @BRRABill said: @Dashrender said: what kind of connectivity needs to exist between the two groups of computers? Let's say none. Perhaps you had a division the dealt with PHI and you wanted to keep that traffic away from the rest of the network. You still need a firewall to properly separate them if you are sharing the same internet. 
- 
 @BRRABill said: @Dashrender said: what kind of connectivity needs to exist between the two groups of computers? Let's say none. Perhaps you had a division the dealt with PHI and you wanted to keep that traffic away from the rest of the network. Assuming you have to live internet IPs, from the ISP provided device - switch, - from switch, two separate ERLs, each ERL goes to a switch that feeds a desired segment. 
- 
 @BRRABill said: Out of curiosity, what would you recommend for a smaller company that wanted to segregate certain machines from the others, but still provide Internet access to both? You need a firewall for that, but the real question is... why do you want to segregate them? I'm not asking that because there are never reasons for needing to do this, but they would be very uncommon and exist purely in a "legacy LAN" environment where a LAN doesn't work. 
- 
 @BRRABill said: @Dashrender said: what kind of connectivity needs to exist between the two groups of computers? Let's say none. Perhaps you had a division the dealt with PHI and you wanted to keep that traffic away from the rest of the network. I'd want them totally isolated so that I didn't care what network they were on  
- 
 @Jason said: @BRRABill said: @Dashrender said: what kind of connectivity needs to exist between the two groups of computers? Let's say none. Perhaps you had a division the dealt with PHI and you wanted to keep that traffic away from the rest of the network. You still need a firewall to properly separate them if you are sharing the same internet. Even if not sharing an Internet connection, if you have VLANs for security, they always need a firewall to separate them. 
- 
 @Dashrender said: @BRRABill said: @Dashrender said: what kind of connectivity needs to exist between the two groups of computers? Let's say none. Perhaps you had a division the dealt with PHI and you wanted to keep that traffic away from the rest of the network. Assuming you have to live internet IPs, from the ISP provided device - switch, - from switch, two separate ERLs, each ERL goes to a switch that feeds a desired segment. You can do that fine with a single ERL. 
- 
 @scottalanmiller said: @BRRABill said: @Dashrender said: what kind of connectivity needs to exist between the two groups of computers? Let's say none. Perhaps you had a division the dealt with PHI and you wanted to keep that traffic away from the rest of the network. I'd want them totally isolated so that I didn't care what network they were on  This for so many reasons. If a VLAN won't cut it, it's time to go old school. 
- 
 @scottalanmiller said: You need a firewall for that, but the real question is... why do you want to segregate them? I'm not asking that because there are never reasons for needing to do this, but they would be very uncommon and exist purely in a "legacy LAN" environment where a LAN doesn't work. As someone who has steered away from vLANs for complexity reasons as you mentioned, I just know they were repeatedly mentioned in our HIPAA stuff as a way to safely segregate the PHI machines from the other machines. We do it another way, basically with a firewall. But was just wondering if that was the case, and if there was a simple alternative to the VLAN in that scenario. It might not even be a valid use case. 
- 
 @scottalanmiller said: @Jason said: @BRRABill said: @Dashrender said: what kind of connectivity needs to exist between the two groups of computers? Let's say none. Perhaps you had a division the dealt with PHI and you wanted to keep that traffic away from the rest of the network. You still need a firewall to properly separate them if you are sharing the same internet. Even if not sharing an Internet connection, if you have VLANs for security, they always need a firewall to separate them. Not if you don't put a router between the two at all.. Put the routers on access ports then no need for a firewall granted you could just use physically separate switches. 
- 
 @BRRABill said: @scottalanmiller said: You need a firewall for that, but the real question is... why do you want to segregate them? I'm not asking that because there are never reasons for needing to do this, but they would be very uncommon and exist purely in a "legacy LAN" environment where a LAN doesn't work. As someone who has steered away from vLANs for complexity reasons as you mentioned, I just know they were repeatedly mentioned in our HIPAA stuff as a way to safely segregate the PHI machines from the other machines. We do it another way, basically with a firewall. But was just wondering if that was the case, and if there was a simple alternative to the VLAN in that scenario. It might not even be a valid use case. What do you mean? VLANs are separated by a firewall. That's the only realistic way to separate VLANs. What else are you picturing? I find the idea of PHI with VLAN pretty silly. It assumes that you bother to secure some stuff and not others. Why? 



