Where should I start with vLAN?

scottalanmiller

@BRRABill said:

Out of curiosity, what would you recommend for a smaller company that wanted to segregate certain machines from the others, but still provide Internet access to both?

You need a firewall for that, but the real question is... why do you want to segregate them? I'm not asking that because there are never reasons for needing to do this, but they would be very uncommon and exist purely in a "legacy LAN" environment where a LAN doesn't work.

scottalanmiller

@BRRABill said:

@Dashrender said:

what kind of connectivity needs to exist between the two groups of computers?

Let's say none.

Perhaps you had a division the dealt with PHI and you wanted to keep that traffic away from the rest of the network.

I'd want them totally isolated so that I didn't care what network they were on

scottalanmiller

@Jason said:

@BRRABill said:

@Dashrender said:

what kind of connectivity needs to exist between the two groups of computers?

Let's say none.

Perhaps you had a division the dealt with PHI and you wanted to keep that traffic away from the rest of the network.

You still need a firewall to properly separate them if you are sharing the same internet.

Even if not sharing an Internet connection, if you have VLANs for security, they always need a firewall to separate them.

scottalanmiller

@Dashrender said:

@BRRABill said:

@Dashrender said:

what kind of connectivity needs to exist between the two groups of computers?

Let's say none.

Perhaps you had a division the dealt with PHI and you wanted to keep that traffic away from the rest of the network.

Assuming you have to live internet IPs, from the ISP provided device - switch, - from switch, two separate ERLs, each ERL goes to a switch that feeds a desired segment.

You can do that fine with a single ERL.

MattSpeller

@scottalanmiller said:

@BRRABill said:

@Dashrender said:

what kind of connectivity needs to exist between the two groups of computers?

Let's say none.

Perhaps you had a division the dealt with PHI and you wanted to keep that traffic away from the rest of the network.

I'd want them totally isolated so that I didn't care what network they were on

This for so many reasons. If a VLAN won't cut it, it's time to go old school.

BRRABill

@scottalanmiller said:

You need a firewall for that, but the real question is... why do you want to segregate them? I'm not asking that because there are never reasons for needing to do this, but they would be very uncommon and exist purely in a "legacy LAN" environment where a LAN doesn't work.

As someone who has steered away from vLANs for complexity reasons as you mentioned, I just know they were repeatedly mentioned in our HIPAA stuff as a way to safely segregate the PHI machines from the other machines. We do it another way, basically with a firewall. But was just wondering if that was the case, and if there was a simple alternative to the VLAN in that scenario.

It might not even be a valid use case.

Jason

@scottalanmiller said:

@Jason said:

@BRRABill said:

@Dashrender said:

what kind of connectivity needs to exist between the two groups of computers?

Let's say none.

Perhaps you had a division the dealt with PHI and you wanted to keep that traffic away from the rest of the network.

You still need a firewall to properly separate them if you are sharing the same internet.

Even if not sharing an Internet connection, if you have VLANs for security, they always need a firewall to separate them.

Not if you don't put a router between the two at all.. Put the routers on access ports then no need for a firewall

granted you could just use physically separate switches.

scottalanmiller

@BRRABill said:

@scottalanmiller said:

You need a firewall for that, but the real question is... why do you want to segregate them? I'm not asking that because there are never reasons for needing to do this, but they would be very uncommon and exist purely in a "legacy LAN" environment where a LAN doesn't work.

As someone who has steered away from vLANs for complexity reasons as you mentioned, I just know they were repeatedly mentioned in our HIPAA stuff as a way to safely segregate the PHI machines from the other machines. We do it another way, basically with a firewall. But was just wondering if that was the case, and if there was a simple alternative to the VLAN in that scenario.

It might not even be a valid use case.

What do you mean? VLANs are separated by a firewall. That's the only realistic way to separate VLANs. What else are you picturing?

I find the idea of PHI with VLAN pretty silly. It assumes that you bother to secure some stuff and not others. Why?

scottalanmiller

@Jason said:

@scottalanmiller said:

@Jason said:

@BRRABill said:

@Dashrender said:

what kind of connectivity needs to exist between the two groups of computers?

Let's say none.

Perhaps you had a division the dealt with PHI and you wanted to keep that traffic away from the rest of the network.

You still need a firewall to properly separate them if you are sharing the same internet.

Even if not sharing an Internet connection, if you have VLANs for security, they always need a firewall to separate them.

Not if you don't put a router between the two at all.. Put the routers on access ports then no need for a firewall

granted you could just use physically separate switches.

True, if they were to have no means of communicating whatsoever, like one being treated much like a SAN.

BRRABill

@scottalanmiller said:

What do you mean? VLANs are separated by a firewall. That's the only realistic way to separate VLANs. What else are you picturing?

I find the idea of PHI with VLAN pretty silly. It assumes that you bother to secure some stuff and not others. Why?

Don't know. Never got into it, and it might not even be a thing.

Quick Google turned up things like this...
"A simple technique for effective network segregation that requires little capital expenditure is called VLAN tagging, short for Virtual LAN. Different parts of your network can be logically separated into distinct "VLANs" and essentially create small quarantine zones between sets of machines that cannot speak to one another. This reduces data exposure, yet still allows internet connectivity for critical Windows Updates and antivirus definitions."

scottalanmiller

@BRRABill said:

@scottalanmiller said:

What do you mean? VLANs are separated by a firewall. That's the only realistic way to separate VLANs. What else are you picturing?

I find the idea of PHI with VLAN pretty silly. It assumes that you bother to secure some stuff and not others. Why?

Don't know. Never got into it, and it might not even be a thing.

Quick Google turned up things like this...
"A simple technique for effective network segregation that requires little capital expenditure is called VLAN tagging, short for Virtual LAN. Different parts of your network can be logically separated into distinct "VLANs" and essentially create small quarantine zones between sets of machines that cannot speak to one another. This reduces data exposure, yet still allows internet connectivity for critical Windows Updates and antivirus definitions."

VLANs are way simpler than that describes. Think of separate networks. Literally you have one, the guy across the street has one. They are unrelated to each other. Now imagine that you want that but you want to share physical switches. That's VLANing. Literally "Virtual LANs." You get completely separate LANs out of it. That's it. Nothing more, nothing less. Any other concept is misconception.

Dashrender

@scottalanmiller said:

@Dashrender said:

@BRRABill said:

@Dashrender said:

what kind of connectivity needs to exist between the two groups of computers?

Let's say none.

Perhaps you had a division the dealt with PHI and you wanted to keep that traffic away from the rest of the network.

Assuming you have to live internet IPs, from the ISP provided device - switch, - from switch, two separate ERLs, each ERL goes to a switch that feeds a desired segment.

You can do that fine with a single ERL.

yeah I suppose you're right.

scottalanmiller

VLANs are meant to replace what used to be stacks of actual switches. Before VLANs we used physically separate equipment for different LANs. Now we can have the LANs not be tied to specific switches but built the LANs in software on top of the switches.

But we used to do this a lot for performance and VLANs actually make that harder rather than easier. But many people confuse what a VLAN does with what a full LAN does and recommend VLANs for the opposite thing that they do.

dafyre

Like the others, I'd recommend using VLANs only if you need them to secure something. For instance, in a college where I worked previously, I helped migrate from the stacks of switches that @scottalanmiller mentions to a network using VLANs to separate student traffic from the admin traffic.

You will definitely need a router (or layer 3 switch) or firewall to ensure that the VLANs have access to the internet, but not to one another.