Are VLANs Appropriate Here



  • @scottalanmiller said in Why Are UTMs Not Recommended Generally:

    @dave247 said in Why Are UTMs Not Recommended Generally:

    @scottalanmiller said in Why Are UTMs Not Recommended Generally:

    @dave247 said in Why Are UTMs Not Recommended Generally:

    @scottalanmiller said in Why Are UTMs Not Recommended Generally:

    If you just want VLANs, there is no need for more than two ports on your router. You only need more than two ports when you have more than one LAN, not more than one VLAN. So that matters as to whether you need more ports or not.

    I don't fully understand where you are coming from here. I have a different VLAN for each different network (LAN).

    Are you talking about having sub-interfaces?

    VLANs don't require firewall ports. Physical LANs do. You are saying you have VLANs, but saying you need firewall ports for them.

    Basically it works this way....

    If you have VLANs to separate your LANs, you can do it all on one port.

    If you have physical port separation for your LANs, you have no purpose for VLANs.

    VLANs or physical separation are both fine for different use cases, neither is a terrible thing, neither is automatically better than the other. But your description of using VLANs and using six ports on your firewall don't seem to fit. In theory, should be one or the other.

    Let me clarify. I have a switch with various trunk ports (from the different VLANs) which run directly to different ports on our SonicWall. Yes, I could run them all through one trunk port on the switch to a single port on the SonicWall with sub-interfaces, but then bandwidth will be limited to a single 1Gbps Ethernet port. Each zone is on its own VLAN and then we have various firewall rules and policies for those.

    That's a weird way to do it. What you would normally want is...

    1. To move to a firewall with a faster interface that can handle your desired workload.
    2. Use the L3 switch for the ACLs, not the firewall, that's why these exist in the first place. If you have an L3 switch and are doing this, you are missing why you paid for the L3 switch.
    3. Use trunking to the firewall instead of individual ports for each VLAN.

    One of those three, #2 preferably.

    Now given how many VLANs you have, I'd recommend a thread to talk about if they are needed. Rule of thumb is that you want to avoid VLANs when possible. If you have devices that need to talk across VLANs, this pretty much tells you that the VLANs aren't right for your needs. There are loads of cases for VLANs, but most places do them when they are not needed and an unneeded VLAN means performance and management overhead that is just wasted resources.

    Of course, VLANs become smart when you have more than 2-4K devices on a single subnet.

    Yeah, I already know about your input on this stuff. We use VLANs to segregate things, and we don't really have that many. We have one for corp wifi, guest wifi, VoIP and then the default untagged VLAN 1. I do plan to add one more for workstations to segregate them from the servers for the sake of security. The idea is to separate things into groups (VLANs) and then apply ACLs in order to control what flows back and forth.



  • This is pretty much the bread and butter reasoning that people give for VLANs. Keeping workstations away from the servers to which they need to communicate creates massive bottlenecks. And definitely shows, at the very least, that your networking setup in the other thread is incorrect, for this description, there is no question, if you need these VLANs, it is in the switch, not the firewall, that your routing and ACLs should exist. The switch is a firewall here, just to be clear, but not the SonicWall.



  • Why is corp wifi its own VLAN? Why are servers their own VLAN? Why is VoIP its own VLAN? Those three all appear to be crippling your network and adding cost, without any benefit, certainly not any security because they talk to each other anyway. The firewall between them is a red herring, does nothing of benefit.

    If you wanted security from this style of model, the only logical way to handle it is to have every device or port on its own VLAN. It's extreme, but this is how secure shops do it. If you don't go to that level, the VLANs do essentially nothing, but still have loads of overhead.

    The guest wifi on its own VLAN (or physical LAN, either way) is generally a good way to go. This is different because it is literally a completely different, unrelated network and never talks to the others, so this is where a VLAN really makes sense for sure.



  • I am in the process of redoing my network. My plan is to just have a single VLAN, just for guest stuff that will not talk to anything else. If you have all those devices on separate VLANs, and they do need to talk to each other, then you may be introducing an unnecessary point of failure, specifically the L3 switch. If they can all be on the same VLAN, or untagged, then you should be able to drop in just about any switch in a pinch and keep the network up when there is an outage. Ask me how I know.



  • @Donahue said in Are VLANs Appropriate Here:

    I am in the process of redoing my network. My plan is to just have a single VLAN, just for guest stuff that will not talk to anything else. If you have all those devices on separate VLANs, and they do need to talk to each other, then you may be introducing an unnecessary point of failure, specifically the L3 switch. If they can all be on the same VLAN, or untagged, then you should be able to drop in just about any switch in a pinch and keep the network up when there is an outage. Ask me how I know.

    Also a major bottleneck as traffic has to be filtered between each of those networks. It's overhead at exactly the spot where you don't want it. If you were able to VLAN by department that didn't share anything (or essentially anything) you could make an argument for VLANs between, say engineering and finance, assuming that they didn't share any server resources. Then put engineering workstations and engineering servers on one VLAN, and financial workstations and servers on another VLAN.

    The easy way to tell if VLANs make sense for security is "do you need to allow traffic between them?" If the answer is yes, the VLAN is smoke and mirrors. If the answer is no, then you need to still see if the VLAN has value, but it means that potentially it does.
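The test proposed in the reply above ("do you need to allow traffic between them?") can be applied mechanically to an ACL rule set. The script below is an added example, not code from the thread or from any firewall or switch vendor: it takes a list of VLANs and the permit rules between them, and reports which VLANs are genuinely isolated (only reach the outside) and which pairs are comingled by a permitted flow. The VLAN names, the `wan` zone and the rules are constructed to match the setups described in this thread.

```python
"""Classify VLANs by whether any permitted flow crosses them.

Added example (not from the original thread). VLAN names, the external
'wan' zone and the rules are constructed for illustration only.
"""
from itertools import combinations

ANY = "any"


def expand(zone: str, vlans: list[str]) -> set[str]:
    """'any' matches every VLAN; otherwise the single named zone."""
    return set(vlans) if zone == ANY else {zone}


def crossing_pairs(vlans: list[str], rules: list[dict],
                   external: set[str] = frozenset({"wan"})) -> set[frozenset]:
    """Unordered VLAN pairs with at least one permitted flow in either direction.

    Flows to an external zone (internet) are ignored: a VLAN whose only
    permitted destination is the outside world is still isolated from the
    other VLANs.
    """
    pairs: set[frozenset] = set()
    for rule in rules:
        if rule.get("action", "deny") != "permit":
            continue
        for src in expand(rule["src"], vlans):
            for dst in expand(rule["dst"], vlans):
                if src == dst or src in external or dst in external:
                    continue
                pairs.add(frozenset((src, dst)))
    return pairs


def classify(vlans: list[str], rules: list[dict]) -> dict:
    """Return isolated VLANs, comingled pairs, and pairs the ACL actually blocks."""
    pairs = crossing_pairs(vlans, rules)
    isolated = [v for v in vlans if not any(v in p for p in pairs)]
    comingled = sorted(tuple(sorted(p)) for p in pairs)
    blocked = sorted(tuple(sorted(p)) for p in
                     (frozenset(c) for c in combinations(vlans, 2)) if p not in pairs)
    return {"isolated": isolated, "comingled": comingled, "blocked": blocked}


# Constructed rule set resembling the setups discussed in this thread.
VLANS = ["workstations", "servers", "corp_wifi", "voip", "guest"]
RULES = [
    {"action": "permit", "src": "workstations", "dst": "servers"},
    {"action": "permit", "src": "corp_wifi", "dst": "servers"},
    {"action": "permit", "src": "voip", "dst": "servers"},      # call manager lives here
    {"action": "permit", "src": "workstations", "dst": "voip"},  # softphones
    {"action": "permit", "src": "any", "dst": "wan"},            # everyone gets internet
    {"action": "deny", "src": "guest", "dst": "any"},
]

if __name__ == "__main__":
    result = classify(VLANS, RULES)
    print("isolated :", result["isolated"])
    print("comingled:", result["comingled"])
    print("blocked  :", result["blocked"])
```

With this rule set only `guest` comes out isolated, which matches the thread's conclusion: the guest network is the VLAN that earns its keep, while the workstation, server, wifi and VoIP VLANs all have permitted paths between them. Rules the tool reports as `blocked` are the only places where the VLAN boundary is doing security work; everything in `comingled` is being enforced by the ACL on the crossover device, not by the VLAN itself.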



  • Not sure if this will muddy up the water but we have 3 VLANs on our network. All wired traffic (Servers, PCs, and VoIP) on VLAN 1, all secured "corp" wifi on VLAN 2, and all student/guest wifi on VLAN 3.

    VLAN 3 cannot communicate with VLAN 1 or 2 without ACLs

    VLAN1 and 2 can communicate with each other but cannot see anyone on VLAN 3



  • then why do VLAN 1 and 2 need to be on different VLANs?



  • @Donahue said in Are VLANs Appropriate Here:

    then why do VLAN 1 and 2 need to be on different VLANs?

    Technically they don't but I kept all LAN traffic outside of the WIFI scope



  • @WLS-ITGuy said in Are VLANs Appropriate Here:

    @Donahue said in Are VLANs Appropriate Here:

    then why do VLAN 1 and 2 need to be on different VLANs?

    Technically they don't but I kept all LAN traffic outside of the WIFI scope

    I am setting mine up so that all my stuff on the corp network can be switched, not routed. I am coming from a setup where everything was separated, and it was all inefficient. When my router blew up, it took most of my network with it because it all had to be routed.



  • @WLS-ITGuy said in Are VLANs Appropriate Here:

    @Donahue said in Are VLANs Appropriate Here:

    then why do VLAN 1 and 2 need to be on different VLANs?

    Technically they don't but I kept all LAN traffic outside of the WIFI scope

    No, if they can talk to each other then their traffic is not kept out of that scope. They are comingled, so what is the purpose of the VLAN?



  • @Donahue said in Are VLANs Appropriate Here:

    @WLS-ITGuy said in Are VLANs Appropriate Here:

    @Donahue said in Are VLANs Appropriate Here:

    then why do VLAN 1 and 2 need to be on different VLANs?

    Technically they don't but I kept all LAN traffic outside of the WIFI scope

    I am setting mine up so that all my stuff on the corp network can be switched, not routed. I am coming from a setup where everything was separated, and it was all inefficient. When my router blew up, it took most of my network with it because it all had to be routed.

    My VLANs are all at the switch level and my wireless controller.



  • @Donahue said in Are VLANs Appropriate Here:

    @WLS-ITGuy said in Are VLANs Appropriate Here:

    @Donahue said in Are VLANs Appropriate Here:

    then why do VLAN 1 and 2 need to be on different VLANs?

    Technically they don't but I kept all LAN traffic outside of the WIFI scope

    I am setting mine up so that all my stuff on the corp network can be switched, not routed. I am coming from a setup where everything was separated, and it was all inefficient. When my router blew up, it took most of my network with it because it all had to be routed.

    That's the boat that the OP is in, he has this massive bottleneck and risk in the router that isn't serving a purpose. Even without removing the VLANs, he could fix that by moving their crossover point to the switch.



  • is this just a DHCP scope thing?



  • @Donahue said in Are VLANs Appropriate Here:

    is this just a DHCP scope thing?

    Right, DHCP is affected, but not security.



  • @scottalanmiller said in Are VLANs Appropriate Here:

    @Donahue said in Are VLANs Appropriate Here:

    is this just a DHCP scope thing?

    Right, DHCP is affected, but not security.

    I can see the argument of having two different DHCP scopes, one for wired and one for wireless. I cannot comment on if that is the best choice though, just that it makes sense.



  • @Donahue said in Are VLANs Appropriate Here:

    @scottalanmiller said in Are VLANs Appropriate Here:

    @Donahue said in Are VLANs Appropriate Here:

    is this just a DHCP scope thing?

    Right, DHCP is affected, but not security.

    I can see the argument of having two different DHCP scopes, one for wired and one for wireless. I cannot comment on if that is the best choice though, just that it makes sense.

    Based on what need? Just the fear that someone will hijack the secure wireless and perform a DHCP exhaustion attack? It's a huge amount of effort for a really trivial attack vector that has no serious impact.



  • No, I am saying that I could see that someone wanted to separate out their devices so each could have its own separate DHCP scope. I am not saying that this was a good idea, or that I would do it, just that I can see how VLANs could be used to achieve that effect. Again, I am not saying this would be using VLANs correctly.

