Where should I start with vLAN?



  • I want to hear your stories of vLAN. Where should I start with it? I just learned that our firewall switch (Watchguard) supports vLAN, but I am not sure where to even start with numbering or settings. Any thoughts? When would vLAN come in handy? etc.

    Thanks!



  • VLAN is something you implement when you have to, not because you "can". A VLAN is a big negative if it is not fulfilling a specific purpose. VLANs are a necessity in certain large networks. It is a huge benefit to the SMB that they rarely have a use for them. And the more you avoid having VLANs, the faster and more reliable your network is.



  • "All" firewalls support VLANs. What you need for VLANs is not a special firewall or router, what you need is 100% of all switching infrastructure to support VLANs. That is where you have or lack support for it.



  • One Big Flat Network is a good starting point.



  • Well Scott beat me to it.. why do you want to use vLAN?



  • Remember don't add complexity for its own sake. Elegant solutions are normally more robust, cheaper, easier to maintain and more secure. Complexity is the enemy, not a goal.



  • @Dashrender said:

    Well Scott beat me to it.. why do you want to use vLAN?

    Just hype thingy. Thought it might be better or improve something.



  • @LAH3385 said:

    Just hype thingy. Thought it might be better or improve something.

    If it did that it wouldn't require hype to promote it.

    It's driven by the same things as SAN - huge enterprises need those things due to their scale, not because the technologies are cool, new or a paradigm shift. SMBs get their competitive advantage against the big scales of the enterprise by being able to run faster and leaner (read: avoiding the cost and problems of these big solutions.) If SMBs implement them they lose the advantages of being small but obviously lack the advantages of being big. So it's the worst of both worlds.

    VLANs are absolutely necessary once you have many thousands of devices. Until then, they are just in your way.



  • Out of curiosity, what would you recommend for a smaller company that wanted to segregate certain machines from the others, but still provide Internet access to both?



  • @BRRABill said:

    Out of curiosity, what would you recommend for a smaller company that wanted to segregate certain machines from the others, but still provide Internet access to both?

    What kind of connectivity needs to exist between the two groups of computers?



  • @Dashrender said:

    What kind of connectivity needs to exist between the two groups of computers?

    Let's say none.

    Perhaps you had a division that dealt with PHI and you wanted to keep that traffic away from the rest of the network.


  • @LAH3385 said:

    @Dashrender said:

    Well Scott beat me to it.. why do you want to use vLAN?

    Just hype thingy. Thought it might be better or improve something.

    What is it going to improve if you have no need for it?


  • @BRRABill said:

    @Dashrender said:

    What kind of connectivity needs to exist between the two groups of computers?

    Let's say none.

    Perhaps you had a division that dealt with PHI and you wanted to keep that traffic away from the rest of the network.

    You still need a firewall to properly separate them if you are sharing the same internet.



  • @BRRABill said:

    @Dashrender said:

    What kind of connectivity needs to exist between the two groups of computers?

    Let's say none.

    Perhaps you had a division that dealt with PHI and you wanted to keep that traffic away from the rest of the network.

    Assuming you have two live internet IPs, from the ISP provided device - switch, - from switch, two separate ERLs, each ERL goes to a switch that feeds a desired segment.



  • @BRRABill said:

    Out of curiosity, what would you recommend for a smaller company that wanted to segregate certain machines from the others, but still provide Internet access to both?

    You need a firewall for that, but the real question is... why do you want to segregate them? I'm not asking that because there are never reasons for needing to do this, but they would be very uncommon and exist purely in a "legacy LAN" environment where a LAN doesn't work.



  • @BRRABill said:

    @Dashrender said:

    What kind of connectivity needs to exist between the two groups of computers?

    Let's say none.

    Perhaps you had a division that dealt with PHI and you wanted to keep that traffic away from the rest of the network.

    I'd want them totally isolated so that I didn't care what network they were on 🙂



  • @Jason said:

    @BRRABill said:

    @Dashrender said:

    What kind of connectivity needs to exist between the two groups of computers?

    Let's say none.

    Perhaps you had a division that dealt with PHI and you wanted to keep that traffic away from the rest of the network.

    You still need a firewall to properly separate them if you are sharing the same internet.

    Even if not sharing an Internet connection, if you have VLANs for security, they always need a firewall to separate them.



  • @Dashrender said:

    @BRRABill said:

    @Dashrender said:

    What kind of connectivity needs to exist between the two groups of computers?

    Let's say none.

    Perhaps you had a division that dealt with PHI and you wanted to keep that traffic away from the rest of the network.

    Assuming you have two live internet IPs, from the ISP provided device - switch, - from switch, two separate ERLs, each ERL goes to a switch that feeds a desired segment.

    You can do that fine with a single ERL.



  • @scottalanmiller said:

    @BRRABill said:

    @Dashrender said:

    What kind of connectivity needs to exist between the two groups of computers?

    Let's say none.

    Perhaps you had a division that dealt with PHI and you wanted to keep that traffic away from the rest of the network.

    I'd want them totally isolated so that I didn't care what network they were on 🙂

    This for so many reasons. If a VLAN won't cut it, it's time to go old school.



  • @scottalanmiller said:

    You need a firewall for that, but the real question is... why do you want to segregate them? I'm not asking that because there are never reasons for needing to do this, but they would be very uncommon and exist purely in a "legacy LAN" environment where a LAN doesn't work.

    As someone who has steered away from vLANs for complexity reasons as you mentioned, I just know they were repeatedly mentioned in our HIPAA stuff as a way to safely segregate the PHI machines from the other machines. We do it another way, basically with a firewall. But was just wondering if that was the case, and if there was a simple alternative to the VLAN in that scenario.

    It might not even be a valid use case.


  • @scottalanmiller said:

    @Jason said:

    @BRRABill said:

    @Dashrender said:

    What kind of connectivity needs to exist between the two groups of computers?

    Let's say none.

    Perhaps you had a division that dealt with PHI and you wanted to keep that traffic away from the rest of the network.

    You still need a firewall to properly separate them if you are sharing the same internet.

    Even if not sharing an Internet connection, if you have VLANs for security, they always need a firewall to separate them.

    Not if you don't put a router between the two at all. Put the routers on access ports, then there's no need for a firewall.

    Granted, you could just use physically separate switches.



  • @BRRABill said:

    @scottalanmiller said:

    You need a firewall for that, but the real question is... why do you want to segregate them? I'm not asking that because there are never reasons for needing to do this, but they would be very uncommon and exist purely in a "legacy LAN" environment where a LAN doesn't work.

    As someone who has steered away from vLANs for complexity reasons as you mentioned, I just know they were repeatedly mentioned in our HIPAA stuff as a way to safely segregate the PHI machines from the other machines. We do it another way, basically with a firewall. But was just wondering if that was the case, and if there was a simple alternative to the VLAN in that scenario.

    It might not even be a valid use case.

    What do you mean? VLANs are separated by a firewall. That's the only realistic way to separate VLANs. What else are you picturing?

    I find the idea of PHI with VLAN pretty silly. It assumes that you bother to secure some stuff and not others. Why?



  • @Jason said:

    @scottalanmiller said:

    @Jason said:

    @BRRABill said:

    @Dashrender said:

    What kind of connectivity needs to exist between the two groups of computers?

    Let's say none.

    Perhaps you had a division that dealt with PHI and you wanted to keep that traffic away from the rest of the network.

    You still need a firewall to properly separate them if you are sharing the same internet.

    Even if not sharing an Internet connection, if you have VLANs for security, they always need a firewall to separate them.

    Not if you don't put a router between the two at all. Put the routers on access ports, then there's no need for a firewall.

    Granted, you could just use physically separate switches.

    True, if they were to have no means of communicating whatsoever, like one being treated much like a SAN.



  • @scottalanmiller said:

    What do you mean? VLANs are separated by a firewall. That's the only realistic way to separate VLANs. What else are you picturing?

    I find the idea of PHI with VLAN pretty silly. It assumes that you bother to secure some stuff and not others. Why?

    Don't know. Never got into it, and it might not even be a thing.

    Quick Google turned up things like this...
    "A simple technique for effective network segregation that requires little capital expenditure is called VLAN tagging, short for Virtual LAN. Different parts of your network can be logically separated into distinct "VLANs" and essentially create small quarantine zones between sets of machines that cannot speak to one another. This reduces data exposure, yet still allows internet connectivity for critical Windows Updates and antivirus definitions."



  • @BRRABill said:

    @scottalanmiller said:

    What do you mean? VLANs are separated by a firewall. That's the only realistic way to separate VLANs. What else are you picturing?

    I find the idea of PHI with VLAN pretty silly. It assumes that you bother to secure some stuff and not others. Why?

    Don't know. Never got into it, and it might not even be a thing.

    Quick Google turned up things like this...
    "A simple technique for effective network segregation that requires little capital expenditure is called VLAN tagging, short for Virtual LAN. Different parts of your network can be logically separated into distinct "VLANs" and essentially create small quarantine zones between sets of machines that cannot speak to one another. This reduces data exposure, yet still allows internet connectivity for critical Windows Updates and antivirus definitions."

    VLANs are way simpler than that describes. Think of separate networks. Literally you have one, the guy across the street has one. They are unrelated to each other. Now imagine that you want that but you want to share physical switches. That's VLANing. Literally "Virtual LANs." You get completely separate LANs out of it. That's it. Nothing more, nothing less. Any other concept is misconception.



  • @scottalanmiller said:

    @Dashrender said:

    @BRRABill said:

    @Dashrender said:

    What kind of connectivity needs to exist between the two groups of computers?

    Let's say none.

    Perhaps you had a division that dealt with PHI and you wanted to keep that traffic away from the rest of the network.

    Assuming you have two live internet IPs, from the ISP provided device - switch, - from switch, two separate ERLs, each ERL goes to a switch that feeds a desired segment.

    You can do that fine with a single ERL.

    Yeah, I suppose you're right.



  • VLANs are meant to replace what used to be stacks of actual switches. Before VLANs we used physically separate equipment for different LANs. Now we can have the LANs not be tied to specific switches but build the LANs in software on top of the switches.

    But we used to do this a lot for performance and VLANs actually make that harder rather than easier. But many people confuse what a VLAN does with what a full LAN does and recommend VLANs for the opposite thing that they do.



  • Like the others, I'd recommend using VLANs only if you need them to secure something. For instance, in a college where I worked previously, I helped migrate from the stacks of switches that @scottalanmiller mentions to a network using VLANs to separate student traffic from the admin traffic.

    You will definitely need a router (or layer 3 switch) or firewall to ensure that the VLANs have access to the internet, but not to one another.
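The last two posts describe a VLAN as a separate LAN built in software on a shared switch, with a router or firewall as the only path between VLANs. As an added example (not code from the thread, and not any vendor's implementation), this toy 802.1Q-aware switch parses tagged frames and shows that a frame is only ever forwarded to ports of its own VLAN; port names, VLAN IDs and MAC addresses are constructed.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an IEEE 802.1Q tag

def parse_frame(frame):
    """Return (dst, src, vid, rest); vid is None when untagged, rest starts at the inner EtherType."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        return dst, src, tci & 0x0FFF, frame[16:]  # low 12 bits of the TCI are the VLAN ID
    return dst, src, None, frame[12:]

def tag_frame(dst, src, vid, rest, pcp=0):
    """Insert an 802.1Q tag (PCP in the top 3 bits, VID in the low 12) in front of 'rest'."""
    return dst + src + struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid) + rest

class Switch:
    """Access ports carry one untagged VLAN; trunk ports carry tagged frames for a set of VIDs."""
    def __init__(self, access, trunks):
        self.access = access  # {port: vid}
        self.trunks = trunks  # {port: {vid, ...}}
        self.fdb = {}         # (vid, mac) -> port, learned per VLAN from source addresses

    def ingress(self, port, frame):
        """Return {egress_port: frame} for one received frame (empty dict means dropped)."""
        dst, src, vid, rest = parse_frame(frame)
        if port in self.access:
            if vid is not None:
                return {}                       # tagged frame arriving on an access port: drop
            vid = self.access[port]
        elif vid not in self.trunks.get(port, set()):
            return {}                           # untagged or disallowed VID on a trunk: drop
        self.fdb[(vid, src)] = port
        known = self.fdb.get((vid, dst))
        # Candidate egress ports are members of this VLAN only. A host in another VLAN is
        # unreachable here; crossing VLANs needs a router/firewall attached above the switch.
        members = [p for p, v in self.access.items() if v == vid] + \
                  [p for p, vids in self.trunks.items() if vid in vids]
        targets = [known] if known else members
        return {p: (dst + src + rest if p in self.access else tag_frame(dst, src, vid, rest))
                for p in targets if p != port}

def demo():
    """Constructed topology: p1/p2 in VLAN 10, p3 in VLAN 20, p4 a trunk carrying both."""
    sw = Switch(access={"p1": 10, "p2": 10, "p3": 20}, trunks={"p4": {10, 20}})
    h1, bcast = bytes.fromhex("020000000001"), b"\xff" * 6
    arp = b"\x08\x06" + b"\x00" * 28            # constructed ARP request body (EtherType 0x0806)
    flood = sw.ingress("p1", bcast + h1 + arp)  # untagged broadcast from a VLAN 10 host
    hop = sw.ingress("p1", tag_frame(bcast, h1, 20, arp))  # tagged frame on an access port
    return sorted(flood), parse_frame(flood["p4"])[2], hop
```

`demo()` returns `(['p2', 'p4'], 10, {})`: the VLAN 10 broadcast reaches the other VLAN 10 access port untagged and the trunk tagged with VID 10, never the VLAN 20 port, and the tagged frame on the access port is dropped.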

