Networking Forums

To vlan or not to vlan, that's the question

Xous - Jose R. Negreira
03-29-2005, 02:45 PM

Hello everyone, 1st. post on this group here! (hope it's the right place)

Actually, the network I administer consists of 3 networks,
INTERNAL, DMZ, and EXTERNAL, which may be a familiar scenario for most of
you, simple and effective. The three networks are interconnected with a
firewall (on a linux box, using netfilter). I was asked to literally
divide the network in two (physically and/or logically), intending to
improve security & performance.

That's why we considered the option of a switch with VLAN support (but
we haven't done it in a serious way yet). Notice that we're talking
about a network with <100 hosts, counting servers and workstations.

The 1st. question is:
1) Why would I spend $$ on a switch that supports VLAN, among other
features(*), if (IMHO) I can implement the same thing with 2 common
switches (less money), and a firewall interconnecting them (managing
security & routing) ?

Besides the -probable- answer 'you just don't need vlan!!! Don't burn
money!', please let me write some additional questions:

2) In what environment is it really worth implementing vlan?
Google took me here:
http://nislab.bu.edu/nislab/educatio...ementation.htm
"Why implement Vlan?" but, It'd be nice to see comments about some
real-life examples.

3) What can I do with a vlan switch that I CANNOT DO with 2 switches?

4) Will the firewall/router interconnecting both networks have any
special issues to consider if the interconnected networks are a vlan
network, or are independent?


(*) there may be other features that I don't know, and may not even
need, but this can be gently answered in question 2

Regards,

PS: sorry for my eventual lack of knowledge; in that case, here go my
apologies in advance, and I'd be glad to be pointed to some "FMs"...so I
can RTFM :P


--
Jose R. "Xous" Negreira
[ *xous*at*xouslab_dot_com* ]
XousLAB - http://www.xouslab.com
iptableslinux - http://www.iptableslinux.com

prg
03-29-2005, 04:58 PM

Xous - Jose R. Negreira wrote:
> Hello everyone, 1st. post on this group here! (hope it's the right
> place)
>
> Actually the network I administer, consists of actually 3 networks,
> INTERNAL, DMZ, and EXTERNAL, that may be a familiar scenario for most
> of you, simple and effective. The three networks, are interconnected
> with a firewall (on a linux box, using netfilter). I was asked to
> literally divide the network in two (physically and/or logically),
> intending to improve security & performance.
>
> That's why we considered the option of a switch with VLAN support
> (but we haven't done it in a serious way yet). Notice that we're talking
> about a network with <100 hosts, counting servers and workstations.
>
> The 1st. question is:
> 1) Why would I spend $$ on a switch that supports VLAN, among other
> features(*), if (IMHO) I can implement the same thing with 2 common
> switches (less money), and a firewall interconnecting them (managing
> security & routing) ?


Unless you will now or in the near future implement vlans there is no
real reason to spend more $ to get more (unused) features. But many
newer, high speed switches are vlan capable anyway -- little $
difference.

> beside the -probable- answer is 'you just don't need vlan!!! Don't
> burn money!', please let me write some additional questions:
>
> 2) in what environment is really worthy implement vlan?
> Google took me here:
> http://nislab.bu.edu/nislab/educatio...ementation.htm
> "Why implement Vlan?" but, It'd be nice to see comments about some
> real-life examples.


VLANs allow you to design/assign nodes by functional commonality
without depending on _physical_ location. You will still require
routers to route traffic _between_ different vlans as well as switches
that support vlan trunking (to transport multiple vlan traffic across a
common link). Thus print and file servers may be more "easily"
positioned. This has given rise to greater centralized administration
and server farms in the school district. The district has more than
3000 nodes scattered across more than 30 campuses. Thus geography
within and between campuses and the NOS servers are more easily
"conquered". The logical network is more "logical".

> 3) What can I do with a vlan switch than I CANNOT DO with 2 switches?


Create vlans. It may be easier to control traffic/bandwidth to
accommodate varied requirements of nodes. Thus office/admin nodes are
easier to accommodate _and_ isolate from student accessible nodes.
Allows library nodes to incorporate outlying stations. Still debating
whether to interconnect the high school libraries on a common vlan.
For me the greatest vlan advantage is the way you can overcome
geographical/physical location.

> 4) The firewall/router interconnecting both networks will have any
> special issues to consider if the interconnected networks are a vlan
> network, or are independient?


Not generally if you design the vlans and IP network(s) properly.

> (*) there may be other features, that I don't know, and even I may
> not need, but this can be gently answered in question 2


Unless you have a pressing need for vlans there is no reason to go that
route, IMHO. They will not _inherently_ add to your security and
performance that you could not achieve with conventional
switching/routing.

If your physical distribution of nodes makes managing network
resources/access difficult, then I would seriously consider vlans as a
possible solution.

If you require more centralized control/administration of network
resources, then again I might consider vlan switching.

The "flexibility" and "ease of management" offered by vlans require
proper up-front setup (e.g., MAC tracking) and may require "management
software" to keep a handle on everything.

For a given amount of $ you may be able to get better throughput
speeds/latencies with conventional switches and _good_ GigE (fiber)
links.

With only 100 nodes, I suspect that you don't really need vlans as
opposed to conventional switching. In fact, vlans are usually combined
with conventional switching. Could you substantially reduce the
number/use of routers by implementing a switched vlan network?

Much of the flexibility of vlans can be implemented with good use of
DHCP and policy routing. At some point vlans are "easier" for carving
up networks according to differing resource/bandwidth requirements, but
for 100 nodes I'm not too sure. Are you expecting to implement VOIP?

Cisco has some pretty good, somewhat dated, networking docs you may
want to look at:
http://www.cisco.com/univercd/cc/td/...c/lanswtch.htm
http://www.cisco.com/univercd/cc/td/...dg4/nd2012.htm
http://www.cisco.com/univercd/cc/td/...idg4/index.htm
http://www.cisco.com/univercd/cc/td/..._doc/index.htm
http://www.cisco.com/univercd/cc/td/...ntwk/index.htm

hth,
prg


pizzy
03-29-2005, 08:56 PM
Hmmm VLANs, why bother? I think it depends if you want to segment your
network logically. Depending on the features of the switch you buy,
will determine the security options you have to choose from, although
you're not going to get higher than Layer 4 on the switch for security.
But if your internal network is trusted then why would you firewall the
heck out of it; these are business-to-business decisions, and are for
another discussion at another time. Let's carry on, a switch like
Extreme Networks will give you non-blocking, wire speed switching, but
if you want all your traffic to go slow path then pick a router. A
router in the middle will force all traffic to go slow path for routing
decisions between networks; for security reasons this may make sense
but for performance reasons you might want to use a vlan setup with
Access Control List to secure unwanted traffic. Whatever setup you
choose let the backbone have either a Cisco, Extreme, or Juniper Layer
3 switch...

Have fun!


Xous - Jose R. Negreira
03-31-2005, 04:22 PM
prg, thanks for your kind and long answer.
I *really* appreciated it, and just with a few words, I've learned a lot!!

What you suspected was the same as what I suspected. Now I completely realize that I
don't need VLANS.

"They (vlans) will not _inherently_ add to your security and performance
that you could not achieve with conventional switching/routing.".

So, a conventional switching-routing solution will be a better
cost/benefit solution (and about cost I'm talking about money, and
configuration administration), due to the current network size and
structure, no VoIP plans, etc. The real life example network (3000
nodes, 30 campuses) has really outstanding numbers; we're talking
definitively about different stuff. Thanks 4 showing me the way!

Regards,

--
Jose R. "Xous" Negreira
[ *xous*at*xouslab_dot_com* ]
XousLAB - http://www.xouslab.com
iptableslinux - http://www.iptableslinux.com


Xous - Jose R. Negreira
03-31-2005, 04:28 PM
pizzy, thank you too, man. About what u said:
"...for security reasons this may make sense but for performance reasons
you might want to use a vlan setup with Access Control List to secure
unwanted traffic."
So, if I understood u correctly: a router for uniting vlans is not
always needed? (Thought it IS needed).

Another question: you said before that you cannot get higher than Layer 4
on a switch. (Thought a switch could get higher to layer 2*), or in
other words, could implement filtering for MAC Address.

* considering this layers:
L5: Application
L4: TCP/UDP
L3: Network(IP)
L2: Link
L1: Physical

Regards,

--
Jose R. "Xous" Negreira
[ *xous*at*xouslab_dot_com* ]
XousLAB - http://www.xouslab.com
iptableslinux - http://www.iptableslinux.com


pizzy
04-01-2005, 12:22 AM
>So, if I understood u correctly: a router for uniting vlans is not
>always needed? (Thought it IS needed).

# I think the answer to your question is yes.


>Other question you said before, that you cannot get higher than Layer
>4 on a switch. (Thought a switch could get higher to layer 2*), or in
>other words, could implement filtering for MAC Address.

# A filter on a MAC Address only requires an Extreme Network switch to
map MAC to port at layer 2.

Marcin Szczepaniak
04-09-2005, 07:54 PM
At Tue, 29 Mar 2005 10:45:52 -0300 Xous - Jose R. Negreira wrote:
>
> Hello everyone, 1st. post on this group here! (hope it's the right place)
>
> Actually the network I administer, consists of actually 3 networks,
> INTERNAL, DMZ, and EXTERNAL, that may be a familiar scenario for most of
> you, simple and effective. The three networks, are interconnected with a
> firewall (on a linux box, using netfilter). I was asked to literally
> divide the network in two (phisically and/or logically), intending to
> improve security & performance.


Simply, there are two solutions for your network to be secure:

1) Put 3 NIC cards into your router PC, set up routing between them,
firewall, etc.
2) Use a switch with the vlan feature and IP aliases on your NIC.
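The second layout above, and prg's earlier point that a trunk link plus a router is still needed between VLANs, can be tried on the OP's netfilter box with the script below. It is an added example, not code from anyone in the thread: the trunk NIC `eth0`, VLAN ids 10 (INTERNAL) and 20 (DMZ), the subnets and the allowed ports are all assumptions. It uses 802.1Q tagged subinterfaces on the trunk port and an nftables ruleset, so the Linux box keeps enforcing the same per-segment policy it enforced with separate NICs, with a default of "no forwarding between VLANs", an anti-spoofing check per VLAN, and only the DMZ services INTERNAL is meant to reach allowed through.

```shell
#!/bin/sh
# Router-on-a-stick on a Linux netfilter box (example code, not from the thread).
# The firewall's single NIC is a trunk port; each VLAN becomes an 802.1Q
# subinterface, and nftables decides which inter-VLAN flows may be forwarded.
# All names, VLAN ids, subnets and ports below are assumptions.

TRUNK="${TRUNK:-eth0}"                      # assumed trunk-facing NIC
INT_VID=10; INT_NET=10.0.10.0/24; INT_GW=10.0.10.1/24   # assumed INTERNAL VLAN
DMZ_VID=20; DMZ_NET=10.0.20.0/24; DMZ_GW=10.0.20.1/24   # assumed DMZ VLAN

# Print the ip(8)/sysctl commands that create the tagged subinterfaces
# and turn the box into a router between them.
vlan_cmds() {
    cat <<EOF
ip link add link $TRUNK name $TRUNK.$INT_VID type vlan id $INT_VID
ip link add link $TRUNK name $TRUNK.$DMZ_VID type vlan id $DMZ_VID
ip addr add $INT_GW dev $TRUNK.$INT_VID
ip addr add $DMZ_GW dev $TRUNK.$DMZ_VID
ip link set $TRUNK up
ip link set $TRUNK.$INT_VID up
ip link set $TRUNK.$DMZ_VID up
sysctl -w net.ipv4.ip_forward=1
EOF
}

# Print an nftables ruleset: forwarding between VLANs is dropped unless
# explicitly allowed, and the DMZ can never initiate a connection to INTERNAL.
nft_ruleset() {
    cat <<EOF
flush ruleset
table inet vlan_fw {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # anti-spoofing: a packet arriving on a VLAN must carry that VLAN's source range
        iifname "$TRUNK.$INT_VID" ip saddr != $INT_NET counter drop
        iifname "$TRUNK.$DMZ_VID" ip saddr != $DMZ_NET counter drop
        # INTERNAL -> DMZ: only the services the DMZ is meant to offer
        iifname "$TRUNK.$INT_VID" oifname "$TRUNK.$DMZ_VID" ip daddr $DMZ_NET tcp dport { 22, 80, 443 } accept
        # anything else crossing VLANs (in particular DMZ -> INTERNAL) is logged and dropped
        counter log prefix "vlan-fw drop: " drop
    }
}
EOF
}

# Apply for real only when asked to ("sh router.sh apply", as root);
# otherwise the functions just print what would be done.
if [ "${1:-}" = "apply" ]; then
    vlan_cmds | sh -e
    nft_ruleset | nft -f -
else
    vlan_cmds
    nft_ruleset
fi
```

Run without arguments to review the generated commands and ruleset; `apply` as root configures the box. The switch-side prerequisite is the one prg names: the port facing `eth0` must be an 802.1Q trunk carrying both VLANs, and every other port must be an untagged access port in exactly one VLAN, otherwise a host could tag its own frames and bypass the policy.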

Raqueeb Hassan
04-11-2005, 05:53 AM
> 1) Put 3 NIC cards into your router PC, set routing between them,
> firewall, etc
> 2) Use switch with vlan feature and IP aliases on your NIC.


Yes, he is right. You might think of setting up zebra
[http://www.zebra.org/] for doing all kinds of routing. You might not
even need an expensive router for setting up a SOHO environment.

--
Raqueeb Hassan
Bangladesh

Jon(Diversicom)
04-11-2005, 12:35 PM
The only thing VLANs are good for is network segmentation. Period. They
don't really provide any added security in the standard sense.

Xous - Jose R. Negreira
04-20-2005, 04:24 PM
Jon(Diversicom) escribió:
> The only thing VLANs are good for is network segmentation. Period. They
> don't really provide any added security in the standard sense.
>


Thank u all people!!
You made me understand things a bit better now!!

--
Jose R. "Xous" Negreira
[ *xous*at*xouslab_dot_com* ]
XousLAB - http://www.xouslab.com
iptableslinux - http://www.iptableslinux.com