To vlan or not to vlan, that's the question

Discussion in 'Linux Networking' started by Xous - Jose R. Negreira, Mar 29, 2005.

  1. Hello everyone, 1st. post on this group here! (hope it's the right place)

    The network I administer actually consists of 3 networks, INTERNAL,
    DMZ, and EXTERNAL, which may be a familiar scenario for most of you,
    simple and effective. The three networks are interconnected with a
    firewall (on a linux box, using netfilter). I was asked to literally
    divide the network in two (physically and/or logically), intending to
    improve security & performance.

    That's why we considered the option of a switch with VLAN support (but
    we haven't done it in a serious way yet). Notice that we're talking
    about a network with <100 hosts, counting servers and workstations.

    The 1st. question is:
    1) Why would I spend $$ on a switch that supports VLAN, among other
    features(*), if (IMHO) I can implement the same thing with 2 common
    switches (less money), and a firewall interconnecting them (managing
    security & routing) ?

    besides the -probable- answer being 'you just don't need vlan!!! Don't
    burn money!', please let me write some additional questions:

    2) in what environment is it really worth implementing vlan?
    Google took me here:
    http://nislab.bu.edu/nislab/education/sc441/six/implementation.htm
    "Why implement Vlan?" but it'd be nice to see comments about some
    real-life examples.

    3) What can I do with a vlan switch that I CANNOT DO with 2 switches?

    4) Will the firewall/router interconnecting both networks have any
    special issues to consider if the interconnected networks are a vlan
    network, or are independent?


    (*) there may be other features, that I don't know, and even I may not
    need, but this can be gently answered in question 2 ;)

    Regards,

    PS: sorry for my possible lack of knowledge; in that case, here go my
    apologies in advance, and I'd be glad to be pointed to some "FMs"... so I
    can RTFM :p
     
    Xous - Jose R. Negreira, Mar 29, 2005
    #1

  2. prg Guest (replying to Xous - Jose R. Negreira)

    Unless you will now or in the near future implement vlans there is no
    real reason to spend more $ to get more (unused) features. But many
    newer, high speed switches are vlan capable anyway -- little $
    difference.

    VLANs allow you to design/assign nodes by functional commonality
    without depending on _physical_ location. You will still require
    routers to route traffic _between_ different vlans as well as switches
    that support vlan trunking (to transport multiple vlan traffic across a
    common link). Thus print and file servers may be more "easily"
    positioned. This has given rise to greater centralized administration
    and server farms in the school district. The district has more than
    3000 nodes scattered across more than 30 campuses. Thus geography
    within and between campuses and the NOS servers are more easily
    "conquered". The logical network is more "logical" ;)

    Create vlans ;) It may be easier to control traffic/bandwidth to
    accommodate varied requirements of nodes. Thus office/admin nodes are
    easier to accommodate _and_ isolate from student accessible nodes.
    Allows library nodes to incorporate outlying stations. Still debating
    whether to interconnect the high school libraries on a common vlan.
    For me the greatest vlan advantage is the way you can overcome
    geographical/physical location.

    Not generally if you design the vlans and IP network(s) properly.

    Unless you have a pressing need for vlans there is no reason to go that
    route, IMHO. They will not _inherently_ add to your security and
    performance that you could not achieve with conventional
    switching/routing.

    If your physical distribution of nodes makes managing network
    resources/access difficult, then I would seriously consider vlans as a
    possible solution.

    If you require more centralized control/administration of network
    resources, then again I might consider vlan switching.

    The "flexibility" and "ease of management" offered by vlans require
    proper up-front setup (eg., MAC tracking) and may require "management
    software" to keep a handle on everything.

    For a given amount of $ you may be able to get better throughput
    speeds/latencies with conventional switches and _good_ GigE (fiber)
    links.

    With only 100 nodes, I suspect that you don't really need vlans as
    opposed to conventional switching. In fact, vlans are usually combined
    with conventional switching. Could you substantially reduce the
    number/use of routers by implementing a switched vlan network?

    Much of the flexibility of vlans can be implemented with good use of
    DHCP and policy routing. At some point vlans are "easier" for carving
    up networks according to differing resource/bandwidth requirements, but
    for 100 nodes I'm not too sure. Are you expecting to implement VOIP?

    Cisco has some pretty good, somewhat dated, networking docs you may
    want to look at:
    http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/lanswtch.htm
    http://www.cisco.com/univercd/cc/td/doc/cisintwk/idg4/nd2012.htm
    http://www.cisco.com/univercd/cc/td/doc/cisintwk/idg4/index.htm
    http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/index.htm
    http://www.cisco.com/univercd/cc/td/doc/cisintwk/index.htm

    hth,
    prg
     
    prg, Mar 29, 2005
    #2

  3. pizzy Guest (replying to Xous - Jose R. Negreira)

    Hmmm VLANs, why bother? I think it depends on whether you want to segment
    your network logically. The features of the switch you buy will
    determine the security options you have to choose from, although you're
    not going to get higher than Layer 4 on the switch for security. But if
    your internal network is trusted then why would you firewall the heck
    out of it; these are business-to-business decisions, and are for
    another discussion at another time. Let's carry on: a switch like
    Extreme Networks will give you non-blocking, wire speed switching, but
    if you want all your traffic to go slow path then pick a router. A
    router in the middle will force all traffic to go slow path for routing
    decisions between networks; for security reasons this may make sense
    but for performance reasons you might want to use a vlan setup with
    Access Control Lists to secure against unwanted traffic. Whatever setup
    you choose, let the backbone have either a Cisco, Extreme, or Juniper
    Layer 3 switch...

    Have fun!
     
    pizzy, Mar 29, 2005
    #3
  4. prg, thanks for your kind and long answer.
    I *really* appreciated it, and just with a few words, I've learned a lot!!

    What you suspected was the same as what I suspected. Now I completely
    realize that I don't need VLANs.

    "They (vlans) will not _inherently_ add to your security and performance
    that you could not achieve with conventional switching/routing."

    So, a conventional switching-routing solution will be a better
    cost/benefit solution (and by cost I'm talking about money and
    configuration administration), due to the current network size and
    structure, no VoIP plans, etc. The real-life example network (3000
    nodes, 30 campuses) has really outstanding numbers; we're talking
    definitively about different stuff. Thanks 4 showing me the way!

    Regards,

    --
    Jose R. "Xous" Negreira
    [ *xous*at*xouslab_dot_com* ]
    XousLAB - http://www.xouslab.com
    iptableslinux - http://www.iptableslinux.com
     
    Xous - Jose R. Negreira, Mar 31, 2005
    #4
  5. pizzy, thank you too, man :). About what u said:
    "...for security reasons this may make sense but for performance reasons
    you might want to use a vlan setup with Access Control List to secure
    unwanted traffic."
    So, if I understood u correctly: a router for uniting vlans is not
    always needed? (I thought it IS needed.)

    Another question: you said before that you cannot get higher than Layer 4
    on a switch. (I thought a switch could get higher than layer 2*), or in
    other words, could implement filtering for MAC Addresses.

    * considering this layers:
    L5: Application
    L4: TCP/UDP
    L3: Network(IP)
    L2: Link
    L1: Physical

    Regards,

    --
    Jose R. "Xous" Negreira
    [ *xous*at*xouslab_dot_com* ]
    XousLAB - http://www.xouslab.com
    iptableslinux - http://www.iptableslinux.com
     
    Xous - Jose R. Negreira, Mar 31, 2005
    #5
  6. pizzy Guest (replying to Xous - Jose R. Negreira)

    So, if I understood u correctly: a router for uniting vlans is not
    # I think the answer to your question is yes.

    # A filter on a MAC Address only requires an Extreme Networks switch to
    map MAC to port at layer 2
     
    pizzy, Apr 1, 2005
    #6
  7. Simply put, there are two solutions for your network to be secure:

    1) Put 3 NIC cards into your router PC, set routing between them,
    firewall, etc
    2) Use switch with vlan feature and IP aliases on your NIC.
     
    Marcin Szczepaniak, Apr 9, 2005
    #7
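    Both of Marcin's options, and the netfilter box in the original post,
    come down to the same thing: the segmentation is only as good as the
    policy on the device that routes between INTERNAL, DMZ and EXTERNAL,
    whether those segments arrive on three NICs or as tagged VLANs on one
    trunk. The script below is an added example and is not code from any
    poster in this thread. It shows Marcin's second option on the Linux side
    using 802.1Q sub-interfaces (the iproute2 `ip link ... type vlan` form,
    rather than the IP aliases he mentions) plus a default-deny netfilter
    FORWARD policy. Everything concrete in it is a constructed assumption:
    trunk NIC eth0, VLAN ids 10/20/30, the 10.0.x.0/24 subnets, and a DMZ
    web server at 10.0.20.10. With DRY_RUN=1 it prints the commands instead
    of running them, so the resulting policy can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the thread): a Linux "router on a stick" joining
# INTERNAL / DMZ / EXTERNAL as 802.1Q VLANs on one trunk port, with a
# default-deny netfilter FORWARD policy between them.
# Assumptions (constructed): trunk NIC eth0, VLAN ids 10/20/30, subnets
# 10.0.10.0/24, 10.0.20.0/24, 10.0.30.0/24, DMZ web server 10.0.20.10.
# DRY_RUN=1 prints each command instead of executing it.

TRUNK=${TRUNK:-eth0}
DRY_RUN=${DRY_RUN:-0}

# Execute a command, or just echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Zone table (constructed): name, 802.1Q VLAN id, router address on that VLAN.
zones() {
    cat <<'EOF'
INTERNAL 10 10.0.10.1/24
DMZ      20 10.0.20.1/24
EXTERNAL 30 10.0.30.1/24
EOF
}

# One 802.1Q sub-interface per zone on the trunk NIC, then enable forwarding
# so the box routes between them.
setup_vlans() {
    zones | while read -r name id addr; do
        run ip link add link "$TRUNK" name "$TRUNK.$id" type vlan id "$id"
        run ip addr add "$addr" dev "$TRUNK.$id"
        run ip link set "$TRUNK.$id" up
    done
    run sysctl -w net.ipv4.ip_forward=1
}

# netfilter policy: nothing crosses a VLAN boundary unless explicitly allowed.
# The VLAN tags only decide which sub-interface a frame arrives on; these
# rules are what actually separate the segments.
setup_firewall() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # INTERNAL may reach the DMZ web server and the outside world
    run iptables -A FORWARD -i "$TRUNK.10" -o "$TRUNK.20" -d 10.0.20.10 -p tcp --dport 80 -j ACCEPT
    run iptables -A FORWARD -i "$TRUNK.10" -o "$TRUNK.30" -j ACCEPT
    # EXTERNAL may reach only the DMZ web server
    run iptables -A FORWARD -i "$TRUNK.30" -o "$TRUNK.20" -d 10.0.20.10 -p tcp --dport 80 -j ACCEPT
    # DMZ must never initiate into INTERNAL; log such attempts before dropping
    run iptables -A FORWARD -i "$TRUNK.20" -o "$TRUNK.10" -j LOG --log-prefix "DMZ->INTERNAL "
    run iptables -A FORWARD -i "$TRUNK.20" -o "$TRUNK.10" -j DROP
}

setup_all() {
    setup_vlans
    setup_firewall
}

# Apply only when explicitly asked, so the file can also be sourced for review.
if [ "${VLAN_FW_APPLY:-0}" = 1 ]; then
    setup_all
fi
```

    Review the output of `DRY_RUN=1 VLAN_FW_APPLY=1 sh vlan-fw.sh` before
    applying it; the point of the dry run is that the cross-VLAN policy is
    readable as a short allow list with an explicit drop at the end, which
    is the property Jon's later reply is getting at when he says VLANs give
    segmentation, not security, on their own.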
  8. 1) Put 3 NIC cards into your router PC, set routing between them,
    Yes, he is right. You might think of setting up zebra
    [http://www.zebra.org/] for doing all kinds of routing. You might not
    even need an expensive router for setting up a SOHO environment.
     
    Raqueeb Hassan, Apr 11, 2005
    #8
  9. The only thing VLANs are good for is network segmentation. Period. They
    don't really provide any added security in the standard sense.
     
    Jon(Diversicom), Apr 11, 2005
    #9
  10. Jon(Diversicom) wrote:
    Thank u all people!!
    You made me understand things a bit better now!! ;)
     
    Xous - Jose R. Negreira, Apr 20, 2005
    #10
  11. But can't you encrypt everything on a vlan?

    Isn't the encryption better than WEP at least?
     
    Coenraad Loubser, Apr 20, 2005
    #11