1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

What is VLAN

Discussion in 'Networking Issues' started by crawdaddy, Feb 5, 2006.

  1. crawdaddy

    crawdaddy Network Guru Member

    Now I consider myself to be a very proficient network engineer, having a ton of very succesful networks under my belt, but VLAN seems to be a concept that I can't completley wrap my brain around. From what I have read so far, VLANs are to break physical network segments into virtual network segments for some reason...why I can't fathom. It seems to be very handy and should be used with netowrks of any decent size, I just couldn't tell you when and how it should be done. Any thoughts that could help me understand how and why I should use VLANs would be very much appreicated. Thanks
     
  2. jcheung007

    jcheung007 Network Guru Member

    About VLAN



    Your concept is correct as far as the segmentation of the network goes.

    Let's say this, you work in a company where you have finance, HR, and admin departments, but you only have one physical class A network, so all of these people are in the same broadcast domain. Yet, you don't want they share or be able to access each other information, apparently, you don't want finance people to check out each other's salary from the HR's share drive, do you not? In this case, VLAN will come in handy.

    In this scenario, you can divide your class C networks into three seperate networks. For instance:

    VLAN1: Admin, with a network of 10.1.1.x
    VLAN2: HR, with a network of 10.2.1.x
    VLAN3: Finance, with a network of 10.3.1.x

    Since they are now all in a different subnet, they would not be able to access to other's resources regardless of the OS that you're running (Win 2003, 2000, I don't care, just doesn't matter). Simply because they are in the different networks. However, the challenge is, how do you logically sepearte them into different networks? Basically, you need a couple of things in place.

    1. You need to have routers to route the network traffic between networks, RIP, RIP2 must be in place.
    2. Your router must have FAST Ethernet to be able to do this. 10 mbps won't do you any good.
    3. You need to have a switch which is able to handle 802.11q protocol, capable of assigning VLANs into different ports, so those ports will route traffic to where they're supposed to go.

    So, what happens is:

    Router will assign VLAN1 to the a switch port (for example, port 1 to 3), so the Admin guys are in this group, and VLAN2 for HR and so forth.

    My suggestion to you is, if you're trying to implement this for business, forget about Linksys, go with Cisco. They have some cheap routers like SOHO 831 that would do the job beatifully. Even the older Cisco Catalysts can do VLAN with cheap price. They are incredibily reliable too. You want to have five 9s for business operation, do you not?

    Anyway, I hope this can help you a little bit to understand how VLAN works. Let me know if you need more help.

    Cheers.
     
  3. crawdaddy

    crawdaddy Network Guru Member

    makes sense, so that resourceful ppl that might know a little bit bout networking can't just change their ip addy and get into another department's resources. And then I'm guessing there's some way that you can then re-route it all through the same backbone trunk, like the net. Makes enough sense, still not sure where I would implement this, since I have not come across any netowrk where that amount of security and segmentation is required. Most of the time I find that even if the goal is for ppl to not have access to certain things, other resources in that section are needed for something, making VLANs impracticle in that situation. Like someone needing access to the accountant dept printer, since it's the only one that can print in A4 paper size, but noone needs access to accounting's data. I'll pick this concept up eventually. Right now I need to focus on radius and using it for accounting(for wireless users)
     
  4. RonWessels

    RonWessels Network Guru Member

    Umm, excuse me?

    I have absolutely no trouble mounting shares across different networks. It's a little trickier to set up, but it works just fine.

    In fact, the setup I have now is

    (Secure Network) <-> (NAT Router) <-> (Insecure & Wireless Network) <-> (NAT Router) <-> Internet

    I have specifically set it up this way because I need to mount one of the shares from the Insecure Network on one of the machines in the Secure Network. Yes it means that the Secure Network is double-NAT'ed to the Internet, but this has worked fine for several months now.
     
  5. Guyfromhe

    Guyfromhe Network Guru Member

    Usually when you setup a vlan your trying to completely seperate it from the rest of the networks on that physical wire...

    essentially every VLAN is like having a seperate switch with only ports participating in that VLAN being connected to that switch, usually you would implement this to trunk between switches.

    Let me give you my example.

    I have a PC based router thats handling my network, the computer itself only has 2 PCI slots. I need 1 NIC for lan and 1 NIC for WAN. I also have 2 ISP connections comming in and I want to be able to setup destinct firewall rules and NAT rules based on which interface it's comming in from. I am unable to add another NIC to the box and I don't need a full 100 mbit (only have about 15 mbit total worth of internet anyway) so I setup my WAN nic as a trunk port. I have a wrt54gs that has my 2 cable modems plugged into it, and I have those ports set to remove vlan tagging (so the cable modem only sees standard ethernet traffic) the switch on the linksys device adds the vlan tags based on what port it came in on (because that port is part of a particular vlan) and then all packets tagged come out the WAN interface on the router. My box then has several vlan interfaces setup on it and I can tell which ISP the packets are comming from.

    Another example is I have a class C routed to a box thats sitting on my LAN because it has to go through my router. This box is being used for testing and has some services open to the public, I don't want to allow this box to access anything on my LAN should it get comprimised and I don't want it to be able to view traffic on my LAN. I have it in it's own VLAN with it and it's upstream router only. The port on the router is configured to only be part of this particular vlan and the port is being untagged, so no traffic from outside will get in, and the router will not pay attention to any vlan requests from the box. This also prevents ARP cache poisoning which can happen on a non seperated layer 2 network.

    Theres also the example of having two or more different networks whcih need to go into a single output (a wireless bridge to another location) but you need to keep those two networks seperate when it gets to the other location.. You can use a vlan trunk to send these port distinctions to the remote site and have the switch on the other end decode and put it back into certian physical ports only.

    and in fact, the WRT54G uses vlans to seperate the LAN from the WAN ports, all 5 ports are on the same switch chip. The 4 LAN ports are put into 1 vlan, while the WAN port is put into another VLAN this keeps broadcast traffic from each network seperate from eachother and allows the router to route between interfaces.

    so if you use a WRT54G your using vlans and don't even know about it :)

    In the example described above you'd usually limit the traffic to a particular VLAN via a firewall on the routers to block traffic to specific resources based on IP... If the user is on VLAN1 and they try to use a IP they shouldn't be the firewall could see their comming from VLAN1 with an IP they shouldn't have and deny them access, if they were all just plugged into a switch the firewall couldn't tell the difference between someone in the acocunting dept and someone in the HR dept if they knew enough to change the IP on their computer.
     

Share This Page