Separation of Physical Networks via VLANs and Security Issues Therein

11330 pts.
Tags:
Network design
Network infrastructure
VLAN
VLAN configuration
VLAN management
Our company is looking to redo some networking infrastructure. Previous IT administrators created a daisy chain network topology and all information types, from APs to workstations aggregate on a single network. Lately we have seen some performance issues and wish to rewire much of our network into a star topology network. While doing so, we would like to separate our networks. Previous design considerations have included buying new switches and isolating the traffic on a per-type/per-switch basis. Recently however, I have been thinking about using the switches we already have, and setting up the different data types on the respective VLANS. What do you know about VLANs? How does their security rate? Are they a viable solution for data segragation? Thanks in advance for you help! -Schmidtw

Answer Wiki

Thanks. We'll let you know when a new response is added.

Keep in mind that when you put devices on VLANs you have to route between those VLANs so this can add some processing overhead that is not there in a simple flat switched network. So, if there are devices on VLANx that frequently talk to VLANy then there will be overhead on the routing device between those VLANs. There are some VLAN vulnerabilities out there so you should take some time to understand the risks for your environment. Unless your network is large, carrying lots of traffic or there is a security need, I would stay away from VLANs for the most part. Another time that you would need to implement VLAN’s would be to support IP telephony. This will permit QOS & COS to be placed on the traffic. See my blogs on some VOIP/IPT considerations.

Most switches today can handle a lot of load without VLANs – you should see what the traffic loads & traffic types are on your network to see if you get any return on a redesign using VLANs.

Discuss This Question: 2  Replies

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
  • Jmflanag
    Without going into too much detail, because I dont know you topology, VLAN should be used when you want to seperate traffic. If you have two networks, for example 10.1.1.0/24 and 10.1.2.0/24, and each of these networks have at least 100 hosts both, then you are going to have 200 hosts that will be sending broadcasts (esp if using windows) all the time. By creating a VLAN for each subnet, you limit the broadcast traffic to that paticular VLAN. If a subnet needs to communicate with another subnet, then a layer3 methodolgy needs to be in place, whether a router or layer3 switch. In all, if you have a small amount of hosts, then 1 VLAN is fine. If you have hosts on different floors that communicate with servers, then you want to look at VLAN's and layer3. As far as security goes, VLAN's only block broadcasts. If you have two differnet subnets, they will only be able to communicate via a layer 3 device. On that layer 3 device you will need access-lists to control traffic or implement a firewall
    230 pointsBadges:
    report
  • Kevin Beaver
    Once you design/deploy, make sure you check your work....I've seen many people assume their VLANs were in place and everything was "secure" only to find out the hard way (especially with VoIP) that exploits are still possible using free tools such as Cain & Abel.
    17,385 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Thanks! We'll email you when relevant content is added and updated.

Following