Separation of Physical Networks via VLANs and Security Issues Therein
Home > IT Answers > Networking > Separation of Physical Networks via VLANs and...
Schmidtw
10505 pts.
0
Q:
Separation of Physical Networks via VLANs and Security Issues Therein
VLAN, Network infrastructure, Network design, VLAN configuration, VLAN management
Our company is looking to redo some networking infrastructure. Previous IT administrators created a daisy chain network topology and all information types, from APs to workstations aggregate on a single network. Lately we have seen some performance issues and wish to rewire much of our network into a star topology network. While doing so, we would like to separate our networks. Previous design considerations have included buying new switches and isolating the traffic on a per-type/per-switch basis. Recently however, I have been thinking about using the switches we already have, and setting up the different data types on the respective VLANS.

What do you know about VLANs?

How does their security rate?

Are they a viable solution for data segragation?

Thanks in advance for you help!

-Schmidtw
ASKED: Mar 24 2009  4:24 PM GMT
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
RELATED QUESTIONS
0
Labnuke99
26290 pts.
0
A:
 RATE THIS ANSWER
0
Click to Vote:
  •   0
  •  0
  • AddThis Social Bookmark Button
Keep in mind that when you put devices on VLANs you have to route between those VLANs so this can add some processing overhead that is not there in a simple flat switched network. So, if there are devices on VLANx that frequently talk to VLANy then there will be overhead on the routing device between those VLANs. There are some VLAN vulnerabilities out there so you should take some time to understand the risks for your environment. Unless your network is large, carrying lots of traffic or there is a security need, I would stay away from VLANs for the most part. Another time that you would need to implement VLAN's would be to support IP telephony. This will permit QOS & COS to be placed on the traffic. See my blogs on some VOIP/IPT considerations.

Most switches today can handle a lot of load without VLANs - you should see what the traffic loads & traffic types are on your network to see if you get any return on a redesign using VLANs.
Last Answered: Mar 24 2009  5:23 PM GMT by Labnuke99   26290 pts.
  •   
0
0
RSS - Discussions Help
Discuss This Answer:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _



_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

Jmflanag   230 pts.  |   Mar 25 2009  1:38AM GMT

Without going into too much detail, because I dont know you topology, VLAN should be used when you want to seperate traffic. If you have two networks, for example 10.1.1.0/24 and 10.1.2.0/24, and each of these networks have at least 100 hosts both, then you are going to have 200 hosts that will be sending broadcasts (esp if using windows) all the time. By creating a VLAN for each subnet, you limit the broadcast traffic to that paticular VLAN. If a subnet needs to communicate with another subnet, then a layer3 methodolgy needs to be in place, whether a router or layer3 switch. In all, if you have a small amount of hosts, then 1 VLAN is fine. If you have hosts on different floors that communicate with servers, then you want to look at VLAN’s and layer3. As far as security goes, VLAN’s only block broadcasts. If you have two differnet subnets, they will only be able to communicate via a layer 3 device. On that layer 3 device you will need access-lists to control traffic or implement a firewall

 

KevinBeaver   7610 pts.  |   Mar 31 2009  8:17PM GMT

Once you design/deploy, make sure you check your work….I’ve seen many people assume their VLANs were in place and everything was “secure” only to find out the hard way (especially with VoIP) that exploits are still possible using free tools such as Cain & Abel.

 
0