Separation of Physical Networks via VLANs and Security Issues Therein

Schmidtw

11330 pts.

Tags:

Network design

Network infrastructure

VLAN

VLAN configuration

VLAN management

Our company is looking to redo some networking infrastructure. Previous IT administrators created a daisy chain network topology and all information types, from APs to workstations aggregate on a single network. Lately we have seen some performance issues and wish to rewire much of our network into a star topology network. While doing so, we would like to separate our networks. Previous design considerations have included buying new switches and isolating the traffic on a per-type/per-switch basis. Recently however, I have been thinking about using the switches we already have, and setting up the different data types on the respective VLANS. What do you know about VLANs? How does their security rate? Are they a viable solution for data segragation? Thanks in advance for you help! -Schmidtw

Asked: March 24, 2009 4:24 PM Last updated: December 12, 2013 4:18 PM

Answer Wiki

Last updated: December 12, 2013 4:18 PM GMT

Michael Tidmarsh62,155 pts.
History
Contributors
- Ordered by most recent
- Michael Tidmarsh62,155 pts.
- Labnuke9932,960 pts.

Thanks. We'll let you know when a new response is added.

Keep in mind that when you put devices on VLANs you have to route between those VLANs so this can add some processing overhead that is not there in a simple flat switched network. So, if there are devices on VLANx that frequently talk to VLANy then there will be overhead on the routing device between those VLANs. There are some VLAN vulnerabilities out there so you should take some time to understand the risks for your environment. Unless your network is large, carrying lots of traffic or there is a security need, I would stay away from VLANs for the most part. Another time that you would need to implement VLAN’s would be to support IP telephony. This will permit QOS & COS to be placed on the traffic. See my blogs on some VOIP/IPT considerations.

Most switches today can handle a lot of load without VLANs – you should see what the traffic loads & traffic types are on your network to see if you get any return on a redesign using VLANs.

Discuss This Question: 2 Replies

Jmflanag Mar 25, 2009 1:38 AM GMT

Without going into too much detail, because I dont know you topology, VLAN should be used when you want to seperate traffic. If you have two networks, for example 10.1.1.0/24 and 10.1.2.0/24, and each of these networks have at least 100 hosts both, then you are going to have 200 hosts that will be sending broadcasts (esp if using windows) all the time. By creating a VLAN for each subnet, you limit the broadcast traffic to that paticular VLAN. If a subnet needs to communicate with another subnet, then a layer3 methodolgy needs to be in place, whether a router or layer3 switch. In all, if you have a small amount of hosts, then 1 VLAN is fine. If you have hosts on different floors that communicate with servers, then you want to look at VLAN's and layer3. As far as security goes, VLAN's only block broadcasts. If you have two differnet subnets, they will only be able to communicate via a layer 3 device. On that layer 3 device you will need access-lists to control traffic or implement a firewall

230 pointsBadges:

report
Kevin Beaver Mar 31, 2009 8:17 PM GMT

Once you design/deploy, make sure you check your work....I've seen many people assume their VLANs were in place and everything was "secure" only to find out the hard way (especially with VoIP) that exploits are still possible using free tools such as Cain & Abel.

25,745 pointsBadges:

report