To vlan or not to vlan, that's the question

From: Xous - Jose R. Negreira (xous_at_xouslab.com)
Date: 03/29/05

Date: Tue, 29 Mar 2005 10:45:52 -0300

Hello everyone, 1st post on this group here! (hope it's the right place)

The network I administer actually consists of 3 networks:
INTERNAL, DMZ and EXTERNAL, which may be a familiar scenario for most of
you, simple and effective. The three networks are interconnected with a
firewall (on a Linux box, using netfilter). I was asked to literally
divide the network in two (physically and/or logically), intending to
improve security & performance.

That's why we considered the option of a switch with VLAN support (but
we haven't done it in a serious way yet). Notice that we're talking
about a network with <100 hosts, counting servers and workstations.

The 1st question is:
1) Why would I spend $$ on a switch that supports VLAN, among other
features (*), if (IMHO) I can implement the same thing with 2 common
switches (less money) and a firewall interconnecting them (managing
security & routing)?

Besides the (probable) answer 'you just don't need VLAN!!! Don't burn
money!', please let me write some additional questions:

2) In what environment is it really worth implementing VLANs?
Google took me here:
http://nislab.bu.edu/nislab/education/sc441/six/implementation.htm
"Why implement VLAN?", but it'd be nice to see comments about some
real-life examples.

3) What can I do with a VLAN switch that I CANNOT DO with 2 switches?

4) Will the firewall/router interconnecting both networks have any
special issues to consider if the interconnected networks are a VLAN
network, or are independent?

(*) there may be other features that I don't know of, and may not even
need, but this can be gently answered in question 2 ;)

Regards,

PS: sorry for any lack of knowledge on my part; in that case, here go my
apologies in advance, and I'd be glad to be pointed to some "FMs"... so I
can RTFM :P

-- 
Jose R. "Xous" Negreira
[ *xous*at*xouslab_dot_com* ]
XousLAB - http://www.xouslab.com
iptableslinux - http://www.iptableslinux.com
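An added example, not from the poster, on question 4: once INTERNAL, DMZ and EXTERNAL share one 802.1Q trunk into the Linux firewall, the segment a frame belongs to is no longer fixed by which cable it arrived on but by a 12-bit VLAN ID in the frame header, so the firewall must map VIDs to zones before applying any policy. The VID plan (10/20/30), the native VLAN and the allowed zone pairs below are assumptions for illustration, not anything stated in the post.

```python
import struct

# Assumed zone plan: the three networks become VLAN IDs on one tagged trunk.
VID_TO_ZONE = {10: "INTERNAL", 20: "DMZ", 30: "EXTERNAL"}
# Untagged frames on a trunk fall into the native VLAN; assumed to be EXTERNAL here.
NATIVE_VLAN_ZONE = "EXTERNAL"
# Assumed forwarding policy as (source zone, destination zone) pairs.
ALLOWED = {("INTERNAL", "DMZ"), ("INTERNAL", "EXTERNAL"), ("EXTERNAL", "DMZ")}
TPID_8021Q = 0x8100


def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet II header, with or without an 802.1Q tag after the MACs."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    vid, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("802.1Q tag truncated")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid = tci & 0x0FFF          # low 12 bits of the TCI are the VLAN ID
        offset = 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vid": vid,
            "ethertype": ethertype, "payload": frame[offset:]}


def zone_of(vid):
    """Map a VLAN ID to a zone; untagged -> native VLAN, unknown VID -> None."""
    return NATIVE_VLAN_ZONE if vid is None else VID_TO_ZONE.get(vid)


def decide(frame: bytes, egress_vid) -> str:
    """ACCEPT or DROP forwarding of an ingress frame onto the VLAN egress_vid."""
    src_zone = zone_of(parse_frame(frame)["vid"])
    dst_zone = zone_of(egress_vid)
    if src_zone is None or dst_zone is None:
        return "DROP"               # unmapped VID: never guess a zone
    return "ACCEPT" if (src_zone, dst_zone) in ALLOWED else "DROP"


def build_frame(dst: str, src: str, vid, ethertype: int, payload: bytes) -> bytes:
    """Construct a test frame (tagged when vid is not None); sample data only."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload
```

The same VID-to-zone mapping is what a netfilter box does implicitly when each 802.1Q subinterface is placed in its own zone; the untagged and unknown-VID cases are the ones worth checking explicitly on the real trunk configuration.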
