The VLAN Debate: Explaining Why They Aren't the Greatest Thing Since Sliced Bread
-
So this post is more for helping me than anything.
VLANs are a fairly hotly debated topic in IT and the networking field. So many IT admins feel you should VLAN every network, every time. Now, I've always held the impression that if you have properly sized DHCP scopes, good QoS, and a solid infrastructure, you have to get REALLY big, like thousands of devices, before you even start talking about VLANs. I loved @scottalanmiller 's article about "One Big, Flat Network"...
http://www.smbitjournal.com/2014/10/one-big-flat-network/I had a discussion come up with a couple of coworkers a few weeks ago where one of the guy said that he VLANed a bunch of stuff. He was talking about how this one printer was throwing "lots of dirty traffic", although I'm not entirely sure even he knew what he meant by that. They talked about how you should use VLANs when you have VoIP networks, and my response to that is just QoS.
I'd love to be better equipped to answer this question the next time it comes up. I'm not denying that VLANs have a place in IT, but that most people jump to VLANs as the answer without considering other options.
Thoughts?
Thanks,
A.J. -
What about security? That's the biggest benefit in my mind, having stuff on a separate VLAN. Yes, in theory you can secure everything on one big network, but I like having an additional layer of protection.
-
@Nic said:
What about security? That's the biggest benefit in my mind, having stuff on a separate VLAN. Yes, in theory you can secure everything on one big network, but I like having an additional layer of protection.
That's really the main advantage of VLANs in my opinion, which I failed to mention in the OP. If you need something to be networked, but separate from other devices on the network, etc, VLANs are ideal for that. I think a lot of people often feel, though, that you need VLANs for QoS. They think that if they put all the phones on one VLAN they can give that VLAN priority over the others. However, QoS accomplishes this without the added complexity.
-
@Nic said:
What about security? That's the biggest benefit in my mind, having stuff on a separate VLAN. Yes, in theory you can secure everything on one big network, but I like having an additional layer of protection.
Security and management are the reasons FOR VLANs. They are the reasons that big enterprise shops always have them - because they need the management flexibility at that scale.
Few SMBs have any security to perform at that level. It happens, but it is pretty rare. You never see an SMB designing a dedicated network for the finance or legal departments, for example. You need dedicated services to make those useful, like storage and apps unique to those networks. If you are big enough to have a lab or a dev environment you can justify VLANs normally, but always because of security or management reasons.
-
@thanksaj said:
If you need something to be networked, but separate from other devices on the network, etc, VLANs are ideal for that.
It's only one option. You don't use VLANs for SANs, for example. You give them their own physical hardware. In the SMB, it's often easier to segregate physically rather than virtually. Especially if you want PoE on your VoIP segment, then a VLAN probably makes no sense since you could get physically separate LANs for less effort. I've seen that just in the last few weeks.
-
Good point - you'll need a separate server for your financial apps, which most often a smaller shop won't have.
-
@scottalanmiller , do you have any idea what my co-worker could have meant by "dirty traffic"? He was saying something about it spending lots of time testing the connection, or trying the connection, or basically creating a lot of traffic that he said didn't need to be seen by the whole network.
-
@thanksaj said:
@scottalanmiller , do you have any idea what my co-worker could have meant by "dirty traffic"? He was saying something about it spending lots of time testing the connection, or trying the connection, or basically creating a lot of traffic that he said didn't need to be seen by the whole network.
Probably he's confused. I doubt that he looked closely at the traffic being generated. If the printer is blasting broadcasts out to the whole network he has a problem that needs to be addressed, there is no reason for a device to be doing that. Anything else doesn't fit his description unless his network uses a hub, not a switch. In a modern switched network, only broadcast traffic is seen "by the network", not normal traffic. Implementing VLANs and inter-LAN routing to deal with one messed up printer is pretty poor networking guidance.
-
@scottalanmiller said:
@thanksaj said:
@scottalanmiller , do you have any idea what my co-worker could have meant by "dirty traffic"? He was saying something about it spending lots of time testing the connection, or trying the connection, or basically creating a lot of traffic that he said didn't need to be seen by the whole network.
Probably he's confused. I doubt that he looked closely at the traffic being generated. If the printer is blasting broadcasts out to the whole network he has a problem that needs to be addressed, there is no reason for a device to be doing that. Anything else doesn't fit his description unless is network uses a hub, not a switch. In a modern switched network, only broadcast traffic is seen "by the network", not normal traffic. Implementing VLANs and inter-LAN routing to deal with one messed up printer is pretty poor networking guidance.
Well, in all fairness, this guy was mixing up correlation and aggregation on the SIEM. The guy likes to talk big but he's not as good as he thinks he is, and everyone but him in L1 knows it.
-
It's too bad that hubs disappeared fifteen years ago. If kids today had to grow up using those and then graduate up to switches they would understand so much more about basic networking. Jumping straight to L3 devices with no understanding of the underpinnings it just a mess.
-
@scottalanmiller said:
It's too bad that hubs disappeared fifteen years ago. If kids today had to grow up using those and then graduate up to switches they would understand so much more about basic networking. Jumping straight to L3 devices with no understanding of the underpinnings it just a mess.
We have a 10mb hub or two in our equipment room just sitting on a shelf
-
I used to have one at home. It was great back when I was just learning networking. So glad that I didn't have switches right away. And my first five or six firewalls were all things that I built myself. For the first six years, or so, that I had Internet at home (maybe ten years, now that I think about it) there were no firewalls on the market to use. You either went without one (and not NAT either) or you built your own. That I had NAT at home was unthinkable for the first many years that I had it.
-
@Nic said:
Good point - you'll need a separate server for your financial apps, which most often a smaller shop won't have.
Not true, you use VMs.
-
@Dashrender said:
@Nic said:
Good point - you'll need a separate server for your financial apps, which most often a smaller shop won't have.
Not true, you use VMs.
LOL In all fairness, he never said "separate physical server". He could have been implying it could be a separate VM. Just saying.
-
@thanksaj said:
@Dashrender said:
@Nic said:
Good point - you'll need a separate server for your financial apps, which most often a smaller shop won't have.
Not true, you use VMs.
LOL In all fairness, he never said "separate physical server". He could have been implying it could be a separate VM. Just saying.
I'll give you and Nick that
-
@Dashrender said:
@Nic said:
Good point - you'll need a separate server for your financial apps, which most often a smaller shop won't have.
Not true, you use VMs.
You might, but often SMBs don't. Depends on the apps. Remember it needs to be basically the whole infrastructure, not only the apps for those users.
-
@scottalanmiller said:
I used to have one at home. It was great back when I was just learning networking. So glad that I didn't have switches right away. And my first five or six firewalls were all things that I built myself. For the first six years, or so, that I had Internet at home (maybe ten years, now that I think about it) there were no firewalls on the market to use. You either went without one (and not NAT either) or you built your own. That I had NAT at home was unthinkable for the first many years that I had it.
Memories. I moved into a duplex with a friend in 1997 and brought in 2 phone lines, hooked to a pair of USR 56k modems on serial ports of a Windows NT server I had acquired. I setup routing on the server and we proceeded to kick ass on Battle.net. Mostly in Starcraft. We were sitting side by side and always joined as a team.
In 1998 I was one of the first people to get Charter's brand new Cable modem service. We were beta testers. The Cable guy came in to install it, looked at my setup and said "umm I do not know what to do with that." I told him to prove it to his laptop and go home.
-
@thanksaj said:
He was talking about how this one printer was throwing "lots of dirty traffic", although I'm not entirely sure even he knew what he meant by that.
When you have a device sending lots of chatty packets out for no reason, e.g. pinging broadcast when not necessary or pulling DHCP info at inappropriate times. For example, the original iPhone had lots of problems with 802.11b traffic, causing access points to go nuts due to their incessant chatter. I read of a few colleges just out right banning Apple MACs from accessing the point due to their excessive nature.
But the solution for a dirty device on a LAN isn't to VLAN it out but to get rid of the device.
Sounds like you work with some real "winners".
-
I, too, have some hubs in storage. They make a quick and dirty port mirror when you want to examine traffic on a network. That said, if a printer is emitting "dirty traffic", then it needs to be configured to eliminate all of the protocols not in use on that network, shut down NetBIOS traffic, and he would be surprised how clean the printer could be. As for VLANs, I have been prompted to put VLANs in for my voice traffic, but I prefer to separate my voice and data physically when possible because it eliminates sharing the network up to the router, and optimizes my PoE switches. This also eliminates the need for more expensive L3 switches. In our case some of the phones act as a switch for the user's computer, and traffic would be doubled on the wire if it had to go to the router before returning to the other devices.
-
@dengelhardt that's a good point that people often miss - there are cases where using VLANs unnecessarily can cause traffic to have to "loop" through a router to return to the same device. In the case of VoIP phones acting as small switches at the desk it's the switch inside the phone doing it.
I had to deal with a network just a few weeks ago that had five routers and three switches, one of which was still on FastEthernet (10/100.)
They managed to make nearly all traffic have to pass through the slow switch for nearly everything. And some things looped through routers that were attached on both ends to the same VLAN!! It was insane.
