Let's talk about VLANs!

[HCHTech]

First of all, my focus and experience is SMB clients. Most of my clients are too small to have servers (even more so now that M365 can fill that need for many small clients. I do have a few bigger clients with on-prem servers so I do have to deal with more-complicated networking on occasion. Also, 100% of my knowledge of networking comes from self-study and experience. I have no formal training, and never apprenticed under anyone who did.

Most of my experience with VLANs is with guest wifi networks. We set these up primarily for security so the guest traffic can be segregated and controlled. My biggest client has a VLAN setup for their backup traffic, and one of my smaller clients sublets a single office in his space,. so we setup a VLAN to segregate that traffic and avoid having to install separate internet service.

For large setups (multiple servers, many employees and multiple locations) beyond what I see with my clientele, I understand it's common to have VLANs for printers, VLANs for servers, VLANs for BMC, VLANs for backup traffic, etc. In addition to security benefits, these are done to minimize broadcast traffic which makes the regular LAN that workstations are on run more efficiently. As I understand it, anyway.

I've been thinking more about these kinds of setups and wondering where the "size line" is where it's best practice to have these multiple VLANs. How many workstations, how many users, how much traffic do you need where this makes sense and is worth the extra setup & maintenance?

Further, if you allow traffic between VLANs, like you have to do if you had printers on their own VLAN, for example; does this destroy the security advantages of having a VLAN? In other words, are you left with just the broadcast traffic and "organizational" benefits of a VLAN if you don't isolate the traffic?

Why? Mostly, I guess I'm trying to fine-tune my recognition of situations that call for VLANs so I don't under-serve clients in the desire for simplicity.

 

[YeOldeStonecat]

I never saw VLANs just for printers.....I've kept those on the same network as production.
Networks of over...eh, 50 computers...I start to think about it.
But I'll put cameras and other IOT things in vlans for security

 

[Markverhyden]

I've always looked at VLAN's as a security and traffic management tool. So I wouldn't populate VLANS with specific devices. Such as one for printers, one for ap's, etc. What I've always seen is groups functionality. One for staff including devices that they would use like printers, MFP's, etc. If it's a large enough organization then subdivide it by functionality like one for sales, one for warehouse etc. Unless it's a major security situation I wouldn't bother with VLANs, say for less than 75 devices.

 

[britechguy]

Unless it's a major security situation I wouldn't bother with VLANs, say for less than 75 devices.

And while I will not say that VLANs provide no security, I think that there are many false beliefs about the level of security they provide. But not nearly so many, or frequent, as those that surround VPNs these days. They're talked about as though they're the security panacea, and more often than not they're entirely unnecessary and don't provide the security supposed.

 

[HCHTech]

What about baseboard management on servers, do you put those on their own subnet & VLAN?

 

[NETWizz]

First of all, my focus and experience is SMB clients. Most of my clients are too small to have servers (even more so now that M365 can fill that need for many small clients. I do have a few bigger clients with on-prem servers so I do have to deal with more-complicated networking on occasion. Also, 100% of my knowledge of networking comes from self-study and experience. I have no formal training, and never apprenticed under anyone who did.

Nothing wrong with that. I started the same. My real reason to go to networking originally was that I was tired of dealing with users and their individual computer problems, and I certainly didn't want to be a programmer but had a propensity in IT. I actually initially thought networking was just dealing with a lot of blinking lights ... simple stuff (i.e. if a link light isn't present it needs to be plugged in)even though I knew about subnetting. I actually started as a server guy first then realized I would rather specialize in networking, and every day I am glad I made that choice. Now I just feel like I am getting too old and should focus on management and IT strategy.

Most of my experience with VLANs is with guest wifi networks. We set these up primarily for security so the guest traffic can be segregated and controlled. My biggest client has a VLAN setup for their backup traffic, and one of my smaller clients sublets a single office in his space,. so we setup a VLAN to segregate that traffic and avoid having to install separate internet service.

This sounds reasonable enough. I actually do two (2) VLANS for WiFi at every site. One VLAN is for WiFi data and the other VLAN is for WiFi management. Essentially, if I see untagged traffic from APs (Aruba), I put that on the management VLAN, so all the APs in a cluster see each other. Then for any given SSID I specify the traffic is tagged to a specific WiFi Data VLAN. The switch port the APs is connected to is a Cisco Trunk (allows tagged traffic in the WiFi VLAN), and there is a Native VLAN set to the WiFi Management VLAN, so ALL the APs see each other as if they are on the same Layer-2 network. The only thing I want to point out though is that VLANs are really not strictly for security (because they don't really accomplish that due to routing). The real reason is because you likely have multiple floors and closets in bigger buildings whereby you realistically do NOT have one (1) data VLAN on the wired side. Case and point, I have buildings many of which have 4 floors with as many as 400 computers per floor. I have one building with 11 different areas each with as many as 400 users each! No way would I EVER even remotely think about putting 1200+ ish computers into a VLAN with one data subnet. One major malfunction like an unmitigated loop or messed up NIC could take out the entire building. That said for wireless, ALL APs (sometimes about 80 of them) need the same SSID (network name) and need their roaming capabilities turned on, so someone can walk the entire building. My expectation is that an individual can join a Microsoft Teams or Zoom call and walk the entire building or campus without dropping the call! For this to work, properly I cannot have 11 different AP clusters or 4 different AP clusters with different VLANs and subnets. this is the real reason for WiFi VLANS. P.S. My personal number for how many computers I want on a VLAN before segmenting is no more than 500 at most, and I prefer half that many. Basically, I am comfortable with a network that could be serviced by a /24 subnet within a VLAN. That said if that is not enough IPs a /23 should be enough. However, in practice I actually use mostly /21s (that is 8 /24's) on the wired network side because I split it in half for DHCP to be the second half and have twice as much as any sane person should ever connect to a network 1022 hosts. The first half is 4 /24,s and my breakdown is: (Layer-3 Devices, Routers, WAN Accelerators), (Layer-2 Devices, Switches, WiFi), (Servers, Appliances, Door Controls, Access Controls, Instruments), and (Printing, Scanning, Copying, Faxing)... That said I probably have only about 200ish actual IPs in a /21 on average... It is a lot of wasted IP space but doesn't matter because there are LOTs of private IPs.

For large setups (multiple servers, many employees and multiple locations) beyond what I see with my clientele, I understand it's common to have VLANs for printers, VLANs for servers, VLANs for BMC, VLANs for backup traffic, etc. In addition to security benefits, these are done to minimize broadcast traffic which makes the regular LAN that workstations are on run more efficiently. As I understand it, anyway.

You are correct. It is mostly for protection of the network and broadcast traffic. Case and point a loop not mitigated by loop-protect, loop-detection, or some flavor of Spanning-Tree, or even a bad fiber transceiver can take out an entire VLAN easily! I have seen it! Typically on switch trunks (trunks are ports that allow 802.1q "tagged" layer-2 "frames" across), they carry only frames tagged for certain allowed VLANs. Frames contain packets, Frames is the layer-2 PDU where packets is the Layer-3 PDU. Frames do NOT have a TTL! If something goes wrong there is nothing to contain the storm of traffic. When something goes horribly wrong on a network the real idea is to contain it to a specific VLAN. There is generally very little real security benefit!

I do not personally create printer VLANs simply because if I do that then I need to then provision subnets to setup as directly-connected network subnets serviced by those VLANs by adding their default-gateway to the SVI (Software Virtual Interface) of the site's Layer-3 switch. If it is a BGP enabled site then it gets automatically added to the WAN VRF in teh provider otherwise, I need to contact the provider to add the subnet as a static route in the VRF pointing to the WAN IP on that site's Layer-3 switch stack (known as the CE Customer Edge router). Of course there needs to be the DHCP helpers configured for that SVI, and the DHCP scope needs to be configured unless each printer is going to be statically IPed. Then each trunk to each wiring closet needs to allow those VLANs to each downstream closet, then each switch stack needs that VLAN created (nobody in the right mind actually runs VTP). Lastly each printer switch port needs to be made an access port in that VLAN the printer plugs into. Yes, obviously I could use something like Cisco Identity Services Engine (ISE) and automatically detect a printer and change the switchport to that VLAN automatically, but still what is the point of doing all of this? It adds no meaningful security! Let me explain why this does not add security... You go to print to it as a direct TCP/IP printer, and your computer puts its source IP and the destination IP of the printer on the packets. The computer's network layer looks at it and says 1) this is NOT in my local subnet, so instead of ARPing for the MAC address of the printer to drop the packets into frames on the local network I will instead ARP for the MAC address of my default gateway. 2) It makes frames from its SOURCE MAC to the DESTINATION MAC of the default-gateway (in its subnet) and tosses the packet in the frame. 3) The switch receives the FRAME and takes the PACKET directly out of the FRAME entirely. The switch examines the packet and compares it to its routing table and realizes the destination IP belongs to a directly-connected subnet it services in a different VLAN. The switch then takes the same PACKET (without modifying it) and 4) creates a NEW FRAME sourced from the switches' SVI in the printer's VLAN. Essentially the new FRAME is has the SOURCE MAC of the SVI on of the swtich in the printer VLAN and the switch ARPs in that VLAN to get the DESTINATION MAC of the printer then tosses the PACKET and drops it in the VLAN for deliver to the printer.. 5) The printer gets the frame containing the packet from the switch as if it is your computer. The only thing the printer does not get is the MAC address of your computer. Regardless, this works instantly for bidirectional traffic. In short, you click print and it prints to an IP printer in another VLAN because of routing (VLANS aren't for security).

I've been thinking more about these kinds of setups and wondering where the "size line" is where it's best practice to have these multiple VLANs. How many workstations, how many users, how much traffic do you need where this makes sense and is worth the extra setup & maintenance?

It depends on what you want and your equipment. I hate having more than 200ish to 250 ish computers in a VLAN, BUT I have put as many as 500 in one from time to time. If it means anything to you modern Cisco switches like the 9300 series 48 port units allow 8 switches in a StackWise 480 stack. Hence, if you just opened 8 of those $10,000 switches and cabled them into a big stack, you would get about 400 switchports in VLAN 1. Not a great idea but a reasonable upper limit. Half that is a better number in particle.

Further, if you allow traffic between VLANs, like you have to do if you had printers on their own VLAN, for example; does this destroy the security advantages of having a VLAN? In other words, are you left with just the broadcast traffic and "organizational" benefits of a VLAN if you don't isolate the traffic?

Why? Mostly, I guess I'm trying to fine-tune my recognition of situations that call for VLANs so I don't under-serve clients in the desire for simplicity.

No because to understand the security advantage you need to look at the CIA triad. Having reliable or available networks is security, too... It is NOT only about confidentiality. The advantage of VLANS is solely layer-2 segmentation. It is like creating separate virtual switches. Routing, however, pretty much offsets any security advantage by default. Yes, you can put Layer-3 controls between VLANS simply by attaching an Access-Control-List at the Layer-3 interface (i.e. the Software Virtual Interface such as Interface Vlan 123). You can technically put layer-2 and layer-3 controls per-port anyway with Identity-Based Network-Services such as Cisco ISE or Aruba ClearPass.

If you want truly meaningful security between VLANS you need to add higher-layer network architecture. Specifically, that is what firewalls are intended to do. What you are looking for is called firewall zones not VLANs for adding security. And YES firewalls are also routers... hope that helps.

 

[NETWizz]

I never saw VLANs just for printers.....I've kept those on the same network as production.
Networks of over...eh, 50 computers...I start to think about it.
But I'll put cameras and other IOT things in vlans for security

That probably makes sense in your area. It is all a judgement call, but from experience you are good to over 200 easily with my personal guideline being anything not serviced by a /24 it likely makes sense to make another /24 and put it into another VLAN.

In practice people move stuff around and printers are often static IPed, and we hate phone calls ... and networks grow ... and my real number of comfort is up to 500. A single Cisco StackWise 480 stack can be 8 48 port switches. If you just opened 8 boxes with some 9300 series switches and cabled them all into a stack out of the box you would get 388 copper 1000BaseT ports all in VLAN 1. Not saying it would be good only that it would work well. Heck even if you had a network loop at 1 Gbit/Sec it would not come close to harming the performance of a 480 Gbit/Sec Cisco stack... though it could certainly mess up all 1 Gbit/sec links in the impacted VLAN.

In practice I actually do broadcast storm control, loop-detection, and use Rapid Per-VLAN Spanning-Tree+ all to suppress misbehaving devices.

In practice I look at things like are these different buildings on a campus? Are these different floors? Are they different business silos?

That is the kind of question I actually ask before creating different data VLANs, and I really do not go out of my way to look for ways to divide and segment and subnet unless we are >200 for sure.

 

[NETWizz]

And while I will not say that VLANs provide no security, I think that there are many false beliefs about the level of security they provide. But not nearly so many, or frequent, as those that surround VPNs these days. They're talked about as though they're the security panacea, and more often than not they're entirely unnecessary and don't provide the security supposed.

BINGO

This took all of 2 minutes to prove the point. I clean booted a switch (in Packet Tracer), added two VLANs, split the switch in half with half the ports in each VLAN. Attached a computer on each half. Look below you will see the directly-connected subnets one in each VLAN.

Cisco IOS Software [Denali], Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 16.3.2, RELEASE SOFTWARE (fc4)
Technical Support : http://www.cisco.com/techsupport
Copyright(c) 1986 - 2016 by Cisco Systems, Inc.
Compiled Tue 08 - Nov - 16 17:31 by pt_team


Cisco IOS-XE software, Copyright(c) 2005 - 2016 by cisco Systems, Inc.
All rights reserved.Certain components of Cisco IOS - XE software are
licensed under the GNU General Public License("GPL") Version 2.0.The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY.You can redistribute and / or modify such
GPL code under the terms of GPL Version 2.0.For more details, see the
documentation or "License Notice" file accompanying the IOS - XE software,
or the applicable URL provided on the flyer accompanying the IOS - XE
software.



FIPS: Flash Key Check : Begin
FIPS: Flash Key Check : End, Not Found, FIPS Mode Not Enabled

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

PepdAngularApp

www.cisco.com

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco WS-C3650-24PS (MIPS) processor (revision N0) with 865815K/6147K bytes of memory.
Processor board ID FDO2031E1Q6
2048K bytes of non - volatile configuration memory.
4194304K bytes of physical memory.
250456K bytes of Crash Files at crashinfo : .
1609272K bytes of Flash at flash : .
0K bytes of at webui : .

Base ethernet MAC Address : 00:90:0C:BC:B3:C8
Motherboard assembly number : 73-15899-06
Motherboard serial number : FDO20311WHP
Model revision number : N0
Motherboard revision number : A0
Model number : WS-C3650-24PS
System serial number : FDO2031Q0TD





--- System Configuration Dialog ---

Would you like to enter the initial configuration dialog? [yes/no]: no


Press RETURN to get started!


Switch>en
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#vlan 2
Switch(config-vlan)#name test2
Switch(config-vlan)#vlan 3
Switch(config-vlan)#name test3
Switch(config-vlan)#exit
Switch(config)#int range g 1/0/1 - 12
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 2
Switch(config-if-range)#exit
Switch(config)#int range g 1/0/13 - 24
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 3
Switch(config-if-range)#exit
Switch(config)#int vlan 2
Switch(config-if)#
%LINK-5-CHANGED: Interface Vlan2, changed state to up
Switch(config-if)#ip add 192.168.2.1 255.255.255.0
Switch(config-if)#exit
Switch(config)#int vlan 3
Switch(config-if)#
%LINK-5-CHANGED: Interface Vlan3, changed state to up
Switch(config-if)#ip add 192.168.3.1 255.255.255.0
Switch(config-if)#exit
Switch(config)#ip routing
Switch(config)#exit
Switch#
%SYS-5-CONFIG_I: Configured from console by console

Switch#
%LINK-5-CHANGED: Interface GigabitEthernet1/0/18, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/18, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan3, changed state to up

%LINK-5-CHANGED: Interface GigabitEthernet1/0/2, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/2, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan2, changed state to up

Switch#
Switch#
Switch#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is not set

C 192.168.2.0/24 is directly connected, Vlan2
C 192.168.3.0/24 is directly connected, Vlan3

Switch#

Here is the result pinging from an IP on a subnet in VLAN 2 to an IP in a subnet in VLAN 3.... The switch did the routing of the packets between the VLANS:

 

[YeOldeStonecat]

What about baseboard management on servers, do you put those on their own subnet & VLAN?

For clients that are under "compliance"...that's desirable. (like HIPAA, NIST/CMMC, etc). I lump those with IoT. Same with switch management if you can.

 

[YeOldeStonecat]

Also don't assume that just because devices are in a VLAN, that they can't cross pollinate with other networks. Because....it depends now the VLANs are set up (often just in the switches)....and when they come together at the firewall, the firewall also has to know to block traffic 'tween the VLANs. Depends what hardware you have in place for switches and the firewall....different approaches. Often some firewalls are monolithic, so...different internal interfaces may, by default, be able to cross communicate with each other due to default routing.

 

[YeOldeStonecat]

That probably makes sense in your area. It is all a judgement call, but from experience you are good to over 200 easily with my personal guideline being anything not serviced by a /24 it likely makes sense to make another /24 and put it into another VLAN.

Yeah once you get to more enterprise size networks, I'm sure that makes sense. From your prior posts you tend to fly in a higher stratosphere than the typical MSP here that caters to typical SMBs where networks are usually under 150 devices total.

 

[HCHTech]

Thanks, everyone. I think I'm comfortable with how I'm doing things in my little corner of the SMB market. For all but one of my clients, everything is done in the firewall with zones. I write the traffic rules there to allow or deny traffic between zones. I haven't been separating BMC connections, so that's the one thing I'll be changing. Almost always, I'm accessing those connections over the internet via a VPN into the firewall anyway, so I don't think I need to provide access from within the LAN. That would certainly be the exception to the rule. I only have one client big enough to have multiple hosts, so they will require a separate VLAN and some switch configuration. For all of the single-host setups, I can just dedicate a port on the firewall for that.

Good topic - I learned a lot!

 

[NETWizz]

My smallest sites have one (1) switch and sometimes it is to run a single Access point and/or service two people. I know you are going to balk at this, but I currently buy only Cisco Catalyst 9300-48P-E as my lowest rung of switch and have pallets of them. I **** you not that one of my sites has an AT&T AVPN link for over $2,000 per month and is getting a $10,000 switch which will run one (1) Aruba AP-515... The staff probably two or three of them probably come in a couple of times a week. Not everything I do is big and grandiose, but I try to keep everything standardized to facilitate ease of management. I am not saying everything makes sense, but I end up looking at things like purchasing. If I want to order a $12 console cable it takes probably 60 days to go through the purchasing process. It takes the same amount of time to order a pallet of 40 switches for $400,000. You end up in situations with low-hanging fruit where an MSP or SOHO grade solution would work, but you provide an enterprise solution because you are simply in that mindset.

Simply put, in short everything all of you are doing is correct because it works and every environment is going to have different judgement calls. I doubt if I was using 8 port switches that I would put more than 50 on a VLAN either... You would get to a point with 6 or more devices and network cable all over that you just want it to work, want to get out, and want to get paid. I completely understand that.

Henck my home has a crappy Linksys WiFi router because I am cheap. I am not buying a Palo Alto PA 220 and annual subscriptions just to have a home lab. I actually do want to fix my home Wifi and have no idea what to buy. I should probably do a WiFi Survey with my Ekahau and then do a Ubiquiti solution. I only wish I had network cable in the walls.

 

[HCHTech]

I should probably do a WiFi Survey with my Ekahau and then do a Ubiquiti solution. I only wish I had network cable in the walls.

I totally get the "shoemaker's children" effect - I've got a 1940 stone house with plaster & lath walls = death for wifi. It took me a full day to run a single cable to the first floor and a single cable to the 2nd floor. I had a couple of Unifi AC-Pros left over from a job just about the same time as I had had enough with lousy wifi. It's still not perfect, but it works pretty well.

 

[YeOldeStonecat]

I totally get the "shoemaker's children" effect - I've got a 1940 stone house with plaster & lath walls = death for wifi. It took me a full day to run a single cable to the first floor and a single cable to the 2nd floor. I had a couple of Unifi AC-Pros left over from a job just about the same time as I had had enough with lousy wifi. It's still not perfect, but it works pretty well.

PA...the land of stone homes! A friend of mine who does what we do...out of Chambersburg PA...I see pics of lots of his installs in homes 'n businesses, and pics of his home. A challenge for sure!

I'll be driving through PA in about 2 hours as I drive back to CT...been about 4 weeks since I've been home. Brr...back to the cold!

 

[HCHTech]

PA...the land of stone homes!

We do have a ton of brick & stone houses here for sure....and slate roofs. We have a slate guy out about once every couple of years to look for problems, replace failed tiles, etc. The universe of folks who work on slate is definitely shrinking. Last year, we called our guy in March and the earliest available slot was September! The roof should last 100 years if you take care of it, but the first rule is to STAY THE HECK OFF OF IT.

Another fun thing with brick & stone is pointing. You definitely have to keep an eye on that. We have a cape-cod style house, with a very tall chimney that needed to have the cap replaced and completely repointed last year - Our first bid was $25K!! We ended up getting it done for $9K but it took 4 bids (and 3 months) to find someone reasonable. Because we have a slate roof, they did the whole thing from a cherry picker. They did the original quote with a camera drone - haha.

 

[YeOldeStonecat]

Another fun thing with brick & stone is pointing.

Yup....our prior home was an old large colonial with 2x chimneys....fireplaces opposite ends, and dealing with the old bricks, mortar, and the "cap"....it's maintenance that has to be kept up with for sure!