VLAN versus Router

We have an industrial Ethernet network that is connected by one leg to a company wide network through a standard switch.

We need to segregate the industrial network from the rest of the network to avoid viruses, broadcasts, DoS attacks etc. affecting the industrial network.

The industrial network doesn't need the rest of the network or the Internet etc.

We may want to VPN onto the industrial network occasionally from one or two PCs on the rest of the network (we have a VPN server configured already).

Our network people want us to go VLAN; I would prefer a router to totally segregate us. Either solution should be easy, as we only have one leg connecting both networks.

What are the advantages/disadvantages of each solution?

Rick Hobbs RETIRED Commented:
Totally acceptable solution.  Basically by adding two cards to a PC you have created a poor man's router.  In fact, if you decided to run Linux on that system, you can use iptables (similar to ACLs) and there are versions of free proxy software.
For VPN you can use this software


snerkelAuthor Commented:
ded9 maybe you should read the question a little more; your first answer is irrelevant, we already have a VPN.

Your second answer tells me what VLAN and router are, again not an answer to the question.

Basically, if you want to go for VLAN you still need a router to route the traffic if you want to route traffic between the 2 networks, which is something you DON'T want.

So a simple solution would be to make the 2 networks into different subnets, and then communication won't happen between those 2 networks unless you have a router. To keep this still simple, why not just unplug the connecting link between the main network and the industrial network?

I guess you still need to have that for 'some' reason. Can you explain a little more on that front?


Sorry for the above link

Advantages of VLAN

Here are some common reasons why you may consider VLANs:

Separating systems that have sensitive data from the rest of the network decreases the chances that people will gain access to information they are not authorized to see.

Projects/Special applications
Managing a project or working with a specialized application can be simplified by the use of a VLAN that brings all of the required nodes together.

Careful monitoring of network use allows the network administrator to create VLANs that reduce the number of router hops and increase the apparent bandwidth for network users.

Broadcasts/Traffic flow
Since a principal element of a VLAN is the fact that it does not pass broadcast traffic to nodes that are not part of the VLAN, it automatically reduces broadcasts. Access lists provide the network administrator with a way to control who sees what network traffic. An access list is a table the network administrator creates that lists which addresses have access to that network.

Departments/Specific job types
Companies may want VLANs set up for departments that are heavy network users (such as multimedia or engineering), or a VLAN across departments that is dedicated to specific types of employees (such as managers or sales people).

Even though not all networking devices comply with the VLAN extension, there is a way to handle both:

    * Every section of the network that consists of only VLAN-unaware (untagged) devices is logically assumed to participate in only one VLAN.
    * All the VLAN-aware (tagged) devices can be configured to participate in any VLAN or several VLANs as well.
    * Connecting a tagged section to an untagged section will always be done with a tagged device that assumes the untagged section belongs to a certain VLAN. All the traffic from this section into the tagged network will be assigned a default VLAN, and all the traffic in the tagged network that carries this VLAN (the default one) will be forwarded into the untagged section, but not before it is stripped of its VLAN tags.
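The tagged/untagged handling in the list above, as an added switch configuration that is not part of the original comment. It uses Cisco IOS syntax with constructed VLAN numbers and port names:

```cisco
! Added example (constructed): how a VLAN-aware switch joins tagged and untagged sections.
vlan 10
 name OFFICE
vlan 20
 name INDUSTRIAL
!
! Untagged section: a VLAN-unaware PLC or HMI plugs into an access port.
! Frames arriving here are assigned VLAN 20; frames leaving are sent without a tag.
interface FastEthernet0/1
 description industrial device (untagged)
 switchport mode access
 switchport access vlan 20
!
! Tagged section: uplink to another VLAN-aware switch. Frames carry 802.1Q tags,
! except for the native (default) VLAN, which crosses the trunk untagged.
! The native VLAN is set to an unused number so that no untagged frame on the
! uplink lands in a production VLAN.
interface GigabitEthernet0/1
 description trunk to core switch (tagged)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
!
! This only separates broadcast domains. Traffic between VLAN 10 and VLAN 20
! still needs a routing device (router or L3 switch), and that is where any
! access control between the two networks has to be applied.
```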

snerkelAuthor Commented:
>> I guess, you still need to have that for 'some' reason. Can you explain a little more on that front ?

Rajesh I need access on a virtually daily basis from my office in another part of the plant, this can be for fault finding and improvements to various pieces of equipment, all on the industrial network. Currently I just connect directly by IP address as can anyone else on our network (our network is global so someone 1000s of miles away could access it). I would like to use a router and just allow VPN access onto the industrial network (I know how to do this, our VPN server is already setup but not really used).

Sometimes we have to connect from the Industrial network to the main network to access the Internet for updates or for support staff. We can do this now, and would still be able to do it going out through a router, or if we had a VLAN.

I have control of the Industrial network, I don't have control of the main network. Anything we connect to the main network has to go through an outside contractor who has control of this network. They are saying they want us to go VLAN, I want to go router so that we can add devices to our Industrial network without requesting IP addresses from the outside contractor. I will also be able to control the router settings to allow in only the traffic I want to allow in, I believe this will be more secure as a VLAN (from past experience) will be configured so that anyone can still access our industrial network from the main network (as long as they know the IP address).

I can force the issue, but I need to be certain of my facts before involving the big guns.

Reason this issue got raised is that some of my devices were subject to a DoS that stopped production and cost 10s of thousands of $ in the few minutes it lasted, I want to stop the situation arising again by segregating my industrial network. I can get support for this argument based purely on lost $ however I want to make sure it can't happen again by putting in the most robust system possible at reasonable cost.
Oh okay, that is a better picture now. So let's look at the options;

Industrial Network-----------Router------------Main Network

Make sure that you put them both in different subnets and then access to both sides can be controlled by you. How do you control it? Well, basically with access-lists you'll be able to achieve it. So the picture will now look like this;

Industrial Network (Call it 10.x.x.x Network)-------------Router--------------Main Network (192.168.1.x Network)

All what you are doing are 2 things;

1. Change the IP addressing scheme of *ONE* of the sites so that it differs from the other.
2. Introduce a router in the Picture between these 2 networks.

Configure routing on the router and then apply access-lists (Specific) to get the other network.

Example would be; Say you have a machine in Industrial Network for which you want to allow Main Network access.

You could do that using an access-list for just that IP address. This could also be a time-based ACL, or a configuration made at the time when you need the connection. In your case, the need arises on occasions like when you go to a particular location and need to do some maintenance, and after that you don't need that connection etc. This can be achieved.

1. I am looking at a Cisco Router perspective, gotta be that :-) but once finalised you can go with anything.
2. Reconfiguring the other side network involves some time. Even though configuring DHCP will take care of it, it will take some time to sync. But it still can be done on the live production itself, step by step.

Now look at security; Yea, it is a pain but still you can get some good security using routers as well since most of the modern routers come with built-in security. In case of Cisco routers, you can define something called Content Based Access Control (CBAC) which is good.

Hopefully that covers some aspects, but still whoever says that you need a VLAN is correct, in a sense. But even if you want to do VLAN separation you'll be doing it using different subnets and routing using a router. Either this or that, you achieve the same thing. But I don't think you need to really do the VLAN part as well with this, just make it 2 networks and you are good to go.


Also, how many machines are on this side and on the other side?
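One way to implement the router-with-access-lists design described in this answer, as an added example that is not from the thread. It assumes a Cisco IOS router with two interfaces, the 192.168.1.0/24 main network, a 10.10.0.0/24 industrial subnet, a placeholder VPN server at 192.168.1.10 as the only host allowed to initiate connections inbound, and a placeholder main-network gateway at 192.168.1.1:

```cisco
! Added example (constructed, not from the thread): one router between the two networks.
! Assumed addresses: main network 192.168.1.0/24, industrial subnet 10.10.0.0/24,
! VPN server 192.168.1.10 (placeholder), main-network gateway 192.168.1.1 (placeholder).
!
! Time window for the "time-based ACL" mentioned above: maintenance access only on weekdays.
time-range MAINT-WINDOW
 periodic weekdays 07:00 to 18:00
!
! Stateful inspection (CBAC): sessions opened from the industrial side
! (updates, support access) get their replies back through the inbound ACL
! without opening that ACL to the whole main network.
ip inspect name IND-FW tcp
ip inspect name IND-FW udp
!
ip access-list extended MAIN-TO-IND
 remark only the VPN server may reach industrial hosts, and only in the maintenance window
 permit ip host 192.168.1.10 10.10.0.0 0.0.0.255 time-range MAINT-WINDOW
 remark everything else from the main network (broadcast storms, worms, DoS floods)
 remark is dropped; the log keyword gives you evidence of what was knocking
 deny ip any any log
!
interface FastEthernet0/0
 description Main network (outside)
 ip address 192.168.1.254 255.255.255.0
 ip access-group MAIN-TO-IND in
!
interface FastEthernet0/1
 description Industrial network (inside)
 ip address 10.10.0.1 255.255.255.0
 ip inspect IND-FW in
!
! The router is the default gateway of the industrial hosts (10.10.0.1);
! the main network needs a route to 10.10.0.0/24 via 192.168.1.254.
ip route 0.0.0.0 0.0.0.0 192.168.1.1
```

With NAT on FastEthernet0/0 the main network would only ever see 192.168.1.254 and would not need the return route, which is the "router doing NAT" variant the asker prefers later in the thread.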

snerkelAuthor Commented:
Industrial network about 10

Main network thousands.

From what I have seen of our VLANs they are open as the route is configured from the multitude of gateways so I can't see much of a benefit from our point of view (except I think we will see a lot less broadcast traffic). If someone knows the IP they can get to our network from anywhere else, so for instance shares can be seen etc. In particular the industrial equipment has no real way of being protected from abuse.
You make sure you don't mention any of the IP addresses anywhere on the net, first tip :-) Can't even believe anybody...

If the industrial network is only 10, then reconfiguring the IP addressing scheme is a walk in the park for you. Maybe you can even assign static IPs for all of them, but change them to a different private IP scheme that is not used in your network anywhere else. The rest you can proceed as in the previous post.

Another one I would do if I were you (not related to the question though) is to get a security audit done by some *good consultants* and patch up your network security-wise. Most management seems to think that putting in a firewall and antivirus software saves the network from everything. The funny part is, the firewall will be just doing routing with basic features.. When I did some vulnerability assessments for dot coms late in 2001, I was able to log in to the domain and literally access everything in spite of them having all the *security technologies* in place. The crazy part is I'm not talking about ONE company :-)

You need a switch to separate the 2 segments of the network, and install on that switch the correct protocol assignments to the 2 segments so that only the ports or IP traffic that you want to pass between the two segments is actually passed between the segments.  Not a router, but a switch.
snerkelAuthor Commented:
I still don't seem to be getting an answer that helps me.

I need an argument that a VLAN is NOT the way to go (unless I am wrong, and a VLAN will provide the full protection we require), but instead I think the industrial network should be protected by a better system than a VLAN; I think this should be a router doing NAT with a built-in firewall. This will, I feel, give better protection than a VLAN (anyone on the main network can access a VLAN).

I don't get to choose, and if it is a VLAN I won't get to set it up either. If it is a router doing NAT I will be provided with a WAN IP that connects the router to the main network; I would then have full control of the industrial network, as it would then be on its own LAN. If we get a VLAN we will be stuck with whatever security the outside contractor decides (if any), and I will still need to wait ages to get any additional IP addresses I require.

I have a big argument on my side $$$$$$$$ but I need to understand why the outside contractor thinks a VLAN rather than a router with NAT is the way to go. The outside contractor looks after our network, and monitors the traffic on it, but I don't think they fully understand what we NEED to do to protect our industrial network.

We will get a VLAN unless I can convince management otherwise. Maybe I am just worried unnecessarily, but I need to know if I should be fighting this one, or just walk away. Trouble is, if it goes horribly wrong (e.g. production stops because of a virus or DoS on the main network affecting the industrial network) then I will be left to sort it out.

Splitting the industrial network from the main network fully is not an option nor is IP filtering, port filtering is an option.
Rick Hobbs RETIRED Commented:
A VLAN is still going to require a router or a switch that supports VLANs, but, because the manufacturing area is accessible only from your network, security will not be enhanced significantly using a VLAN over using ACLs on a router.  For management purposes, it is obvious that a router between the two segments and putting the manufacturing area on a different segment will be the best bet.  If you use a Cisco router you can set up Access Control Lists (ACLs) that will allow only your management PCs to connect to machines in the manufacturing area.  You can adjust the ACLs to allow only those machines you want very easily.

Also, by bringing the management inside, if any issues arise in the future, having the knowledge in house to resolve the problem is always best.
snerkelAuthor Commented:
Didn't get any good arguments to put to management, decided to give one PC two Ethernet cards and allow VPN into this from the main network. This PC will also have a proxy server so other devices on the industrial network can get to the Internet if it is ever needed for updates etc.

End result is we can use an old Ethernet card (= free), we don't need to involve the outside contractor and we get a nice segregated network.

If anyone gave reasonable answers it was rickhobbs
snerkelAuthor Commented:
Linux is not usable for our requirements, lots of specialist equipment that only has Windows software. This PC runs some of this specialist software.

Yes it is the poor man's router but it is the only way I can get the job done without being forced down the VLAN path.
Rick Hobbs RETIRED Commented:
By the way, if you don't assign the points from the question using an Accepted Answer button or by splitting the points using the Split Points link above the area where you type in comments, the EE Cleanup Volunteers will do it for you the way they decide.  Another option, if you feel your question wasn't answered or not answered correctly, is to enter a request in customer support asking for a refund of your points.
Rick Hobbs RETIRED Commented:
I wasn't ragging on you, just saying that it was a totally acceptable solution.  I have used it before for a number of clients, some that had $$$ to spend, but it was just an easy and quick way to get the desired results.  Glad I could be of some assistance.  Thanks.
Question has a verified solution.