Subnetting or VLAN?

IT_anglo asked:

I understand the general concept of LANs, VLANs and subnetting (IP addresses, how they consist of binary code, broadcast address (LAN), layers of the OSI model etc.). I studied networking at university about 3 years ago.
However I was never taught how to apply these things in practice.
I am involved in a project that requires implementing 3 networks using the same hardware; please see below for a brief explanation:
We have a network with a router/firewall SonicWall TZ 190 IP and DC IP (DHCP on), using 2x 4000 HP ProCurve switches to connect the end nodes (around 60 PCs, which we call "the business" network).
1- We want to implement around 70 extra computers in the network. These would need to be "separate" (not able to see the business network) but still able to access a server hosting a database, where this specific server would still communicate with the business network in order to synchronize the data.
2- We want to implement around 20 extra computers in the network. This would be the same case as above, where they won't be able to see the business network or the second network, but would still be able to access the same database server, which is also still able to communicate with the business network.

What would be the easiest and most manageable way of achieving this? Subnetting? VLANs? Neither?
What sort of hardware would we need? (We also have a DrayTek Vigor 2820n spare.)
We are also concerned about security, so from what I understand subnetting isn't the most secure way. Is that correct?

I hope I was clear enough. If you need any extra info please let me know.
Please find attached 2 diagrams, current situation and ideal situation.

Thanks in advance.


Adrian Cantrill, Solutions Architect:

Subnetting and VLANing are essentially the same thing, except with VLANs the separation is virtual rather than being something physical. I would always (assuming compatible hardware) go with VLANs, as you can have access lists attached to each, which allows you to be granular as to which servers you allow access to.

In your example you could define a VLAN which has an access list only allowing communication with, say, one server.

There is nothing to stop you putting a firewall in between the separate VLAN and the rest of the business network: one port could be in this secure VLAN, another in the business VLAN, and have 2 NICs (or one with trunking) connecting to the firewall.

I'm not sure if this is what you wanted - do you simply want advice, or do you want us to provide a full solution for you?
Adrian Cantrill, Solutions Architect:

What hardware do you already have? I'm a Cisco man myself so would always recommend that brand. The extent to which you can configure VLANs depends a lot on the hardware you have - specifically whether it can support VTP (to communicate VLAN info between switches) and trunking (so devices can belong to multiple VLANs).

Adrian Cantrill, Solutions Architect:

Looking at your 'ideal' PDF - you could have another switch, connect ALL the devices (business LAN, the new LAN, and the servers) to the same set of switches and use VLANs to segregate traffic. The SonicWall could be connected to one port which is in each VLAN and would control access between the VLANs... or you could have access lists on each VLAN which would do that filtering for you (I would suggest in your situation going with the SonicWall doing the filtering).

Dear IT_anglo

Your question is clear and I hope this gives you exactly what you need...

First of all:

- Sure, you must implement VLANs (not subnetting) because VLANs give you high security, easy management and better performance, etc.

- I am not familiar with your network products (because I work with Cisco products) but I will give you guidelines to do it. Check the diagrams.

Note: your switches should support VLANs and your router should support VLAN access lists to make restrictions on VLANs.

Best regards
Your brother
Muhammed Rummaneh

I am sure you have considered this, but as it is not mentioned in the question in particular... You do realise that your 90 new machines will need static IP addresses, as you don't want them accessing the DHCP server. Also, are they not members of the domain at all?

As has already been said, VLANs are the more secure way to go if you are trying to use the same network for all your kit. There is no security like physical separation though, and going off your diagram, I would have thought your simplest option is to get a couple more NICs for the database server and just keep everything separate.

I still suspect this is more likely a firewall problem than a VLAN problem though.
Adrian Cantrill, Solutions Architect:

> I am sure you have considered this, but as it is not mentioned in the question in particular... You do realise that your 90 new machines will need static IP addresses, as you don't want them accessing the DHCP server. Also, are they not members of the domain at all?

You can use an ip helper-address (or equivalent) in the VLAN configuration to allow communication with the DHCP server without actually exposing it - at least that's the way I'd suggest. I agree the poster didn't specify this in the list of accessible servers, but I would assume that he wants some level of basic services, the same with a DNS server.


The new machines will not be part of the domain; they will each be on their own workgroup (2 networks).
woolnoir, responding to your first question: "I'm not sure if this is what you wanted - do you simply want advice, or do you want us to provide a full solution for you?"
We do want advice on which method would be the best, and what we really need is a practical example of how to achieve this goal. E.g.: 1- On your DrayTek router web interface find the VLAN functions, set a list of IP addresses to be VLAN A (business network), then VLAN B (network 1) and VLAN C (network 2).
2- In the VLAN functions you will find a VLAN permissions field where you can allow VLAN A to access x and y, but forbid VLAN B to access z and w.
3- You will need a switch for each separate physical connection.
4- They all need to be on the same domain or they need to have a domain each.
5- Once you've done this you may be able to achieve what you need.
Obviously the instructions above are just an example.
At the moment we are not sure where to begin: buy hardware? Start using static IP addresses?

Thanks for your comments so far.

Also, there is a list of the equipment we use (and have as spare) in the first post.
Top Expert 2010
You can VLAN on your switches, but you'll need to move the traffic between the VLANs AND provide access control to the database. Your switches can do this if they are layer 3 (routing) switches. If they are not, then you'll have to rely on your SonicWall for that. I believe the TZ 190 has several ports that act as a switch, but using SonicWall's PortShield you can segregate those ports for the different VLANs, allowing your SonicWall to route traffic between the segregated networks. You have a large number of hosts and I'm concerned about the load this might put on the TZ 190.

If you do go the SonicWall route, you really only need a couple of switches that would connect the two networks besides the business network. You create your PortShield ports and connect the switches to those ports respectively. On the SonicWall, you can set up your firewall access lists to control access to the database that's on the business network. Using this method eliminates creating VLANs and puts the routing and access control within the SonicWall.

Regarding DHCP, once you've created the PortShield ports, you can go back into the SonicWall (Network > DHCP Server) and set up a DHCP scope for the PortShield ports. This will provide DHCP to the computers on the segregated networks.

What is the firmware of the SonicWall? Is it Enhanced or Standard? You can find this information after logging onto the SonicWall and going to the System > Status page.

You may be able to do all this with the DrayTek, but I'm not familiar with that hardware.
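The access-control layout the answers converge on (the two new networks may reach only the database server, DHCP is relayed to the DC, everything else toward "the business" is denied) can be modelled and checked before touching the firewall. This is an added example, not code from the thread or from SonicWall; the VLAN numbers, addresses and database port are all assumptions, and the model only evaluates initiating flows (return traffic is left to a stateful firewall).

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the three networks in the question; the thread
# gives no addresses or database port, so these values are assumptions.
BUSINESS = ipaddress.ip_network("192.168.10.0/24")      # VLAN 10, "the business"
NETWORK1 = ipaddress.ip_network("192.168.20.0/24")      # VLAN 20, ~70 PCs
NETWORK2 = ipaddress.ip_network("192.168.30.0/24")      # VLAN 30, ~20 PCs
DB_SERVER = ipaddress.ip_network("192.168.10.50/32")    # database host
DHCP_SERVER = ipaddress.ip_network("192.168.10.10/32")  # the DC running DHCP
DB_PORT = 1433

@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    port: int
    action: str

# Inter-VLAN rule set (SonicWall rules or an L3 switch ACL): first match wins,
# anything not listed falls through to deny, so the new networks reach the
# database (plus relayed DHCP) but nothing else on the business network.
RULES = [
    Rule(NETWORK1, DB_SERVER, "tcp", DB_PORT, "allow"),
    Rule(NETWORK2, DB_SERVER, "tcp", DB_PORT, "allow"),
    Rule(NETWORK1, DHCP_SERVER, "udp", 67, "allow"),  # via ip helper-address
    Rule(NETWORK2, DHCP_SERVER, "udp", 67, "allow"),
]

def evaluate(src: str, dst: str, proto: str, port: int) -> str:
    """Return 'allow' or 'deny' for a flow from src to dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for net in (BUSINESS, NETWORK1, NETWORK2):
        if s in net and d in net:
            return "allow"  # same VLAN: switched locally, never hits the firewall
    for r in RULES:
        if s in r.src and d in r.dst and proto == r.proto and port == r.port:
            return r.action
    return "deny"  # implicit deny at the end of the list

def check_isolation() -> list:
    """Flows the design must block; returns any the rule set lets through."""
    must_deny = [
        ("192.168.20.5", "192.168.10.20", "tcp", 445),  # network1 -> business PC
        ("192.168.30.5", "192.168.20.5", "tcp", 445),   # network2 -> network1
        ("192.168.20.5", "192.168.10.50", "tcp", 445),  # DB host, non-database port
    ]
    return [f for f in must_deny if evaluate(*f) != "deny"]
```

An empty list from check_isolation() means the rule set gives the two new networks nothing beyond the database port and relayed DHCP; adding a rule later and re-running it shows immediately if the separation has been widened.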


OK, I now have a good overall understanding of how it would work. Thanks everyone.


I was looking for an example of a practical solution. However I was only able to have an overall understanding.
Top Expert 2010

sure...glad we could help and thanks for the points!
Top Expert 2010

Example was a practical solution. I would have been (and still would be) happy to dialog further on my suggestion.
