VLAN use

Posted on 2011-03-21
Medium Priority
Last Modified: 2012-06-21
Can I ask some basic questions about VLAN’s? Not a network admin myself, but is their main purpose for security, or if not what other benefits?  And is it typical you’d have a VLAN for your database servers to keep them separate from your workstations and who can potentially try and gain unauthorised access with say targeting a weak password/unpatched exploit in the OS tier?

And are there any commands or cheap/free tools to see how your VLAN’s have been configured and which hosts are within each VLAN?
Question by:pma111
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
LVL 10

Accepted Solution

abbright earned 500 total points
ID: 35179409
Simply speaking: VLANs partition your big ethernet network into smaller virtual networks. Purposes for doing so is administrative partitioning, security (which certainly is one of the main reasons) and network traffic (the broadcast traffic is only visible within one vlan).
When you put your db-server in a separate vlan from your workstations you need a routing instance to connect these. This typically will be firewall server which can scan and filter the traffic between the two networks and thus increase security.

Assisted Solution

Red-King earned 500 total points
ID: 35179523

A VLAN segregates your network in a couple of different ways.
In a standard static configuration (i.e. no Auto vlaning) specific ports on your switch are configured to be in a VLAN, so you've essentially physically segregated your network. You must plug into a particular port to be in a particular VLAN.
A VLAN should generally coinside with a subnet i.e. one subnet per VLAN. This is not essential but it can help you avoid some headaches. When you do this you logically segregate your network at layer 2, you've broken up the broadcast domain. In order to talk to another VLAN you have to go through a device that can route between the VLANs. Typically a layer 3 switch or a router.

Lastly configuring your VLAN on the switches means that you move a lot of the processing from your Computers/Servers to the Switches. The result of this is obviously the (minor) benefits in processing power but it also means less data flowing across the wire to devices that don't need it. i.e. in a standard flat IP network the PC/Server receives all packets and decides whether or not the information is for it. In a VLAN network the Switch decides who should see the packet.

So a VLAN can be seen to provide more security but only in a physical sense really. If you're router is configured to allow traffic between VLANs then all you're doing is breaking up the broadcast domain.

I hope that helps somewhat,

Author Comment

ID: 35179528
Thanks, are tehre any free ways/tools/commands of seeing how the vlans are segmented at a top level, and which hosts are in which vlan?

Is it common to have a VLAN for all your sensitive database servers? Or is that pretty rare? When you lump all servers/workstations in the same domain so all can see/connect to all, is that the context of a "flat network"?
LVL 10

Expert Comment

ID: 35179545
In order to see which vlans are in use you need to check your switch-configuration.
It is common to have separate vlans for sensitive servers so that you can control the traffic to them using a firewalling router.
If you have all machines in one network this is called a flat network and it means you have no chance to control your network traffic using a firewall.

Expert Comment

ID: 35179572
As far as free tools go, if you have a network management tool such as Cisco's free Network Assistant you can get some of that information. If you've set up an IP subnet for each VLAN then Solarwinds free IP address tracker  could be useful.

Yeah, that would be a flat network. Generally a flat network is one which contains switches i.e. all at layer 2. When you add VLANs you need a router which works at layer 3 so you're no longer flat as you're working in multiple layers.

It would be quite normal to put sensitive servers on a seperate VLAN as it allows you to control who can access the devices using your layer 3 routing. If there is a firewall capability on the routing device you can also protect the sensitive servers by port but at this stage your security has gone far beyond the scope of a VLAN.

Featured Post

Are You Using the Best Web Development Editor?

The worlds of web hosting and web development are constantly evolving. Every year we see design trends change, coding standards adapt and new frameworks/CMS created. With such a quick pace of change it’s easy to get lost trying to keep up.

See if your editor made the list.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I had an issue with InstallShield not being able to use Computer Browser service on Windows Server 2012. Here is the solution I found.
This article will show how Aten was able to supply easy management and control for Artear's video walls and wide range display configurations of their newsroom.
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Suggested Courses
Course of the Month8 days, 10 hours left to enroll

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question