VLAN use

Posted on 2011-03-21
Last Modified: 2012-06-21
Can I ask some basic questions about VLAN’s? Not a network admin myself, but is their main purpose for security, or if not what other benefits?  And is it typical you’d have a VLAN for your database servers to keep them separate from your workstations and who can potentially try and gain unauthorised access with say targeting a weak password/unpatched exploit in the OS tier?

And are there any commands or cheap/free tools to see how your VLAN’s have been configured and which hosts are within each VLAN?
Question by:pma111
  • 2
  • 2
LVL 10

Accepted Solution

abbright earned 125 total points
ID: 35179409
Simply speaking: VLANs partition your big ethernet network into smaller virtual networks. Purposes for doing so is administrative partitioning, security (which certainly is one of the main reasons) and network traffic (the broadcast traffic is only visible within one vlan).
When you put your db-server in a separate vlan from your workstations you need a routing instance to connect these. This typically will be firewall server which can scan and filter the traffic between the two networks and thus increase security.

Assisted Solution

Red-King earned 125 total points
ID: 35179523

A VLAN segregates your network in a couple of different ways.
In a standard static configuration (i.e. no Auto vlaning) specific ports on your switch are configured to be in a VLAN, so you've essentially physically segregated your network. You must plug into a particular port to be in a particular VLAN.
A VLAN should generally coinside with a subnet i.e. one subnet per VLAN. This is not essential but it can help you avoid some headaches. When you do this you logically segregate your network at layer 2, you've broken up the broadcast domain. In order to talk to another VLAN you have to go through a device that can route between the VLANs. Typically a layer 3 switch or a router.

Lastly configuring your VLAN on the switches means that you move a lot of the processing from your Computers/Servers to the Switches. The result of this is obviously the (minor) benefits in processing power but it also means less data flowing across the wire to devices that don't need it. i.e. in a standard flat IP network the PC/Server receives all packets and decides whether or not the information is for it. In a VLAN network the Switch decides who should see the packet.

So a VLAN can be seen to provide more security but only in a physical sense really. If you're router is configured to allow traffic between VLANs then all you're doing is breaking up the broadcast domain.

I hope that helps somewhat,

Author Comment

ID: 35179528
Thanks, are tehre any free ways/tools/commands of seeing how the vlans are segmented at a top level, and which hosts are in which vlan?

Is it common to have a VLAN for all your sensitive database servers? Or is that pretty rare? When you lump all servers/workstations in the same domain so all can see/connect to all, is that the context of a "flat network"?
LVL 10

Expert Comment

ID: 35179545
In order to see which vlans are in use you need to check your switch-configuration.
It is common to have separate vlans for sensitive servers so that you can control the traffic to them using a firewalling router.
If you have all machines in one network this is called a flat network and it means you have no chance to control your network traffic using a firewall.

Expert Comment

ID: 35179572
As far as free tools go, if you have a network management tool such as Cisco's free Network Assistant you can get some of that information. If you've set up an IP subnet for each VLAN then Solarwinds free IP address tracker  could be useful.

Yeah, that would be a flat network. Generally a flat network is one which contains switches i.e. all at layer 2. When you add VLANs you need a router which works at layer 3 so you're no longer flat as you're working in multiple layers.

It would be quite normal to put sensitive servers on a seperate VLAN as it allows you to control who can access the devices using your layer 3 routing. If there is a firewall capability on the routing device you can also protect the sensitive servers by port but at this stage your security has gone far beyond the scope of a VLAN.

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
How to Link NetGear wireless AC-1200 router to Sonicwall 3600 13 63
Changing password for HP switch 5 41
Need network only 1 user? 10 70
cannot view videos at msnbc 12 41
PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
I had an issue with InstallShield not being able to use Computer Browser service on Windows Server 2012. Here is the solution I found.
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor ( If you're looking for how to monitor bandwidth using netflow or packet s…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question