Solved

VLAN use

Posted on 2011-03-21
Last Modified: 2012-06-21
Can I ask some basic questions about VLANs? Not a network admin myself, but is their main purpose security, or if not, what other benefits do they offer? And is it typical you'd have a VLAN for your database servers to keep them separate from your workstations and from anyone who could potentially try to gain unauthorised access by, say, targeting a weak password or an unpatched exploit in the OS tier?

And are there any commands or cheap/free tools to see how your VLANs have been configured and which hosts are within each VLAN?
Question by: pma111
Accepted Solution by abbright (ID: 35179409)
Simply speaking: VLANs partition your big Ethernet network into smaller virtual networks. Purposes for doing so are administrative partitioning, security (which certainly is one of the main reasons) and network traffic (broadcast traffic is only visible within one VLAN).
When you put your DB server in a separate VLAN from your workstations, you need a routing instance to connect them. This will typically be a firewall server which can scan and filter the traffic between the two networks and thus increase security.
Assisted Solution by Red-King (ID: 35179523)
Hi,

A VLAN segregates your network in a couple of different ways.
In a standard static configuration (i.e. no auto-VLANing) specific ports on your switch are configured to be in a VLAN, so you've essentially physically segregated your network. You must plug into a particular port to be in a particular VLAN.
A VLAN should generally coincide with a subnet, i.e. one subnet per VLAN. This is not essential but it can help you avoid some headaches. When you do this you logically segregate your network at layer 2: you've broken up the broadcast domain. In order to talk to another VLAN you have to go through a device that can route between the VLANs, typically a layer 3 switch or a router.

Lastly, configuring your VLAN on the switches means that you move a lot of the processing from your computers/servers to the switches. The result of this is obviously the (minor) benefit in processing power, but it also means less data flowing across the wire to devices that don't need it; i.e. in a standard flat IP network the PC/server receives all packets and decides whether or not the information is for it. In a VLAN network the switch decides who should see the packet.

So a VLAN can be seen to provide more security, but only in a physical sense really. If your router is configured to allow traffic between VLANs then all you're doing is breaking up the broadcast domain.

I hope that helps somewhat,
Author Comment by pma111 (ID: 35179528)
Thanks, are there any free ways/tools/commands of seeing how the VLANs are segmented at a top level, and which hosts are in which VLAN?

Is it common to have a VLAN for all your sensitive database servers? Or is that pretty rare? When you lump all servers/workstations in the same domain so all can see/connect to all, is that the context of a "flat network"?
Expert Comment by abbright (ID: 35179545)
In order to see which VLANs are in use you need to check your switch configuration.
It is common to have separate VLANs for sensitive servers so that you can control the traffic to them using a firewalling router.
If you have all machines in one network this is called a flat network, and it means you have no chance to control your network traffic using a firewall.
Expert Comment by Red-King (ID: 35179572)
As far as free tools go, if you have a network management tool such as Cisco's free Network Assistant you can get some of that information. If you've set up an IP subnet for each VLAN then SolarWinds' free IP address tracker could be useful.

Yeah, that would be a flat network. Generally a flat network is one which contains only switches, i.e. all at layer 2. When you add VLANs you need a router which works at layer 3, so you're no longer flat as you're working in multiple layers.

It would be quite normal to put sensitive servers on a separate VLAN as it allows you to control who can access the devices using your layer 3 routing. If there is a firewall capability on the routing device you can also protect the sensitive servers by port, but at this stage your security has gone far beyond the scope of a VLAN.
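To make the thread's points concrete (one subnet per VLAN, same-VLAN traffic never reaching the router, the router's filter deciding what crosses between VLANs, and a permit-all router leaving you with nothing more than split broadcast domains), here is an added Python example that is not from any of the posters. The VLAN table, the inter-VLAN rules and the hypothetical DB port are all constructed sample values.

```python
# Added example: map hosts to VLANs by subnet and classify flows the way the
# thread describes them (layer 2 inside a VLAN, filtered at the router between VLANs).
import ipaddress
from typing import Optional

# Constructed VLAN table following the "one subnet per VLAN" convention.
VLANS = {
    10: ("workstations", ipaddress.ip_network("10.0.10.0/24")),
    20: ("db-servers",   ipaddress.ip_network("10.0.20.0/24")),
    30: ("management",   ipaddress.ip_network("10.0.30.0/24")),
}

# Constructed filter on the routing device: (src_vlan, dst_vlan, tcp_port).
# A port of None means "any port"; anything not listed is denied.
ROUTER_RULES = [
    (10, 20, 1433),   # workstations reach db-servers on the DB port only (sample port)
    (30, 20, None),   # management reaches db-servers on any port
]

def vlan_of(ip: str) -> Optional[int]:
    """Return the VLAN id whose subnet contains ip, or None if no VLAN claims it."""
    addr = ipaddress.ip_address(ip)
    for vid, (_, net) in VLANS.items():
        if addr in net:
            return vid
    return None

def classify_flow(src_ip: str, dst_ip: str, tcp_port: int, rules=ROUTER_RULES) -> str:
    """
    'l2'      : same VLAN, the switch forwards it and the router never sees it
    'routed'  : different VLANs and a router rule permits it
    'blocked' : different VLANs and no rule permits it
    'unknown' : an endpoint lies outside every VLAN subnet
    """
    s, d = vlan_of(src_ip), vlan_of(dst_ip)
    if s is None or d is None:
        return "unknown"
    if s == d:
        return "l2"
    for r_src, r_dst, r_port in rules:
        if r_src == s and r_dst == d and r_port in (None, tcp_port):
            return "routed"
    return "blocked"

def segmentation_is_effective(rules=ROUTER_RULES) -> bool:
    """False when the router permits every VLAN pair on every port, i.e. the
    VLANs only break up broadcast domains and add no access control."""
    pairs = {(s, d) for s in VLANS for d in VLANS if s != d}
    wide_open = {(s, d) for s, d, p in rules if p is None}
    return not pairs <= wide_open
```

Feeding it a real VLAN/subnet export from your switch configuration in place of the constructed table shows which host pairs talk at layer 2 and which depend on the routing device's filter.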