Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


VLAN use

Posted on 2011-03-21
Medium Priority
Last Modified: 2012-06-21
Can I ask some basic questions about VLAN’s? Not a network admin myself, but is their main purpose for security, or if not what other benefits?  And is it typical you’d have a VLAN for your database servers to keep them separate from your workstations and who can potentially try and gain unauthorised access with say targeting a weak password/unpatched exploit in the OS tier?

And are there any commands or cheap/free tools to see how your VLAN’s have been configured and which hosts are within each VLAN?
Question by:pma111
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
LVL 10

Accepted Solution

abbright earned 500 total points
ID: 35179409
Simply speaking: VLANs partition your big ethernet network into smaller virtual networks. Purposes for doing so is administrative partitioning, security (which certainly is one of the main reasons) and network traffic (the broadcast traffic is only visible within one vlan).
When you put your db-server in a separate vlan from your workstations you need a routing instance to connect these. This typically will be firewall server which can scan and filter the traffic between the two networks and thus increase security.

Assisted Solution

Red-King earned 500 total points
ID: 35179523

A VLAN segregates your network in a couple of different ways.
In a standard static configuration (i.e. no Auto vlaning) specific ports on your switch are configured to be in a VLAN, so you've essentially physically segregated your network. You must plug into a particular port to be in a particular VLAN.
A VLAN should generally coinside with a subnet i.e. one subnet per VLAN. This is not essential but it can help you avoid some headaches. When you do this you logically segregate your network at layer 2, you've broken up the broadcast domain. In order to talk to another VLAN you have to go through a device that can route between the VLANs. Typically a layer 3 switch or a router.

Lastly configuring your VLAN on the switches means that you move a lot of the processing from your Computers/Servers to the Switches. The result of this is obviously the (minor) benefits in processing power but it also means less data flowing across the wire to devices that don't need it. i.e. in a standard flat IP network the PC/Server receives all packets and decides whether or not the information is for it. In a VLAN network the Switch decides who should see the packet.

So a VLAN can be seen to provide more security but only in a physical sense really. If you're router is configured to allow traffic between VLANs then all you're doing is breaking up the broadcast domain.

I hope that helps somewhat,

Author Comment

ID: 35179528
Thanks, are tehre any free ways/tools/commands of seeing how the vlans are segmented at a top level, and which hosts are in which vlan?

Is it common to have a VLAN for all your sensitive database servers? Or is that pretty rare? When you lump all servers/workstations in the same domain so all can see/connect to all, is that the context of a "flat network"?
LVL 10

Expert Comment

ID: 35179545
In order to see which vlans are in use you need to check your switch-configuration.
It is common to have separate vlans for sensitive servers so that you can control the traffic to them using a firewalling router.
If you have all machines in one network this is called a flat network and it means you have no chance to control your network traffic using a firewall.

Expert Comment

ID: 35179572
As far as free tools go, if you have a network management tool such as Cisco's free Network Assistant you can get some of that information. If you've set up an IP subnet for each VLAN then Solarwinds free IP address tracker  could be useful.

Yeah, that would be a flat network. Generally a flat network is one which contains switches i.e. all at layer 2. When you add VLANs you need a router which works at layer 3 so you're no longer flat as you're working in multiple layers.

It would be quite normal to put sensitive servers on a seperate VLAN as it allows you to control who can access the devices using your layer 3 routing. If there is a firewall capability on the routing device you can also protect the sensitive servers by port but at this stage your security has gone far beyond the scope of a VLAN.

Featured Post

WEBINAR - Latest Cyber Tips for Defense

Join the WatchGuard Threat Research Team on October 26th for an informative webinar featuring expert tips and tricks for defending your organization from today's latest cyber threats. Don't leave yourself vulnerable to attack. Register for the webinar today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you’re involved with your company’s wide area network (WAN), you’ve probably heard about SD-WANs. They’re the “boy wonder” of networking, ostensibly allowing companies to replace expensive MPLS lines with low-cost Internet access. But, are they …
In this article, we’ll look at how to deploy ProxySQL.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
Suggested Courses

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question