    VLAN confusion

    IT Discussion
dave247
last edited by dave247

Hi guys. I'm hoping someone can help me more fully understand VLAN use and implementation in its entirety.

      Let me start off by saying that I am currently a (green) sysadmin with about two years experience, not so much on the networking aspect yet. I do however understand most networking basics like the OSI model, routing and switching, subnetting and so forth, though I'm a bit rusty.

I have actually already configured one VLAN for my company's wifi. I set up all our switches with a number of access ports for each wifi AP to be connected and then added trunk ports for that VLAN so that all our APs can reach back to our Sonicwall appliance where they are managed. Then I used the Sonicwall firewall settings to create separate corporate and guest wifi. This all makes sense to me, but it's Sonicwall, so it's not really the "traditional" way VLANs would be set up and managed, etc.

      I guess my confusion with VLANs is when it comes while trying to visualize how two different networks on two different VLANs need to communicate. I mean, I get that a VLAN is logically the same as having two separate switches and if there are devices on two different networks trying to communicate, then routing is necessary. And yes, I've heard of "router on a stick".

Like in a case where I have a VoIP setup, with phones on one VLAN and computers on another. The computers and VoIP systems should normally never need to communicate with each other (I assume) unless there is like some VoIP related application installed on a user's workstation. In that case, I assume that at some point, data is crossing over between the two networks, through the two VLANs.

Also, my main reason for asking this: I am trying to set up a LAB network that will reside on its own VLAN, completely separate from my company's production systems. But if it's 100% segregated, then I'm not going to be able to access it from my work PC, so I'll have to set up a separate computer that is connected to the lab VLAN. That is, unless I implement some kind of ACL.

      Anyway, if someone could give me a bit of clarity or direction on this, I would appreciate it.

Dashrender

        Good morning and welcome to MangoLassi.

        Aww VLANs, the bane of any young generalist.

coliver

So go back to the beginning. Why are you using VLANs? What is the reason for that in your company?

Dashrender

            VLANs in most cases aren't needed unless you have a security reason to do so, and must share hardware over these networks, i.e. one set of APs but two wifi networks - corporate and guest.
            Switches perform their job which can easily allow thousands of devices to be on a single flat IP network without the need to break them down into smaller and smaller segments. So if you don't have a security related reason to keep them separate, then your life will be much simpler if you just have a /23 or /22 network instead of the typical /24 (limited to 256 devices).

            Onto your current setup:
            From the sounds of it, your Sonicwall is doing the routing between your VLANs at this point, assuming cross VLAN traffic is happening.

            You mentioned that you made a VLAN for wifi - then you talk about a guest and corporate wifi - Does this mean your corporate wifi is on the default VLAN and the guest is exclusively on the new VLAN? What provides DHCP to the guest network? What provides DNS to the guest network?

As for your Lab network, you have choices: you can create a completely separate VLAN that only has access to itself and the internet via the Sonicwall, or you can enable ACLs that allow the two networks to talk to each other and the Sonicwall will route information between the two.

JaredBusch @coliver

              @coliver said in VLAN confusion:

So go back to the beginning. Why are you using VLANs? What is the reason for that in your company?

              Because he wants a segregated LAB

coliver @JaredBusch

                @jaredbusch said in VLAN confusion:

                @coliver said in VLAN confusion:

So go back to the beginning. Why are you using VLANs? What is the reason for that in your company?

                Because he wants a segregated LAB

                Ah wow completely missed that thank you for clarifying.

Dashrender @JaredBusch

                  @jaredbusch said in VLAN confusion:

                  @coliver said in VLAN confusion:

So go back to the beginning. Why are you using VLANs? What is the reason for that in your company?

                  Because he wants a segregated LAB

                  That doesn't explain why he or someone created a VLAN for the wifi.

JaredBusch

Your router should be the only point that connects traffic from one VLAN to another.

                    At a very basic level:

You will want to have rules in your router's firewall that allow new/established/related connections from the company LAN to the Lab LAN. But from the Lab LAN to the company LAN it should only allow established.

                    This will allow you to connect in and have the Lab thing respond but the Lab thing cannot initiate a connection to the company LAN.

coliver @Dashrender

                      @dashrender said in VLAN confusion:

As for your Lab network, you have choices: you can create a completely separate VLAN that only has access to itself and the internet via the Sonicwall, or you can enable ACLs that allow the two networks to talk to each other and the Sonicwall will route information between the two.

He could set up an ACL that only allows the Lab VLAN to contact the internet, and his workstation. What kind of lab is this going to be though? You could easily do this virtually on a desktop with Hyper-V or KVM.

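The two policies above fit together: JaredBusch's stateful rule (company LAN to Lab allows new/established/related, Lab to company allows established only) is what makes coliver's tighter ACL (Lab reaches only the internet and the admin's workstation) safe to use. The following is an added Python model of that combined policy, written for this page; it is not code from the thread or from any Sonicwall product. The subnets, the workstation address, the lab host, the ports and the rule format are all constructed assumptions, and the filter keeps a plain connection table in place of a real firewall's connection tracking (the "related" state, used for things like FTP data channels, is left out).

```python
"""Stateful inter-VLAN policy model (added example; constructed addresses and rules)."""
from dataclasses import dataclass
import ipaddress

# Constructed addressing plan: assumptions for this example, not the poster's real network.
COMPANY = ipaddress.ip_network("10.10.0.0/23")     # company LAN VLAN
LAB = ipaddress.ip_network("10.20.0.0/24")         # lab VLAN
WORKSTATION = "10.10.1.50"                         # the admin's PC on the company LAN


def zone(addr: str) -> str:
    """Map an IP address to the zone (VLAN) the router sees it in."""
    ip = ipaddress.ip_address(addr)
    if ip in COMPANY:
        return "company"
    if ip in LAB:
        return "lab"
    return "internet"      # anything else is beyond the router's WAN side


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    states: frozenset                    # connection states this rule admits ("new", "established")
    src_hosts: frozenset = frozenset()   # empty means any host in src_zone


# The router is the only path between VLANs, so these rules are the whole policy.
RULES = [
    # Company -> Lab: only the admin workstation may open new connections (coliver's ACL).
    Rule("company", "lab", frozenset({"new", "established"}), frozenset({WORKSTATION})),
    # Lab -> Company: replies to connections the company side opened, nothing else (JaredBusch).
    Rule("lab", "company", frozenset({"established"})),
    # Lab -> Internet, and the replies back in.
    Rule("lab", "internet", frozenset({"new", "established"})),
    Rule("internet", "lab", frozenset({"established"})),
]


class StatefulFilter:
    """Tiny stateful filter: a connection table keyed on the initiator's 4-tuple.

    Real firewalls track more (TCP flags, timeouts, the 'related' state for
    protocols such as FTP); this model keeps only what the policy needs.
    """

    def __init__(self, rules):
        self.rules = rules
        self.conntrack = set()     # (src, sport, dst, dport) of accepted new connections

    def _state(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "established" if fwd in self.conntrack or rev in self.conntrack else "new"

    def process(self, pkt: Packet) -> str:
        """Return 'accept' or 'drop'; first matching rule wins, default is drop."""
        state = self._state(pkt)
        for rule in self.rules:
            if (rule.src_zone, rule.dst_zone) != (zone(pkt.src), zone(pkt.dst)):
                continue
            if state not in rule.states:
                continue
            if rule.src_hosts and pkt.src not in rule.src_hosts:
                continue
            if state == "new":
                self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "accept"
        return "drop"


def run_scenario() -> dict:
    """Push a constructed sequence of packets through the policy and collect verdicts."""
    fw = StatefulFilter(RULES)
    lab_host = "10.20.0.10"
    return {
        # admin workstation opens a management session to a lab host; the lab host answers
        "admin_to_lab": fw.process(Packet(WORKSTATION, lab_host, 50000, 3389)),
        "lab_reply": fw.process(Packet(lab_host, WORKSTATION, 3389, 50000)),
        # a different company PC tries the same: not the permitted workstation
        "other_pc_to_lab": fw.process(Packet("10.10.0.77", lab_host, 50001, 3389)),
        # the lab host tries to open a connection to a company file server
        "lab_initiates": fw.process(Packet(lab_host, "10.10.0.5", 50002, 445)),
        # lab host fetches something from the internet and gets the reply
        "lab_to_internet": fw.process(Packet(lab_host, "203.0.113.10", 50003, 443)),
        "internet_reply": fw.process(Packet("203.0.113.10", lab_host, 443, 50003)),
        # unsolicited inbound packet from the internet to the lab
        "internet_unsolicited": fw.process(Packet("198.51.100.9", lab_host, 4444, 22)),
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:22s} {verdict}")
```

The point the model makes is that "established only" from Lab to company is not a separate hole: a lab host's packet toward the company LAN is accepted only when the admin workstation already opened that exact connection, and the same mechanism is what lets lab hosts get replies from the internet without accepting unsolicited inbound traffic. On a Sonicwall the same policy is expressed as zone-to-zone access rules with a source-address object for the workstation rather than as code.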
JaredBusch @Dashrender

                        @dashrender said in VLAN confusion:

                        @jaredbusch said in VLAN confusion:

                        @coliver said in VLAN confusion:

So go back to the beginning. Why are you using VLANs? What is the reason for that in your company?

                        Because he wants a segregated LAB

                        That doesn't explain why he or someone created a VLAN for the wifi.

                        You are in the weeds. This is not part of this conversation. We are not here to dissect the existing setup.

scottalanmiller

                          The easy way to visualize VLANs is creating completely separate network stacks, but cheaper. VLANs are all about "I wanted separate switches for this, but that was expensive and I can live with the VLAN limitations." So VLANs exist for security and management reasons, but not for performance ones.

                          So, if you had separate switch stacks, you need a router to talk between them. This creates a bottleneck, but it is your security control point. That's the core functionality of the VLANs: to keep everything completely separate. If you want VLANs to openly talk to each other, then you don't want VLANs at all. VLANs create bottlenecks in exchange for offering LAN based security mechanisms.

scottalanmiller @dave247

                            @dave247 said in VLAN confusion:

Like in a case where I have a VoIP setup, with phones on one VLAN and computers on another. The computers and VoIP systems should normally never need to communicate with each other (I assume) unless there is like some VoIP related application installed on a user's workstation. In that case, I assume that at some point, data is crossing over between the two networks, through the two VLANs.

                            That would make VLANing crazy in that instance. If you want the networks to be able to talk, what's the purpose of the VLAN? Phones, specifically, are a really bad place to normally have VLANs.

scottalanmiller @dave247

                              @dave247 said in VLAN confusion:

Also, my main reason for asking this: I am trying to set up a LAB network that will reside on its own VLAN, completely separate from my company's production systems. But if it's 100% segregated, then I'm not going to be able to access it from my work PC, so I'll have to set up a separate computer that is connected to the lab VLAN. That is, unless I implement some kind of ACL.

                              Right, just like a LAN somewhere remote on the Internet. You'll need a pinhole for management and/or a PC that sits on that network and not on the company one.

Dashrender @scottalanmiller

                                @scottalanmiller said in VLAN confusion:

                                @dave247 said in VLAN confusion:

Like in a case where I have a VoIP setup, with phones on one VLAN and computers on another. The computers and VoIP systems should normally never need to communicate with each other (I assume) unless there is like some VoIP related application installed on a user's workstation. In that case, I assume that at some point, data is crossing over between the two networks, through the two VLANs.

                                That would make VLANing crazy in that instance. If you want the networks to be able to talk, what's the purpose of the VLAN? Phones, specifically, are a really bad place to normally have VLANs.

The idea of VLANing phones comes from a misunderstanding of tech at worst and old days of hubs at best. As long as a switch port isn't at 100% utilization, the QoS rules don't apply - the switch will just keep everything moving. If you have 100% utilization, you probably have other issues you need to resolve before you worry about QoS for phone calls, but phones would definitely feel this pinch faster than other things.

scottalanmiller @Dashrender

                                  @dashrender said in VLAN confusion:

                                  @scottalanmiller said in VLAN confusion:

                                  @dave247 said in VLAN confusion:

Like in a case where I have a VoIP setup, with phones on one VLAN and computers on another. The computers and VoIP systems should normally never need to communicate with each other (I assume) unless there is like some VoIP related application installed on a user's workstation. In that case, I assume that at some point, data is crossing over between the two networks, through the two VLANs.

                                  That would make VLANing crazy in that instance. If you want the networks to be able to talk, what's the purpose of the VLAN? Phones, specifically, are a really bad place to normally have VLANs.

The idea of VLANing phones comes from a misunderstanding of tech at worst and old days of hubs at best. As long as a switch port isn't at 100% utilization, the QoS rules don't apply - the switch will just keep everything moving. If you have 100% utilization, you probably have other issues you need to resolve before you worry about QoS for phone calls, but phones would definitely feel this pinch faster than other things.

                                  Which is a weird thought process, given that hubs didn't have QoS capabilities. So QoS only existed in the world where VLANing for QoS didn't make sense.

dave247 @Dashrender

                                    @dashrender said in VLAN confusion:

                                    VLANs in most cases aren't needed unless you have a security reason to do so, and must share hardware over these networks, i.e. one set of APs but two wifi networks - corporate and guest.
                                    Switches perform their job which can easily allow thousands of devices to be on a single flat IP network without the need to break them down into smaller and smaller segments. So if you don't have a security related reason to keep them separate, then your life will be much simpler if you just have a /23 or /22 network instead of the typical /24 (limited to 256 devices).

                                    Onto your current setup:
                                    From the sounds of it, your Sonicwall is doing the routing between your VLANs at this point, assuming cross VLAN traffic is happening.

                                    You mentioned that you made a VLAN for wifi - then you talk about a guest and corporate wifi - Does this mean your corporate wifi is on the default VLAN and the guest is exclusively on the new VLAN? What provides DHCP to the guest network? What provides DNS to the guest network?

As for your Lab network, you have choices: you can create a completely separate VLAN that only has access to itself and the internet via the Sonicwall, or you can enable ACLs that allow the two networks to talk to each other and the Sonicwall will route information between the two.

                                    Ah, I'm an idiot. My brain sucks at recalling information.

So I set up two VLANs: one for corporate wifi and one for guest wifi. Then Sonicwall handles the routing and DHCP for each network, plus the firewall functionality. DNS for corp is our DC and I just used Google's DNS for the guest wifi. Guest wifi doesn't touch our internal systems at all.

scottalanmiller @dave247

                                      @dave247 said in VLAN confusion:

                                      @dashrender said in VLAN confusion:

                                      VLANs in most cases aren't needed unless you have a security reason to do so, and must share hardware over these networks, i.e. one set of APs but two wifi networks - corporate and guest.
                                      Switches perform their job which can easily allow thousands of devices to be on a single flat IP network without the need to break them down into smaller and smaller segments. So if you don't have a security related reason to keep them separate, then your life will be much simpler if you just have a /23 or /22 network instead of the typical /24 (limited to 256 devices).

                                      Onto your current setup:
                                      From the sounds of it, your Sonicwall is doing the routing between your VLANs at this point, assuming cross VLAN traffic is happening.

                                      You mentioned that you made a VLAN for wifi - then you talk about a guest and corporate wifi - Does this mean your corporate wifi is on the default VLAN and the guest is exclusively on the new VLAN? What provides DHCP to the guest network? What provides DNS to the guest network?

As for your Lab network, you have choices: you can create a completely separate VLAN that only has access to itself and the internet via the Sonicwall, or you can enable ACLs that allow the two networks to talk to each other and the Sonicwall will route information between the two.

                                      Ah, I'm an idiot. My brain sucks at recalling information.

So I set up two VLANs: one for corporate wifi and one for guest wifi. Then Sonicwall handles the routing and DHCP for each network, plus the firewall functionality. DNS for corp is our DC and I just used Google's DNS for the guest wifi. Guest wifi doesn't touch our internal systems at all.

                                      Yes, that's a good use of VLANs, total separation where separation is fully intended.

                                      VLANs are often used for DMZs as well.

dave247 @JaredBusch

                                        @jaredbusch said in VLAN confusion:

Your router should be the only point that connects traffic from one VLAN to another.

                                        At a very basic level:

You will want to have rules in your router's firewall that allow new/established/related connections from the company LAN to the Lab LAN. But from the Lab LAN to the company LAN it should only allow established.

                                        This will allow you to connect in and have the Lab thing respond but the Lab thing cannot initiate a connection to the company LAN.

                                        OOOOH yeah.. ok that seems obvious now. I can just allow myself access to that network through my Sonicwall via the firewall rules..

dave247 @Dashrender

                                          @dashrender said in VLAN confusion:

                                          @scottalanmiller said in VLAN confusion:

                                          @dave247 said in VLAN confusion:

Like in a case where I have a VoIP setup, with phones on one VLAN and computers on another. The computers and VoIP systems should normally never need to communicate with each other (I assume) unless there is like some VoIP related application installed on a user's workstation. In that case, I assume that at some point, data is crossing over between the two networks, through the two VLANs.

                                          That would make VLANing crazy in that instance. If you want the networks to be able to talk, what's the purpose of the VLAN? Phones, specifically, are a really bad place to normally have VLANs.

The idea of VLANing phones comes from a misunderstanding of tech at worst and old days of hubs at best. As long as a switch port isn't at 100% utilization, the QoS rules don't apply - the switch will just keep everything moving. If you have 100% utilization, you probably have other issues you need to resolve before you worry about QoS for phone calls, but phones would definitely feel this pinch faster than other things.

Well, actually, here's one thing I just thought of. We currently have a /23 network where I work, and our current phone system exists on the same network as our computers and servers. We have a lot of addresses taken up by phones right now, so it would be nice to have the phones on their own separate subnet, and my current understanding is that I would want a separate VLAN to use with that separate subnet. Also, in freeing up IP addresses on our company LAN, I've given myself more IP space for my failover DHCP server should I ever need it.

dave247 @coliver
last edited by dave247

                                            @coliver said in VLAN confusion:

                                            @dashrender said in VLAN confusion:

As for your Lab network, you have choices: you can create a completely separate VLAN that only has access to itself and the internet via the Sonicwall, or you can enable ACLs that allow the two networks to talk to each other and the Sonicwall will route information between the two.

He could set up an ACL that only allows the Lab VLAN to contact the internet, and his workstation. What kind of lab is this going to be though? You could easily do this virtually on a desktop with Hyper-V or KVM.

I have a couple extra servers that I want to set up a Hyper-V lab environment with. That server's in the server room and so I wanted to just have it sitting on its own VLAN with access to the internet and my workstation only. I could use my local workstation, but what's the fun in that when I have big fat juicy servers I can use?
