What is the actual purpose for having a 1:1 ratio between VLANs and subnets?
I understand the technical difference between a subnet and a VLAN. After looking through questions related to this topic, including:
VRFs, VLANs and subnets: difference
VLANS vs. subnets for network security and segmentation
there doesn't seem to be an answer that really pinpoints this subtlety. The communication issues and security implications of having multiple subnets on a single VLAN and vice versa are clear.
But, subnets provide l3 separation. Okay. VLANs allow you to segment your l2. If the goal is separation -- why isn't subnetting (l3 separation) enough? I am not able to pull all of this together into a pretty picture that delineates the necessity, other than the router-on-a-stick situation where VLANs would allow subnets to share the physical infrastructure (e.g. a single switch). But in practice, do subnets really share any portion of the l2 infrastructure?
vlan subnet
asked Jan 3 at 4:46
bzzn
183
3 Answers
But, subnets provide l3 separation.
Kinda, sorta, not really.
If you put multiple subnets on the same "link" (for example an Ethernet VLAN, a wifi SSID or something similar for other protocols) then devices on different subnets will not by default send IPv4 unicast packets directly to each other. Instead they will send them via their default gateway where there is potential to filter them.
However:
- This behavior is only the default; it is perfectly possible to configure a device so that it can communicate directly with devices on both subnets.
- IPv4 unicast traffic is not the whole world; there is also Broadcast, Multicast and IPv6 traffic to consider, not to mention legacy protocols like IPX and NetBEUI. Some of this may/will flow directly between the hosts even if they have different IPv4 subnets.
The result is that putting multiple subnets on the same L2 "link" will often result in the illusion of separation.
Putting multiple subnets on the same "link" can make sense in some scenarios, for example if you want some but not all machines to have public IPs or if an existing subnet has run out of addresses, but if you want to enforce separation between machines then you really need them on separate (physical or virtual) links.
I see. I guess I was assuming subnets wouldn't typically be set up on the same link (at least for an Ethernet network). If this isn't the case, then VLANs make complete sense.
Right, the goal of VLANs is to allow physical infrastructure to be shared while keeping stuff logically separate.
But if they were on separate links, and you wanted more LAN segmentation, is creating another subnet a viable alternative to using VLANs?
Yeah, keeping your subnets physically separate up to the point they meet your router/firewall is an alternative to using VLANs. Some argue it's more secure; there have certainly been VLAN-hopping exploits in the past, but OTOH it's easy for two networks that are supposed to be physically separate to be accidentally interconnected.
You should also be aware that the term "VLAN" is a bit overloaded. Depending on the context it can refer to either the number used for tagging packets on the wire or to the virtual Ethernet network created by doing so. In a large network infrastructure the same VLAN number may be used for different virtual Ethernet networks in different places.
I see. I guess I was assuming subnets wouldn't typically be set up on the same link (at least for an Ethernet network). If this isn't the case, then VLANs make complete sense. But if they were on separate links, and you wanted more LAN segmentation, is creating another subnet a viable alternative to using VLANs? I suppose, like mentioned above, this would require more hardware, whereas with VLANs that can be done entirely in software.
– bzzn
Jan 3 at 6:08
Layer-3 provides logical isolation between subnets. If you run them on the same layer-2 [Ethernet or VLAN], they aren't actually isolated. They automatically see each other's broadcast traffic. With the addition of a single route, they can talk directly to each other, bypassing any routers, firewalls, or ACLs -- because they're on the same wire. Very few switches can do layer-3 filtering on layer-2 ports.
VLANs allow you to segment your l2. If the goal is separation -- why isn't subnetting (l3 separation) enough?
I guess this:
The communication issues and security implications of having multiple subnets on a single VLAN and vice versa, are clear.
isn't as clear as you seem to say.
From the perspective of a VLAN, a VLAN is a broadcast domain. When a host receives a layer-2 broadcast, which will be sent to every host in a broadcast domain, the host hardware must pass the frame to higher layers in the network stack for processing to see if the frame payload is destined for the host. This presents not only security concerns from hosts running capture software, but it can become a problem as more hosts on a VLAN means even more broadcasts on the VLAN than the number of added hosts, interrupting every host on the LAN.
VLANs will basically break a broadcast domain into multiple broadcast domains, just as if you had multiple, separate, unconnected switches. To get traffic from one VLAN to another VLAN requires a router. That is also true for getting traffic from one layer-3 network to another layer-3 network, which is why layer-2 VLANs and layer-3 networks mesh so well.
Routers route layer-3 packets, not layer-2 frames, between layer-3 networks, so each router interface is in a different layer-3 network. Since it takes a router to move traffic between VLANs, that means that each VLAN would need to use a different layer-3 network if it needs to communicate with a different VLAN.
You can also place router ACLs, or a software firewall on a router, between the VLANs, but this requires a different layer-3 network on each VLAN because routers route packets between networks. This can be a real security feature or requirement.
But in practice, do subnets really share any portion of the l2 infrastructure?
Since VLANs can partition a single switch, then yes, different layer-3 networks on VLANs will share the switch hardware, but will logically be on different switches, even on the same physical switch. The different layer-3 networks can also share a physical interface on a switch or router by configuring the interface as a trunk that uses tags to separate the layer-2 frames of different layer-3 networks into separate VLANs.
What you are asking about is really for Ethernet. There are many layer-2 protocols that do not use VLANs, and some can only use one layer-3 network on one layer-2 LAN. Even Wi-Fi, which has displaced Ethernet as the King of the LAN, does not really have VLANs. It does have separate SSIDs that can map to VLANs on the Ethernet side of the WAP, but you are unlikely to be able to configure more than one layer-3 network per SSID.
edited Jan 3 at 5:24
answered Jan 3 at 5:13
Ron Maupin♦
63.2k
Great answer, thanks. This covers the question well. I think the key point learned is that with VLANs -- we have, for all intents and purposes, separate switches. Trunk interfaces make it possible for different l3 networks to share the interface. Is trunking really this common in practice? Or are VLANs really just a legacy concept that was used to save $ on new hardware? If we wanted more separation at l2, I presume we could just create a new subnet and adjust accordingly. But the benefits of VLAN allow much more flexibility by allowing you to do this in software. Is my thinking correct?
– bzzn
Jan 3 at 5:28
trunking on a switch/router to allow different l3 networks to share the interface*
– bzzn
Jan 3 at 5:35
Trunks are used all the time; they are very common. If you had separate switches, then you would need some more expensive router interfaces. The typical scenario is that routers have few physical interfaces, but you create logical subinterfaces that share the single physical interface by using VLAN tags as a trunk.
– Ron Maupin♦
Jan 3 at 5:35
Great, thanks for your help.
– bzzn
Jan 3 at 5:42
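As an added illustration (written for this page, not code from any of the answerers) of the point the answers above share: the broadcast domain is the VLAN, a host sends directly to anything it treats as on-link and so bypasses the gateway and its ACLs, and only the VLAN boundary stops that. Host names, addresses and VLAN ids are constructed; the audit function at the end is the check a practitioner would run to find VLANs that carry more than one subnet.

```python
"""Constructed model of why 'one subnet per VLAN' is what enforces separation."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Interface, IPv4Network
from typing import Dict, List, Set, Tuple


@dataclass
class Host:
    name: str
    iface: IPv4Interface          # address + prefix, e.g. 10.0.1.10/24
    vlan: int                     # access VLAN of the switch port it is plugged into
    gateway: IPv4Address
    # additional on-link routes configured on the host beyond its own subnet
    extra_onlink: List[IPv4Network] = field(default_factory=list)

    def add_onlink_route(self, cidr: str) -> None:
        """Tell the host that another prefix is reachable directly on its link."""
        self.extra_onlink.append(IPv4Network(cidr))

    def onlink_networks(self) -> List[IPv4Network]:
        return [self.iface.network] + self.extra_onlink

    def next_hop(self, dst: IPv4Address) -> Tuple[str, IPv4Address]:
        """('direct', dst) if the host thinks dst is on-link, else ('gateway', gw)."""
        if any(dst in net for net in self.onlink_networks()):
            return ("direct", dst)
        return ("gateway", self.gateway)


class VlanSwitch:
    """Minimal VLAN-aware switch: a broadcast is flooded only within its VLAN."""

    def __init__(self) -> None:
        self.hosts: List[Host] = []

    def connect(self, host: Host) -> None:
        self.hosts.append(host)

    def flood(self, sender: Host) -> Set[str]:
        """Names of every host that receives a broadcast frame from sender.
        Membership is decided by VLAN alone; the IP subnet plays no part."""
        return {h.name for h in self.hosts if h.vlan == sender.vlan and h is not sender}


def delivers_directly(switch: VlanSwitch, src: Host, dst: Host) -> bool:
    """True if src can reach dst with no router (and no router ACL) in the path.

    Two things must hold: src's routing table says dst is on-link, and the ARP
    broadcast src sends to resolve dst actually reaches dst, which happens only
    when both sit in the same VLAN.
    """
    kind, _ = src.next_hop(dst.iface.ip)
    return kind == "direct" and dst.name in switch.flood(src)


def audit_one_subnet_per_vlan(hosts) -> Dict[int, Set[IPv4Network]]:
    """Return the VLANs that carry more than one IPv4 subnet (1:1 rule broken)."""
    by_vlan: Dict[int, Set[IPv4Network]] = {}
    for h in hosts:
        by_vlan.setdefault(h.vlan, set()).add(h.iface.network)
    return {v: nets for v, nets in by_vlan.items() if len(nets) > 1}


def build_scenario() -> Tuple[VlanSwitch, Dict[str, Host]]:
    """Constructed sample topology (addresses and VLAN ids are made up)."""
    hosts = {
        # alice and bob share VLAN 10 but sit in different subnets
        "alice": Host("alice", IPv4Interface("10.0.1.10/24"), 10, IPv4Address("10.0.1.1")),
        "bob": Host("bob", IPv4Interface("10.0.2.10/24"), 10, IPv4Address("10.0.2.1")),
        # carol has her own VLAN and her own subnet (the 1:1 case)
        "carol": Host("carol", IPv4Interface("10.0.3.10/24"), 20, IPv4Address("10.0.3.1")),
    }
    switch = VlanSwitch()
    for h in hosts.values():
        switch.connect(h)
    return switch, hosts


if __name__ == "__main__":
    sw, hosts = build_scenario()
    alice, bob, carol = hosts["alice"], hosts["bob"], hosts["carol"]
    print("alice's broadcasts reach:", sw.flood(alice))              # {'bob'}
    print("alice -> bob by default:", alice.next_hop(bob.iface.ip))  # via gateway
    alice.add_onlink_route("10.0.2.0/24")
    print("after one extra route, router bypassed:", delivers_directly(sw, alice, bob))
    alice.add_onlink_route("10.0.3.0/24")
    print("same extra route toward carol's VLAN:", delivers_directly(sw, alice, carol))
    print("VLANs carrying several subnets:", audit_one_subnet_per_vlan(hosts.values()))
```

The last two prints are the whole argument: the extra route lets alice bypass the gateway to bob (same VLAN, different subnet) but achieves nothing toward carol, because her VLAN never receives alice's ARP broadcast.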
add a comment |
Great answer, thanks. This covers the question well. I think the key point learned is that with VLANs -- we have, for all intents and purposes, separate switches. Trunk interfaces make it possible for different l3 networks to share the interface. Is trunking really this common in practice? Or are VLANs really just a legacy concept that was used to save $ on new hardware? If we wanted more separation at l2, I presume we could just create a new subnet and adjust accordingly. But the benefits of VLAN allow much more flexibility by allowing you to do this in software. Is my thinking correct?
– bzzn
Jan 3 at 5:28
trunking on a switch/router to allow different l3 networks to share the interface*
– bzzn
Jan 3 at 5:35
Trunks are used all the time; they are very common. If you had separate switches, then you would need some more expensive router interfaces. The typical scenario is that routers have few physical interfaces, but you create logical subinterfaces that share the single physical interface by using VLAN tags as a trunk.
– Ron Maupin♦
Jan 3 at 5:35
Great, thanks for your help.
– bzzn
Jan 3 at 5:42
Great answer, thanks. This covers the question well. I think the key point learned is that with VLANs -- we have, for all intents and purposes, separate switches. Trunk interfaces make it possible for different l3 networks to share the interface. Is trunking really this common in practice? Or are VLANs really just a legacy concept that was used to save $ on new hardware? If we wanted more separation at l2, I presume we could just create a new subnet and adjust accordingly. But the benefits of VLAN allow much more flexibility by allowing you to do this in software. Is my thinking correct?
– bzzn
Jan 3 at 5:28
Great answer, thanks. This covers the question well. I think the key point learned is that with VLANs -- we have, for all intents and purposes, separate switches. Trunk interfaces make it possible for different l3 networks to share the interface. Is trunking really this common in practice? Or are VLANs really just a legacy concept that was used to save $ on new hardware? If we wanted more separation at l2, I presume we could just create a new subnet and adjust accordingly. But the benefits of VLAN allow much more flexibility by allowing you to do this in software. Is my thinking correct?
– bzzn
Jan 3 at 5:28
trunking on a switch/router to allow different l3 networks to share the interface*
– bzzn
Jan 3 at 5:35
trunking on a switch/router to allow different l3 networks to share the interface*
– bzzn
Jan 3 at 5:35
Trunks are used all the time; they are very common. If you had separate switches, then you would need some more expensive router interfaces. The typical scenario is that routers have few physical interfaces, but you create logical subinterfaces that share the single physical interface by using VLAN tags as a trunk.
– Ron Maupin♦
Jan 3 at 5:35
Trunks are used all the time; they are very common. If you had separate switches, then you would need some more expensive router interfaces. The typical scenario is that routers have few physical interfaces, but you create logical subinterfaces that share the single physical interface by using VLAN tags as a trunk.
– Ron Maupin♦
Jan 3 at 5:35
Great, thanks for your help.
– bzzn
Jan 3 at 5:42
Great, thanks for your help.
– bzzn
Jan 3 at 5:42
add a comment |
But, subnets provide l3 separation.
Kinda, sorta, not really.
If you put multiple subnets on the same "link" (for example an Ethernet VLAN, a wifi SSID or something similar for other protocols) then devices on different subnets will not by default send IPv4 unicast packets directly to each other. Instead they will send them via their default gateway where there is potential to filter them.
However:
- This behavior is only the default, it is perfectly possible to configure a device so that it can communicate directly with devices on both subnets.
- IPv4 unicast traffic is not the whole world, there is also Broadcast, Multicast and IPv6 traffic to consider, not to mention legacy protocols like IPX and Netbeui. Some of this may/will flow directly between the hosts even if they have different IPv4 subnets continued.
The result is that putting multiple subnets on the same L2 "link" will often result in the illusion of separation.
Putting multiple subnets on the same "link" can make sense in some scenarios, for example if you want some but not all machines to have public IPs or if an existing subnet has run out of addresses, but if you want to enforce seperation between machines then you really need them on separate (physical or virtual) links.
I see. I guess I was assuming subnets wouldn't typically be set up on the same link (at least for an Ethernet network). If this isn't the case, then VLANs make complete sense.
Right, the goal of VLANs is to allow physical infrastructure to be shared while keeping stuff logically seperate.
But if they were on separate links, and you wanted more LAN segmentation, is creating another subnet a viable alternative to using VLANs?
Yeah, keeping your subnets physically separate up to the point they meet your router/firewall is an alternative to using VLANs. Some argue it's more secure, there have certainly been VLAN-hopping exploits in the past but OTOH it's easy for two networks that are supposed to be physically seperate to be accidentally interconnected.
You should also be aware that the term "VLAN" is a bit overloaded. Depending on the context it can refer to either the number used for tagging packets on the wire or to the virtual Ethernet network created by doing so. In a large network infrastructure the same VLAN number may be used for different virtual Ethernet networks in different places.
edited Jan 3 at 6:19
answered Jan 3 at 5:48
Peter Green
7,35121225
I see. I guess I was assuming subnets wouldn't typically be set up on the same link (at least for an Ethernet network). If this isn't the case, then VLANs make complete sense. But if they were on separate links, and you wanted more LAN segmentation, is creating another subnet a viable alternative to using VLANs? I suppose, like mentioned above, this would require more hardware, whereas with VLANs that can be done entirely in software.
– bzzn
Jan 3 at 6:08
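The "only the default" point in the answer above is easiest to see from the host's own forwarding decision. The following is an added illustration, not code from the question, the answer or its author: a small model of the longest-prefix-match lookup an IPv4 host performs, which tells you which address it ARPs for on the link. The hosts (A at 10.0.1.10/24, B at 10.0.2.10/24), the router addresses 10.0.1.1 and 10.0.2.1, and the interface name eth0 are all assumptions chosen for the example. Adding the equivalent of `ip route add 10.0.2.0/24 dev eth0` on A turns the ARP target from the gateway into B itself, so frames never reach the router or any ACL on it.

```python
"""Host forwarding decision on a shared L2 segment (added example).

Models the longest-prefix-match lookup an IPv4 host does before it sends a
packet, and therefore which address it ARPs for on the link. Hosts, routes
and addresses are constructed for illustration, not from any real network.
"""
import ipaddress


class Route:
    def __init__(self, prefix, dev, gateway=None):
        self.prefix = ipaddress.ip_network(prefix)
        self.dev = dev
        # gateway None means the prefix is on-link: deliver straight to dst.
        self.gateway = ipaddress.ip_address(gateway) if gateway else None


class Host:
    def __init__(self, name, addr):
        self.name = name
        self.iface = ipaddress.ip_interface(addr)        # e.g. "10.0.1.10/24"
        # The connected route for the host's own subnet is always present.
        self.routes = [Route(str(self.iface.network), "eth0")]

    def add_route(self, prefix, via=None, dev="eth0"):
        self.routes.append(Route(prefix, dev, via))

    def next_hop(self, dst):
        """Return (dev, arp_target) for dst, or None if there is no route.

        arp_target is the address whose MAC the host resolves: the
        destination itself for an on-link route, the gateway otherwise.
        Route metrics are ignored; ties go to the route added first.
        """
        dst = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if dst in r.prefix]
        if not matches:
            return None
        best = max(matches, key=lambda r: r.prefix.prefixlen)
        return best.dev, str(best.gateway or dst)

    def delivered_directly(self, dst):
        """True when frames for dst are sent to dst's own MAC, so no
        router or firewall on the segment ever sees them."""
        hop = self.next_hop(dst)
        return hop is not None and hop[1] == str(ipaddress.ip_address(dst))


def demo():
    """Two subnets on one VLAN: A is 10.0.1.10/24, B is 10.0.2.10/24, each
    with a default route to a router holding 10.0.1.1 and 10.0.2.1 on that
    same link (all assumed values)."""
    a = Host("A", "10.0.1.10/24")
    a.add_route("0.0.0.0/0", via="10.0.1.1")
    b = Host("B", "10.0.2.10/24")
    b.add_route("0.0.0.0/0", via="10.0.2.1")

    # Default behaviour: cross-subnet traffic is handed to the gateway.
    via_router = (a.next_hop("10.0.2.10"), b.next_hop("10.0.1.10"))

    # Equivalent of `ip route add 10.0.2.0/24 dev eth0` on A and the mirror
    # on B: the other subnet is declared on-link, no gateway involved.
    a.add_route("10.0.2.0/24")
    b.add_route("10.0.1.0/24")
    direct = (a.next_hop("10.0.2.10"), b.next_hop("10.0.1.10"))
    return via_router, direct


if __name__ == "__main__":
    before, after = demo()
    print("with only default routes:", before)
    print("after adding on-link routes:", after)
```

Both ends need the on-link route for the traffic to stay off the router entirely; if only A adds it, B still answers through its own gateway and the reply path is asymmetric, which is exactly the kind of half-working state that shows up as "the firewall only sees one direction" during an investigation.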
Layer-3 provides logical isolation between subnets. If you run them on the same layer-2 [Ethernet or VLAN], they aren't actually isolated. They automatically see each other's broadcast traffic. With the addition of a single route, they can talk directly to each other, bypassing any routers, firewalls, or ACLs -- because they're on the same wire. Very few switches can do layer-3 filtering on layer-2 ports.
answered Jan 3 at 6:39
Ricky Beam
21.5k22961
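Because the bypass both answers describe happens below the router, the router's logs never show it; the evidence is on the wire, in ARP. As an added example (not part of either answer, and not from any real capture), the script below parses tcpdump-style ARP request lines taken on a single VLAN and flags a host asking for the MAC of an address outside its own subnet that is not a known gateway, which is what an on-link route for a "separate" subnet looks like. The sample lines, the /24 mask assumed for every sender, and the gateway list are constructed for the example.

```python
"""Spot cross-subnet direct delivery on one broadcast domain (added example).

Parses tcpdump-style ARP request lines captured on a single VLAN and flags
hosts that resolve addresses outside their own subnet directly, which is
what an on-link route for a "separate" subnet looks like on the wire.
Sample lines and addresses are constructed, not taken from a real capture.
"""
import ipaddress
import re

# Matches tcpdump output such as:
#   09:00:04.220033 ARP, Request who-has 10.0.2.10 tell 10.0.1.10, length 28
# The optional parenthesised group absorbs "(Broadcast)"/MAC hints tcpdump
# sometimes prints after the target address.
ARP_REQ = re.compile(
    r"ARP, Request who-has (?P<target>\d+\.\d+\.\d+\.\d+) "
    r"(?:\([^)]*\) )?tell (?P<sender>\d+\.\d+\.\d+\.\d+)"
)

# Constructed capture: two subnets share one VLAN; the last two requests
# show each host resolving the other directly instead of via its gateway.
SAMPLE_CAPTURE = """\
09:00:01.000101 ARP, Request who-has 10.0.1.1 tell 10.0.1.10, length 28
09:00:01.000320 ARP, Reply 10.0.1.1 is-at 02:00:00:00:01:01, length 28
09:00:02.004410 ARP, Request who-has 10.0.1.20 tell 10.0.1.10, length 28
09:00:03.100200 ARP, Request who-has 10.0.2.1 tell 10.0.2.10, length 28
09:00:04.220033 ARP, Request who-has 10.0.2.10 tell 10.0.1.10, length 28
09:00:04.220900 ARP, Reply 10.0.2.10 is-at 02:00:00:00:02:10, length 28
09:00:05.000001 ARP, Request who-has 10.0.1.10 tell 10.0.2.10, length 28
"""


def parse_requests(text):
    """Yield (sender, target) IPv4Address pairs from ARP request lines;
    replies and non-ARP lines are ignored."""
    for line in text.splitlines():
        m = ARP_REQ.search(line)
        if m:
            yield ipaddress.ip_address(m["sender"]), ipaddress.ip_address(m["target"])


def subnets_seen(text, prefixlen=24):
    """Distinct /prefixlen networks that ARP senders belong to (the mask is
    assumed, ARP does not carry it). More than one on a single VLAN means
    the subnets are only logically separated."""
    nets = {ipaddress.ip_network(f"{s}/{prefixlen}", strict=False)
            for s, _ in parse_requests(text)}
    return sorted(str(n) for n in nets)


def gateway_bypass(text, gateways, prefixlen=24):
    """Return (sender, target) string pairs where a host asks for the MAC of
    an address outside its own /prefixlen that is not a listed gateway: the
    host is delivering cross-subnet traffic on the link, past any router ACL."""
    gws = {ipaddress.ip_address(g) for g in gateways}
    hits = []
    for sender, target in parse_requests(text):
        net = ipaddress.ip_network(f"{sender}/{prefixlen}", strict=False)
        if target not in net and target not in gws:
            hits.append((str(sender), str(target)))
    return hits


if __name__ == "__main__":
    print("subnets on this VLAN:", subnets_seen(SAMPLE_CAPTURE))
    for sender, target in gateway_bypass(SAMPLE_CAPTURE, ["10.0.1.1", "10.0.2.1"]):
        print(f"direct cross-subnet resolution: {sender} -> {target}")
```

A host with a misconfigured (too wide) netmask produces the same off-subnet requests, so treat a hit as a lead rather than a verdict: check whether the ARP reply came from the target's own MAC or from the router's (proxy ARP), and compare against the host's actual routing table. Hosts only ARP for what they believe is on-link, so a sustained pattern of one station resolving another subnet's addresses is a reliable sign that a route like the one in the answers above exists.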