vlans and IP subnetting

Reasons for using VLANs (and IP subnetting):

  • limit impact of abnormal broadcast traffic (malfunctioning Ghost server, chatty Microsoft devices still using WINS elections are two prime examples) and isolate any “dumb” stuff (user hubs double-linked to the net, inappropriate/unintentional DHCP servers, improperly connected XP Network Bridge setups) so that the only impact they have is on the department where these are located; related to this is the ability to have multiple spanning tree instances, based on VLAN groupings
  • isolation of functional groupings: both for non-routed subnets (utility devices that only need to speak to each other – such as parking gates and steam meters) and routed subnets (common ACL requirements across the entire VLAN – such as cash registers and research clusters)
  • related to the last point, the ability to use in-line Intrusion Prevention Systems (such as TippingPoint) on specific VLANs (at the point where Layer 2 meets Layer 3 for that VLAN), where the IPS rules differ from those applied to other VLANs
  • use of RFC 1918 addresses – not necessarily due to a lack of addresses, but to avoid wasting public addresses on devices that have no need for off-campus connectivity (e.g. addresses on switches, UPSes, wireless access points, various utility systems, etc.)
  • allowing departments some measure of “network autonomy”, given that we centrally manage the network campuswide from the wallplate out and do not allow any departmentally owned network devices; the use of VLANs gives them some comfort that their traffic will be less disrupted by what other departments may do (particularly insofar as the “abnormal broadcast traffic and dumb stuff” alluded to in the first point comes into play)
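An added example (not from the original notes) that checks a constructed campus VLAN plan against the addressing rules in the bullets above: on-campus-only device classes sit in RFC 1918 space, non-routed utility VLANs carry no gateway, and no two prefixes overlap. VLAN ids, role names and prefixes are assumed for illustration.

```python
"""Validate a VLAN/subnet plan against the addressing rules discussed above.
The plan and role names below are constructed for illustration only."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Roles whose members never need off-campus connectivity (switches, UPSes,
# wireless APs, utility devices such as parking gates and steam meters).
ON_CAMPUS_ONLY_ROLES = {"switch-mgmt", "ups", "wireless-ap", "utility"}


def is_rfc1918(net):
    """True if the whole prefix lies inside one of the RFC 1918 blocks."""
    return any(net.subnet_of(p) for p in RFC1918)


def check_plan(plan):
    """Return a list of (vlan_id, message) findings; an empty list means the plan is clean."""
    findings = []
    seen = []  # (vlan_id, network) already accepted, for overlap checks
    for v in plan:
        net = ipaddress.ip_network(v["subnet"])
        gw = v.get("gateway")
        if v["role"] in ON_CAMPUS_ONLY_ROLES and not is_rfc1918(net):
            findings.append((v["vlan"], f"{v['role']} VLAN uses public space {net}; use RFC 1918"))
        if not v["routed"] and gw:
            findings.append((v["vlan"], "non-routed VLAN should have no gateway/SVI"))
        if v["routed"] and not gw:
            findings.append((v["vlan"], "routed VLAN has no gateway"))
        elif gw and ipaddress.ip_address(gw) not in net:
            findings.append((v["vlan"], f"gateway {gw} is outside {net}"))
        for other_id, other in seen:
            if net.overlaps(other):
                findings.append((v["vlan"], f"{net} overlaps VLAN {other_id} ({other})"))
        seen.append((v["vlan"], net))
    return findings


# Constructed sample plan: the last two entries deliberately violate the rules.
SAMPLE_PLAN = [
    {"vlan": 10, "role": "switch-mgmt", "subnet": "10.250.0.0/24", "routed": True, "gateway": "10.250.0.1"},
    {"vlan": 20, "role": "utility", "subnet": "192.168.40.0/24", "routed": False},
    {"vlan": 30, "role": "cash-register", "subnet": "10.30.0.0/24", "routed": True, "gateway": "10.30.0.1"},
    {"vlan": 40, "role": "ups", "subnet": "203.0.113.0/26", "routed": True, "gateway": "203.0.113.1"},
    {"vlan": 50, "role": "research", "subnet": "10.30.0.128/25", "routed": True, "gateway": "10.30.0.129"},
]

if __name__ == "__main__":
    for vlan_id, msg in check_plan(SAMPLE_PLAN):
        print(f"VLAN {vlan_id}: {msg}")
```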

How we define VLANs/subnets:

  • it has to be functional/organizational and not geographical: the very nature of the utility/auxiliary services VLANs, where you have energy management devices that gag if they see more than one broadcast every decade, requires that, as does addressing the points noted above; we find that, because of those requirements, it is much easier for us to support a functional/organizational subnet overlay across campus than it would be to support a geography-based architecture

Other questions about VLANs/subnets:

Is there a need for more than one class of service (within a given subnet)? e.g. one for “open” access, one for “closed”/firewalled access, one with NAC, one without, one for quarantine traffic, etc.

For those particular categories, we prefer to use separate VLANs/subnets (and indeed to have VLANs for those); however, there is still a need to be able to differentiate service at the application layer within a given VLAN/subnet – within a “switch management” VLAN, for example, I want SNMP traffic to have higher priority than telnet; within a particular server VLAN, I may want backup applications to have a higher priority than other apps (we had to do this on one small subnet/VLAN, where even overnight the legitimate HTTP and FTP traffic to this server kept the backups from completing within a 24-hour period). With desktop video conferencing packages on systems spread across a huge array of VLANs, we need to treat the appropriate H.323/SIP traffic accordingly. Bottom line on that question, though: if you’re talking about specific “functional” requirements, particularly as they relate to security or policy issues – like quarantine traffic or HIPAA-impacted traffic – we’re going to use separate VLANs for those; if you’re talking about different application-related requirements, we do need to be able to provide different service classes within VLANs/subnets.

If there is a need for multiple service classes, which implies segregation of traffic, is that segregation best achieved at: L1 – separate fiber/copper, L2 – VLANs, L2.5 – MPLS, L3 – IPsec, etc., or some hybrid?


Seriously, though, the application requirement has to drive the technology chosen in that regard. None of those are mutually exclusive or are incompatible with the others, so I think any of them could be more appropriate than the others for given situations.