I found this question very illuminating about DMZs and when to place a server in one.

We’re re-organizing our internal company network (keeping the same external IPs and domains), our mainly Windows servers (we use WinAD heavily) will be kept on the LAN with firewalls and port forwarding to direct external traffic.

What are the security (dis)advantages setting a server (example: email) up on a different VLAN to the rest of the internal network rather than inside a DMZ?

That’s a bit of an apples and oranges comparison. A DMZ is a separate network segment for systems with a greater risk of compromise; a vlan is a mechanism for achieving logical separation between different logical networks on the same physical network.

The comparison you probably want to make instead is this one: Should I implement my DMZ through physical separation by using separate network infrastructure, or through logical separation on the same network infrastructure?

With physical separation, the main barrier is cost; you’ll be investing in dedicated network equipment for what sounds like a small number of DMZ systems. There’s also extra management time involved in setting up and maintaining that infrastructure.

With vlan separation, you’ll be essentially building the same logical infrastructure as with the physical separation; a dedicated vlan with its own subnet, the device doing the routing between the subnets will apply access controls, etc.

However, the concern is security; sharing the same physical infrastructure increases the number of potential attack surfaces for an attacker who has compromised a DMZ device to try to access the non-DMZ network.

When using just the logical separation, vlan hopping attacks, as well as direct remote exploits against the network devices accessible to the DMZ (but serving both networks) are potential risks, as well as a greater risk of a misconfiguration in a single device compromising the barrier between the networks.

Check more discussion of this question.

I haven’t worked with VLANs much in the past and I was hoping if I could get a good explanation of what I need to setup for this to work.

I have a Netgear WNR2000v2 router and a Netgear GS108T smart switch currently in my network. The fourth port on the router connects to port one on the switch. I would like to be able to isolated port 8 on the switch for use as a “guest port” when I bring home malware infested PCs for repair. I figured the VLAN capabilities of the GS108T would be able to do this for me, but I think I have a misunderstanding of how the VLAN actually works.

Port 8 needs internet access but should not be able to communicate with the rest of the PCs on the home network. The subnet for the home network is 192.168.1.0/24 and I would like the guest PC to have A) 192.168.1.64 or B) 192.168.2.2. I am reading a lot of stuff about port trunking and VLAN membership, but I am confused as to which setup needs to be in place to make this work.

Any help is greatly appreciated! Let me know if there is more information I need to provide. Definitely looking to learn something from this project.

Thanks!

This has been answered many times here, but I need practice so I’ll have another go at it.

VLANs themselves are pretty easy to understand. Basically, what you are doing is carving up a switch into one or more logical groupings of ports. As an example, let’s take an 8-port switch and assign ports 1-4 to VLAN10, and ports 5-8 to VLAN20.

Devices plugged into ports 1-4 can all communicate to each other using like networking configuration. So… 192.168.1.1 which is part of network 192.168.1.0/24 can talk to any IP 192.168.1.1 through 192.168.1.254 as long as those devices are on those ports. If you connected 192.168.1.2/24 to port 5, a device on port 1 would not see that traffic because it is on a different network segment. It would be no different than if you had connected the devices to two entirely separate physical switches.

So, moving forward, think of each VLAN as being a separate switch and with each VLAN should come a different subnet configuration. So… VLAN10 could be 192.168.1.0/24, and devices on VLAN20 could be 192.168.2.0/24. If you overlapped, you might as well just put everything on the same VLAN.

To communicate BETWEEN two VLANs (that can and should be on different subnets), you need a router. Layer 3 capable switches allow for this to be done right on the switch.

However, you have a problem. A consumer grade router like the Netgear is probably not going to support routing more than 2 networks together unless you use DDWRT on it. This is because it’s expecting to be connected to a WAN network, and a LAN network, and perhaps maybe a wireless network but they usually just bridge this to the LAN segment.

You need the router to route between two separate LAN segments, as well as perform NAT to the WAN, but it probably doesn’t support that.

Check more discussion of this question.

So this is the current setup – essentially I would like to get my DHCP server, serving DHCP requests for two seperate subnets.

Netgear DG834G acting as a modem connected to a Sonicwall Pro 2040.

X0 - LAN - 192.168.1.0/24

X1 - WAN - <WAN-IP>

X2 - WLAN - 192.168.10.0/24

At the moment, I have a 2008R2 server with DHCP installed, with an IP address on the 192.168.1.0/24 range handling DHCP fine for this subnet.

The Sonicwall is configured correctly – anything connected to the WLAN has Full Allow to anything in the LAN, and vice versa but it will not lease an IP from my Server.

I’ve also added another IP address to the server, so the physical NIC now has two IP’s:

192.168.1.2 and 192.168.10.2 with a DHCP scope configured for each.

Still no luck!

Any ideas?

Thanks!

The initial steps in a DHCP client communicating with a DHCP server uses broadcast messages (to the physical layer broadcast address of FF-FF-FF-FF-FF-FF). Because these messages are broadcasts they are typically blocked/dropped at the network partition (a firewall, a layer 3 switch or a router that separates the client network from the server network). In order for DHCP clients on a network that’s different from the server network to communicate with the DHCP server an intermediate host on the client network (usually the router, layer 3 switch or firewall) needs to act as a relay for these broadcast messages. The DHCP relay agent relays the client broadcast messages on behalf of the client to the server as unicast messages. The DHCP server then uses information in these unicast messages to determine what layer 3 network the client is on and assigns an ip address from the DHCP scope configured for that network.

So, long story short, here’s what you need to do:

1. Remove the additional ip address from the server.

2. Configure a DHCP scope for the WLAN network.

3. Configure the Sonicwall to act as a DHCP relay agent.

Check more discussion of this question.

Good day,

I need to configure two vlan on an AP connected with a Dell PowerConnect 2848.
The first one is up and running (let’s say vlan x) , the second one is a completely different network (vlan y) , provided by a Gateway-DHCP wich i have no access, directely Patched (via patch panel) at a secondo AP device.

So i cannot just plug this Gateway device on my switch without tagging traffic before, for DHCP collion .
I have to solve this problem.
I was thinking about tagging the traffic at the port wich I will connect the gateway device with vlan y and then set as trunk (vlanx+y) the AP port. In this way I hope to limit the vlan y traffic ONLY for the ports I selected avoiding the spread of unwanted dhcp calls.
But all other ports are Unassigned , so I am not sure they won’t forward dhcp (vlan y) traffic.

I cannot change the Unassigned state for the vlan x ports cause vlanx is native.

I’m not 100% sure I understand the question, but it sounds like you have an existing DHCP server/network setup on the native VLAN (“x”) on the PowerConnect and you’d like to create another VLAN (“y”) for strictly wireless use; on VLAN “y” I’m assuming you have a router that’s running a DHCP server for your wireless clients and will also be the wireless client’s gateway.

I’m not going to get into syntax/UI commands, but typically there will be a SSID-to-VLAN mapping where you’ll want to assign a VLAN (“y”) to the SSID in the AP’s management user interface (UI). This will tag VLAN “y” traffic that leaves the uplink (or “LAN” port) on your AP for any wireless station (client) traffic associated with that SSID.

Usually you can also tag the non-wireless traffic (for instance, access to the Web/SSH/telnet management UI of the AP) if you’d like, or leave it untagged, which will put the AP’s management interface onto the default/member VLAN that the port belongs to on the switch.

For the switch, you’ll want to enable tagging for VLAN “y” for the port where your AP will be plugged into.

Check more discussion of this question.

I’m changing my network from having every device on flat network to using VLans. My problem is that we already have a lot of devices on this network(192.168.20.0/24). From theory, I read that each Vlan has to be a different subnet and then I need to configure virtual interfaces on my Cisco router to cater for inter vlan routing.

1) How can I segment this network with minimum down time on the devices already on the network?

2) Can I just create Vlans and leave all these Vlans in the same layer 3 network so that they can go out of the network (I am not too concerned about inter-Vlan routing) or I have to create subnets which means reconfiguring the existing devices (something I do not want).

As Joeqwerty already noted, you’re approaching this with an inadequate fundamental understanding, combined with vaguely-defined goals. You are setting yourself up for failure, downtime, and security holes. Rather than just answering your questions as asked I’m going to indulge in a little “vLAN 101″ tutorial which might be a bit more useful for you.

You seem to have a few fundamental misconceptions about vLAN segmentation and how it fits into network architecture, so let’s roll ALLLLLLL the way back to the beginning for a minute:

From a network architecture level you can take the very simplistic view that a vLAN is nothing more than a separate switch, not connected to any other switch (vLAN).

If you look at vLANs in this way it becomes relatively clear how to use them: When you don’t want machines in Group A to be able to talk to machines in Group B you put them in separate vLANs, and force them to traverse a router (ideally one with firewall functionality) to talk to each other.
Under nearly all circumstances it’s better (and easier) to do this by also putting the machines in different IP networks (subnets) — Machines within a vLAN are in the same subnet, and can chat amongst themselves as much as they want, but if they want to talk to someone outside their vLAN it’s also going to be outside their subnet, so they get handed off to their default gateway, which can handle the security concern of who can talk to whom under what circumstances.

So vLAN architecture in 11 easy steps:

1. Figure out which machines form logical groups. These are your vLANs
   In a very simple environment this could be Web Servers and Database Servers.
   In more complex environments you may have lots of groups, and you may combine multiple groups in a single vLAN — This is an architecture decision you have to make.

2. Figure out an addressing scheme that suits your vLANs.
   If you’re supremely lucky every vLAN will fit into a /24 and you’ll be able to build a topology based around that. If you aren’t that lucky figure out which vLANs need bigger (or smaller) blocks.

3. Draw what you have done so far on paper.

4. Figure out which vLANs need to talk to each other.
   What ports/services should be open between vLANs/Networks?
   What other conditions need to exist for your environment to function?

5. Draw what you came up with on paper. Make sure it’s sane, then convert it into firewall/router policy.

6. Draft a firewall/router configuration. Ideally play with it in a test environment.

7. Draw your switch on paper and map which ports will go to which vLANs.
   It’s helpful to physically group connections so that they’re in the same logical vLAN,
   but this isn’t strictly necessary.

8. Turn your switch drawing into a switch configuration. Ideally play with it in a test environment.

9. Clean up your drawings on paper. The logical drawing should look somewhat like this:
   
   (The image has been shrunk to obscure stuff you don’t need to read)

10. Get someone else to look at your design.
    You can ask on Server Fault, but it’s better if someone familiar with your environment looks at it as they’re more likely to catch potential breakage.

11. Take a weekend and turn your logical design into a physical reality.
    (It should go without saying that you should have a rollback plan in case things go horribly wrong, but I’m saying it anyway.)

(If you are VERY good you might be able to skip some of the “Draw it on paper” steps above, but I don’t recommend skipping that your first time.)

Re: the two specific questions you asked:

1)How can I segment this network with minimum down time on the devices already on the network?

You can’t. Breaking your network into vLANs will require an outage window – you will have to reconfigure your switch, move machines into different logical networks, configure routing, probably move some cables around, etc. etc. etc.
Plan for an outage starting at 5PM Friday and extending over a weekend, ESPECIALLY if this is your first time designing a properly segmented network – you will spend some time debugging things that break.

2)Can I just create Vlans and leave all these Vlans in the same laye 3 network so that they can go out of the network (I am not not concerned about Vlan routing) or I have to create subnets which means reconfiguring the existing devices (something I do not want)

Can you? Yes.
Will it buy you anything in terms of security? Not really.
Will it make the entire project 10 times harder? Absolutely.
Should you design a network this way? NO.

Check more discussion of this question.

I have several managed switches at work that connect all computer within our office to the ADSL modem. However I would like enforce a VLAN policy to isolate traffic within the network. Through my previous studies of the CCNA certification it has come clear to me that I would require a router. The router would facilitate routing traffic back and forth between the different VLANs and the ADSL modem.

However I have a limited budget and was thinking to replace the router with a switch running a customized version of Linux or *BSD distro. Would this be viable? If anyone could provide me with guidelines for getting it set up I would be very grateful.

Grab a workstation with a couple of NICs on it (or buy an ALIX device) and setup a router-on-a-stick, or depending on how many VLANs you have, dedicate an interface for each one. If you’re doing a lot of inter-VLAN routing (i.e. workstations on VLAN 1, servers on VLAN 2) then you’ll want a layer 3 switch or a real router (or one of these).

Check more discussion of this question.

I created a vlan on Ubuntu with vconfig tool with 21 as id and eth1 as the host port. I connected eth1 to one of the ports on the swtich (GE23) as all ports trunk by default. In the webgui I created a vlan named test with the id 21 and I made GE2 are port as an access port. In port to vlan mapping I selected vlan 21 and added it port GE2 by selecting untagged option. I have assigned 192.168.1.1/24 as the ip of eth1.21 on Ubuntu. If I connect another cleint pc to GE2 port with a ip of 192.168.1.2/24 I cannot ping the server ip (192.168.1.1/24). Ping from server to client also does not work. I inspected packets that are sent out eth1 on the server and I could see the vlan 21 tag. And I connect the other end of the cable to a different Linux pc and inspected the packets but no vlan tags can be seen. What could be preventing me from getting vlans working?

Edit 1 screenshots:

After my initial comments and Mike’s suggestion (see above) I did a bit of fact checking. (I was going from memory.)
We have several dozen of SG200 switches lying around here. They have been causing issues in the past.

We found the following:
- Upgrade the SG200 to the latest firmware.
- For any port on the switch that you need to have as Trunk: Set it to Access and then back to Trunk.
Even though the web-gui shows “Trunk” the port will initially (or after factory-default reset) be in “General”.
This is an auto-negotiate mode that often only works properly if the other end of the connection is also a Cisco switch in “General” mode.
The setting to Access and then back to Trunk will insure it is really working as Trunk.

Disabling spanning-tree (STP) on the port is in this case probably also a good idea as the server is certainly not going to participate in STP elections.

Check more discussion of this question.

What are virtual LANS. And why we need them?

As far as i have understood them when switches are been used to create broadcast domain between two different LANS. Then a switch could be used to connect both of the LANS.
So they share the same broadcast domain. Because a switch forwards packets which are broadcasted to all of its interfaces.

Please elaborate more.
Many many thanx in advance

Virtual LANs are there to secure and segregate networks and overall make the network more manageable.

Manageability

With a VLAN you can create a logical broadcast domain. This means the physical layout doesn’t necessarily need to be the logical. For instance you might virtually have 3 servers attached in one VLAN. This would seem as if they were on the same switch. But physically they can be on 3 different switches.

This means that if you ever need to move the machines around physically, the logical design still can stay the same. This means you need to stress your routers less since there is no special route traversing necessary to get to the other machine.

secure and segregate networks

VLANs provide a certain level of security. If you have one switch to which all your machines are connected, but you do not want the other machines to reach each other, you can just use VLAN’s to devide the network. In practice this might be that you use ports 1-5 for your critical server machines, ports 6-10 for employee PC’s and 11-15 for a guest network. Each of them are put in a different VLAN and can’t reach eachother even though they are physically on the same device.

Inter VLAN routing

Now what if you want to let some VLAN’s talk to each other? Well then you need inter-vlan routing. This means you add a router (or use a level 3 switch) to provide this functionality. A common practice is to use a router on a stick:

You can see a trunk as an uplink, it can run between multiple switches/routers. A trunk is a special line over which a number of VLAN’s run. You can have multiple trunks on once device.

(I come from a cisco background)

Check more discussion of this question.

So I have a Juniper EX3300 Switch. One of its uplink ports (ge-0/1/0) is connected to my ISP’s router. ISP router’s port address is xx.xx.xx.109. My switch’s IP address is xx.xx.xx.110.

From the switch, I can ping to xx.xx.xx.109 and any other IP in the world. I mean its connected to the Internet.

I connected the port eth0 of a computer (running Ubuntu) to the port ge-0/0/0 of the switch (which in the same VLAN as ge-0/1/0). I configured the port eth0 as follows:

iface eth0 inet static
    address yy.yy.yy.208
    netmask 255.255.255.240
    gateway xx.xx.xx.110

yy.yy.yy.208 is assigned to me by the ISP. So, now I can ping to the switch (xx.xx.xx.110) from this computer. But I can not ping to either xx.xx.xx.109 (ISP router) or any other IP.

I want this computer to be connected to the Internet. What am I doing wrong?

Here are some of the configurations on my switch:

interfaces {
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    .
    .
    .
    ge-0/1/0 {
        ether-options {
            no-auto-negotiation;
            link-mode full-duplex;
            speed {
                1g;
            }
        }
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    .
    .
    .
    vlan {
        unit 0 {
            family inet {
                address 10.0.1.1/24;
            }
        }
        unit 1 {
            family inet {
                address xx.xx.xx.110/30;
            }
        }
    }
}
.
.
.
routing-options {
    static {
        route 0.0.0.0/0 {
            next-hop xx.xx.xx.109;
            retain;
        }
    }
}
vlans {
    Cogent {
        vlan-id 3;
        interface {
            ge-0/1/0.0;
            ge-0/0/0.0;
            ge-0/0/1.0;
            ge-0/0/2.0;
            ge-0/0/3.0;
        }
        l3-interface vlan.1;
    }
    TFLan {
        vlan-id 2;
        interface {
            ge-0/0/5.0;
            ge-0/0/6.0;
            ge-0/0/7.0;
            ge-0/0/8.0;
            ge-0/0/9.0;
            ge-0/0/10.0;
            ge-0/0/11.0;
            ge-0/0/12.0;
            ge-0/0/13.0;
            ge-0/0/14.0;
            ge-0/0/15.0;
            ge-0/0/16.0;
            ge-0/0/17.0;
            ge-0/0/18.0;
            ge-0/0/19.0;
            ge-0/0/20.0;
            ge-0/0/21.0;
            ge-0/0/22.0;
            ge-0/0/23.0;
            ge-0/0/4.0;
        }
        l3-interface vlan.0;
    }
}

I want this computer to be connected to the internet. What am I doing wrong?

Summary info

Recalling information from the discussion in Using the Juniper EX3300 as a router:

• ge-0/1/0 is assigned a public /30 address by Cogent. For sake of illustration, we will call EX3300′s address on this subnet 192.0.2.109/30. Your default gateway is 192.0.2.110/30. From the configuration above, you have assigned ge-0/1/0 to vlan.1 using vlan-id 3.
• ge-0/0/0 is also assigned a public IP address. For the sake of argument, this subnet is 192.0.2.208/28. ge-0/0/0‘s subnet is different than ge-0/1/0. The interface addressing (and a few other things) need to be fixed.

List of items to fix

1. You can’t assign 192.0.2.208/28 to the Ubuntu server. .208 is the subnet adddress, and .223 is the broadcast address. Valid host addresses in this subnet range from 192.0.2.209 to 192.0.2.222 (it doesn’t matter that I’m using RFC 5737 addresses here, the subnet math works out the same).
2. You need l3-interface vlan.1 for your /30 link to the Cogent router; however, you also have the Ubuntu machine in that same subnet on a /28. Now that we have established that the Ubuntu server is in a different subnet than ge-0/1/0, please follow standard internet engineering practices and assign a different vlan to that subnet. Let’s call it l3 interface vlan.100 with vlan-id 100 on your EX3300. Assign 192.0.2.209/28 to your vlan.100 on the EX3300 and use it as the default gateway for this new subnet.
3. Even if you assigned a valid host address to your Ubuntu server (see point 1., above), that server’s default gateway must be in the same subnet. Assign 192.0.2.210/28 to the Ubuntu server and make the default gateway 192.0.2.209.

Purely informational material

FYI, We also said that you cannot use private IP addresses (RFC 1918) without NAT (RFC 3022). I see that you have 10.0.1.1/24 assigned to vlan.0. Anything in 10.0.0.0/8 is RFC 1918 space. If these devices need to access the internet, you will need some form of NAT.

May I suggest:

• a good book on internet routing; it’s geared towards Cisco IOS, but the concepts are still very similar.
• a good book on TCP/IP

Best of luck to you in this endeavor.

Check more discussion of this question.

Given n (e.g. 200) clients in a /24 subnet and the following network structure:

client 1 \
.         \
.          switch -- firewall
.         / 
client n /

(in words: all clients connected to one switch and the switch connected to the firewall)

Now by default, e.g. client 1 and client n can communicate directly using the switch, without any packets ever arriving the firewall. Therefore none of those packets could be filtered. However I would like to filter the packets between the clients, therefore I want to disallow any direct communication between the clients.

I know this is possible using vlans, but then – according to my understanding – I would have to put all clients in their own network. However I don’t even have that much IP addresses: I have about 200 clients, only a /24 subnet and all clients shall have public ip addresses, therefore I can’t just create a private network for each of them (well, maybe using some NAT, but I’d like to avoid that).

So, is there any way to tell the switch: Forward all packets to the firewall, don’t allow direct communication between clients? Thanks for any hint!

You can separate clients within a VLANM if your switch supports PVLAN (private VLAN) which can be configured to allow any host to talk to the firewall while being unable to communicate with any other device. You can additionally configure your PVLAN to also allow communication amongst limited groups of servers.

What sort of switch are you using?

Check more discussion of this question.