Could Someone Help Me Settle an Argument?
bugzy3188
Member Posts: 213 ■■■□□□□□□□
I posted a quote in another topic earlier in regards to this but I didn't include all of the details. So here's the deal, my boss and I got into a heated argument today in regards to VLANs. I was asked to complete a deployment plan for a SonicWALL router/firewall for one of our clients, very small, less than 10 users. Part of the installation was going to be to configure two WLANs, a guest and one that has access to the switched network. So in the documentation I set up virtual interfaces for both wireless LANs and for the wired LAN. I also went into detail on what ACLs needed to be created and which interfaces they needed to be assigned to in order to make sure users of each network were granted the access that they needed, but that is not important here, at least for the sake of this argument. Each LAN that was configured was configured with a /24 mask and a 10.10.x.0 address. So I finish up the documentation and turn it in for approval. My boss replies the next day with some notes, one of which mentioned that I forgot to add VLANs. I replied and said that from what I could tell VLANs weren't needed. I tried to explain to him that because each LAN/WLAN was already on a separate subnet, all on separate interfaces on the router, and that the switch on the wired LAN isn't capable of VLANs anyway, there would be no need. I proceeded to explain that all ACLs can be set on the interfaces/virtual interfaces and that would secure the network, keeping folks (particularly on the guest wireless) from getting access to resources that they shouldn't have access to.
After this I got a true to form condescending remark asking me to come out of my Cisco world (he is very condescending towards my Cisco studies in general). I was told that "I was applying my Cisco knowledge to a SonicWALL situation in a futile attempt". I was also told that creating virtual interfaces automatically creates VLANs and that these would need to be configured for the networks to communicate properly. I responded once more and stated that creating sub interfaces creates VLANs but creating virtual interfaces creates separate LANs entirely and that VLANs were simply not needed in this scenario. At this point he took the project from me and gave it to someone else, as he likes to do when he wants to belittle someone.
So am I right here? Or am I missing something? I am just looking for self validation at this point but it's been bugging me...lol
If you havin frame problems I feel bad for you son, I got 99 problems but a switch ain't one
Comments
-
CodeBlox
Member Posts: 1,363 ■■■■□□□□□□
Typically the separate subnets are segregated by VLANs. If you have a switch that does not support VLANs then that's another problem IMO. Creating sub interfaces does not create VLANs in itself. I'd have to side with your boss on this one.
Currently reading: Network Warrior, Unix Network Programming by Richard Stevens
-
shauncarter1
Member Posts: 40 ■■□□□□□□□□
From what I'm gathering here you have a single router and are using virtual interfaces for your different LANs. If this is the case you are going to need VLANs. You could get away with it if you had physical interfaces perhaps; from what I understand, in this case it won't work. I'm surprised the switch is not capable of VLANs.
B.S. - Business Administration - 2004
M.S. - Management Information Systems - 2007
Doctor of Management specializing in Information Systems - 2017
Cloud+ - In Progress
Network Engineer and Online Adjunct Faculty ~ Phoenix, DeVry, StrayerU
-
thronetm
Member Posts: 87 ■■□□□□□□□□
I'm siding with you on this one. What's the need for VLANs when you have X3, X4, X5 etc. to configure separate LANs?
-
jibbajabba
Member Posts: 4,317 ■■■■■■■■□□
> I'm siding with you on this one. What's the need for VLANs when you have X3, X4, X5 etc. to configure separate LANs?
I'd agree, however:
> So in the documentation I set up virtual interfaces for both wireless LANs and for the wired LAN
Virtual interfaces without VLANs is bad design. If each network can use a physical port, then yes, I agree, no point. But virtual interfaces should really use VLANs.
My own knowledge base made public: http://open902.com
-
bugzy3188
Member Posts: 213 ■■■□□□□□□□
OK, I am going to give my argument one last push and if I still can't convince the masses I will call this a loss. I would like to state here that I know that I am arguing semantics at this point but I feel strongly about my argument, and I'm a tad vain lol. My argument here is not against VLANs, I do think that VLANing would be a better way to go; my argument is, given the current setup, which is a variable that is not going to change, adding VLANs is completely pointless.
So we have 4 total interfaces in use on the router: W1 and W2, which are the virtual wireless interfaces, X0, which is the LAN interface, and X1, which is the WAN interface. Each interface aside from the WAN interface has a simple 10.10.y.x/24 network where y is the subnet and x represents the hosts. When someone on the X0 network wants to send traffic to someone on the W2 network, the router is going to take the packet, check the X0 interface for ACLs, see that it is directly connected to the W2 subnet and route traffic out that interface after checking it for ACLs as well. Pretty basic stuff.
Now let's assume that we do add VLANs to the router. There can be no trunking here because the only physical line is attached to an unmanaged switch that wouldn't know what to do with 802.1Q encapsulation even if we wanted it to. So what we have is VLANs configured on the router for LAN segments that are already physically separated? In this scenario I don't see where the virtual separation of layer 2 traffic occurs, as it is already separated by "physical" boundaries.
This is an atypical situation, I know. Even if we had a managed switch that could use VLANs I would agree that VLANs serve a purpose, but in this particular situation I just don't see where they fit in.
Thoughts?
If you havin frame problems I feel bad for you son, I got 99 problems but a switch ain't one
-
networker050184
Mod Posts: 11,962 Mod
As you seem to know, technically either way works, so there is no point in arguing that. What the argument seems to come down to is preference. Your boss obviously has the preference for VLANs. Pick your battles. This one doesn't seem worth fighting to me.
An expert is a man who has made all the mistakes which can be made.
-
bugzy3188
Member Posts: 213 ■■■□□□□□□□
I know, I plan to let it die. I just really dislike the condescending attitude towards me at work; oftentimes I don't feel like my opinion is valued or that I am respected as a contributing member of project discussions. I am going to be leaving this job for another very soon but I would prefer to not burn any bridges and won't. It's nice to know that I am at least partially correct though lol, keeps my ego from taking as big of a hit.
If you havin frame problems I feel bad for you son, I got 99 problems but a switch ain't one
-
jibbajabba
Member Posts: 4,317 ■■■■■■■■□□
> Thoughts?
Tell him that if he wants to use VLANs, the physical switch needs changing? Like networker says, if you argue against a wall, show off the limitations of the current network and let him decide.
My own knowledge base made public: http://open902.com
-
it_consultant
Member Posts: 1,903
I know what is going on here, I think...
The SonicWALL has an access point built in, right? If that is true, then the wireless should be in a separate security zone (which is effectively a different network, just call it a VLAN) and the wired ports should be in a separate security zone. Call that a different "VLAN": even though it isn't using 802.1Q tags, you are logically separating the traffic with the firewall. I have noticed that people actually have a very poor understanding of what a "VLAN" actually is. Sometimes, if you don't expect them to actually check for VLAN tagging, it is enough to say that you have "VLANs" even though the traffic segmentation is truly done with segmentation and ACLs. A lot of people erroneously link network segmentation to VLANs (obviously VLANs is one way of handling that) and they don't really know that you can achieve traffic segmentation other ways. In this case, piping all the traffic through the firewall is the easiest and least expensive way to handle the requirement to have a separate guest WiFi network and an internal wired network.
-
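The forwarding path bugzy describes (directly connected 10.10.y.0/24 networks on X0, W1 and W2, rules bound to interfaces rather than 802.1Q tags) and the security-zone framing in the post above, as an added Python model that is not part of the thread or of SonicWALL's software. The interface roles (W1 staff, W2 guest), the subnet numbers and the guest-only-to-WAN policy are assumptions chosen for the illustration.

```python
"""Model of zone-based forwarding on one firewall with directly connected
subnets X0 (wired LAN), W1/W2 (wireless) and a WAN uplink X1. Added
illustration, not SonicWALL code: interface names and 10.10.y.0/24 addressing
follow the thread; the zone roles and policy below are assumptions."""
from ipaddress import ip_address, ip_network

# Directly connected networks per interface (constructed to match the thread).
INTERFACES = {
    "X0": ip_network("10.10.1.0/24"),  # wired LAN behind the unmanaged switch
    "W1": ip_network("10.10.2.0/24"),  # staff WLAN (assumed role)
    "W2": ip_network("10.10.3.0/24"),  # guest WLAN (assumed role)
}
WAN = "X1"  # everything not directly connected leaves via the WAN interface

# Interface-bound rules, default deny between zones. Assumed policy: guest
# wireless may reach only the WAN; staff WLAN and wired LAN may reach each other.
POLICY = {
    ("X0", "W1"), ("W1", "X0"),
    ("X0", "X1"), ("W1", "X1"), ("W2", "X1"),
}


def egress_interface(dst):
    """Directly connected route lookup; anything else follows the default route."""
    for name, net in INTERFACES.items():
        if dst in net:
            return name
    return WAN


def forward(arrived_on, src, dst):
    """Return (ingress, egress, verdict) for one packet."""
    src, dst = ip_address(src), ip_address(dst)
    # Anti-spoofing: the source must belong to the subnet of the ingress
    # interface, and nothing arriving on the WAN may claim an internal address.
    home = INTERFACES.get(arrived_on)
    if home is not None and src not in home:
        return (arrived_on, None, "drop-spoofed")
    if home is None and any(src in net for net in INTERFACES.values()):
        return (arrived_on, None, "drop-spoofed")
    egress = egress_interface(dst)
    if egress == arrived_on:
        # Same-subnet traffic never transits the firewall; it is switched locally.
        return (arrived_on, egress, "local")
    verdict = "allow" if (arrived_on, egress) in POLICY else "deny"
    return (arrived_on, egress, verdict)


if __name__ == "__main__":
    for pkt in [("W2", "10.10.3.7", "10.10.1.20"), ("W2", "10.10.3.7", "203.0.113.10"),
                ("X0", "10.10.1.20", "10.10.2.5"), ("W2", "10.10.1.20", "203.0.113.10")]:
        print(pkt, "->", forward(*pkt))
```

The separation comes entirely from the per-interface route lookup plus the interface-pair policy; no tag is ever read or written, which is the point both posts make.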
MAC_Addy
Member Posts: 1,740 ■■■■□□□□□□
In smaller offices with less than 10 people I wouldn't even bother with setting up different VLANs.
2017 Certification Goals:
CCNP R/S
-
it_consultant
Member Posts: 1,903
> In smaller offices with less than 10 people I wouldn't even bother with setting up different VLANs.
Not normally, but OP needed a separate network for public WiFi. In that case a VLAN can be part of the possible solution.
-
darkerosxx
Banned Posts: 1,343
Actually, if you really want to get down to what's right and what's not, your boss is going to always be right. They pay your bills, so advise where you can, but do what they ask in the end.
However, if we want to get down to what's technically the most efficient manner to set up what you're talking about, VLANs would only add unnecessary encapsulation, which adds processing time, which makes your network less efficient, and therefore would NOT be a best case scenario in this very specific situation.