VLANs & Subnets
teancum144
in Security+
It seems like VLANs and subnets are often used together in a 1-to-1 relationship. What about the following scenarios?
- A single subnet that is segmented with VLANs. Given that switch ports keep these separate, how are communications between two different VLANs handled? Even though they are on the same subnet, would they require a router to communicate? What are the security implications?
- A single VLAN (or LAN) with multiple subnets. This case is more obvious to me and I realize that communications between subnets would require a router or layer 3 device. In this case, is the security implication that a host could be configured to be on either subnet (or both with two NICs) and can't easily be locked out of one or the other?
Comments
teancum144: After doing some research, here is some additional information on the first bullet in the original question:
Segmenting a single subnet into two separate VLANs is unlikely unless you don't want the segmented subnet parts to communicate with each other (if you do, why would you segment the subnet with VLANs?). More likely is the desire to join two separate networks that use the same address space. An example might be the merging of companies. However, you want to avoid having to re-address one of the networks. The two networks must be joined by a VLAN-capable (via Multiple VLAN Registration Protocol) bridge or router. Proxy ARP is used to communicate between VLANs that are on the same subnet.
Source: Understanding and Configuring VLAN Routing and Bridging on a Router Using the IRB Feature - Cisco Systems
Source: Multiple Registration Protocol - Wikipedia, the free encyclopedia
Source: Inter-VLAN Routing vs multiple VLAN inside the same subnet vs private VLAN | HOWTO's and Tutorials
Here is an animated Proxy ARP Simulation that I found helpful:
http://www.youtube.com/watch?v=njDZPIFgYzQ
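To make the first bullet concrete, here is a small Python model of that situation (an added example, not from the thread or any vendor): one /24 is split across two VLANs on one switch, ARP broadcasts stay inside the sender's VLAN, and a proxy-ARP router attached to both VLANs is the only thing that can answer for a host on the other VLAN. The subnet, MAC addresses and host names are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

SUBNET = ipaddress.ip_network("192.0.2.0/24")  # constructed sample subnet (RFC 5737 range)
ROUTER_MAC = "00:00:5e:00:53:ff"                # constructed MAC of the proxy-ARP router

@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    mac: str
    vlan: int

# Constructed topology: A and C share VLAN 10, B sits alone in VLAN 20, all in one subnet.
HOSTS = [
    Host("A", "192.0.2.10", "00:00:5e:00:53:0a", 10),
    Host("C", "192.0.2.30", "00:00:5e:00:53:1e", 10),
    Host("B", "192.0.2.20", "00:00:5e:00:53:14", 20),
]

def resolve(src: Host, dst_ip: str, proxy_arp: bool = False):
    """Return the MAC that src learns for dst_ip, or None if its ARP request goes unanswered.
    src only ARPs for on-subnet addresses; the switch floods the request within src's VLAN."""
    if ipaddress.ip_address(dst_ip) not in SUBNET:
        return None  # off-subnet: src would send to its default gateway instead of ARPing
    # The ARP broadcast is confined to src's VLAN, so only same-VLAN hosts can hear it.
    for h in HOSTS:
        if h.vlan == src.vlan and h.ip == dst_ip:
            return h.mac
    # Proxy ARP: a router on both VLANs answers with its own MAC for the other VLAN's host,
    # so every cross-VLAN frame now passes through that router (the place to apply policy).
    if proxy_arp and any(h.ip == dst_ip and h.vlan != src.vlan for h in HOSTS):
        return ROUTER_MAC
    return None

def reachability(proxy_arp: bool) -> dict:
    """Which host pairs can resolve each other under the given proxy-ARP setting."""
    by_name = {h.name: h for h in HOSTS}
    return {f"{s}->{d}": resolve(by_name[s], by_name[d].ip, proxy_arp) is not None
            for s, d in (("A", "C"), ("A", "B"), ("B", "C"))}

if __name__ == "__main__":
    print("no proxy ARP  :", reachability(False))
    print("with proxy ARP:", reachability(True))
```

Without the proxy-ARP device the cross-VLAN pairs stay unreachable even though they share a subnet, which is the isolation the switch ports enforce; enabling it reopens those paths only through the router.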
saspro: A VLAN = a subnet = a broadcast domain.
1) You can't split a subnet across multiple VLANs and have them communicate at all. You need a VLAN for each subnet (and a routing device to route between them).
2) If you put multiple subnets on one VLAN then it's just messy, as broadcast traffic for one subnet goes out of ports used by other subnets; the entire purpose of VLANs is to separate broadcast domains.
panik: Normally you use VLANs to split a subnet over multiple switches so that hosts are in the same broadcast domain, even though they are on different physical switches.