Why have VLANS if routers defeat the purpose?

gbdavidx

I am not grasping the purpose of vlans very well if you can still access the different networks w/ a router, besides having it more "secure" can someone explain like i'm 5 why vlan's are so important?

EdTheLad

Vlans breakup broadcast domains. Lets say you have no vlans, 100 pc's connected to a switch, 10 pc's per 10 different networks 192.168.1.0, 192168.2.0 ... 192.168.10.0; so within each network are he host pc's with addresses .1 -> .10 . Since these hosts are on different layer 3 networks they can only communicate with the other hosts on the same layer 3 network.

PC1 in subnet 1 wants to talk to PC2 in subnet 1 , it sends an arp request for the ip address of PC2, every PC in your domain will receive that arp request and process it. A hacker gets onto PC 3 subnet 4 and starts sending broadcasts, all 100 PCs are affected etc etc. By dividing the L2 domain into vlans, you reduce the broadcast scope.


Now if these PCs need to communicate with each other off subnet, i can connect each vlan to a router and have the router forward traffic between the vlans.

MrPuzzlez

I was thinking the same way as you a few years ago, but started to understand as I kept studying. They are also more economical as far as LAN segregation, especially when you only have one router and you execute what is called "Router on a Stick". Hopefully, this might make things clearer...

https://www.youtube.com/watch?v=g3c7kjDuEMU

Magic Johnson

It may be also worth mentioning that CISCO recommend no more than 500 devices in the same broadcast domain.

RouteMyPacket

VLANS provide for segmentation of networks, improve the security posture of the environment, limit broadcasts. VLANS are awesome and the concept is rather simple, once it clicks you will laugh how basic they are.

Router on A Stick is still used in some environments, I have customers who rely on it. Not the best design in 90% of the environments I see it in. I actually configured a site yesterday for dot1x (ISE) and saw it was using VLAN 1, hmmm..CDP showed what's up and yep a good 'ol 2900 serving as the VG, DHCP, Inter-VLAN routing for site as well as their WAN connectivity.

As Magic mentioned above, I never personally assign anything more than a /23 to one specific VLAN but for the most part you will see /24's in use.

gbdavidx

I doubt a 5 year old would understand but that makes a lot more sense they don't explain that in the book (at least I dont remember reading it)

theodoxa

1. VLANs allow you to assign users (ports) to a subnet without them having to be connected to the same switch. Just trunk all the switches together (STP takes care of loop prevention) and assign the ports to their respective VLANs.

2. Its easier to switch a user to a different subnet. Instead of having to move their cable to a different switch, just change the VLAN assigned to that port.

3. For VoIP you have a data and a voice VLAN to segregate the voice and data traffic.

4. You could break one large switch into multiple logical switches by creating multiple VLANs. This is particularly useful for remote labbing. You could just connect all your ethernet ports to one switch and then change the ethernet topology at will by just changing the VLAN assignments.

EdTheLad

Just playing devils advocate , looking in the eyes of noob.

theodoxa wrote: »

1. VLANs allow you to assign users (ports) to a subnet without them having to be connected to the same switch. Just trunk all the switches together (STP takes care of loop prevention) and assign the ports to their respective VLANs.

I don't need vlans for this, i could have 1 vlan spanning across multiple switches, groups of layer 3 devices configured with their appropriate subnet spread across the switches. STP will still be required, so as a noob, i'd still be wondering what's the point in vlans.

theodoxa wrote: »

2. Its easier to switch a user to a different subnet. Instead of having to move their cable to a different switch, just change the VLAN assigned to that port.

Again, if i had a single vlan i would just change the ip address on my end device to the appropriate subnet, no cable swapping required.

theodoxa wrote: »

3. For VoIP you have a data and a voice VLAN to segregate the voice and data traffic.

As a noob, i can't see what would be the point of segregating the different traffic, let it all share vlan 1, it will work.

theodoxa wrote: »

4. You could break one large switch into multiple logical switches by creating multiple VLANs. This is particularly useful for remote labbing. You could just connect all your ethernet ports to one switch and then change the ethernet topology at will by just changing the VLAN assignments.

That's a lab hack and nothing to do with why vlans were created.

I find it useful to try and think in the perspective of the noob when answering questions, i don't always, but i try .

HAMP

gbdavidx wrote: »

I am not grasping the purpose of vlans very well if you can still access the different networks w/ a router, besides having it more "secure" can someone explain like i'm 5 why vlan's are so important?

EdTheLad wrote: »

Vlans breakup broadcast domains. Lets say you have no vlans, 100 pc's connected to a switch, 10 pc's per 10 different networks 192.168.1.0, 192168.2.0 ... 192.168.10.0; so within each network are he host pc's with addresses .1 -> .10 . Since these hosts are on different layer 3 networks they can only communicate with the other hosts on the same layer 3 network.

PC1 in subnet 1 wants to talk to PC2 in subnet 1 , it sends an arp request for the ip address of PC2, every PC in your domain will receive that arp request and process it. A hacker gets onto PC 3 subnet 4 and starts sending broadcasts, all 100 PCs are affected etc etc. By dividing the L2 domain into vlans, you reduce the broadcast scope.


Now if these PCs need to communicate with each other off subnet, i can connect each vlan to a router and have the router forward traffic between the vlans.

gbdavidx wrote: »

I doubt a 5 year old would understand but that makes a lot more sense they don't explain that in the book (at least I dont remember reading it)

I will try and explain with a lot less technical explanation, and maybe that 5yr old will understand.

It is almost explaining it the same way a hub would work compared to the switch. On a hub, if someone yelled(broadcast) it would go out all the ports, and those PC that are listening makes the decision of, “Oh, that was for me, I will respond”, Or “Nope, they calling for someone else”

On the Switch, which has the VLANS, when someone yells(broadcast), the switch is making the decision of which PC/s is allowed to hear that noise.

On the same VLAN, the noise goes thru the port into the PC
On a different VLAN, Nobody is bothered with all that noise!!!! Lol

I hope I explained that correctly.

anywho

Cost - it's cheaper to use vlans than investing in multiple switches and routers

networker050184

Exactly anywho. Anything you can make logically happen without buying new hardware is always a good thing.