Friday, September 27, 2013

VLANs vs Subnetting

Subnet
A subnet is a range of IP addresses determined by part of an address (often called the network address) and a subnet mask (netmask). For example, if the netmask is 255.255.255.0 (or /24 for short) and the network address is 192.168.10.0, that defines the range of IP addresses 192.168.10.0 through 192.168.10.255. The shorthand for writing that is 192.168.10.0/24; within it, 192.168.10.255 is the broadcast address and 192.168.10.0 is the network address.

VLAN
A good way to think of this is "switch partitioning." Let's say you have an 8 port switch that is VLAN-able. You can assign 4 ports to one VLAN (say VLAN 1) and 4 ports to another VLAN (say VLAN 2). VLAN 1 won't see any of VLAN 2's traffic and vice versa; logically, you now have two separate switches. Normally on a switch, if the switch hasn't seen a MAC address it will "flood" the traffic to all other ports. VLANs confine that flooding to the ports of the same VLAN.

If two computers are going to talk using TCP/IP, then one of two conditions must be met:

They must belong to the same subnet. This means the network address must be the same and the netmask must be equal or smaller. So, a computer with an interface with an IP address of 192.168.10.4/24 can talk to a computer with an interface with an IP address of 192.168.10.8/24 with no issues, provided they are both connected to the same physical switch or VLAN. If the second computer's interface connected to that same physical switch or VLAN were 192.168.11.8/24 instead, it would ignore the traffic (unless the interface was in promiscuous mode).

A router needs to exist between both computers that can forward traffic between subnets. Computer A and computer B each need a route (or default gateway) to this router. Let's say a computer with an interface with an IP address of 192.168.10.4/24 wants to talk to a computer with an interface with an IP address of 192.168.20.4/24. Different subnets, so we must go through a router. Let's say there's a router with two interfaces (routers by definition have two interfaces), one at 192.168.10.254/24 and one at 192.168.20.254/24. If the route table or DHCP is set up correctly and both computer A and B can reach the router's interface on their respective subnets, then they can talk to each other indirectly via the router.
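The two conditions above come down to a small amount of bit arithmetic that every host performs for each outgoing packet: AND the destination with its own netmask, compare the result with its own network address, and either send directly or hand the packet to the default gateway. The following is an added worked example (not code from the original post) that carries the post's own addresses through that decision; the function names and the hand-rolled mask arithmetic are this example's, and the standard library's ipaddress module is used only to cross-check the result.

```python
"""Subnet arithmetic and the direct-vs-router decision.

Added example, not part of the original post. Pure standard library;
no real network interface is touched.
"""
import ipaddress  # used only to cross-check the hand-rolled arithmetic
from typing import Dict, Optional


def ip_to_int(ip: str) -> int:
    """Dotted-quad IPv4 text -> 32-bit integer, rejecting malformed input."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(o < 0 or o > 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    """32-bit integer -> dotted-quad text."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> int:
    """Prefix length -> netmask as an integer, e.g. 24 -> 0xFFFFFF00 (255.255.255.0)."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def describe_subnet(cidr: str) -> Dict[str, str]:
    """Network address, netmask, broadcast and usable host range for a CIDR string."""
    ip, prefix = cidr.split("/")
    mask = prefix_to_mask(int(prefix))
    network = ip_to_int(ip) & mask            # host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)  # host bits set
    return {
        "network": int_to_ip(network),
        "netmask": int_to_ip(mask),
        "broadcast": int_to_ip(broadcast),
        "first_host": int_to_ip(network + 1),
        "last_host": int_to_ip(broadcast - 1),
    }


def same_subnet(cidr_self: str, other: str) -> bool:
    """Does this host (with *its* mask) consider `other` to be on-link?
    Both addresses are ANDed with the host's own mask and compared."""
    ip, prefix = cidr_self.split("/")
    mask = prefix_to_mask(int(prefix))
    return (ip_to_int(ip) & mask) == (ip_to_int(other) & mask)


def next_hop(cidr_self: str, dest: str, gateway: Optional[str]) -> str:
    """Return the address the host hands the packet to: the destination itself
    when it is on the same subnet, otherwise the default gateway (which must
    itself be on-link, or the host could never reach it)."""
    if same_subnet(cidr_self, dest):
        return dest
    if gateway is None:
        raise LookupError(f"{dest} is off-subnet and no default gateway is configured")
    if not same_subnet(cidr_self, gateway):
        raise LookupError(f"gateway {gateway} is not on this host's subnet")
    return gateway


if __name__ == "__main__":
    info = describe_subnet("192.168.10.0/24")
    print(info)
    # Cross-check the hand-rolled math against the standard library.
    net = ipaddress.ip_network("192.168.10.0/24")
    assert str(net.broadcast_address) == info["broadcast"]
    # Same subnet: A talks to B directly.
    print(next_hop("192.168.10.4/24", "192.168.10.8", "192.168.10.254"))
    # Different subnet: A hands the packet to the router interface on its own subnet.
    print(next_hop("192.168.10.4/24", "192.168.20.4", "192.168.10.254"))
```

Note that `same_subnet` is evaluated from one host's point of view with that host's mask, which is why two hosts on the same wire with mismatched masks can each reach a conclusion the other disagrees with; the post's 192.168.11.8/24 case is exactly the situation where the sender's arithmetic says "not local".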

Forcing traffic to go through a router, even when it isn't strictly needed (as on our 8-port switch above), has security and performance benefits - it gives you an opportunity to filter traffic, an opportunity to route traffic optimally based on type, and routers do not forward broadcast traffic (unless unusually configured). VLANs are sometimes used as a "hack" to manage the flow and visibility of IPv4 broadcast traffic.

VLANs are equivalent to switches. What comes in one port of a VLAN is replicated ("flooded") to all other ports in that VLAN unless the VLAN has already seen/learned the destination MAC address, in which case it is sent only to that port. There is no gateway to the VLAN proper. A "gateway" always means the IP address of a router.
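The learn-or-flood behaviour, and the fact that it is confined to a VLAN, is easiest to see in a few lines of simulation. The following is an added example (not code from the original post) of a toy VLAN-aware learning switch using the post's 8-port, two-VLAN layout; the port numbers, MAC addresses and the `VlanSwitch`/`demo` names are constructed for this example. It keeps one MAC table per VLAN, as a real switch does, so a MAC learned in VLAN 1 is unknown in VLAN 2.

```python
"""Toy VLAN-aware learning switch.

Added example, not part of the original post. A frame entering a port is
sent to the one port where the destination MAC was learned, or flooded to
every *other port in the same VLAN*; ports in a different VLAN never see it.
"""
from typing import Dict, List

BROADCAST = "ff:ff:ff:ff:ff:ff"


class VlanSwitch:
    def __init__(self, port_to_vlan: Dict[int, int]) -> None:
        # Access-port configuration: port number -> VLAN id (constructed).
        self.port_to_vlan = dict(port_to_vlan)
        # Per-VLAN forwarding table: vlan -> {mac: port}. Separate tables
        # per VLAN are what make "two logical switches" true.
        self.mac_table: Dict[int, Dict[str, int]] = {}
        self.flood_count = 0  # how many frames had to be flooded

    def ports_in_vlan(self, vlan: int) -> List[int]:
        return sorted(p for p, v in self.port_to_vlan.items() if v == vlan)

    def receive(self, in_port: int, src_mac: str, dst_mac: str) -> List[int]:
        """Process one frame; return the list of egress ports."""
        vlan = self.port_to_vlan[in_port]
        table = self.mac_table.setdefault(vlan, {})
        # Learning: remember which port the source sits behind, in this VLAN only.
        table[src_mac] = in_port
        # Known unicast goes to one port (never back out the ingress port).
        if dst_mac != BROADCAST and dst_mac in table:
            out = table[dst_mac]
            return [] if out == in_port else [out]
        # Broadcast and unknown unicast are flooded, but only within the VLAN.
        self.flood_count += 1
        return [p for p in self.ports_in_vlan(vlan) if p != in_port]


def demo() -> Dict[str, List[int]]:
    """Walk through the post's 8-port switch: ports 1-4 in VLAN 1, 5-8 in VLAN 2."""
    sw = VlanSwitch({1: 1, 2: 1, 3: 1, 4: 1, 5: 2, 6: 2, 7: 2, 8: 2})
    a, b, c = "00:00:00:00:00:aa", "00:00:00:00:00:bb", "00:00:00:00:00:cc"
    trace: Dict[str, List[int]] = {}
    # A (port 1) sends to B, whom the switch has never seen: flooded to VLAN 1 only.
    trace["a_to_unknown_b"] = sw.receive(1, a, b)
    # B answers from port 3; A's MAC was learned on port 1, so unicast to port 1.
    trace["b_replies_to_a"] = sw.receive(3, b, a)
    # A sends to B again; B is now known on port 3.
    trace["a_to_b_again"] = sw.receive(1, a, b)
    # C on port 5 (VLAN 2) addresses A's MAC: VLAN 2's table does not know it,
    # so the frame floods VLAN 2's ports and never reaches port 1.
    trace["c_in_vlan2_to_a"] = sw.receive(5, c, a)
    # A broadcast from A stays inside VLAN 1.
    trace["broadcast_from_a"] = sw.receive(1, a, BROADCAST)
    trace["flood_count"] = [sw.flood_count]
    return trace


if __name__ == "__main__":
    for step, ports in demo().items():
        print(f"{step:>18}: {ports}")
```

The `c_in_vlan2_to_a` step is the security-relevant one: even though host A's MAC is in the switch, VLAN 2 has no entry for it and the frame is flooded only to ports 6, 7 and 8. Getting from VLAN 2 to A requires the router path the next paragraph describes, and that router is where filtering can be applied.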

For VLAN 1 to talk to VLAN 2, an interface in VLAN 1 must be connected to a router, an interface in VLAN 2 must be connected to a router, and that router must be configured to forward traffic between those subnets. In our 8 port example above, if we wanted to route traffic between those VLANs, we'd have to spend one port on each VLAN connecting to a router. The same applies to a physical switch.

When a computer gets its IP via DHCP, it usually gets the "default gateway" from that same DHCP server. Someone has to configure the DHCP server correctly. Routing protocols such as RIP, IS-IS, OSPF, and BGP can also add routes. Of course, you also have the option of adding static routes.

I'm sure many high-end switches/hardware have a "VLAN router" "built-in" to them where spending an extra port within each VLAN connecting it to a physical router really isn't necessary if you want to route between VLANs in the same switch. This might be where the VLAN IP or "gateway" comes into play.