VLAN philosophy - are VLANs necessary?

  • 25 March 2016
  • 7 replies

Hi everyone. I am just wondering what people think about the use of VLANs in a 100% Extreme network (B5 for wired and 5210 wireless)? I've heard things like VLANs are "old school" and there are better ways of doing things now with policy, NetSight, and NAC. I do believe policies are powerful tools for configuring and securing the network, but there is still that old idea of isolating traffic into separate broadcast domains for performance reasons. And dividing your network into subnets (VLANs) makes it easy to create policy and shape traffic on the firewall.

Are there any opinions out there? Should we be looking at a mix of both VLANs and policies? Are VLANs passé? I am new to Extreme Networks and policy-driven equipment, so I would very much welcome the feedback.

7 replies

Userlevel 7
In the past the VLAN was handled as a security tool. Different VLANs go to IP subnets and ACLs on the router. The above approach is old; the security tool can be policy = apply filtering and QoS on the ingress of the network. The policy approach is better. The VLAN can be part of policy also. The VLAN should be a broadcast container => absolutely valid approach... Hope it makes sense. Regards
Thanks for the response. Makes good sense.

Any other opinions?
Userlevel 4
Basically VLANs are used to bring structure into a network.
The structure is a basic need for redundancy and traffic control.

VLANs also allow the scaling of a network. Without VLANs, networks are limited to a certain number of participants.

I wouldn't see a VLAN as a security measure. Just implementing an ACL is not a security measure.

Policies give you the opportunity to have a security measure at the edge port.

VLANs give you the structure and are the foundation for a properly built network. Policies are an add-on to make it more secure.

In regards to the limited number of participants, what would you say is a realistic limit on B5 switches (with APs attached) before you start subnetting for performance reasons? 1,000 hosts? 2,000? How would you determine when such limits had been reached?
Userlevel 6
We look at VLANs as the basic conduit between groups that need either 100% isolation or need to be in a separate group (broadcast domain) with specific connections or interactions to other groups. You can also apply rates and priorities to the whole VLAN vs specific individuals or services in a broader scope. Not experienced on the B5 switches so can't help you there, but a good rule is when the broadcast chirps from NIC cards and users start affecting the other users. Most switches handle this traffic much better than the individual NIC cards. A single VLAN with 2000 users each one sending out ARPs, IPv6 chirps, UPnP mcast hellos can get a bit chatty if you have cheaper PCs or if there is a finicky application being used.... We like to see it broken up to 500 or less as a rule if they are running dual stack IPv4 and IPv6... Good luck
Userlevel 4
I would even like to introduce another aspect to this topic: errors in the network.
In most cases these errors are caused by an individual system and affect a broadcast domain. If you make broadcast domains smaller (In several environments I have one subnet per switch and traffic group) you have two effects:
1. The misbehaving systems are easier to locate
2. The impact on your network is less.

So having several VLANs gives you a lot of advantages and only a little more work.
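As an added illustration of the two points made in the replies above (background chatter growing with domain size, and a misbehaving host being easier to spot in a small domain), not code from the thread or from Extreme Networks: a short Python sketch that takes broadcast/multicast frames observed on one VLAN, flags hosts chirping far above the median host, and estimates how many typical hosts fit under an assumed per-host background budget. The frame sample, the MAC addresses and the 50 pps budget are constructed assumptions, not vendor figures.

```python
from collections import Counter
from statistics import median

# Constructed sample, not a real capture: broadcast/multicast frames seen on one
# VLAN over a 60-second window, as (timestamp_s, source_mac, protocol).
WINDOW_S = 60
SAMPLE = []
for i in range(6):          # three well-behaved hosts: one ARP or NDP chirp every 10 s
    for mac in ("02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"):
        SAMPLE.append((i * 10.0, mac, "arp" if i % 2 else "icmpv6-ns"))
for i in range(120):        # one misbehaving host announcing SSDP twice a second
    SAMPLE.append((i * 0.5, "02:00:00:00:00:bd", "ssdp"))


def frames_per_host(frames):
    """Count broadcast/multicast frames per source MAC within the window."""
    return Counter(mac for _, mac, _ in frames)


def chatty_hosts(counts, factor=5.0):
    """Hosts sending more than `factor` times the median host's frame count.

    The median is robust to a single flooder, so the threshold tracks what a
    normal NIC on this segment actually emits rather than the flooder itself.
    """
    baseline = median(counts.values())
    return sorted(mac for mac, n in counts.items() if n > factor * baseline)


def domain_pps(counts, window_s=WINDOW_S):
    """Aggregate broadcast/multicast packets per second every host must process."""
    return sum(counts.values()) / window_s


def max_hosts_for_budget(typical_frames, budget_pps, window_s=WINDOW_S):
    """Largest broadcast domain whose background chatter stays under budget_pps.

    typical_frames: frames one well-behaved host sends per window.
    budget_pps: the per-host background load you are willing to accept
    (an assumed design figure chosen here for illustration).
    """
    return (budget_pps * window_s) // typical_frames


if __name__ == "__main__":
    counts = frames_per_host(SAMPLE)
    print("chatty hosts:", chatty_hosts(counts))
    print("domain background load: %.2f pps" % domain_pps(counts))
    print("hosts that fit under a 50 pps budget:", max_hosts_for_budget(6, 50))
```

Run against a real segment, the same two numbers answer the question asked earlier in the thread: the chatty-host list points at the system to fix, and the budget calculation says when the domain has outgrown its size.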
Thanks! This is great feedback, everyone - it helps a lot. Your response has lent assurance to the idea that both policy and VLANs are required in good network design.