Subnetting vs vlan confusion



  • Ok so say I have my router running on the 192.168.1.x subnet, and all it has is 2 NICs, one for WAN and one for LAN. So say I add another one and run it on the subnet of, say, 10.10.10.x.
    Like, could a PC on the 10.10.10.x subnet communicate somehow with the one on the 192.168.1.x subnet? It shouldn't, right? So say if I had a PC on the 10.10.10.x subnet and it got infected by something like a sniffer, it couldn't sniff the data on the 192.168.1.x network, right?

    I am fairly confused on this stuff, explanations would be nice :D

    Now I think what I just did was create a new subnet, and not a VLAN. Since I believe when you have a VLAN, they are physically separated, right? And communicate on, say, a layer 3 switch?



  • Subnetting:
    All frames are (more or less) available on the whole broadcast domain.
    If you have 10.10.10.x and 192.168.1.x on the same physical layer and the 192.168.1.x subnet gets infected, the malicious program can set the NIC of the infected computer into promiscuous mode, ARP poison the switch and sniff everything from the 10.10.10.x subnet.
    --> No physical separation of the subnets on the switch.

    VLANs:
    Different frames from different VLANs are only available on a correctly configured port.
    If you have 10.10.10.x on VLAN 10 and 192.168.1.x on VLAN 20, then no traffic from the VLAN10 ports can go to the VLAN20 ports.
    --> The subnets are physically separated on the switch.

    To be able to communicate between the two VLANs you now need a router which has an interface in VLAN10 and in VLAN20 (like a pfSense).



  • @GruensFroeschli:

    Subnetting:
    All frames are (more or less) available on the whole broadcast domain.
    If you have 10.10.10.x and 192.168.1.x on the same physical layer and the 192.168.1.x subnet gets infected, the malicious program can set the NIC of the infected computer into promiscuous mode, ARP poison the switch and sniff everything from the 10.10.10.x subnet.
    --> No physical separation of the subnets on the switch.

    VLANs:
    Different frames from different VLANs are only available on a correctly configured port.
    If you have 10.10.10.x on VLAN 10 and 192.168.1.x on VLAN 20, then no traffic from the VLAN10 ports can go to the VLAN20 ports.
    --> The subnets are physically separated on the switch.

    To be able to communicate between the two VLANs you now need a router which has an interface in VLAN10 and in VLAN20 (like a pfSense).

    Could you give me an example of a VLAN being used with pfSense? I don't quite understand them all that well.



  • http://en.wikipedia.org/wiki/Virtual_Local_Area_Network
    --> More important: http://en.wikipedia.org/wiki/IEEE_802.1Q

    So essentially it's another 32 bits in a frame.
    The switch interprets the 12-bit VID.

    Each port of a switch has two modes it can be in:
    Tagged, Untagged.
    Untagged is normal traffic.
    Tagged is so-called "trunk" traffic.

    If you configure a VLAN-capable switch, you define what the default PVID (port VID) of a given untagged port is.
    So if normal traffic comes into the switch on an untagged port, the switch adds the 32 bits and sets the VID.
    Now the frame is in the switch. You have a table in the switch for each configured VLAN.
    This table defines to which ports frames which are members of a VLAN are allowed to go.
    If the destination of a frame is on an allowed port, it will be sent out.

    Now before the frame is sent out, the switch checks the configuration of the port.
    If the port on which the frame is leaving is set as untagged, the switch will remove the internally added tag and send the frame as normal traffic.
    If the port is set as tagged, the frame will leave tagged.

    If you add a VLAN interface on pfSense, this creates a virtual interface which only communicates via tagged frames.
    So for the pfSense to be able to receive frames on an interface, the port of the switch which is connected to the pfSense has to be set to tagged.

    Now the other direction: The switch has to be configured to accept tagged frames from the pfSense on its port.
    Since the arriving frame is already tagged, it won't add a new internal tag.
    In fact, usually you configure a tagged interface so that untagged traffic will not be allowed on a tagged port.

    My screenshots under the following link might help you understand:
    http://forum.pfsense.org/index.php/topic,14918.msg78736.html#msg78736
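As an added illustration (not code from this thread or from pfSense), the following Python models the switch behaviour described in this post and in the earlier subnetting-vs-VLAN comparison: classify on ingress from the port's PVID, forward only to the VLAN's member ports, strip the tag on untagged egress ports, keep it on tagged ones, and drop untagged traffic arriving on a tagged port. The port layout, MAC addresses and frames are constructed for the demo; `demo(False)` shows a broadcast from a 10.10.10.x host reaching the 192.168.1.x hosts when both subnets share one flat switch, and `demo(True)` shows it confined to VLAN 10 plus the tagged link to the router.

```python
import struct

TPID = 0x8100     # 802.1Q Tag Protocol Identifier: the "extra 32 bits" start with this
BCAST = b"\xff" * 6
MAC_A, MAC_B = b"\x02\x00\x00\x00\x00\x0a", b"\x02\x00\x00\x00\x00\x0b"  # constructed MACs

def build_frame(dst, src, ethertype, payload, vid=None):
    """Ethernet II frame; with vid set, the 4-byte tag (TPID + TCI) sits after the MACs."""
    tag = struct.pack("!HH", TPID, vid & 0x0FFF) if vid is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload

def split_tag(frame):
    """Return (vid, frame with the tag removed); vid is None for an untagged frame."""
    if struct.unpack("!H", frame[12:14])[0] != TPID:
        return None, frame
    tci, = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF, frame[:12] + frame[16:]   # the low 12 bits of the TCI are the VID

class Switch:
    def __init__(self, ports, vlans):
        self.ports = ports   # port -> {"mode": "untagged" | "tagged", "pvid": int}
        self.vlans = vlans   # vid  -> set of member ports (the per-VLAN table in the post)
        self.fdb = {}        # (vid, mac) -> port, learned from source addresses

    def forward(self, in_port, frame):
        """Return {out_port: frame as it leaves} for one frame arriving on in_port."""
        vid, raw = split_tag(frame)
        if self.ports[in_port]["mode"] == "untagged":
            vid = self.ports[in_port]["pvid"]   # internal tag comes from the port's PVID
        elif vid is None:
            return {}                           # untagged traffic not allowed on a tagged port
        members = self.vlans.get(vid, set())
        if in_port not in members:
            return {}
        self.fdb[(vid, raw[6:12])] = in_port
        known = self.fdb.get((vid, raw[:6]))
        outs = {known} if known is not None else members   # unknown or broadcast dst floods the VLAN
        tagged = raw[:12] + struct.pack("!HH", TPID, vid) + raw[12:]
        return {p: raw if self.ports[p]["mode"] == "untagged" else tagged
                for p in outs - {in_port}}

def demo(use_vlans):
    """Ports 1-2: 10.10.10.x hosts, 3-4: 192.168.1.x hosts, 5: link to pfSense (constructed)."""
    def access(pvid):
        return {"mode": "untagged", "pvid": pvid}
    if use_vlans:
        ports = {1: access(10), 2: access(10), 3: access(20), 4: access(20), 5: {"mode": "tagged", "pvid": 1}}
        vlans = {10: {1, 2, 5}, 20: {3, 4, 5}}
    else:                                  # one flat broadcast domain shared by both subnets
        ports = {p: access(1) for p in range(1, 6)}
        vlans = {1: {1, 2, 3, 4, 5}}
    sw = Switch(ports, vlans)
    arp = build_frame(BCAST, MAC_A, 0x0806, b"who-has 10.10.10.2")   # broadcast from a 10.10.10.x host
    return sw.forward(1, arp)
```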



  • Ok thanks, I'm just curious now, is there much of a point to just creating a new subnet?
    Also do I need a minimum of 2 layer 3 switches?



  • I don't understand your question.
    The point of having multiple subnets is to be able to route.
    Otherwise you would have to set up a filtering bridge between the two VLANs.

    What is your definition of a layer 3 switch?

    (for me a switch is ALWAYS layer 2. As soon as it knows layer 3 it's no longer a switch, but a router)

    Why would you want to use more than one switch?
    The point of using VLANs is that you only need one physical interface to one physical switch.
    The VLANs allow you to carry the traffic of multiple separate networks over one cable to the switch.
    The switch then internally separates these subnets/networks to different ports.
    Essentially the one physical switch becomes multiple logically separated switches.



  • @GruensFroeschli:

    I don't understand your question.
    The point of having multiple subnets is to be able to route.
    Otherwise you would have to set up a filtering bridge between the two VLANs.

    What is your definition of a layer 3 switch?

    (for me a switch is ALWAYS layer 2. As soon as it knows layer 3 it's no longer a switch, but a router)

    Why would you want to use more than one switch?
    The point of using VLANs is that you only need one physical interface to one physical switch.
    The VLANs allow you to carry the traffic of multiple separate networks over one cable to the switch.
    The switch then internally separates these subnets/networks to different ports.
    Essentially the one physical switch becomes multiple logically separated switches.

    Ok I got it, so now instead of buying a very expensive layer 3 switch, I could build another pfSense computer that acts as a VLAN, right? I am not too sure about this, someone just told me this.



  • This might help you further,

    If you look at this map of my network

    http://wan2.cheesyboofs.co.uk/home.htm

    you will see that I have three cable modems and various LAN devices all connected to the same switch. Logically the modems are outside my network and the LAN is inside, but physically they are all connected to the same switch. The modems are all in separate VLANs and the router (pfSense) is policing the routes between all the separate networks. The beauty is you can achieve quite a sophisticated setup with just one switch and a half-decent router. If I weren't using VLANs all my LAN equipment would actually be outside with only a bit of "sub-netting" to protect them.

    GruensFroeschli's explanation is quite thorough; you'd do well to read it over a couple of times, it will click eventually ;)



  • @cheesyboofs:

    This might help you further,

    If you look at this map of my network

    http://wan2.cheesyboofs.co.uk/home.htm

    you will see that I have three cable modems and various LAN devices all connected to the same switch. Logically the modems are outside my network and the LAN is inside, but physically they are all connected to the same switch. The modems are all in separate VLANs and the router (pfSense) is policing the routes between all the separate networks. The beauty is you can achieve quite a sophisticated setup with just one switch and a half-decent router. If I weren't using VLANs all my LAN equipment would actually be outside with only a bit of "sub-netting" to protect them.

    GruensFroeschli's explanation is quite thorough; you'd do well to read it over a couple of times, it will click eventually ;)

    :o That is one serious network setup.
    I'm still a bit confused, what is the pfSense router doing in your setup? It's in its own VLAN with no devices connected to it, because it looks like your layer 3 switch is doing the job of the router and handling the VLANs. Also what are the XBMC and MCE connected to, directly into the switch? If so they're not part of any of the VLANs, right? (I am hella new to VLANs :( don't scold me D: )



  • I think you're confusing yourself about layer 2 & 3 switches!

    A layer 3 switch is a layer 2 switch with some additional capabilities. VLANs (802.1Q) are part of the data link layer of the OSI model; this is LAYER 2. Layer 3 is the networking layer where IP, OSPF, ICMP, IGMP, IPsec kick in; my switch has none of these capabilities.

    Please look at the bottom of this wiki page on the OSI model,
    http://en.wikipedia.org/wiki/OSI_model <- Google "layer 2 wiki"

    The only thing my switch is doing (with the help of VLANs) is presenting 1 switch as several smaller switches, and giving my 1-port Gb router an extra 7 Gb ports.

    It really is that simple…



  • @cheesyboofs:

    I think you're confusing yourself about layer 2 & 3 switches!

    A layer 3 switch is a layer 2 switch with some additional capabilities. VLANs (802.1Q) are part of the data link layer of the OSI model; this is LAYER 2. Layer 3 is the networking layer where IP, OSPF, ICMP, IGMP, IPsec kick in; my switch has none of these capabilities.

    Please look at the bottom of this wiki page on the OSI model,
    http://en.wikipedia.org/wiki/OSI_model <- Google "layer 2 wiki"

    The only thing my switch is doing (with the help of VLANs) is presenting 1 switch as several smaller switches, and giving my 1-port Gb router an extra 7 Gb ports.

    It really is that simple…

    I thought you needed a layer 3 switch to create VLANs?



  • You need a managed switch to create VLANs.



  • @cheesyboofs:

    You need a managed switch to create VLANs.

    Now I'm a bit confused, what would you use a layer 3 switch for then? Would you need a router if you had a layer 3 switch? Because from what I can see it can address IPs and stuff.



  • The term "layer 3 switch" was invented by marketing.
    In the past a router was, compared to a switch, a big box with lots of fans.
    Marketing people tried to prevent any association with these old big routers.

    A layer 3 switch is nothing else than a (simple) router with a lot of ports.
    But in this case we have a layer 2 device (a switch) which is not capable of routing, but manageable (you can create 802.1Q VLANs on it),
    --> We need the pfSense for the routing part.
    Most current switches offer a simple web interface with some monitoring and configuration options.

    I'll try to put what cheesyboofs said into other words.
    With VLANs you're able to connect the pfSense over a single port to the switch, and separate the single physical switch into multiple separated switches.
    Each of these "separated switches" is still contained within the physical switch.
    But they are not able to "talk" to each other.
    But each of these switches is connected to the pfSense.
    Each VLAN appears as a separate interface on the pfSense
    --> You can route between the VLANs.

    I'm not sure if we can describe it better to you.
    May I suggest you contact a university where you live, where they teach basic networking classes.



  • @GruensFroeschli:

    The term "layer 3 switch" was invented by marketing.
    In the past a router was, compared to a switch, a big box with lots of fans.
    Marketing people tried to prevent any association with these old big routers.

    A layer 3 switch is nothing else than a (simple) router with a lot of ports.
    But in this case we have a layer 2 device (a switch) which is not capable of routing, but manageable (you can create 802.1Q VLANs on it),
    --> We need the pfSense for the routing part.
    Most current switches offer a simple web interface with some monitoring and configuration options.

    I'll try to put what cheesyboofs said into other words.
    With VLANs you're able to connect the pfSense over a single port to the switch, and separate the single physical switch into multiple separated switches.
    Each of these "separated switches" is still contained within the physical switch.
    But they are not able to "talk" to each other.
    But each of these switches is connected to the pfSense.
    Each VLAN appears as a separate interface on the pfSense
    --> You can route between the VLANs.

    I'm not sure if we can describe it better to you.
    May I suggest you contact a university where you live, where they teach basic networking classes.

    That made a lot more sense, I actually think I understand it, thanks  ;D



  • Switch = layer 2 = VLAN
    Router = layer 3 = subnet

    A VLAN is a "physical" separation between ports.  So if an 8-port switch had ports 1-4 on one VLAN, and 5-8 on another, they could not talk to each other without going through a layer-3 device.  That could be pfSense or a router with two NICs, for instance, in ports 1 and 5.  Or it could be an 802.1Q trunk going to a trunked port, which can carry both VLANs (although they both cross that port as ships in the night).

    A layer-3 network, which in TCP/IP is a subnet (192.168.1.x /24 or 10.10.10.x /24 in the above examples), is a logical delineation, not a physical one.  You need a router to go between different networks, not accounting for various hacks, etc.  It is possible to have two or more IP networks on the same VLAN/switch, but it's not best practice.  There is nothing stopping you from creating a 192.168.1.0 and 10.10.10.0 network on your home switch, living together as roommates on the same switch.  However, for security it's best if they get their own house.   :D

    Ideally, you should set up one IP network per VLAN, although in certain circumstances that's not always possible.

    You can have more than one IP network on a VLAN or unmanaged switch, but you can't have a network in more than one VLAN, unless you don't want them to talk to each other.
    (This excludes two-way NAT and the obvious point that another network somewhere else can have the same RFC1918 range)



  • I'm going to jump in here and ask if using one physical interface on your router (pfSense, or any other router for that matter) for all your VLANs is a performance bottleneck: i.e. is there a practical/theoretical limit to the number of VLANs/nodes per VLAN on a single physical interface?

    I'm asking because I had planned on using two of the interfaces (vr1 and vr2) for parent VLAN interfaces (a 1:1 ratio of VLANs to interfaces, i.e. VLAN10 = vr1 and VLAN20 = vr2), simply because I don't have a VLAN-capable switch and assumed that all nodes physically linked to vr1 (via an unmanaged switch) would be tagged as VLAN10, ditto for vr2/VLAN20.  Is this incorrect?  Basically I'm hoping to make up for a lack of VLAN-capable switches by using my OPT1 port on my ALIX 2D3 for VLAN20 duties.



  • @gravyface:

    I'm going to jump in here and ask if using one physical interface on your router (pfSense, or any other router for that matter) for all your VLANs is a performance bottleneck: i.e. is there a practical/theoretical limit to the number of VLANs/nodes per VLAN on a single physical interface?

    You're limited by the bandwidth of the parent interface.



  • @gravyface:

    I'm going to jump in here and ask if using one physical interface on your router (pfSense, or any other router for that matter) for all your VLANs is a performance bottleneck: i.e. is there a practical/theoretical limit to the number of VLANs/nodes per VLAN on a single physical interface?

    This is why I'm waiting with bated breath for v2 so that I can BOND (lagg) additional ports/links together between the router and the switch. ATM I have no real 'need' as the VLANs serve between WAN/Wireless segments and the LAN.
    If I were routing between, say, three Gb-enabled VLANs up just one Gb-enabled trunk and one VLAN was being twatted, the other two would obviously suffer. Saying that, rarely is one network running flat out for long, but you would notice a performance hit.
    If however you could bond three 1 Gb links together for the VLAN trunk from the switch back to the router, you should see little impact on the three individual LAN segments, obviously subject to router horsepower and configuration.



  • Hmm. Old thread, but it gave me some insight into VLAN implementation and such as I'm studying this.

    You talked about v2's ability to bond VLANs, which brings this thought into question.

    If a 1:1 VLAN was set up between two interfaces and a single computer hosting pfSense had 3 interfaces, could it be possible that each VLAN has its own external connection to the internet and have those VLANs bonded so that interface 3, which is the physical network, could take advantage of dual WAN/Internet speeds? I'm assuming that since bonding is in v2 (haven't confirmed it yet), pfSense will be able to handle packets arriving at different times etc. and put them all together again in the proper order?



  • I think I get where you're going with this, but I think the answer is no!
    Bonding only works if the device doing the 'packet splitting' is splitting them in such an 'ordered' fashion that the device doing the joining (switch/router) knows and expects how to re-join them.
    If the packets are coming from completely different sources they will arrive in a shotgun fashion. Bonding requires order and harmony and the internet is anything but.

    Cheers

