-
June 7th, 2004, 08:49 PM
#21
Originally posted here by Jazdaddy
I have some experience with vLANs. Unfortunately, we didn't purchase many L3 switches - only L2 for the workstations, and 2 L3's for the servers and backbone. My biggest concern here is that we have a good bit of our fileshares on a number of different servers, with no "departmental" isolation - the only real benefit we'll have with vLAN is isolating workstation traffic from other workstations. I realize I should be most worried about internal hacks, but I'm pretty good at sniffing 'em out.
Well, I have a similar situation at my place:
Two L3 switches (backbone/servers) and the rest are L2s, and all my servers (which serve many shares to different groups) are in the same VLAN. While perhaps not ideal, I do make use of VLANs to regroup workstations, but workstations on different VLANs can't talk to each other, only to the servers and to the gateway (internet/dmz through firewall/proxy...). The benefits are that different departments are segregated; in case of a worm, its traffic is limited at the VLAN level and the server VLAN, which can have filtered (ACLed) access or at a minimum, it's much easier to monitor, harden, patch a couple servers than making sure none of the other hundred-something workstations are vulnerable or that a user has unknowingly opened up an unprotected share or whatever. In effect, it's almost like firewalling (you can picture it in a true ("building") fire-wall) your internal network...
Ammo
Credit travels up, blame travels down -- The Boss
-
June 7th, 2004, 09:06 PM
#22
Junior Member
Ya, I can see your point. Unfortunately, we do have a need to deal with workstation/workstation access, but we may be able to socially engineer that one. I've been more than willing to get more folks here trained in our systems, but we have a tight budget for training. Another thing I'm trying to work on - a well-trained employee who might leave is better than an untrained one without motivation...
-
June 7th, 2004, 09:16 PM
#23
Make them server shares that they can control access to, convince them to use them instead of local shares by telling them amongst other things that workstation files aren't backed up while servers are (even though it might not be true!);
Having company files only on the servers could/should possibly be policy too: 1- for backup reasons like I just said, 2- It's much easier to steal a workstation or its hard drive than to break into the server room and steal a server.
(Seriously, there have been cases like that recently in Quebec where the Revenue Department had computers stolen that had confidential information on their hard drive. Had that info been on the server, it would have been much less of a worry for them.)
Ammo
Credit travels up, blame travels down -- The Boss
-
June 8th, 2004, 02:04 PM
#24
I'm just a great fan of VLAN implementation for the following reasons
- It limits the broadcast domain to each VLAN (let's say 20 users each) thus mitigating ARP poisoning and spoofing attacks, and optimizing bdw utilization especially for GVRP applications...
- With a single ethernet backbone infrastructure you can force flows to be routed from one VLAN to another through a router and then have a low cost DMZ capability (paranoids would say VLAN hopping attack, but it's a blind attack & I really think that threat is very low risk).
As a personal opinion, VLAN backbone coupled with 802.1x authentication is a real layer 2 secured solution...
SHARING KNOWLEDGE
-
June 8th, 2004, 03:10 PM
#25
Junior Member
I guess my concern is still that all users will need to be on the same vLAN to access the file shares, or there will need to be a lot of routing between vLANs for users to access all of the fileshares that they have access to today. Also, can anybody tell me what impact the inter-vLAN traffic will have on the router? Thanks for your help!
-
June 8th, 2004, 04:58 PM
#26
Having inter-vlan routing isn't a bad thing in itself, in fact this the only place you can really control traffic with ACLs...
As for the impact on the router, well, that depends on the router... In my case, I use a Cisco Catalyst 3550-24pt which when reviewed by network fusion world showed near wire-speed (almost no latency) even with VLAN routing and ACLs enabled thanks to its ASIC.
Considering your users are accessing only a couple servers and that these are probably using 100 Mbps adapters (guess?) and are handling the load appropriately (guess?!), meaning that the overall traffic isn't too overwhelming, I think the added burden on the router from the increase in routing shouldn't be too great. And if you're using an L3 switch with ASIC (Application Specific Integrated Circuitry) like the Cat3550, you should really be just fine.
Ammo
Credit travels up, blame travels down -- The Boss
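The inter-VLAN policy Ammo describes in #21 and #26 (workstation VLANs reach the servers and the gateway but not each other, enforced by ACLs at the routing point) as a small model, added here as an example and not code from the thread. The addressing plan, VLAN names and ACL names are constructed assumptions; the rendered lines follow Cisco-style extended ACL syntax with its implicit trailing deny made explicit so denied peer-to-peer flows get logged.

```python
import ipaddress

# Constructed addressing plan (assumption): one /24 per VLAN, gateway is a host.
VLANS = {
    "servers":  ipaddress.ip_network("10.0.1.0/24"),
    "gateway":  ipaddress.ip_network("10.0.2.1/32"),   # firewall/proxy
    "ws-sales": ipaddress.ip_network("10.0.10.0/24"),
    "ws-eng":   ipaddress.ip_network("10.0.11.0/24"),
}
ANY = ipaddress.ip_network("0.0.0.0/0")

def build_acl(ws_vlan):
    """Rules applied inbound on a workstation VLAN's routed interface.
    First match wins; the final deny is the implicit deny written out."""
    src = VLANS[ws_vlan]
    return [("permit", src, VLANS["servers"]),
            ("permit", src, VLANS["gateway"]),
            ("deny", src, ANY)]

def evaluate(acl, src_ip, dst_ip):
    """First-match evaluation; anything unmatched is denied, as on a router."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, s_net, d_net in acl:
        if src in s_net and dst in d_net:
            return action
    return "deny"

def vlan_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in VLANS.items() if addr in net), None)

def check_flow(src_ip, dst_ip):
    """Evaluate a flow against the ACL of the workstation VLAN it comes from."""
    src_vlan = vlan_of(src_ip)
    if src_vlan is None or not src_vlan.startswith("ws-"):
        raise ValueError(f"{src_ip} is not in a workstation VLAN")
    return evaluate(build_acl(src_vlan), src_ip, dst_ip)

def render_ios(acl, name):
    """Render the rule list as Cisco-style extended ACL lines (wildcard masks)."""
    def wc(net):
        if net.prefixlen == 32:
            return f"host {net.network_address}"
        if net.prefixlen == 0:
            return "any"
        return f"{net.network_address} {net.hostmask}"
    lines = [f"ip access-list extended {name}"]
    for action, s, d in acl:
        lines.append(f" {action} ip {wc(s)} {wc(d)}" + (" log" if action == "deny" else ""))
    return lines
```

Running `render_ios(build_acl("ws-sales"), "WS-SALES-IN")` gives the lines you would paste under the sales VLAN's SVI with `ip access-group WS-SALES-IN in`; `check_flow` lets you verify the intended reachability before touching the switch.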
-
June 8th, 2004, 05:03 PM
#27
Junior Member
We'll probably be using a 2600 - I'll look and see if I can find any info. Thanks!
-
June 10th, 2004, 07:27 AM
#28
Heyaz
Greetings:
Just a quick post to thank all of you who have been so helpful to Jazzman! His real name is Dan (sorry Dan).
He is a very good customer of mine at Iris (my resto.), and now a good friend as Rhoda and I think the world of him. (as well as my entire staff including the Giant BOOBS)
We got to talking over several drinks the 4th (estimate) time he came in to dinner, and to stare at the GIGANTIC boobs of my bartender. (hehe she is Hot though.)
We both found common ground regarding all things geeky, and he informed me he is SYS Admin. And very sharp.
I immediately encouraged him to check out AO.
After many proddings (after cruising the site he felt technically intimidated to post.)
He did so this past week and he told me tonight, as we pounded several drinks at my bar that he is glad to be a part of this forum! He has a lot to offer.
Thank you so much for helping him and creating another happy (maniacal), and valuable member.
You all make me proud!
Nicolas
Get some good religion from Bad Religion.
-
June 10th, 2004, 07:46 AM
#29
Originally posted here by D0pp139an93r
Hey Tiger, I think they've already been raped....
Dude, you need to get it into the IS manager's head how important it is to even have a basic external scan done....
You might consider finding a new job, one where you don't work for idiots?
EDIT: Tell the IS manager he caused an ID 10-T error...
This is just a plain silly ass statement. Not much help or encouragement to an "AO Noob", why do you think the membership of quality ppl. is dwindling?
Well I guess your attitude does reflect your ID at times......................
"Meaning "double walker" a doppelganger is a shadow-self that accompanies every human. Only the owner of a doppelganger can see it, otherwise it is invisible to human eyes. Dogs and cats have been known to see doppelgangers. Providing sympathetic company, a doppelganger almost always stands behind a person, and they cast no reflection in a mirror. They are prepared to listen and give advice to humans, either implanting ideas in their heads, or a sort of osmosis. It is said to be bad luck if it is seen, and rarely a doppelganger will make itself visible to friends or family, often causing great confusion. Doppelgangers can be mischievous and malicious."
- Source: Google
Get some good religion from Bad Religion.
-
June 10th, 2004, 10:12 AM
#30
Since Ammo is dropping product names, I will too.
For the last year or so, I've been buying almost exclusively Foundry switches, and I couldn't be much happier with them. Not only in terms of performance, but with the company as well. They've been immeasurably more supportive than any of the big vendors I deal with.
Depending on the use, I've been using their FES and Fast Iron line of switches for VLAN aggregation and distribution. The FES's are stackables, in 12, 24, 48, and 96 port form factors, and I buy them with base L3 code. Reasonably priced, easy to config, and they run like scalded dogs. Check them out. Foundry Switches
--edit: To fix my link.