June 7th, 2004, 08:49 PM
#21
Originally posted here by Jazdaddy
I have some experience with vLANs. Unfortunately, we didn't purchase many L3 switches - only L2 for the workstations, and 2 L3's for the servers and backbone. My biggest concern here is that we have a good bit of our fileshares on a number of different servers, with no "departmental" isolation - the only real benefit we'll have with vLAN is isolating workstation traffic from other workstations. I realize I should be most worried about internal hacks, but I'm pretty good at sniffing 'em out.
Well, I have a similar situation at my place:
Two L3 switches (backbone/servers) and the rest are L2s, and all my servers (which serve many shares to different groups) are in the same VLAN. While perhaps not ideal, I do make use of vlans to regroup workstations, but workstations on different vlans can't talk to each other, only to the servers and to the gateway (internet/dmz through firewall/proxy...). The benefits are that different departments are segregated; in case of a worm, its traffic is limited at the vlan level and the server vlan, which can have filtered (ACLed) access or at a minimum, it's much easier to monitor, harden, patch a couple servers than making sure none of the other hundred-something workstations are vulnerable or that a user has unknowingly opened up an unprotected share or whatever. In effect, it's almost like firewalling (you can picture it in a true ("building") fire-wall) your internal network...
Ammo
Credit travels up, blame travels down -- The Boss
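The segmentation design Ammo describes (department VLANs that can reach the server VLAN and the gateway but not each other, enforced by ACLs on the L3 switches) can be modelled to see what a worm on one workstation could actually reach. The following is an added example written for this page, not the poster's switch configuration: the VLAN names, subnets, service ports and host inventory are all constructed, and the rule semantics (ordered list, first match wins, implicit deny) are the common switch-ACL behaviour, not a specific vendor's syntax.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional

# Constructed addressing for the design in the post: two department VLANs,
# one server VLAN, one gateway (firewall/proxy) VLAN.  Hypothetical values.
VLANS = {
    "sales":   ip_network("10.0.10.0/24"),
    "finance": ip_network("10.0.20.0/24"),
    "servers": ip_network("10.0.100.0/24"),
    "gateway": ip_network("10.0.200.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src: str                  # VLAN name or "any"
    dst: str                  # VLAN name or "any"
    proto: str                # "tcp", "udp" or "any"
    dports: FrozenSet[int]    # empty set means any destination port
    action: str               # "permit" or "deny"


# Ordered inter-VLAN ACL applied on the L3 switch; first match wins and an
# implicit deny follows the last rule, as on most switch ACL implementations.
ACL: List[Rule] = [
    # Workstations (any VLAN) to the server VLAN, restricted to the services the
    # servers actually offer (SMB, Kerberos, LDAP, DNS); hypothetical port list.
    Rule("any", "servers", "tcp", frozenset({88, 139, 389, 445}), "permit"),
    Rule("any", "servers", "udp", frozenset({53, 88}), "permit"),
    # Anything may reach the gateway VLAN; the firewall/proxy there filters further.
    Rule("any", "gateway", "any", frozenset(), "permit"),
    # Stateless ACLs need a rule for server-originated traffic (replies, pushes).
    # This also means a compromised server can reach every VLAN, which is why
    # the post stresses hardening and monitoring the few servers.
    Rule("servers", "any", "any", frozenset(), "permit"),
    # No workstation-VLAN to workstation-VLAN rule: those flows hit the implicit deny.
]


def vlan_of(addr: str) -> Optional[str]:
    """Return the VLAN name whose subnet contains addr, or None if unknown."""
    ip = ip_address(addr)
    for name, net in VLANS.items():
        if ip in net:
            return name
    return None


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """Decide whether a flow is permitted by the inter-VLAN design.

    Traffic inside one VLAN is switched at layer 2 and never reaches the L3
    ACL, so it is always 'permit' here: the segmentation limits a worm to its
    own VLAN plus whatever the ACL explicitly allows.
    """
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    if src is None or dst is None:
        return "deny"
    if src == dst:
        return "permit"
    for rule in ACL:
        if rule.src not in ("any", src):
            continue
        if rule.dst not in ("any", dst):
            continue
        if rule.proto not in ("any", proto):
            continue
        if rule.dports and dport not in rule.dports:
            continue
        return rule.action
    return "deny"


def worm_reach(infected_ip: str, hosts: List[str],
               proto: str = "tcp", dport: int = 445) -> List[str]:
    """Hosts an infected machine could reach on one service, given the ACL."""
    return [h for h in hosts
            if h != infected_ip and evaluate(infected_ip, h, proto, dport) == "permit"]


if __name__ == "__main__":
    # Constructed sample inventory: two sales workstations, one finance
    # workstation, one file server, the gateway.
    hosts = ["10.0.10.5", "10.0.10.6", "10.0.20.7", "10.0.100.10", "10.0.200.1"]
    print("SMB worm on a sales workstation can reach:", worm_reach("10.0.10.5", hosts))
    # -> ['10.0.10.6', '10.0.100.10', '10.0.200.1']
    print("Without segmentation it would reach:", [h for h in hosts if h != "10.0.10.5"])
```

The point the model makes visible is the one in the post: the finance workstation is unreachable from sales, but the other sales workstation and the file server still are, so the exposure that remains is the handful of servers, which is where patching and monitoring effort pays off most.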