Understanding VLANs, tags, subnets, firewalls and permissions/access

Navek Member Posts: 11

So I get what each of these things in my question is, but I'm trying to understand:

From what I gather, can I have multiple subnets/VLANs and have some things/myself be able to see and communicate with, and/or migrate/transition to, any other subnet/VLAN, or interact with another device not in its current VLAN?

Am I right in thinking the tags have something to do with it, like they are access permission tickets/keys, or do I have it totally the wrong way?


Best Answer

  • Mirekmal Member, Beta Tester Posts: 68
    #2 Accepted Answer

    Well, VLANs and subnets can be confusing... In simple words, these are different virtual networks running on the same physical infrastructure. Both VLANs and subnets are ways of separating network traffic, but done on different levels. While subnets are a matter of IP addressing configuration and exchanging information only between devices belonging to the same subnet (but the underlying network is the same), VLANs are implemented on the HW layer (switches, routers), allowing for physical separation of traffic. If several subnets are implemented on the same infrastructure as a security measure, it can easily be compromised just by overcoming DHCP and manually assigning an IP address from the other subnet to a device. VLANs, on the contrary, are implemented on the HW level, and reconfiguration of the connected device will lead just to losing the connection.
    VLANs can be implemented in different ways. We might have tagged VLANs, where each IP packet sent from the source is supplemented by the switch with information about the VLAN it belongs to (it is injected into the packet by the switch depending on the port the data is transferred through). In such a case packets can be transferred across the entire network, and the protocols only allow them to be accessible on ports that are tagged for the same VLAN. The other way is to use port-based VLANs, where each port on the switch is assigned to specific VLANs. Information (packets) is not modified in any way, just transferred as is to the target port, which needs to be configured in the same VLAN. You can think of it as hardwiring connections inside the switch to allow only specific ports to communicate with each other, while others are physically disconnected. Anyhow, in both cases it is up to the infrastructure to allow only devices belonging to the same VLAN to communicate with each other. Benefits are two-fold: security (users from one VLAN cannot access systems on the other one) and performance (switches separate traffic on different VLANs so it does not interfere with traffic from other VLANs, taking over available bandwidth). To make it more complex, these 2 methods can be combined.
    As mentioned, ports might belong to one VLAN (the one assigned to the port, or the one that the connected device is tagged for) and block any other traffic. But it is also possible to have ports assigned to more VLANs, and in such a case the connected device will be able to communicate with more VLANs (as long as it belongs to the same subnet :-)). Such a port is called a trunk port. In the majority of cases trunk ports are used to link HW components (switches) together, so traffic from multiple VLANs can be carried across the entire network. Again, there might be some limitations applied to such ports, to carry either all the traffic or just that belonging to a specific subset of VLANs.
    Carrying traffic between VLANs via trunk ports is one thing, but to allow communication between devices belonging to different VLANs, inter-VLAN routing also needs to be implemented (either on a router or on an advanced switch). So the device that traffic is going through needs somehow to know which VLANs should be allowed to communicate with which others.
    Navek, if you want to use such functionality - yes, it is possible! Everything depends on the capabilities of the HW you have and to what extent you want to balance security vs. some hassle related to making a more complex setup (not rocket science, but depending on HW capabilities it might be confusing).

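As an added illustration of the accepted answer above (example code written for this page, not code from the thread or from Fing): a small Python model of 802.1Q tagging and of a VLAN-aware switch. The port names, VLAN numbers and the broadcast frame are constructed for the example. It shows the switch tagging on ingress at an access port, carrying the tag across a trunk, stripping it again at the egress access port, and why a device in VLAN 20 never receives VLAN 10 frames even if someone hands it an IP address from VLAN 10's subnet, which is exactly the subnet-only weakness the answer points out.

```python
import struct
from dataclasses import dataclass

ETH_P_8021Q = 0x8100  # TPID that marks an Ethernet frame as 802.1Q-tagged

def tag_frame(frame: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag right after the dst/src MAC pair (bytes 0-11)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = ((pcp & 0x7) << 13) | vlan_id  # TCI = PCP(3 bits) | DEI(1, left 0) | VID(12)
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, tci) + frame[12:]
def vlan_of(frame: bytes):
    """VLAN ID carried by a tagged frame, or None if the frame is untagged."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == ETH_P_8021Q:
        return struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return None
def untag_frame(frame: bytes) -> bytes:
    return frame[:12] + frame[16:] if vlan_of(frame) is not None else frame
@dataclass(frozen=True)
class Port:
    mode: str         # "access" (one untagged VLAN) or "trunk" (tagged, several VLANs)
    vlans: frozenset  # access: the single VLAN; trunk: the allowed VLAN set
class Switch:
    """Minimal flooding switch: a frame leaves only on ports that belong to its VLAN."""
    def __init__(self, ports: dict):
        self.ports = ports
    def forward(self, in_port: str, frame: bytes) -> dict:
        p, vid = self.ports[in_port], vlan_of(frame)
        if p.mode == "access":
            if vid is not None:
                return {}  # a host on an access port cannot choose its VLAN by self-tagging
            vid = next(iter(p.vlans))  # the switch tags on ingress with the port's VLAN
            frame = tag_frame(frame, vid)
        elif vid not in p.vlans:
            return {}  # trunk: VLAN not in the allowed list, dropped
        out = {}
        for name, q in self.ports.items():
            if name != in_port and vid in q.vlans:
                out[name] = untag_frame(frame) if q.mode == "access" else frame
        return out

def demo() -> dict:
    """Constructed setup: IoT devices in VLAN 10, a laptop in VLAN 20, one trunk to the router."""
    sw = Switch({"g1": Port("access", frozenset({10})), "g3": Port("access", frozenset({10})),
                 "g2": Port("access", frozenset({20})), "g24": Port("trunk", frozenset({10, 20}))})
    # constructed broadcast from the IoT device on g1: dst ff:ff:ff:ff:ff:ff, src 02:00:00:00:00:a1
    frame = bytes.fromhex("ffffffffffff0200000000a1") + b"\x08\x00" + b"who has 10.0.10.1?"
    return sw.forward("g1", frame)  # reaches g3 (untagged) and g24 (tagged VLAN 10); never g2
```

The laptop on g2 only ever hears VLAN 10 traffic once a router (or L3 switch) behind the g24 trunk is configured to route between the two VLANs, which is the inter-VLAN routing step the answer mentions.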

Answers

  • VioletChepil London, UK Member Posts: 2,471
    Thanks @Navek - just bumping this one and hopefully we can get some experts to help today with this! 

    Community Manager at Fing

  • Andrea Member, Beta Tester Posts: 43
    Hi @Navek, I suggest you try this search: "What is the difference between tagged and untagged VLAN?" Pick the best result for you; I think it is the easy way to understand.

  • VioletChepil London, UK Member Posts: 2,471
    Thanks @Andrea. Anyone have first hand experience/recommendation on this?

    Here are some more details I've found from the Cisco blog!
    https://documentation.meraki.com/zGeneral_Administration/Tools_and_Troubleshooting/Fundamentals_of_802.1Q_VLAN_Tagging
    Best Practices
    VLAN-enabled ports are generally categorized in one of two ways, tagged or untagged. These may also be referred to as "trunk" or "access" respectively. The purpose of a tagged or "trunked" port is to pass traffic for multiple VLANs, whereas an untagged or "access" port accepts traffic for only a single VLAN. Generally speaking, trunk ports will link switches, and access ports will link to end devices.
    Trunk ports require more steps to successfully negotiate as a trunk.
    Both ends of the link must have the following in common:
      • Encapsulation
      • Allowed VLANs
      • Native VLAN

    Community Manager at Fing

  • Navek Member Posts: 11

    @Mirekmal thanks for that explanation, I had to read it twice to get the full gist, but it makes a lot more sense than before. It does seem like a little more hassle/effort than, say, the 3DR way [3 dumb router method], but it seems like if done correctly it's more effective and would accomplish just the same if not more, with less hardware needing to be used than the 3DR setup. Thanks, much appreciated.

    Thank you @VioletChepil, I will check that out for sure. You guys rock, I'm really loving the Fing community; I've been finding lots of info here on issues or questions I've had since I started on my DIY IoT geek journey, and being self-employed it definitely helps me be better at my business. Cheers guys, you're all amazing!!

  • VioletChepil London, UK Member Posts: 2,471
    That's amazing to hear @Navek - this is exactly the goal we're hoping for the Fing Community! 

    Community Manager at Fing