
Thread: vlan?

  #1

    Hello,

    I see that many companies offer a VLAN with your co-location or dedicated server.

    But why would I want to have my own VLAN to the server?
    Why don't I just share the one VLAN with all the other servers that are connected to the switch?
    What's the point of having your own VLAN?

  #2

    Better IP management
    You can spot a DDoS easily
    Physical topology independence
    Security

    Main points, I think.
    Remote Hands and Your Local Tech for the Los Angeles area.

  #3
    The key benefit is broadcast domain restriction -- you won't see browser elections from other Windows servers on the network or a flood of ARP requests. When I had a server with HiVelocity who used a single large network for their entire DC, I was seeing 12GB a month in ARP requests alone. Since most hosts bill by quantity of data transferred, having your own VLAN means that you're only going to get billed for your traffic.

    As for the other points:

    Better IP management - Not really. You actually waste 3 additional IP addresses per server with dedicated VLANs. (Network, Gateway, Broadcast) Given the crunch in IPv4 address space availability, this is a heavy penalty to pay for the benefits of isolated VLANs for hosting.

    You can spot a DDoS easily - The big problem with (D)DoS attacks is that most people deploy switches without changing the default CAM table aging times (typically 300 seconds). For routers the standard ARP timeout is around 4 hours, so once the server falls over in the event of a DoS attack, the switch doesn't hear anything back from the server on its port, so it loses the mapping in the CAM table and the traffic gets flooded out to all ports on the VLAN. (Thus making isolation tougher from an MRTG perspective.) This happens until the ARP entry times out; after that the traffic will get killed as undeliverable at the router. Adjusting the MAC aging timers to be greater than or equal to the ARP timeout will resolve this issue.

    Physical topology independence -- ?? Wouldn't it be more topology dependent? With one big broadcast domain I can plug in anywhere and it will work, but with multiple VLANs I'm limited to having to manually configure each access port to be in the right network.

    Security - Not really, especially not in the way most hosting companies are configured. There are many layer2 exploits, including the ability to VLAN hop on switches with trunks configured. VLANing is a function of network management, not of network security. In any case, it's not really a critical point since in a hosting context these boxes are on the public internet anyway...
    Eric Spaeth
    Enterprise Network Engineer :: Hosting Hobbyist :: Master of Procrastination
    "The really cool thing about facts is they remain true regardless of who states them."
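The CAM-aging versus ARP-timeout interaction described in post #3 is easy to misjudge without numbers, so here is a small event-driven model of it. This is an added illustration written for this page, not code from the poster or from any switch vendor; the switch, router, port numbers, the 300 s / 4 h timers and the one-frame-per-second inbound load are all constructed assumptions, and the router is simplified to hold its ARP entry for `arp_timeout` seconds after the server's last reply.

```python
"""Constructed model: how a dead server's inbound traffic is handled on a
shared VLAN as the switch CAM entry and the router ARP entry expire.

Assumptions (not from the original post): one VLAN, the server on port 1,
inbound frames arrive once per second, the server refreshes both the switch
CAM entry and the router ARP entry while it is up, and the router holds the
ARP entry for `arp_timeout` seconds after the server's last reply.
"""
from dataclasses import dataclass, field


@dataclass
class SwitchCam:
    """Minimal CAM (MAC address) table with an aging timer, in seconds."""
    aging: float
    entries: dict = field(default_factory=dict)  # mac -> (port, last_seen)

    def learn(self, mac: str, port: int, now: float) -> None:
        # A frame *from* the server refreshes its CAM entry.
        self.entries[mac] = (port, now)

    def forward(self, mac: str, now: float) -> str:
        # Unknown or aged-out destination MAC: flood to every port on the VLAN.
        entry = self.entries.get(mac)
        if entry is None:
            return "flood"
        port, seen = entry
        if now - seen > self.aging:
            del self.entries[mac]
            return "flood"
        return f"port{port}"


def simulate(mac_aging: float, arp_timeout: float, outage_at: int,
             duration: int, server_port: int = 1) -> dict:
    """Count how each inbound frame is handled over `duration` seconds.

    The server answers every second until `outage_at`, then goes silent
    (the "falls over" case in the post). Returns counts of frames that were
    unicast to the server's port, flooded to all ports, or dropped at the
    router because its ARP entry had expired.
    """
    cam = SwitchCam(aging=mac_aging)
    arp_last_refresh = 0
    counts = {"unicast": 0, "flooded": 0, "dropped_at_router": 0}
    for now in range(duration):
        if now < outage_at:
            # Server still alive: its replies refresh both tables.
            cam.learn("srv", server_port, now)
            arp_last_refresh = now
        # Router: ARP entry gone -> packet is undeliverable, never hits the switch.
        if now - arp_last_refresh > arp_timeout:
            counts["dropped_at_router"] += 1
            continue
        # Switch: unicast while the CAM entry is fresh, flood once it ages out.
        if cam.forward("srv", now) == "flood":
            counts["flooded"] += 1
        else:
            counts["unicast"] += 1
    return counts


if __name__ == "__main__":
    # Default timers from the post: 300 s CAM aging, ~4 h (14400 s) ARP timeout.
    print("defaults:", simulate(300, 14400, outage_at=10, duration=15000))
    # Fix from the post: MAC aging >= ARP timeout closes the flooding window.
    print("aligned: ", simulate(14400, 14400, outage_at=10, duration=15000))
```

With the default timers the model shows roughly four hours of flooded frames after the server stops answering, which is the window in which every other port on the VLAN (and every customer's per-port graph) sees the attack traffic; raising the CAM aging to the ARP timeout reduces that window to zero in this model.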
