
Various questions about VLANs


I have some questions about VLANs. I know that this forum is more for programming than for networking, but this is the best forum that I could think of.

So all my questions are about VLANs. Here they come:

  1. Can one VLAN have a different beginning of an IP address than the other ones (e.g. VLAN 1 = 192.168.2.xx, VLAN 2 = 10.0.0.x)?
  2. Can devices have the same IP address when they're in different VLANs?
  3. Can you make a "hole" between the VLANs so that a few devices (chosen by you, for example using static IP addresses) can still talk with each other (e.g. a file server on VLAN 1 can still talk to the printer on VLAN 2)?
  4. Can you have different DNS servers for different VLANs?
  5. Can you have different firewall settings for different VLANs? How do you "choose" which firewall you want to change as an admin?
  6. Can you have Wi-Fi VLANs (like a VLAN for your home Wi-Fi and a VLAN for your guest Wi-Fi)?
  7. Can you access the router's settings (192.168.1.1) from every VLAN?
  8. When I connect to a network, how do I get assigned to a VLAN? Is there something like "If someone connects to the network, it automatically goes to VLAN 1 until the admin moves them to a different VLAN"?
  9. Can you put a password on a VLAN so that you have to enter a password to change VLANs?
  10. Can a user (so not a network admin) choose to change VLANs (because then question 8 would be relevant)?
  11. How does port forwarding work with VLANs?
  12. If you access the network from outside (e.g. a hacker or just someone else), do you automatically get "redirected" to the standard VLAN (1), or do you end up in an "intersection" where you first have to choose the VLAN you want to go to?
  13. Can you make a port on a switch that has special access to every VLAN at the same time (only for the network admin) (so for that Ethernet port, the network is just one big network instead of divided VLANs)? (This would contradict question 2, as then you would have two devices with the same IP address.)
  14. Can you have a network port with a device attached to it that will be accessible to every VLAN (e.g. a printer)? Is that dangerous, because then a hacker could probably access that device and use it to jump between VLANs?

That's it. I know that there are a lot of questions, but I hope you can help with a few at least. The thing is, YouTube videos always just explain that VLANs are separate networks, but I want to know: "How separate are they?" You see that almost every question is about "How separate are they exactly?"

I hope you can help!

Thanks


Solution

  • Hopefully this will answer your questions.

    VLANs are like separated cables inside a cable, and they do not mix or interfere between themselves.

    Answers:

    1. Yes. As mentioned above.

    2. Yes, but it's not good practice, because you can make a mistake during VLAN setup causing security flaws or IP collisions.

    3. Not directly, but this can be done via a gateway/router between VLANs, and all traffic has to go through the GW (easy way).

    4. Yes, and usually you do. For example you have:

      VLAN 10: Subnet 192.168.10.0/24; GW 192.168.10.1; DNS 192.168.10.1

      VLAN 20: Subnet 192.168.20.0/24; GW 192.168.20.1; DNS 192.168.20.1

    5. Yes, it is common/required behavior. It is done by filtering firewall rules by incoming interface (e.g. vnet7), incoming subnet or incoming IP.

    6. Yes. But there are two ways of setting up VLANs:

      ACCESS (untagged): the VLAN is terminated at the output interface, thus the client device doesn't have to support/set up VLANs. Actually the client device doesn't even know that there is some VLAN.

      TRUNK (tagged): the VLAN (or multiple VLANs) are routed through the access point, and the client device has to be configured the same way on its incoming interface.

      Access is what you need in this case.

    7. Yes, if you set up the firewall that way (routing between subnets).

    8. As explained in point 6.

    9. No. A VLAN is just a number. To protect your VLANs you have to set up network devices in such a way that every port (unless needed, e.g. switch interconnection bonds) is set in ACCESS mode, so only an admin with access to the network device can change the VLAN for a client device. Or implement NAC such as packetfence.

    10. As in points 6 and 8. Only when your setup allows it.

    11. Inside a VLAN no port forwarding is needed, because all devices in the same VLAN are on the same L2 network.

    12. No simple answer here; it all depends on your VLAN and firewall settings.

    13. Cannot be done with VLANs only. Common practice is to set up a specific VLAN (let's call it the management VLAN) which is terminated in ACCESS mode on some physically secured switch Ethernet port, and then use firewall and routing on the GW to set up access across all VLANs (well .. not all, but the required ones).

    14. Yes, you can, as mentioned above, but again using firewall and routing settings on the gateway.

    This one is long :) ... feel free to continue in chat.
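The gateway-based setup the answer describes (subnets and DNS per VLAN in point 4, firewall rules matched by incoming interface in point 5, a deliberate "hole" between VLANs in point 3, and gateway access limited to a management VLAN in points 7 and 13), as an added example for a Linux host acting as the gateway; this is not code from the thread. The trunk port name eth0, the file-server and printer addresses, and the use of VLAN 10 as the management VLAN are assumptions.

```shell
# Added example, not from the thread: a Linux host as the gateway between
# the VLAN 10 and VLAN 20 subnets given in answer 4. eth0, the file-server
# and printer addresses and raw-print port 9100 are assumptions.
set -eu
TRUNK=eth0                 # assumed: switch-facing port carrying tagged VLANs 10 and 20
FILESERVER=192.168.10.50   # constructed: file server in VLAN 10
PRINTER=192.168.20.20      # constructed: printer in VLAN 20
# 802.1Q subinterfaces and the per-VLAN gateway/DNS addresses from answer 4.
vlan_interface_cmds() {
    cat <<EOF
ip link add link $TRUNK name $TRUNK.10 type vlan id 10
ip link add link $TRUNK name $TRUNK.20 type vlan id 20
ip addr add 192.168.10.1/24 dev $TRUNK.10
ip addr add 192.168.20.1/24 dev $TRUNK.20
ip link set $TRUNK.10 up
ip link set $TRUNK.20 up
sysctl -w net.ipv4.ip_forward=1
EOF
}

# Firewall policy matched by incoming interface and address (answer 5):
# forward drops everything between VLANs except file server -> printer,
# input lets each VLAN reach its own gateway for DNS, and only VLAN 10
# (treated here as the management VLAN, answers 7 and 13) may reach SSH.
nft_ruleset() {
    cat <<EOF
table inet vlan_gw {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "$TRUNK.10" ip saddr $FILESERVER oifname "$TRUNK.20" ip daddr $PRINTER tcp dport 9100 accept
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        iifname "$TRUNK.10" ip saddr 192.168.10.0/24 udp dport 53 accept
        iifname "$TRUNK.20" ip saddr 192.168.20.0/24 udp dport 53 accept
        iifname "$TRUNK.10" ip saddr 192.168.10.0/24 tcp dport 22 accept
    }
}
EOF
}
# Apply for real: needs root, iproute2 and nftables on the gateway host.
apply_config() {
    vlan_interface_cmds | sh
    nft_ruleset | nft -f -
}
```

Calling `vlan_interface_cmds` and `nft_ruleset` only prints the configuration for review; `apply_config` is what actually changes the gateway.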