Tuesday, October 2, 2012

The Trouble with VLANs

VLANs are one of those networking technologies that are deceptively simple. You think you understand how they work, what they do, and implementing them seems like a basic task, but you can quickly find yourself staring at a non-functioning segment of your network asking yourself, "What the hell happened?"

I'm pretty familiar with VLANs. I know that end devices like PCs attach to access ports because they're not 802.1Q-aware, that you connect switches with trunk ports to allow multiple VLANs to pass through, and that you need a Layer 3 device to communicate between VLANs. I've done router-on-a-stick and sub-interfaces. When I worked for Large Retail Grocer, PCI came roaring onto the scene, gnashing its teeth and making demands. We had to segment out our store networks. Like most people at the time, we had flat classful networks in place. VLANs seemed like the logical way to separate our point-of-sale (POS) traffic from the rest of the network. We invested in a bunch of HP ProCurves to replace our unmanaged switches, planned out how we wanted our VLANs to look, subnetted the /24s, and went to work. Honestly, it was pretty simple work too...until we ran into a difficulty that will be pretty familiar to any network admin. See, we were a Cisco shop and had a Layer 3 Catalyst switch at our regional office that all of the store HPs needed to hook back into. And that wasn't working at all.

After a lot of back and forth with our national office (during which time they gave us plenty of grief for using HP in the first place instead of Cisco at the access layer), we figured out it had to do with the tagged/untagged thing that HP uses for their VLANs. Do I remember exactly what the problem and solution were? Nope, and at the time I recall that not only did I not really understand, I didn't care about the details. I had been traveling all over our region, working overnights and much of the following days as well, and what I wanted was for this to simply work. When we figured out that untagging a VLAN on the trunk port on the HP enabled it to talk to the Cisco, that was good enough for me.
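For anyone who hits the same wall, here is what the tagged/untagged mismatch looks like in configuration. This is an added example, not the configuration from the post; the VLAN IDs, port numbers, names and addresses are made up for illustration. The point is that ProCurve has no per-port "trunk mode": a port is simply untagged in exactly one VLAN (VLAN 1 by default) and tagged in as many others as you like, and that one untagged VLAN is what Cisco calls the native VLAN on a dot1q trunk. If the HP's untagged VLAN on the uplink and the Catalyst's `switchport trunk native vlan` don't agree, untagged frames from one side land in the wrong VLAN on the other.

```text
; --- HP ProCurve at the store (assumed: port 24 is the uplink to the Catalyst) ---
vlan 1
   name "DEFAULT_VLAN"
   untagged 24          ; the one untagged VLAN on the uplink == Cisco's native VLAN
vlan 10
   name "POS"
   tagged 24            ; POS frames leave port 24 with an 802.1Q tag of 10
vlan 20
   name "STORE"
   tagged 24            ; everything else is tagged 20

! --- Cisco Catalyst (Layer 3) at the regional office (assumed: Gi0/1 faces the store) ---
interface GigabitEthernet0/1
 description Store uplink to HP ProCurve
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 1           ! must match the ProCurve's untagged VLAN on port 24
 switchport trunk allowed vlan 1,10,20
!
interface Vlan10
 description POS segment (hypothetical addressing)
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan20
 description Store segment (hypothetical addressing)
 ip address 10.10.20.1 255.255.255.0
```

Two checks worth running: `show vlans` on the ProCurve should list port 24 as "Untagged" in VLAN 1 and "Tagged" in 10 and 20, and `show interfaces trunk` on the Catalyst should show Gi0/1 with native VLAN 1 and VLANs 1,10,20 allowed. If both sides are running CDP, the Catalyst will also log a `%CDP-4-NATIVE_VLAN_MISMATCH` message when the native VLANs disagree, which is a much faster way to find this than the back-and-forth described above. The security caveat for a PCI segmentation project: leave the POS VLAN tagged on the uplink and never make it the untagged/native VLAN, because untagged frames on a trunk are exactly what native-VLAN mismatches and double-tagging tricks can push across a VLAN boundary.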

VLANs are, for better or worse, the kind of thing that small businesses don't tend to bother with. No one cares if Accounting and HR have their resources available on the same subnet. They control access via domains and GPOs and ACLs and such. You can get to that folder labeled "Salaries", but you can't access it. Good enough. In my previous place of employment we had a couple of VLANs strictly for traffic control, not security. The communication between them wasn't all that complicated to understand or configure.

Fast-forward to my current position.