VLANs and Subnetting


Setup

Studying for the Network+ helped me build up a basic, conceptual understanding of subnets and VLANs. I might have even come away from the exam feeling like I was an expert…if I hadn’t had an infinite supply of confusing helpdesk tickets and unanswered questions to keep me humble.

Working helpdesk tickets frequently means making an awkward entrance into the middle of a conversation: I didn’t design the network. I didn’t configure the network. Often, I was blissfully unaware of the network’s very existence, right up until the moment the exhausted DHCP pool on the public Wi-Fi network manifested in irritating, inconsistent connection issues. And that in medias res introduction isn’t the most helpful to someone learning how it is supposed to work in the first place.

So, I set up some basic network separation in my test lab, and got some answers to some questions. Examples focus on the brand of firewall I use the most at work (WatchGuard Firebox Products).


VLAN and Subnet concept review


VLANs

Virtual Local Area Networks operate at Layer 2 of the OSI model. A VLAN splits one physical switch into separate broadcast domains: a frame (including a broadcast or an ARP request) is only forwarded to ports in the same VLAN, so two VLANs on one switch behave like two physically separate switches. Between switches, and up to the router, the VLAN a frame belongs to is carried in an 802.1Q tag in the Ethernet header.

Subnets

Sub-networks are contiguous chunks of Layer 3 (IP) address space, defined by a network address and a subnet mask. They mark the border between devices that can communicate directly (by ARPing for each other on the local link) and devices that need a router to reach each other.

Why use them?

Both VLANs and subnetting are used for a variety of reasons, mostly boiling down to efficiency, organization, and security.

In a SOHO environment, Layer 2 separation isn’t really that important in terms of efficiency. It doesn’t hurt anything if my AP wants to constantly broadcast to 10 other devices on the LAN, like a helicopter parent checking in on their kids. At enterprise scale, however, thousands of devices constantly nudging each other slows everyone down.

In a similar way, organization isn’t hard to maintain when there are only a dozen devices to manage. But it still helps to be able to apply separate firewall policies to different groups, or to prioritize QoS wherever you want the best throughput.

In combination, VLANs and subnets improve security by limiting lateral movement, e.g. your compromised IoT smart-toaster can’t infect your PC with a worm, because its traffic would have to pass through the router, and the firewall policy on it, first.

Takeaways


Combination convention

In terms of real-world application, VLANs and subnets almost always go together. But, technically speaking, they don’t have to.

I’ve definitely seen separate subnets without accompanying VLANs out in the wild. It can still provide organization. But multiple VLANs within the same subnet would, for lack of a better term, be whack.

90% of the time, there is a 1:1 relationship between the two.

Speaking of conventions…

Why you should NEVER use the Default VLAN

Answers vary. Since VLAN 1 is the default, any switch port that hasn’t been explicitly assigned to another VLAN ends up in it, and on many switches it also carries the management interface, so that’s a lot of access to hand an attacker if you forget to disable the unused ports. Still, this is mostly outdated “Common Knowledge” and not important.

Ping Tests and ARP Tables

I separated my access point and Wi-Fi devices from my wired devices. From the perspective of my router, not that much has changed. All the devices on the LAN still show up in its ARP table. But, since the VLANs separate broadcast domains, the AP no longer registers my computer or switch in its ARP table, and vice versa. That’s the Layer 2 separation.

The Layer 3 separation is more obvious at a glance: the computer and switch have IP addresses in an entirely different range than anything connected to Wi-Fi. If I turn on my Wi-Fi adapter, I get two IP addresses, one from each range. And, in my case, I can ping the AP from my computer, my computer from my mobile phone, and so on, back and forth, because my router automatically added routes to its IPv4 route table to connect the new subnets.

Since I’m using a router/firewall combo, the route itself wouldn’t be enough to allow this inter-subnet ping activity. The firewall has a policy allowing ICMP between those subnets. If I remove the ICMP policy, and fall back on an implicit deny, I can still ping other devices on the same subnet, but can’t ping outside the subnet.

Either way, interestingly enough, no ping tests within the same subnet show up on the WatchGuard’s Traffic Monitor. It only logs traffic going outside the local network, or at least as far as the nearest gateway.

Speaking of which, I have a lot more gateways now:

DHCP servers everywhere

I usually think of a LAN’s DHCP server as a single, central, universal source. Instead, the router’s interface on each VLAN (or any interface configured with its own subnet) acts as the default gateway for that subnet, with its own DHCP address pool inside that subnet’s range.

There’s probably more than one way to skin a cat here. But my PC also got an APIPA address when I connected it to the VLAN interface but hadn’t selected the option to use the DHCP server.

NAT all the way down

It feels obvious now, but if you don’t pay your ISP for a static public IP address, then you are leasing your current address from yet another, larger-scale DHCP server. That would be a real pain in an actual corporate environment: when your public address changes, everyone’s VPN clients fail to connect. Not a big issue for a home lab.


Traffic tagging in practice

This one really threw me for a loop when I was getting my network configured. I knew that my router and switch could tag traffic with a PVID to assign it to a specific VLAN. But I didn’t realize that endpoints don’t typically tag traffic on their own.

That does make sense; I’ve never seen a VLAN tag option in Control Panel. Maybe in Device Manager, in a network adapter’s driver properties, but certainly not all the time. So, when I configured an interface on the router to use a separate VLAN and plugged my PC into it, I got an APIPA address and no internet.

There were two solutions for my use case. Either 1) Change the WatchGuard interface setting to “Send and Receive untagged traffic for the selected VLAN” instead of the tagged option, which tells the router to assign the missing tag itself, or 2) Introduce the switch in between them, and tell it to add the tag.
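The frame-level view of those two fixes, as an added example (my code, not the post’s or WatchGuard’s): a switch port stamps its PVID onto the untagged frame the PC sends, and a router interface either accepts untagged frames into its VLAN or drops them. The one-VLAN-per-interface router model, the MAC addresses and the payload are constructed simplifications; frame padding and the FCS are left out.

```python
import struct
from typing import Optional

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Assemble an Ethernet frame; when vid is given, insert the 4-byte 802.1Q tag
    between the source MAC and the EtherType (padding and FCS are ignored)."""
    header = dst + src
    if vid is not None:
        if not 1 <= vid <= 4094:
            raise ValueError("802.1Q VID must be 1..4094")
        tci = (pcp << 13) | vid           # PCP (3 bits) | DEI (1 bit, 0) | VID (12 bits)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Return the VID (None when untagged), the inner EtherType and the payload."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype == TPID_8021Q:
        tci, inner = struct.unpack_from("!HH", frame, 14)
        return {"vid": tci & 0x0FFF, "pcp": tci >> 13, "ethertype": inner, "payload": frame[18:]}
    return {"vid": None, "pcp": 0, "ethertype": ethertype, "payload": frame[14:]}


def switch_ingress(frame: bytes, pvid: int) -> bytes:
    """Model a switch port: an untagged frame is assigned the port's PVID (the tag
    the PC never adds itself); a frame that already carries a tag is left alone."""
    info = parse_frame(frame)
    if info["vid"] is not None:
        return frame
    return build_frame(frame[:6], frame[6:12], info["ethertype"], info["payload"], vid=pvid)


def router_ingress(frame: bytes, interface_vid: int, accept_untagged: bool) -> Optional[int]:
    """Simplified one-VLAN-per-interface model of the firewall interface setting:
    returns the VLAN the frame lands in, or None when it is dropped."""
    info = parse_frame(frame)
    if info["vid"] is None:
        # "Send and Receive untagged traffic for the selected VLAN" vs. tagged-only
        return interface_vid if accept_untagged else None
    return info["vid"] if info["vid"] == interface_vid else None


# Constructed sample: a PC sending untagged, as endpoints normally do, toward the firewall.
PC_MAC = bytes.fromhex("02aabbccdd01")
FIREBOX_MAC = bytes.fromhex("02aabbccdd02")
UNTAGGED = build_frame(FIREBOX_MAC, PC_MAC, ETHERTYPE_IPV4, b"IPv4 packet bytes go here")
VIA_SWITCH = switch_ingress(UNTAGGED, pvid=20)   # the switch adds VLAN 20 on the PC's behalf
```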


Migration hot swap

Here’s another big mystery that only occurred to me once I was in the middle of the project: if an endpoint is cheerfully going about its business, settled on its default gateway and the DNS and DHCP it provides, what exactly happens if you suddenly pull the rug out from under it by pushing a new configuration?

On a small scale, it turns out, not much. I changed the AP’s subnet several times, and each time all the connected endpoints just noticed the new gateway, asked for a new IP address lease, and connected back up with a barely noticeable interruption.

The AP itself, on the other hand, took a couple of minutes to think things through when I swapped it away from the default VLAN, and that took its clients down with it. My PC’s Ethernet adapter had to be disabled and re-enabled between some changes.

If I were migrating over to a new VLAN/subnet combo for a client using WatchGuard, I’d use the Secondary Network IP Address feature to make for a smoother transition. Set the interface to the new range, set the secondary to the old range, and let the router connect the two until all the DHCP leases on the old range have expired and all devices have claimed addresses in the new range.

Arbitrarily expand the network

I’ve worked on tickets involving exhausted DHCP pools. Common solutions include:

  • Decreasing the lease time for guest Wi-Fi
  • Expanding an address pool when no devices were utilizing the out-of-scope addresses
  • Planning out a new VLAN to separate VoIP devices from workstations

Depending on the situation, those solutions all qualify as best practices. So, I’d never really even considered the more obvious, knee-jerk / duct-tape solution: what about just slapping on a shorter subnet mask to make the subnet bigger?

For example, if a business has grown and is now using up all 254 available addresses in its /24 network, why not just change the DHCP server subnet over to a /23? Presto, you’ve got 510 usable host addresses.

Could work. I’m sure it has worked, countless times. But it also could get very sloppy. Sure, every DHCP client will renew with the same server, pick up the new mask along with its lease, learn that there are now twice as many available addresses, raise its eyebrows, and move along.

But what about devices, like some printers or the domain controller, with a static IP assignment? Whatever IP such a device had before will still be inside the expanded scope, so, unless another device tries to grab it and creates a conflict, things might continue to function.

But the static device won’t be able to communicate cleanly with anything that grabs an IP from the newly added half of the range. The printer still thinks it is limited to the /24, so a workstation at one of the new addresses looks to it like a host on a different network: instead of ARPing for the workstation directly, the printer hands its reply to the default gateway. Every workstation would be able to see the printer, ping it, request a job. But, depending on which address its lease landed on, the printer’s replies take a detour through the router and only arrive if the router is willing to forward them back out the same interface.
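To make the mismatch concrete, here is an added example (mine, not the post’s) that applies each host’s own address/mask to decide whether it ARPs for a peer directly or sends via its gateway, using the /24-to-/23 expansion described above. The addresses (192.168.1.0/24 widened to 192.168.0.0/23, a printer left static at 192.168.1.50/24) are constructed lab values, not taken from the post.

```python
from ipaddress import IPv4Address, IPv4Interface, IPv4Network


def next_hop(host: IPv4Interface, dst: IPv4Address) -> str:
    """How a host with this address/mask sends to dst: 'direct' (ARP on the local
    link) if dst falls inside its own subnet, otherwise 'gateway' (default route)."""
    return "direct" if dst in host.network else "gateway"


def reply_path(client: IPv4Interface, server: IPv4Interface) -> dict:
    """Compare the client->server and server->client decisions; when they differ,
    the reply detours through the router and depends on it hairpinning the packet."""
    forward = next_hop(client, server.ip)
    back = next_hop(server, client.ip)
    return {"forward": forward, "reply": back, "symmetric": forward == back}


def usable_hosts(net: IPv4Network) -> int:
    """Usable host addresses (network and broadcast addresses excluded)."""
    return net.num_addresses - 2


def looks_like_broadcast_to(host: IPv4Interface, addr: IPv4Address) -> bool:
    """Under the old /24, 192.168.1.255 is the printer's broadcast address; under the
    /23 the DHCP server may lease it to a client, whose unicast the printer then
    treats as broadcast."""
    return addr == host.network.broadcast_address


# Constructed lab values: the DHCP scope is widened from /24 to /23 while the
# printer keeps its static /24 configuration.
OLD_NET = IPv4Network("192.168.1.0/24")
NEW_NET = IPv4Network("192.168.0.0/23")
PRINTER = IPv4Interface("192.168.1.50/24")
OLD_HALF_CLIENT = IPv4Interface("192.168.1.120/23")  # lease from the original range
NEW_HALF_CLIENT = IPv4Interface("192.168.0.37/23")   # lease from the added range


def expansion_report() -> dict:
    """Summarise what the /23 expansion does to pool size and to the printer's reachability."""
    return {
        "old_usable": usable_hosts(OLD_NET),
        "new_usable": usable_hosts(NEW_NET),
        "old_half": reply_path(OLD_HALF_CLIENT, PRINTER),
        "new_half": reply_path(NEW_HALF_CLIENT, PRINTER),
        "stale_broadcast": looks_like_broadcast_to(PRINTER, IPv4Address("192.168.1.255")),
    }


if __name__ == "__main__":
    for key, value in expansion_report().items():
        print(f"{key}: {value}")
```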
