VPN Vs VLAN

I'm trying to read up on Virtual LANs, and I keep coming across Virtual Private Networks.

Are these the same thing?

As far as I understand, the purpose of a VLAN server is to provide an outside host with a place on a LAN so it's as if the host in question is actually sitting on the LAN's hub.

Reply to
Tomás Ó hÉilidhe

No. VPNs are done sort of at layer 3, or actually just under layer 2, where VLANs are done at layer 2.

The easiest way to differentiate them, although this is not 100 percent always the case, is to consider VPNs as being the product of Multi-Protocol Label Switching (MPLS, RFC 2917) whereas VLANs result from IEEE 802.1Q.

The effect is still to create differentiated pipes in a larger network, but the scale is different.

Bert

Reply to
Albert Manfredi

Sorry, I meant that the VPN is done just barely under Layer *3*, not Layer 2. Typo.

The MPLS label is a device that allows routing without having to look at IP addresses, once the path has been set up. It is a device that evolved from ATM's VC concept, I believe, although you'll probably find people who will dispute this vigorously.

Bert

Reply to
Albert Manfredi

I'm after setting up two completely separate LANs in my house (let's call them LAN1 and LAN2). Each LAN has exactly one router which provides access to the internet (one has cable internet, the other has DSL).

I want to set up a VLAN server on LAN2 so that a machine on LAN1 can log on to LAN2 over the internet and act as if it's actually sitting on LAN2's ethernet cable, and therefore send frames such as ARP requests and so forth.

I've gone into the router settings for the router on LAN2 and attempted to set up a VLAN. First thing I haven't a clue about is whether to choose "by-port" or "global" in the settings. I'm using the Netopia 2247NWG wireless router that my ISP gave me.

On the LAN1 host I'm running Windows XP Pro SP2 and I've tried going into "Network Connections" and "Connect to a VPN" but I haven't had any luck.

I still don't know the difference between a VPN and a VLAN so please dumb down your explanation till I know what I'm talking about :)

Reply to
Tomás Ó hÉilidhe

If you *want* the LAN1 and LAN2 hosts to have to use the Internet to communicate with each other, then they would never be using ARP to find each other directly. IEEE 802.1Q VLANs (or VPNs) do not change this reality.

In principle, even if the two in-house LANs are made into two VLANs on the same physical Ethernet, the same situation applies. To send packets between the VLANs, you have to go through the router that joins them. If the hosts in the two VLANs are on different IP subnets, they don't ARP one another directly.

There are oddball ways of creating single IP subnets across different routers, but I don't see that you'd have the option of using such odd schemes. Because there's no way the different ISPs you are using would support such tricks, I don't think.

A "possible" (not really) option would be to dual-home your in-house network, assigning two IP addresses to each host. Then the hosts themselves could decide how best to communicate with each other. But again, I doubt the two different ISPs you use would appreciate such tricks. You'd have to know how to prevent your home net from becoming a path between the two ISPs.

Here's a summary of VLANs vs VPNs.

VLANs

Consider a mesh of L2 switches, all interconnected together, with routers to the Internet on the edges of this mesh. Think of a campus network, for example. VLANs permit the hosts connected to interfaces on many of these switches to be assigned to different IP subnets, therefore often to different default routers. Maybe different buildings want to belong to different IP subnets. Or maybe different departments in each building want to belong to different IP subnets.

For example, the hosts connected to L2 switches 1, 5, 13, and 24 all must belong to IP subnet 1. Hosts connected to L2 switches 2, 8, and 12 must belong to IP subnet 2. And so on. Or you can even differentiate IP subnets between interfaces of a single L2 switch, by assigning each L2 switch interface to a different VLAN.

VPNs

Consider a corporation with offices all over the country. These offices are interconnected via the Internet. But you want traffic within the corporation to remain separate from the greater Internet, as if it were sent over dedicated, leased T3 telco links, for example.

MPLS allows Internet routers between the various corporate sites to set up special "label-switched paths" to expedite traffic that remains within the corporation. And it allows that traffic to ONLY reach the greater Internet by going through a specific subset of routers, so that whatever filters, firewalls, etc. can be installed in these few, well-known locations.

I just don't think either scheme can be used to do what you want, given the fact that you are using two different ISPs.

Bert

Reply to
Albert Manfredi
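The VLAN summary above (hosts on ports of one or more L2 switches placed into separate IP subnets, with traffic between VLANs forced through a router) can be made concrete with a small simulation. This is an added example, not code from the thread or from any vendor: a port-based learning switch where the VLAN is decided by the ingress port, so no tag ever appears on the wire. The port numbers, MAC addresses and topology are constructed for the demonstration.

```python
"""Port-based VLANs on one switch: partitioning a flat L2 catenet without tags.

Added, constructed example; port numbers, MACs and the topology are made up.
"""
BROADCAST = "ff:ff:ff:ff:ff:ff"


class VlanSwitch:
    """A learning switch where each access port belongs to exactly one VLAN.
    Frames are untagged on the wire; the VLAN is decided by the ingress port."""

    def __init__(self, port_vlan):
        self.port_vlan = dict(port_vlan)   # port number -> VLAN id
        self.fdb = {}                      # (vid, mac) -> port where mac was learned

    def ports_in(self, vid):
        return [p for p, v in self.port_vlan.items() if v == vid]

    def forward(self, in_port, src_mac, dst_mac):
        """Return the egress ports for a frame, learning the source on the way.
        The forwarding database is keyed per VLAN, so a MAC learned in one
        VLAN is unknown in another: the partitions never leak into each other."""
        vid = self.port_vlan[in_port]
        self.fdb[(vid, src_mac)] = in_port
        known = self.fdb.get((vid, dst_mac))
        if dst_mac == BROADCAST or known is None:
            # Flood (ARP requests, unknown unicast), but only inside the ingress VLAN.
            return sorted(p for p in self.ports_in(vid) if p != in_port)
        return [known] if known != in_port else []


# Constructed topology: VLAN 10 carries IP subnet 1, VLAN 20 carries IP subnet 2.
# The router has one interface in each VLAN (ports 7 and 8); it is the only
# path by which a packet can cross from one VLAN to the other.
SWITCH = VlanSwitch({1: 10, 2: 10, 3: 20, 4: 20, 7: 10, 8: 20})
HOST_A, HOST_B, HOST_C = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
ROUTER_V10, ROUTER_V20 = "02:00:00:00:00:71", "02:00:00:00:00:72"


def arp_broadcast_reach(switch, in_port, src_mac):
    """Ports that see an ARP request (a broadcast) sent from in_port."""
    return switch.forward(in_port, src_mac, BROADCAST)


def unicast_path(switch, in_port, src_mac, dst_mac):
    """Ports that receive a unicast frame from in_port addressed to dst_mac."""
    return switch.forward(in_port, src_mac, dst_mac)


if __name__ == "__main__":
    # Host A (VLAN 10) ARPs: only the other VLAN 10 ports hear it.
    print("ARP from A reaches ports", arp_broadcast_reach(SWITCH, 1, HOST_A))
    # Host C (VLAN 20) cannot reach A directly, even though A is on the same switch.
    print("C -> A is flooded within VLAN 20 only:", unicast_path(SWITCH, 3, HOST_C, HOST_A))
```

Run it and the output shows the point made in the thread: host C on VLAN 20 never sees host A's ARP, and a unicast from C to A is flooded only to VLAN 20 ports (including the router's VLAN 20 interface), so the only way across is the router doing IP forwarding between the two subnets.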

VPNs were around long before MPLS. MPLS is not needed (and is still relatively rare) in the deployment of VPNs. VPNs simply provide a means to send private information across a public network without (easy) eavesdropping. This is accomplished by a variety of technologies, including access control (restricting access to VPN data streams to specific pre-assigned entry/exit devices) and encryption (across the public network).

MPLS *may* allow the backbone provider to optimize route selection for VPN traffic, but this generally requires a "closed" backbone (i.e., a single backbone service provider), since MPLS is not supported across the general Internet. I have been using VPNs for nearly a decade, without a hint of MPLS.

-- Rich Seifert Networks and Communications Consulting 21885 Bear Creek Way (408) 395-5700 Los Gatos, CA 95033 (408) 228-0803 FAX

Send replies to: usenet at richseifert dot com

Reply to
Rich Seifert

Interesting. I didn't think that "legitimate" VPNs consisted of such an open-ended variety of techniques, but checking the Wikipedia definition, they might perhaps be even more generic than what you describe. In the sense that they include layer 1 and layer 2 techniques, e.g. VPLS and even VLANs, among the possible VPNs.

So, going by this broader definition, the difference between VLANs and VPNs is more simply that VLANs are one particular form of VPN, done at layer 2.

Learn something every day.

Bert

Reply to
Albert Manfredi

Not really. As noted in the wiki article you cite, VPNs are a means for tunneling private data across a common or public backbone, often employing access control, authentication, and encryption, to keep the private data private.

VLANs are not a "tunnel" in any sense; they provide a way to segment an (otherwise completely flat) Layer 2 switched catenet into administratively separate partitions, based on any of a number of criteria (switch ports, IP subnets, MAC address, etc.).

-- Rich Seifert Networks and Communications Consulting 21885 Bear Creek Way (408) 395-5700 Los Gatos, CA 95033 (408) 228-0803 FAX

Send replies to: usenet at richseifert dot com

Reply to
Rich Seifert

According to Wikipedia, though, if you read beyond the introductory paragraph which implies that tunneling is a required component of VPNs, a VPN is more simply a network architecture overlaid over a larger network architecture. No limitation in flatness, and in principle no need to include tunneling.

"The distinguishing characteristic of VPNs are not security or performance, but that they overlay other network(s) to provide a certain functionality that is meaningful to a user community."

And then to further show just how broad and all-inclusive that definition is,

"Categorizing VPNs by User Administrative Relationships

"The Internet Engineering Task Force (IETF) categorized a variety of VPNs, some of which, such as Virtual LANs (VLAN) are the standardization responsibility of other organizations, such as the Institute of Electrical and Electronics Engineers (IEEE) Project 802, Workgroup 802.1 (architecture)."

The "tunneling" aspects of VPNs would explain why they also include techniques such as Virtual Wire, or I guess even Frame Relay leased service, in the VPN category.

Frankly, I don't find infinitely broad definitions to be very useful, but it's always good to know that other people might be using a much broader definition than I thought existed.

Bert

Reply to
Albert Manfredi

[snip]

Wikipedia: Reality decided by popular vote.

-- Rich Seifert Networks and Communications Consulting 21885 Bear Creek Way (408) 395-5700 Los Gatos, CA 95033 (408) 228-0803 FAX

Send replies to: usenet at richseifert dot com

Reply to
Rich Seifert

Rich Seifert wrote: (snip)

Not quite the same as VPN, but it still looks like a tunnel to me.

There is no encryption, but the original data is hidden with a VLAN header in front such that only VLAN devices will accept it. They may unencapsulate it (take it out of the tunnel), or send it through a different tunnel to another VLAN device.

The different tunnels having different VLAN tags.

-- glen

Reply to
glen herrmannsfeldt

On 23.12.2007 09:58 glen herrmannsfeldt wrote

Have a closer look *where* the Vlan tag is. There is *no* encapsulation.

Arnold

Reply to
Arnold Nipper

You mean, because there aren't two sets of MAC addresses?

Maybe so, but there are two sets of Ethertypes, or one Ethertype and one length format encapsulated frame. Maybe you could characterize it as tunneling (encapsulation) at the LLC layer, not at the MAC layer.

Bert

Reply to
Albert Manfredi
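The last few posts argue about where the 802.1Q tag sits and whether that counts as encapsulation. The following added example (not code from the thread) builds tagged and untagged frames byte for byte so the difference can be checked directly: the tag is four bytes (TPID 0x8100 plus the TCI holding PCP and VID) inserted after the source MAC, while a tunnel prepends a complete outer header and carries the whole original frame as payload. The MAC addresses and payload are constructed; the contrasting tunnel uses the IEEE local-experimental EtherType 0x88B5 purely as a placeholder outer type, not any real tunnel protocol.

```python
"""Where an 802.1Q tag sits in an Ethernet frame, versus true encapsulation.

Added, constructed example; the MAC addresses and payload bytes are made up.
"""
import struct

TPID_8021Q = 0x8100        # EtherType value that announces a VLAN tag
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_LOCAL_EXP = 0x88B5   # IEEE local-experimental type, placeholder for a tunnel


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Ethernet II frame. If vid is given, insert a 4-byte 802.1Q tag between
    the source MAC and the original EtherType. No outer header is added."""
    frame = dst + src
    if vid is not None:
        tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)   # PCP(3) DEI(1)=0 VID(12)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return dst, src, the VLAN fields if tagged, the real EtherType and payload."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vid, pcp = 14, None, None
    if ethertype == TPID_8021Q:
        # The first EtherType was the TPID; the real one follows the TCI.
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, vid = tci >> 13, tci & 0x0FFF
        offset = 18
    return {"dst": dst, "src": src, "vid": vid, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[offset:]}


def strip_tag(frame):
    """Remove the 802.1Q tag, giving the untagged frame an access port would emit."""
    if parse_frame(frame)["vid"] is None:
        return frame
    return frame[:12] + frame[16:]


def encapsulate(outer_dst, outer_src, outer_ethertype, inner_frame):
    """Generic tunnel for contrast: a complete outer Ethernet header is
    prepended and the whole inner frame, headers included, becomes payload."""
    return outer_dst + outer_src + struct.pack("!H", outer_ethertype) + inner_frame


def is_tag_insertion(untagged, tagged):
    """True if `tagged` is `untagged` with exactly 4 tag bytes inserted at offset 12."""
    return (len(tagged) == len(untagged) + 4
            and tagged[:12] == untagged[:12]
            and tagged[12:14] == struct.pack("!H", TPID_8021Q)
            and tagged[16:] == untagged[12:])


# Constructed sample frames (locally administered MACs, fake IPv4-looking payload).
DST = bytes.fromhex("0200000000aa")
SRC = bytes.fromhex("0200000000bb")
PAYLOAD = b"\x45\x00" + b"\x00" * 18
UNTAGGED = build_frame(DST, SRC, ETHERTYPE_IPV4, PAYLOAD)
TAGGED = build_frame(DST, SRC, ETHERTYPE_IPV4, PAYLOAD, vid=100, pcp=5)
TUNNELED = encapsulate(bytes.fromhex("020000000001"), bytes.fromhex("020000000002"),
                       ETHERTYPE_LOCAL_EXP, UNTAGGED)

if __name__ == "__main__":
    print("tagged   :", TAGGED.hex())
    print("untagged :", UNTAGGED.hex())
    print("tag inserted at offset 12, original MACs kept:", is_tag_insertion(UNTAGGED, TAGGED))
    print("tunnel carries the whole original frame:", TUNNELED[14:] == UNTAGGED)
```

Printing the two hex strings side by side shows the thread's two positions at once: the tagged frame does carry two EtherType fields back to back (0x8100 then 0x0800), which is the "two Ethertypes" observation, but the destination and source MACs are the original ones and nothing is wrapped, which is why the tag is called an insertion rather than an encapsulation.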

First of all, VLANs do not require the use of tags. VLANs provide a partitioning of a layer 2 catenet. Tags are a convenient way to avoid having every bridge in the catenet process the VLAN association for each frame.

While it is clearly *possible* to tunnel a VLAN across a common backbone, this is not a requirement, i.e., this behavior does not define the VLAN.

-- Rich Seifert Networks and Communications Consulting 21885 Bear Creek Way (408) 395-5700 Los Gatos, CA 95033 (408) 228-0803 FAX

Send replies to: usenet at richseifert dot com

Reply to
Rich Seifert

(snip)

It seems still possible to consider a tunnel inside a switch. That is, a path between certain ports that doesn't go directly to other ports. I agree that the word more obviously describes separate paths over a common backbone.

-- glen

Reply to
glen herrmannsfeldt
