VLAN and Subnet – Purpose of 1:1 Ratio Between VLANs and Subnets

Tags: subnet, vlan

I understand the technical difference between a subnet and a VLAN. After looking through questions related to this topic, including:

VRFs, VLANs and subnets: difference

VLANS vs. subnets for network security and segmentation

there doesn't seem to be an answer that really pinpoints this subtlety. The communication issues and security implications of having multiple subnets on a single VLAN, and vice versa, are clear.

But subnets provide l3 separation. Okay. VLANs allow you to segment your l2. If the goal is separation, why isn't subnetting (l3 separation) enough? I am not able to pull all of this together into a pretty picture that delineates the necessity, other than the router-on-a-stick situation, where VLANs would allow subnets to share the physical infrastructure (e.g. a single switch). But in practice, do subnets really share any portion of the l2 infrastructure?

Best Answer

VLANs allow you to segment your l2. If the goal is separation -- why isn't subnetting (l3 separation) enough?

I guess this:

The communication issues and security implications of having multiple subnets on a single VLAN and vice versa, are clear.

isn't as clear as you seem to say.

From the perspective of a VLAN, a VLAN is a broadcast domain. When a host receives a layer-2 broadcast, which will be sent to every host in a broadcast domain, the host hardware must pass the frame to higher layers in the network stack for processing to see if the frame payload is destined for the host. This not only presents security concerns from hosts running capture software, but it can also become a problem, because adding hosts to a VLAN increases the broadcasts on the VLAN by even more than the number of added hosts, interrupting every host on the LAN.

VLANs will basically break a broadcast domain into multiple broadcast domains, just as if you had multiple, separate, unconnected switches. To get traffic from one VLAN to another VLAN requires a router. That is also true for getting traffic from one layer-3 network to another layer-3 network, which is why layer-2 VLANs and layer-3 networks mesh so well.

Routers route layer-3 packets, not layer-2 frames, between layer-3 networks, so each router interface is in a different layer-3 network. Since it takes a router to move traffic between VLANs, that means that each VLAN would need to use a different layer-3 network if it needs to communicate with a different VLAN.

You can also place router ACLs, or a software firewall on a router, between the VLANs, but this requires a different layer-3 network on each VLAN because routers route packets between networks. This can be a real security feature or requirement.

But in practice, do subnets really share any portion of the l2 infrastructure?

Since VLANs can partition a single switch, then yes, different layer-3 networks on VLANs will share the switch hardware, but they will logically be on different switches, even on the same physical switch. Different layer-3 networks can also share a physical interface on a switch or router by configuring the interface as a trunk that uses tags to separate the layer-2 frames of the different layer-3 networks into separate VLANs.

What you are asking about is really for ethernet. There are many layer-2 protocols that do not use VLANs, and some can only use one layer-3 network on one layer-2 LAN. Even Wi-Fi, which has displaced ethernet as the King of the LAN, does not really have VLANs. It does have separate SSIDs that can map to VLANs on the ethernet side of the WAP, but you are unlikely to be able to configure more than one layer-3 network per SSID.
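The following is an added worked example, not part of the question or the answer above. It models the three things the answer describes: a trunk carrying 802.1Q-tagged frames (the tag format follows IEEE 802.1Q: TPID 0x8100, then a 16-bit TCI whose low 12 bits are the VLAN ID), a VLAN-aware switch in which each VLAN is its own broadcast domain, and a router-on-a-stick with one subnet per VLAN subinterface and an ACL between them. The MAC addresses, the 10.0.10.0/24 and 10.0.20.0/24 subnets, the Switch/Router classes and the ACL are all constructed for illustration and are not real device configuration.

```python
"""Toy model of an 802.1Q trunk, a VLAN-aware switch and a router-on-a-stick.

Added example for the discussion above, not code from the original post.
Frame layout follows IEEE 802.1Q; hosts, subnets and the ACL are constructed.
"""
import ipaddress
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
TPID_8021Q = 0x8100          # EtherType value that announces a VLAN tag
ETHERTYPE_ARP = 0x0806


def mac_bytes(mac):
    return bytes(int(b, 16) for b in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{x:02x}" for x in raw)


def build_tagged_frame(dst, src, vlan_id, ethertype, payload):
    """Ethernet II frame with a single 802.1Q tag: dst, src, TPID, TCI, type, payload."""
    tci = vlan_id & 0x0FFF   # PCP and DEI bits left at 0; VLAN ID is 12 bits
    return (mac_bytes(dst) + mac_bytes(src)
            + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload)


def parse_frame(frame):
    """Return the header fields; 'vlan' is None for an untagged frame."""
    dst, src = mac_str(frame[:6]), mac_str(frame[6:12])
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return {"dst": dst, "src": src, "vlan": tci & 0x0FFF,
                "ethertype": ethertype, "payload": frame[18:]}
    return {"dst": dst, "src": src, "vlan": None,
            "ethertype": tpid, "payload": frame[14:]}


class Switch:
    """Each VLAN is a separate broadcast domain; the switch never crosses VLANs."""

    def __init__(self):
        self.ports = {}          # host MAC -> VLAN of its access port (constructed)

    def connect(self, mac, vlan):
        self.ports[mac] = vlan

    def deliver(self, frame):
        """MACs that receive this frame: the frame's VLAN bounds a broadcast."""
        f = parse_frame(frame)
        if f["dst"] == BROADCAST:
            return sorted(m for m, v in self.ports.items()
                          if v == f["vlan"] and m != f["src"])
        # Unicast: only delivered if the destination sits in the same VLAN
        return [f["dst"]] if self.ports.get(f["dst"]) == f["vlan"] else []


class Router:
    """Router-on-a-stick: one subinterface (one subnet) per VLAN, plus an ACL."""

    def __init__(self, subinterfaces, acl):
        self.subifs = {v: ipaddress.ip_network(n) for v, n in subinterfaces.items()}
        self.acl = [(ipaddress.ip_network(s), ipaddress.ip_network(d), allow)
                    for s, d, allow in acl]      # first match wins

    def route(self, in_vlan, src_ip, dst_ip):
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        # A source outside the ingress VLAN's subnet is spoofed or misconfigured
        if src not in self.subifs[in_vlan]:
            return ("drop", "source-check")
        out_vlan = next((v for v, n in self.subifs.items() if dst in n), None)
        if out_vlan is None:
            return ("drop", "no-route")
        if out_vlan == in_vlan:
            # Same subnet, same VLAN: hosts talk at layer 2, router not in path
            return ("local", in_vlan)
        for s, d, allow in self.acl:
            if src in s and dst in d:
                return ("forward", out_vlan) if allow else ("drop", "acl")
        return ("forward", out_vlan)


def demo():
    sw = Switch()
    sw.connect("02:00:00:00:10:01", 10)
    sw.connect("02:00:00:00:10:02", 10)
    sw.connect("02:00:00:00:20:01", 20)
    arp = build_tagged_frame(BROADCAST, "02:00:00:00:10:01", 10,
                             ETHERTYPE_ARP, b"who-has 10.0.10.2")
    reached = sw.deliver(arp)        # VLAN 10 hosts only; VLAN 20 is never interrupted
    rtr = Router({10: "10.0.10.0/24", 20: "10.0.20.0/24"},
                 acl=[("10.0.20.0/24", "10.0.10.0/24", False)])
    return (reached,
            rtr.route(10, "10.0.10.1", "10.0.20.5"),   # allowed direction
            rtr.route(20, "10.0.20.5", "10.0.10.1"))   # blocked by the ACL


if __name__ == "__main__":
    print(demo())
```

The ACL only works because VLAN 10 and VLAN 20 each carry a distinct subnet: the router identifies the "other side" by destination network, and the source check rejects a host on VLAN 20 claiming a 10.0.10.x address. Put both subnets on one VLAN and the switch alone would flood the ARP broadcast to every host, with no router in the path to enforce anything.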