VLANs vs Subnets – Pros and Cons

Each fills a different purpose and all three may be part of an overall solution. Lets start with the oldest concept first.

Subnets are the IP worlds way of determining what devices are "assumed to be on-link". Devices within the same subnet will send unicast traffic directly to each other by default while devices in different subnets will send unicast traffic via a router by default.

You could put each subnet on a separate physical network. This forces traffic to go via the router, which can act as a firewall. That works fine if your isolation domains match up with your physical network layout but gets to be a PITA if they don't.

You can have multiple subnets on the same "link", but doing so does not provide a high degree of isolation between the devices. IPv4 unicast traffic between different subnets will by default flow via your router where it can be filtered but broadcasts, IPv6 link local traffic and non-ip protocols will flow directly between the hosts. IPv6 global unicast traffic may or may not flow via the router depending on how the hosts are configured. Furthermore if someone wants to bypass the router they can trivially do so by adding an extra IP address to their NIC.

VLANs take an Ethernet network and split it up into multiple seperate Virtual Ethernet networks. This lets you ensure that traffic goes via the router without constraining your physical network layout.

VRFs let you build multiple virtual routers in one box. They are a relatively recent idea and are mostly useful in large complex networks. Essentially while VLANs let you build multiple independent virtual Ethernet networks on the same infrastructure VRFs (used in conjunction with an appropriate virtual link layer such as VLANs or MPLS) let you build multiple independent IP networks on the same infrastructure. Some examples of where they might be useful.

• If you are running a multi-tenant datacenter scenario each customer may have their own (possibly overlapping) set of subnets and want different routing and filtering rules.
• In a large network you may want to route between subnets/vlans in the same security domain locally while sending cross security domain traffic to a central firewall.
• If you are doing DDOS scrubbing you may want to separate unscrubbed traffic from scrubbed traffic.
• If you have multiple classes of customer you may want to apply different routing rules to their traffic. For example you could route "economy" traffic on the cheapest path while routing "premium" traffic on the fastest path.

VLANs can be many different sizes. The length of the mask you choose depends on how many hosts you have in a network, and how much room for growth you build in. A lot of companies have networks of varying sizes.

Many people automatically assume /24 because they are lazy, and really don't understand how to use masks which don't end on an octet boundary. Granted, /24 is a pretty convenient size for many user networks, but there are cases where it is overkill, e.g. a site with a server, a couple of printers, and 12 users with no real room for growth. There is also something to be said for consistency, where you can have the exact same configurations for the network devices at multiple sites, and /24 will allow for a pretty large range of site sizes.

The only real concern is for the number of IPv4 addresses which you have, whether or not you are wasting too many addresses of a limited number. It is often harder to try to steal addresses from networks which are too large than it is to combine addresses into a larger network. Either way, it is no fun.