A recent discussion inside Cisco which overflowed onto Twitter makes me wonder just how much money is being wasted out there in the name of Best Practice (meh).
This particular “Best Practice” (meh) is security-, architecture- and networking-related and it’s about the use or non-use of VLANs. See the note at the end about VLANs if you are in marketing or have lived in a cave in Afghanistan for the past ten years.
First let me get my beef out of the way: I detest the phrase Best Practice, though I’m a huge fan of building a living library of repeatable practices. Minor lexical gripe? Non, monsieur. Best Practices are like Listed Building status: once granted, it’s a bitch, if not impossible, to remove. People believe in them: they become Gods. Their meme propagates around the industry and becomes Fact. People stop applying reason and instead blindly apply best practices, producing architectures that make me want to cry out (in a Yorkshire accent): “It’s the Wrong Trousers, Gromit!”
Twitter quote of @tostaypuft: @jonisick In ref to best practices, Dr Neil Gunther said: http://perfdynamics.blogspot.com/search?q=best+practice
My beef is not technology religious: I don’t advocate VLANs in all cases (just most), and I certainly don’t wish to birch nor burn anyone who hasn’t or won’t deploy VLANs: I advocate reason, and reason includes understanding the thinking behind VLANs (which is the rest of this post) and the cost of not using VLANs, which is:
- Physically separate switches and cables for your single, flat, broadcast network cost tens of thousands of pounds per LAN if it is in a data center, in CapEx alone. Add on the cost of managing it (management agent licenses, design/deployment/testing/maintenance/power/space etc). It’s serious money.
- Today, right now, everyone is consolidating, unifying and virtualizing. They are doing that for many reasons, including money and the fact that things like VLAN technology have been around for a long time. Not using VLANs flies in the face of this industry movement, so you need a good reason to stick out like a sore thumb.
Possible reasons you MUST NOT use VLANs:
- Industry or governmental regulation where the cost of not complying exceeds the cost of complying, or you cannot change the regulation (or it isn’t due to change anytime soon).
- If you let any old dude breeze into your data center where directions to your switches are posted on the wall, next to the admin passwords and a spare laptop with serial cable and pre-configured Putty session.
So, how do you find out more about VLANs in the data center?
1. Read the 2002 @Stake paper on their penetration tests, analysis and recommendations. Here’s a snippet of what they tested:
2. Read the Cisco SAFE Layer 2 Security In-Depth, Version 2 paper. This describes eight attacks (CAM table overflow, VLAN hopping, Spanning-Tree Protocol manipulation, Media Access Control (MAC) address spoofing, Private VLAN, DHCP “starvation”) in detail and the actual switch configurations to mitigate these risks.
3. Read the Cisco SAFE for Medium Enterprise Networks paper. This describes a security framework and practices for deploying and securing networks.
4. Buy my team-mate’s book on LAN Switch Security: What Hackers Know About Your Switches. This book uniquely approaches the whole subject from the hacker’s point of view, showing the tools they use.
What the hell is a VLAN (in layman’s terms)?
If you don’t know what a VLAN is then consider that life without VLANs means that all the physical bits connected together, switches and hosts via cables, are one big flat network. Sounds simple in theory, but in practice it’s awful (and those practical problems are exactly why VLANs were developed).
This big flat physical network is bad because it’s a broadcast domain, which means all devices can see each other and have to put up with loudmouths on the LAN. More devices means more noisy broadcast traffic, which impacts network performance. It also means dodgy devices on the network can do naughty things like impersonate other devices. Tsk tsk.
What a VLAN does is allow you to transform (improve the performance and security of) the physical bunch of stuff, switches and hosts via cables, by dividing the one LAN into multiple VLANs in the switch software (a.k.a. logically) so that one cable is on one LAN and another cable is on another LAN – ON THE SAME SWITCH! So you divide one physical LAN into multiple virtual LANs and reduce the size of the broadcast domain, addressing the scalability and security issues.
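To make the broadcast-domain point concrete, here is an added toy model of a learning switch (example code, not from the original post or from Cisco). It assumes constructed port numbers, VLAN ids and MAC addresses, and shows two things the text describes: a broadcast from one port floods all eight ports on a flat LAN but only the ports in the same VLAN once the switch is segmented, and because the switch learns MAC addresses per VLAN, a device on another VLAN claiming a neighbour’s MAC does not get that neighbour’s traffic delivered to it.

```python
"""Toy switch: broadcast domains with and without VLANs (added example)."""

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """Learning switch whose MAC table is keyed by (vlan, mac), as real
    switch CAM tables are, so learning and flooding never cross a VLAN."""

    def __init__(self, port_vlan):
        # port_vlan: {port: vlan}. A flat LAN is every port in one VLAN.
        self.port_vlan = dict(port_vlan)
        self.mac_table = {}  # (vlan, mac) -> port the MAC was learned on

    def forward(self, in_port, src, dst):
        """Deliver one frame; return the sorted list of egress ports."""
        vlan = self.port_vlan[in_port]
        self.mac_table[(vlan, src)] = in_port  # learn source MAC, per VLAN
        if dst != BROADCAST and (vlan, dst) in self.mac_table:
            out = self.mac_table[(vlan, dst)]
            return [] if out == in_port else [out]
        # Broadcast or unknown unicast: flood, but only inside this VLAN.
        return sorted(p for p, v in self.port_vlan.items()
                      if v == vlan and p != in_port)


def flat_lan():
    """Eight ports, no VLANs: one big broadcast domain (constructed)."""
    return Switch({p: 1 for p in range(1, 9)})


def segmented_lan():
    """Same eight ports on the same switch, split in software:
    ports 1-4 in VLAN 10 (servers), ports 5-8 in VLAN 20 (management)."""
    return Switch({**{p: 10 for p in range(1, 5)},
                   **{p: 20 for p in range(5, 9)}})


def impersonation_outcome(switch):
    """Host on port 1 announces its MAC; a dodgy device on port 5 then claims
    the same MAC. Return where a frame from port 3 to that MAC is delivered:
    [5] means the impostor hijacked it, [1] means the real host still got it."""
    victim = "02:00:00:00:00:01"          # constructed sample MAC
    switch.forward(1, victim, BROADCAST)  # legitimate host, learned on port 1
    switch.forward(5, victim, BROADCAST)  # impostor on port 5 claims the MAC
    return switch.forward(3, "02:00:00:00:00:03", victim)
```

On the flat LAN the impostor overwrites the single table entry and receives port 3’s traffic; on the segmented switch port 5 sits in VLAN 20, so its claim lands in a different table entry and VLAN 10 traffic still reaches port 1.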
Steve, to bring to your attention.
There is a new IT management group which has decided, like yourself, that best practice is completely temporal; along with your rift here, it’s known as the better practice group and has featured in the UK IT press. I’m sure you will find it.
Anyone long enough in the tooth will also tell you that all of IT is iterative, as we all guessed many years ago; at least to mere mortals. In the essence of simple debate, what’s your take on Prince 2, 2009? A recent tweet posted an OGC case study on the subject of its combination with your affronted ITIL. In my small however humble experience, I’d guess that it is the ‘tailored’ application of the methods and lack of method QA which is really and truly at fault. Your comments please.
I wish you hadn’t posted anonymously, but regardless I think that although there is value in the abstract (ITIL) there is much more value in applied practices. People shy away from these because they are likely to be context specific, such as business vertical and products involved: but it doesn’t take too much to modify the practice to suit different contexts. Given a choice: abstract vs. applied, where I have to modify both anyway, I’d take applied first time every time.
However, I want specific information in the applied practice: if it’s just anecdotal and incomplete, then it might as well be abstract. I want specific actions, timings, outcomes (planned vs. actual), tool versions, the lot. I also want this live library to be managed independently by practitioners for practitioners and not for profit.
I tried to do this, with little funding or support, at VMware but found that it’s hard to do this when it’s paid for by a vendor. Even though I work @ Cisco now, if I had the chance to do “VIOPS” again I would hope that Cisco would support it as an external, not-for-profit venture. It doesn’t need fancy websites it just needs people and their practices.
So who are you, anyway, Mr (or Miss!) Anonymous?
In response: I have a tendency to disagree, believing instead that a good enough abstracted approach is suitable, and position the argument, from my small exposure, that the rate of innovation would be hampered by highly specialised approaches, resulting in corralling, gaming and other factors, e.g. standards skirmishes et al. Based simply on the accelerative rate, deltas and diversity, that which you want is simply not suited and removes value from the individual and into a knowledge base. Working for one of the world’s largest network equipment vendors, I am sure these tools are readily available to you and are considered part of the value proposition to your clients and dependency management from a business perspective.
My preference is for M-shaped generalist approaches (in reference to T-shaped skilling).
Apologies, but I don’t mean to argue against abstraction: I’m a huge fan of it (do a search on viewyonder and you’ll see!). I just think there’s a dearth of applicable practices. Thanks for the great comment!
Good morning
I wish people would write in a format easier to read, brain hurts!
My view is that best practices are more like recommendations which should be read, understood and sometimes applied. Each scenario is different and by applying a strict set of “do this, do that” to every project could be doing more harm than good.
I use VLANs with nearly every deployment… mgmt core and network… at least.
I have a friend working at Green Park. Which department do you work for with Cisco?
Cheers, Stefan
Hey Stefan… are you saying this post is hard to read? How so, and how can it be improved? Thanks for commenting!