Provoking IT from Good to Great
Steve Chambers
Five years as a systems programmer, five years in web hosting, and now five years in virtualization - and now Unified Computing at Cisco.
Homepage: http://www.viewyonder.com
Yahoo Messenger: stevie_chambers@yahoo.com
Posts by Steve Chambers
Are VLANs the Wrong Trousers?
Aug 14th
A recent discussion inside Cisco which overflowed onto Twitter makes me wonder just how much money is being wasted out there in the name of Best Practice (meh).
This particular “Best Practice” (meh) is security-, architecture- and networking-related and it’s about the use or non-use of VLANs. See the note at the end about VLANs if you are in marketing or have lived in a cave in Afghanistan for the past ten years.
First let me get my beef out of the way: I detest the phrase Best Practice, though I’m a huge fan of building a living library of repeatable practices. Minor lexical gripe? Non, monsieur. Best Practices are like Listed Building status: once granted, it’s a bitch-if-not-impossible to remove. People believe in them: they become Gods. Their meme propagates around the industry and becomes Fact. People stop applying reason and instead blindly apply best practices producing architectures that make me want to cry out (in a Yorkshire accent): “It’s the Wrong Trousers, Gromit!”
Twitter quote of @tostaypuft: @jonisick In ref to best practices, Dr Neil Gunther said : http://perfdynamics.blogspot.com/search?q=best+practice
My beef is not technology religious: I don’t advocate VLANs in all cases (just most), and I certainly don’t wish to birch nor burn anyone who hasn’t or won’t deploy VLANs: I advocate reason, and reason includes understanding the thinking behind VLANs (which is the rest of this post) and the cost of not using VLANs, which is:
- Physically separate switches and cables for your single, flat, broadcast network costs tens of thousands of pounds per LAN if it is in a data center just for the CapEx. Add on the cost of managing it (management agent licenses, design/deployment/testing/maintenance/power/space etc). It’s serious money.
- Today, right now, everyone is consolidating, unifying and virtualizing. They are doing that for many reasons including money and the fact that things like VLAN technology have been around for a long time. Not using VLANs flies in the face of this industry movement, so you need a good reason to stick out like a sore thumb.
Possible reasons you MUST NOT use VLANs:
- Industry or governmental regulation where the cost of not complying exceeds the cost of complying, or you cannot change the regulation (or it isn’t due to change anytime soon).
- If you let any old dude breeze in to your data center where directions to your switches are posted on the wall, next to the admin passwords and a spare laptop with serial cable and pre-configured Putty session.
So, how do you find out more about VLANs in the data center?
1. Read the 2002 @Stake paper on their penetration tests, analysis and recommendations. Here’s a snippet of what they tested:
2. Read the Cisco SAFE Layer 2 Security In-Depth, Version 2 paper. This describes eight attacks (CAM table overflow, VLAN hopping, Spanning-Tree Protocol manipulation, Media Access Control (MAC) address spoofing, Private VLAN, DHCP “starvation”) in detail and the actual switch configurations to mitigate these risks.
3. Read the Cisco SAFE for Medium Enterprise Networks paper. This describes a security framework and practices for deploying and securing networks.
4. Buy my team-mate’s book on LAN Switch Security: What Hackers Know About Your Switches. This book uniquely approaches the whole subject from the hacker’s point of view, showing the tools they use.
What the hell is a VLAN (in layman’s terms)?
If you don’t know what a VLAN is, then consider that life without VLANs means that all the physical bits connected together, switches and hosts via cables, are one big flat network. Sounds simple in theory, but in practice it’s awful (and those practical problems are exactly why VLANs were developed).
This big flat physical network is bad because it’s a broadcast domain, which means all devices can see each other and have to put up with the loudmouths on the LAN. More devices means more noisy broadcast traffic, which impacts network performance. It also means dodgy devices on the network can do naughty things like impersonate other devices. Tsk tsk.
What a VLAN does is allow you to transform (improve the performance and security of) that physical bunch of stuff, switches and hosts via cables, by dividing the one LAN into multiple VLANs in the switch software (a.k.a. logically), so that one cable is on one LAN and another cable is on another LAN – ON THE SAME SWITCH! So you divide one physical LAN into multiple virtual LANs and reduce the size of each broadcast domain, addressing both the scalability and the security issues.
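To make the layman’s explanation above and the mitigations listed under the SAFE paper concrete, here is an added example (not from this post, the @Stake paper or the Cisco SAFE papers) of a Cisco IOS-style access-switch config that carves one physical switch into two VLANs and applies Layer 2 hardening against the attacks the SAFE paper names; VLAN numbers, names and interface names are assumptions.

```cisco
! Added example, not the post's or Cisco's own config: one physical switch,
! two VLANs, plus Layer 2 hardening. VLAN ids, names and interfaces are assumed.
!
! One switch, two broadcast domains (web tier and database tier)
vlan 10
 name WEB
vlan 20
 name DB
! A dead VLAN used as trunk native VLAN, so untagged frames never land in a live VLAN
vlan 999
 name NATIVE_UNUSED
!
! DHCP snooping: only the trusted uplink may answer DHCP (blocks rogue servers),
! and per-port rate limits below cap DHCP "starvation" floods from a host port
ip dhcp snooping
ip dhcp snooping vlan 10,20
! Dynamic ARP inspection uses the snooping binding table to drop MAC/ARP spoofing
ip arp inspection vlan 10,20
!
! Host-facing port: pinned to access mode so DTP cannot negotiate a trunk (VLAN hopping);
! port security caps learned MACs so a flood cannot overflow the CAM table into hub mode;
! BPDU guard shuts the port if a host tries to join the spanning tree (STP manipulation).
! A DB host on Gi0/2 gets the same block with "switchport access vlan 20".
interface GigabitEthernet0/1
 description web-server-1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 ip dhcp snooping limit rate 15
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Uplink trunk: explicit allowed list, unused native VLAN, trusted for DHCP and ARP
interface GigabitEthernet0/24
 description uplink-to-core
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
 ip dhcp snooping trust
 ip arp inspection trust
```

After applying it, `show vlan brief`, `show port-security interface GigabitEthernet0/1` and `show ip dhcp snooping binding` confirm the port-to-VLAN split and that the hardening features are active.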