Yes, and that is a problem. Usually because it is not granular enough and there are a lot of ways to get onto another VLAN (physical access and packet trickery). It is a pretty weak form of security policy. Now, if we assume that VLAN based security is weak and that most homes do not generate enough broadcast traffic to be an issue, what exactly is the reason that a residential customer needs a lot of VLANs? Answer, they probably don't. A lot of residential users have a CPE device that does wireless, routing, and DHCP assignments all in one. No need to create a guest VLAN on that type of device. You simply assign an ACL that keeps the guest from reaching any internal IP. Why would your refrigerator (or car, toaster, TV, whatever) need to be on a separate subnet when the whole point is to create a network where all of your stuff communicates? Us engineers need to make sure we don't generalize that a lot of residential users do to their networks what we do to ours. We MIGHT have a reason for several subnets to simulate different stuff. I am still waiting for a valid example of a residential situation where VLANs are a useful addition. Oh, and don't even try the QoS argument. I will tell you that LLDP identification of the device and applying QoS policy based on the identification is much more effective and transparent to the end user. Steven Naslund Chicago IL
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Tyler Applebaum Sent: Thursday, July 9, 2015 3:38 PM To: Naslund, Steve Cc: nanog@nanog.org Subject: RE: Dual stack IPv6 for IPv4 depletion
Do people actually use VLANs for security? It's nice to implement them for organizational purposes and to prevent broadcast propagation.