LinuxQuestions.org

Linux - Networking: VLAN vs Subnet - too many ambiguous answers online (https://www.linuxquestions.org/questions/linux-networking-3/vlan-vs-subnet-too-many-ambiguous-answers-online-634220/)

Meson 04-09-2008 12:02 PM

VLAN vs Subnet - too many ambiguous answers online
 
I've been trying to get a feel for the difference between VLANs and Subnetting for a while now, but all of the discussions online are pretty similar and don't really get to the bottom of my questions...

First, does either provide any REAL security?

Second, how does each affect network performance? Does either minimize traffic for the router (or do they actually increase router traffic for inter vlan/subnet communication)? Do they minimize the work done by the switch or increase it? I'm pretty sure they both remove significant broadcast traffic at individual computers.

Anything special about multiple subnets within a vlan?

Anything special about multiple vlans within a subnet?

I'm sure I'll come up with more questions, I'll append them as I think of them...

acid_kewpie 04-09-2008 01:42 PM

neither are about security, used in conjunction with layer 3 security devices, i.e. a firewall, then they are what defines the separations, but they are not about security themselves.

in general you have a 1:1 mapping of subnets and vlans. they are used in complement to each other in the vast majority of effectively designed networks. multiple subnets on a single vlan, or rather no vlan is very dumb, that's for sure. generally you'd probably have /24 subnets each with their own matching vlan, e.g. subnet 192.168.123.0/24 would quite likely be switched on vlan 123.

vlans allow isolated smaller subnets on a single (or multiple) devices, so with a smaller subnet, you have fewer devices and therefore less broadcast traffic. by segregating traffic though, you do substantially increase unicast traffic volumes when going between networks, i.e. traffic goes from one pc to a router and then back to the destination pc, which would most likely be a more cpu intensive and further route than if they were on the same subnet and therefore not using a router in the middle.
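To make the 1:1 subnet/VLAN convention and the "switched vs routed" consequence concrete, here is a small added Python example (not from the thread or any poster). It assumes the /24-per-VLAN convention from the post above (third octet becomes the VLAN id) and uses constructed, hypothetical 192.168.x.0/24 subnets; it reports whether traffic between two hosts stays on one switch-side broadcast domain or has to pass through the router, and how many hosts share each broadcast domain.

```python
import ipaddress

# Constructed plan following the post's convention: 192.168.N.0/24 lives on VLAN N.
SUBNETS = ["192.168.10.0/24", "192.168.20.0/24", "192.168.123.0/24"]


def vlan_for_subnet(net):
    """Derive the VLAN id from the third octet of a /24 (the post's convention)."""
    net = ipaddress.ip_network(net, strict=True)
    if net.prefixlen != 24:
        raise ValueError(f"{net} is not a /24; choose the VLAN id explicitly")
    return int(str(net.network_address).split(".")[2])


def build_plan(subnets):
    """Return {vlan_id: network}; refuse duplicate VLAN ids and overlapping subnets,
    since either breaks the 1:1 mapping the post recommends."""
    plan = {}
    for s in subnets:
        net = ipaddress.ip_network(s, strict=True)
        vid = vlan_for_subnet(s)
        if vid in plan:
            raise ValueError(f"VLAN {vid} already carries {plan[vid]}")
        for other in plan.values():
            if net.overlaps(other):
                raise ValueError(f"{net} overlaps {other}")
        plan[vid] = net
    return plan


def find_vlan(plan, ip):
    """VLAN (and therefore subnet) a host address belongs to, or None."""
    ip = ipaddress.ip_address(ip)
    for vid, net in plan.items():
        if ip in net:
            return vid
    return None


def forwarding_path(plan, src, dst):
    """('switched', vlan) when both hosts share a VLAN/subnet, so only the switch
    forwards; ('routed', src_vlan, dst_vlan) when traffic goes PC -> router -> PC."""
    sv, dv = find_vlan(plan, src), find_vlan(plan, dst)
    if sv is None or dv is None:
        raise ValueError("address is outside the plan")
    return ("switched", sv) if sv == dv else ("routed", sv, dv)


def broadcast_domain_hosts(plan, vid):
    """Usable host addresses that hear each other's broadcasts on this VLAN."""
    return plan[vid].num_addresses - 2


if __name__ == "__main__":
    plan = build_plan(SUBNETS)
    for vid, net in plan.items():
        print(f"VLAN {vid}: {net}, {broadcast_domain_hosts(plan, vid)} hosts per broadcast domain")
    print(forwarding_path(plan, "192.168.10.5", "192.168.10.9"))
    print(forwarding_path(plan, "192.168.10.5", "192.168.123.7"))
```

The overlap and duplicate checks are the part worth keeping in a real plan: two subnets on one VLAN, or one subnet spread over two VLANs, is exactly the configuration the reply calls "very dumb", and it is easy to drift into when subnets are added over the years.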

Meson 04-09-2008 02:14 PM

Is it ever useful to use VLANs to span a single subnet across multiple switches? Or is that unnecessary because you can just connect the switches together?

So if I have a large office with a small web server used by the outside world, a data server, mail server, anti virus box, etc, and also ~300 workstations that mostly use the internet, data, and mail servers, which could probably be divided into vlans/subnets of ~20-50, would it make sense to have 5 or 6 workstation vlans, and a server vlan? Or should the data server be on the same subnet/vlan as the workstations?

acid_kewpie 04-09-2008 02:51 PM

a vlan would certainly span across multiple switches, that's one of the main points - a logical separation of a network and the arbitrary pieces of hardware that do the switching. the connections between these switches would be a trunk - check out 802.1q on wikipedia or something like that.

in your example i'd probably have 1 server subnet with a /24 mask and a couple of workstation subnets, split by floor, building, department or something like that. no need to have too many for the sake of it.
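Since the reply points at 802.1Q for the trunk between switches, here is an added Python example (my own illustration, not code from the thread) that builds and parses the 802.1Q tag a trunk port inserts after the source MAC, and models what a switch does with a frame arriving on a trunk: untagged frames go to the native VLAN, tagged frames are accepted only if their VLAN is allowed on that trunk, and the tag is stripped again before delivery to an access port. The MAC addresses and VLAN numbers are constructed sample values.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag follows


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_frame(dst_mac, src_mac, ethertype, payload, vlan_id=None, pcp=0):
    """Ethernet II frame; with vlan_id set, a 4-byte 802.1Q tag (TPID + TCI) is
    inserted between the source MAC and the EtherType, as a trunk port sends it."""
    if vlan_id is not None and not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id must be 1..4094")
    if not 0 <= pcp <= 7:
        raise ValueError("PCP is a 3-bit priority field")
    hdr = _mac_bytes(dst_mac) + _mac_bytes(src_mac)
    if vlan_id is not None:
        tci = (pcp << 13) | vlan_id  # TCI = PCP(3 bits) | DEI(1 bit, left 0) | VID(12 bits)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return dst, src, vlan (None when untagged), pcp, ethertype and payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    off = 12
    vlan = pcp = None
    (etype,) = struct.unpack_from("!H", frame, off)
    if etype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack_from("!HH", frame, off + 2)
        vlan, pcp = tci & 0x0FFF, tci >> 13
        off += 4
    off += 2
    return {"dst": mac_str(dst), "src": mac_str(src), "vlan": vlan,
            "pcp": pcp, "ethertype": etype, "payload": frame[off:]}


def classify_on_trunk(frame, allowed_vlans, native_vlan):
    """VLAN a frame arriving on a trunk port is placed in, or None if the switch
    drops it: untagged frames land in the native VLAN, tagged ones must be allowed."""
    vlan = parse_frame(frame)["vlan"]
    if vlan is None:
        vlan = native_vlan
    return vlan if vlan in allowed_vlans else None


def to_access_port(frame):
    """Strip the tag before handing the frame to an access port; the end host
    never sees 802.1Q headers, which is why VLANs are invisible to it."""
    if parse_frame(frame)["vlan"] is None:
        return frame
    return frame[:12] + frame[16:]


if __name__ == "__main__":
    tagged = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0806,
                         b"\x00" * 28, vlan_id=123, pcp=5)
    print(parse_frame(tagged))
    print("placed in VLAN", classify_on_trunk(tagged, {1, 10, 123}, native_vlan=1))
    print(parse_frame(to_access_port(tagged)))
```

The `classify_on_trunk` rule is the practical reason to prune the allowed-VLAN list on every trunk: a VLAN that is not allowed on a link simply does not exist on the far side, which keeps a department's broadcast traffic off switches that have no ports in that VLAN.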

Meson 04-09-2008 03:22 PM

Well, it's a county building which means there's extreme disorganization. I've helped out a little there and have been trying to come up with some simple solutions to their problems. The main problem is the way government purchasing works. But the equipment they have, even though the service agreements are running out, can still be salvaged. The internet connection itself is actually a T1, a dsl, and cable line (maybe other but I'm not sure). There are also T1 lines running to other satellite offices. I'm not sure but I think internet is provided through those T1's as well.

Luckily most people of similar positions are located in the same area of the building. Having "too many" network segments would help to find bandwidth hogs, etc. Basically each vlan/subnet would be scaled for its traffic to be handled by an old machine running Wireshark.

Also, what about DHCP servers? Do you need one per subnet/vlan or can one exist above all of the lans?

ARC1450 04-09-2008 04:35 PM

A single DHCP server can work for however many subnets you have.

You just have to make sure you have the proper command in place to allow the DHCP broadcast to reach those subnets. On Cisco equipment, this is attained with the "IP Helper" command on your VLAN Interface (or SVI).
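What the ip helper-address relay actually does on the wire is easy to see with a small added Python example (my own, not from this thread or from any vendor). It builds a minimal DHCPDISCOVER as a client would broadcast it, has a relay stamp the `giaddr` field with the address of the VLAN interface (SVI) it arrived on and bump the hop count, and then lets the server pick a scope from `giaddr`; that one field is why a single server can serve every subnet. All addresses, the MAC and the scope list are constructed sample values.

```python
import ipaddress
import struct

FIXED_FMT = "!BBBBIHH4s4s4s4s16s64s128s"  # BOOTP fixed header fields, 236 bytes
FIXED_LEN = struct.calcsize(FIXED_FMT)
MAGIC = b"\x63\x82\x53\x63"                 # DHCP magic cookie after the header
MAX_HOPS = 16                              # relays drop messages past this

# Constructed scopes, one per subnet/VLAN, all served by one DHCP server.
SCOPES = [ipaddress.ip_network(s) for s in ("192.168.10.0/24", "192.168.123.0/24")]


def build_discover(xid, client_mac):
    """DHCPDISCOVER as the client broadcasts it: giaddr 0.0.0.0, hops 0."""
    chaddr = bytes.fromhex(client_mac.replace(":", "")).ljust(16, b"\x00")
    zero = b"\x00" * 4
    fixed = struct.pack(FIXED_FMT,
                        1, 1, 6, 0,            # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops
                        xid, 0, 0x8000,        # xid, secs, flags (broadcast bit)
                        zero, zero, zero, zero,  # ciaddr, yiaddr, siaddr, giaddr
                        chaddr, b"\x00" * 64, b"\x00" * 128)
    options = b"\x35\x01\x01" + b"\xff"       # option 53 = DISCOVER, then END
    return fixed + MAGIC + options


def parse_header(msg):
    """Fields a relay or server cares about."""
    if len(msg) < FIXED_LEN + 4 or msg[FIXED_LEN:FIXED_LEN + 4] != MAGIC:
        raise ValueError("not a DHCP message")
    f = struct.unpack(FIXED_FMT, msg[:FIXED_LEN])
    return {"op": f[0], "hops": f[3], "xid": f[4],
            "giaddr": str(ipaddress.IPv4Address(f[10])),
            "chaddr": ":".join(f"{b:02x}" for b in f[11][:f[2]])}


def relay(msg, relay_iface_ip):
    """What the helper-address relay does: set giaddr to the address of the SVI
    the broadcast arrived on (only if no earlier relay set it), increment hops,
    and forward the message by unicast to the configured server."""
    fields = list(struct.unpack(FIXED_FMT, msg[:FIXED_LEN]))
    if fields[3] >= MAX_HOPS:
        raise ValueError("hop count exceeded, dropping")
    fields[3] += 1
    if fields[10] == b"\x00" * 4:
        fields[10] = ipaddress.IPv4Address(relay_iface_ip).packed
    return struct.pack(FIXED_FMT, *fields) + msg[FIXED_LEN:]


def choose_scope(msg, scopes, server_ip):
    """Server-side scope selection: giaddr names the client's subnet; when it is
    0.0.0.0 the request arrived directly, so the server's own subnet applies."""
    giaddr = parse_header(msg)["giaddr"]
    key = ipaddress.ip_address(server_ip if giaddr == "0.0.0.0" else giaddr)
    for net in scopes:
        if key in net:
            return str(net)
    return None


if __name__ == "__main__":
    discover = build_discover(0x12345678, "00:11:22:33:44:55")
    print("from client:", parse_header(discover))
    relayed = relay(discover, "192.168.123.1")  # SVI address on VLAN 123
    print("after relay:", parse_header(relayed))
    print("server picks scope:", choose_scope(relayed, SCOPES, "192.168.10.2"))
```

Two things follow from the code that matter in practice: the server needs a scope that actually contains the SVI address (the relay address is the lookup key, so a mistyped helper or an SVI outside any scope yields no offer), and because only the first relay fills in `giaddr`, a request that crosses several routers still lands in the scope of the subnet where the client lives.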
