RE: Dual stack IPv6 for IPv4 depletion

["Naslund, Steve" <SNaslund () medline com>]

Yes, and that is a problem.  Usually because it is not granular enough and there are a lot of ways to get onto another 
VLAN (physical access and packet trickery).  It is a pretty weak form of security policy.

Now, if we assume that VLAN based security is weak and that most homes do not generate enough broadcast traffic to be 
an issue, what exactly is the reason that a residential customer needs a lot of VLANs?  Answer, they probably don't.  A 
lot of residential users have a CPE device that does wireless, routing, and DHCP assignments all in one.  No need to 
create a guest VLAN on that type of device.  You simply assign an ACL that keeps the guest from reaching any internal 
IP.  Why would your refrigerator (or car, toaster, TV, whatever) need to be on a separate subnet when the whole point 
is to create a network where all of your stuff communicates?

Us engineers need to make sure we don't generalize that a lot of residential users do to their networks what we do to 
ours.  We MIGHT have a reason for several subnets to simulate different stuff.  I am still waiting for a valid example 
of a residential situation where VLANs are a useful addition.  Oh, and don't even try the QoS argument.  I will tell 
you that LLDP identification of the device and applying QoS policy based on the identification is much more effective 
and transparent to the end user.

Steven Naslund
Chicago IL

> -----Original Message-----
> From: NANOG [mailto:nanog-bounces () nanog org] On Behalf Of Tyler Applebaum
> Sent: Thursday, July 9, 2015 3:38 PM
> To: Naslund, Steve
> Cc: nanog () nanog org
> Subject: RE: Dual stack IPv6 for IPv4 depletion
>
> Do people actually use VLANs for security? It's nice to implement them for organizational purposes and to prevent 
> broadcast propagation.