Sunday, June 29, 2014

VLANs vs Subnets

VLAN vs Subnet

---

Do you want to restrict traffic at layer 2 (switch - VLAN) or layer 3 (firewall - subnet) or both?

Do you need to cut down on broadcast noise (VLAN)?

How much overhead do you want to manage? 

Most VLANs are tied to one subnet, so you will typically see subnets without VLANs but not the opposite.

So if, for example, you want to set up a guest portion of your network and an internal portion for a SOHO, you can set up subnet 1 on the firewall and VLAN 1 on the switch that only works on subnet 1 for guests. Repeat with subnet 2 and VLAN 2 for your internal network.

You could have a DMZ hanging off the firewall that isn't behind the switch or in any VLAN.

A shared printer could hang off the switch without being in any subnet or VLAN. (Just one option, if you want to share the printer between subnets.)

Typically you'd have the device connected to the net (the upstream connection), then the firewall, then the switch, if these are separate devices.

A larger company might have more firewalls between different network segments.

If an APT (hacker) can get onto a device that has permissions in different subnets and VLANs, you're not really segregated.
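A small inventory check for the guest/internal design above, added here as an example (not from the original post): it pairs each VLAN with its subnet and flags hosts that sit in both segments, which is exactly the foothold the APT point is about, plus hosts whose VLAN and address disagree. All hosts, VLAN ids and addresses are constructed for illustration.

```python
"""Segmentation check for the guest/internal design: VLAN 1 + 10.0.1.0/24
for guests, VLAN 2 + 10.0.2.0/24 for the internal network (constructed)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Segment:
    name: str
    vlan: int            # VLAN id on the switch (layer 2)
    subnet: IPv4Network  # subnet on the firewall (layer 3)


@dataclass(frozen=True)
class Host:
    name: str
    vlans: frozenset     # VLANs the host's switch port(s) deliver
    addresses: tuple     # IPv4 addresses configured on the host


def l2_segments(host, segments):
    """Segment names reachable through VLAN membership."""
    return {s.name for s in segments if s.vlan in host.vlans}


def l3_segments(host, segments):
    """Segment names reachable through a configured address."""
    return {s.name for s in segments
            if any(ip_address(a) in s.subnet for a in host.addresses)}


def bridging_hosts(hosts, segments):
    """Hosts in more than one VLAN or subnet: compromising one of these
    (the APT case) makes the guest/internal split meaningless."""
    return sorted(h.name for h in hosts
                  if len(l2_segments(h, segments)) > 1
                  or len(l3_segments(h, segments)) > 1)


def mismatched_hosts(hosts, segments):
    """Hosts whose VLAN and subnet disagree, e.g. a guest-VLAN port
    carrying an internal address, so the VLAN/subnet pairing is broken."""
    return sorted(h.name for h in hosts
                  if l2_segments(h, segments) != l3_segments(h, segments))


# Constructed sample inventory
SEGMENTS = (Segment("guest", 1, ip_network("10.0.1.0/24")),
            Segment("internal", 2, ip_network("10.0.2.0/24")))
HOSTS = (Host("guest-laptop", frozenset({1}), ("10.0.1.20",)),
         Host("file-server", frozenset({2}), ("10.0.2.10",)),
         Host("admin-pc", frozenset({1, 2}), ("10.0.1.5", "10.0.2.5")),
         Host("rogue-port", frozenset({1}), ("10.0.2.40",)))

if __name__ == "__main__":
    print("bridging:", bridging_hosts(HOSTS, SEGMENTS))      # ['admin-pc']
    print("mismatched:", mismatched_hosts(HOSTS, SEGMENTS))  # ['rogue-port']
```

Feed it your real switch port-to-VLAN table and host address list and an empty result for both checks is what "segregated" should look like.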

---

Related Links:

Extensive Q&A; says VLANs are more secure because they are not based on IP.

http://superuser.com/questions/353664/what-is-the-difference-between-a-vlan-and-a-subnet

VLANs and Subnets - 10 things you need to know

http://www.industrial-ip.org/en/industrial-ip/convergence/vlans-and-subnets-10-things-you-need-to-know

VLAN vs Subnet - says VLAN can be hacked but does not expound. Includes configuration.

http://blog.router-switch.com/2014/03/vlan-vs-subnet/

Interesting discussion of segmenting traffic at Layer 2 and 3 - pros and cons of VLANs vs. subnets. Understand your network traffic.

http://serverfault.com/questions/54417/best-way-to-segment-traffic-vlan-or-subnet