VLAN Basic Concept

Some of you are here because you don't know what a VLAN is.  VLAN simply stands for Virtual Local Area Network.  

A VLAN is:
  • LAN independent
  • A broadcast domain
  • A logical network
VLANs do/create:
  • Network Segmentation
  • Security
  • Network Flexibility

On Cisco switches the way each individual port is configured determines how many VLANs the port is capable of supporting.  If the port is configured as an access port it can support only one VLAN; if it is configured as a trunk port it can carry as many VLANs as the device supports.  The port mode is set with the 'switchport mode' command, entered from global configuration mode under each specific interface or a range of interfaces.
Enabling trunk mode and switching to access mode on an interface:

Layer 3 devices (your router) can only support one VLAN per logical interface.  This means that if you have a trunk line from a switch with one end terminating at a router so you can enable inter-VLAN routing, you simply configure sub-interfaces (create logical interfaces) on the physical port that the VLAN trunk is plugged into.  
This picture only creates the logical subinterfaces on Ethernet port 1/0 of router 3; it does not configure them.  A show ip interface brief command will show the subinterfaces after doing this:


Why are VLANs helpful?

Simply put, VLANs allow you to separate network traffic.  In real world scenarios this can separate VoIP (voice over IP) networks from data networks that are traveling over the same physical infrastructure, or it could allow POS (point of sale) traffic to be separated from other traffic.

The first example is important because VoIP traffic requires QoS (Quality of Service) to be implemented for traffic management so that your VoIP traffic gets the bandwidth and priority it needs; in this implementation of a VLAN your VoIP traffic is differentiated by its VLAN tag/association and it can be dealt with accordingly.  Have you ever been on a call from your office phone or to someone's physical office phone and the audio either kept cutting out or sounded like it was improperly modulated?  There could be many reasons for this, but the most common is poor network implementation/planning when using VoIP systems.

Do you ever go to the coffee shop down the street and sit there using their free WiFi?  Do you think they process credit cards over the same internet connection?  The truth of it is that they probably shouldn't for PCI compliance reasons and general network security, but most coffee shops probably do.  If they do and the POS systems are not running on a separate VLAN, I could go into the coffee shop, start my laptop, connect to the WiFi and then start sniffing network packets.  Even if credit card data was encrypted, I know enough about technology to know that I would not want those encrypted packets falling into a cyber criminal's hands.  

VLANs can also allow large businesses to segment and organize their network traffic.  For instance you could have a VLAN called Accounting and a VLAN called Sales.  From this point everyone in Sales would be on the VLAN named Sales and everyone in Accounting would be on the Accounting VLAN.  This ensures that accounting resources such as the MAS90 server are not accessible or even visible to those in Sales.  This adds a layer of security: if one of your field sales reps puts a virus-infected laptop on the work network, it will be more difficult for that virus to migrate to your accounting servers.  It also keeps disgruntled employees from trying to manipulate the server, since by and large they will not have access to it. 

These are just a few scenarios and do not go into detail on any of the important concepts of bandwidth or security, but they give you a general idea of how VLANs can help improve network traffic management and security.

Keep in mind:  
  • You CANNOT communicate VLAN to VLAN without routing the traffic between them.  This can be done in a router or even a multi-layer switch.
  • The dot1q (802.1Q) VLAN tag is added to the Ethernet frame header so a router can route the packet.
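As an added example (not from the original post), here is a small Python parser for the 802.1Q tag mentioned above: it reads the tag a trunk adds to the Ethernet header, including the priority bits that VoIP QoS relies on, and tells untagged access-port traffic from tagged trunk traffic.  The frames it runs on are constructed sample data, not captures.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag
TPID_8021AD = 0x88A8  # service tag used when frames are double-tagged (QinQ)


def build_tagged_frame(dst, src, vlan, pcp, ethertype, payload):
    """Build an 802.1Q-tagged Ethernet frame (used only to make sample data)."""
    tci = (pcp << 13) | (vlan & 0x0FFF)  # 3-bit priority, DEI left at 0, 12-bit VLAN ID
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame):
    """Return the VLAN tags and inner EtherType of an Ethernet frame.

    Untagged frames (what an access port sends) come back with an empty tag
    list; tagged frames (what crosses a trunk) list every 802.1Q/802.1ad tag
    in outer-to-inner order.
    """
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[0:6], frame[6:12]
    offset = 12  # position of the EtherType (or of the first tag's TPID)
    tags = []
    ethertype = struct.unpack_from("!H", frame, offset)[0]
    while ethertype in (TPID_8021Q, TPID_8021AD):
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        # 2 bytes TCI follow the TPID, then the next EtherType (or another TPID)
        tci, ethertype = struct.unpack_from("!HH", frame, offset + 2)
        tags.append({"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
    return {"dst": dst, "src": src, "tags": tags,
            "ethertype": ethertype, "payload": frame[offset + 2:]}


def outer_vlan(frame):
    """VLAN the frame belongs to on the wire, or None if it is untagged
    (an untagged frame arriving on a trunk lands in the native VLAN)."""
    tags = parse_frame(frame)["tags"]
    return tags[0]["vid"] if tags else None


# Constructed sample: a VoIP frame on VLAN 20 with priority 5, carrying IPv4.
# MAC addresses are from the IANA documentation range 00-00-5E-00-53-xx.
SAMPLE_VOIP_FRAME = build_tagged_frame(
    bytes.fromhex("00005e0053aa"), bytes.fromhex("00005e0053bb"),
    vlan=20, pcp=5, ethertype=0x0800, payload=b"\x45" + b"\x00" * 19)
```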
