What are VLANs?

Virtual Local Area Networks, or VLANs, are groups of devices on a LAN that are configured to communicate as if they were attached to the same wire. A VLAN is a broadcast domain: a group of devices that can reach each other with a broadcast message. VLANs let you break one physical switch into multiple virtual switches. Traffic placed in a VLAN is segmented from all other traffic, and it cannot pass directly from one VLAN to another without a router or an SVI (Switched Virtual Interface) on a layer 3 switch. Imagine your company, xyz inc., has three departments and its devices are spread across multiple buildings. You don't want users in any one department to be able to communicate with the other departments. You can accomplish this with three distinct VLANs. Without VLANs, you would need a separate physical switch for each department to achieve the same segmentation.

VLANs are associated with IP networks. For example, all hosts on network 192.168.1.0/24 are part of the same VLAN. In a switched network, a VLAN is assigned to an access port to add that port to the broadcast domain. For other switches to know how to forward traffic for a VLAN, the traffic has to be tagged as it leaves one switch and enters the next. This tag carries a 12-bit identifier known as the VLAN ID. A 12-bit field has 2^12 = 4096 possible values, but IDs 0 and 4095 are reserved, which is why a switch shows only 4094 possible VLANs: the VLAN ID range is 1-4094. To extend VLANs across switches you need to know the difference between access ports and trunk ports. An access port belongs to a single VLAN; a trunk port carries multiple VLANs. A trunk port tags each frame that leaves it (except frames in the native VLAN, which leave untagged; see below). For this to work the switch keeps a table that maps each device (MAC address) to the VLAN and interface it belongs to. This is known as the TCAM table and contains MAC addresses, VLANs, interfaces, etc. Each time you manually configure a port as an access port, you associate that port with a single VLAN.

# configure terminal
(config)# interface gi0/1
(config-if)# switchport mode access
(config-if)# switchport access vlan 25
(config-if)# interface gi0/2
(config-if)# switchport mode trunk

So what happens when a trunk port sends or receives traffic that carries no VLAN tag? This is the purpose of the native VLAN. Untagged traffic sent or received on a trunk is treated as belonging to the native VLAN. To associate untagged traffic with a VLAN, configure the native VLAN on the trunk interface. The native VLAN should match on both ends of a trunk; otherwise untagged frames land in a different VLAN on each side.

(config)# interface gi0/2
(config-if)# switchport trunk native vlan 10

I should mention that the standard for tagging traffic is IEEE 802.1Q, often called "dot1q" by those who live at the packet layer.
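To make the tag format and the access/trunk/native rules above concrete, here is an added example (not code from the original post) that parses and builds 802.1Q-tagged Ethernet frames and decides which VLAN a received frame lands in on the gi0/1 access port and gi0/2 trunk configured above. The port dictionaries, MAC addresses and allowed-VLAN set are constructed for the example; the "drop tagged frames for other VLANs on an access port" rule is an assumption about switch behaviour.

```python
import struct

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag
RESERVED_VIDS = {0, 4095}    # a 12-bit field has 4096 values; these two are reserved, leaving 1-4094

def parse_frame(frame):
    """Split an Ethernet frame into (dst, src, vid, ethertype, payload).
    vid is None when the frame carries no 802.1Q tag (untagged)."""
    if len(frame) < 14:
        raise ValueError("too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return dst, src, None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("802.1Q tag truncated")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF       # low 12 bits of the TCI are the VLAN ID (top 3 bits PCP, 1 bit DEI)
    return dst, src, vid, inner_type, frame[18:]

def build_frame(dst, src, ethertype, payload, vid=None):
    """Build a frame; giving a vid inserts a dot1q tag the way a trunk port does on egress."""
    tag = struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) if vid is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload

def ingress_vlan(frame, port):
    """Return the VLAN a received frame is placed in, or None if the switch drops it.
    port is {"mode": "access", "vlan": N} or {"mode": "trunk", "native": N, "allowed": {...}}."""
    vid = parse_frame(frame)[2]
    if port["mode"] == "access":
        # an access port belongs to one VLAN; frames tagged for any other VLAN are dropped (assumption)
        return port["vlan"] if vid in (None, port["vlan"]) else None
    if vid is None:
        return port["native"]        # untagged on a trunk -> native VLAN
    if vid in RESERVED_VIDS or vid not in port["allowed"]:
        return None                  # reserved ID, or VLAN not allowed across this trunk
    return vid

# constructed sample values, not captured traffic
DST, SRC = bytes.fromhex("ffffffffffff"), bytes.fromhex("0211223344aa")
ACCESS_GI0_1 = {"mode": "access", "vlan": 25}
TRUNK_GI0_2 = {"mode": "trunk", "native": 10, "allowed": {10, 20, 25}}

if __name__ == "__main__":
    untagged = build_frame(DST, SRC, 0x0806, b"arp")
    tagged30 = build_frame(DST, SRC, 0x0800, b"ip", vid=30)
    print(ingress_vlan(untagged, ACCESS_GI0_1), ingress_vlan(untagged, TRUNK_GI0_2))  # 25 10
    print(ingress_vlan(tagged30, ACCESS_GI0_1), ingress_vlan(tagged30, TRUNK_GI0_2))  # None None
```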
