7

Every time I try reading about the configuration of a device and adding it to the network, I always face a problem. The problem is basically that I am not able to understand VLANs, and how, for example, some companies use them: to move Voice over IP through VLAN (for example) 100. What comes to my head is: what is connected to that VLAN (physically)? Is it only phones that carry Voice over IP traffic, or other devices? And one more example: some companies use a single VLAN as a whole to move trunk traffic or management traffic. I am not able to understand how that is done, and I ask questions to myself again and again, like: what is connected to it (the VLAN)? How can they only move trunk traffic? (And my knowledge tells me that a trunk port is a port (not a VLAN) that carries tagged traffic between 2 switches (supposing that 2 switches are the only ones in the network).)

2 Answers

8

A broadcast domain / L2 segment / VLAN has several weaknesses and is prone to a number of attack vectors, most importantly:

  • any host can directly talk to any other host
  • broadcasts from any host reach every other host
  • ARP spoofing / cache poisoning
  • a rogue DHCP server can disrupt, intercept or manipulate traffic

A network designer's goals include increasing network efficiency and limiting or even disabling those attack vectors by

  • reducing size of broadcast domains
  • reducing node count in a segment/broadcast domain
  • separating traffic zones for security reasons - nodes in one VLAN cannot simply communicate with nodes in another VLAN, they require a router where unwanted communication may be blocked
  • separating traffic for prioritization reasons (QoS)
  • utilizing redundant links in per-VLAN spanning tree scheme (MSTP or RPVST)

Communication between VLANs requires the use of a routable protocol like IP and of course, a router/gateway between the VLANs. The router is the point where you can control all inter-VLAN traffic.

VLANs work by logically partitioning a single physical infrastructure.

With port-based VLANs, think of each VLAN as a single switch (or switch group), without requiring extra hardware.

Each port is logically connected to one of the VLANs = one of the imaginary switches. Only devices connected to the same VLAN or virtual switch can talk to each other directly.

Instead of running a separate cable for each VLAN between two switches, you can use a VLAN trunk port: on the wire, each transmitted frame is tagged with its VLAN ID. The VLAN ID tells the receiving switch where the frame belongs. (One of the VLANs - the "native" one - can remain untagged but both switches need to agree on that).

Tagged VLANs are sometimes used on servers as well - that way a server that needs to attach to several VLANs can reduce its physical NIC count.

VLANs can be interfaced with in three ways:

  • without tags, using a port-based ("native") VLAN (used on hosts)
  • using tags, as a VLAN subinterface of a physical port (used on routers or sometimes servers)
  • using tags, as a switch virtual interface (SVI) independent of physical interfaces (used on switches)
Zac67
  • Okay, that is understood. But what does an admin mean when he says "I'm moving all my VoIP over this VLAN"? Or when he says "I'm moving my management traffic over this other specific VLAN"? Can you please elaborate? It is confusing me; I am not able to understand the end devices that they are talking about. – Saif Ahmed Yassen Mar 26 '18 at 11:06
  • I've expanded my answer above, hope that helps. – Zac67 Mar 26 '18 at 11:13
5

Before VLANs, we used to do it like this:

  • Use separate sets of switches for each area (servers, desktops, whatever)
  • Keep those LANs completely distinct (different IP address ranges and no wires in between)
  • Bundle several ethernet cables with cable ties, and plug all the LANs into separate interfaces of the router, which routes between the different LANs and distant networks

Now it's been virtualised

  • Switches can be partitioned so that given sockets are on particular VLANs
  • A bundle of cables is now a trunk, and the label on the cable has been replaced by a 'tag' on each ethernet frame

All the varieties of use you might imagine are possible:

  • (Some) switches are able to add the tag to a frame depending on the incoming ethernet address
  • (Some) switches use other information (such as Cisco Discovery Protocol) to decide that a particular (Ethernet) host is a phone, and put its frames onto a VLAN nominated for voice
  • There is complexity in deciding what to do if some frames arrive without a tag on an interface which expects them (they go in a default VLAN)
  • (Some) switches allow very complex rules for traffic on given ports and methods for assigning those permissions.
jonathanjo
  • Okay, that is understood. But what does an admin mean when he says "I'm moving all my VoIP over this VLAN"? Or when he says "I'm moving my management traffic over this other specific VLAN"? Can you please elaborate? It is confusing me; I am not able to understand the end devices that they are talking about. – Saif Ahmed Yassen Mar 26 '18 at 11:06
  • It's simply that there's a LAN which is used solely for voice, and a LAN which is solely for management traffic (i.e. SSH, SNMP, etc. for configuration). Keeping traffic separate has performance benefits (notable for voice traffic) and security benefits (notable for management). – jonathanjo Mar 26 '18 at 11:13
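Taking the two answers together (Zac67's port-based VLANs, trunk tagging, native VLAN and per-VLAN isolation; jonathanjo's voice VLAN for phones and the default VLAN for untagged frames), the following is an added example written for this page, not code from either answer or from any switch vendor. It models one switch in Python: frames are built and parsed with a real 802.1Q tag (TPID 0x8100 followed by a 16-bit TCI holding a 3-bit priority, 1-bit DEI and 12-bit VLAN ID), each port classifies incoming frames into a VLAN, MAC learning and flooding are scoped to that VLAN, and the egress port decides whether the frame leaves tagged or untagged. The port names (Gi1, Gi2, Gi3, Gi24), the VLAN numbers (10 for PCs, 20 for a server, 100 for voice, 1 as the trunk's native VLAN), the MAC addresses and the payloads are all constructed for the demonstration; the voice-VLAN behaviour (phone sends tagged, the PC behind it sends untagged) is a simplification of what real switches do, not a vendor's exact rules.

```python
import struct
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

ETH_P_8021Q = 0x8100       # TPID announcing that an 802.1Q tag follows
ETH_P_IP = 0x0800          # EtherType of the (constructed) payload
BROADCAST = "ff:ff:ff:ff:ff:ff"


def build_frame(dst: str, src: str, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Ethernet II frame; with vid set, a 4-byte 802.1Q tag (TPID + TCI with
    3-bit priority, 1-bit DEI, 12-bit VLAN ID) is inserted after the source MAC."""
    frame = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        frame += struct.pack("!HH", ETH_P_8021Q, (pcp << 13) | (vid & 0x0FFF))
    return frame + struct.pack("!H", ETH_P_IP) + payload


def parse_frame(frame: bytes) -> Tuple[str, str, Optional[int], int, bytes]:
    """Return (dst, src, vid or None if untagged, pcp, payload)."""
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETH_P_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        return dst, src, tci & 0x0FFF, tci >> 13, frame[18:]   # skip tag + EtherType
    return dst, src, None, 0, frame[14:]


@dataclass(frozen=True)
class Port:
    name: str
    mode: str                               # "access" or "trunk"
    pvid: int                               # access VLAN, or the native (untagged) VLAN of a trunk
    voice_vid: Optional[int] = None         # tagged auxiliary voice VLAN on an access port
    allowed: FrozenSet[int] = frozenset()   # VLANs permitted on a trunk

    def carries(self, vid: int) -> bool:
        if self.mode == "access":
            return vid in (self.pvid, self.voice_vid)
        return vid in self.allowed

    def ingress_vlan(self, vid: Optional[int]) -> Optional[int]:
        """Classify a received frame; None means the switch drops it."""
        if vid is None:
            return self.pvid                 # untagged frames land in the access/native VLAN
        return vid if self.carries(vid) else None

    def egress_vid(self, vlan: int) -> Optional[int]:
        """Tag to put on the wire: the access/native VLAN leaves untagged."""
        return None if vlan == self.pvid else vlan


class Switch:
    """Port-based VLAN switch: MAC learning and flooding are scoped to a VLAN."""

    def __init__(self, ports: List[Port]) -> None:
        self.ports: Dict[str, Port] = {p.name: p for p in ports}
        self.mac_table: Dict[Tuple[int, str], str] = {}   # (vlan, mac) -> port name

    def receive(self, in_port: str, frame: bytes) -> Dict[str, bytes]:
        """Process one frame; return {out_port: frame as it appears on that wire}."""
        port = self.ports[in_port]
        dst, src, vid, pcp, payload = parse_frame(frame)
        vlan = port.ingress_vlan(vid)
        if vlan is None:
            return {}                                      # VLAN not allowed on this port
        self.mac_table[(vlan, src)] = in_port              # learn the source, per VLAN
        learned = self.mac_table.get((vlan, dst))
        if learned is None:                                # unknown/broadcast: flood within the VLAN only
            targets = [n for n, p in self.ports.items() if n != in_port and p.carries(vlan)]
        else:
            targets = [learned] if learned != in_port else []
        return {n: build_frame(dst, src, payload, self.ports[n].egress_vid(vlan), pcp)
                for n in targets}


def demo() -> Dict[str, Dict[str, Optional[int]]]:
    """Constructed scenario: data VLAN 10, server VLAN 20, voice VLAN 100, native 1."""
    sw = Switch([
        Port("Gi1", "access", pvid=10),                   # a PC
        Port("Gi2", "access", pvid=10, voice_vid=100),    # IP phone with a PC plugged in behind it
        Port("Gi3", "access", pvid=20),                   # a server
        Port("Gi24", "trunk", pvid=1, allowed=frozenset({1, 10, 20, 100})),  # uplink to next switch
    ])
    pc1, pc2 = "00:00:00:00:00:01", "00:00:00:00:00:02"     # constructed MACs
    phone, srv = "00:00:00:00:01:00", "00:00:00:00:00:20"

    def tags(out: Dict[str, bytes]) -> Dict[str, Optional[int]]:
        return {n: parse_frame(f)[2] for n, f in out.items()}   # out port -> tag on that wire

    r = {}
    r["pc_broadcast"] = tags(sw.receive("Gi1", build_frame(BROADCAST, pc1, b"arp")))
    r["phone_broadcast"] = tags(sw.receive("Gi2", build_frame(BROADCAST, phone, b"rtp", vid=100, pcp=5)))
    r["server_broadcast"] = tags(sw.receive("Gi3", build_frame(BROADCAST, srv, b"arp")))
    r["disallowed_on_trunk"] = tags(sw.receive("Gi24", build_frame(BROADCAST, srv, b"x", vid=30)))
    r["unicast_reply"] = tags(sw.receive("Gi2", build_frame(pc1, pc2, b"reply")))
    return r


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running it shows what the answers describe: the PC's broadcast on VLAN 10 reaches the other VLAN 10 access port untagged and the trunk tagged with 10, but never the VLAN 20 server port, which is why the two VLANs need a router to talk at all; the phone's tagged voice frames leave only via the trunk, tagged 100, because no other port carries the voice VLAN; a frame arriving on the trunk with a VLAN ID outside its allowed list is dropped; and once a MAC is learned, a unicast reply goes out a single port. Adding a second Switch on the far end of Gi24 with the same trunk definition would carry all four VLANs over one cable, which is the "bundle of cables replaced by a tag" picture from the second answer.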