I use one physical switch and I logically keep those customers isolated from one another.
VLANs are extremely useful when we build networks.
It's good for isolating different types of traffic.
Separate broadcast domain defined in software
A broadcast domain basically:
If I shout, who hears me?
I send a message to a broadcast address (an Ethernet address that's all Fs, an IPv4 address that's all 255s, 255.255.255.255), and that message is for everybody, everybody inside of my broadcast domain.
Once you get to a router, the router hears the broadcast but it doesn't forward it to another network. Broadcasts don't get forwarded.
Each VLAN is a separate broadcast domain.
We can eliminate excessive broadcast or multicast traffic by creating different VLANs and putting different types of devices in each of those VLANs.
Typically one subnet per VLAN
Almost all the time, because in order to route from one network to another, we're doing it based on IP addresses.
VLAN Configuration Requirements
Requires a managed switch
Managed switch options:
Smart switch (GUI)
Low-cost simple switches usually have GUI only
Easy interface, manage it through a browser.
Command line interface (CLI)
Sit down and type what you want to happen.
Experience required, but more efficient, reliable and scalable.
You can make things that are scriptable.
Accessible via Telnet, SSH, or the physical console port.
Software-Defined Networking (SDN)
Use of Application Programming Interfaces (APIs), so that you can write an application on one hand that talks to network equipment on the other. All physical equipment reports back to a single controller, and that controller tells those devices what to do, through software.
Trunk ports and access ports
Access ports go to users, servers, or other end devices.
Trunk ports go to other switches, routers, firewalls, WAPs, etc. depending on how our network is set up.
Trunk vs Access Ports
Access ports: can be assigned to different VLANs.
These hosts no longer talk to one another. They are all attached to the same switch, but the switch ports are assigned to different VLANs, so it's almost as if the data were on separate hard drives.
Trunk ports: when we want to pass the traffic from those 3 computers on the left to the other switch on the right, we use a link called a trunk link.
A trunk link is a wire that goes from one switch to another.
The idea of a trunk is that it carries ALL VLANs, so VLANs from the three hosts attached to the left switch (ex: VLAN 10, 20, 30) can all cross that wire at the same time.
The other switch on the right knows which one is which.
As frames come in to the switch on the left, the switch looks at them and understands that it needs to send those frames to the other switch on the right. When this happens, the switch adds something called a tag, which is just an additional header inserted into the frame, that says, for example, "this is from VLAN 10".
So when these tagged frames cross that trunk link to the other switch, that switch receives them and understands which frames are from which VLAN, then removes the tag and allows the frame to reach the ports in VLAN 10, for example.
Maybe this second switch performs a routing function and allows them to talk to hosts inside of an entirely different network, for example the two hosts attached to that switch in VLAN 40 and VLAN 50.
Normally you wouldn't be able to get from 10 to 50; you'd have to talk to your gateway, and your gateway is responsible for moving your traffic over to 50, and from 50 back to 10. In order to do that, we would use a router or a layer 3 switch, and that provides connectivity between VLANs.
If you've got IP routing enabled and IP addresses on the interfaces, everybody can talk. If you want to prohibit that, we can restrict it using an access control list (ACL).
Inter-VLAN Routing
Suppose we have VLANs 10, 20, 30
If they connect to a layer 2 switch (which does not do any routing), we could then connect that switch to a router.
The router is layer 3; it's forwarding between IP addresses.
The switch is layer 2; it's forwarding frames between MAC addresses.
What happens is that, for example, a host on VLAN 10 wants to get to VLAN 20. By looking at the destination IP address it goes: "oh, VLAN 20, that's on a different network than I am, let me send the traffic to the gateway".
The gateway is going to see the destination and say, "oh, that destination? That's actually on VLAN 20, let's go ahead and forward it back out the trunk link". So when the traffic goes in it has a tag FROM VLAN 10; when it goes back out, it has a tag FOR VLAN 20. Again this is thanks to the trunk: it is a tagged link that carries all the VLANs from the switch over to the router.
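To make the tagging and the "tag FROM VLAN 10 in, tag FOR VLAN 20 out" behaviour concrete, here is an added example (not from these notes or any vendor's code) that models an 802.1Q tag on a trunk link and a router on a stick. The MAC addresses, the two subnets, the subinterface table and the ARP entry are constructed sample values; the IPv4 header is a minimal one with the checksum left at zero, which is enough to show the routing decision but is not a complete router.

```python
# Added example (not from these notes): a toy model of 802.1Q tagging on a trunk
# link and of a router on a stick that moves a frame from VLAN 10 to VLAN 20.
# All MAC addresses, subnets and the ARP table below are constructed sample values.
import ipaddress
import struct

TPID_8021Q = 0x8100      # EtherType value announcing that an 802.1Q tag follows
ETHERTYPE_IPV4 = 0x0800


def mac(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst_mac, src_mac, ethertype, payload):
    """Untagged Ethernet II frame: dst(6) src(6) type(2) payload."""
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ethertype) + payload


def ipv4_header(src_ip, dst_ip, ttl=64, proto=6):
    """Minimal 20-byte IPv4 header; checksum left at zero, enough for a routing decision."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0,
                       ipaddress.ip_address(src_ip).packed,
                       ipaddress.ip_address(dst_ip).packed)


def tag_frame(frame, vid, pcp=0, dei=0):
    """What the left switch does on the trunk: insert TPID + TCI after the source MAC."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = (pcp << 13) | (dei << 12) | vid     # 3-bit priority, 1-bit DEI, 12-bit VLAN ID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_frame(frame):
    """What the right switch does: read the tag (if any) to learn which VLAN the frame is from."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vid, offset = None, 14
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        vid = tci & 0x0FFF
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    return {"dst": frame[0:6], "src": frame[6:12], "vid": vid,
            "ethertype": ethertype, "payload": frame[offset:]}


def untag_frame(frame):
    """Strip the tag before handing the frame to an access port / host."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return frame
    return frame[:12] + frame[16:]


# Constructed router on a stick: one trunk, one subinterface per VLAN, one subnet per VLAN.
SUBINTERFACES = {10: ipaddress.ip_network("10.0.10.0/24"),
                 20: ipaddress.ip_network("10.0.20.0/24")}
GATEWAY_MAC = "00:00:5e:00:01:01"                    # constructed gateway MAC
ARP_TABLE = {"10.0.20.25": "02:00:00:00:00:20"}      # constructed: IP -> MAC learned via ARP


def route_on_a_stick(tagged_frame):
    """Take a frame that arrived tagged FROM one VLAN; return it tagged FOR the destination VLAN."""
    f = parse_frame(tagged_frame)
    if f["vid"] not in SUBINTERFACES or f["dst"] != mac(GATEWAY_MAC):
        return None                      # unknown subinterface, or not addressed to the gateway
    if f["ethertype"] != ETHERTYPE_IPV4:
        return None
    ip_dst = ipaddress.ip_address(f["payload"][16:20])
    out_vid = next((vid for vid, net in SUBINTERFACES.items() if ip_dst in net), None)
    next_hop = ARP_TABLE.get(str(ip_dst))
    if out_vid is None or next_hop is None:
        return None                      # no route, or no ARP entry for the destination host
    header = bytearray(f["payload"][:20])
    header[8] -= 1                       # routers decrement TTL (checksum not recomputed here)
    plain = build_frame(next_hop, GATEWAY_MAC, ETHERTYPE_IPV4, bytes(header) + f["payload"][20:])
    return tag_frame(plain, out_vid)


def demo():
    """Host in VLAN 10 sends to a host in VLAN 20 via the gateway; returns (vid in, vid out)."""
    frame = build_frame(GATEWAY_MAC, "02:00:00:00:00:10", ETHERTYPE_IPV4,
                        ipv4_header("10.0.10.5", "10.0.20.25"))
    inbound = tag_frame(frame, 10)
    outbound = route_on_a_stick(inbound)
    return parse_frame(inbound)["vid"], parse_frame(outbound)["vid"]


if __name__ == "__main__":
    print(demo())   # (10, 20)
```

The four bytes inserted after the source MAC are the whole tag: the switch on the other end only needs the low 12 bits of the TCI to know which VLAN the frame belongs to, and an access port hands the host the frame with those four bytes removed. A frame that arrives tagged with a VLAN the router has no subinterface for is simply dropped, which is why the subinterface table doubles as a list of which VLANs are allowed to reach the gateway.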
"Firewall on a stick"
Suppose:
Web Server: VLAN 11
Mail Server: VLAN 21
DNS Server: VLAN 31
At this point none of the servers can talk to each other (they are all isolated), but we can tell all of them to go to the firewall, so that would be their gateway.
If you want them to talk to one another, for example your Web server needs to send out alerts using the Mail server, I can create a rule in my firewall. The rules that we create for traffic flow are typically an Access Control List (ACL).
When you create your ACL, it is very restrictive: it says deny all traffic.
You configure it to permit the Web server to talk to the Mail server.
The actual syntax for the ACL is gonna depend on your vendor; there are open source and proprietary firewall solutions.
Each of them has different rule sets for how access lists work.
Typically deny is the default behavior, so you have to create explicit permit statements.
Through the use of VLANs on the switch, the traffic is isolated. If you want to route to other VLANs you can use a router or a firewall; firewalls can also do more granular control.
Layer 3 Switches
"This is really where most routing occurs"
If you want to go from one VLAN to another, you'll be able to do it in the same switch; you do not have to go out to a separate router just to come back into another VLAN.
Layer 3 Forwarding = Routing
If I want to perform filtering using an ACL, I can filter at layer 2, based on MAC addresses; at layer 3, based on IP addresses; and at layer 4, based on port numbers.
Filtering can occur all the way up to layer 4.
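The "firewall on a stick" policy above (Web server may send alerts to the Mail server, everything else denied) and the layer 2 / 3 / 4 filtering described here are both shown by this added example, which is not from these notes and does not use any vendor's ACL syntax. It is a first-match ACL evaluator with the implicit deny at the end; the server addresses, MACs and the sample traffic are constructed values. The last sample packet carries the Web server's IP with a different source MAC, to show what the layer 2 match adds on top of the layer 3 one.

```python
# Added example (not from these notes): a small first-match ACL evaluator with the
# implicit "deny all" at the end, matching at layer 2 (MAC), layer 3 (IP) and layer 4
# (protocol and port). Servers, addresses and the sample traffic are constructed values.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str                       # "permit" or "deny"
    src: str = "any"                  # source network, e.g. "10.0.11.0/24", or "any"
    dst: str = "any"                  # destination network or "any"
    proto: str = "any"                # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None       # layer 4 destination port, None = any
    src_mac: Optional[str] = None     # layer 2 source MAC, None = any


def _in_net(ip, net):
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def matches(rule, pkt):
    """True when every field the rule specifies agrees with the packet."""
    return (_in_net(pkt["src_ip"], rule.src)
            and _in_net(pkt["dst_ip"], rule.dst)
            and rule.proto in ("any", pkt["proto"])
            and rule.dport in (None, pkt.get("dport"))
            and rule.src_mac in (None, pkt.get("src_mac", "").lower()))


def evaluate(acl, pkt):
    """First matching rule wins; no match falls through to the implicit deny."""
    for index, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, index
    return "deny", None


# Constructed "firewall on a stick" policy: Web (VLAN 11) may send mail to the Mail
# server (VLAN 21); anyone may query the DNS server (VLAN 31); everything else is denied.
WEB_MAC = "02:00:00:00:00:11"
ACL = [
    Rule("permit", src="10.0.11.10/32", dst="10.0.21.10/32", proto="tcp", dport=25, src_mac=WEB_MAC),
    Rule("permit", src="any", dst="10.0.31.10/32", proto="udp", dport=53),
]

# Constructed sample traffic as the firewall would see it arriving over the trunk.
SAMPLE_TRAFFIC = [
    {"src_mac": WEB_MAC, "src_ip": "10.0.11.10", "dst_ip": "10.0.21.10",
     "proto": "tcp", "dport": 25},                                      # Web -> Mail alert
    {"src_mac": "02:00:00:00:00:21", "src_ip": "10.0.21.10", "dst_ip": "10.0.11.10",
     "proto": "tcp", "dport": 80},                                      # Mail -> Web (no rule)
    {"src_mac": "02:00:00:00:00:21", "src_ip": "10.0.21.10", "dst_ip": "10.0.31.10",
     "proto": "udp", "dport": 53},                                      # Mail -> DNS query
    {"src_mac": "02:00:00:00:00:99", "src_ip": "10.0.11.10", "dst_ip": "10.0.21.10",
     "proto": "tcp", "dport": 25},                                      # Web's IP, wrong MAC
]


def audit(acl, packets):
    """Evaluate each packet; return the decisions plus a log line for everything denied."""
    decisions, log = [], []
    for pkt in packets:
        action, index = evaluate(acl, pkt)
        decisions.append(action)
        if action == "deny":
            rule_id = "implicit" if index is None else str(index)
            log.append(f"DENY {pkt['src_ip']} -> {pkt['dst_ip']} "
                       f"{pkt['proto']}/{pkt.get('dport')} rule={rule_id}")
    return decisions, log


if __name__ == "__main__":
    decisions, log = audit(ACL, SAMPLE_TRAFFIC)
    print(decisions)          # ['permit', 'deny', 'permit', 'deny']
    print("\n".join(log))
```

Because the default is deny, adding a server means writing a permit line for exactly the flows it needs and nothing more; the deny log is where a misconfigured or unexpected flow shows up first, so it is worth keeping even though the traffic never got through.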
Virtual Switches
Now instead of 3 different VLANs, we have 3 different virtual machines, for example.
VMs will have rules about how they interact with the network, and those rules are implemented on a vSwitch.
It gives us the ability to take each of these VMs and put each of them on a different VLAN.
When the traffic leaves the virtual switch, that switch is gonna do tagging, just like a physical switch.
These switches are typically gonna be defined by the hypervisor.
A hypervisor is installed on the physical host OS and serves to allocate/partition memory to each VM.
Examples of hypervisors: Hyper-V, VMware, Citrix, etc.
Some of them allow you to change the vSwitch to another company's vSwitch, such as Cisco's.
With this, virtual machines carry the same levels of isolation as physical hosts.