[WINNERS ANNOUNCED] Community Challenge: VLAN Explained

Community Manager

MerakiCommunity-CommunityChallenge


UPDATE Mon, June 24: Congratulations to the winners! Read the announcement.

 

UPDATE Mon, June 24: Voting is closed, stay tuned for the announcement of the winners!

 

UPDATE Weds, June 19: We have been blown away by the number of entries for this challenge, all of them showing such compassion for Carl and patience in helping him understand! Because we have so many entries to consider, we're extending the voting deadline until Monday June 24th at 10:59am. So be sure to take a look at all of the entries and kudo your favorites before Monday!

 

UPDATE Mon, June 17: Submissions have ended for this challenge! Now is your time to vote. Remember, we will have two winners — one chosen by the most kudos received and one selected by our panel of Meraki judges. So cast your vote by giving kudos to your favorite entries and we'll announce both winners on Friday, June 21st at 11am PDT.


Virtual local area networks, or VLANs if you ain’t got time for that, are critical components for simplifying network deployments through segmentation. Despite their abundant merits, it can be tricky to inspire appreciation in a lay-person, say, Carl from Finance.

 

For this month’s challenge, we’re asking you to explain, in the simplest possible terms, the concept of and benefits to utilizing VLANs. Your audience, let’s carry on with Carl, is intelligent, but non-technical and completely at sea when it comes to networking. You can use whatever media, analogies, or hyperbole necessary to help Carl understand.

 

The winners will receive stylish grey Cisco Meraki backpacks:

 

[image: Cisco Meraki backpack]

 

How to enter

Submit your contest entry in a comment on this blog post before 11 a.m. PDT on Monday (June 17th, 2019). Entries won’t be made public until voting starts. After you submit your entry, you’ll see a message reading “Your post will appear as soon as it is approved.”

 

How to win

Voting begins when submissions close (at 11 a.m. PDT on Monday, June 17th, 2019), and continues to the end of the work week. Voting closes at 11 a.m. PDT on Friday, June 21st, 2019.

 

We will be selecting 2 winners:

 

  1. The Community Favorite — chosen by you, our Community members. Cast your vote by giving kudos to your favorite entries. The entry with the most kudos from community members who aren't Meraki employees will win!
  2. The Meraki Favorite — a panel of experts here at Meraki will select the Meraki Favorite prize.

 

The Fine Print

  • Limit one entry per community member.
  • Submission period: Tuesday, June 11th, 2019 at 11am PDT through Monday, June 17th, 2019 at 10:59am PDT
  • Voting period: Monday, June 17th, 2019 at 11am PDT through Friday, June 21st, 2019 at 11am PDT
  • Prize will be a selection of Meraki swag with value not exceeding USD 50.00
  • Official terms, conditions, and eligibility information
138 Comments
New here

Imagine you and I are going to share a milkshake. It just makes sense for us to each have our own straws. It’s clean, efficient and easy to see who is doing what. VLAN to Network = Straw to Milkshake 🙂

 

”I drink your milkshake! I drink it up!!!”

Here to help

The VLANS are like the rails of a train: once the train (client) is on its tracks it will go on its way.

It can cross the other rails (VLANS) only in a train station (L3 device).

Conversationalist

VLAN means virtual local area network. VLANs enable the logical separation of multiple networks on the same physical network hardware. VLANs can be configured untagged and tagged. This means one can, e.g., divide a switch in half: the first half is Network A (green) and the second is Network B (red), instead of two physical switches. With untagged, all packets that do not have labels are routed to the VLAN which is configured as untagged on the network port.


However, several networks can use the same port (port 8 - green and red).
With tagged, all packets get a sticker with the respective VLAN. So the network hardware can use the sticker to see if the packet is allowed for the VLAN or where it is allowed.

 

 

So here you can see ports 1-7 are configured as untagged and use the red or the green network. Port 8 is tagged, so port 8 is used by both networks, red and green.

PC A-1 can talk with PC B-1 (over port 8) but not with PC A-5 or PC B-5.

PC B-6 can talk to PC B-5 but not to PC B-1 or PC A-1.

 

 

[image: VLAN-Grundlagen-Beispiel-3.png]

(License: CC BY-SA 3.0, see https://creativecommons.org/licenses/by-sa/3.0/)

 

VLANs simplify managing multiple separate networks in one environment. Separating networks provides greater security in the network environment because not all network clients can intervene in all networks. Thus, e.g., a guest network or production network is segregated from the normal corporate LAN.

Here to help

To explain VLANs in their simplest form, compare the local area network (LAN) to a binder containing all the documents/data; we'll have to make believe that this binder can be huge. Since a single binder with hundreds or thousands of unsorted documents can be difficult to work with, you usually place an index in the binder. Now compare each part of the index to a virtual local area network (VLAN) with the same capacity as the binder itself.

The index segments the documents/data from each other to make them easier to find and work with; anyone can view any of the sorted documents/data in a quick and easy fashion.

Now with VLANs also comes added security; compare this to a key lock per index. So if you don't have the key for that specific index you won't be able to view or work with its contents. This makes it easy for a CFO to have a single binder for all of the company's finance staff to work with, but at the same time make sure that critical documents/data can only be accessed by authorized personnel.

 

That ought to explain it to someone that isn't 20 at least... a CFO ought to be at least 40 I guess and hopefully knows what an indexed binder is... 🙂 ?

Just browsing

The concept of and benefits to utilizing VLANs

A VLAN is logically dividing a switch into multiple, independent switches at layer 2.
Each VLAN is its own broadcast domain, segmenting the broadcast domain among the different VLANs.
The difference is that with VLANs, you still connect all the PCs to a single switch but you make the switch behave as if it were multiple, independent switches.


The advantages of using VLANs are as follows:
  • VLANs increase the number of broadcast domains while reducing their size; this is the same effect that routers have, but without the need to buy a lot of routers or a big router with a lot of ports, so it's less expensive and easier to administer.
  • VLANs provide an additional layer of security: No device in any VLAN can communicate with a device in any other VLAN until you deliberately configure a way for it to do so. An example might be a server in VLAN 10 that holds sensitive employee files for HR; no PCs from other VLANs can access VLAN 10 (or the server in it), unless you specifically configure it to do so.
  • VLANs are flexible in terms of how they are used in network equipment: Imagine a building that has LAN cabling and a single switch installed, but four different tenants. You can create four different VLANs, one for each tenant, and no tenant will see or hear from the other tenants on the other VLANs.
  • VLANs can span across multiple switches using trunk links. This allows you to create a logical grouping of network users by function instead of location. If you want all the marketing people to be in their own broadcast domain and IP subnet, you can create a VLAN for them on the first switch; then, you can connect another switch using a trunk link, define the same VLAN on that switch, and the marketing users on the second switch are in the same VLAN and can communicate with the marketing users on the first switch, and are isolated from other VLANs on both switches. This capability can be extended across an enterprise network campus, so that marketing users in the Whitaker Pavilion could in theory be in a VLAN with other marketing users in the Valentine Pavilion.
  • The ability to trunk VLANs across multiple switches makes adding users, moving users, and changing users' VLAN memberships much easier.
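As an added example (not from any entry in this thread), the following Python model ties together the tagged/untagged two-switch picture from the red/green entry above and the broadcast-domain and trunk-link points in the list just above: it floods a frame the way a pair of 802.1Q switches would and reports which PCs receive it. The port assignments (1-4 green, 5-7 red, port 8 a trunk for both) and the VLAN IDs 10 and 20 are assumptions for the illustration.

```python
# Added example, not from any entry in this thread: a minimal model of two
# 802.1Q switches with untagged (access) and tagged (trunk) ports.  Port
# assignments and the VLAN IDs 10/20 are assumed.
from dataclasses import dataclass, field
from typing import Optional

GREEN, RED = 10, 20  # assumed VLAN IDs for the "green" and "red" networks

@dataclass
class Frame:
    src: str
    dst: str
    vlan: Optional[int] = None  # None = no 802.1Q tag ("sticker") on the wire

@dataclass
class Switch:
    name: str
    access: dict = field(default_factory=dict)  # port -> its untagged VLAN
    trunks: dict = field(default_factory=dict)  # port -> set of allowed tagged VLANs
    links: dict = field(default_factory=dict)   # trunk port -> (peer switch, peer port)

    def host(self, port):
        return f"PC {self.name}-{port}"  # the PC plugged into an access port

    def ingress(self, port, frame):
        """Classify an arriving frame into a VLAN and flood it; returns the
        set of hosts that receive it (empty if the switch drops it)."""
        if port in self.access:
            if frame.vlan is not None:      # tagged frame on an access port: dropped
                return set()
            frame.vlan = self.access[port]  # sticker = the port's untagged VLAN
        elif port not in self.trunks or frame.vlan not in self.trunks[port]:
            return set()                    # unknown port, or tag not allowed on trunk
        return self._flood(port, frame)

    def _flood(self, in_port, frame):
        reached = set()
        for p, vid in self.access.items():  # untagged copy to same-VLAN hosts only
            if p != in_port and vid == frame.vlan:
                reached.add(self.host(p))
        for p, allowed in self.trunks.items():  # tagged copy across the trunk
            if p != in_port and frame.vlan in allowed and p in self.links:
                peer, peer_port = self.links[p]
                reached |= peer.ingress(peer_port, Frame(frame.src, frame.dst, frame.vlan))
        return reached

def build_topology():
    """Two switches: ports 1-4 green, 5-7 red, port 8 a trunk carrying both."""
    a, b = Switch("A"), Switch("B")
    for sw in (a, b):
        sw.access = {p: (GREEN if p <= 4 else RED) for p in range(1, 8)}
        sw.trunks[8] = {GREEN, RED}
    a.links[8], b.links[8] = (b, 8), (a, 8)
    return a, b

def can_talk(sw, port, target):
    """True if a broadcast from the PC on (sw, port) is delivered to `target`."""
    return target in sw.ingress(port, Frame(sw.host(port), target))
```

Reaching a PC in the other colour would require a router (layer 3) attached to both VLANs, which this layer 2 model deliberately leaves out.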

Comes here often

VLANs are a bit like playing pass the parcel. Trunk ports are the same as when the music is playing. You take the parcel (or packet) and pass it on, leaving all the wrapping (or tags) alone with all the data from various networks inside the wrapping. When you reach an access port the music stops, and you open the wrapper and see only the traffic for that network.

Different access ports in different VLANS will open the parcel to different wrappers and so see traffic from different virtual LANs.

Just browsing

Vlan is a networking concept to logically separate traffic in a network.

When connected to a network you can add a tag in front of the traffic coming from your device so you can communicate only with devices using the same tag.

If you want to communicate with devices using other tags you need to use a more "clever" device such as a router.

 

The benefits are that you can separate traffic at your will (e.g SSIDs, Services, Departments, Users etc) and apply specific addressing, routing and communication rules. 

 

Just browsing

VLAN is a technology solution in which you are able to segment or separate users into different network segments for privacy and security, and to reduce errors/problems from being propagated to the whole network, i.e. you can contain issues arising from one portion of the network from affecting the whole network.

Here to help

Imagine this Carl.....

 

  • You work in a serviced office building. A building with managed IT and 3 different companies on your floor. Another 2 above and 1 below on different floors.
  • The serviced building provides an internet connection for all companies.
  • Your department is the finance department. Your company has a competitor within the same building.

 

Now at any point, anyone of these companies can increase or decrease the amount of office space they require. At some point this space could be split across multiple floors or areas.

 

If all the computers for all users within all companies in the building could see each other and potentially access each other's confidential data, would that be ok?

 

No you say?

 

So if your company could not be seen by other companies, and your department could access all the data on your servers that it needed to, and other company users could not see your computers, would that be ok?

 

Yes?

 

So how do we achieve this?

 

  • We separate each group of computers into their own network with a set of rules to say who can see them and what they can see. 
  • What does not matter is the physical location of each computer, they could be in a different room, and different floor.

 

The important thing is the security of your data and the ease with which you are able to carry out your work, combined with being able to be mobile within the corporate environment and knowing that things simply just work.

 

People like us make that magic happen: we analyse the needs, we design the architecture, we implement and support a "Virtual Network" to make sure this happens and give you peace of mind that you and your data are safe.

 

How does that make you feel? Happy? Cared for?

 


Conversationalist

VLANs are the separation between the parts, things you don't want to mix, just like water and oil, or the production department and the financial department, where none of the employees have access to the others' separate parts, which in turn may also be the benefit of the separation.

Comes here often
In order to understand a VLAN, you need to know what a LAN is.
 
A LAN is a network where all devices are in the same broadcast domain (a broadcast is addressed to all devices in a network; everyone hears everyone). In a LAN, each network element can communicate with the entire network without going through a router. Without VLANs, a switch considers all its interfaces as being in the same LAN and therefore in the same broadcast domain. With VLANs, a switch can put some of its interfaces in one broadcast domain and others in another broadcast domain. The same switch then has several broadcast domains, so several logical separations on the same physical support.
 
It's actually like a school. You have a building (switch) with its students (network elements). If you don't use classrooms (VLANs), like in an auditorium, a teacher will talk with his students and everyone will hear him, even if they are not concerned. Whereas if we use classrooms, a specific teacher will be able to talk to particular students.
Getting noticed

VLANs are like the road and the parking gate. When the motorcycles and cars are on the road, they drive together on one road. It's called a VLAN trunk. When they go to the parking gate, they will be separated at each gate. It's called VLAN access. Motorcycles and cars are the VLAN ID.

Conversationalist

Imagine a 'huge room' filled with lots of people, and they're all chatting. Pretty noisy right? Everyone's messages are broadcast in the entire room. What about security? You can overhear potential sensitive information. Now imagine taking all those people and grouping into their own respective 'rooms', within the 'huge room'. Now the chatter is contained within the room, improving security. Same people, but now in organised fashion. Now what if a message needed to be passed to another group in another room? No problem. A designated 'doorman' has the ability to pass messages between rooms. Each room is tagged so the door man knows which room is which.

 

Take this analogy and apply it to understanding VLANs. The huge room is the switch. All users are physically connected to the same switch, and more importantly the same VLAN by default. Now take those users and place them in their own VLANs by grouping specific ports into VLANs. Now users' traffic is contained within their own VLAN, defining this as a broadcast domain. Now traffic is more secure, and if a packet needs to be sent to another VLAN, the router (analogous to the doorman) is able to communicate between VLANs. VLAN traffic is tagged so the router knows which VLAN to send the traffic to.

 

Apart from improving security, VLANs allow for the creation of more flexible designs, and reduce the amount of work required on each device within a VLAN.

Conversationalist

Vlans are designed to help segregate network traffic which can be based simply on the administrative function of the user.

To explain how VLANs are useful, imagine one large conference hall with a large audience of people (hosts) located throughout the hall with multiple speakers, and they are all speaking at once.

 

The audience will hear not only from the speaker they are trying to listen and talk to, but they will unnecessarily hear from the other speakers and people in that conference hall they don't really need to hear from.

 

Although this one large room (VLAN) is able to accommodate everyone, it's not really adequate for the conference given the number of people trying to listen and talk with each other about their own specific subject.


So now the administrator of this conference has decided to partition/segregate the conference hall into smaller rooms (VLANs), each room having its own speaker and specific audience.

These rooms have now become single VLANs, independent domains allowing the speaker and audience members to converse (broadcast) with each other only in that room (VLAN) without other people outside that room (VLAN) hearing.

Outside the door of each room (gateway) we have a sign showing the subject of the room and its number (VLAN number & name).

If people wish to speak/listen to others in different rooms (VLANs) they can do so by going through their own room door (gateway), and then they will be directed towards the other rooms. Providing these rooms (VLANs) allow entrance, users from each room will be able to speak freely with each other.

Access between these rooms (VLANs) can be controlled or even prohibited on a room-by-room basis, or even down to an individual host-to-host basis if desired.

So given that analogy, VLANs on a network can help greatly in controlling access between users (hosts) in different departments and in reducing unwarranted traffic on the office network, while at the same time providing great flexibility when/if the need arises to implement differing security/management policies for each VLAN. And as these VLANs can span a single switch or multiple network switches, users can be connected to the network wherever they are located physically in the office building while actually sharing the same virtual room (VLAN) as their department colleagues located elsewhere.

Getting noticed
Imagine a school hall with students from different grades and everybody is shouting their agenda at the same time. VLANs are like classrooms for each grade. Only the relevant information for that grade will be shared 🙂. For different classroom grades to speak to each other they need a Principal (router on a stick/Layer 3 switch) to help facilitate comms.
Just browsing

VLAN combines one or many LANs into a single network. The VLAN, or now single network, will be able to use each LAN's resources, which increases network performance.

Comes here often
Here is how I explain VLANs to my new techs. VLANs are like social clubs for Ethernet packets. Each Ethernet packet gets a tag which defines its club affiliation. Then, packets with the same tag group together and those with different tags do not acknowledge each other's existence. Those with no tags are simply allowed to stay in the default, and everyone in a club ignores them as well. The only way to get into a club if you did not start out in one is to go through a routing device. So, the VLAN 105 club only sees packets in the 105 club and VLAN 99 only sees packets in the 99 club, and they both ignore the packets in the default who are not in any club. Even though they are all on the same wire, they will not mix. Believe it or not, I have gotten farther with that explanation over the years than any other I have tried....
Here to help

A VLAN is like having a virtual switch inside of a real (hardware) switch. The same as a virtual machine inside a bare metal host.

Conversationalist

A VLAN is like putting up concrete barriers along the lanes of a highway: all the cars (devices on the network) can move to/from their destination, but they can't crash into (interact with) cars in other lanes. You're a bit safer locked into the lane (from other traffic lanes), and each lane can have specific rules placed on it, like speed limits, forced exits, or who can even enter the lane in the first place.

 

Additionally, the concrete barriers are able to be configured with multiple lanes at once, so a 5 lane highway might have "3 lanes of cars & trucks at 55mph, exit at #37" and "2 lanes of cars-only at 75mph, exit at #42". 

 

Finally, the concrete barriers can raise/lower and rules applied via a central control station, without having to stop all traffic before making changes.

Comes here often

Carl, think of VLANs in this way: you have a pack of wolves and a flock of sheep. Do you want the wolves to have access to the sheep?