
[WINNERS ANNOUNCED] Community Challenge: VLAN Explained

Community Manager



UPDATE Mon, June 24: Congratulations to the winners! Read the announcement.

 

UPDATE Mon, June 24: Voting is closed, stay tuned for the announcement of the winners!

 

UPDATE Weds, June 19: We have been blown away by the number of entries for this challenge, all of them showing such compassion for Carl and patience in helping him understand! Because we have so many entries to consider, we're extending the voting deadline until Monday June 24th at 10:59am. So be sure to take a look at all of the entries and kudo your favorites before Monday!

 

UPDATE Mon, June 17: Submissions have ended for this challenge! Now is your time to vote. Remember, we will have two winners — one chosen by the most kudos received and one selected by our panel of Meraki judges. So cast your vote by giving kudos to your favorite entries and we'll announce both winners on Friday, June 21st at 11am PDT.


Virtual local area networks, or VLANs if you ain’t got time for that, are critical components for simplifying network deployments through segmentation. Despite their abundant merits, it can be tricky to inspire appreciation in a lay-person, say, Carl from Finance.

 

For this month’s challenge, we’re asking you to explain, in the simplest possible terms, the concept of and benefits to utilizing VLANs. Your audience, let’s carry on with Carl, is intelligent, but non-technical and completely at sea when it comes to networking. You can use whatever media, analogies, or hyperbole necessary to help Carl understand.

 

The winners will receive stylish grey Cisco Meraki backpacks:

 


 

How to enter

Submit your contest entry in a comment on this blog post before 11 a.m. PDT on Monday (June 17th, 2019). Entries won’t be made public until voting starts. After you submit your entry, you’ll see a message reading “Your post will appear as soon as it is approved.”

 

How to win

Voting begins when submissions close (at 11 a.m. PDT on Monday, June 17th, 2019), and continues to the end of the work week. Voting closes at 11 a.m. PDT on Friday, June 21st, 2019.

 

We will be selecting 2 winners:

 

  1. The Community Favorite — chosen by you, our Community members. Cast your vote by giving kudos to your favorite entries. The entry with the most kudos from community members who aren't Meraki employees will win!
  2. The Meraki Favorite — a panel of experts here at Meraki will select the Meraki Favorite prize.

 

The Fine Print

  • Limit one entry per community member.
  • Submission period: Tuesday, June 11th, 2019 at 11am PDT through Monday, June 17th, 2019 at 10:59am PDT
  • Voting period: Monday, June 17th, 2019 at 11am PDT through Friday, June 21st, 2019 at 11am PDT
  • Prize will be a selection of Meraki swag with value not exceeding USD 50.00
  • Official terms, conditions, and eligibility information
138 Comments
Conversationalist

Hi Carl. How have you been? Awesome, good to hear. VLANs? Yeah, I can help you with that. Your network is like a field of sheep and a VLAN is like having a Border Collie that knows to pick out and gather certain sheep together. Add another sheep and the Border Collie looks at a tag on that sheep and figures out which group it goes into. Why would you do that? Well, maybe some sheep have great wool or know how to make a call on a VoIP phone. Others are more tasty and should only talk to file servers. Who knows, but the tag defines the group and the dog puts them where they belong and can't escape. No mixing! We good? Excellent. You buy. 

Building a reputation

Think of each VLAN as a separate physical network; each network is separated unless you make a connection between those networks with a cable. That is the basics of a VLAN: instead of separate physical networks, each one is divided logically from one another in the same physical network. As long as you don't tie them together on the MX, they will never see one another. If you want them to have access to other VLANs, you can think of it as taking another cable and running it to the other network and gaining access to the resources made available via that connection. This would be done using various rules customized in the MX restricting or allowing varying amounts of access and restrictions.

Here to help

So, Carl, in basic terms, a VLAN, or Virtual Local Area Network, creates an environment where users on multiple networks, like yours (Finance), HR, Sales and IT, can coexist on the same network device without stomping each other.  These networks are invisible to one another even though the users' computers are plugged into directly adjacent ports, which makes it great because you don't want anyone else in the company seeing your data, do you? 

 

It also helps us in IT make the network operate more smoothly by reducing the effect of others' traffic on your network.  That means that when Mary in Sales is streaming Spotify (well, we'll put a stop to that...but you get my point!), your urgent email to the CEO regarding everyone's hefty bonuses will go through lickety split! 

 

Just like you use an HP-12c calculator as a tool to do your job, we use VLANs to help us help you do your job better and more efficiently.  I hope that answers your question.

Conversationalist

VLANs are a solution/method that allows you to separate users or services into individual network segments for security and other reasons.

New here

VLANs are like cell blocks in prison. Each cell block is like a VLAN. Inmates (or devices on a switch port) inside the block (VLAN) can talk to each other, but not with others in different blocks (VLANs). They don't even know they exist. If inmates want to talk to others in different blocks, then they need to use a guard (think a router or firewall) to pass along the message.

 

We can even take this one step further. Inside each cell block, each inmate has a cell. When inmates are inside their cell, they can't talk to each other, even though they are in the same block. This is true for Private VLANs. You can have devices be part of a VLAN, but when put inside a private VLAN, they cannot talk to others in the VLAN without passing through a guard (in this case the guard is an access list).

 

Now let's all stay out of prison and away from the guards 🙂

Conversationalist

Imagine that a network cable is actually a gigantic tunnel. Imagine that all network traffic going through that cable (or tunnel) is a bunch of little people carrying messages from one side of the cable to the other side.

 

Without VLANs, all the little people would see each other while traveling through the tunnel, thus potentially having the risk that someone might see their message.

 

With VLANs the tunnel is full of smaller tunnels (or corridors) which each messenger has to go through. While in this smaller tunnel, there's no visibility of the other guys' messages, because they're all in separate tunnels (unless another message is being carried in the same tunnel on purpose).

 

At the end of the tunnel (or both ends) some tunnels might merge into one and others might just lead to a completely different place.

 

Magical, isn't it?

Just browsing

Imagine you are in a room with speakers that are playing two radio stations, two talk shows and a simple how-to instructional audio stream. Not only is it difficult to focus on the one thing you want, it might be that one of the radio stations has content that isn't appropriate for you to hear. That is what a network would sound like without VLANs. Now if we put some headphones on you, we have put you on a VLAN. We can allow you to access the radio station that is playing some easy listening music, while you also listen to that how-to. You don't even know about all that other noise.

New here

Easy way to segment your networks and apply different subnets, virtual interfaces on your core.

Comes here often

With VLANs you can split your switch into many switches/networks.

Conversationalist

VLANs are like Condos.  There's a main doorway which is the WAN and VLANs would be the rooms inside this Condo.  Each room can access other rooms by going to the hallway.

Conversationalist

A VLAN is a method to create multiple secure LANs on a single physical infrastructure. 

Comes here often

VLANs are like having holiday meals with your family and then your spouse's family. Customs, recipes, politics, and the stories that are shared differ at each. All enjoying the holiday meal (physical network), but you control the conversation at both places (VLANs). So Carl, that embarrassing story at your family's holiday doesn't always get retold at your spouse's.

Comes here often

Think of a network like a neighborhood and VLANs as the houses in the neighborhood. If you have no VLANs it's like having everyone in that neighborhood living in one giant house, or a sports stadium. There is no real privacy; your family can see and be seen at all times by all of the other families. This house would also be very loud with everyone trying to talk over one another all of the time.

 

Now if we add VLANs to this 'network', every family gets their own house but cannot leave it. These houses are like our VLANs; each family inside a house can talk to their family members very easily and see what their family is up to, but they cannot leave their house. Now that each family has their own house, they no longer need to compete with as many other people's voices when trying to talk to other family members. Now let's say the only way to talk to people in another house is with a phone call, and the HOA is able to control who can and cannot call whom. This allows us to control communication to/from any of these houses so that no one can talk to anyone, or everyone can talk to anyone, or something in the middle with some houses being able to talk to some but not all.

 

Would you rather live in a stadium with thousands of other people, no privacy and always having to shout, or would you prefer your own quiet house?

Comes here often

Similar to HOV lanes on highways, VLANs (Virtual LANs) are a means to reduce network congestion and improve safety through the restriction of access to those lanes based on a set of access requirements/rules, such as vehicle type/occupancy, or, as in the case with networking, device/traffic type.

Here to help

VLANs are like a party where different groups of people each speak their very own cryptic language that the other groups cannot understand. They know there is something being said but have no way of understanding it without the words first going through an interpreter (router) that would translate the language into the one they are speaking.

 

Say the party has 20 people attending: there are 4 groups of 5 people in each group, and each one of those groups speaks their own cryptic language with a distinctive dialect, which is like a VLAN tag. That distinctive dialect is what the interpreter (router) would use to translate to the other groups, or that a switch would use to keep that traffic within speakers of the same dialect.

 

That is VLANs in a nutshell.

New here

First one: VLANs divide the network into smaller broadcast domains.

 

Second: Increased security.

 


Just browsing

VLANs allow you to share the same physical networking gear across your entire environment while keeping sensitive or dangerous communications segmented. Like keeping HR traffic separate from all other users for privacy, or ensuring systems IT are testing in the lab won't affect the Finance Team. You can also group systems that communicate with each other a lot into the same VLAN so that those conversations don't interfere with the rest of the systems on the network. Much like putting all the "chatty Kathys" in the same "virtual break room" to share gossip.

Comes here often

A VLAN, or virtual LAN, is the method of micro-segmenting a layer 2/layer 3 topology for security or other reasons. By using VLANs, one can associate a certain number of ports on a switch with a particular VLAN, treating them as their own separate switch, thereby isolating the ports to that specific VLAN and also saving money by avoiding a new hardware purchase.

Conversationalist

It's a delicious Mexican custard-like dessert. 

Getting noticed

You may know that a Local Area Network (LAN) segment can address up to 254 end points or devices. You may have seen this noted in various ways such as:

 

192.1.1.1-254

192.1.1.0/24

192.1.1.1 - 192.9.1.1.254

or by the subnet mask 255.255.255.0

 

This limits communication between devices to 254 devices, or fewer if we discount network devices that may be employed such as a firewall, a managed switch, and/or a router. 254 devices sounds great for a small business which may have just a few phones, a smattering of laptops and desktops, some tablets and cellular phones, and perhaps some Internet of Things (IoT) devices such as cameras and thermostats.

 

But what if you have 100 employees in one building? Salespeople may have a desktop and a laptop in addition to their mobile devices which may also connect to Wi-Fi when in the office. If we have an IP phone on each desk and one in the breakroom, another in the kitchen, and one in each copy room, well, you may see how we quickly run out of addresses for our end-points!

 

We have a couple of ways to improve density. One would be to employ more network equipment to segment all those devices. We could use a router and more Wi-Fi access points to separate all those mobile devices into their own segment, for example. But as we do this, we add complexity to the physical network and cost, both in terms of initial cost as well as maintenance and support.

 

Another way to segment the network would be to use a Virtual LAN, or vLAN. A vLAN allows us to use the equipment we have in place and segment the network by using another address scheme "on top of" the same network cabling and equipment. In Meraki's MX80, for example, we can define a vLAN by telling the equipment that we'd like to use the address scheme of 10.10.10.0/24 (254 more addresses!) for all of the IP phones. Assuming there were, oh say, 110 phones on our network, we've just freed up 110 more addresses to use on our 192.1.1.0/24 network (YAY, Notebooks for everyone!).

 

But how does this work? Each vLAN is assigned a number. We can assign the number 23 to our IP phone vLAN. When we configure the addresses on our IP phones, we tell them to use vLAN 23. Assuming we've correctly set up our network devices (switches, firewall, etc.) for vLAN 23 to handle the traffic for our phones, all of that traffic will run over the same wires and equipment we've already got!

 

Segmenting networks also has a security bonus. vLAN 14 can (and probably should) be set up to never communicate with vLAN 27. Thus, you can have departments (IT, Accounting, C-level) separated from one another even though they are on the same physical network. A person working on a computer on the shop floor on vLAN 14 would never be able to glean accounting data from a computer on vLAN 27. Placing all IoT devices on a separate vLAN both frees up address space for computers and makes it harder for a would-be attacker to snag information from a database by gaining access through a device such as a thermostat, camera, or fish tank.

 

If you're a very small business with few visitors in your office, a vLAN may not be for you. It does add a bit of complexity to your setup. As your business, and your network, grows, segmenting your network via a vLAN may be a more secure, low-cost alternative to more equipment.
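The two mechanical points in this last reply (a /24 offers 254 host addresses, and a VLAN number keeps one group's traffic from reaching another's) and the earlier "smaller broadcast domains" reply can be modelled in a few lines. The Python below is an added example, not code from any of the posts above or from Meraki: it builds a real 802.1Q tag, and uses a constructed toy switch whose port names (Gi1-Gi4) and VLAN assignments (shop floor in VLAN 14, accounting in VLAN 27) are assumptions for illustration.

```python
import struct
from ipaddress import ip_network

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q VLAN tag

def usable_hosts(cidr: str) -> int:
    """Host addresses a subnet offers once network and broadcast are excluded (/24 -> 254)."""
    return ip_network(cidr).num_addresses - 2

def tag_frame(frame: bytes, vid: int) -> bytes:
    """Insert an 802.1Q tag (PCP=0, DEI=0, so the TCI equals the VID) after the source MAC."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]

def vlan_of(frame: bytes):
    """VLAN ID carried by a tagged frame, or None when the frame has no tag."""
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid != TPID_8021Q:
        return None
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF  # the VID is the low 12 bits of the TCI

class Switch:
    """Toy VLAN-aware switch: every access port belongs to exactly one VLAN."""

    def __init__(self, port_vlans: dict):
        self.port_vlans = port_vlans  # constructed mapping {port name: access VLAN}

    def flood(self, ingress: str, frame: bytes):
        """An untagged broadcast entering an access port is tagged with that port's VLAN
        and flooded only to the other ports of the same VLAN. The VLAN is the broadcast
        domain: ports in any other VLAN never see the frame."""
        vid = self.port_vlans[ingress]
        egress = sorted(p for p, v in self.port_vlans.items() if v == vid and p != ingress)
        return vid, egress, tag_frame(frame, vid)

def demo():
    # Constructed topology: shop-floor ports in VLAN 14, accounting ports in VLAN 27.
    sw = Switch({"Gi1": 14, "Gi2": 14, "Gi3": 27, "Gi4": 27})
    # Constructed ARP-style broadcast: dst ff:ff:ff:ff:ff:ff, src 02:00:00:00:00:01, EtherType 0x0806.
    arp = b"\xff" * 6 + bytes.fromhex("020000000001") + b"\x08\x06" + b"who-has 192.1.1.7?"
    return sw.flood("Gi1", arp)

if __name__ == "__main__":
    vid, egress, tagged = demo()
    print(f"VLAN {vid}: flooded to {egress}, tag carries VID {vlan_of(tagged)}")
    print(f"/24 gives {usable_hosts('192.1.1.0/24')} usable host addresses")
```

Running it shows the broadcast from Gi1 reaching only Gi2; the accounting ports in VLAN 27 are never offered the frame, which is the isolation the reply above describes.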