
[WINNERS ANNOUNCED] Community Challenge: VLAN Explained

Community Manager



UPDATE Mon, June 24: Congratulations to the winners! Read the announcement.

 

UPDATE Mon, June 24: Voting is closed, stay tuned for the announcement of the winners!

 

UPDATE Wed, June 19: We have been blown away by the number of entries for this challenge, all of them showing such compassion for Carl and patience in helping him understand! Because we have so many entries to consider, we're extending the voting deadline until Monday June 24th at 10:59am. So be sure to take a look at all of the entries and kudo your favorites before Monday!

 

UPDATE Mon, June 17: Submissions have ended for this challenge! Now is your time to vote. Remember, we will have two winners — one chosen by the most kudos received and one selected by our panel of Meraki judges. So cast your vote by giving kudos to your favorite entries and we'll announce both winners on Friday, June 21st at 11am PDT.


Virtual local area networks, or VLANs if you ain’t got time for that, are critical components for simplifying network deployments through segmentation. Despite their abundant merits, it can be tricky to inspire appreciation in a layperson, say, Carl from Finance.

 

For this month’s challenge, we’re asking you to explain, in the simplest possible terms, the concept of VLANs and the benefits of using them. Your audience, let’s carry on with Carl, is intelligent, but non-technical and completely at sea when it comes to networking. You can use whatever media, analogies, or hyperbole necessary to help Carl understand.

 

The winners will receive stylish grey Cisco Meraki backpacks:

 


 

How to enter

Submit your contest entry in a comment on this blog post before 11 a.m. PDT on Monday (June 17th, 2019). Entries won’t be made public until voting starts. After you submit your entry, you’ll see a message reading “Your post will appear as soon as it is approved.”

 

How to win

Voting begins when submissions close (at 11 a.m. PDT on Monday, June 17th, 2019), and continues to the end of the work week. Voting closes at 11 a.m. PDT on Friday, June 21st, 2019.

 

We will be selecting 2 winners:

 

  1. The Community Favorite — chosen by you, our Community members. Cast your vote by giving kudos to your favorite entries. The entry with the most kudos from community members who aren't Meraki employees will win!
  2. The Meraki Favorite — a panel of experts here at Meraki will select the Meraki Favorite prize.

 

The Fine Print

  • Limit one entry per community member.
  • Submission period: Tuesday, June 11th, 2019 at 11am PDT through Monday, June 17th, 2019 at 10:59am PDT
  • Voting period: Monday, June 17th, 2019 at 11am PDT through Friday, June 21st, 2019 at 11am PDT
  • Prize will be a selection of Meraki swag with value not exceeding USD 50.00
  • Official terms, conditions, and eligibility information
Conversationalist

Think of runways at an airport, Carl.

 

Lots of planes, carrying lots of passengers. It's important that those planes never get too close, right Carl? That's what we call segmentation, Carl. And, see, the passengers on flight OU812 don't need to concern themselves with what the passengers on flight 2112 are doing. But all of those planes, Carl, with all of those passengers, use the same runway and the same control tower on that particular airfield.  Let's say that the airfield is like a network switch, Carl.

 

You with me on this, Carl?

 

So then let's call the runways network cables, Carl; and let's call the planes VLANs; and let's call -- Carl! Pay attention! -- and let's say that the people on the planes are like data. We put the data in the VLAN, like we put the people in the plane; and then we put the VLANs on the network cables, like we put the planes on the runways. And then ATC tells the pilots -- Carl! Pay attention, Carl! -- ATC tells the pilots of each airplane where to go on the airfield, just like your network switch tells each VLAN where it can or can't go.  But ATC just cares about the planes, not about the individual passengers inside each plane.  So the planes (VLANs) come into / out of the airfield (switch) via runways (cables); and then when a plane (VLAN) gets to the gate (switchport), all of the people (data) hop off of the pla --- Carl! Carl what are you doing!? Get out of the cockpit, Carl! You're not a network engineer. D*mmit, Carl!

 

 

 


 

 

 

Building a reputation

First let’s take Carl back to the days before VLANs. In an office, let's say you wanted to separate the accounting department's network traffic from the creative department's network traffic. You’d have to buy and install a separate switch for each department because this was the only way to make sure someone in the opposite department couldn't see the other's network traffic. Also, if you wanted to move one person from accounting to another building, there was no way to keep this separation of traffic across different physical locations.

 

The solution came in the form of VLANs. Technically speaking, all a VLAN is, is a tag added to each Ethernet frame as it enters a port on a VLAN-enabled switch. This tag is removed at the egress port. The two standards for these tags are 802.1Q and ISL, although ISL has really fallen out of use because it's Cisco proprietary.

 

Having each piece of traffic marked allows a switch to direct where traffic is allowed to go and not allowed to go. So if we now want to make sure that accounting traffic stays separate from the creative department's traffic, we can apply a VLAN tag to each department's traffic and tell the switch where everything is allowed to go. We can even expand this control beyond one physical location, so if a single member of the accounting team moves to a new building, all I have to do is find the port that person is connecting to and apply the accounting department's VLAN to it. That employee is now part of the accounting department's network without much effort or the added cost of rewiring the network.

Just browsing

Broadcast Domain

Comes here often

A VLAN or Virtual Local Area Network is networking terminology constituted by a 12-bit field of an 802.1Q header sandwiched between the source MAC and EtherType fields of an Ethernet frame. It is represented and configured in the range of 1 to 4094.

A VLAN provides Layer-2 segmentation by creating a security boundary and furnishing broadcast separation on a network.

A VLAN = 1 broadcast domain = 1 subnet
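The two comments above describe the mechanism in words: a 4-byte 802.1Q tag is inserted between the source MAC and the EtherType as a frame enters a VLAN-aware port, the VLAN ID is a 12-bit field with usable values 1 to 4094, and the tag is stripped again on egress to an access port. The following Python is an added example written for this page (it is not from any commenter and not Meraki code) that builds, parses and strips that tag on a constructed sample frame; the frame contents, the function names and the 0x8100 TPID constant used for a plain 802.1Q tag are the only assumptions it makes.

```python
import struct

TPID_8021Q = 0x8100          # Tag Protocol Identifier that marks an 802.1Q tag
MIN_VID, MAX_VID = 1, 4094   # usable VLAN IDs; 0 and 4095 are reserved by the standard


def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Ingress on a VLAN-aware switch: insert a 4-byte 802.1Q tag between the
    source MAC (bytes 6-11) and the original EtherType (bytes 12-13)."""
    if not MIN_VID <= vid <= MAX_VID:
        raise ValueError(f"VID {vid} is outside the usable range {MIN_VID}-{MAX_VID}")
    if len(frame) < 14:
        raise ValueError("frame is too short to hold an Ethernet header")
    # TCI layout: 3-bit PCP (priority), 1-bit DEI, 12-bit VID
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vid
    tag = struct.pack("!HH", TPID_8021Q, tci)
    return frame[:12] + tag + frame[12:]


def parse_tag(frame: bytes):
    """Return (pcp, dei, vid) if the frame carries an 802.1Q tag, else None."""
    if len(frame) < 18:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return (tci >> 13) & 0x7, (tci >> 12) & 0x1, tci & 0x0FFF


def untag_frame(frame: bytes) -> bytes:
    """Egress on an access port: strip the tag so the host sees a plain frame."""
    if parse_tag(frame) is None:
        raise ValueError("frame is not 802.1Q tagged")
    return frame[:12] + frame[16:]


def ethertype(frame: bytes) -> int:
    """EtherType of the payload, looking past an 802.1Q tag if one is present."""
    offset = 16 if parse_tag(frame) is not None else 12
    return struct.unpack("!H", frame[offset:offset + 2])[0]


# Constructed sample frame (made up for this example, not captured traffic):
# broadcast destination, an arbitrary source MAC, EtherType 0x0800 (IPv4)
# and a dummy payload.
SAMPLE_FRAME = (
    bytes.fromhex("ffffffffffff")    # dst: broadcast
    + bytes.fromhex("0a1b2c3d4e5f")  # src: made-up unicast MAC
    + struct.pack("!H", 0x0800)      # EtherType IPv4
    + b"payload-bytes"
)

if __name__ == "__main__":
    tagged = tag_frame(SAMPLE_FRAME, vid=100, pcp=5)
    print("tag bytes:", tagged[12:16].hex())          # 8100a064
    print("parsed (pcp, dei, vid):", parse_tag(tagged))
    print("inner EtherType: 0x%04x" % ethertype(tagged))
    print("round trip intact:", untag_frame(tagged) == SAMPLE_FRAME)
```

The check in tag_frame is the one a practitioner cares about: anything that builds tagged frames should refuse VID 0 and 4095, because those values are reserved and a switch will not treat them as an ordinary VLAN.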

Comes here often

Imagine the data your computers and phones send and receive are vehicles. Well, these email "cars" and video "trucks" travel through streets and highways called networks. While we could have everyone drive on the same road to get to their destinations, you can imagine how rush hour would be a 24-hour occurrence. So we obviously want multiple roads to help keep traffic manageable and more efficient, but buying new equipment and running new cabling every time business needs evolve/grow is expensive and unrealistic. Instead, Dave invented the means to create software-defined roads through the physical equipment and cabling. This means we can have a road that accounting will use to get to work and you won't get backed up by sales because they now have their own road to get to work. VLANs take the cabling and equipment, which was just a road, and transform it into a landmass where network engineers can build fast highways, redundant streets, and with a little skill, a safe place to conduct your work.

Here to help

Imagine that network devices are a bunch of people of several different job roles in a big room talking.  Imagine the noise: it’s hard to hear and people have to repeat themselves often in order to be heard.  Worst of all, when someone is looking for a specific person that they haven’t yet met, everyone in the room has to stop talking and listen to the announcement: “John D, please raise your hand so that Jane C can find you.”

 

Now, imagine that the huge group of people is separated out in a logical, orderly fashion: accountants here, engineers there, etc.  Then soundproof rooms are installed for each group.  Each room has just one single door.  Each person in each room is assigned to a specific spot in the room.  And each room has an assigned room attendant.

 

Now, when one accountant wants to talk to another, they know exactly where to go in the room and they can do so directly without having to speak over the engineers.

 

If however an accountant needs to send a message to someone in HR, it is much easier now for the accountant to figure out that the person they need to talk to isn’t in the room.  The accountant will simply hand the message off to their room attendant.

 

The room attendant knows how to reach every other group, so he will deliver the message to HR’s room attendant who will deliver the message to the specific person in HR.

 

The soundproof rooms are VLANs.  The assigned spots in each room are switch ports.  And the room attendants are routers.

Here to help
Everyone knows that a typical switch is used to forward traffic (or packets) from the router to endpoint devices (computers, phones, tablets, IoT, etc). Sometimes, it is useful or even necessary to isolate broadcast traffic in a large network. This can be useful to help manage bandwidth utilization (QoS) by isolating and prioritizing certain traffic for certain devices.

A great example is VoIP. In a typical situation, there may be a mix of wired and wireless devices in the single subnet which might include all of the IP phones for the site. We may want to keep all of the voice traffic isolated from the other data traffic. The first thing a VLAN does is to create a separate broadcast domain. By utilizing VLANs, we can assign all of the IP phones as a group in a VLAN and other networked devices to a different VLAN. This is a virtual creation of separate subnets; the IP phones in a particular VLAN can talk directly to the other IP phones without incurring the overhead associated with non-VoIP traffic. The devices connected to a VLAN will only process traffic intended for them based on protocol.

Also, other uses for separation can be for supporting multiple companies in shared office space, supporting surveillance cameras, separating NAS traffic from other print/file traffic, etc. In summary, the use of VLANs can help reduce overhead on large networks by reducing unnecessary broadcast traffic heard by each device.
New here

VLANs work like waterslides.

Kids (data packets) can get in a blue or green waterslide (VLANs) at the top and exit at the bottom in the same color without crashing into each other.

 

 

Comes here often

A VLAN (virtual LAN) abstracts the idea of the local area network (LAN) by providing data link connectivity for a subnet. One or more network switches may support multiple, independent VLANs, creating Layer 2 (data link) implementations of subnets. A VLAN is associated with a broadcast domain. It is usually composed of one or more Ethernet switches.

Just browsing

Layer 2 Collision Domain!

Here to help

A LAN is like the interstate or highway. Making a LAN into a Virtual LAN (VLAN) is like dividing the lanes up into separate types of traffic based off predefined addresses/subnets. It would be like taking a 4-lane interstate and saying all traffic that is a sports car driving 80+ mph is only allowed in the far left lane. Sedans and family vehicles are allowed in the left center lane driving 60-80 mph. The right center lane would be for utility trucks, company trucks, or delivery trucks driving 60 mph. The far right lane would be for heavy vehicles such as semi trucks, etc. going 50 mph or under. This helps keep traffic flowing with no bottlenecks, as similar traffic and speed is required in each lane, and no lane hopping.

 

So for a network we would create a VLAN for security camera systems, VLAN for guest network, VLAN for internal PCs, VLAN for servers, etc. This opens up more space for more devices and keeps the network flowing smoothly at the given rate it should, much like the interstate example above.

Comes here often

Think of VLANs like playing cards, where you can only play cards of the same suit. In the VLAN world, ports can only see network traffic of the same (or allowed) VLANs. If you have multiple suits of cards in your hand, then you have access to play any of those suits. If a network port is set to allow access from multiple VLANs, then it can see traffic from each of those specific VLANs.

 

 

Getting noticed

VLAN (short for Virtual Local Area Network). A switch supporting VLANs lets you logically separate networks even when using the same physical switch / network infrastructure.

 

Imagine if you had two physical switches which you have not connected together, but rather have created two physically separate networks (network A and network B). Using a layer 2 switch which supports VLANs, you are able to set up these two separate networks on a single switch. This is not so amazing, as it could all be done by using two separate physical switches. It gets amazing when you have multiple networks on multiple switches in multiple locations and, most importantly, a significantly limited number of physical/virtual links between these locations. Using VLAN tagging, all those networks (VLANs) are able to run over the limited uplinks and all on the same switch hardware. The networks are still logically separate (unless connected via a layer 3 router) but these separate networks are running on the shared switch / network infrastructure.

 

Basically, VLANs make management of multiple networks straightforward and you are able to utilise your resources more effectively because you have less hardware. This makes management and deployment much simpler (less physical hardware). In particular, when using Meraki, all ports are tagged with all VLANs by default. This makes things very straightforward to manage and set up.

 

Creating a separate network (VLAN) is as simple as configuring two ports to be "access" ports on your network (other systems may use other names like untagged ports). For example, if you want to set up VLAN 50 (VLANs normally have numbers associated to identify them), then configuring two or more access ports as VLAN 50 will mean you now have a logically separate network from the other ports on your switch(es) / network.

 

Honestly, I have never dealt with a system which handles VLANs as well as Meraki Dashboard. The process is so simple. See picture for the bits you need to change to make it all work on a port within the Meraki Dashboard.

 

Go on, if you have not made a VLAN today, make one; you only need to configure a couple of ports on a single switch and you are up and running. Don't delay, try today. There is more to it all as you dive in, but getting started is that simple.

 

The great thing about a VLAN is that in a more advanced setup (multiple switches) it will allow you to expand a LAN to go beyond the way you may typically think of a LAN. For example, you can expand it to span between buildings or even different sites using the existing links you have in place, such as private copper, fibre, VPN, etc.

 

Most importantly, Meraki Dashboard allows configuration beyond switches and also covers MX gateways. If you are using Meraki switches and also the MX gateways, everything is configured from the dashboard.

 


 

Comes here often

Imagine you have a company that has two networks. On one network you have all the workers, and on another you have all the servers. They're on separate networks so that you can enforce security on the router between the two networks. Now the company grows and you move into a second building. You need to add more servers to the network and they're going to live in the second building, with the new workers. You really want to keep the two networks separate, still, but you don't want to run two cables between the two buildings - you'd like to just run one. So, you come up with a solution: on the switches in each building you put all the workers' machines into the first half of the switch, and all the servers into the second half of the switch. You then have the switch add a tag to the beginning of each packet to tell you which network the packet has come from on the link between the two buildings, and when it gets to the other end of the link the switch removes the tag and only sends the packet on the network the tag told it to. Congratulations - you've invented VLANs.

VLANs can be tagged or untagged - when they're untagged, it's a method for using one piece of network equipment (such as a switch) as more than one smaller switch for more than one network. When they're tagged, they're adding an identifier to the beginning of the packet to say which network they're supposed to be on, so that several links can be combined but the traffic kept separate. Devices can do a combination of both, if they need to.

It also allows for neat things like a router or firewall with only one network cable plugged in, because it can send and receive packets on different networks by using different tagged VLANs.
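Several comments above describe the same forwarding rules from different angles: access (untagged) ports belong to one VLAN, a port configured for multiple VLANs carries them tagged and may see only those it is allowed, frames are tagged on the way into the shared link and stripped on the way out, and broadcasts stay inside their own VLAN. The following Python is an added example written for this page (not any commenter's code, and not how Meraki switches are implemented) that models a small VLAN-aware learning switch so the segmentation can be checked rather than just described. The port names, MAC addresses and topology are constructed for the example, and it assumes a strict policy that drops tagged frames arriving on access ports and untagged frames arriving on trunks.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    vid: Optional[int] = None   # None means the frame carries no 802.1Q tag


@dataclass
class Port:
    name: str
    mode: str                                           # "access" or "trunk"
    access_vlan: Optional[int] = None                   # access ports: their one VLAN
    allowed_vlans: Set[int] = field(default_factory=set)  # trunks: VLANs carried tagged


class VlanSwitch:
    """Minimal model of a VLAN-aware learning switch. Assumption for this example:
    strict mode, so tagged frames on access ports and untagged frames on trunks
    are dropped instead of being guessed into some default VLAN."""

    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        # MAC learning is per VLAN: the same MAC seen in two VLANs is two entries,
        # so a host in VLAN 20 can never be "found" by a lookup from VLAN 10.
        self.mac_table: Dict[Tuple[int, str], str] = {}

    def _classify(self, port: Port, frame: Frame) -> Optional[int]:
        """Decide which VLAN an arriving frame belongs to; None means drop it."""
        if port.mode == "access":
            return None if frame.vid is not None else port.access_vlan
        if frame.vid is None or frame.vid not in port.allowed_vlans:
            return None
        return frame.vid

    def _egress(self, port: Port, vlan: int, frame: Frame) -> Optional[Frame]:
        """Rewrite a frame for one output port, or None if it may not leave there."""
        if port.mode == "access":
            if port.access_vlan != vlan:
                return None
            return Frame(frame.src, frame.dst, None)        # strip the tag for the host
        if vlan not in port.allowed_vlans:
            return None
        return Frame(frame.src, frame.dst, vlan)            # keep the tag on the trunk

    def receive(self, in_port: str, frame: Frame) -> Dict[str, Frame]:
        """Process one frame; return {out_port: frame as it is transmitted}."""
        port = self.ports[in_port]
        vlan = self._classify(port, frame)
        if vlan is None:
            return {}
        self.mac_table[(vlan, frame.src)] = in_port
        learned = self.mac_table.get((vlan, frame.dst))
        if frame.dst != BROADCAST and learned is not None:
            targets = [] if learned == in_port else [learned]
        else:
            targets = [n for n in self.ports if n != in_port]   # flood, VLAN-limited below
        out = {}
        for name in targets:
            egress = self._egress(self.ports[name], vlan, frame)
            if egress is not None:
                out[name] = egress
        return out


def build_demo_switch() -> VlanSwitch:
    """Constructed topology: VLAN 10 on g1/g2, VLAN 20 on g3, trunks on g4/g5."""
    return VlanSwitch([
        Port("g1", "access", access_vlan=10),
        Port("g2", "access", access_vlan=10),
        Port("g3", "access", access_vlan=20),
        Port("g4", "trunk", allowed_vlans={10, 20}),
        Port("g5", "trunk", allowed_vlans={20}),
    ])


HOST_A = "aa:aa:aa:aa:aa:01"   # made-up host on g1, VLAN 10
HOST_B = "bb:bb:bb:bb:bb:02"   # made-up host on g3, VLAN 20

if __name__ == "__main__":
    sw = build_demo_switch()
    print(sw.receive("g1", Frame(HOST_A, BROADCAST)))       # g2 untagged, g4 tagged 10
    print(sw.receive("g3", Frame(HOST_B, HOST_A)))          # flooded in VLAN 20 only
    print(sw.receive("g4", Frame(HOST_B, HOST_A, vid=30)))  # {} : VLAN 30 not allowed on g4
```

The worthwhile observation is the second call: host B in VLAN 20 addresses host A's MAC directly, yet the frame never reaches g1, because the MAC table is keyed by VLAN and the flood is filtered by each port's VLAN membership. Getting from VLAN 20 to VLAN 10 requires the router (the "room attendant" or "intersection" in the analogies above), which is where a firewall policy can be applied.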

Just browsing

In its simplest terms, VLANs are a recommended practice in networks to segment data types and/or office departments, floors and buildings. They allow for easier management and troubleshooting in addition to facilitating a more secure network.

Comes here often

Networks are noisy, really noisy places, and we use VLANs to limit the noise. The end device you connect to any network talks a lot; think of them as being really sociable! But like the local gossip in the office, everyone knows how distracting that can be. Imagine you're at a concert with lots of others (this is the network you're connected to). You know your friend Mandy that you want to find is somewhere in the room and you want to send Mandy a message: has she got any Cola? So the first thing you would do is to shout very loud, maybe using the performer's microphone, "Where is Mandy?" (this process is called ARP). In networking this is called a broadcast, and broadcasts are limited to the network they are connected to, similar to a concert hall where you can't hear the music outside; in a network you can't hear broadcasts outside of the network (well, under certain circumstances you can, but we will cover this later). Assuming Mandy can hear you, she might reply "I am in section A row 22 seat 7". In networking this process is called ARP, where Mandy (the IP address) is mapped to section A row 22 seat 7 (which is the MAC address). Now we know where Mandy is sitting, we can send her a message using the seat number, as Mandy is constantly listening for any messages that are for her.

 

But now in the concert, the person next to you, and the person next to them, are all trying to send messages to their friends who, like you, don't know where they are, and they want to speak now, they won't wait! In fact everyone in the concert hall is now shouting for their friends. In our concert there might be hundreds or thousands of microphones and everyone is competing for microphone time; everyone is listening for messages destined for them.

 

This is what a large flat network looks like and sounds like if you are a computer. To make things easier we break a logical chunk of devices into what we call subnets or VLANs.

 

So in our example above, you might break each row into a separate VLAN. To do this you will have one person in each row (let's call them the Talker, who is able to talk to other Talkers in other rows as well as to everyone in their row). Now when I want to know where Mandy is, first I shout as above, but this time my voice doesn't carry outside of the row I am in. The Talker listens and, if Mandy doesn't answer from within our row, the Talker goes out and repeats the "Where is Mandy?" to the rest of the concert hall. Only the other Talkers hear the request and so the broadcast is limited to a smaller number of devices. The Talker in Mandy's row says "I know where she is!!" And so the message I send is now sent to Mandy via my Talker and her Talker. Now when next exchanging messages, both Mandy and I know which Talker we need to use to exchange messages, but also our conversation is not overheard outside of the rows we both sit in.

 

That is why we create VLANs: to cut out the distractions of noisy messages, to segment the search into logical chunks, and to ensure that when we do speak, everyone doesn't have to hear our voice, listening in case we say something that includes them.

Comes here often

VLANs are like a highway with Jersey barriers separating the lanes. Everyone's using the same road, but you're in your lane and you're staying there. You can interact with other cars in your lane, but you can't interact with cars in other lanes until you get to an intersection (aka router), probably with a traffic cop (firewall) deciding if you really need to visit those other lanes or not. 

Comes here often

VLANs are like gated communities: inside the gates everyone can move around freely and talk to their neighbours, and you can’t get into the gated community without a tag or being allowed in.  None of your chit-chat or gossip leaves the community, so what happens in the community stays in the community.

Comes here often

The concept of a VLAN is pretty easy to explain to an intelligent person like you, Carl 🙂

 

For example, you are always close to your family irrespective of their location. While talking to them directly or through voice/video call, you have that special bond with them that can't form with everyone else.

 

Similarly, devices in a VLAN have that virtual bond irrespective of their physical location that can't be formed with devices in other VLANs.

 

Using VLANs, we can separate the Printer family, Phone family, IoT family and Access Point family from each other. This gives easy management and better security features.

Conversationalist

VLANs allow you to create and split up many networks within a single device, called a "switch". For example, they would allow you to create up to 4000+ networks within just one switch instead of buying 4000 switches, one for each network. In essence, VLANs are like tiny "virtual switches" all inside of one device.

 

VLANs operate as if they were private booths in a restaurant. They would allow you to seat a group of "guests" (which would be PCs, laptops, phones or printers in this case) within their own booth in order to eat privately and discreetly instead of having all of the guests in one large open dining room. So there's some level of privacy there. You can also separate the "guests" (or devices) however you like, and move them around as needed. If you wanted to sit with members of your party from the same group, either in that particular restaurant or other participating restaurants, you would need a "tag" to identify you as a member. You can think of the "tag" as one of those cool vibrating restaurant pagers that you receive when you're waiting to be seated. (This is what we would call "trunking".)

 

You can also draw a comparison of VLANs to AOL Chat Rooms in the '90s 😉 Each chat room (or VLAN in this case) has its own purpose or "topic" and its own community of online members. The benefit here is, if one of the rooms gets too "chatty", it doesn't affect the other chat rooms. Similarly, network traffic (such as Broadcasts) in one VLAN cannot reach or affect other VLANs.