UPDATE Mon, June 24: Congratulations to the winners! Read the announcement.
UPDATE Mon, June 24: Voting is closed, stay tuned for the announcement of the winners!
UPDATE Weds, June 19: We have been blown away by the number of entries for this challenge, all of them showing such compassion for Carl and patience in helping him understand! Because we have so many entries to consider, we're extending the voting deadline until Monday June 24th at 10:59am. So be sure to take a look at all of the entries and kudo your favorites before Monday!
UPDATE Mon, June 17: Submissions have ended for this challenge! Now is your time to vote. Remember, we will have two winners — one chosen by the most kudos received and one selected by our panel of Meraki judges. So cast your vote by giving kudos to your favorite entries and we'll announce both winners on Friday, June 21st at 11am PDT.
Virtual local area networks, or VLANs if you ain’t got time for that, are critical components for simplifying network deployments through segmentation. Despite their abundant merits, it can be tricky to inspire appreciation in a lay-person, say, Carl from Finance.
For this month’s challenge, we’re asking you to explain, in the simplest possible terms, the concept of and benefits to utilizing VLANs. Your audience, let’s carry on with Carl, is intelligent, but non-technical and completely at sea when it comes to networking. You can use whatever media, analogies, or hyperbole necessary to help Carl understand.
The winners will receive stylish grey Cisco Meraki backpacks:
Submit your contest entry in a comment on this blog post before 11 a.m. PDT on Monday (June 17th, 2019). Entries won’t be made public until voting starts. After you submit your entry, you’ll see a message reading “Your post will appear as soon as it is approved.”
Voting begins when submissions close (at 11 a.m. PDT on Monday, June 17th, 2019), and continues to the end of the work week. Voting closes at 11 a.m. PDT on Friday, June 21st, 2019.
We will be selecting 2 winners:
VLANs enable groups of devices from multiple networks (both wired and wireless) to be combined into a single logical network. The result is a virtual LAN that can be administered like a physical local area network.
VLAN 1 192.168.1.0 = LAN
VLAN 2 192.168.20.0 = Printers
VLAN 3 192.168.30.0 = Wifi
It's like a divider plate. All the food is on the same plate but nothing touches each other.
By definition, a Virtual Network. Basically, an isolated Layer2 broadcast domain where traffic outside of it requires a router (L3 switch) in order to get traffic across to other networks.
You speak French, the other person speaks Tagalog. The languages are the VLANs. You need a translator, i.e. a "router" (or similar) to translate.
You are on a road with multiple lanes. Between these lanes there is a wall that separates the type of traffic (trucks, cars, motorcycles) and what speed each one can travel. So is the VLAN: each type of traffic separated by characteristics such as the speed of each vehicle, its size, the distance between each vehicle, and whether or not tolls exist.
VLAN-enabled ports are generally categorised in one of two ways, tagged or untagged. These may also be referred to as "trunk" or "access" respectively. The purpose of a tagged or "trunked" port is to pass traffic for multiple VLANs, whereas an untagged or "access" port accepts traffic for only a single VLAN.
Trunk ports require more steps to successfully negotiate as a trunk.
Both ends of the link must have the following in common:
Administration & Segmentation
Concept: Virtual networks configured on a switch
Benefits: Good for testing and segmenting devices.
Logically separated LANs.
LANs separated at layer 2 of the OSI model.
It is like this...
Imagine a switch is the Mercedes Formula 1 team.
VLAN 1 is Lewis Hamilton.
VLAN 2 is Valtteri Bottas.
They are on the same team, fly the same planes, live in the same garage, but they do NOT communicate across the garage; they just talk to their own part of the team.
It's only when you put in a gateway, let's call it Toto Wolff, that they talk to each other, and then only what Toto tells them to say to each other.
Carl, VLANs are like bank accounts.
You can have multiple bank accounts to divide up your money (or debt!) in ways that make sense to you or helps you.
VLANs divide up a company's network in ways that make sense or help the company.
It's not a big truck. It's a series of tubes
VLANs are like lanes on a freeway; everyone is using the same physical road, but there's lanes to split the traffic into various types, such as a truck lane for slower vehicles, a carpool lane for vehicles carrying multiple people, and an express lane for those willing to pay extra for priority access.
A network without VLANs would be like a freeway without lanes; it would be pure chaos because you'd have various types of traffic all fighting over the same access.
VLAN Stands for Virtual Local Area Network.
Think of it like this. A 24-port switch can be divided into two 12-port switches. The first 12 ports can be on VLAN 10 and the next 12 can be on VLAN 20, and neither network knows of the other.
In other words, imagine driving down the road and there's a wall between you and the car next to you.
A VLAN is a logical LAN only made possible by a configuration feature available in the software running the switch, it is not physical.
VLANs reduce broadcast traffic, facilitate the administration of networks by grouping physically dispersed computers on the same logical LAN, and help enforce security policies.
A VLAN is a solution that allows you to separate devices into individual network segments.
VLANs are like classrooms, where the size of the room is relative to the IP address block size. Anytime you try to send a message, like passing a paper note, you have to send it to everyone in the room before your message leaves the room, where the door is the default gateway and the closest person to it hands it off. People in other rooms (VLANs) will not see the note unless it was allowed and explicitly sent to them, in which case the hall monitor (router) will give it to that room. The note is then passed around in that room until it reaches the intended recipient.
What is a VLAN?
VLAN Stands for Virtual Local Area Network.
Let us imagine a footpath in a park. It has limited space and is, say, shared by pedestrians and cyclists. During busy periods, pedestrians and cyclists are constantly contending for space and accidents begin to happen. One day someone drew a line down the path and painted an image of a person along one lane and a picture of a cycle on the other.
This had an immediate effect. Cyclists only used the cycle lane and they all respected each other. Pedestrians used the pedestrian lane and they all respected each other. Although both sets of traffic had to share the same path, it was now easy to manage the different types of traffic based on a category.
This is how a VLAN might work. One VLAN might carry voice traffic, and one VLAN might carry all the other data traffic. Still sharing the same connection, however ordered and managed.
A VLAN (Virtual Local Area Network) is an isolated network within an isolated network that only allows specific kinds of network traffic. For example, if you live in a community with roads, think of those roads as a network. They allow vehicles to travel from place to place, the same way that data does on a data network. Now, put a gated community within that community that only allows golf carts to travel within it. That's a VLAN.
Hi Carl. How have you been? Awesome, good to hear. VLANs? Yeah, I can help you with that. Your network is like a field of sheep and a VLAN is like having a Border Collie that knows to pick out and gather certain sheep together. Add another sheep and the Border Collie looks at a tag on that sheep and figures out which group it goes into. Why would you do that? Well, maybe some sheep have great wool or know how to make a call on a VoIP phone. Others are more tasty and should only talk to file servers. Who knows, but the tag defines the group and the dog puts them where they belong and can't escape. No mixing! We good? Excellent. You buy.
Think of each VLAN as a separate physical network; each network is separated unless you make a connection between those networks with a cable. That is the basics of a VLAN: instead of separate physical networks, each one is divided logically from one another in the same physical network. As long as you don't tie them together on the MX, they will never see one another. If you want them to have access to other VLANs, you can think of it as taking another cable and running it to the other network and gaining access to the resources made available via that connection. This would be done using various rules customized in the MX restricting or allowing varying amounts of access and restrictions.
So, Carl, in basic terms, a VLAN, or Virtual Local Area Network, creates an environment where users on multiple networks, like yours (Finance), HR, Sales and IT, can coexist on the same network device without stomping each other. These networks are invisible to one another even though the users' computers are plugged into directly adjacent ports, which makes it great because you don't want anyone else in the company seeing your data, do you?
It also helps us in IT make the network operate more smoothly by reducing the effect of others' traffic on your network. That means that when Mary in Sales is streaming Spotify (well, we'll put a stop to that...but you get my point!), your urgent email to the CEO regarding everyone's hefty bonuses will go through lickety split!
Just like you use an HP-12c calculator as a tool to do your job, we use VLANs to help us help you do your job better and more efficiently. I hope that answers your question.
VLANs are a solution or method that allows you to separate users or services into individual network segments for security and other reasons.
VLANs are like cell blocks in prison. Each cell block is like a VLAN. Inmates (or devices on a switch port) inside the block(VLAN) can talk to each other, but not with others in different blocks(VLANs). They don't even know they exist. If inmates want to talk to others in different blocks, then they need to use a guard (think a router or firewall) to pass along the message.
We can even take this one step further. Inside each cell block, each inmate has a cell. When inmates are inside their cell, they can't talk to each other, even though they are in the same block. This is true for Private VLANs. You can have devices be part of a VLAN, but when put inside a private VLAN, they cannot talk to others in the VLAN without passing through a guard (in this case the guard is an access list).
Now let's all stay out of prison and away from the guards 🙂
Imagine that a network cable is actually a gigantic tunnel. Imagine that all network traffic going through that cable (or tunnel) is a bunch of little people carrying messages from one side of the cable to the other side.
Without VLANs, all the little people would see each other while traveling through the tunnel, thus potentially having the risk that someone might see their message.
With VLANs the tunnel is full of smaller tunnels (or corridors) which each messenger has to go through. While in this smaller tunnel, there's no visibility of the other guys' messages, because they're all in separate tunnels (unless another message is being carried in the same tunnel on purpose).
At the end of the tunnel (or both ends) some tunnels might merge into one and others might just lead to a completely different place.
Magical, isn't it?
Imagine you are in a room with speakers that are playing two radio stations, two talk shows and a simple how-to instructional audio stream. Not only is it difficult to focus on the one thing you want, it might be that one of the radio stations has content that isn't appropriate for you to hear. That is what a network would sound like without VLANs. Now if we put some headphones on you, we have put you on a VLAN. We can allow you to access the radio station that is playing some easy listening music, while you also listen to that how-to. You don't even know about all that other noise.
Easy way to segment your networks and apply different subnets, virtual interfaces on your core.
With VLANs you can split your switch into many switches/networks.
VLANs are like Condos. There's a main doorway which is the WAN and VLANs would be the rooms inside this Condo. Each room can access other rooms by going to the hallway.
A VLAN is a method to create multiple secure LANs on a single physical infrastructure.
VLANs are like having holiday meals with your family and then your spouse's family. Customs, recipes, politics, and the stories that are shared differ at each. All enjoying the holiday meal (physical network), but you control the conversation at both places (VLANs). So Carl, that embarrassing story at your family's holiday doesn't always get retold at your spouse's.
Think of a network like a neighborhood and VLANs as the houses in the neighborhood. If you have no VLANs it's like having everyone in that neighborhood living in one giant house, or a sports stadium. There is no real privacy; your family can see and be seen at all times by all of the other families. This house would also be very loud with everyone trying to talk over one another all of the time.
Now if we add VLANs to this 'network', every family gets their own house but cannot leave it. These houses are like our VLANs; each family inside a house can talk to their family members very easily and see what their family is up to, but they cannot leave their house. Now that each family has their own house, they no longer need to compete with as many other people's voices when trying to talk to other family members. Now let's say the only way to talk to people in another house is with a phone call and the HOA is able to control who can and cannot call whom. This allows us to control communication to/from any of these houses so that no one can talk to anyone, or everyone can talk to anyone, or something in the middle with some houses being able to talk to some but not all.
Would you rather live in a stadium with thousands of other people, no privacy and always having to shout, or would you prefer your own quiet house?
VLANs are like a party where different groups of people each speak their very own cryptic language that the other groups cannot understand. They know there is something being said but have no way of understanding it without the words first going through an interpreter (router) that would translate the language into the one they are speaking.
Say the party has 20 people attending; there are 4 groups of 5 people in each group and each one of those groups speaks their own cryptic language with a distinctive dialect, which is like a VLAN tag. That distinctive dialect is what the interpreter (router) would use to translate to the other groups, or what a switch would use to keep that traffic within speakers of the same dialect.
That is VLANs in a nutshell.
First: VLANs divide the network into smaller broadcast domains.
Second: they increase security.
VLANs allow you to share the same physical networking gear across your entire environment while keeping sensitive or dangerous communications segmented, like keeping HR traffic separate from all other users for privacy, or ensuring systems IT are testing in the lab won't affect the Finance Team. You can also group systems that communicate with each other a lot into the same VLAN so that those conversations don't interfere with the rest of the systems on the network. Much like putting all the "chatty Kathys" in the same "virtual break room" to share gossip.
VLAN, or virtual LAN, is the method of micro-segmenting a layer 2/layer 3 topology for security or other reasons. By using VLANs, one can associate a certain number of ports on a switch with a particular VLAN, treating them as their own separate switch, thereby isolating the ports to that specific VLAN and also saving money by avoiding a new hardware purchase.
It's a delicious Mexican custard-like dessert.
You may know that a Local Area Network (LAN) segment can address up to 254 end points or devices. You may have seen this noted in various ways such as:
126.96.36.199 - 188.8.131.52.254
or by the subnet mask 255.255.255.0
This limits communication between devices to 254 devices, or fewer if we discount network devices that may be employed such as a firewall, a managed switch, and/or a router. 254 devices sounds great for a small business which may have just a few phones, a smattering of laptops and desktops, some tablets and cellular phones, and perhaps some Internet of Things (IoT) devices such as cameras and thermostats.
But what if you have 100 employees in one building? Salespeople may have a desktop and a laptop in addition to their mobile devices which may also connect to Wi-Fi when in the office. If we have an IP phone on each desk and one in the breakroom, another in the kitchen, and one in each copy room, well, you may see how we quickly run out of addresses for our end-points!
We have a couple of ways to improve density. One would be to employ more network equipment to segment all those devices. We could use a router and more Wi-Fi access points to separate all those mobile devices into their own segment, for example. But as we do this, we add complexity to the physical network and cost, both in terms of initial cost as well as maintenance and support.
Another way to segment the network would be to use a Virtual LAN, or vLAN. A vLAN allows us to use the equipment we have in place and segment the network by using another address scheme "on top of" the same network cabling and equipment. In Meraki's MX80, for example, we can define a vLAN by telling the equipment that we'd like to use the address scheme of 10.10.10.0/24 (254 more addresses!) for all of the IP phones. Assuming there were, oh say, 110 phones on our network, we've just freed up 110 more addresses to use on our 184.108.40.206/24 network (YAY, Notebooks for everyone!).
But how does this work? Each vLAN is assigned a number. We can assign the number 23 to our IP phone vLAN. When we configure the addresses on our IP phones, we tell them to use vLAN 23. Assuming we've correctly set up our network devices (switches, firewall, etc.) for vLAN 23 to handle the traffic for our phones, all of that traffic will run over the same wires and equipment we've already got!
Segmenting networks also has a security bonus. vLAN 14 can (and probably should) be set up to never communicate with vLAN 27. Thus, you can have departments (IT, Accounting, C-level) separated from one another even though they are on the same physical network. A person working on a computer on the shop floor on vLAN 14 would never be able to glean accounting data from a computer on vLAN 27. Placing all IoT devices on a separate vLAN both frees up address space for computers and makes it harder for a would-be attacker to snag information from a database by gaining access through a device such as a thermostat, camera, or fish tank.
If you're a very small business with few visitors in your office, a vLAN may not be for you. It does add a bit of complexity to your setup. As your business, and your network, grows, segmenting your network via a vLAN may be a more secure, low-cost alternative to more equipment.
Think of runways at an airport, Carl.
Lots of planes, carrying lots of passengers. It's important that those planes never get too close, right Carl? That's what we call segmentation, Carl. And, see, the passengers on flight OU812 don't need to concern themselves with what the passengers on flight 2112 are doing. But all of those planes, Carl, with all of those passengers, use the same runway and the same control tower on that particular airfield. Let's say that the airfield is like a network switch, Carl.
You with me on this, Carl?
So then let's call the runways, network cables, Carl; and let's call the planes, VLAN's; and let's call -- Carl! Pay attention! -- and let's say that the people on the planes are like data. We put the data in the VLAN, like we put the people in the plane; and then we put the VLAN's on the network cables, like we put the planes on the runways. And then ATC tells the pilots -- Carl! Pay attention, Carl! -- ATC tell the pilots of each airplane where to go on the airfield, just like your network switch tells each VLAN where it can or can't go. But ATC just cares about the planes, not about the individual passengers inside each plane. So the planes (VLANs) come into / out of the airfield (switch) via runways (cables); and then when a plane (VLAN) gets to the gate (switchport), all of the people (data) hop off of the pla --- Carl! Carl what are you doing!? Get out of the cockpit, Carl! You're not a network engineer. D*mmit, Carl!
First let's take Carl back to the days before VLANs. In an office, let's say you wanted to separate the accounting department's network traffic from the creative department's network traffic. You'd have to buy and install a separate switch for each department because this was the only way to make sure someone in the opposite department couldn't see the other's network traffic. Also, if you wanted to move one person from accounting to another building, there was no way to keep this separation of traffic across different physical locations.
The solution came in the form of VLANs. Technically speaking, all a VLAN is, is a tag added to each Ethernet frame as it enters a port on a VLAN-enabled switch. This tag is removed at the egress port. The two standards for these tags are 802.1Q and ISL, although ISL has really fallen out of use because it's Cisco proprietary.
Having each piece of traffic marked allows a switch to direct where traffic is allowed to go and not allowed to go. So if we now want to make sure that accounting traffic stays separate from the creative department's traffic, we can apply a VLAN tag to each department's traffic and tell the switch where everything is allowed to go. We can even expand this control beyond one physical location, so if a single member of the accounting team moves to a new building, all I have to do is find the port that person is connecting to and apply the accounting department's VLAN to it. That employee is now part of the accounting department's network without much effort or the added cost of rewiring the network.
A VLAN or Virtual Local Area Network is networking terminology constituted by a 12-bit field of an 802.1Q header sandwiched between the source MAC and EtherType fields of an Ethernet frame. It is represented and configured in the range of 1 to 4094.
A VLAN provides Layer-2 segmentation by creating a security boundary and furnishing broadcast separation on a network.
A VLAN = 1 broadcast domain = 1 subnet
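The tag described above (TPID 0x8100 followed by a 16-bit TCI whose low 12 bits are the VLAN ID, inserted between the source MAC and the EtherType) can be built, parsed and stripped with a few lines of Python. This is an added example, not code from the thread or from Meraki; the sample frame bytes and the source MAC are constructed for illustration.

```python
"""Build, parse and strip IEEE 802.1Q VLAN tags on raw Ethernet frames.

Added example, not from the original thread. The frame bytes below are
constructed for illustration only.
"""
import struct

TPID_8021Q = 0x8100           # EtherType value that announces a VLAN tag
ETHERTYPE_IPV4 = 0x0800
MAC_LEN = 6
HDR_UNTAGGED = 2 * MAC_LEN + 2   # dst MAC, src MAC, EtherType


def is_tagged(frame: bytes) -> bool:
    """True if the two bytes after the source MAC are the 802.1Q TPID."""
    if len(frame) < HDR_UNTAGGED:
        raise ValueError("frame too short for an Ethernet header")
    tpid = struct.unpack_from("!H", frame, 2 * MAC_LEN)[0]
    return tpid == TPID_8021Q


def add_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag between the source MAC and the EtherType.

    TCI layout: 3-bit PCP | 1-bit DEI | 12-bit VID.  VID 0 (priority-only
    tag) and 4095 (reserved) are rejected; only 1-4094 identify a VLAN.
    """
    if not 1 <= vid <= 4094:
        raise ValueError(f"VLAN ID {vid} outside 1-4094")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP must be 0-7 and DEI 0 or 1")
    if is_tagged(frame):
        raise ValueError("frame already carries an 802.1Q tag")
    tci = (pcp << 13) | (dei << 12) | vid
    tag = struct.pack("!HH", TPID_8021Q, tci)
    return frame[: 2 * MAC_LEN] + tag + frame[2 * MAC_LEN :]


def parse_tag(frame: bytes) -> dict:
    """Return PCP, DEI, VID and the inner EtherType of a tagged frame."""
    if not is_tagged(frame):
        raise ValueError("frame is untagged")
    if len(frame) < HDR_UNTAGGED + 4:
        raise ValueError("truncated 802.1Q header")
    tci, ethertype = struct.unpack_from("!HH", frame, 2 * MAC_LEN + 2)
    return {
        "pcp": tci >> 13,
        "dei": (tci >> 12) & 0x1,
        "vid": tci & 0x0FFF,
        "ethertype": ethertype,
    }


def strip_tag(frame: bytes) -> tuple:
    """Remove the tag (what an access port does on egress); return (vid, frame)."""
    info = parse_tag(frame)
    untagged = frame[: 2 * MAC_LEN] + frame[2 * MAC_LEN + 4 :]
    return info["vid"], untagged


# Constructed sample: broadcast destination, made-up locally administered
# source MAC, IPv4 EtherType and a dummy (truncated) IPv4 header.
SAMPLE_UNTAGGED = (
    bytes.fromhex("ffffffffffff")
    + bytes.fromhex("021122334455")
    + struct.pack("!H", ETHERTYPE_IPV4)
    + b"\x45\x00" + b"\x00" * 18
)


def demo() -> dict:
    """Tag the sample as VLAN 23 with priority 5, read it back, strip it."""
    tagged = add_tag(SAMPLE_UNTAGGED, vid=23, pcp=5)
    info = parse_tag(tagged)
    vid, back = strip_tag(tagged)
    return {"tagged_len": len(tagged), "info": info, "vid": vid,
            "roundtrip_ok": back == SAMPLE_UNTAGGED}


if __name__ == "__main__":
    print(demo())
```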
Imagine the data your computers and phones send and receive are vehicles. Well, these email "cars" and video "trucks" travel through streets and highways called networks. While we could have everyone drive on the same road to get to their destinations, you can imagine how rush hour would be a 24-hour occurrence. So we obviously want multiple roads to help keep traffic manageable and more efficient, but buying new equipment and running new cabling every time business needs evolve/grow is expensive and unrealistic. Instead, Dave invented the means to create software-defined roads through the physical equipment and cabling. This means we can have a road that accounting will use to get to work and you won't get backed up by sales because they now have their own road to get to work. VLANs take the cabling and equipment, which was just a road, and transform it into a landmass where network engineers can build fast highways, redundant streets, and with a little skill, a safe place to conduct your work.
Imagine that network devices are a bunch of people of several different job roles in a big room talking. Imagine the noise: it's hard to hear and people have to repeat themselves often in order to be heard. Worst of all, when someone is looking for a specific person that they haven't yet met, everyone in the room has to stop talking and listen to the announcement: "John D, please raise your hand so that Jane C can find you."
Now - imagine that the huge group of people is separated out in a logical, orderly fashion- accountants here, engineers there, etc. Then soundproof rooms are installed for each group. Each room has just one single door. Each person in each room is assigned to a specific spot in the room. And each room has an assigned room attendant.
Now, when one accountant wants to talk to another, they know exactly where to go in the room and they can do so directly without having to speak over the engineers.
If however an accountant needs to send a message to someone in HR, it is much easier now for the accountant to figure out that the person they need to talk to isn’t in the room. The accountant will simply hand the message off to their room attendant.
The room attendant knows how to reach every other group, so he will deliver the message to HR’s room attendant who will deliver the message to the specific person in HR.
The soundproof rooms are VLANs. The assigned spots in each room are switch ports. And the room attendants are routers.
VLANs work like waterslides.
Kids (data packets) can get in a blue or green waterslide (VLAN) at the top and exit at the bottom in the same color without crashing into each other.
A VLAN (virtual LAN) abstracts the idea of the local area network (LAN) by providing data link connectivity for a subnet. One or more network switches may support multiple, independent VLANs, creating Layer 2 (data link) implementations of subnets. A VLAN is associated with a broadcast domain. It is usually composed of one or more Ethernet switches.
Layer 2 Collision Domain!
A LAN is like the interstate or highway. Making a LAN into a Virtual (VLAN) is like dividing the lanes up into separate types of traffic based off predefined addresses/subnets. It would be like taking a 4 lane interstate and saying all traffic that is a sports car driving 80+ mph is only allowed in the far left lane. Sedans, family vehicles are allowed in the left center lane driving 60-80 mph. The right center lane would be for utility trucks, company trucks, or delivery trucks driving 60 mph. The far right lane would be for heavy vehicles such as semi trucks, etc going 50 mph or under. This helps keep traffic flowing and no bottlenecks as all similar traffic and speed is required in each lane, and no lane hopping.
So for a network we would create a VLAN for security camera systems, VLAN for guest network, VLAN for internal PCs, VLAN for servers, etc. This opens up more space for more devices and keeps the network flowing smoothly at the given rate it should, much like the interstate example above.
Think of vLANs like playing cards, where you can only play cards of the same suit. In the vLAN world, ports can only see network traffic of the same (or allowed) vLANs. If you have multiple suits of cards in your hand, then you have access to play any of those suits. If a network port is set to allow access from multiple vLANs, then it can see traffic from each of those specific vLANs.
VLAN (short for Virtual Local Area Network). A switch supporting VLANs lets you logically separate networks even when using the same physical switch / network infrastructure.
Imagine you had two physical switches which you have not connected together, but rather have created two physically separate networks (network A and network B). Using a layer 2 switch which supports VLANs, you are able to set up these two separate networks on a single switch. This is not so amazing, as it could all be done by using two separate physical switches. It gets amazing when you have multiple networks on multiple switches in multiple locations and, most importantly, a significantly limited number of physical/virtual links between these locations. Using VLAN tagging, all those networks (VLANs) are able to run over the limited uplinks and all on the same switch hardware. The networks are still logically separate (unless connected via a layer 3 router), but these separate networks are running on the shared switch / network infrastructure.
Basically, VLANs make management of multiple networks straightforward and you are able to utilise your resources more effectively because you have less hardware. This makes management and deployment much simpler (less physical hardware). In particular, when using Meraki, all ports are tagged with all VLANs by default. This makes things very straightforward to manage and set up.
Creating a separate network (VLAN) is as simple as configuring two ports to be "access" ports on your network (other systems may use other names like untagged ports). For example, if you want to set up VLAN 50 (VLANs normally have numbers associated to identify them), then configuring two or more access ports as VLAN 50 will mean you now have a logically separate network from the other ports on your switch(es) / network.
Honestly, I have never dealt with a system which handles VLANs as well as Meraki Dashboard. The process is so simple. See picture for the bits you need to change to make it all work on a port within the Meraki Dashboard.
Go on, if you have not, make a VLAN today; you only need to configure a couple of ports on a single switch and you are up and running. Don't delay, try today. There is more to it all as you dive in, but getting started is that simple.
The great thing about a VLAN is that in a more advanced setup (multiple switches) it will allow you to expand a LAN to go beyond the way you may typically think of a LAN. For example, you can expand it to span between buildings or even different sites using the existing links you have in place, such as private copper, fibre, VPN, etc.
Most importantly, Meraki Dashboard allows configuration beyond switches and also covers MX gateways. If you are using Meraki switches and also the MX gateways, everything is configured from the dashboard.
Imagine you have a company that has two networks. On one network you have all the workers, and on another you have all the servers. They're on separate networks so that you can enforce security on the router between the two networks. Now the company grows and you move into a second building. You need to add more servers to the network and they're going to live in the second building, with the new workers. You really want to keep the two networks separate, still, but you don't want to run two cables between the two buildings; you'd like to just run one. So, you come up with a solution: on the switches in each building you put all the workers' machines into the first half of the switch, and all the servers into the second half of the switch. You then have the switch add a tag to the beginning of each packet to tell you which network the packet has come from on the link between the two buildings, and when it gets to the other end of the link the switch removes the tag and only sends the packet on the network the tag told it to. Congratulations, you've invented VLANs.
VLANs can be tagged or untagged - when they're untagged, it's a method for using one piece of network equipment (such as a switch) as more than one smaller switch for more than one network. When they're tagged, they're adding an identifier to the beginning of the packet to say which network they're supposed to be on, so that several links can be combined but the traffic kept separate. Devices can do a combination of both, if they need to.
It also allows for neat things like a router or firewall with only one network cable plugged in, because it can send and receive packets on different networks by using different tagged VLANs.
In its simplest terms, VLANs are a recommended practice in networks to segment data types and/or office departments, floors and buildings. They allow for easier management and troubleshooting in addition to facilitating a more secure network.
Networks are noisy, really noisy places, and we use VLANs to limit the noise. The end device you connect to any network talks a lot; think of them as being really sociable! But like the local gossip in the office, everyone knows how distracting that can be. Imagine you're at a concert with lots of others (this is the network you're connected to). You know your friend Mandy, whom you want to find, is somewhere in the room and you want to send Mandy a message: has she got any cola? So the first thing you would do is to shout very loud, maybe using the performer's microphone, "Where is Mandy?" (this process is called ARP). In networking this is called a broadcast, and broadcasts are limited to the network they are connected to, similar to a concert hall where you can't hear the music outside; in a network you can't hear broadcasts outside of the network (well, under certain circumstances you can, but we will cover this later). Assuming Mandy can hear you, she might reply "I am in section A, row 22, seat 7". In networking this process is called ARP, where Mandy (the IP address) is mapped to section A, row 22, seat 7 (which is the MAC address). Now we know where Mandy is sitting, we can send her a message using the seat number, as Mandy is constantly listening for any messages that are for her.
But now in the concert, the person next to you, and the person next to them, are all trying to send messages to their friends who, like you, don't know where they are, and they want to speak now, they won't wait! In fact everyone in the concert hall is now shouting for their friends. In our concert there might be hundreds or thousands of microphones, and everyone is competing for microphone time; everyone is listening for messages destined for them.
This is what a large flat network looks like and sounds like if you are a computer. To make things easier we break a logical chunk of devices into what we call subnets or VLANs.
So in our example above, you might break each row into a separate VLAN. To do this you will have one person in each row (let's call them the Talker), who is able to talk to other Talkers in other rows as well as to everyone in their row. Now when I want to know where Mandy is, first I shout as above, but this time my voice doesn't carry outside of the row I am in. The Talker listens, and if Mandy doesn't answer from within our row, the Talker goes out and repeats "Where is Mandy?" to the rest of the concert hall. Only the other Talkers hear the request, and so the broadcast is limited to a smaller number of devices. The Talker in Mandy's row says "I know where she is!!" And so the message I send is now sent to Mandy via my Talker and her Talker. Now when next exchanging messages, both Mandy and I know which Talker we need to use to exchange messages, but also our conversation is not overheard outside of the rows we both sit in.
That is why we create VLANs: to cut out the distractions of noisy messages, to segment the search into logical chunks, and to ensure that when we do speak, everyone doesn't have to hear our voice, listening in case we say something that includes them.
VLANs are like a highway with Jersey barriers separating the lanes. Everyone's using the same road, but you're in your lane and you're staying there. You can interact with other cars in your lane, but you can't interact with cars in other lanes until you get to an intersection (aka router), probably with a traffic cop (firewall) deciding if you really need to visit those other lanes or not.
VLANS are like gated communities, inside the gates everyone can move around freely and talk to their neighbours, you can’t get into the gated community without a tag or being allowed in. None of your chit chat or gossip leaves the community, so what happens in the community stays in the community.
The concept of a VLAN is pretty easy to explain to an intelligent person like you, Carl 🙂
For example, you are always close to your family irrespective of their location. While talking to them directly or through voice/video call, you have that special bond with them that can't form with everyone else.
Similarly, devices in a VLAN have that virtual bond irrespective of their physical location that can't be formed with devices in other VLANs.
Using VLANs, we can separate the Printer family, Phone family, IoT family and Access Point family from each other. This gives easy management and better security features.
VLANs allow you to create and split up many networks within a single device, called a "Switch". For example, they would allow you to create up to 4000+ networks within just one switch instead of buying 4000 switches, one for each network. In essence, VLANs are essentially like tiny "virtual switches" all inside of one device.
VLANs operate as if they were private booths in a restaurant. They would allow you to seat a group of "guests" (which would be PCs, laptops, phones or printers in this case) within their own booth in order to eat privately and discreetly instead of having all of the guests in one large open dining room. So there's some level of privacy there. You can also separate the "guests" (or devices) however you like, and move them around as needed. If you wanted to sit with members of your party from the same group, either in that particular restaurant or other participating restaurants, you would need a "tag" to identify you as a member. You can think of the "tag" as one of those cool vibrating restaurant pagers that you receive when you're waiting to be seated. (This is what we would call "trunking".)
You can also draw a comparison of VLANs to AOL Chat Rooms in the '90s 😉 Each chat room (or VLAN in this case) has its own purpose or "topic" and its own community of online members. The benefit here is, if one of the rooms gets too "chatty", it doesn't affect the other chat rooms. Similarly, network traffic (such as Broadcasts) in one VLAN cannot reach or affect other VLANs.
Carl, if you're like everyone else here, you're here because you believe data security is important. Ready for the "high speed-low drag" on one of the best ways to keep your network secure? VLANs and segmentation. VLANs are actually pretty simple. Networking is really simple. It's literally NOT rocket science.
Think of a network like your old house phone. Anyone in your house who picked up that phone could talk or listen in. If you're trying to keep someone else with another phone in the house from listening in... good luck. A VLAN is like a business phone system. Sales can only call other people in sales, by extension only... unless you call through the receptionist. They have to patch you into the Finance department... or even a customer.
That way, the sales department can only talk to the sales department and they're not allowed to bother the Finance department unless Sheila at the front desk patches them through.
Boom. VLANs. Segmentation.
I explained it like this to a CEO once, and he loved it and understood.
Got my project Approved as well because of it!
It's like having two rats in a box; in that one box are two unique mazes that are made of clear walls.
The rats can see each other, they know about each other, and they move in their own maze, going past the other rat on the other side of a clear wall.
But they never physically touch each other.
Unless, that is, you open a gate to allow them to share a resource. For example, if you only want to have one food spot, you open a gate so they share the food, but the gates are not big enough for them to get all the way through into each other's maze, just big enough to stick their heads in and share the food.
Before starting with the concept of a VLAN, let's go a little further back, what is a LAN?
Well, a LAN is a network where we can share resources (files, printers, removable devices, etc.) in a small space, defined as its name says: Local Area Network. An example of a LAN is all the desktops, laptops, printers, etc. that are in the accounting department of a company; all will have access to the resources that they share among them without having to leave their own network.
Now a VLAN, as its acronym says, is a Virtual Local Area Network. This means that it is a LAN that physically does not exist as such, because it is a logical division of a physical device.
To understand this concept I leave this example:
We have a big room (physical switch) about 24 meters long and 24 meters wide (1 square meter = 1 port) that will be occupied by one or more people (person = VLAN), which means that each person will have their own space in the room, of a size that will be defined by the boss (network administrator). Each employee will have their personal space and will have divisions to isolate it from the rest; in spite of being part of the initial room, nobody else will be able to use their workspace. The same happens when a VLAN is created in a switch: even though everything is in a physical device, each VLAN will have its own configuration and number of ports assigned, and it will be isolated from the rest, so even if there are 5 people from different departments working in the same room, those 5 people will not be able to see or know anything about the other people in the room.
What benefits does it bring? Well I leave 2 of the benefits that personally seem more important:
As I mentioned before, it will give us more security, because the devices that do not belong and do not have permissions will not be able to see what is in other VLANs. Also, following the example of the room, in case some criminal (unauthorized person) enters the room, they can only see what is in the space they managed to enter and not what is in the other spaces; this also helps to have more confidentiality.
Another benefit is that the resource and network load is reduced (latency is reduced, CPU, memory, etc) because only what is to be output from the VLAN and not all traffic that is generated is processed.
I hope everything has been understood!!
First of all, thank you for the fantastic event that Meraki is posting on this community.
Well, to put it simply and in layman's terms, a VLAN is similar to segregating trash, which puts it in order.
Think of cars as traffic in the network, and the road (and all of its lanes) as the switch. A VLAN allows the cars on that road to be separated from the rest of the traffic, so a VLAN is like a toll road pass. The cars on the VLAN1 toll road will be in a different, separate lane than the people on the VLAN2 toll road. Even though they are all on the same road, each VLAN has its own different lane for a specific type of traffic.
The benefit, much like a toll road, is that it helps move traffic more efficiently from one point to another. Also, toll roads have barriers to keep other traffic from joining them: if you don't have the right tag, forget about joining that toll road.
Lets consider there is a big gathering and they are all talking. It will be impossible for them to communicate with each other.
Now if we move them into reasonably sized rooms. Say the rooms are named Red-Room, Orange-Room, Green-Room. Now the number of people in the rooms is reduced such that whatever they say can be heard by everyone in the room. In addition, we have similarly labelled rooms on every floor of the building, and they are interconnected with the same-colored rooms, i.e. the Red-Rooms on all the floors are interconnected such that anyone talking in the Red-Room on the ground floor can be heard by all other Red-Rooms on other floors and vice versa. So we have created smaller rooms where people can communicate without yelling at each other. It offers security, such that you can keep like-minded / security-conscious discussions in a particular colored room.
Likewise VLAN provides a boundary around the network such that a computer which is part of VLAN can communicate with other computers on the same vlan irrespective of the floor it is at, it is its broadcast boundary. It offers security, so that you can keep all the servers in a vlan with similar security requirement and all the end users in another vlan with other security requirements.
A VLAN creates multiple networks without creating multiple networks.
By configuring your switch and routing equipment, you can designate and separate your wired and wireless connections to act as separate and distinct networks, all using the same infrastructure. In this way you can keep some equipment secure from others, some groups private from others, and easily manage resources, without additional equipment or wire.
You can tell Carl from Finance that VLANs are like pipes within pipes, but for computer networks. They make sure that the water from the toilet doesn't get mixed in with the water coming out of the tap.
There are 2 squirrels running down a pipe. They get in each other's way, slowing each other down; one tries to steal the other one's food; it's just chaos. Now if we tag each squirrel with a VLAN, they are both still in the same pipe, but they can't see each other, they don't get in each other's way, and they cannot hop into each other's path. They end up where they are supposed to go without ever interacting with each other. The only way for them to cross paths is if I allow it in the tree branch router.
Does that help you understand VLANs? LOL.
A VLAN is a broadcast domain.
Performance. As mentioned above, routers that forward data in software become a bottleneck as LAN data rates increase. Doing away with the routers removes this bottleneck.
- It is relatively easy to put all the people working together on a particular project all into a single VLAN. They can then more easily share files and resources with each other.
- If users move their desks, or just move around the place with their laptops, then, if the VLANs are set up the right way, they can plug their PC in at the new location and still be within the same VLAN. This is much harder when a network is physically divided up by routers.
- If there are servers or other equipment to which the network administrator wishes to limit access, then they can be put off into their own VLAN. Then users in other VLANs can be given access selectively.
VLANs allow you to host separate & isolated networks on the same networking equipment by tagging packets with a VLAN ID corresponding to the network that device has been assigned to.
This is the first post to the Meraki Community.
I do VLAN-conscious network management on a daily basis.
There is a lot of important information, such as source code, in the company.
Some sites have limited access to only some of their employees.
For such sites, we separate the privileges for each account, but access is also controlled by VLANs.
As an example, engineers can view, but others cannot....
In addition, we prepared an isolated VLAN network for customers who come to the company, to protect company information.
Managing VLANs separately is very secure, and I think it is important for protecting important information.
As you are probably aware, computers can only communicate with each other if they are on the same network, a network being a group of computers connected together. The problem is, when you have hundreds of people connected to the same network, you need a way to control who can talk to whom, and where different information is sent. VLANs, virtual local area networks, are the solution to this issue. VLANs behave like separate computer networks for the computers that use them, giving administrators more precise control over network traffic.
In short, VLANs are used in a network to create subnetworks to help control how information flows through the network as a whole.
VLAN is a single broadcast L2 domain wherein broadcast is seen by every node in the same domain.
VLAN segregates existing physical network into multiple logical networks.
Each VLAN creates its own broadcast domain.
All data or voice traffic between two VLANs can only traverse through a router or a layer 3 device.
A VLAN is a Virtual Local Area Network, which allows multiple IP networks or subnets to exist on the same switched network (devices - switches).
The simplest way to think of it: we create one "virtual" switch per IP network, on one switch or across multiple switches.
Hi Meraki Team,
Is India overqualified to enter the Eligible Countries List?
VLANs are the first level of virtualization in a network, which starts from a switch.
It's a network inside another network.
It helps you segregate the traffic of different departments or entities in an organization.
The most commonly used analogy:
We use VLANs to keep the internal employee traffic and guest traffic on different VLANs, to avoid giving guests access to our internal network.
Imagine you and I are going to share a milkshake. It just makes sense for us to each have our own straws. It’s clean, efficient and easy to see who is doing what. VLAN to Network = Straw to Milkshake 🙂
”I drink your milkshake! I drink it up!!!”
VLANs are like the rails of a train: once the train (client) is on its tracks, it will go on its way.
It can cross the other rails (VLANs) only in a train station (L3 device).
VLANs means virtual local area networks. They enable the logical separation of multiple networks on the same physical network hardware. VLANs can be configured untagged and tagged. For example, one can divide a switch in half. The first half is Network A (green) and the second is Network B (red), instead of two physical switches. With untagged, all packets that do not have labels are routed to the VLAN which is configured as untagged on the network port.
However, several networks can use the same port (port 8 - green and red).
With tagged, all packets get a sticker with the respective VLAN. So the network hardware can use the sticker to see whether the packet is allowed in the VLAN, or where it is allowed.
So here you can see ports 1-7 are configured as untagged and use the red or the green network. Port 8 is tagged. So port 8 is used by both networks, red and green.
PC A-1 can talk with PC B-1 (over port 8) but not with PC A-5 or PC B-5.
PC B-6 can talk to PC B-5 but not to PC B-1 or PC A-1.
(License: CC BY-SA 3.0, see https://creativecommons.org/licenses/by-sa/3.0/)
VLANs simplify managing multiple separate networks in one environment. Separating networks provides greater security in the network environment, because not all network clients can intervene in all networks. Thus, e.g. a guest network or production network is segregated from the normal corporate LAN.
To explain VLANs in their simplest form: compare the local area network (LAN) to a binder containing all the documents/data; we'll have to make believe that this binder can be huge. Since a single binder with hundreds or thousands of unsorted documents can be difficult to work with, you usually place an index in the binder. Now compare each part of the index to virtual local area networks (VLANs), with the same capacity as the binder itself.
The index segments the documents/data from each other to make them easier to find and work with; anyone can view any of the sorted documents/data in a quick and easy fashion.
Now with VLANs also comes added security; compare this to a key lock per index. So if you don't have the key for that specific index, you won't be able to view or work with its contents. This makes it easy for a CFO to have a single binder for all of the company's finance staff to work with, but at the same time make sure that critical documents/data can only be accessed by authorized personnel.
That ought to explain it to someone that isn't 20, at least... a CFO ought to be at least 40, I guess, and hopefully knows what an indexed binder is... 🙂
The concept of and benefits to utilizing VLANs
A VLAN is logically dividing a switch into multiple, independent switches at layer 2.
Each VLAN is its own broadcast domain, segmenting the broadcast domain among the different VLANs.
The difference is that with VLANs, you still connect all the PCs to a single switch but you make the switch behave as if it were multiple, independent switches.
The advantages of using VLANs are as follows:
•VLANs increase the number of broadcast domains while reducing their size; this is the same effect that routers have, but without the need to buy a lot of routers or a big router with a lot of ports, so it's less expensive and easier to administer.
•VLANs provide an additional layer of security: No device in any VLAN can communicate with a device in any other VLAN until you deliberately configure a way for it to do so. An example might be a server in VLAN 10 that holds sensitive employee files for HR; no PCs from other VLANs can access VLAN 10 (or the server in it), unless you specifically configure it to do so.
•VLANs are flexible in terms of how they are used in network equipment: Imagine a building that has LAN cabling and a single switch installed, but four different tenants. You can create four different VLANs, one for each tenant, and no tenant will see or hear from the other tenants on the other VLANs.
•VLANs can span across multiple switches using trunk links. This allows you to create a logical grouping of network users by function instead of location. If you want all the marketing people to be in their own broadcast domain and IP subnet, you can create a VLAN for them on the first switch; then, you can connect another switch using a trunk link, define the same VLAN on that switch, and the marketing users on the second switch are in the same VLAN and can communicate with the marketing users on the first switch, and are isolated from other VLANs on both switches. This capability can be extended across an enterprise network campus, so that marketing users in the Whitaker Pavilion could in theory be in a VLAN with other marketing users in the Valentine Pavilion.
•The ability to trunk VLANs across multiple switches makes adding users, moving users, and changing users' VLAN memberships much easier.
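An added worked example, my own code rather than anything from this post or from the earlier red/green switch entry: a small model of two switches joined by a trunk, with untagged access ports for each VLAN, that answers the question both posts raise, namely which hosts hear a broadcast. Switch names, port numbers, VLAN numbers and host names are constructed; the model has no spanning tree, so a visited set stands in as the loop guard.

```python
"""Broadcast reach across two switches joined by an 802.1Q trunk (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class Port:
    mode: str                                    # "access" or "trunk"
    vid: int = 0                                 # VLAN of an access port
    allowed: frozenset = frozenset()             # VLANs carried by a trunk port
    host: Optional[str] = None                   # PC attached to an access port
    peer: Optional[Tuple["Switch", int]] = None  # far end (switch, port) of a trunk


class Switch:
    def __init__(self, name: str):
        self.name = name
        self.ports: Dict[int, Port] = {}

    def access(self, port_no: int, vid: int, host: str) -> None:
        """Untagged port: every frame in and out belongs to exactly one VLAN."""
        self.ports[port_no] = Port("access", vid=vid, host=host)

    def trunk(self, port_no: int, allowed) -> None:
        """Tagged port: frames carry a VLAN ID and only allowed VLANs pass."""
        self.ports[port_no] = Port("trunk", allowed=frozenset(allowed))

    def classify(self, port_no: int, tag: Optional[int]) -> Optional[int]:
        """VLAN an ingress frame belongs to, or None if the switch must drop it."""
        p = self.ports[port_no]
        if p.mode == "access":
            return p.vid if tag is None else None   # tagged frames are not accepted on access ports
        if tag is not None and tag in p.allowed:
            return tag
        return None                                 # untagged, or a VLAN not allowed on the trunk

    def flood(self, in_port: int, tag: Optional[int], seen: Set[Tuple[str, int]]) -> Set[str]:
        """Flood a broadcast that arrived on in_port; return the hosts that received it."""
        vid = self.classify(in_port, tag)
        if vid is None or (self.name, in_port) in seen:
            return set()
        seen.add((self.name, in_port))              # loop guard standing in for STP
        received: Set[str] = set()
        for no, p in self.ports.items():
            if no == in_port:
                continue
            if p.mode == "access" and p.vid == vid and p.host:
                received.add(p.host)                # tag stripped; the host sees plain Ethernet
            elif p.mode == "trunk" and vid in p.allowed and p.peer:
                far_switch, far_port = p.peer
                received |= far_switch.flood(far_port, vid, seen)   # carried tagged
        return received


def connect_trunk(a: Switch, a_port: int, b: Switch, b_port: int, allowed) -> None:
    """Configure both ends of a trunk with the same allowed-VLAN list and link them."""
    a.trunk(a_port, allowed)
    b.trunk(b_port, allowed)
    a.ports[a_port].peer = (b, b_port)
    b.ports[b_port].peer = (a, a_port)


def build_campus() -> Tuple[Switch, Switch]:
    """Constructed topology: marketing = VLAN 10, HR = VLAN 20, guests = VLAN 30."""
    sw1, sw2 = Switch("sw1"), Switch("sw2")
    sw1.access(1, 10, "mkt-pc-1")
    sw1.access(2, 20, "hr-server")
    sw1.access(3, 10, "mkt-pc-3")
    sw2.access(1, 10, "mkt-pc-2")
    sw2.access(2, 20, "hr-pc")
    sw2.access(3, 30, "guest-laptop")
    connect_trunk(sw1, 8, sw2, 8, allowed={10, 20})   # VLAN 30 deliberately kept off the trunk
    return sw1, sw2


def broadcast_from(switch: Switch, port_no: int) -> Set[str]:
    """Hosts that hear an untagged broadcast (e.g. an ARP request) sent into port_no."""
    return switch.flood(port_no, None, set())


if __name__ == "__main__":
    sw1, sw2 = build_campus()
    print("mkt-pc-1 broadcast reaches:", sorted(broadcast_from(sw1, 1)))
    print("hr-pc broadcast reaches:   ", sorted(broadcast_from(sw2, 2)))
    print("guest broadcast reaches:   ", sorted(broadcast_from(sw2, 3)))
```

The marketing PC on sw1 reaches the marketing PC on sw2 through the trunk and nobody in VLAN 20; the HR PC reaches only the HR server; the guest laptop reaches nobody, because VLAN 30 exists on sw2 alone and is not allowed on the trunk. Pruning the trunk's allowed list that way is the practical check to make when a VLAN is supposed to stay on one switch.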
VLANs are a bit like playing pass the parcel. Trunk ports are the same as when the music is playing. You take the parcel (or packet) and pass it on, leaving all the wrapping (or tags) alone, with all the data from various networks inside the wrapping. When you reach an access port the music stops, and you open the wrapper and see only the traffic for that network.
Different access ports in different VLANs will open the parcel to different wrappers and so see traffic from different virtual LANs.
A VLAN is a networking concept to logically separate traffic in a network.
When connected to a network you can add a tag in front of the traffic coming from your device so you can communicate only with devices using the same tag.
If you want to communicate with devices using other tags you need to use a more "clever" device such as a router.
The benefits are that you can separate traffic at your will (e.g SSIDs, Services, Departments, Users etc) and apply specific addressing, routing and communication rules.
A VLAN is a technology solution in which you are able to segment or separate users into different network segments for privacy and security, and to keep errors/problems from being propagated to the whole network, i.e. you can contain issues arising from one portion of the network and stop them from affecting the whole network.
Imagine this Carl.....
Now at any point, any one of these companies can increase or decrease the amount of office space they require. At some point this space could be split across multiple floors or areas.
If all the computers for all users within all companies in the building could see each other and potentially access each other's confidential data, would that be ok?
No you say?
So if your company could not be seen by other companies, and your department could access all the data on your servers that it needed to, and other company users could not see your computers, would that be ok?
So how do we achieve this?
The important thing is the security of your data and the ease with which you are able to carry out your work, combined with being able to be mobile within the corporate environment and knowing that things simply just work.
People like us make that magic happen, we analyse the needs, we design the architecture, we implement and support a "Virtual Network" to make sure this happens and gives you peace of mind that you and your data is safe.
How does that make you feel? Happy? Cared for?
VLANs are the separation between the parts, things you don't want to mix, just like water and oil, or the production department and the financial department, where none of the employees have access to each other's separate parts, which in turn is also the benefit of the separation.
VLANs are like the road and the parking gate. When the motorcycles and cars are on the road, they drive together on one road. It's called a VLAN trunk. When they go to the parking gate, they will be separated at each gate. It's called VLAN access. Motorcycles and cars are the VLAN IDs.
Imagine a 'huge room' filled with lots of people, and they're all chatting. Pretty noisy right? Everyone's messages are broadcast in the entire room. What about security? You can overhear potential sensitive information. Now imagine taking all those people and grouping into their own respective 'rooms', within the 'huge room'. Now the chatter is contained within the room, improving security. Same people, but now in organised fashion. Now what if a message needed to be passed to another group in another room? No problem. A designated 'doorman' has the ability to pass messages between rooms. Each room is tagged so the door man knows which room is which.
Take this analogy and apply it to understanding VLANs. The huge room is the switch. All users are physically connected to the same switch, and more importantly the same VLAN by default. Now take those users and place them in their own VLANs by grouping specific ports into VLANs. Now users' traffic is contained within their own VLAN, defining this as a broadcast domain. Now traffic is more secure, and if a packet needs to be sent to another VLAN, the router (analogous to the doorman) is able to communicate between VLANs. VLAN traffic is tagged so the router knows which VLAN to send the traffic to.
Apart from improving security, VLANs allow for the creation of more flexible designs, and reduce the amount of work required on each device within a VLAN.