Previous: Part 6.3: Layer 2 Switching – Loops, Spanning Tree and Topologies
I probably should have covered this a little earlier in the series, regardless we’ll do it now. Networks are loosely categorised by the area they cover. This is usually compacted into a useful xAN acronym where x stands for the scope, A stands for Area and N stands for Network. The following table lists the different scopes:
|LAN – Local Area Network||Usually restricted to a single building or even sub-parts of the building in some cases. This type of network is most relevant to everything we have discussed at Layer 2 of the OSI stack. Primarily related to wired network connectivity.|
|WLAN – Wireless Local Area Network||Very similar to LAN, but focussed on wireless connectivity as opposed to wired. Usually restricted to a single building or even sub-parts of the building in some cases. This type of network is most relevant to everything we have discussed at Layer 2 of the OSI stack.|
|WAN – Wide Area Network||The largest scope of network that could potential span the entire globe.|
|MAN – Metropolitan Area Network||Still large but restricted in size to Metropolitan area such as a city or large suburb.|
|CAN – Campus Area Network||Multibuilding networks deployed across educational or similar institutional campuses.|
|PAN – Personal Area Network||Used for devices in your immediate personal space or within a few meters. Smart phones and other Bluetooth driven devices sit in this category.|
One acronym missing from the above table is VLAN – Virtual Local Area Network. Let’s put some focus on it now.
VLAN – Virtual Local Area Network
The reason I’ve missed it from the table is because a VLAN doesn’t really fit into a physical scope. It’s actually a logical segmentation construct that sits inside an existing Local Area Network or LAN.
Remember the importance of the Port as a management entity as stated in the previous post? This comes into play again here with VLANs too. By assigning a VLAN to a port we effectively segment it from the rest of the ports in the environment that aren’t assigned to the same VLAN. Without VLANs, every device connected to every switch in the network sits in the same Broadcast domain. Once the switches have learned which ports are occupied by which MAC addresses, broadcasts are reduced, but they do still need to happen as network changes are made frequently. By assigning VLANs, we are logically splitting down the broadcast domain into multiple smaller broadcast domains. Another more dynamic way to establish VLAN membership is by MAC address. This means that whichever port in the network a device is plugged into, it will always be recognised as a member of the correct VLAN.
So why would we want segment at all? There are two reasons, Security and Network Efficiency. From a security perspective, by creating this logical segmentation we stop nodes from receiving frames that they do not need to receive, as all broadcast traffic is isolated to the ports that belong to the correct VLAN. This is can prevent an eavesdropping or any other unwanted visibility of frames outside of the VLAN. We might want to segment different departments in this way. For example, the payroll department might sit on its own VLAN, as the data it transmits is financially sensitive. Do all the nodes in the other departments need to see those broadcasts? Probably not. Network Efficiency is pretty straight forward too. By segmenting the traffic into VLAN we also reduce the amount of traffic each node receives. This reduces the amount of bandwidth used by the node and also the amount of processing the node has to do, to work out if the unwanted frames are intended for it, before discarding them.
While VLANs are an excellent tool for subdividing broadcast domains, we can take this even further if required using PVLANs (Private VLANs). A detailed description of the PVLANs is out of scope for this primer, but as a high level summary we can say that they are used to subdivide VLANs into even smaller broadcast domains. We create some secondary VLANs and then implement some rules to restrict which ports in the Primary VLAN each sub-division can communicate with. A good example use case for this might be a hotel network, where we want all devices to be able to communicate with the internet connected router, but not with each other. More details can be found here : Private VLANs.