Network Segmentation – CompTIA Network+ N10-007 – 1.3

We commonly use network segmentation technologies to provide security and separation between logical areas of the network. In this video, you’ll learn about physical segmentation, logical VLAN segmentation, and 802.1Q VLAN trunking.


Here’s a common network configuration that involves two separate switches with two separate broadcast domains, and the devices in each broadcast domain have no idea that the other switch exists. There are no virtual LANs, or VLANs, involved in this configuration. And there are a lot of good reasons to set up a network this way.

The network design is very simple because all of the segmentation is done on physical devices. It minimizes the effects of broadcasts because you’re splitting the network into different pieces. And security is certainly improved because devices that are connected to one switch can’t communicate with any of the devices that are connected to a physically separate switch.

One of the problems with this design, however, is that it’s difficult to scale when you have hundreds or thousands of different networks that all need to be separated. It’s difficult to manage hundreds or thousands of individual switches in a data center.

Instead, what’s commonly done is to provide the separation inside of the switch in a logical form, rather than in a physical form. This is called a virtual LAN, or VLAN. We’re still able to segment the network. These devices are still in separate broadcast domains. And these devices still can’t communicate with each other, because there is a logical separation between the VLANs.

It’s not uncommon to configure many different VLANs on a single physical switch. For example, we have three VLANs in this example. The red VLAN is the gate room, the blue VLAN is the dialing room, and the green VLAN is the infirmary. None of the devices on the red network can communicate with any of the others. The blue network cannot communicate with any of the other networks. And the green network is also segmented onto its own VLAN.

The only way that these VLANs could possibly communicate with each other is to route traffic between the different VLANs. We’ll talk about routing, and routing between VLANs, in an upcoming video in this series.

What if you were spreading these VLANs across multiple switches? You might have an Ethernet switch with a VLAN 100 and a VLAN 200. And then, you might have a different physical switch, which also has the same VLAN 100 and the same VLAN 200.

One way that you could connect these VLANs to each other would be to run one cable for VLAN 100 between these two switches and another cable for VLAN 200 between these two switches. This obviously would not scale very well once you have a larger number of VLANs.

What if there are 10 VLANs that are shared between these switches? Or 100? Or 1,000? You wouldn’t even have enough interfaces on the switch to be able to connect all of those VLANs to each other.

Instead, you would create what’s called a trunk. This trunk connection is a single physical connection between those two switches, but it’s able to transmit multiple VLANs across that trunk.

The standard for trunking is called IEEE 802.1Q. We often refer to it in the abbreviated form as a dot1Q trunk. The way that this trunk information works is that we take a perfectly normal Ethernet frame that has a preamble, a start frame delimiter, a couple of MAC addresses for the source and destination, and, ultimately, a payload inside of that frame.

But we need to identify which VLAN this frame is coming from and which VLAN it’s going to. We need to fit the VLAN information somewhere in this frame. So when we send information over a trunk, we add an additional field called the VLAN field. That VLAN header specifies what the destination VLAN will be once this particular frame gets to the other end of the trunk.

If you were to grab a packet capture and look at the VLAN field, you’d see that it’s 12 bits long. That gives us enough numbers to come up with 4,094 possible VLANs that we can use on this particular trunk. Some devices, like Cisco switches, will separate these into a normal range of VLANs, which would be 1 through 1,005, and an extended range of VLANs, which would be VLANs numbered 1,006 through 4,094. Other devices will simply use all of the numbers, inclusive, between 1 and 4,094.

You should also note that the very first number and the very last number of this 12-bit range, which would be 0 and 4,095, are reserved VLAN numbers, and you’re not able to specify those as separate VLANs on your switch.

You may see in much older switches and older study materials a mention of a different type of trunking protocol called ISL, which stands for Inter-Switch Link. These days, ISL is no longer used, and if you’re doing any type of trunking in your environment, it’s always going to be a dot1Q trunk.

Let’s see how this trunking process might work, starting with an Ethernet frame that originates on this device on VLAN 200. This device needs to communicate with the device on the other Ethernet switch, so that frame is sent to the dot1Q trunk interface.

At that point, the VLAN information for VLAN 200 is added into the frame, and it’s sent across this particular trunk. At the other side, that VLAN tag is taken out of the Ethernet frame, and the frame is put back onto the network and sent to the appropriate VLAN.
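To make the tagging and untagging concrete, here is an added worked example (my own illustration, not code from the video or from any switch vendor) that builds an untagged Ethernet frame, inserts a 4-byte 802.1Q tag as a switch would when forwarding the frame onto a dot1Q trunk, parses it back, and strips the tag on the receiving side. It models only the dst/src/EtherType/payload portion of the frame; the preamble, start frame delimiter and FCS are handled by hardware and are left out. The 12-bit VID field, the reserved values 0 and 4095, and the TPID value 0x8100 are from the IEEE 802.1Q standard; the MAC addresses and payload are constructed sample values.

```python
import struct

TPID_8021Q = 0x8100         # EtherType value that announces an 802.1Q tag follows
VID_BITS = 12               # the VLAN ID field is 12 bits wide
RESERVED_VIDS = {0, 0xFFF}  # 0 and 4095 are reserved; 1..4094 are assignable


def usable_vlan_count() -> int:
    """Number of VLAN IDs a 12-bit field can carry once the two reserved values are removed."""
    return (1 << VID_BITS) - len(RESERVED_VIDS)


def is_usable_vlan_id(vid: int) -> bool:
    """True for IDs a switch lets you configure as a separate VLAN (1..4094)."""
    return 0 <= vid < (1 << VID_BITS) and vid not in RESERVED_VIDS


def build_ethernet_frame(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged frame as it leaves an access port: dst MAC, src MAC, EtherType, payload."""
    if len(dst_mac) != 6 or len(src_mac) != 6:
        raise ValueError("MAC addresses are 6 bytes")
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def add_vlan_tag(frame: bytes, vlan_id: int, priority: int = 0, dei: int = 0) -> bytes:
    """Trunk egress: insert the tag between the source MAC and the original EtherType.

    The tag is TPID (0x8100) followed by the 16-bit TCI: 3-bit priority (PCP),
    1-bit drop eligible indicator (DEI) and the 12-bit VLAN ID.
    """
    if not is_usable_vlan_id(vlan_id):
        raise ValueError(f"VLAN ID {vlan_id} is not in the usable range 1-4094")
    if not 0 <= priority <= 7 or dei not in (0, 1):
        raise ValueError("PCP is 3 bits, DEI is 1 bit")
    tci = (priority << 13) | (dei << 12) | vlan_id
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_frame(frame: bytes) -> dict:
    """Decode dst/src MAC, an optional 802.1Q tag, the real EtherType and the payload."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[14:16])[0]
        vlan = {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0xFFF}
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    return {"dst": dst, "src": src, "vlan": vlan, "ethertype": ethertype, "payload": frame[offset:]}


def strip_vlan_tag(frame: bytes) -> tuple:
    """Trunk ingress on the far switch: remove the tag and return (vid, untagged frame).

    A frame whose tag carries a reserved VID is rejected rather than delivered.
    """
    parsed = parse_frame(frame)
    if parsed["vlan"] is None:
        raise ValueError("frame carries no 802.1Q tag")
    vid = parsed["vlan"]["vid"]
    if vid in RESERVED_VIDS:
        raise ValueError(f"reserved VLAN ID {vid} received on trunk")
    return vid, frame[:12] + frame[16:]


if __name__ == "__main__":
    # Constructed sample: a broadcast frame from 00:11:22:33:44:55 on VLAN 200.
    untagged = build_ethernet_frame(b"\xff" * 6, bytes.fromhex("001122334455"), 0x0800, b"\x45" + b"\x00" * 19)
    on_trunk = add_vlan_tag(untagged, 200, priority=5)
    print("tagged   :", on_trunk.hex())
    print("parsed   :", parse_frame(on_trunk)["vlan"])
    vid, delivered = strip_vlan_tag(on_trunk)
    print("delivered to VLAN", vid, "identical to original:", delivered == untagged)
```

The tag lives between the source MAC and the EtherType, which is why a capture of trunk traffic shows 0x8100 where the EtherType normally sits, followed by the TCI and then the original EtherType; the far switch removes exactly those four bytes before forwarding into the matching VLAN.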

So here’s an example of a well-segmented network, where you have multiple VLANs and all of these VLANs exist on multiple switches. You have a red, a blue, and a green VLAN, and you have devices on each of these switches that are members of those VLANs. These devices are able to communicate with other devices on their same VLAN by communicating across one of these 802.1Q trunks.