Commit 148ec1
2025-03-07 22:37:20 R. Bishop: Initial Commit/dev/null .. networking/vlans.md | |
@@ 0,0 1,116 @@ | |
+ | # Understanding VLANs (Virtual Local Area Networks) |
+ | |
+ | ## What is a VLAN? |
+ | |
+ | A **VLAN (Virtual Local Area Network)** is a **logical network segmentation technique** that allows devices on different physical networks to communicate as if they were on the same LAN. VLANs improve **network efficiency, security, and scalability** by **isolating traffic** without requiring separate physical infrastructure. |
+ | |
+ | --- |
+ | |
+ | ## Why Use VLANs? |
+ | |
+ | ### **1. Improved Network Performance** |
+ | - Reduces **network congestion** by limiting broadcast domains. |
+ | - Enhances **data flow efficiency** in large networks. |
+ | |
+ | ### **2. Increased Security** |
+ | - Isolates sensitive data from unauthorized users. |
+ | - Prevents **broadcast storms and unauthorized access**. |
+ | |
+ | ### **3. Better Network Management & Scalability** |
+ | - Allows network administrators to **logically group devices**. |
+ | - Simplifies **adding or moving devices** without rewiring. |
+ | |
+ | ### **4. Enhanced Traffic Control** |
+ | - Enables **Quality of Service (QoS)** for prioritizing data traffic. |
+ | - Ensures **critical applications get priority bandwidth**. |
+ | |
+ | --- |
+ | |
+ | ## How VLANs Work |
+ | |
+ | VLANs function by tagging network traffic with an **identifier (VLAN ID)** to separate it from other traffic on the same physical switch. |
+ | |
+ | ### **1. VLAN Tagging (IEEE 802.1Q)** |
+ | - Adds a **4-byte VLAN header** to Ethernet frames. |
+ | - Helps switches identify **which VLAN traffic belongs to**. |
+ | |
+ | ### **2. VLAN Types** |
+ | | **VLAN Type** | **Function** | **Use Case** | |
+ | |--------------|------------|-------------| |
+ | | **Default VLAN** | All switch ports belong to this VLAN by default | General network traffic | |
+ | | **Data VLAN** | Segregates **user traffic** from management data | Corporate networks | |
+ | | **Voice VLAN** | Prioritizes **VoIP traffic** to reduce latency | IP Telephony | |
+ | | **Management VLAN** | Isolates **network control traffic** | Network administration | |
+ | | **Guest VLAN** | Provides internet-only access for **visitors** | Hotels, public Wi-Fi | |
+ | | **Native VLAN** | Unused VLAN assigned to untagged traffic | Interoperability between VLAN-capable devices | |
+ | |
+ | --- |
+ | |
+ | ## VLAN Configuration & Implementation |
+ | |
+ | ### **1. Port-Based VLANs** |
+ | - Assigns specific switch **ports to a VLAN**. |
+ | - Devices connected to the same VLAN **can communicate**. |
+ | - Common in **small business and enterprise networks**. |
+ | |
+ | ### **2. Tagged vs. Untagged VLANs** |
+ | | **VLAN Type** | **Tagging Method** | **Purpose** | |
+ | |--------------|----------------|-------------| |
+ | | **Tagged VLAN** | Uses **802.1Q tagging** to carry multiple VLANs on a trunk port | Used between switches | |
+ | | **Untagged VLAN** | Traffic is not tagged and belongs to a **single VLAN** | End-user devices | |
+ | |
+ | ### **3. Trunking & VLAN Propagation** |
+ | - **Trunk ports** allow multiple VLANs to pass between switches. |
+ | - Uses **VLAN tagging (802.1Q)** to differentiate traffic. |
+ | |
+ | ### **4. VLAN Routing (Inter-VLAN Communication)** |
+ | - **Layer 3 devices (routers or Layer 3 switches)** route traffic between VLANs. |
+ | - Requires **SVI (Switched Virtual Interface) configuration**. |
+ | |
+ | --- |
+ | |
+ | ## VLANs vs. Traditional LANs |
+ | |
+ | | **Feature** | **VLAN** | **Traditional LAN** | |
+ | |------------|------------|----------------| |
+ | | **Network Isolation** | Logical separation | Physical separation | |
+ | | **Scalability** | Highly scalable | Requires more cabling | |
+ | | **Security** | Stronger isolation | Less secure | |
+ | | **Traffic Control** | Supports QoS & bandwidth management | Limited control | |
+ | | **Flexibility** | Can be reconfigured via software | Requires hardware changes | |
+ | |
+ | --- |
+ | |
+ | ## VLAN Security Best Practices |
+ | |
+ | ### **1. Use VLANs for Network Segmentation** |
+ | - Separate **user, voice, and management traffic**. |
+ | - Prevents unauthorized access to **critical systems**. |
+ | |
+ | ### **2. Secure VLAN Trunks** |
+ | - Restrict **trunking to necessary ports only**. |
+ | - Use **Native VLAN pruning** to block unused VLAN traffic. |
+ | |
+ | ### **3. Enable VLAN Access Control** |
+ | - Use **MAC address filtering** and **802.1X authentication**. |
+ | - Implement **Access Control Lists (ACLs)** for additional security. |
+ | |
+ | ### **4. Prevent VLAN Hopping Attacks** |
+ | - Disable **Dynamic Trunking Protocol (DTP)**. |
+ | - Use **private VLANs (PVLANs) for sensitive devices**. |
+ | |
+ | --- |
+ | |
+ | ## VLANs in the Fire & Security Industry |
+ | |
+ | VLANs are widely used in **fire safety, security monitoring, and building automation**, enabling: |
+ | |
+ | - **Isolated CCTV traffic** for secure video surveillance. |
+ | - **Segregated access control systems** to prevent cyber threats. |
+ | - **Dedicated VLANs for fire alarms and emergency communication**. |
+ | - **QoS-enabled voice VLANs for critical communication systems**. |
+ | |
+ | --- |
+ | |
+ | ## Conclusion |
+ | VLANs provide a **cost-effective and scalable solution** for **network segmentation, security, and traffic optimization**. They are essential in **corporate networks, security infrastructure, and data centres**, ensuring **efficient, secure, and organized network management**. |