What is Network Segmentation?
Google defines Network Segmentation as the act or practice of splitting a computer network into subnetworks, each being a network segment. Segmentation in networks can be of two (2) types: Layer 2 and Layer 3 segmentation. This article is a follow-up to our recent video entitled Let’s Build it Together – Episode 3 – VLAN Creation, and it focuses only on Layer 2 segmentation, more commonly referred to as VLANs. We will explain Layer 3 segmentation in another article.
What is a VLAN?
VLAN is an acronym for Virtual Local Area Network. This technology can be used to separate an existing physical network into multiple logical networks. VLANs can span multiple Ethernet switches, with each VLAN treated as its own broadcast domain. This means that frames broadcast onto the network are switched / passed only between the ports within the same VLAN. VLANs operate at Layer 2 of the OSI model. Organizations’ computer networks are often set up with VLANs to re-partition the network for improved traffic management. Each VLAN is uniquely identified by a VLAN ID, which is transmitted and received as an IEEE 802.1Q tag in the Ethernet frame.
Let’s look at a simple analogy. Think of a school that has multiple classrooms: the school is the entire network, and each classroom can be considered a VLAN. Dividing the school into classrooms (VLANs) allows it to better manage student traffic and even the delivery of lessons to each separate set of students.
How are VLANs related to Subnets?
In summary, VLANs provide segmentation at Layer 2 and IP subnets provide segmentation at Layer 3. Though they are separate and operate at different layers, good network design practice suggests that they be designed to support each other. Two different VLANs on a single Ethernet switch or host are like two physically separate Ethernet switches. They partition the Media Access Control (MAC) address space; this means that communication between two parties on a single VLAN, or on a single physical Ethernet switch, does not involve any other parties on the MAC-level (Layer 2) network. The VLAN or physical switch limits the extent of MAC-level message propagation, keeping it as local as possible.
In contrast, IP subnets exist at Layer 3 and partition the IP address space, not the MAC address space, but with a similar purpose: to limit the extent of message propagation. Any partitioning at the MAC level / Layer 2 below is entirely transparent to Layer 3, which means that VLANs and/or separate physical switches can be treated as one single continuous Layer 2 medium from the point of view of IP-level networking. Conversely, VLANs don’t even see IP addresses or IP subnetting. Everything at Layer 3 and higher is just payload (traffic) to them at the Layer 2 / MAC level.
What are the benefits and advantages of VLANs?
VLANs are widely used in communications networks; they provide several benefits to an organization, such as:
- Ease of administration – segmentation of any type reduces a network into smaller, manageable subsets. This also reduces overall administration overhead.
- Traffic management – unmanaged broadcast traffic can cripple networks, even rendering them inoperable. VLANs provide the flexibility to confine broadcast traffic by creating Layer 2 segments / broadcast domains.
- Enforcement of security policies – VLANs, along with Layer 3 / IP segmentation, can be used to enforce security policies within a network. An example of this is the creation of a dedicated VLAN and associated IP subnet for guest Wi-Fi. Since this traffic is tied to a particular VLAN and to an allocated IP addressing scheme, it can be easily identified so that security policies restricting it can be applied.
VLANs provide the following advantages:
- VLANs enable logical grouping of workstations that are physically dispersed on a network.
- When users on a VLAN move to a new physical location but continue to perform the same job function, the workstations of those users do not need to be reconfigured. Similarly, if users change their job functions, they need not be physically moved.
- VLANs reduce the need to have routers deployed on a network to contain broadcast traffic.
- Flooding of a packet is limited to the switch ports that belong to a VLAN. This can be used in a design to mitigate certain denial of service attacks.
- Confinement of broadcast domains on a network significantly reduces traffic.
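The following is an added Python example, not code from the original article, that works through the points above: it parses the IEEE 802.1Q tag mentioned earlier (TPID 0x8100 followed by a TCI carrying the priority bits and the 12-bit VLAN ID), models a toy VLAN-aware learning switch whose MAC table and flooding are confined per VLAN (the broadcast-domain behaviour described under traffic management and the flooding advantage above), and checks a frame's IPv4 source address against the subnet planned for its VLAN, in the spirit of the guest Wi-Fi example. The VLAN IDs, subnets, MAC addresses and frames are constructed for the demonstration, and the switch model is simplified (access ports use their PVID, trunk ports carry every VLAN, native-VLAN handling is omitted).

```python
import struct
from ipaddress import ip_address, ip_network

# Protocol constants: the 802.1Q TPID that announces a VLAN tag, two EtherTypes,
# and the Ethernet broadcast address.
TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
BROADCAST_MAC = b"\xff" * 6

# Constructed VLAN-to-subnet plan (assumption), following the guest Wi-Fi idea: 30 = guest.
VLAN_SUBNETS = {10: ip_network("10.0.10.0/24"), 30: ip_network("10.0.30.0/24")}


def parse_frame(frame):
    """Split a raw Ethernet frame into MACs, optional 802.1Q tag fields, EtherType and payload.
    The tag sits between the source MAC and the EtherType: TPID 0x8100, then a 16-bit TCI
    holding PCP (3 bits), DEI (1 bit) and the 12-bit VLAN ID."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, vlan_id, pcp = 14, None, None
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("802.1Q tag truncated")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, vlan_id, offset = tci >> 13, tci & 0x0FFF, 18
    return {"dst": dst, "src": src, "vlan_id": vlan_id, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[offset:]}


def build_frame(dst, src, payload, ethertype=ETHERTYPE_IPV4, vlan_id=None, pcp=0):
    """Build an Ethernet frame, inserting an 802.1Q tag when vlan_id is given."""
    header = struct.pack("!6s6s", dst, src)
    if vlan_id is not None:
        header += struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vlan_id & 0x0FFF))
    return header + struct.pack("!H", ethertype) + payload


def ipv4_payload(src_ip, dst_ip):
    """Minimal 20-byte IPv4 header with no data (constructed; checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                       ip_address(src_ip).packed, ip_address(dst_ip).packed)


class VlanSwitch:
    """Toy VLAN-aware learning switch: MAC table keyed per VLAN, flooding confined to the VLAN."""

    def __init__(self, access_ports, trunk_ports=()):
        self.pvid = dict(access_ports)   # access port -> its VLAN ID (PVID)
        self.trunks = set(trunk_ports)   # ports that carry tagged frames for every VLAN
        self.mac_table = {}              # (vlan_id, mac) -> port the MAC was learned on

    def _vlan_of(self, port, info):
        if port in self.trunks:
            if info["vlan_id"] is None:  # native-VLAN handling deliberately omitted
                raise ValueError("untagged frame on trunk port")
            return info["vlan_id"]
        return self.pvid[port]           # access port: the PVID decides, any tag is ignored

    def forward(self, port, frame):
        """Return the egress ports for a frame arriving on `port`."""
        info = parse_frame(frame)
        vlan = self._vlan_of(port, info)
        self.mac_table[(vlan, info["src"])] = port
        members = [p for p, v in self.pvid.items() if v == vlan] + list(self.trunks)
        known = self.mac_table.get((vlan, info["dst"]))
        if info["dst"] == BROADCAST_MAC or known is None:
            return sorted(p for p in members if p != port)  # flood, but only within this VLAN
        return [] if known == port else [known]


def source_ip_in_vlan_subnet(vlan_id, info):
    """True if an IPv4 frame's source address belongs to the subnet planned for its VLAN."""
    if info["ethertype"] != ETHERTYPE_IPV4 or len(info["payload"]) < 20:
        return False
    src_ip = ip_address(info["payload"][12:16])
    return vlan_id in VLAN_SUBNETS and src_ip in VLAN_SUBNETS[vlan_id]


def demo():
    """Run the scenarios discussed in the article on constructed frames and return the results."""
    mac_a, mac_b, mac_c = (bytes([2, 0, 0, 0, 0, n]) for n in (0x0A, 0x0B, 0x0C))
    sw = VlanSwitch(access_ports={1: 10, 2: 10, 3: 30}, trunk_ports=[4])
    arp = b"\x00" * 28  # placeholder ARP body; only the Ethernet header matters here
    r = {}
    r["bcast_vlan10"] = sw.forward(1, build_frame(BROADCAST_MAC, mac_a, arp, ETHERTYPE_ARP))
    r["unicast_to_a"] = sw.forward(2, build_frame(mac_a, mac_b, arp, ETHERTYPE_ARP))
    r["bcast_vlan30_via_trunk"] = sw.forward(4, build_frame(BROADCAST_MAC, mac_c, arp, ETHERTYPE_ARP, vlan_id=30))
    r["vlan30_to_a"] = sw.forward(3, build_frame(mac_a, mac_c, arp, ETHERTYPE_ARP))
    ok = parse_frame(build_frame(mac_b, mac_c, ipv4_payload("10.0.30.5", "10.0.30.1"), vlan_id=30))
    bad = parse_frame(build_frame(mac_b, mac_c, ipv4_payload("10.0.10.5", "10.0.30.1"), vlan_id=30))
    r["guest_src_ok"] = source_ip_in_vlan_subnet(30, ok)
    r["guest_src_wrong_subnet"] = source_ip_in_vlan_subnet(30, bad)
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the article's claims in miniature: a broadcast entering on a VLAN 10 access port is flooded only to the other VLAN 10 port and the trunk, never to the VLAN 30 port; a host on VLAN 30 addressing a MAC that lives on VLAN 10 gets no direct path because the MAC table is keyed per VLAN; and a frame on the guest VLAN whose source IP is outside the guest subnet is flagged, which is the kind of check a policy for the guest VLAN would build on.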
This topic will continue to be popular as long as communications networks are being built. There is a lot of information on network segmentation, and many networking certifications cover these topics at the early stages. Let us know if this article helped you gain a better understanding of VLANs. Feel free to reach out to us at 1-868-223-1576 or email me at firstname.lastname@example.org