1
00:00:00,000 --> 00:00:34,530
In this lesson, we're going to discuss virtual local area networks. A virtual local area network, also known as a VLAN, is a logical subdivision of a given network that segments it into separate broadcast domains. Unlike traditional local area networks, where the network is defined by its physical connections, a virtual local area network allows us to group our hosts together even if they are not directly connected to the same network switch. This logical grouping of our devices across multiple switches is achieved through a software configuration rather than through hardware and cabling, so it's going to offer us a much more flexible experience when we're configuring our networks.

2
00:00:34,530 --> 00:01:44,061
Now, VLANs are not just a feature of our networks. They are a strategic tool that, when you utilize them correctly and efficiently, can transform the way your network resources are being allocated and managed. Now, before VLANs were used, our network administrators had to install additional routers, cables, and switches to separate out each of the different network segments within our organizations. So if we wanted to have two different network segments, one for human resources and another one for the information technology department, for example, I would have to have a network that looks something like this. Now, let's assume that I wanted to keep the HR and IT departments' data separate as it goes across the network so I can maintain a higher level of security. Well, if I wanted to do that before VLANs, I would have to set up two sets of routers, two sets of switches, and all those cables to keep them physically and logically separated from each other. Now, this works really well when all of our department personnel work in the same room or on the same floor, but as our departments grow in size, we may have people spread out across different rooms or different floors of the same building, and this can create a lot of extra expense for us because we now have to buy two sets of each of these devices. If you have four or six departments, this incrementally increases the amount of hardware you're going to have to buy.

3
00:01:44,061 --> 00:02:40,680
Now, let's say, for example, you have two departments like HR and IT, and you have both HR and IT employees working on both of your floors, floors one and two of your building. So now we're going to have to install four switches. Switches one and three are going to be on the second floor, and switches two and four are going to be on the first floor. This will allow us to support both of these departments and their logical separation needs using traditional layer two switches. But if we can introduce VLANs into the equation and use layer three switching between those VLANs, we can now have different logical networks that share the same physical hardware. This provides us with all the additional security and efficiencies that we want for that logical separation, because we're no longer using a single broadcast domain like we did on a standard layer two switch without a VLAN. Now, when we use these VLANs, we can consolidate all four of those switches into just two switches, one for the first floor and one for the second floor. Then we can configure two different VLANs, one for HR and one for IT.

4
00:02:40,680 --> 00:03:48,840
And this will logically separate out each department's traffic into each of those VLANs. Now, in this configuration, the IT department has been cabled into the switch, and then it logically trunks the connection down from switch one into switch two, and then down into our router to keep everything logically separated. Now, similarly, we're going to do the same exact thing with the HR department configuration. And you can see here in the network diagram that we show the difference with that color coding for each of the logical connections being used by the HR or IT department. Now, using VLANs, different switch ports can be configured to use different VLANs, which are going to be these logical separations and segmentations that we're talking about, even though that data is still being transmitted using the same physical hardware and the exact same cable. Notice how there's a purple and a blue cable going from the switch down to the router, and this is just using one physical cable. But in the diagram, we're showing this as two logical cables. One is purple and one is blue. But in real life, if you walk over to this router and this switch, you're really going to see just a single cable going between those two devices. And that is the whole idea of using VLAN trunking: so I can transfer all the VLANs between the different network infrastructure devices using a single cable.

5
00:03:48,840 --> 00:04:29,340
So let's talk about how a VLAN works. Now, VLANs operate at layer two, or the data link layer, of your OSI model. Whenever a switch is configured to utilize a VLAN, it's going to tag each frame of the data with a VLAN identifier, or ID, as it passes through that switch. This VLAN tag will define which VLAN that frame is going to belong to. Then, as the frames are forwarded between switches, these tags are going to be used to determine the path that they're going to take, to ensure that each frame is going to be confined to its respective VLAN, which provides you with that effective segregation of the different segments of our networks. Now, there are many reasons for using a VLAN, including enhanced security, improved performance, increased management, and improved cost efficiency.

6
00:04:29,340 --> 00:05:21,150
First, VLANs are going to provide us with enhanced security. This enhanced security is achieved by segmenting our networks into VLANs, which allows sensitive data to be isolated from other portions of the network, and this in turn helps reduce the risk of a data breach. Now, since each VLAN is treated as a separate network segment, a router or a layer three switch must be used to let the traffic pass between those segments. At each of these choke points, we can configure access control list rules to dictate what types of traffic can enter or leave a given VLAN, which also gives us the ability to better secure those network segments. Second, VLANs provide us with improved performance. Now, a VLAN is used to reduce the size of a given broadcast domain, and this helps us to decrease the amount of unnecessary traffic being sent over that segment. This reduction in unnecessary traffic that we get by reducing our broadcast domain size is going to help us to enhance the overall performance of our networks.

7
00:05:21,150 --> 00:06:04,648
Third, we have increased management. VLANs provide us with greater control over the management of our networks by making it easier to implement policy changes and to troubleshoot issues. Since each VLAN is treated as a separate network segment, we can have separate management controls applied to the different VLANs based on our specific use cases and network administration needs. Fourth, we have improved cost efficiency. Now, VLANs allow us to better utilize our existing network infrastructure by breaking it up into smaller logical segments. This allows us to use fewer physical switches and other network infrastructure by combining multiple physical switches into a single physical switch that contains multiple virtual local area network segments inside of it, without having to purchase additional hardware switches and other types of hardware infrastructure.

8
00:06:04,648 --> 00:06:42,420
Now, in order for our VLANs to be effective, our switches and our other network devices must maintain a VLAN database that's going to contain all the VLAN configurations for that particular switch. This VLAN database includes information like the VLAN identifier, the VLAN's name, and the maximum transmission unit size, known as the MTU. Now, if you're using a Cisco switch, you're going to find this VLAN database is actually stored in a flat file called vlan.dat. This VLAN database is critical to maintaining efficient network operations because it ensures that our VLAN configurations are going to remain consistent and can be deployed across your entire network infrastructure quite easily.

9
00:06:42,420 --> 00:07:16,470
Another key concept that's used with a VLAN is the switch virtual interface. Now, a switch virtual interface, or SVI, is a virtual interface on a switch that provides layer three, or network layer, processing to your VLANs. Essentially, the switch virtual interface will allow your switch to route traffic between different VLANs without requiring you to buy a separate router. By configuring a switch virtual interface for your VLAN, your switch can handle the routing decisions for any kind of data within that VLAN. And this helps to enhance our network's efficiency by minimizing the need for installing additional routing devices into your network.

10
00:07:16,470 --> 00:08:02,133
So remember, a VLAN is a logical subdivision of a given network that segments it into separate broadcast domains. VLANs segment your layer two traffic into different logical areas of your network, and they rely on the VLAN database and the switch virtual interface to make routing decisions for your traffic as it crosses between different VLANs in your network. VLANs help us to enhance our security by logically separating network traffic to allow for the isolation of sensitive data and systems from the rest of your network. This in turn will help to reduce the risk of unauthorized access and data breaches, while also streamlining your network management and improving your network performance by dividing that larger network into smaller, more manageable sections, reducing the size of our broadcast domains and reducing any additional unnecessary traffic that's going to waste our valuable network resources and bandwidth.