3.2 Network Segmentation (VLANs)
Dividing the Physical World with Logical Walls
If you buy a 48-port network switch for your house and plug everything into it, every device can talk directly to every other device. In networking, this is called a "Flat Network," and it is one huge Broadcast Domain.
In an enterprise environment, a flat network is a security nightmare. If a guest connects their infected laptop to the lobby Wi-Fi, the virus can effortlessly scan the network and jump to the CEO's workstation or the payroll servers.
To solve this without buying a separate physical switch for every department, engineers use VLANs (Virtual Local Area Networks).
1. The Power of Isolation
A VLAN allows you to take one physical 48-port switch and digitally slice it into multiple, completely invisible miniature switches.
For example, an engineer might configure:
- Ports 1-10 (VLAN 10): Corporate Data
- Ports 11-20 (VLAN 20): Guest Wi-Fi
- Ports 21-30 (VLAN 30): Security Cameras
- Ports 31-40 (VLAN 99): IT Management
Even though the Corporate PCs and the Guest Laptops are plugged into the exact same metal box, they cannot see each other. If a guest PC sends out a broadcast shout asking "Who is on the network?", the switch keeps that broadcast inside VLAN 20 and never forwards it to ports in any other VLAN. The Corporate PCs (VLAN 10) will hear nothing but silence.
2. The Mechanics: Access Ports vs. Trunk Ports
How does the switch know which data belongs to which network? It uses a protocol called 802.1Q Tagging.
- Access Ports (Untagged): These are the ports connected to end devices (PCs, printers, cameras). A standard Windows PC has no idea what a VLAN is. When a PC sends a standard data packet into an Access Port, the switch immediately slaps a digital sticky note (a Tag) on the packet that says "VLAN 10". When the switch sends data back out to the PC, it strips the tag off.
- Trunk Ports (Tagged): What happens if you have two switches on different floors? You do not want to run three separate cables between them just for VLANs 10, 20, and 30. Instead, you run one heavy-duty cable between the switches and configure the ports as Trunk Ports. A Trunk Port acts as a highway that carries traffic for all VLANs. When data crosses the Trunk Link, the switches leave the 802.1Q Tags attached so the receiving switch knows exactly which VLAN the data belongs to.
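The isolation from section 1 and the tag/strip mechanics from section 2 can be seen end to end in a small model. The following Python is an added example, not code from the original notes: it builds the real 4-byte 802.1Q tag (TPID 0x8100 followed by the TCI, whose low 12 bits are the VLAN ID), parses tagged and untagged frames, and runs a toy flooding-only switch that uses the page's port plan. The `Switch` class, the port numbers, the MAC addresses and the "who is on the network?" payload are constructed for the demo; the simplification that a tagged frame arriving on an access port is dropped is an assumption, not a statement about any particular vendor's behaviour.

```python
import struct

ETHERTYPE_8021Q = 0x8100   # TPID: this EtherType value means "an 802.1Q tag follows"
ETHERTYPE_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst, src, ethertype, payload):
    """Plain Ethernet II frame, exactly what a VLAN-unaware PC puts on the wire."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload


def add_tag(frame, vlan_id, pcp=0):
    """Insert the 4-byte 802.1Q tag (TPID + TCI) between the source MAC and the EtherType."""
    tci = (pcp << 13) | (vlan_id & 0x0FFF)        # 3 bits priority, 1 bit DEI, 12 bits VLAN ID
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, tci) + frame[12:]


def strip_tag(frame):
    """Remove the tag so an access-port device receives an ordinary frame."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_8021Q:
        raise ValueError("frame is not 802.1Q tagged")
    return frame[:12] + frame[16:]


def parse_frame(frame):
    """Header fields of a tagged or untagged frame; 'vlan' is None when untagged."""
    fields = {"dst": mac_text(frame[:6]), "src": mac_text(frame[6:12])}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_8021Q:
        tci, inner = struct.unpack("!HH", frame[14:18])
        fields.update(vlan=tci & 0x0FFF, ethertype=inner, payload=frame[18:])
    else:
        fields.update(vlan=None, ethertype=ethertype, payload=frame[14:])
    return fields


class Switch:
    """Toy VLAN-aware switch that only floods (no MAC learning); enough to show isolation."""

    def __init__(self):
        self.ports = {}   # port -> ("access", vlan_id) or ("trunk", {allowed vlan ids})

    def access(self, port, vlan):
        self.ports[port] = ("access", vlan)

    def trunk(self, port, allowed):
        self.ports[port] = ("trunk", set(allowed))

    def ingress_vlan(self, port, frame):
        """VLAN an arriving frame is assigned to, or None if the switch drops it."""
        kind, cfg = self.ports[port]
        tag = parse_frame(frame)["vlan"]
        if kind == "access":
            return cfg if tag is None else None      # assumption: tagged frames dropped on access ports
        return tag if tag in cfg else None           # trunk: the tag decides, and it must be allowed

    def flood(self, in_port, frame):
        """Return {egress_port: frame_as_sent}: a broadcast never leaves its VLAN."""
        vlan = self.ingress_vlan(in_port, frame)
        if vlan is None:
            return {}
        tagged = frame if parse_frame(frame)["vlan"] is not None else add_tag(frame, vlan)
        out = {}
        for port, (kind, cfg) in self.ports.items():
            if port == in_port:
                continue
            if kind == "access" and cfg == vlan:
                out[port] = strip_tag(tagged)        # untagged towards the end device
            elif kind == "trunk" and vlan in cfg:
                out[port] = tagged                   # tag stays on across the trunk
        return out


def demo():
    """The page's port plan: VLAN 10/20/30 on ports 1-30, port 48 trunks to the next switch."""
    sw = Switch()
    for p in range(1, 11):
        sw.access(p, 10)
    for p in range(11, 21):
        sw.access(p, 20)
    for p in range(21, 31):
        sw.access(p, 30)
    sw.trunk(48, {10, 20, 30})
    # Constructed guest broadcast ("who is on the network?") entering on port 12 (VLAN 20)
    shout = build_frame(BROADCAST, "02:00:00:00:00:12", ETHERTYPE_ARP, b"who-has 10.20.0.1")
    return sw.flood(12, shout)


if __name__ == "__main__":
    for port, frame in sorted(demo().items()):
        print(port, parse_frame(frame)["vlan"], len(frame))
```

Running it shows the guest broadcast reaching only ports 13-20 (untagged, so the other guest laptops see a plain frame) and port 48 (4 bytes longer, carrying the VLAN 20 tag across the trunk). Ports 1-10 and 21-30 receive nothing, which is the silence the corporate PCs hear.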
3. Native VLANs and Security
By default, every brand-new switch places all ports in VLAN 1. This is incredibly dangerous.
Hackers know this. If they can plug into an unsecured wall jack, they will immediately be on the default VLAN 1. A core tenet of enterprise networking is to immediately change the "Native" management VLAN to an obscure number (like VLAN 999), shut down all unused ports, and never leave active ports on VLAN 1.
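A practical way to enforce the rule above is to audit the switch configuration rather than trust that it was done by hand. The Python below is an added example (not from the original notes): it parses a constructed, Cisco IOS-style running-config and flags every port that is still in VLAN 1, either an active access port with no explicit `switchport access vlan` (so it silently sits in the default VLAN 1) or a trunk that still uses native VLAN 1. The interface names, descriptions and VLAN numbers are made up for the demo, and treating a port with no `switchport mode` line as an access port is an assumption that simplifies the real default.

```python
IOS_CONFIG = """\
!
interface GigabitEthernet0/1
 description Corporate PC
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/2
 switchport mode access
!
interface GigabitEthernet0/3
 shutdown
!
interface GigabitEthernet0/23
 description Uplink to floor-2 switch (hardened)
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
!
interface GigabitEthernet0/24
 description Uplink to floor-3 switch
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
!
"""


def parse_interfaces(config):
    """Split an IOS-style config into {interface name: [indented sub-commands]}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None            # '!' or any top-level line ends the block
    return blocks


def last_value(lines, prefix, default):
    """Last integer argument of a repeated command, or the default when absent."""
    hits = [l for l in lines if l.startswith(prefix)]
    return int(hits[-1].split()[-1]) if hits else default


def audit_vlan1(config):
    """Return (interface, finding) pairs for every port still relying on VLAN 1."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        shut = "shutdown" in lines
        mode = "access"               # assumption: no explicit mode is treated as access
        for l in lines:
            if l.startswith("switchport mode "):
                mode = l.split()[-1]
        if mode == "access":
            vlan = last_value(lines, "switchport access vlan ", 1)   # unset means VLAN 1
            if vlan == 1 and not shut:
                findings.append((name, "active access port in default VLAN 1"))
        elif mode == "trunk":
            native = last_value(lines, "switchport trunk native vlan ", 1)
            if native == 1:
                findings.append((name, "trunk still uses native VLAN 1"))
    return findings


if __name__ == "__main__":
    for iface, why in audit_vlan1(IOS_CONFIG):
        print(f"{iface}: {why}")
```

In the constructed config, Gi0/2 is flagged because it is up with no VLAN assigned, Gi0/3 is not flagged because it is shut down, Gi0/24 is flagged for its default native VLAN, and Gi0/23 passes because its native VLAN was moved to 999 as the text recommends.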
4. (Addition) Inter-VLAN Routing (Router-on-a-Stick)
If VLANs are perfectly isolated, how does a Guest on VLAN 20 get to the internet? They can't, unless a Router steps in.
Because switches operate at Layer 2 (MAC Addresses), they cannot route traffic between different networks. You must connect the switch to a Router (which operates at Layer 3 - IP Addresses).
- The connection between the switch and the router is configured as a Trunk Port.
- The router acts as the security guard. If PC-1 (VLAN 10) wants to talk to a Server (VLAN 30), the data must go up the Trunk link to the Router. The Router checks its firewall rules, sees that VLAN 10 is allowed to talk to VLAN 30, and routes the packet back down the Trunk link into the correct VLAN. This architecture is famously called "Router-on-a-Stick".
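The "security guard" decision the router makes can be modelled at Layer 3 alone. This Python is an added example (not from the original notes): one sub-interface per VLAN maps to an IP subnet, an ordered allow/deny policy is checked between the ingress and egress VLAN, and anything not matched is dropped (default deny). The subnets, the policy rules and the "internet" catch-all for non-local destinations are constructed for the demo; a real router-on-a-stick would additionally need the 802.1Q sub-interfaces and a NAT or default route for the guest path, which this model leaves out.

```python
import ipaddress

# Constructed router-on-a-stick layout: one sub-interface (and subnet) per VLAN
SUBINTERFACES = {
    10: ipaddress.ip_network("10.10.0.0/24"),   # Corporate Data
    20: ipaddress.ip_network("10.20.0.0/24"),   # Guest Wi-Fi
    30: ipaddress.ip_network("10.30.0.0/24"),   # Security Cameras
    99: ipaddress.ip_network("10.99.0.0/24"),   # IT Management
}

# Constructed policy, evaluated top to bottom; first match wins, no match means drop
POLICY = [
    (10, 30, "allow"),          # the page's example: VLAN 10 may talk to VLAN 30
    (30, "any", "deny"),        # cameras never initiate traffic to anything
    (99, "any", "allow"),       # IT management reaches every VLAN
    (20, "internet", "allow"),  # guests get out, but only to the outside
]


def vlan_for(ip):
    """VLAN whose subnet contains ip, or 'internet' when it is not a local subnet."""
    addr = ipaddress.ip_address(ip)
    for vlan, net in SUBINTERFACES.items():
        if addr in net:
            return vlan
    return "internet"


def route(src_ip, dst_ip):
    """(ingress_vlan, egress_vlan) if the router forwards the packet, else None."""
    src_vlan, dst_vlan = vlan_for(src_ip), vlan_for(dst_ip)
    if src_vlan == dst_vlan:
        return None   # same VLAN: the switch handles it at Layer 2, the router never sees it
    for rule_src, rule_dst, action in POLICY:
        if rule_src == src_vlan and rule_dst in (dst_vlan, "any"):
            return (src_vlan, dst_vlan) if action == "allow" else None
    return None       # default deny


if __name__ == "__main__":
    for src, dst in [("10.10.0.5", "10.30.0.9"), ("10.20.0.7", "10.10.0.5"),
                     ("10.20.0.7", "198.51.100.1"), ("10.30.0.9", "10.10.0.5")]:
        print(src, "->", dst, route(src, dst))
```

The guest laptop on VLAN 20 can reach an outside address but not the corporate subnet, and the cameras on VLAN 30 can be reached from VLAN 10 yet cannot open connections back: the isolation the switch gives for free at Layer 2 is re-created deliberately at Layer 3 by the policy, which is the whole point of putting the router in the path.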