VLANs and VPNs – CompTIA A+ 220-1201 – 2.4

We can provide network protection and segmentation through the use of virtual local area networks (VLANs) and virtual private networks (VPNs). In this video, you’ll learn about separating broadcast domains into separate VLANs, and how remote connectivity can be protected through the use of encrypted client-to-site or site-to-site VPNs.


Let’s start our conversation referring to LANs, or Local Area Networks. This is a group of devices that are connected together into a single broadcast domain. That means if we send a broadcast out on one of these devices to this LAN, all of the other devices in this LAN will also see the broadcast.

Over on this side, we have a separate switch. And because it is a separate switch, it is a separate broadcast domain. Which means any device on this network that sends a broadcast would only be seen by other devices connected to that same broadcast domain.

That means if we send a broadcast over on the red network, no devices on the blue network will be able to see that broadcast, because this is a single broadcast domain that is separate from all of the other broadcast domains.

From a security and an organizational perspective, this is a very good design. Everyone on the red network is connected to the red network switch. And everybody on the blue network is connected to the blue network switch.

But one of the challenges with this is that it doesn’t make very efficient use of our switches. For example, we have a switch here with 24 interfaces, and only two devices are connected to that switch. We have a separate 24-port switch on this side. And that switch also only has two devices on it.

If we wanted to save money and save space in our rack, we would put all of these devices on the same physical switch. But when we do that, we have a problem with all of these devices being on the same broadcast domain.

Fortunately, many of our modern switches have the ability to configure a Virtual Local Area Network, or a VLAN. A Virtual Local Area Network means that we can assign different interfaces on a switch to belong to a particular VLAN. This is a very good example of combining two separate switches into one single switch, but then assigning different interfaces to different VLANs.

That means we can have some interfaces on the switch on the red VLAN, and other interfaces on the switch on the blue VLAN. And because these VLANs are also separate broadcast domains, if we send a broadcast from any of these devices on the blue network, that broadcast is only seen by other devices on these blue network interfaces. The same thing applies for the red network. If we send a broadcast on a red network device, only devices that are part of that VLAN will be able to see that broadcast.

Now we have a single switch with a single power source taking up the space of a single switch in one rack. And we’re able to support multiple VLANs on that same physical device. This is obviously a much more efficient way to combine these network interfaces together. And it’s a way that we could take what used to be two physical devices and now have them running on one single device with logical separation between these different interfaces.

We can support many VLANs on a single switch. This particular switch has been configured with three separate VLANs, and we can have some devices connected to VLAN 1, which is the gate room. We have other devices that are connected to VLAN 2. That’s the dining room. And then VLAN 3 is the infirmary.

The devices on one VLAN are not able to communicate with devices on the other VLANs, because they have been put into a completely separate broadcast domain. From a networking perspective, there might be a good reason to allow these different VLANs to communicate with each other.

And in that particular case, we need a router to be able to route information from one VLAN to another. Some switches allow you to configure routing functionality within that switch itself. Or you may use an external router just to provide communication between these different VLANs.
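To make the broadcast-domain idea concrete, here is a small added model (not from the video) of a switch whose interfaces are assigned to VLANs: a broadcast from one port reaches only the other ports in the same VLAN, and unicast traffic between two VLANs is allowed only when a router has been configured between them. The port numbers and the three VLANs (gate room, dining room, infirmary) are assumed for illustration.

```python
# Added example, not part of the original video: a toy switch model showing
# per-VLAN broadcast domains and the need for a router between VLANs.
from dataclasses import dataclass, field


@dataclass
class Switch:
    # interface number -> VLAN id (assumed port layout, not a real device)
    port_vlan: dict[int, int] = field(default_factory=dict)
    # VLAN ids that a router (built into the switch or external) routes between
    routed_vlans: set[int] = field(default_factory=set)

    def assign(self, port: int, vlan: int) -> None:
        """Put an interface into a VLAN (its broadcast domain)."""
        self.port_vlan[port] = vlan

    def broadcast(self, from_port: int) -> set[int]:
        """Interfaces that see a broadcast sent from from_port (sender excluded)."""
        vlan = self.port_vlan[from_port]
        return {p for p, v in self.port_vlan.items() if v == vlan and p != from_port}

    def can_communicate(self, port_a: int, port_b: int) -> bool:
        """Same VLAN talks directly; different VLANs need a router for both."""
        va, vb = self.port_vlan[port_a], self.port_vlan[port_b]
        if va == vb:
            return True
        return va in self.routed_vlans and vb in self.routed_vlans


def build_example_switch() -> Switch:
    """The video's three-VLAN switch: 1 gate room, 2 dining room, 3 infirmary."""
    sw = Switch()
    for port in (1, 2):
        sw.assign(port, 1)  # VLAN 1: gate room
    for port in (3, 4):
        sw.assign(port, 2)  # VLAN 2: dining room
    for port in (5, 6):
        sw.assign(port, 3)  # VLAN 3: infirmary
    return sw


if __name__ == "__main__":
    sw = build_example_switch()
    print("broadcast from port 1 is seen by:", sw.broadcast(1))           # {2}
    print("port 1 -> port 3, no router:", sw.can_communicate(1, 3))       # False
    sw.routed_vlans.update({1, 2})  # a router now connects VLAN 1 and VLAN 2
    print("port 1 -> port 3, routed:", sw.can_communicate(1, 3))          # True
    print("port 1 -> port 5, infirmary unrouted:", sw.can_communicate(1, 5))  # False
```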

Another important service that you’ll find on most people’s networks is a VPN, or Virtual Private Network. This allows devices to communicate with each other across a network, but it encrypts all of the data that’s being sent over the network.

If someone were to capture that data and view it in a packet capture program or something similar, they wouldn’t be able to understand anything that was being sent back and forth between those devices. There’s usually a specialized device that is able to encrypt and decrypt this information in real time. We refer to that device as a concentrator.

This is usually built into a firewall or some other type of purpose-built appliance. This allows everyone to connect to a central concentrator, which is then responsible for decrypting the encrypted data coming across the network so that we can view it on the inside of our network, and reversing that process to send information back to the originating station.

This is commonly implemented as hardware, but there are VPN concentrator solutions that are provided as software only that we could run on an existing server. Many operating systems have VPN client software that’s built into the operating system itself. But you might also have third-party VPN software that you would then install into an operating system.

If you’ve ever worked from home, then you’ve probably used a client-to-site VPN. The client would be you, the remote user at home, and the site would be a concentrator at a central point, usually at the edge of a much larger corporate network.

All of the users and devices that are outside the building would connect to that central concentrator across the internet, and that concentrator is obviously connected to the internal corporate network.

This means that all of the communication from the remote user to the concentrator is always encrypted. So we know that all of the data we’re sending over the network is completely protected.

The concentrator is responsible for taking that encrypted communication, decrypting it and sending it on its way to the resources that we’re accessing inside of our corporate network. This might also be configured as an always-on configuration. So the moment the remote user turns on and logs into their laptop, it automatically creates that link to the concentrator.

This means you don’t have to worry about manually starting your VPN software. If you are on your network and connected to the internet, then you always have an encrypted channel all the way back to your VPN concentrator.

For large organizations, you might have a corporate network at a central location, and then you might have other remote sites at other physical locations. One of the ways that you’re able to connect those sites together is through an existing internet link.

Of course, we’re always concerned about security and somebody being able to see the information we’re sending over the internet. So it’s very common for organizations to connect these sites together using a site-to-site VPN. This is usually implemented using firewalls. So you’d have a firewall connecting to the corporate network, the internet, and then a separate firewall that’s connecting to that remote site.

You would then configure a site-to-site VPN between these two sites, so that anytime you’re sending information from your remote site back to the corporate network, it will always be going through an encrypted channel. The firewalls act as your VPN concentrator. So anything on the inside of your network is in the clear. But anytime you have to send information across the internet to a remote site, it will always be encrypted using the site-to-site VPN.