May 14, 2024

VLANs and VPNs - CompTIA A+ 220-1101 - 2.6



Published June 27, 2023, 9:20 p.m. by Naomi Charles


A+ Training Course Index: https://professormesser.link/1101videos

Professor Messer’s Course Notes: https://professormesser.link/1101notes

- - - - -

Whether you are communicating locally or across long distances, there are network technologies that can get your data to the right place. In this video, you’ll learn about the use of VLANs on local networks and how VPNs can be used to protect all network flows.

- - - - -


A LAN is a Local Area Network. We commonly define this as a group of devices that are in the same broadcast domain. In this example, we have two different switches. One is the red switch and one is the blue switch. On the red network, we have two devices that are in one broadcast domain. And on the blue switch, we have devices that are on a completely different broadcast domain.

We might want this separation for security reasons. Certainly this would have a separation between these devices and these. We might want to limit the number of broadcasts that might be on a network. So we might segment the network into smaller pieces. And in many ways, this is a very straightforward way to manage the network. Because if somebody needs to be on the red network, we connect them to the red switch. And if someone needs to be on the blue network, we connect them to the blue switch.

However, looking at this diagram, we can immediately see a number of inefficiencies. We've of course purchased two separate switches. We are powering two separate switches, and we're managing the configurations on two separate switches. All of these are duplicating the effort, in some cases duplicating the cost we would need to maintain both of these networks. We can also see on these switches that we're connecting two devices, but we have a lot of empty interfaces on the switch. So we've paid for a lot of switch that ultimately we're not using.

It would be much more efficient and cost effective if we could buy a single switch, maintain a single power source for that switch and a single configuration, and simply logically associate certain interfaces on that switch to the red network and logically associate other interfaces on that switch to the blue network. The switch itself would provide the separation between the red network and the blue network, and these devices still would not be able to communicate directly to each other.

We refer to this virtualization of the local area network as a VLAN. This is grouping the devices still in their same broadcast domain, but we're doing this across the same physical device. This means that we won't need separate switches. We can instead have exactly the same functionality on a single switch by implementing and configuring VLANs for each of these individual interfaces.

Let's add even a third network. So on this switch, we've configured a red network, a blue network, and a green network. And you can see that we've connected different devices to these interfaces. As the network administrator, we've specifically configured the interfaces on the switch to match a certain network. So in this case, if you're connected to port one, you're on the red network. If you're connected to port nine, you're on the blue network. And if you're connected to port 17, you're on the green network.

Of course, instead of using colors we associate a VLAN with a number. So the red network may be VLAN 1, the blue network might be VLAN 2, and the green network might be VLAN 3. You can see that not only does this make it easier to manage the network, but now we can keep costs lower by having a single switch instead of purchasing three separate switches for these three VLANs.

A technology that has become rather commonplace on our networks today is a VPN or a Virtual Private Network. This is usually a combination of software and hardware that allows us to securely send information across a public network such as the internet. Everything sent over that VPN connection is automatically encrypted, which means if anyone in the middle happens to capture this information, they wouldn't be able to see or understand anything in the conversation.

If you've used a VPN, then you certainly are familiar with how that looks from the desktop of your operating system. But somewhere it's connecting to a separate device and the device we're connecting to is a concentrator. This can be a standalone device or it may be integrated into a firewall or some other multi-use device.

There are many different ways to deploy VPNs. The example we have here is a hardware device that may have specialized VPN or encryption hardware inside of it. But you can also configure VPN software that might be running on a server. Many VPN implementations have their own application that can be installed in an operating system, and you'll find that these days most modern operating systems come included with some type of VPN client.

This means that you can still be secure when using your laptop in a coffee shop even if the wireless network in that coffee shop is one that is open and not encrypted. You would either use VPN software that's always on and always connected or you would have the option on your laptop to enable or turn on the VPN capability. When you do that, it creates an encrypted tunnel back to the VPN concentrator, and now everything sent from your laptop will be encrypted across the wireless network of the coffee shop, the internet, and any other links until it reaches that VPN concentrator.

At this point, the VPN concentrator will receive that encrypted information. It will decrypt the data and send that information into the corporate network. Any device that needs to send information back to the laptop will send that information to the VPN concentrator. The concentrator will encrypt that data, send it over the encrypted tunnel, and when it reaches your laptop, the laptop will then decrypt that data so that it can be used locally. This entire process happens behind the scenes and is automatic when you enable your VPN software.
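A small model of the single-switch setup described in the VLAN portion of the transcript, added here as an illustration and not part of the video or the course notes. Ports 1, 9 and 17 and VLANs 1 to 3 come from the transcript; the extra ports, the MAC addresses and the `VlanSwitch` class are constructed for the example.

```python
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class VlanSwitch:
    """Toy model of one switch whose access ports are each assigned a VLAN."""

    def __init__(self, port_vlan):
        self.port_vlan = dict(port_vlan)    # port number -> VLAN ID
        self.mac_table = defaultdict(dict)  # VLAN ID -> {MAC address: port}

    def receive(self, in_port, src_mac, dst_mac):
        """Return the sorted list of ports a frame is forwarded out of."""
        vlan = self.port_vlan.get(in_port)
        if vlan is None:
            return []  # port has no VLAN assignment in this model: drop
        # Source addresses are learned per VLAN, never shared across VLANs.
        self.mac_table[vlan][src_mac] = in_port
        if dst_mac != BROADCAST:
            known = self.mac_table[vlan].get(dst_mac)
            if known is not None:
                return [] if known == in_port else [known]
        # Broadcast or unknown destination: flood, but only inside the VLAN.
        return sorted(p for p, v in self.port_vlan.items()
                      if v == vlan and p != in_port)


def demo():
    # Constructed port map: red = VLAN 1, blue = VLAN 2, green = VLAN 3.
    sw = VlanSwitch({1: 1, 2: 1, 9: 2, 10: 2, 17: 3, 18: 3})
    red_a, red_b = "02:00:00:00:01:01", "02:00:00:00:01:02"
    blue_a = "02:00:00:00:02:09"
    return {
        # A red broadcast reaches the other red port and nothing else.
        "red_broadcast": sw.receive(1, red_a, BROADCAST),
        # red_b answers red_a: the address was learned, so one port only.
        "red_reply": sw.receive(2, red_b, red_a),
        # A blue host addressing red_a's MAC: VLAN 2 never learned it, so
        # the frame floods inside VLAN 2 and still never reaches port 1.
        "blue_to_red": sw.receive(9, blue_a, red_a),
    }


if __name__ == "__main__":
    for name, ports in demo().items():
        print(f"{name}: forwarded to ports {ports}")
```

The model covers access ports on one switch only; it does not represent trunk links, VLAN tags, or a router passing traffic between VLANs.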
