VLANs and their domains

Hey everyone. I work in a data center, and I'm working on getting my CCNA. Now when I read articles on the idea of VLANs it makes sense. Especially if you have multiple switches daisy chained in multiple locations. My two main questions, though, are that most of these examples use PCs as examples for using VLANs. But in the environment I work in, we have clients who have 2U and 3U servers, with multiple hard drive bays, in these VLANs. I don't know what these machines are running, but what could they possibly need to communicate to each other for?

Even in regards to normal PCs like in the examples I read in the Cisco book, what protocol or data is sent directly to another PC? If I'm using something like Yahoo Instant Messenger, and I send a message to the person on the same VLAN, does that packet/frame ever leave the VLAN? Or is it sent directly to the switch and the switch sends it to the receiver? Wouldn't something like that go to a Yahoo messaging server somewhere and then send back to the person sitting next to me?

I ask this because I can't think of information that is sent directly from one computer to the next without it ever leaving a VLAN. Except transferring files or something, and the idea of separating broadcasts.

Hope this line of questioning makes sense! Thanks!

You can create VLANs, not for common communication, but to isolate layer-2 communication from other network objects. Security.

Example:
If I am on VLAN A I may not be able to ssh over to VLAN B. A lot of places will do this with development versus production servers. Code librarians work on VLAN C with access to A and B. DMZs are another possible example of isolation at the layer-2 level. Layer-1 isolation is the same idea. If bad guys cannot see a network object at all, it cannot be attacked. Air gap attacks notwithstanding.

Like Jim says, the main purpose would be security enforcement. It is very typical for an application to make use of a web server, an application server, and a database server. The web server is obviously open on ports 80 and 443, and accessible from the internet. The web server may talk to the application server via, say, DCOM, which by default used UDP ports 1024-5000. Lastly, the application server may talk to the database server using SQL on TCP port 1433.

Ideally these servers would all talk to each other through a firewall, which can perform L3-L7 application filtering and enforcement. So your firewall would have a leg in all 3 VLANs, and all traffic between the servers would be forced through the firewall. With things like virtual firewalls becoming more common, things are becoming more and more complex in the DC. For example, the web, application and DB server may all reside on the same physical host in a virtualised environment, so then you need to start thinking about things like 802.1q trunking etc., but that's another discussion :)
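To make the two answers above concrete (Jim's point that same-VLAN traffic is switched at layer 2 while inter-VLAN traffic can be forced through a firewall, and the three-tier web/app/DB policy in the second reply), here is a small added model of that forwarding and filtering decision. It is example code written for this thread, not anything from the original posts or from Cisco; the /24 subnets per VLAN and the host addresses are constructed assumptions, and the permitted ports are the ones the second reply lists.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing (assumption): one subnet per VLAN, so "same VLAN"
# and "same subnet" coincide and the firewall is the only path between them.
VLANS = {
    "WEB": ip_network("10.10.10.0/24"),
    "APP": ip_network("10.10.20.0/24"),
    "DB": ip_network("10.10.30.0/24"),
}
INTERNET = "INTERNET"  # anything not in a known VLAN


@dataclass(frozen=True)
class Flow:
    src: str    # source IP
    dst: str    # destination IP
    proto: str  # "tcp" or "udp"
    dport: int  # destination port


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dports: range  # allowed destination ports


# The firewall policy from the second reply: internet -> web on 80/443,
# web -> app on UDP 1024-5000 (DCOM defaults), app -> db on TCP 1433.
# Anything not listed is dropped (default deny).
POLICY = [
    Rule(INTERNET, "WEB", "tcp", range(80, 81)),
    Rule(INTERNET, "WEB", "tcp", range(443, 444)),
    Rule("WEB", "APP", "udp", range(1024, 5001)),
    Rule("APP", "DB", "tcp", range(1433, 1434)),
]


def zone_of(addr: str) -> str:
    """Map an IP to the VLAN it sits in, or INTERNET if it is in none."""
    ip = ip_address(addr)
    for name, net in VLANS.items():
        if ip in net:
            return name
    return INTERNET


def evaluate(flow: Flow) -> str:
    """Decide what happens to a flow.

    SWITCHED: both ends are in one VLAN, so the frame is forwarded by the
              switch at layer 2 and never reaches the firewall.
    PERMIT:   different VLANs and a policy rule matches.
    DENY:     different VLANs and nothing matches (default deny).
    """
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return "SWITCHED"
    for rule in POLICY:
        if (rule.src_zone, rule.dst_zone, rule.proto) == (src_zone, dst_zone, flow.proto) \
                and flow.dport in rule.dports:
            return "PERMIT"
    return "DENY"


if __name__ == "__main__":
    samples = [
        Flow("203.0.113.5", "10.10.10.8", "tcp", 443),   # internet -> web
        Flow("10.10.10.8", "10.10.20.8", "udp", 3000),   # web -> app (DCOM)
        Flow("10.10.20.8", "10.10.30.8", "tcp", 1433),   # app -> db (SQL)
        Flow("10.10.10.8", "10.10.30.8", "tcp", 1433),   # web -> db directly
        Flow("10.10.20.8", "10.10.10.9", "tcp", 22),     # app -> web ssh
        Flow("10.10.10.8", "10.10.10.9", "tcp", 22),     # two hosts in WEB
    ]
    for f in samples:
        print(f"{zone_of(f.src):>8} -> {zone_of(f.dst):<4} {f.proto}/{f.dport:<5} {evaluate(f)}")
```

The last sample answers the original question directly: two hosts in the same VLAN talking on any port are switched at layer 2 and the firewall never sees the frame, which is exactly why the tiers are split into separate VLANs. The web-to-DB and app-to-web SSH cases show the default-deny behaviour that the split buys you.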