Saturday, May 3, 2025

Understanding VLANs

A topic I'd like to cover with networking is VLANs. Understanding VLANs is a solid step into networking concepts, especially if you are looking toward networking as a profession. Hopefully this article helps you understand the basic concepts of a VLAN as well as some of the more technical terms related to it. Let's begin!

1. What is a VLAN?

Definition: Virtual Local Area Network (VLAN)

A VLAN is a Virtual LAN that can be used to create a logical separation on network devices. This can allow multiple networks to ride on the same equipment, and even links, providing extra efficiency for networks and adding some extra security (not perfect, but it helps).

When we talk about efficiency, it is because a VLAN helps control the size of a broadcast domain. This allows a single piece of equipment to serve multiple network requirements without things getting so big that they begin to interfere with each other. This broadcast domain is on Layer 2 of the OSI model, which is where your Media Access Control address, or MAC address, comes into play. You may also see the term Hardware Address, or the less common term EUI-48 (Extended Unique Identifier).

2. How VLANs Work

As mentioned, a VLAN is Layer 2 on the OSI model, and VLAN tagging is defined by the IEEE 802.1Q standard. The VLAN tag is attached to the Ethernet frame. Now, a common misconception is that Ethernet is a cord. Ethernet is a Layer 2 protocol that defines how frames are formatted and transmitted over physical media. It's not just the cabling; it's the entire protocol standard used at Layer 2. The simplest way to put what happens is that we add a 4-byte identifier to the Ethernet frame.


When devices on a network need to find one another within the same subnet or need to talk to all devices on the same subnet, they will send out broadcasts. On a large network, this can be a lot of traffic. To reduce this, when devices do not need to interact with one another, we use the segmentation methodology by utilizing VLANs. On the network, this traffic will be virtually isolated to devices within the same VLAN.


A quick overview of 802.1Q shows it inserts a 4-byte tag into the Ethernet frame. The first 16 bits are the Tag Protocol Identifier (TPID), followed by 3 bits of Priority Code Point (PCP, part of 802.1p related to QoS), 1 bit of Drop Eligible Indicator (DEI, indicates if the frame can be dropped under congestion), and finally 12 bits of VLAN Identifier (VID), which gives 2^12 = 4096 potential values, 0-4095.
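To make the tag layout concrete, here is an added example (my own code, not part of the original post) that builds and parses an Ethernet frame with and without the 4-byte 802.1Q tag. The MAC addresses, VLAN 100 and the payload bytes are constructed sample values, and the TPID value 0x8100 is the standard one for 802.1Q.

```python
import struct

TPID_8021Q = 0x8100      # Tag Protocol Identifier: "an 802.1Q tag follows"
ETHERTYPE_IPV4 = 0x0800

def mac_bytes(text):
    """Turn 'aa:bb:cc:dd:ee:ff' into the 6 raw bytes used in the frame header."""
    parts = [int(p, 16) for p in text.split(":")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("a MAC address is six hex octets")
    return bytes(parts)

def mac_text(raw):
    """The reverse of mac_bytes, for printing."""
    return ":".join(f"{b:02x}" for b in raw)

def build_tag(vid, pcp=0, dei=0):
    """Return the 4-byte tag: 16-bit TPID, then 3-bit PCP, 1-bit DEI, 12-bit VID."""
    if not 0 <= vid <= 4095:
        raise ValueError("VID must fit in 12 bits (0-4095)")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP is 3 bits (0-7) and DEI is a single bit")
    tci = (pcp << 13) | (dei << 12) | vid        # Tag Control Information
    return struct.pack("!HH", TPID_8021Q, tci)   # network byte order

def build_frame(dst, src, ethertype, payload, vid=None, pcp=0, dei=0):
    """Ethernet II header; the tag goes between the source MAC and the EtherType."""
    header = mac_bytes(dst) + mac_bytes(src)
    if vid is not None:
        header += build_tag(vid, pcp, dei)
    return header + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Decode a frame; 'vid' is None for an untagged frame (what a native VLAN carries)."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    info = {"dst": mac_text(frame[0:6]), "src": mac_text(frame[6:12]),
            "vid": None, "pcp": None, "dei": None}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("tagged frame truncated inside the 802.1Q tag")
        tci = struct.unpack("!H", frame[14:16])[0]
        info["pcp"] = tci >> 13            # top 3 bits
        info["dei"] = (tci >> 12) & 0x1    # next bit
        info["vid"] = tci & 0x0FFF         # low 12 bits
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info

# Constructed sample, not a capture: a broadcast frame on VLAN 100 with PCP 5.
SAMPLE_FRAME = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01",
                           ETHERTYPE_IPV4, b"\x45\x00" + b"\x00" * 18, vid=100, pcp=5)

if __name__ == "__main__":
    print(parse_frame(SAMPLE_FRAME))
```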

3. Types of VLANs

Let's start with a very special VLAN, one you can never truly get rid of because it is very important: VLAN 1. This VLAN is used for a lot of internal communication on the network such as CDP, LLDP, VTP, and many other protocols. It is also the VLAN used as the default when no VLAN is explicitly selected.


Other special VLANs include some reserved VLANs.

  • 0 and 4095 - Unusable, reserved for system
  • 1 - Remember, you cannot delete this, it's a default
  • 1002 through 1005 - Defaults for FDDI and Token Ring


Outside of the reserved VLANs, you can use any of the others for data. How you choose to use them is really up to you; lay them out however best fits your internal functions.


Voice VLANs are used for VoIP services. If your equipment allows you to identify a VLAN for a voice function, I highly recommend you set that up. Aside from the optimization they will allow, it also allows the VoIP devices you plug in the chance to discover the VLAN they need if they support that kind of feature. This can help reduce a lot of headaches and even speed up a VoIP device configuring itself.


A Native VLAN is the VLAN a trunk assigns to any frame that arrives without a tag. This is usually going to be the VLAN directly interfacing the user devices or anything that does not support tagging its own VLAN. Pay attention to your native VLAN when trunking, as it will default to a native VLAN of 1. Also, if the native VLANs on the two ends do not match, traffic will still pass.


Tagged VLANs are explicitly marked as being on a specific VLAN. By tagging a VLAN, you can have a single interface participate in multiple VLANs where it can be separated out to different segments.


4. Access vs. Trunk Ports

An access port is a port with a single native VLAN usually interfacing an end device. If you are on a Cisco device, you can have an "access" port that also has a voice VLAN. Other devices will use a trunk port with the voice VLAN tagged on that port. A trunk port will also facilitate communication between switches containing multiple VLANs. You will often hear the terms "access port" and "trunk port" when discussing higher level network design.


When it comes to 802.1Q, you will likely see no tagging on a native VLAN, but you need the tagging on the frame for a tagged VLAN. Some switches have an option to force a VLAN to be tagged even if it is a native VLAN.

5. VLAN Configuration

Instead of giving a specific brand example, I'm just going to go over what is needed to configure a VLAN. The reason is, I've worked with too many different brands and I know they can be a bit... too different, and I don't want people to copy-paste and then be confused when it doesn't work. Instead, here are the concepts; grab yourself a CLI reference for your brand and good luck!


When configuring a VLAN, the first thing you need to do is create the VLAN. Some devices will let you apply it to a port right away, but if the VLAN is not in the global configuration, it does not work. Other devices will not even let you assign a VLAN to a port unless it has been created first.


With your VLANs created, you can then configure your ports. First you need to identify if it will be an access or a trunk port. Then you decide what VLAN(s) you want to assign to that port. Simple as that!

6. Benefits of Using VLANs

  • Improved security with isolation.
  • Reduced broadcast traffic through segmentation.
  • Better organization by function or need or usage.
  • Easier network management and scalability by running multiple virtual networks on the same devices.

7. Common Mistakes and Gotchas

Always remember to configure your VLAN so it actually exists to be used! Seems simple, but I've seen too many people make that mistake in a rush.


Pay attention to your trunk links. If a tagged VLAN is missing from the trunk, its traffic will not traverse. If the native VLAN is mismatched, traffic will pass unless you set the switch to force native tagging. This means you risk leaking traffic between VLANs or VLAN hopping. A scary thought is I have seen this done on purpose, which may lead to traffic working when it should never have worked. Fixing this down the road could be a major lift, so do not do it or rely on it. I should also mention that a mismatch can cause issues with Spanning Tree Protocol (STP) and general security issues.


Make sure your VLAN covers the broadcast domain you need. It sounds simple, but that means also taking into consideration how it can affect routing, like when it will need to route on Layer 3 instead of switching on Layer 2.


8. Real-World Use Cases

In the world of technology, segregating traffic is necessary for being efficient and secure. Microsegmentation is even better, but let's start here. When it comes to networking, a VLAN may be used to separate departments, VoIP, security devices, HVAC systems, fire alarms, IoT devices, WiFi traffic, etc.


If you have two departments in the same business, you may want to prevent one department from seeing and using a printer in the other; a VLAN can help with this. If VoIP is having an issue with jitter or something else about call quality, a VLAN can help you manage it. If you don't want people seeing very discoverable IoT devices, put them on their own VLAN. Security devices should be isolated, so put them on a VLAN. HVAC systems send out a ton of broadcasts, so keep them under control on their own VLAN. Fire alarms are critical, so secure them on a VLAN. Your WiFi system may need a lot to configure itself and pass traffic, so keep it on its own VLAN to help manage it.


There are so many instances a VLAN can be used to make things better, so use them. Just remember to keep track of everything so you can keep traffic flowing and do not accidentally isolate it.


One other thing to consider is what some may call a "no hop" VLAN or an isolated network. All this means is a VLAN that goes nowhere. It's a way to make an isolated traffic segment, and it just means do not let it leave. I've used VLANs of that design for internal functions that need to move massive amounts of data that I do not want interfering with anything else. It's also fairly secure if there's no way in or out.


9. VLANs and Layer 3 Boundaries

As I have mentioned, a VLAN is a Layer 2 function. A VLAN is also used for a Layer 3 boundary. This can be achieved on a switch using a Switch Virtual Interface (SVI). I have heard people say it is still Layer 2, but it is not. It is just a virtual Layer 3 interface directly associated with a Layer 2 VLAN.


An SVI can be used as a gateway, for setting up point-to-point links, as an access IP to interact with the network device, or anything else you can think of that you want to use an IP for. If you need to extend your Layer 2 traffic to something outside, you can use the SVI with an IP helper address to facilitate that.


These are good to know, especially when getting more into Layer 3, but for now we can leave it at that.

10. Final Tips and Best Practices

Now the fun part.


Avoid using VLAN 1 in production for normal traffic. VLAN 1 does a lot with discovery, so for security and sanity, keep your traffic off of it. Also remember, even if the device does not show it in the config, it's there. I've been told to delete it before, it's not possible. Best we can do is pretend it isn't there by not passing normal traffic across it.


Management traffic should be on its own VLAN. This is things like SSH access to your devices. I also recommend you keep it a flat Layer 2. By keeping your management traffic separate, as long as that traffic is flowing, you can get to your devices remotely, and it stays secure since it's virtually separated. By keeping it a flat Layer 2, you can maintain that traffic while working on Layer 3 configurations with less risk. Basically, give it as few chances to fail as possible.


Document your VLANs and use good descriptions. Keep in mind, if there is no Layer 2 connection, you can in theory re-use a VLAN ID without issues. However, once they touch, the traffic flows. So document well. The descriptions just help you keep your sanity.


All of that being said, VLANs are actually a very simple concept with a lot of utility. So keep it simple, obvious, and well documented. Do not overthink it or you may get lost in your own spaghetti mess.

Friday, May 2, 2025

Techs from the Crypt: OSPF Flood Wars!

It's been a while since I posted anything, but I wanted to try to get back into posting stuff. What better way to start than another tech horror story! Currently I am working as a Senior Network Engineer, a recent promotion I am quite proud of. One of the reasons I earned my current title is due to my involvement in a lot of troubleshooting sessions and overall network improvement. With that, it makes sense that strange issues tend to land in my lap. One of these issues that happened to land in my lap was an OSPF Flood War. Not my first one, so I figured easy enough. We had four devices showing up in logs with intermittent connectivity. With a bit of luck and some careful planning, I managed to get on each one and fix what was showing as duplicates. With solid connectivity restored I closed out the tickets; it only took me most of a day since it was a remote site.


The next day, I got a message about another OSPF Flood War message for the same four buildings. Connectivity was still solid. All four buildings had no errors, but the upstream did. I went over the same four buildings and the upstream device multiple times for most of the day. Still no luck finding what was making the messages show. Digging through everything I could find, I decided to ask around.


One of the new engineers I had helped earlier was working on getting phones set up at the same remote site, but in a completely different building. This building did not show up in any of the logs. With no other ideas, I got into the device for the building. It finally revealed itself when I went into the switch. The voice network is on a separate VRF, and the point-to-point VLAN on the uplink was in the voice VRF while the downstream one was on the default. Thus, two VRFs leaked into each other across one device that never showed up in any error logs. Two days of staring at devices and it was that simple. It was a nice and easy fix of just moving things into the appropriate VRF.


With all that, moving forward I am hoping to work on some more technical posts focused on network, since I guess that's my life now. I may also consider enlisting the help of all the new fancy AI tools and if I do, I will disclose that on the post. Just a consideration because sometimes my thoughts are too boiled down and dry to make a coherent post as opposed to just like a bullet list of information. Just a thought. Hope you enjoyed my story!

Sunday, February 11, 2024

Networks and Subnetting in IPv4

Even though IPv4 is getting older, it's still in use in a lot of places right now. Understanding the basics is important. So let us explore the basics. First, let's check out the anatomy of an IPv4 address. An IPv4 address is a number sequence comprised of 4 octets. Octet is a fancy way of saying each number is one byte, which is made of 8 binary digits, hence octet. An octet means you have 256 possible values, 0 through 255. The values are broken down into 4 numbers connected by periods, like 192.168.1.1. There are some special addresses in that total list, so let's start with the two big ones.


An IP address of 0.0.0.0 is a special default of "everything goes." You may see this in a server configuration to accept connections from any host or on any address. Then you have 255.255.255.255, which is a broadcast address. This is basically a "send this to everyone."


Now let's talk about what all the other network information means.


An IP address is a specific address associated to a device on the network.

A Network ID, together with a Subnet Mask, is the information used to identify which addresses are part of the same network.

CIDR (Classless Inter-Domain Routing) notation is a way to represent the subnet mask, usually written as a / followed by a number after the Network ID.

A Default Gateway is the address of the device that usually handles how traffic goes in, out, and routes around a network.

A broadcast address is a special address used to notify everything within a specific network.


That being said, let's take a basic network:

192.168.1.0/24


With this, the following information can be seen immediately:

Network ID = 192.168.1.0

CIDR = 24


The CIDR is a handy number to have because it can tell us how many usable IP addresses exist in that network space. To understand how, let's explore the subnet mask. As mentioned before, an IP address is 4 octets, and an octet is 8 binary digits. This means 8 digits times 4 octets, or 32 binary digits in total. The CIDR is how many of those digits in the address are part of the Network ID, so a CIDR can be from 0 to 32. For our /24, the Network ID is the first 24 binary digits (bits) and the remaining host portion is 32-24, or 8 bits. To get the number of possible values, keeping in mind we are working with binary, use the equation:

2^(32-CIDR)

2^(32-24)

2^8

256

There are 256 possible values. However, this number is actually still technically wrong. Within that range, there are two special addresses, which I will explain further down. Just know for now that those are the Network ID (192.168.1.0) and the Broadcast address (192.168.1.255). So the number of usable addresses equation in full is:

2^(32-CIDR) - 2

2^(32-24) - 2

2^8 - 2

256 - 2

254

There are 254 usable addresses you can assign to devices on the network. Let's turn the CIDR into what a subnet mask looks like. For this, you need to understand binary. There are 24 Network ID bits, and they start at the beginning. We will divide the 32 bits into octets with periods, filling from the beginning with 1s until we hit the CIDR, then filling the rest with 0s, like so:

11111111.11111111.11111111.00000000

You then can take each octet and convert it from binary to decimal, giving you the following:

255.255.255.0


A subnet mask is important for identifying the network compared to the Network ID. What needs to be understood at this point is that when we look at the network, all those 1s are what cannot change on the IP for it to be on the same network, and the 0s are the ones we can change and use. So how does this all work? Let's start with any 192.168.1.X address, say 192.168.1.100:

11000000.10101000.00000001.01100100


We then take that binary value and run it through a process called "ANDing" with the subnet mask. This means we compare each bit: if both are 1 we get 1, otherwise we get 0.

11000000.10101000.00000001.01100100

11111111.11111111.11111111.00000000

-----------------------------------

11000000.10101000.00000001.00000000


Now that we have that answer, we compare it for equality against the Network ID; in this case the binary value there and the Network ID of 192.168.1.0 are the same. We as people may be able to make the comparison a little faster without the ANDing, but a computer needs to do it for the comparison to be fast and easy. Computers can do binary operations far faster than looking at a number string arbitrarily like a human would. This is also where we get the broadcast address from.


So now let's use the numbers to find the broadcast address. To get the broadcast address we take the binary of the Network ID and fill in the remaining portion, the bits that are 0 in the subnet mask, with 1s. It would look as follows:

11000000.10101000.00000001.11111111


When we convert this back into a human readable form, it becomes 192.168.1.255. Keep in mind that not everything will all work out this cleanly, it's just that a /24 is very common because it is easier to work with. The main thing to keep in mind is that the numbers may appear strange, but that is because everything is working in binary. All of it really boils down to binary logic and understanding.
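Here is the whole procedure from this post carried out in code, as an added example of my own rather than anything from the original post: CIDR to mask, the ANDing step for the Network ID, the broadcast address, and the usable host count. It runs the post's 192.168.1.100/24 and then a less tidy /26, where the octet boundary no longer lines up with the mask; the /31 and /32 special cases go beyond the post's formula and are labelled in the comments.

```python
SHIFTS = (24, 16, 8, 0)   # bit offset of each of the four octets in a 32-bit integer

def ip_to_int(ip):
    """'192.168.1.100' -> 32-bit integer; each octet is one byte (8 bits)."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("an IPv4 address is four octets in the range 0-255")
    value = 0
    for octet in octets:
        value = (value << 8) | octet
    return value

def int_to_ip(value):
    """32-bit integer -> dotted decimal."""
    return ".".join(str((value >> s) & 0xFF) for s in SHIFTS)

def to_binary(value):
    """Dotted binary, the form used in the worked example above."""
    return ".".join(format((value >> s) & 0xFF, "08b") for s in SHIFTS)

def cidr_to_mask(cidr):
    """Subnet mask: the first `cidr` bits are 1, the remaining 32 - cidr bits are 0."""
    if not 0 <= cidr <= 32:
        raise ValueError("CIDR prefix length must be 0-32")
    return (0xFFFFFFFF << (32 - cidr)) & 0xFFFFFFFF

def network_id(ip, cidr):
    """The ANDing step: a bit survives only where both address and mask have a 1."""
    return ip_to_int(ip) & cidr_to_mask(cidr)

def broadcast(ip, cidr):
    """Network ID with every host bit (a 0 in the mask) set to 1."""
    host_bits = cidr_to_mask(cidr) ^ 0xFFFFFFFF
    return network_id(ip, cidr) | host_bits

def usable_hosts(cidr):
    """2^(32-CIDR) - 2. Beyond the post's formula: RFC 3021 point-to-point links use
    both addresses of a /31, and a /32 is a single host route."""
    if cidr == 32:
        return 1
    if cidr == 31:
        return 2
    return 2 ** (32 - cidr) - 2

def same_network(ip_a, ip_b, cidr):
    """What a host does before sending: AND both addresses and compare the results."""
    return network_id(ip_a, cidr) == network_id(ip_b, cidr)

def describe(ip, cidr):
    """Everything the post derives for one address, in one place."""
    mask = cidr_to_mask(cidr)
    return {
        "mask": int_to_ip(mask),
        "mask_binary": to_binary(mask),
        "network_id": int_to_ip(network_id(ip, cidr)),
        "broadcast": int_to_ip(broadcast(ip, cidr)),
        "usable": usable_hosts(cidr),
    }

if __name__ == "__main__":
    for prefix in (24, 26):            # the post's /24, then a /26 that splits an octet
        print(f"192.168.1.100/{prefix}:", describe("192.168.1.100", prefix))
```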

Thursday, October 19, 2023

How to Count and Convert Numbers

Regardless of how old you are, there is a chance you do not actually know how to count correctly. I decided I would post my guide to proper counting. The reason I say you might not know how to count is because counting in anything should be universal. Whether it is base 10, what we use on a day to day, base 8, base 2, or even base 16, it all works the same. So to prove it, here is my counting method. So, let's begin.

When you count, you probably go one, two, three, four, five, six, seven, eight, nine, ten. When working with everyday numbers, that works fine. However, this hides what is actually happening. We use "decimal" counting. This means base 10. But what does that really mean? The base refers to the number of possible values. The values are zero through nine. The number ten is actually not a unique value. It is two values: a 1 in the second place and a 0 in the first. Each digit you see individually is a value in a specific spot. To show this further, let us take the number 1234. You have a 1 in the fourth place, 2 in the third, 3 in the second, and 4 in the first. Using this same model and some math, we can draw this out to where you get a basic equation in which each individual digit is represented relative to the base and its place. It would look like base^place*value. We can then get the actual number by obtaining the sum. So let's expand this further for the number 1234. To do so, we first need to establish what the place value is. The place value starts at 0, because we will take advantage of some special math properties. Thus the number 1234 would be expanded with the base being a constant, in this case 10.

(10^3*1) + (10^2*2) + (10^1*3) + (10^0*4)

The special rule to remember is anything to the power of zero is always one. We have 4 places, starting at zero and ending in 3.

(1000*1) + (100*2) + (10*3) + (1*4)

Hopefully at this point, you can now see the relation of the place with the base. Now we put in the values.

1000 + 200 + 30 + 4

With that we get 1234 as our total value. It may seem super convoluted, but this is the realistic way numbers work. Understanding this, we can use the exact same method to convert any number from any base to a number we humans of base 10 calculations can understand. So let's show the relation to binary, or base 2. Picking an arbitrary binary value, 10011010, let us calculate what that is in a number we can understand. To start out with, we have 8 place values, and a base of two. That should let us drop in all the information nice and easy.

(2^7*1) + (2^6*0) + (2^5*0) + (2^4*1) + (2^3*1) + (2^2*0) + (2^1*1) + (2^0*0)

There are ways to shorten it, which you should see momentarily if you can't already, but I will go through all the steps to actually show what it all looks like. So the next step is as follows:

(128 * 1) + (64 * 0) + (32 * 0) + (16 * 1) + (8 * 1) + (4 * 0) + (2 * 1) + (1 * 0)

Since anything times zero would be zero, you could have technically just thrown out those sections from the equation, but we will continue on with them in there.

128 + 0 + 0 + 16 + 8 + 0 + 2 + 0

This then means our binary value was the number 154. Just to show it works for any base number, let's do an octal number. Since it is octal, that means the numbers can be anything with values 0 to 7. Let's try 651.

(8^2*6) + (8^1*5) + (8^0*1)
(64*6) + (8*5) + (1*1)
384 + 40 + 1
425

While the math itself may be hard, getting the equation makes it easy to just figure it out with any old calculator. Working with hexadecimal works a little differently, as we need to do some extra translation. Hexadecimal is base 16, which means the values are 0 to 15. Since we have only ten numbers, 0 to 9, we need to create more numbers. For this, we use letters. The letter values are as follows.
A=10
B=11
C=12
D=13
E=14
F=15

With this extra bit, we can translate a hexadecimal number to an understandable number. Let's use the number 1C3A. The numbers here will be much larger, but as long as we have the equations down, it should be easy.

(16^3*1) + (16^2*C) + (16^1*3) + (16^0*A)

Now, let's substitute any letters and we should be able to roll on through it.
(16^3*1) + (16^2*12) + (16^1*3) + (16^0*10)
(4096*1) + (256*12) + (16*3) + (1 * 10)
4096 + 3072 + 48 + 10
7226

As you can see, we can re-use the same pattern and adapt to anything we need. So long as we keep track of all the information necessary, it's easy enough. So to reiterate, the base is a constant for the whole equation. Each value number is actually two pieces of information, place and value. Common bases for number systems are binary (2), octal (8), decimal (10), and hexadecimal (16). Even so, you can pick any base you want, even lucky 13.

Now, how do we reverse it? The method is a little more obscure, however it is still doable. While the method mentioned before is not sensitive to the order since it is a sum, going backwards is. The good news is, we are worried about the same information of base, place, and value. So let's pick a number we did before, 154, and convert that back to binary. The way we do that is divide by the base and use remainder for the value and the quotient for the next step. We work our way through more or less as (total/base) -> 1 if remainder else 0 -> (quotient/base) ...

A bit more confusing, but let me show how that goes.
154/2 = 77 -> 0

Now the quotient is 77.
77/2 = 38.5 -> 1

The quotient is 38, the remainder is 1 (the .5), so we have a 1.
38/2 = 19 -> 0
19/2 = 9.5 -> 1
9/2 = 4.5 -> 1
4/2 = 2 -> 0
2/2 = 1 -> 0
1/2 = 0.5 -> 1

Now we take all of what is at the end and reverse it to get 10011010, what we started with. Numbers other than binary are a little easier if you know the modulo operator. With an equation, it would be more along the lines of using modulo(%) and integer division for the quotient to look like (value % base) -> (quotient % base)... Making this a little easier with a calculator. However, the structure is the same. So let's use 425 and go back to octal.

425/8 = 53.125 -> 0.125 = 1/8 giving us a modulo 1
53/8 = 6.625 -> 0.625 = 5/8 giving us a modulo 5
6/8 = 0.75 -> 6/8 giving us a modulo of 6

We take that and reverse the order and you get the original we started with in octal, 651. Now let's tackle the one last number, 7226, and get it back to the original hexadecimal. As before it will require the extra step of substitution to get the letters in there. Let's roll through this.

7226/16 = 451.625 -> 0.625 = 10/16 gives us a modulo 10 which is A
451/16 = 28.1875 -> 0.1875 = 3/16 gives us a modulo of 3
28/16 = 1.75 -> 0.75 = 3/4 = 12/16 gives us a modulo 12 which is C
1/16 = 0.0625 -> 0.0625 = 1/16 gives us a modulo 1

Now we take those values, run them backwards and we get 1C3A. With that, you can hopefully see that converting around different base numbers is actually a simple process and hopefully reveals enough information to truly understand what counting is really representative of.
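Both directions of the method above, written out as an added example (my own code, not from the original post): the base^place*value sum going to decimal, and the repeated division with the remainders read backwards going the other way. It runs the post's own numbers (1234, 10011010, 651, 1C3A) and, as a small extension, accepts any base from 2 up to 36 by continuing the letter substitution past F.

```python
DIGITS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"   # extends the post's A=10 ... F=15 up to base 36

def check_base(base):
    if not 2 <= base <= len(DIGITS):
        raise ValueError("base must be between 2 and 36")

def digit_value(symbol, base):
    """Map one digit character to its value, e.g. 'C' -> 12, rejecting anything outside the base."""
    value = DIGITS.find(symbol.upper())
    if value < 0 or value >= base:
        raise ValueError(f"{symbol!r} is not a valid base-{base} digit")
    return value

def to_decimal(text, base):
    """Sum of base^place * value, with place counted from 0 at the right-hand end."""
    check_base(base)
    total = 0
    for place, symbol in enumerate(reversed(text)):
        total += base ** place * digit_value(symbol, base)
    return total

def expand(text, base):
    """The written-out form the post uses, e.g. '(16^3*1) + (16^2*12) + (16^1*3) + (16^0*10)'."""
    check_base(base)
    places = range(len(text) - 1, -1, -1)
    terms = [f"({base}^{place}*{digit_value(symbol, base)})"
             for place, symbol in zip(places, text)]
    return " + ".join(terms)

def division_steps(number, base):
    """Each step as the post writes it: 'number/base = quotient -> remainder'."""
    check_base(base)
    steps = []
    while number > 0:
        quotient, remainder = divmod(number, base)    # integer division plus modulo
        steps.append(f"{number}/{base} = {quotient} -> {remainder}")
        number = quotient
    return steps

def from_decimal(number, base):
    """Repeated division by the base; the remainders read in reverse order are the digits."""
    check_base(base)
    if number < 0:
        raise ValueError("this routine handles non-negative integers")
    if number == 0:
        return "0"
    digits = []
    while number > 0:
        number, remainder = divmod(number, base)
        digits.append(DIGITS[remainder])             # substitutes A-F for 10-15 as we go
    return "".join(reversed(digits))

if __name__ == "__main__":
    for text, base in (("1234", 10), ("10011010", 2), ("651", 8), ("1C3A", 16)):
        value = to_decimal(text, base)
        print(f"{text} (base {base}) = {expand(text, base)} = {value}")
        print("  back again:", from_decimal(value, base))
```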

I also want to talk about some bonus information: number order. The way numbers get processed can be in relation to either the smallest to largest value, which is called little endian, or largest to smallest, called big endian. When you get deep into computer programming or number processing, this becomes very important for preserving the significant figures we want to be concerned with. As I mentioned before, since converting numbers into decimal is a sum, the order does not matter. That means you can process the numbers in reverse order just as well, just like when you convert them into other bases.

That's all there is to it! With any old calculator you should now be able to do conversions of binary, hex, octal, or whatever else you fancy. Hope it helps someone.

Wednesday, June 28, 2023

Web Design: Make Duplicate Forms And Remove/Reset Them

I don't know if anyone else would ever need or want something like this, but here we go. If you want to be able to create multiple forms on demand on the same page while keeping the ability to remove them or interact with them, then this is for you. First things first, we need to make an HTML document.

<!DOCTYPE html>
<html>
<head>
<title>Some Stupid Form Thing</title>

Now let's get our Javascript on! I know I add some stuff that is not needed, but I'm weird.

<script type="application/javascript">//<![CDATA[
"use strict";

// I like to do a global storage object
var storage = {
    "formdata": "",   // the original form's inner HTML, captured on page load
    "fid": 1          // next form id number to hand out
};

// function to store original form setup
function getformdata() {
    storage["formdata"] = document.getElementById("form0").innerHTML;
}

// Creating new forms
function addform() {
    var newform = document.createElement("form");
    newform.id = "form" + storage["fid"]++;
    newform.innerHTML = storage["formdata"];
    document.getElementById("formlist").append(newform);
}

// Removing forms, or reset the last form
function removeform(b) {
    b.parentElement.remove();   // the button's parent is the form it lives in
    if (document.getElementById("formlist").children.length < 1) {
        storage["fid"] = 0;     // list is empty: rebuild form0 from the stored copy
        addform();
    }
}
//]]></script>
</head>

</head>

Now that all the delicious code is out of the way, we need to create the body that this will interact with. It's actually fairly simple.

<body onload="getformdata()">
<div id="formlist">
<form id="form0" action="#">
Employee ID: <input type="text" value="" class="eid" /><button type="button">Do a thing</button><br />
<button type="button" onclick="removeform(this)">Remove</button>
</form>
</div>
<button onclick="addform()">Add Form</button>
</body>
</html>

Summary time. I am using a div as a container to create and remove forms in. Using the DOM we can isolate what we need inside of whatever container and use that to modify whatever with minimal navigation, no extra overhead of frameworks needed. I don't know why anyone would need this, other than the reason I made it that I'm not going to say. But there you go.