Next I'm going to tell you about a very important development in networking which has been applied to Ethernet and vastly improves a lot of properties of Ethernet and other kinds of networking. It is this notion of applying virtualization to networking. Now I don't know if you've heard of virtual machines. Virtual machines are something we use in the context of operating systems. If you have a computer and you want it to be virtualized, there's this ability to take a physical machine and run multiple virtual machines on top of it. You can do all sorts of powerful things with it. You can have multiple operating systems run on top of your physical machine. You can control how they communicate. So the notion of virtualization has also been applied to networking. We have the ability to create physical networks and then run multiple virtual networks on top of them. And there are different variants of this. At layer 3, there are VRFs and there are VPNs. And at layer 2, we use something called VLANs. So I'm going to be talking about that next, VLANs. VLAN stands for virtual LAN, virtual local area network. And it's an approach that has a lot of benefits. One of the benefits is that it can be used to scale Ethernet. So what we do here is we take our network and we divide it up. We take the physical network and we create slices on top of it. Each of these slices is a VLAN. And what these VLANs do is they isolate traffic at layer 2. So they're like multiple layer 2 slices of your network. For example, suppose you have a network, you have a bunch of switches and they're connected by links, these little subnets. And suppose you're building a smart building. So you have your HVAC controls on there, your heating, ventilation and air conditioning. You have some kind of manual controls where users can control their temperatures, and various sensors.
You have occupancy sensors and temperature sensors distributed throughout the building. So there's your HVAC system. That's one thing. And then suppose in addition to that, you have your payment network. You have your point of sale systems where users can come in and swipe their credit cards. You have your PCI server, your payment card infrastructure server, where you store your users' credit card information. And suppose you have all that, and that's a separate thing. You have these two separate functions on your network. So if you're using VLANs, one really smart thing to do when you're building these networks is to segment these things off. You can use VLANs to do that. What you would do with VLANs is you would create an HVAC VLAN, and you would create a payment card infrastructure VLAN, and these would be separate. The way this is implemented is switches have these ports, and you tell the switch which port is on which VLAN. And a single port can be on multiple VLANs. That's okay. And with these VLANs you have isolation. Suddenly, you can't send a packet from your HVAC VLAN to your PCI VLAN. So this is great for scalability, because your HVAC VLAN can send broadcasts, communicate all the temperature data at really high speeds, and that's fine. It won't interfere with your PCI network. Another reason to do this is security. I don't know if you've heard about the Target breach several years ago, but this is exactly what happened. They had an HVAC system and there was some insecurity in it. There was a piece of malware, and that malware was able to infiltrate into their credit card servers and pull data out of them. And you might have gotten one of these letters in the mail where it was like, your credit card information was compromised, here's some free credit check service. Target had to send out a lot of that stuff. And it's not just Target, this happens to all sorts of companies all the time.
And the way you protect against this stuff is you use VLANs. You take your network and you divide it up into parts. And this is something that's really important. So whenever you build a network, if you have some stuff that's secure and some stuff that's insecure, then you want to divide it up with VLANs. And this happens all the time with IoT. So a good practice is, if you have a network and you're deploying IoT on it, you want to segment that IoT off onto a separate VLAN. You'd use VLANs for that. VLANs are LANs in every sense of the word. Each of these VLANs corresponds to a single subnet. So when I create a LAN, when I create a single broadcast domain, I assign an IP subnet or an IP prefix to it, a block of IP addresses. And then to reach an IP address in that block, I broadcast. So each VLAN is the same thing. I'll have one physical network, but each of these VLANs will have a single IP subnet associated with it, because each one is an individual broadcast domain. And the way VLANs are implemented is we modify Ethernet. There's a modification to Ethernet that supports VLANs. And the VLAN number (each of these VLANs is associated with a number that identifies it) is carried in a tag in the packet. So it's embedded in the header. When a switch receives a packet or a frame with a certain VLAN ID in it, it'll only forward it out ports associated with that VLAN ID. So this constrains the broadcast to be within a single area. Virtual LANs, or VLANs, have some pros and cons. And to be honest, you're going to use VLANs. I mean, they have downsides, but they're used everywhere. There are so many advantages to using them, but there are some downsides you have to be careful about. Usually VLANs are manually configured. I mean, networks today are not artificially intelligent. They can't read your mind. They don't know what you want. And so you have to tell your network, you have to say, hey, network, these are my private credit card servers, they're on these ports.
And I want these separate from my guest wireless network or my IoT devices. You have to tell the network where things are. So that is a manual process. VLANs are often manually configured. There are supporting protocols. A lot of companies will write their own scripts to configure VLANs, or there's also Dynamic Trunking Protocol and other protocols that can automatically set up VLANs. But people often don't use these automatic protocols for security reasons. And even with scripts, you have to tell them what to do. So the bottom line is, when you use VLANs, there's manual configuration involved. It's not like you can just set things up and plug things together and they just work. And so this introduces additional work for network management. Another issue with VLANs is you have to remember that they are LANs, they're individual broadcast domains. So if you have a host in a VLAN and it moves to another VLAN, well, you have to renumber it. You have to give it a new IP address. So that's going to break connections if it has connections open. And so it's hard to seamlessly migrate across VLAN boundaries. This happens all the time in data centers. You have your data center, you have a bunch of VMs, virtual machines, on different VLANs; if you want to move them between VLANs, then you have to renumber them. So you want your VLANs big enough, if you're running a data center, to contain all the VMs that you need to be within that one area. However, VLANs also have some pretty significant upsides. VLANs limit the scope of broadcasts, and this allows us to build huge layer 2 networks, because we can scope broadcasts. We can have a huge physical layer 2 network and then a bunch of little VLANs on it, which is great for scalability. They also improve isolation and security. When people talk about segmentation and micro-segmentation, and you hear about this in the news all the time with data breaches and cyber attacks, they're really talking about VLANs.
They're talking about VLANs and related techniques to segment networks. All these problems you read about in the news are because somebody had some private systems, and then there's the Internet, or malware on the network, or IoT devices, and there's a connection that got through. With VLANs you can provide very rigorous segmentation of your network to isolate these various things. And they can still be connected together, but you connect them together with layer 3, where you put access controls and things to apply your security policies at just that one point, which is much better security practice. Another benefit of VLANs is you have a lot of flexibility in changing your topology. It's not like a physical network where you say, I need to connect some guest wireless users in this region, so I'm going to have to run a cable from my guest wireless network switch over to there. You don't have to do that anymore. All you have to do is create a VLAN trunk and extend your VLAN out. And that's a configuration change. That's something you log into the switch and type commands to do, as opposed to going out and messing around with cables. So you have a lot of flexibility in terms of changing your virtual topology without changing your physical topology. And this is great for data centers, where you can deploy very homogeneous infrastructure, lots of servers with a very similar network deployed across them, and then you can set up what you need. You can create a big VLAN for a customer, and you have another tenant, and shut them down, and do all sorts of things. And so this is what's used behind Amazon Web Services and Google Compute and all these things, because it's very automated. So these are some of the trade-offs with virtual LANs. There are some pros and cons, but they're things that are really used all over the place, and they're very important to know about.
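The tag-in-the-header forwarding the lecture describes (a switch only forwards a frame out ports that belong to the frame's VLAN ID) and the access-port versus trunk-port model, as an added example that is not part of the lecture: a minimal IEEE 802.1Q frame builder and parser plus a toy VLAN-aware switch in Python. The VLAN numbers (10 for HVAC, 20 for payment), the port layout and the MAC addresses are assumptions made up for the smart-building scenario above, and the switch logic is a teaching model of per-VLAN learning and flooding, not any vendor's implementation. It goes a little beyond the text by also showing why a tag supplied by a host on an access port is ignored, which is what stops a device from simply claiming membership in another VLAN.

```python
"""Added example (not from the lecture): IEEE 802.1Q tagging plus a toy
VLAN-aware switch. VLAN IDs, ports and MACs below are made up for the
HVAC / payment-card scenario; this is a teaching model, not vendor code."""
import struct

TPID_8021Q = 0x8100            # EtherType value that announces an 802.1Q tag
BROADCAST = b"\xff" * 6


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Build an Ethernet frame. With vid set, insert a 4-byte 802.1Q tag after
    the source MAC: TPID (0x8100) + TCI (PCP:3 bits | DEI:1 bit | VID:12 bits)."""
    hdr = dst + src
    if vid is not None:
        if not 1 <= vid <= 4094:
            raise ValueError("VID must be 1..4094 (0 and 4095 are reserved)")
        tci = ((pcp & 0x7) << 13) | (vid & 0xFFF)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return dst, src, VLAN tag fields (None when untagged), EtherType, payload."""
    dst, src, off, vid, pcp = frame[:6], frame[6:12], 12, None, None
    (etype,) = struct.unpack_from("!H", frame, off)
    if etype == TPID_8021Q:
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        pcp, vid, off = tci >> 13, tci & 0xFFF, off + 4
        (etype,) = struct.unpack_from("!H", frame, off)
    return {"dst": dst, "src": src, "vid": vid, "pcp": pcp,
            "ethertype": etype, "payload": frame[off + 2:]}


class VlanSwitch:
    """Access ports carry one VLAN untagged; trunk ports carry several VLANs
    tagged. The MAC table is keyed per VLAN and flooding only reaches member
    ports of the frame's VLAN, so each VLAN is its own broadcast domain."""

    def __init__(self):
        self.access = {}   # port -> vid
        self.trunk = {}    # port -> set of allowed vids
        self.fdb = {}      # (vid, mac) -> port learned from

    def add_access_port(self, port, vid):
        self.access[port] = vid

    def add_trunk_port(self, port, allowed):
        self.trunk[port] = set(allowed)

    def _classify(self, port, p):
        """Assign the ingress VLAN, or return None to drop the frame."""
        if port in self.access:
            # An access port's VLAN is decided by configuration, never by a
            # tag the sender supplied, so tagged frames are dropped here.
            return None if p["vid"] is not None else self.access[port]
        if port in self.trunk and p["vid"] in self.trunk[port]:
            return p["vid"]
        return None            # untagged or disallowed VID on a trunk

    def _egress(self, port, vid, p):
        """Re-encode for the outgoing port: tagged on trunks, untagged on access."""
        out_vid = vid if port in self.trunk else None
        return build_frame(p["dst"], p["src"], p["ethertype"], p["payload"],
                           out_vid, p["pcp"] or 0)

    def forward(self, in_port, frame):
        """Return {port: frame} for every port the frame is transmitted on."""
        p = parse_frame(frame)
        vid = self._classify(in_port, p)
        if vid is None:
            return {}
        self.fdb[(vid, p["src"])] = in_port          # learn, per VLAN
        members = [pt for pt, v in self.access.items() if v == vid]
        members += [pt for pt, ok in self.trunk.items() if vid in ok]
        known = self.fdb.get((vid, p["dst"]))
        targets = [known] if known in members else members   # else flood
        return {pt: self._egress(pt, vid, p) for pt in targets if pt != in_port}


def build_demo_switch():
    """HVAC VLAN 10 and payment VLAN 20 on one switch, trunk uplink on port 5."""
    sw = VlanSwitch()
    sw.add_access_port(1, 10)        # thermostat
    sw.add_access_port(2, 10)        # HVAC controller
    sw.add_access_port(3, 20)        # point-of-sale terminal
    sw.add_access_port(4, 20)        # card-data server
    sw.add_trunk_port(5, {10, 20})   # uplink to the next switch
    return sw


if __name__ == "__main__":
    sw = build_demo_switch()
    arp = build_frame(BROADCAST, bytes.fromhex("020000000001"), 0x0806, b"who-has")
    out = sw.forward(1, arp)         # thermostat broadcast: ports 2 and 5 only
    print({pt: parse_frame(f)["vid"] for pt, f in out.items()})
```

Running it, a broadcast from the thermostat on port 1 reaches the HVAC controller on port 2 untagged and leaves the trunk on port 5 tagged with VID 10; the two payment ports never see it. A frame tagged with a VID the trunk does not allow, or any tagged frame arriving on an access port, is dropped. The layer 3 hand-off the lecture mentions (a router or firewall port that is a member of both VLANs and applies access controls between them) is where the two broadcast domains would be joined deliberately.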