Thread: Cat5e or what?
Posted to uk.d-i-y
Dennis@home

On 29/01/2016 14:34, The Natural Philosopher wrote:
On 29/01/16 13:08, Theo Markettos wrote:
The Natural Philosopher wrote:
On 29/01/16 00:33, Theo wrote:
Also multiple ethernet ports mean you can segment the network: not put the
doorbell on the same network as the banking data. You can do that on a
switch with VLANs, but to do that you need a more expensive switch.

Theo
Can you put that in simple English that a mere professional IT network
engineer can understand?

What are 'multiple Ethernet ports' in this context, please, and how do
they differ from what a switch has anyway?


Virtual LANs allow you to run separate networks over the same physical
cabling.


Yes, I know that..(mere professional IT network engineer)

For instance, you might trust the doorbell network (physically exposed on
the outside of your building) less than the one handling credit card data,
and don't want them able to communicate. But your site topology might mean
you have to use the same physical link for connecting them.

Let's assume you have one ethernet cable you want to send both traffic down.
You do this by using VLAN-enabled switches. You put a VLAN-enabled switch
at each end. You then decide on a VLAN numbering scheme, for instance:

VLAN 123 = doorbell
VLAN 456 = accounting

You then configure switch A for port 1 to be on VLAN 123 and port 2 to be on
VLAN 456. You do the same for switch B. You plug in the doorbell kit to
port 1 and credit card kit to port 2.

You select port 3 to carry all 'tagged' frames, and link the switches with
your one cable between their port 3s.

          +-------------------------------+
          |           Switch A            |
doorbell -|-port 1--[tag=123?]-+          |
          |                    X--port 3 -|-- VLAN tagged frames on one link
accounts -|-port 2--[tag=456?]-+          |
          |                               |
          +-------------------------------+
          [and the same at the other end]

The switches 'tag' packets going out on port 3, in other words the packet
over the link looks like:

[VLAN tag=123][Ethernet header][IP header][IP payload][checksums]

and then route based on the tag, rather than routing to all ports. Because
the tag says VLAN 123, each switch now conveys this only between port 1.
For this traffic, it's as if the other ports didn't exist. Effectively you
have two isolated networks running over a single cable.

The downside is that you need a management interface on each switch to
configure this, that means the switch having a webserver, CPU, etc. This
makes the switches more expensive. It's also more work to configure and
maintain.

This is fairly standard enterprise networking, and not uncommon if your
business is large enough to buy switches from Cisco rather than Belkin.

(Some cheapo switches support it too - for instance there's a 10 pound
TP-Link gigabit 8-port. I haven't tried it)

Theo

Yes, but what has that utterly pointless and complex solution got to do
with domestic installations and 'multiple ethernet ports'

You can set up a pair of devices to talk to each other on different IP
networks using a bog standard switch. The switch itself will associate
IP and MAC addresses together and prevent traffic spilling onto other
segments.

You don't need all that VLAN gubbins at home, and unless you are
seriously paranoid, you don't need it in an office either.

VLAN is more about extended trusted networks over foreign IP and
untrusted networks - i.e., the Internet


I don't think you know what you are talking about.

A VLAN will stop a device on one port talking to a device on another
port; using a plain switch will not!
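
As an added illustration that is not part of the posts above: a small Python model of the two-VLAN layout described in the thread (port 1 = VLAN 123, port 2 = VLAN 456, port 3 = the tagged link). In 802.1Q the 4-byte tag is inserted after the source MAC address; the sample frame, the flood-only forwarding (no MAC learning), and the rule that access ports drop already-tagged frames are assumptions of this example.

```python
import struct

TPID_8021Q = 0x8100             # EtherType value that marks an 802.1Q tag
ACCESS_VLAN = {1: 123, 2: 456}  # port -> VLAN, numbering taken from the thread
TRUNK_PORTS = {3}               # port carrying tagged frames between switches

def add_tag(frame: bytes, vid: int) -> bytes:
    """Insert an 802.1Q tag (TPID + TCI) after the destination and source MACs."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]

def strip_tag(frame: bytes):
    """Return (vid, untagged_frame); vid is None when the frame carries no tag."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    if frame[12:14] != struct.pack("!H", TPID_8021Q):
        return None, frame
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF, frame[:12] + frame[16:]  # low 12 bits of TCI = VLAN ID

def forward(in_port: int, frame: bytes) -> dict:
    """Flood a frame within its VLAN only; returns {out_port: frame_as_sent}."""
    vid, inner = strip_tag(frame)
    if in_port in TRUNK_PORTS:
        if vid is None:
            return {}  # untagged on the trunk: dropped (no native VLAN modelled)
    elif vid is not None:
        return {}      # tagged on an access port: dropped, host cannot choose its VLAN
    else:
        vid = ACCESS_VLAN[in_port]  # access port: VLAN comes from switch config
    out = {p: inner for p, v in ACCESS_VLAN.items() if p != in_port and v == vid}
    out.update({p: add_tag(inner, vid) for p in TRUNK_PORTS if p != in_port})
    return out

# Constructed sample: broadcast frame from a made-up MAC, EtherType 0x0800
FRAME = b"\xff" * 6 + bytes.fromhex("020000000001") + b"\x08\x00" + b"ding-dong"

if __name__ == "__main__":
    for port, sent in forward(1, FRAME).items():
        print("doorbell broadcast leaves port", port, "VLAN", strip_tag(sent)[0])
```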