Thread: Cat5e or what?
Post #99, posted to uk.d-i-y
From: The Natural Philosopher[_2_]
Subject: Cat5e or what?

On 29/01/16 18:04, dennis@home wrote:
> On 29/01/2016 17:02, The Natural Philosopher wrote:
>> On 29/01/16 16:44, dennis@home wrote:
>>> On 29/01/2016 14:34, The Natural Philosopher wrote:
>>>> On 29/01/16 13:08, Theo Markettos wrote:
>>>>> The Natural Philosopher wrote:
>>>>>> On 29/01/16 00:33, Theo wrote:
>>>>>>> Also multiple ethernet ports mean you can segment the network: not
>>>>>>> put the doorbell on the same network as the banking data. You can
>>>>>>> do that on a switch with VLANs, but to do that you need a more
>>>>>>> expensive switch.
>>>>>>>
>>>>>>> Theo
>>>>>>
>>>>>> Can you put that in simple English that a mere professional IT
>>>>>> network engineer can understand?
>>>>>>
>>>>>> What are 'multiple Ethernet ports' in this context, please, and
>>>>>> how do they differ from what a switch has anyway?
>>>>>

>>>>> Virtual LANs allow you to run separate networks over the same
>>>>> physical cabling.
>>>>
>>>> Yes, I know that.. (mere professional IT network engineer)
>>>>
>>>>> For instance, you might trust the doorbell network (physically
>>>>> exposed on the outside of your building) less than the one handling
>>>>> credit card data, and don't want them able to communicate. But your
>>>>> site topology might mean you have to use the same physical link for
>>>>> connecting them.
>>>>>
>>>>> Let's assume you have one ethernet cable you want to send both
>>>>> traffic down. You do this by using VLAN-enabled switches. You put a
>>>>> VLAN-enabled switch at each end. You then decide on a VLAN numbering
>>>>> scheme, for instance:
>>>>>
>>>>> VLAN 123 = doorbell
>>>>> VLAN 456 = accounting
>>>>>
>>>>> You then configure switch A for port 1 to be on VLAN 123 and port 2
>>>>> to be on VLAN 456. You do the same for switch B. You plug in the
>>>>> doorbell kit to port 1 and credit card kit to port 2.
>>>>>
>>>>> You select port 3 to carry all 'tagged' frames, and link the
>>>>> switches with your one cable between their port 3s.
>>>>>
>>>>>           +-------------------------------+
>>>>>           | Switch A                      |
>>>>> doorbell -|-port 1--[tag=123?]-+          |
>>>>>           |                    X--port 3 -|-- VLAN tagged frames on one link
>>>>> accounts -|-port 2--[tag=456?]-+          |
>>>>>           |                               |
>>>>>           +-------------------------------+
>>>>>           [and the same at the other end]
>>>>>
>>>>> The switches 'tag' packets going out on port 3, in other words the
>>>>> packet over the link looks like:
>>>>>
>>>>> [VLAN tag=123][Ethernet header][IP header][IP payload][checksums]
>>>>>
>>>>> and then route based on the tag, rather than routing to all ports.
>>>>> Because the tag says VLAN 123, each switch now conveys this only
>>>>> between port 1. For this traffic, it's as if the other ports didn't
>>>>> exist. Effectively you have two isolated networks running over a
>>>>> single cable.
>>>>>
>>>>> The downside is that you need a management interface on each switch
>>>>> to configure this, that means the switch having a webserver, CPU,
>>>>> etc. This makes the switches more expensive. It's also more work to
>>>>> configure and maintain.
>>>>>
>>>>> This is fairly standard enterprise networking, and not uncommon if
>>>>> your business is large enough to buy switches from Cisco rather than
>>>>> Belkin.
>>>>>
>>>>> (Some cheapo switches support it too - for instance there's a 10
>>>>> pound TP-Link gigabit 8-port. I haven't tried it)
>>>>>
>>>>> Theo

>>>> Yes, but what has that utterly pointless and complex solution got to
>>>> do with domestic installations and 'multiple ethernet ports'?
>>>>
>>>> You can set up a pair of devices to talk to each other on different
>>>> IP networks using a bog standard switch. The switch itself will
>>>> associate IP and MAC addresses together and prevent traffic spilling
>>>> onto other segments.
>>>>
>>>> You don't need all that VLAN gubbins at home, and unless you are
>>>> seriously paranoid, you don't need it in an office either.
>>>>
>>>> VLAN is more about extending trusted networks over foreign IP and
>>>> untrusted networks - i.e. the Internet.
>>>
>>> I don't think you know what you are talking about.
>>>
>>> A VLAN will stop a device on one port talking to a device on another
>>> port; using a plain switch will not!
>>
>> Actually it will.
>
> No it won't!
> Just download an IP address scanner app and it will find everything
> (using IP) on any port.


Dennis. PLEASE read up about how a switch works, and why we HAVE
switches instead of repeaters. And why the little blinken lights on your
switch do not all blink at the same time but in pairs, because packets
are not on all segments simultaneously.

And just because it's perfectly possible to send a broadcast and get a
response back from every ethernet device on a given network, doesn't
mean that all those devices receive traffic OTHER than broadcasts on a
routine basis.

> On a VLAN it won't.

VLAN is a security issue. It is not about traffic.

So first of all, you need to understand the basics of why we use
switches rather than repeaters:

http://cnp3book.info.ucl.ac.be/protocols/ethernet.html
"From a performance perspective, it would be more interesting to have
devices that operate in the datalink layer and can analyse the
destination address of each frame and forward the frames selectively on
the link that leads to the destination. Such devices are usually called
*Ethernet switches* [7]. An Ethernet switch is a relay that operates in
the datalink layer as is illustrated in the figure below."

See that? The switch learns where each destination is, and doesn't send
all traffic to all devices.

You can't hear a conversation on one wire that is between devices on two
other wires, because the switch is a MAC-level ROUTER.

Obviously you can discover, by doing an ARP request or an Ethernet
broadcast, what other devices are on that network, but you can't tell
where they are connected unless you can probe the switch's MAC address
to port map tables.

All a VLAN is, is a layer on top of that that disallows broadcasts
between pre-defined VLANs, that's all.

"A switch can support several VLANs and it runs one MAC learning
algorithm for each Virtual LAN. When a switch receives a frame with an
*unknown or a multicast destination*, it forwards it over all the ports
that belong to the same Virtual LAN but not over the ports that belong
to other Virtual LANs. Similarly, when a switch learns a source address
on a port, it associates it to the Virtual LAN of this port and uses
this information only when forwarding frames on this Virtual LAN."

http://cnp3book.info.ucl.ac.be/protocols/ethernet.html

So devices on other VLANs won't respond to a broadcast on a given VLAN.
But beyond that they have no impact on performance or routine routing of
packets.

So all this nonsense about 'separating traffic' is just that. Nonsense.

If you route two VLANs over the same piece of wire, they will compete
with each other, VLAN or not. And if you have two devices on two
different bits of wire, the traffic from one will not go down the wire
to the other irrespective of whether they are on VLANs or not.

And VLANs therefore have zero use in a domestic environment.

ALL they really do is stop people on a given set of wires representing
themselves as belonging to a network they have no rights to join.

I repeat (sic!) VLANs are for security, not performance.

--
He who ****s in the road, will meet flies on his return.

"Mr Natural"
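Added example, not part of the original post and not code from any of the posters: a small Python model of the two things the thread argues about, a learning switch that forwards known unicasts to one port and floods only unknown or broadcast destinations, and the 802.1Q tagging that lets Theo's two VLANs share one cable between switch A and switch B. The switch names, port numbers, MAC addresses and VLAN ids are made up for the demonstration. Per IEEE 802.1Q the 4-byte tag is carried between the source MAC and the EtherType, which is where the encoder below puts it. A second function runs the same switch with no VLANs at all, to show a unicast between two ports not being copied to a third.

```python
import struct

BROADCAST = b"\xff" * 6
TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag

def mac(s):
    """'02:00:00:00:01:01' -> 6 raw bytes (addresses below are made up)."""
    return bytes.fromhex(s.replace(":", ""))

def build_frame(dst, src, payload, vlan=None, ethertype=0x0800):
    """Ethernet II frame. With vlan set, the 4-byte 802.1Q tag (TPID 0x8100 +
    16-bit TCI holding the 12-bit VLAN id) goes between the source MAC and the
    EtherType, which is where the standard places it."""
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)  # PCP/DEI left 0
    return hdr + struct.pack("!H", ethertype) + payload

def parse_frame(raw):
    """Split a frame into its fields; vlan is None when there is no tag."""
    (etype,) = struct.unpack("!H", raw[12:14])
    vlan, off = None, 14
    if etype == TPID_8021Q:
        tci, etype = struct.unpack("!HH", raw[14:18])
        vlan, off = tci & 0x0FFF, 18
    return {"dst": raw[:6], "src": raw[6:12], "vlan": vlan,
            "ethertype": etype, "payload": raw[off:]}

class Switch:
    """Learning switch with one MAC table per VLAN (the cnp3book behaviour)."""
    def __init__(self, name, access, trunks):
        self.name = name
        self.access = dict(access)   # port -> VLAN id for untagged host ports
        self.trunks = set(trunks)    # ports carrying tagged frames for every VLAN
        self.table = {}              # vlan -> {mac: port}

    def ports_in_vlan(self, vlan):
        return [p for p, v in self.access.items() if v == vlan] + sorted(self.trunks)

    def receive(self, port, raw):
        """Return [(egress_port, frame_bytes)]. Tagged frames arriving on an access
        port are dropped so a host cannot choose its own VLAN; untagged frames on
        a trunk are dropped for simplicity (real switches use a native VLAN)."""
        f = parse_frame(raw)
        if port in self.trunks and f["vlan"] is not None:
            vlan, untagged = f["vlan"], raw[:12] + raw[16:]   # strip the tag
        elif port in self.access and f["vlan"] is None:
            vlan, untagged = self.access[port], raw
        else:
            return []
        tbl = self.table.setdefault(vlan, {})
        tbl[f["src"]] = port                          # learn source -> port
        if f["dst"] in tbl:                           # known unicast: one port only
            outs = [tbl[f["dst"]]] if tbl[f["dst"]] != port else []
        else:                                         # unknown/broadcast: flood,
            outs = [p for p in self.ports_in_vlan(vlan) if p != port]  # same VLAN only
        tagged = build_frame(f["dst"], f["src"], f["payload"], vlan, f["ethertype"])
        return [(p, tagged if p in self.trunks else untagged) for p in outs]

def send(switches, links, sw, port, raw):
    """Inject a frame at (sw, port), follow inter-switch links, and return the
    (switch, port, parsed_frame) deliveries that reach host-facing ports."""
    out = []
    for p, frame in switches[sw].receive(port, raw):
        if (sw, p) in links:
            out += send(switches, links, *links[(sw, p)], frame)
        else:
            out.append((sw, p, parse_frame(frame)))
    return out

DOORBELL_A, DOORBELL_B = mac("02:00:00:00:01:01"), mac("02:00:00:00:01:02")
ACCOUNTS_A = mac("02:00:00:00:02:01")

def vlan_demo():
    """Theo's layout: port 1 = VLAN 123 (doorbell), port 2 = VLAN 456 (accounts),
    port 3 = the single tagged link between switches A and B."""
    cfg = dict(access={1: 123, 2: 456}, trunks=[3])
    switches = {"A": Switch("A", **cfg), "B": Switch("B", **cfg)}
    links = {("A", 3): ("B", 3), ("B", 3): ("A", 3)}
    bcast = send(switches, links, "A", 1, build_frame(BROADCAST, DOORBELL_A, b"who-has"))
    reply = send(switches, links, "B", 1, build_frame(DOORBELL_A, DOORBELL_B, b"is-at"))
    uni = send(switches, links, "A", 1, build_frame(DOORBELL_B, DOORBELL_A, b"data"))
    acct = send(switches, links, "A", 2, build_frame(BROADCAST, ACCOUNTS_A, b"who-has"))
    return bcast, reply, uni, acct   # reaches B:1, A:1, B:1, B:2 and nothing else

def plain_switch_demo():
    """No VLANs at all (every port in VLAN 1): once both hosts have been learned,
    a unicast between ports 1 and 2 is not copied to port 4."""
    sw = Switch("P", access={1: 1, 2: 1, 4: 1}, trunks=[])
    sw.receive(1, build_frame(BROADCAST, DOORBELL_A, b"who-has"))  # floods to 2 and 4
    sw.receive(2, build_frame(DOORBELL_A, ACCOUNTS_A, b"is-at"))   # learns port 2
    return [p for p, _ in sw.receive(1, build_frame(ACCOUNTS_A, DOORBELL_A, b"data"))]

if __name__ == "__main__":
    for name, hops in zip(("bcast", "reply", "uni", "acct"), vlan_demo()):
        print(name, [(s, p, f["vlan"]) for s, p, f in hops])
    print("plain switch unicast egress ports:", plain_switch_demo())
```

Two details worth noticing when reading the output: the frame that crosses the port 3 link carries the tag, but every frame handed to a host port has had it stripped, and the accounts broadcast injected on switch A never appears on port 1 of either switch because flooding is scoped to the VLAN's own ports plus the trunk. The access-port rule that discards tagged frames is the part that matters for the "no rights to join" point: without it, a host could tag its own frames with another VLAN's id.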