Routing & Switching: Network Segmentation | Network+ N10-007 | 1.3b

In this video you will learn about network segmentation such as: VLANs, trunking, tagging & untagging ports, port mirroring, switching loops, spanning tree protocol, PoE & PoE+, DMZ, MAC address tables, and ARP tables.

Segmentation & Interface Properties

VLANs (Virtual Local Area Networks)

A virtual LAN is any broadcast domain that is partitioned and isolated in a computer network at the data link layer (OSI layer 2).  LAN is the abbreviation for local area network and in this context virtual refers to a physical object recreated and altered by additional logic.  VLANs work by applying tags to network frames and handling these tags in networking systems — creating the appearance and functionality of network traffic that is physically on a single network but acts as if it is split between separate networks.  In this way, VLANs can keep network applications separate despite being connected to the same physical network, and without requiring multiple sets of cabling and networking devices to be deployed.

VLANs allow network administrators to group hosts together even if the hosts are not directly connected to the same network switch.  Because VLAN membership can be configured through software, this can greatly simplify network design and deployment.  Without VLANs, grouping hosts according to their resource needs requires the labor of relocating nodes or rewiring data links.  VLANs allow devices that must be kept separate to share the cabling of a physical network and yet be prevented from directly interacting with one another.  This managed sharing yields gains in simplicity, security, traffic management, and economy.  For example, a VLAN can be used to separate traffic within a business based on individual users or groups of users or their roles, or based on traffic characteristics.  Many Internet hosting services use VLANs to separate customers’ private zones from one another, allowing each customer’s servers to be grouped in a single network segment no matter where the individual servers are located in the data center.  Some precautions are needed to prevent traffic “escaping” from a given VLAN, an exploit known as VLAN hopping.


Trunking (802.1q)

Trunking is a technique for providing network access to many clients simultaneously by sharing a set of circuits, carriers, channels, or frequencies, instead of providing an individual circuit or channel for each client.  As the name implies, the system is like a tree with one trunk and many branches.  The data carried over a trunk can be audio, video, control signals, or images.  In switched networks, trunking is the mechanism used to interconnect switches so that traffic for many LANs, VLANs, or WANs can share one link, forming an internetwork.  Trunking is not limited to any medium, since its main purpose is to maximize the bandwidth available in any type of network.


802.1q is a VLAN tagging protocol developed by the IEEE (Institute of Electrical and Electronics Engineers).  Since it is an open standard, it can be used between switches from different vendors: if you’re trunking between a Cisco switch and a switch of another brand, you can use 802.1q for the trunk to work.

Tagging & Untagging Ports

VLAN tagging is performed by putting the VLAN ID into a header field of the frame to identify which VLAN the frame belongs to.  This lets a switch determine which interface or broadcast domain the frame needs to be sent to so that it reaches the right network.  The switches need to be configured beforehand for VLAN tagging to work properly.  With this system, multiple broadcast domains can share the same links yet remain segregated, bridged traffic can be forwarded between switches with its VLAN membership preserved, and clients can be organized, configured and grouped logically.  Overall, the network is used more efficiently.

An untagged port, or access port, on a switch connects to hosts.  The host is unaware of any VLAN configuration, so it sends its traffic without any VLAN tag on the frames.  When a frame reaches the switch port, the switch adds a VLAN tag containing the VLAN ID that the port is configured with.  Most switch ports use this mode by default, with VLAN ID 1.  When a frame leaves an untagged port, the switch strips the VLAN tag from the frame and the traffic is then forwarded as normal.


Port Mirroring

Port mirroring is used on a network switch to send a copy of network packets seen on one switch port (or an entire VLAN) to a network monitoring connection on another switch port.  This is commonly used for network appliances that require visibility into network traffic, such as an intrusion detection system (IDS), a passive probe, or real user monitoring (RUM) technology that supports application performance management (APM).  Network engineers or administrators use port mirroring to analyze and debug data or diagnose errors on a network.  It helps administrators keep a close eye on network performance, and the attached monitoring tools can alert them when problems occur.  It can be used to mirror either inbound or outbound traffic (or both) on single or multiple interfaces.


Switching Loops

A switching loop (or bridge loop) occurs in computer networks when there is more than one layer 2 path between two endpoints (e.g. multiple connections between two network switches, or two ports on the same switch connected to each other).  Because switches forward broadcasts and multicasts out every port, the loop creates broadcast storms: the switch or switches repeatedly rebroadcast the same messages, flooding the network.  Since the layer-2 header does not include a time-to-live (TTL) field, a frame sent into a looped topology can loop forever.


Spanning Tree Protocol (STP)

The Spanning Tree Protocol is a network protocol that builds a loop-free logical topology for Ethernet networks.  The basic function of STP is to prevent switching loops (bridge loops) and the broadcast radiation that results from them.  Spanning tree also allows a network design to include backup links providing fault tolerance if an active link fails.  As the name suggests, STP creates a spanning tree that characterizes the relationship of nodes within a network of connected layer-2 bridges, and disables those links that are not part of the spanning tree, leaving a single active path between any two network nodes.
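As an added example (not from the video or its notes) covering both the loop and the STP sections, this Python function performs the core STP computation on a constructed topology: elect the root by lowest bridge ID, compute each bridge's root path cost, keep the link behind each root port forwarding, and block every other link so that the loops disappear. It deliberately omits BPDU exchange, port state timers and shared-segment designated-port election, and assumes point-to-point links only.

```python
import heapq
from collections import defaultdict

def spanning_tree(bridge_ids, links):
    """Elect the root bridge and choose one forwarding path from every bridge to it.

    bridge_ids: {bridge_name: bridge_id}; the lowest ID wins the root election.
    links: list of (bridge_a, bridge_b, path_cost) point-to-point segments.
    Returns (root, root_path_cost_by_bridge, forwarding_link_indexes, blocked_link_indexes).
    """
    root = min(bridge_ids, key=lambda b: (bridge_ids[b], b))
    adj = defaultdict(list)
    for idx, (a, b, cost) in enumerate(links):
        adj[a].append((b, cost, idx))
        adj[b].append((a, cost, idx))
    # Shortest paths from the root.  Ties on root path cost are broken by the lower
    # bridge ID of the upstream bridge, then by link index (the port ID analogue).
    root_cost = {}        # bridge -> cost of its best path to the root
    root_port_link = {}   # bridge -> index of the link behind its root port
    heap = [(0, bridge_ids[root], -1, root)]
    while heap:
        cost, _, via, node = heapq.heappop(heap)
        if node in root_cost:
            continue          # already settled with an equal or better path
        root_cost[node] = cost
        if via >= 0:
            root_port_link[node] = via
        for nbr, link_cost, idx in adj[node]:
            if nbr not in root_cost:
                heapq.heappush(heap, (cost + link_cost, bridge_ids[node], idx, nbr))
    # Every link that is somebody's root port stays forwarding; the rest are blocked,
    # which is what removes the physical loops.
    forwarding = set(root_port_link.values())
    blocked = set(range(len(links))) - forwarding
    return root, root_cost, forwarding, blocked

# Constructed topology: four switches with redundant links (two physical loops)
BRIDGES = {"SW1": 0x80000001, "SW2": 0x80000002, "SW3": 0x80000003, "SW4": 0x80000004}
LINKS = [("SW1", "SW2", 4),    # 0
         ("SW1", "SW3", 4),    # 1
         ("SW2", "SW3", 4),    # 2  redundant: closes the loop SW1-SW2-SW3
         ("SW2", "SW4", 19),   # 3  slow path to SW4
         ("SW3", "SW4", 4)]    # 4  fast path to SW4

if __name__ == "__main__":
    root, cost, fwd, blk = spanning_tree(BRIDGES, LINKS)
    print("root:", root, "forwarding:", sorted(fwd), "blocked:", sorted(blk))
```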

PoE (802.3af) & PoE+ (802.3at)

PoE (Power over Ethernet) is a networking feature that lets Ethernet cables supply power to network devices over the existing data connection.  PoE-capable devices can be power sourcing equipment (PSE), powered devices (PD), or a combination.  The device that transmits power is a PSE, while the device that is powered is a PD.  Most PSEs are either network switches or PoE injectors intended for use with non-PoE switches.  Common examples of PDs include VoIP phones, wireless access points, and IP cameras.

PoE+ is the update to PoE.  The major difference between PoE and PoE+ is that PoE+ power sourcing equipment (PSE) can provide almost twice as much power over a single Ethernet cable.  PoE+ PSEs can supply power to both PoE and PoE+ powered devices (PDs), but PoE PSEs can only supply power to PoE PDs.  Also, PoE+ PDs require more power than PoE PSEs can provide.


DMZ (Demilitarized Zone)

A demilitarized zone (sometimes referred to as a perimeter network or screened subnet) is a physical or logical subnetwork that contains and exposes an organization’s external-facing services to an untrusted, usually larger, network such as the internet.  The purpose of a DMZ is to add an additional layer of security to an organization’s LAN, so that an external node can access only what is exposed in the DMZ while the rest of the organization’s network is firewalled.  The DMZ functions as a small, isolated network positioned between the internet and the private network and, if its design is effective, allows the organization extra time to detect and address breaches before they penetrate further into the internal networks.


MAC Address Table

A MAC address table, sometimes called a Content Addressable Memory (CAM) table, is used on Ethernet switches to determine where to forward traffic on a LAN.  MAC address tables map each learned MAC address to the port on which it was seen.  When a switch receives a frame, it associates the MAC address of the sending device with the interface on which the frame was received.  The table that stores such associations is the MAC address table.  This makes it efficient to forward traffic directly to a host.  Without a MAC address table, traffic would be forwarded out every port, like a hub.  This table is stored in volatile memory, so the associations are erased when the switch is restarted.
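The Python model below is an added example, not part of the original notes, that ties this section to the VLAN section above: a switch learns each source MAC per VLAN on ingress, forwards known unicast out a single port, ages entries out of its volatile table, and floods unknown unicast or broadcast only to ports in the same VLAN. Port numbers, VLAN IDs and MAC addresses are constructed; all ports are assumed to be access ports.

```python
import time

BROADCAST = "ff:ff:ff:ff:ff:ff"

class VlanSwitch:
    """Model of a VLAN-aware switch: learns source MACs per VLAN on ingress, forwards
    known unicast out a single port, and floods unknown unicast or broadcast only
    within the ingress VLAN.  All ports are access ports here (one VLAN each)."""

    def __init__(self, port_vlans, aging_seconds=300):
        self.port_vlans = port_vlans       # {port_number: vlan_id}
        self.aging = aging_seconds         # entries unused this long are forgotten
        self.mac_table = {}                # (vlan, mac) -> (port, last_seen)

    def expire(self, now):
        """Drop stale entries; like a real CAM table this is volatile state."""
        stale = [k for k, (_, seen) in self.mac_table.items() if now - seen > self.aging]
        for key in stale:
            del self.mac_table[key]

    def forward(self, ingress_port, src, dst, now=None):
        """Return the sorted list of egress ports for one frame ([] means dropped)."""
        now = time.time() if now is None else now
        self.expire(now)
        vlan = self.port_vlans[ingress_port]
        self.mac_table[(vlan, src)] = (ingress_port, now)   # learn the sender's location
        entry = self.mac_table.get((vlan, dst))
        if dst != BROADCAST and entry is not None:
            port, _ = entry
            # known destination: one port, or filtered if it sits behind the ingress port
            return [] if port == ingress_port else [port]
        # unknown unicast or broadcast: flood every other port in the same VLAN only,
        # so hosts in another VLAN never see it even though they share the switch
        return sorted(p for p, v in self.port_vlans.items() if v == vlan and p != ingress_port)

# Constructed example: ports 1, 2 and 5 in VLAN 10, ports 3 and 4 in VLAN 20
SWITCH = VlanSwitch({1: 10, 2: 10, 5: 10, 3: 20, 4: 20})
```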


ARP Table

Address Resolution Protocol is a communication protocol used for discovering the link layer address, such as a MAC address, associated with a given internet layer address, typically an IPv4 address.  This mapping is a critical function in the Internet protocol (IP) suite.  An ARP table is simply a method for storing the information discovered through ARP.  It is used to record the discovered MAC and IP address pairs of devices connected to a network.  ARP allows pairs of MAC and IP addresses to be reused rather than discovered or rediscovered for every data packet sent across the network.  Once a MAC and IP pair is learned, it’s kept in the ARP table for a specified period of time.
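As an added example (not from the video or its notes), the Python code below decodes an Ethernet/IPv4 ARP packet and keeps the resulting IP-to-MAC pair in a table for a fixed lifetime, after which it must be rediscovered; it also records when a still-fresh entry's MAC changes, which is the kind of inconsistency an administrator would want logged. The packet bytes, addresses and 60-second lifetime are constructed for the example.

```python
import ipaddress
import struct

def parse_arp(pkt: bytes) -> dict:
    """Decode an Ethernet/IPv4 ARP packet (28-byte RFC 826 layout)."""
    if len(pkt) < 28:
        raise ValueError("ARP packet too short")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", pkt[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    return {"op": {1: "request", 2: "reply"}.get(oper, oper),
            "sender_mac": pkt[8:14].hex(":"),
            "sender_ip": str(ipaddress.IPv4Address(pkt[14:18])),
            "target_mac": pkt[18:24].hex(":"),
            "target_ip": str(ipaddress.IPv4Address(pkt[24:28]))}

class ArpTable:
    """IP -> MAC cache with a fixed lifetime: a pair is kept for a period and must be
    rediscovered afterwards."""

    def __init__(self, ttl_seconds=60):
        self.ttl = ttl_seconds
        self.entries = {}    # ip -> (mac, learned_at)
        self.conflicts = []  # (ip, old_mac, new_mac) seen while the old entry was still fresh

    def lookup(self, ip, now):
        """Return the cached MAC, or None if absent or expired (expired entries are removed)."""
        entry = self.entries.get(ip)
        if entry is not None and now - entry[1] <= self.ttl:
            return entry[0]
        self.entries.pop(ip, None)
        return None

    def observe(self, arp: dict, now):
        """Learn the sender pair from any ARP packet (requests and replies both carry it)."""
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        current = self.lookup(ip, now)
        if current is not None and current != mac:
            # a fresh entry changed its MAC: worth logging, since one IP should map to one MAC
            self.conflicts.append((ip, current, mac))
        self.entries[ip] = (mac, now)

# Constructed sample: a reply saying 192.168.1.10 is at 02:00:00:00:00:0a, sent to 192.168.1.1
SAMPLE_REPLY = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
                + bytes.fromhex("02000000000a") + ipaddress.IPv4Address("192.168.1.10").packed
                + bytes.fromhex("020000000001") + ipaddress.IPv4Address("192.168.1.1").packed)
```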
