I love the fact that in the bottom topology, the switch chip is quite likely using VLANs internally to separate the traffic.
For example, MikroTik CRS1xx/CRS2xx switches would definitely just create vlans internally (correct me if I'm wrong though, but I don't believe there's someone on earth who actually understands these switches) if you try to separate a port group.
In fact even without any configuration they will create a vlan (4095 I think) that is shared amongst all the ports, so you’re kinda fucked if you want to avoid vlans for ideological reasons lol.
@maengooen@lemmy.world@196@lemmy.blahaj.zone honestly, using VLAN is just out of my budget for my home network. Especially since I don't really have a managed switch to put it all with.
Managed switches aren't too much more than their unmanaged counterparts.
More importantly, you'd need a firewall that supports it. Doesn't do you any good to have vlans if you don't have a firewall to enforce traffic between those zones. Getting a firewall is the expensive bit, unless you use an old computer and toss pfsense/opnsense on it, or you buy a baby soho firewall (~$150-$200).
VLANs are just a way to separate machines on a network, without having to buy all the hardware infrastructure to build a second network. It's a super useful tool to have, but it makes everything a little more complicated.
The post itself is just a take on the "STOP DOING MATH" meme.
A virtual local area network, or vlan, is a logically defined subset of a computer network that is used to control, from an administrator/system level, which computers are 'connected' to others. There can be an unbroken, physical connection between two devices, but they won't be able to communicate because network hardware is stepping in and segregating the network.
This is good because it can increase security: rather than having your sensitive information on your company network with a password, which can be cracked or stolen, being the only thing controlling access to it, with a vlan you can limit access to even attempt to use a password to only the parts of your network that actually require it.
It also controls traffic and congestion on the network, because some data is 'broadcast', effectively addressed "to whom it may concern". A vlan places a wall around parts of the network that keeps these broadcasts inside, i.e. splits broadcast domains. Ordinarily, this would require different hardware and physical design, which can increase cost and complexity.
But on the other hand, the physical network structure encouraged by this design is very flat, with all devices physically connected to each other. It is only inside configuration on the network hardware that things are broken up and divided, which means if whoever set it up didn't document it, you are required to not only figure out where all the cables go, but also how the network systems are controlling the data.
It's also another "thing" that can break. If there were physical segmentation, you could follow a cable and see where it's gone wrong, and if something were plugged into the wrong port, it would be plugged into the wrong device entirely, and you would just move the connection to the correct device. With a vlan, you'll have a switch with dozens of ports, each having its own independent configuration defined on a table, which means it can be plugged into the correct device, but the wrong individual port out of dozens. The configuration could also become corrupt, or be broken by an accidental change or hardware failure, and you would now need to rebuild the table, going through each individual port and configuring which vlan was supposed to be on it.