Local computer network segmentation

A physical computer network can be divided into logical segments so that traffic is separated and can flow only within one segment. Ports are assigned to their respective virtual LANs (VLANs) in the switch configuration, which is possible only on managed switches. A switch forwards unicast, multicast, and broadcast traffic only within a single LAN segment. Besides isolating the segments, this approach limits the flooding of switch ports with ARP and DHCP broadcasts, which never cross the VLAN borders. Traffic between VLANs is possible only through additional network devices such as routers and firewalls, where it can be monitored and filtered. Layer 3 (L3) switches are another option: given appropriate rules, such a switch forwards traffic between segments according to a defined policy, much like a router.

Using segmentation when designing a business computer network brings a number of benefits. The most common practices include:

  • for security reasons, workstations belonging to certain departments, e.g. accounting, should be separated from the rest of the computer network,
  • computers belonging to the company's guests should be placed in a separate VLAN without access to internal resources. Modern switches can authorize workstations based on MAC addresses or EAP protocols and assign them to the appropriate segments according to a defined policy,
  • a separate VLAN is also a crucial element of every DMZ, since internal traffic should not be mixed with external traffic,
  • a separate administration segment for managed IT infrastructure devices such as server management cards (iLO, iDRAC), disk array management ports, switches, and wireless network controllers,
  • a separate NFS traffic segment – when using virtualization and arrays that support this protocol – with the option of using jumbo frames to increase data transfer efficiency,
  • a separate VoIP telephony segment – in view of the need to deploy QoS mechanisms,
  • virtualization – virtual machines hosted on one physical server often need their own network addresses and must be assigned to separate network segments. The local network is virtualized at the level of the virtual machine host, and the host itself can be connected to the switch with a single cable; the network traffic is then carried over a so-called trunk.

The technical aspects of segmentation are described in the IEEE 802.1Q standard.
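To illustrate the 802.1Q tag format and the per-VLAN forwarding behaviour described above (access ports versus the trunk to a virtualization host), here is an added Python example, not code from the original article or from any switch vendor. It encodes and decodes the 4-byte tag (TPID, 3-bit PCP priority used for VoIP QoS, 12-bit VID) and models a toy switch whose port-to-VLAN assignment, MAC addresses and frames are all constructed for the example; egress tagging on trunk ports is not modelled.

```python
import struct
from collections import namedtuple

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag
Frame = namedtuple("Frame", "dst src vid pcp ethertype payload")  # vid None = untagged

def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Encode an Ethernet II frame, inserting an 802.1Q tag when vid is given."""
    tag = struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid) if vid is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload

def parse_frame(raw):
    """Decode an Ethernet II frame; the 4-byte tag sits between source MAC and EtherType."""
    if len(raw) < 14:
        raise ValueError("frame too short")
    dst, src, ethertype = raw[:6], raw[6:12], struct.unpack("!H", raw[12:14])[0]
    vid, pcp, body = None, 0, 14
    if ethertype == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        pcp, vid, body = tci >> 13, tci & 0x0FFF, 18   # PCP = 3 bits, VID = 12 bits
    return Frame(dst, src, vid, pcp, ethertype, raw[body:])

class VlanSwitch:
    """Toy VLAN-aware switch: access ports carry one untagged VLAN, trunk ports
    carry a set of tagged VLANs. Frames never leave the VLAN they entered on."""
    def __init__(self, access, trunks):
        self.access, self.trunks = access, trunks
        self.mac_table = {}  # (vid, mac) -> port, learned from source addresses

    def ingress_vid(self, port, frame):
        if port in self.access:   # access port: only untagged frames are accepted
            return self.access[port] if frame.vid is None else None
        return frame.vid if frame.vid in self.trunks.get(port, set()) else None

    def forward(self, in_port, raw):
        """Return the egress ports for a frame received on in_port."""
        frame = parse_frame(raw)
        vid = self.ingress_vid(in_port, frame)
        if vid is None:
            return []                       # VLAN not allowed on this port: dropped
        self.mac_table[(vid, frame.src)] = in_port
        members = {p for p, v in self.access.items() if v == vid}
        members |= {p for p, vs in self.trunks.items() if vid in vs}
        known = self.mac_table.get((vid, frame.dst))
        if known is not None and known != in_port:
            return [known]                  # learned unicast: one port, same VLAN
        return sorted(members - {in_port})  # broadcast/unknown: flood within VLAN only
```

With ports 1 and 2 in VLAN 10, port 3 in VLAN 20 and port 4 as a trunk, an ARP broadcast entering port 1 is flooded to ports 2 and 4 only, never to port 3.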

