In 1999, the IEEE promulgated the draft 802.1Q protocol standard for a standardized VLAN implementation. VLAN technology allows administrators to logically divide the users of one physical LAN into different broadcast domains according to actual application requirements. Each VLAN contains a group of workstations with the same requirements and has the same attributes as a physical LAN. Because the division is logical rather than physical, the workstations in one VLAN are not restricted to the same physical area; they can sit on different physical LAN segments. It follows from these characteristics that broadcast and unicast traffic within a VLAN is not forwarded to other VLANs, which helps to control traffic, reduce equipment investment, simplify network management, and improve network security.
The development of switching technology has also accelerated the adoption of VLANs. Dividing an enterprise network into virtual network segments (VLANs) strengthens network management and network security and controls unnecessary data broadcasts. In a shared network, a physical network segment is one broadcast domain. In a switched network, a broadcast domain can be a virtual network segment composed of an arbitrarily selected group of Layer 2 addresses (MAC addresses). Working groups in the network can thus break through the geographical restrictions of the shared network and be divided purely according to management function. This workflow-based grouping greatly improves network planning and reorganization. Workstations in the same VLAN, whichever switch they are physically connected to, communicate as if they were attached to a switch of their own. A broadcast within a VLAN is heard only by members of that VLAN and is not transmitted to other VLANs, so unnecessary broadcast storms are well controlled. At the same time, without routing, different VLANs cannot communicate with each other, which increases the security between different departments in the enterprise network. By configuring routes between VLANs, network administrators can comprehensively manage the exchange of information between different management units within the enterprise. The switch divides VLANs according to the MAC address of the workstation, so a user can move freely within the corporate network: wherever they attach to the switched network, they can communicate freely with the other users of their VLAN.
A VLAN can be composed of mixed network types and equipment: 10M Ethernet, 100M Ethernet, token ring, FDDI, CDDI and so on, and its members can be workstations, servers, hubs, network uplinks, backbones and so on.
In addition to dividing the network into multiple broadcast domains, VLANs effectively control broadcast storms and make the network topology very flexible. They can also be used to control mutual access between different departments and different sites in the network.
If several hosts in different physical locations belong to the same VLAN, they can communicate with each other; if several hosts in the same physical location belong to different VLANs, they cannot communicate directly. VLANs are usually implemented on switches or routers. A VLAN tag is added to each Ethernet frame to classify it, and Ethernet frames carrying the same VLAN tag are transmitted within the same broadcast domain.
VLAN is a protocol proposed to solve the broadcast and security problems of Ethernet. It adds a VLAN header to the Ethernet frame and uses the VLAN ID to divide users into smaller working groups, restricting access between different working groups; each working group is a virtual local area network. The advantage of a virtual LAN is that it limits the broadcast range and forms virtual working groups that let the network be managed dynamically.
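As an added illustration that is not part of the original article, the following Python code inserts and reads the 4-byte IEEE 802.1Q tag that carries the VLAN ID in an Ethernet frame, and checks whether two tagged frames belong to the same broadcast domain. The sample frame bytes and the VLAN IDs 10 and 20 are constructed for this example.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value announcing that an 802.1Q tag follows


def tag_frame(untagged: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert an 802.1Q tag after the 12-byte destination/source MAC header.

    The tag is the 2-byte TPID (0x8100) followed by 2 bytes of Tag Control
    Information: 3-bit priority (PCP), 1-bit drop eligible (DEI) and the
    12-bit VLAN ID (VID). VID 0 (priority tag only) and 4095 (reserved)
    are not usable VLAN IDs, so they are rejected.
    """
    if not 1 <= vid <= 4094:
        raise ValueError(f"VID {vid} is not a usable VLAN ID")
    if len(untagged) < 14:
        raise ValueError("frame is shorter than an Ethernet header")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vid
    return untagged[:12] + struct.pack("!HH", TPID_8021Q, tci) + untagged[12:]


def vlan_of(frame: bytes):
    """Return (pcp, dei, vid) for a tagged frame, or None if it is untagged."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return (tci >> 13) & 0x7, (tci >> 12) & 0x1, tci & 0x0FFF


def strip_tag(frame: bytes) -> bytes:
    """Remove the 802.1Q tag, as an access port does when delivering to a host."""
    if vlan_of(frame) is None:
        return frame
    return frame[:12] + frame[16:]


def same_broadcast_domain(a: bytes, b: bytes) -> bool:
    """Two tagged frames share a broadcast domain only if their VIDs match;
    an untagged frame carries no VLAN ID and is never matched here."""
    ta, tb = vlan_of(a), vlan_of(b)
    return ta is not None and tb is not None and ta[2] == tb[2]


# Constructed sample: a broadcast ARP frame (destination ff:ff:ff:ff:ff:ff,
# locally administered source MAC, EtherType 0x0806, payload zeroed).
UNTAGGED = bytes.fromhex("ffffffffffff" "020000000001" "0806") + bytes(28)
SALES = tag_frame(UNTAGGED, vid=10)      # sales department VLAN (assumed ID)
PLANNING = tag_frame(UNTAGGED, vid=20)   # planning department VLAN (assumed ID)
```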
Purpose of Virtual Local Area Network
VLAN (Virtual Local Area Network) has many purposes. Understanding the nature of VLANs makes it clear where they are useful.
1. You must know that 192.168.1.2/30 and 192.168.2.6/30 belong to different network segments, and traffic between them must pass through a router. Whenever different network segments need to access each other, they must do so through a router.
2. A VLAN is essentially a network segment. It is called a virtual local area network because it is a network segment created under a virtual (logical) interface of a router.
An illustration follows. Suppose a router has only one port for terminal connections (of course this situation is basically impossible; it only simplifies the example), and this port is assigned the address 192.168.1.1/24. However, the company has two departments, a sales department and a planning department, and each requires a separate subnet and a separate server. The address space can of course be divided into 192.168.1.0/25 (addresses .0 to .127) and 192.168.1.128/25 (addresses .128 to .255). But a physical router port can only be assigned one IP address, so how are the different network segments distinguished? This is done by creating two sub-interfaces (logical interfaces) under the physical port.
For example, the logical interface F0/0.1 is assigned the IP address 192.168.1.1/25 for the sales department, while F0/0.2 is assigned 192.168.1.129/25 for the planning department. This is equivalent to using one physical port to provide two logical interfaces, extending a port that could serve only one network segment to one that can serve two or more. Because these network segments are created under logical interfaces, they are called virtual local area networks (VLANs). This illustrates the purpose of VLAN at the router level.
3. Next, the purpose of VLAN is explained at the switch level.
In reality, different network segments must be divided for many reasons. Suppose, for example, that there are only two network segments, the sales department and the planning department. Then all the sales department hosts can simply be connected to one switch, which connects to one router port, and all the planning department hosts to another switch, which connects to another router port. This situation is an ordinary LAN. However, as above, if the router has only one interface for terminals, the two switches must be connected to the same router interface. To keep the original network segment division in this case, router sub-interfaces must be used, that is, VLANs must be created.
Similarly, for two switches, if the ports on each switch are to belong to different network segments, then as many router interfaces are provided as there are network segments. Although the router's physical interface defines which network segment it connects to, at the switch level it cannot be distinguished which port belongs to which network segment, so the only way to make that distinction is to divide VLANs. A VLAN distinguishes which network segment the terminal on a given switch port belongs to.
To sum up, VLANs come into play when the ports of a single switch belong to two or more different network segments, or when a single physical router port is connected to two or more network segments; this is the purpose of VLAN.
Broadcast storm prevention
By limiting broadcasts on the network, dividing the network into multiple VLANs reduces the number of devices participating in a broadcast storm. VLAN segmentation prevents broadcast storms from spreading across the entire network. VLANs provide a mechanism that acts like a firewall against excessive broadcasts in the switched network. Using VLANs, a switch port or user can be assigned to a specific VLAN group; the VLAN group may be within one switched network or span multiple switches, and broadcasts in a VLAN are not sent outside that VLAN. Likewise, adjacent ports do not receive broadcasts generated by other VLANs. This reduces broadcast traffic, frees bandwidth for user applications, and reduces broadcast generation.
Enhance the security of the local area network
User groups containing sensitive data can be isolated from the rest of the network, reducing the possibility of leaking confidential information. Packets in different VLANs are isolated from each other during transmission, that is, users in one VLAN cannot communicate directly with users in other VLANs. If communication between different VLANs is required, it must pass through a Layer 3 device such as a router or a Layer 3 switch.
The need for costly network upgrades is reduced, and existing bandwidth and uplinks are used more efficiently, which saves costs.
Dividing a flat Layer 2 network into multiple logical working groups (broadcast domains) reduces unnecessary traffic on the network and improves performance.
Improve staff efficiency
VLANs make network management more convenient, because users with similar network requirements share the same VLAN.
Simplify project management or application management
VLANs aggregate users and network devices to support business or geographic needs. Through this functional division, project management or handling of special applications becomes very convenient; for example, an e-learning development platform can easily be managed for teachers. In addition, it is easy to determine the scope of impact when upgrading network services.
Increased network connection flexibility
With VLAN technology, different locations, different networks, and different users can be combined into a virtual network environment that is as convenient, flexible and effective as a local LAN. VLANs reduce the management cost of moving or changing the geographic location of workstations; in particular, companies whose business conditions change frequently see this part of their management cost greatly reduced after adopting VLANs.
Routing and access control lists implement inter-VLAN access control
A VLAN is a logical subnet built on the physical network, so establishing VLANs requires network equipment that supports VLAN technology. When different VLANs in the network need to communicate with each other, routing is used, which means routing equipment must be added. The routing function can be provided by either a router or a Layer 3 switch.
Use VLAN technology itself to construct access control
VLAN technology is itself Ethernet technology, so VLANs can be used directly to construct access control, without relying on routing. Designing the VLAN logical topology of the entire Ethernet network together with inter-VLAN access control lets each IT system run on its own dedicated virtual local area network, achieving reliable isolation of the IT systems and, at the same time, secure access control between them.
Divide VLAN by port
Many VLAN manufacturers use switch ports to define VLAN membership; the configured ports are all in the same broadcast domain. For example, ports 1, 2, 3, 4 and 5 of a switch are defined as virtual network AAA, and ports 6, 7 and 8 of the same switch form virtual network BBB. This allows communication between the ports within each group and allows shared networks to be upgraded. However, this division mode restricts a virtual network to a single switch.
Second-generation port-based VLAN technology allows VLANs to be divided across ports of multiple switches, so that several ports on different switches can form the same virtual network.
Dividing network members by switch port is simple and clear to configure. Therefore, at present, dividing VLANs by port is still the most commonly used method.
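The following Python model is an added example, not from the original article, that ties the port-based division just described to the router sub-interface example given earlier: ports 1 to 5 and 6 to 8 form the two VLANs, F0/0.1 and F0/0.2 serve them, and the functions show which ports a broadcast reaches and whether two ports communicate directly, through the router, or not at all. The VLAN IDs 10 and 20 and the host addresses used are assumptions.

```python
from __future__ import annotations

from ipaddress import IPv4Address, IPv4Interface

# Port groups follow the article's example (ports 1-5 = AAA, 6-8 = BBB);
# the VLAN IDs 10 and 20 are assumed for this example.
PORT_VLAN = {1: 10, 2: 10, 3: 10, 4: 10, 5: 10,   # AAA: sales department
             6: 20, 7: 20, 8: 20}                  # BBB: planning department

# Router with one physical port and one logical sub-interface per VLAN,
# addressed as in the article's sales/planning example.
SUBINTERFACES = {
    10: ("F0/0.1", IPv4Interface("192.168.1.1/25")),
    20: ("F0/0.2", IPv4Interface("192.168.1.129/25")),
}


def broadcast_domain(ingress_port: int) -> set[int]:
    """Ports that receive a broadcast frame arriving on ingress_port.

    A Layer 2 switch floods only to ports in the ingress port's VLAN, and
    never back out the port the frame came in on.
    """
    vlan = PORT_VLAN[ingress_port]
    return {p for p, v in PORT_VLAN.items() if v == vlan and p != ingress_port}


def forwarding_path(src_port: int, dst_port: int, routing: bool = True) -> str:
    """Describe how a unicast from src_port reaches dst_port.

    Same VLAN: switched directly at Layer 2. Different VLANs: only through
    the router's sub-interfaces, and not at all when no routing exists.
    """
    src_vlan, dst_vlan = PORT_VLAN[src_port], PORT_VLAN[dst_port]
    if src_vlan == dst_vlan:
        return f"direct (VLAN {src_vlan})"
    if not routing:
        return "unreachable (no route between VLANs)"
    out_if, in_if = SUBINTERFACES[src_vlan][0], SUBINTERFACES[dst_vlan][0]
    return f"routed {out_if} -> {in_if}"


def gateway_for(host_ip: str) -> str | None:
    """Name of the sub-interface whose subnet contains host_ip, if any."""
    addr = IPv4Address(host_ip)
    for name, iface in SUBINTERFACES.values():
        if addr in iface.network:
            return name
    return None
```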
Divide VLAN by MAC address
This method assigns VLAN membership by the MAC address of each host, that is, each host, identified by its MAC address, is configured into the group it belongs to. The biggest advantage of this method is that when a user's physical location moves, that is, when the host changes from one switch to another, the VLAN does not need to be reconfigured; a MAC-address-based division can therefore be considered a user-based VLAN. The disadvantage is that during initialization all users must be configured, and with hundreds or even thousands of users the configuration is very tiring. Moreover, this method also reduces the efficiency of the switch, because there may be members of many VLAN groups on each switch port, so broadcast packets cannot be restricted. In addition, laptop users may replace their network cards frequently, so the VLANs must be continually reconfigured.
Divided by network layer
This method divides VLANs according to each host's network layer address or protocol type (if multiple protocols are supported). Although the division is based on a network address such as an IP address, it is not routing and has nothing to do with routing at the network layer.
The advantage of this method is that when a user's physical location changes, the VLAN they belong to does not need to be reconfigured, and VLANs can be divided according to protocol type, which is very important for network administrators. In addition, this method does not require additional frame tags to identify VLANs, which reduces network traffic.
The disadvantage of this method is low efficiency, because it takes processing time to check the network layer address of each packet (compared with the previous two methods). A general switch chip can automatically check the Ethernet frame header of a packet, but checking the IP header requires more advanced chip technology and is more time-consuming. Of course, this depends on the implementation of each vendor.
Divided by IP multicast
IP multicast can in fact be seen as a definition of VLAN, in which a multicast group is considered a VLAN. This division method extends VLANs to the wide area network, so it has greater flexibility and is also easy to extend through routers. Of course, this method is not suitable for local area networks, mainly because of its inefficiency.
This method, also known as policy-based VLAN, is the most flexible method of VLAN division. It has the capability of automatic configuration and can connect related users into one logical division, called a "relational network". The network administrator only needs to define the rules (or attributes) for dividing VLANs in the network management software; when a station joins the network, it is "perceived" and automatically placed in the correct VLAN. At the same time, moves and changes of the station are automatically identified and tracked.
Using this method, the entire network can be easily extended through routers. Some products also allow hosts on one port to belong to different VLANs, which is particularly important in an environment where switches and shared hubs coexist. When VLANs are configured automatically, the software in the switch automatically checks the IP source address of broadcast frames entering a switch port and then assigns that port to the VLAN mapped to that IP subnet.
Divided by user-defined and non-user authorization
Dividing VLANs by user definition and non-user authorization means defining and designing a VLAN according to the special requirements of specific network users, to suit a special VLAN network, while allowing users outside the VLAN group to access it: such a user must provide a password and can join the VLAN only after being authenticated by the VLAN management.
Among the above methods of dividing VLANs, the port-based method operates at the physical layer; the MAC address method at the data link layer; and the network layer and IP multicast methods at Layer 3.
Virtual Local Area Network Standard
(1) IEEE 802.1Q
IEEE 802.1Q is the VLAN standard developed by the IEEE 802 committee. Whether a LAN switch supports the IEEE 802.1Q standard is one of the important indicators by which it is measured. Currently, the new generation of LAN switches all support IEEE 802.1Q, while older devices do not.
(2) Cisco’s ISL protocol
The ISL (Inter Switch Link) protocol was developed by Cisco and supports VLANs that span multiple switches. It uses a 10-bit identifier, and frames are transmitted only to the switches and links that carry the same 10-bit identifier, so as to perform logical grouping and control broadcast and transmission traffic between switches and routers.
Communication between VLANs
Although about 80% of communication traffic occurs within a VLAN, about 20% still has to cross between VLANs. At present, router technology is mainly used to handle communication between VLANs.
Communication between VLANs generally uses one of two routing strategies, centralized routing or distributed routing, or else access control implemented by the VLANs themselves.
(1) Centralized routing
In the centralized routing strategy, all VLANs are interconnected through a central router. For two ports on the same switch (generally a Layer 2 switch) that belong to two different VLANs, even though they are on the same switch, data exchanged between them must be routed through the central router.
The advantage of this method is simplicity and clarity. The disadvantage is that, because the forwarding speed of the router is limited, it increases network delay and is prone to congestion. The central router therefore has to provide high processing power and fault tolerance.
(2) Distributed routing
The distributed routing strategy appropriately distributes the routing function to switches with routing capability (Layer 3 switches), so that different VLANs on the same switch can communicate with each other directly. The advantage of this method is its extremely high routing speed and good scalability.