2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Advanced small and medium-sized network construction: detailed experimental steps of layer 2 VLAN technology
Why VLAN?

In a traditional switched network, the switch was introduced to isolate collision domains: each switch port is its own collision domain. A switch cannot, however, isolate the broadcast domain. If a malicious host in the network sends malicious broadcast traffic, every device in the same switched network is affected, and at that point it is very difficult to locate the faulty host or to contain the scope of the malicious broadcast traffic.

The solution is to isolate the broadcast domain: one large broadcast domain is divided, by "technology", into many smaller broadcast domains, so that malicious broadcast traffic is confined to a limited range. Locating the faulty host and controlling malicious traffic then become manageable.

This technology is called VLAN: virtual LAN, virtual local area network.
Definition of VLAN:

A VLAN is a broadcast domain / network segment: a group of devices with the same function placed in the same broadcast domain. Which VLAN a device belongs to has nothing to do with its physical location; the member hosts of one VLAN may sit in the same physical location or in different ones. The "virtual" refers to the virtualization of "physical location", as opposed to a "traditional LAN", in which only devices within the same physical area belong to the same LAN. VLAN breaks this limitation of physical location.

Isolation of the broadcast domain is realized by VLAN technology on the switch; VLAN is a layer 2 (OSI) technology.
The role of VLAN:
Divide different broadcast domains on the switch; each VLAN is a separate broadcast domain.
[Different VLANs belong to different network segments.]

The representation of VLAN:
# A VLAN is represented by an ID, such as vlan 1, vlan 2.
Value range of the ID: 0-4095
The difference between Access and Trunk links:
# Different devices are connected
Access: usually connected to terminal devices (hosts).
Trunk: usually connected to switch equipment.
# Different VLAN support
Access: always belongs to exactly one VLAN.
Trunk: can carry multiple VLANs simultaneously.
# Different operations on data
Access:
Outgoing data is sent untagged.
Incoming data is received untagged.
Trunk:
Outgoing data must be tagged.
Incoming data:
# If the received frame is tagged:
& if the receiving port allows that VLAN, the frame is accepted directly;
& if the receiving port does not allow that VLAN, the frame is discarded directly.
# If the received frame carries no tag:
the frame is labelled with the VLAN number given by the PVID of the trunk port.
Note:
The default PVID on a trunk link is 1.
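The following Python model is an added example and is not code from the original article: it reproduces the ingress and egress rules just listed for an Access port and a Trunk port on raw 802.1Q frames (TPID 0x8100, VID in the low 12 bits of the TCI). Port names, MAC addresses and the sample frames are constructed. Two details not spelled out above are taken from Huawei VRP behaviour and marked in the comments: an access port accepts a tagged frame only when the tag equals its PVID, and on a trunk the PVID VLAN leaves untagged (which is what `display vlan` shows as UT) while every other allowed VLAN leaves tagged.

```python
# Added example (not from the original article): 802.1Q tag handling on
# Access and Trunk ports. Ports, MACs and frames below are constructed.
import struct
from dataclasses import dataclass, field

TPID_8021Q = 0x8100          # EtherType value that marks an 802.1Q tag


@dataclass
class Port:
    name: str
    link_type: str                     # "access" or "trunk"
    pvid: int = 1                      # VRP default PVID is 1
    allowed: set = field(default_factory=lambda: {1})  # trunk: VLANs allowed to pass


def parse_tag(frame: bytes):
    """Return (vlan_id, True) for a tagged frame, (None, False) for an untagged one."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q and len(frame) >= 16:
        (tci,) = struct.unpack("!H", frame[14:16])
        return tci & 0x0FFF, True      # low 12 bits of the TCI are the VID
    return None, False


def add_tag(frame: bytes, vid: int) -> bytes:
    """Insert an 802.1Q tag (priority 0) between the source MAC and the EtherType."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the 4-byte 802.1Q tag; the caller has already checked the frame is tagged."""
    return frame[:12] + frame[16:]


def ingress(port: Port, frame: bytes):
    """Receive-side rules. Returns (vlan, untagged_frame), or None if the frame is dropped."""
    vid, tagged = parse_tag(frame)
    if port.link_type == "access":
        if not tagged:
            return port.pvid, frame               # untagged -> the port's own VLAN (PVID)
        # VRP behaviour: a tag equal to the PVID is accepted, any other tag is dropped
        return (vid, strip_tag(frame)) if vid == port.pvid else None
    if tagged:
        # tagged frame on a trunk: accepted only if the VLAN is in the allowed list
        return (vid, strip_tag(frame)) if vid in port.allowed else None
    # untagged frame on a trunk: labelled with the trunk's PVID (must itself be allowed)
    return (port.pvid, frame) if port.pvid in port.allowed else None


def egress(port: Port, vlan: int, frame: bytes):
    """Send-side rules for an internally untagged frame of `vlan`; None if not sent here."""
    if port.link_type == "access":
        return frame if vlan == port.pvid else None   # access ports always send untagged
    if vlan not in port.allowed:
        return None
    # VRP trunk: the PVID VLAN leaves untagged (UT), every other VLAN leaves tagged (TG)
    return frame if vlan == port.pvid else add_tag(frame, vlan)


def build_frame(dst: bytes, src: bytes, vid=None, payload=b"\x00" * 46) -> bytes:
    """Constructed IPv4 frame (EtherType 0x0800) used as sample input."""
    frame = dst + src + struct.pack("!H", 0x0800) + payload
    return add_tag(frame, vid) if vid is not None else frame


BCAST = b"\xff" * 6
PC1 = bytes.fromhex("020000000001")   # constructed, locally administered MAC


def demo():
    """Walk sample frames through an access port in VLAN 10 and a trunk port."""
    access10 = Port("GE0/0/1", "access", pvid=10)
    trunk = Port("GE0/0/24", "trunk", pvid=1, allowed={1, 10, 30})
    untagged = build_frame(BCAST, PC1)
    return {
        "access_untagged": ingress(access10, untagged),                   # (10, frame)
        "trunk_tag30": ingress(trunk, build_frame(BCAST, PC1, vid=30)),   # (30, frame)
        "trunk_tag99": ingress(trunk, build_frame(BCAST, PC1, vid=99)),   # None: VLAN 99 not allowed
        "trunk_untagged": ingress(trunk, untagged),                       # (1, frame): PVID applied
        "trunk_out_30": parse_tag(egress(trunk, 30, untagged)),           # (30, True): leaves tagged
        "trunk_out_1": parse_tag(egress(trunk, 1, untagged)),             # (None, False): PVID leaves untagged
        "access_out_30": egress(access10, 30, untagged),                  # None: not this port's VLAN
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result if not (isinstance(result, tuple) and isinstance(result[1], bytes)) else result[0])
```

`ingress` returns the frame with the tag removed because a switch carries the VLAN as metadata internally and re-applies a tag only where `egress` decides the outgoing port needs one.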
Understanding how tags are handled on access and trunk links (above) is what lets us troubleshoot a switched network. On each switch along the path the data is forwarded, use the following commands in turn:

1. When the switch receives a data frame, view:
display port vlan --> to determine the PVID of the ingress port of the data frame
2. View the MAC address table of the VLAN identified by the PVID of the ingress port:
display mac-address vlan {pvid}
# If the MAC address table of that VLAN contains a matching MAC address entry, the data frame is sent out of the corresponding port.
# If the MAC address table of that VLAN contains no matching MAC address entry, proceed to step 3.
3. Further determine the "egress port of the data frame" with:
display vlan [pvid] --> first check the "egress ports" corresponding to the VLAN, and at the same time confirm the tag action applied when the data leaves each port:
UT - untagged
TG - tagged
The value of the label is, in fact, the PVID.
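As an added example that is not part of the original article, the following Python model replays the three-step lookup above on the lab topology described later in this article (SW1 with PC-1/PC-2 in VLAN 10, PC-3 in VLAN 30 and a trunk to SW2 on gi0/0/24): step 1 resolves the PVID of the ingress port, step 2 consults the MAC table of that VLAN only, and step 3 falls back to the VLAN's egress ports with their UT/TG action. The MAC addresses and the `Switch` class are constructed for the example.

```python
# Added example (not from the original article): forwarding decision of a
# VLAN-aware switch, following the three troubleshooting steps in the text.
from dataclasses import dataclass, field


@dataclass
class Port:
    link_type: str          # "access" or "trunk"
    pvid: int = 1
    allowed: set = field(default_factory=lambda: {1})   # used for trunks only


class Switch:
    def __init__(self, name):
        self.name = name
        self.ports = {}
        # (vlan, mac) -> port: what "display mac-address vlan N" lists for one VLAN
        self.mac_table = {}

    def add_port(self, name, link_type, pvid=1, allowed=None):
        self.ports[name] = Port(link_type, pvid, allowed or {pvid})

    def port_vlan(self, name):
        """Step 1: the PVID of a port, as shown by `display port vlan`."""
        return self.ports[name].pvid

    def vlan_members(self, vlan):
        """Step 3: the egress ports of a VLAN and the tag action applied on the way out,
        as listed by `display vlan`: UT = untagged, TG = tagged."""
        members = {}
        for name, p in self.ports.items():
            if p.link_type == "access" and p.pvid == vlan:
                members[name] = "UT"
            elif p.link_type == "trunk" and vlan in p.allowed:
                members[name] = "UT" if p.pvid == vlan else "TG"
        return members

    def forward(self, in_port, src_mac, dst_mac, tag=None):
        """Return {egress_port: tag_action} for a frame arriving on in_port.
        `tag` is the VLAN ID carried in an 802.1Q tag, or None for an untagged frame."""
        p = self.ports[in_port]
        # step 1: untagged frames belong to the PVID of the ingress port
        vlan = p.pvid if tag is None else tag
        if tag is not None and (p.link_type == "access" and tag != p.pvid
                                or p.link_type == "trunk" and tag not in p.allowed):
            return {}                                   # discarded on ingress
        self.mac_table[(vlan, src_mac)] = in_port       # source learning is per VLAN
        members = self.vlan_members(vlan)
        # step 2: look the destination up in the MAC table of this VLAN only
        out = self.mac_table.get((vlan, dst_mac))
        if out is not None and out != in_port:
            return {out: members[out]}
        # step 3: no entry -> flood to every port of the VLAN except the ingress port
        return {n: a for n, a in members.items() if n != in_port}


def build_sw1():
    """SW1 from the lab: PC-1/PC-2 in VLAN 10, PC-3 in VLAN 30, trunk to SW2 on gi0/0/24."""
    sw = Switch("SW1")
    sw.add_port("gi0/0/1", "access", pvid=10)
    sw.add_port("gi0/0/2", "access", pvid=10)
    sw.add_port("gi0/0/3", "access", pvid=30)
    # "port trunk allow-pass vlan all", modelled as the VLANs that exist in the lab
    sw.add_port("gi0/0/24", "trunk", pvid=1, allowed={1, 10, 30})
    return sw


# constructed MAC addresses for the lab PCs, in VRP's dotted notation
PC1, PC2, PC3 = "0200-0000-0001", "0200-0000-0002", "0200-0000-0003"
BCAST = "ffff-ffff-ffff"


def demo():
    sw = build_sw1()
    r = {}
    r["arp_from_pc1"] = sw.forward("gi0/0/1", PC1, BCAST)   # flood VLAN 10: gi0/0/2 UT, gi0/0/24 TG
    r["pc3_to_pc1"] = sw.forward("gi0/0/3", PC3, PC1)       # VLAN 30 table has no PC1: flood VLAN 30 only
    sw.forward("gi0/0/2", PC2, PC1)                          # PC-2 replies, SW1 learns PC2 in VLAN 10
    r["pc1_to_pc2"] = sw.forward("gi0/0/1", PC1, PC2)       # known unicast: {gi0/0/2: UT}
    r["bad_tag"] = sw.forward("gi0/0/24", PC2, PC1, tag=99)  # VLAN 99 not allowed on the trunk: {}
    return r


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The `pc3_to_pc1` case is the one worth noticing: PC-1's MAC address is in the switch's table, but under VLAN 10, so a lookup in VLAN 30 finds nothing and the frame is flooded only to VLAN 30 members. That is exactly why step 2 says to display the MAC table for the VLAN of the PVID rather than the whole table.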
Here is a set of experiments to verify it.

Lab name: interworking between hosts in the same VLAN
Lab requirements:
PC-1/PC-2/PC-5 belong to VLAN 10, IP address 192.168.10.X (X is the PC number).
PC-3/PC-4 belong to VLAN 30, IP address 192.168.30.X (X is the PC number).
Hosts within the same VLAN verify connectivity with ping.

The steps of the experiment:
1. Configure the end hosts
PC-1: 192.168.10.1/24
PC-2: 192.168.10.2/24
PC-5: 192.168.10.5/24 (VLAN 10, as required above)
PC-3: 192.168.30.3/24
PC-4: 192.168.30.4/24
2. Configure the network devices
# Create the VLANs and verify the VLAN information
SW1:
[SW1] vlan 10 --> create VLAN 10
[SW1-vlan10] quit
[SW1] vlan 30 --> create VLAN 30
[SW1-vlan30] quit
[SW1] display vlan --> view VLAN 10 and 30 created on the switch
SW2:
[SW2] vlan 10
[SW2-vlan10] quit
[SW2] vlan 30
[SW2-vlan30] quit
[SW2] display vlan --> view VLAN 10 and 30 created on the switch
# Configure the ports connected to the PCs as Access and place each in its VLAN
SW1:
[SW1] interface gi0/0/1 --> this port is connected to PC-1
[SW1-GigabitEthernet0/0/1] port link-type access --> set the port mode to access
[SW1-GigabitEthernet0/0/1] port default vlan 10 --> the port belongs to vlan 10
[SW1-GigabitEthernet0/0/1] interface gi0/0/2 --> this port is connected to PC-2
[SW1-GigabitEthernet0/0/2] port link-type access --> set the port mode to access
[SW1-GigabitEthernet0/0/2] port default vlan 10 --> the port belongs to vlan 10
[SW1-GigabitEthernet0/0/2] interface gi0/0/3 --> this port is connected to PC-3
[SW1-GigabitEthernet0/0/3] port link-type access --> set the port mode to access
[SW1-GigabitEthernet0/0/3] port default vlan 30 --> the port belongs to vlan 30
SW2:
[SW2] interface gi0/0/4 --> this port is connected to PC-4
[SW2-GigabitEthernet0/0/4] port link-type access --> set the port mode to access
[SW2-GigabitEthernet0/0/4] port default vlan 30 --> the port belongs to vlan 30
[SW2-GigabitEthernet0/0/4] interface gi0/0/5 --> this port is connected to PC-5
[SW2-GigabitEthernet0/0/5] port link-type access --> set the port mode to access
[SW2-GigabitEthernet0/0/5] port default vlan 10 --> the port belongs to vlan 10
Verify the VLAN membership of the ports:
[SW1] display vlan --> view the ports associated with each VLAN
[SW2] display vlan --> view the ports associated with each VLAN
# Configure the interconnection link between the switches as Trunk and allow all VLANs to pass
SW1:
[SW1] interface gi0/0/24 --> connects to SW2
[SW1-GigabitEthernet0/0/24] port link-type trunk --> set the port to trunk mode
[SW1-GigabitEthernet0/0/24] port trunk allow-pass vlan all --> allow all VLANs on the port
SW2:
[SW2] interface gi0/0/24 --> connects to SW1
[SW2-GigabitEthernet0/0/24] port link-type trunk --> set the port to trunk mode
[SW2-GigabitEthernet0/0/24] port trunk allow-pass vlan all --> allow all VLANs on the port
Verify the Trunk mode of the link and the VLANs allowed on the Trunk port:
[SW1] display port vlan --> view the port mode and the allowed VLANs
[SW2] display port vlan --> view the port mode and the allowed VLANs
Trunk: the "main road"

To save interconnection links between switch devices, Trunk technology was developed; it greatly reduces the number of interconnection ports needed between devices. Why? Because a Trunk is a link / port that can transmit data from multiple VLANs simultaneously. It is generally applied to the interconnection link between switch and switch.

Configuration commands:
[SW1] interface gi0/0/24
[SW1-GigabitEthernet0/0/24] port link-type trunk --> configure the port in Trunk mode
[SW1-GigabitEthernet0/0/24] port trunk allow-pass vlan all --> allow all VLANs to pass through this port
By default, only VLAN 1 is allowed.
If a command was entered by mistake, it can also be deleted (undo).
Delete a VLAN:
[SW1] undo vlan 10 --> after VLAN 10 is deleted, the ports that belonged to vlan 10 automatically return to vlan 1

Change a port from access to hybrid:
1. First delete the VLAN assignment command (port default vlan) on the port.
2. Then modify the link-type of the port directly.

Change a port from trunk to access:
1. First delete the allow-pass configuration on the trunk port: undo port trunk allow-pass vlan all
2. Then configure the port to allow only VLAN 1 to pass: port trunk allow-pass vlan 1
3. Finally, modify the link-type of the port directly.

Note:
"port trunk allow-pass vlan x" commands issued one after another on the same trunk port are cumulative: each one adds to the allowed list rather than replacing the previous command.
For security reasons, in the enterprise we recommend that Trunk links between switches allow only "those VLANs that actually exist in the enterprise".
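The two notes above translate directly into a configuration check. The following Python script is an added example and is not part of the original article: it parses a VRP-style configuration text, replays `port trunk allow-pass vlan ...` commands cumulatively (and `undo ... vlan all` as an empty list, matching the trunk-to-access procedure above), and then reports trunk ports that allow `vlan all` or that allow VLAN IDs not defined on the switch. The `vlan batch`, `port trunk pvid vlan` and `10 to 20` range syntax are standard VRP forms; the sample configuration is constructed.

```python
# Added example (not from the original article): audit trunk allow-pass lists
# in a VRP-style configuration. The configuration text is constructed.


def expand_vlans(tokens):
    """Turn the VLAN list syntax '10 30' or '10 to 20' into a set of IDs."""
    ids, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            ids.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            ids.add(int(tokens[i]))
            i += 1
    return ids


def parse_config(text):
    """Return (defined_vlans, trunks); trunks maps port -> {'pvid', 'allowed'}.
    'allowed' is a set of VLAN IDs or the string 'all'."""
    defined, trunks, cur = {1}, {}, None            # VLAN 1 always exists
    for raw in text.splitlines():
        t = raw.strip().split()
        if not t or t[0] == "#":
            continue
        if t[0] == "vlan":                          # "vlan 10" or "vlan batch 10 30"
            defined |= expand_vlans(t[2:] if t[1] == "batch" else t[1:2])
        elif t[0] == "interface":
            cur = t[1]
        elif t[:3] == ["port", "link-type", "trunk"]:
            trunks[cur] = {"pvid": 1, "allowed": {1}}   # VRP defaults: PVID 1, only VLAN 1 allowed
        elif cur not in trunks:
            continue                                # the remaining commands only matter on trunks
        elif t[:3] == ["port", "trunk", "pvid"]:    # "port trunk pvid vlan N"
            trunks[cur]["pvid"] = int(t[4])
        elif t[:4] == ["port", "trunk", "allow-pass", "vlan"]:
            if t[4] == "all":
                trunks[cur]["allowed"] = "all"
            elif trunks[cur]["allowed"] != "all":
                trunks[cur]["allowed"] |= expand_vlans(t[4:])   # commands accumulate, they do not replace
        elif t[:5] == ["undo", "port", "trunk", "allow-pass", "vlan"]:
            if t[5] == "all":
                trunks[cur]["allowed"] = set()      # as in the trunk-to-access procedure above
            elif trunks[cur]["allowed"] != "all":
                trunks[cur]["allowed"] -= expand_vlans(t[5:])
    return defined, trunks


def audit(text):
    """Return one finding per trunk port: effective allowed set, undefined VLANs, warnings."""
    defined, trunks = parse_config(text)
    findings = {}
    for port, cfg in trunks.items():
        warnings, undefined = [], set()
        if cfg["allowed"] == "all":
            warnings.append("allows vlan all: restrict the trunk to the VLANs that exist")
        else:
            undefined = cfg["allowed"] - defined
            if undefined:
                warnings.append("allows VLANs not defined on this switch: %s" % sorted(undefined))
        findings[port] = {"allowed": cfg["allowed"], "undefined": undefined, "warnings": warnings}
    return findings


# constructed sample: one trunk with "vlan all", one with an undefined VLAN 40
SAMPLE_CONFIG = """\
#
vlan batch 10 30
#
interface GigabitEthernet0/0/24
 port link-type trunk
 port trunk allow-pass vlan all
#
interface GigabitEthernet0/0/23
 port link-type trunk
 port trunk allow-pass vlan 10 30
 port trunk allow-pass vlan 40
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
#
"""

if __name__ == "__main__":
    for port, finding in audit(SAMPLE_CONFIG).items():
        print(port, finding["allowed"], *finding["warnings"])
```

Run against a `display current-configuration` capture, the report lists each trunk with its effective allowed set, so that an allow list that grew by accumulation (the second trunk above ends up with 1, 10, 30 and 40) is visible at a glance.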
Finally, an explanation of GVRP.

GVRP: Generic VLAN Registration Protocol. The function of this protocol is to synchronize VLAN information automatically between different switches.
Note:
To ensure interoperability of the entire switched network, all switches in the network must have "exactly the same VLAN database".
GVRP is off by default on Huawei devices. The protocol is a "public standard protocol".
[The protocol that implements the same function on Cisco is called VTP, which is Cisco proprietary.]
Configuration:
display gvrp status --> view the running status of GVRP on the current switch
1. Enable GVRP in system view:
[SW1] gvrp --> enable the GVRP function for the entire device
2. Enable GVRP on the interconnection between switches, that is, on the Trunk port, so that the port can send and receive GVRP messages normally:
[SW1] interface gi0/0/24
[SW1-GigabitEthernet0/0/24] gvrp --> enable the GVRP function on the port
Note:
The gvrp command must be configured on a Trunk link. On any other type of link the command cannot be entered.