Shulou(Shulou.com)06/01 Report--

The emergence of VLAN (Virtual Local Area Network, virtual local area network) technology is mainly to solve the problem that the switch is unable to restrict broadcasting when the local area network is interconnected. This technology can divide a physical local area network into multiple virtual Lans-VLAN, each VLAN is a broadcast domain, and the communication between hosts in VLAN is the same as in a LAN, while hosts between VLAN can not communicate directly, so broadcast data frames are limited to one VLAN.

Brief introduction of VLAN Technology

Broadcast storm

After the emergence of switched Ethernet, different ports under the same switch are in different collision domains, and the efficiency of switched Ethernet is greatly increased. However, in switched Ethernet, because all the ports of the switch are in a broadcast domain, the broadcast frame sent by one computer can be received by all computers in the local area network. The limited network resources in the local area network are occupied by useless broadcast information.

In the figure above, broadcast frames sent by four end hosts are broadcast throughout the local area network. If the broadcast frame traffic for each host is 100kbps, the four hosts reach 400 kbps; if the link is 100Mbps bandwidth, the broadcast frame occupies 0.4% of the bandwidth. However, if the number of hosts in the network reaches 400, the broadcast traffic will reach 40Mbps, occupying 40% of the bandwidth. The network is full of broadcast streams, and the network bandwidth resources are greatly wasted. In addition, too much broadcast traffic will cause heavy CPU burden on network equipment and hosts, slow system response and even crash.

How to reduce the scope of broadcast domain and improve the performance of local area network is an urgent problem to be solved.

Use routers to isolate broadcasts

Each interface of the router is in a separate broadcast domain, and the broadcast frame sent by the end host is terminated at the interface. Therefore, the use of routers in the local area network can isolate broadcasts and reduce the broadcast range.

However, the price of the router is higher than that of the switch, and the use of the router increases the deployment cost of the LAN. In addition, most of the middle and low-end routers use software forwarding, the forwarding performance is not high, and it is easy to cause performance bottleneck in the network. Therefore, using routers to isolate broadcasts in the local area network is a high-cost and low-performance solution.

Isolate broadcasts with VLAN

The emergence of VLAN technology is to solve the problem that the switch is unable to restrict broadcasting when interconnecting the local area network. This technology can divide a LAN into multiple logical LAN-VLAN, and each VLAN is a broadcast domain. Devices between different VLAN can not directly communicate with each other, but can only communicate with each other through three-layer devices such as routers. In this way, the broadcast data frame is limited to one VLAN.

At present, most Ethernet switches can support VLAN. Using VLAN to reduce the scope of broadcast domain and reduce the broadcast traffic within LAN is an efficient and low-cost solution.

Advantages of VLAN

The division of VLAN is not limited by physical location. Hosts that are not in the same physical location range can belong to the same VLAN: a VLAN contains users who can be connected to the same switch, across switches, or even routers.

The advantages of VLAN technology are as follows:

Effectively control the scope of the broadcast domain: the broadcast domain is limited to one VLAN, and the broadcast traffic is only propagated in the VLAN, which saves bandwidth and improves the network processing capacity.

Enhance the security of the local area network: messages in different VLAN are isolated from each other during transmission, that is, users in one VLAN cannot communicate directly with users in other VLAN. If different VLAN want to communicate, they need to communicate through devices such as routers or layer 3 switches.

Flexible construction of virtual workgroups: different users can be divided into different workgroups with VLAN, and users of the same workgroup do not have to be limited to a fixed physical scope, so network construction and maintenance are more convenient and flexible.

VLAN Typ

Port-based VLAN

Port-based VLAN is the simplest and most efficient method of VLAN partition, which defines VLAN members by port. After the designated port is added to the specified VLAN, the port can forward the data frames of the specified VLAN.

In the figure above, the switch ports E1Accord 0Accord 1 and E1Accord 0Accord 2 are divided into VLAN10, while the ports E1UniAccord 3 and E1Accord 0Accord 4 are divided into VLAN20, then PCA and PCB are in VLAN10 and can be interconnected; PCC and PCD are in VLAN20 and can be interoperable. But PCA and PCC are in different VLAN, so they can't communicate with each other.

VLAN based on MAC address

This method of dividing VLAN is based on the MAC address of each host. The switch maintains a VLAN mapping table that records the correspondence between MAC addresses and VLAN. The biggest advantage of this method of dividing VLAN is that when the physical location of the user moves, that is, when switching from one switch to another, the VLAN does not need to be reconfigured, so it can be considered that this method of dividing according to the MAC address is based on the user's VLAN.

The disadvantage of this method is that during the initial configuration, the MAC addresses of all users need to be collected and configured one by one, and if there are many users, the configuration workload is very large. In addition, this partition method also leads to a reduction in the efficiency of the switch, because there may be many members of the VLAN group on the port of each switch, so broadcast frames cannot be restricted.

Protocol-based VLAN

Protocol-based VLAN allocates different VLAN ID to messages according to the type of protocol (family) that the message received by the port belongs to. The protocol families that can be used to divide VLAN are IP and IPX.

After the switch receives the Ethernet frame from the port, it determines the VLAN to which the message belongs according to the type of protocol encapsulated in the frame, and then automatically divides the data frame into the specified VLAN for transmission.

This feature is mainly used to bind the protocol types provided in the network to VLAN for easy management and maintenance.

Subnet-based VLAN

The VLAN based on IP subnet is divided according to the message source IP address and subnet mask. After receiving the message from the port, the device finds the corresponding relationship with the existing IP according to the source VLAN address in the message, and then automatically divides it into the designated VLAN for forwarding.

This feature is mainly used to transmit data from a specific network segment or IP address in a specified VLAN.

Principle of VLAN technology

VLAN tag

We know that Ethernet switches forward data frames according to the MAC address table. The MAC address table contains the mapping between the port and the MAC address of the end host to which the port is connected. After the switch receives the Ethernet frame from the port, it looks at the MAC address table to decide which port to forward out. If the port receives a broadcast frame, the switch forwards the broadcast frame out all ports except the source port.

In VLAN, to mark the VLAN in which an Ethernet frame can be propagated by attaching a Tag to the Ethernet frame. In this way, when forwarding a data frame, the switch not only looks up the MAC address to determine which port to forward to, but also checks whether the VLAN label on the port matches.

In the figure above, the switch appends the VLAN10 tag to the Ethernet sent by the hosts PCA and PCB, the VLAN20 tag to the Ethernet frame sent by PCC and PCD, and adds a record of the VLAN tag to the MAC address table. In this way, when the switch performs a MAC address table lookup and forwarding operation, it checks to see if the VLAN identity matches; if not, the switch does not forward out the port. This is equivalent to using VLAN tags to distinguish the entries in the MAC address table, and only ports with the same VLAN tag can forward data frames to each other.

IEEE defines the format of tags attached to Ethernet frames in 802.1Q.

802.1Q frame format

After adding 4 bytes of 802.1Q tag to the traditional Ethernet frame, it becomes the frame with VLAN tag (Tagged Frame). Traditional data frames that do not carry 802.1Q tags are called untagged frames (untagged Frame).

The 802.1Q tag header contains 2 bytes of label protocol identification (TPID) and 2 bytes of label control information (TCI).

TPID (Tag Protocol Indentifer) is a new type defined by IEEE, indicating that this is a frame that encapsulates an 802.1Q tag. TPID contains a fixed value 0x8100.

TCI (Tag control Information) contains frame control information, which contains the following elements:

Priority: these three bits indicate the priority of the data frame. There are eight priorities, 0-7.

CFI (Canonical Fromat Indicator): a CFI value of 0 indicates a canonical format and 1 is a non-canonical format.

It is used in the token ring / source routing FDDI media access method to encapsulate the bit order information of the address in the frame.

VLAN ID (VLAN Identifier): a total of 12 bits, indicating the number of the VLAN. There are 4096 VLAN numbers, and each data frame sent by a switch that supports 802.1Q contains this domain to indicate which VLAN it belongs to.

Single switch VLAN label operation

The switch determines which VLAN the data frame belongs to based on the label in the data frame, so where does the label come from? The VLAN tag is added by the switch port when the data frame enters the switch. The advantage of this is that the VLAN is transparent to the end host, and the end host does not need to know how the VLAN is divided in the network, nor does it need to identify Ethernet frames with 802.1Q tags, and the switch is responsible for all related matters.

When the Ethernet frame sent by the end host arrives at the switch port, the switch checks the VLAN to which the port belongs and then tags the frame entering the port with the appropriate 802.1Q tag. The VLAN to which the port belongs is called the port default VLAN, also known as PVID (Port VLAN ID).

Similarly, to keep the VLAN technology transparent to the host, the switch is responsible for stripping the 802.1Q tag of the Ethernet frame out of the port.

Access link type port

This port that only allows Ethernet frames of the default VLAN to pass through is called an Access link type port. The Access port is tagged with VLAN after receiving the Ethernet frame, and strips off the VLAN tag when forwarding out the port, which is transparent to the end host, so it is usually used to connect devices that do not need to identify 802.1Q protocol, such as end hosts, routers and so on.

Operation of VLAN tags across switches

The very important function of VLAN technology is to build virtual workgroups in the network, dividing different users to different workgroups, and the users of the same workgroup do not have to be limited to a fixed physical scope. Virtual workgroups can be implemented by implementing VLAN across switches in the network.

When VLAN spans a switch, Ethernet data frames that need to be passed between switches are tagged with 802.1Q. In this way, the VLAN information to which the data frame belongs will not be lost.

In the figure above, the data frames emitted by PCA and PCB are tagged with VLAN10 and VLAN20, respectively. The port E1UniUniBand24 of SWA is responsible for forwarding these 802.1Q tagged data frames without stripping the tags.

Trunk link type port

A port that allows multiple VLAN frames to pass through is called a Trunk link type port. The Trunk port can receive and send multiple VLAN data frames and does not do anything to the tags in the frames during the receiving and sending process.

However, the default VLAN frame is an exception. When sending a frame, the Trunk port strips the label in the default VLAN frame; similarly, when the switch receives an untagged frame from the Trunk port, it is labeled with the default VLAN.

Trunk ports are typically used to interconnect switches.

The figure shows the label operation process from PCA to PCC and PCB to PCD. PCA sends out an Ethernet frame and arrives at port E1 VLAN 0 of SWA, so the Ethernet frame is tagged with VLAN10; when port E1 is labeled with Trunk, the frame of VLAN10 tag is sent to SWB;SWB from the port and knows that it belongs to VLAN10 from the label in the frame, then it is forwarded to port E1UniUnix1, and after stripping the tag, it arrives at PCC. The frame sent by PCB is tagged with VLAN20 on E1Placer 2 port; the Trunk port and the default VLAN is 20 when E1Unipedia 24 port, so the data frame is stripped and forwarded; when the untagged data frame arrives at SWB's E1Compact 24 port, the port labels it with VLAN20 and forwards it to PCD after it is stripped off the label.

Hybrid link type port

In addition to Access link type and Trunk link type ports, the switch supports a third link type port, called Hybrid link type port. The Hybrid port can receive and send multiple VLAN data frames, and can also specify any VLAN frame to be stripped and tagged.

When most hosts in the network need to be isolated, but these isolated hosts need to communicate with another, the Hybrid port can be used.

In the figure above, the Ethernet frame sent by PCA is labeled VLAN10 when it enters the port. When it arrives at the port connected to PCC, the port strips off the label in the data frame according to the setting (Untag:10,20,30) and sends it to PCC, so PCA and PCC can communicate; similarly, PCB can also communicate with PCC. However, when the Ethernet frame sent by PCA arrives at the port connected to PCB, the port setting (Untag:20,30) indicates that only the data frame of VLAN20 and VLAN30 is forwarded and stripped of the label, but the frame of VLAN10 is not allowed to pass through, so PCA and PCB cannot be interconnected.

Basic configuration of VLAN

By default, the switch has only VLAN1, and all ports belong to VLAN1 and are Access link type ports. The basic steps for VLAN configuration are as follows.

Step 1: create a VLAN under the system view and enter the VLAN view. The configuration command is:

Vlan vlan-id

Step 2: add the designated port to the VLAN in the VLAN view. The configuration command is:

Port interface-list

Configure Trunk Port

The Trunk port allows multiple VLAN data frames to pass through, and is usually used to interconnect switches. The steps to configure a port to become a Trunk port are as follows.

Step 1: under the Ethernet port view, specify the port link type as Trunk. The configuration command is:

Port link-type trunk

Step 2: by default, the Trunk port only allows data frames of the default VLAN, VLAN1, to pass through. Therefore, you need to specify which VLAN frames can pass through the current Trunk port under the Ethernet port view. The configuration command is:

Port trunk permit vlan {vlan-id-list | all}

Step 3: if necessary, you can set the default VLAN for the Trunk port under the Ethernet port view. The configuration command is:

Port trunk pvid vlan vlan-id

Be careful

By default, the default VLAN for Trunk ports is VLAN1. The default VLAN can be modified according to the actual situation to ensure that the default VLAN of both switches is the same, otherwise hosts in the same VLAN will not be able to communicate across the switch.

Configure Hybrid Port

In some cases, the Hybrid port is required. The Hybrid port can also allow multiple VLAN frames to pass through, and you can also specify which VLAN data frames are stripped from the label. The steps to configure a port to become a Hybrid port are as follows.

Step 1: under the Ethernet port view, specify the port link type as Hybrid. The configuration command is:

Port link-type Hybrid

Step 2: by default, all Hybrid ports only allow VLAN1 to pass. Therefore, you need to specify which VLAN data frames can pass through the Hybrid port under the Ethernet port view, and specify whether to split the label. The configuration command is:

Port Hybrid vlan vlan-id-list {tagged | untagged}

Step 3: set the default VLAN for the Hybrid port under the Ethernet port view. The configuration command is:

Port Hybrid pvid vlan vlan-id

Be careful

The Trunk port cannot be set directly as the Hybrid port. Can only be set to Access port, and then set to Hybrid port.

VLAN configuration instance

The figure above is an example of a basic configuration of VLAN. In the figure, PCA and PCC belong to VLAN10,PCB and PCD belong to VLAN20, the switches are connected by a Trunk port, and the default VLAN of the port is VLAN1.

Configure SWA:

[SWA] vlan 10

[SWA-vlan10] port Ethernet1/0/1

[SWA] vlan 20

[SWA-vlan20] port Ethernet1/0/2

[SWA] interface Ethernet10/24

[SWA-Ethernet1/0/24] port link-type trunk

[SWA-Ethernet1/0/24] port trunk permit vlan 10 20

Configure SWB:

[SWB] vlan 10

[SWB-vlan10] port Ethernet1/0/1

[SWB] vlan 20

[SWB-vlan20] port Ethernet1/0/2

[SWB] interface Ethernet10/24

[SWB-Ethernet1/0/24] port link-type trunk

[SWB-Ethernet1/0/24] port trunk permit vlan 10 20

After configuration, PCA and PCC can be interconnected, PCB and PCD can be interconnected, but PCA and PCB,PCC and PCD cannot be interconnected.

VLAN display and maintenance

You can use the display vlan command in any view to view the VLAN currently enabled on the switch.

Display vlan

As you can see in the figure, there are VLAN1, VLAN2 and VLAN10 on the switch, and VALN1 is the default VLAN.

If you want to see the ports contained in a specific VLAN, you can use the display vlan vlan-id command.

Display vlan vlan-id

As you can see in the figure, the VLAN2 contains three ports, namely Ethernet1/0/1, Ethernet1/0/3, and Ethernet1/0/4, and the VLAN data frame needs to be stripped off the label when it leaves these ports.

If you want to see VLAN information for a specific port, you can use the display interface command.

Display interface interface-type interface-number

As you can see in the figure, the port link type of port Ethernet1/0/1 is Access, and the default VLAN (Pvid) is VLAN1. If it is a Trunk or Hybrid port, it also shows which VLAN frames carry the tag through and which VLAN frames need to be stripped.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.