Huawei equipment layer 2 switching Technology-- detailed explanation of Hybrid Interface

2025-01-15 Update From: SLTechnology News&Howtos shulou


Shulou(Shulou.com)06/01 Report--

In general, a company's internal network is used far more heavily than its external connection. The internal network is built on layer 2 switching, so the design of the layer 2 network directly affects the normal business of the company. A good design not only delivers the required functions but also copes with unforeseen hazards such as damaged links and failed equipment. Below we mainly look at Huawei layer 2 devices, but the first thing to understand about layer 2 devices (switches) is VLANs.

1. The basic concept of VLAN

In a traditional switched Ethernet, all users are in the same broadcast domain. When the network grows large, the number of broadcast packets increases sharply, and once broadcasts account for 30% of total traffic the efficiency of the network drops significantly. In particular, a faulty network device may keep sending broadcasts into the network, producing a broadcast storm that paralyses network communication. So how is this problem solved?

We can solve this problem by separating broadcast domains, which can be done in two ways:

Physical separation: physically divide the network into several small networks, then connect them with routing devices that isolate broadcasts so that the networks can communicate.

Logical separation: logically divide the network into several small virtual networks, namely VLANs. A VLAN works at the data link layer; each VLAN is a switched network in which all users are in the same broadcast domain, and different VLANs communicate through routing devices.

Physical separation has many disadvantages and makes the design of the local area network inflexible. For example, users connected to the same switch can only be placed in the same network, not in several different networks.

The emergence of VLANs adds flexibility to local area network design, so that the network administrator is no longer limited by the users' geographical location when dividing workgroups. A VLAN can be implemented on one switch or span several switches, and users can be grouped by location, role or department, as shown in the figure:

VLANs are flexible and scalable, and using VLAN technology brings the following benefits:

(1) Control broadcasts:

Each VLAN is an independent broadcast domain, which reduces the bandwidth consumed by broadcasts and improves transmission efficiency; a broadcast storm inside one VLAN does not affect other VLANs.

(2) Enhance network security:

Because data can only be exchanged between ports within the same VLAN and there is no direct access between ports in different VLANs, VLANs can restrict individual hosts from accessing resources such as servers. Dividing the network into VLANs therefore improves its security.

(3) Simplify network management:

In a switched Ethernet, moving some users to a different network segment requires the network administrator to re-adjust the physical structure of the network, and sometimes to add network equipment, which increases the management workload. In a network using VLAN technology, users in different geographical locations can be placed in one logical segment according to department function or application group, and workstations can be moved between workgroups or subnets without changing the physical connections. VLAN technology thus greatly reduces the burden and cost of network management and maintenance.

Depending on how VLANs are assigned and managed, there are two types of VLAN:

(1) Static VLAN

A static VLAN, also known as a port-based VLAN, is the most common VLAN implementation.

A static VLAN specifies which VLAN each switch port belongs to, and this must be configured manually by the network administrator. When a user host connects to a switch port, it is placed in the corresponding VLAN.

(2) Dynamic VLAN

There are many ways to implement dynamic VLANs; the most common is the MAC-address-based dynamic VLAN.

A MAC-address-based dynamic VLAN assigns a host to the corresponding VLAN automatically according to its MAC address. The advantage of this method is that when the user's physical location changes, the VLAN does not need to be reassigned. The disadvantage is that every user must be configured during initialization, which is a very onerous task!

The scope of VLAN, as shown in the figure:

VLAN frame encapsulation is also involved, but it is not described in detail here!

2. The characteristics of the Hybrid interface

According to the VLAN encapsulation type of the interface, Huawei switches have three main interface modes: Access, Trunk and Hybrid. Access and Trunk interfaces are no different from their Cisco counterparts; the Hybrid interface is an interface mode unique to Huawei equipment. Like a Trunk interface, a Hybrid interface allows traffic from multiple VLANs to pass through with tags; the difference is that a Hybrid interface also allows frames from multiple VLANs to be sent without tags. This article mainly introduces the Hybrid interface of Huawei switches!

As an interface type unique to Huawei switches, the Hybrid interface has the following main features:

Huawei switch interfaces default to Hybrid mode. A Hybrid interface can perform the function of an Access interface as well as that of a Trunk interface. It can implement cross-VLAN communication and access control without the help of a layer 3 device. It offers greater flexibility and control than Access and Trunk interfaces.

The functions of the Hybrid interface are mainly reflected in:

Traffic isolation: the Hybrid interface itself has powerful access control capabilities; through interface configuration, traffic within the same VLAN or between different VLANs can be isolated.

Traffic interoperability: the Hybrid interface enables communication between different VLANs at layer 2.

Note: a layer 2 solution is always better than a layer 3 solution, because the layer 2 solution is more efficient. In fact, the higher the layer involved, the lower the efficiency!

3. The working principle of the Hybrid interface

The Hybrid interface can flexibly control whether VLAN tags are added to or removed from data frames on an interface. For example, when the device at the other end of the interface is a switch, you can configure the interface so that frames of some VLANs pass through with their VLAN tags while frames of other VLANs pass through without tags. When the device at the other end is a host, you can configure the interface so that frames sent out of it carry no VLAN tag at all.

The operation of the Hybrid interface involves three properties of the interface:

Untag list: takes effect only when the interface sends data frames. If the VLAN tag of the frame to be sent is in the interface's untag list, the tag is removed before the frame is sent.

Tag list: takes effect both when receiving tagged frames and when sending frames, and works like a list of permitted VLAN IDs. When the interface receives a tagged frame, the tag list acts as the list of permitted VLANs, and frames whose VLAN is not in the list are discarded; when the interface sends a frame whose VLAN tag is in the tag list, the tag is kept and the frame is sent, otherwise the frame is discarded.

PVID: the default PVID of an interface is VLAN 1. PVID takes effect only when an untagged frame is received: the frame is tagged with the interface's current PVID.

Functionally, the untag list and PVID of the Hybrid interface implement the Access behaviour, while the tag list implements the Trunk behaviour. But that is not all: the Hybrid interface is more flexible than Access and Trunk interfaces and can be applied to a wide variety of scenarios.

(1) 802.1Q encapsulation according to PVID

When the network is isolated by VLANs, traffic can be divided into two types:

Tagged traffic, that is, data frames carrying an 802.1Q tag; and untagged traffic, that is, original Ethernet frames.

How PVID works: typically, the traffic sent and received by end devices is untagged. When a switch receives tagged traffic, it identifies the VLAN ID from the 802.1Q tag; when it receives untagged traffic, it encapsulates the traffic in 802.1Q using the interface's PVID.

In Huawei devices, each type of interface has a default PVID, as shown in the figure:

All traffic entering the switch must be tagged. If the traffic entering the switch already carries a VLAN tag, the switch identifies its VLAN from that tag; if it is untagged, it is tagged with the PVID of the interface it enters through. The purpose of tagging is to support subsequent forwarding.

The schematic diagram of a data frame being tagged with the PVID as it enters the switch is as follows:
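As an added illustration (not from the original article), the following Python code parses the 802.1Q header of a raw Ethernet frame and applies the PVID rule just described: a tagged frame keeps its own VLAN ID, while an untagged frame is encapsulated with the interface's PVID. The sample frame, including its source MAC address, is constructed for the example.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag

def parse_frame(frame):
    """Split an Ethernet frame into (dst, src, vlan_id or None, ethertype, payload).

    An 802.1Q tag, if present, sits right after the source MAC: a 16-bit TPID
    (0x8100) followed by a 16-bit TCI whose low 12 bits are the VLAN ID.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return dst, src, None, ethertype, frame[14:]       # untagged frame
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, inner_type, frame[18:]  # tagged frame

def classify_ingress(frame, pvid):
    """Model the PVID rule on ingress.

    A tagged frame keeps its own VLAN ID; an untagged frame is encapsulated with
    the port's PVID. Returns (vlan_id, frame as it exists inside the switch).
    """
    if not 1 <= pvid <= 4094:
        raise ValueError("PVID must be a valid VLAN ID (1-4094)")
    dst, src, vid, ethertype, payload = parse_frame(frame)
    if vid is not None:
        return vid, frame
    tag = struct.pack("!HH", TPID_8021Q, pvid)   # PCP=0, DEI=0, VID=pvid
    return pvid, dst + src + tag + struct.pack("!H", ethertype) + payload

# Constructed sample (not a real capture): an untagged broadcast ARP request from a host.
UNTAGGED_ARP = bytes.fromhex("ffffffffffff" "5489981a2b3c" "0806") + bytes(28)
```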

(2) Forwarding according to the untag list and tag list

The Hybrid interface of a switch receives and sends data based on the untag list and tag list, and works as follows:

Each Hybrid interface has an untag list by default, which contains one or more VLAN IDs; the default is VLAN 1. Each interface also has a tag list, which is empty by default and can be set to contain one or more VLAN IDs.

After receiving a data frame, the Hybrid interface first checks whether the frame carries a tag. If it does, the interface checks its tag list: if the VLAN ID encapsulated in the frame is in the tag list the frame is accepted, otherwise it is discarded. If the frame carries no tag, it is tagged according to the PVID of the Hybrid interface.

Before sending a data frame, the interface checks its untag list and tag list. If the VLAN ID encapsulated in the frame is in the untag list, the 802.1Q encapsulation is removed and the original frame is sent; if it is in the tag list, the 802.1Q encapsulation is kept and the tagged frame is sent. If the VLAN ID is in neither list, the frame is not sent.

The role of untag list when sending data, as shown in the figure:

The role of tag list when sending data, as shown in the figure:

The basic principle of sending data frames through a Hybrid interface, with the corresponding processing flow chart, is as follows:

Both Hybrid and Trunk interfaces can tag frames of different VLANs and carry traffic from multiple VLANs. However, a Hybrid interface allows frames from multiple different VLANs to be sent untagged, whereas a Trunk interface only allows frames from the default VLAN to be sent untagged.

The three interface types can coexist on an Ethernet switch, but an interface cannot be switched directly between Trunk and Hybrid: it must first be set to Access and then to the other type.

4. The application scenario of the Hybrid interface

The Hybrid interface sends and receives data based on three attributes; having understood its working principle, we now analyze its working process in a practical case. By configuring Hybrid interfaces, the following requirements are met:

PC1 and PC2 can access each other, and apart from that can only access PC4; PC3 cannot communicate with PC1 or PC2, and can only access PC5.

The experimental diagram is as follows:

When you see the experimental requirements and topology diagram, first plan which VLANs should be placed in the untag list and tag list of each interface to achieve the required function!

If you understand how the PVID, untag list and tag list work, you can decide which VLANs to put in the untag list and tag list. The following is one of the ways to do it.

Note: in general, the default PVID of an interface is 1 and the default untag list contains VLAN 1. If you set a different PVID on an interface, be sure to put that VLAN in the tag list or the untag list as well, otherwise the interface will not be able to communicate.

(1) Hybrid configuration

1. Configure the IP addresses of the end devices

Omitted!

2. Create VLAN2, VLAN3 and VLAN10 on switches S1 and S2 respectively

[S1] vlan batch 2 3 10
[S2] vlan batch 2 3 10

3. Configure the Hybrid interfaces on switches S1 and S2

The S1 switch is configured as follows:

[S1] int g0/0/2
[S1-GigabitEthernet0/0/2] port link-type hybrid          // set the interface mode to Hybrid (Hybrid is already the default)
[S1-GigabitEthernet0/0/2] port hybrid pvid vlan 1         // PVID is 1 (also the default)
[S1-GigabitEthernet0/0/2] port hybrid untagged vlan 1 2   // add VLAN1 and VLAN2 to the untag list
[S1-GigabitEthernet0/0/2] int g0/0/3
[S1-GigabitEthernet0/0/3] port link-type hybrid
[S1-GigabitEthernet0/0/3] port hybrid pvid vlan 1
[S1-GigabitEthernet0/0/3] port hybrid untagged vlan 1 2
[S1-GigabitEthernet0/0/3] int g0/0/4
[S1-GigabitEthernet0/0/4] port link-type hybrid
[S1-GigabitEthernet0/0/4] port hybrid pvid vlan 10
[S1-GigabitEthernet0/0/4] port hybrid untagged vlan 3 10
[S1-GigabitEthernet0/0/4] int g0/0/1
[S1-GigabitEthernet0/0/1] port link-type hybrid
[S1-GigabitEthernet0/0/1] port hybrid pvid vlan 1
[S1-GigabitEthernet0/0/1] port hybrid untagged vlan 1 2
[S1-GigabitEthernet0/0/1] port hybrid tagged vlan 3 10    // add VLAN3 and VLAN10 to the tag list

The S2 switch is configured as follows:

[S2-GigabitEthernet0/0/3] int g0/0/1
[S2-GigabitEthernet0/0/1] port link-type hybrid
[S2-GigabitEthernet0/0/1] port hybrid pvid vlan 1
[S2-GigabitEthernet0/0/1] port hybrid untagged vlan 1 2
[S2-GigabitEthernet0/0/1] port hybrid tagged vlan 3 10
[S2] int g0/0/2
[S2-GigabitEthernet0/0/2] port link-type hybrid
[S2-GigabitEthernet0/0/2] port hybrid pvid vlan 2
[S2-GigabitEthernet0/0/2] port hybrid untagged vlan 1 2
[S2-GigabitEthernet0/0/2] int g0/0/3
[S2-GigabitEthernet0/0/3] port link-type hybrid
[S2-GigabitEthernet0/0/3] port hybrid pvid vlan 3
[S2-GigabitEthernet0/0/3] port hybrid untagged vlan 3 10

4. Verify network communication

The tests for PC1 are as follows:

The tests for PC3 are as follows:

The needs of the experiment have been met!
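The forwarding rules from section 3 (PVID on ingress, untag list and tag list on egress) can be checked against this configuration without a lab. The following Python model is added here and is not part of the original article: the port tables are transcribed from the S1 and S2 configuration above, while the host attachment (PC1, PC4 and PC3 on S1 g0/0/2, g0/0/3 and g0/0/4; PC2 and PC5 on S2 g0/0/2 and g0/0/3) and the S1-S2 link on g0/0/1 are assumptions read from the experimental diagram.

```python
from collections import deque
# Port tables transcribed from the article's S1/S2 config; the model around them is added.
def port(pvid, untag, tag=()):
    return {"pvid": pvid, "untag": set(untag), "tag": set(tag)}

SWITCHES = {
    "S1": {"g0/0/1": port(1, {1, 2}, {3, 10}), "g0/0/2": port(1, {1, 2}),
           "g0/0/3": port(1, {1, 2}), "g0/0/4": port(10, {3, 10})},
    "S2": {"g0/0/1": port(1, {1, 2}, {3, 10}), "g0/0/2": port(2, {1, 2}),
           "g0/0/3": port(3, {3, 10})},
}
# Host attachment and the S1-S2 link: assumptions read from the experimental diagram.
HOSTS = {"PC1": ("S1", "g0/0/2"), "PC4": ("S1", "g0/0/3"), "PC3": ("S1", "g0/0/4"),
         "PC2": ("S2", "g0/0/2"), "PC5": ("S2", "g0/0/3")}
LINKS = {("S1", "g0/0/1"): ("S2", "g0/0/1"), ("S2", "g0/0/1"): ("S1", "g0/0/1")}

def ingress(p, vid):
    # Untagged frame: classified by PVID. Tagged frame: accepted only if in the tag list.
    if vid is None:
        return p["pvid"]
    return vid if vid in p["tag"] else None

def egress(p, vlan):
    # Untag list: send untagged (None). Tag list: send tagged. Neither: drop.
    if vlan in p["untag"]:
        return None
    return vlan if vlan in p["tag"] else "drop"

def reachable_from(src):
    """Hosts that receive a broadcast (e.g. an ARP request) sent untagged by `src`."""
    seen, out = set(), set()
    queue = deque([(*HOSTS[src], None)])        # (switch, ingress port, VID or None)
    while queue:
        sw, pin, vid = queue.popleft()
        vlan = ingress(SWITCHES[sw][pin], vid)
        if vlan is None or (sw, pin, vlan) in seen:
            continue                            # discarded on ingress, or already seen
        seen.add((sw, pin, vlan))
        for pout, p in SWITCHES[sw].items():
            tag = egress(p, vlan)
            if pout == pin or tag == "drop":
                continue
            if (sw, pout) in LINKS:             # towards the other switch
                queue.append((*LINKS[(sw, pout)], tag))
            else:                               # towards an attached host
                out |= {h for h, loc in HOSTS.items() if loc == (sw, pout)}
    return out

def can_reach(a, b):
    return b in reachable_from(a) and a in reachable_from(b)
```

can_reach checks both directions, as a ping does; with these tables it returns True for PC1/PC2 and PC3/PC5 and False for PC3/PC1, matching the tests above.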

There are many other ways to meet the same requirements, for example:

The first method:

You can configure it yourself according to the method in the figure.

The second method:

You can also configure it yourself according to the figure, but only if there are no special requirements for the interface between the switches!

This is the end of this article. Thank you for reading.
