Shulou(Shulou.com)06/01 Report--

The so-called VLAN means that nodes in different physical locations form different logical subnets according to their needs, that is, a VLAN is a logical broadcast domain, which can cover multiple network devices. VLAN allows network users in different geographical locations to join in a logical subnet and share a broadcast domain. Through the creation of VLAN, the generation of broadcast storms can be controlled, thus improving the overall performance and security of the switched network. Ports in the same VLAN can accept broadcast packets in VLAN, while ports in other VLAN cannot.

VLAN (Virtual Local area Network) is the logical segmentation of the network users connected to the second layer switch port, which is not limited by the physical location of the network users, but according to the needs of the users. A VLAN can be implemented on one switch or across switches. VLAN can be grouped according to the location, role, and department of network users, or according to the applications and protocols used by network users. Virtual local area network based on switch can solve the problems of collision domain, broadcast domain and bandwidth for local area network.

In the traditional shared media Ethernet and switched Ethernet, all users in the same broadcast domain will cause the decline of network performance and waste valuable bandwidth; and the control of broadcast storm and network security can only be realized on the router of layer 3.

VLAN is equivalent to the broadcast domain of the second layer of the OSI reference model, which can control the broadcast storm within an VLAN. After dividing the VLAN, due to the reduction of the broadcast domain, the proportion of bandwidth consumed by broadcast packets in the network is greatly reduced, and the performance of the network is significantly improved. The data transmission between different VLAN is realized through the routing of the third layer (network layer), so using VLAN technology, combined with the switching equipment of the data link layer and the network layer, we can build a secure and reliable network. The network administrator controls the access of network users to network resources by controlling each port of the switch. at the same time, the combination of VLAN and layer 3 and layer 4 can provide better security measures for the network. With the increasing improvement of VLAN technology, VLAN technology is more and more used in switched Ethernet, which has become a method to segment the network flexibly and improve network security.

First, the division of VLAN:

The division of VLAN is very important. When designing and building VLAN and implementing VLAN applications, we must first decide how to divide VLAN, that is, according to what criteria to organize VLAN members. Here are five common partitioning methods, which represent different VLAN implementation types.

1. Divide VLAN by port

Some ports in the switch are defined as a separate area, forming a VLAN. Computers in the same VLAN belong to the same network segment, and communication between different VLAN needs to be through a router. The advantage of port-based VLAN is that it is very convenient to configure, as long as the relevant settings are made on the switch, which is suitable for the situation where the network environment is relatively fixed. The disadvantage is that when a computer needs to move from one port to another new port, and the new port does not belong to the same VLAN as the old port, modify the VLAN settings of the port or reconfigure the network address on the user's computer so that it can be added to the new VLAN. Otherwise, this computer will not be able to communicate on the network.

Port-based partitioning is the simplest and most commonly used. In this way, the physical network segments belonging to different switch ports are divided into a VLAN, and through the network management software, the different ports are divided into the corresponding packets (VLAN) according to the VLAN identifier. For example, ports 1, 2, 6, and 7 of a switch are defined as VLAN A, and ports 3, 4, and 5 of the same switch constitute VLAN 8. This division allows communication between ports and allows the upgrade of shared networks. Unfortunately, this partition mode limits the virtual network to one switch.

The second generation port VLAN technology allows VLAN to be divided across multiple different ports of multiple switches, and several ports on different switches can form the same VLAN. All sites assigned to each segment of the same VLAN are in the same broadcast domain and can communicate directly; communication between different VLAN locations is through a router or layer 3 switch.

The switch port is divided into VLAN, and the configuration process is simple and clear. By far, this is still the most common method, but it does not allow multiple VLAN to share a physical network segment or switch port. If a user moves from the VLAN where one port is located to the VLAN where another port is located, the network administrator needs to reconfigure it, which is unthinkable for a network with many mobile users.

2. Divide VLAN by MAC address

Each network card has a unique hardware physical address, this address is the MAC address, commonly known as the "network card number". You can use the "ipconfig/all" command in Windows to view this address.

MAC address is the physical address of each device network card connected in the network, which is controlled by IEEE. There are no two network cards with the same MAC address in the world. MAC address belongs to the data link layer, which can be used as the basis for dividing VLAN, which can be very independent of various applications on the network layer. The VLAN constructed in this way is a collection of MAC addresses, which solves the problem of the movement of network processing sites. For workstations connected to switch ports, when they are initialized, the corresponding switch checks the MAC address in the management information base of VLAN to dynamically match the port to the corresponding VLAN.

VLAN by MAC address allows network users to move from one physical location to another and automatically retain membership of the VLAN network segment to which they belong. At the same time, this method is independent of the high-level protocols of the network (such as TCP/IP, IP, IPX, etc.). In a sense, using MAC address to define VLAN can be regarded as a means of network division based on users.

One drawback of this approach is that all users must be explicitly assigned to a VLAN. After this initialization work is completed, automatic tracking of users becomes possible. In a large network with a large number of nodes, it is too difficult to require administrators to divide each user into a certain VLAN.

3. Divide VLAN based on network layer.

VLAN can be divided based on the network layer, and there are two schemes, one by protocol (if there are multiple protocols in the network), and the other by network layer address (the most common is the subnet segment address in TCP/IP).

Establishing a VLAN can also use the same policy as managing routes. VLAN is divided according to IP subnets, IPX network numbers, and other protocols. The workstation of the same protocol is divided into a VLAN, and the switch checks the Ethernet frame title field of the broadcast frame, looks at its protocol type, and joins the source port if the VLAN of the protocol already exists, otherwise, create a new VLAN. The VLAN constructed in this way not only greatly reduces the workload of manual configuration of VLAN, but also ensures that users are free to add, move and modify. Sites on different VLAN segments can belong to the same VLAN, and sites on different VLAN can be on the same physical segment.

There are also disadvantages of using the network layer to define VLAN. Compared with using the form of MAC address, VLAN based on network layer needs to analyze the address format of various protocols and translate accordingly. As a result, switches that use network layer information to define VLAN have a speed disadvantage over switches that use data link layer information.

4. Division of broadcast groups based on IP

Any computer that belongs to the same IP broadcast group can be divided into the same VLAN. When an IP packet is broadcast to the network, it is delivered to a set of trustees of IP addresses. The broadcast group that is clearly defined is dynamically generated during the operation of the network. Any workstation has the opportunity to become a member of a broadcast group, as long as it gives an affirmative answer to the broadcast confirmation message of that broadcast group. All workstations that join the same broadcast group are regarded as members of the same VLAN, and their membership can be retained for a certain period of time according to the actual needs. Therefore, the method of using IP broadcast domain to divide VLAN brings great flexibility and extensibility to users. In this way, the whole network can be easily expanded through routers.

5. Rule-based VLAN

Also known as policy-based VLAN. This is the most flexible VLAN partition method, which has the ability of automatic configuration, can connect related users into one, and is called "relational network" in logical division. The network administrator only needs to determine the rules (or attributes) for dividing the VLAN in the network management software, and when a site joins the network, it will be "perceived" and automatically included in the correct VLAN. At the same time, the movement and change of the site can also be automatically identified and tracked.

In this way, the entire network can easily expand the size of the network through routers. Some products also support that the hosts on one port belong to different VLAN, which is particularly important in the environment where the switch coexists with the shared Hub. When VLAN is automatically configured, the software in the switch automatically checks the IP source address of the broadcast information entering the switch port, and then the software automatically assigns the port to a VLAN mapped by the IP subnet.

Second, the advantages of VLAN

The advantages of VLAN are mainly reflected in the following three aspects:

1. Control the broadcast storm

Network management must solve the problem of bandwidth consumption caused by a large amount of broadcast information. As a network segmentation technology, VLAN can limit broadcast storms to one VLAN and avoid affecting other network segments. Compared with the traditional local area network, VLAN can use the bandwidth more efficiently. In VLAN, the network is logically divided into broadcast domains, and the information frames or packets sent by VLAN members are transmitted only between members within the VLAN, not to all workstations on the network. This can reduce the traffic of the backbone and improve the speed of the network.

2. Enhance the security of the network

Broadcasting on shared LAN will inevitably cause security problems, because all users on the network can monitor the traffic flowing through, and users can access the broadcast packets on the network segment as long as they plug into any active port. Using the security mechanism provided by VLAN, we can restrict the access of specific users, control the size and location of broadcast groups, and even lock the MAC addresses of network members, thus restricting the use of the network by users and network members without security permission.

3. Strengthen network management

Using VLAN technology and VLAN management program, the whole network can be managed centrally, and the manageability of the network can be realized more easily. Users can quickly build and adjust VLAN according to business needs. When the link is congested, the hypervisor can be used to redistribute the service. The management process can also provide detailed reports on the volume of business, broadcasting behaviour and statistical characteristics of the working group. For network administrators, all of this network configuration and management is transparent. When the VLAN changes, the user does not need to know the connection of the network and how the protocol is reset.

VLAN can also reduce the overhead caused by changes in network membership. When you add, delete, and move network members, you do not have to rewire or configure the members directly. If the traditional local area network technology is adopted, then when the network reaches a certain scale, this kind of overhead will often become a heavy burden for administrators.

Through the use of VLAN partition technology, the local area network has been greatly improved in security and stability, which provides a reliable guarantee for the development of various businesses. in short, the importance of VLAN technology in the network management of the group company can not be ignored.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.