Shulou(Shulou.com)06/01 Report--

1. Why do you need VLAN

What is VLAN?

VLAN (Virtual LAN), translated into Chinese, is "virtual local area network". LAN can be a network of a few home computers or an enterprise network of hundreds of computers. The LAN that VLAN refers to specifically refers to a network that is divided by a router-- that is, a broadcast domain.

Let's review the concept of broadcast domain first. Broadcast domain refers to the range to which broadcast frames (destination MAC addresses are all 1) can be delivered, that is, the range to which direct communication can be made. Strictly speaking, it is not only broadcast frames, but also multicast frames (Multicast Frame) and unicast frames with unknown targets (Unknown Unicast Frame) can travel freely in the same broadcast domain.

Originally, layer 2 switches can only build a single broadcast domain, but with the VLAN function, it can divide the network into multiple broadcast domains.

When the broadcast domain is not segmented...

So why do you need to split the broadcast domain? That is because if there is only one broadcast domain, it may affect the overall transmission performance of the network. For specific reasons, please refer to the attached picture to deepen your understanding.

In the figure, there is a network of five layer 2 switches (switch 1x5) connected to a large number of customer organizations. Suppose that at this point, computer A needs to communicate with computer B. In Ethernet-based communication, the destination MAC address must be specified in the data frame to communicate properly, so computer A must first broadcast the ARP request (ARP Request) message to try to obtain the MAC address of computer B.

When switch 1 receives the broadcast frame (ARP request), it forwards it to all ports except the receiving port, that is, Flooding. Next, switch 2 will also Flooding when it receives the broadcast frame. Switches 3, 4, and 5 also Flooding. Eventually the ARP request is forwarded to all clients on the same network.

Please note that this ARP request was originally made to obtain the MAC address of computer B. In other words: as long as computer B can receive it, everything will be all right. But in fact, the data frame spread all over the network, causing all computers to receive it. In this way, on the one hand, the broadcast information consumes the overall bandwidth of the network, on the other hand, the computer that receives the broadcast information also consumes part of the CPU time to process it. It results in a large amount of unnecessary consumption of network bandwidth and CPU computing power.

Are radio messages sent out so often?

After reading this, you may ask: is broadcast information really that frequent?

The answer is: yes! In fact, broadcast frames appear very frequently. When using the TCP/IP protocol stack to communicate, in addition to the previous ARP, it is possible to send out many other types of broadcast messages, such as DHCP, RIP, and so on.

ARP broadcasts are sent when you need to communicate with other hosts. When the client requests the DHCP server to assign an IP address

A DHCP broadcast must be sent. When using RIP as the routing protocol, the router broadcasts routing information to neighboring routers every 30 seconds. Routing protocols other than RIP use multicast to transmit routing information, which is also forwarded (Flooding) by the switch. In addition to TCP/IP, broadcasts are often required for protocols such as NetBEUI, IPX and Apple Talk. For example, a broadcast (multicast) message will be sent when you double-click to open the Network computer under Windows. (except for Windows XP. )

In short, the radio is all around us. Here are some common broadcast communications:

ARP request: establish the mapping relationship between IP address and MAC address.

RIP: a routing protocol.

DHCP: a protocol used to automatically set IP addresses.

The network protocol used under NetBEUI:Windows.

The network protocol used by IPX:Novell Netware.

Apple Talk: the network protocol used by Apple's Macintosh computers.

If there is only one broadcast domain in the whole network, once the broadcast message is sent, it will spread throughout the network and impose an additional burden on the hosts in the network. Therefore, when designing LAN, we need to pay attention to how to effectively segment the broadcast domain.

The Division of broadcast Domain and the necessity of VLAN

When segmenting broadcast domains, routers are generally required. After using the router, the broadcast domain can be divided by the network interface (LAN Interface) on the router.

However, usually there are not too many network interfaces on the router, and the number is about 1 to 4. With the popularity of broadband connections, broadband routers (or IP sharers) have become more common, but it should be noted that although they have multiple (usually about 4) network interfaces on the LAN side, they are actually switches built into the router and cannot split the broadcast domain.

Moreover, if the router is used to divide the broadcast domain, the number that can be divided depends entirely on the number of network interfaces of the router, which makes it impossible for users to divide the broadcast domain freely according to the actual needs.

Compared with routers, layer 2 switches generally have multiple network interfaces. Therefore, if it can be used to divide the broadcast domain, there is no doubt that the flexibility of application will be greatly improved.

The technology used to segment broadcast domains on layer 2 switches is VLAN. By using VLAN, we can freely design the composition of broadcast domain and improve the degree of freedom of network design.

two。 The mechanism of implementing VLAN

The mechanism of implementing VLAN

After understanding why VLAN is needed, let's take a look at how the switch uses VLAN to split the broadcast domain.

First, on a layer 2 switch without any VLAN, any broadcast frame is forwarded to all ports except the receiving port (Flooding). For example, after computer A sends a broadcast message, it is forwarded to ports 2, 3, 4.

At this time, if red and blue VLAN; are generated on the switch, ports 1 and 2 are set to belong to red VLAN, and ports 3 and 4 belong to blue VLAN. If you send a broadcast frame from A, the switch will only forward it to another port that belongs to the same VLAN-that is, port 2, which also belongs to the red VLAN, and will no longer forward it to the port that belongs to the blue VLAN.

Similarly, when C sends a broadcast message, it will only be forwarded to other ports belonging to the blue VLAN, not to the ports belonging to the red VLAN.

In this way, VLAN divides the broadcast domain by limiting the range of broadcast frame forwarding. In the above picture, for ease of illustration, red and blue are used to identify different VLAN, while in practice, "VLAN ID" is used to distinguish them.

Intuitive description of VLAN

If we want to describe VLAN more intuitively, we can think of it as logically dividing a switch into several switches. Generating red and blue VLAN on a switch can also be regarded as replacing one switch with one red and one blue virtual switch.

When you generate a new VLAN in addition to the red and blue VLAN, you can imagine adding a new switch.

However, the logical switches generated by VLAN are not interconnected. Therefore, after setting up VLAN on the switch, if no other processing is done, there is no way to communicate between VLAN.

It may be hard to accept the fact that you can't communicate when you are connected to the same switch. But it is not only the easy-to-use feature of VLAN, but also the reason that makes VLAN difficult to understand.

What to do when communication between VLAN is needed

So what do we do when we need to communicate between different VLAN?

Please recall that VLAN is a broadcast domain. Usually, the two broadcast domains are connected by the router, and the packets between the broadcast domains are relayed by the router. Therefore, the communication between VLAN also requires the router to provide relay service, which is called "inter-VLAN routing".

Inter-VLAN routing can use either a normal router or a layer 3 switch.

Access links to 3.VLAN

Port of the switch

Switch ports can be divided into the following two types:

Access Link (Access Link)

Aggregation Link (Trunk Link)

Next, let's explore the characteristics of these two different ports in turn.

Access link

An access link refers to a port that "belongs to only one VLAN and forwards data frames to that VLAN only". In most cases, the access link is connected to the client.

Generally speaking, the order in which VLAN is set is:

Generate VLAN

Set the access link (determine which VLAN each port belongs to)

The method of setting the access link can be fixed in advance or dynamically change the setting according to the connected computer. The former is called "static VLAN", while the latter is naturally "dynamic VLAN".

Static VLAN

Static VLAN is also known as port-based VLAN (Port Based VLAN). As the name implies, it is the setting method to specify which VLAN each port belongs to.

Because it needs to be specified port by port, when the number of computers in the network exceeds a certain number (such as hundreds), the setting operation will become extremely cumbersome. Also, every time the client changes the connected port, it must also change the settings of the VLAN to which the port belongs-- which is obviously not suitable for networks that need to change the topology frequently.

Dynamic VLAN

On the other hand, dynamic VLAN changes the VLAN to which each port belongs at any time according to the computer connected to each port. This avoids the above operations such as changing settings. Dynamic VLAN can be roughly divided into three categories:

VLAN based on MAC address (MAC Based VLAN)

Subnet-based VLAN (Subnet Based VLAN)

User-based VLAN (User Based VLAN)

The main difference between them is that the VLAN to which the port belongs is determined according to the information of which layer of the OSI reference model.

The VLAN based on the MAC address determines the ownership of the port by querying and recording the MAC address of the network card on the computer to which the port is connected. Assuming that a MAC address "A" is set by the switch to belong to VLAN "10", no matter which port the computer with the MAC address "A" is connected to the switch, the port will be divided into VLAN10. When the computer is connected to port 1, port 1 belongs to VLAN10;, and when the computer is connected to port 2, port 2 belongs to VLAN10.

Since the VLAN is determined based on the MAC address, it can be understood that this is a way to set the access link at the second layer of the OSI.

However, VLAN based on MAC addresses must be set up to investigate the MAC addresses of all connected computers and log in. And if the computer swaps the network card, you still need to change the settings.

The subnet-based VLAN determines the VLAN to which the port belongs by the IP address of the computer to which it is connected. Unlike VLAN based on MAC address, even if the computer changes its MAC address due to the exchange of network cards or other reasons, as long as its IP address remains the same, it can still join the previously set VLAN.

Therefore, compared with the VLAN based on MAC address, the network structure can be changed more easily. The IP address is the information of the third layer of the OSI reference model, so we can understand that the subnet-based VLAN is a way to set the access link at the third layer of the OSI.

Based on the user's VLAN, it is based on the user who is currently logged in on the computer connected to each port of the switch to determine which VLAN the port belongs to. The user identification information here is generally the user who logs in to the computer operating system, such as the user name used in the Windows domain. These user name information belong to the information above the fourth layer of OSI.

In general, the higher the level of information used to determine the VLAN of a port in the OSI, the more suitable it is to build a flexible network.

Access the summary of the link

To sum up, there are two methods to set access links: static VLAN and dynamic VLAN, in which dynamic VLAN can be subdivided into several subcategories.

Among them, subnet-based VLAN and user-based VLAN may be realized by network equipment manufacturers using unique protocols, and there may be compatibility problems between devices from different manufacturers, so we must pay attention to prior confirmation when selecting switches.

The following table summarizes information about static VLAN and dynamic VLAN.

Category explanation

Static VLAN (port-based VLAN) permanently assigns each port of the switch to the VLAN

Dynamic VLAN VLAN based on MAC address is set according to the MAC address of the computer connected to each port

Subnet-based VLAN is set according to the IP address of the computer connected to each port

Based on the user's VLAN, according to the login user settings on the computer connected to the port.

Aggregation link of 4.VLAN

When you need to set up VLAN across multiple switches.

So what if you need to set up a VLAN that spans multiple switches?

When planning an enterprise network, you are likely to encounter users belonging to the same department scattered on different floors of the same building, and you may need to consider how to set up VLAN across multiple switches. Suppose you have the network shown in the following figure, and you need to set A, C, B, D on different floors to the same VLAN.

At this time, the most important thing is "how to connect switch 1 and switch 2?"

The easiest way is to set up a red and blue VLAN dedicated interface on switch 1 and switch 2 and interconnect them.

However, this approach is not good in terms of scalability and management efficiency. For example, when you build a new VLAN on top of an existing network, in order to make the VLAN interoperable, you need to connect new network cables between the switches. The vertical wiring between the floors of a building is troublesome and cannot be carried out at will by grass-roots managers. Moreover, with more VLAN, more and more ports are needed for interconnection between floors (strictly speaking, switches). The low utilization efficiency of switch ports is a waste of resources and limits the expansion of the network.

In order to avoid this inefficient connection, people find a way to centralize the interconnected network cables between switches, which is called Trunk Link.

What is an aggregation link?

A Trunk Link is a port that can forward traffic from multiple different VLAN.

The data frames circulating on the aggregation link are appended with special information to identify which VLAN they belong to.

Now let's go back and think about what would happen if we used aggregation links in that network. Users simply need to set the ports of interconnection between switches as aggregation links. At this time, the network cable used is still an ordinary UTP cable, not any other special wiring. In the illustration, the switches are interconnected, so crossover lines are needed.

Cross lines are used for links to the same device, such as PC-to-PC.

A straight-through line is used for links to heterogeneous devices, such as PC to router and other devices.

In a sentence, the same kind is used to cross, and different species is used to pass through.

568A standard: White green, green, white orange, blue, white blue, orange, white brown, brown

568B Standard: White Orange, Orange, White Green, Blue, White Blue, Green, White Brown, Brown

The straight line is the same at both ends, and the 568b standard is generally used.

The crossing line is 568a at one end and 568b at the other. ) to connect.

Next, let's take a specific look at how aggregation links implement VLAN across switches.

When the data frame sent by A travels from switch 1 to switch 2 through the aggregation link, a flag indicating that it belongs to the red VLAN is appended to the data frame.

After the switch 2 receives the data frame, after checking the VLAN logo, it is found that the data frame belongs to the red VLAN, so after removing the mark, the restored data frame is only forwarded to other ports belonging to the red VLAN as needed. Forwarding at this time refers to the port to which the destination MAC address is only forwarded to the destination MAC address after confirming the destination MAC address and comparing it with the MAC address list. Only if the data frame is a broadcast frame, a multicast frame, or a frame with an unknown destination will it be forwarded to all ports belonging to the red VLAN.

The same is true when a blue VLAN sends a data frame.

Through the VLAN identification information attached to the aggregation link, it is possible to support the standard "IEEE 802.1Q" protocol, or it may be the "ISL (Inter Switch Link)" unique to Cisco products. If the switch supports these specifications, users can efficiently build VLAN across multiple switches.

In addition, there are multiple VLAN data circulating on the aggregation link, so the natural load is heavy. Therefore, when setting the aggregation link, there is a premise that the transmission speed above 100Mbps must be supported.

In addition, by default, the aggregation link forwards all VLAN data that exists on the switch. From another perspective, the aggregation link (port) can be considered to belong to all the VLAN on the switch at the same time. Since there is probably no need to forward all VLAN data in practical applications, in order to reduce the load of the switch and reduce the waste of bandwidth, we can limit the VLAN that can be interconnected via the aggregation link. Set the number of vlan passed by the aggregation link

5.IEEE802.1Q and ISL

Convergence mode

On the aggregation link of the switch, you can build a VLAN across multiple switches by attaching VLAN information to the data frame.

The most representative methods for attaching VLAN information are:

IEEE802.1Q

ISL

IEEE802.1Q

IEEE802.1Q, commonly known as "Dot One Q", is a protocol certified by IEEE to attach VLAN identification information to data frames.

Here, please recall the standard format of Ethernet data frames.

The VLAN identification information attached by IEEE802.1Q is located between the "sending source MAC address" and the "class field (Type Field)" in the data frame. The details are 2-byte TPID and 2-byte TCI, totaling 4 bytes.

If 4 bytes are added to the data frame, the CRC value will naturally change. At this time, the CRC on the data frame is the value obtained after inserting TPID and TCI, and recalculating the whole data frame, including them.

When the data frame leaves the aggregation link, the TPID and TCI are removed, and the CRC is recalculated.

The value of TPID, which is fixed to 0x8100. The switch uses TPID to determine that IEEE802.1Q-based VLAN information is attached to the data frame. In essence, VLAN ID is the 12-bit of TCI. Since there are a total of 12 bits, a maximum of 4096 VLAN can be identified.

Based on the VLAN information attached by IEEE802.1Q, it is like a label attached to the delivery of an item. Therefore, it is also called "tagged VLAN (Tagging VLAN)".

ISL (Inter Switch Link)

ISL, which is similar to IEEE802.1Q supported by Cisco products, is used to attach VLAN information on aggregation links.

After using ISL, the header of each data frame is appended with a 26-byte "ISL header (ISL Header)" and the 4-byte CRC value obtained by calculating the entire data frame, including the ISL header, on the frame trailer. In other words, a total of 30 bytes of information has been added.

In the ISL environment, when the data frame leaves the aggregation link, simply remove the ISL header and the new CRC. Since the original data frame and its CRC are completely preserved, there is no need to recalculate the CRC.

ISL is like wrapping the entire data frame with an ISL header and a new CRC, so it is also called "encapsulated VLAN (Encapsulated VLAN)".

It should be noted that neither IEEE802.1Q 's "Tagging VLAN" nor ISL's "Encapsulated VLAN" is a very strict title. The above words may be mixed in different books and reference materials, so we need to pay special attention to them.

And because ISL is a unique protocol of Cisco, it can only be used for the interconnection of Cisco network devices.

Inter-6.VLAN routing

The necessity of Inter-VLAN routing

We already know that even if two computers are connected to the same switch, they cannot communicate directly as long as they belong to different VLAN. The next thing we will learn is how to route between different VLAN so that hosts belonging to different VLAN can communicate with each other.

First of all, why different VLAN cannot communicate without routing. For communication within the LAN, the MAC address of the communication destination must be specified in the data frame header. In order to obtain the MAC address, ARP is used under the TCP/IP protocol. The way ARP parses MAC addresses is through broadcasting. In other words, if the broadcast message cannot be reached, there is no way to resolve the MAC address, that is, it is impossible to communicate directly.

Computers belong to different VLAN, which means that they belong to different broadcast domains, so they naturally cannot receive each other's broadcast messages. As a result, computers belonging to different VLAN cannot communicate directly with each other. In order to be able to communicate between VLAN, it is necessary to use the information (IP address) of the network layer, which is a higher layer in the OSI reference model, for routing.

Routing functions are generally mainly provided by routers. But in today's local area network, we often use the switch with routing function-- Layer 3 Switch. Let's take a look at inter-VLAN routing using routers and layer 3 switches, respectively.

Using routers for inter-VLAN routing

When using routers for inter-VLAN routing, similar to the situation when building VLAN across multiple switches, we still encounter the problem of "how to connect routers to switches." There are roughly two ways to connect routers and switches:

Connect the router to each VLAN on the switch separately

No matter how many VLAN there are, the router and the switch are connected by only one network cable.

Of course, the easiest thing to think of is to "connect the router and the switch with a network cable in VLAN units." Set each port on the switch that is used to interconnect with the router as an access link, and then use a network cable to interconnect with the separate ports on the router. As shown in the figure below, if there are 2 VLAN on the switch, you need to reserve 2 ports on the switch for interconnection with the router; you also need 2 ports on the router; the two are connected by 2 network cables.

If this approach is adopted, it should not be difficult to imagine that its scalability is very problematic. Each addition of a new VLAN consumes the port of the router and the access link on the switch, as well as a new network cable. Routers, on the other hand, usually do not have many LAN interfaces. When building a new VLAN, in order to correspond to the ports required by the additional VLAN, the router must be upgraded to a high-end product with multiple LAN interfaces. This part of the cost, as well as the overhead of rewiring, makes this wiring method an unpopular method.

So, the second way, "regardless of the number of VLAN, there is only one network cable to connect the router to the switch"? An aggregation link is needed when a network cable is used to connect the router to the switch and to route between VLAN.

The specific implementation process is as follows: first, the switch port used to connect the router is set as the aggregation link, and the port on the router must also support the aggregation link. Naturally, the protocols used by both parties for the aggregation link must also be the same. Then define the "Sub Interface" corresponding to each VLAN on the router. Although there is actually only one physical port connected to the switch, we can theoretically divide it into multiple virtual ports. This is why Trunk ports are used between layer 3 switches or routers and switches.

VLAN logically divides the switch into multiple, so routers used for inter-VLAN routing must also have virtual interfaces corresponding to each VLAN.

With this approach, even if you then create a new VLAN on the switch, only one network cable is needed to connect the switch to the router. Users only need to set up a new subinterface corresponding to the new VLAN on the router. Compared with the previous approach, it is much more scalable and does not have to worry about upgrading routers with insufficient LAN interfaces or rewiring.

Of course, the corresponding bandwidth requirements will also increase, stability issues also need to be considered, and link redundancy can be carried out.

Communication within the same VLAN

Next, how inter-VLAN routing works when we continue to use aggregation links to connect the switch to the router. Set IP addresses for each computer and the subinterfaces of the router as shown in the following figure.

The network address of the red VLAN (VLAN ID=1) is 192.168.1.0 Universe 24, and the network address of the blue VLAN (VLAN ID=2) is 192.168.2.0 Universe 24. The MAC address of each computer is A/B/C/D, and the MAC address of the router aggregation link port is R. By learning the MAC address of the computer connected to each port, the switch generates the following MAC address list.

Port

Mac address Vlan

one

A

one

2B13C24D25--6R aggregation

First consider the situation of communication between computer An and computer B within the same VLAN.

Computer A sends out an ARP request message to resolve the MAC address of B. After the switch receives the data frame, it retrieves the table entry in the MAC address list that belongs to the same VLAN as the receiving port. It turns out that computer B is connected to port 2, so the switch forwards the data frame to port 2, and eventually computer B receives the frame. Both the transceiver and the sender communicate within the same VLAN, and all processing is done in the switch.

Data flow when communicating between different VLAN

Next is the core of this lecture, the communication between different VLAN. Let's consider the communication between computer An and computer C.

Computer A concludes from the IP address of the communication destination (192.168.2.1) that C does not belong to the same network segment as the local machine. As a result, data frames are forwarded to the set default gateway (Default Gateway,GW). Before sending a data frame, you need to use ARP to obtain the MAC address of the router.

After obtaining the MAC address R of the router, the next step is the data frame that is sent to C according to the steps shown in the figure.

In the data frame of ①, the destination MAC address is the address R of the router, but the destination IP address contained in it is still the address of the final object C to be communicated. The content of this part involves the communication steps when forwarded by the router in the local area network.

After the switch receives the ① data frame on port 1, it retrieves the table entry in the MAC address list that belongs to the same VLAN as port 1. Because the aggregation link is considered to belong to all VLAN, port 6 of the switch is also the referenced object. In this way, the switch knows that a data frame is sent to MAC address R and needs to be forwarded through port 6.

When a data frame is sent from port 6, because it is an aggregation link, it is appended with VLAN identification information. Since it was originally a data frame from a red VLAN, as shown by the ② in the figure, it will be added with the identification information of the red VLAN to enter the aggregation link. After receiving the data frame of the ②, the router confirms its VLAN identification information, and because it is a data frame belonging to the red VLAN, it is received by the subinterface responsible for the red VLAN.

Then, according to the routing table inside the router, determine where to relay.

Because the destination network 192.168.2.0 VLAN 24 is a blue VLAN and it is directly connected to the router through a subinterface, simply forward it from the subinterface responsible for the blue tip. At this time, the destination MAC address of the data frame is rewritten to the destination address of computer C, and because it needs to be forwarded over the aggregation link, identification information belonging to the blue VLAN is appended. This is the data frame of the ③ in the figure.

After the switch receives the data frame of the ③, it retrieves the table entry belonging to the blue VLAN from the MAC address list according to the VLAN identification information. Because the communication target, computer C, is connected to port 3, and port 3 is a normal access link, the switch forwards the data frame to port 3 after removing the VLAN identification information (data frame ④). Finally, computer C can successfully receive the data frame.

When communicating between VLAN, even if both sides of the communication are connected to the same switch, they must go through:

Sender-switch-router-switch-receiver

Such a process.

7. Layer 3 switch

Problems when using routers for inter-VLAN routing

Now, we know that as long as we can provide inter-VLAN routing, we can make computers belonging to different VLAN communicate with each other. However, if the router is used for inter-VLAN routing, with the continuous increase of traffic between VLAN, the router is likely to become the bottleneck of the whole network.

The switch uses a dedicated hardware chip called ASIC (Application Specified Integrated Circuit) to handle the switching of data frames, and it can be switched at cable speed (Wired Speed) on many models. Routers, on the other hand, are basically based on software processing. Even if a packet is received at cable speed, it cannot be forwarded without speed limit, so it will become a speed bottleneck. In the case of inter-VLAN routing, traffic is concentrated in the aggregation link portion of the router and switch interconnection, which is particularly likely to become a speed bottleneck. And from the hardware point of view, due to the need to set up routers and switches respectively, it may even be a problem to set up places in some narrow environments.

Layer 3 switch (Layer 3 Switch)

In order to solve the above problems, layer 3 switch came into being. Layer 3 switch is essentially a "layer 2 switch with routing function". Routing belongs to the function of layer 3 network layer in the OSI reference model, so the switch with layer 3 routing function is called layer 3 switch.

For the internal structure of the layer 3 switch, you can refer to the following diagram.

In an ontology, the switch module and router module are set up respectively, while the built-in routing module is the same as the switching module, and ASIC hardware is used to handle routing. Therefore, compared with traditional routers, high-speed routing can be realized. Moreover, the routing and switching module is converged and linked, and because it is an internal connection, it can ensure a considerable bandwidth.

Use layer 3 switches for inter-VLAN routing (intra-VLAN communication)

How on earth does the data spread within the layer 3 switch? Basically, it is the same as when a router and switch are connected using an aggregation link.

Suppose you have four computers interconnected to a layer 3 switch as shown in the figure below. When using a router connection, it is generally necessary to set subinterfaces corresponding to each VLAN on the LAN interface, while the layer 3 switch generates a "VLAN interface (VLAN Interface)" internally. The VLAN interface is the interface used for each VLAN to send and receive data. (note: on Cisco's Catalyst series switches, VLAN Interface is called SVI--Switched Virtual Interface)

To compare with using a router for inter-VLAN routing, let's also consider the communication between computer An and computer B. First, the data frame sent from A with the destination address B is sent to the switch; by retrieving the MAC address list of the same VLAN, it is found that computer B is connected to port 2 of the switch; therefore, the data frame is forwarded to port 2.

Use layer 3 switches for inter-VLAN routing (inter-VLAN communication)

Next, imagine the communication between computer An and computer C. For the destination IP address, computer A can determine that the communication object does not belong to the same network, so it sends data to the default gateway (Frame 1).

After retrieving the MAC address list, the switch forwards the data frame to the routing module through an internal aggregation link. When passing through the internal aggregation link, the data frame is appended with VLAN identification information (Frame 2) belonging to the red VLAN.

When the routing module receives the data frame, it first distinguishes that it belongs to the red VLAN by the VLAN identification information attached to the data frame, and then determines that the red VLAN interface is responsible for receiving and routing processing. Because the destination network 192.168.2.0 take 24 is the network of directly connected routers and corresponds to the blue VLAN;, it is then forwarded back to the switching module from the blue VLAN interface via the internal aggregation link. When passing through the aggregation link, this data frame is appended with identification information belonging to the blue VLAN (Frame 3).

When the switch receives the frame, it retrieves the MAC address list of the blue VLAN and confirms that it needs to be forwarded to port 3. Because port 3 is the usual access link, the VLAN identification information is removed before forwarding (Frame 4). Finally, computer C successfully receives the data frame forwarded by the switch.

The overall process is very similar to what happens when using an external router-- it all needs to go through

Sender → switching module → routing module → switching module → receiver.

8. Means to accelerate communication between VLAN

Stream (Flow)

We already know that inter-VLAN routing must go through an external router or the built-in routing module of a layer 3 switch. However, sometimes not all data needs to go through the router (or routing module).

For example, when using FTP (File Transfer Protocol) to transfer larger files with a capacity of more than MB, due to the limitations of MTU, the IP protocol will split the data into small chunks and reassemble them at the receiver. These segmented data are "sent to the same destination". The destination is the same, which means the same destination IP address and destination port number (note: specifically, this refers to the TCP/UDP port). Naturally, the source IP address and source port number should also be the same. Such a series of data streams are called "Flow".

As long as the original data of the flow is routed correctly, subsequent data should be routed in the same way.

Accordingly, the subsequent data no longer need to be routed by the router, and the speed of inter-VLAN routing can be further improved by omitting repeated routing operations.

Mechanism for accelerating inter-VLAN routing

Next, let's consider how to use layer 3 switches for high-speed inter-VLAN routing.

First of all, the first piece of data of the whole flow is forwarded by the switching module to the → routing module routing → again by the switching module to the port connected to the target. At this point, the result of the first block of data routing is recorded in the cache and saved. The information that needs to be recorded is:

L destination IP address

L source IP address

L destination TCP/ UDP port number

L source TCP/UDP port number

L receive port number (switch)

L forward port number (switch)

L forward destination MAC address

Wait.

After the data after the second block of the same stream arrives at the switching module / machine, it can be forwarded to the port connected to the target after finding out the "forwarding port number" by querying the information previously stored in the cache.

In this way, it is not necessary to relay through the internal routing module again and again, and the cache information inside the switch is enough to determine which port should be forwarded.

At this point, the switch performs similar processing to the data frame when it is relayed by the router, such as rewriting the MAC address, TTL and Check Sum check code information in the IP packet header, and so on.

By caching the routing results on the switch, the data transmitted by the sender can be received at cable speed (Wired Speed), and can be routed and forwarded to the receiver at full speed.

It should be noted that similar methods of accelerating inter-VLAN routing are mostly implemented by technologies unique to each vendor, and the title of this function varies from vendor to vendor. For example, on Cisco's Catalyst family of switches, this feature is called Multilayer switching (Multi Layer Switching). In addition, in addition to the internal routing module of the layer 3 switch, some models of external routers also support similar high-speed inter-VLAN routing mechanisms.

9. The significance of traditional Router

The necessity of routers

The price of layer 3 switches was very expensive at the beginning, but now their prices have come down a lot. At present, the price of some cheap foreign models is only more than 10,000 yuan after being converted into RMB, and it continues to decline.

Since layer 3 switches can provide faster routing processing than traditional routers, is it necessary to use routers in the network?

The answer is "yes".

The necessity of using routers is mainly manifested in the following aspects:

L is used to connect with WAN

After all, a layer 3 switch is a "switch". In other words, most models only have LAN (Ethernet) interface. There are also serial or ATM interfaces for connecting to WAN on a few high-end switches, but in most cases, routers are still needed to connect to WAN.

L ensure network security

On layer 3 switches, a certain degree of network security can also be ensured through packet filtering. However, using the various network security functions provided by the router, users can build a more secure and reliable network.

Among the network security functions provided by routers, in addition to the most basic packet filtering functions, you can also build × × (Virtual Private Network) based on IPSec, use RADIUS for user authentication, and so on.

L supports network architectures other than TCP/IP

Although TCP/IP has become the mainstream of the current network protocol architecture, there are still many networks using network protocols such as IPX/SPX under Novell Netware or Appletalk under Macintosh. Except for some high-end models, layer 3 switches basically only support TCP/IP. Therefore, in an environment that requires the use of network protocols other than TCP/IP, routers are still essential.

Note: the functions of the above routers can also be supported on a few high-end switches. For example, the Catalyst6500 series of Cisco can choose the interface module connected to WAN; there are optional modules that implement × × × based on IPSec; and can also support other network protocols other than TCP/IP.

An example of constructing LAN with the cooperation of router and switch

Let's take a look at an example of a router and switch working together to build a LAN.

The VLAN is defined by a layer 2 switch configured on each floor to connect the TCP/IP client computer. The communication between the VLAN of each floor is realized by the high-speed routing of the three-layer switch. If the network environment requires high reliability, you can also consider redundant configuration of layer 3 switches.

The connection to the WAN is made through a router with various network interfaces. In addition, network security is realized through the functions of packet filtering and × × of the router. In addition, using routers can also support networks other than TCP/IP, such as Novell Netware.

Only on the basis of fully mastering layer 2, layer 3 switches and traditional routers, can we achieve competitive use of things and build a highly efficient and cost-effective network.

10. Design Local area Network with VLAN

The characteristics of designing Local area Network with VLAN

By using VLAN to build a local area network, users can freely Freedom to segment broadcast domains without the limitation of physical links.

In addition, the routing between the VLAN provided by the router and layer 3 switch mentioned earlier can adapt to the flexible network composition.

However, because the use of VLAN is easy to complicate the composition of the network, it will also make it difficult to grasp the composition of the whole network.

It can be said that when using VLAN, in addition to:

In addition to the advantage of flexible network composition

It also goes with:

The disadvantage of complication of network composition.

Next, let's look at specific examples.

Changes in network composition in a local area network without VLAN

Suppose you have a network "built without VLAN" consisting of one router and two switches as shown in the figure.

The router in the figure has 2 LAN interfaces. The network on the left is 192.168.1.0 take 24, and on the right is 192.168.2.0 take 24.

Now if you want to transfer computer An on the network 192.168.1.0 to 192.168.2.0 to 24, you need to change the physical connection and connect A to the switch on the right.

Also, when you need to add a new network with the address 192.168.3.0 Universe 24, you need to occupy another LAN interface on the router and add a switch. Because there are only 2 LAN interfaces on this router, in order to add a new network, the router must be upgraded to a product with more than 3 LAN interfaces.

The change of Network composition in Local area Network using VLAN

Next, suppose there is a local area network that uses VLAN, which is made up of one router and two switches. There is an aggregation link between the switch and the switch, and between the switch and the router, and it is assumed that 192.168.1.0 VLAN 24 corresponds to red VLAN and 192.168.2.0 dial 24 corresponds to blue VLAN.

When computer A connected to the network segment 192.168.1.0 on switch 1 needs to be transferred to 192.168.2.0, there is no need to change the physical cabling. Just generate a blue VLAN on the switch, and then add port 1 to computer A to the blue VLAN to make it an access link.

Then, according to the need to set computer An IP address, default gateway and other information on it. If the IP address-related settings are obtained by DHCP, you can move between different network segments without any setting changes on the client side.

After using VLAN, we are free to carry out the logical design of the network without changing any physical wiring. If you are in a work environment that requires frequent changes in the layout of the network, the advantages of taking advantage of VLAN are obvious.

Moreover, when you need to add a new network segment with the address 192.168.3.0 VLAN 24, you only need to create a new IP address corresponding to 192.168.3.0 Universe 24 on the switch and add the required port to its access link.

If the external router is also needed in the network environment, all the operations can be done by adding a subinterface to the sink port of the router without consuming more physical interfaces (LAN interface). To use the routing module inside the layer 3 switch, you only need to set up a new VLAN interface.

The growth of the network environment is often unpredictable, and it is likely that there is a need to split the existing network or add a new network. After full use of VLAN, these problems can be easily solved.

The complication of network structure caused by VLAN

Although the use of VLAN can flexibly build the network, but at the same time, it also brings the problem of network structure complexity.

Especially because of the crisscross of data flow, once a fault occurs, it will be difficult to locate and troubleshoot it accurately.

To make it easier to understand the complexity of data flow, assume the network shown in the following figure. When computer A sends data to computer C, the overall direction of the data flow is as follows:

Computer A → switch 1 → router → switch 1 → switch 2 → computer C

First, computer A sends data (①) to switch 1, and then the data is forwarded to the router (②) for inter-VLAN routing. The routed data is returned from the aggregation link to switch 1 (③). Since the communication target computer C is not directly connected to switch 1, it also needs to be forwarded to switch 2 (④) via the aggregation link. On switch 2, the data is eventually forwarded to port 2 to which C is connected, which completes the entire process (⑤).

In this example, the network is made up of only two switches, and the data flow is already so complex that if you build a VLAN that spans multiple switches, the flow of each data flow will obviously be more difficult to grasp.

Logical structure and physical structure of Network

In order to cope with the increasingly complex data flow, administrators need to grasp the current situation of the network from two aspects: "logical structure" and "physical structure".

Physical structure refers to the current situation of the network observed from the physical layer and data link layer, indicating the physical wiring shape of the network and the setting of VLAN, and so on.

On the other hand, the logical structure represents the network structure observed from above the network layer. Let's try to analyze the logical structure of an IP network with the router as the center.

The previous example depicts the wiring pattern and the "physical structure" set by VLAN, as shown in the following figure.

After analyzing this physical structure and transforming it into a router-centric logical structure, you will get the following logical structure diagram. When we need to set up routing or packet filtering, it must be based on the logical structure.

It is very important to understand the difference between these two kinds of network structure diagrams, especially in modern enterprise networks where VLAN and layer 3 switches are popular.

If there are any deficiencies, please put forward them and add them together.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.