Shulou(Shulou.com)06/01 Report--

1.VLAN introduction

The so-called VLAN means that nodes in different physical locations form different logical subnets according to their needs, that is, a VLAN is a logical broadcast domain, which can cover multiple network devices. VLAN allows network users in different geographical locations to join in a logical subnet and share a broadcast domain. Through the creation of VLAN, the generation of broadcast storms can be controlled, thus improving the overall performance and security of the switched network. Ports in the same VLAN can accept broadcast packets in VLAN, while ports in other VLAN cannot.

2. The application of VLAN in network management.

The group has many subordinate companies and many kinds of business. According to the needs of business development, after careful planning, the unified network after networking is divided into 30 VLAN. The division principle is: the group headquarters divides the VLAN with the floor as the unit, each subordinate company divides the VLAN according to the different business, and different VLan has different security level. Among them, the VLAN where the production machine and all kinds of servers are located has a high level of security. At the same time, using the access control function of Cisco 6509, the access list is set to protect the specific VLAN users and control the specific ports 135,445,1434, etc., which ensures the security isolation of each VLAN user in the whole network. There are four strategies for VLAN partition: VLAN partition based on port, VLAN partition based on MAC address, VLAN partition based on route, and VLAN partition based on policy. The approach adopted by the group is port-based VLAN division.

Port-based VLAN partition is the simplest and most effective partition method. In this method, the network administrator only needs to reassign the switch port of the network device, regardless of the device connected to the port. Before the switch is put into operation, its physical ports are divided into designated VLAN and assigned to users as needed. This division enables the network administrator to grasp the load of the network at any time, which is conducive to the optimal use of the network, and has higher security, although to a certain extent increases the workload of the administrator. For example, the subsidiary companies of the group are distributed in different geographical locations in different cities, but for convenience of management, the OA servers of these companies all use the IP; of a VLAN to assign the IP of other network segments to the OA servers that need other permissions. The implementation of all these network applications is based on the division of the switch port VLAN. On the other hand, for the application of static VLAN technology (that is, port-based VLAN partition), the switch can not distinguish the illegal receiver of the embezzled IP address. After a user misappropriates the IP address of a privileged user in the same subnet, he can pretend to be the privileged user of the VLAN, illegally access the server in the network, and cause the IP address conflict. In order to solve this problem, taking advantage of the characteristic that users generally will not change the computer MA C address, the method of binding the IP address and MA C address of most users to the switch port is adopted, which makes up for this defect of static VLAN and effectively prevents this from happening. If different access permissions are set for different VLAN, how can VLAN and VLAN access each other?

In the general network composed of layer 2 switches, VLAN realizes the segmentation of network traffic, and different VLAN can not communicate with each other. In order to realize the communication between VLAN, we must use: 1) router to achieve; 2) layer 3 switch. Subordinate companies use layer 3 switches. Layer 3 switch is used to realize inter-VLAN communication. Layer 3 switch combines the advantages of layer 2 switch and layer 3 router organically and intelligently, and can provide line-speed performance at all levels. In the layer 3 switch, the switch module and router module are set up respectively, and the built-in routing module is similar to the switching module, which also uses ASIC hardware to handle routing. Therefore, compared with traditional routers, high-speed routing can be realized. Moreover, the routing and switching module is converged and linked, and because it is an internal connection, it can ensure a considerable bandwidth. The routing function of layer 3 switch is used to realize the communication between VLAN.

The core switch is Cisco 6509 layer 3 switch, and the connection layer switch is Cisco 3750 and Cisco 2950 series switch. Cisco 3750 switch is a layer 3 switch with routing function, which is used for branch offices with large data flow, while Cisco 2950 is a layer 2 switch, which is mainly used to connect directly with the central switch through gigabit optical fiber. Through this connection mode, the whole LAN can work well together. VLAN is completely transparent to network users, and users do not feel any difference between using and switching networks, but it is very different for network managers, because it mainly depends on several advantages of VLAN.

(1) Control of broadcast storms

Network management must solve the problem of bandwidth consumption caused by a large amount of broadcast information. As a network segmentation technology, VLAN can limit broadcast storms to one VLAN and avoid affecting other network segments. Compared with the traditional local area network, VLAN can use the bandwidth more efficiently. In VLAN, the network is logically divided into broadcast domains, and the information frames or packets sent by VLAN members are transmitted only between members within the VLAN, not to all workstations on the network. This can reduce the traffic of the backbone and improve the speed of the network.

(2) enhance the security of the network.

Broadcasting on shared LAN will inevitably cause security problems, because all users on the network can monitor the traffic flowing through, and users can access the broadcast packets on the network segment as long as they plug into any active port. Using the security mechanism provided by VLAN, you can restrict the access of specific users, control the size and location of broadcast groups, and even lock the MA C address of network members, thus restricting the use of the network by users and network members without security permission.

(3) strengthen network management.

Using VLAN technology and VLAN management program, the whole network can be managed centrally, and the manageability of the network can be realized more easily. Users can quickly build and adjust VLAN according to business needs. When the link is congested, the hypervisor can be used to redistribute the service. The management process can also provide detailed reports on the volume of business, broadcasting behaviour and statistical characteristics of the working group. For network administrators, all of this network configuration and management is transparent. When the VLAN changes, the user does not need to know the connection of the network and how the protocol is reset. In addition, after using VLAN partition, it also solves the problem of clients using IP address at will, because a computer belongs to a specific VLAN, if you set the IP address of other VLAN, it can not connect to the local area network.

3 conclusion

Through the use of VLAN partition technology, the local area network has been greatly improved in security and stability, which provides a reliable guarantee for the development of various businesses. in short, the importance of VLAN technology in the network management of the group company can not be ignored.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.