VLAN configuration of small and medium-sized LAN switches 01/28 Update SLTechnology News&Howtos

VLAN configuration of small and medium-sized LAN switches

2025-01-28 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >

Shulou(Shulou.com)06/01 Report--

The technical standard IEEE 802.1Q about VLAN was formally promulgated and implemented by the IEEE committee as early as June 1999, and the earliest VLNA technology was put forward by Cisco (Cisco) in 1996.

With the development of several years, VLAN technology has been widely supported, widely used in large and small enterprise networks, and has become the most popular Ethernet LAN technology.

This paper introduces one of the most common technical applications of the switch-VLAN technology, and briefly introduces its configuration method for the network configuration of small and medium-sized local area networks (VLAN).

I. Foundation of VLAN

The Chinese name of VLAN (Virtual Local Area Network) is "virtual local area network". Note that it is not "× ×" (virtual private network). VLAN is a new data exchange technology that divides LAN devices logically (note, not physically) into network segments, thus realizing virtual workgroups.

This emerging technology is mainly used in switches and routers, but the mainstream application is still in switches. However, not all switches have this feature, and only switches above layer 3 of the VLAN protocol have this feature, which can be found in the instructions of the corresponding switches.

IEEE issued the draft 802.1Q protocol standard to standardize the implementation of VLAN in 1999. With the emergence of VLAN technology, administrators logically divide different users in the same physical local area network into different broadcast domains according to the actual application requirements. Each VLAN contains a group of computer workstations with the same requirements, which has the same properties as the physically formed LAN.

Because it is divided logically rather than physically, workstations in the same VLAN are not limited to the same physical scope, that is, these workstations can be on different physical LAN segments.

According to the characteristics of VLAN, broadcast and unicast traffic within one VLAN will not be forwarded to other VLAN, which helps to control traffic, reduce equipment investment, simplify network management, and improve network security.

The development of switching technology also accelerates the application of new switching technology (VLAN). By dividing the enterprise network into virtual network VLAN segments, network management and network security can be strengthened, and unnecessary data broadcasting can be controlled. In a shared network, a physical network segment is a broadcast domain. In a switched network, the broadcast domain can be a virtual network segment consisting of a set of randomly selected layer 2 network addresses (MAC addresses).

In this way, the division of workgroups in the network can break through the geographical location restrictions in the shared network, and can be divided entirely according to management functions. This grouping mode based on workflow greatly improves the management function of network planning and reorganization. Workstations in the same VLAN communicate with each other as if they were on a separate switch, no matter which switch they are actually connected to.

Broadcasts in the same VLAN can only be heard by members of the VLAN and will not be transmitted to other VLAN, which can well control the generation of unnecessary broadcast storms.

At the same time, if there is no routing, different VLAN can not communicate with each other, which increases the security between different departments in the enterprise network.

Network administrators can fully manage the exchange of information between different snap-ins within an enterprise by configuring routing between VLAN. The switch divides the VLAN according to the MAC address of the user's workstation.

Therefore, the user can work freely in the enterprise network, and no matter where he connects to the switching network, he can communicate freely with other users in the VLAN.

VLAN network can be composed of mixed network types of devices, such as 10m Ethernet, 100m Ethernet, token network, FDDI, CDDI, etc., can be workstations, servers, hubs, network uplink backbone, and so on.

VLAN can not only divide the network into multiple broadcast domains, so as to effectively control the occurrence of broadcast storms, and make the network topology very flexible, but also can be used to control the mutual access between different departments and different sites in the network.

VLAN is a protocol proposed to solve the broadcast problem and security of Ethernet. It adds VLAN headers on the basis of Ethernet frames, divides users into smaller workgroups with VLAN ID, and restricts the exchange of visits between different workgroups. Each workgroup is a virtual local area network. The advantage of virtual local area network is that it can limit the broadcast scope, form virtual working group and manage the network dynamically.

Second, the division method of VLAN

The implementation of VLAN on the switch can be roughly divided into six categories:

1. VLAN based on port partition

This is the most commonly used VLAN partition method, and it is also the most widely used and most effective. At present, most VLAN switches provide this VLAN configuration method. This method of dividing VLAN is divided according to the switching port of the Ethernet switch. it divides the physical port on the VLAN switch and the PVC (permanent virtual circuit) port inside the VLAN switch into several groups, each group forming a virtual network, which is equivalent to an independent VLAN switch.

When different departments need to visit each other, it can be forwarded through the router and combined with port filtering based on MAC address. Set the set of MAC addresses that can be passed on the appropriate port of the switch, routing switch, or router closest to the site on the access path to the site. This prevents illegal users from stealing IP addresses from other accessible points.

From this partitioning method itself, we can see that the advantage of this partitioning method is that it is very simple to define VLAN members, as long as all ports are defined as corresponding VLAN groups. Suitable for networks of any size. Its disadvantage is that if a user leaves the original port and goes to a port on a new switch, it must be redefined.

two。 Partition VLAN based on MAC address

This method of dividing VLAN is divided according to the MAC address of each host, that is, the host with each MAC address is configured which group he belongs to. Its mechanism is that each network card corresponds to a unique MAC address, and the VLAN switch tracks the address belonging to VLAN MAC. VLAN in this way allows network users to automatically retain their membership of the VLAN to which they belong when they move from one physical location to another.

From this partition mechanism, we can see that the biggest advantage of this VLAN partition method is that when the user's physical location moves, that is, when switching from one switch to another, the VLAN does not have to be reconfigured, because it is based on the user, not the switch port. The disadvantage of this method is that during initialization, all users must be configured, and if there are hundreds or even thousands of users, the configuration is very tiring, so this partition method is usually suitable for small Lans. And this partition method also leads to the reduction of switch execution efficiency, because there may be many VLAN group members in each switch port, and many users' MAC addresses are saved, which is not easy to query. In addition, for laptop users, their network cards may be changed frequently, so VLAN must be configured frequently.

3. Partition VLAN based on network layer protocol

According to the network layer protocols, VLAN can be divided into IP, IPX, DECnet, AppleTalk, Banyan and other VLAN networks. This kind of VLAN, which is composed according to the network layer protocol, enables the broadcast domain to span multiple VLAN switches. This is very attractive for network administrators who want to organize users for specific applications and services. Moreover, users can move freely within the network, but their VLAN membership remains unchanged.

The advantage of this method is that the physical location of the user has changed, there is no need to reconfigure the VLAN, and the VLAN can be divided according to the type of protocol, which is very important to the network manager, and this method does not need additional frame tags to identify the VLAN, which can reduce the traffic of the network. The disadvantage of this method is low efficiency, because checking the network layer address of each packet takes processing time (compared with the previous two methods). The general switch chip can automatically check the Ethernet header of packets on the network, but it takes more technology and time-consuming to enable the chip to check the IP frame header. Of course, this has something to do with the implementation methods of each vendor.

4. Dividing VLAN according to IP Multicast

IP Multicast is actually a definition of VLAN, that is, an IP Multicast Group is a VLAN. This partition method extends the VLAN to the wide area network, so this method has more flexibility, and it is also easy to expand through the router. It is mainly suitable for local area network users who are not in the same geographical area to form a VLAN, but not suitable for local area network, mainly because it is inefficient.

5. Divide VLAN by policy

VLAN based on policy can implement a variety of allocation methods, including VLAN switch port, MAC address, IP address, network layer protocol and so on. Network managers can decide which type of VLAN to choose according to their own management model and the needs of their own units.

6. VLAN is divided by user-defined, non-user authorization

The division of VLAN based on user definition and non-user authorization means that in order to adapt to the special VLAN network, VLAN is defined and designed according to the special requirements of specific network users, and non-VLAN group users can access VLAN, but they need to provide user passwords and can join a VLAN only after being authenticated by VLAN management.

III. The advantages of VLAN

There must be some key advantages for any new technology to be widely supported and applied, and so is VLAN technology, whose advantages are mainly reflected in the following aspects:

1. Increases the flexibility of network connections

With the help of VLAN technology, different locations, different networks and different users can be combined together to form a virtual network environment, which is as convenient, flexible and effective as using local LAN. VLAN can reduce the management cost of moving or changing the geographic location of workstations, especially after some companies with frequent changes in business conditions use VLAN.

two。 Control broadcasts on the network

VLAN can provide a mechanism to set up firewalls to prevent excessive broadcasting in switched networks. With VLAN, a switched port or user can be assigned to a specific VLAN group, which can be in a switched network or across multiple switches, and broadcasts in one VLAN are not sent outside the VLAN. Similarly, adjacent ports do not receive broadcasts generated by other VLAN. This can reduce broadcast traffic, release bandwidth to user applications, and reduce the generation of broadcasts.

3. Increase the security of the network

Because a VLAN is a separate broadcast domain, the VLAN is isolated from each other, which greatly improves the utilization of the network and ensures the security and confidentiality of the network. People often transmit some confidential and critical data on LAN. Confidential data should provide security measures such as access control.

An effective and easy method is to segment the network into several different broadcast groups. The network administrator limits the number of users in VLAN and forbids unauthorized access to applications in VLAN. Switched ports can be grouped based on application type and access privileges, and restricted applications and resources are generally placed in a secure VLAN.

IV. Configuration example of VLAN network

In order to give you a real configuration example learning opportunity, the following will take the typical medium-sized LAN VLAN configuration as an example to introduce the most commonly used configuration method of dividing VLAN by port.

A company has about 100 computers, and the departments that mainly use the network are: production Department (20), Finance Department (15), personnel Department (8) and Information Center (12).

The basic structure of the network is as follows: three Catalyst 1900 network managed switches (named Switch2, Switch3 and Switch4 respectively) are used in the whole network, and each switch is connected with several hubs according to their needs, which are mainly used for non-VLAN users, such as administrative documents, temporary users, etc.), a Cisco 2514 router, and the whole network is connected to the external Internet through router Cisco 2514.

The connected users are mainly distributed in four parts, namely: production department, finance department, information center and personnel department. Mainly divides VLAN to these four parts of users separately, in order to ensure that the network resources of the corresponding departments are not embezzled or destroyed.

Now in order to meet the security needs of the corresponding part of the company's network resources, especially for sensitive departments such as Finance Department and personnel Department, the information on the network does not want too many people to go in and out casually, so the company adopts the method of VLAN to solve the above problems. Through the division of VLAN, the main network of the company can be divided into four main parts: production department, finance department, personnel department and information center. The corresponding VLAN groups are: Prod, Fina, Huma, Info. The corresponding network segments of each VLAN group are shown below.

VLAN number VLAN name port number

2 Prod Switch 12-21

3 Fina Switch3 2-16

4 Huma Switch4 2-9

5 Info Switch4 10-21

[note] the reason for starting the VLAN number of the switch from "2" is that the switch has a default VLAN, which is the "1" VLAN, which includes all users connected to the switch.

The VLAN configuration process is actually very simple, with only two steps: (1) naming each VLAN group, and (2) mapping the corresponding VLAN to the corresponding switch port.

The following is the specific configuration process:

Step 1: set up HyperTerminal, connect to the 1900 switch, and configure the VLAN of the switch through HyperTerminal. After the connection is successful, the main configuration interface shown below appears (the switch has completed the configuration of basic information before):

1 user (s) now active on Management Console.

User Interface Menu

[M] Menus

[K] Command Line

[I] IP Configuration

Enter Selection:

[note] HyperTerminal is carried out by using the "HyperTerminal" (Hypertrm) program that comes with the Windows system. For details, please refer to the relevant materials.

Step 2: click the "K" button, select the "[K] Command Line" option in the main interface menu, and enter the following command line configuration interface:

CLI session with the switch is open.

To end the CLI session,enter [Exit].

At this point, we enter the normal user mode of the switch, just like the router, which can only view the current configuration, cannot change the configuration, and has a limited number of commands that can be used. So we have to go into "privilege mode".

Step 3: enter the privileged mode command "enable" at the previous step ">" prompt, enter the privileged mode with the command format of "> enable", and enter the privileged mode prompt of the switch configuration:

# config t

Enter configuration commands,one per line.End with CNTL/Z

(config) #

Step 4: for security and convenience, we give each of the three Catalyst 1900 switches names and set the login password for privileged mode. Let's just take Switch2 as an example. The configuration code is as follows:

(config) # hostname Switch2

Switch2 (config) # enable password level 15 XXXXXX

Switch2 (config) #

[note] the privileged mode password must be 4'8 characters. Note that the password entered here is directly displayed in clear text and should be kept secret. The switch uses the level-level size to determine the permissions of the password. Level 1 is the password to enter the command line interface, that is, after you set the password for level 1, the next time you connect to the switch and enter K, you will be asked to enter the password, which is the password set by level 1. Level 15 is the privileged mode password you are asked to enter after you enter the "enable" command.

Step 5: set the VLAN name. Because the four VLAN belong to different switches, the command named by VLAN is "vlan vlan number name vlan name, and the code for configuring 2, 3, 4, 5 VLAN on Switch2, Switch3, Switch4, and switch is:

Switch2 (config) # vlan 2 name Prod

Switch3 (config) # vlan 3 name Fina

Switch4 (config) # vlan 4 name Huma

Switch4 (config) # vlan 5 name Info

[note] the above configuration is carried out in accordance with the rules of Table 1.

Step 6: we configured the VLAN groups for each switch in the previous step, and now we want to map these VLAN to the switch port numbers specified in Table 1. The command for the port number is "vlan-m embership static/ dynamic VLAN number". In this command, you must choose either "static" (static) or "dynamic" (dynamic) allocation, but usually choose "static" (static). The VLAN port number application is configured as follows:

(1)。 The VLAN port number of the switch named "Switch2" is configured as follows:

Switch2 (config) # int e0bin2

Switch2 (config-if) # vlan-membership static 2

Switch2 (config-if) # int e0Compact 3

Switch2 (config-if) # vlan-membership static 2

Switch2 (config-if) # int e0amp 4

Switch2 (config-if) # vlan-membership static 2

……

Switch2 (config-if) # int e0and20

Switch (config-if) # vlan-membership static 2

Switch2 (config-if) # int e0and21

Switch2 (config-if) # vlan-membership static 2

Switch2 (config-if) #

[note] "int" is the abbreviation of "nterface" command, which means interface. "e0swap 3" is the abbreviation of "ethernet 0bin2", which represents the port of module 0 of the switch.

(2)。 The VLAN port number of the switch named "Switch3" is configured as follows:

Switch3 (config) # int e0bin2

Switch3 (config-if) # vlan-membership static 3

Switch3 (config-if) # int e0Compact 3

Switch3 (config-if) # vlan-membership static 3

Switch3 (config-if) # int e0amp 4

Switch3 (config-if) # vlan-membership static 3

……

Switch3 (config-if) # int e0bin15

Switch3 (config-if) # vlan-membership static 3

Switch3 (config-if) # int e0bin16

Switch3 (config-if) # vlan-membership static 3

Switch3 (config-if) #

(3)。 The VLAN port number of the switch named "Switch4" is configured as follows (it includes the configuration of two VLAN groups). First, take a look at the configuration code of VLAN 4 (Huma):

Switch4 (config) # int e0bin2