Divide different VLANs on the same network segment


1. What is the difference between dividing VLANs across different network segments and dividing VLANs within the same network segment?
The IP addresses of the divided VLANs may all lie in one network segment; the main purpose of the VLAN is to prevent broadcast storms.

2. What is the difference between setting up VLANs and setting up different network segments? Are VLANs divided on the switch and different network segments configured at the IP level the same thing, both used to divide the network into subnets?
When segments are divided by IP, the IP addresses are not in the same network segment.
If the purpose is examined in detail, the two are actually different. On the same switch, when a packet comes in, the VLAN logic does not analyze its IP address; it decides which ports the packet is sent to based on the VID.
A VLAN is actually similar to an access-control policy on a router: while a packet flows inside the switch it is no different from any other IP packet, but the VLAN settings you configure control which ports the packet can reach.
With port-based VLANs, information is only sent to the specified switch ports, and other computers on the same subnet but on other ports will not receive it; with IP subnets, the information is sent out all ports, but only computers in the same subnet accept it. Both serve to increase security, reduce broadcast storms, and narrow collision domains.
If no aggregation (trunk) mode is used, VLANs turn one switch into several unconnected switches: no matter how the client IP addresses are set, different VLANs cannot communicate.
Because of the needs of an important application, the network I use requires more than 200 machines to be on the same network segment, and for security reasons there must be differences in access rights. Therefore, the machines all belong to the same network segment, 192.168.0.0/23, and all permissions are controlled by setting VLANs on 8 switches (one layer 3 and seven layer 2).
In the end, all machines can access the server, and there are complex reachable and unreachable restrictions between them. These restrictions no longer fail because someone changes their IP address at random; that is, changing the IP can only lower one's permissions, never raise them.

I think the concepts of subnet and VLAN should be clarified:

Subnet: to save IP addresses, an IP address range is divided into several address segments by a mask (/32, /24, /16, etc.).

VLAN: Virtual LAN. On a switch, each port can be made its own VLAN, meaning that the ports cannot access each other, or several ports can be put into one VLAN, so that those ports can access each other while other ports cannot. (One VLAN cannot exchange information with another VLAN.)
3. In the same VLAN there are two machines that belong to different subnets; the two cannot communicate without a gateway (router), right?

It should rather be said that there can be no communication between VLANs without a router.
A VLAN is a layer-2 concept and a subnet is a layer-3 concept. That is, if two machines belong to different VLANs, then even if they are in the same subnet there is no route between them.
This is not hard to understand:

A switch is a single broadcast domain: broadcast packets are sent to all ports. Dividing VLANs is equivalent to splitting one switch into several virtual switches by port. Ports in the same VLAN can communicate directly without a router, but communication between different VLANs requires a router to route between them.
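As an added illustration (not part of the original post), a small Python model of the rule stated above and in the earlier answer: the switch floods a frame only to ports carrying the ingress port's VID and never reads the IP header, so two hosts reach each other without a router only when they share both the VLAN and the subnet, and re-addressing a host cannot raise its reach. Port numbers, VLAN ids and addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Host:
    name: str
    port: int   # switch port the host is plugged into
    ip: str     # address with prefix length, e.g. "192.168.0.10/23"

def frame_receivers(port_vlan, hosts, sender):
    """Hosts that receive a broadcast frame from `sender`. The switch never
    reads the IP header: it floods only to ports carrying the ingress VID
    (port-based VLANs, no trunk/aggregation link between VLANs)."""
    vid = port_vlan[sender.port]
    return {h.name for h in hosts
            if h.name != sender.name and port_vlan[h.port] == vid}

def same_subnet(a, b):
    """Layer-3 test: both addresses fall inside the same IP network."""
    return (ipaddress.ip_interface(a.ip).network
            == ipaddress.ip_interface(b.ip).network)

def can_talk_without_router(port_vlan, a, b):
    """Direct reachability needs both conditions: the frame is delivered
    (same VLAN) and a's IP stack treats b as on-link (same subnet)."""
    same_vlan = port_vlan[a.port] == port_vlan[b.port]
    return same_vlan and same_subnet(a, b)

# Constructed sample: 8-port switch, ports 1-4 in VLAN 10, ports 5-8 in VLAN 20.
PORT_VLAN = {1: 10, 2: 10, 3: 10, 4: 10, 5: 20, 6: 20, 7: 20, 8: 20}
PC_A = Host("pc-a", 1, "192.168.0.10/23")
PC_B = Host("pc-b", 2, "192.168.1.20/23")   # same /23 and same VLAN as pc-a
PC_C = Host("pc-c", 5, "192.168.0.30/23")   # same /23 as pc-a, but VLAN 20
PC_D = Host("pc-d", 3, "10.0.0.5/24")       # VLAN 10, but another subnet
HOSTS = [PC_A, PC_B, PC_C, PC_D]

def retry_with_new_ip(port_vlan, host, target, new_ip):
    """Outcome when `host` changes its own IP to look like `target`'s subnet:
    the port's VID is unchanged, so a VLAN boundary is never crossed."""
    moved = Host(host.name, host.port, new_ip)
    return can_talk_without_router(port_vlan, moved, target)

if __name__ == "__main__":
    print("broadcast from pc-a reaches:", sorted(frame_receivers(PORT_VLAN, HOSTS, PC_A)))
    for other in (PC_B, PC_C, PC_D):
        print(f"pc-a -> {other.name} without router:",
              can_talk_without_router(PORT_VLAN, PC_A, other))
    print("pc-c re-addressed into pc-a's subnet:",
          retry_with_new_ip(PORT_VLAN, PC_C, PC_A, "192.168.0.99/23"))
```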

VLANs are used for networking inside an enterprise. One or more switches are placed in the central computer room and VLANs are divided on them; different departments are assigned different IP subnets and attached to different VLANs. Communication between departments then has to pass through the router, where various access control lists can be added to increase security.
A VLAN that spans the whole network must use tagged VLANs (802.1Q) on all devices and must be planned globally.
In traditional local area networks, transmission is based on "shared media": all nodes in the network share a common transmission medium, with typical media access control methods such as CSMA/CD, Token Ring and Token Bus. Usually a workgroup is on one network segment, and each segment can be a workgroup or a subnet; multiple logical workgroups exchange data through bridges or routers that interconnect the different segments.
The concept of the virtual network arose from the needs of workgroups and was realized with the development of high-speed networks. It separates the logical network topology from the physical network facilities and divides the nodes on the network into several "logical workgroups" according to the nature and needs of the work. Such a logical workgroup is called a virtual local area network (VLAN, Virtual LAN).
I think that with the emergence of layer-3 switching, routing switching and other technologies, the distinction between subnets and virtual subnets is becoming harder and harder to draw.


Origin: blog.csdn.net/weixin_34007256/article/details/104934911