VLAN (Virtual Local Area Network) usage and configuration

1. The role of the switch

    Difference from a hub: a hub (HUB) is a physical-layer device and can only forward the electrical signal directly.
    A switch is a data-link-layer device that converts the electrical signal to binary and provides the following functions:
        1. Extends the transmission distance without limit
        2. Completely eliminates collisions ---- all interfaces can send and receive data at the same time
        3. Layer 2 addressing ---- physical (MAC) addressing realizes one-to-one communication within the switched network, which protects data from being seen by other hosts, reduces the amount of junk traffic, and reduces forwarding delay
        4. Increases port density ---- more interfaces can be added

2. Basic classification of the three-tier architecture

    Access layer: provides port density for user terminal access ---- Layer 2 switches, APs
    Aggregation layer (distribution layer): aggregates traffic; DHCP/VLAN/STP/HSRP/VRRP/port channels...
    Core layer: NAT, high-speed routing and forwarding

    Redundancy: backup lines, equipment, gateways, UPS (power supply)

3. Cisco's VLAN logic and configuration

  1) VLAN (Virtual Local Area Network): a Layer 2 switch, together with a router (or Layer 3 switch), logically divides one broadcast domain into multiple broadcast domains;

    Configuration ideas:
        1. Create the VLANs on the switch
        2. Assign each interface on the switch to a VLAN
        3. Configure the trunk
        4. Routing between VLANs: router-on-a-stick (router sub-interfaces) or a Layer 3 switch

  2) The switch's forwarding mechanism: after traffic enters the switch, it first reads the source MAC address of the data frame, binds that MAC address to the interface the traffic arrived on, records the binding, and generates a MAC address table, which is then converted into a CAM table. It then checks the destination MAC address of the data frame and looks for a matching record in the CAM table. If there is a record, the frame is unicast out of the recorded interface; if there is no record, the traffic is flooded. Flooding ---- the frame is copied out of every interface except the one it entered on. By default, a CAM entry is deleted after its MAC address has not been seen for 300 s.

    The difference between the MAC address table and the CAM table: the CAM table converts the MAC address + interface number + VLAN ID of the MAC table into a hash value stored in binary format, which makes the lookup faster;
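The learning, lookup, flooding and 300 s aging steps described above, as a small added model (example code, not part of the original post). Port names, MAC addresses and timestamps are constructed; entries are keyed by VLAN + MAC to mirror the CAM entry the text describes.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

AGING_SECONDS = 300  # default CAM aging time stated in the text


@dataclass
class Switch:
    ports: List[str]
    # (vlan, mac) -> (port, last_seen). Keying on VLAN as well as MAC mirrors the
    # MAC + interface + VLAN ID entry the text describes for the CAM table.
    cam: Dict[Tuple[int, str], Tuple[str, float]] = field(default_factory=dict)

    def _age(self, now: float) -> None:
        # Remove entries whose last refresh is older than the aging time.
        stale = [k for k, (_, seen) in self.cam.items() if now - seen > AGING_SECONDS]
        for k in stale:
            del self.cam[k]

    def forward(self, in_port: str, vlan: int, src: str, dst: str, now: float) -> List[str]:
        """Return the egress port list for one frame (empty list = filtered)."""
        self._age(now)
        # Learn: bind the source MAC to the ingress interface (also refreshes its timer).
        self.cam[(vlan, src)] = (in_port, now)
        hit = self.cam.get((vlan, dst))
        if hit is None:
            # Unknown destination: flood out of every port except the ingress port.
            return [p for p in self.ports if p != in_port]
        if hit[0] == in_port:
            # Destination lives on the ingress port: a switch never sends a frame
            # back out the port it arrived on, so the frame is filtered.
            return []
        return [hit[0]]  # known destination: unicast on the recorded interface


def demo() -> Tuple[List[str], List[str], List[str]]:
    # Constructed sample traffic: hosts aa:aa (Fa0/1) and bb:bb (Fa0/2) in VLAN 2.
    sw = Switch(ports=["Fa0/1", "Fa0/2", "Fa0/3"])
    first = sw.forward("Fa0/1", 2, "aa:aa", "bb:bb", now=0)    # bb:bb unknown -> flood
    reply = sw.forward("Fa0/2", 2, "bb:bb", "aa:aa", now=1)    # aa:aa learned -> unicast
    later = sw.forward("Fa0/3", 2, "cc:cc", "aa:aa", now=400)  # aa:aa aged out -> flood
    return first, reply, later


if __name__ == "__main__":
    print(demo())
```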

  3) Cisco's VLAN configuration: the VLAN ID is a 12-bit binary field, 0-4095, of which 1-4094 can be used

         1-1005: standard VLANs, usable under any condition; 1006-4094: extended VLANs, usable only when the VTP mode is transparent.
         By default the switch already has vlan 1 and vlan 1002-1005 (for non-Ethernet use).
         vlan 1 is the default native VLAN and the default management VLAN, and all interfaces are in vlan 1 by default.
    1. Create VLANs on the switch
        Switch(config)#vlan 2
        Switch(config-vlan)#name classroom1
        Switch(config-vlan)#exit
        Switch(config)#vlan 3-10,15-20        Create VLANs in batch
    2. Assign interfaces to VLANs
        Switch(config)#interface fastEthernet 0/2
        Switch(config-if)#switchport mode access        The interface must be set to access mode before it can be assigned
        Switch(config-if)#switchport access vlan 2
        Switch(config-if)#exit
        Switch(config)#interface range fastEthernet 0/3 - 4        Assign in batch
        Switch(config-if-range)#switchport mode access
        Switch(config-if-range)#switchport access vlan 3
    3. Trunk
        Layer 2 switch: manually configure a trunk
        Switch(config)#interface fastEthernet 0/24
        Switch(config-if)#switchport mode trunk
        Cisco's Layer 2 switches only support 802.1Q
        Layer 3 switch: manually configure a trunk. Both ISL and 802.1Q are supported, so the encapsulation type must be defined before the trunk is configured
        Switch(config)#interface fastEthernet 0/1
        Switch(config-if)#switchport trunk encapsulation dot1q
        Switch(config-if)#switchport mode trunk

        Trunk link: does not belong to any VLAN, carries the traffic of all VLANs, and marks and identifies the different VLAN tags.
        There are two methods for encapsulating the VLAN ID in a data frame: 802.1Q (dot1q) and ISL (Cisco proprietary standard)

4. Huawei's VLAN logic and configuration

1) Huawei's vlan logic

    1. As soon as traffic enters a Huawei device it is tagged; all traffic forwarded inside a Huawei device carries a tag;
    2. Every interface on a Huawei switch has a forwarding allow list; only traffic permitted by the allow list can enter or leave through that interface;
    3. When traffic leaves through an interface, in addition to checking the allow list, the interface also defines whether the traffic goes out tagged;
    4. If traffic enters an interface of the switch without a tag, it is tagged with the PVID (port default VLAN, written PVLAN below) of that interface;
    5. If traffic enters an interface of the switch with a tag, the tag is matched against the allow list of the interface: if it is allowed it enters, if it is not allowed it is discarded;
    6. If a PC receives tagged traffic, it discards it

    Whatever mode the interface is in, it follows the rules above;

2) Huawei's three interface modes

    1. Access mode: only one VLAN is allowed to pass (the allow list cannot be defined directly); the allowed VLAN is the PVLAN, and frames must leave untagged
        [sw1]interface GigabitEthernet 0/0/5
        [sw1-GigabitEthernet0/0/5]port link-type access
        [sw1-GigabitEthernet0/0/5]port default vlan 2
    2. Trunk mode: any VLAN can be manually added to the allow list. By default only the PVLAN is in the allow list; the egress rule for the PVLAN is untagged and the egress rule for every other VLAN is tagged;
        [sw1]interface GigabitEthernet 0/0/6
        [sw1-GigabitEthernet0/0/6]port link-type trunk
        [sw1-GigabitEthernet0/0/6]port trunk pvid vlan 2
        [sw1-GigabitEthernet0/0/6]port trunk allow-pass vlan all
    3. Hybrid mode: any VLAN can be manually added to the allow list, and for each allowed VLAN you can define whether it leaves tagged or untagged;
        the default PVLAN is VLAN 1 and its egress rule is untagged; once the PVLAN is modified, the new VLAN must be manually added to the allow list, where you define whether it is tagged;
        [sw1]interface GigabitEthernet 0/0/7
        [sw1-GigabitEthernet0/0/7]port hybrid tagged vlan 2 to 3
        [sw1-GigabitEthernet0/0/7]port hybrid untagged vlan 4 to 5

        [sw1]display port vlan active        View the VLAN forwarding rules of the interfaces;
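The six forwarding rules from section 1) applied to the three interface modes above, as an added model (example code, not part of the original post). The ports G5, G6 and G7 are constructed to mirror the three configurations shown; the model assumes the VLANs that exist on the switch are 1-5, so "allow-pass vlan all" on the trunk means {1, 2, 3, 4, 5}.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

@dataclass
class Port:
    mode: str                                        # "access", "trunk" or "hybrid"
    pvid: int = 1                                    # port default VLAN (the text's PVLAN)
    allow: Set[int] = field(default_factory=set)     # forwarding allow list (rule 2)
    untagged: Set[int] = field(default_factory=set)  # VLANs that leave without a tag (rule 3)

def access(pvid: int) -> Port:
    # port link-type access / port default vlan N: one VLAN, always untagged.
    return Port("access", pvid, {pvid}, {pvid})

def trunk(pvid: int, allow: Set[int]) -> Port:
    # port trunk pvid vlan N / port trunk allow-pass vlan ...: the PVID leaves untagged,
    # every other allowed VLAN leaves tagged. The PVID is not added to the allow list
    # automatically, which is why the text says a changed PVID must be allowed by hand.
    return Port("trunk", pvid, set(allow), {pvid})

def hybrid(tagged: Set[int], untagged: Set[int], pvid: int = 1) -> Port:
    # port hybrid tagged/untagged vlan ...: allow list and tagging are set per VLAN.
    return Port("hybrid", pvid, set(tagged) | set(untagged), set(untagged))

def ingress(port: Port, tag: Optional[int]) -> Optional[int]:
    """Rules 4 and 5: an untagged frame takes the PVID, then the allow list decides."""
    vlan = port.pvid if tag is None else tag
    return vlan if vlan in port.allow else None      # None = discarded

def egress(port: Port, vlan: int) -> Optional[Tuple[int, bool]]:
    """Rules 2 and 3: leave only if allowed; the bool says whether the tag stays on."""
    if vlan not in port.allow:
        return None
    return vlan, vlan not in port.untagged

def forward(src: Port, dst: Port, tag: Optional[int]) -> Optional[Tuple[int, bool]]:
    """A frame with VLAN tag `tag` (None = untagged) enters src and tries to leave dst."""
    vlan = ingress(src, tag)
    return None if vlan is None else egress(dst, vlan)

# Constructed ports mirroring the three configurations shown above.
G5 = access(2)                                   # GE0/0/5: access, default vlan 2
G6 = trunk(2, {1, 2, 3, 4, 5})                   # GE0/0/6: trunk, pvid 2, allow-pass all
G7 = hybrid(tagged={2, 3}, untagged={4, 5})      # GE0/0/7: hybrid
```

A frame a PC sends untagged into G5 leaves the trunk G6 untagged because VLAN 2 is the trunk's PVID, while VLAN 3 leaves tagged; a frame tagged with a VLAN that is not on the ingress allow list is dropped at ingress (rule 5), and a PC behind G5 never receives a tag (rule 6).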

3) Huawei's vlan configuration

    1. Create VLANs
        [SWA]vlan 10
        [SWA-vlan10]quit
        [SWA]vlan batch 2 to 3 5 10        Create vlan 2-3, 5 and 10 in batch
    2. Assign interfaces to a VLAN
        Single interface: change the interface mode to access
        [SWA]interface GigabitEthernet 0/0/5
        [SWA-GigabitEthernet0/0/5]port link-type access
        Change the link type to access in batch
        [Huawei]port-group 1
        [Huawei-port-group-1]group-member GigabitEthernet 0/0/1 to GigabitEthernet 0/0/10
        [Huawei-port-group-1]port link-type access
        Assign a single interface to a VLAN
        [SWA]interface GigabitEthernet 0/0/5
        [SWA-GigabitEthernet0/0/5]port default vlan 3
        Assign interfaces to vlan 2 in batch
        [Huawei]vlan 2
        [Huawei-vlan2]port GigabitEthernet 0/0/1 to 0/0/2
    3. Trunk
        Enter the interface, first change the interface type to trunk mode, then define the VLANs the trunk may pass. The default PVLAN of a trunk (the equivalent of Cisco's native VLAN) is vlan 1; vlan 1 traffic is not tagged by default, and the other VLANs added to the allow list can also pass
        [SWA-GigabitEthernet0/0/1]port link-type trunk
        [SWA-GigabitEthernet0/0/1]port trunk allow-pass vlan 2 3
        [Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan all        Allow all VLANs to pass
        [Huawei-GigabitEthernet0/0/1]port trunk pvid vlan 3        Change the PVLAN of the trunk. Note: once the PVLAN is no longer the default vlan 1, the new PVLAN must be added to the allow list; at that point the original vlan 1 is no longer the PVLAN, so it too must be manually added to the allow list if it is to pass;
    4. Inter-VLAN routing
        1) Router-on-a-stick (sub-interfaces): change the switch interface connected to the router to trunk mode
        [RTA]interface GigabitEthernet0/0/1.1
        [RTA-GigabitEthernet0/0/1.1]dot1q termination vid 2
        [RTA-GigabitEthernet0/0/1.1]ip address 192.168.2.254 24
        [RTA-GigabitEthernet0/0/1.1]arp broadcast enable
        [RTA]interface GigabitEthernet0/0/1.2
        [RTA-GigabitEthernet0/0/1.2]dot1q termination vid 3
        [RTA-GigabitEthernet0/0/1.2]ip address 192.168.3.254 24
        [RTA-GigabitEthernet0/0/1.2]arp broadcast enable

    5. DHCP pool configuration
        [r1]dhcp enable        First enable the DHCP service globally
        Then enable the DHCP service on the interface; each sub-interface is enabled separately
        [r1]interface GigabitEthernet 0/0/0.1
        [r1-GigabitEthernet0/0/0.1]dhcp select global
        Then define the pool
        [r1]ip pool a
        [r1-ip-pool-a]gateway-list 192.168.2.1
        [r1-ip-pool-a]network 192.168.2.0 mask 255.255.255.0
        [r1-ip-pool-a]dns-list 114.114.114.114

Source: blog.csdn.net/Han_V_Qin/article/details/107166060