Why VLAN
is needed 1. What is VLAN?
VLAN (Virtual LAN), translated into Chinese is "virtual local area network". A LAN can be a network composed of a few home computers, or an enterprise network composed of hundreds of computers. The LAN referred to by VLAN specifically refers to a network divided by routers—that is, a broadcast domain.
Let us first review the concept of broadcast domains. The broadcast domain refers to the range that the broadcast frame (the destination MAC address is all 1) can be transmitted, that is, the range that can be directly communicated. Strictly speaking, it is not just broadcast frames. Multicast frames and Unknown Unicast Frames with unknown targets can also be unimpeded in the same broadcast domain.
Originally, the Layer 2 switch can only construct a single broadcast domain, but after using the VLAN function, it can divide the network into multiple broadcast domains.
2. When the broadcast domain is not divided...
Then, why do you need to split the broadcast domain? That is because if there is only one broadcast domain, it may affect the overall transmission performance of the network. For specific reasons, please refer to the attached drawings for a deeper understanding.
In the figure, it is a network composed of five Layer 2 switches (switches 1 to 5) connected to a large number of clients. Suppose that computer A needs to communicate with computer B at this time. In Ethernet-based communication, the target MAC address must be specified in the data frame to communicate normally, so computer A must first broadcast "ARP Request (ARP Request) information" to try to obtain the MAC address of computer B.
After switch 1 receives the broadcast frame (ARP request), it will forward it to all ports except the receiving port, that is, flooding. Then, switch 2 will also flood after receiving the broadcast frame. Switches 3, 4, and 5 will also flood. Eventually the ARP request will be forwarded to all clients in the same network.
Please note that this ARP request was originally sent to obtain the MAC address of computer B. In other words: as long as computer B can receive it, everything will be fine. But in fact, the data frame spreads throughout the network, causing all computers to receive it. In this way, on the one hand, broadcast information consumes the bandwidth of the entire network, on the other hand, the computer that receives the broadcast information also consumes part of the CPU time to process it. Caused a lot of unnecessary consumption of network bandwidth and CPU computing power.
3. Are broadcast messages sent out so often? After
reading this, you may ask: Are broadcast messages really appearing so frequently? The
answer is: Yes! In fact, broadcast frames appear very frequently. When using the TCP/IP protocol stack to communicate, in addition to the ARP that appeared previously, it may be necessary to send out many other types of broadcast information such as DHCP and RIP.
ARP broadcast is sent when it needs to communicate with other hosts. When the client requests the DHCP server to assign an IP address, it must send out a DHCP broadcast. When RIP is used as a routing protocol, the router will broadcast routing information to other neighboring routers every 30 seconds. Routing protocols other than RIP use multicast to transmit routing information, which will also be forwarded by the switch (Flooding). In addition to TCP/IP, protocols such as NetBEUI, IPX, and Apple Talk also often require broadcasting. For example, when you double-click to open "Network Computer" under Windows, a broadcast (multicast) message will be sent out. (Except Windows XP...)
In short, broadcasting is all around us. The following are some common broadcast communications:
(1) ARP request: establish the mapping relationship between IP address and MAC address.
(2) RIP: A routing protocol.
(3) DHCP: The protocol used to automatically set the IP address.
(4) NetBEUI: The network protocol used under Windows.
(5) IPX: The network protocol used by NovellNetware.
(6) Apple Talk: The network protocol used by Apple's Macintosh computers.
If the entire network has only one broadcast domain, once the broadcast information is sent, it will spread throughout the entire network and bring additional burdens to the hosts in the network. Therefore, when designing a LAN, you need to pay attention to how to effectively divide the broadcast domain.
4. The division of broadcast domains and the necessity of VLANs When
dividing broadcast domains, routers must generally be used. After the router is used, the broadcast domain can be divided by the LAN Interface on the router.
However, under normal circumstances, there will not be too many network interfaces on the router, and the number is usually about 1 to 4. With the popularity of broadband connections, broadband routers (or IP sharers) have become more common, but it should be noted that although they have multiple (usually about 4) connected to the LAN side of the network interface, but That is actually a switch built into the router, and it cannot divide the broadcast domain.
Moreover, if a router is used to divide a broadcast domain, the number of divisions that can be divided depends entirely on the number of network interfaces of the router, so that users cannot freely divide the broadcast domain according to actual needs.
Compared with routers, Layer 2 switches generally have multiple network interfaces. Therefore, if it can be used to divide the broadcast domain, then undoubtedly the flexibility of application will be greatly improved.
The technology used to split the broadcast domain on the Layer 2 switch is VLAN. By using VLAN, we can freely design the composition of the broadcast domain and increase the freedom of network design.
Mechanism to implement VLAN
- The mechanism of implementing VLAN
After understanding "why VLAN is needed", let us understand how the switch uses VLAN to divide the broadcast domain.
First, on a Layer 2 switch without any VLAN, any broadcast frame will be forwarded to all other ports (Flooding) except the receiving port. For example, after computer A sends a broadcast message, it will be forwarded to ports 2, 3, and 4.
At this time, if two VLANs of red and blue are generated on the switch; at the same time, set ports 1 and 2 to belong to the red VLAN, and ports 3 and 4 to belong to the blue VLAN. If the broadcast frame is sent from A, the switch will only forward it to other ports that belong to the same VLAN—that is, port 2 that also belongs to the red VLAN, and will not forward it to the port that belongs to the blue VLAN.
Similarly, when C sends broadcast information, it will only be forwarded to other ports belonging to the blue VLAN, and will not be forwarded to the ports belonging to the red VLAN.
In this way, VLAN divides the broadcast domain by limiting the scope of broadcast frame forwarding. In the above figure, for ease of explanation, red and blue are used to identify different VLANs. In actual use, they are distinguished by "VLAN ID".
2. Describe VLAN intuitively
If we want to describe VLAN more intuitively, we can understand it as logically dividing a switch into several switches. Generating red and blue VLANs on a switch can also be seen as replacing a switch with two virtual switches, one red and one blue.
When a new VLAN is generated in addition to the red and blue VLANs, it can be imagined that a new switch is added.
However, the logical switches generated by the VLAN are not connected to each other. Therefore, after VLANs are set up on the switch, if no other processing is done, communication between VLANs will not be possible.
It is obviously connected to the same switch, but it is unable to communicate-this fact may be unacceptable. But it is not only a convenient and easy-to-use feature of VLAN, but also the reason that makes VLAN difficult to understand
3. What to do
when we need to communicate between VLANs So, what should we do when we need to communicate between different VLANs?
Please recall again: VLAN is a broadcast domain. Generally, two broadcast domains are connected by routers, and data packets between broadcast domains are relayed by routers. Therefore, the communication between VLANs also requires routers to provide relay services, which is called "inter-VLAN routing".
For routing between VLANs, you can use an ordinary router or a Layer 3 switch. The specific content, wait for the opportunity to elaborate. Here I hope everyone remembers that the routing function is needed when different VLANs communicate with each other.
VLAN access links (Access Link)
port type 1. switch
port of the switch can be divided into the following two:
(1) access links (Access Link)
(2) trunk link (Trunk Link)
then let us turn Learn the characteristics of these two different ports. In this lecture, first learn "Access Link".
2. Access link
Access link refers to a port that "only belongs to one VLAN and only forwards data frames to this VLAN". In most cases, the client is connected to the link.
Usually the order of setting VLAN is:
(1) Generate VLAN
(2) Set access link (determine which VLAN each port belongs to) The method of
setting access link can be fixed in advance or according to the connected computer. Dynamically change settings. The former is called "static VLAN" and the latter is naturally "dynamic VLAN".
● Static
VLAN- port-based Static VLAN is also called port-based VLAN (PortBased VLAN). As the name implies, it is a setting method for clearly specifying which VLAN each port belongs to.
Since the ports need to be specified one by one, when the number of computers in the network exceeds a certain number (for example, hundreds), the setting operation will become extremely complicated. Moreover, every time the client changes the connected port, it must also change the VLAN settings of the port at the same time-this is obviously not suitable for those networks that require frequent changes to the topology.
● Dynamic VLAN
On the other hand, dynamic VLAN changes the VLAN to which the port belongs at any time according to the computer connected to each port. This can avoid the above-mentioned operations such as changing settings. Dynamic VLAN can be roughly divided into 3 types:
(1) MAC address-based VLAN (MAC Based VLAN)
(2) Subnet Based VLAN (Subnet Based VLAN)
(3)
Differences between user-based VLAN (User Based VLAN) , It is mainly based on the information of which layer of the OSI reference model determines the VLAN to which the port belongs.
● MAC address-based VLAN
MAC address-based VLAN determines the ownership of the port by querying and recording the MAC address of the network card of the computer connected to the port. Assuming that a MAC address "A" is set by the switch to belong to VLAN "10", no matter which port the computer with the MAC address of "A" is connected to, the port will be assigned to VLAN 10. When the computer is connected to port 1, port 1 belongs to VLAN 10; and when the computer is connected to port 2, port 2 belongs to VLAN 10.
Since the VLAN to which it belongs is determined based on the MAC address, it can be understood that this is a way to set the access link in the second layer of OSI.
However, for VLAN based on MAC address, it is necessary to check and register the MAC addresses of all connected computers when setting. And if the computer swaps the network card, you still need to change the settings.
● VLAN
based on IP address VLAN based on subnet, it is through the IP address of the connected computer to determine the VLAN that the port belongs to. Unlike VLAN based on MAC address, even if the computer changes the MAC address due to the exchange of network cards or other reasons, as long as its IP address remains the same, it can still join the originally set VLAN.
Therefore, compared with the MAC address-based VLAN, the network structure can be changed more easily. The IP address is the third-layer information in the OSI reference model, so we can understand that the VLAN based on the subnet is a way to set the access link in the third layer of the OSI.
User-based VLAN determines which VLAN the port belongs to according to the currently logged-in user on the computer connected to each port of the switch. The user identification information here is generally a user logged in by a computer operating system, for example, it may be a user name used in a Windows domain. This user name information belongs to the information above the fourth layer of OSI.
In general, the higher the level of the information used in determining the VLAN to which a port belongs in the OSI, the more suitable it is to build a flexible network.
Trunk Link
of VLAN 1. When it is necessary to set up a VLAN that spans multiple switches...
So far, what we have learned is the situation when a single switch is used to set up a VLAN. So, what if you need to set up a VLAN that spans multiple switches?
When planning an enterprise-level network, you may encounter a situation where users belonging to the same department are scattered on different floors in the same building. It may be necessary to consider how to set up VLAN across multiple switches. Suppose there is a network as shown in the figure below, and A, C and B, D on different floors need to be set to the same VLAN.
At this time, the most important thing is "How should switch 1 and switch 2 be connected?"
The simplest method is naturally to set up a red and blue VLAN dedicated interface on switch 1 and switch 2 and interconnect them.
However, this method is not good in terms of scalability and management efficiency. For example, when creating a new VLAN on the basis of an existing network, in order to allow this VLAN to communicate with each other, a new network cable needs to be connected between the switches. Longitudinal wiring between building floors is more troublesome and generally cannot be carried out by grassroots managers at will. Moreover, the more VLANs there are, the more and more ports are required for interconnection between floors (strictly speaking, between switches). The inefficient use of switch ports is a waste of resources and limits the expansion of the network.
In order to avoid this low-efficiency connection method, people think of ways to concentrate the interconnection network cables between the switches into one. At this time, the trunk link is used.
2. What is a
trunk link? Trunk link refers to a port capable of forwarding communications of multiple different VLANs.
The data frames circulating on the aggregation link are all attached with special information to identify which VLAN they belong to.
Now let us go back and consider what would happen if the network just now uses aggregation links? Users only need to simply set the interconnection ports between switches as aggregation links. At this time, the network cable used is still an ordinary UTP cable, not any other special wiring. The illustration shows the interconnection between switches, so a crossover cable is needed to connect.
Next, let us take a concrete look at how the aggregation link realizes the VLAN across the switches.
When the data frame sent by A arrives at switch 2 through the convergence link from switch 1, a tag indicating that it belongs to the red VLAN is attached to the data frame.
After the switch 2 receives the data frame, after checking the VLAN ID, it is found that the data frame belongs to the red VLAN. Therefore, after removing the tag, the restored data frame is only forwarded to other ports belonging to the red VLAN as needed. At this time, the forwarding refers to only forwarding to the port connected to the target MAC address after confirming the target MAC address and comparing it with the MAC address list. Only when the data frame is a broadcast frame, a multicast frame, or a frame with an unknown destination, will it be forwarded to all ports belonging to the red VLAN.
The situation is the same when the blue VLAN sends data frames.
It is possible to support the standard "IEEE 802.1Q" protocol through the additional VLAN identification information when assembling the link, or it may be the unique "ISL (Inter Switch Link)" of Cisco products. If the switch supports these specifications, then users can efficiently construct VLANs that span multiple switches.
In addition, the data of multiple VLANs circulates on the aggregation link, which is naturally heavy. Therefore, when setting up an aggregation link, there is a prerequisite that must support a transmission speed above 100Mbps.
In addition, by default, the aggregation link will forward the data of all VLANs existing on the switch. From another perspective, it can be considered that the aggregation link (port) belongs to all VLANs on the switch at the same time. Since it is very likely that it is not necessary to forward all VLAN data in practical applications, in order to reduce the load of the switch and reduce the waste of bandwidth, we can set a limit for the VLANs that can be interconnected via the aggregation link through user settings.
The specific content of IEEE 802.1Q and ISL will be mentioned in the next lecture.
3. Summary of access links To
sum up, there are two methods for setting access links, static VLAN and dynamic VLAN, among which dynamic VLAN can be further subdivided into several sub-categories.
Among them, subnet-based VLANs and user-based VLANs may be implemented by network equipment manufacturers using unique protocols, and compatibility problems may occur in the interconnection between devices of different manufacturers; therefore, when choosing a switch, you must pay attention to confirm in advance .
The following table summarizes the related information of static VLAN and dynamic VLAN.
Type explanation
Static VLAN (port-based VLAN) assigns each port of the switch to the VLAN.
Dynamic VLAN MAC address-based VLAN is set according to the MAC address of the computer connected to each port.
Subnet-based VLAN is based on the IP of the computer connected to each port. Address setting
Based on the user-based VLAN, set the
VLAN convergence mode according to the user logged in on the computer connected to the port- IEEE802.1Q and ISL
1. Convergence mode
On the convergence link of the switch, you can add VLAN information to the data frame to construct a span VLAN for multiple switches.
The most representative methods for attaching VLAN information are:
(1) IEEE 802.1Q
(2) ISL
Now let us see how these two protocols attach VLAN information to data frames.
2.
IEEE 802.1Q IEEE 802.1Q, commonly known as "Dot One Q", is an IEEE-certified protocol for attaching VLAN identification information to data frames.
Here, please recall the standard format of Ethernet data frames.
The VLAN identification information attached by IEEE 802.1Q is located between the "sending source MAC address" and the "Type Field" (Type Field) in the data frame. The specific content is 2 bytes of TPID (Tag Protocol IDentifier) and 2 bytes of TCI (Tag Control Information), a total of 4 bytes.
Add 4 bytes of content to the data frame, so the CRC value will naturally change. At this time, the CRC on the data frame is the value obtained by recalculating the entire data frame including them after inserting TPID and TCI.
When the data frame leaves the convergence link, the TPID and TCI will be removed, and a CRC recalculation will be performed at this time.
The position of the TPID field in the Ethernet packet is the same as the position of the protocol type field in the packet without a VLAN tag. The value of TPID is fixed to 0x8100, which indicates the 802.1Q type carried by the network frame, and the switch uses it to determine that the IEEE 802.1Q-based VLAN information is attached to the data frame. The actual VLAN ID is 12 bits in TCI. Since there are 12 bits in total, up to 4096 VLANs can be identified.
VLAN information attached based on IEEE 802.1Q is like a tag attached when transferring items. Therefore, it is also called "Tagging VLAN" (Tagging VLAN).
3.
ISL (Inter Switch Link) ISL is a protocol similar to IEEE 802.1Q supported by Cisco products for attaching VLAN information to the aggregation link.
After using ISL, 26 bytes of "ISL Header" will be appended to the header of each data frame, and 4 words obtained by calculating the entire data frame including the ISL header on the frame tail band Section CRC value. In other words, a total of 30 bytes of information have been added.
In an environment where ISL is used, when a data frame leaves the convergence link, simply remove the ISL header and the new CRC. Since the original data frame and its CRC are completely preserved, there is no need to recalculate the CRC.
ISL is like wrapping the entire original data frame with an ISL header and a new CRC, so it is also called "Encapsulated VLAN".
It should be noted that neither the "Tagging VLAN" of IEEE802.1Q or the "Encapsulated VLAN" of ISL is a very strict term. In different books and reference materials, the above words may be mixed and used, so you need to pay special attention when studying.
And because ISL is a Cisco unique protocol, it can only be used for interconnection between Cisco network devices.
Inter-VLAN routing
1. Necessity of inter- VLAN routing
According to the knowledge we have learned so far, we already know that even if two computers are connected to the same switch, they cannot communicate directly as long as they belong to different VLANs. The next thing we will learn is how to route between different VLANs so that hosts belonging to different VLANs can communicate with each other.
First of all, let's review why different VLANs cannot communicate without routing. In the communication within the LAN, the MAC address of the communication destination must be specified in the data frame header. In order to obtain the MAC address, ARP is used under the TCP/IP protocol. The method of ARP to resolve MAC addresses is through broadcast. In other words, if the broadcast message cannot be reached, then there is no way to resolve the MAC address, that is, it is impossible to communicate directly.
Computers belong to different VLANs, which means they belong to different broadcast domains, and naturally they cannot receive each other's broadcast messages. Therefore, computers belonging to different VLANs cannot directly communicate with each other. In order to be able to communicate between VLANs, it is necessary to use the information (IP address) of the network layer, which is a higher layer in the OSI reference model, for routing. Regarding the specific content of routing, I will explain it in detail later when I have the opportunity.
The routing function is generally mainly provided by the router. But in today's local area network, we often use the switch with routing function-Layer 3 Switch (Layer 3 Switch) to achieve. Next, let's take a look at the situation when using routers and Layer 3 switches for inter-VLAN routing.
2. Use routers for inter-VLAN routing
When using routers for inter-VLAN routing, similar to the situation when constructing VLANs that span multiple switches, we still encounter the problem of "how to connect routers and switches". There are roughly two wiring methods for routers and switches:
(1) Connect each VLAN on the router and the switch separately
(2) No matter how many VLANs there are, the router and the switch are connected by only one network cable, which is
the easiest to think of. Of course, "connect the router and the switch with a network cable in the unit of VLAN". Set each port on the switch that is used to interconnect with the router as an access link, and then use a network cable to interconnect with an independent port on the router. As shown in the figure below, there are 2 VLANs on the switch, so you need to reserve 2 ports on the switch for interconnection with the router; the router also needs 2 ports; the two are connected separately with 2 network cables.
If this method is adopted, it should not be difficult for everyone to imagine that its scalability is very problematic. Every time a new VLAN is added, the port of the router and the access link on the switch need to be consumed, and a network cable needs to be re-routed. And routers, usually do not have too many LAN interfaces. When creating a new VLAN, in order to correspond to the ports required by the added VLAN, the router must be upgraded to a high-end product with multiple LAN interfaces. This part of the cost and the overhead caused by rewiring make this wiring method Become an unpopular approach.
So, what about the second method "no matter how many VLANs are, only one network cable is used to connect the router and the switch"? When using a network cable to connect the router and the switch and route between VLANs, the aggregation link is needed.
The specific implementation process is as follows: First, the switch port used to connect the router is set as a trunk link, and the port on the router must also support the trunk link. The protocols used by both parties to converge the link must naturally be the same. Then define the "Sub Interface" corresponding to each VLAN on the router. Although there is only one physical port connected to the switch, in theory we can divide it into multiple virtual ports.
VLAN divides the switch logically into multiple units, so routers used for routing between VLANs must also have virtual interfaces corresponding to each VLAN.
With this method, even if you create a new VLAN on the switch later, you still only need a network cable to connect the switch and the router. The user only needs to set up a new sub-interface corresponding to the new VLAN on the router. Compared with the previous method, the scalability is much stronger, and there is no need to worry about upgrading routers with insufficient LAN interfaces or rewiring.
3. Communication within the same VLAN
Next, we will continue to learn how the inter-VLAN routing is performed when the aggregation link is used to connect the switch and the router. As shown in the figure below, set the IP address for each computer and the sub-interface of the router.
The network address of the red VLAN (VLAN ID=1) is 192.168.1.0/24, and the network address of the blue VLAN (VLAN ID=2) is 192.168.2.0/24. The MAC address of each computer is A/B/C/D, and the MAC address of the router aggregation link port is R. The switch generates the following MAC address list by learning the MAC address of the computer connected to each port.
First consider the communication between computer A and computer B in the same VLAN.
Computer A sends out an ARP request message, requesting to resolve B's MAC address. After the switch receives the data frame, it retrieves the entries in the MAC address list that belong to the same VLAN as the receiving port. It is found that computer B is connected to port 2, so the switch forwards the data frame to port 2, and finally computer B receives the frame. Both the sender and receiver belong to the same VLAN for communication, and all processing is completed in the switch.
4. Communication between different VLANs
Next is the core content of this lecture, the communication between different VLANs. Let us consider the communication between computer A and computer C.
Computer A obtains from the IP address (192.168.2.1) of the communication target that C and this machine do not belong to the same network segment. Therefore, the data frame will be forwarded to the set default gateway (DefaultGateway, GW). Before sending a data frame, you need to use ARP to obtain the MAC address of the router.
After getting the router's MAC address R, the next step is to send the data frame to C according to the steps shown in the figure. In the data frame of ①, the destination MAC address is the router's address R, but the contained destination IP address is still the address of the object C to be communicated finally. The content of this part involves the communication steps when forwarded by the router in the LAN, so let's explain it in detail if you have the opportunity.
After the switch receives the data frame ① on port 1, it retrieves the entries in the MAC address list that belong to the same VLAN as port 1. Since the aggregation link is considered to belong to all VLANs, port 6 of the switch is also referred to at this time. In this way, the switch knows that the data frame sent to the MAC address R needs to be forwarded through port 6.
When a data frame is sent from port 6, since it is an aggregation link, VLAN identification information will be attached. Since it was originally a data frame from the red VLAN, as shown in Figure ②, it will be added with the identification information of the red VLAN and then enter the aggregation link. After the router receives the data frame of ②, it confirms its VLAN identification information. Since it is a data frame belonging to the red VLAN, it is received by the sub-interface responsible for the red VLAN.
Then, according to the routing table inside the router, determine where to relay.
Since the target network 192.168.2.0/24 is a blue VLAN, and the network is directly connected to the router through a sub-interface, it only needs to be forwarded from the sub-interface responsible for the blue VLAN. At this time, the target MAC address of the data frame is rewritten to the target address of computer C; and because it needs to be forwarded through the convergence link, the identification information belonging to the blue VLAN is added. This is the data frame of ③ in the figure.
After the switch receives the data frame of ③, it retrieves the entries belonging to the blue VLAN from the MAC address list according to the VLAN identification information. Since the communication target—computer C is connected to port 3, and port 3 is an ordinary access link, the switch will forward the data frame to port 3 after removing the VLAN identification information (data frame ④), and finally computer C can receive it successfully. To this data frame.
When communicating between VLANs, even if both parties in the communication are connected to the same switch, they must go through a process like "sender-switch-router-switch-receiver".