VLAN super detailed explanation

One: some models


Two: understanding of mac address

1. Unicast MAC address: uniquely identifies one interface of a device. The least significant bit of the first byte is 0.

2. Multicast MAC address: identifies a group of devices. The least significant bit of the first byte is 1.

3. Broadcast MAC address: all bits are 1.

Note: Only a unicast MAC address can be assigned to an interface; a multicast or broadcast MAC address cannot be assigned to any Ethernet interface. In other words, these two types of MAC address can never be the source MAC address of a data frame, only its destination MAC address.

Three: Ethernet data frame


Four: VLAN interface and link types and forwarding principles and advantages

1. Link type:

①: Access link (access connection)

②: Trunk link (trunk connection)

2. Interface type:

①: Access interface

The Access interface is generally used to connect user terminals that cannot recognize tags (such as user hosts, servers, etc.), or is used where there is no need to distinguish between different VLAN memberships. It can only send and receive untagged frames, and it can only add a single VLAN tag to the untagged frames it receives.

②: trunk interface

Trunk interfaces are generally used to connect switches, routers, APs and voice terminals that can send and receive tagged and untagged frames at the same time.

A trunk interface can carry the frames of multiple VLANs with their tags, but the frames of only one VLAN may leave this type of interface untagged (that is, with the tag stripped).

③: Hybrid interface

The Hybrid interface can be used to connect user terminals (such as user hosts, servers, etc.) and network devices (such as hubs and dumb switches), and it can also be used to connect switches, routers, voice terminals and APs that can send and receive tagged and untagged frames at the same time.

④: QinQ interface

The QinQ (802.1Q-in-802.1Q) interface is an interface that uses the QinQ protocol, and is generally used on the connection between a private network and the public network. It can add a double tag to a frame, that is, a new tag on top of the original tag, which supports up to 4094×4094 VLANs and so meets the network's demand for a large number of VLANs. The outer tag is usually called the public network tag and identifies the VLAN on the public network; the inner tag is usually called the private network tag and identifies the VLAN on the private network.
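As an added example (not from the original post), the following Python classifies a MAC address by the I/G bit described in section Two and peels the 802.1Q tag, or the QinQ outer/inner tag pair, off a frame. The frames and MAC values are constructed; the 802.1ad TPID 0x88A8 is assumed for the outer tag, although many switches use 0x8100 for both tags.

```python
# Added example, not from the original post: classify MAC addresses by their
# I/G bit and peel 802.1Q / QinQ tags off a constructed Ethernet frame.
import struct

TPID_8021Q = 0x8100   # 802.1Q customer tag
TPID_8021AD = 0x88A8  # 802.1ad service tag (assumed for the outer QinQ tag here)
TPIDS = (TPID_8021Q, TPID_8021AD)


def mac_kind(mac: bytes) -> str:
    """Unicast / multicast / broadcast, decided by the lowest bit of the first byte."""
    if mac == b"\xff" * 6:
        return "broadcast"
    return "multicast" if mac[0] & 0x01 else "unicast"


def parse_frame(frame: bytes) -> dict:
    """Return MAC kinds, VLAN IDs (outer/public first, inner/private last), EtherType, payload.

    A multicast or broadcast source MAC is rejected, mirroring the rule that such
    addresses may only appear as the destination of a frame.
    """
    dst, src = frame[:6], frame[6:12]
    if mac_kind(src) != "unicast":
        raise ValueError("source MAC must be unicast")
    vlans, off = [], 12
    (ethertype,) = struct.unpack_from("!H", frame, off)
    while ethertype in TPIDS:
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        vlans.append(tci & 0x0FFF)            # VID is the low 12 bits; PCP/DEI sit above it
        off += 4
        (ethertype,) = struct.unpack_from("!H", frame, off)
    return {"dst": mac_kind(dst), "src": mac_kind(src), "vlans": vlans,
            "ethertype": ethertype, "payload": frame[off + 2:]}


def build_frame(dst: bytes, src: bytes, vlans, ethertype: int, payload: bytes) -> bytes:
    """Constructed frames for the demo; with two VIDs the outer tag is the QinQ public-network tag."""
    hdr = dst + src
    for i, vid in enumerate(vlans):
        tpid = TPID_8021AD if len(vlans) == 2 and i == 0 else TPID_8021Q
        hdr += struct.pack("!HH", tpid, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    host = bytes.fromhex("001122334455")     # constructed unicast MACs
    server = bytes.fromhex("00aabbccddee")
    qinq = build_frame(server, host, [200, 10], 0x0800, b"ip")
    print(parse_frame(qinq))  # vlans == [200, 10]: public tag 200, private tag 10
```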

3. Forwarding principle


4. Advantages:

VLAN technology is a very important and very basic technology in the field of Layer 2 switching. It can bring many benefits to the network, such as:

  1. Isolate broadcasts: when a switch deploys VLANs, the flooding of broadcast frames is limited to the VLAN. VLAN technology cuts the network from one large broadcast domain into multiple smaller broadcast domains, reducing the bandwidth and device performance lost to flooding.

  2. Improve the flexibility of network design: VLAN technology makes network design and deployment more flexible. Users in the same workgroup no longer need to be confined to the same geographic location.

  3. Improve the manageability of the network: by placing different services in different VLANs and assigning them different IP network segments, each service becomes an independent unit, which greatly simplifies network management and maintenance.

  4. Improve the security of the network: with VLAN technology, different services can be isolated at Layer 2. Since VLANs are isolated from each other, a fault in one VLAN, for example ARP spoofing within that VLAN, does not affect the other VLANs.

5. The connection between the switch and the router

If the router has no sub-interfaces, the link between the router and the switch is configured as an access link; if the router is configured with sub-interfaces, the link must be configured as a trunk or hybrid link. The difference is that a sub-interface needs to process tagged frames.

6. Types of VLAN


7. Some basic configuration

1. Configure Proxy ARP within and between VLANs

①. In VLAN:

When port isolation is configured in a VLAN, users belonging to the same VLAN cannot communicate with each other. Enabling intra-VLAN Proxy ARP on the VLANIF interface associated with the VLAN allows these users to communicate with each other at Layer 3.

//Configuration command lines

interface vlanif 10 //Enter the VLANIF interface view

arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN Proxy ARP

②. Between VLANs:

When users who belong to the same network segment but to different VLANs need Layer 3 interworking, you can enable inter-VLAN Proxy ARP on the VLANIF interface associated with the VLANs. For example, enabling inter-VLAN Proxy ARP on the VLANIF interface of a Super-VLAN allows users in different Sub-VLANs to communicate.

//Configuration command lines

interface vlanif 10 //Enter the VLANIF interface view

arp-proxy inter-sub-vlan-proxy enable //Enable inter-VLAN Proxy ARP

2. Configure vlan based on ip address


Configure VLAN100 on the Switch to associate with the IP address 192.168.1.2, with a priority of 2.

[Quidway] vlan 100

[Quidway-vlan100] ip-subnet-vlan 100 ip 192.168.1.2 24 priority 2

//Associates the IP subnet 192.168.1.2 24 with VLAN 100, so that packets sent from this subnet are carried in VLAN 100

[Quidway-vlan100] quit

[Quidway-GigabitEthernet0/0/0] ip-subnet-vlan enable

//This command is used to activate the function of dividing VLAN based on ip address. This command can only be used on hybrid interfaces.


3. Be sure to create the corresponding VLAN on the switch. If the VLAN does not exist, frames carrying that VLAN ID will not be forwarded by the switch.


8. MUX VLAN

1. Background:

MUX VLAN (Multiplex VLAN) provides a mechanism for network resource control through VLAN.

For example, in an enterprise network both employees and customers can access the enterprise server. The enterprise wants its employees to be able to communicate with each other, while customers are isolated from one another and cannot communicate.

To let all users access the enterprise server, inter-VLAN communication can be configured. But if the enterprise is large and has many users, every group of users that must not reach each other needs its own VLAN. This consumes many VLAN IDs and increases both the administrator's configuration workload and the maintenance effort.

The Layer 2 traffic isolation mechanism provided by MUX VLAN allows employees within the enterprise to communicate with each other while keeping the enterprise's customers isolated.

2. Basic concepts:

A MUX VLAN consists of a primary VLAN and secondary VLANs, and secondary VLANs are divided into isolated secondary VLANs and interoperable secondary VLANs.

①: Primary VLAN (Principal VLAN): a Principal port can communicate with all interfaces in the MUX VLAN.

②: Secondary VLAN (Subordinate VLAN):

1) Isolated secondary VLAN (Separate VLAN): a Separate port can only communicate with Principal ports and is completely isolated from all other interfaces.

Each isolated secondary VLAN must be bound to a primary VLAN.

2) Interoperable secondary VLAN (Group VLAN): a Group port can communicate with Principal ports, and interfaces in the same Group VLAN can also communicate with each other, but they cannot communicate with the interfaces of other Group VLANs or with Separate ports.

Each interoperable secondary VLAN must be bound to a primary VLAN.
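The communication rules above, written out as a small Python model so an intended isolation plan can be checked before it is configured. This is an added example, not code from the original post; the host names are constructed, and it assumes that two ports on the same Separate VLAN are isolated from each other as well.

```python
# Added example, not from the original post: a small model of the MUX VLAN
# communication rules, used to check an intended isolation plan before deployment.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class MuxVlan:
    principal: int                # primary VLAN (Principal VLAN)
    separate: FrozenSet[int]      # isolated secondary VLANs (Separate VLANs)
    groups: FrozenSet[int]        # interoperable secondary VLANs (Group VLANs)

    def role(self, vid: int) -> str:
        if vid == self.principal:
            return "principal"
        if vid in self.separate:
            return "separate"
        if vid in self.groups:
            return "group"
        raise ValueError(f"VLAN {vid} does not belong to this MUX VLAN")


def can_talk(mux: MuxVlan, vid_a: int, vid_b: int) -> bool:
    """Layer 2 reachability between two access ports whose default VLANs are vid_a and vid_b."""
    ra, rb = mux.role(vid_a), mux.role(vid_b)
    if "principal" in (ra, rb):
        return True                 # Principal ports reach every port in the MUX VLAN
    if ra == rb == "group":
        return vid_a == vid_b       # Group ports reach each other only within the same Group VLAN
    # Separate ports reach nothing but the Principal VLAN; assumed here that two
    # ports on the same Separate VLAN are isolated from each other as well.
    return False


def isolation_violations(mux: MuxVlan, hosts: Dict[str, int],
                         must_be_isolated: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the host pairs the plan wants isolated but the MUX VLAN still lets talk."""
    return [(a, b) for a, b in must_be_isolated if can_talk(mux, hosts[a], hosts[b])]


if __name__ == "__main__":
    # The configuration shown on this page: VLAN 10 principal, VLAN 30 separate, VLAN 20 group.
    mux = MuxVlan(principal=10, separate=frozenset({30}), groups=frozenset({20}))
    hosts = {"server": 10, "employee1": 20, "employee2": 20, "customer1": 30, "customer2": 30}
    print(isolation_violations(mux, hosts, [("customer1", "customer2"), ("customer1", "employee1")]))  # []
    print(isolation_violations(mux, hosts, [("employee1", "employee2")]))  # [('employee1', 'employee2')]
```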

3. Configuration:

①: Matters needing attention:

  • If the specified VLAN has been used in the primary VLAN or the secondary VLAN, the VLAN can no longer be used to create a VLANIF interface, or used in the configuration of VLAN Mapping, VLAN Stacking, Super-VLAN, and Sub-VLAN.

  • Disabling the interface MAC address learning function or limiting the number of interface MAC address learning will affect the normal use of the MUX VLAN function.

  • MUX VLAN and interface security functions cannot be configured on the same interface.

  • The MUX VLAN and MAC authentication functions cannot be configured on the same interface.

  • MUX VLAN and 802.1x authentication functions cannot be configured on the same interface.

  • When DHCP Snooping and MUX VLAN are configured at the same time, if the DHCP server is on the secondary VLAN side of the MUX VLAN and the DHCP client is on the primary VLAN side, the DHCP client will not be able to obtain an IP address. Therefore, place the DHCP server on the primary VLAN side.

  • After the MUX VLAN function is enabled on an interface, VLAN Mapping and VLAN Stacking cannot be configured on the interface.

②: Configuration command

<SW>dis current-configuration

#

sysname SW

#

vlan batch 10 20 30

#

vlan 10

mux-vlan //Configure VLAN 10 as the MUX VLAN (primary VLAN)

subordinate separate 30 //Configure isolated secondary VLAN

subordinate group 20 //Configure the interoperable secondary VLAN

#

interface GigabitEthernet0/0/1

port link-type access

port default vlan 20

port mux-vlan enable //Enable the MUX VLAN function of the interface.

#

interface GigabitEthernet0/0/2

port link-type access

port default vlan 20

port mux-vlan enable

#

③: Matters needing attention

Note: The port mux-vlan enable vlan 3 command is not currently supported on the eNSP simulator. When the MUX VLAN spans devices, port mux-vlan enable vlan 3 must be configured on the trunk interface that interconnects the switches, to turn on MUX VLAN on the trunk. This is generally deployed at the aggregation layer.

In the experiment above this command could not be configured, so hosts in the isolated VLAN on different devices can still communicate; for example, PC3 and PC7 can communicate.

9. VLAN aggregation

1 Overview:

VLAN aggregation (VLAN Aggregation, also known as Super VLAN) uses multiple VLANs (called Sub-VLANs) to isolate broadcast domains within a physical network, and aggregates these Sub-VLANs into one logical VLAN (called the Super-VLAN). The Sub-VLANs share the same IP subnet and default gateway.

With the concepts of Super-VLAN and Sub-VLAN, each Sub-VLAN corresponds to one broadcast domain, multiple Sub-VLANs are associated with one Super-VLAN, and only one IP subnet is assigned to the Super-VLAN. All Sub-VLANs use the IP subnet and default gateway of the Super-VLAN for Layer 3 communication.

In this way, multiple Sub-VLANs share one gateway address, which saves the subnet number, the subnet directed-broadcast address and the subnet default gateway address, and the boundary between Sub-VLANs is no longer a subnet boundary. Address ranges within the Super-VLAN's subnet can be divided flexibly according to the number of hosts each Sub-VLAN needs. Each Sub-VLAN still acts as an independent broadcast domain, so broadcast isolation is achieved, IP address resources are saved, and addressing becomes more flexible.

2. Principle:

VLAN aggregation defines the Super-VLAN and the Sub-VLAN so that a Sub-VLAN contains only physical interfaces and is responsible for keeping its own broadcast domain separate, while the Super-VLAN contains no physical interfaces and is only used to create the Layer 3 VLANIF interface. A mapping between the Super-VLAN and its Sub-VLANs then ties the Layer 3 VLANIF interface to the physical interfaces, so that all Sub-VLANs share one gateway to communicate with external networks, and Proxy ARP provides Layer 3 communication between Sub-VLANs. This saves IP addresses while preserving the broadcast-domain isolation of ordinary VLANs.

  • Sub-VLAN: contains only physical interfaces and cannot have a Layer 3 VLANIF interface; it isolates a broadcast domain. Layer 3 communication between the hosts in a Sub-VLAN and the outside goes through the Layer 3 VLANIF interface of the Super-VLAN.

  • Super-VLAN: only has the Layer 3 VLANIF interface, contains no physical interfaces, and corresponds to the subnet gateway. Unlike an ordinary VLAN, the Up state of its VLANIF interface does not depend on its own physical interfaces; it is Up as long as any Sub-VLAN it contains has an Up physical interface.

A Super-VLAN can contain one or more Sub-VLANs. Sub-VLAN no longer occupies an independent subnet segment. In the same Super-VLAN, no matter which Sub-VLAN the host belongs to, its IP address is in the subnet segment corresponding to the Super-VLAN.

3. Communication between Sub-VLANs

While VLAN aggregation lets different VLANs share the same subnet address, it also creates a problem for Layer 3 forwarding between Sub-VLANs. With ordinary VLANs, hosts in different VLANs communicate at Layer 3 through their different gateways. In a Super-VLAN, however, all hosts in the Sub-VLANs use the same network segment and share the same gateway address, so a host treats every other host as local: it attempts Layer 2 forwarding only and never sends the traffic to the gateway for Layer 3 forwarding. Since hosts of different Sub-VLANs are isolated from each other at Layer 2, Sub-VLANs cannot communicate with one another.

The solution to this problem is to use Proxy ARP.
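To make the failure mode and the fix concrete, the Python below (an added example, not the original post's code) simulates ARP resolution inside a Super-VLAN with the page's VLANIF address 10.0.100.254/24 and Sub-VLANs 10 and 20; it covers the intra-VLAN and inter-VLAN Proxy ARP commands in section 7 as well. Host addresses and MAC labels are constructed.

```python
# Added example, not from the original post: simulate ARP resolution inside a
# Super-VLAN to show why two Sub-VLANs sharing one subnet cannot reach each other
# at Layer 2 and how inter-Sub-VLAN Proxy ARP on the VLANIF closes the gap.
import ipaddress
from typing import Dict, List, Optional, Tuple

GATEWAY_MAC = "gw-mac"   # constructed MAC label for the Super-VLAN's VLANIF interface


class SuperVlan:
    def __init__(self, vlanif_ip: str, sub_vlans, proxy_arp: bool = False):
        iface = ipaddress.ip_interface(vlanif_ip)     # e.g. "10.0.100.254/24" as on this page
        self.gw_ip, self.subnet = iface.ip, iface.network
        self.sub_vlans = set(sub_vlans)
        self.proxy_arp = proxy_arp                    # arp-proxy inter-sub-vlan-proxy enable
        self.hosts: Dict[ipaddress.IPv4Address, Tuple[str, int]] = {}   # ip -> (mac, sub-vlan)

    def attach(self, ip: str, mac: str, sub_vlan: int) -> None:
        addr = ipaddress.ip_address(ip)
        if sub_vlan not in self.sub_vlans:
            raise ValueError(f"VLAN {sub_vlan} is not a Sub-VLAN of this Super-VLAN")
        if addr not in self.subnet:
            raise ValueError("every Sub-VLAN host lives in the Super-VLAN's subnet")
        self.hosts[addr] = (mac, sub_vlan)

    def arp_resolve(self, requester_ip: str, target_ip: str) -> Optional[str]:
        """MAC the requester learns for target_ip, or None when nobody answers its ARP request."""
        req_mac, req_vlan = self.hosts[ipaddress.ip_address(requester_ip)]
        target = ipaddress.ip_address(target_ip)
        if target == self.gw_ip:
            return GATEWAY_MAC                         # the VLANIF answers in every Sub-VLAN
        if target not in self.hosts:
            return None
        tgt_mac, tgt_vlan = self.hosts[target]
        if tgt_vlan == req_vlan:
            return tgt_mac                             # same broadcast domain: direct reply
        # The ARP broadcast is confined to req_vlan, so the target never hears it.
        # Only the gateway can answer, and only if inter-Sub-VLAN Proxy ARP is enabled.
        return GATEWAY_MAC if self.proxy_arp else None

    def path(self, src_ip: str, dst_ip: str) -> List[str]:
        """Forwarding path from src to dst: direct at Layer 2, via the gateway at Layer 3, or none."""
        mac = self.arp_resolve(src_ip, dst_ip)
        if mac is None:
            return []
        if mac == GATEWAY_MAC and ipaddress.ip_address(dst_ip) != self.gw_ip:
            dst_vlan = self.hosts[ipaddress.ip_address(dst_ip)][1]
            return ["L2 to VLANIF", f"L3 routed into Sub-VLAN {dst_vlan}"]
        return ["L2 direct"]
```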

4. Configuration:

①: Matters needing attention:

  • VLAN1 cannot be configured as a Super-VLAN.

  • After configuring a VLAN as a super-VLAN, the VLAN type is changed to super, and no physical interface is allowed to join the VLAN.

  • A traffic policy takes effect only when it is configured under all Sub-VLANs of the Super-VLAN; configured under the Super-VLAN itself it has no effect.

  • After configuring a VLAN as the termination VLAN of a sub-interface, the VLAN cannot be configured as a Super-VLAN or Sub-VLAN.

  • Proxy ARP can only take effect after the VLANIF interface corresponding to the Super-VLAN is configured with an IP address.

 

②: Commands:

[SW]dis current-configuration

#

sysname SW

#

vlan batch 10 20 100

//Create the VLANs in a batch

#

vlan 100

aggregate-vlan //Create the aggregate (Super) VLAN

access-vlan 10 20 //Add VLAN 10 and VLAN 20 to the aggregate VLAN as Sub-VLANs

#

interface Vlanif100

ip address 10.0.100.254 255.255.255.0

arp-proxy inter-sub-vlan-proxy enable

//Enable inter-Sub-VLAN Proxy ARP so that the Sub-VLANs can communicate with each other

#

interface GigabitEthernet0/0/1

port link-type access

port default vlan 10

#

interface GigabitEthernet0/0/2

port link-type access

port default vlan 10

#


Origin blog.csdn.net/m0_49019274/article/details/114756138