How do switches isolate broadcast domains? (Reading this article is enough)

Switches isolate collision domains, but not broadcast domains. When the number of hosts is large, this leads to security risks, broadcast flooding, a significant drop in performance, and even an unusable network. VLAN (Virtual Local Area Network) technology was introduced to solve these problems.

The figure shows a typical switched network containing only terminal computers and switches. In such a network, if one computer sends a broadcast frame, every other computer receives it, because the switch floods broadcast frames out of all its other ports.

In a typical switched network, when a host sends a broadcast frame or an unknown unicast frame, the frame is flooded and reaches the entire broadcast domain. The larger the broadcast domain, the more serious the resulting network security problems and junk traffic become.

As shown above, suppose PC1 sends a unicast frame to PC2. At this moment the MAC address tables of SW1, SW3 and SW7 contain an entry for PC2, but those of SW2 and SW5 do not. SW1 and SW3 therefore forward the unicast frame point-to-point, SW7 discards it, and SW2 and SW5 flood it. The end result is that although PC2 receives the unicast frame, many other hosts in the network that are not the destination also receive a frame they should never have seen. Clearly, the larger the broadcast domain, the more serious the network security and junk traffic problems.

To solve the problems caused by large broadcast domains, VLAN (Virtual Local Area Network) technology was introduced:

By deploying VLANs on switches, a large broadcast domain can be logically divided into several smaller, independent broadcast domains, which effectively improves network security, reduces junk traffic, and saves network resources.
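To make the forwarding rules above concrete, here is an added example (not code from the original article) of a minimal learning switch model in Python: the MAC table is keyed by (VLAN, MAC), a known unicast destination is forwarded point-to-point, and a broadcast or unknown unicast frame is flooded only to ports in the same VLAN. The port-to-VLAN assignment and the PC MAC addresses are constructed for the demo and compare one flat broadcast domain with the same ports split into VLAN10 and VLAN20.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class VlanSwitch:
    """Learning switch whose MAC table is keyed by (VID, MAC) and whose
    flooding never crosses a VLAN boundary."""

    def __init__(self, port_vlans: dict):
        self.port_vlans = port_vlans  # access port -> VLAN ID (constructed config)
        self.mac_table = {}           # (vid, mac) -> port the MAC was learned on

    def receive(self, in_port: int, src: str, dst: str) -> list:
        """Return the egress ports for a frame src->dst that arrived on in_port."""
        vid = self.port_vlans[in_port]
        self.mac_table[(vid, src)] = in_port             # learn the source on this VLAN
        if dst != BROADCAST and (vid, dst) in self.mac_table:
            return [self.mac_table[(vid, dst)]]          # known unicast: point-to-point
        # Broadcast or unknown unicast: flood, but only within the ingress VLAN.
        return sorted(p for p, v in self.port_vlans.items() if v == vid and p != in_port)


# Constructed MAC addresses for three PCs.
PC1, PC2, PC3 = "00:00:00:00:00:01", "00:00:00:00:00:02", "00:00:00:00:00:03"


def demo() -> dict:
    """Compare one flat broadcast domain with the same four ports split into two VLANs."""
    flat = VlanSwitch({1: 1, 2: 1, 3: 1, 4: 1})          # no VLAN planning: one domain
    split = VlanSwitch({1: 10, 2: 10, 3: 20, 4: 20})     # ports 1-2 dept A, 3-4 dept B
    return {
        "flat_unknown_unicast": flat.receive(1, PC1, PC2),   # floods to every other port
        "vlan_unknown_unicast": split.receive(1, PC1, PC2),  # floods inside VLAN10 only
        "vlan_known_unicast": split.receive(2, PC2, PC1),    # PC1 already learned: one port
        "vlan_broadcast": split.receive(3, PC3, BROADCAST),  # stays inside VLAN20
    }


if __name__ == "__main__":
    for name, ports in demo().items():
        print(f"{name}: egress ports {ports}")
```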

Features of VLANs:

  1. A VLAN is a broadcast domain: computers within the same VLAN can communicate directly at Layer 2, while computers in different VLANs cannot communicate directly at Layer 2 and can only exchange information through Layer 3. In other words, broadcast messages are confined to a single VLAN.
  2. VLAN membership is not restricted by physical location.

Benefits of VLANs:

  1. Flexible construction of virtual workgroups: VLANs can place different users into different workgroups, and users in the same workgroup need not be confined to a fixed physical area, which makes network construction and maintenance more convenient and flexible.
  2. Restricted broadcast domain: the broadcast domain is limited to one VLAN, which saves bandwidth and improves network processing capacity.
  3. Enhanced LAN security: frames in different VLANs are isolated from each other in transit, that is, users in one VLAN cannot communicate directly with users in another VLAN.
  4. Improved network robustness: a fault is confined to one VLAN and does not affect the normal operation of other VLANs.

VLANs reduce the size of each broadcast domain and increase the number of broadcast domains. Now let's look at how VLANs are implemented, as shown in the figure:

Switch1 and Switch2 belong to the same enterprise, which has planned its VLANs uniformly across the network: VLAN10 is used by department A and VLAN20 by department B. Employees of both departments are connected to both Switch1 and Switch2.

Data sent by PC1 reaches Switch2 over the link between Switch1 and Switch2. If the data is not marked in some way, Switch2 cannot determine which VLAN it belongs to, nor which local VLAN it should be delivered to.

To identify the VLAN a frame belongs to, the VLAN tag (VLAN Tag) is introduced: a field carrying VLAN information is added to the frame so that switches can distinguish frames of different VLANs. The IEEE 802.1Q protocol specifies a 4-byte VLAN tag inserted into the Ethernet frame, also called the VLAN Tag or simply the Tag.

As shown in the figure, once SW1 has determined which VLAN a frame belongs to, it adds a tag at a specific position in the frame. This tag states unambiguously which VLAN the frame belongs to. When other switches (such as SW2) receive the tagged frame, they can identify its VLAN directly from the tag.

Finally, let's look at the fields of the VLAN data frame.

In a VLAN switching network, Ethernet frames take two main forms:

  1. Tagged frame: a data frame into which the 4-byte VLAN tag defined by IEEE 802.1Q (VLAN Tag, or Tag for short) has been inserted.
  2. Untagged frame: the original data frame, without the 4-byte VLAN tag.

The main fields of the VLAN tag:

  1. TPID: 2 bytes, Tag Protocol Identifier, indicating the data frame type.
     - A value of 0x8100 identifies an IEEE 802.1Q VLAN frame. A device that does not support 802.1Q discards such a frame.
     - Each device manufacturer can customize the value of this field. When a neighbouring device is configured with a TPID other than 0x8100, the TPID on the local device must be changed to match the neighbour's configuration so that such packets are recognised and the two devices can interoperate.
  2. PRI: 3 bits, Priority, indicating the priority of the frame, used for QoS.
     - The value ranges from 0 to 7; the larger the value, the higher the priority. When the network is congested, the switch sends high-priority frames first.
  3. CFI: 1 bit, Canonical Format Indicator, indicating whether the MAC address is encapsulated in canonical format on different transmission media, for compatibility between Ethernet and Token Ring networks.
     - A CFI of 0 means the MAC address is encapsulated in canonical format; 1 means non-canonical format.
     - In Ethernet, CFI is 0.
  4. VID: 12 bits, VLAN ID, the number of the VLAN the frame belongs to.
     - The VLAN ID ranges from 0 to 4095. Since 0 and 4095 are reserved by the protocol, the valid range is 1 to 4094.
     - The switch uses the VID in the tag to identify the frame's VLAN, and a broadcast frame is forwarded only within the same VLAN, which confines the broadcast domain to one VLAN.

How to identify a data frame carrying a VLAN tag:

The Length/Type field of the frame = 0x8100.

Note: a computer cannot recognise tagged frames, so computers process and send untagged frames; to improve processing efficiency, all frames processed inside the switch are tagged frames.
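As an added example (not code from the original article), the following Python builds the 4-byte tag described above, inserts it into an untagged frame after the source MAC, where the Length/Type field normally sits, and parses a frame back into its TPID, PRI, CFI and VID fields, recognising a tagged frame by Length/Type = 0x8100 and rejecting the reserved VIDs 0 and 4095. The sample ARP frame and MAC addresses are constructed.

```python
import struct

TPID_8021Q = 0x8100        # Tag Protocol Identifier that marks an IEEE 802.1Q frame
RESERVED_VIDS = {0, 4095}  # reserved by the protocol, so usable VIDs are 1..4094


def build_tag(vid: int, pri: int = 0, cfi: int = 0) -> bytes:
    """Return the 4-byte tag: TPID (16 bits) followed by TCI = PRI:3 | CFI:1 | VID:12."""
    if vid in RESERVED_VIDS or not 0 <= vid <= 4095:
        raise ValueError(f"VID {vid} is outside the usable range 1..4094")
    if not 0 <= pri <= 7 or cfi not in (0, 1):
        raise ValueError("PRI must be 0..7 and CFI must be 0 or 1")
    tci = (pri << 13) | (cfi << 12) | vid
    return struct.pack("!HH", TPID_8021Q, tci)


def insert_tag(untagged: bytes, vid: int, pri: int = 0) -> bytes:
    """Insert the tag after the 12 address bytes, i.e. where Length/Type used to sit."""
    return untagged[:12] + build_tag(vid, pri) + untagged[12:]


def parse_frame(frame: bytes) -> dict:
    """Classify a frame as tagged or untagged and extract its header fields."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    info = {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"), "tagged": False}
    (length_type,) = struct.unpack("!H", frame[12:14])
    if length_type == TPID_8021Q:  # Length/Type position holds the TPID: a tagged frame
        (tci,) = struct.unpack("!H", frame[14:16])
        info.update(tagged=True, tpid=length_type,
                    pri=tci >> 13, cfi=(tci >> 12) & 1, vid=tci & 0x0FFF)
        info["ethertype"] = struct.unpack("!H", frame[16:18])[0]
        info["payload"] = frame[18:]
    else:
        info["ethertype"], info["payload"] = length_type, frame[14:]
    return info


# Constructed sample: a broadcast ARP request as a PC would send it (untagged).
UNTAGGED = (bytes.fromhex("ff ff ff ff ff ff") + bytes.fromhex("00 11 22 33 44 55")
            + b"\x08\x06" + b"\x00" * 28)
TAGGED = insert_tag(UNTAGGED, vid=10, pri=5)  # what the switch carries on the inter-switch link

if __name__ == "__main__":
    print(parse_frame(UNTAGGED))
    print(parse_frame(TAGGED))
```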


Source: blog.csdn.net/2301_76769041/article/details/130054431