Why VLANs are needed

Enterprise 2023-07-21 06:00:18 views: null

Why VLANs are needed

  1. What is VLAN?

VLAN (Virtual LAN), translated into Chinese is "virtual local area network". A LAN can be a network of a few home computers or an enterprise network of hundreds of computers. The LAN referred to by VLAN refers to a network divided by a router—that is, a broadcast domain.

Let's review the concept of broadcast domains first. The broadcast domain refers to the range to which the broadcast frame (the target MAC address is all 1) can be transmitted, that is, the range where direct communication is possible. Strictly speaking, not only broadcast frames, multicast frames (Multicast Frame) and target unknown unicast frames (Unknown Unicast Frame) can also travel unimpeded in the same broadcast domain.

Originally, a Layer 2 switch can only construct a single broadcast domain, but after using the VLAN function, it can divide the network into multiple broadcast domains.

2. When the broadcast domain is not divided...

Then, why do you need to divide the broadcast domain? That is because, if there is only one broadcast domain, it may affect the overall transmission performance of the network. For specific reasons, please refer to the accompanying drawings for a deeper understanding.

In the figure, it is a network composed of 5 Layer 2 switches (switches 1-5) connected to a large number of clients. Suppose at this time, computer A needs to communicate with computer B. In Ethernet-based communication, the target MAC address must be specified in the data frame to communicate normally, so computer A must first broadcast "ARP request (ARP Request) information" to try to obtain the MAC address of computer B.

After switch 1 receives the broadcast frame (ARP request), it will forward it to all ports except the receiving port, which is Flooding. Then, Switch 2 will also Flood after receiving the broadcast frame. Switches 3, 4, and 5 will also be Flooding. Eventually the ARP request will be forwarded to all clients on the same network.

Please note that this ARP request was originally sent to obtain the MAC address of computer B. That is to say: as long as computer B can receive it, everything will be fine. But in fact, the data frame is spread throughout the network, causing all computers to receive it. In this way, on the one hand, the broadcast information consumes the overall bandwidth of the network; on the other hand, the computer that receives the broadcast information also consumes part of the CPU time to process it. It causes a lot of unnecessary consumption of network bandwidth and CPU computing power.

  1. Are broadcast messages sent out that often?

After reading this, you may ask: Do broadcast messages really appear so frequently?

The answer is: yes! In fact broadcast frames will appear very frequently. When using the TCP/IP protocol stack to communicate, in addition to the ARP that appeared earlier, it may also be necessary to send out many other types of broadcast information such as DHCP and RIP.

ARP broadcasts are sent when communication with other hosts is required. When the client requests the DHCP server to assign an IP address, it must issue a DHCP broadcast. When RIP is used as the routing protocol, the router will broadcast routing information to other adjacent routers every 30 seconds. Routing protocols other than RIP use multicast to transmit routing information, which is also forwarded by switches (Flooding). In addition to TCP/IP, protocols such as NetBEUI, IPX, and Apple Talk often need to use broadcasting. For example, when double-clicking to open "Network Computer" under Windows, a broadcast (multicast) message will be sent. (Except for Windows XP...)

In short, broadcasting is all around us. Here are some common broadcast communications:

(1) ARP request: establish the mapping relationship between IP address and MAC address.

(2) RIP: A routing protocol.

(3) DHCP: A protocol for automatically setting an IP address.

(4) NetBEUI: The network protocol used under Windows.

(5) IPX: The network protocol used by Novell Netware.

(6) Apple Talk: A network protocol used by Apple's Macintosh computers.

If there is only one broadcast domain in the entire network, once the broadcast information is sent out, it will spread throughout the network and bring additional burden to the hosts in the network. Therefore, when designing a LAN, attention needs to be paid to how to effectively segment the broadcast domain.

4. The division of broadcast domain and the necessity of VLAN

When splitting broadcast domains, routers must generally be used. After using a router, the broadcast domain can be divided in units of network interfaces (LAN Interfaces) on the router.

However, under normal circumstances, there will not be too many network interfaces on the router, and the number of them is about 1 to 4 at most. With the popularity of broadband connections, broadband routers (or IP sharers) have become more common, but it should be noted that although they have multiple (generally about 4) network interfaces connected to the LAN side, they are actually built-in switches in the router and cannot divide the broadcast domain.

Moreover, if a router is used to divide a broadcast domain, the number of divisions that can be divided depends entirely on the number of network interfaces of the router, making it impossible for users to freely divide a broadcast domain according to actual needs.

Compared with routers, Layer 2 switches generally have multiple network interfaces. Therefore, if it can be used to divide the broadcast domain, the flexibility of use will undoubtedly be greatly improved.

The technology used to divide the broadcast domain on the Layer 2 switch is VLAN. By using VLAN, we can freely design the composition of the broadcast domain and improve the freedom of network design.

Mechanism to realize VLAN

  1. Mechanism to realize VLAN

After understanding "why VLAN is needed", let's take a look at how switches use VLAN to divide broadcast domains.

First of all, on a Layer 2 switch without any VLAN, any broadcast frame will be forwarded to all other ports except the receiving port (Flooding). For example, after computer A sends broadcast information, it will be forwarded to ports 2, 3, and 4.

At this time, if two VLANs, red and blue, are generated on the switch; at the same time, set ports 1 and 2 to belong to the red VLAN, and ports 3 and 4 to belong to the blue VLAN. If a broadcast frame is sent from A, the switch will only forward it to other ports that belong to the same VLAN—that is, port 2 that also belongs to the red VLAN, and will not forward it to the port that belongs to the blue VLAN.

Similarly, when C sends broadcast information, it will only be forwarded to other ports belonging to the blue VLAN, and will not be forwarded to ports belonging to the red VLAN.

In this way, VLANs divide broadcast domains by limiting the scope of forwarding of broadcast frames. In the figure above, for the sake of illustration, different VLANs are identified by red and blue colors, but in actual use, they are distinguished by "VLAN ID".

2. Intuitively describe VLAN

If we want to describe VLAN more intuitively, we can understand it as logically dividing a switch into several switches. Generating two VLANs, red and blue, on one switch can also be regarded as replacing one switch with two virtual switches, one red and one blue.

When a new VLAN is generated outside of the red and blue VLANs, it can be imagined that a new switch has been added.

However, logical switches generated by VLANs are not connected to each other. Therefore, after the VLAN is set on the switch, if no other processing is done, communication between VLANs cannot be performed.

It is obviously connected to the same switch, but it cannot communicate - this fact may be difficult to accept. But it's both a convenient and easy-to-use feature of VLANs and what makes VLANs so confusing.

  1. What to do when inter-VLAN communication is required

So, what should we do when we need to communicate between different VLANs?

Please recall again: VLAN is a broadcast domain. Usually, two broadcast domains are connected by routers, and data packets between broadcast domains are relayed by routers. Therefore, the communication between VLANs also requires routers to provide relay services, which is called "inter-VLAN routing".

For inter-VLAN routing, you can use a common router or a Layer 3 switch. Let's talk about the specific content when we have a chance. Here, I hope everyone remembers that the routing function needs to be used when different VLANs communicate with each other.

VLAN access link (Access Link)

1. The port type of the switch

Switch ports can be divided into the following two types:

(1) Access Link

(2) Trunk Link

Next, let us learn the characteristics of these two different ports in turn. In this lecture, first learn "access links".

2. Access link

An access link refers to a port that "belongs to only one VLAN and only forwards data frames to this VLAN". In most cases, the access link is connected to the client computer.

Usually the order of setting VLAN is:

(1) Generate VLAN

(2) Set the access link (determine which VLAN each port belongs to)

The method of setting the access link may be fixed in advance, or may be dynamically changed according to the connected computer. The former is called "static VLAN", and the latter is naturally "dynamic VLAN".

● Static VLAN - port-based

Static VLAN is also called port-based VLAN (PortBased VLAN). As the name suggests, it is a setting method that clearly specifies which VLAN each port belongs to.

Due to the need to specify ports one by one, when the number of computers in the network exceeds a certain number (such as hundreds), the setting operation will become extremely complicated. Moreover, every time the client computer changes the connected port, the setting of the VLAN to which the port belongs must be changed at the same time-this is obviously not suitable for those networks that need to change the topology structure frequently.

● Dynamic VLAN

On the other hand, dynamic VLAN is to change the VLAN to which the port belongs at any time according to the computer connected to each port. This avoids operations such as changing settings as described above. Dynamic VLAN can be roughly divided into 3 categories:

(1) VLAN based on MAC address (MAC Based VLAN)

(2) Subnet Based VLAN (Subnet Based VLAN)

(3) User Based VLAN (User Based VLAN)

The difference between them mainly lies in the information of which layer of the OSI reference model determines the VLAN to which the port belongs.

● VLAN based on MAC address

MAC address-based VLAN is to determine the port's ownership by querying and recording the MAC address of the computer's network card connected to the port. Assuming that there is a MAC address "A" set by the switch to belong to VLAN "10", then no matter which port the computer with the MAC address "A" is connected to, the port will be assigned to VLAN 10. When the computer is connected to port 1, port 1 belongs to VLAN 10; and when the computer is connected to port 2, port 2 belongs to VLAN 10.

Since the VLAN is determined based on the MAC address, it can be understood that this is a method of setting the access link at the second layer of OSI.

However, when setting a MAC address-based VLAN, it is necessary to check and register the MAC addresses of all connected computers. And if the computer has swapped network cards, you still need to change the settings.

● IP address-based VLAN

Based on the subnet VLAN, the VLAN to which the port belongs is determined by the IP address of the connected computer. Unlike the VLAN based on the MAC address, even if the computer's MAC address changes due to the exchange of network cards or other reasons, as long as its IP address remains unchanged, it can still join the originally set VLAN.

Therefore, compared with the MAC address-based VLAN, the network structure can be changed more easily. The IP address is the information of the third layer in the OSI reference model, so we can understand that the subnet-based VLAN is a method of setting access links at the third layer of the OSI.

The user-based VLAN determines which VLAN the port belongs to based on the currently logged-in user on the computer connected to each port of the switch. The user identification information here is generally a user logged in by a computer operating system, for example, it may be a user name used in a Windows domain. These user name information belong to the information above the fourth layer of OSI.

Generally speaking, the higher the OSI level of the information used to determine the VLAN to which a port belongs, the more suitable it is for building a flexible and changeable network.

VLAN aggregation link (Trunk Link)

1. When you need to set up a VLAN spanning multiple switches...

So far, what we have learned is the case when a single switch is used to set up VLANs. So, what if you need to set up a VLAN that spans multiple switches?

When planning an enterprise-level network, it is very likely that users belonging to the same department are scattered on different floors in the same building. At this time, it may be necessary to consider how to set up VLANs across multiple switches. Assume that there is a network as shown in the figure below, and A, C, B, and D on different floors need to be set to the same VLAN.

At this time, the most critical thing is "how to connect switch 1 and switch 2?"

The easiest way, of course, is to set up a red and blue VLAN-dedicated interface on Switch 1 and Switch 2 respectively and interconnect them.

However, this approach is not good in terms of scalability and management efficiency. For example, when creating a new VLAN on the basis of an existing network, in order to allow the VLAN to communicate with each other, it is necessary to connect a new network cable between the switches. The vertical wiring between the floors of the building is troublesome, and generally cannot be carried out by the grassroots management personnel at will. Moreover, the more VLANs, the more ports required for interconnection between floors (strictly speaking, switches). The low utilization efficiency of switch ports is a waste of resources and limits the expansion of the network.

In order to avoid this low-efficiency connection method, people find a way to concentrate the network cables interconnected between switches into one, and at this time, a trunk link (Trunk Link) is used.

2. What is aggregate link?

A trunk link (Trunk Link) refers to a port capable of forwarding communications of multiple different VLANs.

The data frames circulating on the aggregation link are all appended with special information for identifying which VLAN they belong to.

Now let's go back and think about what happens if the network just now uses aggregation links? Users only need to simply set the ports interconnected between switches as aggregation links. At this time, the network cable used is still an ordinary UTP cable, not any other special wiring. In the illustration, it is the interconnection between switches, so a crossover cable is required to connect.

Next, let's take a look at how the aggregation link is implemented across VLANs between switches.

When the data frame sent by A arrives at switch 2 through the aggregation link from switch 1, a tag indicating that it belongs to the red VLAN is attached to the data frame.

After switch 2 receives the data frame, it finds that the data frame belongs to the red VLAN after checking the VLAN ID, so after removing the mark, the restored data frame is only forwarded to other ports belonging to the red VLAN. Forwarding at this time refers to only forwarding to the port connected to the target MAC address after confirming the target MAC address and comparing it with the MAC address list. Only if the data frame is a broadcast frame, a multicast frame or a frame with unknown destination, it will be forwarded to all ports belonging to the red VLAN.

The situation is the same when the blue VLAN sends data frames.

It is possible to support the standard "IEEE 802.1Q" protocol, or the unique "ISL (Inter Switch Link)" of Cisco products through the additional VLAN identification information when the link is aggregated. If the switch supports these specifications, users can efficiently build VLANs spanning multiple switches.

In addition, data of multiple VLANs flows on the aggregation link, which naturally has a heavy load. Therefore, when setting up the aggregation link, there is a premise that it must support a transmission speed of more than 100Mbps.

In addition, by default, the aggregation link will forward the data of all VLANs existing on the switch. From another perspective, it can be considered that the aggregation link (port) belongs to all VLANs on the switch at the same time. Since the data of all VLANs may not need to be forwarded in practical applications, in order to reduce the load on the switch and reduce the waste of bandwidth, we can limit the VLANs that can be interconnected through the aggregation link through user settings.

The specific content of IEEE 802.1Q and ISL will be mentioned in the next lecture.

3. Summary of access links

To sum up, there are two methods of setting access links: static VLAN and dynamic VLAN, and dynamic VLAN can be further subdivided into several subcategories.

Among them, subnet-based VLAN and user-based VLAN may be implemented by network equipment manufacturers using unique protocols, and there may be compatibility issues between devices from different manufacturers; therefore, when selecting a switch, be sure to confirm in advance.

The table below summarizes information about static VLANs and dynamic VLANs.

Type explanation

Static VLAN (port-based VLAN) assigns each port of the switch to a VLAN

Dynamic VLAN MAC address-based VLAN is set according to the MAC address of the computer connected to each port

Subnet-based VLAN is set according to the IP address of the computer connected to each port

User-based VLAN is set according to the login user on the computer connected to the port

VLAN Aggregation Method——IEEE802.1Q and ISL

1. Aggregation method

On the aggregation link of the switch, VLAN information spanning multiple switches can be constructed by adding VLAN information to the data frame.

The most representative methods for attaching VLAN information are:

(1)IEEE 802.1Q

(2)ISL

Now let us see how these two protocols attach VLAN information to data frames respectively.

2.IEEE 802.1Q

IEEE 802.1Q, commonly known as "Dot One Q", is an IEEE-certified protocol for attaching VLAN identification information to data frames.

Here, please recall the standard format of Ethernet data frames.

The VLAN identification information added by IEEE 802.1Q is located between the "sending source MAC address" and the "Type Field" in the data frame. The specific content is 2 bytes of TPID (Tag Protocol IDentifier) ​​and 2 bytes of TCI (Tag Control Information), totaling 4 bytes.

If 4 bytes are added to the data frame, the CRC value will naturally change. At this time, the CRC on the data frame is the value obtained after recalculating the entire data frame including them after inserting the TPID and TCI.

When the data frame leaves the aggregation link, the TPID and TCI will be removed, and a CRC recalculation will be performed at this time.

The position of the TPID field in the Ethernet packet is the same as that of the protocol type field in the packet without VLAN Tag. The value of TPID is fixed at 0x8100, which indicates the 802.1Q type carried by the network frame, and the switch uses it to determine that the VLAN information based on IEEE 802.1Q is attached to the data frame. The actual VLAN ID is 12 bits in TCI. Since there are 12 bits in total, a maximum of 4096 VLANs can be identified.

VLAN information attached based on IEEE 802.1Q is like a tag attached when delivering items. Therefore, it is also called "Tagging VLAN".

3.ISL(Inter Switch Link)

ISL is a protocol supported by Cisco products that is similar to IEEE 802.1Q and is used to attach VLAN information to aggregation links.

After using ISL, each data frame header will be appended with a 26-byte "ISL Header (ISL Header)", and the 4-byte CRC value obtained after calculating the entire data frame including the ISL header is calculated on the frame tail. In other words, a total of 30 bytes of information has been added.

In the environment using ISL, when the data frame leaves the aggregation link, it is enough to simply remove the ISL header and the new CRC. Since the original data frame and its CRC are completely preserved, there is no need to recalculate the CRC.

ISL is like wrapping the original data frame with the ISL header and new CRC, so it is also called "encapsulated VLAN".

It should be noted that neither the "Tagging VLAN" of IEEE802.1Q nor the "Encapsulated VLAN" of ISL is a very strict term. In different books and reference materials, the above words may be used mixedly, so you need to pay special attention when learning.

And because ISL is a Cisco unique protocol, it can only be used for the interconnection between Cisco network devices.

Routing between VLANs

1. Necessity of inter-VLAN routing

According to the knowledge learned so far, we already know that even if two computers are connected to the same switch, as long as they belong to different VLANs, they cannot communicate directly. The next thing we will learn is how to route between different VLANs so that hosts belonging to different VLANs can communicate with each other.

First of all, let's review why different VLANs cannot communicate without routing. For communication within the LAN, the MAC address of the communication target must be specified in the data frame header. In order to obtain the MAC address, ARP is used under the TCP/IP protocol. The method of ARP to resolve the MAC address is through broadcasting. That is to say, if the broadcast message cannot arrive, the MAC address cannot be resolved, that is, direct communication cannot be performed.

Computers belong to different VLANs, which means that they belong to different broadcast domains, so naturally they cannot receive broadcast messages from each other. Therefore, computers belonging to different VLANs cannot communicate with each other directly. In order to be able to communicate between VLANs, it is necessary to use the information (IP address) of the higher layer in the OSI reference model-the network layer for routing. Regarding the specific content of routing, I will explain it in detail later.

The routing function is generally mainly provided by the router. But in today's LAN, we often use switches with routing function - Layer 3 Switch (Layer 3 Switch) to achieve. Next, let us look at the situation when using routers and Layer 3 switches for inter-VLAN routing.

2. Use a router for inter-VLAN routing

When using routers for inter-VLAN routing, similar to the situation when constructing VLANs spanning multiple switches, we still encounter the problem of "how to connect routers and switches". There are roughly two ways to connect routers and switches:

(1) Connect the router to each VLAN on the switch separately

(2) No matter how many VLANs there are, the router and the switch are connected by only one network cable

The easiest thing to think of, of course, is "connect the router and the switch with network cables in units of VLANs". Set each port on the switch that is used to connect to the router as an Access Link, and then use a network cable to connect to an independent port on the router. As shown in the figure below, there are 2 VLANs on the switch, so you need to reserve 2 ports on the switch for interconnection with the router; there also need to be 2 ports on the router; connect them with 2 network cables.

If this method is adopted, it should not be difficult for everyone to imagine that its scalability is very problematic. Every time a new VLAN is added, the ports on the router and the access links on the switch need to be consumed, and a network cable needs to be re-routed. Routers, on the other hand, usually don't have too many LAN interfaces. When creating a new VLAN, in order to correspond to the ports required by the added VLAN, the router must be upgraded to a high-end product with multiple LAN interfaces. This part of the cost, as well as the overhead caused by rewiring, make this wiring method an unpopular method.

Then, what about the second method of "connecting the router and the switch with only one network cable regardless of the number of VLANs"? When using a network cable to connect the router and the switch for inter-VLAN routing, aggregation links are required.

The specific implementation process is as follows: first, the port of the switch used to connect to the router is set as a trunk link (Trunk Link), and the port on the router must also support the trunk link. Naturally, the protocols used by both parties to aggregate links must also be the same. Then define the "sub interface" (Sub Interface) corresponding to each VLAN on the router. Although there is only one physical port actually connected to the switch, in theory we can divide it into multiple virtual ports.

A VLAN logically divides a switch into multiple switches, so routers used for inter-VLAN routing must also have virtual interfaces corresponding to each VLAN.

If this method is adopted, even if a new VLAN is created on the switch later, only one network cable is needed to connect the switch and the router. The user only needs to set up a new sub-interface corresponding to the new VLAN on the router. Compared with the previous method, the scalability is much stronger, and there is no need to worry about upgrading routers with insufficient LAN interfaces or rewiring.

3. Communications within the same VLAN

Next, we continue to learn how inter-VLAN routing is performed when using aggregation links to connect switches and routers. As shown in the figure below, set the IP address for each computer and the sub-interface of the router.

The network address of the red VLAN (VLAN ID=1) is 192.168.1.0/24, and the network address of the blue VLAN (VLAN ID=2) is 192.168.2.0/24. The MAC addresses of each computer are A/B/C/D, and the MAC address of the aggregation link port of the router is R. The switch generates the following MAC address list by learning the MAC addresses of the computers connected to each port.

First consider the situation when computer A communicates with computer B in the same VLAN.

Computer A sends an ARP request message, requesting to resolve B's MAC address. After the switch receives the data frame, it retrieves the entry in the MAC address list that belongs to the same VLAN as the receiving port. It turns out that computer B is connected to port 2, so the switch forwards the data frame to port 2, and finally computer B receives the frame. The communication between the sending and receiving parties belongs to the same VLAN, and all processing is completed in the switch.

4. Communication between different VLANs

Next is the core content of this lecture, the communication between different VLANs. Let's consider the situation when computer A communicates with computer C.

Computer A concludes from the IP address (192.168.2.1) of the communication target that C and this computer do not belong to the same network segment. Therefore, the data frame will be forwarded to the set default gateway (DefaultGateway, GW). Before sending a data frame, you need to use ARP to obtain the MAC address of the router.

After obtaining the MAC address R of the router, the next step is to send the data frame to C according to the steps shown in the figure. In the data frame of ①, the target MAC address is the address R of the router, but the contained target IP address is still the address of the object C to be communicated. The content of this part involves the communication steps when forwarding through the router in the LAN, and I will explain it in detail when I have the opportunity.

After receiving the data frame of ① on port 1, the switch retrieves entries in the MAC address list that belong to the same VLAN as port 1. Since the aggregation link will be regarded as belonging to all VLANs, port 6 of the switch also belongs to the referenced object at this time. In this way, the switch knows that sending data frames to the MAC address R needs to be forwarded through port 6.

When sending a data frame from port 6, because it is a trunk link, it will be attached with VLAN identification information. Since the data frame originally came from the red VLAN, as shown in ② in the figure, it will be added with the identification information of the red VLAN and enter the aggregation link. After the router receives the data frame of ②, it confirms its VLAN identification information. Since it belongs to the data frame of the red VLAN, it is received by the sub-interface responsible for the red VLAN.

Then, according to the routing table inside the router, determine where to relay.

Since the target network 192.168.2.0/24 is a blue VLAN, and the network is directly connected to the router through a sub-interface, it only needs to be forwarded from the sub-interface responsible for the blue VLAN. At this time, the destination MAC address of the data frame is rewritten as the destination address of computer C; and because it needs to be forwarded through the aggregation link, the identification information belonging to the blue VLAN is added. This is the data frame of ③ in the figure.

After the switch receives the data frame of ③, it retrieves the entry belonging to the blue VLAN from the MAC address list according to the VLAN identification information. Since the communication target—computer C is connected to port 3, and port 3 is an ordinary access link, the switch will forward the data frame to port 3 after removing the VLAN identification information (data frame ④), and finally computer C can successfully receive the data frame.

When communicating between VLANs, even if both communication parties are connected to the same switch, they must go through the process of "sender—switch—router—switch—receiver".

Guess you like

Origin blog.csdn.net/mkleft/article/details/105455983
Recommended
TIOBE May list: Fortran “resurrected” into Top 10
GCC 14.1 released
Ranking
B. Little Girl and Game【1300 / 回文字符串 博弈论】
CIKERS Shane 20190613
"Javascript advanced programming" study notes - the constructor and prototype
beeline hiveserver2 start
springboot - Automatically backup mysql data every day
Data Storage Full Solution--Detailed Persistence Technology
Detailed Explanation of Spring Web MVC DispatcherServlet—Official Original
TCP / IP protocol layers structure and function
Command type literal pos: unknown; Fallback type literal pos: unknown] with root cause
Design of multifunctional curtain controller with indoor anti-theft alarm
Daily
More
2024-05-08(18)
2024-05-07(34)
2024-05-06(6)
2024-05-05(0)
2024-05-04(18)
2024-05-03(8)
2024-05-02(0)
2024-05-01(4)
2024-04-30(36)
2024-04-29(5)

Code World

© 2018 codetd.com